Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Cyberhacking. Show all posts

Hacking Group Exposes Pentagon IT Provider's Documents

 


A person familiar with the matter informed us that hackers stole internal documents from Leidos Holdings Inc., one of the largest IT service providers in the US government, in an attempted breach of security. There has been a recent discovery at Leidos and they believe they were the victim of a previously disclosed breach of a Diligent Corp. system they used, which was in use at the time, said the person who requested not to be named because it is an internal matter. According to the person who spoke with me, Leidos is currently investigating this issue. 

As one of the most highly regarded companies in the world, Leidos' clients include the Defense Department, Homeland Security Department, and NASA, as well as other national and international government agencies. Based on a filing in Massachusetts dated June 2023, it was reported that Leidos used the Diligent system to store information that was gathered during internal investigations. It has been reported that Leidos has refused to comment on the information that has been stolen. 

A request for comments was not immediately responded to by the Pentagon, the Department of Homeland Security, and NASA. As Bloomberg News discovered, some files purportedly from Leidos had been posted on a cybercrime forum, but the details of those files had been redacted, so Bloomberg could not verify the authenticity of the files. Even though Steele Compliance Solutions is owned by Steele, which acquired the company in 2021, a diligent spokesperson said it appears that the leak and its source are related to a hack in 2022. 

At that time, there were less than 15 customers, including Leidos, who were using the product, according to the company. Detailed in a data breach notice filed in Massachusetts on November 11, 2022, Diligent declared the breach to Leidos after discovering the data leak. The attack was carried out by an unauthorized party who exploited a weakness in Diligent's platform to download documents, which may have occurred as early as September 30th of last year. 

The third intruder exploited a second vulnerability around or around October 1, 2022, allowing him to gain access to data submitted through Leidos' enterprise case management system (ECMS), hosted by Diligent, as well as personal information submitted via the system. Earlier reports indicated that the leak of data was linked to Steele Compliance Solutions, one of Diligent's subsidiary companies acquired in 2021, and that was where the scandal originated. 

When mergers and acquisitions occur, there is chaos and sensitive information may be transferred between the two companies, giving hackers a prime opportunity to exploit the situation. An FBI report published in 2021 forecasted that cybercriminals will target organizations during "time-sensitive financial events" such as mergers and acquisitions to extract sensitive information. On February 9, 2023, Leidos received notification of a second data leak, which prompted an investigation into a possible security breach. 

During the investigation, it was discovered that the impacted documents contained personal information, and to allow victims to be able to protect themselves against identity theft, the defence contractor offered two years of identity theft protection. Leidos confirmed that this data leak was caused by an incident that occurred in 2023 that impacted a third-party vendor for which all necessary notification was made in the past. 

According to the Pentagon defence contractor, “our network or any sensitive customer data was not affected by the incident.” At the time of the incident, the product in question was being used by fewer than 15 customers, including defence contractor Leidos, as reported by the company. In a data breach notice filed in Massachusetts on November 11, 2022, Diligent Corporation disclosed the breach to Leidos after discovering unauthorized access to its data. The breach involved an unauthorized party exploiting a vulnerability in Diligent's platform to download documents. 

It is believed that this exploitation may have occurred as early as September 30, 2022. A subsequent intrusion was identified around October 1, 2022, where a third-party attacker exploited a second vulnerability. This allowed the intruder to access data submitted through Leidos' Enterprise Case Management System (ECMS), which was hosted by Diligent, and personal information submitted via the system. Previous reports had indicated that the data leak was associated with Steele Compliance Solutions, a subsidiary of Diligent acquired in 2021 and that this subsidiary was the origin of the breach. 

Mergers and acquisitions often involve transferring sensitive information between companies, creating opportunities for cybercriminals to exploit these transitions. An FBI report published in 2021 anticipated that cybercriminals would target organizations during "time-sensitive financial events," such as mergers and acquisitions, to extract sensitive information. On February 9, 2023, Leidos was notified of a second data leak, which triggered an investigation into a potential security breach. 

