Search This Blog

Showing posts with label Hacking. Show all posts

Metropolitan Transportation Authority Systems Hacked

 

The MTA document outlining the breach reckoned that in April a hacker organization having links to the Chinese government breached the computer systems of the Metropolitan transport authority, highlighting vulnerabilities in a large transit network that carries millions of people every day. 

Transit officials also said that the hackers did not have access to systems that do not jeopardize the operation of train cars and driver safety, stressing that there was minimal harm if any to the intruder. 

Transit authorities said that a forensic assessment of the attack has so far not uncovered any proof either and that attackers have not affected the personal information of consumers. The agency reported the incident to the police and other governmental authorities but has not announced it publicly. 

The intrusion was the third – and perhaps the most major – cyber attack by hackers, according to transit authorities, on North America's largest transit network in recent times. 

According to FireEye, a private cyber-security company working with the federal government to recognize the offense said that the attack did not involve financial demands and instead appears to form part of a recent wide range of intrusions by sophisticated hackers supported by the Chinese government. 

The wider hacking campaign affected hundreds and was found at the end of April by federal organizations, defense contractors, banking institutions, etc. These Routine hacking activities are denied by the Chinese government. 

Researchers have different theories as to why the M.T.A was chosen to be the campaign's objective, however, the actual reason remains unknown. One of the main objectives is the attempt by China to control the multibillion-dollar railway market—an effort to get insight into the inner workings of a transport system that awards profitable contracts. 

Another view is that attackers wrongly have accessed the M.T.A. system and have found that it was not exceptional, as cybersecurity specialists say. 

However, hacking companies have made no adjustments to the operational activities of the company and have not collected any employees or customer data, such as credit card information. Notably, they did not compromise any M.T.A. accounts, transit authorities stated, referring to a forensic audit of the agency's attack by a leading cybersecurity firm, IBM and Mandiant. 

“The M.T.A.’s existing multi-layered security systems worked as designed, preventing the spread of the attack,” said Rafail Portnoy, the M.T.A.’s chief technology officer. “We continue to strengthen these comprehensive systems and remain vigilant as cyberattacks are a growing global threat.” 

The attacks against the M.T.A. also came into play because of increasing concerns about China Railway Rolling Stock Corporation, which is the world's largest producer of train cars. 

As the threat from cyber strikes has increased and trade disputes between the US and China have also increased, the dominance by the state-owned company has raised concerns among legislators, defense officials, and industry experts that crucial US transport infrastructures have been left vulnerable to cyber-attacks. 

In the second week of April, it seems that the M.T.A. systems were targeted on two days, and access persisted at least until the breach was reported on April 20. The hackers used the so-called "Zero-day," or an unknown code defect in software that was found unpatched. 

Thus according to the M.T.A. document describing the violation, hackers got special access to the system being used by New York City Transit, which monitors both the metro and the buses. 

Mr. Portnoy said, there was “no employee or customer information breached, no data loss, and no changes to our vital systems.” 

“Our response to the attack, coordinated and managed closely with State and Federal agencies, demonstrated that while an attack itself was not preventable, our cybersecurity defense systems stopped it from spreading through M.T.A. systems,” he added.

OTP Generating Firm at a Risk, as Hacker Claims to have Sold its Sensitive Data

 

A hacker seems to sell confidential information that is claimed to have been robbed from an OTP firm. And this OTP firm perhaps has some of the most prominent technology and business giants on its customer's board list which includes Google, Facebook, Amazon, Emirates, Apple, Microsoft, Signal, Telegram, and Twitter, etc. 

A one-time password ( OTP ), also called a one-time pin or dynamic password is a legitimate password on something like a computer system, or even on a digital device, for a single login or transaction. Besides, the very same hacker claims to also have real-time access to the company's OTP device. The InfoSec researcher, Rajshekar Rajaharia, however, didn’t agree with the hacker behind the identification of such a suspected breach. 

“The seller was active on the dark web forum for a long time claiming to sell live access to OTP and 2FA but from what we have seen there are some chances that the data might be old as we have found some clues that changes have been made with dates. Nevertheless, we are still investigating because data seems real otherwise,” stated Rajaharia. 

Rajaharia also provided sample information with confirmation of the presence of one-time codes and even if not all of them are currently available or legitimate, a purchaser might find valuable work throughout the platform and its policies. It offered 50GB of exfiltrated data, among several other details. The cost of access was reduced from $18,000 to $5,000 for the introductory mark. Though the name of the company is listed in the listing, for security purposes it is considered unethical to disclose it. 

Other details included in the selling package are PII, including SMS logs, mobile numbers, e-mail addresses, SMPP details, customer documentation, and much more. Since 2017, the data itself is comprehensive. The seller switched the listing from the dark web marketplace to Telegram, as per the latest revelation, where sales were continued, however, the number of buyers was unknown. Also, 10 million OTPs appear in the data packs. 

The company in conversation refused all data infringement charges by claiming that perhaps the systems were as stable as ever and it could not verify the authenticity of the alleged data. 

Also, the National Stock Exchange of India received a letter from them, which reads, “We would like to highlight that unverified posts and claims are being circulated about an alleged data breach at [company’s name retracted]. Based on the evidence we have seen thus far, it is not from any of our current systems, and therefore we cannot verify the authenticity of the alleged data breach.” 

