Hacking news

Chinese programmer gets jailed for withdrawing $1 million in cash using an ATM flaw

A senior Chinese bank programmer was arrested after he withdrew more than 7 million yuan (around $1,000,000) in “free” cash by exploiting an ATM flaw. He has been given a prison sentence of 10 and a half years, the South China Morning Post reported.

Qin Qisheng, 43, a former manager in Huaxia Bank’s technology development center in Beijing, discovered a flaw in the bank’s main operating system in 2016. According to the report, the loophole enabled Qisheng to make cash withdrawals from the ATM around 12 a.m. As the bank’s system was not working properly, the cash withdrawals made by Qisheng were not recorded and also no alert was raised.

Apparently, Qisheng who had discovered the flaw in 2016, had inserted a few scripts in the banking system in November that year, which suppressed cash withdrawal alerts. From November 2016 to January 2018, Qisheng withdrew between 5,000 yuan and 20,000 yuan ($740 to $2,965) from a dummy account the bank used for testing. By the start of last year, Qisheng had collected over $1,000,000, that he added it to his personal bank account. He also did not inform his superiors what he was doing.

In January last year, a subsidiary branch in Cangzhou, Hebei detected and verified the irregular activity in the dummy account during a manual check. The incident was reported by the bank to relevant authorities.

Once Qisheng was caught, the bank decided to not continue to press charges against him and accept his explanation that he had simply been trying to investigate the ATM flaw. Qisheng had kept the money in his personal account and invested some of it in the stock market. While Huaxia bank said that he should have reported these activities, they requested police to drop the case if he returned the money.

Although Qisheng returned the money, the authorities did not accept the explanation and was detained in March. The Chaoyang district court found him guilty of theft in December and awarded him a jail sentence of 10 and a half years with a fine of 11,000 yuan ($16,000).

Even though Qi had returned all the money to the bank before his arrest, it was not enough to let him go, the district court said. It also added that the request by Huaxia bank to pardon Qi was not legitimate.

“On the one hand, [the bank] said that the accused’s behaviour was in violation of the rules. On the other hand, he said that he could conduct relevant tests. This is self-contradictory,” said the judge.

After the trial, Qin filed an appeal arguing that he did not deserve such a severe punishment. The second and final ruling by the Beijing Intermediate People’s Court upheld the verdict.

“After reviewing the papers, speaking to the appellant and listening to the opinions of the defenders, we believed that the facts of the case were clear and decided not to have another trial,” the court said.

“The case is closed.”

Huaxia Bank has rectified the ATM flaw to avoid any internal theft incident in the future. Huaxia bank has yet to respond on the issue.

Source: SCMP

Vulnerability in PNG file can allow hackers to hack Android smartphones

Beware, while opening a harmless-looking image downloaded from the internet, emails, social media apps, or messaging apps, as it could compromise your smartphone.

Google has discovered three new critical vulnerabilities that allow hackers to hack an Android smartphone just by looking at a PNG image. This bug has affected millions of devices that run on Android OS versions, ranging from Nougat 7.0 to its current Android 9.0 Pie.

The vulnerabilities, identified as CVE-2019-1986, CVE-2019-1987, and CVE-2019-1988, were, however, patched in Android Open Source Project (ASOP) by Google as part of their Android Security Updates for February 2019.

According to Google’s Android Security Bulletin, the vulnerability that allows “a remote attacker using a specially crafted PNG file to execute arbitrary code within the context of a privileged process,” is the most severe vulnerability.

This means that if a hacker successfully manages to deceive a user to open or download an image from any webpage, or received through an instant messaging service, or as an attachment in an email, he or she can get access to your smartphone.

Besides the three flaws, Google also included fixes for 42 vulnerabilities in the Android OS in total in its 2019 February update, of which 11 are considered as critical, 30 high impact and one medium-gravity.

Google has said that it has no reports of anyone exploiting the vulnerabilities listed in its February security bulletin against real users or in the wild. The search giant also said that it has alerted its Android partners of all vulnerabilities a month before publication, adding that “source code patches for these issues will be released to the Android Open Source Project (AOSP) repository in the next 48 hours.”

