ZeroFucks ransomware encrypts files with AES-256 and replaces the extension in the filename with “.zerofucks” (e.g. “myphoto.jpg” becomes “myphoto.zerofucks”).
Once the ransomware has encrypted the files, it displays the following GUI to the victim; the crooks demand a €400 ransom payable in Bitcoin.
“All your important files have been encrypted. If you want your files back, you need to pay €400 in Bitcoins. After the payment is received, we will give you access to unlock your files. Click on the Payment button to get more info.” reads the ransom note.
“If you don’t pay within 48 hours, the price will be doubled. After another 24 hours, the price will be doubled again. If you don’t pay within 96 hours your files will be destroyed.”
The module is used by colleges and universities to customize their web applications.
The vulnerability, tracked as CVE-2019-8978, was discovered by security expert Joshua Mulliken; it affects the authentication process used by two modules of the ERP, including Ellucian Banner Enterprise Identity Services, which is used to manage user accounts.
“An improper authentication vulnerability (CWE-287) was identified in Banner Web Tailor and Banner Enterprise Identity Services. This vulnerability is produced when SSO Manager is used as the authentication mechanism for Web Tailor, where this could lead to information disclosure and loss of data integrity for the impacted user(s).” reads the security advisory published by the expert.
The vulnerability could be exploited by a remote attacker to hijack users’ accounts.
“A user’s unique identifier, UDCID, is leaked via a cookie and it could lead to account compromise if this identifier is captured or otherwise known, in the case tested the UDCID was known to be the institutional ID printed on ID cards. The UDCID could be used to exploit a race condition that would provide an attacker with unauthorized access.” continues the advisory. “For a student, the attacker could drop them from their courses, reject financial aid, change their personal information, etc. For a professor, this could lead to an inability to manage their courses, allow a malicious student to put in false final grades, etc. For an administrator, an attacker could change users’ information, place false holds on student accounts, etc.”
Affected versions are Banner Enterprise Identity Services 8.3 and later. Ellucian addressed the vulnerability in May.
Unfortunately, threat actors started exploiting the CVE-2019-8978 flaw in the wild.
“The Department has identified 62 colleges or universities that have been affected by exploitation of this vulnerability. We have also recently received information that indicates criminal elements have been actively scanning the internet looking for institutions to victimize through this vulnerability and developing lists of institutions for targeting with this exploitation.” reads the alert published on the Federal Student Aid website.
The educational institutions that were targeted by the attacks exploiting the vulnerability have reported that threat actors are using scripts in the admissions or enrollment section of the affected Banner system to create multiple student accounts.
Officials reported that attackers created at least 600 fake or fraudulent student accounts within a 24-hour period. The malicious activity continued over multiple days, resulting in the creation of thousands of fake student accounts. The bad news is that some of the accounts created in the attacks were involved in criminal activity.
Officials warn that, in organizations that have not implemented network segregation, attackers could access students’ financial aid data.
Ellucian denies that the creation of fake accounts is related to the vulnerability in its ERP.
“Although it was reported that attackers can leverage the vulnerability discussed above to create accounts, Ellucian believes this is not correct,” reads a statement published by the company. “The issue described in the alert is not believed to be related to the previously patched Ellucian Banner System vulnerability and is not exclusive to institutions using Ellucian products.”
“Attackers are utilizing bots to submit fraudulent admissions applications and obtain institution email addresses through admission application portals,” the statement continues.
The company recommends implementing reCAPTCHA capabilities in the admissions process.
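As an added illustration of how a defender might spot the scripted account creation described above (this is not code from the article, Ellucian or Federal Student Aid), the following Python flags a source address that submits many admissions applications in a short window and lists days whose total volume reaches the reported level. The log format, field names and values are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample admissions-portal log (not from the article): one source
# submits six applications in two minutes, two genuine applicants submit one each.
SAMPLE_LOG = """\
2019-07-18T02:00:01+00:00 198.51.100.20 POST /admissions/apply applicant=a.smith email=a.smith@mail.example
2019-07-18T02:00:10+00:00 203.0.113.7 POST /admissions/apply applicant=u4911 email=u4911@tmpmail.example
2019-07-18T02:00:31+00:00 203.0.113.7 POST /admissions/apply applicant=u4912 email=u4912@tmpmail.example
2019-07-18T02:00:52+00:00 203.0.113.7 POST /admissions/apply applicant=u4913 email=u4913@tmpmail.example
2019-07-18T02:01:14+00:00 203.0.113.7 POST /admissions/apply applicant=u4914 email=u4914@tmpmail.example
2019-07-18T02:01:35+00:00 203.0.113.7 POST /admissions/apply applicant=u4915 email=u4915@tmpmail.example
2019-07-18T02:01:58+00:00 203.0.113.7 POST /admissions/apply applicant=u4916 email=u4916@tmpmail.example
2019-07-18T09:15:44+00:00 192.0.2.55 POST /admissions/apply applicant=j.doe email=j.doe@mail.example
"""

# Hypothetical log layout: ISO timestamp, source IP, request, applicant id, e-mail.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) POST /admissions/apply applicant=(?P<user>\S+) email=(?P<email>\S+)$"
)


def parse_log(text):
    """Yield (timestamp, source_ip, applicant, email) for each application submission."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["email"])


def burst_sources(text, window=timedelta(minutes=10), threshold=5):
    """Return {source_ip: peak_count} for sources that submitted at least
    `threshold` applications inside any sliding window of the given length."""
    times_by_ip = defaultdict(list)
    for ts, ip, _user, _email in parse_log(text):
        times_by_ip[ip].append(ts)
    flagged = {}
    for ip, times in times_by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


def daily_volume_alerts(text, limit=600):
    """Return the UTC dates on which total submissions reached `limit`
    (the article reports about 600 fraudulent accounts within 24 hours)."""
    per_day = defaultdict(int)
    for ts, *_ in parse_log(text):
        per_day[ts.date().isoformat()] += 1
    return sorted(day for day, n in per_day.items() if n >= limit)


if __name__ == "__main__":
    print("burst sources:", burst_sources(SAMPLE_LOG))
    print("days over limit:", daily_volume_alerts(SAMPLE_LOG, limit=600))
```

The per-source burst check catches a single scripted client; the daily total catches distributed bot traffic that stays under any per-source threshold.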
The airline company WizzAir informed its customers that it had reset the account passwords due to a technical issue in the system.
The airline company WizzAir reset the account passwords of its users due to a technical issue in its system.
In an email message sent to its customers, the company explained that it had discovered and suffered “some temporary technical irregularity.”
The company did not disclose technical details of the incident, and for this reason some users speculated that the root cause of the problem was a hack. Under the EU privacy regulation GDPR, the company must provide a full and detailed account of the incident within 72 hours.
Fortunately, it seems that the company was not hacked.
“It appears that these assumptions are nothing to fret about. BleepingComputer has learned from a company representative that personal data belonging to customers was not affected in any way.” reported BleepingComputer.
The company only provided the following comment:
“We can confirm that we have sent an email today to our customers about the detection of a temporary technical irregularity in our system. At no point was any personal data compromised and resetting the passwords on the WIZZ accounts was a precautionary action. Safety remains a priority for Wizz Air, and that includes the security of our passengers’ data.” – reads the statement sent by WizzAir.
Following the notification message, people with a WizzAir account will receive a new email with instructions about how they can regain access to all features of the Wizz account.
The principal Twitter account of Scotland Yard, which has more than 1.2 million followers, was hacked and tweeted a series of bizarre messages on Friday night.
Hackers took over Scotland Yard’s principal Twitter account and tweeted a dozen bizarre messages on Friday night. Some of the tweets referred to the British rapper Digga D.
Digga D, real name Rhys Herbert, was jailed last year aged 17 along with four other members of his gang after they were caught with baseball bats and machetes; police discovered they were planning to attack another gang.
The messages expressed anti-police sentiment and called for the jailed rapper to be released.
“Free Digga D,” reads one of the tweets.
Below is the message posted by Met Police Supt. Roy Smith after the breach:
We are aware that the @metpoliceuk has been subject to unauthorised access and our media team are working hard to delete the messages and ensure the security of the account. Please ignore any Tweets until we verify that it is back under official control. RT
London’s Metropolitan Police confirmed that hackers also targeted emails and news pages.
Scotland Yard pointed out that its IT infrastructure had not been compromised; the incident only affected the press office’s online provider, MyNewsDesk. The MyNewsDesk service automatically distributes content to the Met’s website and Twitter account once it is published. It also sends emails to subscribers.
“Unauthorised messages appeared on the news section of our website,” states Scotland Yard. “We apologise to our subscribers and followers for the messages they have received.“
“We are confident the only security issue relates to access to our MyNewsDesk account. We have begun making changes to our access arrangements to MyNewsDesk.”
“There has been no ‘hack’ of the Met Police’s own IT infrastructure. We are assessing to establish what criminal offences have been committed.”
US President Donald Trump seized the opportunity to attack the London Mayor Sadiq Khan, retweeting an image of the hijacked Metropolitan Police account.
SyTech, a contractor for the Federal Security Service of the Russian Federation (FSB) has been hacked, attackers stole data about internal projects.
Attackers have hacked SyTech, a contractor for the Federal Security Service of the Russian Federation (FSB), and exfiltrated data about internal projects.
According to the Russian media, SyTech has been working with the FSB since 2009; in particular, it contributed to several projects for FSB unit 71330 and for fellow contractor Quantum. The company earned 40 million rubles ($635,000) from public contracts in 2018. Its latest project is the development of Nalog-3 for the Main Scientific Innovation Implementation Center.
“According to the data received, the majority of non-public projects of Sytech were commissioned by military unit No. 71330, which allegedly is part of the 16th directorate of the FSB of Russia.” states the website CrimeRussia. “This unit is engaged in electronic intelligence, experts from the International Center for Defense and Security in Tallinn believe.”
Some of the research projects accessed by the hackers were for Russia’s intelligence service, including one for deanonymizing Tor traffic.
On July 13, a hacker group named 0v1ru$ broke into SyTech’s Active Directory server and then compromised the entire infrastructure of the company, including its JIRA instance.
The hackers exfiltrated 7.5TB of data and defaced the website of the company by posting a “yoba face.”
The hackers published images of the company’s servers on Twitter and also shared the data with another hacker crew known as Digital Revolution, which in 2018 breached the FSB contractor Quantum.
The hackers provided the stolen data to BBC Russia, who verified the presence of other older projects for compromising other network protocols, including Jabber, ED2K, and OpenFT.
“Among the projects of Sytech there is the work on de-anonymization of users of the Tor-network, collection of information about Facebook, MySpace and LinkedIn users, hidden collection of information on the Web, a system for substituting Internet traffic, through which certain users could be redirected to special sites when requested portals from the “black list.” continues CrimeRussia.
“Sytech was also supposed to explore the possibilities of developing a complex of penetration and covert use of resources of peer-to-peer and hybrid networks, network protocols Jabber, OpenFT and ED2K, which were used by darknet users and hackers.”
Nautilus – a project for tracking the activity of users on the principal social media platforms (such as Facebook, MySpace, and LinkedIn).
Nautilus-S – a project for deanonymizing Tor traffic; it relies on a network of rogue Tor nodes. In January 2014, researchers from Karlstad University in Sweden presented the results of a four-month study conducted to test Tor network exit nodes for sneaky behavior. They discovered that an unspecified Russian entity was eavesdropping on nodes at the edge of the Tor network.
Reward – a project to covertly penetrate P2P networks.
Mentor – a project to spy on email communications managed by Russian companies.
Hope/Nadezhda – a project to analyze the overall Russian internet and its connections to the global WWW.
Tax-3 – a project that allows data on persons under state protection to be manually removed from the FTS information system.
Researchers identified 25 malicious servers, 18 of which were located in Russia and were running Tor version 0.2.2.37, the same version detailed in the leaked files.
SyTech took down its website after the hack.
“Website ‘Siteka’ is not available – neither in its previous form, nor in the version with ‘Yob-face’. When you call the company on the answering machine, the standard message is turned on, in which you are invited to wait for the secretary’s response, but short beeps follow.” concludes BBC Russia.
The former NSA contractor who pled guilty to stealing over 50TB of data from the Agency was sentenced to nine years in prison.
The former National Security Agency contractor Harold Thomas Martin III, who was accused and subsequently pled guilty to stealing over 50TB of classified NSA data, was sentenced to nine years in prison.
The man was arrested by the FBI in October 2016, and the US DoJ charged Harold Thomas Martin with theft of secret documents and highly classified government material. According to a court complaint, the stolen data included source code developed by the NSA for its hacking campaigns against foreign governments.
According to the Politico website, sources informed of the events reported that Kaspersky learned about Martin after he sent strange Twitter messages to two researchers of the firm in 2016, minutes before The Shadow Brokers began leaking the NSA dump online.
“The timing was remarkable — the two messages arrived just 30 minutes before an anonymous group known as Shadow Brokers began dumping classified NSA tools online and announced an auction to sell more of the agency’s stolen code for the price of $1 million Bitcoin. ” reported the Politico website.
“The case unfolded after someone who U.S. prosecutors believe was Martin used an anonymous Twitter account with the name ‘HAL999999999’ to send five cryptic, private messages to two researchers at the Moscow-based security firm,” Politico reports.
A first message sent on Aug. 13, 2016, asked one of the researchers to arrange a conversation with Kaspersky Lab CEO Eugene Kaspersky.
Kaspersky reported the events to the NSA, which identified Martin; the FBI arrested him later.
The DoJ’s chief national security prosecutor John Carlin revealed that Martin was employed by Booz Allen Hamilton, the same defense contractor that employed the notorious Edward Snowden at the time the whistleblower disclosed the mass surveillance program conducted by the NSA on a global scale.
The theft was the largest heist of classified government material in the history of the US.
The Israeli surveillance firm NSO Group informed its clients that it is able to mine user data from major social media platforms.
The Financial Times reported that the Israeli surveillance firm NSO Group informed its clients that it is able to mine user data from major social media. NSO is based in Herzliya, near Tel Aviv, and employs 600 people worldwide. The private equity firm Novalpina Capital has the majority of the shares in NSO Group.
“[NSO Group] told buyers its technology can surreptitiously scrape all of an individual’s data from the servers of Apple, Google, Facebook, Amazon and Microsoft, according to people familiar with its sales pitch” reported the FT.
According to the AFP, an NSO spokesperson denied the allegation.
“There is a fundamental misunderstanding of NSO, its services and technology,” the spokesman said.
“NSO’s products do not provide the type of collection capabilities and access to cloud applications, services, or infrastructure as listed and suggested in today’s FT article.”
The FT report cites documents it had viewed and descriptions of a product demonstration. According to the report, the surveillance capabilities of the company had “evolved to capture the much greater trove of information stored beyond the phone in the cloud, such as a full history of a target’s location data, archived messages or photos”.
NSO pointed out that it does not operate its solutions, including the Pegasus spyware; instead, it only licenses them to law enforcement and government agencies “for the sole purpose of preventing or investigating serious crime including terrorism”.
Pegasus is a powerful surveillance tool: it is able to steal any kind of data from smartphones and to use the device’s camera and microphone to spy on the surrounding environment.
Dutch authorities announced the arrest of a 20-year-old man for allegedly developing the Dryad and Rubella Macro Builders.
Dutch authorities have arrested a 20-year-old man accused of being the author of the Dryad and Rubella Macro Builders.
The man, who lives in Utrecht, created and distributed the Rubella, Cetan and Dryad toolkits.
“Recently the high tech crime team (THTC) of the Dutch National Police Unit arrested a 20 year old resident of the Dutch city of Utrecht. He is suspected of large-scale production and selling of malware.” reads the announcement. “The young man offered programs with names like Rubella, Cetan and Dryad, enabling the buyer to include secret code or malware in amongst others Word or Excel files.”
Both macro builders allow crooks to easily create malicious Office documents that are usually involved in hacking campaigns as a first-stage loader for other malware.
The Rubella Macro Builder crimeware kit appeared in the threat landscape in April 2018 and rapidly gained popularity in the cybercriminal underground. It allows crooks to generate a malicious payload for social-engineering spam campaigns; the author offered it as a service, with a three-month license costing $120.
According to Flashpoint, Rubella is not particularly sophisticated; the builder is used to create weaponized Microsoft Word or Excel documents for use in spam email.
The macro might also purposely attempt to bypass endpoint security defenses.
The Rubella Macro Builder is cheap, fast and easy to use, and the malware it generates can evade antivirus detection.
According to Flashpoint experts, some popular criminal gangs used Rubella malware in their campaign, including the criminal crews behind the Panda and Gootkit banking malware.
The Dutch man was identified by law enforcement with the support of McAfee and another private company.
According to McAfee, Dryad and Rubella are very similar, and a conversation with the suspect revealed that the individual was behind both of them.
“Announced today, the Dutch National High-Tech Crime Unit (NHTCU) arrested an individual suspected of building and selling such a criminal toolkit named the Rubella Macro Builder.” reads a post published by McAfee. “McAfee Advanced Threat Research spotted the Rubella toolkit in the wild some time ago and was able to provide NHTCU with insights that proved crucial in its investigation.”
The man was also promoting a variety of different products and services, ranging from stolen credit card data, malware to steal funds from crypto wallets and a malicious loader to a newly pitched product called Tantalus ransomware-as-a-service.
The Dutch authorities also revealed that the man had in his possession access credentials for thousands of websites.
The police also seized around 20,000 Euro (around $22,000) in cryptocurrency such as Bitcoin.
“Toolkits that build weaponized Office documents, like Dryad and Rubella, cater to the increasing cybercriminal demand of this type of infection vector. With the arrest of the suspect comes an end to the era of Dryad and Rubella Macro Builder.” concludes McAfee. “Based on his activity, the suspect looked like quite the cybercriminal entrepreneur, but given his young age this is also a worrisome thought. If only he would have used his skills for good. The lure of quick cash was apparently more enticing than building a solid long-term career. We at McAfee never like to see young talented individuals heading down a dark path.”
Poland and Lithuania are probing the potential privacy and security risks of using the Russian-made app FaceApp.
Millions of people recently downloaded the FaceApp app and are taking part in the “#FaceApp Challenge” to show friends what they will look like when they are old and grey. Many security experts are warning of the risks of using the popular app, as threat actors could potentially be interested in the data collected by FaceApp.
FaceApp was developed in 2017 by Wireless Lab, when it was downloaded 80 million times; now, thanks to the challenge, it is going viral. Wireless Lab is a Russian firm based in the Skolkovo hub near Moscow, which was created by the Kremlin and is considered Russia’s Silicon Valley.
The app leverages neural networks to simulate aging: it adds wrinkles, turns teeth yellow and colors the hair gray.