Sunday, May 29, 2016

Issue 66 - Week of May 23rd


1.       $12.7 Million gone in just 3 Hours: In just three hours, over 100 criminals withdrew about US$12.7 million from around 1,400 ATMs located in small convenience stores across Japan. The heist used cloned credit cards carrying account details stolen from Standard Bank in South Africa. The notable point is the discipline of the group: rather than using the stolen card data immediately, they held it back and cashed out in one coordinated burst, in a country far from the issuing bank, when it was least expected.

2.       Philippines bank hit by SWIFT hacking group allegedly linked to North Korea: The SWIFT bank hackers have attacked another bank, this time in the Philippines, using the same modus operandi as in the $81 million Bangladesh Bank heist. Security researchers have found that the malware used by the group shares code with the malware used in the Sony Pictures hack, which is attributed to the North Korean group known as Lazarus. The head of the Society for Worldwide Interbank Financial Telecommunication (SWIFT) promised to improve payment system security with new programs and tighter guidelines for auditors and regulators.

3.       Ecuador Bank hacked: $12 Million stolen in an attack on the SWIFT system: As in the Bangladesh case, the hackers obtained the bank's SWIFT credentials before committing the fraud. The victim, Banco del Austro, filed a lawsuit in a New York federal court this year accusing Wells Fargo & Co. of failing to notice red flags in the transfer requests. In all of the SWIFT-related heists so far, the SWIFT network itself was not breached: criminals used malware to steal the SWIFT credentials of bank employees, issued fraudulent transfer instructions as those users, and then covered their tracks. The practical lesson for any SWIFT member is that the security of the messaging network ends at the bank's own workstations, so the machines and accounts that can originate transfers need the same protection as the payment system itself.

4.       LinkedIn data breach: the company responds: Four years after the breach, and with the data recently posted online, the company responded last week. LinkedIn sent an email to all affected users acknowledging the breach and stating that it has invalidated all passwords set before the breach. A sample of the email is shown in the image below. Experts strongly recommend that users change passwords regularly, never reuse a password across sites, and avoid registering on such sites with an official work email address.

5.       Reddit forces password reset of 100,000 users: Reddit is forcing a password reset on 100,000 accounts in the wake of a wave of hijacked accounts following dumps such as the LinkedIn breach, which exposed credentials belonging to millions of users. Reddit itself has not been compromised; rather, password dumps, weak password choices and reuse of the same credentials across sites are letting attackers log in with valid passwords. This is why a breach at one site triggers resets at unrelated ones: any account whose password also appeared in a dump is effectively exposed.

6.       Google to kill passwords by 2017: The top three passwords emerging from the massive LinkedIn breach are "123456", "LinkedIn" and "password". It is remarkable that people still choose such terrible passwords to protect their online accounts. Google is working on a password-less authentication method called the Trust API, which uses signals such as typing patterns, current location, voice and facial recognition to derive a 'Trust Score'. That score is then used to authenticate you without a password or PIN. Since such signals are probabilistic rather than a secret the user knows, a fallback for low scores is still required.

7.       Locky Ransomware hits Maharashtra Mantralaya: Locky ransomware, which has created havoc worldwide, has locked 150 computers in the Revenue and Public Works Departments of Mantralaya in Maharashtra, the administrative headquarters of the state government. The infected machines have been isolated and sent for forensic analysis. Officials suspect the malware entered the network through a spam email. Locky is sophisticated: it encrypts files with AES, and it uses a domain generation algorithm (DGA) to compute fresh command-and-control domain names, so that blocking the domains seen in one sample does not stop the next one. A good web and email security solution, combined with sound practices such as patching, not enabling macros in unsolicited attachments, and keeping offline backups, helps in blocking such ransomware and recovering from it.
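One practical consequence of the DGA behaviour described above is that DGA-style names show up in DNS logs as long, random-looking labels that nobody typed. The following Python is an added example, not code from the original post and not Locky's actual algorithm: it runs a simple entropy and vowel-ratio heuristic over a constructed set of DNS query log lines (the format, client address and domain names are all made up for this example) and flags the ones that look machine-generated.

```python
import math
from collections import Counter

# Constructed sample of DNS query log lines (timestamp, client IP, queried name).
# The random-looking names are invented for this example; they are not Locky's
# real DGA output, and production DGA detection is a much larger topic.
SAMPLE_DNS_LOG = """\
2016-05-24T10:01:02 10.20.4.17 www.maharashtra.gov.in
2016-05-24T10:01:05 10.20.4.17 updates.microsoft.com
2016-05-24T10:01:09 10.20.4.17 kxqwvtpbdjhnm.ru
2016-05-24T10:01:09 10.20.4.17 rwjgkxqvyplbzt.pw
2016-05-24T10:01:10 10.20.4.17 mail.google.com
2016-05-24T10:01:11 10.20.4.17 tqvxnzpkwrbdlgh.xyz
"""


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; random-looking labels score higher."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def longest_label(fqdn: str) -> str:
    """Longest label excluding the TLD. Using the longest label sidesteps
    public-suffix rules (gov.in, co.uk) that a real tool would need."""
    parts = fqdn.rstrip(".").lower().split(".")
    return max(parts[:-1], key=len) if len(parts) > 1 else parts[0]


def is_dga_like(fqdn: str, min_len: int = 10, min_entropy: float = 3.2,
                max_vowel_ratio: float = 0.25) -> bool:
    """Heuristic: long, high-entropy, vowel-poor labels look machine-generated.
    Thresholds are assumptions for this example; tune them against your own logs."""
    label = longest_label(fqdn)
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def flag_dga_queries(log_text: str) -> list:
    """Return (client, name) for each log line whose queried name looks DGA-like."""
    hits = []
    for line in log_text.splitlines():
        _timestamp, client, name = line.split()
        if is_dga_like(name):
            hits.append((client, name))
    return hits


if __name__ == "__main__":
    for client, name in flag_dga_queries(SAMPLE_DNS_LOG):
        print(f"{client} queried DGA-like domain {name}")
```

A single hit proves nothing, but a host that resolves several such names in quick succession, as the three flagged lines show, is worth pulling off the network and imaging before the encryption finishes.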

8.       Be careful if you are using a wireless keyboard: Last year, a white-hat hacker built a cheap device, called KeySweeper, that looked and functioned just like a generic USB phone charger but covertly logged and reported back every keystroke from nearby Microsoft wireless keyboards. The device keeps working even after it is unplugged, thanks to a built-in rechargeable battery. The primary defence is either to restrict the use of wireless keyboards or to use keyboards that encrypt the radio link with the Advanced Encryption Standard (AES).

9.       Widely-used patient care app found to include hidden 'backdoor' access: A clinical application suite designed to help surgical teams manage patients ahead of operations includes a hidden username and password that could be used to access and modify patient records. The hard-coded credentials in Medhost's Perioperative Information Management System (PIMS) have not been publicly disclosed, but anyone who knows them could "backdoor" the app to read or change sensitive patient information. A newer version of the software that removes the credentials is now available. Because a hard-coded credential is the same on every installation, it cannot be rotated by the customer; the only fixes are to upgrade, and meanwhile to make sure the application's database and administrative interfaces are not reachable from untrusted networks.
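Hard-coded credentials of the kind described above are cheap to catch before shipping. The Python below is an added example, not code from the original post and not related to Medhost's product: it scans constructed sample source lines (invented for this example) for credential-like identifiers assigned a quoted literal, while ignoring values read from the environment, empty strings and commented-out lines.

```python
import re

# Constructed sample source lines standing in for an application's configuration
# and code; they are not taken from Medhost's product or any real code base.
SAMPLE_SOURCE = """\
DB_USER = "pims_admin"
DB_PASSWORD = "Sup3rS3cret!"
api_token = os.environ["PIMS_API_TOKEN"]
conn = connect(host="db01", user="svc_pims", password="changeme")
password = ""
# password = "old-value"
secret_key: "9f2b7c1e4d8a"
"""

# A credential-ish identifier, then an assignment or YAML/JSON separator, then a
# non-empty quoted literal. Reads from the environment or a vault do not match
# because the right-hand side is not a string literal.
CREDENTIAL_ASSIGNMENT = re.compile(
    r"""(?i)\b\w*(password|passwd|pwd|secret|api[_-]?key|token)\w*\s*[:=]\s*["']([^"']+)["']"""
)


def find_hardcoded_credentials(source: str) -> list:
    """Return (line_number, matched_keyword, literal_value) for each suspect line.
    Whole-line comments are skipped: a literal in a comment deserves a look in
    review, but it is not a live credential."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if line.lstrip().startswith(("#", "//")):
            continue
        for match in CREDENTIAL_ASSIGNMENT.finditer(line):
            findings.append((lineno, match.group(1).lower(), match.group(2)))
    return findings


if __name__ == "__main__":
    for lineno, keyword, value in find_hardcoded_credentials(SAMPLE_SOURCE):
        print(f"line {lineno}: hard-coded {keyword} = {value!r}")
```

Running this as a pre-commit or CI check over the repository is the cheap version of the control; the expensive version, which this example does not attempt, is runtime review of every authentication path for accounts that no configuration file created.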


10.   USB charging can expose smartphones to infection: When a phone is charged from an unknown charging point or public booth, a handshake takes place between the phone and the computer behind the port, and a fair amount of data is revealed to that computer, including device name, manufacturer, type, serial number and electronic chip ID. This information can be used by interested parties or cybercriminals to profile the user and, on some devices, to push malware. A charge-only cable or a 'USB condom' adapter that carries power but no data lines avoids the handshake altogether.

Sunday, May 22, 2016

Issue 65 - Week of May 16th

1.       Hacker steals money from bank and donates $11,000 to Anti-ISIS group: It sounds like a Robin Hood story: a hacker broke into an unnamed bank and donated the money to a Kurdish anti-ISIS group. The same hacker breached Hacking Team last year. This is an example of a hacker putting their skills to political use; while some have applauded his efforts, others are not impressed with the tactics used to raise the funds.

2.       Schools pay ransom to recover data: In February, 53 schools in a US county discovered that they had been hit by ransomware. Even though the schools had backups, the district worked out that restoring this much data to remote servers could take weeks, and each day that students and teachers are without access has a dollar value that rapidly exceeds the cost of paying the ransom. So the school district paid the criminals nearly $10,000 for the keys needed to decrypt its data. The lesson is that a backup only counts as a ransomware defence if the restore time has actually been tested. In Issue 61 we discussed a new ransomware that targets schools and hospitals, and in February a Hollywood hospital paid $17K in ransom.

3.       Hacker puts up 167 million LinkedIn passwords for sale: LinkedIn suffered a data breach in 2012, when what was believed to be 6.5 million user password hashes were posted online. Four years later the attack has come back to haunt LinkedIn, with hackers selling data belonging to 167 million users on the dark web. The passwords were stored as unsalted SHA-1 hashes, which makes cracking them easy: SHA-1 is fast, and without a per-user salt every user who chose the same password has the same hash, so one precomputed table cracks them all at once. After legal threats, the hacker search engine LeakedSource has chosen to remove the stolen data for the moment.
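To make the unsalted-SHA-1 point concrete, and to tie it to the top three passwords quoted in Issue 66, here is an added Python example (not code from the original post, and the accounts, hashes and wordlist are constructed for this example, not data from the LinkedIn dump). It cracks a toy unsalted SHA-1 table with a single lookup table, then stores the same passwords with a per-user salt and a slow KDF (PBKDF2-HMAC-SHA256, standard library) and shows what the attacker has to pay per guess instead.

```python
import hashlib
import os


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1, the storage format the LinkedIn dump used."""
    return hashlib.sha1(password.encode()).hexdigest()


# Constructed toy dump in the shape of the leak (email -> unsalted SHA-1 hex).
# Accounts are invented; the three weak passwords are the top picks reported
# from the real dump, the strong one is made up.
PLAINTEXTS = {
    "alice@example.com": "123456",
    "bob@example.com": "linkedin",
    "carol@example.com": "password",
    "dave@example.com": "123456",
    "erin@example.com": "c0rrect-h0rse-battery-St4ple",
}
LEAKED_UNSALTED = {user: sha1_hex(pw) for user, pw in PLAINTEXTS.items()}
WORDLIST = ["123456", "password", "linkedin", "qwerty", "111111", "abc123"]


def crack_unsalted(leaked: dict, wordlist: list):
    """One hash per wordlist entry, reused against every user: a lookup table.
    Returns (cracked accounts, number of hashes computed)."""
    table = {sha1_hex(w): w for w in wordlist}
    cracked = {user: table[h] for user, h in leaked.items() if h in table}
    return cracked, len(wordlist)


def hash_salted(password: str, salt: bytes = b"", iterations: int = 20_000):
    """Per-user random salt plus a deliberately slow KDF instead of bare SHA-1."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def crack_salted(leaked: dict, wordlist: list, iterations: int = 20_000):
    """No shared table is possible: every (user, candidate) pair costs a full
    KDF run, so the work scales with users x candidates, not just candidates."""
    cracked, hashes_computed = {}, 0
    for user, (salt, digest) in leaked.items():
        for w in wordlist:
            hashes_computed += 1
            if hashlib.pbkdf2_hmac("sha256", w.encode(), salt, iterations) == digest:
                cracked[user] = w
                break
    return cracked, hashes_computed


def demo():
    unsalted_cracked, unsalted_work = crack_unsalted(LEAKED_UNSALTED, WORDLIST)
    leaked_salted = {u: hash_salted(pw) for u, pw in PLAINTEXTS.items()}
    salted_cracked, salted_work = crack_salted(leaked_salted, WORDLIST)
    return unsalted_cracked, unsalted_work, salted_cracked, salted_work, leaked_salted


if __name__ == "__main__":
    uc, uw, sc, sw, _ = demo()
    print(f"unsalted SHA-1: {len(uc)} accounts cracked with {uw} hashes")
    print(f"salted PBKDF2 : {len(sc)} accounts cracked with {sw} slow KDF runs")
```

Salting and a slow KDF do not save "123456"; they make the attacker pay per user rather than per password, and they stop the identical hashes of alice and dave from revealing that two people share a password. Only the strong password survives in either case, which is why the user-side advice in the issue still matters.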

4.       1 Million computers hacked to make big money from AdSense: A group of cyber criminals has infected as many as 1 million computers around the world over the past two years with malware that hijacks search results pages through a local proxy. The malware drops JavaScript files that download and install a proxy auto-config (PAC) file, which redirects all web traffic through an attacker-controlled server where the real results are replaced with fake web pages. The goal is to earn the criminals money from Google's AdSense program. A machine whose browser or system proxy settings point at an unexpected PAC URL or local proxy is the tell-tale sign of this class of infection.

5.       Ukrainian hacker admits stealing corporate press releases for $30 Million profit: A 28-year-old Ukrainian hacker has pleaded guilty in the United States to stealing unpublished news releases and using that non-public information in illegal trading to generate more than $30 million in illicit profits. The hackers broke into the networks of several PR and newswire companies to read press releases before publication, studied them and bought stock in the companies concerned. In many cases the price moved up once the release went out, and the hackers then sold for a profit.

6.       TeslaCrypt ransomware group pulls plug, releases decrypt key: The somewhat surprising move last week by the operators of the TeslaCrypt ransomware family to cease operations and publicly release its universal master decryption key is good news for victims of the malware. But the move, welcome as it is, does not necessarily mean that the group will not simply release another variant or start afresh with a new malware campaign, security researchers warned. Andy Settle, head of special investigations at Forcepoint LLC, said it could have been a matter of self-preservation.

7.       Leading antivirus security flaw exposes Linux, Mac and Windows: The antivirus engine used in multiple Symantec products has an easy-to-exploit vulnerability that could let attackers compromise Linux, Mac and Windows computers. Because the engine intercepts system input and output, an attacker only needs to email a file; the victim does not even need to read the email, as the act of scanning it triggers the bug. The flaw was fixed last week via LiveUpdate. It is a reminder that a scanner is a privileged parser of attacker-controlled data, and a bug in it turns a defence into an unauthenticated remote entry point.

8.       Cyber-attackers targeted Bangladesh official in $81m stealing spree: The attackers behind the cyber-heist that left the Bangladesh central bank $81 million out of pocket targeted the PC of a Bangladeshi official to conduct the theft. According to Reuters, a Bangladesh diplomat admitted last week that a computer belonging to a central bank official was targeted in the attack.

9.       Presidential campaigns hit by hackers: The current US presidential candidates and their campaign sites have become targets for hackers. Officials said the motivation for these attacks ranges "from philosophical differences to espionage", with nation-state hackers going after candidates' foreign policy details. Attacks against presidential campaigns are nothing new: the 2008 and 2012 campaigns were hit hard by cyber-attacks as well.


10.   Good-guy hacker finds flaw that could have drained $25B from an Indian bank: By exploiting a vulnerable mobile application, a security researcher could have stolen as much as $25 billion from one of India's biggest banks with just a few lines of code. Being a white-hat hacker, he immediately reached out to the bank, alerted it to the critical issues in its mobile app and helped it fix them, instead of taking advantage of the holes to steal money from a bank that holds about $25 billion in deposits.


Monday, May 16, 2016

Issue 64 - Week of May 9th

1.       Tumblr discloses email security breach: Hackers obtained access to a set of Tumblr user email addresses with salted and hashed passwords dating from early 2013, the Yahoo-owned microblogging site announced last week. Tumblr staff said in a blog post that they believe the information was not used to access Tumblr accounts, but as a precaution the affected users will be required to set a new password.

2.       4 data breaches reported last week: (i) Kiddicare, a company that sells children's products and accessories across the United Kingdom, was hacked and 794,000 accounts were leaked. (ii) UserVoice, a web-based service that offers customer service and helpdesk tools, notified customers that it suffered a data breach in which some user accounts were compromised, including names, email addresses and passwords. (iii) Google suffered a minor data breach after a vendor unintentionally sent sensitive information about an undisclosed number of its employees to the wrong email address; luckily, the recipient deleted the email straight away. (iv) A fine of about $260,000 was imposed on a London-based HIV clinic for leaking the data of 781 HIV patients.

3.       InvestBank UAE breached: Close on the heels of the Qatar National Bank leak, a 10-gigabyte file of sensitive financial data taken from InvestBank in the United Arab Emirates (UAE) has been leaked online. The file contains information on tens of thousands of customers of the Sharjah-based bank. The dump appears to contain payment card data as well as a large number of sensitive internal files relating to the bank's employees and systems.

4.       Commercial Bank of Ceylon hacked?: Commercial Bank of Ceylon, based in Colombo, Sri Lanka, has apparently been hacked, with its data posted online last week by the Bozkurtlar hacking group, which has also posted five other data dumps from banks: Dutch Bangla Bank (Bangladesh), The City Bank (Bangladesh), Trust Bank (Bangladesh), Business Universal Development Bank (Nepal) and Sanima Bank (Nepal).

5.       'Pawn Storm' APT campaign rolls on with attacks in Germany, Turkey: The sophisticated hacking group known as 'Pawn Storm' set up a fake webmail server designed to look like a German political party's webmail server, in an apparent attempt to steal the email credentials of party members. They also went after the members' personal email credentials. In a similar attack, the Turkish prime minister, members of the country's parliament and Turkey's largest newspapers were targeted. Based on the profile of Pawn Storm's victims, the group is believed to operate out of Russia.

6.       OkCupid user account data released: OkCupid is a US-based free online dating, friendship and social networking site with users worldwide. Sensitive data, including usernames, sexual preferences, orientation and more, belonging to almost 70,000 users has been released online by researchers. Last year another online dating service, Ashley Madison, suffered a breach.

7.       Pornhub launches Bug Bounty program; offering rewards up to $25,000: With the growing number of cyber-attacks and data breaches, a significant number of companies and organisations have started bug bounty programs to encourage hackers and security researchers to find and responsibly report bugs in their services in return for a reward. Now even pornography sites are embracing bug bounties to safeguard their users' security. Pornhub has partnered with HackerOne, a startup that operates bug bounty programs for companies.

8.       10-year-old boy becomes the youngest Bug Bounty hacker: Jani, a 10-year-old Finnish boy from Helsinki, recently reported an Instagram bug to Facebook that allowed him to delete other Instagram users' comments just by entering malicious input into the app's comment field. Jani was rewarded $10K, which he says he will use to buy a football and a new bicycle. He has been learning about hacking and programming from instructional videos on YouTube, and his dream job is to become an information security expert.

9.       Sony 2014 breach linked to $81m Bangladesh Bank cyber heist: After SWIFT announced that a second, unnamed banking customer had been hit with malware similar to that used in the Bangladesh heist, a security firm published an analysis linking the tools used in both attacks to the 2014 attack on Sony Pictures. While North Korean hackers are believed to be behind the Sony breach, the recent attacks on banks are suspected to be the handiwork of North Korean and Pakistani hackers.


10.   Mozilla asks court to disclose Firefox exploit used by FBI to hack Tor users: Mozilla has filed a brief with a U.S. District Court asking that the FBI disclose the vulnerabilities in its Firefox browser that the agency exploited to unmask Tor users in a criminal investigation. Last year the FBI used a zero-day flaw to hack the Tor Browser and de-anonymise users visiting child abuse websites. Mozilla's concern is that the same flaw, if still unpatched, leaves all Firefox users exposed.



Sunday, May 8, 2016

Issue 63 - Week of May 2nd


1.       BEC hack scams company of $495,000: An investment company, Pomeroy Investment Corp, was recently robbed of $495,000 through a common email fraud in which the attacker, posing as a co-worker, had funds transferred to his own account. A staff member received an email from another "employee" of the company asking for a transfer of funds to a Hong Kong bank. The email appeared genuine to the recipient, who made the transfer. Only a few days later did the company realise it had been cheated via what is known as business email compromise (BEC). Police received a complaint about the incident and have cautioned against transferring any amount of money on the strength of an email alone, advising that such requests be verified through a separate channel, such as a phone call to a known number, before any transaction.
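The "posing as a co-worker" trick usually leaves traces in the headers: a familiar display name on an outside or lookalike address, or a Reply-To that quietly diverts the conversation. The Python below is an added example, not code from the original post and not based on the actual Pomeroy email: it runs a few such checks over two constructed messages (company domain, directory and message text are all assumptions for this example) and lists the indicators it finds.

```python
import difflib
import email
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                      # assumed corporate domain
# Constructed internal directory: display name -> the only address it may use.
DIRECTORY = {"Dana Chen": "dana.chen@example.com"}

# Constructed messages modelled on the scenario above (not the real Pomeroy email).
SUSPECT_MESSAGE = """\
From: Dana Chen <dana.chen@examp1e.com>
Reply-To: dana.chen.cfo@mail-relay.net
To: accounts@example.com
Subject: Urgent wire transfer - confidential

Please transfer the funds today to the Hong Kong account below. I am in meetings, email only.
"""

LEGIT_MESSAGE = """\
From: Dana Chen <dana.chen@example.com>
To: accounts@example.com
Subject: Lunch on Thursday

Shall we do the team lunch on Thursday instead of Friday?
"""

PAYMENT_WORDS = ("wire", "transfer", "bank account", "payment")


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def is_lookalike(domain: str, target: str, threshold: float = 0.8) -> bool:
    """Flag near-miss domains (examp1e.com vs example.com) that fool a quick glance."""
    return domain != target and difflib.SequenceMatcher(None, domain, target).ratio() >= threshold


def bec_indicators(raw_message: str) -> list:
    """Return human-readable reasons this message looks like BEC; empty means none found."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, sender = parseaddr(str(msg["From"]))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    reasons = []

    expected = DIRECTORY.get(display_name)
    if expected and sender.lower() != expected:
        reasons.append(f"display name {display_name!r} but sender {sender} is not {expected}")
    if is_lookalike(domain_of(sender), COMPANY_DOMAIN):
        reasons.append(f"sender domain {domain_of(sender)} is a lookalike of {COMPANY_DOMAIN}")
    if reply_to and domain_of(reply_to) != domain_of(sender):
        reasons.append(f"Reply-To {reply_to} diverts replies to another domain")

    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (str(msg["Subject"]) + " " + body).lower()
    if any(word in text for word in PAYMENT_WORDS):
        reasons.append("message requests a payment; verify out of band before acting")
    return reasons


if __name__ == "__main__":
    for reason in bec_indicators(SUSPECT_MESSAGE):
        print("-", reason)
```

None of these indicators is proof on its own, and a compromised genuine mailbox defeats all of them, which is why the out-of-band verification the police recommend is the control that actually stops the transfer.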

2.       Another ransomware victim: A Michigan public utility is currently cleaning up its administrative systems after an undisclosed number of computers were infected with ransomware. The agency stressed that the incident "should have no impact on the delivery of water and electricity to its customers". In February, a ransomware attack shut down medical record systems at a Los Angeles hospital, which paid the criminals $17,000 in ransom.

3.       Wendy's hit with lawsuit over data breach: A class action lawsuit has been filed against Wendy's for alleged negligence in securing its computer systems and customer data. According to the filing, Wendy's did not update its computer systems when required, leaving them susceptible to attack. Details of millions of customer credit cards were possibly leaked from various Wendy's locations. The lawsuit accuses Wendy's of using outdated payment card systems that do not comply with federal guidelines, and of holding card details for longer than necessary.

4.       For sale: 272 million email passwords for just $1: A massive database of email addresses and passwords for popular email services, including Gmail, Microsoft and Yahoo, is being offered for sale on the dark web for $1. An anonymous Russian hacker who goes by the moniker "the Collector" was first spotted advertising 1.17 billion email account records on a dark web forum. A large share of those 1.17 billion credentials turned out to be duplicates, leaving 272 million unique records. In an unrelated but similar incident, it was revealed last week that a database containing the details of over 57 million email accounts was put up for sale on the dark web.

5.       ImageMagick tool vulnerable to remote code execution: ImageMagick is an open-source image processing library that lets users resize, scale, crop, watermark and otherwise tweak images. A serious zero-day vulnerability has been discovered in ImageMagick that could allow attackers to execute malicious code remotely on servers by uploading a maliciously crafted image. The vulnerability will be patched in the next versions, due to be released by this weekend. Any web application that passes user-uploaded files to ImageMagick is exposed until then, so at a minimum such uploads should be checked to really be the image type they claim to be before they are processed.

6.       ADP data used in US bank employee W-2 breach: ADP is a payroll processing provider. Thieves registered accounts on the ADP portal in the names of employees who had not yet registered themselves, and used those accounts to siphon off W-2 information. This leaves the victims exposed to the risk of tax returns being filed fraudulently in their names. Mattel, Snapchat, Seagate and Polycom have all recently lost W-2 data.

7.       2016 Global threat report: INSIDER THREAT - THE MALICIOUS AND THE ACCIDENTAL: Insider threats refer to attacks that either originate from, or receive cooperation from, sources within an organisation. Attackers are targeting insiders within organisations, or via business partners and third-party suppliers, and gaining access to networks by manipulating staff into revealing their credentials. With these stolen credentials, criminals move through networks, accessing and stealing sensitive data, often going unnoticed until it is too late. The industry measures the time an attacker spends inside a network as dwell time, which begins when the attacker enters the network and continues until they leave or are forced out. Minimising dwell time reduces the attacker's opportunity to move laterally and steal data.

8.       Russian hacker who stole from banks ordered to pay $7 million: A Russian man who spent about three years behind bars in the United States has been spared further prison time because of his "substantial assistance" in the investigation, but has been ordered to pay $7 million to cover the damage he caused to banks with Gozi, a vicious banking trojan. He rented the Gozi malware out for $500 a week to cyber criminals, who in turn used it to steal money from bank accounts, and he also remotely controlled the compromised computers as a botnet to steal data and access bank accounts.

9.       High-severity OpenSSL vulnerability allows hackers to decrypt HTTPS traffic: OpenSSL has released patches for six vulnerabilities, including a pair of high-severity flaws that could allow attackers to execute malicious code on a web server or decrypt HTTPS traffic. One of the high-severity flaws allows a man-in-the-middle attacker to mount a padding oracle attack that can decrypt HTTPS traffic if the connection uses an AES-CBC cipher suite: the server's behaviour differs depending on whether the padding of a tampered record is valid, and that single bit of information, collected over many tampered records, is enough to recover the plaintext byte by byte. The other high-severity bug is a memory corruption flaw in OpenSSL. The fix is to update OpenSSL; as defence in depth, preferring AEAD cipher suites such as AES-GCM over CBC suites removes this class of attack entirely.
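To show why "padding valid or not" is enough to decrypt, here is an added Python example (not code from the original post, not the OpenSSL bug itself, and not an exploit for it): a generic CBC padding oracle attack. It encrypts a constructed message under CBC with PKCS#7 padding, hands the attacker an oracle that answers only "was the padding valid?", and recovers the plaintext with no key. The block cipher is a toy Feistel construction built on SHA-256 so the block runs with the standard library; the attack never looks inside it and works the same way against AES-CBC.

```python
import hashlib
import os

BLOCK = 16


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- Stand-in block cipher: 8-round Feistel network keyed through SHA-256.
# NOT a real cipher; it only exists so this runs without third-party libraries.
def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in range(8):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(8)):
        left, right = _xor(right, _round_fn(key, rnd, left)), left
    return left + right


# --- CBC mode with PKCS#7 padding, as TLS CBC cipher suites use it.
def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    padded, out, prev = pkcs7_pad(plaintext), b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out += _xor(block_decrypt(key, cur), prev)
        prev = cur
    return pkcs7_unpad(out)


# --- The leak: a server that reveals only whether the padding was valid.
class PaddingOracle:
    def __init__(self, key: bytes):
        self.key, self.queries = key, 0

    def __call__(self, iv: bytes, ciphertext: bytes) -> bool:
        self.queries += 1
        try:
            cbc_decrypt(self.key, iv, ciphertext)
            return True
        except ValueError:
            return False


# --- The attack: recover D_K(target) one byte at a time, right to left.
def recover_block(oracle, prev: bytes, target: bytes) -> bytes:
    inter = bytearray(BLOCK)                 # intermediate D_K(target), learned byte by byte
    for pad in range(1, BLOCK + 1):
        pos = BLOCK - pad
        forged = bytearray(BLOCK)            # bytes left of pos stay zero; they do not matter
        for k in range(pos + 1, BLOCK):      # force the already-known tail to decrypt to `pad`
            forged[k] = inter[k] ^ pad
        for guess in range(256):
            forged[pos] = guess
            if not oracle(bytes(forged), target):
                continue
            if pad == 1:
                # A hit might be an accidental longer padding (..02 02). Disturb byte 14
                # and re-ask; a genuine 0x01 padding does not depend on byte 14.
                forged[pos - 1] ^= 0xFF
                still_valid = oracle(bytes(forged), target)
                forged[pos - 1] ^= 0xFF
                if not still_valid:
                    continue
            inter[pos] = guess ^ pad
            break
        else:
            raise RuntimeError("oracle accepted no guess; is this really a padding oracle?")
    return _xor(bytes(inter), prev)          # plaintext block = D_K(target) XOR previous block


def padding_oracle_attack(oracle, iv: bytes, ciphertext: bytes) -> bytes:
    blocks = [iv] + [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    plain = b"".join(recover_block(oracle, blocks[i - 1], blocks[i]) for i in range(1, len(blocks)))
    return pkcs7_unpad(plain)


# Constructed demo values; the attacker never sees KEY.
KEY = os.urandom(32)
IV = os.urandom(16)
MESSAGE = b"Cookie: session=8f2a7c19e3b4; user=alice; role=admin"


def demo():
    oracle = PaddingOracle(KEY)
    recovered = padding_oracle_attack(oracle, IV, cbc_encrypt(KEY, IV, MESSAGE))
    return recovered, oracle.queries


if __name__ == "__main__":
    recovered, queries = demo()
    print(f"recovered {recovered!r} with {queries} oracle queries and no key")
```

The cost is at most 256 queries per byte, so a 64-byte record falls in a few thousand tries; in a real deployment the "oracle" is any observable difference in error, timing or behaviour between bad padding and bad MAC, which is exactly what the patch closes.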


10.   IRCTC denies hack, says committee is examining alleged data theft: IRCTC has a total user base of 39 million and sells 500,000 railway tickets every month. Last week the police cyber cell found a CD containing 15K IRCTC data records on sale in the market. This led to widespread speculation that IRCTC had been hacked. IRCTC has denied the hack but has formed a team to investigate the data theft.

Monday, May 2, 2016

Issue 62 - Week of April 25th


1.       Qatar National Bank Probes Possible Data Breach: Qatar National Bank is probing reports of an online leak of confidential data belonging to a large number of its customers, but has not confirmed that it suffered a breach. The leaked details include names, passwords and banking information of customers including journalists, members of the ruling family, and government and defence officials. Some 1.5GB of information was found online, and Reuters reports seeing records of recent overseas remittances in it. The bank is one of the largest in the Middle East.

2.       German Nuclear Power Plant Infected With Malware: A German nuclear power plant near Munich was reportedly found to be infected with malware. The operator has confirmed that, since the plant is cut off from the Internet, the infection did not affect or harm operations. Conficker and W32.Ramnit were discovered in unit B of the Gundremmingen plant on the computer system that operates the tools that move nuclear fuel rods. Conficker is a worm that can spread quickly through networks, while W32.Ramnit steals files from computers and spreads through USB sticks. That both reached an air-gapped system shows that removable media crossing the gap needs the same controls as a network connection.

3.       Spotify Hacked! Change your Password ASAP: If you are one of the millions of people around the world who listen to music on Spotify, you may need to change your password immediately. Spotify apparently suffered a security breach that leaked details of hundreds of Spotify accounts, including emails, usernames, passwords and account type, which were published last week on the popular anonymous file-sharing site Pastebin. Spotify is investigating. A couple of months ago, hundreds of Spotify Premium accounts were exposed online.

4.       Nearly 93.4 Million Mexican Voter Data Leaked Online: A researcher browsing Shodan, a search engine for servers and Internet-connected devices, discovered a database of over 100 gigabytes sitting completely open on the Internet for anyone to download. It turned out to be the voter registration database for Mexico, containing the personal information, including full names, residential addresses and national identification numbers, of virtually all registered voters. The Philippines and Turkey have suffered similar leaks of voter data.

5.       DDoS Extortionists made $100,000 without Launching a Single Attack: Cyber crooks have found a new and ingenious way to make hundreds of thousands of dollars with no effort. An unknown gang, pretending to be the Armada Collective, has made more than $100,000 in less than two months simply by threatening to launch DDoS attacks on websites, without ever launching a single one. The Armada Collective is the criminal gang responsible for one of the largest DDoS attacks on ProtonMail in November 2015, extorting $6,000 to stop a sustained attack that had knocked the service offline. The lesson for targets is that an extortion email is not evidence of capability; paying without seeing an actual attack only funds the next round of threats.

6.       Details emerge on the Bangladesh Heist: Investigators discovered that the hackers who stole $81 million from the Bangladesh central bank compromised the bank's installation of the SWIFT software, a key part of the global financial system. The hackers used custom malware to hide evidence and avoid detection, erasing records of the illicit transfers from the compromised SWIFT system. Bangladesh police investigators also uncovered evidence that the bank was running its network on second-hand $10 network switches with no firewall, which gave the attackers access to the bank's entire infrastructure, including the SWIFT servers, once they were inside.

7.       Former Tor Developer Created Malware for FBI to Unmask Tor Users: Tor is anonymity software used by millions of people, including government officials, human rights activists, journalists and, of course, criminals around the world, to keep their identity hidden while browsing the Internet. According to an investigation, a cyber-security expert and former employee of the Tor Project helped the FBI build Cornhusker, a.k.a. Torsploit, malware that allowed the Feds to hack and unmask Tor users in several high-profile cases, including Operation Torpedo and Silk Road.

8.       MIT University Launches Bug Bounty Program: The Massachusetts Institute of Technology (MIT) launched its experimental bug bounty program this week, which aims to encourage university students and security enthusiasts to find and responsibly report vulnerabilities in its official websites. MIT becomes the first academic institution to reward hackers; the program is open only to university affiliates with valid MIT certificates. Other recent bug bounty programs: Uber, General Motors and the Pentagon.

9.       Irremovable Android malware poses as Google Chrome update: A banking and personal information stealing mobile malware that poses as a Google Chrome update for Android, and which cannot be removed from the infected device, has been spotted in the wild by security researchers. The malware harvests banking information, call logs, SMS data and browser history, all of which are sent to a remote command-and-control server. It cannot be removed because it refuses to let the user revoke its device administrator access. The only way to clean the infection is to return the device to factory settings, which destroys all data stored on the phone. The warning sign to watch for is a "Chrome update" that arrives as a sideloaded APK and asks for device administrator rights, which a genuine Play Store update never does.

10.   Bank of Baroda hacked: Hackers infiltrated the bank's systems and began carrying out transactions with the debit cards of BoB customers. No one-time passwords were generated or required for the fraudulent transactions. 70 customers' accounts were affected, with reported losses of over ₹1 million.