The investigation revealed that the compromised documents contained personal information. In response, Leidos offered two years of identity theft protection to allow affected individuals to protect themselves against identity theft. Leidos confirmed that the data leak was caused by an incident in 2023 that affected a third-party vendor. The company assured that all necessary notifications had been made in the past and emphasized that neither their network nor any sensitive customer data were impacted by the incident.

Hacker Subscription Service Exposes 600,000 Bank Card Details

 

A disturbing new hacker subscription service has emerged, offering access to 600,000 stolen bank card details for a fee of just £120. This service, identified by cybersecurity researchers from Flare, is named “Breaking Security” and allows its subscribers to exploit stolen bank card information for various illicit activities, including unauthorized transactions and identity theft. 

The service provides subscribers with detailed information about the compromised cards, including card numbers, expiration dates, and CVV codes. This data enables hackers to make online purchases or even clone the cards for physical transactions. The subscription service’s affordability and extensive database make it particularly dangerous, as it lowers the barrier for individuals seeking to engage in cybercrime. Flare’s researchers have highlighted the significant threat posed by Breaking Security, noting that such services are part of a growing trend in the cybercrime industry. These services make it easier for less technically skilled individuals to access sophisticated tools and data, leading to a rise in cybercrimes. 

The availability of such a service underscores the evolving nature of cyber threats and the increasing sophistication of criminal networks. Authorities are currently investigating Breaking Security to identify and apprehend the perpetrators behind the service. Law enforcement agencies are working to mitigate the impact on the affected individuals and prevent further exploitation of the stolen card data. The investigation is focused on tracking down the source of the data breach and the infrastructure supporting the subscription service. This incident highlights the critical importance of robust cybersecurity measures for both individuals and organizations. 

For individuals, it is crucial to regularly monitor bank statements for unauthorized transactions and to use security features such as two-factor authentication wherever possible. Organizations, on the other hand, must invest in comprehensive security solutions to protect sensitive data and detect breaches promptly. The emergence of Breaking Security also points to a broader issue within the cybercrime ecosystem. As long as there is a market for stolen data, cybercriminals will continue to find innovative ways to monetize their activities. 

This calls for a coordinated effort between law enforcement, cybersecurity experts, and financial institutions to dismantle such operations and safeguard against future threats. In conclusion, the discovery of the Breaking Security subscription service represents a significant threat to financial security and privacy. The service’s ability to provide extensive access to stolen bank card details for a relatively low cost is alarming. It underscores the need for enhanced vigilance and proactive measures to combat the growing menace of cybercrime. 

As investigations continue, it is essential for individuals and organizations to remain vigilant and take necessary steps to protect themselves from such sophisticated threats.

North Korean Hacker Group Kimsuky Deploys New Linux Malware 'Gomir' via Trojanized Software Installers

 

North Korean hacker group Kimsuky has unveiled a new Linux malware named "Gomir," a variant of the GoBear backdoor. This development marks a significant advancement in the group's cyber espionage tactics. Kimsuky, linked to North Korea’s military intelligence, the Reconnaissance General Bureau (RGB), has a history of sophisticated cyber attacks aimed primarily at South Korean entities. 

In early February 2024, researchers at SW2, a threat intelligence company, reported a campaign by Kimsuky involving trojanized versions of various software solutions. These included TrustPKI and NX_PRNMAN from SGA Solutions and Wizvera VeraPort. The primary targets were South Korean entities, and the malicious software delivered the Troll Stealer and Go-based Windows malware known as GoBear. 

Further investigation by Symantec, a Broadcom company, revealed that the same campaign also deployed a Linux variant of the GoBear backdoor, dubbed "Gomir." This new malware shares many similarities with its Windows counterpart, featuring direct command and control (C2) communication, persistence mechanisms, and support for executing a wide range of commands. Upon installation, Gomir checks the group ID value to determine if it runs with root privileges on the Linux machine. 

It then copies itself to /var/log/syslogd for persistence, creates a systemd service named ‘syslogd,’ and issues commands to start the service. Following these steps, the original executable is deleted, and the initial process is terminated. To ensure it runs on system reboot, the backdoor attempts to configure a crontab command by creating a helper file ('cron.txt') in the current working directory. If successful, the helper file is removed. Gomir supports 17 operations triggered by commands received from the C2 via HTTP POST requests. 

