TP-Link Wi-Fi Extenders: Detected With Vulnerability Making Them Hacker Prone!

The popular router company left its users shocked when researchers discovered a crucial vulnerability with its Wi-Fi extenders.

The vulnerability immensely compromised the extender to the hacker and let them have entire control of the device.

Victim’s traffic could easily be redirected via the taking over of the extender and could lead them to malware, the researchers cited.

To enhance the range of the Wi-Fi signals these extenders are used to “extend” the range. They provide a significant boot in the signal’s strength.

Security cameras, doorbells and other security equipment could easily be connected via the extender to the router.

But quite like the routers they are prone to vulnerabilities and need to be maintained and patched from time to time to ensure a safe network.

Allegedly, the particular extenders that were affected were the RE365, the RE350, the RE650 and the RE500.

According to sources, the researchers who were behind the digging up of this glitch belong to IBM’s X-Force of researchers.

Ever since then IBM collectively with TP-Link has released updates for the affected users.

The to-be attackers don’t necessarily need to be within the range of the Wi-Fi extender for him to exploit the weakness.

The attacks procedure begins with the hacker sending a malicious HTTP request to the Wi-Fi extender.

The vulnerability in turn aids the attacker to execute such commands form the request which is not the case with proper extenders which have limited access.

The attacker would need to know the extender’s IP address to abuse the vulnerability. Thousands of exposed devices could be easily found on “Shodan” and similar search engines.

The misuse of the vulnerability is not only limited to malicious code execution or simple taking control of the extender.

More sophisticated malicious activity could also be followed through using shell commands on the device’s operating system, sources cited.

Also creating a botnet out of the extender and redirecting the users to malicious pages are other things on the list of probable attacks.

Houdini Worm’s WSH Remote Access Tool (RAT) for Phishing Tactic

A fresh modified version of Houdini Worm is out in the market which goes by the name of WSH Remote Access Tool (RAT) and has commercial banking customers on its radar.

The authors who created the malware released it earlier this June and the HWorm has things tremendously in common with the njRAT and njWorm. (existed in 2013)

WSH RAT uses the legitimate applications that are used to execute scripts on the Windows one of which is Legitimate Windows Script Host.

The malware is being distributed via phishing email campaigns per usual.

The malicious attachment is stuck with the MHT file which is used by the threat operators the very way they use HTML files.

The MTH files contain an “href” link which guides the user to download the malicious .zip archive which releases the original version of WSH RAT.

Researchers report that when WSH RAT’s executed on an endpoint it behaves like an HWorm to the very use of mangled Base64 encoded data.

The WSH RAT uses the very same configuration structure for the above process as HWorm.

It also seeds an exact copy of the HWorm’s configuration including the default variable and WSH RAT command and control server URL structure in similar to that of HWorm.

Firstly WSH Rat communicates with C2 server and then calls out the new URL that releases the three payloads with the .tar.gz extension.

But, it’s actually PE32 executable files and the three payloads act as follows:

· A Key logger

· A mail credential viewer

· A browser credential viewer

These components are extracted from a third party and do not originate from the WSH RAT itself.

The underground price of the WSH RAT was around $50 USD a month with a plethora of features including many automatic startup tactics and remote access, evasion and stealing capabilities.

It’s becoming evident by the hour that by way of simple investment in cheap commands really threatening malware services could be developed and could put any company under jeopardy.

Two hackers who stole more than 15,000$ were detained in Ukraine

The press service of the Department of Cyber Police of the National Police of Ukraine reported that Ukrainian hackers transferred from the account of the entrepreneur more than 400 000 UAH using a bug in the online currency exchange service.

According to the police, they received a message from a 30-year-old resident of the Kyiv region that he got suspicious letters at his email address at night. The e-mail said the withdrawal of funds from his Bank account. According to the victim, the attackers managed to withdraw about 420 000 UAH.

During a pretrial investigation, law enforcement officers found two 33-year-old men who were involved in the crime. It turned out that one of them was engaged in the configuration and support of Internet resources.

