The company confirmed this information, saying that a few weeks ago, hackers penetrated the company’s network, gained access to internal tools and source codes. It is emphasized that at the same time, the attackers were unable to steal confidential information about T-Mobile customers.

Let me remind you that we have already talked about the strange hack group Lapsus$, which blackmailed Nvidia, leaked the source codes of Microsoft, as well as Ubisoft, and Samsung, compromised Okta, but fame for hackers was clearly more important than financial gain.

The well-known investigative journalist Brian Krebs, who has specialized in information security for many years and has repeatedly exposed various hack groups and helped law enforcement officers in their investigations, reported on the T-Mobile hack.

Krebs, who got into the private chats of the group members, writes that the attack on T-Mobile took place some time ago, even before the arrests of seven alleged Lapsus$ members, which UK law enforcement agencies reported at the end of March 2022.

According to the chat logs, the VPN credentials that the group used for initial access were purchased and stored on the dark web, on sites such as Russian Market. The goal of the attackers was to compromise the accounts of T-Mobile employees, which ultimately allowed them to carry out SIM-swap attacks.

In addition to accessing an internal customer account management tool called Atlas, the hackers’ discussions suggest they gained access to Slack and Bitbucket accounts, using the latter to download 30,000 source code repositories.

At the same time, hackers were looking for T-Mobile accounts associated with the FBI and the US Department of Defence in Atlas (see screenshot below). To their disappointment, it turned out that additional verification procedures were needed to work with such accounts.

Interestingly, after failing to keep records of the FBI and other intelligence agencies, the leader of the group, a 17-year-old teenager from the UK, known by the nicknames White, WhiteDoxbin and Oklaqq, told other hackers to focus on stealing source codes and breaking the VPN connection with Atlas, which WhiteDoxbin considered “garbage”. The other members of the band were extremely unhappy with this decision.

After the publication of Krebs’s article, T-Mobile representatives confirmed the hack. The company stated:

The post T-Mobile Admits that Lapsus$ Hack Group Stole Its Source Codes appeared first on Gridinsoft Blog.

The cybercriminal group DarkSide behind the attack on the Colonial Pipeline hastened to disown any political motives.

According to the hackers, they are apolitical and “do not participate in geopolitics.” However, according to journalist Brian Krebs, the cybercriminals’ statement is not true.

According to the journalist, similarly to other ransomware programs, DarkSide contains an embedded list of countries in which it does not infect computer systems. As a rule, this list includes the countries of the former USSR and the CIS countries. In particular, the DarkSide list includes: Azerbaijan, Armenia, Belarus, Georgia, Kazakhstan, Kyrgyzstan, Moldova, Russia, Romania, Syria, Turkmenistan, Tajikistan, Tatarstan, Ukraine and Uzbekistan.

Before installing on a system, the malware checks for the presence of the language of the country from the list and, if it is detected, is not installed.

However, the refuse from language check increases the security risk of cybercriminals themselves and reduces profits, explained the chief researcher of the New York-based information security company Unit221B Allison Nixon.

Because of Russia’s “unique legal culture”, Nixon said, Russian cybercriminals use language tests to make sure their victims are abroad.

Does this mean that installing the Russian layout will one hundred percent secure the system from hackers? Not. There are many groups in the cybercriminal world that, unlike DarkSide, don’t care about the victims of their attacks. Changing language settings cannot replace cyber hygiene and cybersecurity best practices, Krebs emphasizes. However, the expert sees no reason why not to try such simple preventive way to keep yourself safe.

Let me remind you that I also wrote that NATO experimented with deceptive techniques to combat Russian hackers.

The post Cyrillic on the keyboard may become a “vaccine” against Russian hackers appeared first on Gridinsoft Blog.

The fact is that Krebs is famous for his investigations and revelations, and over the long years of his career, he helped find and de-anonymize more than a dozen criminals, which the latter, of course, do not like at all.