These operations include pausing communication with the C2 server, executing arbitrary shell commands, reporting the current working directory, probing network endpoints, and more. Notably, these commands are almost identical to those supported by the GoBear Windows backdoor, highlighting the malware's versatility and Kimsuky's ability to adapt its tools across different operating systems. Symantec researchers have pointed out that supply-chain attacks, such as trojanized software installers and fake installers, are a preferred attack method for North Korean espionage actors. 

The choice of software for trojanization seems to be carefully selected to maximize infection rates among South Korean targets. By compromising widely used software solutions, Kimsuky increases its chances of infiltrating targeted systems and exfiltrating valuable data. The implications of Kimsuky's activities are significant. By enhancing their malware capabilities and expanding their target range to include Linux systems, Kimsuky poses a heightened threat to organizations, particularly those in South Korea. 

The use of advanced malware like Gomir demonstrates the group's continuous evolution and sophistication in cyber espionage. Symantec's report on this campaign includes a set of indicators of compromise (IOCs) for multiple malicious tools observed, including Gomir, Troll Stealer, and the GoBear dropper. These IOCs are crucial for cybersecurity professionals to detect and mitigate the impact of these threats. 

As the digital landscape continues to evolve, the need for robust cybersecurity measures becomes ever more critical. Organizations, especially those in high-target regions like South Korea, must remain vigilant and proactive in their defense strategies. This includes regularly updating software, conducting thorough security assessments, and implementing comprehensive threat detection and response mechanisms. 

The emergence of Gomir and similar threats underscores the importance of international cooperation in combating cybercrime. By sharing intelligence and collaborating on cybersecurity initiatives, nations can better protect their critical infrastructure and sensitive data from sophisticated threat actors like Kimsuky.

Playdapp's $31M Token Heist and Silent Reward Controversy

 

In a surprising and concerning turn of events, the gaming world faced a significant security breach as Playdapp, a prominent gaming platform, fell victim to a cyber intrusion. The breach resulted in a hacker successfully minting tokens with an estimated worth of $31 million. Adding an intriguing twist to the incident, the gaming platform has chosen an unconventional approach by offering a reward for silence, sparking debates over transparency and cybersecurity practices. 
 
Playdapp, known for its interactive and immersive gaming experiences, recently faced a severe security breach. A cyber intruder managed to exploit vulnerabilities within the platform, orchestrating a complex attack that allowed them to mint tokens valued at an astonishing $31 million. The scale and sophistication of the breach have raised concerns not only within the gaming community but also across the broader cybersecurity landscape. 
 
The hacker responsible for the Playdapp breach successfully capitalized on the compromised security, minting tokens that hold substantial monetary value. This financial windfall poses not only an immediate threat to the platform but also highlights the potential long-term repercussions for both Playdapp and its user base. Adding an unusual twist to the narrative, Playdapp has opted to issue a reward for silence regarding the breach. 

This decision has sparked controversy and ignited discussions about the ethical considerations surrounding such incentives. Critics argue that this approach may compromise transparency and hinder the dissemination of crucial information that could benefit the broader cybersecurity community. As Playdapp grapples with the aftermath of the breach, the incident sheds light on the vulnerabilities prevalent in online gaming platforms. 

The industry, already a lucrative target for cybercriminals due to the value associated with in-game assets, now faces heightened scrutiny regarding the robustness of its security measures. The breach serves as a stark reminder for gaming platforms and other online services to reevaluate and fortify their cybersecurity protocols. 

With a surge in cyber threats targeting the gaming community, the need for robust defense mechanisms and proactive security measures has never been more apparent. Playdapp's decision to offer a reward for silence introduces an ethical quandary. While the platform may argue that such incentives are intended to protect users and prevent panic, critics contend that transparency is paramount in building trust. Striking a balance between safeguarding sensitive information and providing users with the transparency they deserve becomes a pivotal challenge in the aftermath of such breaches.

100,000 Most Hack-able Passwords and Tips to Steer Clear of Them!




Keeping a password is an essential requirement and it stands a high stand in keeping a person’s private life, Private.