The attacker used the vulnerability of the victim's online resource to steal funds. First of all, he blocked the work of the resource and the owner’s access to it. After that, the hacker transferred to his electronic wallets all the owner's funds.

According to investigators, the second participant of the criminal group who at that time was in another city began his part of the work. He conducted a number of transactions with various e-wallets to redirect funds, transferred them to cryptocurrency and then cashed.

Cyber Police officers together with Police investigators conducted six authorized searches at the same time. According to their results, computer equipment, additional media, draft records and mobile phones were seized.

According to the article on unauthorized intervention in work of computers, hackers face up to three years of imprisonment.

Massive HIV Data Leak; No Closure Yet!

Singapore: Finally the authorities have come up with some background details as to the circumstances that led to 14,200 people’s personal details along with their HIV status leakage.

The lingering questions, ever since the data was compromised have been intriguing. Such as, the reason behind not making it public in May 2016 when it was known that the information was in wrong hands?

According to a recent media briefing the Permanent Secretary of Health, cited that the ministry of health did wasn’t sure as to the whether the news’ being public was in the interest of the citizens.

They did mention though that they will take conservative measures and better approaches now that they know the persons in registry have concerns regarding a public announcement.

It’s disturbing that years after the incident took place no one knows why the data still remained with the unauthorized people.

According to sources, the Ministry of Health had lodged a police report in May 2016 after finding out that Mikhy Farrerra Brochez was in custody of the leaked information from the HIV registry.

After, the properties owned by Brochez and his partner Ler Teck Siang were searched by the police officials and all pertinent material found was seized.

Even after that Brochez managed to keep some information back and in turn leaked it later on. The Permanent Secretary of Health voiced that the police should have had a better search.

It was later in May 2018 when the people whose information as in the “unauthorized” hands were informed a\bout the entire leakage scenario.

In May 2018 the police found out that Brochez had managed to hold some records back which was a month after Brochez completed serving his jail sentence for other offenses and was deported from Singapore.

There is no way of knowing though, that how many people were informed that their persona details were in wrong hands.

MOH lodged a police report and had contacted the concerned individuals. The number of people was very small according to PSH Mr. Chan.

Where Brochez was deported to is still under wraps and the immigration department couldn’t share the details due to confidentiality concerns.

He is known to have arrived in the Kentucky state of the US. There’s no knowing if he’s being monitored, the sources said.

He had called at his mother’s house despite being warned to stay away and that’s when she informed the police about it.

After he refused to leave he was taken into custody and was charged. He has been asked to return to the district to face criminal trespass.

The Singapore police force is reportedly taking help of their foreign counterpart but didn’t mention which organizations or countries.

Brochez’s partner was charged with the Official Secrets Act for “failing to retain the possession of a thumb drive” containing data from the leak but was stood down and there is no answer as to why that happened.

According to Article 35(8) the AG gets a wide discretion as public prosecutor in the conduct of criminal proceedings. The prosecution “is not required to give reasons for why they decide to proceed with certain charges and not others”.

Another question that has yet to be addressed is how was the access to the confidential information disabled? We do know that the MOH had worked with “relevant parties” to disable the access.

Stolen information of such sorts is uploaded on various hack forums and file sharing sites such as “Pastebin” and “Mega” and is commonly hosted on web servers overseas.

If taking down a web domain. It could be done on a registrar level. Domain registrars are company people who create websites. But taking down a website can’t totally solve the problem.

Because once, data is on the dark web it’s almost irretrievable. As it could be copied or distributed across quite easily.

Absolutely different from the internet the commoners use, the Dark Web is “unregulated and decentralized and has no point of authority or disabling access to anything.

Estonian hackers forged electronic identity card

As we all know, the introduction of electronic Identity Card has begun in many developed countries. According to the leaders of the States, this allows citizens to receive a large number of services without long standing in queues, as it only requires the availability of the Internet.

