is an internet portal focused on computer security, hacking, anonymity, computer networks, programming, encryption, exploits, Linux and BSD systems. It runs many interesting services and supports its fans in interesting projects.

XPan, I am your father

Kaspersky Securelist - 12 min 46 sec ago

While we have previously written on the now infamous XPan ransomware family, some of its variants are still affecting users primarily located in Brazil. Harvesting victims via weakly protected RDP (Remote Desktop Protocol) connections, criminals are manually installing the ransomware and encrypting any files which can be found on the system.

Interestingly, this XPan variant is not necessarily new in the malware ecosystem. However, someone has chosen to keep on infecting victims with it, encouraging security researchers to hunt for samples related to the increasing number of incident reports. This sample is what could be considered as the “father” of other XPan ransomware variants. A considerable amount of indicators within the source code depict the early origins of this sample.

“Recupere seus arquivos aqui.txt”, loosely translated as “recover your files here”, is a phrase that not many Brazilian users are eager to see on their desktops.

The ransomware author left a message for Kaspersky in other versions and has done the same in this one. With traces to the NMoreira “CrypterApp.cpp”, there’s a clear link between different variants among this malware family.

NMoreira, XPan, TeamXRat, different names but same author.

Even though many Brazilian-Portuguese strings are present upon initial analysis, there were a couple that caught our attention. Firstly, the ransomware uses a batch file which passes a command line parameter to an invoked executable file; this parameter is “eusoudejesus”, which means “I’m from Jesus”. Developers tend to leave tiny breadcrumbs of their personality behind in each one of their creations, and in this sample we found many of them.

A brief religious reference found in this XPan variant.

Secondly, there is a reference to a Brazilian celebrity, albeit an indirect one. “Computador da Xuxa” was a toy computer sold in Brazil during the nineties; however, it’s also a popular expression used to make fun of very old computers with limited power.

This is what cybercriminals think of your encrypted computer: just a toy they can control.

“Muito bichado” equates to finding a lot of problems in this type of system, in this case meaning that the environment in which XPan is executing is not playing fair and the execution is quite buggy.

Lastly, we have the ransomware note demanding the victim to send an email to the account ‘’. Considering that the extension for all the encrypted files in this variant is ‘.one’ this seems like a pretty straightforward naming convention for the criminals’ campaigns.

The rescue note in Portuguese.

Upon closer inspection, we discovered that this sample is nearly identical to another version of Xpan which used to be distributed back in November 2016 and used the extension “.__AiraCropEncrypted!”. Every bit of executable code remains the same, which is quite surprising, because since that time there were several newer versions of this malware with an updated encryption algorithm. Both samples have the same PE timestamp dating back to the 31st of October 2016.

The only difference between the two is the configuration block which contains the following information:

  • list of target file extensions;
  • ransom notes;
  • commands to execute before and after encryption;
  • the public RSA key of the criminals.

The decrypted configuration block of Xpan that uses the extension “.one”.

The file encryption algorithm also remains the same. For each target file the malware generates a new unique 255-byte random string S (which contains the substring “NMoreira”), turns it into a 256-bit key using the API CryptDeriveKey, and proceeds to encrypt the file contents using AES-256 in CBC mode with zero IV. The string S will be encrypted using the criminals’ RSA public key from the configuration block and stored at the beginning of the encrypted file.

According to one of the victims that contacted us, criminals were asking for 0.3 bitcoin to provide the recovery key, using the same approach as they did before: the user sends a message to a mailbox with his unique ID and patiently awaits further instructions.

The victims so far are small and medium businesses in Brazil: ranging from a dentist clinic to a driving school, demonstrating once again that ransomware makes no distinctions and everyone is at risk. As long as there are victims, assisting them and providing decryption tools whenever possible is necessary, no matter the ransomware family or when it was created.

Victims: we can help

This time luck is on the victims’ side! Upon thorough investigation and reverse engineering of the sample of the “.one” version of Xpan, we discovered that the criminals used a vulnerable cryptographic algorithm implementation. It allowed us to break encryption as with the previously described Xpan version.

We successfully helped a driving school and a dentist clinic to recover their files for free and as usual we encourage victims of this ransomware to not pay the ransom and to contact our technical support for assistance in decryption.

