
Tag: Pastebin

From Shamoon to StoneDrill

Beginning in November 2016, Kaspersky Lab observed a new wave of wiper attacks directed at multiple targets in the Middle East.

The malware used in the new attacks was a variant of the infamous Shamoon worm that targeted Saudi Aramco and Rasgas back in 2012.

Free decryption tools now available for Dharma ransomware

Computer users who have been affected by the Dharma ransomware and have held onto their encrypted files can now restore them for free. Researchers have created decryption tools for this ransomware strain after someone recently leaked the decryption keys.

Dharma first appeared in November and is based on an older ransomware program known as Crysis. It's easy to recognize files affected by it because they will have the extension .[email_address].dharma, where the email address is the one used by the attacker as a point of contact.

On Wednesday, a user named gektar published a link to a Pastebin post on the BleepingComputer.com technical support forum. The post, he claimed, contained the decryption keys for all Dharma variants.

Breach site LeakedSource apparently raided by feds

A message on Pastebin said its servers were "subpoenaed" and the site is under federal investigation.

Hacker claims FBI CMS zero day hack, dumps 155 purported logins

Amnesty nobs Plone CMS bug

A hacker is claiming to have breached the FBI's content management system, dumping email addresses and salted SHA1 password hashes online. The hacker, using the handle @cyberzeist, claims to have breached the Plone CMS using a zero-day flaw allegedly for sale on an unnamed dark web site.

The Register has contacted the FBI to confirm the allegations. It was not immediately available for comment; however, an operative was aware of the claimed incident.

Cyberzeist claims to have conducted the hack last month and has posted to Twitter what they claim are screen captures showing the FBI patching against the vulnerability, which appeared to permit public access. The hacker dumped the 155 purported stolen credentials to the online clipboard Pastebin, claiming the vulnerability resides in a Plone Python module. They said the websites of the European Union Agency for Network and Information Security and the National Intellectual Property Rights Coordination Center are also vulnerable.

Cyberzeist also claimed the FBI contacted the hacker requesting a copy of the stolen credentials, which they declined to provide. The hacker reckoned the CMS was hosted on a virtual machine running a custom FreeBSD. They said they will tweet the zero-day flaw once it is no longer for sale.

"FBI trying to patch-up their Plone CMS #0day at https://t.co/IRhqdQjNbp, too late!! #ComingSoon #NewYearsEve pic.twitter.com/u7KOXNO3qV" — CyberZeist (@cyberzeist2) December 31, 2016

The FBI is a confirmed user of the Plone CMS, as is Amnesty International. The latter organisation acknowledged a warning from Cyberzeist that its CMS was exposed. The hacker claimed the FBI's site was offline on New Year's Eve, but none of the dozen WayBackMachine site captures of the FBI's homepage on 31 December and 1 January indicated it was unavailable.

Nemucod Downloader Spreading Via Facebook

Earlier today, a friend of mine notified me of something strange going on with his Facebook account: a message containing only an image (an .svg file in reality) had been sent automatically, effectively bypassing Facebook's file extension filter: 'Photo_9166.svg'

What is an .svg file? From Wikipedia: Scalable Vector Graphics (SVG) is an XML-based vector image format for two-dimensional graphics with support for interactivity and animation. The SVG specification is an open standard developed by the World Wide Web Consortium (W3C) since 1999.

More specifically, this means that you can embed any content you want (such as JavaScript); additionally, any modern browser will therefore be able to open this file. The contents of our 'photo' (a copy of the file is on Pastebin) are a heavily obfuscated script which, after opening, redirected you to a fake YouTube: a website purporting to be YouTube, with a video from Facebook - of course, you needed to install an additional extension to view it :)

The extension has no icon and thus seems invisible; additionally, it can do the following:

Currently, I'm not exactly sure what this extension is supposed to do besides spreading itself automatically via Facebook, but likely it downloads other malware to your machine. One of my security colleagues had in fact noticed similar behavior and got ransomware (Locky) as payload:

— peterkruse (@peterkruse) November 20, 2016

The extension's description can be one of the following, and they seem semi-random. Note that other variations are possible:

One ecavu futolaz corabination timefu episu voloda
Ubo oziha jisuyes oyemedu kira nego mosetiv zuhum

The Facebook security team as well as Google Chrome's store security team have been notified.

Removal

Remove the malicious extension from your browser immediately. Additionally, run a scan with your antivirus and change your Facebook password afterwards. Notify your friends that you sent a malicious file, or, in the other case, let your friend know he/she is infected. If you keep receiving the same message from your friend, you may want to temporarily block their messages.

Conclusion

As always, be wary when someone sends you just an 'image' - especially when it is not how he or she would usually behave. Additionally, even though both Facebook and Google have excellent security controls/measures in place, something bad can always happen. For those interested, all related files have been uploaded to VirusTotal, and their hashes and domains can be found, as always, on AlienVault's OTX: Nemucod downloader spreading via Facebook
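The post's point is that an SVG is an XML document a browser will execute, not a picture. As an added example (my own code, not from the original post, Facebook or Google), the check below parses an SVG and reports script elements, on* event-handler attributes and javascript:/data: URIs in href attributes, so an upload filter can treat such a file as an active document rather than an image. The two sample SVGs are constructed; the suspicious one stands in for the obfuscated redirect described above and carries no real payload.

```python
# Added example (not code from the original post, Facebook or Google): a
# triage check that flags SVG "images" carrying script or event-handler
# content. The two sample SVGs below are constructed.
from __future__ import annotations

import xml.etree.ElementTree as ET
from typing import List


def _local(qualified: str) -> str:
    """Strip the namespace from an ElementTree name like '{ns}script'."""
    return qualified.rsplit("}", 1)[-1].lower()


def svg_active_content(svg_bytes: bytes) -> List[str]:
    """Return findings describing active content in an SVG document.

    Looks for <script> elements, on* event-handler attributes and
    javascript:/data: URIs in (xlink:)href attributes. An empty list means
    nothing active was found; a parse error is reported as a finding, since
    a file that is not well-formed XML is not a trustworthy image either.
    """
    findings: List[str] = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"parse-error: {exc}"]
    for elem in root.iter():
        # Comments and processing instructions have non-string tags; skip them.
        if not isinstance(elem.tag, str):
            continue
        name = _local(elem.tag)
        if name == "script":
            findings.append("script element")
        for attr, value in elem.attrib.items():
            attr_name = _local(attr)
            if attr_name.startswith("on"):
                findings.append(f"event handler {attr_name} on <{name}>")
            elif attr_name == "href":
                scheme = value.strip().lower().split(":", 1)[0]
                if scheme in ("javascript", "data"):
                    findings.append(f"{scheme}: URI in href on <{name}>")
    return findings


# Constructed samples: a plain drawing, and an "image" of the kind described
# above that runs code as soon as a browser opens it (script body omitted).
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <rect width="10" height="10" fill="blue"/>
</svg>"""

SUSPICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <script type="text/javascript">/* obfuscated redirect would be here */</script>
  <a xlink:href="javascript:void(0)">
    <rect onclick="void(0)" width="1" height="1"/>
  </a>
</svg>"""


if __name__ == "__main__":
    for label, data in (("benign", BENIGN_SVG), ("suspicious", SUSPICIOUS_SVG)):
        print(label, svg_active_content(data) or "clean")
```

This is a triage check rather than a sanitizer: a file with an empty findings list can still be hostile in other ways (for example through external references), so the safe handling for user-uploaded SVG remains serving it with an image content type or rasterizing it server-side rather than letting the browser open it as a document.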

CrySis Ransomware Master Decryption Keys Released

The threat posed by a ransomware family known as CrySis was diminished considerably on Sunday when the master decryption keys were released to the public. Researchers at Kaspersky Lab said they have already folded the keys into the company’s Rakhni decryptor and victims of CrySis versions 2 and 3 now have a means of recovering their lost files. The key was posted at 1 a.m. Eastern time to the BleepingComputer.com forums by a user known only as crss7777, said founder Lawrence Abrams.

Abrams speculates that it could have been the ransomware developer who posted the key on the site’s CrySis support forum page; the post included a Pastebin link to a header file written in C that contains the master decryption keys and instructions on how to use them. “Though the identity of crss7777 is not currently known, the intimate knowledge they have regarding the structure of the master decryption keys and the fact that they released the keys as a C header file indicates that they may be one of the developers of the CrySiS ransomware,” Abrams said. “Why the keys were released is also unknown, but it may be due to the increasing pressure by law enforcement on ransomware infections and the developers behind them.” CrySis surfaced in February after a report by researchers at Eset said the ransomware was quickly gaining favor from hackers after the decryption of TeslaCrypt ransomware.

CrySis spread via email attachments with double file extensions or through links in spam messages.
It was also found lurking in Trojanized versions of freely available software such as compression programs like WinRAR. Like most ransomware, it could encrypt a large number of file types and sought to encrypt data stored on shared drives.

Documents encrypted by CrySis have their filenames changed to include a .xtbl extension and an email address, similar to [filename].id-[id].[email_address].xtbl, BleepingComputer said. Kaspersky researchers said CrySis accounted for 1.15 percent of ransomware infections this year, with most of the victims found in Russia, Japan, South and North Korea, and Brazil. A number of virulent ransomware families have been extinguished this year, including CryptXXX, TeslaCrypt, Chimera, Jigsaw and others. Ransomware has been among the most feared malware threats of the year; attacks have taken large organizations in a number of industries offline and have impacted customer service.
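The CrySis naming scheme described here ([filename].id-[id].[email_address].xtbl) and the Dharma scheme from the decryptor item above (.[email_address].dharma) are regular enough to match mechanically. As an added example, not code from BleepingComputer, Kaspersky or the article, the script below classifies constructed file names against both schemes and tallies which attacker contact address each points to, which is what a responder needs before choosing a decryptor. The file names and addresses are constructed.

```python
# Added example (not from the article, BleepingComputer or Kaspersky):
# recognise CrySis and Dharma victims from the renaming schemes described
# above and summarise which attacker contact address each file points to.
# All file names below are constructed.
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

# Bracketed attacker e-mail address shared by both naming schemes.
EMAIL = r"\[(?P<contact>[^\[\]\s@]+@[^\[\]\s@]+)\]"

PATTERNS = {
    # [filename].id-[id].[email_address].xtbl
    "crysis": re.compile(
        r"^(?P<original>.+)\.id-(?P<victim_id>[A-Za-z0-9]+)\." + EMAIL + r"\.xtbl$"
    ),
    # [filename].[email_address].dharma
    "dharma": re.compile(r"^(?P<original>.+)\." + EMAIL + r"\.dharma$"),
}


def classify(filename: str) -> Optional[Dict[str, str]]:
    """Return family, original name, contact address (and victim id for
    CrySis) for a renamed file, or None if the name matches neither scheme."""
    for family, pattern in PATTERNS.items():
        m = pattern.match(filename)
        if m:
            info = {"family": family, "original": m["original"], "contact": m["contact"]}
            if "victim_id" in m.groupdict():
                info["victim_id"] = m["victim_id"]
            return info
    return None


def scan(filenames: Iterable[str]) -> Tuple[List[Dict[str, str]], Counter]:
    """Classify every name and count (family, contact) pairs, so one sweep of
    a share tells you which strain and which extortion address you face."""
    hits = [info for info in map(classify, filenames) if info]
    summary = Counter((h["family"], h["contact"]) for h in hits)
    return hits, summary


# Constructed directory listing: two CrySis files with the same victim id,
# one Dharma file, one untouched file, and a decoy .xtbl that lacks the
# id/contact fields and therefore must not match.
SAMPLE_FILES = [
    "budget.xlsx.id-3F1A9C02.[constructed@example.invalid].xtbl",
    "q3-report.docx.id-3F1A9C02.[constructed@example.invalid].xtbl",
    "photo.jpg.[other-constructed@example.invalid].dharma",
    "notes.txt",
    "archive.tar.xtbl",
]


if __name__ == "__main__":
    hits, summary = scan(SAMPLE_FILES)
    for h in hits:
        print(h)
    for (family, contact), n in summary.items():
        print(f"{family}: {n} file(s) pointing to {contact}")
```

The anchored patterns matter: a bare .xtbl or .dharma extension without the bracketed address is not evidence of either family, and the original file name is recovered as the longest prefix before the ransomware's suffix, which is what a decryptor needs to restore the file under its old name.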

A number of high-profile attacks against hospitals and utilities put ransomware on the map as patient care was impacted in a couple of attacks as organizations wrestled with the question of whether to pay the attackers’ demands. In the meantime, the FBI put out a number of warnings about ransomware, urging businesses to be vigilant about patching software that could be targeted by exploit kits spreading the malware, or about email campaigns spreading these infections. “The inability to access the important data these kinds of organizations keep can be catastrophic in terms of the loss of sensitive or proprietary information, the disruption to regular operations, financial losses incurred to restore systems and files, and the potential harm to an organization’s reputation,” the FBI said in May. In September, the FBI made a public plea to organizations that have been ransomware victims to share incident reports, looking for details on how the infection happened, any losses incurred, the attackers’ Bitcoin wallet address and more.

6.6 million plaintext passwords exposed as site gets hacked to the...

Reusing four-year-old passwords from MySpace for GitHub? Plaintext passwords, usernames, e-mail addresses, and a wealth of other personal information have been published for more t...

Inside Eve: Online’s propaganda machine—from Photoshop to DDoS

On June 30, 2016, a costly battle took place in Eve: Online.

An alliance of players calling themselves the Imperium—assisted by allies in the game's low security region—destroyed four Titan-class ships (the game's largest and most expensive) and inflicted damage worth half a trillion of the in-game currency (ISK) on their enemies in the Money Badger Coalition (MBC).

This battle was one of the largest since the so-called Bloodbath of B-R5RB in 2014, which resulted in losses of 11 trillion ISK—worth roughly $300,000 (£228,000) in real-world money. The Imperium’s recent assault on the MBC is hardly a left-field event; Eve players blast the hell out of each other on an almost daily basis.

But this battle was special; it took place just days after the MBC declared that it had won once and for all the game's latest large-scale war, with forum posts, fan sites, and Facebook feeds featuring links showing how the Imperium and its allies had been driven back across Eve's map of space.

The MBC was gleeful in its declaration of victory in the months-long struggle it had taken to calling "World War Bee;" it was over and MBC had won. "Our goal was to dismantle the CFC coalition [a looser collection of groups accounting for more than 40,000 players, including the Imperium]," says Killah Bee, a fleet commander in Pandemic Legion, which is part of the MBC. "We dismantled the coalition—the only thing left is the Imperium, the others have left—and we freed the north [territories].

That's what we set out to do."

(Image: The Money Badger Coalition's logo.)

However, cast an eye at TheMittani.com, a major Eve fan news site, or even SomethingAwful.com, and a very different narrative emerges.

Both sites are supporters of the Imperium—whose ultimate leader runs the former—and by extension the Goonswarm, a coalition of factions the Imperium heads up.

To hear them tell it, World War Bee (a name they thoroughly resent) is far from over.
In fact, it's just getting started. "The war's not over at all," says the Mittani himself, Alex Gianturco. "All of [what you're hearing from the MBC], including the victory declaration, is what we predicted they'd do after only a couple of months—so we're right on schedule.

They've now commenced infighting in earnest. We, on the other hand, have been very aggressive in dropping Citadels [space stations] and assisting chunks of the MBC against each other.
I think our enemies would be unwilling to acknowledge this." This all sounds strange; conflict isn't supposed to be up for debate in a video game.
In most games, you're in no doubt as to whether you're under fire from your opponents.
So what gives? Why are two of Eve's biggest factions not only at odds with each other in the game, but in total disagreement as to whether they're even fighting in the first place? The answer lies in Eve's grand narrative and the dogged determination of players to own it. In Eve, as in the real world, the winners write the history books. Or blog posts, as the case may be.

Spin a yarn

Eve's story is written by its players. While nearly every other story-based game, including almost all other MMOs, has a plot that's based on the vision of its developer, Eve's lore relies not on what its developer CCP wants, but on the actions of its declining, but still sizeable, player base. In Eve, legendary characters aren't AI controlled—like, say, the iconic Garrosh Hellscream or Sylvanas Windrunner in World of Warcraft—they're real people. The reason for this is the game's structure. Eve is divided into three main regions: High Security (High-Sec), Low Security (Low-Sec) and No-Security (Null-Sec). High-Sec is the starting area, where players get to grips with Eve's mechanics in relative safety through one of the worst tutorials ever made in gaming.

The rewards for staying there are slender, but if anyone tries to grief a new player in this region, the AI shuts them down. Low-Sec is where players take off their water-wings; it's a little more of a free-for-all, but the game still provides some semblance of protection.
(Video: Footage from the Bloodbath of B-R5RB shows just how vast battles in Eve: Online can be.)

Null-Sec is the heart of Eve, and it's about as forgiving as the post-apocalyptic world presented in Mad Max. Here, Darwin's law applies; only those that band together survive, and lone wolves are quickly picked off. Players band together in factions, which in turn team up as coalitions, with the larger ones boasting tens of thousands of members. It's also in Null-Sec where the plot unfolds. Eve’s myriad coalitions battle one another for territory and resources using assets both in and outside of the game. Yes, gigantic dogfights take place, ambushes are set and triggered, and fleets move to contain chokepoints on the map.

But unlike other games, where conflicts are mostly confined to the game itself, the wars in Eve spill out in the real world: players make shady deals over chat channels, secrete sleeper cells within one another's ranks, and grief enemies on social media. The reason is that the stakes are always high in Eve. Unlike other MMOs—where death usually causes the player to respawn with all of their weapons, skills, and equipment intact—death in Eve can see assets that have taken hundreds of hours and piles of in-game money to accrue reduced to ash in the blink of an eye.

Damage is permanent: if your ship is blown up in Eve, it's gone for good. In an effort to control the narrative—particularly when things don't go in their favour—players flood forums, fan sites, and social media with disinformation and propaganda, making it impossible for outsiders to obtain a true picture of the state of play. Hop onto an Eve social media stream and you'll see World War II posters photoshopped to represent the views of either side of the war, lengthy propaganda videos on YouTube, and deep think-pieces. One op-ed the Mittani published during World War Bee even called into question whether IWantISK.com, an online "space casino" where players gamble using in-game cash to win modules, ships, implants, or even ISK payouts, was even legal under meatspace Florida law, the state where the site is based.

(Images: examples of player-made propaganda from Eve: Online. Credits: Rixx Javix; Jason Kollat.)

"It's not at Gamergate levels," says Gianturco. "You don't have people receiving, say, bomb threats.

Death threats have happened in Eve, but there's nothing that has ever reached the level of full-on harassment.
In general, the community looks at it all as good clean fun.

The metagame has always been there. People in the media will always look at platforms like Facebook or Pastebin as a sign of modernisation.

Back in the day the outside game interaction was confined to online forums." "CCP has a zero-tolerance policy for these things happening on their official forums, but it's so hard to police on other forums," says Peter Farrell, aka Elise Randolph, one of the high-ranking members of Pandemic Legion. "The Eve community is robust, and it is very hard to police. CCP has levied severe bans when harassment has taken place on out-of-game forums and the end-user license agreement is broad enough that they can take action on basically anything. Hopefully we'll never have to see them make use of this." And yet, despite what some players maintain, harassment levels in the game have now escalated far beyond a few crude photoshop jobs.

There have been instances where factions have launched DDoS attacks against the comms channels of their enemies just before a major battle, while key players have also been anonymously sent pictures of their homes by opponents as a form of intimidation. "As far as I'm aware, nobody in Eve has ever released the home address or anything of the sort," says Farrell. "However, outing a player's sexual preference, exposing real-world relationships and professions, and attempting to glean information based on posting on other non-Eve related forums and social media are some of the more prominent doxxing stories." According to Killah Bee, most of the metagame is instigated by individuals within each faction.
It's not something the fleet commanders on each side usually coordinate. "There are very small groups that do that kind of stuff.
It rarely happens and it hasn't happened in World War Bee," he says.

So the poor old ostrich died for nothing

Like all wars—both real and virtual—World War Bee wasn't triggered by a single event. While some have pointed to a failed Kickstarter which the Imperium organised to turn the history of The Fountain War (a major military victory in 2013) into a novel, others have pointed to a feud that the Space Monkey Alliance (SMA), a part of the Goonswarm, had been having with the owners of IWantISK.com as the cause. When the SMA/IWI conflict came to a head, one of the site's owners—who goes by the in-game name of Lenny Kravitz2—started bankrolling mercenary factions in Eve to go after SMA and its allies, and things started snowballing from there. The injection of in-game cash into what became the MBC caused thousands of players to sign up to the new coalition. Having been battered by the Goonswarm, a long-dominant and not entirely friendly force in the game, for years, lots of players wanted revenge, so it was easy for MBC to recruit. Killah Bee says that the involvement of Pandemic Legion gave the movement a boost.

The Imperium's enemies could finally see its throat exposed.
(Video: Eve: Online's news network The Scope discusses the fight in World War Bee earlier this year.)

"The players in Eve had been hesitating to go all in on the war," he says. "They didn't know if they could do it without Pandemic Legion.

As soon as we declared war and they knew this was for real, everybody [with a problem with the Goons] joined us." Faced with such an onslaught, the Goonswarm responded using Fabian strategy—the practice of avoiding pitched battle in order to frustrate enemies—by ceding territory and retreating without much of a fight. Not only did this have the effect of making the game more boring, which encouraged new players to leave, it allowed the Goonswarm to keep most of its fleet intact. On the downside, it was forced to abandon most of its territory and flee into Low-Sec. "They are completely abandoning the north and are moving down south with the rest of what's left of their coalition," says Killah Bee. "I never expected that to happen, not this fast, but with that happening, World War Bee is basically over."

Not over 'til it's over

Killah Bee's appraisal of the war isn't one Mittani shares. "After stating that they [Pandemic Legion] were out to destroy Goonswarm and that Goonswarm would never be allowed to field more than 200 people in a fleet, they left," he says. "They've moved their goalposts." Gianturco also points to Eve's most recent expansion, Citadel, which allows players to build gigantic space cities, as possibly providing the Imperium and its allies the means to return the territory they've lost without technically retaking it.

(Image: A Citadel in Eve: Online.)

"Using citadels allows us to be more independent of the vicissitudes of the Sov System (the in-game method of claiming territory)," he says. "Citadels, when they're used in large numbers, allows us to—kind of how Zerg Creep [in Starcraft] works—build a carpet of these structures expanding outwards that do not show up on the in-game map at all." "In previous versions of Eve: Online, the Sov System required factions to scout and use recon.
In order to contest territory you needed to see where your enemy's assets were," he continues. "The current Sov System doesn't require this, so players have even more of an advantage when you’re defending.

Citadels don't play to this. You need to scout them out to see if they're vulnerable. We've been throwing down extremely large numbers of these citadels, which have inherent defences that we've used to vaporise a number of attackers. You won't see us advance until a system is filled with citadels." Is World War Bee over? The MBC seems to think so, but the Mittani is adamant it's not. "The goal here is the complete obliteration of our enemies," he says. "We're not going to just retake our empire; we're going to take revenge on anyone who participated in this war against us." A sincere threat or idle propaganda? In Eve, you can never be sure.

This post originated on Ars Technica UK

Blackhat wannabes proffer probably bogus Linux scamsomware

'We nicked your files, pay us or we'll leak,' warns pastebin note

A new purported ransomware variant is hitting Linux servers, deleting files and demanding payment for the return of lost data. The scam is possibly a bluff, since it does not follow the regular format of encrypting files and leaving ransom notes for slick and automated payment. Information on the attacks is scarce.

Bleeping Computer researcher Lawrence Abrams suspects it is likely a copy of the deleted files with the web folder uploaded to an attacker's server, rather than complex encryption being applied. "In this attack, the attackers most likely do not encrypt the files, and if they do retain the files, probably just upload it to a server under their control," Abrams says. "At this time it is unknown if the attacker actually retains the victim's files and will return them after ransom payment. "Though all ransomware victims should avoid paying a ransom, if you do plan on paying, it is suggested you verify they have your files first." At least one user reported the attackers were breaking into servers by way of brute-force SSH attacks. Attackers use a pastebin note to warn victims their files will be leaked if payment of two bitcoins (US$1,141) is not made within a fortnight. The scam seems to El Reg to be classic ransomware in name only, since there is no encryption of local files for security researchers to attempt to reverse.

Attackers claim to be encrypting files they then steal, which appears to be an unnecessary step unless they are attempting to prevent an early accidental leak of files. Researchers have pooled their to-date successful anti-ransomware efforts under the No More Ransom joint effort between McAfee and parent company Intel, Kaspersky Labs, Europol's EC3 cybercrime division, and Dutch police.

The Secret Behind the NSA Breach: Network Infrastructure Is the Next...

How the networking industry has fallen way behind in incorporating security measures to prevent exploits of ubiquitous routers, proxies, firewalls and switches.

Advanced attackers are targeting organizations’ first line of defense, their firewalls, and turning them into a gateway into the network for mounting a data breach. On August 13, the shady “Shadow Brokers” group published several firewall exploits as proof that they had a full trove of cyber weapons. Whether intended to drive up bids for their “Equation Group Cyber Weapons Auction” (since removed), or to threaten other nation states, the recent disclosure raises the question: if organizations can’t trust their own firewalls, then what can they trust? Does the cache of cyber weapons exposed by Shadow Brokers signal a shift in attack methods and targets? We analyzed the dump and found working exploits for Cisco ASA, Fortinet FortiGate and Juniper SRX (formerly NetScreen) firewalls.

The names of the exploits provided by the Shadow Brokers match the code names described in Edward Snowden’s 2013 revelations of NSA snooping. The exploit names are not the only link to the NSA.

By analyzing the implementation of a cryptographic function, researchers at Kaspersky have found the same encryption constant used in malware attributed to the Equation Group (Kaspersky’s nickname for the NSA) and in the Python code in the latest breach.

Cyber Attacks with a Side of EXTRABACON

Researching one of the Cisco ASA exploits (dubbed EXTRABACON) in our lab, we found that it’s a simple overflow using SNMP read access to the device.

The additional payload bundled with the exploit removes the password needed for SSH or telnet shell access, providing full control over the appliance.

The payload can also re-enable the original password to reduce the chance that the attacker will be detected. The Python code handles multiple device versions and patches the payload for the version at hand.

This indicates the number of operations the group ran in the past, as the developers probably modified the exploit on a case-by-case basis. We ran the exploit against a supported version of a Cisco ASA in our lab multiple times and it didn’t crash once, showing the prowess of the exploit developers. Our attempt yielded a shell without password protection.

Networking Equipment in the Crosshairs

While the exploits themselves are interesting in their own right, no one is addressing the elephant in the room: attackers increasingly target network infrastructure, including security devices, as a means to infiltrate networks and maintain persistence. While the entire cybersecurity industry is focused on defending endpoints and servers, attackers have moved on to the next weak spot.

This advancement underscores the need to detect active network attackers because they can certainly—one way or another—penetrate any given network. Persisting and working from routers, proxies, firewalls or switches requires less effort than controlling endpoints; attackers don’t need to worry that an anti-virus agent will detect an unusual process, and networking devices are rarely updated or replaced. Most networks have the same routers and switches from a decade ago. Plus, few forensics tools are available to detect indicators of compromise on networking devices, and attackers can gain an excellent vantage point within the network. Network device vendors have fallen behind operating system vendors in terms of implementing stronger security measures.

A wide range of networking equipment still run single-process operating systems without any exploit mitigation enabled (Cisco IOS, I’m looking at you) or exhibit the effects of little to no security quality assurance testing.
In recent years, endpoint and mobile operating systems have incorporated security techniques such as address space layout randomization (ASLR), data execution prevention (DEP), sandboxes, and other methods that made life harder for every exploit writer.

The affected networking devices provide none of these security mechanisms and it shows.

Not the First and Definitely Not the Last

The Equation Group breach is not the first example of highly capable attackers targeting network devices.

The threat actor behind last year’s Hacking Team breach leveraged a vulnerability in a VPN device to obtain full access to their internal network without any obstacles.

The attacker moved from the networking device to endpoints without using a single piece of malware, only taking what he needed from endpoints remotely or running well known administrative tools.

This is a soft spot in every endpoint solution’s belly: a privileged attacker using credentials to access files is not considered malicious as long as he doesn’t use any malicious software. Notice that, as we stated earlier, the attacker, quoted on Pastebin, opted for an embedded-device exploit over the other options, stating that it was the easiest one:

"So, I had three options: look for a 0day in Joomla, look for a 0day in postfix, or look for a 0day in one of the embedded devices. A 0day in an embedded device seemed like the easiest option, and after two weeks of work reverse engineering, I got a remote root exploit."

As always, nation state attacks are usually a step ahead of the entire industry on both the defensive and offensive side. We will probably see the same methods employed by less sophisticated attackers as it becomes increasingly difficult to compromise endpoint devices and stay undetected. We have seen this happen before; cybercrime attackers stole techniques from Equation Group, as well as from the Stuxnet, Flame and Regin malware and other APTs, and it will surely happen again with the Equation Group’s recently leaked exploits. In the meantime, here are four recommendations to help fortify network devices against attack:

Recommendation 1: Patch your network devices promptly. Replace network devices that have reached their end of support date.

Recommendation 2: Restrict access to device management addresses to the minimum required, and block any unneeded, seemingly benign protocols including SNMP and NTP.

Recommendation 3: Manage your device passwords as you would your administrator accounts, by periodically changing your passwords and defining a different password for each device. Do not use a standard template for passwords. For example, the password Rout3rPassw0rd192.168.1.1 might seem strong, but after compromising one device, the attacker will know all of the passwords.

Recommendation 4: Deploy a network monitoring solution that can profile users and IP-connected devices to establish a baseline of normal behavior and then detect unusual activity originating from network devices.

Attackers have no way of knowing what “normal” looks like for any given network, and network detection is the only generic way to stop attackers from compromising network devices.

Yoni Allon is responsible for leading the LightCyber research team in monitoring and researching cybercriminal and cyberwarfare actions and ensuring that the LightCyber Magna platform accurately finds these behaviors through its detectors and machine learning. Mr. Allon has ...
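The four recommendations above are stated as policy. As an added example (my own code, not the article's or LightCyber's), the script below turns recommendations 2, 3 and 4 into checks over constructed flow-log lines and a constructed device inventory: management-plane connections (SSH, telnet, SNMP, NTP) reaching a network device from outside the management subnet, a management source not seen in a known-good baseline window, a device opening connections of its own to an unexpected destination, and device passwords built from a shared template. The device names, subnets, log format and passwords are assumptions made for the example.

```python
# Added example (not the article's or LightCyber's code): checks for
# recommendations 2, 3 and 4 above, run over constructed flow-log lines.
# Device names, subnets, log format and passwords are assumptions.
import ipaddress
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

FLOW = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")
# Management-plane services named in the article: shell access via SSH or
# telnet, plus the "seemingly benign" SNMP and NTP.
MGMT_PORTS = {22: "ssh", 23: "telnet", 161: "snmp", 123: "ntp"}
Flow = Tuple[str, str, int]
Finding = Tuple[str, str, str, str]


def parse_flow(line: str) -> Optional[Flow]:
    """Extract (src, dst, dport) from one flow-log line; None if unparseable."""
    m = FLOW.search(line)
    return (m["src"], m["dst"], int(m["dport"])) if m else None


def in_networks(ip: str, nets: List[ipaddress.IPv4Network]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def build_baseline(history: Iterable[str], devices: Dict[str, str]) -> Set[Flow]:
    """Every management flow to a device seen during a known-good window."""
    baseline: Set[Flow] = set()
    for line in history:
        flow = parse_flow(line)
        if flow and flow[1] in devices and flow[2] in MGMT_PORTS:
            baseline.add(flow)
    return baseline


def audit_flows(lines: Iterable[str], devices: Dict[str, str],
                mgmt_nets: List[str], baseline: Set[Flow]) -> List[Finding]:
    """Flag management access from outside the allow-list (rec. 2), management
    sources missing from the baseline, and device-originated connections to
    unexpected destinations (rec. 4)."""
    nets = [ipaddress.ip_network(n) for n in mgmt_nets]
    findings: List[Finding] = []
    for line in lines:
        flow = parse_flow(line)
        if not flow:
            continue
        src, dst, dport = flow
        if dst in devices and dport in MGMT_PORTS:
            service = MGMT_PORTS[dport]
            if not in_networks(src, nets):
                findings.append(("outside-allowlist", src, devices[dst], service))
            elif flow not in baseline:
                findings.append(("new-management-source", src, devices[dst], service))
        elif src in devices and dst not in devices and not in_networks(dst, nets):
            # A firewall or router opening its own connection to somewhere
            # outside the management plane is "unusual activity originating
            # from network devices".
            findings.append(("device-originated", devices[src], dst, str(dport)))
    return findings


def templated_passwords(passwords: Dict[str, str]) -> List[str]:
    """Rec. 3: flag devices whose password embeds their own address, or whose
    passwords are identical once the address is removed (a shared template)."""
    flagged = [ip for ip, pw in passwords.items() if ip in pw]
    stripped = {pw.replace(ip, "") for ip, pw in passwords.items()}
    if len(passwords) > 1 and len(stripped) == 1:
        flagged = list(passwords)
    return sorted(flagged)


# Constructed inventory and flow lines.
DEVICES = {"10.0.0.1": "core-fw", "10.0.0.2": "edge-router"}
MGMT_NETS = ["10.0.5.0/24"]
HISTORY = [
    "2016-08-20T10:00:01 src=10.0.5.12 dst=10.0.0.1 dport=22 proto=tcp",
    "2016-08-20T10:00:09 src=10.0.5.12 dst=10.0.0.1 dport=161 proto=udp",
    "2016-08-20T10:05:00 src=10.0.5.40 dst=10.0.0.2 dport=22 proto=tcp",
]
TODAY = [
    "2016-08-21T09:00:00 src=10.0.5.12 dst=10.0.0.1 dport=22 proto=tcp",
    "2016-08-21T09:01:13 src=192.0.2.77 dst=10.0.0.1 dport=161 proto=udp",
    "2016-08-21T09:02:40 src=10.0.5.99 dst=10.0.0.2 dport=23 proto=tcp",
    "2016-08-21T09:03:05 src=10.0.0.1 dst=198.51.100.9 dport=443 proto=tcp",
    "2016-08-21T09:04:00 src=10.0.7.3 dst=10.0.9.8 dport=443 proto=tcp",
]


def run_audit() -> List[Finding]:
    return audit_flows(TODAY, DEVICES, MGMT_NETS, build_baseline(HISTORY, DEVICES))


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
    print(templated_passwords({"10.0.0.1": "Rout3rPassw0rd10.0.0.1",
                               "10.0.0.2": "Rout3rPassw0rd10.0.0.2"}))
```

The SNMP hit from 192.0.2.77 is the case the EXTRABACON discussion makes concrete: read-only SNMP reachable from outside the management subnet is exactly what that exploit needs, so it should never be ordinary traffic. Legitimate device-originated flows (a firewall reaching its own NTP or syslog server) belong in the inventory or the management allow-list so they do not show up as findings; anything else a device initiates on its own deserves a look.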

'Shadow Brokers' Claim to Breach NSA-Linked Hackers

The Shadow Brokers published hacking tools allegedly belonging to the NSA-linked Equation Group. A group calling itself The Shadow Brokers over the weekend published hacking tools allegedly belonging to the Equation Group, another hacking group reportedly linked to the NSA, and they plan to auction off those tools for a starting bid of 1 million bitcoin (nearly $570 million). "Attention government sponsors of cyberwarfare and those who profit from it," The Shadow Brokers wrote in a manifesto posted to Pastebin.
In broken English, the statement asks readers how much they would pay for their enemies' cyber weapons or other state-sponsored tool sets. They claim to have found cyber weapons made by the creators of Stuxnet, Duqu, and Flame, three strains of malware that have been connected to the US government. The announcement from The Shadow Brokers was also published on GitHub and Tumblr, but both entries were quickly deleted. As security firm Kaspersky reported last year, Equation Group is a mysterious and sophisticated malware distributor that is perhaps associated with the US National Security Agency (NSA). Named after its penchant for encryption algorithms, Equation Group targeted more than 30 countries—including Iran, Russia, Pakistan, Afghanistan, India, and China—with a focus on those in government, nuclear research, military, and nanotechnology, as well as companies developing cryptographic technologies. The hackers' malware can reprogram hard drive firmware, and has, in the past, been found on devices from Seagate, Western Digital, and Samsung.

The exploit, carried out via physical interceptions like infected USB drives and CD-ROMs, is undetectable and cannot be removed. According to Kaspersky, Equation Group dates back to 2001, but could have been active as early as 1996. The Shadow Brokers allege that they breached the Equation Group and stole its hacking tools. On Sunday, they tweeted a link to what they say are the documents, with names like "BANANAGLEE," "BANANASURPER," and "EPICBANANA." It remains unclear whether the data has indeed been stolen.

Either way, it caught Edward Snowden's attention.

The former NSA contractor, who leaked NSA documents to the press and is currently living in exile in Russia, today tweeted a series of comments on the hack. While the breach of an NSA malware staging server is not unprecedented, he writes, "the publication of the take is."

6) What's new? NSA malware staging servers getting hacked by a rival is not new. A rival publicly demonstrating they have done so is. — Edward Snowden (@Snowden) August 16, 2016

9) This leak is likely a warning that someone can prove US responsibility for any attacks that originated from this malware server. — Edward Snowden (@Snowden) August 16, 2016

13) TL;DR: This leak looks like somebody sending a message that an escalation in the attribution game could get messy fast. — Edward Snowden (@Snowden) August 16, 2016

Shadow Brokers promised more Equation Group files, "same quality, unencrypted, for free, to everyone", if its ongoing auction raises 1 million bitcoin. "We want to make sure Wealthy Elite recognizes the danger cyber weapons, this message, our auction, poses to their wealth and control," the hackers wrote. "Your wealth and control depends on electronic data. You see what 'Equation Group' can do. … If Equation Group lose control of cyber weapons, who else lose or find cyber weapons? If electronic data go bye bye where leave Wealthy Elites? … Wealthy Elites, you send bitcoins, you bid in auction, maybe big advantage for you?" The NSA did not immediately respond to PCMag's request for comment.

IT analyst: Oz census data processed as plain text

Data appears to be encrypted in transit, but not at rest

An Australian IT consultant has cast doubt on whether the country's Census is as secure as the Australian Bureau of Statistics thinks it is. The technical infrastructure for the Census is being delivered by IBM using its SoftLayer cloud in Australia. While the online Census completion process uses transport layer security (TLS) – and is therefore kept from prying eyes – the tunnel terminates not at the ABS, but at IBM's end, claims Justin Warren, chief analyst and managing director of consultancy PivotNine.

Exploring the behaviour of the JavaScript code that implements the form, Warren demonstrated that if a user is interrupted, the saved data that pre-populates the form when the user resumes isn't decrypted at the user's browser. In other words, he says, it has been saved as clear text in the SoftLayer infrastructure – and would therefore be accessible at the server end.

The resume function sends back your answers so far to populate the form. #CensusFail — Justin Warren (@jpwarren) August 7, 2016

So IBM can absolutely look at your partially completed answers. #CensusFail — Justin Warren (@jpwarren) August 7, 2016

Warren posted his data grab to Pastebin here. His work comes as the Australian Privacy Foundation (APF) has called on the government to assure Australians that IBM's involvement in the Census doesn't expose Australians to America's notorious PATRIOT Act. In this letter, the APF also seeks confirmation that Census data will remain onshore; whether user telecommunications metadata such as IP address is being collected; and whether the JavaScript has been subject to independent verification. Public resistance to the retention of names in Australia's 2016 census has sparked a long-running #CensusFail hashtag on Twitter, and has demographers concerned at the risk of a boycott resulting in a less-than-optimal data set. ®