Estonian citizens can use about 600 different online services, and 2.4 thousand more services are offered to businesses. An electronic ID allows you to remotely sign documents, pay for cellular communication, use transport, etc.

Another important advantage of electronic identity cards is that they cannot be faked. This is very important for the security of States. Leading experts on cybersecurity argue that such electronic documents are highly reliable. But, as it turned out, this statement is incorrect.

Recently it became known that Estonian hackers were able to fake an electronic ID. The Estonian socio-political daily newspaper Postimees reported the incident.

In February 2019 some Estonian residents began to receive SMS messages from one of the largest Banks in the country. The message offered to update their personal information by clicking on the link which led to a page visually similar to the home page of the Bank. There, users had to log in using their Mobile Electronic Identity Card (Mobile ID) by entering two codes. These two codes were enough to fake the identity of the victims. The scammers created new accounts in the Smart-ID application, which allows them to connect to services in Estonia.

It’s important to note that Smart-ID application allows people to use various services including managing Bank accounts. In total, 2.2 million people are using this app, including 433 thousand in Estonia. However, the damage caused to Estonians is only 1000 Euros.

It should be noted that the last failure in the Mobile-ID was recorded in May, when users could not make money transfers and use other services for several hours. However, there were no cases of identity forgery before.

The introduction of electronic passports is also planned in Russia. It is known that such innovation may appear in the Russian Federation no earlier than 2021.

The Head of the hacker group Lurk accused the court of working for the CIA

The alleged leader of the hacker group Lurk Konstantin Kozlovsky accused the Chairman of the Court Larisa Shangina of working for foreign intelligence services. According to him, the actions of the Kirov District Court of Yekaterinburg threaten the constitutional system of the Russian Federation.

This week the Kirov District Court of Yekaterinburg began to reconsider the case of hackers from the group Lurk. The defendants Alexander Safonov and Konstantin Kozlovsky again announced that they worked for the Russian intelligence services.

In addition, the defendants petitioned for the removal of the President of the Court from the trial. According to Kozlovsky, his petition is due to the fact that the Court refused to close the process from journalists during the preliminary hearing in mid-May.

It is worth noting that this time journalists were again allowed into the courtroom for photo and video shooting.

"An open demonstration of this case may be associated with the incompetence or malicious intent of the judge in relation to the constitutional system of the Russian Federation," Kozlovsky said.

During the meeting Kozlovsky also stated that they have "technical evidence of very serious stories," and instructed that the meeting should be held behind closed doors "so as not to distort the information." According to him, the case contains important information that could damage the State security of the Russian Federation.

"We have serious technical evidence of very serious stories, and the wrong interpretation of journalists can damage the interests of Russia. There is evidence that Russia interfered in the US elections! Our arguments have not been studied. Maybe you're a CIA agent?" Kozlovsky said to the judge.

"I believe that the judge is an employee of foreign intelligence services," he added.

The judge answered to defend that "she is not a member of the foreign intelligence services", causing laughter in the courtroom, and retired to the Advisory room to consider the removal of the President of the Court. The petitions of the defendants were rejected after an hour break.

Ehackingnews.com has previously reported that (https://www.ehackingnews.com/2018/08/group-lurk-who-claims-to-have-hacked.html), in 2017, Kozlovsky took responsibility for hacking into the Hillary Clinton's Email accounts, servers of National Committee of the Democratic Party of the United States and Military Enterprises of the United States.

He claimed that he was recruited by FSB in 2008 and done various cyber attacks for a long time. He also mentioned that his supervisor was FSB major Dmitry Dokuchaev.

Recall that the theft of hacker group amounted to 1 billion 264 million rubles (19 million dollars). The most successful grouping operation occurred on February 29, 2016. 677.6 million rubles (10 million dollars) were withdrawn from the accounts of the Public Joint Stock Company "Metallinvestbank" with the help of fake details.

Microsoft Warns Users against BlueKeep RDP Flaw; Immediate Update Advised, Again!

Microsoft has beseeched its users all over again to get their systems updated because as it turns out hackers already have exploits of the BlueKeep RDP flaw, already.