However, the company stated that they were engaged with an expert in a third party to support them in its system audit, so it would be noticed and uprooted if there was a web shell in there.

Visa: Hackers Use Web Shells to Compromise Servers and Steal Credit Card Details

Visa, a global payment processor has warned that hackers are on the rise in deploying web shells in infected servers to steal credit card information from online customers. A kind of tools  (scripts or programs) Web Shells are used by hackers to infiltrate into compromised, deploy remote execute arbitrary commands or codes, traverse secretly within victim's compromised network, or attach extra payloads (malicious). Since last year, VISA has witnessed an increase in the use of web shells to deploy java-script-based files termed as credit card skimming into breached online platforms in digital skimming (also known as web skimming, e-skimming, or Magecart attacks).  

If successful, the skimmers allow the hackers to extradite payment information, and personal data posted by breached online platform customers and then transfer it to their controlled severs. According to VISA, "throughout 2020, Visa Payment Fraud Disruption (PFD) identified a trend whereby many e-skimming attacks used web shells to establish a command and control (C2)during the attacks. PFD confirmed at least 45 eskimming attacks in 2020 using web shells, and security researchers similarly noted increasing web shell use across the wider information security threat landscape."

As per VISA PFD findings, most Magecart hackers used web shells to plant backdoors in compromised online store servers and build a c2c (command and control) infrastructure which lets the hackers steal the credit card information. The hackers used various approaches to hack the online shops' servers, exploiting vulnerabilities in unsafe infrastructure (administrative), apps/website plugins related to e-commerce, and unpatched/out-of-date e-commerce websites. These Visa findings were confirmed earlier this February when Microsoft Defender Advanced Threat Protection (APT) team revealed that these web shells implanted on compromised servers have grown as much as twice since last year.  

"The company's security researchers discovered an average of 140,000 such malicious tools on hacked servers every month, between August 2020 to January 2021," reports Bleeping Computer.  "In comparison, Microsoft said in a 2020 report that it detected an average of 77,000 web shells each month, based on data collected from roughly 46,000 distinct devices between July and December 2019," it further says.

Active Email Threat from Microsoft Hack, Warns White House

 

The administration of Biden is highly alarming about a series of recently found cyber intrusions that were associated with China as stated by Microsoft this week. The White House has cautioned that the use of newly disclosed vulnerabilities in Microsoft applications that has affected "a significant number of victims" in the US.

"This is an active threat," White House press secretary Jen Psaki said on Friday. "Everyone running these servers - government, private sector, academia - needs to act now to patch them." 

Microsoft said hackers were attacking their targets using its mail server. Tens of thousands of American organizations have indeed been confirmed to be affected. For a long time, the US has suspected the Chinese administration of cyber-espionage. 

On Saturday, the U.S. National Security Council stated, "essential that any organization with a vulnerable server take immediate measures". Later on Friday, the Cybersecurity and Infrastructure Security Agency underlined the danger in an unusually straightforward tweet saying that maltreatment could "enable an attacker to gain control of an entire enterprise network." 

White House officials encouraged private sector companies running Microsoft Exchange Server software to install several crucial upgrades, which were reported as an emergency patch. This week Microsoft announced that it was aware of many vulnerabilities that Chinese hijackers have exploited in its server program. The hacker party, which Microsoft calls Hafnium, has gone after, "infectious disease researchers," law firms, higher education institutions, defense contractors, policy think-tanks, and NGOs, Microsoft stated previously. According to Microsoft, the party concerned had not recently been identified by the public. 

In the US, over 20,000 organizations, with many more impacted globally, have been hacked, Reuters said. In recent days, an unusually active Chinese cyber spying unit has infiltrated at least 30,000 organizations in the USA — including a large number of small companies, towns, cities, and local governments — aiming at robbing e-mail from victim organizations. 

Microsoft did not confirm the figures but said that it was working closely with the US government agencies in a further statement on Friday. They advised clients that "the best protection" was "to apply updates as soon as possible across all impacted systems." However, it said that it had implemented such mitigation strategies to support those who are not able to rapidly update but cautioned that they are not "a remediation if your Exchange servers have already been compromised, nor are they full protection against attack."

Microsoft Lures Populate Half of Credential-Swiping Phishing Emails

 



According to the sources nearly half of the emails, phishing attacks in the year 2020 aimed to swipe credentials using Microsoft-related lures – from the Office 365 enterprise service lineup to its Teams collaboration platform. 

As per the Tuesday report by Cofense, which has studied the numbers of emails related attacks including 57 percent of attacks which were phishing emails targeting victims’ sensitive credential information such as usernames and passwords. Additionally, 45 percent of those phishing emails were Microsoft-themed, according to the researchers: threat actors are using both methods for their targets including Microsoft-themed lures for their emails, along with, ensuing phishing landing pages that will either leverage or spoof legitimate Microsoft domains or services. 

“With the number of organizations migrating to Office 365, targeting these credentials allows the threat actor to gain access to the organization as a legitimate user to go undetected,” researchers with Cofense told the press. They added that they “highly recommend organizations enable [multi-factor authentication] along with their [Office 365] migration/ implementation.” 

Malicious actors email trap can vary; sometimes it could display straightforward “‘Joe wants to share a document with you’ SharePoint alert you would normally see from Microsoft,” researchers explained — or it could attach a file with documents that will include a link to a website asking users to login with Microsoft credentials. 

