
Hacking news

Hackers used PlugX RAT with "Time Bomb" through Dropbox abuse for targeting a Taiwanese Government Agency

The security firm Trend Micro has reported a targeted attack against a Taiwanese government entity that used a variant of the PlugX RAT which abuses the Dropbox service. PlugX (Remote Access Tool, or RAT) is a remote access Trojan also known as Korplug; some older variants are also known as Sogu, Thoper, TVT, or Destory RAT. PlugX is a very popular remote access tool among hackers and cyber criminals because it is cheap and because its wide diffusion makes it easier to hide the operator's remote command and control (C&C) server. The PlugX software design also allows plugins or APIs to be updated independently and in a backward-compatible way, without interrupting the execution of the malware or requiring it to be reinstalled.
Typical PlugX Attack Scenario
Researchers from Trend Micro were analyzing a targeted attack that hit a government agency in Taiwan last May. In that attack, the cyber criminals used a PlugX RAT that abused Dropbox to download and update its C&C settings, allowing them to remotely target the Taiwanese entity and gain control of some machines. Security experts noted that Dropbox abuse had earlier been used by cyber criminals to host malware, but never to update C&C settings. In this case, however, Trend Micro discovered that the cyber criminals used Dropbox to update the malware's C&C settings, which according to Trend Micro is an alarming sign.
The benefit of using Dropbox is twofold for the cyber criminals. Dropbox is often used by staff, so the security specialists deployed by the company may not flag communications between the PlugX RAT and Dropbox folders as an indicator of compromise. The other benefit is that Dropbox abuse allows attackers to masquerade their malicious traffic as legitimate, making detection by law enforcement and security firms harder.

Trend Micro has identified two variants of PlugX, namely BKDR_PLUGX.ZTBF-A and TROJ_PLUGX.ZTBF-A. Both have all the classic features available in any other RAT. Of the two, the second one (TROJ_PLUGX.ZTBF-A) is relatively new and is considered a new version. It is more sophisticated than the PlugX variants studied so far: it incorporates anti-forensic techniques, an authentication mechanism for the attacker, a different encryption algorithm, an extended configuration, and more protocols and functions. Its complex diffusion methods thus give the cyber criminal complete anonymity.

Trend Micro said that in the Taiwanese entity hack, the attackers used a particular PlugX RAT variant which includes a triggering mechanism based on the system date, making it much harder to detect.

"This backdoor also connects to a certain URL for its C&C settings. The use of Dropbox aids in masking the malicious traffic in the network because this is a legitimate website for storing files and documents. We also found out that this malware has a trigger date of May 5, 2014, which means that it starts running from that date. This is probably done so that users won't immediately suspect any malicious activities on their systems," Trend Micro continues.

Trend Micro stated that it had notified Dropbox of the targeted attack, but there is little Dropbox can do. The fact of the matter is that there is no vulnerability in Dropbox; the cyber criminals are simply using Dropbox's file sharing feature to update their C&C settings.

You can read Trend Micro's full analysis of the PlugX RAT here.

Dutch hackers devise a simple malware to hack into Google Glass and take photos and videos without the owner knowing it

The Dutch newspaper website Volkskrant has reported that Dutch hackers have come up with malware to infiltrate and take over a potential victim's Google Glass. Google Glass is a wearable computer with a headset that resembles an ordinary pair of glasses and lets you do your routine work while using it.
As per the report, hackers can take over Google Glass by injecting malware code into the victim's device. However, as of now the malware has to be injected physically, by inserting a mini USB stick into the Google Glass USB port. Volkskrant says that it is relatively easy for someone to borrow the glasses for a few seconds.

This could be done by getting someone to lend the glasses for a moment, for instance to a pretty girl in a café, who could then insert a mini USB stick in an unguarded moment to inject the code.


Having taken over the glasses, hackers can monitor whatever the victim is looking at from a remote computer. They can also take snaps and shoot videos without the owner's knowledge. Volkskrant says that a bit of further editing can lead to revealing the victim's confidential personal information, such as email IDs and passwords.

Volkskrant saw the malware at work first hand after computer experts from the Nijmegen IT company Masc and the computer security division of the accountancy group Deloitte demonstrated it.

Volkskrant says the malware could also be spread through a Wi-Fi network or an Android app, but according to the website it is too early for that.