The patch has been fabricated for the “wormable” BlueKeep Remote Desktop Protocol (RDP) vulnerability; therwise the hackers could easily perform a “WannaCry” level attack.

The first warning was sent by Microsoft on May 14 when they’d released a patch for another serious Remote Code Execution vulnerability, CVE-2019-0708.

Successful exploitation of this vulnerability leads to the hacker executing an arbitrary code on the windows machine and installing programs.

The term “Wormable” refers to the fact that any future malware exploits could contagiously spread from one system to another.

According to sources, this vulnerability is of pre-authentication type and needs no user interaction.

Any attacker who could easily exploit this vulnerability could install programs, edit, and view or delete data and even create new accounts with complete user rights.

Microsoft has a strong hunch that the cyber-cons already have fully developed plans for exploiting the aforementioned vulnerability.

More than a million PCs are susceptible to these wormable, BlueKeep RDP flaws.

A security researcher conducted RDP scan hunting for port 3389 used by Remote Desktop to find potentially and current vulnerable devices.

Major Anti-Virus brands such as Kaspersky, McAfee, Check Point and Malware Tech developed a Proof-of-Concept (PoC) that would use the CVE-2019-0708 to remotely execute the code on victim’s system.

So it happens, numerous corporate networks are under the threat and are still vulnerable more than individuals are as more systems are connected in a single network.

A single compromised system of a corporate network could put the entire organization and its systems in danger.

The compromised device could be used as a gateway and as it’s a “wormable” attack it could easily propagate across networks.

The most the users could do is keep their systems updated and their security as tight as possible as future malware could also try hacking back in.

Solutions

· Update systems as soon as possible

· Block Remote Desktop Services if they are not in use

· Block TCP port 3389 at the Enterprise Perimeter Firewall

· Apply the patch to the vulnerable systems and devices that have RDP enabled

Victoria health systems vulnerable to cyber attacks: Report

An audit by the office of the Auditor-General found patient data stored in Victoria's public health system is highly vulnerable to cyber-attacks, and many health agencies have low risk awareness of the security flaws.

The audit exploited weaknesses in four audited agencies and accessed patient data to demonstrate the multitude of risks to the security of patient data and hospital services.

The report found deficiencies in how health services manage user access to digital records, including unused and terminated employee accounts still enabled, and failure to keep user access forms as proof that users have had their access approved.

The work also uncovered a lack of any formal, regular user access review to ensure only staff who need access have it—only one audited health service was found to provide mandatory cyber and data security training to all staff.

“Given that staff actions can undermine ICT and physical controls, it is vital that all staff—including clinical staff—can identify and manage the risks to patient data,” the audit reported.

The report stated that Victoria’s public health system is “highly vulnerable” to the kind of cyber attacks recently a Melbourne-based cardiology provider, which resulted in stolen or unusable patient data and disrupted hospital services.

The audited health services are not proactive enough, and do not take a whole-of-hospital approach to security that recognises that protecting patient data is not just a task for their IT staff,” the report concluded.

The Auditor-General Andrew Greaves examined Barwon Health (BH), the Royal Children’s Hospital (RCH), and the Royal Victorian Eye and Ear Hospital (RVEEH), and also examined how two areas of the Department of Health and Human Services (DHHS), the Digital Health branch and Health Technology Solutions (HTS), are supporting health services.

“This weak security culture among government staff is a significant and present risk that must be urgently addressed,” the report said. “At one site, we accessed discarded, sensitive information too easily.

Matrimonial Sites an Easy and Fast Platform to Dupe Brides-To-Be

Cybercrimes are at a rise once again and this time it's the matrimonial sites turning into a rather easy platform for those out to dupe the brides-to-be.

The recent case of a Hyderabad based software engineer who in the hopes of finding an ideal counterpart for her on a rather well-known and popular matrimonial site wound up giving up Rs 30,000 to somebody impersonating an All India Institute of Medical Sciences (AIIMS) Doctor.