Unfortunately, it is unknown when third-party handset manufacturers will roll out the security updates on their phones, as many of them take weeks, if not months, to do roll them out. This means your Android handset is still not protected even after receiving the 2019 February update. It is suggested that one should patch their Android smartphone as soon as a security update available from the handset manufacturer.

Employee tricked into giving North Korean hackers access to Chile’s ATM over fake Skype job interview

North Korean hackers fooled a Redbanc employee into a fake job interview over Skype and then tricked him into downloading malware onto his work computer to get access to the company’s interbank network, according to a report by Chilean news site trendTIC.

For those unaware, Redbanc is an interbank network in Chile that connects the ATMs of all the banks in Chile.

It all began when the Redbanc employee in question responded to a developer job advertisement on the job website, LinkedIn. When the Redbanc professional clicked to apply for the position, he was contacted by the hackers for an interview, which they conducted in Spanish via a Skype call.

During the interview, the employee was asked to download, install, and run a program named ApplicationPDF.exe on the computer. He was told that it was a part of the recruitment process and would generate a standard application form online in PDF format.

However, the program instead installed malware on the computer, which in turn allowed hackers to gain access to the employee’s work computer username, hardware and OS, and proxy settings. This information was later used to deliver a second-stage payload to the device.

Although this attack took place in December last year, it was only made public after Chilean Senator Felipe Harboe used Twitter to accuse Redbanc of not disclosing the breach in time.

In a statement, the company says “the event had no impact on our operations, keeping our services running smoothly”.

Security company Flashpoint linked the malware strain to PowerRatankba, a malware toolkit that was previously used by North Korea-affiliated hacker group Lazarus. This hacking group which is behind the infamous Sony hack in 2014, have also been accused of attempting to steal money from Banco de Chile last year.

Fortnite is possibly the best free to play battle royale game that has gained immense popularity in recent years. The game is played by more than 78.3 million players every month.

It is worth noting that Fortnite is a free to play battle royale game, but Epic Games has earned more than £1bn from Fortnite. The company did this by selling rare and expensive skins that enhance the visual appearance of the in-game player character.

A recent report by BBC has revealed that children as young as 14 are making thousands of pounds a week by selling hacked Fortnite accounts.

So here’s everything you need to know about the issue mentioned above.

ALSO READ: Fortnite Download: Android, iOS, Windows, Mac, Xbox, Nintendo Switch, And PlayStation

Selling Hacked Fortnite Accounts: The Issue

A vast list of usernames and passwords published online from several data breaches over the years coupled with hacker tools helped hackers to gain access to thousands of Fortnite accounts in a day.

Once a hacker gains access to a Fortnite account he changes the password and enables two-factor authentication with his own email account. Lastly, these accounts are then sold for a starting price of £0.25.

About 20 hackers admitted that they were stealing the private gaming accounts of players and reselling them online. Accounts containing rare and expensive skins are sold as high as hundreds of pounds by the teenage hackers.

According to the report, a 14-year-old victim who lost his Fortnite account and then he became a hacker and earned around £1,500 in his first few weeks. This illegal business of hacked Fortnite accounts is growing day by day.

How To Protect Your Fortnite Account

Epic Games allows users to enable two-factor authentication to safeguard their Fortnite account against hackers. That said, a majority of players don’t use this feature. Consequently, it becomes easier for crackers to gain access to users password and hack their Fortnite accounts. This group of hackers later enable two-factor authentication, making it impossible to retrieve the account.

So the easiest way to protect your Fortnite account is by enabling two-factor authentication.

NASA is an independent agency of the United States Federal Government responsible for the civilian space program, as well as aeronautics and aerospace research.

A few days ago this technologically advanced space research center sent an email to all employees. This email informed the employees’ about the recent data breach through which hackers gained access to employees’ private information.

So here’s everything you need to know about this security issue.

ALSO READ: Uber and NASA collaborate for the flying taxi project

Someone Hacked NASA: The Issue

According to an internal memo that was sent by NASA’s human resources department, hackers might have breached NASA’s servers in recent months. This major data breach was identified on 23rd October.

Hackers gained access to employees’ personally identifiable information, including their Social Security numbers.

