image
More than 250 customers of a popular and powerful online attack-for-hire service that was dismantled by authorities in 2018 are expected to face legal action for the damage they caused, according to Europol, the European Union's law enforcement agency. In April 2018, investigators in the U.S., U.K. and the Netherlands took down attack-for-hire service WebStresser[.]org and arrested its alleged administrators. Prior to the takedown, the service had more than 151,000 registered users and was responsible for launching some four million attacks over three years. Now, those same authorities are targeting people who paid the service to conduct attacks. Webstresser.org (formerly Webstresser.co), as it appeared in 2017. In the United Kingdom, police have seized more than 60 personal electronic devices from a number of Webstresser users, and some 250 customers of the service will soon face legal action, Europol said in a statement released this week. “Size does not matter – all levels of users are under the radar of law enforcement, be it a gamer booting out the competition out of a game, or a high-level hacker carrying out DDoS attacks against commercial targets for financial gain,” Europol officials warned. The focus on Webstresser's customers is the latest phase of “Operation Power Off,” which targeted one of the most active services for launching point-and-click distributed denial-of-service (DDoS) attacks. WebStresser was one of many so-called “booter” or “stresser” services — virtual hired muscle that even completely unskilled users can rent to knock nearly any website or Internet user offline. Operation Power Off is part of a broader law enforcement effort to disrupt the burgeoning booter service industry and to weaken demand for such services. In December, authorities in the United States filed criminal charges against three men accused of running booter services, and orchestrated a coordinated takedown of 15 different booter sites. This seizure notice appeared on the homepage of more than a dozen popular “booter” or “stresser” DDoS-for-hire Web sites in December 2018. The takedowns come as courts in the United States and Europe are beginning to hand down serious punishment for booter service operators, their customers, and for those convicted of launching large-scale DDoS attacks. Last month, a 34-year-old Connecticut man received a 10-year prison sentence for carrying out DDoS attacks a number of hospitals in 2014. Also last month, a 30-year-old in the United Kingdom was sentenced to 32 months in jail for using an army of hacked devices to crash large portions of Liberia's Internet access in 2016. In December 2018, the ringleader of an online crime group that launched DDoS attacks against Web sites — including several against KrebsOnSecurity — was sentenced to three years in a U.K. prison. And in 2017, a 20-year-old from Britain was sentenced to two years in jail for renting out Titanium Stresser, a booter service that earned him $300,000 over several years it was in operation. Many in the hacker community have criticized authorities for targeting booter service administrators and users and for not pursuing what they perceive as more serious cybercriminals, noting that the vast majority of both groups are young men under the age of 21 and are using booter services to settle petty disputes over online games. But not all countries involved in Operation Power Off are taking such a punitive approach. In the Netherlands, the police and the prosecutor’s office have deployed new legal intervention called “Hack_Right,” a diversion program intended for first-time cyber offenders. Europol says at least one user of Webstresser has already received this alternative sanction. “Skills in coding, gaming, computer programming, cyber security or anything IT-related are in high demand and there are many careers and opportunities available to use these wisely,” Europol said. According to U.S. federal prosecutors, the use of booter and stresser services to conduct attacks is punishable under both wire fraud laws and the Computer Fraud and Abuse Act (18 U.S.C. § 1030), and may result in arrest and prosecution, the seizure of computers or other electronics, as well as prison sentences and a penalty or fine.

