Mr.Grey back again: Theft of 1.2 billion log-in credentials

Mr. Grey, not again! A Reuters report has confirmed the notorious hacker Mr. Grey’s involvement in the theft of 1.2 billion internet credentials.

Mr. Grey, who had obtained access to user account information for websites such as Facebook (FB.O) and Twitter (TWTR.N), has now been linked by the FBI, through a Russian email address, to the theft of a record 1.2 billion internet credentials.

According to the documents, which were made public by a federal court in Milwaukee, Wisconsin, the hacker was associated with a cybersecurity firm that announced in August 2014 that it had determined an alleged Russian crime ring was responsible for stealing information from more than 420,000 websites.

The investigation started last year when the Milwaukee-based cybersecurity firm Hold Security obtained information that a Russian hacker group it dubbed CyberVor had stolen the 1.2 billion credentials and more than 500 million email addresses.

The FBI subsequently found lists of domain names and utilities that investigators believe were used to send spam.

Within the spam utilities it also discovered an email address, registered in 2010, belonging to a "mistergrey".

It further found 2011 posts by the hacker stating that if anyone wanted account information for users of Facebook, Twitter or the Russian social network VK, he could locate the records.

Alex Holden, Hold Security's chief information security officer, told Reuters that this message indicated mr.grey likely operated, or had access to, a database that amassed data stolen from computers via malware and viruses.

Hilton payment system attacked

Hilton, one of the largest US-based hotel chains, revealed that hackers had infected some of its point-of-sale computer systems with malware crafted to steal credit card information.

The company did not disclose what data was taken, but cautioned everyone who used payment cards at Hilton Worldwide hotels between November 18 and December 5 of last year, or between April 21 and July 27 of this year, to check their debit or credit card statements for irregular activity.

In an online post, Hilton said that the malware that infected its systems had the potential to retrieve cardholders' names, account numbers, security codes and expiration dates.

It further wrote that it is investigating the breach with the help of third-party forensics experts, law enforcement and payment card companies.

Starwood Hotels, which operates the Sheraton and Westin chains, announced four days before Hilton that hackers had attacked its payment systems, leaking customer credit card data at some of its establishments.

"The malware was designed to collect certain payment card information, including cardholder name, payment card number, security code and expiration date," the group said in a statement.

Starwood and Hilton are not the only ones whose payment systems have been hacked: last month Trump Hotels faced a similar cyber attack.

"We believe that there may have been unauthorised malware access to some of the computers that host our front desk terminals and payment card terminals in our restaurants, gift shops and other point-of-sale purchase locations at some hotels," Trump Hotel Collection said at a website devoted to details of the incident.

According to Trump Hotels, the access could have taken place between May 19 of last year and June 2 of this year.

Brian Krebs, cyber threat blogger, described the attacks on payment systems as "just the latest in a long string of credit card breaches involving hotel brands, restaurants and retail establishments."

Dell says "sorry" for installing vulnerable digital certificate

Dell has apologized after confirming in a blog post that a certificate (eDellRoot) installed on its PCs introduced a security vulnerability.

It is said that the certificate allows attackers to cryptographically impersonate HTTPS-protected websites. The company has issued a software tool that removes the transport layer security credential from affected machines.

Once properly removed using the recommended Dell process, the certificate will not reinstall itself.

“The certificate was implemented as part of a support tool and intended to make it faster and easier for our customers to service their system. Customer security and privacy is a top concern and priority for Dell; we deeply regret that this has happened and are taking steps to address it,” the company said in the blog post.

According to the blog post, Dell customers Hanno Böck, Joe Nord and Kevin Hicks (aka rotorcowboy) informed the company of the certificate's presence on its PCs.

Dell has claimed that the certificate was not malware, but was there to provide the system service tag to Dell online support, allowing it to quickly identify the computer model and making it easier and faster to service its customers.

“We have posted instructions to permanently remove the certificate from your system here. We will also push a software update starting on November 24 that will check for the certificate, and if detected remove it. Commercial customers who reimaged their systems without Dell Foundation Services are not affected by this issue. Additionally, the certificate will be removed from all Dell systems moving forward,” the company added. 
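The following PowerShell script is an added example, not Dell's own removal tool: it audits the machine-wide certificate stores for a certificate whose subject matches eDellRoot, reports whether the private key is present on the machine (a trusted root with its private key on the box is what makes impersonation of HTTPS sites possible), and removes matches only when run with `-Remove` from an elevated session. The subject string `CN=eDellRoot` and the choice of stores are assumptions made for this example.

```powershell
# Added example (not Dell's tool): audit for, and optionally remove, the
# eDellRoot certificate from the machine-wide Windows certificate stores.
param(
    [switch]$Remove   # default is audit only; -Remove deletes matches (needs admin)
)

# Assumption: the certificate's subject contains this CN, as in Dell's post.
$subjectPattern = 'CN=eDellRoot'

# Trusted root and intermediate CA stores for the whole machine.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA')
$found = $false

foreach ($store in $stores) {
    $hits = Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -like "*$subjectPattern*" }

    foreach ($cert in $hits) {
        $found = $true
        # HasPrivateKey is the security-relevant field: a CA certificate
        # whose private key lives on the endpoint can be used to mint
        # certificates for any site this machine will trust.
        [pscustomobject]@{
            Store         = $store
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
        } | Format-List

        if ($Remove) {
            # -DeleteKey also removes the associated private key material.
            Remove-Item -Path (Join-Path $store $cert.Thumbprint) -DeleteKey -Verbose
        }
    }
}

if (-not $found) {
    Write-Output "No certificate matching '$subjectPattern' found in machine stores."
}
```

Deleting the certificate alone is not sufficient on machines where the Dell Foundation Services component that installed it is still present, which is why the page says the certificate stays gone only after Dell's recommended process is followed.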

Cyber Criminals from Russia steal $790 million in three years

It seems that the number of Russian cybercriminals who steal money from banks using Trojans has been increasing every year.

The Kaspersky Investigation Unit (KIU) has found that more than 160 Russian hackers, from small to large criminal gangs, have been accused of stealing cash using Trojans.

"This estimate is based both on the analysis of public information about the arrests of people suspected of committing financial cybercrime in the period between 2012 and 2015 and on Kaspersky Lab’s own data," Ruslan Stoyanov, chief of the KIU, said.

"Of course, this figure only includes confirmed losses, the details of which were obtained by law enforcement authorities during the investigation. In reality, cybercriminals could have stolen a much larger amount," Stoyanov added.

The security firm is said to have investigated more than 300 online financial attacks since 2013.

Stoyanov recently said that a hacking group stole US$790 million in three years from the World Bank’s account.

According to Stoyanov, a Russian cyber-crook group of 20 professional hackers has stolen $509 million from individuals and businesses in the U.S. and across the European Union since 2012.

The security experts’ research has suggested that these 20 people play leading roles in criminal activities involving the online theft of money and information.

The gangs have skill sets that mirror those of legitimate tech shops, including web designers, programmers and system administrators (BOFHs), along with "cryptors" who obfuscate malware so that it evades security software.

"Cybercriminal system administrators configure management servers, buy abuse-resistant hosting for servers, ensure the availability of tools for anonymous connection to the servers (VPN) and resolve other technical challenges, including the interaction with remote system administrators hired to perform small tasks," he said.

According to him, employees may be paid as freelancers or as permanent staff, and are recruited through forums or in brazen public advertisements that often target underprivileged techs in areas such as war-torn Ukraine.

It is said that small groups buy crime kit such as exploit kits and traffic services, while large criminal outfits with a dozen or more members do this themselves and target businesses, not just individuals.

Lenovo releases updates to fix some privilege escalation vulnerabilities

PC maker Lenovo has released a new version of its System Update software to fix several privilege escalation vulnerabilities discovered by IOActive researcher Sofiane Talmat.

Lenovo System Update is software designed to help users obtain driver, BIOS and application updates for Lenovo and Think systems; it was previously known as ThinkVantage System Update. System Update validates all update files when they are downloaded from Lenovo servers.

However, if malware is present on the machine, the downloaded updates can be altered before installation. The latest version eliminates this possibility.

System Update uses SUService.exe to run updates. The service only accepts a command when a valid security token is passed along with it; this is part of the authentication and validation process.

Despite these precautions, a serious vulnerability was discovered in how the security token was generated, allowing an attacker to run commands through the service. The latest Lenovo System Update release fixes the token authentication flaws.

Talmat also discovered that a local, unprivileged attacker could execute commands as a privileged Windows user.

During a system update, a GUI application is executed under a temporary administrator account, and this application includes links to various pages on Lenovo’s website. When a link is clicked, the web page opens in a browser launched by the temporary admin account, allowing an attacker to leverage that browser session.

The vulnerabilities were reported to Lenovo on November 2 and they were patched on November 19 with the release of System Update 5.07.0019.

Apart from this, the PC company has released many new versions of its system update software to address issues reported by researchers from Trustwave, IOActive and Tencent’s Xuanwu Lab.

Security flaws in LastPass allow attackers to access user passwords

Using a single password for multiple accounts is unsafe, as it increases the chances of compromise. Even password managers have turned out to be unsafe: a pair of Spanish researchers, Alberto Garcia Illera and Martin Vigo, claimed that LastPass, a popular password manager, had also been hacked.

Last year, the two researchers managed to crack LastPass' master password for installations where the "remember password" option was activated. They have now presented a new series of attacks at the Black Hat Europe security conference in Amsterdam.

The researchers studied three different scenarios. The first is client-side attacks, made possible by a design flaw in LastPass' session cookie: the cookie stored a key used to encrypt the password vault key, and through a series of decryption steps this gave access to all user passwords.

Where 2FA (two-factor authentication) was enabled, passwords were not kept any safer, because LastPass previously relied on locally stored tokens, which allowed 2FA to be bypassed easily. Moreover, the same token was used for all browsers, and it was injected into the page’s DOM, allowing attackers to steal it via XSS attacks.

The second scenario is server-side attacks, where the researchers examined LastPass' mechanism for injecting usernames and passwords into web pages. LastPass used custom JavaScript here, and attackers could append malicious code to the custom_js LastPass parameter, leading to data theft from login pages. The third scenario covers attackers positioned neither on the client nor on LastPass' servers.

The two researchers said, however, that the company was notified of the issues and was quick to release fixes.

World Bank site hacked to launch PayPal phishing page

A report published by SecurityWeek confirmed that the official website of the World Bank’s Climate Smart Planning Platform (CSPP) project had been hacked by two hackers and later used to host a well-designed PayPal phishing page.

According to the report, the CSPP project, which focuses on helping developing countries create and implement climate-smart policies, was ideal for phishing because its site used an Extended Validation (EV) SSL certificate issued by Comodo to the World Bank Group.

Since the website carried an EV certificate issued for the World Bank Group, the phishing page gained enough credibility for visitors to fall for it easily.

An EV certificate is said to give the “highest available level of trust”, as it is issued only after an extensive verification process, and the browser then displays the name of the certificate’s owner.

The PayPal phishing site tricked visitors into logging in with their PayPal credentials. Once the data had been submitted and stolen, the user was told that the site was unable to load their account and that confirmation of their personal information was required.

The site then required the user to share their email address, name, postal address, date of birth, and phone number.

It then asked the user to verify their PayPal payment information, including credit card number, expiry date, CVV number and, if the card required verification, 3D Secure password. After collecting this personal and payment information, the phishing site redirected the user to the legitimate PayPal website.

Because the phishing page was hosted on the CSPP site, the green address bar in the browser displayed “World Bank Group”, which might have convinced users that the page was legitimate.

According to various news reports, the same CSPP website was also targeted by a different type of hacker: after the phishing page was removed by the CSPP webmasters, the site’s homepage was defaced by an Iraqi hacker who appears to deface random websites in an effort to boost his reputation among his peers.

The site’s EV certificate has since been revoked.

Nested backdoor puts the security of 600,000 cable modems at risk

By shipping two backdoors in its hardware products, cable modem manufacturer Arris put its modems at risk of being hijacked.

Though the company added the two backdoors deliberately, they turned out to be a major flaw, putting around 600,000 cable modems at risk.

The flaw was discovered by Brazilian security researcher Bernardo Rodrigues, who explained in a blog post that the cable modems already had a backdoor in their firmware, and that this backdoor was itself affected by a second backdoor.

The first backdoor is activated via the admin password, which loads a library on the modem. Whoever accesses this backdoor, user or attacker, gains access to the modem and can enable the SSH or Telnet ports, which in turn allow more powerful sessions.

When Rodrigues analyzed the backdoor more deeply, he found a second backdoor that launches a BusyBox shell, accessible with a password derived from the last five digits of the device’s serial number; the researcher later created a tool that generates this password automatically.

BusyBox is a software package that provides many UNIX utilities in a single executable; it is commonly used on embedded devices whose memory and storage constraints do not allow a fuller Linux operating system to run.

The company was warned about the flaw in the first backdoor back in 2009 and promised a fix, but has not delivered one to date. After the major flaw in the second backdoor was discovered, the researcher gave the company time to fix it; when it failed to do so, he published his findings after 65 days.

Anyone who cares about the security of their router should avoid consumer-grade devices, since the ISP can configure the router/gateway in an insecure way.

Moreover, router software is nowadays developed cheaply, and security seems to be hardly a concern for manufacturers.

Blackhole exploit kit: back with a bang, proving to be a threat again

The Blackhole exploit kit, a tool for running drive-by download attacks, has made a comeback two years after its author’s arrest, according to Malwarebytes.

The security firm has detected cybercrooks using Blackhole, built from the leaked source code, in active drive-by download campaigns via compromised websites.

“We noticed Java and PDF exploits collected by our honeypot which we haven’t seen in ages. Looking closer at the structure of this attack, we were surprised when we realized this was the infamous Blackhole,” the researchers from Malwarebytes wrote in a blog.

According to the researchers, the new drive-by download attacks use the same structure as the original Blackhole, even reusing the old PDF and Java exploits.

“The only difference is the malware payload being dropped, which is current and had very low detection on VirusTotal,” they said.

The server used to host the exploit infrastructure happens to be fully browsable (thanks @MeJz024 for the tip). The folder structure shows beyond doubt that this is taken straight from the leaked Blackhole source code.

The researchers note that although the exploits are old, there are probably still vulnerable computers out there that could be compromised.

It is also believed that the author of this Blackhole edition was working on new landing pages, so additional changes are possible in the future.

“We are not quite sure why this old exploit kit is being used in live attacks considering the infection rate would be quite low due to the aging exploits,” they added.

However, they assume the reason may be that, with the source code public, it is a free platform that can be built upon and updated.

A security bug in MetroPCS could allow hackers to access customer data

A critical security bug in MetroPCS’s website could allow anyone who knew your phone number to access your personal details, including your home address and your phone’s model and serial number.

Motherboard revealed in a report that a pair of researchers had discovered a bug that left customers’ personal data exposed to cybercriminals.

With the personal details in hand, cybercriminals could easily move on to identity theft and accessing bank accounts.

Eric Taylor and Blake Welsh found the flaw on MetroPCS's payment page in mid-October. Motherboard independently verified the flaw and reached out to T-Mobile, which owns MetroPCS, on October 22.

Well-known researchers have described it as a pretty nasty bug and a serious privacy exposure. MetroPCS was unaware of the problem until Motherboard contacted it ahead of publishing its report. A T-Mobile spokesperson told Motherboard that the flaw has been fixed and the data is no longer exposed.

What raised eyebrows further was that an attacker would not even need someone's phone number: they could simply run an automated script and obtain the personal data of many MetroPCS customers.