Search This Blog

Showing posts with label FBI. Show all posts

The Council of the EU and Its First-Ever Sanctions against Persons or Entities Involved in Various Cyber-Attacks



The Council of the European Union imposed its first-ever sanction against persons or entities engaged with different cyber-attacks focusing on European citizens and its member states. 

The sanctions imposed include a ban for people traveling to any EU nations and a freeze of assets on persons and entities. 

The order has been issued against six individuals and three entities liable for or associated with different cyber-attacks. Out of the six individuals sanctioned they include two Chinese citizens and four Russian nationals. 

The companies associated with carrying out these cyber-attacks incorporate an export firm situated in North Korea, and technology companies from China and Russia.

The entities responsible for or engaged with different cyber-attacks incorporate some publicly referred to ones as 'WannaCry', 'NotPetya', and 'Operation Cloud Hopper,' just as an endeavored cyber-attack against the organization for the prohibition of chemical weapons.




As per the European Council, the detailed of these persons or entities are: 

 1. Two Chinese Individuals—Gao Qiang and Zhang Shilong—and a technology firm, named Tianjin Huaying Haitai Science and Technology Development Co. Ltd, for the Operation Cloud Hopper. 

 2. Four Russian nationals (also wanted by the FBI) — Alexey Valeryevich, Aleksei Sergeyvich, Evgenii Mikhaylovich, and Oleg Mikhaylovich—for attempting to target the Organisation for the Prohibition of Chemical Weapons (OPCW), in the Netherlands. 

 3. A Russian technology firm (exposed by the NSA) — Main Centre for Special Technologies (GTsST) of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation—for the NotPetya ransomware attack in 2017 and the cyber-attacks directed at a Ukrainian power grid in the winter of 2015 and 2016. 

 4. A North Korean export firm — Chosun Expo, for the WannaCry ransomware attack that made havoc by disrupting information systems worldwide in 2017 and linked to the well-known Lazarus group. 

The Council says, “Sanctions are one of the options available in the EU's cyber diplomacy toolbox to prevent, deter and respond to malicious cyber activities directed against the EU or its member states, and today is the first time the EU has used this tool." 

As indicated by the European Union, the two Chinese nationals who carried out Operation Cloud Hopper are members from the APT10 threat actor group, otherwise called 'Red Apollo,' 'Stone Panda,' 'MenuPass' and 'Potassium.' 

On the other hand, the four Russian nationals were agents of the Russian Intelligence agency GRU who once expected to hack into the Wi-Fi network of the OPCW, which, if effective, would have permitted them to compromise the OPCW's on-going investigatory work.

New Network Protocols Abused To Launch Large-Scale Distributed Denial of Service (DDoS) Attacks


The Federal Bureau of Investigation issued an alert just the previous week cautioning about the discovery of new network protocols that have been exploited to launch large-scale distributed denial of service (DDoS) attacks. 

The alert records three network protocols and a web application as newfound DDoS attack vectors.  

The list incorporates CoAP (Constrained Application Protocol), WS-DD (Web Services Dynamic Discovery), ARMS (Apple Remote Management Service), and the Jenkins web-based automation software. 

Three of the four (CoAP, WS-DD, ARMS) have just been exploited in reality to launch monstrous DDoS attacks, the FBI said dependent on ZDNet's previous reporting. 


 COAP 

In December 2018, cyber actors began exploiting the multicast and command transmission features of the Constrained Application Protocol (CoAP) to lead DDoS reflection and amplification assaults, bringing about an enhancement factor of 34, as indicated by open-source reporting. 


WS-DD 

In May and August 2019, cyber actors abused the Web Services Dynamic Discovery (WS-DD) convention to launch more than 130 DDoS attacks, with some reaching sizes of more than 350 Gigabits for every second (Gbps), in two separate influxes of attack, as indicated by open-source reporting. 


ARMS 

In October 2019, cyber actors abused the Apple Remote Management Service (ARMS), a part of the Apple Remote Desktop (ARD) feature, to lead DDoS amplification attacks, according to open-source reporting. 


JENKINS 

In February 2020, UK security researchers identified a vulnerability in the inherent network discovery protocols of Jenkins servers-free, open-source, automation workers used to help the software development process that cyber actors could exploit to conduct DDoS amplification attacks - as indicated by open-source reporting. 