Source

image
Many of you might have this question in your mind: “Is it illegal to test a website for vulnerability without permission from the owner?” Or… “Is it illegal to disclose a vulnerability publicly?” Well, the answer is YES, it’s illegal most of the times and doing so could backfire even when you have good intentions. Last year, Hungarian police arrested a 20-year-old ethical hacker accused of finding and exploiting serious vulnerabilities in Magyar Telekom, the largest Hungarian telecommunication company, who is now facing up to 8 years in prison. According to local Hungarian media, the defender first discovered a severe vulnerability in Magyar Telekom systems in April 2018 and reported it to the company officials, who later invited him to a meeting. Reportedly, the hacker then traveled to Budapest for the meeting, which didn't go well as he expected, and apparently, the company did not permit him to test its systems further. However, the man continued probing Magyar Telekom networks and discovered another severe vulnerability at the beginning of May that could have allowed an attacker to access all public and retail mobile and data traffic, and monitor company's servers. When Magyar Telekom detected an “uninvited” intrusion on their internal network, the company on same day reported the incident to the police, leading to his arrest. The hacker is currently on trial. The Hungarian Prosecution Service is requesting a prison sentence, while the Hungarian Civil Liberties Union, a non-profit human rights watchdog, is defending the hacker, claiming that the indictment is inaccurate, incomplete and in false colors. However, the Prosecutor's Office said “anyone who reads the prosecutor’s document can make sure that the indictment contains all information,” arguing that the defendant crossed a line and due to the danger his actions may have posed to society, he must face legal consequences. The Prosecutor's Office also offered the man a plea bargain, which said if he admitted his guilt, he would be given a 2-year suspended sentence, and if not, he would have to serve five years in jail. After he refused the plea deal, the hacker has now been charged with an upgraded crime in the indictment, i.e., disrupting the operation of a “public utility,” which could soon end him up behind bars for up to 8 years, if proven guilty. Have something to say about this article? Comment below or share it with us on Facebook, Twitter or our LinkedIn Group.

Source

Many of you might have this question in your mind:

“Is it illegal to test a website for vulnerability without permission from the owner?”

Or… “Is it illegal to disclose a vulnerability publicly?”

Well, the answer is YES, it’s illegal most of the times and doing so could backfire even when you have good intentions.

