Hacking & Security

Pornbots – Sexual Barbies of the Future

InfoSec Institute Resources - 20 June, 2016 - 14:00

Introduction: Ever since the commercialization of the Internet, spammers and cyber crooks have used various techniques, including pornbots, to disseminate spam messages and commit fraud. Pornbots are computer programs that send automatic messages purporting to come from the users shown in pornographic photos. For example, an automatic message sent by a pornbot may read as follows: “Hi, […]

The post Pornbots – Sexual Barbies of the Future appeared first on InfoSec Resources.

Category: Hacking & Security

The tip of the iceberg: an unexpected turn in the xDedic story

Kaspersky Securelist - 20 June, 2016 - 13:32

Introduction

Last week we reported on the xDedic underground marketplace that facilitated the selling and buying of access to compromised RDP servers. We counted over 70,000 hacked server accounts from 173 countries for sale on the marketplace. After the public announcement the xDedic website very quickly went offline, thanks to the cooperation of several major ISPs. However, it seems that this was not the end of the story.

The day after the announcement, an anonymous source from a Lithuanian IP address posted an unusual comment on our blog using the alias “AngryBirds.”

We usually take such comments with a pinch of salt and generally don’t pay too much attention to comments with strange links. However, this time the links pointed to a series of pastes on the popular resource Pastebin, which in turn contained long lists of IP addresses and date information.

One such paste contains about 19,000 records. The author of the comment mentioned that the list of pastes is related to hacked servers from the xDedic marketplace. At first glance it looked real – the earliest date was close to the time when the first servers were listed on xDedic (according to our records the first server was added in November 2014). However, we were slightly sceptical and decided to validate the list before making use of it. With this blogpost we share the results of that validation and our thoughts on the data we received.

We have collected and concatenated all the pastes in one list: it contains around 176,000 unique records from October 2014 to February 2016.

Validation Challenge

The first problem we faced is that we didn’t have full IP addresses from the xDedic marketplace, because the marketplace revealed only the first two octets of each IP. We had some data from the sinkhole, but this was just part of the full xDedic dataset and related to the operation of a single criminal (group) relying on the SSCLIENT backdoor that we managed to sinkhole. The problem becomes even worse when you consider the fact that our sinkhole data starts at the end of March 2016 while the Pastebin dataset ends at the end of February 2016. Theoretically, this means we cannot provide a strong validation of the submitted data. Nevertheless, we decided to do our best.

One way of comparing the datasets was to check the correlation between the numbers of servers added monthly, so we combined them into one chart, seen below:

The orange bars show the number of servers added to the marketplace while the blue bars show the IPs found on Pastebin. There is a weak but still recognizable correlation between the two datasets starting from June 2015. We have no solid theory as to why this began in June 2015, but one thought is that the developers of xDedic introduced a major change to the platform code around that time which somehow affected the server information displayed.

Another check we did was to see how much the Pastebin dataset overlaps with our data from the sinkhole. As mentioned above, the sinkhole data started coming in at the end of March 2016 while Pastebin data ends in February, leaving a one month gap between the two datasets. However, we should still see an element of overlap considering that some servers could have been resold on the marketplace. And so it turned out: 1,303 unique IP addresses were found both in our sinkhole data and in the Pastebin data.

Next, we decided to check how many of the reported IP addresses from the Pastebin dataset were RDP servers. So we simply scanned known IPs for the most popular RDP ports. The results were quite impressive: 71,784 IPs had the RDP service running on port range 3300-3400 (most of them were on standard port 3389).

Finally, we decided to compare the list of subnets, based on the first two octets we had from the marketplace before March 2016 and check to see if these subnets were part of the Pastebin data too. The results were astonishing:

Subnets from marketplace before March ’16:   8,721
Subnets that matched Pastebin dataset:       8,718

There were only three IPs (subnets) on the marketplace which didn’t make it into the Pastebin dump. We checked those and found that they were added on 29 February 2016. We assume that these three IPs (subnets) were added at the end of that day, right after the Pastebin dump ended.
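The validation steps above (monthly counts for correlation, overlap with sinkhole IPs, and /16-prefix coverage from the first two octets shown on the marketplace) are easy to reproduce on any leaked list of the same shape. The script below is an added example written for this post, not Kaspersky’s own tooling; the paste text, marketplace prefixes and sinkhole IPs in it are constructed from documentation ranges purely for illustration, and it assumes the pastes are simple "ip date" lines.

```python
"""Validation checks for a leaked list of compromised-server IPs.

Added example (not Kaspersky's own tooling). It reproduces the three checks
the post describes on a small constructed dataset:
  1. monthly counts of records, for correlation against marketplace listings;
  2. overlap with a set of IPs already known from a sinkhole;
  3. whether every /16 prefix ("first two octets") seen on the marketplace
     also appears in the leaked list.
All IPs, dates and prefixes below are constructed for illustration.
"""
import ipaddress
from collections import Counter
from datetime import datetime

# Constructed sample in the "ip date" shape assumed for the pastes:
# one exact duplicate and one malformed line are included on purpose.
PASTE_TEXT = """\
198.51.100.7 2014-11-03
198.51.100.7 2014-11-03
203.0.113.25 2015-06-14
203.0.113.80 2015-06-20
192.0.2.44 2015-07-02
198.51.100.200 2016-02-28
not-an-ip 2016-02-29
"""

# Constructed marketplace prefixes: the marketplace showed only the first two octets.
MARKETPLACE_PREFIXES = ["198.51.*.*", "203.0.*.*", "192.0.*.*", "100.64.*.*"]

# Constructed sinkhole IPs (addresses that actually called back to a sinkhole).
SINKHOLE_IPS = {"203.0.113.25", "100.64.1.1"}


def parse_paste(text):
    """Parse 'ip date' lines; drop malformed lines and exact duplicates, keep order."""
    seen = set()
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        ip_str, date_str = parts
        try:
            ip = ipaddress.IPv4Address(ip_str)          # rejects junk like "not-an-ip"
            day = datetime.strptime(date_str, "%Y-%m-%d").date()
        except ValueError:
            continue  # malformed IP or date
        key = (str(ip), day)
        if key in seen:
            continue  # the post counts unique records only
        seen.add(key)
        records.append(key)
    return records


def first_two_octets(ip_str):
    """'198.51.100.7' -> '198.51', the granularity the marketplace exposed."""
    return ".".join(ip_str.split(".")[:2])


def monthly_counts(records):
    """Count records per calendar month, keyed 'YYYY-MM', for the bar-chart comparison."""
    return Counter(day.strftime("%Y-%m") for _, day in records)


def sinkhole_overlap(records, sinkhole_ips):
    """IPs present in both the leaked list and the sinkhole data."""
    return {ip for ip, _ in records} & set(sinkhole_ips)


def prefix_coverage(marketplace_prefixes, records):
    """Return (matched, unmatched) marketplace /16 prefixes against the leaked list."""
    leaked = {first_two_octets(ip) for ip, _ in records}
    wanted = {p.replace(".*.*", "") for p in marketplace_prefixes}
    matched = wanted & leaked
    return sorted(matched), sorted(wanted - matched)


if __name__ == "__main__":
    recs = parse_paste(PASTE_TEXT)
    print(len(recs), "unique records")
    print(dict(monthly_counts(recs)))
    print("sinkhole overlap:", sinkhole_overlap(recs, SINKHOLE_IPS))
    print("prefix coverage (matched, unmatched):", prefix_coverage(MARKETPLACE_PREFIXES, recs))
```

On the constructed sample, the unmatched prefix `100.64` plays the role of the three marketplace subnets that were added after the dump ended; on a real list the unmatched set is what you would inspect by hand, as the post does.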

Aftermath

We sorted the Pastebin IPs by the country they belong to and got a different picture compared to what we saw previously. Here is the new TOP 10 (countries new to the TOP 10 are marked with an asterisk):

Marketplace TOP 10
#    Country         Compromised Servers
1    Brazil          6,540
2    China           5,023
3    Russia          4,020
4    India           3,488
5    Spain           3,155
6    Italy           3,119
7    France          2,474
8    Australia       2,448
9    South Africa    2,438
10   Malaysia        2,140

Pastebin TOP 10 (NEW)
#    Country           Compromised Servers
1    USA *             60,081
2    United Kingdom *  8,817
3    Brazil            8,770
4    Canada *          6,112
5    France            5,973
6    Spain             5,954
7    Australia         5,855
8    Russia            5,608
9    Italy             5,536
10   Germany *         4,988

If we compare visually what we saw on the marketplace and on Pastebin:

Interestingly, the USA and the UK, ranked by the number of servers hosted there, jump into the TOP 10 to take first and second place respectively. Also, Canada and Germany now appear in the TOP 10. This may make more sense when you consider that the marketplace data concerns only unsold offerings, while the huge Pastebin dataset could reflect a more realistic picture of all compromised servers. This suggests that the source of the data is either high-frequency monitoring of the xDedic marketplace (with access to full IP information) or someone with advanced access to the backend (be it a hosting provider or one of the developers). Meanwhile our charts from the sinkhole also had the USA, the UK and Germany in the TOP 10, which supports the view that the real picture should have these major countries in the TOP 10.

Extra Note

In our earlier report we mentioned that the average server on the xDedic marketplace cost around $7-8 USD. However, many journalists asked us: “What was the most expensive server for sale on xDedic?”

When we looked at the data again we saw one server that cost $6,000 USD. In fact, only around 50 servers cost more than $50 USD, and all of them were located in the USA, from Alaska to Florida. The TOP 10 most expensive servers on xDedic marketplace were offered by a single criminal (group) with the alias “Narko“:

Subnet        State            City          OS              Date        Price, USD
72.69.*.*     Illinois         Chicago       Windows 7       03.04.2016  $6,000
50.195.*.*    Massachusetts    New Bedford   Windows 7       12.05.2016  $4,000
173.10.*.*    Washington       Bellevue      Server 2012 R2  29.04.2016  $4,000
162.233.*.*   Mississippi      Lucedale      Windows 7       05.04.2016  $4,000
104.57.*.*    Oklahoma         Stratford     Windows 7       10.05.2016  $4,000
97.87.*.*     Michigan         Davison       Windows 7       24.12.2015  $2,500
50.255.*.*    Michigan         Ypsilanti     Server 2012 R2  18.03.2016  $2,000
108.58.*.*    New York         Hicksville    Server 2008 R2  11.04.2016  $2,000
74.124.*.*    North Carolina   Randleman     Windows 7       18.04.2016  $1,500
24.178.*.*    Georgia          Gainesville   Windows 7       08.04.2016  $1,500

We can only speculate as to why these servers cost more than others, but there is no objective way to find their exact IPs because they were added to xDedic after the period covered by the Pastebin dataset.

Conclusions

If we consider the newly obtained Pastebin data as authentic this can help many organizations, companies and individuals to identify compromised servers they own. For us it was yet another confirmation that when it comes to cybercrime, we often see just the tip of the iceberg. The reason why the xDedic marketplace looked smaller to the buyer is because the most desirable servers were often sold almost as soon as they were added to marketplace, leaving only the least interesting and unwanted servers for sale.

After all the analysis we still have many questions:

  • Where does the data come from?
  • Why does the dataset from Pastebin not include more data from March to June 2016? That would make validation far easier.
  • How many of these IPs are still compromised now?

What we can tell for sure is that the Pastebin dataset:

  • Matches the timeline of the xDedic operation.
  • Contains the IPs of many RDP servers.
  • Contains many IPs of known compromised RDP servers.
  • Shows a correlation with the dynamics of the xDedic marketplace offering.
  • Contains 100% of the subnetworks we saw on the xDedic marketplace within the same timeframe.

In any case, whatever unanswered questions remain, it makes sense for the system administrators of the listed IP addresses to check carefully for a potential past compromise of their servers.

Since much of this information has already become public through the open comment on our blog post, we are releasing for national CERTs a full combined list of IPs with country code based on the GeoIP.

On the assumption that the Pastebin data provided by AngryBirds is genuine, we would like to say a formal thank you for sharing this data with us. However, there is one thing that can be improved next time, namely responsible disclosure. Making this data fully public may encourage other criminals to attack easy targets or result in the undeserved public shaming of administrators who run currently secure systems.

Had we received this information via a private channel (email, private URL, etc.), we would have been happy to relay it to CERTs and local authorities of affected countries via our established channels and partners. So we would ask that in future those who respond to our research refrain from dumping such data into the public domain. Thank you!

A full combined list of IPs with country code based on the GeoIP (.csv file)

Hacker Breaks into Political Party's Video Conference System; Could Spy, too!

The Hacker News - 20 June, 2016 - 12:46
A critical flaw in the video conferencing software of the Quebec Liberal Party (PLQ) − a Canadian federalist provincial political party − allowed a user to spy on and hear the strategy discussions of the party at its premises and even access the live video camera feeds. But luckily, the unknown white hat hacker who discovered the flaw alerted the PLQ staff of the security issue, showing them
Category: Hacking & Security

New RAA ransomware is written in JavaScript

Zive.cz - security - 20 June, 2016 - 12:41
RAA does not spread as a typical executable file in an e-mail attachment. You receive a document with a genuine .JS extension, which Windows runs through the built-in Windows Scripting Host. Credit for the discovery and analysis goes to Benkow and JamesWT. Thanks to the CryptoJS library it can encrypt the contents with AES ...
Category: Hacking & Security

Acer servers targeted by attack. Pirates obtained users’ payment card data

Novinky.cz - security - 20 June, 2016 - 12:15
Computer pirates carried out an attack on the servers of Acer in the USA in recent months. It was successful, and the cybercriminals thus got hold of confidential data about customers of this computing giant. Among the data are payment card details, which the pirates can easily abuse. The Neowin site reported this.
Category: Hacking & Security

Five signs an attacker is already in your network

LinuxSecurity.com - 20 June, 2016 - 11:44
LinuxSecurity.com: According to some estimates, attackers have infiltrated 96% of all networks, so you need to detect and stop them before they have time to escalate privileges, find valuable assets and steal data.
Category: Hacking & Security

5 things you should know about password managers

LinuxSecurity.com - 20 June, 2016 - 11:40
LinuxSecurity.com: New data breaches are coming to light almost weekly and they reveal a simple but troubling fact: many people still choose weak passwords and reuse them across multiple sites. The reality is, remembering dozens of complex passwords is almost impossible, and carrying them around on a scrap of paper that you have to keep updating is a huge hassle. That's why password managers exist. Here's why they're important, and how to get the most out of them.
Category: Hacking & Security

Hack sends cryptocurrency Ether plunging into the abyss

LinuxSecurity.com - 20 June, 2016 - 11:37
LinuxSecurity.com: The Decentralized Autonomous Organization (DAO) has admitted becoming the victim of a cyberattack in which an attacker was able to drain the platform of the cryptocurrency Ether.
Category: Hacking & Security

Monday review – the hot 20 stories of the week

Sophos Naked Security - 20 June, 2016 - 11:06
From the BadTunnel vulnerability to patching Adobe Flash (have you done that yet?) - catch up with everything we wrote in the last seven days. It's weekly roundup time!

Hack the Pentagon: 138 bugs in government systems, rewards in the tens of thousands

Zive.cz - security - 20 June, 2016 - 10:14
At the beginning of April we wrote about the Hack the Pentagon program, which was meant to test the security of the government systems of the US Department of Defense. From 18 April to 12 May, interested participants were given the chance to hunt for bugs in return for a promised reward. In the end, 1,410 specialists took part in the event, who together ...
Category: Hacking & Security

Customer data, including payment card numbers, leaked from Acer servers

Zive.cz - security - 20 June, 2016 - 10:03
Acer announced that its servers have been targeted by hackers. The attacks lasted almost a year, with the attackers taking customer information as well as payment card numbers. Neowin.net drew attention to the threat. According to the preliminary results of the investigation, an unknown hacker group had access to the company’s systems in ...
Category: Hacking & Security

News Flash: the “Ohdearnotagain” vulnerability [Chet Chat Podcast 242]

Sophos Naked Security - 20 June, 2016 - 01:14
Enjoy our latest podcast with Sophos experts John Shier and Paul Ducklin as they take wittily serious aim at the latest security news.

Hackers found 138 security holes in the Pentagon’s network

Novinky.cz - security - 18 June, 2016 - 08:38
The US Department of Defense decided to test the security of its network and other computer systems in a very unconventional way. It held a competition in which hackers could compete to see who would find the most security holes. And there were certainly plenty of them…
Category: Hacking & Security

Google’s Android Rewards Program Pays Out Half Million in First Year

Threatpost - 17 June, 2016 - 20:40
Google announced that it paid just north of half a million dollars to security researchers as part of the first year of its Android Security Rewards program.
Category: Hacking & Security

The Pirate Bay Founder Ordered to Pay $395,000 Fine in Lawsuit he didn't even know about

The Hacker News - 17 June, 2016 - 18:19
One of the founders of notorious file-sharing website The Pirate Bay has been ordered to pay a fine worth nearly US$400,000 to several major record labels after their content was shared illegally via the platform. The penalty has been imposed on The Pirate Bay co-founder Peter Sunde by a court in Helsinki, Finland. Interestingly, Sunde, who already left the notorious file sharing site in
Category: Hacking & Security

Threatpost News Wrap, June 17, 2016

Threatpost - 17 June, 2016 - 17:15
Mike Mimoso and Chris Brook discuss the news of the week, including a password issue at GitHub, the xDedic marketplace, and another Flash zero day.
Category: Hacking & Security

Breached Credentials Used to Access Github Repositories

Threatpost - 17 June, 2016 - 17:01
Password reuse strikes GitHub users, some of whom will have to reset their credentials after unauthorized attempts were made to access a large number of GitHub accounts.
Category: Hacking & Security

Flash zero-day fix is out, get it ASAP

Sophos Naked Security - 17 June, 2016 - 16:55
Flash 0-day! To misquote Yogi Berra, it's like déjà vu all over again all over again...

Adobe Update Plugs Flash Player Zero-Day

Krebs on Security - 17 June, 2016 - 16:40

Adobe on Thursday issued a critical update for its ubiquitous Flash Player software that fixes three dozen security holes in the widely-used browser plugin, including at least one vulnerability that is already being exploited for use in targeted attacks.

The latest update brings Flash to v. 22.0.0.192 for Windows and Mac users alike. If you have Flash installed, you should update, hobble or remove Flash as soon as possible.

The smartest option is probably to ditch the program once and for all and significantly increase the security of your system in the process. I’ve got more on that approach (as well as slightly less radical solutions) in A Month Without Adobe Flash Player.

If you choose to update, please do it today. The most recent versions of Flash should be available from this Flash distribution page or the Flash home page. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (e.g. Firefox or Opera). Chrome and IE should auto-install the latest Flash version on browser restart (I had to manually check for updates in Chrome and restart the browser to get the latest Flash version).

For some reason that probably has nothing to do with security, Adobe has decided to stop distributing direct links to its Flash Player software. According to the company’s Flash distribution page, on June 30, 2016 Adobe will decommission direct links to various Flash Player downloads. This will essentially force Flash users to update the program using its built-in automatic updates feature (which sometimes takes days to notice a new security update is available), or to install the program from the company’s Flash Home page — a download that currently bundles McAfee Security Scan Plus and a product called True Key by Intel Security.

Anything that makes it less likely users will update Flash seems like a bad idea, especially when we’re talking about a program that often needs security fixes more than once a month.

Category: Hacking & Security

Guest editorial: The DNC hack and dump is what cyberwar looks like

Ars Technica - 17 June, 2016 - 16:20

(credit: Erik (HASH) Hersman)

Dave Aitel is CEO of Immunity Inc., an offensive security firm that consults for Fortune 500s and government agencies. He is a former "security scientist" for the NSA and a past contractor for DARPA's Cyber Fast Track program. His firm specializes in vulnerability research, penetration testing and network testing tools. His views don't necessarily reflect the opinions of Ars Technica.

What occurred with the recently disclosed breach of the Democratic National Committee servers, and the dumping of stolen data on a WordPress site, is more than an act of cyber espionage or harmless mischief. It meets the definition of an act of cyberwar, and the US government should respond as such.

The claims by “Guccifer 2.0”—that a lone hacker carried out this attack—are not believable. Of course, anything is possible, but the attack looks to be an operation conducted by Russian intelligence services. Had this been a “normal” operation—that is, covert intel gathering by Russia's Foreign Intelligence Service or any other foreign intelligence service (as the Chinese have done in past election seasons)—it would be business as usual. To be honest, the US government would not really be justified in denouncing it, as it does the same thing. But what makes this attack very different—and crosses the line—is the Russian team’s decision to dump the Clinton campaign’s opposition strategy on the public Web, presumably for the dual purpose of both spreading misinformation about the party responsible for the breach and interfering with the Clinton campaign.


Category: Hacking & Security
Syndicate content