Neha Saxena, the victim, has lodged a complaint at the Cyber-Crimes police station against the individual who hoodwinked her, said that she had given him the cash supposing he was a surgeon at AIIMS. First it was Rs 30,000 on the 7th of March and then it was Rs 20,000 more on the 20th of March.

Alarmingly, this is a not an irregular case as cyber matrimonial fraud is on the quick ascend, much to the worry of the cops, as in the previous six months alone more than 100 such cases have resurfaced.

U Rammohan, SP, Digital Violations, CID, says "There was an instance where an employee of a star hotel, posing as an IIT graduate with a salary of Rs 50 lakh per annum, duped up to 11 women. However, only one woman was ready to lodge a complaint, which is also a reason for the lack of swift action,"

Top cybercrime specialists said that most women neglect to report such cases as they dread harm of their reputation. In many cases though, women are also subjected to physical molestation and in some the victim were contacted over telephone and hoodwinked citing to personal emergency even surgery in some instances.

By and large, as the police say the fraudsters use profile information of actual person to reach the victim to anticipate doubt and shockingly enough women also are into matrimonial fraud.

The cybercrime police of the city thusly caution the many individuals who are already registered on such sites advising them to stay wary and alert.

Big Bug Bounty Hunts by Cyber Giants Fetch Ethical Hackers Millions!

As a part of being more aware and secure in terms of cyber-crime and to stay clear off any possible hazards that may or may not come their way, organizations have started paying up millions to those people who find bugs in their systems.

Recently, a concerned cyber-space user received a message that allegedly said, “Hey, we’ve got some money for you. Do you want it?”

This message had come from Yahoo in response to a bug that the person had sent to the organization. As of now this bug-sending business has paid up a profit of $1.5m.

Yahoo like many companies pays up to people who find bugs and loopholes for them that could be potentially exploited by hackers or cyber-cons.

These ethical hackers sign-up with organizations like Bug Crowd, Synack, Hacker One etc. who conduct bug bounty programs on behalf of other organizations.

To participate in this, a person need not even have a profound knowledge of coding and other technical skills cited the aforementioned user.

However, he had always been a part of the security industry where he learned deeply about the protocols regarding the swapping of data.

Nevertheless, there is a substantially enormous difference between the way professionals work on cyber issues and the way beginners do.

It’s been long since people actually felt inclined towards working in the cyber security industry even if they weren’t getting paid much.

Earlier and even now to some remote extent there exists an underlying need for more professionally oriented skillful hands in the cyber-security industry.

Many countries have government funded educational schemes for school kids to help them have a sense of the cyber-security.

With 25,000 school children as their intake UK’s scheme, Cyber Discovery had a fabulous first year. It’s an initiative to let kids know that the daily work of pros is fun.

Participants get points when they complete each section and the top performers get to attend residential courses that help them get better.

The big bug bounty hunts could be a great way to attract the attention of young minds and help them get a taste of what defeating bad guys feels like.

Anyone who wished to enter in the big bug bounties should contemplate the fact that it requires a lot more than sheer luck to work as an actual cyber-security guy.

“Also, companies should have their own set of defenses set against the cyber cons rather than letting the bounty hunters know what the inner situation is.”, said a source.

Nonetheless, it should always be more about being a concerned citizen, trying to solve problems, and make a better and safe cyber-world.

GetCrypt Ransomware: Modus Operandi and Solutions

A new ransomware is in the dark market which encrypts all the files on the device and redirects victims to the RIG exploit kit. It’s being installed via “Malvertising” campaigns.

Securoty researchers found it while it was being installed by way of a RIG exploit kit in the “Popcash malvertising" campaigns.

First the victim is redirected to a page hosting the exploit kit, and then the malicious scripts on it would try to exploit vulnerabilities on the device.

If all goes well it will download and install GetCrypt into Windows.

How GetCrypt Works

Reportedly, when the exploit kit executes the ransomware, GetCrypt checks if the Windows language is set to Russian, Ukranian, Kazakh or Belarusian.