Brazilian cybercriminals are focusing their efforts on creating new and local ransomware families, attacking small companies and unprotected users. We believe this is the next step in the ransomware fight: going from global scale attacks to a more localized scenario, where local cybercriminals will create new families from scratch, in their own language, and resort to RaaS (Ransomware-as-a-service) as a way to monetize their attacks.

MD5 reference

dd7033bc36615c0fe0be7413457dccbf – Trojan-Ransom.Win32.Xpan.e (encrypted file extension: “.one”)
54217c1ea3e1d4d3dc024fc740a47757 – Trojan-Ransom.Win32.Xpan.d (encrypted file extension: “.__AiraCropEncrypted!”)

Monday review – the hot 18 stories of the week

Sophos Naked Security - 39 min 29 sec ago
From Burger King's Google Home trigger and how tech scammers have made millions to the many vulnerabilities found in Linksys routers, & more!

Artificial intelligence may still be in its infancy, but we are already ceasing to understand how it actually works. That is a problem - security - 1 hour 22 min ago
Although the development of neural networks and machine learning is still in its early days, scientists are already slowly starting to talk about the black box phenomenon. In short, we are ceasing to understand what the hell is actually going on inside machine learning. Neural networks are thus truly a kind of black box, which ...
Category: Hacking & Security

Russia spied on e-mails of Danish army personnel - security - 2 hours 16 min ago
Using a group of hackers, Russia penetrated the systems of the Danish military and in 2015 and 2016 had access to the e-mails of some of its members. The Danish newspaper Berlingske reported this on Sunday, citing Danish Defence Minister Claus Hjort Frederiksen.
Category: Hacking & Security

Insidious Karmen: Even your grandmother could operate this ransomware - security - 23 April, 2017 - 19:00
** How hard is it to launch a ransomware campaign? ** Karmen resembles a CRM system more than malware ** Anyone can find their way around the web interface
Category: Hacking & Security

Leaked NSA Hacking Tools Being Used to Hack Thousands of Vulnerable Windows PCs

The Hacker News - 22 April, 2017 - 17:13
Script kiddies and online criminals around the world have reportedly started exploiting NSA hacking tools leaked last weekend to compromise hundreds of thousands of vulnerable Windows computers exposed on the Internet. Last week, the mysterious hacking group known as Shadow Brokers leaked a set of Windows hacking tools targeting Windows XP, Windows Server 2003, Windows 7 and 8, and Windows
Category: Hacking & Security

SMSVova Spyware Hiding in ‘System Update’ App Ejected From Google Play Store

Threatpost - 22 April, 2017 - 14:00
An Android app that falsely claimed to be a tool for keeping smartphones up-to-date with the latest version of the OS was found surreptitiously tracking the physical location of its users using spyware called SMSVova.
Category: Hacking & Security

US Court Sentences Russian Lawmaker's Son to 27 Years in Jail for Hacking

The Hacker News - 22 April, 2017 - 12:25
The son of a prominent Russian lawmaker was sentenced on Friday by a US federal court to 27 years in prison after being convicted of stealing millions of US credit card numbers and causing some $170 million in damages to businesses and individuals. This sentence is so far the longest sentence ever imposed in the United States for a hacking-related case. Roman Valeryevich Seleznev, 32, the
Category: Hacking & Security

US court sends Russian hacker to prison for 27 years - security - 22 April, 2017 - 11:37
A court in Seattle, USA, on Friday sent Russian hacker Roman Seleznev to prison for 27 years; through online credit card theft and other online fraud he caused damages of 169 million dollars (4.2 billion Czech crowns). According to American lawyers, it is the highest sentence handed down so far in the USA for similar crimes.
Category: Hacking & Security

Russian man gets longest-ever US hacking sentence, 27 years in prison

Ars Technica - 22 April, 2017 - 02:19

Images of Seleznev with stacks of cash were found on his laptop following his 2014 arrest in the Maldives. (credit: Department of Justice)

Russian hacker Roman Seleznev was sentenced to 27 years in prison today. He was convicted of causing more than $169 million in damage by hacking into point-of-sale computers.

Seleznev, aka "Track2," would hack into computers belonging to both small businesses and large financial institutions, according to prosecutors. He was arrested in the Maldives in 2014 with a laptop that had more than 1.7 million credit card numbers. After an August 2016 trial, Seleznev was convicted on 38 counts, including wire fraud, intentional damage to a protected computer, and aggravated identity theft.

The sentence is quite close to the 30 years that the government asked for. Prosecutors said Seleznev deserved the harsh sentence because he was "a pioneer" who helped grow the market for stolen credit card data and because he "became one of the most revered point-of-sale hackers in the criminal underworld."