The server that was hacked stored the data of employees’ that worked at NASA between July 2006 to October 2018. As of now, there’s no exact list of the employees’ whose personal data might have been exposed by this data breach.

---

Someone Hacked NASA: The Aftermath

It is worth noting that, its the third breach of NASA since 2011. NASA is now working with federal investigators to determine the extent of the breach. They are also identifying the perpetrators who might be responsible for this data breach.

In response to Gizmodo, a NASA spokesperson stated that the agency “does not believe that any agency missions were jeopardized by the intrusions.” 

NASA shared this memo to warn the employees to take necessary precautions to safeguard against identity theft. Well, NASA believes that the data breach didn’t affect any of its missions.

A cybersecurity expert Sam Curry told The Independent, “while [personally identifiable information] and employee privacy are vital, there are many things at NASA in the national security domain and are of vital importance to the nation.”

NASA has stated that it will provide further details when they have more information about the data breach.

Arizona Man Says Hacker Spoke to Him Through His Home’s Nest Security Camera

As creepy and disturbing it may sound, an Arizona man was startled when a hacker spoke to him through his internet security camera that was meant to keep him safe, reports The Arizona Republic.

The victim, Andy Gregg, a real estate agent in Phoenix, Arizona, said he was in his backyard when he heard a voice speaking to him creepily from inside his home. At first, he thought a burglar had entered his home. However, he soon realized that the voice was coming from his Nest Cam IQ security camera in the front window of his home.

The hacker claimed that he was a “white hat” hacker associated with the Anonymous hacktivist group. He informed Gregg that his personal information was compromised probably in a previous data breach.

The hacker then recited a number of passwords Gregg had used for logging into multiple websites. While the hacker had no access to the cam’s video feed, nor Gregg’s location, he said the loopholes, however, could have been explored by notorious hackers for malicious purposes.

“I’m really sorry if I startled you or anything. I realize this is super unprofessional, and I’m sorry that it’s a little late in the day to do this,” the hacker can be heard telling Gregg, according to a recording obtained by The Arizona Republic/azcentral.

“We don’t have any malicious intent.”

The hacker informed Gregg that he had accessed his camera to warn him about its security vulnerabilities. Gregg immediately unplugged the camera and changed his passwords to avoid any future access to his camera by malicious hackers.

“You basically feel very vulnerable,” Gregg told The Arizona Republic. “It feels like you’ve been robbed essentially and somebody’s in your house. They know when you’re there. They know when you’re leaving.”

Google-owned Nest said in a statement to the Arizona Republic that it is aware of hackers accessing its cameras using passwords exposed in other breaches. It said that the company has no control over the device beyond the user’s login point, as their devices do not come with default logins. Users need to set up their device with a unique set of login credentials that only they are aware. Hence, Nest suggests its users to set up two-factor authentication to provide an additional layer of security on their devices.

Hackers crack Sony’s PlayStation Classic shortly after the release

Last week, Sony released PlayStation Classic with 20 officially preinstalled games, which includes games such as Metal Gear Solid, Final Fantasy VII, Grand Theft Auto, and Resident Evil Director’s Cut. The list of games left out many countless classic games from the 90s leaving fans disappointed. Moreover, the gaming console does not have any built-in machine to add more unofficial games.

However, this did not stop the members of the console hacking community to find a way out to unofficially add games to the mini-console. Just one week after its launch, hackers have apparently found a method to run games and software on the PlayStation Classic via a USB flash drive, reports Ars Technica.

Popular console hackers, yifanlu and madmonkey1907 have managed to successfully sideload the PlayStation Classic’s code via the system’s UART serial port. Thanks to the weak cryptography in the PlayStation Classic, which was discovered by these console hackers while dumping the PlayStation Classic system code onto an external machine.

According to the hackers, the most sensitive parts of the PlayStation Classic’s codes were signed and encrypted using a key that had been mistakenly left behind on the console instead of being held by Sony.

YifanLu took to Twitter and documented the process in real-time of hacking the PlayStation Classic’s security. He was able to successfully run Crash Bandicoot on the console via a USB thumb drive (see video below).