FBI officials believe that these new DDoS threats will keep on being exploited further to cause downtime and damages for the 'foreseeable future'. 

The reason for the alert is to warn US companies about the 'imminent danger', so they can put resources into DDoS mitigation systems and create partnerships with their internet service providers to quickly respond to any attacks utilizing these new vectors. 

As of now, these four new DDoS attack vectors have been utilized inconsistently, however, industry specialists anticipate that them to become widely abused by DDoS-for-hire services.

BEC Scams Cost American Companies Billions!


Business Email Compromise (BEC) scams have surfaced among several US companies and have caused them damage costing along the lines of Billions, mentions a warning of the Federal Bureau of Investigation.

Per sources, BECs are “sophisticated scams” aiming at businesses involving electronic payments encompassing “wire transfers or automated clearing house transfers”. Usually, these scams include a cyber-con penetrating a legitimate business email account via device intrusion procedures.

Once the access has been acquired, the cyber-con is free to deceitfully dive into the email account to obtain funds by sending emails to suppliers, loaded with invoices of modified bank account details.

The hit list mostly consists of organizations that employ cloud-based email services, which makes it easier to go for Business Email Compromise (BEC) scams.

Per FBI, specially engineered “phish kits” with the ability to impersonate the cloud-based email services are used to prompt these scams only to exploit the business accounts and request or mi-sallocate funds.

Sources mention that the Internet Crime Complaint Center (IC3) received numerous complaints over the past years about companies having experienced damages amounting to a couple of Billions in “actual losses” as a result of the BEC scams.

The IC3 focused their attention on the BEC scams right after their number began to multiply rapidly across all the states of America.

The issue allegedly stands in the configuration of the cloud-based services which makes it almost effortless for cyber-criminals to exploit the company’s email accounts.

Obviously most cloud-based services are laden with security measures that intend to block all the BEC attempts. But that depends on the ability of the users to make good use of them. The maximum of these features needs to be enabled and manually configured.

Per sources, what makes these scams dangerous is that any organization, big or small, with kerbed IT resources is vulnerable.

The cyber-cons in addition to having control over the email accounts, usually also retrieve the address books of the exploited accounts to have a list of potential targets. Hence, a single bad apple could affect the entire basket, meaning a single affected organization could have ramifications for the entire business industry.

Russian-Based Online Platform Taken Down By the FBI


The Federal Bureau of Investigation as of late brought down the Russian-based online platform DEER.IO that said to have been facilitating different cybercrime products and services were being sold according to announcements by the Department of Justice.

The Russian-based cyber platform known as DEER.IO has for quite some time been facilitating many online shops where illicit products and services were being sold.

A little while back, there happened the arrest of Kirill Victorovich Firsov as revealed by authorities, he was the supposed main operator behind Deer.io, a Shopify-like stage that has been facilitating many online shops utilized for the sale of hacked accounts and stole user data. Convicts ware paying around $12/month to open their online store on the platform.

When the 'crooks' bought shop access through the DEER.IO platform, a computerized set-up wizard permitted the proprietor to upload the products and services offered through the shop and configure the payment procedure by means of cryptocurrency wallets.

Arrested at the John F. Kennedy Airport, in New York, on Walk 7, Firsov has been arrested for running the Deer.io platform since October 2013 and furthermore publicized the platform on other hacking forums.

“A Russian-based cyber platform known as DEER.IO was shut down by the FBI today, and its suspected administrator – alleged Russian hacker Kirill Victorovich Firsov – was arrested and charged with crimes related to the hacking of U.S. companies for customers’ personal information.” - the official statement distributed by the DoJ.

While Feds looked into around 250 DEER.IO stores utilized by hackers to offer for sales thousands of compromised accounts, including gamer accounts and PII documents containing user names, passwords, U.S. Social Security Numbers, dates of birth, and victim addresses.

A large portion of the casualties is in Europe and the US. The FBI agents effectively bought hacked information from certain stores facilitated on the Deer.io platform, offered data were authentic as indicated by the feds.

When asked to comment for the same FBI Special Agent in Charge Omer Meisel states, “Deer.io was the largest centralized platform, which promoted and facilitated the sale of compromised social media and financial accounts, personally identifiable information (PII) and hacked computers on the Internet. The seizure of this criminal website represents a significant step in reducing stolen data used to victimize individuals and businesses in the United States and abroad.”