The need emerges from the necessity of keeping your stuff (any sort) locked away from people who don’t need to see it and from people who got no business of seeing it.

Hence, looking and raking for that almost perfect password is super necessary. Especially with all these hackers and cyber-cons always round the corner.

One thing to always keep in mind is that if a password is even mildly easy for a user to keep in mind, it is super easy for a hacker to hack.

Per the UK’s Cyber Security Center Breach analysis, the password, “123456 was found to be used 23 million times during breaches.

That password was followed by a “12345678 in the list, which was found to be used around 7 million times in the breaches.

The most horrendously obvious password used are, “123456” and “password”.

Other passwords on the list were, “ashley”, “michael”, “qwerty” and “1111111”.

The following is the link to the top 100,000 most hack-able passwords.



A Few Tips!

1.    A strong password should have at least six characters which include a combination of upper cases, lower cases, symbols and number.

2.  If your passwords happen to match with the ones in the list change them as soon as possible.

3.  The very first step to take could be thinking of difficult to guess passwords by combining memorable plus random words.

4.  The more creative the password the safer the account it protects.


5.  Complexity is a must.

6.  Enforce strong password policy on every account possible.

7.   Check the password regularly and use 2FA (Factor Authentication) for major sites, accounts especially emails etc.

8.  All the passwords should be unique for all the different sites and accounts.

9.  All the default passwords must be changed because the IT department always has a list.

Other ways of protecting include using a password manager for less important websites and accounts.

Hidden for 5 years, complex ‘TajMahal’ spyware discovered

It's not every day that security researchers discover a new state-sponsored hacking group.

Spyware is inherently intriguing primarily because of the complexity that allows it to carry out its malicious plans, and breaking them down is something that security researchers have to do on a regular basis. However, a unique form of spyware with a phenomenal 80 different components and all kinds of tricks has been discovered by a group of analysts after it. Also, this spyware had been under wraps for more than five years.

A technically sophisticated cyberespionage framework that has been active since at least 2013 has been outed by security researchers.

In a recent talk at the Kaspersky Security Analyst Summit in Singapore, researcher Alexey Shumin shed light on the firm’s groundbreaking discovery of an adaptable Swiss Army spyware framework called TajMahal.

Security researchers still aren't sure who's behind the versatile TajMahal spyware—or how they went undetected for so long. ‘TajMahal’ modules and bundles functionality which have never been before seen in an advanced persistent threat, such as the ability to steal information from printer queues and to grab previously seen files from a USB device the next time it reconnects. And that unique spyware toolkit, Kaspersky says, bears none of the fingerprints of any known nation-state hacker group.

The 80 distinct modules include not just the standard ones like keylogging and screen-grabbing but also completely new tools.

TajMahal include two main packages: ‘Tokyo’ and ‘Yokohama’. Tokyo contains the main backdoor functionality, and periodically connects with the command and control servers.

TajMahal is a wonder to behold.

"Such a large set of modules tells us that this APT is extremely complex," Shulmin wrote in an email interview ahead of his talk, using the industry jargon—short for advanced persistent threat—to refer to a sophisticated hackers who maintain long-term and stealthy access to victim networks. "TajMahal is an extremely rare, technically advanced and sophisticated framework, which includes a number of interesting features we have not previously seen in any other APT activity. Coupled with the fact that this APT has a completely new code base—there are no code similarities with other known APTs and malware—we consider TajMahal to be special and intriguing."

Canadian Internet Registration Authority’s Car Parking System Struck By Ransomware!








Reportedly, CIRA’s car parking system was infected via a ransomware and was hacked into to let people park for free.


Canadian Internet Registration Authority is a gigantic internet domain which has 2.8 million, under its wings with a .ca domain.

The yet anonymous cyber-cons compromised CIRA’s car parking system, aiding people to park without getting their parking passes scanned.

Allegedly, some other company manages the car parking under CIRA.

Initially the cause which was thought to be a power failure or mechanical system crash, turned out to be a ransomware attack.



The database which was used by the car parking system for management was specifically compromised.

That very database also holds tens and tens of employee credit cards which if in wrong hands could wreak serious havoc.

After further analysis it was discovered that the ransomware in question could possibly be “Darma”.

