Skygofree: Serious offensive Android malware, since 2014

At the beginning of October 2017, we discovered new Android spyware with several features previously unseen in the wild. In the course of further research, we found a number of related samples that point to a long-term development process. We believe the initial versions of this malware were created at least three years ago – at the end of 2014. Since then, the implant’s functionality has been improving and remarkable new features implemented, such as the ability to record audio surroundings via the microphone when an infected device is in a specified location; the stealing of WhatsApp messages via Accessibility Services; and the ability to connect an infected device to Wi-Fi networks controlled by cybercriminals.
[…]
The implant provides the ability to grab a lot of exfiltrated data, like call records, text messages, geolocation, surrounding audio, calendar events, and other memory information stored on the device.
[…]
In the latest implant versions there are 48 different commands. You can find a full list with short descriptions in the Appendix. Here are some of the most notable:

‘geofence’ – this command adds a specified location to the implant’s internal database and when it matches a device’s current location the malware triggers and begins to record surrounding audio.

‘social’ – this command starts the ‘AndroidMDMSupport’ service, which allows the files of any other installed application to be grabbed.

‘wifi’ – this command creates a new Wi-Fi connection with the configuration specified in the command and enables Wi-Fi if it is disabled.

‘camera’ – this command records a video or captures a photo using the front-facing camera when someone next unlocks the device.

Source: Skygofree: Following in the footsteps of HackingTeam – Securelist

Hospital injects $60,000 into crims’ coffers to cure malware infection

The crooks had infected the network of Hancock Health, in Indiana, with the Samsam software nasty, which scrambled files and demanded payment to recover the documents. The criminals broke in around 9.30pm on January 11 after finding a box with an exploitable Remote Desktop Protocol (RDP) server, and injected their ransomware into connected computers.

Medical IT teams were alerted in early 2016 that hospitals were being targeted by Samsam, although it appears the warnings weren’t heeded in this case.

According to the hospital, the malware spread over the network and was able to encrypt “a number of the hospital’s information systems,” reducing staff to scratching out patient notes on pieces of dead tree.
[…]
The ransomware’s masters accepted the payment, and sent over the decryption keys to unlock the data. As of Monday this week, the hospital said critical systems were up and running and normal services have been resumed.

This doesn’t appear to be a data heist. The hospital claimed no digital patient records were taken from its computers, just made inaccessible. “The life-sustaining and support systems of the hospital remained unaffected during the ordeal, and patient safety was never at risk,” the healthcare provider argued.
[…]
It’s one thing to keep an offline store of sensitive data to prevent ransomware on the network from attacking it. It’s another to keep those backups somewhere so out of reach, they can’t be recovered during a crisis, effectively rendering them useless.

It just proves that when planning disaster recovery, you must consider time-to-restoration as well as the provisioning of backup hardware.

Source: Hospital injects $60,000 into crims’ coffers to cure malware infection • The Register

300 Dutch customers fell for fake popular website ring. Perps picked up and given a few months of prison time.

BCC and MediaMarkt are large electronics stores in NL. Ziggo is a large internet ISP. By linking to fake pages through marktplaats.nl (the Dutch ebay / Craigslist equivalent) people were able to shop for products on the fake sites, which were never delivered. Using a chat interface, the crims tried to gain access to the bank accounts of the marks. It very much surprises me that this kind of fraud only results in a few months in jail.

A number of men have each received several months in prison for large-scale internet fraud. They earned their money mainly from fake webshops imitating, among others, BCC, MediaMarkt and Ziggo.

Source: Gevangenisstraf voor internetoplichting – Emerce

How a Reddit Email Vulnerability Led to Thousands in Stolen Bitcoin Cash

The exploit allowed hackers to request a password reset for a target account and then click the generated link without opening the email it had been sent in. How was this possible? Theories circulated, buoyed by posts on Hacker Noon and The Next Web: it was the r/bitcoin users out to cause trouble; or was it a Reddit admin gone rogue?

But this attack had incentive beyond ideology. What made the users of r/btc such a rich target was the deployment of a bot account called Tippr, which was used, among other things, to reward a particularly funny or insightful comment. By tagging someone and designating an amount, Tippr withdrew some BCH from your hotwallet and allocated it to the recipient. Given that Tippr is active on both Reddit and Twitter (where it provides its donation service for such heavyweights as the Tor Project), there was easy money to be had.

Source: How a Reddit Email Vulnerability Led to Thousands in Stolen Bitcoin Cash

Rs 500, 10 minutes, and you have access to billion Aadhaar (Indian social security) details

It took just Rs 500, paid through Paytm, and 10 minutes in which an “agent” of the group running the racket created a “gateway” for this correspondent and gave a login ID and password. Lo and behold, you could enter any Aadhaar number in the portal, and instantly get all particulars that an individual may have submitted to the UIDAI (Unique Identification Authority of India), including name, address, postal code (PIN), photo, phone number and email.

What is more, The Tribune team paid another Rs 300, for which the agent provided “software” that could facilitate the printing of the Aadhaar card after entering the Aadhaar number of any individual.

Source: Rs 500, 10 minutes, and you have access to billion Aadhaar details

Ridiculously, the reporters of this news are now facing governmental investigation, instead of getting the recognition they deserve.
Snowden on Twitter

Rare Malware Targeting Uber’s Android App Uncovered

Malware discovered by Symantec researchers sneakily spoofs Uber’s Android app and harvests users’ passwords, allowing attackers to take over the affected users’ accounts. The malware isn’t widespread, though, and most Uber users are not affected.
[…]
In order to steal a user’s login information, the malware pops up on-screen regularly and prompts the user to enter their Uber username and password. Once a user falls for the attack and enters their information, it gets swept up by the attacker.

To cover up the credential theft, this malware uses deep links to Uber’s legitimate app to display the user’s current location—making it appear as though the user is accessing the Uber app instead of a malicious fake.

Source: Rare Malware Targeting Uber’s Android App Uncovered

Acoustic Attacks on HDDs cause them to shut down

The basic principle behind this attack is that sound waves introduce mechanical vibrations into an HDD’s data-storage platters. If the sound is played at a specific frequency, it creates a resonance effect that amplifies the vibration. Because hard drives store vast amounts of information inside small areas of each platter, they are programmed to stop all read/write operations while a platter vibrates, so as to avoid scratching the storage disks and permanently damaging the HDD.

Source: Acoustic Attacks on HDDs Can Sabotage PCs, CCTV Systems, ATMs, More

Forever 21: Yes, hackers breached our payment system for half of 2017

A breach at Forever 21 left customer payment card information exposed to hackers, the retailer confirmed Thursday. The company didn’t specify how many customers had information stolen, but said various point of sales terminals were affected between April 3 and November 18, 2017. Hackers collected credit card numbers, expiration dates, verification codes and sometimes cardholder names.

Source: Forever 21: Yes, hackers breached our payment system – CNET

‘Kernel memory leaking’ Intel / ARM processor design flaw forces Linux, Windows, OSX redesign, massive slowdowns to be expected

It is understood the bug is present in modern Intel processors produced in the past decade. It allows normal user programs – from database applications to JavaScript in web browsers – to discern to some extent the layout or contents of protected kernel memory areas. The fix is to separate the kernel’s memory completely from user processes using what’s called Kernel Page Table Isolation, or KPTI. At one point, Forcefully Unmap Complete Kernel With Interrupt Trampolines, aka FUCKWIT, was mulled by the Linux kernel team, giving you an idea of how annoying this has been for the developers.
[…]
At best, the vulnerability could be leveraged by malware and hackers to more easily exploit other security bugs.

At worst, the hole could be abused by programs and logged-in users to read the contents of the kernel’s memory. Suffice to say, this is not great. The kernel’s memory space is hidden from user processes and programs because it may contain all sorts of secrets, such as passwords, login keys, files cached from disk, and so on. Imagine a piece of JavaScript running in a browser, or malicious software running on a shared public cloud server, able to sniff sensitive kernel-protected data.

Specifically, in terms of the best-case scenario, it is possible the bug could be abused to defeat KASLR: kernel address space layout randomization. This is a defense mechanism used by various operating systems to place components of the kernel in randomized locations in virtual memory. This mechanism can thwart attempts to abuse other bugs within the kernel: typically, exploit code – particularly return-oriented programming exploits – relies on reusing computer instructions in known locations in memory.

Source: ‘Kernel memory leaking’ Intel processor design flaw forces Linux, Windows redesign • The Register

This very specifically could mean that you can’t separate Virtual Machines properly any more.

AMD is quite chuffed to not be affected.

Hackers Used DC Police Surveillance System to Distribute Ransomware

A Romanian man and woman are accused of hacking into the outdoor surveillance system deployed by Washington DC police, which they used to distribute ransomware.

The two suspects are named Mihai Alexandru Isvanca and Eveline Cismaru, Romanian nationals, both arrested last week by Romanian authorities as part of Operation Bakovia, which culminated with the arrest of five suspects on charges of distributing email spam laced with the CTB-Locker and Cerber ransomware strains.

Hackers breached 123 of 187 of Washington police CCTV cameras

According to an affidavit filed by the US Secret Service, the two are accused of hacking into 123 of the 187 security cameras deployed as part of the Metropolitan Police Department of the District of Columbia (MPDC) closed-circuit TV system that Washington police uses to keep an eye on public spaces across the city.
[…]
The two supposedly hacked MPDC cameras and computers on January 9. Washington police discovered the intrusion on January 12 and shut down the system for four days until January 15 to clean and secure their network.

The shutdown of Washington, DC’s entire CCTV system took place two weeks ahead of President Trump’s inauguration ceremony and caused a stir in US media, as many initially pinned it on foreign nation-state hackers.

Source: Hackers Used DC Police Surveillance System to Distribute Cerber Ransomware

Nissan Canada Finance hacked, up to 1.1m Canucks exposed

Nissan Canada’s vehicle-financing wing has been hacked, putting personal information on as many as 1.13 million customers in the hands of miscreants.
[…]
According to Nissan Canada, the exposed data includes at least customer names, addresses, vehicle makes and models, vehicle identification numbers (VINs), credit scores, loan amounts and monthly payment figures.

“We are still investigating precisely what personal information has been impacted,” the biz said, adding that it was working with the cops and infosec experts to work out what the heck happened. “At this time, there is no indication that customers who financed vehicles outside of Canada are affected.”

Nissan Canada admitted it discovered on Monday, December 11, that it had been hacked, and alerted the world, er, 10 days later.

Source: Braking news: Nissan Canada hacked, up to 1.1m Canucks exposed • The Register

Another AI attack, this time against ‘black box’ machine learning

Unlike adversarial models that attack AIs “from the inside”, attacks developed for black boxes could be used against closed systems like autonomous cars, security (facial recognition, for example), or speech recognition (Alexa or Cortana).

The tool, called Foolbox, is currently under review for presentation at next year’s International Conference on Learning Representations (kicking off at the end of April).

Wieland Brendel, Jonas Rauber and Matthias Bethge of the Eberhard Karls University Tübingen, Germany explained at arXiv that Foolbox is a “decision-based” attack called a boundary attack which “starts from a large adversarial perturbation and then seeks to reduce the perturbation while staying adversarial”.

“Its basic operating principle – starting from a large perturbation and successively reducing it – inverts the logic of essentially all previous adversarial attacks. Besides being surprisingly simple, the boundary attack is also extremely flexible”, they wrote.

For example, “transfer-based attacks” have to be tested against the same training data as the models they’re attacking, and need “cumbersome substitute models”.

Gradient-based attacks, the paper claimed, also need detailed knowledge about the target model, while score-based attacks need access to the target model’s confidence scores.

The boundary attack, the paper said, only needs to see the final decision of a machine learning model – the class label it applies to an input, for example, or in a speech recognition model, the transcribed sentence.

Source: Another AI attack, this time against ‘black box’ machine learning • The Register
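The boundary attack the paper describes, as an added Python example (this is not the authors’ Foolbox code): a toy 2-D linear classifier, constructed here, exposes only its predicted label. The attacker starts from a point that is already misclassified and repeatedly (1) takes a random step orthogonal to the direction back to the original input, staying on a sphere around it, and (2) steps toward the original, keeping a move only if the label is still wrong. Step sizes, the toy model’s weights and the input points are all my assumptions, not values from the paper.

```python
import math
import random


def make_black_box():
    """Constructed toy target: a linear 2-D classifier. Only `decide` is
    handed to the attacker; the weights stay hidden in this closure and no
    score or gradient is ever exposed (decision-based setting)."""
    w, b = (1.0, -0.5), -0.2          # assumed weights, not from the paper
    def decide(x):
        return 1 if w[0] * x[0] + w[1] * x[1] + b > 0 else 0
    return decide


def _sub(a, b): return [i - j for i, j in zip(a, b)]
def _add(a, b): return [i + j for i, j in zip(a, b)]
def _scale(a, s): return [i * s for i in a]
def _dot(a, b): return sum(i * j for i, j in zip(a, b))
def _norm(a): return math.sqrt(_dot(a, a))


def boundary_attack(decide, x_orig, x_adv_start, steps=3000, seed=0):
    """Decision-based boundary attack: start from a point that is already
    misclassified and walk along the decision boundary toward x_orig,
    keeping only moves that remain adversarial. Returns (x_adv, queries)."""
    rng = random.Random(seed)
    y_orig = decide(x_orig)
    queries = 0

    def is_adv(x):
        nonlocal queries
        queries += 1                  # every oracle call costs one query
        return decide(x) != y_orig

    if not is_adv(x_adv_start):
        raise ValueError("starting point must already be adversarial")
    x_adv = list(x_adv_start)
    delta, eps = 0.1, 0.1             # relative sizes of the two step types
    for _ in range(steps):
        to_orig = _sub(x_orig, x_adv)
        dist = _norm(to_orig)
        # Step 1: orthogonal perturbation on the sphere of radius `dist`
        # around x_orig. Explores the boundary without changing distance.
        u = _scale(to_orig, 1.0 / dist)
        eta = [rng.gauss(0.0, 1.0) for _ in x_adv]
        eta = _sub(eta, _scale(u, _dot(eta, u)))          # drop component along u
        eta = _scale(eta, delta * dist / _norm(eta))
        cand = _add(x_adv, eta)
        r = _sub(cand, x_orig)
        cand = _add(x_orig, _scale(r, dist / _norm(r)))   # project back onto sphere
        if is_adv(cand):
            x_adv, delta = cand, min(delta * 1.05, 1.0)
        else:
            delta = max(delta * 0.9, 1e-4)
        # Step 2: move toward the original; accept only if still adversarial.
        cand = _add(x_adv, _scale(_sub(x_orig, x_adv), eps))
        if is_adv(cand):
            x_adv, eps = cand, min(eps * 1.05, 0.5)
        else:
            eps = max(eps * 0.9, 1e-4)
    return x_adv, queries


if __name__ == "__main__":
    decide = make_black_box()
    x_orig, x_start = [0.0, 0.0], [2.0, 0.0]          # constructed inputs
    x_adv, n = boundary_attack(decide, x_orig, x_start)
    print("label(orig) =", decide(x_orig), "label(adv) =", decide(x_adv))
    print("perturbation shrank from", _norm(_sub(x_start, x_orig)),
          "to", round(_norm(_sub(x_adv, x_orig)), 4), "after", n, "queries")
```

For this toy model the smallest adversarial perturbation is the distance from the origin to the line x0 − 0.5·x1 = 0.2, about 0.179; the attack gets close to that using nothing but yes/no answers, which is the point the paper makes against score- and gradient-based attacks. The query counter is worth keeping in any real run: the only practical defence on the black-box side is noticing and rate-limiting the thousands of near-duplicate queries this walk produces.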

HP laptops found to have hidden keylogger – BBC News

Hidden software that can record every letter typed on a computer keyboard has been discovered pre-installed on hundreds of HP laptop models. Security researcher Michael Myng found the keylogging code in software drivers preinstalled on HP laptops to make the keyboard work. HP said more than 460 models of laptop were affected by the “potential security vulnerability”. It has issued a software patch for its customers to remove the keylogger. The issue affects laptops in the EliteBook, ProBook, Pavilion and Envy ranges, among others. HP has issued a full list of affected devices, dating back to 2012.

Source: HP laptops found to have hidden keylogger – BBC News

Airgapping via PLC

CyberX demonstrated how to inject specially-crafted ladder logic code into a Siemens S7-1200 PLC. The code uses memory copy operations to generate frequency-modulated RF signals slightly below the AM band (340kHz-420kHz), with the modulation representing encoded data. The emitted RF signals are a byproduct of repeatedly writing to PLC memory in a specific way. Once transmitted, the signal can be picked up by a nearby antenna before being decoded using a low-cost Software-Defined Radio (SDR) and a PC. “The receiving equipment can be located just outside the facility or even mounted on a drone flying overhead,” according to CyberX.

Source: Why bother cracking PCs? Spot o’ malware on PLCs… Done. Industrial control network pwned • The Register

New Ruski hacker clan exposed: They’re called MoneyTaker, and they’re gonna take your money • The Register

The group has conducted more than 20 successful attacks on financial institutions and legal firms in the USA, UK and Russia in the last two months alone, according to Russian incident response firm Group-IB. MoneyTaker has primarily targeted card processing systems, including the AWS CBR (Russian Interbank System) and purportedly SWIFT (US). In addition to banks, MoneyTaker has attacked law firms and financial software vendors. In total, Group-IB has confirmed 20 companies as MoneyTaker victims, with 16 attacks on US organisations, three on Russian banks and one against a Brit IT company.

By constantly changing their tools and tactics to bypass antivirus and traditional security solutions, and most importantly carefully eliminating their traces after completing operations, the group has largely gone unnoticed. “MoneyTaker uses publicly available tools, which makes the attribution and investigation process a non-trivial exercise,” said Dmitry Volkov, Group-IB co-founder and head of intelligence. “In addition, incidents occur in different regions worldwide and at least one of the US banks targeted had documents successfully exfiltrated from their networks, twice.”

Source: New Ruski hacker clan exposed: They’re called MoneyTaker, and they’re gonna take your money • The Register

Mailsploit: It’s 2017, and you can spoof the ‘from’ in email to fool filters

Penetration tester Sabri Haddouche has reintroduced the world to email source spoofing, bypassing spam filters and protections like Domain-based Message Authentication, Reporting and Conformance (DMARC), thereby posing a risk to anyone running a vulnerable and unpatched mail client. What he’s found is that more than 30 mail clients including Apple Mail, Thunderbird, various Windows clients, Yahoo! Mail, ProtonMail and more bungled their implementation of an ancient RFC, letting an attacker trick the software into displaying a spoofed from field, even though what the server sees is the real sender. That means if the server is configured to use DMARC, Sender Policy Framework (SPF) or DomainKeys Identified Mail (DKIM), it will treat a message as legit, even if it should be spam-binned.

Source: Mailsploit: It’s 2017, and you can spoof the ‘from’ in email to fool filters • The Register
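The “ancient RFC” is RFC 2047, which lets a header carry non-ASCII text as encoded-words; Mailsploit’s published payloads put a NUL byte (or a newline) inside the decoded display-name, so a client that decodes first and then renders with C-string or line-oriented code shows the decoded text and drops the real address, while SPF/DKIM/DMARC on the server only ever evaluated the real addr-spec. The Python below is an added example, not Haddouche’s code: it constructs a From: header of that shape (the addresses are made up), emulates the vulnerable rendering in simplified form, and shows a hardened renderer that splits the addr-spec off before decoding and refuses display-names containing control characters or a different e-mail address.

```python
import base64
import re
from email.header import decode_header
from email.utils import parseaddr

# Any ASCII control character (NUL, CR, LF, ...) inside a decoded display-name.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def build_spoofed_from(shown_address: str, real_address: str) -> str:
    """Construct a From: header in the style of the Mailsploit demo payloads
    (constructed here for illustration). The display-name is an RFC 2047
    encoded-word whose decoded bytes are `shown_address` followed by a NUL;
    the angle-addr after it is the real sender that SPF/DKIM/DMARC see."""
    word = base64.b64encode((shown_address + "\x00").encode("utf-8")).decode("ascii")
    return f"=?utf-8?b?{word}?= <{real_address}>"


def decode_encoded_words(text: str) -> str:
    """Decode RFC 2047 encoded-words into one Unicode string, as a client does
    before rendering. Note that this happily emits control characters."""
    out = []
    for chunk, charset in decode_header(text):
        if isinstance(chunk, bytes):
            out.append(chunk.decode(charset or "ascii", errors="replace"))
        else:
            out.append(chunk)
    return "".join(out)


def naive_render(header: str) -> str:
    """Simplified emulation of a vulnerable client: decode the whole header,
    then hand it to C-string code that stops at the first NUL. Everything
    after the NUL, including the real address, never reaches the screen."""
    return decode_encoded_words(header).split("\x00", 1)[0]


def hardened_render(header: str) -> tuple:
    """Split name and addr-spec *before* decoding (parseaddr works on the raw
    header, so an encoded-word cannot forge the addr-spec), decode only the
    display-name, and refuse to show a name that contains control characters
    or that itself looks like a different e-mail address."""
    raw_name, addr_spec = parseaddr(header)
    name = decode_encoded_words(raw_name)
    if CONTROL_CHARS.search(name):
        name = ""                      # hostile: show the address only
    elif "@" in name and name.strip() != addr_spec:
        name = ""                      # display-name impersonating an address
    return name, addr_spec


if __name__ == "__main__":
    # Constructed addresses; both domains are placeholders.
    spoofed = build_spoofed_from("potus@whitehouse.gov", "attacker@example.com")
    print("raw header      :", spoofed)
    print("vulnerable shows:", naive_render(spoofed))
    print("hardened shows  :", hardened_render(spoofed))
    print("benign          :", hardened_render("=?utf-8?b?Sm9obiBEb2U=?= <john@example.com>"))
```

The hardened path is the one to insist on in a client: authentication results belong to the addr-spec, so that is the string the user must see, and anything decoded from the display-name is untrusted decoration that must never be allowed to carry control characters or masquerade as an address.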

NiceHash Hacked, $62 Million of Bitcoin May Be Stolen

New submitter Chir breaks the news to us that the NiceHash crypto-mining marketplace has been hacked. The crypto mining pool broke the news on Reddit, where users suggest that as many as 4,736.42 BTC — an amount worth more than $62 million at current prices — has been stolen. The NiceHash team is urging users to change their online passwords as a result of the breach and theft.

Source: NiceHash Hacked, $62 Million of Bitcoin May Be Stolen – Slashdot

The Underground Uber Networks Driven by Russian Hackers

Uber’s ride-sharing service has given birth to some of the most creative criminal scams to date, including using a GPS-spoofing app to rip off riders in Nigeria, and even ginning up fake drivers by using stolen identities. Add to those this nefariously genius operation: Cybercriminals, many working in Russia, have created their own illegitimate taxi services for other crooks by piggybacking off Uber’s ride-sharing platform, sometimes working in collaboration with corrupt drivers.

Based on several Russian-language posts across a number of criminal-world sites, this is how the scam works: The scammer needs an emulator, a piece of software which allows them to run a virtual Android phone on their laptop with the Uber app, as well as a virtual private network (VPN), which routes their computer’s traffic through a server in the same city as the rider. The scammer acts, in essence, as a middleman between an Uber driver and the passenger—ordering trips through the Uber app, but relaying messages outside of it. Typically, this fraudulent dispatcher uses the messaging app Telegram to chat with the passenger, who provides pickup and destination addresses. The scammer orders the trip, and then provides the car brand, driver name, and license plate details back to the passenger through Telegram.

In one Russian-language crime-forum post, a scammer says their service runs in some 20 cities, including Moscow and St. Petersburg, as well as Kiev in Ukraine and Minsk in Belarus; another thread suggests the service has been used in New York and Portugal as well. In some cases, the scam middleman will use an Uber promotional code or voucher for a free or discounted ride—meaning they’d just pocket whatever fee charged to the passenger. In another variation of the scheme, some scammers are working with drivers to split profits—one post explicitly says the scammer cooperates with drivers.

Source: The Underground Uber Networks Driven by Russian Hackers

PayPal Says 1.6 Million Customer Details Stolen in Breach at Canadian Subsidiary

PayPal says that one of the companies it recently acquired suffered a security incident during which an attacker appears to have accessed servers that stored information for 1.6 million customers. The victim of the security breach is TIO Networks, a Canadian company that runs a network of over 60,000 utility and bills payment kiosks across North America. PayPal acquired TIO Networks this past July for $238 million in cash.
[…]
In a press release published in a late Friday afternoon news dump, PayPal provided more details about the incident.
A review of TIO’s network has identified a potential compromise of personally identifiable information for approximately 1.6 million customers. The PayPal platform is not impacted in any way, as the TIO systems are completely separate from the PayPal network, and PayPal’s customers’ data remains secure.

Source: PayPal Says 1.6 Million Customer Details Stolen in Breach at Canadian Subsidiary

Prison hacker who tried to free friend now likely to join him inside

In a sustained campaign, Voits managed to get the login details and passwords for 1,600 county employees, including for the Xjail computer system that is used to track inmates. By March he had the logins to the prison management system and tried to amend the records of one inmate to arrange their early release.

His tinkering raised red flags, however, and the authorities moved in. Once Voits’ meddling was discovered, inmate records were fixed and the county called in computer forensics, spending $235,488 to fix the mess.

Source: Prison hacker who tried to free friend now likely to join him inside

Pawnbroker pwnd: Cash Converters says hacker slurped customer data

Pawnbroking and secondhand goods outlet Cash Converters has suffered a data breach.

Customers were notified of the leak on Thursday by email, samples of which have been posted on social media.

Cash Converters said it had discovered that a third party gained unauthorised access to customer data within the company’s UK webshop.

Credit card data was not stored. However, hackers may have accessed user records including personal details, passwords, and purchase history from a website that was run by a third party and decommissioned back in September. The current webshop site is not affected, the firm said.

The Register

Uber loses personal info on 600K drivers and 57M users in 2016. Pays hackers $100K in hope they delete it. Forgets to mention this in apology.

the individuals were able to download files containing a significant amount of other information, including:

The names and driver’s license numbers of around 600,000 drivers in the United States. Drivers can learn more here.
Some personal information of 57 million Uber users around the world, including the drivers described above. This information included names, email addresses and mobile phone numbers. Riders can learn more here.

Bloomberg

Introducing GoCrack: A Managed distributed Password Cracking Tool

FireEye’s Innovation and Custom Engineering (ICE) team released a tool today called GoCrack that allows red teams to efficiently manage password cracking tasks across multiple GPU servers by providing an easy-to-use, web-based real-time UI (Figure 1 shows the dashboard) to create, view, and manage tasks. Simply deploy a GoCrack server along with a worker on every GPU/CPU capable machine and the system will automatically distribute tasks across those GPU/CPU machines.

Source: Introducing GoCrack: A Managed Password Cracking Tool | FireEye Inc

Hackers Compromised the Trump Organization 4 Years Ago—and the Company Never Noticed

In 2013, a hacker (or hackers) apparently obtained access to the Trump Organization’s domain registration account and created at least 250 website subdomains that cybersecurity experts refer to as “shadow” subdomains. Each one of these shadow Trump subdomains pointed to a Russian IP address, meaning that they were hosted at these Russian addresses. (Every website domain is associated with one or more IP addresses. These addresses allow the internet to find the server that hosts the website. Authentic Trump Organization domains point to IP addresses that are hosted in the United States or countries where the company operates.) The creation of these shadow subdomains within the Trump Organization network was visible in the publicly available records of the company’s domains.

[…]

The subdomains and their associated Russian IP addresses have repeatedly been linked to possible malware campaigns, having been flagged in well-known research databases as potentially associated with malware. The vast majority of the shadow subdomains remained active until this week, indicating that the Trump Organization had taken no steps to disable them. This suggests that the company for the past four years was unaware of the breach. Had the infiltration been caught by the Trump Organization, the firm should have immediately decommissioned the shadow subdomains, according to cybersecurity experts contacted by Mother Jones.

Turns out that dating apps can give away your location, show who you like and who and where you are

It seems just about everyone has written about the dangers of online dating, from psychology magazines to crime chronicles. But there is one less obvious threat not related to hooking up with strangers – and that is the mobile apps used to facilitate the process. We’re talking here about intercepting and stealing personal information and the de-anonymization of a dating service that could cause victims no end of troubles – from messages being sent out in their names to blackmail. We took the most popular apps and analyzed what sort of user data they were capable of handing over to criminals and under what conditions.

We studied the following online dating applications:

Tinder for Android and iOS
Bumble for Android and iOS
OK Cupid for Android and iOS
Badoo for Android and iOS
Mamba for Android and iOS
Zoosk for Android and iOS
Happn for Android and iOS
WeChat for Android and iOS
Paktor for Android and iOS

By de-anonymization we mean the user’s real name being established from a social media network profile where use of an alias is meaningless.

Source: Dangerous liaisons – Securelist