The FBI arrested a Russian associated with Deer.io


The Federal Bureau of Investigation arrested a Russian citizen who allegedly supported the sale of hacked accounts and personal data of Internet users. The arrest occurred at the John F. Kennedy Airport.

"We received information from American law enforcement agencies that he was detained on March 7. He is in New York now in a Manhattan detention center," said Alexei Topolsky, a spokesman for the Russian Consulate.

According to him, the initial initiative for the arrest comes from the San Diego FBI. The Russian has not yet contacted the Consulate.

According to the FBI, Mr. Firsov managed the platform Deer.io where online stores engaged in illegal activities were located. The arrest warrant indicates that Firsov took part in the work Deer.io since its launch (October 2013).

According to the prosecution, Firsov is the administrator of this platform, which is located in Russia and provides an opportunity for criminal elements to sell their "products and services". The prosecution claims that the platform is selling the hacked American and international financial and corporate information, personal data, stolen accounts of many American companies.

The prosecution said that a cybercriminal who wants to sell contraband or offer criminal services through the platform can do it for $12 a month. The monthly fee is paid in bitcoins or via a number of Russian payment systems, such as WebMoney. According to Firsov, more than 24 thousand stores worked on the site, which brought in more than $17 million.

American law enforcement officers opened a criminal case, according to which Deer.io almost completely used for cybercrime purposes. FBI found stores on the Firsov site that sell access to hacked accounts, servers and personal data of users.

The Bureau said that Kirill Firsov was aware of who uses his platform, and more than once advertised Deer.io on cybercrime forums.

Website Puts 12 Billion User Records Up For Sale and Gets Seized By US Authorities


Are you fond of buying stolen'/leaked data? Because, one such domain, named ‘WeLeakInfo.com’ recently got seized by the US authorities.

WeLeakInfo, with its absolutely convenient name, had been selling stolen data from other hacked websites, online for the past three years.

The website provided an online service where hacked data was made available to people willing to pay for it.

Per sources, hackers were made available people’s “cleartext passwords” which aided them to purchase a subscription on the site in order to attain access to tons of user credentials.

Apparently, this illegal website was doing so well that it had gotten quite a popular fan-base for itself in the hacking “underworld”.

Reportedly, people were even providing them with consignments to execute recon on targeted individuals and organizations alike.

The modus operandi was in the way, that hackers would buy access to the site. They’d then search for names, emails and usernames of people they want to hack. The site would come up with results in the affirmative as to in which data breaches exactly were the required user’s data available.

The hackers would then have complete access to people’s passwords which they could easily run against that person’s other online profiles as well.

The cost of the website was incredibly low making it easily accessible to all sorts of hackers of all sorts of abilities and financial attributes.

Reportedly, for a lowly amount of $2/day hackers could fully wring the website for unlimited searches for any user’s data which was ever in a data breach.

During the silence before the storm period, WeLeakInfo was proudly flaunting on its website its expanded network of over 12 billion user records owing it to more than 10,000 data breaches, reports mentioned.

The storm hit and WeLeakInfo got taken down together by FBI, authorities from the Netherlands, Northern Ireland, the UK, and Germany.
Also, per sources, two arrests were made in the Netherlands and Northern Ireland each. Reportedly, the arrested suspects are allegedly staff members of the site.

After the US authorities took down “LeakedSource” in February 2017, “WeLeakInfo happens to be the second most major website to go down the same drain.

There still exist several websites that are providing people access to stolen data especially cleartext password, as you read this.

Per sources, similar websites, allegedly by the name of “Detached”, “Leak-Lookup” and “Sunbase” have been created on the model of a website “Have I Been Pwned” which is a website created by Australian researchers, per reports.

The model of the three websites and “Have I Been Pwned” may be the same but the latter never permits access to cleartext passwords.

Department Of Homeland Security Monitoring the Apparent Hack of a Government Website


The Federal Depository Library Program website, run by the Government Publishing Office recently fell victim to a hacking operation being referred to as "defacement" by a senior administration official.

The website makes federal government records and data accessible to the public, including an image that is speculated to have been the reason behind the hack. The website is offline and the Department of Homeland Security is now monitoring the whole situation.

Gary Somerset, the chief public relations officer for the US Government Publishing Office says, "An intrusion was detected on GPO's FDLP website, which has been taken down. GPO's other sites are fully operational. We are coordinating with the appropriate authorities to investigate further,"

Despite the fact that the authorities didn't comment on who could be behind the hack, the site on the fourth of January displayed a picture of President Donald Trump bleeding from his mouth with an Islamic Revolutionary Guard fist in his face.