Criminals have been taking revenge on the journalist for many years. So, criminals have been already sent a SWAT team to Krebs home, they took a loan on his behalf for $20,000, transferred $1,000 to his PayPal account from a stolen payment card, and the PayPal account itself was compromised more than once. They even tried to transfer money from Krebs’ account to the terrorist the ISIS subsidiary. After disclosure of the Mirai IoT malware authors, Krebs’ website suffered one of the most powerful DDoS attacks in history at that time.

A couple of years ago, users of the German imageboard Pr0gramm (pr0gramm.com), with which the operators of the Coinhive cryptojacking service were associated, standed against the journalist. Offended by the Krebs investigation, users launched the #KrebsIsCancer campaign on social networks (“Krebs is cancer”). The fact is that in German the surname of the journalist, Krebs, translates as “cancer”, and on Pr0gramm they decided to literally “fight cancer”: they trolled Krebs and eventually donated more than $120,000 to this fight.

It is also worth noting that malware authors often mention Brian Krebs in the code of their programs as a kind of “hello”. According to the journalist, a complete list of such cases would consist of hundreds of pages.

Yesterday there was a post on KrebsOnSecurity titled “No, I Didn’t Hack Your MS Exchange Server“. In it, Krebs says that now “on his behalf” attacks are taking place on servers that are vulnerable to ProxyLogon problems.

The researcher writes that the Shadowserver Foundation found that Microsoft Exchange servers are being attacked by the KrebsOnSecurity and Yours Truly malware.

For example, the attackers first host the Babydraco web shell on the vulnerable server at /owa/auth/babydraco.aspx. The malicious file krebsonsecurity.exe is then loaded via PowerShell, which transfers data between the victim server and the attacker’s domain – Krebsonsecurity[.]top.

Shadowserver has found more than 21,000 Exchange servers running the Babydraco backdoor, although they do not know how many of those systems were downloading secondary payloads from a rogue version of Krebsonsecurity.

The researcher cites the December post of one of the website visitors:

Krebs explains that instead of “XXX-XX-XXX”, that address was his social security number. “I was killed through DNS,” he sums up.

Let me also remind you that we reported that Researcher Published PoC Exploit for ProxyLogon Vulnerabilities in Microsoft Exchange.

The post Hackers attack Microsoft Exchange servers on behalf of Brian Krebs appeared first on Gridinsoft Blog.

Krebs first turned his attention to this domain when a man named Mike O’Connor, who owned it for 26 years, put it up for sale in February this year. Then the domain was put up for auction, and its starting price was $1.7 million.

Speaking with Krebs, O’Connor said he was very worried that the domain would buy Microsoft, but explained that he desperately needed money.

Why is Corp.com so dangerous? The fact is that when setting up Active Directory, many companies’ administrators use it as a stub.

“This problem is known as a namespace collision: when domain names that are intended to be used exclusively on a company’s internal network end up intersecting domains that can resolve onto the open Internet”, – Explains Brian Krebs.

Unfortunately, in earlier versions of Windows with Active Directory support (for example, Windows 2000 Server), “corp” was used as an example or Active Directory path by default, and many companies apparently used this parameter without changing it.

The situation is complicated by the fact that some companies are building or assimilating vast networks based on this erroneous setup.

What happens if an employee who works for a company that uses the Active Directory corp path takes their corporate laptop with them to their local Starbucks?

“Most likely, some resources on his laptop will try to access this internal “corp ”domain. By virtue of how Windows DNS name resolution works, this corporate laptop that has gone online via the Starbucks wireless network is likely to search resources on corp.com”, — says Brian Krebs.

In essence, this means that the person under the control of corp.com can passively intercept the private communications of hundreds of thousands of computers that are outside their corporate environment, where the designation “corp” was used for the Active Directory domain.

In fact, if Microsoft had not acquired the domain, its buyer could use Corp.com to collect passwords, emails, and other sensitive data from a variety of misconfigured corporate machines.

Mike O’Connor, who is 70 years old, says this was one of the reasons for the sale: many computers constantly tried to share data with his domain.

Ok, now Microsoft has corp.com, but it seems that the company has not fixed issues in its problematic subdomains, and I recently wrote about.

The post Microsoft bought the domain Corp.com, so criminals would not do it appeared first on Gridinsoft Blog.