Last year, Hungarian police arrested a 20-year-old ethical hacker accused of

Source

image
UPDATE An Iran-linked APT known as Chafer has been spotted targeting various entities based in Iran with an enhanced version of a custom malware that takes a very unique approach to communication by using the Microsoft Background Intelligent Transfer Service (BITS) mechanism over HTTP. Meanwhile the victimology suggests the threat group is waging a cyber-espionage operation against diplomats there. Remexi, Remixed Over the course of the autumn, analysts at Kaspersky Lab observed attackers targeting embassies using an improved version of the Remexi malware, which Chafer has used in the past. It’s a spyware, capable of exfiltrating keystrokes, screenshots and browser-related data like cookies and history. Remexi developers used the C programming language and the GCC compiler on Windows in the MinGW environment to create the latest version of the malware (which has a March 2018 time stamp). The main notable aspect of the code is that it consists of several working threads dedicated to different tasks that it deploys in its working directory, according to Kaspersky. These include command-and-control (C2) command parsing, data exfiltration, launching victim activity logging in a separate module and seven threads for various espionage and auxiliary functions. It’s also worth noting how these threads share information. “One of the malware threads checks in an infinite loop if the mouse button was pressed and then also increments the integer iterator infinitely,” Kaspersky analysts said, in a posting this week. “If the mouse-hooking function registers a button hit, it lets the screenshotting thread know about it through a global variable. After that, it checks if the iterator divided by (captureScreenTimeOut/captureActiveWindowTimeOut) has a remainder of 0. In that case, it takes a screenshot.” Legit Microsoft Tools in the Mix A notable aspect of the improved trojan is the fact that the Remexi developers are relying on legitimate Microsoft utilities. For instance, for both C2 communication and exfiltration, Remexi uses the aforementioned BITS mechanism over HTTP. “One of the things we keep in mind when we attribute a campaign to one or another actor is malefactors’ tactics, techniques and procedures (TTP),” said Denis Legezo, senior security researcher, Global Research and Analysis Team (GReAT) at Kaspersky Lab. “Some of them develop all the needed tools from scratch, and others extensively use third-party applications alongside the code by their own developers. Chafer now is among the latter ones. Data exfiltration using BITS/bitsadmin.exe isn’t typical at all.” He added, “In terms of protective measures, such communication mechanism means that the system administrators have to check BITS inbound/outbound traffic to external network resources in their environments.” This “greater reliance on freely available software tools, also known as ‘living off the land'” offers threat groups a key advantage, according to previous Chafer analysis from Symantec: “By limiting their use of malware, groups such as Chafer hope to be less conspicuous on a victim’s network and, if discovered, make their attack more difficult to attribute.” Remexi also employs XOR encryption with a hardcoded key for its configuration and RC4 with a predefined password for encrypting the victim’s data. There are unique keys used by different samples, including the use of the word “salamati,” which means “health” in Farsi. How Remexi is arriving on victims’ desktops remains a bit of a mystery. “So far, our telemetry hasn’t provided any concrete evidence that shows us how the Remexi malware spread,” analysts said. “However, we think it’s worth mentioning that for one victim we found a correlation between the execution of Remexi´s main module and the execution of an AutoIt script compiled as PE, which we believe may have dropped the malware.” That said, in earlier attacks from 2015, Symantec found evidence that Chafer had been compromising targeted organizations by attacking their web servers, likely through SQL injection attacks, in order to drop malware onto them. In 2017, the group added a new infection method to its toolkit, using malicious documents which are likely circulated using spear-phishing emails sent to individuals working in targeted organizations. Victimology As for the victimology, Kaspersky speculates that the campaign could a domestic affair. In addition to the aforementioned “salamati” being used as a Farsi-language human-readable encryption key, the vast majority of the users targeted by this new variant of Remexi appear to have Iranian IP addresses, including those tied to foreign diplomatic entities based in the country. “They were after local hosts for years, but foreign diplomatic entities are something new for them from our point of view,” Legezo told Threatpost. “We saw several emerging actors moving from domestic campaigns to international ones. Such development seems quite logical: they got experience, toolsets became more mature and the set of tasks also broadens.” Also, “among the artifacts related to malware authors, we found in the binaries a .pdb path containing the Windows user name ‘Mohamadreza New,'” the analysts noted. “Interestingly, the FBI website for wanted cybercriminals includes two Iranians called Mohammad Reza, although this could be a common name or even a false flag.” This victim set could signal a return to Chafer’s roots. According to the prior analysis from Symantec, foreign diplomats inside Iran have been a target for Chafer in the past. But the APT, which has been around since at least 2014, switched up its tactics in 2017 to expand beyond Iran to “hit organizations in Israel, Jordan, the United Arab Emirates, Saudi Arabia and Turkey.” Outside of the Middle East, Symantec also found evidence of attacks against one African airline and attempts to compromise an international travel reservations firm. Sectors targeted included airlines; aircraft services; software and IT services companies serving the air and sea transport sectors; telecom services; payroll services; engineering consultancies; and document management software. “So far, the campaign’s TTPs aren’t state of the art, but a trend among emerging actors is quite visible: they are becoming more mature and broadening their set of targets,” Legezo told Threatpost. “Speaking about targeted malware, one shouldn’t consider anyone as an amateur. Maybe we don’t see ‘advanced’ (from ‘APT’ abbreviation) techniques used in every campaign, but ‘persistent’ is here for sure anytime. Therefore, it’s important to think about protective measures, like security software, a remediation plan and threat intelligence in advance.” This post was updated at 2:35 p.m. ET on Feb. 4 to reflect additional researcher insights.

Source

More than 250 customers of a popular and powerful online attack-for-hire service that was dismantled by authorities in 2018 are expected to face legal action for the damage they caused, according to Europol, the European Union’s law enforcement agency.

In April 2018, investigators in the U.S., U.K. and the Netherlands took down attack-for-hire service WebStresser[.]org and arrested its alleged administrators. Prior to the takedown, the service had more than 151,000 registered users and was responsible for launching some four million attacks over three years. Now, those same authorities are targeting people who paid the service to conduct attacks.

Webstresser.org (formerly Webstresser.co), as it appeared in 2017.

In the United Kingdom, police have seized more than 60 personal electronic devices from a number of Webstresser users, and some 250 customers of the service will soon face legal action, Europol said in a statement released this week.

“Size does not matter – all levels of users are under the radar of law enforcement, be it a gamer booting out the competition out of a game, or a high-level hacker carrying out DDoS attacks against commercial targets for financial gain,” Europol officials warned.

The focus on Webstresser’s customers is the latest phase of “Operation Power Off,” which targeted one of the most active services for launching point-and-click distributed denial-of-service (DDoS) attacks. WebStresser was one of many so-called “booter” or “stresser” services — virtual hired muscle that even completely unskilled users can rent to knock nearly any website or Internet user offline.

