Brian Krebs Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/brian-krebs/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Feed last updated: Mon, 25 Apr 2022 21:10:23 +0000

T-Mobile Admits that Lapsus$ Hack Group Stole Its Source Codes
https://gridinsoft.com/blogs/t-mobile-admits-that-lapsus-stole-its-source-codes/
Mon, 25 Apr 2022 21:03:56 +0000

The post T-Mobile Admits that Lapsus$ Hack Group Stole Its Source Codes appeared first on Gridinsoft Blog.

Information security journalist Brian Krebs has learned that, even before the arrests, the Lapsus$ hacking group managed to compromise the telecom giant T-Mobile.

The company confirmed this, saying that a few weeks ago the hackers penetrated its network and gained access to internal tools and source code. It stresses that the attackers were nevertheless unable to steal confidential information about T-Mobile customers.

We have already written about the strange Lapsus$ group, which blackmailed Nvidia, leaked source code from Microsoft, Ubisoft and Samsung, and compromised Okta; for these hackers, notoriety was clearly more important than financial gain.

The T-Mobile hack was reported by the well-known investigative journalist Brian Krebs, who has covered information security for many years, has repeatedly exposed hacking groups and has assisted law enforcement in its investigations.

Krebs, who obtained the private chats of the group’s members, writes that the attack on T-Mobile took place some time ago, before the arrests of seven alleged Lapsus$ members that UK law enforcement announced at the end of March 2022.

According to the chat logs, the VPN credentials the group used for initial access were bought on dark web marketplaces such as Russian Market. The attackers’ goal was to take over the accounts of T-Mobile employees, which would ultimately allow them to carry out SIM-swap attacks.

[Screenshot: T-Mobile and hack group Lapsus$]

“When Lapsus$ lost access to a T-Mobile employee’s account (due to the employee trying to log in or change their password), they simply found or bought a different set of T-Mobile VPN credentials. T-Mobile currently has about 75,000 employees worldwide,” Krebs notes.

In addition to accessing an internal customer account management tool called Atlas, the hackers’ discussions suggest they gained access to Slack and Bitbucket accounts, using the latter to download 30,000 source code repositories.

At the same time, the hackers searched Atlas for T-Mobile accounts associated with the FBI and the US Department of Defense (see screenshot below). To their disappointment, it turned out that additional verification procedures were required to work with such accounts.

[Screenshot: T-Mobile and hack group Lapsus$]

Interestingly, after failing to get at the accounts of the FBI and other government agencies, the group’s leader, a 17-year-old from the UK known by the nicknames White, WhiteDoxbin and Oklaqq, told the other hackers to focus on stealing source code and to drop the VPN connection to Atlas, which he considered “garbage”. The other members of the group were extremely unhappy with this decision.

[Screenshot: T-Mobile and hack group Lapsus$]

After the publication of Krebs’s article, T-Mobile representatives confirmed the hack. The company stated:

“A few weeks ago, our monitoring tools detected an attacker using stolen credentials to access internal systems hosting operational tools. The systems that were accessed contained no customer, government or other sensitive information, and we have no evidence that the attacker was able to obtain anything of value. Our systems and processes were running as normal, the attack was quickly stopped, and the compromised credentials used were retired.”
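The pattern Krebs describes above (credentials bought in bulk from a marketplace, a replacement bought as soon as an employee changes a password) and the credential-misuse detection that T-Mobile’s statement refers to can be turned into a few concrete checks on VPN authentication logs. The following is an added example, not code from this post, from Krebs or from T-Mobile: it runs three detections over a constructed log, and every field name, IP address, account name and threshold in it is an assumption.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN authentication log (not real T-Mobile data).
# Fields: timestamp, account, source IP, geolocated country, outcome.
SAMPLE_LOG = """\
ts,user,src_ip,country,result
2022-03-10T08:01:00,alice,203.0.113.10,US,success
2022-03-10T08:03:00,bob,203.0.113.11,US,success
2022-03-10T21:40:00,alice,198.51.100.7,BR,success
2022-03-10T21:41:00,carol,198.51.100.7,BR,success
2022-03-10T21:42:00,dave,198.51.100.7,BR,failure
2022-03-10T21:43:00,erin,198.51.100.7,BR,success
2022-03-11T09:00:00,bob,203.0.113.11,US,success
2022-03-11T09:30:00,alice,203.0.113.10,US,password_change
2022-03-11T09:45:00,frank,198.51.100.9,BR,success
"""


def parse_log(text):
    """Parse the CSV log into dicts with a datetime timestamp, oldest first."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["ts"] = datetime.fromisoformat(r["ts"])
        rows.append(r)
    rows.sort(key=lambda r: r["ts"])
    return rows


def impossible_travel(rows, window=timedelta(hours=24)):
    """Flag an account that logs in successfully from two countries within `window`:
    the legitimate employee and a second party are both holding the credential."""
    alerts, last_ok = [], {}
    for r in rows:
        if r["result"] != "success":
            continue
        prev = last_ok.get(r["user"])
        if prev and prev["country"] != r["country"] and r["ts"] - prev["ts"] <= window:
            alerts.append((r["user"], prev["country"], r["country"]))
        last_ok[r["user"]] = r
    return alerts


def shared_source(rows, min_users=3, window=timedelta(minutes=30)):
    """Flag a source IP that authenticates (or tries to) as `min_users` or more
    distinct accounts inside `window`: the signature of a purchased credential batch."""
    alerts, by_ip = [], defaultdict(list)
    for r in rows:
        if r["result"] in ("success", "failure"):
            by_ip[r["src_ip"]].append(r)
    for ip, events in by_ip.items():
        for start in events:
            users = {e["user"] for e in events
                     if start["ts"] <= e["ts"] <= start["ts"] + window}
            if len(users) >= min_users:
                alerts.append((ip, tuple(sorted(users))))
                break  # one alert per source IP is enough
    return alerts


def replacement_after_reset(rows, window=timedelta(hours=2)):
    """After a password change on an account flagged by impossible_travel, watch for a
    *new* account appearing from the same foreign country: the attacker has swapped
    in another purchased credential, exactly as the chat logs describe."""
    foreign = {user: country for user, _, country in impossible_travel(rows)}
    resets = [r for r in rows if r["result"] == "password_change" and r["user"] in foreign]
    seen = defaultdict(set)  # user -> countries seen before the current event
    alerts = []
    for r in rows:
        if r["result"] == "success":
            for reset in resets:
                country = foreign[reset["user"]]
                if (reset["ts"] < r["ts"] <= reset["ts"] + window
                        and r["country"] == country
                        and r["user"] != reset["user"]
                        and country not in seen[r["user"]]):
                    alerts.append((reset["user"], r["user"], country))
        seen[r["user"]].add(r["country"])
    return alerts


def run(text=SAMPLE_LOG):
    """Run all three detections and return their alerts keyed by name."""
    rows = parse_log(text)
    return {
        "impossible_travel": impossible_travel(rows),
        "shared_source": shared_source(rows),
        "replacement_after_reset": replacement_after_reset(rows),
    }


if __name__ == "__main__":
    for name, alerts in run().items():
        print(name, alerts)
```

The three checks deliberately do not depend on each other’s thresholds: the shared-source rule catches the batch of bought credentials being tried from one host, the impossible-travel rule catches a single credential in two hands, and the replacement rule catches the attacker’s response to a password reset, which is the moment defenders most often stop looking.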

Cyrillic on the keyboard may become a “vaccine” against Russian hackers
https://gridinsoft.com/blogs/vaccine-against-russian-hackers/
Tue, 18 May 2021 16:08:54 +0000

After the sensational cyberattack on the American fuel giant Colonial Pipeline, experts proposed a kind of “vaccine” against Russian hackers.

The cybercriminal group DarkSide behind the attack on the Colonial Pipeline hastened to disown any political motives.

According to the hackers, they are apolitical and “do not participate in geopolitics.” However, according to journalist Brian Krebs, the cybercriminals’ statement is not true.

“Here’s the thing: digital ransomware groups like DarkSide are very concerned about making their entire platform geopolitical, because their malware is specifically designed to work only in certain parts of the world,” Krebs writes.

According to the journalist, DarkSide, like other ransomware families, contains an embedded list of countries in which it will not infect systems. As a rule, such a list covers the former USSR and CIS countries. The DarkSide list specifically includes Azerbaijan, Armenia, Belarus, Georgia, Kazakhstan, Kyrgyzstan, Moldova, Russia, Romania, Syria, Turkmenistan, Tajikistan, Tatarstan, Ukraine and Uzbekistan.

Before installing itself, the malware compares the system’s language settings against that list, and if it finds a language from the list, it exits without installing.

“Cybercriminals are known to react quickly to defenses that reduce their profitability, so why don’t the bad guys just make a difference and start ignoring language checks? Well, they certainly can, and maybe even will (the latest version of DarkSide analyzed by Mandiant does not check the system language),” the journalist said.

However, dropping the language check increases the risk for the cybercriminals themselves and reduces their profits, explained Allison Nixon, chief researcher at the New York-based information security company Unit221B.

Because of Russia’s “unique legal culture”, Nixon said, Russian cybercriminals use language tests to make sure their victims are abroad.

“They do it for legal protection. Installing a Cyrillic keyboard or changing a specific registry entry to “RU”, etc., may be enough to convince malware that you are Russian. Technically, this can be used as a “vaccine” against Russian malware,” Nixon explained.

Does this mean that installing a Russian keyboard layout will protect a system from hackers one hundred percent? No. There are many groups in the cybercriminal world that, unlike DarkSide, do not care who their victims are. Changing language settings cannot replace cyber hygiene and security best practices, Krebs emphasizes. Still, the expert sees no reason not to try such a simple preventive measure.

“The worst thing that can happen is that you accidentally switch language settings, and all your menu items will be in Russian,” writes Krebs.
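To make the language check described above, and the keyboard-layout “vaccine” Nixon and Krebs discuss, concrete, here is an added example that is not DarkSide’s code and not from the post: a simulation of such a gate that takes the three values a Windows program can obtain from the Win32 APIs GetSystemDefaultUILanguage, GetUserDefaultUILanguage and GetKeyboardLayoutList, plus an optional probe that reads the real values on a Windows host. The page gives only country names, so the locale identifiers below are the standard Windows LCIDs for those countries’ languages, not the list extracted from any DarkSide binary; the sample hosts are constructed.

```python
import sys

# Standard Windows LCIDs for the locales of the countries on the list quoted above.
# Assumption: the exact identifiers inside the DarkSide binary are not on the page.
EXCLUDED_LCIDS = {
    0x0419: "ru-RU", 0x0422: "uk-UA", 0x0423: "be-BY", 0x0428: "tg-Cyrl-TJ",
    0x042B: "hy-AM", 0x042C: "az-Latn-AZ", 0x082C: "az-Cyrl-AZ", 0x0437: "ka-GE",
    0x043F: "kk-KZ", 0x0440: "ky-KG", 0x0442: "tk-TM", 0x0443: "uz-Latn-UZ",
    0x0843: "uz-Cyrl-UZ", 0x0444: "tt-RU", 0x0418: "ro-RO", 0x0818: "ro-MD",
    0x0819: "ru-MD", 0x2801: "ar-SY",
}
RUSSIAN_HKL = 0x04190419  # keyboard layout handle of the standard Russian layout


def matching_locales(system_ui_lcid, user_ui_lcid, keyboard_hkls):
    """Return the excluded locales present on the host, as a language check sees them."""
    ids = {system_ui_lcid, user_ui_lcid}
    # The low 16 bits of a keyboard layout handle (HKL) are the input language identifier.
    ids |= {hkl & 0xFFFF for hkl in keyboard_hkls}
    return sorted(EXCLUDED_LCIDS[i] for i in ids if i in EXCLUDED_LCIDS)


def would_execute(system_ui_lcid, user_ui_lcid, keyboard_hkls):
    """Simulated DarkSide-style gate: True means the malware would proceed,
    False means it found an excluded locale and exits without installing."""
    return not matching_locales(system_ui_lcid, user_ui_lcid, keyboard_hkls)


def apply_vaccine(keyboard_hkls, layout=RUSSIAN_HKL):
    """Nixon's 'vaccine': the keyboard list as it looks after adding a Russian layout."""
    return list(keyboard_hkls) + ([] if layout in keyboard_hkls else [layout])


def host_languages():
    """Read the real values on a Windows host through the same Win32 APIs.
    Returns None elsewhere so the file stays runnable on any platform."""
    if sys.platform != "win32":
        return None
    import ctypes
    k32, u32 = ctypes.windll.kernel32, ctypes.windll.user32
    count = u32.GetKeyboardLayoutList(0, None)
    buf = (ctypes.c_void_p * count)()
    u32.GetKeyboardLayoutList(count, buf)
    return (k32.GetSystemDefaultUILanguage(), k32.GetUserDefaultUILanguage(),
            [h or 0 for h in buf])


if __name__ == "__main__":
    # Constructed hosts: a US English machine before and after the vaccine.
    before = (0x0409, 0x0409, [0x04090409])
    after = (0x0409, 0x0409, apply_vaccine([0x04090409]))
    print("plain en-US host, malware proceeds:", would_execute(*before))
    print("after adding a Russian layout, malware proceeds:", would_execute(*after))
    if host_languages():
        print("this host, malware proceeds:", would_execute(*host_languages()))
```

Note what the simulation makes visible: the UI language and the keyboard layouts are checked independently, so adding a layout is enough to trip the gate even though the UI stays in English, which is why Krebs calls the side effect (menus switching to Russian) the worst that can happen. It also shows the limit of the trick: a build that skips the check, like the Mandiant sample mentioned above, never calls these APIs at all.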

Let me also remind you that I wrote about NATO experimenting with deception techniques to counter Russian hackers.

Hackers attack Microsoft Exchange servers on behalf of Brian Krebs
https://gridinsoft.com/blogs/hackers-attack-exchange-servers-on-behalf-of-brian-krebs/
Tue, 30 Mar 2021 16:27:42 +0000

The well-known information security expert, journalist and author of the KrebsOnSecurity blog has repeatedly been a target of hackers’ attacks and mockery. Now hackers are attacking Microsoft Exchange servers vulnerable to ProxyLogon “on behalf of” Brian Krebs.

The thing is that Krebs is famous for his investigations and exposés, and over his long career he has helped find and de-anonymize more than a dozen criminals, which, of course, the latter do not like at all.

Criminals have been taking revenge on the journalist for years. They have sent a SWAT team to Krebs’s home, taken out a $20,000 loan in his name, transferred $1,000 to his PayPal account from a stolen payment card (the PayPal account itself has been compromised more than once), and even tried to send money from Krebs’s account to an ISIS affiliate. After he exposed the authors of the Mirai IoT malware, Krebs’s website suffered one of the most powerful DDoS attacks in history at that time.

A couple of years ago, users of the German imageboard Pr0gramm (pr0gramm.com), with which the operators of the Coinhive cryptojacking service were associated, turned against the journalist. Offended by Krebs’s investigation, they launched the #KrebsIsCancer campaign on social networks. In German the journalist’s surname, Krebs, means “cancer”, and Pr0gramm decided to literally “fight cancer”: they trolled Krebs and ended up donating more than $120,000 to that fight.

It is also worth noting that malware authors often mention Brian Krebs in the code of their programs as a kind of “hello”. According to the journalist, a complete list of such cases would consist of hundreds of pages.

Yesterday KrebsOnSecurity published a post titled “No, I Didn’t Hack Your MS Exchange Server”. In it, Krebs says that servers vulnerable to the ProxyLogon flaws are now being attacked “on his behalf”.

The researcher writes that the Shadowserver Foundation found Microsoft Exchange servers being attacked with malware that borrows the names of KrebsOnSecurity and of Krebs himself.

For example, the attackers first drop the Babydraco web shell on the vulnerable server at /owa/auth/babydraco.aspx. The web shell then uses PowerShell to download the malicious file krebsonsecurity.exe, which exchanges data between the victim server and the attacker’s domain, Krebsonsecurity[.]top.

Shadowserver has found more than 21,000 Exchange servers running the Babydraco backdoor, although it is not known how many of those systems went on to download secondary payloads from the rogue Krebsonsecurity domain.

“The motives of the cybercriminals behind the Krebsonsecurity[.]top domain are unclear, but the domain itself has recently been linked to other types of cybercriminal activity and to attacks on me. I first heard about this domain in December 2020, when one of my readers told me that his entire network had been hijacked by a cryptocurrency mining botnet that contacted this domain,” says Krebs.
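The indicators named above (the web shell path, the dropper file name and the command-and-control domain) are enough for a first sweep of an Exchange server’s IIS logs, DNS logs and disk. The block below is an added example, not from the post, from Krebs or from Shadowserver; the log lines, the directory listing and the allowlist of legitimate files under /owa/auth/ are all constructed, and the IIS field order is an assumption you should check against the #Fields header of your own logs.

```python
# Indicators named in the post: the web shell path, the dropper file name and the C2 domain.
IOC_PATH = "/owa/auth/babydraco.aspx"
IOC_FILES = {"babydraco.aspx", "krebsonsecurity.exe"}
IOC_DOMAINS = {"krebsonsecurity.top"}

# Example allowlist of legitimate files under /owa/auth/ (assumption: build it from a
# known-good server of the same Exchange build before relying on it).
KNOWN_OWA_AUTH = {"logon.aspx", "logoff.aspx", "errorfe.aspx", "signout.aspx"}

# Constructed IIS W3C log (not from a real server). Field order is assumed:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
SAMPLE_IIS = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-03-28 02:10:11 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 192.0.2.20 Mozilla/5.0 200
2021-03-28 02:11:02 10.0.0.5 POST /ecp/y.js - 443 - 198.51.100.42 python-requests/2.25.1 200
2021-03-28 02:11:09 10.0.0.5 POST /owa/auth/babydraco.aspx - 443 - 198.51.100.42 python-requests/2.25.1 200
2021-03-28 02:11:10 10.0.0.5 GET /owa/auth/BabyDraco.aspx cmd=whoami 443 - 198.51.100.42 python-requests/2.25.1 200
2021-03-28 02:12:40 10.0.0.5 POST /owa/auth/x9k2.aspx - 443 - 198.51.100.42 python-requests/2.25.1 200
2021-03-28 02:15:33 10.0.0.5 GET /owa/ - 443 jdoe 192.0.2.21 Mozilla/5.0 200
"""

# Constructed DNS query log: "client queried_name". The last line is Krebs's real site
# and must NOT match: a suffix match on the registrable domain avoids that false positive.
SAMPLE_DNS = """\
10.0.0.5 3f8a1c.krebsonsecurity.top
10.0.0.5 outlook.office365.com
10.0.0.9 www.krebsonsecurity.top
10.0.0.9 krebsonsecurity.com
"""

# Constructed directory listing from the Exchange front end and a temp folder.
SAMPLE_LISTING = [
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon.aspx",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\babydraco.aspx",
    r"C:\Windows\Temp\KrebsOnSecurity.exe",
]


def hunt_iis(text):
    """Return requests that hit the known web shell path or an unexpected .aspx under /owa/auth/."""
    hits = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split()
        ts, method, stem, client = f"{f[0]} {f[1]}", f[3], f[4].lower(), f[8]
        if stem == IOC_PATH:
            hits.append((ts, client, method, stem, "known web shell"))
        elif (stem.startswith("/owa/auth/") and stem.endswith(".aspx")
                and stem.rsplit("/", 1)[1] not in KNOWN_OWA_AUTH):
            hits.append((ts, client, method, stem, "unexpected aspx"))
    return hits


def in_ioc_domain(name, domains=IOC_DOMAINS):
    """Exact or subdomain match only; 'krebsonsecurity.com' must not match 'krebsonsecurity.top'."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def hunt_dns(text):
    """Return (client, name) pairs whose queried name falls under an IOC domain."""
    return [tuple(line.split()) for line in text.splitlines()
            if line and in_ioc_domain(line.split()[1])]


def hunt_files(paths):
    """Flag paths whose file name matches an IOC file name, case-insensitively."""
    return [p for p in paths if p.replace("\\", "/").rsplit("/", 1)[-1].lower() in IOC_FILES]


if __name__ == "__main__":
    for hit in hunt_iis(SAMPLE_IIS):
        print("IIS:", hit)
    for hit in hunt_dns(SAMPLE_DNS):
        print("DNS:", hit)
    for hit in hunt_files(SAMPLE_LISTING):
        print("FILE:", hit)
```

Two details matter in practice: the URL comparison is case-insensitive because IIS paths are, so a renamed BabyDraco.aspx still matches, and the allowlist rule catches the next web shell dropped under a name nobody has published yet. A DNS hit on a random-looking subdomain of the C2 domain, like the reader’s report below, is the strongest of the three signals, since the miner beaconed there from machines that never touched Exchange.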

The researcher cites the December post of one of the website visitors:

“I noticed this morning that the cooler on the server in my home lab was making a lot of noise. At first I didn’t think much of it, but after cleaning and testing it still made noise. After completing other work-related matters, I checked and found that a cryptominer had gotten into my system, pointing to XXX-XX-XXX.krebsonsecurity.top. It ended up infecting all three Linux servers on my network.”

Krebs explains that instead of “XXX-XX-XXX”, that address was his social security number. “I was killed through DNS,” he sums up.

Let me also remind you that we reported that a researcher published a PoC exploit for the ProxyLogon vulnerabilities in Microsoft Exchange.

Microsoft bought the domain Corp.com, so criminals would not do it
https://gridinsoft.com/blogs/microsoft-bought-the-domain-corp-com-so-criminals-would-not-do-it/
Thu, 09 Apr 2020 16:18:04 +0000

The well-known infosec journalist Brian Krebs drew attention to an interesting fact: this week Microsoft bought the domain Corp.com so that criminals could not. The sum of the transaction was not disclosed.

Krebs first turned his attention to this domain when Mike O’Connor, who had owned it for 26 years, put it up for sale in February this year. The domain went to auction with a starting price of $1.7 million.

Speaking with Krebs, O’Connor said he was very worried about the domain ending up with anyone other than Microsoft, but explained that he badly needed the money.

Why is Corp.com so dangerous? Because when setting up Active Directory, many administrators used “corp” as a placeholder domain name.

“This problem is known as a namespace collision: when domain names that are intended to be used exclusively on a company’s internal network end up intersecting domains that can resolve onto the open Internet,” explains Brian Krebs.

Unfortunately, early versions of Windows with Active Directory support (for example, Windows 2000 Server) used “corp” as the example or default Active Directory path, and many companies apparently kept that setting without changing it.

The situation is complicated by the fact that some companies have built, or acquired through mergers, vast networks based on this erroneous setup.

What happens if an employee who works for a company that uses the Active Directory corp path takes their corporate laptop with them to their local Starbucks?

“Most likely, some resources on his laptop will try to access this internal “corp” domain. By virtue of how Windows DNS name resolution works, this corporate laptop that has gone online via the Starbucks wireless network is likely to search for resources on corp.com,” says Brian Krebs.

In essence, this means that whoever controls corp.com can passively intercept private communications from hundreds of thousands of computers that leave a corporate environment in which “corp” was used as the Active Directory domain name.

In fact, if Microsoft had not acquired the domain, its buyer could use Corp.com to collect passwords, emails, and other sensitive data from a variety of misconfigured corporate machines.
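The namespace collision described above is easy to audit for in your own environment: list the names a client will actually send to DNS once it is off the corporate network, and check whether each of them falls under a domain you registered. The block below is an added example, not from the post or from Krebs or Microsoft; the owned-domain list and the hostnames are constructed, and the suffix devolution it models (the primary DNS suffix, then each parent down to two labels) is the classic default, so the stopping point on current Windows builds, which is tied to the forest root name, is an assumption you should confirm with `ipconfig /all` on a real client.

```python
# Constructed: the public domains this hypothetical organisation actually owns.
OWNED_DOMAINS = {"example.com", "example.net"}


def devolution_suffixes(primary_suffix, min_labels=2):
    """Suffixes a Windows client tries for an unqualified name: the primary DNS suffix,
    then each parent down to `min_labels` labels (assumption: classic default devolution).
    'corp.eu.example.com' -> ['corp.eu.example.com', 'eu.example.com', 'example.com']"""
    labels = primary_suffix.strip(".").lower().split(".")
    out = []
    while True:
        out.append(".".join(labels))
        if len(labels) <= min_labels:
            return out
        labels = labels[1:]


def candidate_queries(short_name, primary_suffix, connection_suffix=None):
    """FQDNs the client may send to whatever resolver the current network hands it."""
    names = [f"{short_name.lower()}.{s}" for s in devolution_suffixes(primary_suffix)]
    if connection_suffix:  # e.g. a search suffix pushed by the coffee-shop DHCP server
        names.append(f"{short_name.lower()}.{connection_suffix.strip('.').lower()}")
    return names


def owned_by_us(fqdn, owned=OWNED_DOMAINS):
    """True if the name is the registered domain itself or a subdomain of it."""
    fqdn = fqdn.lower().strip(".")
    return any(fqdn == d or fqdn.endswith("." + d) for d in owned)


def audit(ad_domain, hostnames, owned=OWNED_DOMAINS, connection_suffix=None):
    """Every lookup that leaves for a namespace someone else controls when the internal
    resolver is unreachable: the Starbucks scenario from the post. A single-label AD name
    such as 'corp' is reported too: '.corp' is not a namespace you own either."""
    leaks = []
    for host in hostnames:
        for fqdn in candidate_queries(host, ad_domain, connection_suffix):
            if not owned_by_us(fqdn, owned):
                leaks.append(fqdn)
    return leaks


if __name__ == "__main__":
    hosts = ["fileserver", "printsrv"]
    for ad_domain in ("corp.com", "corp", "corp.example.com"):
        print(f"AD domain {ad_domain!r}: leaks -> {audit(ad_domain, hosts)}")
    print("with a guest Wi-Fi suffix:",
          audit("corp.example.com", hosts, connection_suffix="wifi.example.org"))
```

The output for the three AD names makes the fix obvious: only the forest named as a subdomain of a domain the company owns produces no external lookups, which is exactly the naming guidance a new domain should follow. The last line shows that even a correctly named forest can still leak through a connection-specific suffix supplied by a foreign network, so disabling the appending of such suffixes on laptops is a second control worth having.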

Mike O’Connor, who is 70, says this was one of the reasons for the sale: countless computers were constantly trying to share data with his domain.

So now Microsoft owns corp.com, but it seems the company has not yet fixed the issues with its own problematic subdomains that I wrote about recently.

Google AdSense users receive threat emails
https://gridinsoft.com/blogs/google-adsense-users-receive-threat-emails/
Wed, 19 Feb 2020 17:42:31 +0000

An extortionist is sending threatening emails demanding a ransom to website owners who use Google’s AdSense advertising service.

The unknown senders threaten to generate fake ad views with bots and thereby get the site banned from AdSense, reports KrebsOnSecurity.

“Very soon you will receive a warning notification in the control panel of your AdSense account! We are going to invade your site with a huge amount of direct web traffic generated by bots with a 100% bounce rate and thousands of IP addresses – a nightmare for any AdSense user. We’ll configure our bots to open every AdSense banner that runs on your site in an endless cycle of varying lengths,” says the attackers’ message.

A surge of such fake activity threatens site owners with limits on ad serving, refunds of their earnings to advertisers and, in the worst case, a complete ban. Google defines invalid traffic as “clicks or impressions generated by publishers clicking their own live ads,” as well as “automated clicking tools or traffic sources”.

In one case the criminals demanded $5,000 in bitcoin and began to carry out their threats: the amount of invalid AdSense traffic on one reader’s site has risen significantly over the past month.

“The reader who shared this email said while he considered the message likely to be a baseless threat, a review of his recent AdSense traffic statistics showed that detections in his “AdSense invalid traffic report” from the past month had increased substantially”, – reports Brian Krebs.

Google said it has extensive tools and processes to protect against invalid traffic across its products, and that the most suspicious traffic is filtered from its systems before advertisers and publishers are ever impacted.

Additionally, Google urged users to ignore any messages demanding a ransom, as well as report such cases to company representatives.

This may well be an empty threat; for a look at extortionists who really do have something to brag about, read our study of the methods of the REvil (Sodinokibi) ransomware operators.