Deloitte's Thomas Bosboom told the Volkskrant it took a few pizzas and a dozen hackers to develop the scam. "We asked ourselves what was the worst case scenario and realised that would be following what the user is looking at," he said.

Speaking on the Dutch hacking of Google Glass, a Google spokesman told the newspaper's website that "security is an issue with the glasses and that in new versions, the screen will be operated by a code, like smartphones." "The more feedback we get, the safer we can make the Glass ready for the wider launch later this year," he said.

Readers may note that Google Glass has been hacked many times before: some attacks used QR codes photographed by a Glass wearer to take over the system, while others exploited a vulnerability in the Android software to gain access.

A fraud campaign called 'Luuuk' siphons off €500,000 ($679,700) from 190 account holders in a European bank

More than half a million United States dollars were siphoned off using banking malware. The banking malware fraud campaign, which siphoned more than half a million dollars from a European bank over the course of a week from 10th to 20th January 2014 from 190 victims, was discovered by researchers at Kaspersky Lab. In a report posted on the Securelist blog, Kaspersky researchers say they discovered the fraud campaign, which they have dubbed 'Luuuk', and that it siphoned off exactly €500,000.00 ($679,700.00) from 190 victims of a European bank. The victims were mostly from Italy and Turkey, the post said.

Luuuk was detected by Kaspersky researchers when they chanced upon a suspicious-looking command and control server. The server contained multiple log files that showed bots conversing with a web panel. The data extracted by Kaspersky suggested a financial fraud because it included victims' details, such as the amount of money stolen from clients' bank accounts.

The Kaspersky researchers named the fraud after the panel used on the server, located at /server/adm/luuuk/. Kaspersky said that the scam was executed through man-in-the-browser attacks that allowed the criminals to steal victims' credentials via a web injection. After the money was siphoned off, it was automatically routed to "pre-set money mule accounts" which Kaspersky believes belong to the cyber criminals or their couriers. According to GReAT's research, there were four separate drop groups that transmitted funds via special bank accounts and via cash-outs at ATMs.

One particular group was responsible for transferring sums of €40,000 to €50,000, another for transferring €15,000 to €20,000, and a third for transferring between €2,500 and €3,000. The last drop group was responsible for transferring between €1,750 and €2,000.

"The Luuuk's bosses may be trying to hedge against these losses by setting up different groups with different levels of trust: the more money a 'drop' is asked to handle, the more he is trusted," said Vicente Diaz, a principal security researcher with GReAT.

As of now it is unclear exactly which malware was used for this fraud, but experts believe that it may be a strain of Zeus or a freshly authored malware that intercepts financial data automatically as soon as users log into their bank accounts. There is a strong possibility that a strain of Zeus was used, as Zeus is known to have plenty of variations such as Citadel, SpyEye and IceIX. All of these variations have configurations very similar to the one used by the cyber criminals in this case.

While Kaspersky has notified the bank concerned and the investigating agencies, the command and control server associated with Luuuk disappeared two days after it was discovered, which indicates that the authors or owners of Luuuk may have been alerted to its discovery. Some experts believe that Luuuk is not dead and may resurface in some other part of the world to siphon money from other banks.

"Based on the transaction activity we believe that this could be an infrastructure change rather than a complete shutdown of the operation," the researchers said.

Reuters website hacked by the Syrian Electronic Army, visitors redirected to a defacement page containing a message from the Syrian Electronic Army

The pro-Assad Syrian hacker group Syrian Electronic Army (SEA) today hacked the official website of Reuters. Reuters is an international news agency headquartered in Canary Wharf, London, United Kingdom, which transmits news in English, French, Arabic, Spanish, German, Italian, Portuguese, Russian, Japanese and Chinese to almost all parts of the world.

The hack came to public notice after several visitors who tried to access articles on the Reuters website were redirected to a defacement page saying:

Hacked by Syrian Electronic Army      
Stop publishing fake reports and false articles about Syria!      
UK government is supporting the terrorists in Syria to destroy it, Stop spreading its propaganda. 

The Syrian Electronic Army later confirmed the attack from their official Twitter account.

All @Reuters articles links were redirected to a message from the Syrian Electronic Army #SEA #Syria pic.twitter.com/QBHwHZE4UD
— SyrianElectronicArmy (@Official_SEA16) June 22, 2014

Earlier this week the Syrian Electronic Army hacked the websites of two other prominent UK news outlets, The Sunday Times and The Sun.