Operation Power Off is part of a broader law enforcement effort to disrupt the burgeoning booter service industry and to weaken demand for such services. In December, authorities in the United States filed criminal charges against three men accused of running booter services, and orchestrated a coordinated takedown of 15 different booter sites.

This seizure notice appeared on the homepage of more than a dozen popular “booter” or “stresser” DDoS-for-hire Web sites in December 2018.

The takedowns come as courts in the United States and Europe are beginning to hand down serious punishment for booter service operators, their customers, and for those convicted of launching large-scale DDoS attacks. Last month, a 34-year-old Connecticut man received a 10-year prison sentence for carrying out DDoS attacks a number of hospitals in 2014. Also last month, a 30-year-old in the United Kingdom was sentenced to 32 months in jail for using an army of hacked devices to crash large portions of Liberia’s Internet access in 2016.

In December 2018, the ringleader of an online crime group that launched DDoS attacks against Web sites — including several against KrebsOnSecurity — was sentenced to three years in a U.K. prison. And in 2017, a 20-year-old from Britain was sentenced to two years in jail for renting out Titanium Stresser, a booter service that earned him $300,000 over several years it was in operation.

Many in the hacker community have criticized authorities for targeting booter service administrators and users and for not pursuing what they perceive as more serious cybercriminals, noting that the vast majority of both groups are young men under the age of 21 and are using booter services to settle petty disputes over online games.

But not all countries involved in Operation Power Off are taking such a punitive approach. In the Netherlands, the police and the prosecutor’s office have deployed new legal intervention called “Hack_Right,” a diversion program intended for first-time cyber offenders. Europol says at least one user of Webstresser has already received this alternative sanction.

“Skills in coding, gaming, computer programming, cyber security or anything IT-related are in high demand and there are many careers and opportunities available to use these wisely,” Europol said.

According to U.S. federal prosecutors, the use of booter and stresser services to conduct attacks is punishable under both wire fraud laws and the Computer Fraud and Abuse Act (18 U.S.C. § 1030), and may result in arrest and prosecution, the seizure of computers or other electronics, as well as prison sentences and a penalty or fine.

Source

image
Data privacy dominated the week of news ending Feb. 1. News headlines included both Facebook and Google finding themselves in hot water over distributing data-sucking apps on iOS devices. A severe flaw was also found in kid-tracking IoT smartwatches that could expose sensitive information for 35,000 children. Also this week was a new data dump of 2.2 billion compromised credentials discovered on the Dark Web, This was labeled “Collections #2-5.” Threatpost editors Lindsey O’Donnell and Tara Seals discuss these top news stories and more in this week’s Threatpost news wrap. [ ](http://iframe%20style=border:%20none%20src=//html5-player.libsyn.com/embed/episode/id/8482943/height/360/theme/legacy/thumbnail/yes/direction/backward/%20height=360%20width=100%%20scrolling=no%20%20allowfullscreen%20webkitallowfullscreen%20mozallowfullscreen%20oallowfullscreen%20msallowfullscreen/iframe) For direct download click here.