The picture showed up alongside the claim that is a message from the Islamic Republic of Iran, and that the webpage was "Hacked by Iran Cyber Security Group Hackers." The text is in Arabic, Farsi, and English and passes on a message of support for "oppressed" people in the Middle East.

While Sara Sendek, a spokesperson for DHS's Cybersecurity and Infrastructure Security Agency further added, "We are aware the website of the Federal Depository Library Program (FDLP) was defaced with pro-Iranian, anti-US messaging. At this time, there is no confirmation that this was the action of Iranian state-sponsored actors. The website was taken offline and is no longer accessible. CISA is monitoring the situation with FDLP and our federal partners."

According to sources, the FBI is yet to comment on the matter.

FBI issues warning against dating sites




An intelligence and security service of the United States has issued a warning for its people to be wary of "confidence/romance scams," after the Bureau saw a 70% annual rise in fraud cases.

The Federal Bureau of Investigation found an exponential increase in the cases where dating sites are used to trick people into money scams, sometimes victims were asked to send money or buy expensive gift items for people met online. 

In 2018 alone more than 18,000 complaints were registered and the total monetary loss was more than $362 million.

The warning issued by the FBI warns actors, "often use online dating sites to pose as U.S. citizens located in a foreign country, U.S. military members deployed overseas, or U.S. business owners seeking assistance with lucrative investments."

Crimes like these target people from all age group, but elderly women—especially those widowed—are especially vulnerable.

The U.S. Department of Defense also issued a warning about "online predators on dating sites claiming to be deployed, active-duty soldiers."

According to the U.S. military, there are now "hundreds of claims each month from people who said they've been scammed on legitimate dating apps and social media sites—scammers have asked for money for fake service-related needs such as transportation, communications fees, processing, and medical fees—even marriage."

The Ukrainian Security Service and the FBI eliminated a powerful hacker group


Previously, Ehacking News reported that on July 16, it became known that the Ukrainian Security Service and the FBI detained hackers controlling 40% of the Darknet. Since 2007, members of the group have provided hackers and criminals from around the world access through Ukrainian networks in the Darknet.

Intelligence service established that the organizer of the group is the citizen of Ukraine, a resident of Odessa Mikhail Rytikov (Titov). He got serious about hacking in Moscow in the mid-2000s. In 2007, he began to provide services to hackers around the world through Ukrainian networks, carefully hiding the actual location of his equipment. From time to time, Ukrainian, Russian, and American law enforcement officers found the equipment, confiscated it, but the hacker group soon resumed its activities.

It turned out that about 10 accomplices were under command of Ukrainian hacker, as well as dozens of intermediaries in different countries and thousands of customers. Among them, for example, Eugene Bogachev, the developer of the virus ZeuS, who is wanted by the FBI.

It is established that Rytikov sold his services through closed hacker forums and specialized web resources, claiming that his server equipment is located in data centers in Lebanon, Iraq, Iran, Germany, Panama, the Netherlands, Belize, Russia. In fact, the equipment was located near Odessa, in one of the unfinished houses. The room was equipped with secret telecommunication channels and even had its own elevator.

“Nearly one hundred and fifty servers were seized during the authorized investigative actions on the territory of a private house with a hidden data center with a backup autonomous power supply, security and powerful Internet access channels. Thousands of hacker resources were placed on them, some remained encrypted, many were set up in such a way as not to keep traces of criminal activity”, said the acting Head of the Cyber Security Department of SBU (the Ukrainian Security Service) Nikolay Kuleshov.

According to law enforcement officers, they seized 146 servers for hundreds of terabytes of illegal information. The total cost of the equipment, a powerful electric generator, construction and home improvement, agreements with power engineers on a dedicated electric line is estimated at 700 thousand dollars. Only one generator could cost about 150 thousand dollars. The data center could work for a long time even in the absence of electricity.

It’s interesting to note that among the crimes committed with the participation of Rytikov, law enforcement officers distinguish the spread of malicious software ZeuS, which was used to steal financial, the case of hacking the NASDAQ exchange, called "the greatest fraudulent scheme of this type ever implemented in the United States."