However, experts say that it was not the Reuters web servers themselves that were breached in this hack. According to sources, the advertising on the Reuters website is managed by a third-party ad provider, Taboola, and it is Taboola that is to blame.

Many visitors who used ad blockers in their browsers were not redirected, which means that code inserted from Taboola was poisoned by the Syrian Electronic Army. This makes it difficult to pin the blame solely on Taboola, because the account of an admin who managed the ad code on the website may also be responsible. Neither Taboola nor Reuters has commented on the matter yet, but a press release is expected soon.

It is not the first time that the Syrian Electronic Army has targeted a Western media group; they do so regularly, as they believe that the Western world and media are pro-rebel and against the Assad regime in Syria. Their official statement, however, always says that they act when a media group publishes fake news about Syria or pokes at their ways.

We have already contacted the Syrian Electronic Army for more information on the hack and will update this article when we receive it.

UPDATE: Adam Singolda, founder and CEO of Taboola, confirmed the breach in a blog post and said the attack was carried out using phishing.

The company has changed all its access passwords and will continue to investigate the attack for the next 24 hours, he said.

The Syrian Electronic Army also confirmed that the attack was carried out through Taboola.

A tweet posted earlier today shows a screenshot taken by the SEA of Taboola's PayPal account.

A quick look into the Israeli company @Taboola PayPal account. #SEA pic.twitter.com/L7qPoZWMlN
— SyrianElectronicArmy (@Official_SEA16) June 22, 2014

Now the company (Taboola) must be worried, with a screenshot of its PayPal account, showing a balance of 604,210.86 USD, published online.

While Taboola keeps investigating for 24 hours, the SEA will keep looking into its payment and client accounts.

It is still not clear who controls Taboola's accounts for now. Is it the Syrian Electronic Army?

Code Spaces shut down after a massive 12-hour DDoS attack, several gigabytes of data lost

Code Spaces had to be closed after a prolonged 12-hour massive Distributed Denial of Service (DDoS) attack and extortion attempt. Code Spaces has put up a notice on its site stating that "We are experiencing massive demand on our support capacity, we are going to get to everyone it will just take time".

The post put up on the blog suggests that an unauthorized person gained access to Code Spaces' Amazon EC2 control panel and asked to be contacted by the company. When Code Spaces contacted the person, fearing a breach of its control panel, the hacker demanded a large sum of money to restore the site. While the company was communicating with the hacker, it tried to regain control of the control panel. However, the hacker smelled a rat and started deleting crucial backup files.

“Most of our data, backups, machine configurations and offsite backups were either partially or completely deleted,” the company said. “All that we can say at this point is how sorry we are to both our customers and to the people who make a living at Code Spaces for the chain of events that lead us here.”


We are expecting a full report from Code Spaces once it sorts out its security issues. Readers who have stored data on the site can email [email protected] with an account URL and, if they are lucky, some remaining files will be returned to them. It is also not known whether the hacker only deleted files or also downloaded user files containing financial and personal information.

“All that we have to say at this point is how sorry we are to both customers and to the people who make a living at Code Spaces for the chain of events that lead us here,” the company said.

The event is the latest in a series of security breaches that have happened in June 2014. Feedly, the RSS service provider, was brought down for two days by a similar DDoS attack, and later Evernote was similarly assaulted and went offline for a couple of hours. Similarly, Ancestry.com only recovered today from a prolonged three-day DDoS attack in which unknown attackers overloaded the site with traffic and crashed it. Ancestry.com said in a post that no user information was compromised.

106 million AT&T Mobility subscribers' data at risk, ex-contractor breached and leaked data

If you are an AT&T mobile service customer in the United States, you are in a bit of a soup. AT&T has issued a warning to all its mobile customers of a data breach that leaked the birth dates and Social Security numbers of its United States subscribers. According to a letter written by AT&T to the California Attorney General, one of AT&T's contractors was responsible for the breach. The contractor has since been identified and his contract with AT&T has been terminated.
In the letter, AT&T said that the contractor and his cohorts were apparently looking to generate codes that unlock devices, and leaked the sensitive customer information in the process. In the letter to the AG's office, AT&T stated that it has an uncompromising policy on privacy. The letter has now been mailed to all AT&T subscribers; AT&T said that it is offering affected customers a year of free credit monitoring and is recommending that all AT&T subscribers change the passcodes on their accounts as a precaution.

