This month: Cloudflare repelled a record DDoS attack, the AlphaBay marketplace shut down in 2017 is back online, a disgruntled hacker leaked training materials from the Conti hack group, a dangerous bug was fixed in the Steam wallet, carders published millions of bank card details for advertising purposes, and other interesting events.
LEAKED NO FLY LIST
A copy of the list of the FBI Terrorist Screening Center (TSC) has leaked to the network. The database contains 1.9 million records, including the secret No Fly List, that is, a list of persons who should not be allowed onboard aircraft.
The TSC base, run by the FBI, was established in 2003 following the September 11 terrorist attacks. It contains the names and personal details of individuals who are “known or reasonably suspected of involvement in terrorist activities.” Although the base is operated by the FBI, the agency provides access to several US government agencies, including the Department of State, Department of Defense, Transportation Security Administration, Customs and Border Protection, and international law enforcement.
Although the database contains data on suspected terrorism, in the US it is better known as the No Fly List, a list that is mainly used by US authorities and international airlines to allow or deny entry to the US.
The very existence of the TSC base has been kept secret for over a decade, but in recent years, authorities have begun to notify US citizens that they have been added to the No Fly List.
Now the Security Discovery company and the well-known information security expert Bob Dyachenko report that a copy of this database was seen on the network at an IP address in Bahrain.
“The discovered Elasticsearch cluster contained 1.9 million records. I don’t know which part of the TSC list it was keeping, but it seems the whole list was revealed. In the wrong hands, this list can be used to harass or persecute people on the list or their families. This can cause many personal and professional problems for innocent people whose names [for some reason] were included in the list,” the specialist writes.
Information on the list includes:
- full name;
- ID in TSC;
- date of birth;
- passport ID;
- country of issue of the passport;
- No Fly status.
Dyachenko notified the Department of Homeland Security of the leak on July 19, the day the database was indexed by Censys and ZoomEye (and the day he discovered it himself). The server was taken offline about three weeks later, on August 9, 2021. The expert says he does not know why the protective measures took so long, and it is not known whether unauthorized persons managed to access the database in the meantime.
- Analysts at the nonprofit Digital Citizens Alliance and the anti-piracy firm White Bullet estimate that pirates earn more than 1.34 billion dollars through advertising on websites and applications that distribute pirated movies, TV shows, games and live broadcasts.
- The study examined 664 billion ad impressions on about 6,000 popular piracy sites and 900 applications (from June 2020 to May 2021).
- Matching these against a matrix of advertising display rates, the researchers determined that advertising brings site owners about 1 billion dollars a year, and application owners a further 250 million dollars.
Cloudflare announced the prevention of the largest DDoS attack to date, reaching 17.2 million HTTP requests per second, three times the power of other known attacks. The incident happened last month and targeted one of Cloudflare’s financial customers. According to the company, an unknown attacker used a botnet of 28,000 infected devices to send HTTP requests to the client’s network.
Based on the IP addresses of the infected devices, Cloudflare experts estimate that 15% of the traffic came from Indonesia, with another 17% from India and Brazil.
Such attacks are commonly referred to as “volumetric” attacks and differ from classic DDoS attacks in that the attackers focus on sending as many unwanted HTTP requests as possible to the victim’s server in order to load its CPU and RAM, preventing customers from using the targeted sites.
Although the attack peaked at 17.2 million requests for only a few seconds, the attacker spent hours forcing his botnet to attack the victim. As a result, Cloudflare had to process over 330 million unwanted HTTP requests. Thus, for Cloudflare, this attack was equal to 68% of legitimate HTTP traffic processed by the company on average in the second quarter of 2021 (about 25 million requests per second).
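The distributed, short-burst pattern described above (a peak lasting seconds, thousands of sources, hours of sustained noise) is what a rate-based detector over access logs is meant to catch. The following is an added example, not Cloudflare's code: it parses Common Log Format lines, counts requests per second and per source address, and flags only those seconds where the rate is high *and* the requests are spread over many sources, so that a single misbehaving client (a job for per-client rate limiting) is not reported as a flood. The log lines, thresholds and addresses are constructed.

```python
"""Rate-based detection of a volumetric HTTP flood over web-server access logs.

Added example, not Cloudflare's code. The log format, the thresholds and the
sample lines are constructed for illustration.
"""
import re
from collections import Counter, defaultdict

# Common Log Format: ip ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Return {'ip', 'second', 'request'} for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # keep day/month/year:hh:mm:ss (one-second resolution), drop the timezone
    second = m.group("ts").split()[0]
    return {"ip": m.group("ip"), "second": second, "request": m.group("req")}


def detect_flood(lines, rps_threshold, min_sources):
    """Flag every second whose request rate reaches rps_threshold AND whose
    requests come from at least min_sources distinct IPs.

    The second condition separates a distributed flood (a botnet such as the
    28,000-device one described above) from a single misbehaving client.
    """
    per_second = defaultdict(Counter)  # second -> Counter(ip -> requests)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            per_second[rec["second"]][rec["ip"]] += 1

    alerts = []
    # timestamps share one day here, so lexical order equals time order
    for second in sorted(per_second):
        sources = per_second[second]
        total = sum(sources.values())
        if total >= rps_threshold and len(sources) >= min_sources:
            alerts.append({
                "second": second,
                "requests": total,
                "sources": len(sources),
                # share of the busiest source; low values mean evenly spread traffic
                "top_source_share": round(max(sources.values()) / total, 2),
            })
    return alerts


def make_line(ip, second, path="/"):
    """Build a constructed access-log line."""
    return f'{ip} - - [{second} +0000] "GET {path} HTTP/1.1" 200 512'


# Constructed sample: a quiet second, a distributed burst from six addresses,
# then the same volume from a single address (not a flood by this definition).
SAMPLE_LINES = (
    [make_line("198.51.100.7", "25/Aug/2021:10:00:00", "/index.html")] * 3
    + [make_line(f"203.0.113.{i}", "25/Aug/2021:10:00:01") for i in range(6) for _ in range(2)]
    + [make_line("198.51.100.9", "25/Aug/2021:10:00:02")] * 12
)

if __name__ == "__main__":
    for alert in detect_flood(SAMPLE_LINES, rps_threshold=10, min_sources=4):
        print(alert)
```

With the constructed input only the second burst is reported; lowering `min_sources` to 1 also reports the single-source second, which shows why the source-count condition matters when the goal is to tell a botnet from a noisy client.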
Moreover, the hacker did not stop after the first incident: in the following weeks, the same botnet carried out two other large-scale attacks, including another one with a maximum capacity of 8 million requests per second aimed at an unnamed hoster.
Cloudflare says it is currently tracking the evolution of this botnet, which appears to be based on a modified version of the well-known IoT malware Mirai.
Leaky networks of enterprises
- Positive Technologies experts reported on the low security of industrial companies. In the course of the pentests carried out, the company’s experts gained access to the technological segment of the network of 75% of industrial companies. This allowed access to process control systems in 56% of cases.
- In 2020, the industrial sector was the second most attacked area after the government sector: 12% of attacks were directed at it.
- The main threats to industrial companies today are espionage and financial losses. In 2020, the majority of attacks (84% of cases) were motivated by data acquisition, and 36% of hackers were interested in financial gain.
- In 91% of industrial organizations, an outside attacker can break into the corporate network. Once on the internal network, a hacker in 100% of cases can get user credentials and full control over the infrastructure, and in 69% – steal confidential data.
AlphaBay, one of the largest darknet marketplaces, had been active since 2014 and was taken down by law enforcement in 2017 together with another large marketplace, Hansa Market. The closure of AlphaBay and Hansa Market was the result of a major international operation in which the United States, Canada, Thailand, the Netherlands, Great Britain, France and Lithuania took part, together with representatives of Europol, the FBI and the Drug Enforcement Administration.
According to the FBI, AlphaBay was ten times the size of the infamous Silk Road. The trading platform was used by 200 thousand users and 40 thousand sellers. At the same time, AlphaBay had more than 250 thousand advertisements for the sale of drugs, more than 100 thousand advertisements for the sale of stolen or fake identification documents and access devices, counterfeit goods, malware and other hacking tools and services.
Shortly before the takedown of AlphaBay, 25-year-old Canadian citizen Alexandre Cazes, considered one of the leaders of the resource and known under the nickname Alpha02, was arrested in Thailand. Shortly after his arrest, on July 12, 2017, Cazes committed suicide in a Thai prison.
However, another administrator of the resource, who was responsible for security and known under the nickname DeSnake, did not fall into the hands of law enforcement officers and remained at large for all the past years.
As Bleeping Computer has now reported, DeSnake has unexpectedly announced on the forum that AlphaBay has reopened and is ready to go. To verify his identity, DeSnake attached the original public PGP key to the message, which he used during the heyday of the marketplace. Moreover, one of the forum users confirmed the authenticity of the DeSnake key and the fact that he was part of the AlphaBay team. Another user also verified the administrator’s identity by talking to him about “things that only an AlphaBay employee could know.”
In a lengthy statement, DeSnake explains that he would like to set new standards and build a “professionally managed, anonymous, secure marketplace.” He writes that he wants to create an autonomous and anonymous decentralized network of trading platforms where anyone can open their own marketplace. From the description, it would be something like Amazon for the darknet, where sellers and buyers could move from one store to another using the same account, without entrusting their cryptocurrency to any of them.
DeSnake assures that the new AlphaBay is designed for long life, uses secure and proven code, bulletproof servers and protections against disruptions that can be caused by both equipment failure and police raids.
He also advertises an automated system called AlphaGuard, which “ensures that users/merchants can access funds in their wallet (including escrow) at any time via I2P / Tor,” and an automated dispute resolution system that aims to resolve issues between buyers and sellers without the intervention of moderators.
DeSnake has laid out a concise set of rules for the revamped AlphaBay to help avoid unnecessary scrutiny from law enforcement:
- it is forbidden to harm other people (search for hired killers, and so on);
- it is forbidden to discuss weapons (even in self-defense);
- no erotica / porn in any form (logins for main sites are allowed);
- no fentanyl or substances mixed with or based on fentanyl;
- no COVID-19 vaccines;
- no doxing and doxing threats;
- any activity related to Russia, Belarus, Kazakhstan, Armenia, Kyrgyzstan (people, organizations, governments), as well as data of citizens of these countries is prohibited;
- it is prohibited to sell ransomware, search for access brokers to deploy ransomware, or discuss ransomware.
Journalists note that now AlphaBay uses only Monero cryptocurrency and currently only two products are on sale, in both cases they are drugs. Forum statistics show that so far on the updated AlphaBay, there are 19 members who have exchanged 72 messages.
Matthew Green on Apple’s new initiative
Renowned cryptographer and Johns Hopkins University professor Matthew Green spoke about Apple’s new technology, which will soon start looking for signs of child sexual abuse among user images.
Specifically, Apple will check all Messages received and sent by children for nudity. Images in iCloud Photos will also be scanned, and upon detecting illegal content there, Apple will be able to “provide law enforcement agencies with valuable and useful information about the distribution of well-known CSAM (child sexual abuse materials).”
“This is an incredibly powerful demonstration of technology, showing that even end-to-end encrypted photos can be subjected to sophisticated scans. The scan itself is harmless and only the victim’s parent will be notified when [explicit] images are found. But it demonstrates that Apple is ready to create and deploy such technology. I hope they will never be asked to use it for any other purpose.”
– Matthew Green
The TorrentFreak edition discovered that Vindex, which represents the interests of TRK Ukraina, sent Google a strange request to remove content from search results. One of the addresses violating the rights of TRK Ukraina pointed to 127.0.0.1, that is, the anti-pirates found prohibited content in their own systems.
Journalists note that under the DMCA (Digital Millennium Copyright Act) Google processes requests to remove approximately five million URLs every week, and in total the search giant has already removed more than five billion links. But in trying to fight piracy, companies often make mistakes and shoot themselves in the foot. For example, Toomics recently asked Google to remove URLs of its own site from search results.
A similar situation happened with the request of the Ukrainian anti-piracy company Vindex. The link violating the copyright of TRK Ukraina to broadcast football matches pointed to 127.0.0.1:6878/ace/manifest.m3u. That is, the pirated playlist file was found on Vindex’s own computer. This file can be a playlist for the Ace Stream P2P platform, which is often used for pirated content.
TorrentFreak writes that Vindex should configure its bots properly. The company did not have an impeccable reputation before either: of all the links Vindex asked Google to remove, only a little more than 10% were actually removed. This time, Google naturally took no action either.
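The 127.0.0.1 notice above is the kind of mistake a takedown bot should refuse to emit. As an added example (not Vindex's, TorrentFreak's or Google's tooling), the function below screens each URL in a notice before submission and rejects any whose host cannot be public content. It goes a little beyond the loopback case in the story: private and link-local ranges, IPv6 loopback, `localhost` names and missing hosts are all rejected, using only the standard library. The sample notice is constructed; its first entry mirrors the Vindex URL, and the `.invalid` domain is a placeholder.

```python
"""Sanity-check URLs before they go into a DMCA takedown notice.

Added example; not Vindex's, TorrentFreak's or Google's tooling. It rejects
targets that cannot be public content (loopback, private, link-local or
unspecified addresses, localhost names, missing hosts) so that a notice
cannot point at the submitter's own machine. The sample notice is constructed.
"""
import ipaddress
from urllib.parse import urlsplit

LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def classify_takedown_url(url):
    """Return (ok, reason); ok is False when the URL must not be submitted."""
    if "://" not in url:
        url = "http://" + url  # notices frequently omit the scheme
    host = urlsplit(url).hostname
    if not host:
        return False, "no hostname"
    if host.lower() in LOCAL_NAMES or host.lower().endswith(".localhost"):
        return False, "localhost name"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # a DNS name; whether it resolves publicly cannot be checked offline
        return True, "public hostname"
    if ip.is_loopback:
        return False, "loopback address"
    if ip.is_private or ip.is_link_local or ip.is_unspecified or ip.is_reserved:
        return False, "non-routable address"
    return True, "public address"


def filter_notice(urls):
    """Split a notice into submittable URLs and rejected (url, reason) pairs."""
    accepted, rejected = [], []
    for url in urls:
        ok, reason = classify_takedown_url(url)
        if ok:
            accepted.append(url)
        else:
            rejected.append((url, reason))
    return accepted, rejected


# Constructed notice; ".invalid" is a reserved TLD used here as a placeholder.
SAMPLE_NOTICE = [
    "127.0.0.1:6878/ace/manifest.m3u",
    "http://localhost:8080/stream.m3u8",
    "http://10.0.0.5/playlist.m3u",
    "http://[::1]/manifest.m3u",
    "http://169.254.1.1/live.m3u8",
    "http://streams.pirate-example.invalid/live/match.m3u8",
]

if __name__ == "__main__":
    ok, bad = filter_notice(SAMPLE_NOTICE)
    print("submit:", ok)
    for url, why in bad:
        print("reject:", url, "->", why)
```

A DNS name passes this offline check; a complete pipeline would additionally resolve it and run the same address test on the result, since a hostname can just as easily point at 127.0.0.1.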
Social media privacy
- Researchers at Kaspersky Lab analyzed the requests of Russian-speaking users for privacy settings in various services. It turned out that most often people want to know how to make a page on the VKontakte social network as confidential as possible (25%).
- Similar requests were made for other social networks: Instagram (12%), Facebook (7%), TikTok and Twitter (4% each). In addition, among the most popular requests were privacy settings in WhatsApp (12%) and Google (11%).
- Users are also interested in how to configure privacy mode directly in operating systems: 13% looked up how to protect personal data in Windows, and 7% in mobile operating systems, iOS and Android. A significant proportion of requests (39%) were related to the privacy settings of certain services on Android devices.
DRAINING CONTI MANUALS
A disgruntled participant in the Conti ransomware “affiliate program” has leaked the manuals and technical guides the hackers use to train their “partners”. The documents describe how to gain access to a target network, move laterally, expand access and steal data before encrypting it.
The documentation was posted on the XSS hacker forum. The author of the leak had a financial conflict with the Conti authors and decided to take revenge.
Conti operates under the ransomware-as-a-service (RaaS) scheme: the malware developers maintain the malware and the payment sites themselves, while their hired “partners” break into victims’ networks and encrypt devices. The ransom payments are then split between the hack group itself and its “partners”, with the latter usually receiving 70-80% of the total.
The offended “partner” of the hack group stated that he was paid only $1,500 for an attack, while the rest of the team makes millions and promises others large payouts. In addition to the manuals, screenshots were published on the forum showing the IP addresses where Conti hosts its Cobalt Strike control servers.
Also, a RAR archive called “Manuals for Workers and Soft.rar” was released, containing 37 text files with instructions on how to use various hacking tools and legal software.
Security expert Vitaly Kremez from Advanced Intel analyzed the archive and said that these materials are quite consistent with Conti’s attack scenarios.
“By and large, this is the holy grail of pentester operations carried out by Conti pentesters, everything is described from A to Z. The implications [of this leak] are enormous, it will allow new ransomware penetration testers to improve their skills, step by step.
The leak also demonstrates the maturity of this extortion group and shows how sophisticated, meticulous and experienced they are in attacking corporations around the world,” says Kremez.
DDoS Attack Statistics
Qrator Labs analysts have summed up the results of the second quarter of 2021 by publishing statistics on DDoS attacks. It is reported that during this time, the largest botnet has almost doubled, and the main attack vectors are still UDP, IP and SYN floods.
- In the second quarter of 2021, there was a significant increase in UDP flood attacks, which accounted for more than half of all attacks (53.04%).
- The growth of this segment is due to an increase in the share of attacks in the 10-100 Gbps band, a class of high-speed attacks that is often organized using the amplification technique through public UDP services.
- More sophisticated attacks, such as SYN flood, are also not losing ground: their share in the second quarter was 11.9%.
- The three main “pure” attack vectors are UDP, IP and SYN floods, which together accounted for 78% of all DDoS attacks in the second quarter.
- The median attack duration was 270 s, close to the 2020 figure of 300 s. Compared to the first quarter of 2021, when it was 180 s, the median attack duration has grown significantly.
- The average throughput of all DDoS attacks in the second quarter was 6.5 Gbps. In the first quarter this figure was slightly higher, 9.15 Gbps, while in the fourth quarter of 2020 it was only 4.47 Gbps.
- In the second quarter of 2021, the largest botnet contained 137,696 bots.
STEAM WALLET BUG
Valve has patched a vulnerability in Steam, due to which the balance of the wallet could be replenished with arbitrary amounts.
The vendor was notified of the problem by drbrix, who reported the vulnerability in early August via the HackerOne platform. The bug has since been fixed, and the researcher received $7,500 for his work.
In the report, drbrix said that a fraudulent balance top-up required changing the account email address to any address containing the string amount100 (the researcher himself used a brixamount100abc@xxx mailbox). It was then necessary to open https://store.steampowered.com/steamaccount/addfunds, proceed to depositing funds, choose Smart2Pay as the payment method, and continue as with a normal deposit, choosing, for example, $1. After that, the POST request to https://globalapi.smart2pay.com/ had to be intercepted and the amount changed to an arbitrary one, which became possible because of the name of the mailbox.
“In my opinion, the consequences are obvious: an attacker will be able to generate money and break the Steam market by selling game keys for cheap and so on,” concluded drbrix.
Valve employees soon confirmed the exploit submitted by the researcher and reported that the problem had been eliminated. It is currently unknown whether anyone other than drbrix knew about this bug, or whether cybercriminals managed to exploit it before it was fixed.
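The root of a top-up bug of this kind is that the credited amount ends up depending on data the client controls (here a request field and, indirectly, the account's email address). The report above does not describe Valve's actual parsing, so the following is an added example of the general defensive pattern, not Valve's or Smart2Pay's code: the server records the amount when it creates the order, the payment provider confirms that order with an HMAC-signed callback, and the wallet is credited with the stored amount only. The `naive_credit` function is a constructed illustration of the pattern to avoid; the shared secret, order store, account names and message fields are all constructed.

```python
"""Binding a wallet top-up to a server-side order instead of to an amount
taken from the client's request.

Added example, not Valve's or Smart2Pay's code, and not a reconstruction of
the actual bug. The shared secret, order store and messages are constructed.
"""
import hashlib
import hmac
from decimal import Decimal

PROVIDER_SECRET = b"constructed-shared-secret"  # would be the PSP merchant key

PENDING_ORDERS = {}  # order_id -> {"account", "amount", "currency", "state"}
WALLETS = {}         # account -> Decimal balance


def create_order(order_id, account, amount, currency):
    """Step 1: record what the user is buying before redirecting to the PSP."""
    PENDING_ORDERS[order_id] = {
        "account": account, "amount": Decimal(amount),
        "currency": currency, "state": "pending",
    }
    WALLETS.setdefault(account, Decimal("0"))
    return order_id


def sign(fields):
    """HMAC over the canonical field list, as a PSP would sign its callback."""
    msg = "|".join(f"{k}={fields[k]}" for k in sorted(fields) if k != "sig")
    return hmac.new(PROVIDER_SECRET, msg.encode(), hashlib.sha256).hexdigest()


def naive_credit(account, posted_amount):
    """Vulnerable pattern: the amount in the client's own POST is trusted."""
    WALLETS[account] = WALLETS.get(account, Decimal("0")) + Decimal(posted_amount)
    return WALLETS[account]


def hardened_credit(callback):
    """Step 2: settle an order from the PSP callback.

    The signature is recomputed over the values the server stored, so a
    callback that was tampered with, forged or replayed cannot move money:
    the amount field of the callback is never used for the credit.
    """
    order = PENDING_ORDERS.get(callback.get("order_id"))
    if order is None or order["state"] != "pending":
        return None, "unknown or already-settled order"
    expected = {
        "order_id": callback["order_id"],
        "amount": str(order["amount"]),
        "currency": order["currency"],
        "status": "paid",
    }
    if not hmac.compare_digest(sign(expected), callback.get("sig", "")):
        return None, "signature mismatch"
    order["state"] = "settled"
    WALLETS[order["account"]] += order["amount"]
    return WALLETS[order["account"]], "credited"


if __name__ == "__main__":
    acct = "user@example.invalid"
    create_order("ord-1", acct, "1.00", "USD")
    genuine = {"order_id": "ord-1", "amount": "1.00", "currency": "USD", "status": "paid"}
    genuine["sig"] = sign(genuine)
    tampered = dict(genuine, amount="100", sig="0" * 64)  # edited in transit, no valid signature
    print(hardened_credit(tampered))  # rejected: signature mismatch
    print(hardened_credit(genuine))   # credited with the stored 1.00
    print(hardened_credit(genuine))   # replay rejected: order already settled
    print(naive_credit(acct, "100"))  # the pattern to avoid: balance moves by whatever was posted
```

Two design choices carry the weight here: the signature is checked against what the server expects rather than against the fields it received, so even a callback whose amount was edited but whose signature is genuine credits only the stored amount; and the order's state flips to settled before the balance moves, which blocks replays of a genuine confirmation.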
SCANDAL AROUND NSO GROUP
In mid-June 2021, the human rights organization Amnesty International, the non-profit project Forbidden Stories and more than 80 journalists from a consortium of 17 media organizations in ten countries published the results of a joint investigation called Project Pegasus. This sparked a new scandal around NSO Group.
Since the existence of Pegasus and the activities of NSO Group have been known for a long time, many wondered why the scandal broke out only now. After all, there was nothing fundamentally new in the report, and hardly anyone in the cybersecurity community was surprised by the existence of the spyware.
Marcus Hutchins (MalwareTech), the well-known information security expert who stopped the WannaCry ransomware, gave a good answer to this question on Twitter.
“Until today, I did not understand what was new in this story, but now I realized that, probably, all this was not known outside of the cybersecurity community before. So TL;DR: there are companies that have zero days and spyware that can hack phones remotely. This is usually sold to governments, who then use [these tools] to attack “terrorists” (in many cases, this simply means anyone the authorities consider a threat).
The vague definition of the term “terrorist” varies from state to state, and many (especially authoritarian states) view activists and journalists as threats. The reality is that ‘stopping terrorists’ easily turns into ‘spying on everyone we don’t like’, and this is what this leak is about.”
– Marcus Hutchins on Twitter
REMOTE LOCK FROM SAMSUNG
Samsung said it can turn off any of its TVs remotely using the TV Block feature, which is built into products sold worldwide. The reason for this statement was the July riots in South Africa, which led to large-scale robberies, including the warehouses and stores of Samsung.
“TV Block is a remote security solution that detects if Samsung TVs have been improperly activated and ensures that TVs can only be used by legitimate owners who have proof of purchase.
The purpose of this technology is to counter the creation of secondary markets associated with the sale of illegal goods, both in South Africa and beyond. This technology is pre-installed on all Samsung TV products,” reads the official statement.
The media reported that the TV Block function was remotely activated on all TVs stolen from warehouses or from stores: their serial numbers were added to a special list on Samsung servers. After the stolen TV is connected to the Internet, the device will check the list of stolen devices and automatically disable all TV functions if it finds a match.
“This technology can be useful now, and it will also be useful to both the industry and our customers in the future,” the company says.
And while TV Block has indeed been useful to the company right now, the functionality raises some concerns. For example, one can imagine what happens if attackers break into the company’s servers and gain access to the block list used to turn off TVs remotely.
Fired from Google
A media outlet obtained internal Google documents describing investigations into cases where company employees used their positions to steal, leak or abuse data they had access to.
- According to these papers, between 2018 and 2020 the company dismissed dozens of employees for abusing access to internal tools and data (including information about users and employees).
- For example, in 2020, Google laid off 36 employees due to security concerns. 86% of these allegations were related to the abuse of confidential information, such as transferring Google internal data to third parties.
- Another 10% of charges in 2020 involved misuse of various systems, including accessing user or employee data, helping others access that data, and modifying or deleting user or employee data.
40-year-old Los Angeles resident Hao Kuo Chi pleaded guilty to stealing more than 620 thousand personal photos and 9 thousand videos from other people’s iCloud accounts.
The Florida prosecutor’s office, which brought charges of conspiracy and computer fraud against him, said that Chi was known on the network as icloudripper4you and was selling his “services” to hack iCloud. “Customers” pointed him to a specific iCloud account to be hacked, after which Chi and his unidentified accomplices posed as Apple support representatives in messages that they sent to the targets by email. After deceiving the victims’ iCloud credentials, the scammers stole photos and videos from their accounts.
The group was active from September 2014 to May 2018, during which time the attackers used the victims’ Apple IDs and passwords not only to fulfil hacking orders but also to search these accounts for nude photos and videos. Chi and his associates shared the explicit photos and videos with each other through “a foreign end-to-end email encryption service to preserve anonymity.”
Chi pleaded guilty this month and confirmed that he gained unauthorized access to at least 306 iCloud accounts (mostly young women) in Arizona, California, Kentucky, Connecticut, Louisiana, Massachusetts, Maine, Ohio, Pennsylvania, Texas, Florida and South Carolina.
According to the Los Angeles Times, FBI agents found more than 500,000 fraudulent emails in two Gmail accounts (backupagenticloud and applebackupicloud) used for this scheme, as well as credentials for approximately 4,700 iCloud accounts. Chi’s Dropbox account, which was used to store and share stolen files, found about 620,000 photos and 9,000 videos with a total volume of over 1 TB.
Chi was caught quite simply. Back in 2018, an unnamed public figure from Tampa discovered nude photos of himself on porn sites. The photo was found by a California-based company that specializes in removing celebrity photos from the Internet. Since these photos were stored only on the iPhone (from where they were copied to iCloud), the victim turned to law enforcement agencies, seeking to find the source of the leak.
Law enforcers quickly figured out that Chi was logging into the victim’s iCloud directly from his home in La Puente, California. By the time the FBI obtained the warrant and searched his home, law enforcement officers had a clear understanding of Chi’s activities thanks to data provided at the court’s request by Dropbox, Google, Apple, Facebook and Charter Communications.
Most attacked bugs
Experts from the FBI, the United States Department of Homeland Security (DHS CISA), the Australian Cyber Security Centre (ACSC) and the UK National Cyber Security Centre (NCSC) have issued a joint security advisory listing the vulnerabilities most “popular” among criminals in 2020 and 2021.
- Based on data collected by the US government, most of the most-attacked vulnerabilities were discovered after the beginning of 2020, and many of the bugs are clearly related to the widespread shift to remote work.
- Four of the vulnerabilities frequently exploited in 2020 were associated with remote work, VPNs and cloud services.
- In 2021, hackers continued to target vulnerabilities in perimeter devices. Among the bugs actively exploited in 2021 were problems in Microsoft products, Pulse Secure, Accellion, VMware and Fortinet.
| Vendor | CVE | Vulnerability type |
|---|---|---|
| Citrix | CVE-2019-19781 | Arbitrary code execution |
| Pulse Secure | CVE-2019-11510 | Arbitrary file reading |
| Fortinet | CVE-2018-13379 | Path traversal |
| F5 BIG-IP | CVE-2020-5902 | RCE |
| Microsoft | CVE-2020-0787 | Elevation of privilege |
| Netlogon | CVE-2020-1472 | Elevation of privilege |
As a result, the list of the most “popular” bugs of 2021 looks like this:
- Microsoft Exchange Server : CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 (ProxyLogon vulnerabilities);
- Pulse Secure : CVE-2021-22893, CVE-2021-22894, CVE-2021-22899 and CVE-2021-22900;
- Accellion : CVE-2021-27101, CVE-2021-27102, CVE-2021-27103 and CVE-2021-27104;
- VMware : CVE-2021-21985;
- Fortinet : CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591.
DRAINING A MILLION BANK CARDS
Operators of the underground marketplace AllWorld Cards held an unusual promotion. They published the data of a million bank cards stolen between 2018 and 2019 on many hacker forums.
The attackers said that a random sample of 98 cards showed that approximately 27% of the cards in the selection were still active. According to the Italian information security firm D3Lab, however, about 50% of the cards are still working.
“Currently, the results obtained by our analytical team are still limited, but they show that about 50% of the cards are still working and are not marked as compromised,” the researchers write.
Cyble also analyzed the dump and reported that the leak contains, for each card, the card number, expiration date, CVV, owner name, country, state, city, address and postal code, as well as a phone number or email address. So far, Cyble analysts have analyzed only 400 thousand cards and write that the following banks suffered the most:
- State Bank of India (44,654 cards);
- JPMorgan Chase Bank NA (27,440 cards);
- BBVA Bancomer (21,624 cards);
- The Toronto-Dominion Bank (14,647 cards);
- Poste Italiane S. p. A. (Banco Posta) (14,066 cards).
The researchers note that All World Cards is a new site in the carder scene and its unusual ad has been met with approval by many attackers. The marketplace was launched in May 2021 and currently has 2,634,615 cards. Card prices here range from $0.30 to $14.40, with 73% of cards costing between $3 and $5.
- Scans of the passports of 1.3 million Russian clients of the cosmetics company Oriflame are being sold on the hacker forum RaidForums. The company confirmed that on July 31 and August 1 it was subjected to a series of cyberattacks, and that cybercriminals gained unauthorized access to its information systems.
- The company admitted that clients not only from Russia but also from other CIS countries and Asia were affected. The hackers obtained copies of IDs, but data such as bank account numbers, phone numbers and passwords were not affected by the attack.
COBALT STRIKE VULNERABILITY
SentinelOne researchers discovered a DoS vulnerability in Cobalt Strike that could block beacon management as well as new deployments.
Let me remind you that this legitimate commercial tool, created for pentesters and red teams and focused on exploitation and post-exploitation, has long been loved by hackers, from government APT groups to ransomware operators. Although it is not available to ordinary users and the full version costs about $3,500 per installation, attackers still find ways to use it (for example, relying on old, pirated, cracked and unregistered versions).
Typically, attackers use hacked versions of Cobalt Strike to gain stable remote access to a compromised network (and post-exploitation after deploying so-called beacons) and often use it during ransomware attacks.
SentinelOne experts report that they discovered the vulnerability CVE-2021-36798 (dubbed Hotcobalt) in the latest versions of the Cobalt Strike server. The bug makes it possible to register fake beacons with the server of a specific Cobalt Strike installation and then, by sending fake tasks to that server, take it down by exhausting its available memory.
As a result, already deployed beacons can no longer communicate with the C&C server, the installation of new beacons on infected systems is also blocked, and the red team or attackers are prevented from using the beacons already deployed.
“Active beacons will not be able to communicate with their C&C server until the operators restart it. However, restarting is also not enough to protect against this vulnerability, since you can continue to attack the server until it is fixed or until the configuration of the beacons is changed,” the experts write, suggesting that law enforcement agencies and security researchers could use Hotcobalt to take down hacker infrastructure.
The vulnerability was discovered back in April, and Cobalt Strike’s developer HelpSystems fixed the bug with the release of Cobalt Strike 4.4.
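The failure mode described above, a server that commits memory for every registration and every task it receives with no upper bound, is a general resource-exhaustion problem rather than anything specific to Cobalt Strike. The following added example (not Cobalt Strike's code and not the HelpSystems fix, which the page does not describe) contrasts an unbounded registry with one that enforces limits on total registrations, registrations per source address and bytes queued per registrant before any state is stored, and reports why a message was dropped so the operator can see the pressure. The registry classes, limits, message sizes and the flood simulation are all constructed.

```python
"""Bounding the memory a server commits to unauthenticated registrations and
their queued task traffic, the resource-exhaustion class behind Hotcobalt.

Added example; not Cobalt Strike's code and not its fix. The registry,
limits and message sizes are constructed.
"""
from collections import defaultdict


class UnboundedRegistry:
    """Accepts everything: a flood of fake registrations grows it without limit."""

    def __init__(self):
        self.beacons = {}

    def register(self, beacon_id, source):
        self.beacons[beacon_id] = {"source": source, "queue": []}
        return True, "registered"

    def enqueue(self, beacon_id, payload):
        self.beacons[beacon_id]["queue"].append(payload)
        return True, "queued"

    def queued_bytes(self):
        return sum(len(p) for b in self.beacons.values() for p in b["queue"])


class BoundedRegistry:
    """Same interface, with hard limits enforced before any memory is committed."""

    def __init__(self, max_beacons, max_per_source, max_queue_bytes):
        self.max_beacons = max_beacons
        self.max_per_source = max_per_source
        self.max_queue_bytes = max_queue_bytes
        self.beacons = {}
        self.per_source = defaultdict(int)

    def register(self, beacon_id, source):
        if beacon_id in self.beacons:
            return False, "duplicate id"
        if len(self.beacons) >= self.max_beacons:
            return False, "registry full"
        if self.per_source[source] >= self.max_per_source:
            return False, "per-source limit"
        self.beacons[beacon_id] = {"source": source, "queue": [], "bytes": 0}
        self.per_source[source] += 1
        return True, "registered"

    def enqueue(self, beacon_id, payload):
        beacon = self.beacons.get(beacon_id)
        if beacon is None:
            return False, "unknown beacon"  # no state is kept for unregistered senders
        if beacon["bytes"] + len(payload) > self.max_queue_bytes:
            return False, "queue quota exceeded"
        beacon["queue"].append(payload)
        beacon["bytes"] += len(payload)
        return True, "queued"

    def queued_bytes(self):
        return sum(b["bytes"] for b in self.beacons.values())


def simulate_flood(registry, source, n_beacons, payload_size, per_beacon_msgs):
    """Constructed flood: n fake registrations from one source, each followed
    by several oversized task messages. Returns (registered, queued, bytes)."""
    registered = queued = 0
    for i in range(n_beacons):
        ok, _ = registry.register(f"fake-{i}", source)
        registered += ok
        for _ in range(per_beacon_msgs):
            ok, _ = registry.enqueue(f"fake-{i}", b"\x00" * payload_size)
            queued += ok
    return registered, queued, registry.queued_bytes()


if __name__ == "__main__":
    print("unbounded:", simulate_flood(UnboundedRegistry(), "203.0.113.5", 1000, 4096, 4))
    bounded = BoundedRegistry(max_beacons=500, max_per_source=8, max_queue_bytes=8192)
    print("bounded:  ", simulate_flood(bounded, "203.0.113.5", 1000, 4096, 4))
```

With the constructed flood the unbounded registry holds a thousand fake entries and about 16 MB of queued data, while the bounded one stops at eight registrations and 64 KB regardless of how many messages arrive. Limits like these do not replace authenticating registrations, but they keep an unauthenticated flood from turning into an outage while the root cause is fixed.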