US Senator Chuck Schumer urges FBI to investigate FaceApp




Senate Minority Leader Chuck Schumer has suggested for an investigation into FaceApp, citing its privacy concern and fear over data transfer to the Russian government.

In a letter posted on Twitter, Mr. Schumer called the FBI and Federal Trade Commission to investigate the popular app. 

"I have serious concerns regarding both the protection of the data that is being aggregated as well as whether users are aware of who may have access to it," his letter to FBI Director Christopher Wray and FTC Chairman Joseph Simons.

‘’Furthermore, it is unclear how long FaceApp retains a user’s data or how a user may ensure their data is deleted after usage. These forms of “dark patterns,” which manifest in opaque disclosures and broader user authorizations, can be misleading to consumers and may even constitute a deceptive trade practice.’’

‘’In particular, FaceApp’s location in Russia raises questions regarding how and when the company provides access to the data of U.S. citizens to third parties, including potentially foreign governments,’’ the letter reads.

However, the app makers have previously denied the allegations. 

In the meantime, the Democratic National Committee has reportedly warned all its 2020 presidential candidates and their campaigners not to use the app. 

"It's not clear at this point what the privacy risks are, but what is clear is that the benefits of avoiding the app outweigh the risks," security officer Bob Lord reportedly told the staff.


In between all the controversies, the company has more than 80 million active users.

US issues warning against malware 'Electricfish' linked with North Korea








The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have issued a joint security warning about a new malware called "Electricfish,’’ which is allegedly linked to a state-sponsored North Korean cyberattack group.

The investigators uncovered the malware while they were tracking the activities of Hidden Cobra, it is believed that the group is sponsored by the North Korean government. 

The warning released by the US Computer Emergency Readiness Team on Thursday says that the malware is a 32-bit Windows executable program. After reverse engineering the sample, the malware was found to contain a custom protocol which permits traffic to be funneled between source and destination IP addresses.

‘’The malware implements a custom protocol that allows traffic to be funneled between a source and a destination Internet Protocol (IP) addressaa. The malware continuously attempts to reach out to the source and the designation system, which allows either side to initiate a funneling session.’’

‘’The malware can be configured with a proxy server/port and proxy username and password. This feature allows connectivity to a system sitting inside of a proxy server, which allows the actor to bypass the compromised system’s required authentication to reach outside of the network,’’ read warning. 


The whole list of Indicators of Compromise (IOC) for Electricfish can be downloaded here

World’s largest dark web marketplace shut down by authorities








In a joint operation between European and U.S. authorities servers of the major dark web marketplaces Wall Street Market and Valhalla has been seized in Germany and Finland, and its operators have been arrested from Germany, the U.S. and Brazil.

Both platforms were highly popular for peddling unlawful goods with over 1 150 000 and 5 400 vendors.  The Wall Street market was the second largest dark web marketplace that could be accessed via the Tor network.

The German authorities have arrested three suspects and have “seized over €550 000 in cash, alongside cryptocurrencies Bitcoin and Monero in 6-digit amounts, several vehicles and other evidence, such as computers and data storage.” 

“These two investigations show the importance of law enforcement cooperation at an international level and demonstrate that illegal activity on the dark web is not as anonymous as criminals may think,” said Europol’s Executive Director, Catherine De Bolle.

“Europol has established a dedicated Dark Web Team to work together with EU partners and law enforcement across the globe to reduce the size of this underground illegal economy.”


On dark web vendors could sell almost anything, from drugs to malware. You can also find out forged documents and cryptocurrencies. 

‘Plane hacker’ says “I got bored, so I hacked NASA”


A hacker who is notoriously believed to be involved in several plane hacking revealed that he hacked the famous U.S space agency NASA just because he was bored.

During Digital Age Summit in Istanbul, Roberts spoke to  Anadolu Agency (AA) and said he enjoyed exploiting the vulnerabilities in  cyber securities from big institutes like NASA.

He said, "We have found that the communication security between the satellite and land systems is not well encrypted. We were able to access the system by passing NASA's International Space Station access control measures," .

Roberts Stressed that there are no unbreakable systems, and the transport companies should take serious steps to protect their networks from being hacked as suggested by “Good hackers”.