If so the ransomware immediately terminates and no encryption happens. If not, the ransomware examines the CPUID of the computer.

The Id is used to create a 4 character string which is used as an extension for encrypted files.

The four character extension that was created is appended while the files are encrypted. The files’ names are changed after they are encrypted

Later on the Shadow Volume Copies are cleared by running the vssadmin.exedeleteshadows/all/quiet command.

Then, the ransomware starts to scan the computer for the files to encrypt. No particular files types are targeted, except for files located under the following folders:

· :\$Recycle.Bin

· :\ProgramData

· :\Users\All Users

· :\Program Files

· :\Local Settings

· :\Windows

· :\Boot

· :\System Volume Information

· :\Recovery

· AppData

According to the sources, GetCrypt makes use of the Salsa20 and RSA-4096 algorithms for encryptions.

GetCrypt also creates a ransom note in each folder while it encrypts the files, named #decrypt my files#.txt

The aforementioned ransom note commands the victim to contact getcrypt@cook.li for payment instructions.

GetCrypt would also change the victim’s desktop background to an image with the ransom note written all over it which is stored at %LocalAppData%\Tempdesk.bmp

In addition to all the other things GetCrypt does, it will also try to encrypt files on network shares. When encrypting, it would also attempt to brute force the network account credentials.

It would use an embedded list of usernames and passwords to connect to the network shares using the WNetEnumResourceW function.

It could also try to brute force the credentials and mount them using the WNetAddConnection2W function.

Solution

All you need to get your files decrypted for free is an unencrypted copy of your encrypted file.

Simply download the decrypt_GetCrypt.exe program from the following link and save it on your desktop:

https://www.emsisoft.com/decrypter/getcrypt

Once downloaded, run the decryptor and select an encrypted file you wish to decrypt and its unencrypted version.

Click on the start button. The decyptor will now brute force your decryption key and VOILA! Your files will get decrypted.

Dharma: A Malicious Ransomware In The Skin of an Anti-Virus Software

A family of ransomware has been infecting organizations around the globe and now has a new trick up its sleeve. A file-locking malware is being distributed disguised as anti-virus software.

“Dharma” happens to be the name of the infamous ransomware which has been linked to tens of cyber-crime episodes.

Dharma’s "executive working team" is all about creating and fabricating state-of –the-art attacks that are lucrative to the highest extent.

And by way of the recent stunt they’ve pulled they stand a handsome chance of extorting ransom payments in exchange for decrypting files and locked networks on the Windows system.

Actually, the ransomware poses to be an anti-virus software and hence the users are tricked into downloading and installing it.

The attacks like many others begin with “phishing emails” that claim to be from Microsoft and stating that the victim’s PC is under some risk, threat or is corrupted.

Luring the user into downloading the anti-virus by assessing a download link, if the user goes through with it, two downloads are retrieved.

According to sources, they are Dharma ransomware payload and an old version of anti-virus software from cyber security company ESET.

After the self-extracting archive runs, Dharma starts the file encrypting process. The user is guided to follow the installation instructions for ESET AV remover.

The interface gets displayed on their desktop but still requires user interaction during the installation process all the while distracting the user from the actual con.

The victim would immediately be confronted with a ransom note, once the installation gets done with, demanding crypto-currency in exchange for unlocking the file.

Malware have usually been hidden under skins of actually legitimate applications and software, in the above scenario an official unmodified ESET AV Remover was made use of.

Any other potential application could be exploited and used in this way to fool the not so well cyber-educated and even tech savvy users.

The file-locking malware is relatively new in the market but powerful nonetheless and with the enhanced tendencies of tactic and work being done on it.

Various cyber-cons still try to upgrade old threats and make use of latest techniques to wreak as much havoc as possible.

Ransomware happens to be an especially costly and dynamic threat which could hit in more than one ways.

The only way to not fall prey to such devastating attacks is securing email gateways, embracing better cyber-security manoeuvres, backing up files and constantly patching and updating.