In October, a phishing campaign was reported which appeared to be an automated message from the team of Microsoft telling users that they had a missed Teams chat but in reality, it was a trap, attacking Office 365 recipients’ login credentials. 

Another attack with a different patter had occurred in December which employed embedded URLs that redirect to the fake, never-seen-before Microsoft Office 365 phishing pages. For instance, the attack displayed emails that were impersonating businesses like eFax (which allows consumers to receive faxes via email or online with help of internet service.) 

“We also see [cybercriminals] giving the user options to choose from the most commonly used email platforms. The phishing emails often contain URLs hosted on legitimate domains that maintain a broad consumer base to avoid being blocked by content rules and filters.” said, researchers. 

“Other popular brands we observed asking for credentials were other various cloud hosting services such as Adobe, Dropbox, Box, DocuSign or WeTransfer,” researchers told the press. “Threat actors have been able to scour the internet looking for file-sharing websites that are deemed ‘business related’ in order to make it past the secure email gateway controls, as well as the web proxy filters.”

Sequoia Capital Told Investors it was Hacked

 

Sequoia Capital told its investors on Friday that some personal and financial data may have been accessed by a third party after one of its employees succumbed to a successful phishing assault, as per a report of Axios. Sequoia Capital is one of Silicon Valley's most seasoned and most successful venture capital firms with more than $38 billion in assets under management, as per Pitchbook data. The 49-year-old venture capital firm has invested in organizations like Airbnb, DoorDash, and 23andMe. It has likewise put resources into cybersecurity organizations like FireEye and Carbon Black, as indicated by its site. 

Sequoia was established by Don Valentine in 1972 in Menlo Park, California. During the 1990s, Valentine gave control of the organization to Doug Leone and Michael Moritz. In 1999, Sequoia extended its tasks to Israel. Sequoia Capital China was set up in 2005 as an offshoot to the U.S. firm. The organization is driven by Neil Shen. In 2006, Sequoia Capital procured Westbridge Capital Partners, an Indian venture capital firm. It later was renamed Sequoia Capital India. CB Insights perceived Sequoia Capital as the main funding firm in 2013. The U.S. firm had 11 accomplices as of 2016.

Sequoia told investors that it has not yet seen any sign that undermined data is being exchanged or in any case misused on the dark web, Axios reported. A Sequoia representative affirmed on Saturday that it had "recently experienced a cybersecurity incident" that its security team was investigating. It had additionally notified law enforcement and was working with outside cybersecurity experts, the firm said.

A Sequoia spokesperson said, "We recently experienced a cybersecurity incident. Our security team responded promptly to investigate, and we contacted law enforcement and engaged leading outside cybersecurity experts to help remediate the issue and maintain the ongoing security of our systems." He also said, "We regret that this incident has occurred and have notified affected individuals. We have made considerable investments in security and will continue to do so as we work to address constantly evolving cyber threats."

It doesn't create the impression that the hack was associated with the Solarwinds assaults, which incorporated a bigger breach of FireEye and has affected government agencies and large technology companies like Microsoft.

Australian Cyber Security Centre Hit by Cyber Security Attack

 

The Australian Cyber Security Centre is on high alert for the vulnerability lately. The Australian corporate regulator has been the latest high-profile survivor of a hacking attack on the same program that used to target both the New Zealand Reserve Bank and the Allens law firm. On Monday (25th January) evening, a 'cyber safety incident involving a server used by ASIC' was said to have been hit by the Australian Securities and Investments Commission. 

It all started when the Australia Securities Regulator reported that a server that was used to move files, including credit license applications, recently had a data security violation, where possibly some information has been viewed. The ASIC (Australian Securities and Investments Commission) said it became aware of the case on 15 January, but the credit license form(s) or attachments did not seem to have been downloaded, however. 

Furthermore, the ASIC stated that “This incident is related to Accellion software used by ASIC to transfer files and attachments. It involved unauthorized access to a server which contained documents associated with recent Australian credit license applications.” Moreover, the regulator also said that “While the investigation is ongoing, it appears that there is some risk that some limited information may have been viewed by the threat actor. At this time ASIC has not seen evidence that any Australian credit license application forms or any attachments were opened or downloaded.” Accellion's file transfer program framework is a two-decade-old product but was revised last year after it heard about system vulnerabilities. The same incident occurred with the file-sharing software provided by Accellion based in California. The same software was also used by the New Zealand Central Bank, which suffered a cyber attack earlier this month. 

The server was disabled and there was no abuse of any other tech infrastructure, added the ASIC, “No other ASIC technology infrastructure has been impacted or breached. ASIC is working with Accellion and has notified the relevant agencies as well as impacted parties to respond to and manage the incident.” 

“ASIC’s IT team and cybersecurity advisers engaged by ASIC are undertaking a detailed forensic investigation and working to bring systems back online safely,” says the regulator.

Hacker Who Stole Information From Nintendo Now Sentenced

 


A computer hacker who stole data from Nintendo and was recently caught with the possession of child pornography on his computer was condemned to three years in prison.

A resident of Palmdale, California, the accused goes by the name of Ryan S. Hernandez.

He had previously pleaded in January to 'one count of computer fraud and abuse and one count of possession of child pornography'.