This ransomware goes about infecting computers by way of RDP connections restricting to system that run on RDP (Remote Desktop Protocol) online.

These cyber-cons target the RDP protocol which runs on 3389. After performing a brute force attack they tried to harvest administrative credentials.


Later on an attempt at performing malicious activities on the system as made.

The silver lining happens to be that the stored card details would reclaim all the damage done by the free parking.

According to CIRA’s security survey, 37% of businesses don’t employ anti-malware protections.

CIRA also cited that they have no way whatsoever of knowing what sort of security measures are employed by the car parking in question.

Beto O’Rourke Was A Former Hacking Group Member In His Teen Days!




Beto O’Rourke, who’s better known for his candidature for the Democratic Presidential seat, has been revealed to be a part of an eminent hacking group in his teen days.


Recently in an interview for an upcoming book, O’Rourke confirmed that during his days in El Paso, he was a member of a hacking cult of the name, “Cult of the Dead Cow”.

His major tasks while in the group comprised of stealing long-distance phone service, participating stealthily in electronic discussions and related offenses.

While in the group he also took to writing online essays by the pen name of “Psychedelic Warlord”.

The essays ranged from fiction from the perspective of a killer to mocking a neo-Nazi.

According to the article, the ex-congressman was one of the most renowned former hackers of the American Politics.

The book goes by the name of “Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World.”

The book also encompasses the first-time mentions of the members of the aforementioned cult after they finally agreed to be named.

There is neither evidence nor insinuations as to Beto being a part of illegal hacking activities that deal with writing code or so.

The group in 1980s started getting known for hijacking others’ machines. It was all kind of controversial.

O’Rourke being a presidential candidate gets kind of in a shady side of the court with a past like this.

He was born to a high-up family in El Paso, but he also had played in a punk band before he started his small technology business and stepped into local politics.

O’Rourke’s national presence was enhanced when he defeated Texas Republican Sen. Ted Cruz during a Senate campaign.

On the brighter side, Beto’s involvement shows a profound sense of technological comprehension and a powerful will to change what’s not required.

iPhone hacking tool for sale on eBay

iPhones are renown for their security -- to the point that even law enforcement agencies have trouble accessing their contents. An Israeli firm, Cellebrite, became well-known when it transpired that hacking tools it made were used by the US government to crack locked iPhones and now its hacking tools are available to buy on eBay.

Cellebrite phone-cracking devices, beloved by law enforcement, are available at bargain-basement prices so you can get a gander at all the devices that the police have presumably been able to squeeze for data.

The Cellebrite Universal Forensic Extraction Device (UFED) is a smartphone hacking tool commonly used by the FBI, Department of Homeland Security and other law enforcement agencies in the US and elsewhere. It’s the most powerful tool yet created by the Israeli company, able to extract a huge amount of data – even data which has been deleted from phones.

Security researcher Matthew Hickey who is the co-founder of the training academy, Hacker House recently told Forbes that he’d picked up a dozen Cellebrite UFED devices for dirt cheap and probed them for data, which he found in spades.

For as little as $100-$1000, you can get your hands on a second-hand piece of Cellebrite equipment (a fraction of its usual selling price). For just a few Benjamins, you could get a Cellebrite UFED (Universal Forensic Extraction Device) and use it for whatever you might fancy.

A brand new one normally costs $5,000 to $15,000 depending on the model.

What surprised Hickey was that nobody bothered to wipe these things before dumping them onto eBay, he told Forbes:

“You’d think a forensics device used by law enforcement would be wiped before resale. The sheer volume of these units appearing online is indicative that some may not be renewing Cellebrite and disposing of the units elsewhere.”

Websites Including Ixigo Hacked, Leaving 127 Million Accounts Exposed For Sale






Over 127 million accounts were broken into from around 8 separate websites. This is the doing of a hacker who’d stolen records of 620 million people before.

The travel booking site “Ixigo” seems to be one of the major victims from which records were stolen.

Allegedly, these infamous records include the users’ names, email addresses, passwords and other personal details.

According to a research, 18 million user records were wrested from Ixigo and around 40 million were stolen from YouNow which is a live-video streaming site.

