Russian mastermind of $500m bank-raiding Citadel coughs to crimes

Mark Vartanyan, who operated under the handle “Kolypto”, was arrested in Norway last year, and extradited to America in December. The 29-year-old was charged with one count of computer fraud. On Monday, he pleaded guilty [PDF] to a district court in Atlanta, US. He faces up to 10 years in the clink and a $250,000 fine – that’s slashed from a maximum of 25 years due to his guilty plea. He will be sentenced in June.
[…]
Citadel surfaced in 2011, infected Windows PCs, and silently slurped victims’ online banking credentials so their money could be siphoned into crooks’ pockets. It could also snoop on computer screens and hold files to ransom. It was a remarkable success. US prosecutors estimate that, at its height, the malware infected 11 million computers and was responsible for the theft of more than $500m from bank accounts.

Source: Russian mastermind of $500m bank-raiding Citadel coughs to crimes

Windows DRM can find your IP without you knowing if you’re watching properly signed wmv and asf files, can uncloak your tor anonymity

If you were to modify the above WRMHEADER or any of the three identified GUID objects you would find that on opening in Windows Media Player you are prompted with a warning from Windows Media Player.

However, this warning DOES NOT appear if the DRM license has been signed correctly and the Digital Signature Object, Content Encryption Object and Extended Content Encryption Object contain the appropriate cryptographic signing performed by an authorised Microsoft License Server profile. There are several free DRM providers who could sign your media for you; however, as the barrier to entry to the DRM market is the aforementioned price tag, it makes you wonder how these files are being signed in the wild! As these “signed WMV” files do not present any alert to a user before opening them, they can be used quite effectively to decloak users of the popular privacy tool TorBrowser with very little warning. For such an attack to work your target candidate must be running TorBrowser on Windows. When opening/downloading files, TorBrowser does warn you that 3rd party files can expose your IP address and should be accessed in Tails. This is not an attack against Tor or the TorBrowser directly but a useful way that could be leveraged to identify people attempting to access illegal media content (such as Daesh propaganda).

Source: Windows DRM Social Engineering Attacks & TorBrowser – My Hacker House

Metasploit hwbridge connects to your car

We recently announced a new addition to Metasploit to help you do exactly that: the Hardware Bridge API. The Hardware Bridge API extends Metasploit’s capabilities into the physical world of hardware devices. Much in the same way that the Metasploit framework helped unify tools and exploits for networks and software, the Hardware Bridge looks to do the same for all types of hardware. From within Metasploit you can now branch out into a Metasploit compatible hardware device to remotely control and use it for your penetration testing needs.
[…]
If your device supports CAN, Metasploit will automatically provide several interactive vehicle-related commands. This will also mark your Hardware Bridge (HWBridge) session as an Automotive session that can be viewed in your session list or via modules that are designed to work only on automotive systems. This allows exploit developers to focus on writing automotive tools without having to worry about the attached hardware. It also provides internal Metasploit APIs to make common automotive calls easier, such as getting the vehicle speed or requesting a security access token from the Engine Control Unit (ECU).

Source: Exiting the Matrix: Introducing Metasploit’s Ha… | Rapid7 Community and Blog

PostScript printers extremely vulnerable outside of the network

If PostScript is the printer driver, the printer is vulnerable to what they call Cross-Site Printing attacks, documented in detail at Hacking Printers here.

The bugs range from attackers exfiltrating copies of what’s sent to printers, to denial-of-service, code execution, forced resets and even bricking the targets.

The work from the University Alliance Ruhr landed on Full Disclosure here (with five vendor-specific follow-ups), and as they note: “This vulnerability has presumably been present in every PostScript printer [for] 32 years as solely legitimate PostScript language constructs are abused.”

Source: We don’t want to alarm you, but PostScript makes your printer an attack vector • The Register

Bypassing Authentication on NETGEAR Routers

“Hmm, what is that unauth.cgi thingy? and what does that id number mean?”, I thought to myself.

Luckily for me the Internet connection had come back on its own, but I was now a man on a mission, so I started to look around to see if there were any known vulnerabilities for my VEGN2610. It turned out that there are none. :< I started looking up what that "unauth.cgi" page could be, and I found 2 publicly disclosed exploits from 2014, for different models, that manage to do unauthenticated password disclosure. Booyah! Exactly what I need. (link 1 & link 2) Those two guys found out that the number we get from unauth.cgi can be used with passwordrecovered.cgi to retrieve the credentials. I tested the method described in both, and voila - I have my password, now I can go to sleep happy and satisfied. I woke up the next morning excited by the discovery, and I thought to myself: "3 routers with the same issue… Coincidence? I think not". Luckily, I had another, older NETGEAR router lying around; I tested it and bam! Exploited.

Source: CVE-2017-5521: Bypassing Authentication on NETGEAR Routers

MongoDB hackers now sacking ElasticSearch

Some 35,000 mostly Amazon Web Services ElasticSearch servers are open to the internet and to ransoming criminals, Shodan boss John Matherly says.

So far more than 360 instances have had data copied and erased, held to ransom using the same techniques that blitzed tens of thousands of MongoDB servers this week.

Affected ElasticSearch administrators are greeted in one actor’s attacks with a message reading:

“Send 0.2 bitcoins to this wallet: 1DAsGY4Kt1a4LCTPMH5vm5PqX32eZmot4r if you want recover (sic) your database! Send to this email your service IP after sending the bitcoins p14t0s@sigaint.org (sic).”

Source: MongoDB hackers now sacking ElasticSearch

New Android-infecting malware brew hijacks devices and then attacks your wifi router

Hackers have brewed up a strain of Android malware that uses compromised smartphones as conduits to attack routers. The Switcher trojan does not attack Android device users directly. Instead, the malware uses compromised smartphones and tablets as tools to attack any wireless networks they connect to. Switcher brute-forces access to the network’s router and then changes its DNS settings to redirect traffic from devices connected to the network to a rogue DNS server, security researchers at Kaspersky Lab report. This server fools the devices into communicating with websites controlled by the attackers, leaving users wide open to either phishing or further malware-based attacks. The attackers claim to have successfully infiltrated 1,280 wireless networks so far, mainly in China.

Source: New Android-infecting malware brew hijacks devices. Why, you ask? Your router • The Register

Why China especially? Because Google is forbidden there, so Chinese Android users are forced to use different app market places than the Play store.
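A client-side check for the kind of DNS rewrite described above, added here as an example; it is not code from the article or from Kaspersky Lab. Switcher changes the router's DNS settings, so every client on the network is handed the rogue resolver by DHCP, and comparing what a client actually received with what the network owner configured is a cheap way to notice that. The example assumes a Linux-style resolv.conf on the client; the sample file content, the allow list and the placeholder address 203.0.113.77 are constructed.

```python
"""Check a host's configured resolvers against an allow list.

Added example, not from the article or from Kaspersky Lab.
"""
import ipaddress
import re

# Constructed resolv.conf content as a client might receive it via DHCP after
# the router's DNS settings were altered: the first entry is not one the
# network owner configured. 203.0.113.77 is a documentation address used here
# as a placeholder for an attacker-controlled resolver.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search home.example
nameserver 203.0.113.77
nameserver 192.168.1.1
"""

# Resolvers the network owner actually configured (constructed allow list):
# the router itself and one public resolver.
ALLOWED_RESOLVERS = ["192.168.1.1/32", "1.1.1.1/32"]


def parse_resolv_conf(text: str) -> list[str]:
    """Return nameserver addresses in file order, ignoring comments and options."""
    return re.findall(r"^\s*nameserver\s+(\S+)", text, flags=re.MULTILINE)


def audit_resolvers(resolvers: list[str], allowed: list[str]) -> list[str]:
    """Return one finding per resolver that is not covered by the allow list.

    Findings are plain strings so they can be logged or alerted on directly.
    An empty resolver list is also reported, since it usually means DHCP
    handed out something the parser could not read.
    """
    allowed_nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
    findings = []
    if not resolvers:
        findings.append("no nameserver configured")
    for r in resolvers:
        try:
            ip = ipaddress.ip_address(r)
        except ValueError:
            findings.append(f"{r}: not a valid IP address")
            continue
        if not any(ip in net for net in allowed_nets):
            findings.append(f"{r}: resolver not on allow list")
    return findings


if __name__ == "__main__":
    resolvers = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    for finding in audit_resolvers(resolvers, ALLOWED_RESOLVERS):
        print("WARNING:", finding)
```

Run on the constructed file it reports only the rogue entry; the router's own address passes because it is on the allow list. On a real network the allow list is the set of resolvers the owner configured on the router, so any address a client receives outside that set is worth investigating before trusting the answers it gives.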

Yahoo Suffers World’s Biggest Hack Affecting 1 Billion Users in 2013

Yahoo has discovered a 3-year-old security breach that enabled a hacker to compromise more than 1 billion user accounts, breaking the company’s own humiliating record for the biggest security breach in history.

The digital heist disclosed Wednesday occurred in August 2013, more than a year before a separate hack that Yahoo announced nearly three months ago. That breach affected at least 500 million users, which had been the most far-reaching hack until the latest revelation.
[…]
In both attacks, the stolen information included names, email addresses, phone numbers, birthdates and security questions and answers. The company says it believes bank-account information and payment-card data were not affected.

But hackers also apparently stole passwords in both attacks. Technically, those passwords should be secure; Yahoo said they were scrambled twice — once by encryption and once by another technique called hashing. But hackers have become adept at cracking secured passwords by assembling huge dictionaries of similarly scrambled phrases and matching them against stolen password databases.

That could mean trouble for any users who reused their Yahoo password for other online accounts. Yahoo is requiring users to change their passwords and invalidating security questions so they can’t be used to hack into accounts. (You may get a reprieve if you’ve changed your password and questions since September.)

Source: Yahoo Suffers World’s Biggest Hack Affecting 1 Billion Users

SWIFT confirms 1/5th of cyber attacks get through, steal money.

Cyber attacks targeting the global bank transfer system have succeeded in stealing funds since February’s heist of $81 million from the Bangladesh central bank as hackers have become more sophisticated in their tactics, according to a SWIFT official and a previously undisclosed letter the organization sent to banks worldwide.

Source: Exclusive: SWIFT confirms new cyber thefts, hacking tactics

Surveillance camera compromised in 98 seconds

Robert Graham, CEO of Errata Security, on Friday documented his experience setting up a $55 JideTech security camera behind a Raspberry Pi router configured to isolate the camera from his home network.

According to Graham’s series of Twitter posts, his camera was taken over by the Mirai botnet in just 98 seconds. Note: it was infected by another botnet first, and then after 98 seconds by Mirai.

Mirai conducts a brute force password attack via telnet using 61 default credentials to gain access to the DVR software in video cameras and to other devices such as routers and CCTV cameras.

After the first stage of Mirai loads, “it then connects out to download the full virus,” Graham said in a Twitter post. “Once it downloads that, it runs it and starts spewing out SYN packets at a high rate of speed, looking for new victims.”

Graham said the defense recommended by the Christian Science Monitor – changing the default password of devices before connecting them to the Internet – doesn’t help because his Mirai-infected camera has a telnet password that cannot be changed.

“The correct mitigation is ‘put these devices behind your firewall’,” Graham said.
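A detector for the behaviour Graham describes, added here as an example; it is not code from the article or from Errata Security. An infected device "spewing out SYN packets ... looking for new victims" shows up on the wire as one LAN source opening connections to port 23 (or 2323) on many distinct hosts within a few seconds, which is easy to spot from flow records at the firewall that is supposed to sit in front of these devices. The flow record layout, the addresses and the threshold are constructed for the example.

```python
"""Spot a LAN host fanning out telnet SYNs the way a Mirai-infected device does.

Added example, not from the article or from Errata Security.
"""
import re
from collections import defaultdict

# Constructed flow record layout: "<epoch seconds> <src> <dst> <dport> <tcp flags>"
FLOW_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)\s+(?P<dport>\d+)\s+(?P<flags>\S+)$"
)
TELNET_PORTS = {23, 2323}   # the telnet ports Mirai's scanner probes


def parse_flows(text: str) -> list[dict]:
    """Parse flow records; lines that do not match the layout are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            flows.append({
                "ts": float(m["ts"]), "src": m["src"], "dst": m["dst"],
                "dport": int(m["dport"]), "flags": m["flags"],
            })
    return flows


def find_telnet_scanners(flows: list[dict], window: float = 10.0, threshold: int = 20) -> dict[str, int]:
    """Return {src: distinct telnet targets} for every source that contacted at
    least `threshold` distinct destinations on a telnet port inside one
    `window`-second bucket. Only SYN-only flows count, so an established
    session to a single device (flags PA etc.) is ignored."""
    targets = defaultdict(set)          # (src, time bucket) -> set of dst
    for f in flows:
        if f["dport"] in TELNET_PORTS and f["flags"] == "S":
            targets[(f["src"], int(f["ts"] // window))].add(f["dst"])
    worst = defaultdict(int)            # src -> largest fan-out seen in any bucket
    for (src, _bucket), dsts in targets.items():
        worst[src] = max(worst[src], len(dsts))
    return {src: n for src, n in worst.items() if n >= threshold}


def build_sample_flows() -> str:
    """Constructed sample: a camera at 192.168.1.50 sweeps 25 hosts in 2.5 seconds;
    a laptop at 192.168.1.20 makes two HTTPS connections and one telnet session."""
    lines = [f"{1478600000 + i * 0.1:.1f} 192.168.1.50 10.0.{i}.7 23 S" for i in range(25)]
    lines.append("1478600001.0 192.168.1.20 10.0.0.9 443 S")
    lines.append("1478600001.5 192.168.1.20 10.0.0.9 443 S")
    lines.append("1478600002.0 192.168.1.20 192.168.1.50 23 S")
    lines.append("1478600002.1 192.168.1.20 192.168.1.50 23 PA")  # data on that session, not a probe
    return "\n".join(lines)


if __name__ == "__main__":
    for src, n in find_telnet_scanners(parse_flows(build_sample_flows())).items():
        print(f"{src}: {n} distinct telnet targets in one window; isolate this host")
```

On the constructed sample only the camera is flagged; the laptop's single telnet session and its HTTPS traffic do not count as scanning. This is the complement of Graham's mitigation: the firewall that keeps telnet from reaching the camera from outside can also tell you when the camera has started scanning from inside.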

Source: Surveillance camera compromised in 98 seconds

Three Mobile hack: millions of UK customers breached

Three has suffered a massive data breach in which the personal information and contact details of millions of customers could have been accessed. It is believed to be one of the largest hacks of its kind to affect people living in Britain.

Here’s everything you need to know about the hack.
What happened?

UK-based cyber criminals managed to gain access to the upgrade database in Three’s computer system.

The database contains the personal information of those who are eligible for an upgrade, but it is not clear exactly how many customers this includes. The company has not outlined whether the system includes those who have previously upgraded or historic customers that have left the network.

Attackers allegedly accessed the database using stolen employee credentials, which allowed them to log in to the system without Three noticing. Once in, they tricked it into sending high-end upgrade handsets to an address where they could intercept them.

Three has not said whether the accessed customer data was also stolen.
What customer details did they access?

Three has confirmed that the data accessed included names, phone numbers, addresses, dates of birth, and some email addresses.

Source: Three Mobile hack: how to protect yourself if you’ve been affected 

Enter 30 to shell: Cryptsetup Initram Shell / instant access to encrypted linux machines

An attacker with access to the console of the computer and with the ability to reboot the computer can launch a shell (with root permissions) when he/she is prompted for the password to unlock the system partition. The shell is executed in the initrd environment. Obviously, the system partition is encrypted and it is not possible to decrypt it (AFAWK). But other partitions may not be encrypted, and so accessible. Just to mention some exploitation strategies:

Elevation of privilege: Since the boot partition is typically not encrypted, it can be used to store an executable file with the SetUID bit enabled, which can later be used by a local user to escalate privileges. If the boot is not secured, then it would be possible to replace the kernel and the initrd image.

Information disclosure: It is possible to access all the disks. Although the system partition is encrypted, it can be copied to an external device, where it can later be brute-forced. Obviously, it is possible to access non-encrypted information on other devices.

Denial of service: The attacker can delete the information on all the disks.

The Exploit (PoC)

The attacker just has to press and keep pressing the [Enter] key at the LUKS password prompt until a shell appears, which occurs after approximately 70 seconds.

Source: Enter 30 to shell: Cryptsetup Initram Shell [CVE-2016-4484]

Bangladesh hopes to recover $30 million more from $81m cyber heist

Bangladesh’s central bank hopes to retrieve $30 million more of the $81 million stolen from its account at the New York Federal Reserve in February, two bank officials said on Monday.

Hackers used stolen Bangladesh Bank credentials to try to send three dozen SWIFT messages to transfer nearly $1 billion from its Fed account. They succeeded in transferring $81 million to four accounts at Rizal Commercial Banking Corp in Manila.

Most of the money was laundered through casinos in Manila.

On Friday, Philippine authorities began the process of handing over $15.25 million to Bangladesh.

“We are hoping to get back around $30 million which remains frozen,” Bangladesh Bank deputy governor Abu Hena Mohammad Razee Hassan, who heads its financial intelligence unit, told Reuters.

Source: Bangladesh hopes to recover $30 million more from cyber heist

AdultFriendFinder was hacked, together with affiliates. 400m users data out there

  • Adultfriendfinder.com: 339,774,493 users – “World’s largest sex & swinger community”
  • Cams.com: 62,668,630 users – “Where adults meet models for sex chat live through webcams”
  • Penthouse.com: 7,176,877 users – Adult magazine akin to Playboy
  • Stripshow.com: 1,423,192 users – Another 18+ webcam site
  • iCams.com: 1,135,731 users – “Free Live Sex Cams”
  • Unknown domain: 35,372 users
  • Total: 412,214,295 aff

Source: AdultFriendFinder was hacked – LeakedSource

BlackNurse: Ping of death is back, DoS using only a laptop

Remember the days back in the 90s when you could cripple someone’s Internet connection simply by issuing a few PING commands like “ping -t [target]”? This type of attack was only successful if the victim was on a dial-up modem connection. However, it turns out that a similar form of ICMP flooding can still be used to perform a denial of service attack, even when the victim is on a gigabit network.

Devices verified by TDC to be vulnerable to the BlackNurse attack:

  • Cisco ASA 5506, 5515, 5525, 5540 (default settings)
  • Cisco ASA 5550 (Legacy) and 5515-X (latest generation)
  • Cisco Router 897 (unless rate-limited)
  • Palo Alto (unless ICMP Flood DoS protection is activated) – See advisory from Palo Alto.
  • SonicWall (if misconfigured)
  • Zyxel NWA3560-N (wireless attack from LAN Side)
  • Zyxel Zywall USG50

Source: BlackNurse Denial of Service Attack – NETRESEC Blog
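A small detector for the traffic pattern behind BlackNurse, added here as an example; it is not code from TDC, NETRESEC or the article. The article calls the attack ICMP flooding; the NETRESEC write-up it links identifies the packets as ICMP Type 3 (Destination Unreachable) Code 3 (Port Unreachable), and that is what this counts, per destination and per second, over firewall log lines. The log layout, the addresses and the threshold are constructed for the example; in practice the threshold is set just below the rate at which your own firewall starts to struggle, which for the devices listed above is far below line rate.

```python
"""Flag a per-second burst of ICMP Type 3 Code 3 packets of the kind BlackNurse relies on.

Added example; not code from TDC, NETRESEC or the article.
"""
import re
from collections import Counter

# Constructed firewall log layout:
# "<ISO timestamp> <action> icmp <src> -> <dst> type=<n> code=<n>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.\d+)?\s+\S+\s+icmp\s+"
    r"(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+)\s+type=(?P<type>\d+)\s+code=(?P<code>\d+)$"
)


def count_port_unreachable_per_second(lines) -> Counter:
    """Count ICMP type 3 / code 3 packets keyed by (destination, whole second).

    Other ICMP types and lines that do not match the layout are ignored, so
    ordinary echo traffic never contributes to the count.
    """
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and m["type"] == "3" and m["code"] == "3":
            counts[(m["dst"], m["ts"])] += 1
    return counts


def detect_blacknurse(lines, pps_threshold: int = 1000) -> list[tuple[str, str, int]]:
    """Return [(dst, second, count)] for every second in which a destination
    received at least `pps_threshold` port-unreachable packets."""
    counts = count_port_unreachable_per_second(lines)
    return sorted((dst, sec, n) for (dst, sec), n in counts.items() if n >= pps_threshold)


def build_sample_log() -> list[str]:
    """Constructed log: 1200 port-unreachable packets from one source hit the
    firewall's outside address 192.0.2.1 inside one second, plus a few
    ordinary echo replies and one stray port-unreachable a second later."""
    lines = [
        f"2016-11-10T12:00:00.{i:06d} deny icmp 198.51.100.9 -> 192.0.2.1 type=3 code=3"
        for i in range(1200)
    ]
    lines += [
        "2016-11-10T12:00:00.500000 permit icmp 192.0.2.1 -> 198.51.100.9 type=0 code=0",
        "2016-11-10T12:00:01.100000 permit icmp 192.0.2.1 -> 198.51.100.9 type=0 code=0",
        "2016-11-10T12:00:01.200000 deny icmp 198.51.100.9 -> 192.0.2.1 type=3 code=3",
    ]
    return lines


if __name__ == "__main__":
    for dst, second, n in detect_blacknurse(build_sample_log()):
        print(f"{dst}: {n} ICMP type 3/code 3 packets in second {second}")
```

The point of keying on type and code rather than on all ICMP is that the fix the vendor notes above hint at (rate-limiting, or Palo Alto's ICMP flood protection) can be scoped the same way: dropping or rate-limiting inbound Type 3 Code 3 at the edge leaves echo and path-MTU messages alone.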

DNS devastation: Top websites whacked offline as Dyn dies again

An extraordinary, focused attack on DNS provider Dyn continues to disrupt internet services for hundreds of companies, including online giants Twitter, Amazon, AirBnB, Spotify and others.

The worldwide assault started at approximately 11am UTC on Friday. It was a massive denial-of-service blast that knocked Dyn’s DNS anycast servers offline, resulting in knock-on impacts across the internet. Folks immediately started reporting problems; millions of people are affected.

Two hours into the initial tidal wave of junk traffic, Dyn announced it had mitigated the assault and service was returning to normal. But the relief was short-lived: just about an hour later, the attack resumed and at the time of writing (1800 UTC), not only is Dyn’s service still down but its website is too.

(Aptly, Dyn researcher Doug Madory had recently given a talk on DDoS attacks.)

By blasting Dyn offline, public DNS providers – such as Google and broadband ISPs – are unable to contact Dyn to look up hostnames for netizens, preventing people from accessing sites using Dyn for DNS.

Source: DNS devastation: Top websites whacked offline as Dyn dies again

Avtech devices: 14 serious unpatched vulnerabilities

Avtech is the second most popular search term in Shodan. According to Shodan, more than 130,000 Avtech devices are exposed to the internet.

That matters because there are 14 serious unpatched vulnerabilities, which the guide in the link goes through.

Ensure the admin interface is not exposed to the internet, and change the default admin password if you own one of these cameras!

Source: Avtech devices multiple vulnerabilities

69% increase in hacked online stores stealing your credit card details since 2015

Online skimming is a new form of card fraud. In November 2015, the first case was reported. Upon investigating, I scanned a sample of 255K online stores globally and found 3501 stores to be skimmed. It is now ten months later. Are the culprits in jail yet? Not quite; here are the numbers of compromised stores:

November 2015: 3501
March 2016: 4476 (+28%)
September 2016: 5925 (+69%)

Victims vary from car makers (Audi ZA) to government (NRSC, Malaysia) to fashion (Converse, Heels.com), to pop stars (Bjork) to NGOs (Science Museum, Washington Cathedral).

At least 159 hacked stores use Magento Enterprise Edition, which is used only by the largest online stores.

754 stores that are skimming today were already skimming in 2015. Apparently you can skim cards undisturbed for months.

Source: 5900 online stores found skimming [analysis]

Hackers hijack Tesla Model S from afar, while the cars are moving; control is scary

Chinese hackers have attacked Tesla electric cars from afar, using exploits that can activate brakes, unlock doors, and fold mirrors from up to 20 kilometres (12 miles) away while the cars are in motion.

Keen Security Lab senior researchers Sen Nie, Ling Liu, and Wen Lu, along with director Samuel Lv, demonstrated the hacks against a Tesla Model S P85 and 75D and say their efforts will work on multiple Tesla models.

The Shanghai, China-based hacking firm has withheld details of the world-first zero day attacks and privately disclosed the flaws to Tesla.

The firm worked on the attack for several months, eventually gaining access to the motor that moves the driver’s seat, turning on indicators, opening the car’s sunroof and activating window wipers.

Keen Security Lab’s attacks also appear to compromise the touch screen that controls many of a Tesla’s functions.

“We are able to fold the side mirrors when drivers are changing lanes,” Nie says in the demonstration.

“All attacks are contactless without physically modifying the car.”

Source: Hackers hijack Tesla Model S from afar, while the cars are moving

Why I Knocked Boston Children’s Hospital Off The Internet: A Statement From Martin Gottesfeld

The answer is simpler than you might think: The defense of an innocent, learning disabled, 15-year-old girl. In the criminal complaint, she’s called “Patient A,” but to me, she has a name, Justina Pelletier. Boston Children’s Hospital disagreed with her diagnosis. They said her symptoms were psychological. They made misleading statements on an affidavit, went to court, and had Justina’s parents stripped of custody. They stopped her painkillers, leaving her in agony. They stopped her heart medication, leaving her tachycardic. They said she was a danger to herself, and locked her in a psych ward. They said her family was part of the problem, so they limited, monitored, and censored her contact with them. Justina resorted to sneaking notes, hidden in origami, to tell her family what she wasn’t allowed to say around eavesdroppers. Hospital staff pushed her to do things she was physically incapable of, due to the physical condition they refused to acknowledge she has. They laughed at her as she struggled futilely. They left her on a toilet for hours when she couldn’t void her bowels. They left her secluded in a bare room, or alone in the hallway, sometimes for days when she couldn’t wheel herself elsewhere.

Source: Why I Knocked Boston Children’s Hospital Off The Internet: A Statement From Martin Gottesfeld | Huffington Post

A medical horror story.

US govt straight up accuses Russia of hacking DNC emails

The Russian government “directed the recent compromises of emails from US persons and institutions,” the US Department of Homeland Security and the Office of the Director of National Intelligence said on Friday, an accusation that gives formal recognition to a claim previously voiced through unnamed sources.

In late July, The New York Times reported that federal officials briefed on the views of American intelligence agencies had “high confidence” that the Russian government was behind the theft of email and other documents from the Democratic National Committee.

Source: US govt straight up accuses Russia of hacking prez election

Is this the real life? Is this just fantasy? Spotify serving malware, no escape from reality

The problem occurred with Spotify Free, which lets people stream music gratis in exchange for being played and shown adverts. One advertiser sneakily embedded nasty software code into its Spotify ads that hijacked browsers on macOS and Linux systems.

We’re told the ads caused the computers’ default browsers to open up dodgy websites that then attempted to install malware or steal victims’ passwords.

“OS X and Linux users claim to have been hit with redirects to phishing and tech support scams,” said Pieter Arntz, a malware intelligence researcher at Malwarebytes Labs.

Source: Is this the real life? Is this just fantasy? Spotify serving malware, no escape from reality

152k cameras in 990Gbps record-breaking dual DDoS

The world’s largest distributed denial of service (DDoS) attack has been clocked from the same network of 152,463 compromised low-powered cameras and internet-of-things devices which punted a media outlet off the internet.

“Last days, we got lot of huge DDoS. Here, the list of ‘bigger than 100Gbps’ only. You can see the simultaneous DDoS are close to 1Tbps! pic.twitter.com/XmlwAU9JZ6”
— Octave Klaba / Oles (@olesovhcom) September 22, 2016

Two concurrent attacks against French hosting provider OVH clocked in at a combined 990Gbps, larger than any other reported.

The same fleet of networked junk also scored the world’s largest single DDoS attack when it offed cyber crime publication Krebs On Security in attacks tipping 620Gbps.

OVH chief technology officer Octave Klaba says the growing fleet of cameras and digital video recorders has the capability to deliver a multi-vector 1.5 Tbps DDoS attack.

Source: 152k cameras in 990Gbps record-breaking dual DDoS

Yahoo suffers largest leak of all time: 550m users

The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers. The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected. Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen.

Yahoo

For some reason they are blaming a state sponsored actor, but don’t really back up this claim. Also, note the use of the words: may and majority.
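Both Yahoo items above turn on the same question: the 2013 story describes attackers cracking "secured passwords by assembling huge dictionaries of similarly scrambled phrases and matching them against stolen password databases", and the 2014 statement leans on "the vast majority with bcrypt". The example below, added here and not taken from either article or from Yahoo, shows why those two facts pull in opposite directions. SHA-256 plays the role of a fast unsalted hash; PBKDF2-HMAC-SHA256 from the standard library stands in for a per-user-salted, deliberately slow scheme such as bcrypt. The word list, users and passwords are constructed.

```python
"""Why a precomputed dictionary cracks unsalted hashes but not salted, slow ones.

Added example, not from the articles quoted above or from Yahoo.
"""
import hashlib
import hmac
import os

WORDLIST = ["password", "letmein", "sunshine", "qwerty", "iloveyou"]   # constructed


def fast_unsalted(password: str) -> str:
    """Unsalted fast hash: the same password gives the same digest for every
    user and every site, so one precomputed table serves against all of them."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_dictionary(words) -> dict[str, str]:
    """Precompute digest -> word once; this is the attacker's 'huge dictionary'."""
    return {fast_unsalted(w): w for w in words}


def salted_slow(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """PBKDF2 with a per-user random salt, stored as iterations$salt$digest."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_with_dictionary(records: dict[str, str], dictionary: dict[str, str]) -> dict[str, str]:
    """Pure table look-up: no hashing happens here, which is the whole appeal
    of a precomputed dictionary against an unsalted dump."""
    return {user: dictionary[digest] for user, digest in records.items() if digest in dictionary}


def demo() -> tuple[dict[str, str], dict[str, str], bool]:
    """Run the same dictionary against an unsalted and a salted copy of one
    constructed user database; return (cracked_unsalted, cracked_salted, verify_ok)."""
    users = {"alice": "password", "bob": "sunshine", "carol": "Tr0ub4dor&3"}   # constructed
    dictionary = build_dictionary(WORDLIST)

    unsalted_db = {u: fast_unsalted(p) for u, p in users.items()}
    salted_db = {u: salted_slow(p, os.urandom(16)) for u, p in users.items()}
    # Only the digest part of a salted record is comparable to a table entry.
    salted_digests = {u: rec.split("$")[-1] for u, rec in salted_db.items()}

    return (
        crack_with_dictionary(unsalted_db, dictionary),
        crack_with_dictionary(salted_digests, dictionary),
        all(verify_salted(p, salted_db[u]) for u, p in users.items()),
    )


if __name__ == "__main__":
    cracked_fast, cracked_slow, ok = demo()
    print("unsalted, cracked by look-up:", cracked_fast)
    print("salted+slow, cracked by look-up:", cracked_slow)
    print("salted records still verify for their owners:", ok)
```

Against the unsalted copy the two users with dictionary passwords fall to a look-up that never computes a hash; against the salted copy the same table finds nothing, because each user's digest depends on a salt the attacker did not have when the table was built. What a salt does not do is save a weak password: the attacker can still hash the word list per user, only now at the cost of the slow function for every user separately, which is the reason the article's advice to users who reused their Yahoo password elsewhere still stands.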