In the letter to the subscribers, the telco stated that "AT&T's commitment to customer privacy and data security are top priorities, and we take those commitments very seriously." It then went on to describe the breach for its subscribers: "We recently determined that employees of one of our service providers violated our strict privacy and security guidelines by accessing your account without authorization between April 9 and April 21, 2014, and, while doing so, would have been able to view your social security number and possibly your date of birth."

It further added, “AT&T believes the employees accessed your account as part of an effort to request codes from AT&T that are used to unlock AT&T mobile phones in the secondary mobile phone market so that those devices can then be activated with other telecommunications providers.”

In an independent report, AT&T confirmed that the contractor was not able to access any of the customers' financial data. But AT&T declined to say how many of its 116+ million subscribers were affected. It also did not specify how a contractor could access such important customer information files without any checks and balances. Security experts believe this to be a big lapse on the part of the carrier, due to undefined roles in the hierarchy.

If you are an affected AT&T subscriber, you may have received an email from the telco stating the same and offering you a year of free credit monitoring. Either way, all AT&T subscribers are advised to change their passcodes immediately.

Evernote forum hacked, members' profile information compromised

The official discussion forum of Evernote was hacked earlier this week, Geoff Barry, community manager at Evernote, said in a blog post.

Just a few days ago the popular note-taking and archiving service was brought down by hackers for several hours using a DDoS attack.

Geoff Barry said that the hackers were able to retrieve forum members' profile information, and that password hashes of accounts created in 2011 or earlier may have been accessed. "If you use that same password on other services today, please update it," he said.

The company is sending email notifications to all the affected users.

However, it is still not clear why the hackers attacked the forum just a few days after the DDoS incident. Was this a case of ransom?

China accused of massive DDoS attack against Hong Kong-based anti-China news site Apple Daily

Apple Daily, a very popular website with a strong anti-China stance, was hit by a massive Distributed Denial of Service (DDoS) attack throughout Wednesday. Apple Daily, which also publishes its own newspapers in Hong Kong and Taiwan, has been an overt critic of Beijing's anti-democracy policies and was due to hold an unofficial referendum on universal suffrage in Hong Kong. From all news accounts, it is understood that China or Chinese-backed hackers may be behind this massive DDoS attack.
Democracy is a word held in high contempt in China, and liberal and pro-democracy activists are often arrested and sent to labour camps. However, under the 'One China, Two Systems' policy followed by Beijing, Hong Kong enjoys relative freedom in this regard; on the 25th anniversary of the Tiananmen Square massacre, over 180,000 Hong Kong citizens participated in the peaceful protest held in Central Park, Hong Kong.

Apple Daily and the University of Hong Kong were due to hold an unofficial online referendum on universal suffrage to gather the views of Hong Kong citizens on the matter. The university, in collaboration with the Center for Social Policy Studies at the Hong Kong Polytechnic University, was to research and carry out an online referendum on voting rights in the Special Administrative Region (SAR) of China.

The referendum itself was organized by Occupy Central, a movement striving for universal suffrage, and was to take place from June 20 to 22. Beijing was worried that if overwhelming numbers voted in favour of electing Hong Kong's Chief Executive by a one-person-one-vote system, unlike the current election-by-committee process, it could lead to a major embarrassment for Beijing inside China and a big blow to its assertive foreign affairs program.

Beijing is adamant that any reform of the electoral system should only go as far as choosing candidates from a pre-approved shortlist, a stance opposed by pro-democracy activists and the Occupy Central movement.

In addition to the Apple Daily newspaper's websites, the website of the Public Opinion Programme at the University of Hong Kong was still down at the time of writing.

Readers may also note that on June 14th and 15th, Amazon Web Services (AWS), Cloudflare and UDomain all suffered major DDoS attacks and were inaccessible. Many, including global democracy activists, saw this as a deliberate attempt to disrupt the vote. To grasp the scale of the DDoS campaign undertaken against the website, readers may note that AWS recorded 10 billion system requests over 20 hours, Cloudflare recorded a 75 Gbps DDoS, and UDomain a 10 Gbps attack.

After the attack, and possibly because of pressure from Beijing, AWS and UDomain have since withdrawn hosting support for the online referendum program.

Jimmy Lai, chairman of Apple Daily's holding company Next Media Group, refused to openly blame the Chinese Communist Party for the DDoS on his Hong Kong and Taiwan news sites.

