Krebs On Security – Gridinsoft Blog. Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe. Feed generated Fri, 31 May 2024 01:04:03 +0000.

Google Stops Glupteba Botnet and Sues Two Russians
https://gridinsoft.com/blogs/google-stops-glupteba-botnet-and-sues-two-russians/
Wed, 08 Dec 2021 18:43:58 +0000
Google representatives said that they have disrupted the Glupteba botnet: they deleted the accounts, and also disabled the servers and domains associated with it. In addition, the company has filed a lawsuit against the Russians Dmitry Starovikov and Alexander Filippov, who are accused of creating and operating the botnet.

According to an expert report, Google removed about 63 million files from Google Docs, which Glupteba operators used to distribute their malware, as well as 1183 Google accounts, 908 cloud projects and 870 Google Ads accounts, which hackers also used to host various parts of their botnet.

In addition, over the past few days, Google has been working with several hosting providers and internet infrastructure companies (such as Cloudflare) to shut down Glupteba’s C&C servers.

Unfortunately, the company admits that this operation will only cause temporary problems in the operation of the botnet, since the malware was originally created with a backup C&C system that runs on top of the Bitcoin blockchain. However, Google hopes that Glupteba will reduce its activity for at least a few months.

The Glupteba botnet was first documented in an ESET report back in 2011. Today it is one of the oldest botnets in the world, which attacks users in the United States, India, Brazil and Southeast Asia.

“Glupteba attacks only Windows systems and relies on hacked or pirated software and pay-per-install schemes for distribution. Having penetrated the device, the malware loads various modules that can perform specialized tasks,” experts say.

On compromised machines, Glupteba steals credentials and cookies, mines cryptocurrency, and deploys and exploits proxy components targeting Windows systems and IoT devices.

One of the most famous botnet modules is capable of spreading infection from a Windows computer to MikroTik routers found on internal networks. It is believed that this particular module was used at the beginning of this year to build the Mēris botnet, responsible for some of the largest DDoS attacks to date.

In addition to creating technical problems for the work of Glupteba, Google experts say that they have managed to identify two Russian citizens who are associated with some of the deactivated domains and accounts.

In court documents, Google claims that Dmitry Starovikov and Alexander Filippov are the creators and operators of Glupteba, and that another 15 unknown persons are their accomplices. According to the company, they operated several sites where they advertised the capabilities of their botnet, for example dont.farm, where they sold access to hacked Google and Facebook ad accounts. It is believed that the hackers obtained the credentials for these accounts through their botnet and later sold the access to other attackers.


Moreover, Google believes that this is all just part of Glupteba, a larger “criminal enterprise”, which also included the management of AWMProxy.net (later vd.net) and abm.net. These resources made it possible to rent access to proxies hosted on the computers of Glupteba victims.


As part of its lawsuit, Google is seeking compensation for damages, an injunction barring the two suspects from interacting with any Google services, and a ruling that the creators of Glupteba violated a number of US laws: the Racketeer Influenced and Corrupt Organizations Act (RICO), the Computer Fraud and Abuse Act, the Electronic Communications Privacy Act and the Lanham Act (Federal Trademark Act of 1946), and engaged in improper business interference to obtain illicit enrichment.

Let me remind you that I also wrote that the US authorities accused a Ukrainian citizen of running a brute-force botnet.

Hackers broke into FBI mail server and sent fake cyberattack alerts
https://gridinsoft.com/blogs/hackers-broke-into-fbi-mail-server/
Mon, 15 Nov 2021 19:06:29 +0000
Last weekend, unknown hackers managed to break into the mail server of the Federal Bureau of Investigation (FBI). Hackers used the access to send letters that imitated FBI alerts about cyberattacks and data theft.

Spamhaus, a non-profit spam-tracking organization, reported that such emails were delivered to tens of thousands of recipients in two waves. At the same time, experts believe that about 100,000 letters are only a small part of the campaign.

According to Spamhaus, messages came from a legitimate address eims@ic.fbi.gov, with IP 153.31.119.142 (mx-east-ic.fbi.gov), and the subject line said “Urgent: Threat actor in systems”.


Spamhaus said the mailing was followed by a flood of phone calls and letters from concerned organizations seeking more information on the attacks on FBI offices. Although the emails were clearly fake (they contained many spelling errors), the mailing caused serious panic, as the messages passed SPF and DKIM checks, that is, they were sent from real FBI servers and so bypassed spam filters.

Worse, the attackers’ messages claimed that a certain Vinny Troia was responsible for these attacks. Troia is a renowned cybersecurity researcher who leads darknet research at NightLion Security and Shadowbyte. The fact that the attackers blamed Vinny Troia for non-existent attacks was commented on by renowned information security specialist Marcus Hutchins.

“Vinny Troia has written a book that sheds light on [the activities of] the hacker group TheDarkOverlord. Soon after, someone started erasing ElasticSearch clusters, leaving his name behind. Later, his Twitter and his website were hacked. Now someone sent it out from the hacked FBI mail server,” Hutchins writes on his Twitter account.

Troia himself writes on Twitter that, in his opinion, the incident is the work of a person known as pompompurin. In the past, this person has already been involved in incidents aimed at damaging the researcher’s reputation.

“The last time they [pompompurin] hacked into the National Center for Missing Children, and posted a blog post saying I was a pedophile,” Troia told Bleeping Computer.

Moreover, a few hours before the attack on the FBI mail server and the sending of spam, pompompurin contacted the researcher on Twitter and advised him to “enjoy” what was about to happen.

The FBI has already confirmed the break-in. The agency said it was already investigating the incident, and the compromised server was temporarily shut down to stop spamming.

Apparently, the hackers took advantage of a vulnerability in the software running on the server to send messages. At the same time, the compromised machine was isolated from the agency’s corporate mail and did not give access to any data or personal information on the FBI network.

Well-known cybersecurity journalist Brian Krebs notes that the LEEP (Law Enforcement Enterprise Portal) allowed anyone to apply for an account, but the registration process required filling out contact information.

“An important step in this process was that candidates received a one-time password confirmation by email from eims@ic.fbi.gov. And this code, as well as the applicant’s contact information, leaked through the HTML code of the page,” Krebs writes.

As a result, using a special script, the attackers were able to change the parameters, specify the subject and text of the email of their choice, and automate the sending of messages.

Let me remind you that I also wrote that a list of terrorism suspects monitored by the FBI leaked online.

Users can be lured to a malicious site through a vulnerability in Apple AirTag
https://gridinsoft.com/blogs/vulnerability-in-apple-airtag/
Fri, 01 Oct 2021 13:14:06 +0000
Security researcher Bobby Rauch discovered a vulnerability in AirTag key fobs, which Apple advertises as a convenient solution for tracking personal belongings (for example, laptops, phones, car keys, backpacks, and so on).

The gadgets are susceptible to a stored XSS vulnerability. Rauch disclosed the issue even though a patch is not yet available, as he was disappointed in Apple’s bug bounty program.

The root of the vulnerability lies in the fact that when an AirTag owner turns on “lost mode” (that is, they cannot find their item), they can add a phone number and a custom message that will be displayed to anyone who finds the AirTag and scans it with any NFC-capable device.


Rauch noticed that the unique page created on found.apple.com for each AirTag is prone to stored XSS and the problem could be exploited by inserting malicious data into the phone number field.

The researcher describes the following attack scenario: an attacker turns on “lost mode” for his own AirTag and intercepts the request associated with this operation. Then he enters malicious data into the phone number field.

After that, the attacker only has to drop the AirTag in a place where his target (or a bystander, if the attack is opportunistic) will find the key fob and scan it. After scanning such an AirTag, the malicious payload is launched immediately.

Rauch demonstrated such an attack by injecting a payload that redirects the victim to a phishing page that mimics iCloud. Since we are talking about an Apple product, the iCloud login page may not raise suspicion from the victim, although, in fact, no credentials need to be provided when scanning the found AirTag.

In a similar way, a criminal can lure his victim to any other site, including one that distributes malware, or create another payload which, for example, will intercept session tokens and clicks.

Rauch also notes that a malicious found.apple.com link can be used on its own by sending it directly to the target. In this case, the payload is launched when the link is opened, and there is no need to scan the AirTag at all.

Rauch told the well-known cybersecurity journalist Brian Krebs that he notified Apple of the problem on June 20, 2021, but the company reacted very slowly, constantly sending replies that specialists were studying the bug. Apple also refused to answer the expert’s questions about the possible reward for the detected error. As a result, Rauch was completely disappointed in Apple’s bug bounty and decided to publish the details of the vulnerability in the public domain.

Let me remind you that recently another information security specialist disclosed the details of an iOS lock screen bypass, and also wrote that this was a kind of revenge on Apple for the fact that earlier in 2021 the company downplayed the significance of similar lock screen bypass problems he had reported. Shortly thereafter, a researcher known by the nickname Illusion of Chaos published detailed descriptions and exploits for three 0-day vulnerabilities in iOS. He explained that he had reported these issues to Apple at the beginning of the year, but the company never released any patches.

The Washington Post devoted a long article to this problem, in which many cybersecurity specialists described the same problems and argued that the company has left their bug reports unattended for months, released ineffective patches, understated the size of rewards and generally barred researchers from further participation in the bug bounty if they started to complain.

Let me also remind you that I wrote that experts showed fraudulent payments from a locked iPhone with Apple Pay and a Visa card.

New feature in Exchange Server will apply fixes automatically
https://gridinsoft.com/blogs/new-feature-in-exchange-server-will-apply-fixes/
Tue, 28 Sep 2021 21:46:35 +0000
Microsoft has added a new feature to Exchange Server that will automatically take action to remediate high-risk vulnerabilities (most likely already exploited by hackers).

This should protect Exchange servers from attacks and give administrators more time to install full-fledged patches when Microsoft releases them. The fact is that zero-day vulnerabilities in Microsoft Exchange have recently been regularly exploited by “government hackers”, as well as by groups pursuing financial gain.

For example, I recently wrote that the US and UK accused China of attacks on Microsoft Exchange servers. Moreover, Sophos experts have discovered the Epsilon Red ransomware, which exploits vulnerabilities in Microsoft Exchange servers to attack other machines on the network.

The new functionality is called Microsoft Exchange Emergency Mitigation (EM) and is based on the Exchange On-premises Mitigation Tool (EOMT), released in March this year to help identify and fix ProxyLogon problems.

EM runs as a Windows service on Exchange Mailbox servers and will be automatically installed on Exchange Server 2016 and Exchange Server 2019 mailbox servers after the September 2021 cumulative update (or newer) is deployed. Administrators can disable EM if they don’t want Microsoft to automatically apply security measures to their servers.

The new functionality will detect Exchange servers that are vulnerable to one or more known issues and automatically apply temporary mitigation measures to them (until administrators can apply full patches).

So far EM offers three types of protection:

  • a custom IIS rewrite rule that blocks certain patterns of malicious HTTP requests that could compromise the Exchange server;
  • disabling the vulnerable service on the Exchange server;
  • disabling the vulnerable application pool on the Exchange server.

“The new service will not replace the installation of security updates on Exchange Server, but it is the fastest and easiest way to mitigate the highest risks to Internet-connected on-premises Exchange servers before installing the appropriate patches,” the developers write.

Let me also remind you that I talked about the fact that Hackers attack Microsoft Exchange servers on behalf of Brian Krebs.

The Ransomwhere project creates a database of ransomware payments
https://gridinsoft.com/blogs/the-ransomwhere-project/
Tue, 13 Jul 2021 21:04:38 +0000
Jack Cable, a Stanford student and Krebs Stamos Group cybersecurity researcher, created the Ransomwhere project, a free and open database of payments that have been transferred to various ransomware groups.

This database, devoid of any personal information, will be available to information security specialists and law enforcement officers for free download. Unfortunately, such a database can be easily corrupted by fake material, but to counter this, Cable plans to study all submissions, and in the future plans to add a voting system for individuals so that reports can be flagged as fake.

In general, the site is very simple: it allows ransomware victims and security specialists to submit copies of their ransom notes to Ransomwhere, along with the ransom amount and the bitcoin address to which the victim transferred the payment. That address is then indexed in the public database.

The main idea is to create a centralized system that tracks payments sent to hackers, which will allow the scale of their profits and operations, about which very little is known, to be assessed more accurately. The creator of the project hopes that the anonymous exchange of payment data through a third-party service such as Ransomwhere will remove some barriers in the information security community, such as nondisclosure agreements and business competition.

So far, Cable relies only on publicly available materials to expand its database, but the researcher told The Record that he is already exploring “the possibility of partnerships with analytical companies in the field of information security and blockchain to integrate the data they may have about the victims.”

“It could also be interesting to explore tracking downstream bitcoin addresses — e.g. once the criminals receive a payment, where do they go? As the project goes on, I may explore doing it myself or partnering with firms that specialize in this,” Jack Cable said.

Reporters note that the launch of the Ransomwhere project is very similar to the launch of the ID-Ransomware project created by Michael Gillespie in early 2016. Initially, it was a site where victims could upload the ransom notes they received, and the site told them which malware family had attacked their systems and where they could get help recovering their files. As a result, ID-Ransomware has become an indispensable tool for many incident response specialists.

Let me remind you that I also talked about the fact that the HIBP (Have I Been Pwned?) leak aggregator opened its source code.

Cyrillic on the keyboard may become a “vaccine” against Russian hackers
https://gridinsoft.com/blogs/vaccine-against-russian-hackers/
Tue, 18 May 2021 16:08:54 +0000
After the sensational cyberattack on the American fuel giant Colonial Pipeline, experts proposed a kind of “vaccine” against Russian hackers.

The cybercriminal group DarkSide behind the attack on the Colonial Pipeline hastened to disown any political motives.

According to the hackers, they are apolitical and “do not participate in geopolitics.” However, according to journalist Brian Krebs, the cybercriminals’ statement is not true.

“Here’s the thing: digital ransomware groups like DarkSide are very concerned about making their entire platform geopolitical because their malware is specifically designed to work only in certain parts of the world,” Krebs writes.

According to the journalist, similarly to other ransomware programs, DarkSide contains an embedded list of countries in which it does not infect computer systems. As a rule, this list includes the countries of the former USSR and the CIS countries. In particular, the DarkSide list includes: Azerbaijan, Armenia, Belarus, Georgia, Kazakhstan, Kyrgyzstan, Moldova, Russia, Romania, Syria, Turkmenistan, Tajikistan, Tatarstan, Ukraine and Uzbekistan.

Before installing itself on a system, the malware checks whether the language of a country from the list is present and, if it is detected, does not install.

“Cybercriminals are known to react quickly to defenses that reduce their profitability, so why don’t the bad guys just make a difference and start ignoring language checks? Well, they certainly can and maybe even will (the latest version of DarkSide analyzed by Mandiant does not check the system language),” the journalist said.

However, dropping the language check increases the legal risk for the cybercriminals themselves and reduces profits, explained Allison Nixon, chief researcher at the New York-based information security company Unit221B.

Because of Russia’s “unique legal culture”, Nixon said, Russian cybercriminals use language tests to make sure their victims are abroad.

“They do it for legal protection. Installing a Cyrillic keyboard or changing a specific registry entry to “RU”, etc., may be enough to convince malware that you are Russian. Technically, this can be used as a “vaccine” against Russian malware,” Nixon explained.

Does this mean that installing the Russian layout will secure the system from hackers one hundred percent? No. There are many groups in the cybercriminal world that, unlike DarkSide, don’t care where their victims are. Changing language settings cannot replace cyber hygiene and cybersecurity best practices, Krebs emphasizes. However, the expert sees no reason not to try such a simple preventive measure to keep yourself safe.

“The worst thing that can happen is that you accidentally switch language settings, and all your menu items will be in Russian,” writes Krebs.

Let me remind you that I also wrote that NATO experimented with deceptive techniques to combat Russian hackers.

Attackers Hacked OGUsers Hacking Forum Again
https://gridinsoft.com/blogs/attackers-hacked-ogusers-hacking-forum-again/
Thu, 29 Apr 2021 16:10:14 +0000
Recently, the media reported that attackers hacked one of the most popular hacking forums on the Internet, OGUSERS (aka OGU), again, for the second time in the last year. This time an unknown attacker stole the data of 200,000 users, according to the official user statistics shown on the forum.

As a result, OGUSERS was temporarily disabled and put into maintenance mode, and users were notified of a password reset, urging everyone to turn on two-factor authentication for their accounts so that the stolen data could not be used to hack accounts.

Let me remind you that another OGUSERS hack occurred in May 2019. Then the attackers entered the server through a vulnerability in one of the custom plugins and gained access to a backup dated December 26, 2018. The site was then hacked again in November 2020.

OGUSERS started out as a website selling stolen accounts on a wide variety of platforms and services.

“But if it all started with ‘interesting’ social media accounts (Twitter, Instagram) with unique or short usernames, it later developed into a full-fledged resource for the sale of any accounts, including user accounts of PlayStation Network, Steam, Domino’s Pizza, etc.,” the media say about the forum.

In addition, Motherboard reporters turned their attention to OGUSERS back in 2018, when they were preparing a series of articles on the increasing cases of SIM card fraud. Such attacks with the capture of someone else’s phone numbers are used to steal accounts on social networks, steal large amounts of cryptocurrency, and so on. OGUSERS is one of the largest trading platforms where accounts stolen under such circumstances were sold.

As the information security company KELA now reports, the administrator of the OGUsers forum said that the site was hacked again, as unknown persons uploaded the web shell to the server. At first, the site administration doubted that the database was damaged, but soon a rival hack forum began selling the stolen OGUsers database for $3,000.


Bleeping Computer, citing its own sources, writes that OGUsers was hacked on April 11, 2021, and the attackers had full access to the database dump. The database included records of approximately 350,000 users and their private messages.

A source told the publication that OGUsers uses a variety of plug-ins that contain vulnerabilities that attackers can chain together to install a web shell.

Vitaly Kremez, head of Advanced Intel, says that such leaks from criminal forums may be beneficial to law enforcement and information security researchers:

“This OGUsers leak could potentially help identify cybercriminals via email and IP addresses and then link this information to their real identities. Previous OGUsers leaks contained important clues that helped uncover cybercriminal operations, especially related to fraud and hijacking of cryptocurrency accounts, as well as operations to swap SIM cards.”

Let me remind you that I talked about the fact that the Netherlands police posted warnings on hacker forums.

Hackers attack Microsoft Exchange servers on behalf of Brian Krebs
https://gridinsoft.com/blogs/hackers-attack-exchange-servers-on-behalf-of-brian-krebs/
Tue, 30 Mar 2021 16:27:42 +0000
The well-known information security expert, journalist and author of the KrebsOnSecurity blog has repeatedly become a target for attacks and mockery by hackers. Now hackers are attacking Microsoft Exchange servers with ProxyLogon vulnerabilities “on behalf of” Brian Krebs.

The fact is that Krebs is famous for his investigations and revelations, and over the long years of his career he has helped find and de-anonymize more than a dozen criminals, which the latter, of course, do not like at all.

Criminals have been taking revenge on the journalist for many years. They have already sent a SWAT team to Krebs’ home, taken out a loan in his name for $20,000, transferred $1,000 to his PayPal account from a stolen payment card, and compromised the PayPal account itself more than once. They even tried to transfer money from Krebs’ account to an ISIS-affiliated terrorist group. After he exposed the authors of the Mirai IoT malware, Krebs’ website suffered one of the most powerful DDoS attacks in history at that time.

A couple of years ago, users of the German imageboard Pr0gramm (pr0gramm.com), with which the operators of the Coinhive cryptojacking service were associated, took a stand against the journalist. Offended by Krebs’ investigation, users launched the #KrebsIsCancer campaign on social networks (“Krebs is cancer”). The fact is that in German the journalist’s surname, Krebs, translates as “cancer”, and on Pr0gramm they decided to literally “fight cancer”: they trolled Krebs and eventually donated more than $120,000 to this fight.

It is also worth noting that malware authors often mention Brian Krebs in the code of their programs as a kind of “hello”. According to the journalist, a complete list of such cases would consist of hundreds of pages.

Yesterday KrebsOnSecurity published a post titled "No, I Didn't Hack Your MS Exchange Server". In it, Krebs explains that attacks on servers vulnerable to the ProxyLogon flaws are now being carried out "on his behalf".

Krebs writes that the Shadowserver Foundation found Microsoft Exchange servers being compromised with malware named after KrebsOnSecurity, that is, after Krebs himself.

The attackers first drop the Babydraco web shell on the vulnerable server at /owa/auth/babydraco.aspx. A PowerShell command then downloads the file krebsonsecurity.exe, which relays data between the victim server and the attacker-controlled domain krebsonsecurity[.]top.

Shadowserver has found more than 21,000 Exchange servers running the Babydraco backdoor, although it does not know how many of those systems went on to download secondary payloads from krebsonsecurity[.]top.

"The motives of the cybercriminals behind the krebsonsecurity[.]top domain are unclear, but the domain itself has recently been linked to other types of cybercriminal activity and to attacks on me. I first heard about this domain in December 2020, when one of the readers told me that his entire network was hijacked by a cryptocurrency mining botnet that contacted this domain," says Krebs.

Krebs quotes the December message from one of his readers:

"I noticed this morning that the cooler on the server in my home lab was making a lot of noise. At first I didn't think much of it, but after cleaning and testing it still made noise. After finishing other work-related matters, I checked and found that a cryptominer had gotten into my system, pointing to XXX-XX-XXX.krebsonsecurity.top. It ended up infecting all three Linux servers on my network."

Krebs explains that in place of "XXX-XX-XXX" the hostname contained his Social Security number. "I was killed through DNS," he sums up.
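The web shell path and the attacker domain described above give a defender two cheap hunting points: requests to /owa/auth/babydraco.aspx (or to any .aspx under /owa/auth/ that is not part of a clean Exchange install) in the IIS logs, and DNS queries for krebsonsecurity[.]top or any of its subdomains, such as the SSN-labelled hostname the reader saw. The script below is an added example, not code from the post, from Krebs or from Shadowserver. The IIS W3C field order (the default extended logging fields), the one-line-per-query DNS log format, the placeholder baseline of expected /owa/auth/ pages and every log line are constructed assumptions.

```python
"""Hunting the Babydraco/krebsonsecurity.exe chain in IIS and DNS logs.

Added example; not code from the original post, from Krebs or from Shadowserver.
Assumptions (not in the source): the IIS W3C field order below, the DNS log
format, the placeholder baseline of expected /owa/auth/ pages, and all sample
log lines, which are constructed for this example.
"""
from collections import Counter

# Indicators taken from the post: the web shell path and the attacker domain.
WEBSHELL_PATHS = {"/owa/auth/babydraco.aspx"}
C2_DOMAIN = "krebsonsecurity.top"

# Placeholder baseline (assumption): in practice, take the list of .aspx files
# under /owa/auth/ from a known-clean Exchange server of the same build.
KNOWN_OWA_AUTH_BASELINE = {"/owa/auth/logon.aspx", "/owa/auth/logoff.aspx", "/owa/auth/errorfe.aspx"}

# Constructed sample IIS log in W3C extended format.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-03-29 10:15:01 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 120
2021-03-29 10:16:44 10.0.0.5 POST /owa/auth/babydraco.aspx - 443 - 198.51.100.23 python-requests/2.25.1 - 200 0 0 35
2021-03-29 10:17:02 10.0.0.5 POST /owa/auth/babydraco.aspx - 443 - 198.51.100.23 python-requests/2.25.1 - 200 0 0 41
2021-03-29 10:20:10 10.0.0.5 GET /ecp/default.aspx - 443 - 203.0.113.8 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 88
2021-03-29 10:25:00 10.0.0.5 POST /owa/auth/helper2.aspx - 443 - 198.51.100.23 python-requests/2.25.1 - 200 0 0 30
"""

# Constructed sample DNS query log: "<timestamp> <client-ip> <qname> <qtype>".
SAMPLE_DNS_LOG = """2021-03-29T10:17:30Z 10.0.0.5 krebsonsecurity.top A
2021-03-29T10:17:31Z 10.0.0.5 cdn.example.net A
2020-12-02T07:12:09Z 10.0.0.41 xxx-xx-xxx.krebsonsecurity.top A
2021-03-29T10:18:00Z 10.0.0.9 notkrebsonsecurity.top A
"""


def parse_iis(lines):
    """Parse W3C extended log lines into dicts keyed by the names in the #Fields header."""
    fields, records = [], []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields and len(parts) == len(fields):
            records.append(dict(zip(fields, parts)))
    return records


def find_webshell_hits(records, baseline):
    """Flag requests to the known shell path or to any unexpected .aspx under /owa/auth/."""
    hits = []
    for rec in records:
        path = rec["cs-uri-stem"].lower()
        if path in WEBSHELL_PATHS:
            reason = "known web shell path"
        elif path.startswith("/owa/auth/") and path.endswith(".aspx") and path not in baseline:
            reason = "unexpected .aspx under /owa/auth/"
        else:
            continue
        hits.append({"client": rec["c-ip"], "method": rec["cs-method"], "path": path, "reason": reason})
    return hits


def find_c2_dns(lines, domain=C2_DOMAIN):
    """Return (timestamp, client, qname) for queries to the domain or any subdomain of it.

    The suffix match is dot-anchored, so notkrebsonsecurity.top is not a hit.
    """
    out = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        ts, client, qname = parts[0], parts[1], parts[2].lower().rstrip(".")
        if qname == domain or qname.endswith("." + domain):
            out.append((ts, client, qname))
    return out


def clients_by_hits(hits):
    """Count web shell requests per source IP; the operator usually stands out."""
    return Counter(h["client"] for h in hits)


if __name__ == "__main__":
    shell_hits = find_webshell_hits(parse_iis(SAMPLE_IIS_LOG.splitlines()), KNOWN_OWA_AUTH_BASELINE)
    for h in shell_hits:
        print(f"[web] {h['client']} {h['method']} {h['path']}: {h['reason']}")
    print("[web] requests per client:", dict(clients_by_hits(shell_hits)))
    for ts, client, qname in find_c2_dns(SAMPLE_DNS_LOG.splitlines()):
        print(f"[dns] {ts} {client} -> {qname}")
```

The second web rule matters more than the first: the shell's filename is trivial for the attacker to change, while "an .aspx under /owa/auth/ that Exchange did not ship" survives renaming. Replace the placeholder baseline with a listing taken from a clean server of the same build before running this against production logs.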

We previously reported that a researcher published a PoC exploit for the ProxyLogon vulnerabilities in Microsoft Exchange.

Attacks on EMV cards, which were only a theory for 12 years, noticed in reality https://gridinsoft.com/blogs/attacks-on-emv-cards-which-were-only-a-theory-for-12-years-noticed-in-reality/ https://gridinsoft.com/blogs/attacks-on-emv-cards-which-were-only-a-theory-for-12-years-noticed-in-reality/#respond Fri, 31 Jul 2020 16:08:10 +0000 https://blog.gridinsoft.com/?p=4129 Experts from Gemini Advisory published a report describing two cases found on underground hacker forums in which criminals collected EMV card data and put it up for sale. Thus, attacks on EMV cards, which had been only theoretical for 12 years, have now been observed in the wild. ZDNet reports that… Continue reading Attacks on EMV cards, which were only a theory for 12 years, noticed in reality

The post Attacks on EMV cards, which were only a theory for 12 years, noticed in reality appeared first on Gridinsoft Blog.

Experts from Gemini Advisory published a report describing two cases found on underground hacker forums in which criminals collected EMV card data and put it up for sale. Thus, attacks on EMV cards, which had been only theoretical for 12 years, have now been observed in the wild.

ZDNet reports that analysts at Cyber R&D Lab recently conducted an interesting experiment with EMV cards.

The researchers obtained chip-enabled EMV cards from 11 banks in the US, the UK and the EU, then used against them the tools normally employed to copy the data stored on EMV chips and magnetic stripes.

As a result, the researchers were able to extract data from the chips and create clones carrying the same magnetic stripe data but no working chip.

"This is possible because every EMV card also carries a magnetic stripe as a fallback, for example when the user travels abroad and cannot use EMV, or when the PoS terminal is old," ZDNet was told.

That the magnetic stripe of an EMV card can be reproduced from chip data has been known since 2008, but it was believed the weakness could hardly be abused, since banks planned to move all customers to EMV and often declined magnetic-stripe transactions outright. As practice now shows, that did not happen: Cyber R&D Lab reported that it cloned four cards in the way described above and successfully carried out transactions with them.

Noticed attacks on EMV cards

Until this week, however, the problem was still considered largely theoretical, since no mass use of the technique by criminals was known. Now Gemini Advisory has discovered such cases.

The researchers write that EMV card data was stolen from the US supermarket chain Key Food Stores Co-Operative Inc. and from the US liquor store Mega Package Store.

[Photo: an example of a shimmer installed in a PoS terminal. Source: Krebs on Security]

That criminals have begun cloning EMV cards appears to be confirmed by a warning issued by Visa. Visa says the point-of-sale malware families Alina POS, Dexter POS and TinyLoader have been updated to collect EMV card data, something not seen before, since such data previously could not be monetized.

Gemini Advisory believes the method criminals are now using is the one first described in 2008, the EMV-Bypass Cloning technique that Cyber R&D Lab recently revisited.

"I demonstrated cloning from chip data to magstripe, but the banks said that cards issued after 2008 would not be vulnerable and chip data would be 'useless to the fraudster'. This new research shows that the problem still has not been fixed, 12 years on," said Steven Murdoch, the researcher who described the cloning technique in 2008.

In theory, defending against such attacks is not difficult: the issuing bank only has to check magnetic-stripe transactions more carefully. The chip's Track 2 equivalent data carries an iCVV rather than the stripe's CVV1, and its service code announces that a chip is present, so an issuer that verifies the CVV and treats a swipe on a chip card as a monitored fallback will reject a clone built from chip data. Unfortunately, as the Cyber R&D Lab study showed, not all banks perform these checks.
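The issuer-side check that the passage above calls for, as an added example that is not code from the post, from Cyber R&D Lab, Gemini Advisory or Steven Murdoch. It personalises a card whose stripe carries CVV1 and whose chip carries the iCVV variant (the same computation with the service code replaced by 999), builds an EMV-bypass clone by writing the chip's Track 2 equivalent data onto a stripe, and shows that the clone fails when the issuer verifies the CVV but passes when it does not. Assumptions not in the source: the CVV here is a toy HMAC-SHA256 stand-in for the DES-based CVV algorithm real issuers use, the discretionary-data layout is simplified to four filler digits plus a 3-digit CVV, and the PANs, expiry dates and key are constructed.

```python
"""EMV-bypass cloning, issuer side: a stripe transaction carrying Track 2 data
copied from the chip fails the CVV1 check, but is accepted if the issuer skips it.

Added example; not code from the original post, from Cyber R&D Lab, Gemini
Advisory or Steven Murdoch. Assumptions (not in the source): the CVV is a toy
HMAC-SHA256 stand-in for the DES-based CVV algorithm real issuers use, the
discretionary-data layout ('0000' filler plus a 3-digit CVV) is simplified, and
the PANs, expiry dates and key are constructed for the example.
"""
import hashlib
import hmac
import re

ISSUER_CVK = b"constructed-card-verification-key"  # assumption: toy issuer key

# The chip's Track 2 equivalent data carries an iCVV, which is the CVV algorithm
# run with the service code replaced by 999; the stripe carries the real CVV1.
ICVV_SERVICE_CODE = "999"


def compute_cvv(pan, expiry_yymm, service_code, key=ISSUER_CVK):
    """Toy 3-digit CVV: keyed MAC over PAN, expiry and service code, decimalised mod 1000.

    Like any 3-digit CVV it can collide by chance (1 in 1000); that is inherent to the field size.
    """
    msg = f"{pan}|{expiry_yymm}|{service_code}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{int(digest, 16) % 1000:03d}"


def build_track2(pan, expiry_yymm, service_code, cvv):
    """Track 2 layout: PAN, '=' separator, YYMM expiry, 3-digit service code, discretionary data."""
    return f"{pan}={expiry_yymm}{service_code}0000{cvv}"


def parse_track2(track2):
    """Split Track 2 data into its fields; the CVV sits in the last three discretionary digits."""
    m = re.fullmatch(r"(\d{12,19})=(\d{4})(\d{3})(\d+)", track2)
    if not m:
        raise ValueError("malformed Track 2 data")
    pan, expiry, service_code, discretionary = m.groups()
    return {"pan": pan, "expiry": expiry, "service_code": service_code, "cvv": discretionary[-3:]}


def issue_card(pan, expiry_yymm, service_code):
    """Personalise both interfaces: the stripe gets CVV1, the chip gets the iCVV variant."""
    cvv1 = compute_cvv(pan, expiry_yymm, service_code)
    icvv = compute_cvv(pan, expiry_yymm, ICVV_SERVICE_CODE)
    return {
        "magstripe_track2": build_track2(pan, expiry_yymm, service_code, cvv1),
        "chip_track2_equivalent": build_track2(pan, expiry_yymm, service_code, icvv),
    }


def clone_to_magstripe(card):
    """EMV-bypass cloning: read Track 2 equivalent data off the chip, write it to a blank stripe."""
    return card["chip_track2_equivalent"]


def authorize_swipe(track2, verify_cvv=True, key=ISSUER_CVK):
    """Issuer decision for a swiped (magstripe) transaction. Returns (approved, reason)."""
    t = parse_track2(track2)
    if verify_cvv:
        expected = compute_cvv(t["pan"], t["expiry"], t["service_code"], key)
        if not hmac.compare_digest(expected, t["cvv"]):
            return False, "CVV1 mismatch: stripe carries chip data (iCVV), likely a clone"
    # ISO 7813 service codes starting with 2 or 6 mean a chip is present, so a
    # swipe on such a card should only be a monitored fallback, never routine.
    if t["service_code"][0] in "26":
        return True, "approved as fallback on a chip card: rate-limit and monitor"
    return True, "approved"


if __name__ == "__main__":
    card = issue_card("4111111111111111", "2512", "201")  # constructed PAN, chip-present service code
    clone = clone_to_magstripe(card)
    print("genuine stripe, CVV checked :", authorize_swipe(card["magstripe_track2"]))
    print("chip-data clone, CVV checked:", authorize_swipe(clone))
    print("chip-data clone, CVV ignored:", authorize_swipe(clone, verify_cvv=False))
```

Two checks do the work here. The CVV comparison catches the clone because the chip never held CVV1 in the first place, so no amount of reading the chip yields a stripe that verifies. The service code check is the second line: a card whose code starts with 2 or 6 should only be swiped when the chip has genuinely failed, so fallback transactions on such cards deserve velocity limits and review rather than silent approval.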

Incidentally, the "hacker Tamagotchi" raised seven times its Kickstarter goal almost instantly: hacking is in fashion, and your personal data, including bank accounts and cards, is always at risk. Recall also that the BlackRock Trojan steals passwords and card data from 337 Android applications.

Europe’s largest private hospital operator Fresenius attacked with Snake ransomware https://gridinsoft.com/blogs/europes-largest-private-hospital-operator-fresenius-attacked-with-snake-ransomware/ https://gridinsoft.com/blogs/europes-largest-private-hospital-operator-fresenius-attacked-with-snake-ransomware/#respond Fri, 08 May 2020 01:09:50 +0000 https://blog.gridinsoft.com/?p=3763 Fresenius, Europe’s largest private hospital operator and a major provider of dialysis products and services, was hit by a Snake ransomware attack. According to KrebsOnSecurity's sources, the incident disrupted some systems, but patient care continues. Germany-based Fresenius comprises four independent companies: Fresenius Medical Care, a leading provider of services for people with kidney… Continue reading Europe’s largest private hospital operator Fresenius attacked with Snake ransomware

The post Europe’s largest private hospital operator Fresenius attacked with Snake ransomware appeared first on Gridinsoft Blog.

Fresenius, Europe’s largest private hospital operator and a major provider of dialysis products and services, was hit by a Snake ransomware attack.

According to KrebsOnSecurity's sources, the incident disrupted some systems, but patient care continues.

Germany-based Fresenius comprises four independent companies: Fresenius Medical Care, a leading provider of services for people with kidney failure; Fresenius Helios, Europe’s largest private hospital operator; Fresenius Kabi, a pharmaceutical and medical device company; and Fresenius Vamed, which manages medical facilities.

Overall, Fresenius employs nearly 300,000 people in more than 100 countries and is ranked 258th on the Forbes Global 2000. The company provides products and services for dialysis, hospitals, and inpatient and outpatient care, and holds nearly 40 percent of the US dialysis market.

"This is worrisome because COVID-19 causes many patients to experience kidney failure, which has led to a shortage of dialysis machines and supplies," KrebsOnSecurity reports.

We live in truly difficult times: just the other day, the Indian telecom giant Jio exposed the data of people tested for COVID-19.

One Fresenius Kabi employee in the United States said that computers in his office had been hacked and that the attack affected the company's operations worldwide.

The attackers used Snake ransomware (also tracked as EKANS), a relatively new family. Its operators target mainly large companies, cripple their IT systems and demand a ransom in Bitcoin for restoring access to the data.

"I can confirm that Fresenius IT systems have been the victim of the malware. As a precaution, we have been taking steps to prevent further spread. We also informed the relevant investigating authorities, and although some functions in the company are currently limited, patient care continues," said a Fresenius representative.

According to security researchers, Snake is unusual in that it looks for processes associated with enterprise management tools and large industrial control systems. The malware is written in Go and is more heavily obfuscated than most ransomware.

Once started, Snake deletes the volume shadow copies and then terminates numerous processes associated with SCADA systems, virtual machines, industrial control systems, remote management tools, network management software and the like. It then encrypts files on the device, skipping those in the Windows system folders and various other system files. Both preparatory steps are noisy: shadow-copy deletion and the sudden death of a cluster of ICS, VM and remote-access processes on one host are worth alerting on before the encryption starts.
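Two detections for the behaviour just described, as an added example that is not code from the post or from any published Snake analysis. The first matches the generic shadow-copy deletion commands ransomware families use (vssadmin, wmic, and Win32_ShadowCopy via PowerShell); the second alerts when several distinct watchlisted processes die on one host within a short window. Assumptions not in the source: Sysmon-style event IDs (1 = process create, 5 = process terminate) delivered as JSON lines, a placeholder watchlist that you would replace with the ICS, hypervisor and remote-management software actually installed on the host, the 60-second window and threshold of three, and every sample event, which is constructed.

```python
"""Behavioural detections for the two Snake (EKANS) preparatory actions the post
describes: shadow-copy deletion and mass termination of ICS/VM/remote-access processes.

Added example; not code from the original post or from any Snake analysis.
Assumptions (not in the source): Sysmon-style event IDs (1 = process create,
5 = process terminate) in JSON lines, a placeholder process watchlist, the
60-second window and threshold, and the constructed sample events.
"""
import json
import re
from datetime import datetime, timedelta

# Generic shadow-copy deletion patterns: ransomware staples, not Snake-specific strings.
SHADOW_COPY_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"win32_shadowcopy.*(delete|remove)", re.I),
]

# Placeholder watchlist (assumption): build the real one from the software on the host.
WATCHLIST = {"vmwp.exe", "vmcompute.exe", "teamviewer_service.exe", "vncserver.exe"}

# Constructed sample events (raw string so the JSON backslashes survive).
SAMPLE_EVENTS = r"""
{"ts": "2020-05-06T02:13:50Z", "host": "hmi-01", "event_id": 1, "image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "command_line": "wmic shadowcopy delete"}
{"ts": "2020-05-06T02:14:03Z", "host": "hmi-01", "event_id": 1, "image": "C:\\Windows\\System32\\vssadmin.exe", "command_line": "vssadmin.exe delete shadows /all /quiet"}
{"ts": "2020-05-06T02:14:05Z", "host": "hmi-01", "event_id": 1, "image": "C:\\Windows\\System32\\notepad.exe", "command_line": "notepad.exe readme.txt"}
{"ts": "2020-05-06T02:14:10Z", "host": "hmi-01", "event_id": 5, "image": "C:\\Windows\\System32\\vmwp.exe"}
{"ts": "2020-05-06T02:14:12Z", "host": "hmi-01", "event_id": 5, "image": "C:\\Program Files\\TeamViewer\\TeamViewer_Service.exe"}
{"ts": "2020-05-06T02:14:13Z", "host": "hmi-01", "event_id": 5, "image": "C:\\Program Files\\RealVNC\\vncserver.exe"}
{"ts": "2020-05-06T02:14:14Z", "host": "hmi-01", "event_id": 5, "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"}
{"ts": "2020-05-06T02:20:00Z", "host": "hmi-01", "event_id": 1, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell -c Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"}
{"ts": "2020-05-06T03:30:00Z", "host": "eng-ws-07", "event_id": 5, "image": "C:\\Windows\\System32\\vmwp.exe"}
"""


def _basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def load_events(text):
    """Parse JSON lines into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_shadow_copy_deletion(events):
    """Flag process-creation events whose command line deletes volume shadow copies."""
    findings = []
    for e in events:
        cmd = e.get("command_line", "")
        if e["event_id"] == 1 and any(p.search(cmd) for p in SHADOW_COPY_PATTERNS):
            findings.append({"host": e["host"], "ts": e["ts"], "command_line": cmd})
    return findings


def detect_kill_bursts(events, watchlist=WATCHLIST, window_seconds=60, min_distinct=3):
    """Alert when at least min_distinct distinct watchlisted processes die on one host within the window."""
    by_host = {}
    for e in events:
        if e["event_id"] == 5 and _basename(e["image"]) in watchlist:
            by_host.setdefault(e["host"], []).append((_ts(e["ts"]), _basename(e["image"])))
    findings = []
    for host, kills in by_host.items():
        kills.sort()
        for i, (start, _) in enumerate(kills):
            in_window = [name for t, name in kills[i:] if t - start <= timedelta(seconds=window_seconds)]
            distinct = list(dict.fromkeys(in_window))  # de-duplicate, keep order of first death
            if len(distinct) >= min_distinct:
                findings.append({"host": host, "start": start.isoformat(), "images": distinct})
                break  # one alert per host is enough for triage
    return findings


if __name__ == "__main__":
    events = load_events(SAMPLE_EVENTS)
    for f in detect_shadow_copy_deletion(events):
        print(f"[shadow-copy] {f['host']} {f['ts']}: {f['command_line']}")
    for f in detect_kill_bursts(events):
        print(f"[kill-burst] {f['host']} from {f['start']}: {', '.join(f['images'])}")
```

The single vmwp.exe exit on eng-ws-07 is deliberately left unflagged: one hypervisor worker stopping is routine, three unrelated management processes dying within seconds is not. On a real HMI or engineering workstation, wire the shadow-copy rule to block (there is rarely a legitimate reason to run it there) and the burst rule to page.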