A Defensive Malware On The Cyber To-Do List of Japanese Government

Japanese government likes to stay ahead of disasters, be it natural or for that matter, cyber-crime related.

In the same spirit Japan’s Defense Ministry has decided to create and maintain cyber-weapons in the form of “Malware”.

The malware is all set to contain viruses and backdoors and would be the first ever cyber-weapon of Japan’s.

According to sources, it will be fabricated not by government employees but professional contractors tentatively by the end of this fiscal year.

The capabilities and the purpose or the way of usage hasn’t been out in the open yet.

Reports have it that the malware is just a precautionary measure against the attacker if in case the Japanese institutions are ever under attack.

As it turns out the malware is one of the endeavors of the Japanese government towards modernizing and countering China’s growing military threat.

The country also plans on widely expanding its reach into cyber battlefield (which is now an actual battle field) tactics.

Many major countries ambiguously have been using cyber weapons and now Japan’s next on the list.

The country’s government believes, being cyber ready and holding a major cyber-weapon in hand would keep countries that wish to attack at bay.

But as it turns out, this tactic hasn’t fared well with other countries as much as they’d like to believe.

This happens to be the second attempt at creating a cyber-weapon stash after 2012 which didn’t bear results like it should’ve.

Earlier this year the Japanese government passed a legislation allowing the National Institute of Information Communications Technology to hack into the citizens’ IoT devices using default or weak credentials during a survey of insecure Iot devices.

All this was planned to secure the Iot devices before the Tokyo 2020 Olympics to avoid Olympic Destroyer and attacks like VPNFilter.

So it turns out, that these efforts at strengthening the cyber game of Japan’s originate from the chief of Japan’s Cyber-security department who happens to not even OWN or USE a computer.

There are tens of thousands of cyber criminals in the world, says kaspersky

Russian experts from Kaspersky Lab, the company, specializing in the development of protection systems against computer viruses, spam, hacker attacks and other cyber threats, revealed the details of hackers. According to them, there are currently tens of thousands of cybercriminals on the Internet, of which at least 14 hacker groups specializing in certain groups of users and organizations are Russians.

According to experts, financial cybercriminals are the largest group. They attack banking infrastructure, business and individuals. There are several schemes giving the opportunity to withdraw funds from corporate accounts and go unpunished.

There are also a number of hacker groups developing phishing and spyware programs. They are the most technically equipped.

The drops, which are responsible for contacts with the physical world, risk more than others. Next in the list are botters, or operators, who remotely control malicious computer software.

"In total, there are several tens of thousands of hackers in the world who must be constantly trained. Inexperienced hackers can simply lose their jobs without new knowledge due to the active development of technology ", — said the experts of Kaspersky Lab.

Hackers mainly communicate among themselves in half-closed or closed forums. They have the opportunity to discuss, group and involve third-party experts to cooperate. Every day several dozens of new topics appear on such forums. An entry ticket to closed forums can be an entrance fee or recommendation from a hacker with a reputation. Top spyware developers usually ignore the forums. According to experts, only several hundred people in the world are in the highest category of hackers.

Hackers reportedly helped the daughter of a celebrity to win the show "The Voice Kids Russia"

A loud scandal occurred on the weekend at the Russian television program "Voice of Children". The reason is the final vote, as a result of which Mikella Abramova, the daughter of the famous Russian singer Alsu, won the final of the show with a huge difference of votes. The management of the First Channel Russia demanded a thorough investigation of the incident. Some stars of show business expressed that there was a falsification.

The experts believe that there are several possibilities why the daughter Alsu unexpectedly won with a huge margin, without being the favorite in the final. Experts do not exclude that there was a hacker attack.

Alsu's family decided not to comment on the incident until the results of the vote verification in the final of the show, which the First channel instructed to make an international company Group-IB, are announced. It is noteworthy that this company is an official partner of Interpol. It is known that the counting of votes took place automatically, so now there is a manual verification of each vote, which can take a long time.