Source

image
Ah, the Super Bowl. For some, this Sunday’s show down between the Los Angeles Rams and the New England Patriots will be about gathering family and friends around for a great American pastime: The Super Bowl party. Some are just in it for the commercials. Some see a gambling opportunity; and for fans of the two teams playing, it’s the culmination of everything they’ve been hoping for since September. And for cybercriminals, Super Bowl LIII is a massive fraud and infrastructure attack opportunity, and a perfect chance to attack those streaming the event. Consumer Frauds and Scams The ZeroFOX team said that it has found several instances this week of advertisements to place online sports bets and discussions about online betting for the Super Bowl, many of them fraudulent. Other common scams that are making the rounds are offers for tickets to see the game in Atlanta, cheap hotel rooms in the Peach City, and discounted official merchandise and jerseys. “Watch out for those offering great deals on things like tickets, places to stay or that cool jersey you’ve been eyeing – be sure to take extra steps to verify that you’re getting what you’re paying for,” said Kirsten Ashbaugh, threat analyst on the ZeroFOX Alpha Team, in a report shared with Threatpost. “And if you do decide to place a wager, check the relevant state laws to make sure you’re in the clear.” Although sports betting, including online betting, has become legal in some states over the past year, it may not be legal or accessible depending on where one lives. “Only a handful of states have legalized this type of betting, and not all of them offer the ability to bet online,” Ashbaugh said. “The ones that do may restrict even online betting to those physically within state boundaries. If you do decide to partake, be sure to check if your state allows you to bet online, and look to make sure the website or app you’re using is reputable.” On the fraudulent ticket and travel front, game day ticket sales last week increased 65 percent, but instances of fraud attacks also spiked, according to data from Forter sent to Threatpost. The firm identified two types of criminals that have been actively trying to exploit both ticketing sites and football enthusiasts ahead of the big game: Foreign fraudsters and domestic “legacy” fraudsters. Forter’s analysis found that most fraud comes from outside of the U.S., making up 3.8 percent of total attempted Super Bowl ticket purchases. And when it comes to domestic threats, a New York-based crime ring has been targeting the ticketing industry and the Super Bowl specifically. “The culprit uses sophisticated technology to alter IP address and fake their location, and frequently changes personal account details to avoid detection,” a Forter spokesperson explained via email. “So far, this scam has led to one massive failed attempt at purchasing $10,000 worth of Super Bowl tickets.” Those looking for last-minute tickets should thus be on high alert. “Sellers may offer tickets that either are fake, created falsely online, or they could be reselling tickets that someone else is already planning on using,” ZeroFOX’s Ashbaugh noted. “You could get to the gate and be out of luck. It’s also a good idea to never post pictures on social media or elsewhere of your tickets to events like the Super Bowl, because people could use those photos or the ticket number to create fake tickets.” Infrastructure Risks One of the other concerns at the Super Bowl involves the critical applications and networks that support the event, hosted both locally and in the cloud. Broadcast networks, industrial control systems, civil-service networks and other related systems are also all at risk, according to Daniel Smith, a researcher at Radware. He noted in a Thursday posting that there’s a precedent for the concern: “While there hasn’t been a recent attack of scale reported against the Super Bowl, last year we did witness a piece of malware named Olympic Destroyer that targeted and disrupted the opening ceremonies and entry into the 2018 Winter Olympics.” Also, today’s stadiums, theaters, arenas and amphitheaters are target-rich environments, he added. They require small cells, WiFi and distributed antennae system (DAS) deployments to serve fans with modern, interactive game-watching enhancements. Often, the technologies designed to enhance the spectators’ experience are easily exploited to harvest information from attendees, according to Smith. It’s an attractive cybercrime opportunity, given the sheer amount of data traffic that these systems support. Extreme Networks reported that last year’s attendees at Super Bowl LII in Minnesota transferred 16.32 Terabytes of data with a peak rate of 7.867 Gbps. “This Super Bowl, like years before, will bring large crowds once again that will demand connectivity and are expected to consume record breaking volumes this year,” Smith said. “This is an enormous demand for connectivity and the technology involved could poses a security risk for event organizers, partners, sponsors and attendees as their activities in the stadium begin to produce more digital oil: data.” Infected Streams Last year, the Big Game drew an estimated 103 million viewers and saw record-breaking streaming traffic, according to NBC. Super Bowl LII had an average online viewership of 2 million, a 15 percent gain over the 2017 event. The stream was available on NBC Sports app, NBCSports.com and the Yahoo Sports app, among others. At its peak, the online audience clocked in at 3.1 million concurrent streams. It’s safe to say that this year’s digital audience will likely improve on that. So as the Los Angeles Rams face off against the New England Patriots this year, cybercriminals will be looking to take advantage of the thirst for multimedia and streaming access to the game. In the era of “cord-cutting,” those without television packages will look for ways to watch Super Bowl LIII digitally, as will those who have to work or who will otherwise not be in front of a TV. Against this backdrop, cybercriminals have been focused on spreading malicious software via unsanctioned streams, designed to harvest and steal personal information. “On Super Bowl Sunday, millions of sports fans worldwide will descend onto the internet eagerly searching for a free stream,” Ray Walsh, digital privacy expert at BestVPN.com, said via email. “The result is every hacker’s dream. This year, hackers are expected to have set up more infected streams than ever before. Anybody arriving on an infected page to hit the ‘Click Here to Watch the Super Bowl in HD’ button is in for a nasty surprise. Malware, spyware, trojans and ransomware are all going to be on the menu — which means that sports fans are going to end up with serious infections.” Fans should instead stick to watching official HD streams, he added, to avoid misery.

