Tag Archives: massive

Fourth Fappening Hacker Admits to Stealing Celebrity Pics From iCloud Accounts

Almost three years after the massive leak of high-profile celebrities’ nude photos, widely known as “The Fappening” or the “Celebgate” scandal, a fourth hacker has been charged with breaking into more than 250 Apple iCloud accounts belonging to Hollywood celebrities.

George Garofano, 26, of North Branford, who had been arrested by the FBI, has been charged in federal court with violating the Computer Fraud and Abuse Act.

Garofano has admitted to illegally obtaining credentials for his victims’ iCloud accounts using a phishing scheme, which eventually allowed him to steal personal information on his victims, including sensitive and private photographs and videos.

Celebrities whose nude photographs were posted online back in 2014 include Jennifer Lawrence, Kim Kardashian, Kirsten Dunst and Kate Upton. Other victims include American Olympic gold medallist Misty May-Treanor and actors Alexandra Chando, Kelli Garner and Lauren O’Neil.

Between April 2013 and October 2014, Garofano sent phishing emails purporting to come from Apple’s security team to a number of celebrities, tricking them into handing over their iCloud account credentials, which he then used to access their accounts illegally.

“Garofano admitted that he sent emails to victims that appeared to be from security accounts of Apple and encouraged the victims to send him their usernames and passwords, or to enter them on a third-party website, where he would later retrieve them,” the Justice Department said.

Besides stealing victims’ personal information, including sensitive and private photographs and videos, from their iCloud accounts using stolen credentials, Garofano, in some instances, also traded the stolen credentials, along with the materials he stole from the victims’ accounts, with other individuals.

In a plea agreement signed Thursday in U.S. District Court in Los Angeles, Garofano agreed to plead guilty to one count of unauthorised access to a protected computer to obtain information, facing up to 5 years in prison.

Garofano is the fourth hacker charged in connection with the Celebgate incident. Emilio Herrera, 32, Edward Majerczyk, 28, and Ryan Collins, 36, pleaded guilty last year to being involved in the celebrity photo hack.

While Herrera is waiting for sentencing next month, Majerczyk was sentenced to nine months in prison and Collins was sentenced to 18 months last year.

The investigation into the Celebgate scandal is being conducted by the U.S. Federal Bureau of Investigation.

Huge Flaw Found in Intel Processors; Patch Could Hit 5-30% CPU Performance

The first week of the new year is not yet over, and a massive vulnerability is about to hit hundreds of millions of Windows, Linux and Mac users worldwide.

According to a blog post published yesterday, the core Linux kernel developers have prepared a critical kernel update without releasing much information about the underlying vulnerability.

Multiple researchers on Twitter confirmed that Intel processors (x86-64) have a severe hardware-level issue that could allow attackers to access protected kernel memory, which primarily includes information like passwords, login keys, and files cached from disk.

The security patch implements kernel page-table isolation (KPTI), which moves the kernel into an entirely separate address space so that it stays protected and inaccessible from running programs in userspace; the change requires an update at the operating-system level.

“The purpose of the series is conceptually simple: to prevent a variety of attacks by unmapping as much of the Linux kernel from the process page table while the process is running in user space, greatly hindering attempts to identify kernel virtual address ranges from unprivileged userspace code,” writes Python Sweetness.

It is noteworthy that installing the update will slow your system down: it could reduce CPU performance by 5 percent to 30 percent, “depending on the task and processor model.”

“With the page table splitting patches merged, it becomes necessary for the kernel to flush these caches every time the kernel begins executing, and every time user code resumes executing.”
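As an added example (not from the article or the kernel developers), the following Python helper checks whether page-table isolation is active on a Linux host and measures the cost of one syscall, i.e. the kernel entry and exit that KPTI makes more expensive. The sysfs meltdown status file, the `pti` CPU flag and the `nopti`/`pti=off` boot parameters are what patched Linux kernels expose; they are not mentioned in the article, and the log-style sample values used by the parsers are constructed.

```python
import os
import time

# Interfaces a patched Linux kernel exposes (not mentioned in the article above).
MELTDOWN_SYSFS = "/sys/devices/system/cpu/vulnerabilities/meltdown"
CPUINFO = "/proc/cpuinfo"
CMDLINE = "/proc/cmdline"


def pti_from_cpuinfo(cpuinfo_text):
    """True if the 'pti' CPU flag (page-table isolation enabled) is present."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            return "pti" in line.split(":", 1)[1].split()
    return False


def pti_disabled_on_cmdline(cmdline_text):
    """True if the boot command line switched page-table isolation off."""
    tokens = cmdline_text.split()
    return "nopti" in tokens or "pti=off" in tokens


def classify_meltdown_sysfs(status_text):
    """Map the sysfs status line to 'not-affected', 'mitigated', 'vulnerable' or 'unknown'."""
    status = status_text.strip()
    if status.startswith("Not affected"):
        return "not-affected"
    if status.startswith("Mitigation:"):
        return "mitigated"
    if status.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def syscall_cost_ns(iterations=200_000):
    """Average wall-clock cost of one getpid() syscall in nanoseconds.

    Each call crosses into the kernel and back, the transition the article says
    KPTI makes more expensive (page-table switch plus cache flush); compare the
    figure with isolation on and off on the same machine to see the overhead.
    """
    start = time.perf_counter_ns()
    for _ in range(iterations):
        os.getpid()
    return (time.perf_counter_ns() - start) / iterations


def read_text(path):
    """Read a pseudo-file, or return None when it is absent (non-Linux, older kernel)."""
    try:
        with open(path, encoding="utf-8") as fh:
            return fh.read()
    except OSError:
        return None


def host_report():
    """Collect the KPTI status of the running host into a dict."""
    sysfs = read_text(MELTDOWN_SYSFS)
    cpuinfo = read_text(CPUINFO) or ""
    cmdline = read_text(CMDLINE) or ""
    return {
        "meltdown_status": classify_meltdown_sysfs(sysfs) if sysfs else "unknown",
        "pti_flag": pti_from_cpuinfo(cpuinfo),
        "pti_disabled_by_cmdline": pti_disabled_on_cmdline(cmdline),
        "syscall_ns": round(syscall_cost_ns(), 1),
    }


if __name__ == "__main__":
    for key, value in host_report().items():
        print(f"{key}: {value}")
```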

Most details of the flaw are being kept under wraps for now, but given the secrecy, some researchers have speculated that even a JavaScript program running in a web browser could recover sensitive kernel-protected data.

AMD processors are not affected by the vulnerability due to security protections that the company has in place, said Tom Lendacky, a member of the Linux OS group at AMD.

“AMD processors are not subject to the types of attacks that the kernel page table isolation feature protects against,” the company said. 

“The AMD microarchitecture does not allow memory references, including speculative references, that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault.”

The Linux patch, which is being applied to ALL x86 processors, currently covers AMD processors as well, since the mainline kernel treats them as insecure too, but AMD specifically recommends not enabling the patch on its CPUs.

Microsoft is likely to fix the issue for its Windows operating system in an upcoming Patch Tuesday, and Apple is also likely working on a patch to address the vulnerability.

World’s Biggest Botnet Just Sent 12.5 Million Emails With Scarab Ransomware

A massive malicious email campaign that stems from the world’s largest spam botnet Necurs is spreading a new strain of ransomware at the rate of over 2 million emails per hour and hitting computers across the globe.

The prolific malspam botnet Necurs, which has previously been found distributing the Dridex banking trojan, the Trickbot banking trojan, Locky ransomware and Jaff ransomware, has now started spreading a new version of Scarab ransomware.

According to F-Secure, the Necurs botnet is the most prominent source of spam email, with five to six million infected hosts online each month, and is responsible for the biggest single malware spam campaigns.

Scarab ransomware is a relatively new ransomware family that was initially spotted by ID Ransomware creator Michael Gillespie in June this year.

Massive Email Campaign Spreads Scarab Ransomware

According to a blog post published by security firm Forcepoint, the massive email campaign spreading Scarab ransomware started at approximately 07:30 UTC on 23 November (Thursday) and sent about 12.5 million emails in just six hours.

The Forcepoint researchers said “the majority of the traffic is being sent to the .com top-level domain (TLD). However, this was followed by region-specific TLDs for the United Kingdom, Australia, France, and Germany.”

The spam email carries a malicious VBScript downloader compressed with 7zip that pulls down the final payload, and uses one of these subject lines:

  • Scanned from Lexmark
  • Scanned from Epson
  • Scanned from HP
  • Scanned from Canon

As with previous Necurs botnet campaigns, the VBScript contains a number of references to the widely watched series Game of Thrones, such as the strings ‘Samwell’ and ‘JohnSnow’.

The final payload is the latest version of Scarab ransomware; it leaves the original filenames unchanged but appends the extension “.[suupport@protonmail.com].scarab” to each encrypted file.

Once done with the encryption, the ransomware then drops a ransom note with the filename “IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT” within each affected directory.

The ransom note does not specify the amount being demanded by the criminals; instead, it merely states that “the price depends on how fast you [the victim] write to us.”

However, Scarab ransomware offers to decrypt three files for free to prove the decryption will work: “Before paying you can send us up to 3 files for free decryption.”
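The indicators above (lure subjects, 7zip-wrapped VBScript, Game of Thrones strings, the .scarab extension and the ransom note name) can be turned into a simple triage check. The following Python is an added example, not Forcepoint’s or the article’s code; the MailMessage structure, the `.vbe` extension and all sample data are constructed assumptions.

```python
from dataclasses import dataclass, field

# Indicators quoted in the article above.
LURE_SUBJECTS = {"Scanned from Lexmark", "Scanned from Epson",
                 "Scanned from HP", "Scanned from Canon"}
SCARAB_EXTENSION = ".[suupport@protonmail.com].scarab"
RANSOM_NOTE = "IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT"
GOT_STRINGS = ("Samwell", "JohnSnow")
# The campaign ships the VBScript inside a 7zip archive; ".vbe" (encoded VBScript)
# is my own addition so a trivially re-packed variant is not missed (assumption).
ARCHIVE_EXTENSIONS = (".7z",)
SCRIPT_EXTENSIONS = (".vbs", ".vbe")


@dataclass
class MailMessage:
    """Minimal view of a message as a mail gateway sees it (constructed, not a real parser)."""
    subject: str
    attachments: list                                     # top-level attachment names
    archive_members: dict = field(default_factory=dict)   # archive name -> member names
    script_text: str = ""                                 # script body, if unpacked


def lure_subject(subject):
    """True if the subject matches one of the fake scanner notifications."""
    return subject.strip() in LURE_SUBJECTS


def script_in_archive(msg):
    """True if a 7zip attachment carries a VBScript member."""
    for name in msg.attachments:
        if name.lower().endswith(ARCHIVE_EXTENSIONS):
            members = msg.archive_members.get(name, [])
            if any(m.lower().endswith(SCRIPT_EXTENSIONS) for m in members):
                return True
    return False


def got_markers(text):
    """Game of Thrones strings the article reports inside the downloader, in fixed order."""
    return [s for s in GOT_STRINGS if s in text]


def score_message(msg):
    """Return the reasons a message matches the campaign; an empty list means no match."""
    reasons = []
    if lure_subject(msg.subject):
        reasons.append("scanner-lure subject")
    if script_in_archive(msg):
        reasons.append("VBScript inside 7zip attachment")
    markers = got_markers(msg.script_text)
    if markers:
        reasons.append("Game of Thrones strings in script: " + ", ".join(markers))
    return reasons


def scan_paths(paths):
    """Split file paths into Scarab-encrypted files and directories holding the ransom note."""
    encrypted = [p for p in paths if p.endswith(SCARAB_EXTENSION)]
    note_dirs = sorted({p[:-len(RANSOM_NOTE) - 1]
                        for p in paths if p.endswith("/" + RANSOM_NOTE)})
    return encrypted, note_dirs


# Constructed samples: one lure message, one ordinary message, one hit directory.
SAMPLE_MAIL = [
    MailMessage("Scanned from HP", ["scan_0042.7z"],
                {"scan_0042.7z": ["scan_0042.vbs"]},
                'Set Samwell = CreateObject("JohnSnow")'),
    MailMessage("Q3 invoice", ["invoice.pdf"]),
]
SAMPLE_PATHS = [
    "/home/alice/report.docx.[suupport@protonmail.com].scarab",
    "/home/alice/IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT",
    "/home/alice/notes.txt",
]

if __name__ == "__main__":
    for msg in SAMPLE_MAIL:
        print(f"{msg.subject!r}: {score_message(msg) or 'clean'}")
    encrypted, note_dirs = scan_paths(SAMPLE_PATHS)
    print("encrypted:", encrypted)
    print("ransom note in:", note_dirs)
```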

Protection Against Ransomware

To safeguard against such ransomware infections, you should always be suspicious of any unsolicited document sent by email and never click on links in such documents without verifying the source.

Most importantly, keep a good backup routine in place that copies your files to an external storage device that is not permanently connected to your PC, so that you always retain control of all your important files and documents.

Moreover, make sure that you run an active anti-virus solution on your system, and always browse the Internet safely.

Equifax Suffered Data Breach After It Failed to Patch Old Apache Struts Flaw

The massive Equifax data breach that exposed highly sensitive data of as many as 143 million people was caused by the exploitation of a flaw in the Apache Struts framework that Apache had patched more than two months before the security incident, Equifax has confirmed.

Credit rating agency Equifax is yet another example of a company that fell victim to a massive cyber attack because it failed to apply, in time, a patch for a critical vulnerability that the vendor had already issued.

Rated critical with the maximum score of 10.0, the Apache Struts2 vulnerability (CVE-2017-5638) exploited in the Equifax breach was disclosed and fixed by Apache on March 6 with the release of Apache Struts versions 2.3.32 and 2.5.10.1.

This flaw is separate from CVE-2017-9805, another Apache Struts2 vulnerability patched earlier this month: a programming bug in the way the Struts REST plugin handles XML payloads during deserialisation, fixed in Struts version 2.5.13.

Right after the vulnerability was disclosed, hackers started actively exploiting it in the wild to install rogue applications on affected web servers, once proof-of-concept (PoC) exploit code had been uploaded to a Chinese site.

Despite the patches being available, and evidence that the flaw was already under mass attack, Equifax failed to patch its web applications against it, which resulted in the breach of personal data of nearly half of the US population.

“Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cyber security firm to determine what information was accessed and who have been impacted,” the company wrote in an update on its website titled “A Progress Update for Consumers.”

“We know that criminals exploited a US website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.”

CVE-2017-5638 was a then-zero-day vulnerability in the popular Apache Struts web application framework discovered by Cisco’s threat intelligence group Talos, which observed a number of active attacks exploiting the flaw.

The issue was a remote code execution bug in the Jakarta Multipart parser of Apache Struts2 that could allow an attacker to execute malicious commands on the server when it handled file uploads through that parser.

At the time, Apache warned it was possible to perform a remote code execution attack with “a malicious Content-Type value,” and if this value is not valid “an exception is thrown which is then used to display an error message to a user.”
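Two checks a defender would want here are whether a deployed Struts version predates the fix versions named above, and whether any request has reached the server with a Content-Type header that is not a well-formed media type (the only legitimate shape of that header). The Python below is an added example, not Apache’s or Equifax’s code; the log line format, the IP addresses and the OGNL-style marker in the sample are constructed, and only the two fix versions stated in the article are encoded.

```python
import re

# Fix versions for CVE-2017-5638 as stated in the article: Struts 2.3.32 and 2.5.10.1.
# Keyed by major.minor branch; anything below the fixed version on that branch is vulnerable.
FIXED_VERSIONS = {(2, 3): (2, 3, 32), (2, 5): (2, 5, 10, 1)}

# A legitimate Content-Type is type/subtype plus optional ";name=value" parameters.
# Anything outside that grammar (such as an OGNL expression) has no business there.
MEDIA_TYPE_RE = re.compile(
    r'^[A-Za-z0-9!#$&^_.+-]+/[A-Za-z0-9!#$&^_.+-]+'
    r'(?:\s*;\s*[A-Za-z0-9_.-]+=(?:"[^"]*"|[^;\s"]+))*\s*$'
)
# OGNL expression delimiters; neither ever appears in a well-formed media type.
OGNL_MARKERS = ("%{", "${")

# Constructed log format (assumption, not any real server's format):
#   <timestamp> <client-ip> <method> <path> "Content-Type: <header value>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) '
    r'"Content-Type: (?P<ctype>[^"]*)"$'
)


def struts_version_vulnerable(version):
    """True if this Struts version predates the CVE-2017-5638 fix on its branch.

    Returns None for branches the article does not give a fix version for.
    """
    parts = tuple(int(p) for p in version.split("."))
    fixed = FIXED_VERSIONS.get(parts[:2])
    if fixed is None:
        return None
    return parts < fixed


def classify_content_type(ctype):
    """Return 'ognl-expression', 'malformed' or 'ok' for one Content-Type value."""
    if any(marker in ctype for marker in OGNL_MARKERS):
        return "ognl-expression"
    if not MEDIA_TYPE_RE.match(ctype):
        return "malformed"
    return "ok"


def scan_log(lines):
    """Return (client-ip, path, verdict) for every request whose Content-Type is not clean."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if match is None:
            continue  # unparseable line: skip rather than guess
        verdict = classify_content_type(match["ctype"])
        if verdict != "ok":
            findings.append((match["src"], match["path"], verdict))
    return findings


# Constructed sample log (documentation IP ranges; the OGNL line is an inert marker, not a payload).
SAMPLE_LOG = [
    '2017-03-07T10:22:01Z 192.0.2.10 POST /upload.action "Content-Type: multipart/form-data; boundary=----abc123"',
    '2017-03-07T10:22:05Z 198.51.100.7 POST /upload.action "Content-Type: %{(#x=\'constructed-ognl-marker\')}"',
    '2017-03-07T10:22:09Z 192.0.2.11 GET /index.action "Content-Type: application/json"',
    '2017-03-07T10:22:14Z 198.51.100.8 POST /upload.action "Content-Type: multipart/form-data boundary=abc"',
]

if __name__ == "__main__":
    for src, path, verdict in scan_log(SAMPLE_LOG):
        print(f"{src} {path}: {verdict}")
    for v in ("2.3.31", "2.3.32", "2.5.10", "2.5.10.1"):
        print(v, "vulnerable" if struts_version_vulnerable(v) else "fixed")
```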

For those unaware, Apache Struts is a free, open-source MVC framework for developing web applications in the Java programming language, used on both front-end and back-end web servers. The framework is used by 65 per cent of the Fortune 100 companies, including Lockheed Martin, Vodafone, Virgin Atlantic, and the IRS.

Since the hackers are actively exploiting the vulnerabilities in the Apache Struts web framework, Cisco has also initiated an investigation into its products against four newly discovered security vulnerabilities in Apache Struts2.

Other companies that also incorporate a version of Apache Struts 2 should also check their infrastructures against these vulnerabilities.

Equifax is currently offering free credit-monitoring and identity theft protection services for people who are affected by the massive data leak and has also enabled a security freeze for access to people’s information.

While the company was initially criticised for generating a PIN that was simply a time and date stamp and therefore easy to guess, the PIN generation method was later changed to produce random numbers.

Powered by WPeMatico

Apache Struts 2 Flaws Affect Multiple Cisco Products

After the massive Equifax data breach, believed to have been caused by a vulnerability in Apache Struts, Cisco has started investigating its products that incorporate a version of the popular Apache Struts2 web application framework.

Apache Struts is a free, open-source MVC framework for developing web applications in the Java programming language, and is used by 65 percent of the Fortune 100 companies, including Lockheed Martin, Vodafone, Virgin Atlantic, and the IRS.

However, the popular open-source software package was recently found to be affected by multiple vulnerabilities, including two remote code execution flaws, one discovered earlier this month and another in March, one of which is believed to have been used to breach the personal data of over 143 million Equifax users.

Some Cisco products, including its Digital Media Manager, MXE 3500 Series Media Experience Engines, Network Performance Analysis, Hosted Collaboration Solution for Contact Center, and Unified Contact Center Enterprise, have been found vulnerable to multiple Apache Struts flaws.

Cisco Launches Apache Struts Vulnerability Hunting

Cisco is also testing the rest of its products against four newly discovered security vulnerabilities in Apache Struts2, including the one (CVE-2017-9805) we reported on September 5 and three others also disclosed last week.

However, the remote code execution bug (CVE-2017-5638) that was actively exploited back in March this year is not included in the company’s recent security audit.

The three vulnerabilities included in the Cisco security audit, CVE-2017-9793, CVE-2017-9804 and CVE-2017-9805, were disclosed by the Apache Software Foundation on 5 September with the release of Apache Struts 2.5.13, which patched the issues.

The fourth vulnerability (CVE-2017-12611), also under investigation by Cisco, was disclosed on 7 September with the release of Apache Struts 2.3.34, which fixed a flaw in the Freemarker tag functionality of the Apache Struts2 package that could allow an unauthenticated, remote attacker to execute malicious code on an affected system.

Apache Struts Flaw Actively Exploited to Hack Servers & Deliver Malware

Coming to the most severe of all, CVE-2017-9805 (rated critical) is a programming bug in the way the Struts REST plugin handles XML payloads during deserialisation.

This could allow a remote, unauthenticated attacker to achieve remote code execution on a host running a vulnerable version of Apache Struts2, and Cisco’s threat intelligence group Talos has observed attackers actively exploiting this flaw to find vulnerable servers.

Security researchers from data centre security vendor Imperva recently detected and blocked thousands of attacks attempting to exploit this Apache Struts2 vulnerability (CVE-2017-9805), with roughly 80 percent of them attempting to deliver a malicious payload.

The majority of attacks originated from China with a single Chinese IP address registered to a Chinese e-commerce company sending out more than 40% of all the requests. Attacks also came from Australia, the U.S., Brazil, Canada, Russia and various parts of Europe.

Out of the two remaining flaws, one (CVE-2017-9793) is again a vulnerability in the REST plug-in for Apache Struts that manifests due to “insufficient validation of user-supplied input by the XStream library in the REST plug-in for the affected application.”

This flaw has been given a Medium severity and could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on targeted systems.

The last flaw (CVE-2017-9804) also allows an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected system but resides in the URLValidator feature of Apache Struts.

Cisco is testing its products against these vulnerabilities including its WebEx Meetings Server, the Data Center Network Manager, Identity Services Engine (ISE), MXE 3500 Series Media Experience Engines, several Cisco Prime products, some products for voice and unified communications, as well as video and streaming services.

At present there are no software patches to address the vulnerabilities in Cisco products, but the company has promised to release updates for the affected software, which will soon be accessible through the Cisco Bug Search Tool.

Since the framework is widely used by Fortune 100 companies, any organisation whose infrastructure incorporates a version of Apache Struts2 should also check it against these vulnerabilities.

Instagram Hacker Puts 6 Million Celebrities Personal Data Up For Sale On DoxaGram

It’s now official: Instagram has suffered a massive data breach, and an unknown hacker has reportedly stolen the personal details of more than 6 million Instagram accounts.

Just yesterday, we reported that Instagram had patched a critical API vulnerability that allowed the attacker to access phone numbers and email addresses for high-profile verified accounts.

However, the Instagram hack now appears to be more serious than initially reported.

Not just a few thousand high-profile users: more than 6 million Instagram users, including politicians, sports stars and media companies, have had their profile information, including email addresses and phone numbers, put up for sale on a website called Doxagram.

The suspected Instagram hacker has launched Doxagram, an Instagram lookup service, where anyone can search the stolen information for just $10 per account.

A security researcher from Kaspersky Labs, who also found the same vulnerability and reported it to Instagram, told The Hacker News that the issue actually resided in Instagram’s mobile API, specifically in the password reset option, which exposed users’ mobile numbers and email addresses in the JSON response, but not their passwords.

Instagram has not confirmed the hacker’s claims yet, but the company said Friday it is investigating the data breach.

The news comes three days after an unknown hacker hijacked the most-followed account on Instagram, belonging to Selena Gomez (over 125 million followers), and posted full-frontal nude photographs of her ex-boyfriend Justin Bieber.

However, Instagram did not confirm if the recent data breach was related to Selena’s hacked account.

The company had already notified all of its verified users of the issue via emails and also encouraged them to be cautious if they receive any suspicious or unrecognised phone call, text message, or email.

With email addresses and phone numbers in hand, the hacker’s next step could be to use the stolen information together with social engineering techniques to gain access to verified Instagram accounts and post on their behalf in order to embarrass them.

Instagram users are also strongly advised to enable two-factor authentication on their accounts and to always secure them with a strong, unique password.

Additionally, avoid clicking on suspicious links and attachments you receive in an email and providing your personal or financial details without verifying the source properly.

Over 711 Million Email Addresses Exposed From SpamBot Server

A massive database of 630 million email addresses used by a spambot to send large amounts of spam has been published online in what appears to be one of the biggest data dumps of its kind.

A French security researcher who uses the online handle Benkow spotted the database on an “open and accessible” server containing a vast number of email addresses, along with millions of SMTP credentials from around the world.

The database is hosted on the spambot server in the Netherlands and is stored without any access controls, making the data publicly available to anyone without requiring a password.

According to a blog post published by Benkow, the spambot server, dubbed “Onliner Spambot,” has been used to send out spam and spread a banking trojan called Ursnif to users since at least 2016.

Ursnif Banking Trojan is capable of stealing banking information from target computers including credit card data, and other personal information like login details and passwords from browsers and software.

“Indeed, to send spam, the attacker needs a huge list of SMTP credentials. To do so, there are only two options: create it or buy it,” Benkow said. “And it’s the same as for the IPs: the more SMTP servers he can find, the more he can distribute the campaign.”

As the researcher explained, he found “a huge list of valid SMTP credentials”, around 80 million, which are then used to send spam to the remaining 630 million addresses via internet providers’ mail servers, making the messages look legitimate and letting them bypass anti-spam measures.

The list also contains many email addresses that appear to have been scraped and collected from other data breaches, such as LinkedIn, MySpace and Dropbox.

The researcher was able to identify nearly 2 million email addresses as originating from a Facebook phishing campaign.

The exposed database has been verified by Troy Hunt, who added the leaked email addresses to his breach notification site.

At the time of writing, it is unclear who is behind the Onliner Spambot.

Users can check their email addresses on the site; those affected are advised to change the passwords for their email accounts (and pick longer, stronger ones this time) and to enable two-factor authentication if they haven’t yet.

Also, do the same for other online accounts if you reuse the same passwords across multiple sites.

FBI Arrests Another Hacker Who Visited United States to Attend a Conference

The FBI has arrested a Chinese citizen for allegedly distributing malware used in the 2015 massive OPM breach that resulted in the theft of personal details of more than 25 Million U.S. federal employees, including 5.6 Million federal officials’ fingerprints.

Yu Pingan, identified by the agency by the pseudonym “GoldSun,” was arrested at Los Angeles international airport on Wednesday when he arrived in the United States to attend a conference, CNN reported.

The 36-year-old Chinese national is said to face charges in connection with the Sakula malware, which was not only used to breach the US Office of Personnel Management (OPM) but also breached Anthem health insurance firm in 2015.

The Anthem breach resulted in the theft of personal medical records of around 80 million current and former customers of the company.

Sakula is a sophisticated remote access Trojan (RAT) known to have been developed by Deep Panda, a China-based advanced persistent threat group (also known as APT19), that allows an attacker to remotely gain control over a targeted system.

However, a few months after the OPM breach was discovered, the Chinese government arrested a handful of hackers within its borders in connection with the hack, while dismissing any involvement of its own.

Pingan’s arrest was similar to that of Marcus Hutchins, a 22-year-old British security researcher who has been accused of creating and distributing the infamous Kronos banking Trojan between 2014 and 2015.

According to an indictment filed in the US District Court for the Southern District of California on 21 August, Pingan has been charged with one count under the Computer Fraud and Abuse Act and is also accused of conspiracy to commit an offence against, or to defraud, the United States.

The indictment suggests Pingan collaborated with two unnamed hackers to acquire and use malware to conduct cyber attacks against at least 4 unnamed US companies from April 2011 through January 2014.

“Defendant YU and co-conspirators in the PRC [People’s Republic of China] would establish an infrastructure of domain names, IP addresses, accounts with internet service providers, and websites to facilitate hacks of computer networks operated by companies in the United States and elsewhere,” the indictment reads.

Although the indictment filed doesn’t name the companies that were targeted, it does note that the affected companies were headquartered in San Diego, California; Massachusetts; Arizona; and Los Angeles, California.

Pingan’s role in those cyber attacks was to supply advanced malware to other unnamed Chinese crooks for hacks against United States organisations.

Pingan remains behind bars pending a court hearing on his detention next week.

Companies Could Face $22 Million Fine If They Fail to Protect Against Hackers

Over the past few years, massive data breaches have become so frequent and so common that pretty much every week we hear about some organisation being hacked or a hacker dumping tens of millions of user records.

But even after this wide range of data breach incidents, many organisations fail to grasp the importance of data protection, leaving their users’ sensitive data vulnerable to hackers and cyber criminals.

Not any more, at least for organisations in Britain: the UK government has committed to updating and strengthening its data protection laws through a new Data Protection Bill.

The British government has warned businesses that if they fail to take measures to protect themselves adequately from cyber attacks, they could face fines of up to £17 Million (more than $22 Million), or 4% of their global turnover—whichever amount is higher.

However, the financial penalties would be a last resort and would not be applied to organisations that take proper security measures and assess the risks adequately but nevertheless fall victim to a cyber attack.

The penalties would be issued by the data protection regulator, the Information Commissioner’s Office (ICO).

“Our measures are designed to support businesses in their use of data and give consumers the confidence that their data is protected and those who misuse it will be held to account,” Digital Minister Matt Hancock said in a government press release.

Hancock said this newly-proposed Data Protection Bill would:

  • Make it easier and simpler to withdraw consent for the use of personal data
  • Allow people to ask for their personal information held by organisations to be erased
  • Enable parents to give consent for their child’s data to be used
  • Require “explicit” consent to be necessary for processing user’s sensitive data
  • Expand the definition of “personal data” to include IP addresses, DNA and internet cookies
  • Strengthen and update Data Protection Law to reflect the changing nature and scope of the country’s digital economy
  • Make it easier and free for users to require companies to disclose the personal data they hold on them
  • Make it easier for users to move data between service providers

The proposal is being considered as part of a government consultation launched on Tuesday by the Department for Digital, Culture, Media and Sport for deciding how to implement the Network and Information Systems (NIS) Directive from next May.

This is separate from the General Data Protection Regulations (GDPR) that are aimed at protecting data rather than services.

The GDPR will replace the British Data Protection Act 1998 from 25 May 2018, and the government has confirmed that Brexit will not change this.

This new proposal is mainly focused on ensuring critical infrastructures, like transport, health, energy, and water are protected from cyber attacks that could result in major disruption to services, as was seen in Ukraine last year.

The proposal will also cover other cyber threats affecting IT infrastructures such as power failures, hardware failures and environmental hazards.

The move comes after the British NHS (National Health Service) became the highest-profile victim of the recent WannaCry ransomware attack, which resulted in the shutdown of hospitals and operations, patient records being made unavailable and ambulances being diverted.

Gang Behind Fireball Malware that Infected 250 Million PCs Busted by Police

Chinese authorities have recently launched a crackdown on the operators of a massive adware campaign that infected around 250 million computers running Windows and Mac OS across the world earlier this year.

The adware campaign was uncovered by security researchers at Check Point last month after it already infected over 25 million computers in India, 24 million in Brazil, 16 million in Mexico, 13 million in Indonesia and 5.5 million in the United States.

Dubbed Fireball, the infamous adware comes bundled with other free legitimate software that you download off the Internet.

Once installed, the malware installs browser plug-ins to manipulate the victim’s web browser configurations and replace their default search engines and home pages with fake search engines.

Far beyond any legitimate purpose, Fireball can spy on the victim’s web traffic, execute malicious code on the infected computer, install plugins and even act as an efficient malware dropper, creating a massive security hole in targeted systems and networks.

At the time, Check Point researchers linked the operation to Rafotech, a Beijing-based Chinese firm which claims to offer digital marketing and game apps to 300 million customers, blaming the company for using Fireball for generating revenue by injecting ads into the web browsers.

Now, Beijing Municipal Public Security Bureau Network Security Corps have made 11 arrests in the case.

All the suspects are Rafotech employees, three of whom served as the company’s president, technical director and operations director, a Chinese news agency reports.

Chinese outlets report that the Fireball developers made a profit of 80 Million Yuan (nearly US$12 million) from the adware campaign.

The establishment of Rafotech was jointly funded by several people in 2015, and by the end of the year, they developed the Fireball virus for the advertising fraud, which redirects the victim’s every query to either Yahoo.com or Google.com and includes tracking pixels that collect the victim’s information.

All the arrested suspects have allegedly admitted to developing and distributing the Fireball malware. The arrests began in June, shortly after the story about Fireball went online.

No doubt the company was using the Fireball adware to boost its advertisements and generate revenue, but at the same time the adware has the capability to distribute additional malware, which could turn into a disaster in future.
