TechCrunch Falls Victim to OurMine Hacking Group

Verizon-owned prominent technology site TechCrunch has become the latest victim of the OurMine hacking group.

OurMine Security appeared to gain publishing access to the site, which uses the popular content management system WordPress, and posted its now infamous message.

A post on the site under the byline of Seattle-based writer Devin Coldewey said: “Hello Guys, don’t worry we are just testing techcrunch security, we didn’t change any passwords, please contact us.”

The post was then promoted as a ticker, in the red top banner and as the main story on TechCrunch’s front page.

The OurMine posting appeared at around 12.20pm BST (7.20am ET) but was removed within two hours. It was still showing in Google’s index and cache at the time of writing.

The attack on the technology site is the latest in a number of high-profile compromises by OurMine, which have included the social media accounts of Twitter chief executive Jack Dorsey, Facebook CEO Mark Zuckerberg and Google boss Sundar Pichai.

OurMine also claimed responsibility last week for a DDoS attack on Pokémon Go’s servers.

The TechCrunch attack appears to have leveraged a contributor’s account, rather than a hack on the site’s WordPress system. In previous attacks, OurMine has used weaker linked accounts to post to services such as Twitter, rather than taking over the user’s social media accounts directly.

The attacks underscore an inherent flaw in linked systems: your accounts, or in this case your site, are only as resilient as the weakest link. Security experts recommend two-step verification to help prevent accounts from being compromised. It is unknown whether TechCrunch writer accounts required two-step verification for access to the site’s WordPress backend.

TechCrunch, which is owned by AOL, and in turn by Verizon, did not respond to a request for comment.



Cyberespionage Group Patchwork Sets Its Sights on Multiple Industries

A cyberespionage group known for targeting diplomatic and government institutions has branched out into many other industries, including aviation, broadcasting, and finance, researchers warn.

Known as Patchwork, or Dropping Elephant, the group stands out not only through its use of simple scripts and ready-made attack tools, but also through its interest in Chinese foreign relations.

The group’s activities were documented earlier this month by researchers from Kaspersky Lab, who noted in their analysis that China’s foreign relations efforts appear to represent the main interest of the attackers.

In a new report Monday, researchers from Symantec said that the group’s recent attacks have also targeted companies and organizations from a broad range of industries: aviation, broadcasting, energy, financial, non-governmental organizations (NGO), pharmaceutical, public sector, publishing and software.

While most of Patchwork’s past victims were based in China and Asia, almost half of the recent targets observed by Symantec were based in the U.S.

The group uses a legitimate mailing list provider to send newsletter-like emails to its intended targets. The rogue emails link to websites set up by the attackers with content related to China. Depending on the industry they operate in, victims receive links to websites with content relevant for their business.

The rogue websites have links to .pps (PowerPoint) or .doc (Word) files hosted on other domains. If downloaded and opened, these files attempt to exploit known vulnerabilities in Microsoft Office in order to execute rogue code on users’ computers.

The Symantec researchers have observed exploits for the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158), the Microsoft Windows OLE Package Manager Remote Code Execution Vulnerability (CVE-2014-4114) and the Microsoft Office Memory Corruption Vulnerability (CVE-2015-1641).

Since the most recent of those vulnerabilities, CVE-2015-1641, was patched by Microsoft in April 2015, attackers appear confident that their targets have outdated Microsoft Office installations on their computers.

Typically, the PowerPoint file will try to exploit CVE-2014-4114, and if successful, will install a backdoor program called Enfourks that functions as an AutoIT executable. AutoIT is a scripting language for automating graphical user interface interactions.

The .doc files will try to exploit CVE-2012-0158 or CVE-2015-1641 and will try to install a different backdoor program called Steladok. Both of these programs can search for and steal files or can be used to install additional malware components.



Kovter Trojan Gets New Persistence Mechanism

The actor behind the Kovter Trojan has come up with a new persistence mechanism over the past weeks and also started masquerading the malware as a Chrome update, Microsoft security researchers warn.

It’s a well-known fact that cybercriminals are constantly updating their malicious applications to ensure increased efficiency, and the people behind Kovter have been very active in this regard over the past several months: in April, they added ransomware capabilities to this file-less Trojan, while starting to masquerade it as a Firefox update several weeks ago.

Now, Microsoft Malware Protection Center (MMPC) researchers reveal that the actor has updated Kovter’s persistence method and that they also observed changes in the latest campaigns associated with this threat. The new persistence method, spotted for the first time last month, makes remediation more difficult for antivirus software, researchers say.

Kovter, already known for its file-less infection capabilities, generates and registers a new random file extension upon installation, and also defines a new shell open verb to handle this specific extension. For that, the malware sets specific registry keys, which ensure that the malicious Kovter command contained in the registry key is executed via the shell extension open verb each time a file with that custom file extension is opened.

As Duc Nguyen, MMPC, explains, all “Kovter needs to do to run on infected machines is open a file with their custom file extension […] – causing the malicious shell open command to run. This in turn runs a command using mshta.”

Although a legitimate tool, mshta is abused by Kovter to execute malicious JavaScript designed to load the main payload from another registry location. To ensure that this shell open command is triggered on a regular basis, the Trojan drops a series of garbage files with its custom file extension in different locations, Nguyen explains. Given that the malicious code is contained within the shell open verb registry key, the content of these garbage files isn’t important.

To complete the installation process, the malware sets up the auto-start mechanism that would automatically open these files, and it uses both a shortcut file and a batch (.bat) file for this. The shortcut (.lnk) pointing to the garbage file is dropped in the Windows startup folder. When using a batch script file (.bat), which is dropped in a randomly generated folder, Kovter sets a registry run key to execute it (the .bat will run the garbage file to execute the malicious shell open verb).

“Instead of just adding the mshta script directly as a run key registry as in the old variant, Kovter is now using this shell open trick to start itself. Although Kovter is technically not fully file-less after this latest update, the majority of the malicious code is still held only within the registry. To remove Kovter completely from an infected computer, antivirus software needs to remove all of these dropped files as well as the registry change,” the MMPC researcher explains.
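As an added defender-side example (not code from Microsoft’s post or from the article), the script below parses a constructed registry export and Startup-folder listing and flags the chain described above: a custom extension whose shell open command runs mshta, plus the .bat Run-key entry or Startup .lnk that opens a garbage file with that extension. The key paths, file names and the extension are assumptions, not real Kovter indicators.

```python
# Detect the Kovter persistence chain described above in a .reg export plus a
# Startup-folder listing: custom extension -> ProgId -> shell\open\command
# running mshta, and an auto-start (.bat via Run key, or .lnk in Startup).
import re

# Constructed sample export: not real Kovter data; the key paths, extension
# and file names are assumptions chosen to mirror the article's description.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\.q8zt1]
@="q8zt1file"
[HKEY_CURRENT_USER\Software\Classes\q8zt1file\shell\open\command]
@="\"C:\\Windows\\System32\\mshta.exe\" \"javascript:PAYLOAD_PLACEHOLDER\""
[HKEY_CURRENT_USER\Software\Classes\.txt]
@="txtfile"
[HKEY_CURRENT_USER\Software\Classes\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"a3f9"="C:\\Users\\bob\\AppData\\Local\\7f2c\\a3f9.bat"
"OneDrive"="C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
'''
# Constructed Startup-folder listing: shortcut name -> resolved .lnk target.
SAMPLE_STARTUP_LINKS = {
    "a3f9.lnk": r"C:\Users\bob\AppData\Local\7f2c\a3f9.q8zt1",
    "Send to OneNote.lnk": r"C:\Program Files\Microsoft Office\ONENOTEM.EXE",
}
MSHTA = re.compile(r"\bmshta(\.exe)?\b", re.IGNORECASE)

def parse_reg(text):
    """Return {key_path: {value_name: data}}; only string values are decoded."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                data = re.sub(r"\\(.)", r"\1", data[1:-1])  # .reg unescape
            keys[current][name] = data
    return keys

def find_mshta_handlers(keys):
    """Extensions whose ProgId's shell\\open\\command invokes mshta."""
    hits = {}
    for path, values in keys.items():
        ext = path.rsplit("\\", 1)[-1]
        progid = values.get("(Default)")
        if not ext.startswith(".") or not progid:
            continue
        cmd_key = path[: -len(ext)] + progid + r"\shell\open\command"
        cmd = keys.get(cmd_key, {}).get("(Default)", "")
        if MSHTA.search(cmd):
            hits[ext] = cmd
    return hits

def find_autostarts(keys, startup_links, bad_exts):
    """Run-key entries launching a .bat, and Startup .lnk files whose target
    carries a flagged extension: the two auto-start routes in the article."""
    found = []
    for path, values in keys.items():
        if path.lower().endswith(r"\currentversion\run"):
            found += [("run", n, d) for n, d in values.items()
                      if re.search(r"\.bat\b", d, re.IGNORECASE)]
    for lnk, target in startup_links.items():
        if target.lower().endswith(tuple(e.lower() for e in bad_exts)):
            found.append(("startup", lnk, target))
    return found

def assess(reg_text, startup_links):
    """Returns (mshta_handlers, autostarts); both empty on a clean host."""
    keys = parse_reg(reg_text)
    handlers = find_mshta_handlers(keys)
    return handlers, find_autostarts(keys, startup_links, handlers)
```

On a live host the same checks would be fed from `reg export` output and the resolved targets of the shortcuts in the Startup folder; the benign .txt handler and OneDrive entry are there to show that ordinary associations and run keys are not flagged.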

Other changes observed in Kovter over the past couple of months include the distribution through a fake Chrome browser update. Previously, the Trojan was pretending to be an Adobe Flash or a Firefox update. What’s more, the malware is now using a series of new digital certificates, which ensure a higher infection rate.

According to Microsoft, each time the Kovter actors release a new wave of samples signed with a new certificate, there is a spike in successful infections. Telemetry data shows that some of the latest updates to the Trojan were made around May 21, June 14, and in the first week of July.

To stay protected, users are advised to download and update applications only from their original and trusted websites. They should also install and maintain an anti-virus program to ensure that infection attempts are stopped before they can do any harm.

By SecurityWeek News


Ransomware Advice Service to Tackle Extortion Gang

European police agency Europol is teaming up with cybersecurity companies in an initiative aimed at slowing an “exponential” rise in ransomware.

The scheme revolves around a website that connects victims and police, gives advice and helps with data recovery.

The number of ransomware victims tripled in the first three months of 2016, according to one estimate.

Ransomware is malware that typically demands a fee to unscramble important data on a compromised device.

The No More Ransom site will be updated as ransomware gangs are tackled, one of the project’s partners said.

Co-ordinated by Europol, the initiative also involves the Dutch national police, Intel Security and Kaspersky Labs.

“For a few years now ransomware has become a dominant concern for EU law enforcement,” said Wil van Gemert, Europol’s deputy director of operations.

“We expect to help many people to recover control over their files, while raising awareness and educating the population on how to maintain their devices clean from malware.”

No More Ransom brings together information about what ransomware is, how to avoid falling victim and what to do if a person or company is caught out.

“Right now the only option victims have is to pay the ransom or not,” said Raj Samani, European head of Intel Security. “This gives people another option.”

Often, people struggle to find out what they can do when they are hit.

With this website, victims will be able to upload scrambled files to identify which strain of ransomware has locked up their data, he said.


“We’ve seen a threefold increase in infected victims from January to March this year,” he added. “And we’re seeing a rise in new families of ransomware coming up all the time.”

In June, one site that tracks ransomware logged more than 120 separate families of the malicious code being used in different campaigns.

“It’s becoming a hugely profitable economy for the criminals,” said Mr Samani. “They know there’s real money to be made here.

“What’s particularly telling is that historically ransomware victims have been consumers and small businesses,” he said. “But we are now seeing bigger institutions, hospitals and universities, getting hit.”

The site will be kept up to date with information gleaned from international action against gangs that run ransomware campaigns, Mr Samani said.

Other police forces, security companies and researchers will be encouraged to contribute to the site and add advice or tools to help victims.

At present, the site links to decryption software for four well-known families of ransomware – Coinvault, Shade, Rannoh and Rakhni.


Information of 10.3 Million Interpark Customers Leaked

The private information of an estimated 10.3 million users of online shopping mall Interpark has been stolen by a hacker group.

The information includes names, addresses, email addresses, dates of birth and phone numbers. Police launched an investigation after learning about the massive data theft.

The e-commerce company, owned by U.S. online shopping giant eBay, apologized Monday.

“On July 11, Interpark became aware that some of our user information had been stolen by a hacker group through an advanced persistent threat attack, and reported the hack to the police the next day,” said Interpark on its website.

An advanced persistent threat (APT) attack is carried out on a compromised system over a long period of time without detection, instead of making a one-time hit.

According to the National Police Agency’s Cyber Bureau, the attack began in early May. Interpark only became aware of this when the hackers demanded 3 billion won worth of Bitcoins, a cyber currency that is traded like hard cash.

The company said highly sensitive information such as resident registration numbers and account passwords was not stolen.

By Park Si-soo


Critical Flaws Found in Enterprise File Sharing Tool Filr

Enterprise software maker Micro Focus released security updates for its Filr product last week to patch several critical vulnerabilities discovered by researchers at SEC Consult.

Filr is a file management and collaboration tool that allows enterprise users to access and share corporate files from any device. The product was initially developed by Novell, whose owner, the Attachmate Group, merged with Micro Focus in 2014.

SEC Consult reported on Monday that one of its employees discovered no less than eight serious vulnerabilities affecting Filr versions 1.2 and 2.0. According to the security firm, the flaws can be exploited by an attacker to completely compromise the product.

The list of security holes includes cross-site request forgery (CSRF), command injection, insecure file permission, authentication bypass, path traversal and persistent cross-site scripting (XSS) issues. An attacker can leverage these flaws to alter an appliance’s configuration, execute arbitrary code and commands, and upload arbitrary files.

Researchers also discovered that the HttpOnly flag is not set for session cookies in the web interface. An attacker can leverage this in combination with the persistent XSS vulnerability to steal session cookies.

The following CVE identifiers have been assigned to the vulnerabilities found by SEC Consult: CVE-2016-1607, CVE-2016-1608, CVE-2016-1609, CVE-2016-1610 and CVE-2016-1611. Micro Focus has published separate advisories for each of these weaknesses.

The security holes were reported to the vendor on May 23 and they were addressed last week with the release of Filr 2.0 Security Update 2 and Filr 1.2 Security Update 3. The latest Filr updates also address the Samba vulnerability known as Badlock and an OpenSSL flaw disclosed in May.

While most of the issues discovered by SEC Consult have been patched, there are a couple of bugs that Micro Focus will only patch in upcoming versions. For example, the HttpOnly issue could not be addressed because Micro Focus says a Filr component stops working properly if the flag is set.

The security consulting firm pointed out that these vulnerabilities were identified during a “very quick” security review. Users are advised to update their Filr installations as soon as possible, especially since PoC exploit code has been made available by SEC Consult.

By Eduard Kovacs


2.3 Million ‘Warframe’ and ‘Clash of Kings’ Accounts Compromised

More than 2.3 million user records were compromised as two separate gaming companies announced they suffered data breaches.

Digital Extremes, the company behind Warframe, announced that a list of 775,749 email addresses was compromised after an attacker exploited a Drupal SQL flaw that Drupal patched two weeks after the breach occurred, according to a July 20 post on the company forum.

Separately, a hacker told ZDNet that they made off with 1.6 million accounts from the official forum of the game “Clash of Kings” by exploiting a known weakness in the forum’s outdated vBulletin software, found through dorking, according to a July 22 report.

The hacker provided a sample of the compromised database containing usernames, email addresses, IP addresses, device identifiers, Facebook data and access tokens.

It is unclear if the breaches are connected.

In the operating system arena, most products have auto-update features that check installed software and verify that users have the latest version, Contrast Security CTO and co-founder Jeff Williams said in emailed comments.

He said this type of infrastructure doesn’t exist in the application world, so developers and operations teams are often left flying blind.

“At a minimum, we need an infrastructure to notify users,” Williams said. “But even better would be to enable libraries and applications to automatically update themselves when new critical vulnerabilities are discovered.”



Ransomware Gang Claims Fortune 500 Company Hired Them to Hack the Competition

Ransomware, computer viruses that lock a victim’s files and demand a payment to get them back, has become so common that experts believe it’s now an “epidemic.”

Security experts have always assumed that ransomware hackers are in it for the ransom. But a shocking claim made by one ransomware agent suggests there may be another motive: corporate sabotage.

In an exchange with a security researcher pretending to be a victim, one ransomware agent claimed they were working for a Fortune 500 company.

“We are hired by [a] corporation to cyber disrupt day-to-day business of their competition,” the customer support agent of a ransomware known as Jigsaw said, according to a new report by security firm F-Secure.

“The purpose was just to lock files to delay a corporation’s production time to allow our clients to introduce a similar product into the market first.”

Ransomware is an attractive endeavor for cyber criminals. By asking for relatively low amounts of money from victims—as low as $150 or $400—it has a high rate of success. And by targeting thousands of internet users indiscriminately, it scales really well. But if this operator’s statements are true, it seems like a gang of cyber criminals has found a new way to get paid twice: once by ransom, and once by companies to disrupt their competitors.

The operator thought they were talking to just another ransomware victim, but it was actually an F-Secure researcher posing as “Christine Walters,” a fake persona of a 40-year-old from Finland who knows little about computers and nothing about ransomware.

F-Secure researchers used “her” to contact the operators and support agents of several ransomware families. (Ransomware operations now commonly have “support portals” where victims can get help to understand how to unlock files or use bitcoin to pay for the ransom).

In their exchanges, the ransomware agent told “Christine” that they were surprised she got infected because their operation was targeting specific victims chosen by a corporate client.

“I don’t even know how you got it,” the agent said. “Never have we done anything in Finland.”

The agent never gives too many details, just tantalizing hints. At one point, they say that “the purpose was just to lock files to delay a corporation’s production time to allow our clients to introduce a similar product into the market first.”

“Yes, big name corporation. Fortune 500 company. What I still don’t understand is that the target is in the USA and you and another person in Finland got the email and the client always gives us the contact emails so you are on someone’s mailing list,” the agent told “Christine,” according to F-Secure.

I tried reaching out to the agent via email, but didn’t get an answer for days. When I prodded them again for an interview, I simply got a short response: “I decline. Thank you.”


The agent’s claim that the gang was getting paid by a corporate client to target a specific organization is unprecedented, according to F-Secure.

“If this indeed was a case where ransomware was used on purpose to disrupt a competitor’s operation, it’s the only case we know of,” Mikko Hypponen, the chief research officer at F-secure, told me in an email.

In their last message with “Christine,” the agent says their gang does a lot of for-hire jobs, and even offered “Christine” some advice on how to stay more secure.

“It’s not just corporations. Politicians, governments, husbands, wives. People from all walks of life contract us to hack computers, cell phones, etc. Once again I believe you are on the wrong contact list because we have no customers in Finland and we don’t target individuals with family photos or music on their system. It’s usually something much more complicated than that,” the agent said. “You were lucky. If the virus would have been a self-destruct virus your computer would have crashed beyond recognition. Get a good antivirus.”

Without knowing who the actual target was, and without more details from the agent, it’s impossible to verify this story. Still, given the situation, the agent didn’t really have many reasons to make it up.

“We have no way of confirming the claims of the operator,” Hypponen said. “But I don’t know why he would lie about something like this during a random chat with one of their victims.”

If this is true, the ransomware epidemic is about to get even nastier.



Auto Industry Develops Security Best Practices

Car manufacturers have released a new best practices document designed to improve vehicle cybersecurity in the industry.

The document was penned by the 15 car-maker members of the Automotive Information Sharing and Analysis Center (Auto-ISAC) and draws on the expert advice of over 50 automotive cybersecurity experts.

It includes advice in seven key topic areas: governance; risk assessment & management; security by design; threat detection and protection; incident response; awareness & training; and collaboration & engagement with third parties.

Auto-ISAC claimed the advice features deep technical expertise and draws on established frameworks such as ISO and NIST standards, tailored for the automobile industry.

“Automakers are committed to being proactive and will not wait for cyber threats to materialize into safety risks,” said Auto-ISAC chairman Tom Stricker in a statement.

“The Best Practices initiative represents this commitment to proactive collaboration that our industry made when we stood up the Auto-ISAC last year. I’m proud of the way we have united in our endeavor to minimize the risks our consumers might face from cyber security and privacy threats.”

Threat levels in the industry are on the rise, with even the FBI being forced to release cyber security advice for car owners recently.

Its tips include ensuring car software is patched and up to date, being cautious when modifying on-board software, and exercising discretion when connecting third-party devices to the vehicle.

According to reports from earlier this month, car thieves in Houston managed to gain access to and drive away Jeep Wranglers and Cherokees by hacking them.

As the industry moves towards driverless cars, the threat becomes even greater.

Experts have already warned the UK government to ensure cyber security risks are taken into account during the current consultation into self-driving technologies.

The US attorney general’s office has even warned that rogue nation states could remotely hack connected vehicles in assassination attempts.



India’s Union Bank Reports Cyber Breach of Offshore Account

Union Bank of India Ltd said on Friday one of the bank’s offshore accounts was breached in a cyber attack, but the money trail was traced and the movement of funds was blocked.

“There is no loss caused to the bank,” the state-run bank said in a statement, adding it had informed authorities about the breach.

Separately, Arun Tiwari, the bank’s chairman, told Reuters that the breach of the “nostro” account – which a bank maintains with an overseas bank in foreign currency – took place in New York. A source familiar with the matter originally had said the breach occurred in Hong Kong.

Tiwari declined to say how much money was transferred in the breach, but said the bank had already recovered 70 percent of the amount and the remainder was due to come back in the next few days.

Following a recent cyber attack on the Bangladesh central bank’s account at the New York Federal Reserve, the Reserve Bank of India last month asked Indian banks to immediately put in place a cyber security policy.

Some $81 million was stolen from the Bangladesh central bank account with the New York Fed in one of the biggest-ever cyber heists.

“A cyber security forensic audit has commenced to identify, plug any gaps, and strengthen the system,” Union Bank said in a statement to Indian stock exchanges.

By Suvashree Dey Choudhury

Editing by Larry King