A specialist in independent cybercrime investigations said that high-level hackers could substitute the final results of the vote or install an algorithm in the automatic vote counting system, according to which one vote was taken as several.

"It is quite easy to check, there will be a significant difference between the recorded votes and the controversial result. Also, insiders, who in their own interests influence the process, can conduct an attack,” the expert explained.

The expert noted that his colleagues will first analyze the electronic journals of the site to identify deviations. Moreover, manual cheating was used when interested people buy several SIM cards and send SMS in favor of the desired people. The specialist stressed that they need more time and court permission to check this method of fraud.

According to the expert, the second possibility why the daughter Alsu unexpectedly won the show, is the mistakes of the voting system. The expert does not completely exclude the second possibility because from time to time there are news that bugs were discovered on the websites of law enforcement agencies. And not so long ago, students found a vulnerability in the ambulance substation program.

Attackers Exploiting Oracle Weblogic Server Vulnerability to Encrypt User Data

In order to install a new variant of a malware known as "Sodinokibi", con men are taking advantage of the remote code execution vulnerability in Oracle Weblogic Server.

The vulnerability which has been recently discovered on versions
10.3.6.0, 12.1.3.0 of Oracle WebLogic Server, allows people with HTTP access to execute the attack without any verification.
Reportedly, a patch has been issued by the computer sofyware company on April 26.

The foundation of the attacks was laid around April 25 and it was on the next day, i.e., April 26, the hackers secured connections with multiple HTTP servers which were vulnerable, as per the findings of Talos Investigation.

The vulnerability has been exploited by the hackers to download the malware copies from servers administered by con men and to corrupt various legitimate sources and make alterations to repurpose it.

“Cisco IR Services and Talos observed the attack requests originating from 130.61.54[.]136 and the attackers were ultimately successful at encrypting a number of customer systems.”

How does the ransomware infects?

It begins with the HTTP POST request which carries certutil command to execute the infectious files upon downloading.

As soon the malicious process starts, it triggers the vssadmin.exe utility, which on being executed assists Windows in generating some sort of backup, either automatic or manual.

After this, the ransomware attempts to hinder the recovery process by terminating backup mechanism.

Users can reach the security alert posted by Oracle and are advised to fix the forementioned (CVE-2019-2725) vulnerability.

Justdial Smacked By a Subsequent Security Breach in Two Weeks; Poor OpSec To Blame!

Justdial is a renowned Indian hyper-local search engine which recently became prone to two security breaches in the span of two weeks.

Only a few weeks ago, the database of all the customers of Justdial was laid bare on the dark web and now the reviewers’ data got on the line.

The company that has beyond 134 million QUA can’t afford to make such reckless mistakes.

April 18^th saw the private data including names, addresses, email IDs etc. of over 100 million users which was stored in the search engine’s database to be laid out in the open.

The organization owed the breach to an expired API which allowed anyone to access the data of users. Major percentage of the affected included the hotline number users.

Security researchers were the first to discover the breaches that so thrashed Justdial. They also cited that no specific actions against them were taken.

These claims were denied by Justdial mentioning that the data was stored in a double-encrypted format.

The same group of researchers again found out a lacuna in the API of Justdial on April 29^th.

Herein the people who post reviews were harmed in the form of their data being exposed.

Reportedly, the API connected to Justdial’s reviewers’ database had been unprotected since the company’s foundation.

Hence, the reviewers’ names, mobile numbers, locations and all became easily accessible thanks to the loophole.

But this issue was immediately fixed, according to the reporters.

No matter what happened, the unprotected database and the loophole contributed largely to the data breaches.

Justdial employs a humongous database and hence has large number of data stored within it.

Weak API and poor “Operation Security” is majorly to blame for all the breaches Justdial saw in these couple of weeks.

According to security researchers, API handlers and managers should be employed. Also easily implemented software switch could help in protecting the access points.

Also the first breach should have been taken seriously and used as a means of learning to help secure the system from future attacks.

It is evident that the company needs to strengthen their operational security and up their game in terms of securing the present loopholes and possible lacunae.