There was an investigation on Roberts by  Federal Bureau of Investigations (FBI) in 2015 for the suspected hacking of an airplane’s computer system via in-flight wireless Internet

In a search warrant provided by Federal Bureau Of Investigation(FBI) to the federal court,the FBI stated that Roberts had admitted of hacking entertainment systems on flight through in flight internet almost 15 and 20 times between the years 2011 and 2014
In an affidavit Roberts claimed that through in flight hacking he had accessed the controls of the flight and  caused planes to drift sideways.
However Roberts, who is also popularly  known as “Plane Hacker” insists that he did all the hacking just for showing the vulnerabilities in systems available in aviation industry.

Digital Grenades Implanted In Industrial Networks




Industrial digital sabotage is an on-going yet an unyielding growing concern to the United States, particularly after the US spearheaded the utilization of cyber weapons when it shattered Iran's nuclear centrifuges in 2010.

The weapon, as per the experts is known to turn off power grids, derail trains, cause offshore oil rigs to list,  transform petrochemical plants into bombs and close down factories.

The federal authorities have, twice in two months, issued open alerts, better known as public warnings that remote hackers are seeking for different ways to penetrate the U.S. electric grid and different parts of the national critical foundation. With the sole intent of embedding digital grenades that are lethargic until the point that the hacker's sponsor considers it to.

 Md., author and CEO Robert M. Lee of Dragos, a modern cyber security firm in Hanover with his researchers chart the exercises of remote hacking groups plotting industrial damage. They say hackers are growing new, more complex, cyber weapons at an animating pace, and are becoming bolder simultaneously.

"My Intel team is tracking eight different teams that are targeting infrastructure around the world, what we're seeing almost exclusively maps to nation states and intelligence teams,..” says Lee, 30, who put in five years working at the National Security Agency and the Pentagon's Cyber Command before forming his own organization three years prior.

Director of National Intelligence Dan Coats, in his yearly evaluation to Congress in February said that Russia, China, Iran and North Korea represent the greatest cyber danger to the United States. Paul N. Stockton, a former assistant secretary of defence for homeland security who is currently managing chief of Sonecon LLC, an economic and security advisory firm in Washington says that,

"Adversaries want to hold our infrastructure at risk. They are seeking to establish persistent, sustained presence in infrastructure networks. They are preparing the battlefield today so that if needed they can attack in the future,"

U.S. what's more, Israeli cyber warriors pioneered the trail on the industrial cyber damage when they utilized the Stuxnet digital worm to cause axes at Iran's Natanz nuclear facility to spin out of control and thus break, perpetrating a noteworthy mishap on Iran's endeavors to enhance uranium to control nuclear weapons and reactors.

Lee says that Dragos has identified signs that the hacking group is working far outside of the Middle East, their underlying target, and have focused on various types of safety systems.

Indeed, even last October, the Department of Homeland Security and the FBI issued an alert that foreign hackers had focused on "vitality, water, avionics, atomic, and critical manufacturing divisions." Private cyber security organizations, like the FireEye, a Milpitas, Calif., cyber security company that additionally explored the Triconex attack, pointed the finger at North Korea for the probing.

Presently while a limited local outage could caution citizens, Lee is unmistakably worried about the hitting gas pipelines, petrochemical plants, transportation systems and high-end manufacturing plants also including pharmaceutical organizations.

With respect to the United States' part, the Pentagon's Cyber Command has hostile digital weapons equipped for wreaking annihilation on an adversary country, U.S. authorities say yet it hasn't offered a show of its quality since hitting Iran in 2010. Furthermore, advisors like Stockton say U.S. ventures must plan versatility despite cyber-attack, giving remote countries a chance to soak in stress over what comes next.


Hacker Group threatens students and schools

According to a warning issued by the Cyber Division of the FBI and the Department of Education's Office of the Inspector General on 31 January, a hacker group called “TheDarkOverlord” (TDO) has tried to sell over 100 million private records and as for January, is responsible for over 69 attacks on schools and other businesses.

TDO is also allegedly responsible for the release of over 200,000 records including the PII of over 7,000 students due to nonpayment of ransoms.

The warning describes the group as “a loosely affiliated group of highly trained hackers” who, since April 2016, have “conducted various extortion schemes with a recent focus on the public school system.”

The warning says that TDO uses remote access tools to breach school district networks and steal sensitive data, which they then use to extort money from its victims, including students.

According to the report, TDO has also threatened violence in case of failure to meet demands.

Initially, TDO communicated their demands via email with threats of publicly releasing stolen data, but the warning notes that in September 2017, “TDO escalated its tactics by threatening school shootings through text messages and emails directed at students, staff, and local law enforcement officials.”