Source

Mac users need to beware of a newly discovered piece of malware that steals their web browser cookies and credentials in an attempt to withdraw funds from their cryptocurrency exchange accounts.

Dubbed CookieMiner due to its capability of stealing cookies-related to cryptocurrency exchanges, the malware has specifically been designed to target Mac users and is believed to be based on

Source

image
Mac users need to beware of a newly discovered piece of malware that steals their web browser cookies and credentials in an attempt to withdraw funds from their cryptocurrency exchange accounts. Dubbed CookieMiner due to its capability of stealing cookies-related to cryptocurrency exchanges, the malware has specifically been designed to target Mac users and is believed to be based on DarthMiner, another Mac malware that was detected in December last year. Uncovered by Palo Alto Networks' Unit 42 security research team, CookieMiner also covertly installs coin mining software onto the infected Mac machines to secretly mine for additional cryptocurrency by consuming the targeted Mac's system resources. In the case of CookieMiner, the software is apparently geared toward mining “Koto,” a lesser-known, privacy-oriented cryptocurrency which is mostly used in Japan. However, the most interesting capabilities of the new Mac malware is to steal: Both Google Chrome and Apple Safari browser cookies associated with popular cryptocurrency exchanges and wallet service websites. Usernames, passwords and credit card information saved in the Chrome web browser. Cryptocurrency wallet data and keys. iPhone's text messages of victims stored in iTunes backups. When talking about the targeted cryptocurrency exchanges and wallet services, CookieMiner was found targeting Binance, Coinbase, Poloniex, Bittrex, Bitstamp, MyEtherWallet, and any website having “blockchain” in its domain and using cookies to track their users temporarily. By leveraging the combination of stolen login credentials, web cookies, and SMS data, it would be possible for an attacker to even bypass two-factor authentication for exchange sites and steal cryptocurrencies from the victim's accounts and wallets. “If only the username and password are stolen and used by a bad actor, the website may issue an alert or request additional authentication for a new login,” the researchers explained in their blog post published Thursday. “However, if an authentication cookie is also provided along with the username and password, the website might believe the session is associated with a previously authenticated system host and not issue an alert or request additional authentication methods.” It should be noted that researchers have not yet found any evidence of the attackers successfully withdrawing funds from any user's wallet or account, but are speculating based on the malware's behavior. What's more? CookieMiner also uses the EmPyre backdoor for post-exploitation control, allowing attackers to send commands to the infected Mac computers for remote control. EmPyre is a Python post-exploitation agent that checks if the Little Snitch application firewall is running on the victim's machine and if it finds one, it will stop and exit. The agent can also be configured to download additional files. Although it is unclear how the CookieMiner malware is pushed to the victims at the first place, it is believed that the users are tricked into downloading tainted software onto their machines which delivers the malware. Palo Alto Networks has already contacted targeted cryptocurrency exchanges and wallet services, along with Apple and Google, and reported the issue. Since the researchers believe that the CookieMiner campaign is still active, the best way to prevent falling victim to such malware attacks is to avoid saving your credentials or credit card information within your web browsers and, not to mention, avoid downloading apps from third-party platforms. You should also consider clearing your cookies when visiting the banking or financial accounts, and “keep an eye on their security settings and digital assets to prevent compromise and leakage,” researchers advised. Have something to say about this article? Comment below or share it with us on Facebook, Twitter or our LinkedIn Group.

Source

image
By Waqas The IT security researchers at Palo Alto Networks’ Unit 42 have discovered a dangerous new Mac malware capable of targeting devices for multi-purposes including stealing cryptocurrency. Dubbed CookieMiner by researchers; the Mac malware is a variant of OSX.DarthMiner, another nasty piece of malware known for targeting MacOS. But, CookieMiner aims at much more than its predecessor. See: 400% increase in […] This is a post from HackRead.com Read the original post: New Mac Malware steals iPhone text messages from iTunes backups

Source