The federal judge ordered Hernandez to be on seven years of supervised release following his term in the prison and register as a sex offender.

However, this isn't the first time when he was found engaging in illegal work. At the point when he was a minor, Hernandez was caught stealing 'confidential Nintendo files' in 2016. 

The FBI at that point had examined the matter and reached out to Hernandez and his parents following which he consented to quit hacking the company, as indicated by court records. 

Nonetheless, according to the prosecutors, Hernandez hacked Nintendo services and stole 'confidential info' about some rather well-known video games, gaming consoles, and developer tools from June 2018 to June 2019.

The FBI at that point had looked through his home and computers in 2019 and discovered several confidential Nintendo files also videos and images of minors engaged in a sexual act. 

The judge recommended Hernandez be imprisoned at a federal prison for detainees with cognitive challenges and hence ordered him to pay $259,323 in compensation to Nintendo.

Clothing Brand 'The North Face' Hit By Credential Stuffing Attack, Suffers Data Breach

 

After North Face's website faced a credential stuffing attack, the company has reset the customers' credentials. In a recent cybersecurity incident, North Face informed its customers that it suffered a data breach attack. On its website, the customers can explore through clothing and accessories collection and buy apparel; they can also earn loyalty points when they buy a thing. Further inquiry revealed that hackers attacked The North Face on 8th and 9th October. 

The North Face says, "we strongly encourage you not to use the same password for your account at thenorthface.com that you use on other websites because if one of those other websites is breached, your email address and password could be used to access your account at thenorthface.com. Besides, we recommend avoiding using easy-to-guess passwords." In credential stuffing, hackers attack users who re-use their login credentials for different accounts or platforms. The hackers use ID and passwords stolen from other attacks, for instance, a data breach, and use the credentials for hacking purposes. The hackers use stolen login credentials to gain unauthorized access to websites. The entire process is mostly automatic, and now the hackers have modified their strategies and gained leverage in these types of attacks. 

Hackers have been successful in stealing data from prominent organizations like Dunkin Doughnut. The company suffered two cyberattacks in three months. As per the investigation, The North Face believes that it is probable that the hackers stole user credentials from any other source or website and used that information to attack the company's user accounts. According to StatSocial, The North Face leads the U.S market in the clothing and accessories segment, generating $2 Billion of the total $4 Billion revenue in 2019. 

The company didn't reveal the number of customers attacked; however, SimiliarWeb says that The North Face website had 6.96 Million customers in October. "We do not believe that the attacker obtained information from us that would require us to notify you of a data security breach under applicable law, but we are notifying you of the incident voluntarily, out of an abundance of caution," says The North Face.

Impact of Covid-19 Web Threats on Cybersecurity, A Report from Beginning to End

 

Cyberattacks during the Covid-19 pandemic exposed the flawed systems of cybersecurity. We should glance at these attacks and learn new ways to strengthen cybersecurity infrastructure from experience.

Impact of cyberattacks during the pandemic- 

Until the first quarter of 2020, the FBI's cyber division reported a 3-4 times surge in cyberattacks complaints since the start of Covid-19. According to Interpol and FBI data, there has been a massive increase in ransomware, phishing, DDoS and malware attacks; since the coronavirus pandemic. Hackers used email platforms to carry out their web threats. 

Interpol reports, "Cybercriminals are taking advantage of the widespread global communications on the coronavirus to mask their activities. Hospitals, medical centers, and public institutions are being targeted by cybercriminals for ransomware attacks – since they are overwhelmed with the health crisis and cannot afford to be locked out of their systems, the criminals believe they are likely to pay the ransom. The ransomware can enter their systems through emails containing infected links or attachments, compromised employee credentials, or exploiting a system's vulnerability."  

Most of the attacks are disguised under the theme of Covid-19. Hackers copy fake organization platforms like WHO to commit frauds and target victims. Via these platforms, the hackers lure their victims into transferring money, providing banking details, stealing personal user data. All these attacks resulted in making COVID-19 themed attacks the highest in 2020. 

What can we learn from these attacks? 

Hackers use panic and fear to target their victims. The malware and phishing attacks during the Covid-19 pandemic prove that attackers use fear to intimidate their targets. In March alone, experts discovered more than 40000 high risk and 2000 malicious domains. In April 2020, Google reported around 240 million coronaviruses themed malware and spams. Google website says, "Every day, Gmail blocks more than 100 million phishing emails. During the last week, we saw 18 million daily malware and phishing emails related to COVID-19. This is in addition to more than 240 million COVID-related daily spam messages. Our ML models have evolved to understand and filter these threats, and we continue to block more than 99.9% of spam, phishing, and malware from reaching our users."

Nintendo Confirms Around 160,000 User Accounts Affected in Recent Hacks


On Friday, the Japanese gaming giant, Nintendo confirms that around 160,000 user accounts of Nintendo Switch users have been affected in the recent hacking attempts.

Nintendo's Switch game console is immensely popular among avid gamers and its demand has risen dramatically amid the lockdown forced by COVID-19 pandemic, making it out of stock almost everywhere. As the number of people turning to Nintendo is rapidly increasing, the number of hackers targeting digital accounts has also increased as a result.