YifanLu stated, “One key is, ‘Hey am I Sony?’…The other key is saying, ‘Hey I am Sony.’ They distributed the key that identifies [themselves] uniquely and this key doesn’t expire for another 50 years or so.”

Basically, consoles have encrypted codes that run in the system to prevent people from making any changes. However, on the PlayStation Classic, the necessary tool to decrypt the system’s codes is already available in the console’s system and all a user has to do is copy it to their PC.

In order to hack the mini-console, yifanlu and madmonkey1907 used an open-source tool called BleemSync, which is available on GitHub for PlayStation Classic owners who want to carry the procedure at home. Apparently, the PlayStation Classic doesn’t check the software it is running, which makes the cracking process easy. However, it is important to note that since the console is still in its early days, running other games can result in your PlayStation Classic being bricked, if done wrong.

The easy hacking process of the console is certainly not good news for Sony. And, the company would be looking to rectify the error by locking down the console via future hardware revisions.

Quora hack exposes data of about 100 million users

Quora, the question-and-answer sharing website, announced yesterday that data of about 100 million of its users was compromised as a result of unauthorized access to one of their systems by a “malicious third party”.

“We recently became aware that some user data was compromised due to unauthorized access to our systems by a malicious third party,” Quora CEO Adam D’Angelo said in a security update blog post. “We have engaged leading digital forensic and security experts and launched an investigation, which is ongoing.  We have notified law enforcement officials. We are notifying affected Quora users. We have already taken steps to ensure the situation is contained, and we are working to prevent this type of event from happening in the future. Protecting our users’ information and fostering an environment built on trust remains our top priority so that together we can continue to share and grow the world’s knowledge.”

Quora discovered the breach on Friday, November 30, when they found that user’s data was accessed by an unauthorized third-party.

According to Quora, the following information may have been compromised:

• Account information, e.g. name, email address, encrypted (hashed) password, data imported from linked networks when authorized by users
• Public content and actions, e.g. questions, answers, comments, upvotes
• Non-public content and actions, e.g. answer requests, downvotes, direct messages (note that a low percentage of Quora users have sent or received such messages)

However, as a safety measure, the company is currently notifying users whose data was compromised and logging out all affected Quora users. It has also notified law enforcement officials and has retained a leading digital forensics and security firm to assist them.

The users who wrote questions and answers anonymously were not affected by this breach, as the website does store information of people who post anonymous content. Currently, it is unknown how the attacker gained access to Quora’s systems.

“It is our responsibility to make sure things like this don’t happen, and we failed to meet that responsibility. We recognize that in order to maintain user trust, we need to work very hard to make sure this does not happen again. There’s little hope of sharing and growing the world’s knowledge if those doing so cannot feel safe and secure, and cannot trust that their information will remain private. We are continuing to work very hard to remedy the situation, and we hope over time to prove that we are worthy of your trust,” Dylan added.

Quora has advised its users to not reuse the same password as Quora across multiple services, and suggested them to change it if they are doing so. Also, we would advise our readers to use unique passwords for every site that you visit to avoid being a victim of data breach.

Dell.com resets all customer passwords after a network breach

Dell Inc., the U.S. based hardware giant, announced yesterday that the company had suffered a security breach earlier this month, on November 9, 2018. However, the company said that it managed to stop hackers who were looking to access data such as customer names, email addresses and hashed passwords.

“Dell is announcing that on November 9, 2018, it detected and disrupted unauthorized activity on its network attempting to extract Dell.com customer information, which was limited to names, email addresses and hashed passwords,” the company said in its press release.

“Upon detection of the attempted extraction, Dell immediately implemented countermeasures and initiated an investigation. Dell also retained a digital forensics firm to conduct an independent investigation and has engaged law enforcement.”

According to reports, Dell did not inform its customers about the breach when it forced the password resets for all customer accounts on November 14, 2018. Also, the company did not mention how the hackers were able to breach its network.

“Our investigations found no conclusive evidence that any information was extracted,” Dell said in its press release. “Credit card and other sensitive customer information was not targeted. The incident did not impact any Dell products or services.”

Dell said that it is still investigating the incident, but said the breach wasn’t extensive one, as the company’s engineers were able to detect the intrusion on the same day it took place.