Category: Hacking & Security

>10,000 Windows computers may be infected by advanced NSA backdoor

Ars Technica - 21 April, 2017 - 22:12

A script scanning the Internet for computers infected by DoublePulsar. On the left, a list of IPs Shodan detected having the backdoor installed. On the right are pings used to manually check if a machine is infected. (credit: Dan Tentler)

Security experts believe that tens of thousands of Windows computers may have been infected by a highly advanced National Security Agency backdoor. The NSA backdoor was included in last week's leak by the mysterious group known as Shadow Brokers.

DoublePulsar, as the NSA implant is code-named, was detected on more than 107,000 computers in one Internet scan. That scan was performed over the past few days by researchers from Binary Edge, a security firm headquartered in Switzerland. Binary Edge has more here. Separate mass scans, one done by Errata Security CEO Rob Graham and another by researchers from Below0day, detected roughly 41,000 and 30,000 infected machines, respectively. To remain stealthy, DoublePulsar doesn't write any files to the computers it infects. This design prevents it from persisting after an infected machine is rebooted. The lack of persistence may be one explanation for the widely differing results.


Category: Hacking & Security

Skype Fixes ‘SPYKE’ Credential Phishing Remote Execution Bug

Threatpost - 21 April, 2017 - 22:00
Microsoft fixed a bug in Skype last month that could have allowed an attacker to execute code on the system it was running on, phish Skype credentials and crash the application.
Category: Hacking & Security

News in brief: Google Home gets smarter; Hackers target South Korean missiles; Harry Huskey dies

Sophos Naked Security - 21 April, 2017 - 19:56
Your daily round-up of some of the other stories in the news

Multiple security holes discovered in Linksys routers

Sophos Naked Security - 21 April, 2017 - 19:55
As with every router vulnerability, a key issue is, “How many owners will hear about the issue and bother to update?”

Researchers claim China trying to hack South Korea missile defense efforts

Ars Technica - 21 April, 2017 - 17:33

South Korea is deploying Lockheed Martin's THAAD missile defense system, and that's sparked the ire of the Chinese government, as well as military and "hacktivist" hacking groups, according to FireEye. (credit: US Army)

Chinese government officials have been very vocal in their opposition to the deployment of the Terminal High-Altitude Air Defense (THAAD) system in South Korea, raising concerns that the anti-ballistic missile system's sensitive radar sensors could be used for espionage. And according to researchers at the information security firm FireEye, Chinese hackers have transformed objection to action by targeting South Korean military, government, and defense industry networks with an increasing number of cyberattacks. Those attacks included a denial of service attack against the website of South Korea's Ministry of Foreign Affairs, which the South Korean government says originated from China.

FireEye's director of cyber-espionage analysis John Hultquist told the Wall Street Journal that FireEye had detected a surge in attacks against South Korean targets from China since February, when South Korea announced it would deploy THAAD in response to North Korean missile tests. The espionage attempts have focused on organizations associated with the THAAD deployment. They have included "spear-phishing" e-mails carrying attachments loaded with malware along with "watering hole" attacks that put exploit code to download malware onto websites frequented by military, government, and defense industry officials.

FireEye claims to have found evidence that the attacks were staged by two groups connected to the Chinese military. One, dubbed Tonto Team by FireEye, operates from the same region of China as previous North Korean hacking operations. The other is known among threat researchers as APT10, or "Stone Panda"—the same group believed to be behind recent espionage efforts against US companies lobbying the Trump administration on global trade. These groups have also been joined in attacks by two "patriotic hacking" groups not directly tied to the Chinese government, Hultquist told the Journal—including one calling itself "Denounce Lotte Group" targeting the South Korean conglomerate Lotte. Lotte made the THAAD deployment possible through a land swap with the South Korean government.

Category: Hacking & Security

Threatpost News Wrap, April 21, 2017

Threatpost - 21 April, 2017 - 17:20
Last Friday's ShadowBrokers dump, Microsoft ditching passwords, and a new car dongle hack are all discussed.
Category: Hacking & Security

Google Pleads for Better Cross-Border Exchange of Digital Evidence

Threatpost - 21 April, 2017 - 16:30
Google asked for MLAT reform, and released its biannual Transparency Report revealing it received a record number of government requests for user data.
Category: Hacking & Security