In the wake of the breach, Nintendo has disabled the option of logging into a Nintendo account via Nintendo Network ID (NNID)– login IDs and passwords of the users have been acquired in an unauthentic way by some means other than Nintendo's service, the company confirmed. Notably, these attempts to access accounts illegally have been made since the beginning of April. The information compromised during the breach includes usernames, DOB, email addresses, and country.

The company has notified all the affected users of the breach through an email, alerting them to reset their passwords.
Meanwhile, the company also warned the users in case they have used a common password for their NNID and Nintendo account, and said, “your balance and registered credit card / PayPal may be illegally used at My Nintendo Store or Nintendo eShop.”

The company further recommended the users to enable two-factor authentication as some accounts are already being used to make fraudulent purchases. Affected users are advised to contact Nintendo so that the company can examine their purchase history and cancel fraudulent purchases.

"We will soon contact users about resetting passwords for Nintendo Network IDs and Nintendo Accounts that we have reason to believe were accessed without authorization," the company said.

While apologizing to the customers, Nintendo said, "We sincerely apologize for any inconvenience caused and concern to our customers and related parties,"

"In the future, we will make further efforts to strengthen security and ensure safety so that similar events do not occur." the company added.

L4NC34 Ransomware Teaches That Ransomware Attacks Ought To Never Be Trifled With




There is no denying the fact that whenever the word ransomware is mentioned computers are an instinctive afterthought to have been largely infected by the same. The impact is without a doubt an extremely serious one and so it always escapes our notice that it’s the websites also that are touched upon by this impact.

While Ransomware is normally thought to be a method wherein files are encrypted in a super-perplexing way, alongside a ransom note asking hundreds to thousands of dollars’ worth of cryptocurrency.

Typically this is kind of the reality — however, attackers aren't very similar to each other and not all may have the technical ability or would even attempt to go to such lengths.

Thus as of late, there was a case where the entire website files were apparently encrypted and had their file names changed to affix a ".crypt".

Among the files, we additionally found the ransom note one might usually discover in this type of malware, but this one was somewhat unusual — it wasn't an HTML or a .txt file. Rather, the ransom note was actually located inside a PHP file and appeared to contain actual capacities.

Here is a more critical look at the file.



The code of the malicious PHP file is as follows:

'.base64_decode('PHRpdGxlPkw0TkMzNCBSYW5zb213YXJlPC90aXRsZT4KPGx[pbmsgcmVj[REDACTED BASE64 CODE]dCBNYWlsIDogbDRuYzM0MEBnbWFpbC5jb20=').'

At first glance, nothing looks particularly surprising here, when decoded the result is:

L4NC34 Ransomware "; } function decdir($dir){ $files = array_diff(scandir($dir), array('.', '..')); foreach($files as $file) { if(is_dir($dir."/".$file)){ decdir($dir."/".$file); }else { decfile($dir."/".$file); } } } decdir($_SERVER['DOCUMENT_ROOT']); echo "
Webroot Decrypted
"; unlink($_SERVER['PHP_SELF']); unlink('.htaccess'); copy('htabackup','.htaccess'); echo 'Success !!!'; } else { echo 'Failed Password !!!'; } exit(); } ?>

L4NC34 ransomware


Your Website Is Encrypted

Don't Change the Filename because it Can Damage the File If You Want to Return You Must Enter the Password First
Send Me $10 For Back Your Website

Bitcoin Address :


Contact Mail: l4nc340@gmail.com

Now the portions of code responsible for displaying the ransom note, along with the actual decryption process for the files are very clearly visible.

However, this code contains a few specific characteristics that are worth noting.

$input = $_POST['pass']; $pass = "9c6679accb84e3ef938b1f4c24158355"; if(isset($input)) { if(md5($input) == $pass) {


This 'snippet' basically verifies if the password inputted on the page coordinates the hardcoded md5 hash. That appears to be somewhat odd; one may expect that the alleged key was not hardcoded — yet if so, at that point there might be a purpose behind these apparently encrypted files.

This next bit is answerable for the ransomware's file decryption function:

function decfile($filename){ if (strpos($filename, '.crypt') === FALSE) { return; } $decrypted = gzinflate(file_get_contents($filename)); file_put_contents(str_replace('.crypt', '', $filename), $decrypted); unlink('crypt.php'); unlink('.htaccess'); unlink($filename); echo "$filename Decrypted !!!
";


While there really isn’t anything special or very complex about it. The decryption process just seems to take into account the actual contents of the file and then gzinflate them.

From what is clearly evident here, it’s safe to assume that the only way this hacker “encrypted” the files was to gzdeflate the files and change their file name.

This is what one of the encrypted files looked like:



Backing up to the original ransom note/script and modifying it to execute the decryption function without affecting anything else.

We can go ahead and run it either through a terminal or through the browser directly. And when done so with the following command:

$php ransom.php
Webroot Decrypted
Success !!!


What’s visible is the decrypted contents of the previous file, which look as expected.



Well, thankfully the ransomware encryption was easily and quickly reverted without paying the $10 fee.

But the question that still stands strong is that since it’s so easy to reverse this infection, ‘Did someone ever even end up paying the attacker?’

The answer to which can be found if we take a look at the bitcoin wallet address



Fortunately, it appears that there were no transactions on this wallet. Ideally, that implies that none of the infected sites wound up paying the ransom and had the option to return the malignant file without issues.

