Hack of 100 Million Quora Users Could Be Worse Than it Sounds

On Monday, the question and answer site Quora announced that a third-party was able to gain access to virtually every data point the company keeps on 100 million users. Even if you don’t recall having a Quora account, you might want to make sure.

In a blog post, Quora CEO Adam D’Angelo explained that the company first noticed the data breach on Friday and has since enlisted independent security researchers to help investigate what happened and mitigate the damage. D’Angelo said that affected users should be receiving an email that explains the situation, but if you have a Quora account, it’s probably a good idea to go ahead and change your password—especially if you reuse passwords. In all, the attackers were able to compromise a lot of data. Quora says that information includes:

  • Account information, e.g. name, email address, encrypted (hashed) password, data imported from linked networks when authorized by users
  • Public content and actions, e.g. questions, answers, comments, upvotes
  • Non-public content and actions, e.g. answer requests, downvotes, direct messages (note that a low percentage of Quora users have sent or received such messages)

Fortunately, Quora says it has not stored any identifying information associated with anonymous inquiries and replies.

For users, the biggest immediate concern should be that part about hackers accessing “data imported from linked networks.” Quora allows users to sign in with Facebook or Google and it’s possible that personal information from one of those networks also made it into the wrong hands. We’ve asked all three companies for more details on exactly what was compromised but we did not receive an immediate reply.

We also asked Quora which password hashing algorithm it uses. The attackers can only recover plaintext passwords by guessing candidates and hashing each one, and how long that takes depends on the algorithm: a slow, per-user-salted scheme such as bcrypt, scrypt or Argon2 makes every guess against every user expensive, whereas an unsalted fast hash lets a single pass over a wordlist crack every weak password in the dump at once.
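
The difference matters more than "brute force takes longer" suggests. The following is an added example, not code from the article or from Quora, that runs the same small wordlist against three constructed user records stored two ways: unsalted SHA-256, and per-user salt with a slow KDF (PBKDF2-HMAC-SHA256 here, standing in for bcrypt/scrypt/Argon2). The usernames, passwords, wordlist and work factor are all made up for the demo.

```python
import hashlib
import hmac
import os

# Constructed demo data: a small wordlist and three users. Two users chose
# passwords that appear in the wordlist, one did not.
WORDLIST = ["123456", "password", "qwerty", "letmein", "Summer2018!"]
USER_PASSWORDS = {"alice": "password", "bob": "Summer2018!", "carol": "Tr0ub4dor&3"}
ITERATIONS = 100_000  # PBKDF2 work factor for the demo; real deployments tune this upward


def fast_hash(password):
    """Unsalted SHA-256: the weak end of 'encrypted (hashed)' password storage."""
    return hashlib.sha256(password.encode()).hexdigest()


def slow_hash(password, salt, iterations=ITERATIONS):
    """Per-user salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256 here;
    bcrypt, scrypt or Argon2 play the same role in production)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, 32)


def crack_unsalted(digests, wordlist):
    """Unsalted: hash each guess once, then look it up against every user at the
    same time. Returns (cracked {user: password}, number of hash computations)."""
    table = {fast_hash(w): w for w in wordlist}
    cracked = {user: table[d] for user, d in digests.items() if d in table}
    return cracked, len(wordlist)


def crack_salted(records, wordlist, iterations=ITERATIONS):
    """Salted and slow: every guess must be recomputed for every user, and each
    computation is expensive. Returns (cracked, number of KDF computations)."""
    cracked, work = {}, 0
    for user, (salt, digest) in records.items():
        for w in wordlist:
            work += 1
            if hmac.compare_digest(slow_hash(w, salt, iterations), digest):
                cracked[user] = w
                break
    return cracked, work


def demo_unsalted():
    digests = {u: fast_hash(p) for u, p in USER_PASSWORDS.items()}
    return crack_unsalted(digests, WORDLIST)


def demo_salted():
    records = {}
    for u, p in USER_PASSWORDS.items():
        salt = os.urandom(16)               # fresh random salt per user
        records[u] = (salt, slow_hash(p, salt))
    return crack_salted(records, WORDLIST)


if __name__ == "__main__":
    print("unsalted SHA-256:", demo_unsalted())
    print("salted PBKDF2:   ", demo_salted())
```

Both runs crack the same two weak passwords, but the unsalted table needs five cheap hashes in total, while the salted, slow version needs twelve expensive ones for three users; against 100 million users and a real wordlist that gap is what decides whether a dump is crackable in hours or not at all.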

The good news is that there’s no financial information associated with Quora users, the bad news is that the website is more like a social network than it might seem. People ask personal questions that could help draw a personality profile and others give answers that could do the same. Earlier this year, when Facebook admitted that it had lost control of 87 million users data, the general public was reminded that data breaches aren’t just about identity theft. In that case, a firm working for the 2016 Trump presidential campaign obtained access to the data, raising concerns that it was used for targeted political messaging. The firm has disputed the number of users’ data it obtained and maintains that none of the data was directly employed during the 2016 election.

For now, check your inbox for any notifications and you can read an FAQ here.

[Quora]

Source: Hack of 100 Million Quora Users Could Be Worse Than it Sounds

Twitter user hacks 50,000 printers to tell people to subscribe to PewDiePie

A Twitter user using the pseudonym of @TheHackerGiraffe has hacked over 50,000 printers to print out flyers telling people to subscribe to PewDiePie’s YouTube channel.

The messages were sent out yesterday, November 29, and caused quite a stir among the users who received them, as they ended up in a wide range of places, from high-end multi-function printers at large companies to small handheld receipt printers at gas stations and restaurants.

The only requirements were that the printer was connected to the Internet, ran old firmware, and had its printing ports left exposed online.

The message the printers received was a simple one. It urged people to subscribe to PewDiePie’s YouTube channel in order for PewDiePie –a famous YouTuber from Sweden, real name Felix Kjellberg– to keep the crown of most subscribed to YouTube channel.

If this sounds …odd… it’s because over the past month, an Indian record label called T-Series has caught up and surpassed PewDiePie, once considered untouchable in terms of YouTube followers.

The Swedish YouTube star made a comeback after his fans banded together in various social media campaigns, but T-Series is catching up with PewDiePie again.

Source: Twitter user hacks 50,000 printers to tell people to subscribe to PewDiePie | ZDNet

Mass router hack exposes millions of devices to potent NSA exploit through UPNP

More than 45,000 Internet routers have been compromised by a newly discovered campaign that’s designed to open networks to attacks by EternalBlue, the potent exploit that was developed by, and then stolen from, the National Security Agency and leaked to the Internet at large, researchers said Wednesday.

The new attack exploits routers with vulnerable implementations of Universal Plug and Play to force connected devices to open ports 139 and 445, content delivery network Akamai said in a blog post. As a result, almost 2 million computers, phones, and other network devices connected to the routers are reachable to the Internet on those ports. While Internet scans don’t reveal precisely what happens to the connected devices once they’re exposed, Akamai said the ports—which are instrumental for the spread of EternalBlue and its Linux cousin EternalRed—provide a strong hint of the attackers’ intentions.

The attacks are a new instance of a mass exploit the same researchers documented in April. They called it UPnProxy because it exploits Universal Plug and Play—often abbreviated as UPnP—to turn vulnerable routers into proxies that disguise the origins of spam, DDoSes, and botnets. In Wednesday’s blog post, the researchers wrote:
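
The attack rides on the same WANIPConnection SOAP interface a router exposes for legitimate port mapping, so the router's own mapping table is where the evidence sits. The block below is an added example, not code from Akamai's post: it builds the standard GetGenericPortMappingEntry request, parses the response, and flags two things the article describes, mappings that forward a WAN port to 139/445 on a LAN host, and mappings whose "internal client" is not on a LAN range at all (the original UPnProxy pattern). The sample responses, addresses and descriptions are constructed; the control URL must be discovered via SSDP on a real router.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.error import HTTPError
from urllib.request import Request, urlopen

WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RISKY_PORTS = {139: "netbios-ssn", 445: "smb"}


def build_request(control_url, index):
    """SOAP request for the index-th entry of the router's port-mapping table."""
    body = (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
        '<u:GetGenericPortMappingEntry xmlns:u="%s">'
        "<NewPortMappingIndex>%d</NewPortMappingIndex>"
        "</u:GetGenericPortMappingEntry></s:Body></s:Envelope>" % (WANIP, index)
    )
    headers = {
        "Content-Type": 'text/xml; charset="utf-8"',
        "SOAPAction": '"%s#GetGenericPortMappingEntry"' % WANIP,
    }
    return Request(control_url, data=body.encode(), headers=headers, method="POST")


def parse_mapping(xml_text):
    """Extract the fields we care about from a GetGenericPortMappingEntryResponse."""
    root = ET.fromstring(xml_text)

    def field(name):
        el = root.find(".//" + name)
        return (el.text or "").strip() if el is not None else ""

    return {
        "ext_port": int(field("NewExternalPort")),
        "proto": field("NewProtocol"),
        "int_port": int(field("NewInternalPort")),
        "int_client": field("NewInternalClient"),
        "desc": field("NewPortMappingDescription"),
    }


def audit(mappings):
    """Flag mappings that look like UPnProxy abuse or that expose SMB/NetBIOS."""
    findings = []
    for m in mappings:
        client = ipaddress.ip_address(m["int_client"])
        if not any(client in net for net in LAN_NETS):
            findings.append(("proxy", m))        # router forwards to an Internet host
        elif m["int_port"] in RISKY_PORTS:
            findings.append(("exposed-" + RISKY_PORTS[m["int_port"]], m))
    return findings


def enumerate_mappings(control_url, limit=256):
    """Walk the live table on a real router (not exercised by the demo). The
    table ends when the device answers HTTP 500 / SpecifiedArrayIndexInvalid."""
    mappings = []
    for i in range(limit):
        try:
            with urlopen(build_request(control_url, i), timeout=5) as resp:
                mappings.append(parse_mapping(resp.read()))
        except HTTPError:
            break
    return mappings


def _response(ext, proto, int_port, client, desc):
    """Constructed response body in the shape a router returns."""
    return (
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
        '<u:GetGenericPortMappingEntryResponse xmlns:u="%s">'
        "<NewRemoteHost></NewRemoteHost><NewExternalPort>%d</NewExternalPort>"
        "<NewProtocol>%s</NewProtocol><NewInternalPort>%d</NewInternalPort>"
        "<NewInternalClient>%s</NewInternalClient><NewEnabled>1</NewEnabled>"
        "<NewPortMappingDescription>%s</NewPortMappingDescription>"
        "<NewLeaseDuration>0</NewLeaseDuration>"
        "</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"
        % (WANIP, ext, proto, int_port, client, desc)
    )


SAMPLE_RESPONSES = [                                # constructed sample table
    _response(8080, "TCP", 80, "10.0.0.5", "home web server"),
    _response(47001, "TCP", 445, "192.168.1.20", "svc"),
    _response(4444, "TCP", 25, "203.0.113.10", "svc"),
]


def demo():
    return [(kind, m["ext_port"]) for kind, m in audit(parse_mapping(r) for r in SAMPLE_RESPONSES)]
```

On a real device, `enumerate_mappings("http://192.168.1.1:49152/upnp/control/WANIPConn1")` (URL is an assumption; take it from the device description XML) feeds `audit()`. Anything it returns should be deleted with DeletePortMapping and, better, UPnP should be disabled on the WAN side entirely.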

Source: Mass router hack exposes millions of devices to potent NSA exploit | Ars Technica

Marriott’s Starwood hotels mega-hack: Half a BILLION guests’ deets exposed over 4 years

US hotel chain Marriott has admitted that a breach of its Starwood subsidiary’s guest reservation network has exposed the entire database – all 500 million guest bookings over four years, making this one of the biggest hacks of an individual org ever.

“On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database in the United States,” said the firm in a statement issued this morning. “Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014.”

Around 327 million of those guest bookings included customers’ “name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (‘SPG’) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.”

For an unspecified number, encrypted card numbers and expiration dates were also included, though Marriott insisted there was AES-128 grade encryption on these details, saying: “There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken.”

Since AES-128 is reversible encryption rather than hashing, salting and hashing do not apply here; the two components are more plausibly the encryption key and a second secret required to use it, though Marriott supplied no further detail. We have contacted Marriott to double-check and will update this article if we hear back from them.

Source: Marriott’s Starwood hotels mega-hack: Half a BILLION guests’ deets exposed over 4 years

Talk about a cache flow problem: This JavaScript can snoop on other browser tabs to work out what you’re visiting

Computer science boffins have demonstrated a side-channel attack technique that bypasses recently-introduced privacy defenses, and makes even the Tor browser subject to tracking. The result: it is possible for malicious JavaScript in one web browser tab to spy on other open tabs, and work out which websites you’re visiting.

This information can be used to target adverts at you based on your interests, or otherwise work out the kind of stuff you’re into and keep it on file for future reference.

Researchers Anatoly Shusterman, Lachlan Kang, Yarden Haskal, Yosef Meltser, Prateek Mittal, Yossi Oren, Yuval Yarom – from Ben-Gurion University of the Negev in Israel, the University of Adelaide in Australia, and Princeton University in the US – have devised a processor cache-based website fingerprinting attack that uses JavaScript for gathering data to identify visited websites.

The technique is described in a paper recently distributed through ArXiv called “Robust Website Fingerprinting Through the Cache Occupancy Channel.”

“The attack we demonstrated compromises ‘human secrets’: by finding out which websites a user accesses, it can teach the attacker things like a user’s sexual orientation, religious beliefs, political opinions, health conditions, etc.,” said Yossi Oren (Ben-Gurion University) and Yuval Yarom (University of Adelaide) in an email to The Register this week.

It’s thus not as serious as a remote attack technique that allows the execution of arbitrary code or exposes kernel memory, but Oren and Yarom speculate that there may be ways their browser fingerprinting method could be adapted to compromise computing secrets like encryption keys or vulnerable installed software.

Source: Talk about a cache flow problem: This JavaScript can snoop on other browser tabs to work out what you’re visiting • The Register

Google traffic routed to Russian and Chinese servers in BGP attack

People’s connections in the US to Google – including its cloud, YouTube, and other websites – were suddenly rerouted through Russia and into China in a textbook Border Gateway Protocol (BGP) hijacking attack.

That means folks in Texas, California, Ohio, and so on, firing up their browsers and software and connecting to Google and its services were instead talking to systems in Russia and China, and not servers belonging to the Silicon Valley giant. Netizens outside of America may also have been affected.

The Chocolate Factory confirmed that for a period on Monday afternoon, from 1312 to 1435 Pacific Time, connections to Google Cloud, its APIs, and websites were being diverted through IP addresses belonging to overseas ISPs. Sites and apps built on Google Cloud, such as Spotify, Nest, and Snapchat, were also brought down by the interception.

Specifically, network connectivity to Google was instead routed through TransTelekom in Russia (mskn17ra-lo1.transtelecom.net), and into a China Telecom gateway (ChinaTelecom-gw.transtelecom.net) that black-holed the packets. Both nodes have since stopped resolving to IP addresses.

The black-hole effect meant Google and YouTube, and apps and sites that relied on Google Cloud, appeared to be offline to netizens. It is possible information not securely encrypted could have been intercepted by the aforementioned rogue nodes, however, our understanding is, due to the black-hole effect, it’s likely most if not all connections weren’t: TCP connections would fail to establish, and no information would be transferred. That’s the best case scenario, at least.
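
What makes such a hijack "textbook" is that BGP routers believe whichever announcement they hear and always prefer the most specific prefix. The block below is an added example, not code from The Register or from Google, showing the two checks a route monitor or RPKI origin validation performs over a constructed set of announcements: does the origin AS match the prefix's authorised origin, and is a more-specific prefix being announced from a foreign origin. AS15169 is Google's real ASN; 192.0.2.0/24 is a documentation prefix standing in for a Google prefix, and the other ASNs are from the reserved documentation range, so none of the sample updates are real.

```python
import ipaddress

# Constructed route-origin table (what RPKI ROAs or a manual allow-list would hold).
AUTHORISED = {
    ipaddress.ip_network("192.0.2.0/24"): {15169},   # stand-in for a Google prefix
}


def check_announcement(prefix, as_path):
    """Classify one BGP announcement. as_path is the AS_PATH as seen by the
    collector, with the origin AS last."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    for auth_net, origins in AUTHORISED.items():
        if net == auth_net:
            return "ok" if origin in origins else "origin-hijack"
        if net.subnet_of(auth_net):
            if origin not in origins:
                return "more-specific-hijack"     # wins longest-prefix match everywhere
            return "deaggregation-by-owner"       # unusual but legitimate
    return "unknown-prefix"                       # no authorisation data at all


def selected_route(dest, updates):
    """What a router actually uses: the longest matching prefix, regardless of
    whether the legitimate covering route is still present."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, path in updates:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, path[-1])
    return (str(best[0]), best[1]) if best else None


SAMPLE_UPDATES = [  # constructed; the shape of what a collector sees during a hijack
    ("192.0.2.0/24", [64496, 15169]),     # legitimate route via a normal upstream
    ("192.0.2.0/24", [64497, 64500]),     # same prefix announced by AS64500
    ("192.0.2.0/25", [64497, 64500]),     # more specific, also from AS64500
    ("192.0.2.128/25", [64496, 15169]),   # the owner deaggregating its own space
    ("198.51.100.0/24", [64496, 15169]),  # prefix with no entry in the table
]


def audit(updates=SAMPLE_UPDATES):
    return [(prefix, check_announcement(prefix, path)) for prefix, path in updates]


if __name__ == "__main__":
    for prefix, verdict in audit():
        print("%-18s %s" % (prefix, verdict))
    print("traffic to 192.0.2.10 follows", selected_route("192.0.2.10", SAMPLE_UPDATES))
```

The `selected_route` call is the point: even with Google's own /24 still in the table, hosts in 192.0.2.0/25 are routed to AS64500, which is why a leak of more-specific prefixes pulls traffic worldwide rather than only from networks closer to the leaker.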

Source: OK Google, why was your web traffic hijacked and routed through China, Russia today? • The Register

UPDATE: Nigerian firm Main One Cable Co takes blame for routing Google traffic through China

The US Military Just Publicly Dumped Russian Government Malware Online

This week, US Cyber Command (CYBERCOM), a part of the military tasked with hacking and cybersecurity focused missions, started publicly releasing unclassified samples of adversaries’ malware it has discovered.

CYBERCOM says the move is to improve information sharing among the cybersecurity community, but in some ways it could be seen as a signal to those who hack US systems: we may release your tools to the wider world.

“This is intended to be an enduring and ongoing information sharing effort, and it is not focused on any particular adversary,” Joseph R. Holstead, acting director of public affairs at CYBERCOM told Motherboard in an email.

On Friday, CYBERCOM uploaded multiple files to VirusTotal, a Google-owned search engine and repository for malware. Once uploaded, VirusTotal users can download the malware, see which anti-virus or cybersecurity products likely detect it, and see links to other pieces of malicious code.

One of the two samples CYBERCOM distributed on Friday is marked as coming from APT28, a Russian government-linked hacking group, by several different cybersecurity firms, according to VirusTotal. Those include Kaspersky Lab, Symantec, and Crowdstrike, among others. APT28 is also known as Sofacy and Fancy Bear.

Adam Meyers, vice president of intelligence at CrowdStrike said that the sample did appear new, but the company’s tools detected it as malicious upon first contact. Kurt Baumgartner, principal security researcher at Kaspersky Lab, told Motherboard in an email that the sample “was known to Kaspersky Lab in late 2017,” and was used in attacks in Central Asia and Southeastern Europe at the time.

Source: The US Military Just Publicly Dumped Russian Government Malware Online – Motherboard

Trivial Bug in X.Org Gives Root Permission on Linux and BSD Systems

A vulnerability that is trivial to exploit allows privilege escalation to root level on Linux and BSD distributions using X.Org server, the open source implementation of the X Window System that offers the graphical environment.

[…]

Three hours after the public announcement of the security gap, Daemon Security CEO Michael Shirk replied with one line that overwrote shadow files on the system. Hickey did one better and fit the entire local privilege escalation exploit in one line.

Apart from OpenBSD, other operating systems affected by the bug include Debian, Ubuntu, Fedora and its downstream distro Red Hat Enterprise Linux, along with its community-supported counterpart CentOS.

Source: Trivial Bug in X.Org Gives Root Permission on Linux and BSD Systems

How A Massive Ad Fraud Scheme Exploited Android Phones To Steal Millions Of Dollars

Last April, Steven Schoen received an email from someone named Natalie Andrea who said she worked for a company called We Purchase Apps. She wanted to buy his Android app, Emoji Switcher. But right away, something seemed off.

“I did a little bit of digging because I was a little sketched out because I couldn’t really find even that the company existed,” Schoen told BuzzFeed News.

The We Purchase Apps website listed a location in New York, but the address appeared to be a residence. “And their phone number was British. It was just all over the place,” Schoen said.

It was all a bit weird, but nothing indicated he was about to see his app end up in the hands of an organization responsible for potentially hundreds of millions of dollars in ad fraud, and which has funneled money to a cabal of shell companies and people scattered across Israel, Serbia, Germany, Bulgaria, Malta, and elsewhere.

Schoen had a Skype call with Andrea and her colleague, who said his name was Zac Ezra, but whose full name is Tzachi Ezrati. They agreed on a price and to pay Schoen up front in bitcoin.

“I would say it was more than I had expected,” Schoen said of the price. That helped convince him to sell.

A similar scenario played out for five other app developers who told BuzzFeed News they sold their apps to We Purchase Apps or directly to Ezrati. (Ezrati told BuzzFeed News he was only hired to buy apps and had no idea what happened to them after they were acquired.)

The Google Play store pages for these apps were soon changed to list four different companies as their developers, with addresses in Bulgaria, Cyprus, and Russia, giving the appearance that the apps now had different owners.

But an investigation by BuzzFeed News reveals that these seemingly separate apps and companies are today part of a massive, sophisticated digital advertising fraud scheme involving more than 125 Android apps and websites connected to a network of front and shell companies in Cyprus, Malta, British Virgin Islands, Croatia, Bulgaria, and elsewhere. More than a dozen of the affected apps are targeted at kids or teens, and a person involved in the scheme estimates it has stolen hundreds of millions of dollars from brands whose ads were shown to bots instead of actual humans. (A full list of the apps, the websites, and their associated companies connected to the scheme can be found in this spreadsheet.)

One way the fraudsters find apps for their scheme is to acquire legitimate apps through We Purchase Apps and transfer them to shell companies. They then capture the behavior of the app’s human users and program a vast network of bots to mimic it, according to analysis from Protected Media, a cybersecurity and fraud detection firm that analyzed the apps and websites at BuzzFeed News’ request.

This means a significant portion of the millions of Android phone owners who downloaded these apps were secretly tracked as they scrolled and clicked inside the application. By copying actual user behavior in the apps, the fraudsters were able to generate fake traffic that bypassed major fraud detection systems.

“This is not your run-of-the-mill fraud scheme,” said Asaf Greiner, the CEO of Protected Media. “We are impressed with the complex methods that were used to build this fraud scheme and what’s equally as impressive is the ability of criminals to remain under the radar.”

Another fraud detection firm, Pixalate, first exposed one element of the scheme in June. At the time, it estimated that the fraud being committed by a single mobile app could generate $75 million a year in stolen ad revenue. After publishing its findings, Pixalate received an email from an anonymous person connected to the scheme who said the amount that’s been stolen was closer to 10 times that amount. The person also said the operation was so effective because it works “with the biggest partners [in digital advertising] to ensure the ongoing flow of advertisers and money.”

In total, the apps identified by BuzzFeed News have been installed on Android phones more than 115 million times, according to data from analytics service AppBrain. Most are games, but others include a flashlight app, a selfie app, and a healthy eating app. One app connected to the scheme, EverythingMe, has been installed more than 20 million times.

Once acquired, the apps continue to be maintained in order to keep real users happy and create the appearance of a thriving audience that serves as a cover for the cloned fake traffic. The apps are also spread among multiple shell companies to distribute earnings and conceal the size of the operation.

Source: How A Massive Ad Fraud Scheme Exploited Android Phones To Steal Millions Of Dollars

Recent wave of hijacked WhatsApp accounts traced back to voicemail hacking

A wave of reports about hijacked WhatsApp accounts in Israel has forced the government’s cyber-security agency to send out a nation-wide security alert on Tuesday, ZDNet has learned.

The alert, authored by the Israel National Cyber Security Authority, warns about a relatively new method of hijacking WhatsApp accounts using mobile providers’ voicemail systems.

This new hacking method was first documented last year by Ran Bar-Zik, an Israeli web developer at Oath.

The general idea is that users who have voicemail accounts for their phone numbers are at risk if they don’t change that account’s default password, which in most cases tends to be either 0000 or 1234.

The possibility of an account takeover happens when an attacker tries to add a legitimate user’s phone number to a new WhatsApp app installation on his own phone.

Following normal security procedures, the WhatsApp service would then send a one-time code via SMS to that phone number. This would typically alert a user to an ongoing attack, but Bar-Zik argues that a hacker could easily avoid this by carrying out the attack during nighttime or when he is sure the user is away from his phone.

After several failed attempts to validate the one-time code sent via SMS, the WhatsApp service would then prompt the user to perform a “voice verification,” during which the WhatsApp service would call the user’s phone and speak the one-time verification code out loud.

If the attacker has timed his/her attack at the proper time and the user can’t or won’t answer his phone, that message would eventually land in the victim’s voicemail account.

Source: Recent wave of hijacked WhatsApp accounts traced back to voicemail hacking | ZDNet

Netherlands Defence Intelligence and Security Service disrupts Russian cyber operation targeting OPCW

On 13 April 2018, with support from the Netherlands General Intelligence and Security Service and UK counterparts, the Netherlands Defence Intelligence and Security Service (DISS) disrupted a cyber operation being carried out by a Russian military intelligence (GRU) team. The Russian operation had targeted the Organisation for the Prohibition of Chemical Weapons (OPCW) in The Hague.


To conduct their operation, 4 Russian intelligence officers had set up specialised equipment in the vicinity of the OPCW offices and were preparing to hack into OPCW networks. As host country the Netherlands bears responsibility for ensuring the organisation’s security. In order to protect the security of the OPCW it therefore pre-empted the GRU operation and escorted the Russian intelligence officers out of the country. “The cyber operation targeting the OPCW is unacceptable. Our exposure of this Russian operation is intended as an unambiguous message that the Russian Federation must refrain from such actions,” said Defence Minister Ank Bijleveld in her response. “The OPCW is a respected international institution representing 193 nations around the globe and was established to rid the world of chemical weapons. The Netherlands is responsible for protecting international organisations within its borders, and that is what we have done.”

Equipment

The 4 Russian intelligence officers entered the Netherlands via Schiphol Airport, travelling on diplomatic passports. They subsequently hired a car which they positioned in the parking lot of the Marriott Hotel in The Hague, which is adjacent to the OPCW offices.

Equipment was set up in the boot of the car with which the officers intended to hack into wifi networks and which was installed for the purpose of infiltrating the OPCW’s network. The antenna for this equipment lay hidden under a jacket on the rear shelf and the equipment was operational when DISS interrupted the operation.

Source: Netherlands Defence Intelligence and Security Service disrupts Russian cyber operation targeting OPCW

Facebook Could Face Up to $1.63 Billion Fine for 50m User Hack Under the GDPR

Facebook’s stunning disclosure of a massive hack on Friday in which attackers gained access tokens to at least 50 million accounts—bypassing security measures and potentially giving them full control of both profiles and linked apps—has already stirred the threat of a $1.63 billion dollar fine in the European Union, according to the Wall Street Journal.

The bug, which exploited flaws in the site’s “View As” and video uploader feature to gain access to the accounts, forced Facebook to reset access tokens for 50 million users and reset those for 40 million others as a precaution. (That means if you were logged out of your devices, you were affected.) Facebook has not said whether the attackers attempted to extract data from the affected profiles, but vice president of product management Guy Rosen told reporters they had attempted to harvest private information from Facebook’s systems, according to the New York Times. Rosen also said Facebook was unable to determine the extent to which third-party apps could have been compromised.

Source: Facebook Could Face Up to $1.63 Billion Fine for Latest Hack Under the GDPR


Resident evil: Inside a UEFI rootkit used to spy on govts, made by you-know-who (hi, Russia)

A rootkit is a piece of software that hides itself on computer systems, and uses its root or administrator-level privileges to steal and alter documents, spy on users, and cause other mischief and headaches. A UEFI rootkit lurks in the motherboard firmware, meaning it starts up before the operating system and antivirus suites run, allowing it to bury itself deep in an infected machine, undetected and with high-level access privileges.

According to infosec biz ESET, a firmware rootkit dubbed LoJax targeted Windows PCs used by government organizations in the Balkans as well as in central and eastern Europe. The chief suspects behind the software nasty are the infamous Fancy Bear (aka Sednit aka Sofacy aka APT28) hacking crew, elsewhere identified as a unit of Russian military intelligence.

That’s the same Fancy Bear that’s said to have hacked the US Democratic Party’s servers, French telly network TV5, and others.

The malware is based on an old version of a legit application by Absolute Software called LoJack for Laptops, which is typically installed on notebooks by manufacturers so that stolen devices can be found.

[…]

Once up and alive, LoJax contacts command-and-control servers that are disguised as normal websites and are known to be operated by Russian intelligence. It then downloads its orders to carry out.

[…]

This persistence method is particularly invasive as it will not only survive an OS reinstall, but also a hard disk replacement. Moreover, cleaning a system’s UEFI firmware means re-flashing it, an operation not commonly done and certainly not by the typical user.

[…]

There are firmware settings that can thwart the flash installation simply by blocking write operations. If BIOS write-enable (BIOSWE) is off, BIOS lock-enable (BLE) is on, and SMM BIOS write-protection (SMM_BWP) is enabled, then the malware can’t write itself to the motherboard’s flash storage.
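
Those three settings are bits of one register, BIOS_CNTL, on Intel chipsets, and checking them is the first thing a responder does on a suspect machine. The block below is an added example, not code from ESET's report, that decodes a BIOS_CNTL value into the three bits and classifies the machine the way chipsec's bios_wp check does. The bit positions are Intel's documented ones; the assumption that the register can be read with setpci from PCI device 00:1f.0 at offset 0xDC holds for the chipset generations that use this layout and should be confirmed against the platform datasheet (chipsec handles the per-platform differences for you).

```python
import subprocess

# BIOS_CNTL bit positions (Intel PCH documentation; the bits chipsec's bios_wp reads).
BIOSWE = 1 << 0   # BIOS Write Enable: 1 = writes to the BIOS flash region are accepted
BLE = 1 << 1      # BIOS Lock Enable: 1 = an attempt to set BIOSWE raises an SMI
SMM_BWP = 1 << 5  # SMM BIOS Write Protect: 1 = writes allowed only while in SMM


def decode_bios_cntl(value):
    return {
        "BIOSWE": bool(value & BIOSWE),
        "BLE": bool(value & BLE),
        "SMM_BWP": bool(value & SMM_BWP),
    }


def classify(value):
    """'protected', 'weak' or 'writable' for a BIOS_CNTL register value."""
    f = decode_bios_cntl(value)
    if f["BIOSWE"]:
        return "writable"      # write enable is simply on (or the lock is not working)
    if not f["BLE"]:
        return "writable"      # nothing stops ring-0 code from setting BIOSWE itself
    if not f["SMM_BWP"]:
        return "weak"          # lock depends on the SMI handler alone; chipsec does not
                               # count this as write-protected
    return "protected"         # BIOSWE=0, BLE=1, SMM_BWP=1: the state the article describes


def explain(value):
    f = decode_bios_cntl(value)
    return "BIOS_CNTL=0x%02x BIOSWE=%d BLE=%d SMM_BWP=%d -> %s" % (
        value, f["BIOSWE"], f["BLE"], f["SMM_BWP"], classify(value))


def read_bios_cntl_linux():
    """Read the live register with setpci (needs root). Returns None if that fails
    or if this platform does not expose the register at 00:1f.0 offset 0xDC (assumption)."""
    try:
        out = subprocess.run(["setpci", "-s", "00:1f.0", "dc.b"],
                             capture_output=True, text=True, check=True).stdout
        return int(out.strip(), 16)
    except (OSError, subprocess.CalledProcessError, ValueError):
        return None


if __name__ == "__main__":
    live = read_bios_cntl_linux()
    samples = [live] if live is not None else [0x00, 0x02, 0x22, 0x23]  # constructed values
    for v in samples:
        print(explain(v))
```

A "protected" verdict from this register is necessary but not sufficient: the SPI flash protected-range registers and the flash descriptor also have to lock the BIOS region, and a machine already carrying LoJax will of course report whatever its firmware chooses. Dumping the flash with an external programmer remains the ground truth.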

Alternatively, wiping the disk and firmware storage will get rid of this particular rootkit strain.

Modern systems should be able to resist malicious firmware overwrites, we’re told, although ESET said it found at least one case of LoJax in the PC’s SPI flash.

“While it is hard to modify a system’s UEFI image, few solutions exist to scan a system’s UEFI modules and detect malicious ones,” wrote Team ESET. “Moreover, cleaning a system’s UEFI firmware means re-flashing it, an operation not commonly done and certainly not by the average user. These advantages explain why determined and resourceful attackers will continue to target systems’ UEFI.”

Source: Resident evil: Inside a UEFI rootkit used to spy on govts, made by you-know-who (hi, Russia) • The Register

Cold Boot Attacks are back – plug a sleeping laptop into some kit and read all the memory, slurp all the passwords

Olle and his fellow cyber security consultant Pasi Saarinen recently discovered a new way to physically hack into PCs. According to their research, this method will work against nearly all modern computers. This includes laptops from some of the world’s biggest vendors like Dell, Lenovo, and even Apple.

And because these computers are everywhere, Olle and Pasi are sharing their research with companies like Microsoft, Apple and Intel, but also the public. The pair are presenting their research at the SEC-T conference in Sweden on September 13, and at Microsoft’s BlueHat v18 in the US on September 27.

[…]

Because cold boot attacks are nothing new, there have been developments to make them less effective. One safeguard created by the Trusted Computing Group (TCG) was to overwrite the contents of the RAM when the power was restored.

And that’s where Olle and Pasi’s research comes in. The two experts figured out a way to disable this overwrite feature by physically manipulating the computer’s hardware. Using a simple tool, Olle and Pasi learned how to rewrite the non-volatile memory chip that contains these settings, disable memory overwriting, and enable booting from external devices. Cold boot attacks can then be carried out by booting a special program off a USB stick.

Cold boot attacks are a known method of obtaining encryption keys from devices. But the reality is that attackers can get their hands on all kinds of information using these attacks. Passwords, credentials to corporate networks, and any data stored on the machine are at risk.

Source: The Chilling Reality of Cold Boot Attacks – F-Secure Blog

New attack on WPA/WPA2 using PMKID

In this writeup, I’ll describe a new technique to crack WPA PSK (Pre-Shared Key) passwords.

In order to make use of this new attack you need the following tools:

This attack was discovered accidentally while looking for new ways to attack the new WPA3 security standard. WPA3 will be much harder to attack because of its modern key establishment protocol called “Simultaneous Authentication of Equals” (SAE).

The main difference from existing attacks is that in this attack, capture of a full EAPOL 4-way handshake is not required. The new attack is performed on the RSN IE (Robust Security Network Information Element) of a single EAPOL frame.

At this time, we do not know for which vendors or for how many routers this technique will work, but we think it will work against all 802.11i/p/q/r networks with roaming functions enabled (most modern routers).

The main advantages of this attack are as follows:

  • No more regular users required – because the attacker directly communicates with the AP (aka “client-less” attack)
  • No more waiting for a complete 4-way handshake between the regular user and the AP
  • No more eventual retransmissions of EAPOL frames (which can lead to uncrackable results)
  • No more eventual invalid passwords sent by the regular user
  • No more lost EAPOL frames when the regular user or the AP is too far away from the attacker
  • No more fixing of nonce and replaycounter values required (resulting in slightly higher speeds)
  • No more special output format (pcap, hccapx, etc.) – final data will appear as regular hex encoded string
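
The reason a single frame suffices is that the PMKID the AP puts in its RSN IE is a deterministic function of the PMK, which for WPA-PSK is derived from nothing but the passphrase and the SSID. The block below is an added example, not the hashcat project's code, that implements both derivations and runs a wordlist against a PMKID in hashcat's 16800 line format (PMKID*MAC_AP*MAC_STA*ESSID-hex). Because no real capture is included, the "captured" line is constructed in the block from a known passphrase; the SSID, MACs and wordlist are made up.

```python
import hashlib
import hmac


def pmk_from_passphrase(passphrase, ssid):
    """WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 256 bits).
    This PBKDF2 step is where all the cracking cost lives."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def pmkid(pmk, mac_ap, mac_sta):
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || MAC_AP || MAC_STA): the value the
    AP places in the RSN IE of the first EAPOL frame when PMK caching/roaming is on."""
    return hmac.new(pmk, b"PMK Name" + mac_ap + mac_sta, hashlib.sha1).digest()[:16]


def parse_hashcat_line(line):
    """hashcat mode 16800 format: PMKID*MAC_AP*MAC_STA*ESSID(hex)."""
    p, ap, sta, essid_hex = line.strip().split("*")
    return bytes.fromhex(p), bytes.fromhex(ap), bytes.fromhex(sta), bytes.fromhex(essid_hex).decode()


def crack(line, wordlist):
    """Return the first candidate whose PMKID matches, or None."""
    target, ap, sta, ssid = parse_hashcat_line(line)
    for candidate in wordlist:
        if hmac.compare_digest(pmkid(pmk_from_passphrase(candidate, ssid), ap, sta), target):
            return candidate
    return None


def make_hashcat_line(passphrase, ssid, mac_ap, mac_sta):
    """Constructed stand-in for a captured line, built from a known passphrase."""
    p = pmkid(pmk_from_passphrase(passphrase, ssid), mac_ap, mac_sta)
    return "%s*%s*%s*%s" % (p.hex(), mac_ap.hex(), mac_sta.hex(), ssid.encode().hex())


# Constructed sample: made-up SSID, MAC addresses and wordlist.
SAMPLE_LINE = make_hashcat_line("Hackme123", "HomeNet",
                                bytes.fromhex("001337a2b2c3"), bytes.fromhex("00aabbccddee"))
WORDLIST = ["password", "letmein", "12345678", "Hackme123", "Summer2018!"]


if __name__ == "__main__":
    print("capture line:", SAMPLE_LINE)
    print("cracked PSK: ", crack(SAMPLE_LINE, WORDLIST))
```

Nothing in the check involves nonces, replay counters or the client's MIC, which is exactly why the retransmission, timing and client-presence problems in the list above disappear. The only defence on the network side is the same as before: a long random passphrase, or moving to WPA3-SAE where the PMK is not derivable from the passphrase offline.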

Source: New attack on WPA/WPA2 using PMKID

Hacker swipes Snapchat’s source code, publishes it on GitHub

Snapchat doesn’t just make messages disappear after a period of time. It also does the same to GitHub repositories — especially when they contain the company’s proprietary source code.

So, what happened? Well, let’s start from the beginning. A GitHub user with the handle i5xx, believed to be from the village of Tando Bago in Pakistan’s southeastern Sindh province, created a GitHub repository called Source-Snapchat.

At the time of writing, the repo has been removed by GitHub following a DMCA request from Snap Inc

[…]

Four days ago, GitHub published a DMCA takedown request from Snap Inc., although it’s likely the request was filed much earlier. GitHub, like many other tech giants including Google, publishes information on DMCA takedown requests from the perspective of transparency.

[…]

To the question “Please provide a detailed description of the original copyrighted work that has allegedly been infringed. If possible, include a URL to where it is posted online,” the Snap Inc representative wrote:

“SNAPCHAT SOURCE CODE. IT WAS LEAKED AND A USER HAS PUT IT IN THIS GITHUB REPO. THERE IS NO URL TO POINT TO BECAUSE SNAP INC. DOESN’T PUBLISH IT PUBLICLY.”

The most fascinating part of this saga is that the leak doesn’t appear to be malicious, but rather comes from a researcher who found something, but wasn’t able to communicate his findings to the company.

According to several posts on a Twitter account believed to belong to i5xx, the researcher tried to contact SnapChat, but was unsuccessful.

“The problem we tried to communicate with you but did not succeed In that we decided [sic] Deploy source code,” wrote i5xx.

The account also threatened to re-upload the source code. “I will post it again until you reply :),” he said.

For what it’s worth, it’s pretty easy for security researchers to get in touch with Snap Inc. The company has an active account on HackerOne, where it runs a bug bounty program, and is extremely responsive.

According to HackerOne’s official statistics, the site replies to initial reports in 12 hours, and has paid out over $220,000 in bounties.

Source: Hacker swipes Snapchat’s source code, publishes it on GitHub

How a hacker network turned stolen press releases into $100 million

At a Kiev nightclub in the spring of 2012, 24-year-old Ivan Turchynov made a fateful drunken boast to some fellow hackers. For years, Turchynov said, he’d been hacking unpublished press releases from business newswires and selling them, via Moscow-based middlemen, to stock traders for a cut of the sizable profits.

Oleksandr Ieremenko, one of the hackers at the club that night, had worked with Turchynov before and decided he wanted in on the scam. With his friend Vadym Iermolovych, he hacked Business Wire, stole Turchynov’s inside access to the site, and pushed the main Muscovite ringleader, known by the screen name eggPLC, to bring them in on the scheme. The hostile takeover meant Turchynov was forced to split his business. Now, there were three hackers in on the game.

Newswires like Business Wire are clearinghouses for corporate information, holding press releases, regulatory announcements, and other market-moving information under strict embargo before sending it out to the world. Over a period of at least five years, three US newswires were hacked using a variety of methods from SQL injections and phishing emails to data-stealing malware and illicitly acquired login credentials. Traders who were active on US stock exchanges drew up shopping lists of company press releases and told the hackers when to expect them to hit the newswires. The hackers would then upload the stolen press releases to foreign servers for the traders to access in exchange for 40 percent of their profits, paid to various offshore bank accounts. Through interviews with sources involved with both the scheme and the investigation, chat logs, and court documents, The Verge has traced the evolution of what law enforcement would later call one of the largest securities fraud cases in US history.

Source: How a hacker network turned stolen press releases into $100 million – The Verge

Nostalgic social network ‘Timehop’ loses data from 21 million users

A service named “Timehop” that claims it is “reinventing reminiscing” – in part by linking posts from other social networks – probably wishes it could go back in time and reinvent its own security, because it has just confessed to losing data describing 21 million members and can’t guarantee that the perps didn’t slurp private info from users’ social media accounts.

“On July 4, 2018, Timehop experienced a network intrusion that led to a breach of some of your data,” the company wrote. “We learned of the breach while it was still in progress, and were able to interrupt it, but data was taken.”

Names and email addresses were lifted, as were “Keys that let Timehop read and show you your social media posts (but not private messages)”. Timehop has “deactivated these keys so they can no longer be used by anyone – so you’ll have to re-authenticate to our App.”

The breach also led to the loss of access tokens Timehop uses to access other social networks such as Twitter, Facebook and Instagram and the posts you’ve made there. Timehop swears blind that the tokens have been revoked and just won’t work any more.

But the company has also warned that “there was a short time window during which it was theoretically possible for unauthorized users to access those posts” but has “no evidence that this actually happened.”

It can’t be as almost-comforting on the matter of purloined phone numbers, advising that for those who shared such data with the company “It is recommended that you take additional security precautions with your cellular provider to ensure that your number cannot be ported.” Oh thanks for that, Timehop. And thanks, also, for not using two-factor authentication, because that made the crack possible. “The breach occurred because an access credential to our cloud computing environment was compromised,” the company’s admitted. “That cloud computing account had not been protected by multifactor authentication. We have now taken steps that include multifactor authentication to secure our authorization and access controls on all accounts.”

All of which leaves users in the same place as usual: with work to do, knowing that if their service providers had done their jobs properly they’d feel a lot safer.

Source: Nostalgic social network ‘Timehop’ loses data from 21 million users

ProtonMail / ProtonVPN DDoS Attacks Are a Case Study of What Happens When You Mock Attackers

For the past two days, secure email provider ProtonMail has been fighting off DDoS attacks that have visibly affected the company’s services, causing short but frequent outages at regular intervals.

“The attacks went on for several hours, although the outages were far more brief, usually several minutes at a time with the longest outage on the order of 10 minutes,” a ProtonMail spokesperson said describing the attacks.

The email provider claims to “have traced the attack back to a group that claims to have ties to Russia,” a statement that some news outlets took at face value and ran stories misleading readers into thinking this was some kind of nation-state-planned cyber-attack.

But in reality, the DDoS attacks have no ties to Russia, weren’t even planned in the first place, and the group behind the attacks denied being Russian, to begin with.

Small hacker group behind ProtonMail DDoS attacks

Responsible for the attacks is a hacker group named Apophis Squad. In a private conversation with Bleeping Computer today, one of the group’s members detailed yesterday’s chain of events.

The Apophis member says they targeted ProtonMail at random while testing a beta version of a DDoS booter service the group is developing and preparing to launch.

The group didn’t cite any reason outside “testing” for the initial and uncalled for attack on ProtonMail, which they later revealed to have been a 200 Gbps SSDP flood, according to one of their tweets.

“After we sent the first attack, we downed it for 60 seconds,” an Apophis Squad member told us. He said the group didn’t intend to harass ProtonMail all day yesterday or today but decided to do so after ProtonMail’s CTO, Bart Butler, responded to one of their tweets calling the group “clowns.”

This was a questionable response on the part of the ProtonMail CTO, as it set the hackers against his company even more.

“So we then downed them for a few hours,” the Apophis Squad member said. Subsequent attacks included a whopping TCP-SYN flood estimated at 500 Gbps, as claimed by the group…

…and NTP and CLDAP floods, as observed by a security researcher at NASK and confirmed by another Apophis Squad member.

The attacks also continued today when the group launched another DDoS attack consisting of a TCP-SYN flood estimated at between 50 and 70 Gbps…

… and another CHARGEN flood estimated at 2 Gbps.

Radware, the company which was involved in mitigating the attacks on ProtonMail’s infrastructure, could not confirm the 500 Gbps DDoS attack at the time of writing but confirmed the multi-vector assault.

“We can’t confirm attack size as it varied at different points in the attack,” a Radware spokesperson said. “However we can confirm that the attack was a high volumetric, multi-vector attack. It included several UDP reflection attacks, multiple TCP bursts, and Syn floods.”
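The vectors Radware describes (UDP reflection floods plus SYN floods) are easy to tell apart in flow telemetry. The following Python script is an added example for this digest, not code from Bleeping Computer, Radware, NASK or any other party quoted in the article. It classifies constructed flow records by vector: a reflection flood reaches the victim as UDP replies from the abused service’s well-known port (1900 for SSDP, 123 for NTP, 389 for CLDAP, 19 for CHARGEN, and the DNS and Memcached ports the group also advertises), while a SYN flood shows up as TCP flows carrying only the SYN flag. The record format, the target and source addresses, and the byte counts are all constructed for the example.

```python
"""Triage constructed flow records for the DDoS vectors named in the article.
Added example for this digest; not code from Bleeping Computer, Radware or NASK.
Assumed record format: 'PROTO src_ip:port dst_ip:port tcp_flags bytes packets'
(tcp_flags is '-' for UDP)."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# UDP source ports of services abused as reflectors.  A reflection flood hits
# the victim as replies *from* these ports, so the source port is the tell.
REFLECTION_PORTS = {1900: "SSDP", 123: "NTP", 389: "CLDAP", 19: "CHARGEN",
                    53: "DNS", 11211: "Memcached"}


@dataclass
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    nbytes: int
    pkts: int


def parse_flow(line: str) -> Flow:
    proto, src, dst, flags, nbytes, pkts = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return Flow(proto, sip, int(sport), dip, int(dport), flags, int(nbytes), int(pkts))


def classify(flow: Flow) -> Optional[str]:
    """Name the attack vector a flow belongs to, or None for ordinary traffic."""
    if flow.proto == "UDP" and flow.sport in REFLECTION_PORTS:
        return f"{REFLECTION_PORTS[flow.sport]} reflection"
    if flow.proto == "TCP" and flow.flags == "S":   # SYN without ACK: half-open attempt
        return "TCP SYN flood"
    return None


def summarize(lines, target: str) -> dict:
    """Aggregate suspicious flows toward `target`: bytes per vector, distinct
    reflector sources per vector (what you would hand to upstream filtering),
    and the number of SYN-only packets."""
    bytes_by_vector = defaultdict(int)
    reflectors = defaultdict(set)
    syn_only_packets = 0
    for line in lines:
        f = parse_flow(line)
        if f.dst != target:
            continue
        vector = classify(f)
        if vector is None:
            continue
        bytes_by_vector[vector] += f.nbytes
        if vector.endswith("reflection"):
            reflectors[vector].add(f.src)
        else:
            syn_only_packets += f.pkts
    return {
        "bytes_by_vector": dict(bytes_by_vector),
        "reflector_count": {v: len(s) for v, s in reflectors.items()},
        "syn_only_packets": syn_only_packets,
    }


# Constructed sample records using documentation address ranges, not real hosts.
SAMPLE_FLOWS = [
    "UDP 198.51.100.10:1900 203.0.113.5:443 - 1200000 1200",   # SSDP reflection
    "UDP 198.51.100.11:1900 203.0.113.5:443 - 900000 900",     # SSDP, second reflector
    "UDP 198.51.100.20:123 203.0.113.5:443 - 480000 1000",     # NTP reflection
    "UDP 198.51.100.30:389 203.0.113.5:443 - 3000000 1000",    # CLDAP reflection
    "UDP 198.51.100.40:19 203.0.113.5:443 - 200000 200",       # CHARGEN reflection
    "TCP 192.0.2.7:40001 203.0.113.5:443 S 60000 1000",        # SYN-only flow
    "TCP 192.0.2.8:40002 203.0.113.5:443 SA 5000 10",          # normal handshake
    "UDP 198.51.100.99:53 203.0.113.9:53 - 100 1",             # traffic to another host
]

if __name__ == "__main__":
    report = summarize(SAMPLE_FLOWS, "203.0.113.5")
    for vector, nbytes in sorted(report["bytes_by_vector"].items(), key=lambda kv: -kv[1]):
        print(f"{vector:18s} {nbytes:>10d} bytes  reflectors={report['reflector_count'].get(vector, 0)}")
    print("SYN-only packets:", report["syn_only_packets"])
```

Run as a script it prints bytes per vector and the SYN-only packet count. In production you would also look at bytes per packet, since amplified replies are far larger than the requests that triggered them, and feed the per-vector reflector lists to whatever upstream filtering you have, which is the same multi-vector picture Radware describes.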

In addition to targeting ProtonMail, the group also targeted Tutanota, for unknown reasons, but these attacks stopped shortly after. Tutanota execs not goading the hackers might have played a role.

Hackers deny Russian connection

The Apophis Squad group is by no means a sophisticated threat. They are your typical 2018 hacker group that hangs out in Discord channels and organizes DDoS attacks for, sometimes, childish reasons.

The group is currently developing a DDoS booter service, which they were advertising prior to yesterday’s attacks on Twitter and on Discord, claiming to be able to launch DDoS attacks using protocols such as NTP, DNS, SSDP, Memcached, LDAP, HTTP, CloudFlare bypass, VSE, ARME, Torshammer, and XML-RPC.

Their Twitter timeline claims the group is based in Russia, and so does their domain, but in a private conversation the group said this wasn’t accurate.

“We aint russian [sic],” the group told us.

“We believe the attackers to be based in the UK,” a Radware spokesperson told Bleeping Computer via email today.

If the ProtonMail DDoS attack later proves to have been of 500 Gbps, it will be one of the biggest DDoS attacks recorded, following similar DDoS attacks of 1.7 Tbps (against a yet to be named US service provider) and 1.3 Tbps (against GitHub).

Source: ProtonMail DDoS Attacks Are a Case Study of What Happens When You Mock Attackers

All-Radio 4.27 Portable Can’t Be Removed? Then Your PC is Severely Infected

Starting yesterday, there have been numerous reports of people’s Windows computers being infected with something called “All-Radio 4.27 Portable”. After researching this, it has been determined that seeing this program is a symptom of a much bigger problem on your computer.

All-Radio 4.27 Portable

If your computer is suddenly displaying the above program, then your computer is infected with malware that installs rootkits, miners, information-stealing Trojans, and a program that is using your computer to send out spam.

Unfortunately, while some security programs are able to remove parts of the infection, the rootkit component needs manual removal help at this time. Due to this and the amount of malware installed, if you are infected I suggest that you reinstall Windows from scratch if possible.

If that is not an option, you can create a malware removal help topic in our Virus Removal forum in order to receive one-on-one help in cleaning your computer.

Furthermore, some of the VirusTotal scans associated with this infection have indicated that an information stealing Trojan could have been installed as well. Therefore, it is strongly suggested that you change your passwords using a clean machine if you had logged into any accounts while infected.

Source: All-Radio 4.27 Portable Can’t Be Removed? Then Your PC is Severely Infected

Adidas Reports Data Breach of a few million customers

Adidas AG said Thursday that a “few million” customers shopping on its U.S. website may have had their data exposed to an unauthorized party.

Neither the specific number of users affected nor the time frame of the potential breach were immediately disclosed, but the German sportswear maker said it became aware of the issue on Tuesday and has begun a forensic review.

Adidas said they are alerting “certain customers who purchased on adidas.com/US” and that, according to the company’s preliminary examination, data affected include contact information, usernames and encrypted passwords.

“Adidas has no reason to believe that any credit card or fitness information of those consumers was impacted,” the company said.

Source: Adidas Reports Data Breach – WSJ

Ticketmaster Discloses Breach That Impacts Nearly 5 Percent of Its Customers

Ticketmaster on Wednesday disclosed a data breach reportedly caused by malware infecting a customer support system outsourced to an external company.

In a statement, Ticketmaster said some of its customer data may have been accessed by an unknown intruder. Email notifications were sent to customers who purchased tickets between February and June 23, 2018, the company said.

Names, addresses, email addresses, telephone numbers, and payment card details may have been compromised.

Source: Ticketmaster Discloses Breach That Impacts Nearly 5 Percent of Its Customers

The Biggest Digital Heist in History Isn’t Over Yet: $1.2 b and still growing since 2013

Since late 2013, this band of cybercriminals has penetrated the digital inner sanctums of more than 100 banks in 40 nations, including Germany, Russia, Ukraine, and the U.S., and stolen about $1.2 billion, according to Europol, the European Union’s law enforcement agency. The string of thefts, collectively dubbed Carbanak—a mashup of a hacking program and the word “bank”—is believed to be the biggest digital bank heist ever.

[…]

Besides forcing ATMs to cough up money, the thieves inflated account balances and shuttled millions of dollars around the globe. Deploying the same espionage methods used by intelligence agencies, they appropriated the identities of network administrators and executives and plumbed files for sensitive information about security and account management practices.

[…]

For years police and banking-industry sleuths doubted they’d ever catch the phantoms behind Carbanak. Then, in March, the Spanish National Police arrested Ukrainian citizen Denis Katana in the Mediterranean port city of Alicante. The authorities have held him since then on suspicion of being the brains of the operation. Katana’s lawyer, Jose Esteve Villaescusa, declined to comment, and his client’s alleged confederates couldn’t be reached for comment. While Katana hasn’t been charged with a crime, Spanish detectives say financial information, emails, and other data trails show he was the architect of a conspiracy that spanned three continents. And there are signs that the Carbanak gang is far from finished.

[…]

The attackers cased their targets for months, says Kaspersky. The Carbanak crew was looking for executives with the authority to direct the flow of money between accounts, to other lenders, and to ATMs. They were also studying when and how the bank moved money around. The thieves didn’t want to do anything that would catch the eyes of security. State-backed spies use this type of reconnaissance in what’s known as an advanced persistent threat. “In those instances, the attacks are designed to steal data, not get their hands on money,” Emm says. When the time was right, the thieves used the verification codes of bank officers to create legit-looking transactions.

By the fall of 2014, the authorities realized they were dealing with something new. That October, Keith Gross, chair of the cybersecurity group for a European bank lobby, called a crash meeting with experts from Citigroup, Deutsche Bank, and other major European lenders. In a meeting room at Europol’s fortress-like headquarters in The Hague, Kaspersky researchers briefed the bank officials on what they’d found in Ukraine. “I’ve never seen anything like this before,” Troels Oerting, then the head of Europol’s Cybercrime Centre, told the group. “It’s a well-orchestrated malware attack, it’s very sophisticated, and it’s global.”

So Europol went global, too, enlisting help from law enforcement agencies in Belarus, Moldova, Romania, Spain, Taiwan, the U.S., as well as bank industry representatives. It set up a secure online clearinghouse where investigators could cross-check data and find links between the thefts, says Fernando Ruiz, head of operations in Europol’s cybercrime unit. At the heart of its operation was a lab where technicians dissected the two dozen samples of malware identified in the Carbanak thefts. By isolating unique characteristics in the code, detectives could trace where the programs came from and maybe who was using them. The work led them toward Denis Katana’s apartment in Alicante, a four-hour drive southeast of Madrid. “This is what the Spanish police used to open their investigation,” Ruiz says.

[…]

Yet experts point out that even if Katana was the mastermind, he was just one guy in a crime that surely must have had many authors. Unlike the bank jobs of yore, digital heists are amoeba-like ventures that divide over and over again as the malware proliferates. “We’ve already seen the modification of Carbanak and multiple groups using it,” says Kimberly Goody, an analyst at security software maker FireEye Inc. “Same case with Cobalt.”

In recent weeks, employees at banks in the Russian-speaking world have been receiving emails that appear to be from Kaspersky, the security company that unearthed Carbanak. The messages warn recipients that their PCs have been flagged for possibly violating the law and they should download a complaint letter or face penalties. When they click on the attachment, a version of the Cobalt malware infects their networks. It turns out cyberheists may not die even when their suspected perpetrators are nabbed.

Source: The Biggest Digital Heist in History Isn’t Over Yet – Bloomberg

Hackers Stole Over $20 Million From Misconfigured Ethereum Clients

A group of hackers has stolen over $20 million worth of Ethereum from Ethereum-based apps and mining rigs, Chinese cyber-security firm Qihoo 360 Netlab reported today.

The cause of these thefts is Ethereum software applications that have been configured to expose an RPC [Remote Procedure Call] interface on port 8545.

The purpose of this interface is to provide a programmatic API that an approved third-party service or app can query to interact with, or retrieve data from, the original Ethereum-based service, such as a miner or wallet application that users or companies have set up for mining or managing funds.

Because of its role, this RPC interface grants access to some pretty sensitive functions, allowing a third-party app the ability to retrieve private keys, move funds, or retrieve the owner’s personal details.

As such, this interface comes disabled by default in most apps, and is usually accompanied by a warning from the original app’s developers not to turn it on unless properly secured by an access control list (ACL), a firewall, or other authentication systems.

Almost all Ethereum-based software comes with an RPC interface nowadays, and in most cases, even when turned on, they are appropriately configured to listen to requests only via the local interface (127.0.0.1), meaning from apps running on the same machine as the original mining/wallet app that exposes the RPC interface.

Some users don’t like to read the documentation

But across the years, developers have been known to tinker with their Ethereum apps, sometimes without knowing what they are doing.

This isn’t a new issue. Months after its launch, the Ethereum Project sent out an official security advisory to warn that some of the users of the geth Ethereum mining software were running mining rigs with this interface open to remote connections, allowing attackers to steal their funds.

But despite the warning from the official Ethereum devs, users have continued to misconfigure their Ethereum clients across the years, and many have reported losing funds out of the blue, losses that were later traced back to exposed RPC interfaces.
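The safe configuration the article describes is an RPC server that listens only on the local interface and does not expose the account-management functions. The following Python script is an added example for this digest, not code from the article, from Qihoo 360 Netlab or from any Ethereum client. It audits a node host from two angles: the client’s command line (flag names are geth’s from 2018, `--rpc`, `--rpcaddr` and `--rpcapi`; the `--http`, `--http.addr` and `--http.api` spellings that later geth releases switched to are accepted as well) and the host’s listening sockets as printed by `ss -lnt`. Which namespaces count as sensitive is an assumption of the example, and the sample command lines and socket listing are constructed.

```python
"""Audit an Ethereum node host for an exposed JSON-RPC interface (port 8545).
Added example for this digest; not code from the article, Qihoo 360 Netlab or
any Ethereum client.  Two views are checked: the client's command line and the
host's listening sockets (as printed by `ss -lnt`)."""
from __future__ import annotations
from ipaddress import ip_address
import shlex

RPC_PORT = 8545
# Namespaces that can unlock accounts, sign transactions or control the node.
# Treating exactly this set as sensitive is an assumption of this example.
SENSITIVE_NAMESPACES = {"personal", "admin", "miner", "debug"}


def is_loopback(host: str) -> bool:
    if host == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False


def audit_geth_cmdline(cmdline: str) -> list[str]:
    """Findings for a geth-style command line; an empty list means nothing flagged.
    Accepts the 2018 flags (--rpc/--rpcaddr/--rpcapi) and the later --http.* names."""
    args = shlex.split(cmdline)
    enabled = False
    bind = "localhost"               # geth's default bind address when RPC is on
    apis = {"eth", "net", "web3"}    # geth's default namespaces
    i = 0
    while i < len(args):
        arg, value = args[i], None
        if "=" in arg:               # --flag=value form
            arg, value = arg.split("=", 1)
        if arg in ("--rpc", "--http"):
            enabled = True
        elif arg in ("--rpcaddr", "--http.addr", "--rpcapi", "--http.api"):
            if value is None and i + 1 < len(args):   # --flag value form
                i += 1
                value = args[i]
            if value is not None:
                if arg.endswith("addr"):
                    bind = value
                else:
                    apis = {a.strip() for a in value.split(",")}
        i += 1
    findings = []
    if not enabled:                  # server off: nothing to expose
        return findings
    if not is_loopback(bind):
        findings.append(f"JSON-RPC bound to {bind}: reachable from other hosts")
    exposed = apis & SENSITIVE_NAMESPACES
    if exposed:
        findings.append(f"sensitive namespaces enabled: {', '.join(sorted(exposed))}")
    return findings


def audit_listening_sockets(ss_output: str, port: int = RPC_PORT) -> list[str]:
    """Findings from `ss -lnt` style output: the RPC port bound to anything
    other than a loopback address (IPv4 or IPv6)."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":    # skips the header line too
            continue
        host, _, p = cols[3].rpartition(":")        # local address is column 4
        host = host.strip("[]")                     # IPv6 addresses are bracketed
        if host == "*":
            host = "0.0.0.0"
        if int(p) != port or is_loopback(host):
            continue
        findings.append(f"TCP {port} listening on {host}: reachable from other hosts")
    return findings


# Constructed sample inputs.
WEAK_CMDLINE = "geth --rpc --rpcaddr 0.0.0.0 --rpcapi eth,net,web3,personal"
SAFE_CMDLINE = "geth --rpc --rpcaddr 127.0.0.1 --rpcapi eth,net,web3"
SS_SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      4096   0.0.0.0:8545       0.0.0.0:*
LISTEN 0      4096   127.0.0.1:8546     0.0.0.0:*
LISTEN 0      4096   [::]:30303         [::]:*
"""

if __name__ == "__main__":
    for label, cmd in (("weak", WEAK_CMDLINE), ("safe", SAFE_CMDLINE)):
        print(label, audit_geth_cmdline(cmd) or ["no findings"])
    print("sockets", audit_listening_sockets(SS_SAMPLE) or ["no findings"])
```

The socket check is the more trustworthy of the two, because it reports what the host actually exposes regardless of which client or config file produced it; the command-line check adds the namespace detail that a port scan cannot see. A finding from either means the interface needs to go back to the loopback address or behind the ACL, firewall or authentication layer the client’s own documentation asks for.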

Source: Hackers Stole Over $20 Million From Misconfigured Ethereum Clients

Ticketfly exposes data on 27m customers in hack

  • Ticketfly was the target of a malicious cyber attack last week.
  • In consultation with third-party forensic cybersecurity experts we can now confirm that credit and debit card information was not accessed.
  • However, information including names, addresses, email addresses and phone numbers connected to approximately 27 million Ticketfly accounts was accessed. It’s important to note that many people purchase tickets with multiple email accounts, so the number of individuals impacted is likely lower.
  • We take privacy and security very seriously and upon first learning about this incident we took swift action to secure the data of our clients and fans.
  • Ticketfly.com, Ticketfly Backstage, and the vast majority of temporary venue/promoter websites are back online.

Source: Ticketfly | Ticketfly Cyber Incident Update