SGS Servers Compromised In a Data Leak; Customers in Jeopardy!



Firms including MG Motors, Shell India and Daimler India Commercial Vehicles were put in jeopardy when the servers of SGS Group were compromised.

The private data stored on those servers was put up for sale for a mere $10,000 on the ‘Dark Web’ or on private internet forums.

Per sources, the data includes quality reports of a few very prominent oil and gas firms and truck manufacturers.

The firm in question said that the leak has been plugged, the anomalies have been corrected and all possible measures have been taken. The clients have also been informed.

The firm’s Korean division, which holds over 6,000 reports, and its French division were also attacked, exposing thousands of users’ data and test reports of its clients.

The compromise of the SGS servers is likely to have quite a financial impact on its clients and customers.

“The SGS company servers have laid bare legitimate reports and it’s bound to have serious implications as hackers have all the access to the kind of files on the DarkWeb”, said J Prasanna, CEO, Cyber Security and Privacy Foundation Pte Ltd, Singapore.

According to him, the situation clearly points to the actual storage devices being compromised.

The firms concerned were asked about the damage, to which Shell replied that it is strongly focused on ensuring high standards for its customers.

JPMorgan hacker to plead guilty next week in New York




Russian hacker Andrei Tyurin, one of the key suspects in the enormous JPMorgan Chase hack of 2014, is set to plead next week in New York.

He was one of several people charged in the case in 2015, and was at large until Georgian officials caught hold of him a year ago. Gery Shalon, the supposed instigator of the conspiracy, was arrested in Israel in 2015 and handed over to the US as he has allegedly been in touch with American authorities.

During Tyurin's first New York court appearance, it was suggested that his associations in the criminal world might enable specialists to examine Russian efforts to disrupt the 2016 US presidential election through cyber-attacks and hacking.

Tyurin first appeared in a US court in September of the previous year, after he was handed over by the Republic of Georgia, and pleaded not guilty to charges including hacking, wire fraud, identity theft and conspiracy.

Since then, various hearings in his case have been cancelled as prosecutors and defence attorneys worked towards an agreement, and just last week the Manhattan US attorney's office sought to consolidate his New York case with one in Atlanta, in which he is one of the few accused of hacking E*Trade.

Kraken Bug: Traders Buy Bitcoins and Sell Them For Almost Double?



Kraken, the world’s oldest crypto-currency exchange, recently revealed that a bug allegedly allowed specific customers to purchase $8,000 worth of Bitcoin and then resell it for $12,000.

It was mentioned on Twitter that the bug was found in an “unreleased advanced order type”.

The bug caused the orders to automatically execute without having cleared the requisite liquidity. Stop orders were immediately activated and filled at market rate.

The victims of this incident were strongly advised to submit “support tickets” with their questions. Nevertheless, the exchange was vehemently condemned.

Kraken’s CEO in response tweeted that he’s not sure how a “legitimate” trade takes place for pricing reasons or at least what boundaries it exists within.

The charts show that a few very fortunate traders quickly bought at a low price and sold at a considerably higher one, but the tweets tell another story.

WhatsApp’s Bug Leaves Private Chats Compromised?




Security researchers have allegedly uncovered a bug which apparently lets hackers access private chats and heavily impacts user security.

Per sources, WhatsApp immediately dismissed the reports and hinted that it was absolutely preposterous to even think that WhatsApp would harm its users in such a way.

The people behind the massively successful messaging application are always keen on advising users to update and to follow every security measure.

iOS users in particular are advised to be cautious of this bug when they’re browsing unknown websites, and to take care with the websites they click through to.

As usual, users are strongly advised to update their devices to the latest version, install anti-virus apps and software, and stay on high alert.

According to the source reports, messages hacked from WhatsApp chats are allegedly being floated on other servers.

Users should steer clear of unauthorized websites for the sake of their safety.


Cyber Space Is Now A New Domain?


The member countries of the North Atlantic Treaty Organization (NATO) are confident that all of them would retaliate if even a single member country came under cyber-attack.

The member countries include European countries, the US and Canada.

According to Article 5 of the founding treaty of NATO, “a collective defence commitment” could be made under the above circumstances. The article hasn’t been invoked since the 9/11 attack.

Per sources, “cyber-space” has been designated as a domain which shall be defended and operated in effectively, like land, sea and air.

This is not the first time NATO has made such claims. The “WannaCry” ransomware attack, which wreaked havoc in the UK and the NHS, did not get the support of Article 5.

There is no doubt that treating an attack on one country as an attack on the other countries too will be a herculean task when it comes to implementation.

The aspects and dimensions of an attack in cyber-space are very different from, and more abstract than, those of other forms of war.

Countries like Russia and Ukraine have been a part of such debates for quite some time now, and the actual dimensions of an “attack” remain unresolved.

iPhone hacking sites were also after Android, Windows users


Those hackers Google’s researchers sussed out earlier this week apparently went after more than just iPhone users. Microsoft’s operating system along with Google’s own were also targeted, according to Forbes, in what some reports are calling a possibly state-backed effort to spy on the Uighur ethnic group in China.

Google’s Threat Analysis Group was the first to discover the scheme earlier this year (news of the campaign was first disclosed Thursday). It involved a small group of websites aiming to infect visitors’ devices to gain access to their private information, including live location data and encrypted information on apps like WhatsApp, iMessage, and Telegram. These websites were up for two years, during which thousands of visitors purportedly accessed them each week.

In February, Google notified Apple of 14 vulnerabilities the site’s malware exploited, which the company fixed within days with iOS 12.1.4. Apple disclosed in that update that the flaws, referred to as “memory corruption” issues, were fixed with “improved input validation.” The company hasn’t publicly addressed Google’s account of the hack since the news broke earlier this week.

While the Google team only reported iPhone users being targeted by this attack, sources familiar with the matter told Forbes that devices using Google and Microsoft operating systems were also targeted by these same sites, thus widening the potential scale of an already unprecedented attack.

Whether Google found or shared evidence of this is unclear, as is whether the attackers used the same method of attack as they did with iPhone users, which involved attempting to sneak malicious code onto users’ phones upon their visit to the infected websites. When asked about these reported developments, a Google spokesperson said the company had no new information to disclose. We also reached out to Microsoft and will update this article with their statements.

Hacking Attack Neutralized: France



The French government recently neutralized a hacking attack in which 850,000 computers had been taken over. The malware has been removed from the infected devices.

According to sources, Retadup, a software worm, was responsible for taking over the devices in the Paris region.

The number of computers infected was massive, which certainly indicates that it was a gigantic operation on the part of the hackers.

Police officials created a copy of the server which was responsible for the attack and which had allowed the hackers to get into systems and take control.

Owners of infected computers were advised to uninstall the Retadup malware, which according to researchers had a part to play in the creation of the Monero crypto-currency.

A few suggestions made by the researchers to ensure safety against malware attacks included:
·       Don’t open emails from unknown senders.
·       Don’t click attachments that pretend to offer anti-viruses for free.
·       Install and activate the anti-virus software immediately.

Windows Users Beware of the “Complete Control” Hack Attack; Update Imperative!





Owing to a common design flaw, the hardware device drivers of Microsoft Windows left users’ entire systems compromised and open to a recently resuscitated Remote Access Trojan (RAT).

The RAT has returned as a hacking tool in a modified form which, as it turns out, is absolutely free of cost.

The NanoCore RAT, as it’s called, has been hovering around the dark web for quite some time now. It was initially sold for $25, which is a minimal amount for a hacking tool for Windows OS.

NanoCore’s cracked version caused quite a commotion amongst researchers and hackers as soon as it appeared.

Initially the “premium plugins” were paid-for privileges, but the latest cracked version has it all for free.

The NanoCore coder was arrested, given how well known the product had become and the fact that he was a part of cybercrime!
Despite that, NanoCore thrived and generated other tool variants: RATs, Surprise Ransomware, LuminosityLink and of course the free, “highly modified” latest version.

According to researchers, the NanoCore RAT comes with easy security measures, no particular entry troubles and a really uncomplicated interface that aids even novice hackers.

There has been an outburst of campaigns using this malware, whose capabilities include:
·       Remote shutdown and restart of Windows systems
·       Remote file browsing on the infected system
·       Access and control of Task Manager, mouse and Registry editor
·       Disabling webcam lights to spy
·       Taking over open webpages
·       Recovering passwords and obtaining credentials
·       Remotely operated “locker” for encryption

Owing to NanoCore’s long presence, the techniques it uses are well known to researchers. Scripting, registry keys and malicious attachments are the three main categories that the researchers identified.


The basic answer to the scripting threat is to check Microsoft Office files for macro code and to watch for “anomalous execution” of legitimate scripting programs like PowerShell or Wscript.
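
One way to implement the first of those checks, looking for macro code in Office files, is sketched below. This is an added example, not code from the original post or from the researchers it cites. It covers only the ZIP-based OOXML formats (.docx, .docm, .xlsx and so on); the function names and the in-memory sample files are constructed for illustration.

```python
import io
import zipfile

# OOXML part that stores VBA macro code (under word/, xl/ or ppt/).
VBA_PART = "vbaproject.bin"
# Markers in [Content_Types].xml that declare a macro-enabled package.
MACRO_MARKERS = (b"macroEnabled", b"vnd.ms-office.vbaProject")
# Extensions whose formats are defined as macro-free.
MACRO_FREE_EXT = (".docx", ".xlsx", ".pptx")


def inspect_office_file(name, data):
    """Report macro indicators for one OOXML file supplied as bytes."""
    report = {"name": name, "is_ooxml": False, "vba_parts": [],
              "macro_content_type": False, "extension_mismatch": False}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if "[Content_Types].xml" not in names:
                return report  # a ZIP archive, but not an Office package
            report["is_ooxml"] = True
            report["vba_parts"] = [n for n in names if n.lower().endswith(VBA_PART)]
            types = zf.read("[Content_Types].xml")
            report["macro_content_type"] = any(m in types for m in MACRO_MARKERS)
    except zipfile.BadZipFile:
        return report  # legacy OLE2 .doc/.xls or other data: out of scope here
    # A macro payload behind a macro-free extension deserves a closer look.
    report["extension_mismatch"] = (contains_macros(report)
                                    and name.lower().endswith(MACRO_FREE_EXT))
    return report


def contains_macros(report):
    """True when the package carries a VBA part or declares itself macro-enabled."""
    return bool(report["vba_parts"]) or report["macro_content_type"]


def build_sample(parts):
    """Build a constructed OOXML-like package in memory from {part_name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for part, body in parts.items():
            zf.writestr(part, body)
    return buf.getvalue()


# Constructed samples (not real documents): only the parts the check reads.
CLEAN_TYPES = (b'<Types><Override PartName="/word/document.xml" ContentType='
               b'"application/vnd.openxmlformats-officedocument'
               b'.wordprocessingml.document.main+xml"/></Types>')
MACRO_TYPES = (b'<Types><Override PartName="/word/document.xml" ContentType='
               b'"application/vnd.ms-word.document.macroEnabled.main+xml"/>'
               b'<Override PartName="/word/vbaProject.bin" ContentType='
               b'"application/vnd.ms-office.vbaProject"/></Types>')
SAMPLES = {
    "report.docx": build_sample({"[Content_Types].xml": CLEAN_TYPES,
                                 "word/document.xml": b"<w:document/>"}),
    "invoice.docm": build_sample({"[Content_Types].xml": MACRO_TYPES,
                                  "word/document.xml": b"<w:document/>",
                                  "word/vbaProject.bin": b"constructed"}),
    # Macro part hidden behind a macro-free extension.
    "renamed.docx": build_sample({"[Content_Types].xml": CLEAN_TYPES,
                                  "word/document.xml": b"<w:document/>",
                                  "word/vbaProject.bin": b"constructed"}),
    "notes.txt": b"plain text, not a ZIP archive",
}

if __name__ == "__main__":
    for sample_name, sample_data in SAMPLES.items():
        r = inspect_office_file(sample_name, sample_data)
        print(sample_name, "macros" if contains_macros(r) else "clean",
              "MISMATCH" if r["extension_mismatch"] else "")
```
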

The registry keys should be monitored for updates and patch cycles, and rigorous security implementations should be made for behavioural detection.

Windows users should immediately go ahead and get their systems updated and make sure all their applications are running the way they actually should.

Additionally, Windows 10, 8.1 and 7 users should especially keep a keen check on regular updates and patching!

Phishing Attacks: Via Scraping Branded Microsoft Login Pages!



The latest phishing campaign uses the targets’ company-branded Microsoft 365 tenant login pages just to look more believable.

Microsoft’s Azure Blob Storage and Azure Web Sites cloud storage solutions are also being used to host the phishing landing pages.

This leads users to think that they’re seeing a legitimate Microsoft page, which helps the cyber-criminals target Microsoft users and obtain their service credentials.

This phishing campaign is mostly about scraping organizations’ branded Microsoft 365 tenant login pages to fool the targets.

The above observations were made as part of research by Rapid7’s Managed Detection and Response (MDR) service team, say sources.

The cyber-criminals go through a list of validated email addresses before redirecting the victims to the phony login pages.

They display authentic-looking logos of the brands they want to copy, which is where scraping the tenant login page comes in.

In case the target organization doesn’t have a custom-branded tenant page, the phishing kit is designed to make use of the default Office 365 background.

The same campaign has been launched against various companies and organizations, including in the financial, insurance, telecom, energy and medical sectors.


Several signs hint at the phishing campaign still being active. In fact, someone may be updating it at different times.

The “phisher” behind the campaign could easily be exploiting the “Lithuanian infrastructure”.

Besides using the phony Microsoft page and stealing credentials, the campaign also exploits cloud storage services.

This works perfectly for hosting the landing pages as well. Phishing kits were discovered in April this year.

IPFS gateways were also abused in phishing attempts using TLS certificates issued by Cloudflare, in October last year.

Per sources, the following advice and measures should be adopted at once by organizations using Microsoft Office 365:
·       Multi-factor authentication via Office 365 or a third party solution for all employees.
·       Enrolling staff in phishing awareness training programs.
·       Training to help the employees spot and report phishing attacks.

State of Texas Hit By a Ransomware Attack; 23 Agencies Shut Down!





The state of Texas was recently hit by a cyber-attack, as a result of which 23 government agencies were taken offline.

Per the DIR (Department of Information Resources) of Texas, most of the affected parties were small local government agencies, which are unnamed so far.

The Texas state networks, however, are still unharmed. The State Operations Center has been working rigorously on the problem.

Sources mention that all the state and federal agencies handling the case hint at the fact that the attack was coordinated by a single actor.

The attack has been categorized as a definite ransomware attack. Per sources, the strain was identified as “Nemucod”.

The aforementioned ransomware generally “encrypts files and then at the end adds the .JSE extension”, a researcher mentioned.

Allegedly, the US has been the target of a lot of cyber-attacks of late. With an apparent 53% of the entire global number, the US has been victimized the most by cyber-attacks.

A state of emergency was declared in Louisiana in July this year in response to a ransomware attack on school computer systems.

The situation is very critical from a cyber-security point of view, as municipalities falling prey to such attacks, and ransomware in particular, is not a good sign at all.

The increase in mass-scale attacks is disconcerting on many levels because, as the researchers like to say, threat actors willing to put in so much effort are numerous.

Hackers Can Intercept What’s Being Typed Just By The Sound Of It?




Hack Alert! Hackers could listen to the sound of typing on a person’s phone via a nearby smartphone and intercept what’s being typed.

Possibly, the acoustic signals or sound waves produced when a message is typed on a computer or a keyboard could be picked up by a smartphone.

The sound could later be processed, letting an expert hacker easily decode which keys were hit and ultimately what was typed.

Allegedly, this trick could work even in a busy hall filled with people chattering and typing, because the researchers tried it out.

Sources mention that the researchers could intercept what’s being typed with a “41% word accuracy rate”. It might take only a couple of seconds to know what’s being typed.

The results of the research are certainly disconcerting, and the privacy and security of smartphones and their sensors have got to be taken to a higher level.

From detecting if a phone is still or in a pocket, to detecting if it’s on the move; with the enhanced technology, sensors too have come a long way.



Some sensors need permission, whereas most of them are set to function by default. Per sources, the researchers used the latter in their analysis.

All they did was develop an application that could intercept the sound of typing and detect which key exactly is hit.

According to the researchers, the material of the table on which the keyboard is placed plays a crucial role in the entire process, as the keys sound different on different materials.

Apps Generating Untraceable International Phone Numbers?






Applications that generate international phone numbers that are super difficult to track are being employed by cyber criminals to rip people off.

A recent victim who called the cyber-crime branch complained of receiving calls from two separate numbers, one with 001 and the other with 0063 as the country code.

Per sources, the app stores contain 40 to 60 such apps through which cyber-criminals could easily get these numbers.

Sources mentioned that “Dingtone” is allegedly one app through which a user can easily sift through a variety of country codes which are absolutely untraceable.

These cases according to the cyber-crime branch aren’t categorized separately but these are surely being registered and deliberated upon.



According to cyber-security researchers, a minimum of 500 cases arise per day in India alone, with 40 cases attributed to major cities.

The police lack the technological efficiency as well as resources to possibly track the users of such applications. There is also a matter of jurisdiction.

Mostly, the above-mentioned apps are ‘not’ developed by Indian initiators but ironically originated from countries that have strict laws on removal of apps.

Information of the caller could seemingly be obtained by requesting the telecom service providers as such services are always linked together.

However, requesting the details of the callers from a telecom service provider abroad is extremely time-consuming. Besides, the CBI would require a Mutual Legal Assistance Treaty with that country.

As of now, such treaties exist with only 39 countries. In addition, some countries could also demand a court order, and the procedure in itself takes six to eighteen months.

Cyber-Crime On Rise; One of A Kind Ransomware Hits Cloud Computing Giant iNSYNQ!







iNSYNQ, the cloud hosting giant, was recently targeted by a ransomware attack which led to the company’s servers being shut down to contain the damage.

The Microsoft, Sage, and Intuit host provides customers with cloud-based virtual desktops aimed at hosting business applications.

The attack was executed by an unknown party and affected iNSYNQ clients by making their data inaccessible, according to sources.

The servers of the infected organization were immediately shut down and the next step was to safeguard the clients’ data and backup.

Cyber-security experts have been hired by the organization to help restore the infected data and eradicate any further possibility of such attacks.

The backups aren’t yet available to the customers despite repeated requests for them. The company’s doing everything in their control to mitigate the situation.


The clients’ data backups were on the unaffected servers but on the same network nevertheless.

The problem is not about stolen data; it is about the data being encrypted and hence inaccessible.

On a mysterious note, the Twitter account of iNSYNQ seems to have disappeared and is no longer accessible.

The data will take a good amount of time to reach the clients because, after it’s retrieved, it will need to be checked for any residual traces of the malware.

The company though, did not forget to mention that the kind of malware that hit them was of a new kind and had never been detected before.

Due to security reasons the organization can’t reveal much about the complexities of the attack and the entire situation because it might lead to the customers’ data being in danger.

With the help of leading experts the process of backing the data up is on full speed and the organization’s trying their hardest to get their clients’ data back to them.

Vulnerability in Chrome Allows To Virtually Take Over Any Android-Based Device



A critical vulnerability in Chrome for Android, exploited and demonstrated at a popular hacking contest, is now known to let anybody with specialized technical expertise remotely take control of virtually any Android-based device.

Found by PacSec speaker Guang Gong of Qihoo 360 at Pwn2Own, the vulnerability in Google's V8 JavaScript engine is said to affect all versions of Android running the latest version of Chrome.

What makes this vulnerability stand out among the other hazardous and risky ones already known is that it is a 'one shot exploit': just one is sufficient to remotely hack the device.

First, the user is tricked into visiting a malicious website in Chrome; once there, an attacker installs an arbitrary application on the device, thereby gaining full privileges.

"As soon as the phone accessed the website the JavaScript v8 vulnerability in Chrome was used to install an arbitrary application (in this case a BMX Bike game) without any user interaction to demonstrate complete control of the phone," it was reported.

This comes despite the fact that Android fixed 33 vulnerabilities, of which 9 were categorized as critical severity and the remaining 24 as "high" severity.

Until now, no further details regarding the exploit have been released. Google, on the other hand, has purportedly been made aware of the Chrome vulnerability; whether it has been fixed is yet to be confirmed.

OceanLotus’ Ratsnif (A Remote Access Trojan) - Things You Need To Know




OceanLotus’ Ratsnif, a largely undetected remote access Trojan used mainly for cyber-espionage, has been improved and is now capable of SSL hijacking and modifying web pages.

The prominent malicious actor OceanLotus is well known for its espionage campaigns in Vietnam. APT32, CobaltKitty, SeaLotus and APT-C-00 are a few of its aliases in the infosec community.

The hackers behind this malicious threat actor usually combine “commercially available tools” such as Cobalt Strike with unique malware.

Four separate variants of the Ratsnif RAT family were analysed by prominent researchers only to find out that it evolved from a debug build to a release version.

It now comes filled with fresh features like DNS and MAC spoofing, SSL Hijacking, packet sniffing, HTTP redirection and injection, setting up remote shell access and ARP poisoning.

Per sources, the three early versions were found out to have a compilation date from 2016 whereas the most recent one was from August 2018.

The oldest variant of the Ratsnif, per the researchers, apparently was a debug build compiled in August 2016. The domain for its command and control (C2) server was activated the very day.

A newer version without major changes was compiled the very next day. Both samples were tested for detection against the anti-virus engines on the VirusTotal service at the same time.

A third version with September 2016 as its compilation date appeared with almost similar functioning and is believed by the researchers to be one of the earlier builds.

It wasn’t loaded with all the features but surely was capable of setting up a remote shell and serve for ARP poisoning, DNS spoofing and HTTP redirection.

In its early stages it collects information such as usernames, computer names, the Windows system directory, network adapter information and workstation configuration, and sends it to the C2.



The fourth Ratsnif sample was no longer accompanied by a list of C2 servers and delegated communication to a different malware used on the host victim.

It was also the first to introduce a configuration file and to extend the feature set to make it more effective.

If one wishes to decrypt the traffic, it can be done using version 3.11 of the wolfSSL library, which was earlier known as CyaSSL.

The configuration file is unsecured and is simply a “text file encoded in Base64 with a parameter on its own line”.

Owing to a bug, Ratsnif can also cause a memory read violation when parsing a specific parameter (“dwn_ip”): the value is passed as a string when it should be a pointer to a string.

According to the analysts, the 2016 versions of Ratsnif stored all packets in a PCAP file, but the 2018 version employs multiple sniffer classes to extract sensitive information from packets.

This lowers the amount of data the attacker requires to collect, exfiltrate and process and also shows what information the attacker is after.

Ratsnif has done an essentially tremendous job at staying out of the limelight. Nonetheless it is not up to the standards of OceanLotus’ other malware endeavors.

Gamers’ Google and Facebook Credentials Unsafe; Android’s “Scary Granny ZOMBYE Mod: The Horror Game” To Blame!






An Android horror game with more than 50,000 downloads to its name, Scary Granny ZOMBYE Mod: The Horror Game, showed malicious behavior and is allegedly stealing users’ credentials after they log into their accounts.

The game is specifically designed to draw downloads from the success of another Android game dubbed “Granny”, which has 100 million installs as of now.

After the researchers informed Google about the game’s phishing and siphoning abilities, the fully functional game was taken down from the Google Play Store.

A prominent research team found that the game would not exhibit any malicious activity for up to 2 days, in order to steer clear of security checks.

It would turn on its data-stealing modules only when it was being used on older Android versions, not for users with new devices running up-to-date software.

Quite obviously it starts asking for permissions to launch itself on the smartphone or tablet and tries to gain the trust of the users.

Even after the Android users reboot their systems the game still shows full-screen phishing overlays.

Firstly it shows “a notification telling the user to update Google Security Services” and the moment they hit ‘update’ a fake Google Login page appears which looks almost legitimate except for the incorrectly spelled “Sign in”.


After stealing the users’ credentials, Scary Granny goes on to try to harvest account information such as recovery emails, phone numbers, verification codes, DOBs and cookies.

Obfuscated packages are another way of mimicking official components of Android apps. For example, the com.googles.android.gms package attempts to pass itself off as the original com.google.android.gms.
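
A defender can look for this kind of near-miss naming in a device's package inventory. The sketch below is an added example, not the researchers' tooling: it flags installed package names that sit within a small edit distance of a trusted name without being identical to it, and goes one step beyond the case in the post by also folding common digit-for-letter swaps. The allowlist, the threshold and the sample inventory are constructed for illustration.

```python
# Constructed allowlist of package names worth protecting from imitation.
TRUSTED_PACKAGES = [
    "com.google.android.gms",   # the genuine name cited in the post
    "com.android.vending",
    "com.facebook.katana",
]

# Digit-for-letter swaps folded before comparison (an assumption of this example).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def fold(name):
    """Lower-case a package name and undo common digit-for-letter swaps."""
    return name.lower().translate(CONFUSABLES)


def edit_distance(a, b):
    """Levenshtein distance between two strings, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def find_lookalikes(installed, trusted=TRUSTED_PACKAGES, max_distance=2):
    """Return (package, imitated_name, distance) for each suspicious package."""
    trusted_set = set(trusted)
    findings = []
    for pkg in installed:
        if pkg in trusted_set:
            continue  # an exact match is the genuine component
        for good in trusted:
            distance = edit_distance(fold(pkg), fold(good))
            if distance <= max_distance:
                findings.append((pkg, good, distance))
                break
    return findings


# Constructed inventory: two names come from the post, the rest are made up.
SAMPLE_INSTALLED = [
    "com.google.android.gms",       # genuine
    "com.googles.android.gms",      # lookalike named in the post
    "com.g00gle.android.gms",       # constructed digit-swap variant
    "com.coread.adsdkandroid2019",  # ad package named in the post, not a lookalike
    "com.example.notes",            # constructed unrelated app
]

if __name__ == "__main__":
    for pkg, good, distance in find_lookalikes(SAMPLE_INSTALLED):
        print(f"{pkg} imitates {good} (distance {distance})")
```

A name-similarity hit is only a triage signal; the package's signing certificate is what separates a genuine component from an imitation.
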

The Scary Granny would also display some really legitimate looking ads from other prominent applications like Messenger, Pinterest, SnapChat, Zalo or TikTok.

The malicious horror game would make it appear that apps like Facebook and Amazon were actually open when actually they are only ads pretending to be actual applications.

In one of the cases the researchers tried out, the ad directed the user to a page which Google blocked flagging it as being deceptive which clearly implies that it hosts malware or a phishing attack.

After connecting with an ad network by way of com.coread.adsdkandroid2019 package, the ads would get distributed to the compromised Android devices.

Finally, to maximize the profit for its creators, Scary Granny would try to wrest money from the users by asking them to pay for their playing privileges via a “pre-populated PayPal payment page”.

TP-Link Wi-Fi Extenders: Detected With Vulnerability Making Them Hacker Prone!




The popular router company left its users shocked when researchers discovered a crucial vulnerability with its Wi-Fi extenders.

The vulnerability left the extender wide open to a hacker, letting them take entire control of the device.

By taking over the extender, an attacker could easily redirect a victim’s traffic and lead them to malware, the researchers said.

These extenders are used to “extend” the range of Wi-Fi signals. They provide a significant boost in the signal’s strength.

Security cameras, doorbells and other security equipment could easily be connected via the extender to the router.


But quite like the routers they are prone to vulnerabilities and need to be maintained and patched from time to time to ensure a safe network.

Allegedly, the particular extenders that were affected were the RE365, the RE350, the RE650 and the RE500.

According to sources, the researchers who dug up this flaw belong to IBM’s X-Force team of researchers.

Since then, IBM together with TP-Link has released updates for the affected users.

Would-be attackers don’t necessarily need to be within range of the Wi-Fi extender to exploit the weakness.

The attack begins with the hacker sending a malicious HTTP request to the Wi-Fi extender.

The vulnerability in turn lets the attacker execute commands from the request, which is not the case with properly functioning extenders, which have limited access.

The attacker would need to know the extender’s IP address to abuse the vulnerability. Thousands of exposed devices could be easily found on “Shodan” and similar search engines.

The misuse of the vulnerability is not only limited to malicious code execution or simple taking control of the extender.

More sophisticated malicious activity could also be followed through using shell commands on the device’s operating system, sources cited.

Also creating a botnet out of the extender and redirecting the users to malicious pages are other things on the list of probable attacks.

Houdini Worm’s WSH Remote Access Tool (RAT) for Phishing Tactic




A fresh modified version of Houdini Worm is out in the market which goes by the name of WSH Remote Access Tool (RAT) and has commercial banking customers on its radar.


The malware’s authors released it earlier this June. HWorm has a great deal in common with njRAT and njWorm (which existed in 2013).

WSH RAT uses legitimate applications that execute scripts on Windows, one of which is the legitimate Windows Script Host.

The malware is being distributed via phishing email campaigns, as usual.

The malicious attachment is an MHT file, which the threat operators use in the very way they use HTML files.

The MHT files contain an “href” link which guides the user to download the malicious .zip archive, which releases the original version of WSH RAT.


Researchers report that when WSH RAT is executed on an endpoint it behaves like HWorm, right down to the use of mangled Base64-encoded data.

WSH RAT uses the very same configuration structure for the above process as HWorm.

It also uses an exact copy of HWorm’s configuration, including the default variables, and the WSH RAT command and control server URL structure is similar to that of HWorm.


First, WSH RAT communicates with the C2 server and then calls a new URL that releases three payloads with the .tar.gz extension.
These are actually PE32 executable files, and the three payloads are as follows:
·       A keylogger
·       A mail credential viewer
·       A browser credential viewer

These components are extracted from a third party and do not originate from the WSH RAT itself.
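
The mismatch between the .tar.gz name and the PE32 content described above is something a defender can check for on downloaded files. The Python sketch below is an added example, not code from the researchers or from the malware; the file names and sample bytes are constructed for illustration.

```python
import gzip
import struct

GZIP_MAGIC = b"\x1f\x8b"

def pe_kind(data: bytes):
    """Return 'PE32', 'PE32+' or None by walking the DOS and PE headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Need room for the signature (4), COFF header (20) and optional-header magic (2).
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    (opt_magic,) = struct.unpack_from("<H", data, e_lfanew + 24)
    return {0x10B: "PE32", 0x20B: "PE32+"}.get(opt_magic)

def content_type(data: bytes) -> str:
    """Classify a file by its header bytes, ignoring its name."""
    kind = pe_kind(data)
    if kind:
        return kind
    return "gzip" if data[:2] == GZIP_MAGIC else "unknown"

def check_download(name: str, data: bytes):
    """Return a finding if the name claims a gzip archive but the content is not gzip."""
    actual = content_type(data)
    if name.lower().endswith((".tar.gz", ".tgz")) and actual != "gzip":
        return f"{name}: extension says gzip archive, content is {actual}"
    return None

def constructed_pe32() -> bytes:
    """Constructed sample: just enough header for a PE32 image, no code."""
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, 0x0102)
    return dos + b"PE\x00\x00" + coff + struct.pack("<H", 0x10B) + b"\x00" * 0xDE

# Constructed samples: one masquerading file and one genuine gzip stream.
SAMPLES = {
    "payload1.tar.gz": constructed_pe32(),
    "backup.tar.gz": gzip.compress(b"constructed benign archive body"),
}

def scan(samples):
    """Return the findings for every sample whose name and content disagree."""
    return [f for f in (check_download(n, d) for n, d in samples.items()) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLES):
        print(finding)
```
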

The underground price of the WSH RAT was around $50 USD a month with a plethora of features including many automatic startup tactics and remote access, evasion and stealing capabilities.

It’s becoming evident by the hour that, by way of a simple investment in cheap commands, really threatening malware services could be developed and could put any company in jeopardy.



Massive HIV Data Leak; No Closure Yet!






Singapore: Finally the authorities have come up with some background details as to the circumstances that led to the leak of 14,200 people’s personal details along with their HIV status.

The questions lingering ever since the data was compromised have been intriguing, such as the reason for not making it public in May 2016, when it was known that the information was in the wrong hands.

At a recent media briefing, the Permanent Secretary of Health said that the Ministry of Health wasn’t sure whether making the news public was in the interest of the citizens.

They did mention, though, that they will take conservative measures and better approaches now that they know the persons in the registry have concerns regarding a public announcement.


It’s disturbing that years after the incident took place no one knows why the data still remained with the unauthorized people.



According to sources, the Ministry of Health had lodged a police report in May 2016 after finding out that Mikhy Farrera Brochez was in possession of the leaked information from the HIV registry.

Afterwards, the properties owned by Brochez and his partner Ler Teck Siang were searched by police officials and all pertinent material found was seized.

Even after that, Brochez managed to keep some information back and in turn leaked it later on. The Permanent Secretary of Health said that the police should have conducted a better search.

It was later, in May 2018, that the people whose information was in the “unauthorized” hands were informed about the entire leakage scenario.

In May 2018 the police found out that Brochez had managed to hold some records back, which was a month after Brochez completed serving his jail sentence for other offenses and was deported from Singapore.

There is no way of knowing, though, how many people were informed that their personal details were in the wrong hands.

MOH lodged a police report and had contacted the concerned individuals. The number of people was very small according to PSH Mr. Chan.


Where Brochez was deported to is still under wraps and the immigration department couldn’t share the details due to confidentiality concerns.

He is known to have arrived in the US state of Kentucky. There’s no knowing if he’s being monitored, the sources said.

He had called at his mother’s house despite being warned to stay away, and that’s when she informed the police about it.

After he refused to leave he was taken into custody and was charged. He has been asked to return to the district to face criminal trespass charges.

The Singapore police force is reportedly taking the help of its foreign counterparts but didn’t mention which organizations or countries.

Brochez’s partner was charged under the Official Secrets Act for “failing to retain the possession of a thumb drive” containing data from the leak, but the charge was stood down and there is no answer as to why that happened.



According to Article 35(8), the AG gets wide discretion as public prosecutor in the conduct of criminal proceedings. The prosecution “is not required to give reasons for why they decide to proceed with certain charges and not others”.

Another question that has yet to be addressed is how the access to the confidential information was disabled. We do know that the MOH had worked with “relevant parties” to disable the access.


Stolen information of this sort is uploaded to various hack forums and file sharing sites such as “Pastebin” and “Mega” and is commonly hosted on web servers overseas.

Taking down a web domain could be done at the registrar level. Domain registrars are the companies people use to create websites. But taking down a website can’t totally solve the problem.


Once data is on the dark web it’s almost irretrievable, as it could be copied or distributed quite easily.


Absolutely different from the internet the commoners use, the Dark Web is “unregulated and decentralized and has no point of authority or disabling access to anything.”