"Whoever is behind it, it's obvious that he wants to muzzle the voice for the referendum," he said, according to the New York Times. "This kind of scale of attack is currently out of our technical power to stop. We're searching for better defense."

Alleged NullCrew hacker arrested by the FBI on charges involving cyber attacks on companies and universities

The FBI has arrested a 20-year-old from Tennessee and charged him with a federal computer hacking crime for allegedly conspiring to launch cyber attacks on two universities and three companies since last summer.
Timothy Justin French, aged 20, is allegedly associated with the hacker group "NullCrew," which has claimed responsibility for dozens of high-profile computer attacks against corporations, educational institutions, and government agencies, including the 2012 cyber attacks against the World Health Organization (WHO) and the Public Broadcasting Service (PBS).

French, who also used the online aliases "Orbit," "@Orbit," "@Orbit_g1rl," "crysis," "rootcrysis," and "c0rps3," was arrested by FBI agents at his home in Morristown, Tenn., east of Knoxville, last Wednesday. He has been charged in a criminal complaint with conspiracy to commit computer fraud and abuse and will face prosecution in U.S. District Court in Chicago.

According to the complaint affidavit, NullCrew used Twitter accounts to announce dozens of attacks against various victims, including the websites of two organizations in July 2012 and eight computer servers belonging to a large company in September 2012, where they also leaked usernames and passwords from these organizations. In November 2012, NullCrew announced an attack on a foreign government's ministry of defence and leaked more than 3,000 usernames, emails and passwords of members and personnel of the defence ministry.

The FBI had been working with a confidential witness who was invited to join online chats with members of NullCrew through Skype, Twitter, and CryptoCat. The chats included looking back at old hacks, discussing computer vulnerabilities which could be exploited, and planning new targets and more leaks.

The complaint charges French with involvement in five cyber attacks launched by NullCrew: a July 19, 2013 attack on University A, a large public university; a Feb. 1, 2014 attack on Company A, a large Canadian telecommunications company; attacks in early 2014 against University B and California-based Company B, both announced by NullCrew on April 20, 2014 as part of a series of hacking attacks; and an attack against Company C, a large mass media communications company, which NullCrew announced on Feb. 5, 2014.

During the investigation, one of the IP addresses used by the alias Orbit was found to be assigned to French's Morristown, Tenn., address. If convicted, French may face up to 10 years in prison and a $250,000 fine.

Syrian Electronic Army hacks The Sunday Times and The Sun's websites

Back after a long hiatus, the SEA struck again today. Two of the UK's prominent news outlets, The Sunday Times and The Sun, were the latest victims of the pro-Assad Syrian hackers "Syrian Electronic Army".

Both the websites of The Sunday Times and The Sun were showing a defaced page earlier today with a short message saying:

Hacked By Syrian Electronic Army
Stop publishing fake reports and false articles about Syria!
UK government is supporting the terrorists in Syria to destroy it, stop spreading its propaganda.

The news came to light after the Syrian Electronic Army announced through their Twitter account that they were behind the attack.

Both @TheSunNewspaper and @thesundaytimes websites were hacked by the Syrian Electronic Army #SEA #Syria pic.twitter.com/F0ExtxyHiX
— SyrianElectronicArmy (@Official_SEA16) June 18, 2014

Though hacked, the websites carried the defaced page for only a short time, as security engineers swung into action and restored both sites to normal.

Two tweets posted one after another by The Sun confirmed the attack; however, the tweets included their typical promotional style, as they tried to leverage the hack to gain new visitors.

Our website is currently being hacked by the Syrian Electronic Army. To keep reading the real story about Syria, buy The Sun tomorrow…
— The Sun (@TheSunNewspaper) June 18, 2014

Good news! Our website is back up and running, which means business as usual. Kim Kardashian’s racy pics, anyone? https://t.co/VX7TY6Nr5u
— The Sun (@TheSunNewspaper) June 18, 2014

It is not the first time that the Syrian Electronic Army has targeted a Western media group; they do so regularly, as they believe that the Western world and media are pro-rebel and against the Assad regime in Syria. Their official statement, however, always says that they act when a media group publishes fake news about Syria or pokes at their ways.

Last month the Syrian Electronic Army hijacked four of the Wall Street Journal's Twitter accounts, a few days after hacking the RSA Conference website.

We have already contacted the Syrian Electronic Army for more details on the story and will update the article as soon as we get any further information about the hack.