In any case, this being observed the Ransomware attacks ought to never be trifled with as in the United States alone, potential expenses surpassed $7.5 billion in 2019. What's more, much like other ransom included crimes, but still, there's no guarantee that paying a ransom will end in a positive result.

A Brand New Virus That Incorporates Mining, Hacking and Backdoor Modules


Dubbed as CrazyCoin, a brand new virus has been recently discovered by researchers, which spreads through the NSA leaked EternalBlue exploit kit. The researchers came across this new computer virus as they found that it incorporates numerous capabilities in its arsenal. 

The virus allegedly incorporates mining, hacking, and 'backdoor' modules. After it taints a user's machine, it downloads mining and data-stealing modules. Later it plants the Double Pulsar backdoor program so that every one of these modules cooperates with one another and plays out their own activities. 

As indicated by researchers from 360 Baize Labs who found the infection, “The powershell script is responsible for downloading various modules to the victim’s machine for execution.” They state that the mining module incorporated in the virus is utilized to mine Monero and HNS coins. 

Furthermore, among the data stolen by the virus' stealing module are the victim's sensitive documents, like the ID cards, passwords, bitcoin wallets and so on. 

This stolen information is later sent back to a server controlled and handled by the attackers. Exhorting the users the researchers warn them about a few certain things as CrazyCoin 'leverages' the EternalBlue endeavor to proliferate across systems. This exploit kit is known for abusing a vulnerability in SMBv1, it is important to further update security patches against it. 

The vulnerability CVE-2017-0144 exists on the grounds that the SMB version 1 server in different variants of Microsoft Windows mishandles exceptionally created packets from remote attackers, permitting them to execute arbitrary code on the targeted computer. 

The CrazyCoin virus is said to listen and receive commands on port 3611.

HACKED- Windows 10, macOS, Adobe, VMware, Apple and Oracle at The Pwn2Own 2020!


Pwn2Own is a well-known computer hacking contest which is held once every year at the CanSecWest security conference. In this contest, the contestants are tested on how well they could exploit commonly used software and mobile devices with formerly unheard of vulnerabilities.

An issue as grave as the Coronavirus pandemic has clearly not affected the spirits of the Pwn2Own 2020 hacking competition which got done with its first two days.

On Day 1, security researchers and participants bagged a handsome amount of over $180,000 for exploiting the Windows 10, Ubuntu Desktop and macOS, mention sources.

Reportedly, a “team from the Georgia Tech Systems Software and Security Lab succeeded in exploiting a kernel privilege escalation to execute code on macOS” by way of Safari. The attack mechanism that ended up winning for the team $70,000 was comprised of 6 vulnerabilities.

Per the event page (thezdi.com), Georgia Tech employed a “6 bug chain to pop calc and escalate to root”.

The team that has won several preceding editions of the hacking contest, Team Fluoroacetate, won themselves a victorious $40,000 after they employed a “local privilege escalation exploit” meant for the Windows 10.

Reports mention that one of the two members of the aforementioned team also won himself a smashing amount of $40,000 for yet another privilege escalation exploit pursuing Windows 10.

As per sources, the RedRocket CTF team got themselves a win, owing to it to one of their members, Mafred Paul, who bagged an attractive amount of $30,000 for a local privilege escalation exploit focused on Ubuntu Desktop. The hack was about the manipulation of the ‘Input validation bug’.

On Day 2, The Fluoroacetate successfully targeted the Adobe Reader with a local privilege escalation by employing a pair of UAFs, mentioned sources and grabbed an amount of $50,000.

Per reports, the Synacktiv team targeted the VMware Workstation but unfortunately to no avail in the given duration of time. There also were special demonstrations of the Zero Day Initiative against the Oracle VirtualBox.

This was the very first time the organizers allowed “conditional remote participation” in the Pwn2Own hacking contest, understandably because of the increased concerns of people about traveling due to the Coronavirus outbreak.



Encryption Flaws Allow Hackers to Steal Vehicles without Leaving a Trace


New vulnerabilities were revealed earlier this week in the encryption frameworks utilized by immobilizers, the radio-enabled gadgets within cars that usually communicate at short range with a 'key fob' to easily unlock the car's ignition and permit it to start as discovered by researchers from KU Leuven in Belgium and the University of Birmingham in the UK. 

Issues were particularly identified in Toyota, Hyundai, and Kia who utilize and further implement a Texas Instruments encryption system called DST80. Aside from these, a couple of other influenced vehicles incorporate Camry, Corolla, and RAV4; Kia Optima, Soul, and Rio; the full rundown of vehicles that the researchers have found to have the cryptographic defects in their immobilizers is below:


In spite of the fact that the list likewise incorporates the Tesla S, the researchers announced the DST80 vulnerability to Tesla a year ago, and the company pushed out a firmware update that blocked the assault. Toyota has affirmed that the cryptographic vulnerabilities the researchers discovered are genuine. 

Be that as it may, their technique likely isn't as simple to pull off as the "relay" attacks that thieves have utilized over and overused to steal luxury cars and SUVs. Those, by and large, require just a couple of radio devices to expand the range of a key fob to open and start a victim's vehicle. One can pull them off from a reasonable distance, even though the walls of a structure. 

The researchers built up their key cloning technique by purchasing an assortment of immobilizers' electronic control units from eBay and reverse engineering the firmware to break down how they communicated with key fobs. They regularly saw it far as too simple to even consider cracking the secret value that Texas Instruments DST80 encryption utilized for authentication. 

