Hacking news

North Korean hackers behind attacks on cryptocurrency exchanges in South Korea

South Korean cryptocurrency exchanges hacked by North Korea, claims report

North Korean hackers are suspected of being behind this year's attacks on South Korean cryptocurrency exchanges, which netted millions in virtual currency, according to South Korea's chief intelligence agency.

The widespread malware campaign targeting cryptocurrency users is believed to be the work of the "Lazarus Group," a state-sponsored hacking group linked to the North Korean government. According to researchers, the group has been involved in several notable crimes, including the 2014 Sony Pictures hack, the $81 million theft from Bangladesh Bank in 2016 and the worldwide WannaCry ransomware outbreak in May this year.

Citing the country's National Intelligence Service (NIS), South Korea's Chosun Ilbo reported that the cyberattacks attributed to North Korean hackers also included the June leak of personal information from 36,000 accounts at Bithumb, South Korea's biggest cryptocurrency exchange and one of the five largest in the world.

The NIS also said the hackers demanded a ransom of 6 billion won ($5.5 million) in exchange for destroying the leaked personal information, and that around 7.6 billion won ($6.99 million) worth of cryptocurrency was stolen at the same time.

The attacks also included the theft of cryptocurrency from customer accounts at the exchanges Yapizon (now called Youbit) and Coinis, in April and September respectively.

In October, North Korean hackers targeted about 10 cryptocurrency exchanges with e-mails carrying malware, traced to North Korean internet addresses; that campaign was thwarted by the Korea Internet Security Agency (KISA), Chosun Ilbo reported, citing the NIS.

According to the NIS, the malware used against the cryptocurrency exchanges was similar to that used in the Sony Pictures and Bangladesh Bank attacks in 2014 and 2016 respectively.

Source: Reuters

‘Moneytaker’ hacker group stole millions from U.S. and Russian banks

Russian hacking group steals more than $10 million from U.S. banks

Group-IB, a Moscow-based security firm, has discovered a new group of Russian-speaking hackers who have stolen millions of dollars in international heists since May 2016.

In a 36-page report published on Monday, Group-IB, which runs the largest computer forensics laboratory in eastern Europe, detailed the newly disclosed group "MoneyTaker", named after a piece of custom malware it uses. According to Group-IB, the group has carried out more than 20 successful attacks on financial institutions and law firms in the U.S., UK and Russia over the past year and a half.

The MoneyTaker group stole funds by targeting electronic funds transfer networks such as SWIFT (the Society for Worldwide Interbank Financial Telecommunication), and also went after law firms and financial software vendors. Group-IB confirmed 20 successful intrusions: 16 at U.S. organizations, three at Russian banks and one at an IT company in the UK.

In the U.S., the group mostly targeted small community banks and stole money by infiltrating their card-processing systems. It also gathered material on interbank transfer systems: the AWS CBR (the Russian Central Bank's automated client workstation) in Russia and the SWIFT messaging service in the U.S. The activity went unnoticed for a year and a half.

“MoneyTaker uses publicly available tools, which makes the attribution and investigation process a non-trivial exercise,” said Dmitry Volkov, Group-IB co-founder and head of intelligence. “In addition, incidents occur in different regions worldwide and at least one of the US banks targeted had documents successfully exfiltrated from their networks, twice.”

The first known attack took place in the spring of 2016, when money was stolen from a bank after the attackers breached its connection to First Data's STAR network, a U.S. debit-card processing network that, according to the report, connects some 5,000 ATMs.

MoneyTaker members also targeted an interbank network known as AWS CBR, which interfaces with Russia’s central bank. The hackers also stole internal documents related to the SWIFT banking system, although there’s no evidence they have successfully carried out attacks over it.

“The scheme is extremely simple. After taking control over the bank’s network, the attackers checked if they could connect to the card processing system. Following this, they legally opened or bought cards of the bank whose IT system they had hacked. Money mules – criminals who withdraw money from ATMs – with previously activated cards went abroad and waited for the operation to begin,” said the Group-IB.

“After getting into the card processing system, the attackers removed or increased cash withdrawal limits for the cards held by the mules. They removed overdraft limits, which made it possible to overdraw even with debit cards. Using these cards, the mules withdrew cash from ATMs, one by one. The average loss caused by one attack was about $500,000 USD.”
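The cash-out scheme described in the two quotes above leaves a characteristic trace in a card processor's audit log: a withdrawal or overdraft limit removed or raised by an operator account, followed within hours by a burst of ATM withdrawals that exceed the old limit or come from abroad. The following is an added detection example written for this page, not code from Group-IB's report; the log format, field names, operator names and card identifiers are hypothetical, and the sample log is constructed.

```python
"""Added detection example: spot the MoneyTaker-style cash-out pattern
(limits relaxed by an operator, then a burst of ATM withdrawals) in a
card-processing audit log. Log format and field names are hypothetical."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log from a hypothetical card-processing system.
# LIMIT_CHANGE: an operator account changed a card parameter.
# ATM_WITHDRAWAL: an authorised cash withdrawal.
# Cards ...0001 and ...0002 follow the mule pattern; ...0003 is a routine,
# modest limit increase followed by normal domestic use.
SAMPLE_LOG = """\
2017-05-02T22:41:10 LIMIT_CHANGE card=4111****0001 field=withdrawal_limit old=500 new=none by=svc_admin
2017-05-02T22:41:12 LIMIT_CHANGE card=4111****0001 field=overdraft_limit old=0 new=none by=svc_admin
2017-05-02T22:42:05 LIMIT_CHANGE card=4111****0002 field=withdrawal_limit old=500 new=none by=svc_admin
2017-05-03T01:10:00 ATM_WITHDRAWAL card=4111****0001 amount=1000 country=LT
2017-05-03T01:12:30 ATM_WITHDRAWAL card=4111****0001 amount=1000 country=LT
2017-05-03T01:15:02 ATM_WITHDRAWAL card=4111****0001 amount=1000 country=LT
2017-05-03T01:20:44 ATM_WITHDRAWAL card=4111****0002 amount=1000 country=LT
2017-05-03T01:23:11 ATM_WITHDRAWAL card=4111****0002 amount=1000 country=LT
2017-05-03T09:00:00 LIMIT_CHANGE card=4111****0003 field=withdrawal_limit old=500 new=700 by=branch_ops
2017-05-03T12:30:00 ATM_WITHDRAWAL card=4111****0003 amount=200 country=US
2017-05-03T13:00:00 ATM_WITHDRAWAL card=4111****0004 amount=100 country=US
"""

HOME_COUNTRY = "US"           # the issuing bank's country (assumption)
WINDOW = timedelta(hours=24)  # how long after a limit change we watch the card


def parse_log(text):
    """Parse 'timestamp EVENT key=value ...' lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, *pairs = line.split()
        ev = dict(p.split("=", 1) for p in pairs)
        ev["ts"] = datetime.fromisoformat(ts)
        ev["kind"] = kind
        events.append(ev)
    return events


def as_limit(value):
    """'none' means the limit was removed entirely; treat it as infinite."""
    return float("inf") if value == "none" else float(value)


def is_relaxation(ev):
    """A limit change that loosens rather than tightens a control."""
    return ev["kind"] == "LIMIT_CHANGE" and as_limit(ev["new"]) > as_limit(ev["old"])


def find_cashout_patterns(events, home=HOME_COUNTRY, window=WINDOW):
    """Return {card: finding} for cards whose limits were relaxed and that
    were then drained at ATMs within `window`, either beyond what the old
    withdrawal limit allowed or from outside the home country."""
    relaxed = defaultdict(list)
    for ev in events:
        if is_relaxation(ev):
            relaxed[ev["card"]].append(ev)

    findings = {}
    for card, changes in relaxed.items():
        start = min(ev["ts"] for ev in changes)
        # The limit that applied *before* the change is the baseline a
        # legitimate cardholder would have been held to.
        old_limits = [as_limit(ev["old"]) for ev in changes
                      if ev["field"] == "withdrawal_limit"]
        old_limit = min(old_limits) if old_limits else float("inf")

        cashouts = [ev for ev in events
                    if ev["kind"] == "ATM_WITHDRAWAL" and ev["card"] == card
                    and start <= ev["ts"] <= start + window]
        total = sum(float(ev["amount"]) for ev in cashouts)
        countries = sorted({ev["country"] for ev in cashouts})
        foreign = any(c != home for c in countries)

        if total > old_limit or (foreign and len(cashouts) >= 2):
            findings[card] = {
                "operators": sorted({ev["by"] for ev in changes}),
                "fields": sorted({ev["field"] for ev in changes}),
                "old_limit": old_limit,
                "withdrawn": total,
                "count": len(cashouts),
                "countries": countries,
            }
    return findings


if __name__ == "__main__":
    for card, finding in find_cashout_patterns(parse_log(SAMPLE_LOG)).items():
        print(card, finding)
```

The rule keys on the relationship between two event types rather than on either alone: a limit change by itself is routine, and a few foreign withdrawals by themselves are routine, but a limit removed by an operator account at night and then exhausted from abroad within hours is the mule pattern. The operator accounts that appear in the findings are the natural pivot for the investigation, since the attackers had to act through the card-processing system's own interface.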

In Russia the average loss was $1.2 million per attack. Last year, stolen SWIFT credentials were used to steal $81 million from Bangladesh Bank. The volume of documentation MoneyTaker has gathered on the STAR, SWIFT and AWS CBR networks raises the possibility that the group will carry out further attacks on interbank payment systems, Group-IB said.

“A number of incidents with copied documents that describe how to make transfers through SWIFT are being investigated by Group-IB. Their contents and geography indicate that banks in Latin America may be targeted next by MoneyTaker,” company officials said in a statement.

“Group-IB specialists expect new thefts in the near future and in order to reduce this risk, Group-IB would like to contribute our report identifying hacker tools, techniques as well as indicators of compromise we attribute to MoneyTaker operations,” they added.

“The more we dig, the more we’ll find,” Group-IB’s Volkov said. “This report doesn’t represent the full picture, and I can say with 100 percent certainty that there are more victims that haven’t been identified yet.”

Source: The Register

Google releases iPhone hacking tool for security researchers

Google releases a tool that helps security researchers hack iPhones

Ian Beer, a well-known name among iOS bug hunters who works for Google's Project Zero, on Monday released a proof-of-concept tool that gives security researchers and developers kernel-level access to iOS 11.1.2, then a recent version of Apple's operating system. It could also form the basis of a jailbreak for iPhones and iPads running iOS 11.1.2.

For those unaware, Google's Project Zero finds and reports vulnerabilities in widely used software from many vendors, with the aim of getting them fixed.

According to Beer, the tool exploits kernel bugs to obtain "tfp0", short for task_for_pid(0): a send right to the kernel's task port, which gives a user process read and write access to kernel memory. Beer says the tool was tested on the iPhone 6s, iPhone 7 and iPod touch 6G, but he believes that with some tweaks it should work on all devices.

“tfp0 should work for all devices, the PoC local kernel debugger only for those I have to test on (iPhone 7, 6s and iPod Touch 6G) but adding more support should be easy,” Beer wrote.

The Google researcher teased the release in a tweet last week, asking iOS 11 kernel security researchers to keep a research-only device on iOS 11.1.2 or below, a strong hint that a fresh exploit for that version was coming.

“If you’re interested in bootstrapping iOS 11 kernel security research keep a research-only device on iOS 11.1.2 or below. Part I (tfp0) release soon,” Beer said at the time.

Speaking to Motherboard, Google said that Beer's goal is to let other security researchers explore and test iOS security layers without first having to find and develop their own exploits; in other words, to give them a head start on their own research.

According to Google, their ultimate goal is to help security researchers search and find other potential vulnerabilities and hopefully report them to Apple so that they get fixed and the operating system is made safer.

“While it might seem surprising that Google would release a tool to hack a device from a competitor, it actually makes a lot of sense. The iPhone is one of the hardest consumer devices to hack, and researchers who can do that and are able to find bugs in it rarely report the bugs or publish the tools they use because they are so valuable”, said Motherboard.

However, the disclosure opens up the possibility for the jailbreaking community to bootstrap an iPhone jailbreak until Apple issues a fix.

Source: Motherboard

Bitcoin Exchange NiceHash Hacked, Over $67 Million In Bitcoin Stolen

Largest Cryptocurrency Mining Market NiceHash Hacked And Over $67M In Bitcoin Stolen

NiceHash, touted as one of the world's largest Bitcoin mining marketplaces, has revealed that hackers compromised its payment system and emptied its entire Bitcoin wallet, a loss of about $67 million at the time.

For those unaware, NiceHash, founded in 2014, is a marketplace where miners rent out their hash rate to buyers and are paid in Bitcoin at regular intervals.

The breach was announced by the company on social media as well as its website.

“Unfortunately, there has been a security breach involving NiceHash website. We are currently investigating the nature of the incident and, as a result, we are stopping all operations for the next 24 hours,” the company said in a statement on Wednesday (December 6).

“Importantly, our payment system was compromised and the contents of the NiceHash Bitcoin wallet have been stolen. We are working to verify the precise number of BTC taken,” it added.

“Clearly, this is a matter of deep concern and we are working hard to rectify the matter in the coming days. In addition to undertaking our own investigation, the incident has been reported to the relevant authorities and law enforcement and we are co-operating with them as a matter of urgency.”

A BTC address shared by a NiceHash user on Reddit suggests that 4,736.42 BTC, worth about $67 million at current prices, was stolen, CoinDesk, a site specializing in cryptocurrency news and data, reported on Thursday.

Worried Bitcoin users took to Twitter to express their concerns. A user named Lohit tweeted, “Are we going to get our btc? or might as well just forget it. Your press release said nothing about sending us what you owe. I have 4000$ stuck in your wallet which is now almost 4300$.” Another NiceHash user Philip Richardson tweeted: “If I don’t get my BTC back I will never use your service again”.

NiceHash is suggesting that users of its internal wallets should change all of their online passwords as a precaution.

“We are truly sorry for any inconvenience that this may have caused and are committing every resource towards solving this issue as soon as possible.

“We would not exist without our devoted buyers and miners all around the globe. We understand that you will have a lot of questions, and we ask for patience and understanding while we investigate the causes and find the appropriate solutions for the future of the service. We will endeavor to update you at regular intervals.”

Slovenian police are investigating the case along with authorities in other states, spokesman Bostjan Lindav said, without providing details.

The number of Bitcoins stored and their value has increased rapidly over the last year making it a favorite target for hackers, which in turn has raised online security concerns for cryptocurrency marketplaces and exchanges. The digital currency’s value has soared in recent weeks, crossing $19,000 for the first time on Thursday.

This isn't the first time that cryptocurrency has been stolen from a compromised major platform. In August, Enigma, an Ethereum-based investment platform, was breached and its users lost about $500,000 worth of ether.

Source: IBT

Uber paid 20-year-old Florida hacker $100000 to keep data breach secret

Uber paid hackers to keep data breach secret, says sources

Uber, the ride-hailing company, suffered a data breach in 2016 in which the personal information of 57 million riders and drivers, including some 600,000 drivers whose license numbers were taken, was stolen by a 20-year-old hacker from Florida.

Now, in a statement on the 2016 attack, Uber has acknowledged that it paid the two hackers $100,000 to destroy the data and keep the breach quiet, Reuters reported. It also did not notify those affected by the breach at the time.

According to the statement, two people obtained the data from a third-party cloud service. The company disclosed nothing further about them except that the main hacker is a 20-year-old man from Florida.

The stolen information included drivers' names and driver's license numbers as well as rider names, email addresses and mobile phone numbers. However, Uber said no location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were taken. Affected drivers will get free credit monitoring and identity theft protection.

“None of this should have happened, and I will not make excuses for it,” Uber’s current CEO Dara Khosrowshahi said in the statement. It was revealed that even he was not aware of the 2016 incident until “recently”.

Uber first disclosed the breach on November 21, 2017. Newly appointed CEO Khosrowshahi fired two of Uber's top security officials when he announced it, following an investigation that had first alerted Uber's board to the hack.

According to Khosrowshahi, the incident should have been disclosed to regulators when it was discovered last year, Reuters reported.

“At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals. We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures,” Uber said in a statement.

Sources told Reuters that former CEO Travis Kalanick knew about the 2016 hack and “bug bounty” payment in November of last year. However, who made the final decision to authorize the payment to the hacker and to keep the breach secret is still unclear.

“You may be asking why we are just talking about this now, a year later. I had the same question, so I immediately asked for a thorough investigation of what happened and how we handled it,” Khosrowshahi said of the breach.

Uber's bug bounty program is hosted by HackerOne, a company that runs such programs for several tech companies, the report said. Bug bounty programs are normally used by security researchers to report software weaknesses in exchange for a reward.

It appears, however, that the hacker stole the data first and the payment was entered into the bug bounty program retroactively. In other words, the Uber executives who knew about the breach used the bounty program as a channel to pay the demand and present it as part of normal security process.

The company did not want to disclose that it had been hacked, and would probably never have acknowledged it had the board not commissioned its investigation last month.

Reuters was unable to establish the identity of the hacker or another person who sources said helped him. Uber spokesman Matt Kallman declined to comment on the matter. Similarly, Kalanick, who stepped down as Uber CEO in June, refused to comment on the matter, according to his spokesman.

Katie Moussouris, a former HackerOne executive, told Reuters that Uber’s payout and silence at the time was extraordinary under such a program.

“If it had been a legitimate bug bounty, it would have been ideal for everyone involved to shout it from the rooftops,” Moussouris said.

Five U.S. states and several countries are investigating whether the company was legally required to notify consumers or government agencies of the breach.

Source: Reuters

TeamViewer vulnerability allows users sharing a desktop session to gain control of the other’s PC

TeamViewer hack allows users sharing a desktop session to gain control of the other’s PC

TeamViewer promptly issues a patch to fix the vulnerability

TeamViewer issued a patch on Tuesday for a vulnerability that let either participant in a shared desktop session gain control of the other's PC without permission. The vulnerability affected TeamViewer on Windows, macOS and Linux.

For those unaware, TeamViewer is popular remote-support software for desktop sharing, online meetings, web conferencing and file transfer between computers over the internet. To establish a connection, the computer that wants to control another needs that computer's ID and password, and vice versa; each side is only supposed to get the access the other side has granted.

The vulnerability was first publicized on Monday by a Reddit user, "xpl0yt", who linked to a proof-of-concept (PoC) published on GitHub by a user named "gellin". TeamViewer acknowledged the vulnerability after it was publicly disclosed.

Gellin's PoC is a small injectable C++ DLL that modifies TeamViewer's permissions from inside the process, using "naked inline hooking and direct memory modification to change TeamViewer permissions."

The code can be used on either side of the session:

  • If the server (the machine sharing its desktop) is the attacker, it enables extra menu items on the right-hand pop-up menu. The most useful so far is the "switch sides" feature, which is normally only active after the client has authenticated control and a change of control/sides has been initiated.
  • If the client (the connecting machine) is the attacker, it lets the client take control of the server's mouse and keyboard, ignoring any control settings or permissions on the server side.

This vulnerability could be exploited to gain control of the presenter’s session or the viewer’s session without permission.

Exploitation requires both users to have already authenticated the session; the attacker then injects the PoC code into their own TeamViewer process with a DLL injector or some kind of code mapper.

“Once the code is injected into the process it’s programmed to modify the memory values within your own process that enables GUI elements that give you the options to switch control of the session,” Gellin told Threatpost. “Once you’ve made the request to switch controls there are no additional checks on the server side before it grants you access.”
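The security-relevant point in Gellin's description is that the permission check lived in the client process and the other side honoured a "switch sides" request without re-checking authorization. The following is an added illustration written for this page, not TeamViewer's code and not the PoC: a toy model of a session server in which the vulnerable variant trusts a client-reported permission flag, and the hardened variant only acts on consent it recorded itself. The session model, class names and request shape are hypothetical.

```python
"""Added illustration: a toy screen-sharing session server. Not TeamViewer's
code and not the PoC; the session model and names are hypothetical."""
from dataclasses import dataclass, field


@dataclass
class ClientRequest:
    """What a client sends when it asks to switch sides. `ui_switch_enabled`
    is the permission state as the client *claims* it; an attacker who
    patches memory in their own process, as the PoC does, sets it at will."""
    sender: str
    ui_switch_enabled: bool = False


@dataclass
class Session:
    presenter: str                  # the side sharing its desktop
    viewer: str                     # the side looking at it
    controller: str = ""            # who currently drives mouse/keyboard
    consents: set = field(default_factory=set)  # server-recorded consents

    def __post_init__(self):
        self.controller = self.presenter


class VulnerableServer:
    """Grants the switch whenever the request says the GUI option was enabled.
    The only check lives in the client, so a patched client always wins."""

    def request_switch_sides(self, session, req):
        if req.ui_switch_enabled:
            session.controller = req.sender
            return True
        return False


class HardenedServer:
    """Ignores client-reported state. A switch happens only if the *other*
    party consented earlier through its own channel and the server recorded
    that consent itself."""

    def consent_to_switch(self, session, party):
        if party in (session.presenter, session.viewer):
            session.consents.add(party)

    def request_switch_sides(self, session, req):
        if req.sender not in (session.presenter, session.viewer):
            return False
        other = session.viewer if req.sender == session.presenter else session.presenter
        if other not in session.consents:
            return False                 # no server-side consent from the other side
        session.consents.discard(other)  # consent is single-use
        session.controller = req.sender
        return True


def demo():
    """Attacker is the viewer and has flipped its local permission bit."""
    forged = ClientRequest(sender="viewer", ui_switch_enabled=True)
    vuln, hard = Session("presenter", "viewer"), Session("presenter", "viewer")
    return {
        "vulnerable_granted": VulnerableServer().request_switch_sides(vuln, forged),
        "vulnerable_controller": vuln.controller,
        "hardened_granted": HardenedServer().request_switch_sides(hard, forged),
        "hardened_controller": hard.controller,
    }


if __name__ == "__main__":
    print(demo())
```

The hardened variant does not look at `ui_switch_enabled` at all: anything the client reports about its own permissions is under the attacker's control once they can patch their own process, so the only authorization state that counts is what the peer recorded from the other party's explicit action.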

Users who have configured TeamViewer to accept automatic updates will get the patch automatically, although it could take three to seven days before the update is installed. Users without automatic updates will be notified when an update is available.

Nelson, a security researcher with Arbor Networks' ASERT team who reviewed the PoC, advises users to patch quickly. “Typically, these types of bugs are leveraged quickly and broadly until they are patched,” he said. “This bug will be of particular interest to attackers carrying out malicious tech support scams. Attackers will no longer need to trick the victim into giving control of the system or running malicious software; instead they will be able to use this bug to gain access themselves.”

Source: Threatpost

Homeland Security team remotely hacked a Boeing 757 in a ‘controlled experiment’

DHS Team remotely took control of a Boeing 757

A team of cybersecurity experts working with the US Department of Homeland Security (DHS) reportedly hacked a Boeing 757 parked on the runway at Atlantic City airport, New Jersey, in a controlled experiment in September 2016. The team of academics and industry experts was able to remotely penetrate the 757's systems and take control of the aircraft, with the pilots unaware that the experiment was taking place.

During a keynote speech at the CyberSat Summit 2017 in Virginia last week, Robert Hickey, the aviation program manager within the Cyber Security Division of the DHS Science and Technology (S&T) Directorate, revealed the chilling details of the hack.

“We got the airplane on Sept. 19, 2016. Two days later, I was successful in accomplishing a remote, non-cooperative, penetration,” said Hickey. “[Which] means I didn’t have anybody touching the airplane, I didn’t have an insider threat. I stood off using typical stuff that could get through security and we were able to establish a presence on the systems of the aircraft.”

Hickey said the details of the hack are classified, but the researchers exploited the plane's own radio-frequency communications to get into its internal network. DHS reportedly conducted the test with "artificial environment and risk reduction measures" already in place, and a Boeing official was present during the exercise.

Hickey said that after the test, experts told him "it was no big deal".

Aviation and IT security experts were apparently already aware of the flaws DHS found, but it was only in March 2017 that seven airline captains from American Airlines and Delta Air Lines were told their aircraft could be hacked.

A Boeing spokesperson said: “The Boeing Company has worked closely for many years with DHS, the FAA, other government agencies, our suppliers and customers to ensure the cybersecurity of our aircraft and will continue to do so.

“Boeing observed the test referenced in the Aviation Today article, and we were briefed on the results. We firmly believe that the test did not identify any cyber vulnerabilities in the 757, or any other Boeing aircraft.”

Back in 2015, security researcher Chris Roberts claimed to have reached an aircraft's engine controls during a flight through its in-flight entertainment system; those claims were never verified.

Source: Hackread
Hacked North Korean Radio Station Plays “The Final Countdown”

Hacker Takes Over North Korean Radio Station, Broadcasts ‘The Final Countdown’

A North Korean short-wave radio station broadcasting on 6400 kHz was allegedly hijacked by an unknown hacker and made to play the 1986 hit "The Final Countdown" by the Swedish rock band Europe on repeat.

"The Jester," a self-styled vigilante grey-hat hacker, broke the news of the incident on Twitter by posting a link to a recording of the broadcast.

“A god among us has hijacked 6400kHz (North Korean station) and is playing the Final Countdown,” said The Jester on Twitter on November 9.

“The Jester” is famous for hacking jihadist websites, and in October 2016 had defaced the website of the Russian Ministry of Foreign Affairs with the message, “Stop attacking Americans.”

Strategic Sentinel, a Washington-based nonpartisan geostrategic consulting company, noted that the North Korean regime often broadcasts coded messages on the station before provocations. It had stated on Twitter on September 23:

“Radio Pyongyang has broadcasted coded messages on 6400kHz. Usually, when they do this it signals an upcoming provocation.”

It stated in September, “The most likely thought for these messages is an expected missile test on the heels of #DPRK FM #UNGA statements,” just after North Korea announced it was considering a hydrogen bomb test in the Pacific Ocean.

It also noted that there is a pattern in the coded alerts. In the past, North Korea made broadcasts two days before conducting a nuclear test, one day before an intercontinental ballistic missile test, and one day before Japanese flyovers.

After the '80s rock song went out on 6400 kHz, Twitter users had a field day, applauding the stunt and mocking the regime.

Source: The Epoch Times

Ex-Iowa college student hacks university system 90 times to change exam grades

Student hacks university system 90 times to change exam grades

Former University Of Iowa Student Arrested And Charged For Hacking Grades

A former University of Iowa student and wrestler has been arrested and charged after an FBI investigation found that he repeatedly gained unauthorized access to the school's systems to obtain advance copies of exams and change grades for himself and several classmates.

The accused, 22-year-old Trevor Graves, reportedly changed his own grades more than 90 times between March 2015 and December 2016 and changed grades for at least five fellow students on numerous occasions, the FBI said, according to the New York Times.

Graves, who worked with an unnamed accomplice, secretly plugged hardware keyloggers into university computers in classrooms and labs, which let him see whatever his professors typed, including their credentials for the university's grading and email systems. He used those credentials to intercept exams and test questions in advance and to repeatedly change grades on tests, quizzes and homework assignments, according to the criminal complaint filed in district court in Iowa.

Grades were allegedly changed for a number of classes, including courses in business, engineering and chemistry. One student told the FBI that Graves provided copies of about a dozen exams before they were administered.

The student confessed to accepting the material because “he/she knew Graves was providing the copies to other students and did not want the grading curve to negatively impact his/her scores,” the NY Times reported.

University officials warned roughly 250 faculty, staff and students that "unauthorized individuals" had obtained their HawkID and password.

The FBI arrested Graves at the end of October in his hometown of Denver, Colorado; he was released on bond before making an initial court appearance in Iowa two days later.

According to the report, Graves is charged with “intentionally accessing a computer without authorization to obtain information, and knowingly transmitting a computer program to cause damage.” Both charges carry a maximum sentence of 10 years in prison.

The scheme came to light when an instructor noticed in mid-December 2016 that some of Graves’ grades had been changed without her authorization. The professor reported to campus IT security officials, who investigated and found the keyloggers. The FBI was called in to help with the investigation.

On December 29, 2016, the FBI and University of Iowa police executed a search warrant at his off-campus apartment in Iowa City, where they found keyloggers, mobile phones and thumb drives containing the stolen exams. One of the phones showed Graves logged into a professor's account and interacting with an attachment titled "exam".

The phones also contained text messages between Graves and his accomplices discussing the scheme. In one, Graves, who referred to the keyloggers as "pineapple", asked a classmate to go to a class to check that the instructor had logged into her account and "that we acquired the info", the report said.

The university told FBI investigators that the cheating scheme cost the school $68,000 to conduct internal investigation, respond to the breach and take remedial steps to enhance IT security.

Student expelled for hacking school computer and changing grades

Student Hacks School Computer Using Keylogger And Changed Grades, Gets Expelled

Student expelled for changing grades using keylogger

Normally, a student who wants higher grades puts in extra effort, and that is a good thing. In this case, though, the effort went into hacking the school's computer systems, and the school decided that was a very bad thing.

Greed did him in

The incident was reported at the University of Kansas (KU), where the student reportedly logged into the school's systems and changed his grades from an F to an A. He obtained the credentials by plugging a physical keylogger into one of the computers in a lecture hall.

The keylogger was a simple one, available online for as little as $20. KU professors told local news media that the hack was only noticed because the student was too greedy with his grades: it took place last spring and was spotted, by chance, only at the start of the new school year. The professors hope the university will file a police complaint as a warning to any other student with the same idea. The student's name has not been disclosed, but he has been expelled.

Not a unique case

This isn't the first reported case of students hacking into their school's systems to change grades. A Louisiana high school suspended 45 students at once for hacking into its computer systems to change their grades. Similar incidents have been reported around the world, the best known being one in Haifa, Israel, where a student was expelled from the Technion for hacking into his professor's email in search of information that could boost his grades.