Category Archives: Hackers

Thousands of xHamster login credentials surface online

Members of the porn site xHamster should be changing their passwords today after a set of nearly 380,000 usernames, emails and poorly hashed passwords appeared online.

The subscription-only breach notification site LeakBase has published the set of login credentials, which Motherboard reports were being traded online. It’s not clear exactly where the database originated, but it contains information for only a small subset of xHamster’s 12 million registered users. While xHamster doesn’t require viewers to register with the site, those who do can comment and make video playlists.

Still, the leaked information has the potential to embarrass users — several of the accounts are linked to U.S. Army and other government email addresses. If xHamster’s subscribers reused their passwords on other sites, their accounts on those sites are at risk of compromise, as well.

“The passwords of all xHamster users are properly encrypted, so it is almost impossible to hack them. Thus, all the passwords are safe and the users data secured,” an xHamster spokesperson told Motherboard.

But according to LeakBase, the passwords were hashed with the MD5 algorithm, which is considered insecure. “MD5 hashes are trivial and easy to crack,” according to LeakBase. “The fact they think the hashes are secure is a blatant example of the faulty security placed in companies even to this day.”
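To make the hashing point concrete, here is an added Go example; it is not code from this post, from LeakBase or from xHamster. It contrasts the unsalted MD5 scheme described above, where every account that chose the same password stores the same hash, with per-user salted, iterated hashing (PBKDF2-HMAC-SHA256, written out over the standard library) and a constant-time verify. The three sample accounts, their passwords and the 100,000-iteration work factor are constructed values for the demonstration.

```go
package main

import (
	"crypto/hmac"
	"crypto/md5"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// md5Hex is the scheme LeakBase describes: one unsalted MD5 per password.
// Every account that chose the same password stores the same hash.
func md5Hex(password string) string {
	sum := md5.Sum([]byte(password))
	return hex.EncodeToString(sum[:])
}

// sharedHashes counts accounts per hash. In an unsalted table, reuse is
// visible at a glance and one cracked hash unlocks every account sharing it.
func sharedHashes(hashes []string) map[string]int {
	counts := make(map[string]int)
	for _, h := range hashes {
		counts[h]++
	}
	return counts
}

// pbkdf2SHA256 is RFC 8018 PBKDF2 with HMAC-SHA256, spelled out so the
// example needs only the standard library.
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hashLen := prf.Size()
	blocks := (keyLen + hashLen - 1) / hashLen
	out := make([]byte, 0, blocks*hashLen)
	idx := make([]byte, 4)
	for block := 1; block <= blocks; block++ {
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(idx, uint32(block))
		prf.Write(idx)
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// workFactor is a constructed iteration count for the demo; tune it to hardware.
const workFactor = 100000

// HashPassword stores a fresh 16-byte salt and the stretched hash per user.
func HashPassword(password string) (salt, hash []byte, err error) {
	salt = make([]byte, 16)
	if _, err = rand.Read(salt); err != nil {
		return nil, nil, err
	}
	return salt, pbkdf2SHA256([]byte(password), salt, workFactor, 32), nil
}

// VerifyPassword recomputes the hash and compares it in constant time.
func VerifyPassword(password string, salt, hash []byte) bool {
	got := pbkdf2SHA256([]byte(password), salt, workFactor, 32)
	return subtle.ConstantTimeCompare(got, hash) == 1
}

func main() {
	// Constructed sample: three accounts, two of which chose the same password.
	leaked := []string{md5Hex("hunter2"), md5Hex("hunter2"), md5Hex("correct horse")}
	for h, n := range sharedHashes(leaked) {
		fmt.Printf("md5 %s used by %d account(s)\n", h, n)
	}
	s1, h1, _ := HashPassword("hunter2")
	s2, h2, _ := HashPassword("hunter2")
	fmt.Println("salted: same password, different stored hashes:", !hmac.Equal(h1, h2))
	fmt.Println("verify right:", VerifyPassword("hunter2", s1, h1), "verify wrong:", VerifyPassword("hunter3", s2, h2))
}
```

The duplicate-count pass is the kind of triage a defender can do on a leaked table without cracking anything: identical hashes mean identical passwords, which is exactly what a per-user salt prevents. A memory-hard function (scrypt, Argon2) is the better choice for a real deployment; PBKDF2 is used here only because it fits in the standard library.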


Locky Ransomware Encrypts Files Even When Machine Is Offline

The latest strain of the Locky ransomware has added a fallback mechanism for situations where the code can’t reach its Command & Control server.

Researchers from antivirus vendor Avira blogged about this version which starts encrypting files even when it cannot request a unique encryption key from the Command & Control server because the computer is offline or a firewall blocks outgoing communications.

Calling the mothership is normally required for ransomware that uses public key cryptography. In fact, if the code is unable to call home to a Command & Control server after infecting a new machine, most ransomware does not start the encryption process and is dead in the water.

Why? The encryption routine needs unique public-private key pairs that are generated by the Command & Control server for each infection. How does this work? Here is a simplified sequence of events.

  1. The ransomware program generates a local encryption key and uses an algorithm like AES (Advanced Encryption Standard) to encrypt files with certain extensions.
  2. It reaches out to a Command & Control server and asks that machine to generate an RSA key pair for the newly infected system.
  3. The public key of that pair is sent back to the infected machine and used to encrypt the AES encryption key from step 1. The private key (needed to decrypt what the public key encrypted) stays on the Command & Control server; it is the key you receive when you pay the ransom and is used for decryption.

As you see, a lot of ransomware strains are useless if a firewall detects their attempt to call home and blocks it as suspicious. There is another scenario however…

As damage control, organizations also cut off a computer from the network the moment a ransomware infection is detected. They might even take the whole network offline until they can investigate if other systems have also been infected.

The silver lining? If someone pays the ransom and gets the private key, that key will work for all other offline victims as well, so expect a free decryptor to become available in the near future.
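The three steps above are plain hybrid (envelope) encryption, and both the dependency on the call home and the “silver lining” follow from them. The Go program below is an added illustration, not code from Avira or from the malware, that models the key flow on in-memory byte strings only: without any public key the data key cannot be wrapped and nothing is encrypted; with one key pair per victim, a private key recovers only its own victim; with one embedded public key shared by every offline victim, the single matching private key recovers all of them, which is why a universal decryptor becomes possible. Function names, the sample inputs and the key sizes are the example’s own choices.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Victim is what one simulated machine holds afterwards: GCM nonce,
// encrypted data, and the AES data key wrapped under an RSA public key.
type Victim struct {
	Nonce, Ciphertext, WrappedKey []byte
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt is steps 1 to 3 in miniature: a fresh AES-256 data key protects the
// data and is wrapped with RSA-OAEP under pub. A nil pub models a blocked
// call home with no embedded key: nothing gets encrypted at all.
func Encrypt(pub *rsa.PublicKey, data []byte) (*Victim, error) {
	if pub == nil {
		return nil, errors.New("no public key available: encryption never starts")
	}
	raw := make([]byte, 32+12) // AES-256 data key followed by a 12-byte GCM nonce
	if _, err := rand.Read(raw); err != nil {
		return nil, err
	}
	dataKey, nonce := raw[:32], raw[32:]
	gcm, err := gcmFor(dataKey)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, nil)
	if err != nil {
		return nil, err
	}
	return &Victim{nonce, gcm.Seal(nil, nonce, data, nil), wrapped}, nil
}

// Recover is what a decryptor does: unwrap the data key with priv, then
// decrypt. It fails when priv does not match the wrapping key.
func Recover(priv *rsa.PrivateKey, v *Victim) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, v.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := gcmFor(dataKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, v.Nonce, v.Ciphertext, nil)
}

// CountRecoverable encrypts each constructed input and reports how many the
// first private key recovers. sharedKey=true wraps every victim under one
// embedded key (the offline fallback); false mints a pair per victim, as a
// reachable C2 would.
func CountRecoverable(inputs [][]byte, sharedKey bool) (int, error) {
	firstPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return 0, err
	}
	var victims []*Victim
	for i, in := range inputs {
		priv := firstPriv
		if !sharedKey && i > 0 {
			if priv, err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
				return 0, err
			}
		}
		v, err := Encrypt(&priv.PublicKey, in)
		if err != nil {
			return 0, err
		}
		victims = append(victims, v)
	}
	recovered := 0
	for i, v := range victims {
		if pt, err := Recover(firstPriv, v); err == nil && string(pt) == string(inputs[i]) {
			recovered++
		}
	}
	return recovered, nil
}

func main() {
	samples := [][]byte{[]byte("report.docx"), []byte("photos.zip"), []byte("thesis.pdf")}
	offline, _ := CountRecoverable(samples, true)
	perVictim, _ := CountRecoverable(samples, false)
	fmt.Printf("embedded key recovers %d of %d; per-victim keys recover %d of %d\n", offline, len(samples), perVictim, len(samples))
	_, err := Encrypt(nil, samples[0])
	fmt.Println("call home blocked:", err)
}
```

Two things follow for a responder. First, blocking the outbound call (or pulling the cable) is decisive only for builds that have nothing to fall back on; once a public key ships inside the binary, egress filtering no longer stops encryption and only backups do. Second, if the embedded key pair is ever recovered, by a paid ransom or otherwise, `Recover` with that one private key works for every offline victim, so publishing the private key is enough to build the free decryptor the post anticipates.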



PETYA Crypto-ransomware Overwrites MBR to Lock Users Out of Their Computers

As if encrypting files and holding them hostage weren’t enough, cybercriminals who create and spread crypto-ransomware are now resorting to causing a blue screen of death and putting their ransom notes at system startup—as in, even before the operating system loads. Imagine turning on your computer and, instead of the usual Windows icon loading, getting a flashing red and white screen with a skull-and-crossbones.


This is the routine of a new crypto-ransomware variant dubbed “Petya”. Not only does this malware have the ability to overwrite the affected system’s master boot record (MBR) in order to lock users out, it is also interesting to note that it is delivered to victims via a legitimate cloud storage service (in this case, via Dropbox).

This isn’t the first time that malware has abused a legitimate service for its own gain; however, it is the first time (in a long time) that such abuse has led to a crypto-ransomware infection. It is also a departure from the typical infection chain, wherein the malicious files are attached to emails or hosted on malicious sites and delivered by exploit kits.

Infection Routine

Reportedly, Petya is still distributed via email. Victims would receive an email tailored to look and read like a business-related missive from an “applicant” seeking a position in a company. It would present users with a hyperlink to a Dropbox storage location, which supposedly would let the user download said applicant’s curriculum vitae (CV).

In samples analyzed, the Dropbox folder the link points to contains two files: a self-extracting executable file, which purports to be the CV, and the applicant’s photo. Further digging revealed that the photo is a stock image that is most likely used without permission from the photographer.


Of course, the file downloaded isn’t actually a resume at all, but rather a self-extracting executable file which would then unleash a Trojan onto the system. The Trojan then blinds any antivirus programs installed before downloading (and executing) the Petya ransomware.

Infection Symptoms

Once executed, Petya overwrites the MBR of the entire hard drive, causing Windows to crash and display a blue screen. Should the user try to reboot his PC, the modified MBR will prevent him from loading Windows normally and instead greet him with an ASCII skull and an ultimatum: pay up with a certain amount of bitcoins or lose access to your files and computer.

Another thing to point out here is that the edited MBR also disallows restarting in Safe Mode.

The user is then given explicit instructions on how to do this, just like any crypto-ransomware currently making the rounds: a list of demands, a link to the Tor Project and how to get to the payment page using it, and a personal decryption code.


Looking at its very professionally-designed Tor website, we discover that its ransom price is currently at 0.99 Bitcoins (BTC), or US$431 – and that said price would be doubled if the on-screen deadline for payment is missed.




Weird New Cerber Ransomware Speaks To Its Victims

There is a new strain of ransomware called Cerber that takes creepiness to the next level.

It drops three files on the victim’s desktop named “# DECRYPT MY FILES #.” These files contain instructions about the ransom amount and how to pay it. One of the files is your standard TXT format, one is HTML and the third is plain weird. It contains a Visual Basic Script, which contains text-to-speech code that converts text into an audio message.

“When the above script is executed, your computer will speak a message stating that your computer’s files were encrypted and will repeat itself numerous times,” Larry Abrams from Bleepingcomputer said in a blog post. They have a sample in that post you can listen to.

Cerber’s criminal developers are selling the tool as Ransomware-as-a-Service (RaaS) so that practically anyone can use it without any coding experience. It is easy to find out where this new strain originated. When first run, Cerber will check to see if the victim is from a particular country. If the computer appears to be from any of the following countries, it will terminate itself and not encrypt the computer: Armenia, Azerbaijan, Belarus, Georgia, Kyrgyzstan, Kazakhstan, Moldova, Russia, Turkmenistan, Tajikistan, Ukraine, Uzbekistan.

Yup, that was easy. Another Eastern European cyber gang with another strain.


Malicious adware’s latest trick is replacing your whole browser

Just recently, infosec celebrity Swift on Security pointed out a new piece of adware called the “eFast Browser.” It does the kind of malicious crap that we’ve all seen quite often over the years: throwing pop-up and pop-under ads on your screen, putting other ads into your web pages, pushing you towards other websites with more malware, and (of course) tracking your movements on the web so that nefarious marketers can send more crap your way.

But what’s nefariously intriguing about this software is that it isn’t trying to hijack your current browser, it’s straight-up replacing it. As reported by Malwarebytes, eFast tries to delete Chrome and take its place, hijacking as many link and file associations as it can. Its icon and window look a lot like Chrome’s, and it’s based on the open source Chromium project in the first place, so it acts a lot like Chrome too. The software comes from a company calling itself Clara Labs, which is actually behind a slew of similar browsers with names like BoBrowser, Tortuga, and Unico.

Chrome really led the way to the new paradigm of how to do extensibility correctly. Firefox/Edge is almost literally working on copying it.

— SecuriTay (@SwiftOnSecurity) October 16, 2015

The weird thing about this software is that it’s actually kind of good news, security wise. As Swift on Security points out, it’s easier for malware to just try to replace your browser than it is to infect it. That’s because Chrome moved toward locking down extensions by requiring that they come through Google’s web store (and thereby Google’s code review and code signing). Mozilla’s Firefox and Microsoft’s Edge browsers are moving in the same direction. So while replacing your whole browser isn’t totally new for malware, the fact that it’s the best vector for attack now might be.

According to PCrisk, eFast and its ilk try to get on your computer by burrowing themselves into the installers for free software from dubious sources on the web. It should be relatively easy to avoid installing it and, fortunately, should also be relatively easy to uninstall if you’ve found it on your computer.


An Android Porn App Takes Your Photo and Holds It to Ransom


Users of the “Adult Player” Android app are in for a shock: it’s emerged that the Android app has been secretly taking photos of users – and wants their cash in exchange for deletion.

The Register reports that security firm Zscaler was first to spot the app, which presents itself as a normal video playing app, albeit for playing videos of an adult nature. Apparently once it has silently snapped photos of its victim it will display a message on screen demanding that they pay $500. Otherwise, well… do you want people knowing you’ve used the app?

Apparently once the ransom message appears it will stay fixed on your phone screen, even if you reboot. Whilst no doubt highly illegal and bad and wrong, you have to admire how clever the ruse is.

But there is good news: Adult Player isn’t actually available on the Google Play store, and to use it users will have to have installed the app’s APK file manually, checking the box in settings to allow their phones to run apps from non-trusted sources. So there’s no need to be too nervous when downloading new apps to your phone. If an app was listed in the app store, apart from the fact that Google would probably stop it from being published in the first place, if it wanted to use your camera you would have to grant it explicit permission.

So let this be a lesson: If you want to let a porn app do anything to your phone, make sure you use an app that ensures that it does it, umm, explicitly.


Affair Site Ashley Madison Hacked, Info Stolen For 37 Million Accounts

You won’t find Ashley Madison on any of my recommendations. However, the site aimed at helping people in existing relationships have an affair has been hacked, with 37 million users’ data stolen. And worse yet, that data’s currently being held for ransom. Who knows where this could lead?

According to security site Krebs on Security (who previously reported the Home Depot hack), Ashley Madison’s parent company Avid Life Media suffered a security breach at the hands of a hacker group calling itself the Impact Team. The group is currently holding data on 37 million of Avid Life Media’s users for ransom, demanding that Ashley Madison, as well as sister-site Established Men, be taken offline permanently.

The personal data stolen includes real names, financial records, and private details for users of the site. While the data has not yet been revealed to the public, a small sample data set was initially released before being taken offline.

Avid Life Media released a statement saying that it has secured the unauthorized access points and is currently working with law enforcement to identify the perpetrators of the attack and prevent the data from being released. It’s unclear whether there’s anything users can do to protect their accounts.

Online Cheating Site AshleyMadison Hacked | Krebs on Security