Anyway, the issue lies not in DST80 itself however in how the carmakers implemented it: The Toyota fobs' cryptographic key depended on their serial number, for instance, and furthermore openly transmitted that serial number when checked with an RFID reader. What's more, Kia and Hyundai's key fobs utilized 24 bits of randomness instead of the 80 bits that the DST80 offers, making their secret values simple to figure. At the point when the affected carmakers and Texas Instruments were reached out for comments, Kia and Texas Instruments didn't respond. 

Be that as it may, Hyundai noted in a statement that none of its affected models are sold in the US. Toyota reacted in an explanation that “the described vulnerability applies to older models, as current models have a different configuration." 

In any case, the researchers have chosen to distribute their findings to uncover the genuine condition of immobilizer security and permit car owners to choose for themselves if it's sufficient. Protective car owners with hackable immobilizers may choose, like whether or not to utilize a steering wheel lock or not.

Hackers made $82 Million through Bug Bounties in 2019


Hacking as a profession has now become a viable option for the hackers out there. Yes, you've heard it right, ethical hackers have made more than $82 Million in Bug Bounties held at HackerOne. To top that, the ethical hacking community on HackerOne has now reached over 600,000, with around 850 new hackers joining every day. According to a '2020 Hacker Report' published by HackerOne, a Bug Bounty platform in San Francisco, around 18% of the members are full-time hackers, whose job is to find vulnerabilities and assure that internet becomes a safe place for everyone.


On the HackerOne platform, hackers from across the world, 170 countries to be accurate, which includes India too, are working every day to ensure the cybersecurity of 1700 organizations, which include Zomato and OnePlus also. The US tops the 2109 list in the earnings made by hackers through Bug Bounty with 19%, India comes second with 10%, Russia has 8%, China a 7%, Germany 5%, and at last Canada with 4%. These countries are the top 6 highest earning ones on the list.

According to Luke Tucker, who is the Senior Director of Global Hacker Community, Hackers are a global power working for a good cause to ensure the safety the connected society on the internet. The motivations for hacking may differ, but it is good to see that global organizations are embracing this new change and providing hackers a new platform to compete and grow as a community, making the internet a safe place for everyone, all together. Hackers from various countries earned a lot more than compared to what they did last year.

Hackers from Switzerland and Austria made more than 950% earnings than last year. Similarly, hackers belonging to Singapore, China, and other Asian countries made more than 250% compared to their earnings of 2018. Competitions like these Bug Bounty programs have helped Hackers land into respectful expert knowledge, as 80% of the hackers use this experience to explore a better career or jobs. According to the reports, these hackers spent over 20 hours every week to find vulnerabilities.

Hackers Gain Access to Sensitive Data; Release Veterans’ Stolen Data Related To PTSD Claims


Hackers become increasingly serious in their game as they begin targeting sensitive data that incorporates pain diary entries from veterans' very own physical injury cases. Breaching a few law firms, the local government databases and other organizations, demanding payments for data recuperation and deletion Maze, a hacking and ransomware group, as a major element of a ransomware attack against U.S. law firms released V.A documents, patient care records, legal fee agreements, and privacy consent forms. 

Screenshot of a VA claims document released in a data dump by hacking group Maze as part of a ransomware attack against U.S. law firms. (Screenshot/Brett Callow)

Two of those hacks focused explicitly on Texas-based law firm Baker Wotring in November and Woods and Woods LLC in Evansville, Indiana, this month. As per Brett Callow, a threat analyst with Emsisoft, Maze hacks an organization's servers, informs them of the breach and demands ransom payments to prevent data dumps and if the group doesn't receive what it demanded, it proceeds to publish small quantities of compromised information — "proofs" — online, open to anybody with internet access. 

And the group has actually done it. After previously demanding payments ranging from $1 million to a few million dollars, if the payment isn't received, Maze has released additional sensitive information on a 'staggered basis'. 

Screenshot of a pain diary document released in a data dump by hacking group Maze as part of a ransomware attack against U.S. law firms. The image has been redacted by Military Times. (Screenshot/Brett Callow)

According to Callow, the Ransomware group has already released a part of individual archives from Woods and Woods, and the group professes to have more data. Aside from this, it has likewise posted the compromised information on a Russian hacker forum. While other hackers utilize the stolen data to target and demand ransom from individual patients or clients, Maze doesn't do that. 

The hacking group works a bit differently here as they themselves write on their site, “Use this information in any nefarious way that you want.” 

Nonetheless as per Bleeping Computer, keeping in mind the current developments from the group the Federal Bureau of Investigation (FBI) has issued a Flash Alert just a month ago to privately owned businesses in order to advise them of expanded Maze ransomware exercises, as a prudent step.

Hacked! SCPI Protocol Vulnerabilty; Measurement Instruments Could be Hacked!


A leading cyber-security firm recently alerted all the netizens about a vulnerability discovered in the measurement tools that support the Standard Commands for Programmable Instruments (SCPI) protocol, mentioned reports.

According to sources, SCPI is an ASCII-based standard especially crafted out for the purposes of testing and measurement machines that came into existence in 1990.

SCPI still happens to be used quite a lot given its easy and user-friendly interface and the inclusion of commands that could help alter any setting on the devices.