1.8 million accounts were wrested from Ge.tt and 57 million records were snatched off from Houzz.

Hakcer’s listings showed that an antiquated “MD5” hashing algorithm was applied to “scramble” passwords which are otherwise easy to “unscramble”.

It was claimed by the hacker themselves that they had user records from mainstream sites like MyFitnessPal and Animoto with declaring number of records to be 151 million and 25 million respectively.

Bitcoin currency of $20,000 could now be used in exchange for databases which make life easier for hackers, from the Dream Market cyber-souk in the Tor network.

The price is pretty hacker-pocket friendly. The major target audience for the deal seem to be spammers and credential stuffers.

These credentials could further be used to hack into other sites and wrest other user details.

The victimized websites have started alerting their users about the hazard and it would only be fit for the users to stay vigilant about it all.

The Return Of Trojan Poses Substantial Hacking Threat To Businesses!




The Trojan malware has returned with its infectious ransomware attacks with an aim to harvest banking credentials and personal and property related data.




Business organizations have come out to become the latest targets of this malware.



With long-term and insidious operations as ambition, the Trojan poses a lot of threat even to intellectual property.



In one of the new reports of one of the reputed security companies, it was mentioned that backdoor attacks against businesses with Trojans as back power have subsequently increased.



According to the aforementioned security lab, “Trojans” and “Backdoors” are different.



A Trojan is supposed to perform one function but ends up performing another and a Backdoor is a type of Trojan which enables a threat actor to access a system via bypassing security.



“Spyware” attacks have also consequentially risen. A spyware is a malware which aids gaining information on a device and sending it to a third party, stealthily.



This concept, of a spyware, sure is old but still is as efficacious as any other powerful malware and strictly works towards data exfiltration.



The “Emotet Trojan” has been considered to be behind the information stealing campaigns all round last year and in the beginning of this moth too.



This Trojan could move through networks, harvest data, and monitor networks. Also, it could easily infect systems by reproducing with no substantial effort at all.



Emotet is a self-sufficient danger which tends to spread onto compromised systems in addition to installing other malware on them.

The menacing behavior of TrickBot was also inferred upon by the aforementioned report, as it’s one of the by-products of Emotet.



The constantly evolving TrickBot daily gets updated with new abilities, stealing passwords and browser histories and harvesting sensitive data being a few of them.



Consultancy firms seem to be the primary targets of the Trojan. It is disposed towards harvesting more than just banking details and personal information.



Intellectual property is another thing which is a major point of concern for everyone now that the cyber-cons have stooped down to breaching walls using Trojans.



These tactics were thought to be really boring and old but have taken serious tosses and turns and have evolved into something genuinely perilous.



Businesses should stop under-estimating the attacks and keep a keen eye towards any potentiality of such attacks.

A Botnet Compromises 18,000 Huawei Routers




A cyber hacker, by the pseudonym Anarchy, claims to have made a botnet within 24 hours by utilizing an old vulnerability that has reportedly compromised 18, 000 routers of Chinese telecom goliath Huawei.

As indicated by a report in Bleeping Computer, this new botnet was first recognized in this current week by security researchers from a cyber-security organization called Newsky Security.

Following the news, other security firms including Rapid7 and Qihoo 360 Netlab affirmed the presence of the new danger as they saw an immense recent uptick in Huawei device scanning.
The botnet creator contacted NewSky security analyst and researcher Ankit Anubhav who believes that Anarchy may really be a notable danger who was already distinguished as Wicked.

The activity surge was because of outputs looking for devices that are vulnerable against CVE-2017-17215, a critical security imperfection which can be misused through port 37215. These outputs to discover the vulnerable routers against the issue had begun on 18 July.

While the thought processes have still not been clarified, the hacker revealed to Anubhav that they wished to make "the biggest and the baddest botnet in town...”
"It's painfully hilarious how attackers can construct big bot armies with known vulns," the security researcher later added.

The working endeavor code to compromise Huawei routers by utilizing this known defect was made public in January this year. The code was utilized as a part of the Satori and Brickerbot botnets, and also a series of variations which depended on the scandalous Mirai botnet, which is as yet going quite strong.