This caused several schools to shut down for few days as a precaution.

TDO was allegedly connected to multiple threats of violence on school campuses, however, the report says that while these threats caused panic, they “provided TDO with no apparent monetary gain.”

In a recent incident, TDO threatened to publicize the sensitive behavioral reports and private health information of students.

The FBI also recommends that victims do not give in to the ransom demands, as it does not guarantee regaining access to sensitive data. Rather, they advice to contact law enforcement, retain the original emails as evidence, and maintain a timeline of the attack, if possible.

Silk Road taken down by FBI

Notorious online marketplace "Silk Road" has been taken down by the FBI and the owner "Ross Ulbricht" a.k.a (Dread Pirate Roberts) has been arrested . Proving that "Perfect security is impossible"

He has been charged with  conspiracy to traffic narcotics, conspiracy to hack computers, and conspiracy to launder money.

The website now shows a "This Hidden Site Has Been Seized" message





Silk Road was the drug dealing website in the world .It used the "TOR hidden network" to hide itself and its users.It seems Ross Ulbricht was caught due to his own mistakes and NOT due to a vulnerability in the TOR network.


This site had been a major point used lawmakers and politicians to try to curtail the growth of the TOR
 network.And now the recent actions by the FBI against many hidden sites in the TOR network is indeed a very big setback for it.

All the transactions in silkroad were done using Bitcoins and since the news of Ross Ulbricht's arrest bitcoin value has dropped quite a bit (Due to paranoid selling). But this is just the currency stabilizing itself, when it stabilizes BTC value will rise again. And the removal of association from such illigal market places might actually be a good thing for bitcoins.

Ross Ulbricht's LinkedIn Profile:http://www.linkedin.com/in/rossulbricht
Full Arrest Warrant: http://www1.icsi.berkeley.edu/~nweaver/UlbrichtCriminalComplaint.pdf
Full Details on how he was caught: https://medium.com/p/d48995e8eb5a



Note: I Will update as the story develops . You can tweet me at @SuriyaME   if you have something to add to this article. 

Almost Half of Tor sites compromised by FBI [Exclusive details]

As many of you might know the US has been pushing for the extradition of Eric Eoin Marques who an FBI agent has called as "the largest facilitator of child porn on the planet."

But most of you might not know that he is also the owner of "freedom hosting" the largest hosting provider for .onion sites within the TOR network . This means that all the sites hosted by "freedom hosting" are at the hands of the FBI. As you can see from the above linked article freedom hosting has been accused of hosting child pornography for a very long time.

I also have a fair idea on how the FBI did the "impossible", tracing a person who is using Tor.And they further might have found details on all the people visiting sites hosted by freedom hosting. First have a look at what a person posted on pastebin on Aug 3rd http://pastebin.com/pmGEj9bV he says he found this code in the main page of "freedom host" this further links to this exploit http://pastebin.mozilla.org/2776374 .





This is my analysis of the exploit ( I have not looked into it deeply as I am busy with my exams)
1. It is a 0 day for the Firefox version that comes as default with the "TOR Browser Bundle"
2. The code says "version >=17 && version <18" checks if the browser is the right version that the exploit works on .

It also has an another check
var i = navigator.userAgent.indexOf("Windows NT");
        if (i != -1)
                return true;
        return false;




3.It also manages to gather the Real IP of the user and possibly execute a malicious payload that might give the attacker full access to the system.
4. This exploits works because the people at TOR project had made it such that Javascript is loaded by the built in browser by default (this was not the case before and people who had their "no script" plugin with proper setting "disallowed" are safe)
5.Please note that is NOT a zero day for the TOR network but rather an exploit for the Firefox version that most TOR users are running.

Tor's official reply: https://blog.torproject.org/blog/hidden-services-current-events-and-freedom-hosting


Though the action's done by the FBI to take down child pornography in the TOR network is appreciated by all of us, many of the legitimate sites hosted by freedom hosting are also down .They should make sure that what they do does not kill the freedom and anonymity that the TOR network stands for.


Edit 1: Here are a few other deeper analysis I found --> http://pastebin.mozilla.org/2777139 , http://tsyrklevich.net/tbb_payload.txt

PS: If you have anything more that you would like to be added to this article or any corrections you can contact me on Twitter https://twitter.com/SuriyaMe