In recent times, most of the measurement devices are connected to networks and in some cases even to the internet. Hence, SCPI’s holding no authentication mechanism is a matter of risk and insecurity for all its users.

Per sources, when one of the major cyber-security research firms ran analytic research on SCPI they uncovered all the devices that use it and therefore are vulnerable to cyber-crime.

Per reports, the aforementioned measurement devices encompass of multimeters, signal analyzers, oscilloscopes, data acquisition systems, and waveform generators.

The researchers carried forward their analysis on different brands and different products of the same type and came across the fact that all the vendors’ products could be equally susceptible to cyber-attacks of similar nature if they used SCPI.

A multimeter was analyzed by the researcher wherein they found that its web and other interfaces were quite easily available and were very easy to get to as they were neither password-protected nor had any security functions by default.

Therefore, any cyber-attack that even a basic attacker plans could have a high possibility of success as the “configuration panel” could be very easily accessed and the password could be changed to anything in accordance with the attacker’s whims.

And as if all this wasn’t enough, the attacker could actually configure the measurement instruments to cause physical harm to people. The devices could be set to show illogical and unsystematic text any number of times, as well.

Per sources, the memory of the measurement instruments could be written for a definite number of times but incessant writing could lead to the devices’ physical distortion which couldn’t be reversed without changing the parts.

The power supply units of the devices could also be easy targets for attackers, according to sources, and could trigger DoS leading to physical corruption of the device.

Amazon Chief’s Phone Hacked by the Saudi Arab Crown Prince



Referring to anonymous sources, a British daily newspaper came up with reports on details regarding Amazon Chief Jeff Bezos' cell phone being hacked in the wake of accepting a message from the Saudi Arabian crown.

Theft of information from Bezo's cell phone, however, is said to have been started in 2018 with a contaminated video file sent by means of WhatsApp from the personal account of Mohammed bin Salman, according to the previously mentioned British daily.

The report apparently comes about a year after the unexpected announcement that Bezos and his wife, MacKenzie, would separate following 25 years of marriage. The National Enquirer along these lines uncovered an extramarital affair between Bezos and Lauren Sanchez, a former TV anchor, in a progression of reports that depended, to some degree, on some intimate text messages sent by Bezos.

Bezos in this way distributed an extraordinary blog entry blaming the newspaper for taking steps to distribute all the more humiliating text messages and photographs except if he freely attested that there was no political motivation or outside force behind the newspaper's coverage.

Gavin de Becker, a security consultant for Bezos, later said he believed the Saudi Arabian government had gained access to Bezos' phone before the Enquirer uncovered the whole affair. He didn't give any immediate evidence to back up his claims, which he said originated from "our investigators and a few experts." De Becker referred to the Enquirer's business association with the Saudis, just as the intense coverage of the homicide of a critic of the Saudi regime by the Bezos-owned Washington Post, as reasons why bin Salman may look to harm the Amazon founder.

The newspaper reported a year ago that the Central Intelligence Agency connected the crown prince to the 2018 murder of Post Columnist Jamal Khashoggi. De Becker declined to remark past the rather lengthy statement a year ago, which was posted on the news site The Daily Beast.

The Saudi embassy didn't quickly react to a message looking for more inputs. In spite of the fact, it's still extremely unclear whether the supposed hack of Bezos' phone got to any sensitive Amazon corporate information.

While the company is yet to remark on the issue in the nine months since de Becker's allegation, the company representatives haven’t yet returned the messages seeking comment on the 21st of January.

52 Hackers get into the US Army system in the last 5 weeks


Last year, during October and November, 52 hackers were able to hack the US army. "It only strengthens our security systems as the hackers who hacked our systems did it on ethical principles, as the participants of second 'Hack the Army' event that is taking place since the year 2016," says the spokesperson of the US Department of Defense Defense Digital Service.



In today's world of cyber attacks and hacking, it is right to assume that inviting hackers to try and invade your system's security is not safe, not even for the US army. The hackers don't need a mere invite to hack into any organizations' cybersecurity. This statement raises a bit of doubt as lately, the US government warned users to update specific Virtual Private Network (VPN), or suffer from persistent cybersecurity attacks. Also, recently, the New York airport and New Orleans city suffered a cyberattack.

But still, there exists a plan in this obvious cyber insanity. 'Hack Army 2.0' was a mutual undertaking between the U.S. Army, a bug bounty program called 'HackerOne,' and the Defense Digital Service.

What is HackerOne?
In simple words, HackerOne is a platform where various exploits or vulnerabilities can be tested by hackers. This platform has allowed some of its best hackers to win millions of dollars. Surprisingly, one hacker was even able to hack the program itself. This reflects the caliber and potential of the hackers, who register in HackeOne.
Therefore, the whole reason for organizing 'Hack Army 2.0' is to find out any threats or vulnerabilities that might affect the security of the US army. This is crucial as it ensures the US army from other unethical hackers and national threats, for instance, Iran.

146 bugs detected, the Army pays $275,000-
The results after this drill revealed that a total number of 60 open US army assets were under the potential threat of hacking. The US army rewarded the hackers a total amount of $274,000 for their efforts. "The assistance of hackers can be helpful for the Army to increase its defense systems exceeding fundamental agreement lists to attain maximum security," said the spokesperson Alex Romero.