While a Dell spokesperson refused to provide the number of affected accounts, he said that “it would be imprudent to publish potential numbers when there may be none.”

Following the security breach, the company has encouraged its customers to change password for their Dell.com account and also for other online services if they use the same or similar passwords.

iPhone X, Samsung Galaxy S9, and Xiaomi Mi 6 fall prey to hacking in the Pwn2Own hacking competition in Tokyo

Trend Micro-sponsored Pwn2Own, the annual hacking contest, that took place at the PacSec security conference in Tokyo, saw hackers successfully exploit iPhone X, Samsung Galaxy S9, and Xiaomi Mi6. Other handsets such as Google Pixel 2 and Huawei P20 too were involved in the contest.

For those unaware, Trend Micro, a global leader in cyber-security solutions, hosts Pwn2Own in an effort to promote its Zero Day Initiative (ZDI) program, that is designed to reward security researchers to exploit the latest and most popular mobile devices and demonstrate and disclose major zero-day vulnerabilities to tech companies. Following the contest, vendors will have 90 days to produce patches for these bugs.

Day 1 at the Pwn2Own Tokyo 2018

At the start of day one, Amat Cama and Richard Zhu from the “Fluoroacetate” team were the first to hack Xiaomi Mi 6 with the help of NFC component.

They used the touch-to-connect feature to force-open the web browser on the phone and navigate to their specially crafted webpage following which the webpage exploited an Out-Of-Bounds write in WebAssembly to get code execution. This hack earned them $30,000 USD and 6 Master of Pwn points.

“During the demonstration, we didn’t even realize that action was occurring until it was too late. In other words, a user would have no chance to prevent this action from happening in the real world,” ZDI reports in a blog post.

Later, the Fluoroacetate team went on to exploit another handset, Samsung Galaxy S9. They used a heap overflow in the baseband component to get code execution on the device. This hack earned the team another $50,000 USD and 15 more points towards Master of Pwn. Fluoroacetate also hacked iPhone X via Wi-Fi using a pair of bugs – a JIT (Just-In-Time) vulnerability in the web browser followed by an Out-Of-Bounds write for the sandbox escape and escalation. This hack fetched them another $60,000 USD and 10 additional Master of Pwn points.

Besides the Fluoroacetate team, another team MWR Labs (Georgi Geshev, Fabi Beterke, and Rob Miller) from UK too tried their luck on Xiaomi 6 and Samsung Galaxy S9. In the case of Xiaomi 6, they used a code execution exploit via Wi-Fi that forced the default web browser to navigate to a portal page. They then chained additional bugs together to silently install an application via JavaScript, bypass the application whitelist, and automatically start the application. This hack earned the MWR team $30,000 USD and 6 Master of Pwn points.

The MWR Labs team also combined three different bugs to successfully exploit the Samsung Galaxy S9 over Wi-Fi. They forced the phone to a captive portal without user interaction, then used an unsafe redirect and an unsafe application load to install their custom application. Although they failed in their first attempt, they successfully hacked in its second attempt, which earned the team $30,000 USD and 6 more Master of Pwn points.

Michael Contreras, a researcher who was last entry of the day, received $25,000 USD and 6 Master of Pwn points for hacking the Xiaomi Mi 6 browser via JavaScript type confusion flaw.

Day 2 at the Pwn2Own Tokyo 2018

The second day at the Pwn2Own Tokyo 2018 started with Fluoroacetate team exploiting one more zero-day vulnerabilities in iPhone X and Xiaomi Mi 6.

Their first iPhone X zero-day combined a JIT bug in the browser along with an out-of-bounds access that resulted in a deleted photo getting exfiltrated from the targeted phone. This hack fetched them a $50,000 USD.

In the case of Xiaomi Mi6, the team used an integer overflow vulnerability that allowed them to exfiltrate a picture from the device, earning them an additional $25,000 USD.

MWR Labs too successfully hacked the Xiaomi Mi6 on the second day. They loaded a custom application by combining a download bug along with a silent app installation and stole some pictures from the phone. They earned $25,000 USD for this hack.

Team Fluoroacetate with a total of 45 points and $215,000 USD in prizes won the title of Master of Pwn!