According to an expert report, Google removed about 63 million files from Google Docs, which Glupteba operators used to distribute their malware, as well as 1183 Google accounts, 908 cloud projects and 870 Google Ads accounts, which hackers also used to host various parts of their botnet.

In addition, over the past few days, Google has been working with several hosters and internet infrastructure companies (such as Cloudflare) to work out the issue of shutting down Glupteba’s C&C servers.

Unfortunately, the company admits that this operation will only cause temporary problems in the operation of the botnet, since the malware was originally created with a backup C&C system that runs on top of the Bitcoin blockchain. However, Google hopes that Glupteba will reduce its activity for at least a few months.

The Glupteba botnet was first documented in an ESET report back in 2011. Today it is one of the oldest botnets in the world, which attacks users in the United States, India, Brazil and Southeast Asia.

On compromised machines, Glupteba steals credentials and cookies, mines cryptocurrency, and deploys and exploits proxy components targeting Windows systems and IoT devices.

One of the most famous botnet modules is capable of spreading infection from a Windows computer to MikroTik routers found on internal networks. It is believed that this particular module was used at the beginning of this year to build the Mēris botnet, responsible for some of the largest DDoS attacks to date.

In addition to creating technical problems for the work of Glupteba, Google experts say that they have managed to identify two Russian citizens who are associated with some of the deactivated domains and accounts.

In court documents, Google claims that Dmitry Starovikov and Alexander Filippov are the creators and operators of Glupteba, and another 15 unknown persons are their accomplices. According to the company, they operated several sites where they advertised the capabilities of their botnet. For example, dont.farm, where they sold access to hacked Google and Facebook ad accounts. It is believed that the hackers obtained the credentials for these accounts through their botnet and later sold the access to other attackers.

Moreover, Google believes that this is all just part of Glupteba, a larger “criminal enterprise”, which also included the management of AWMProxy.net (later vd.net) and abm.net. These resources made it possible to rent access to proxies hosted on the computers of Glupteba victims.

As part of its lawsuit, Google is seeking compensation for the damages, an injunction against two suspects barring them from interacting with any Google services, and an order that the creators of Glupteba violated a number of US laws: the Racketeers and Corrupt Organizations Act (RICO), the Computer fraud and abuse, the Electronic Communications Privacy Act, the Lanham Act (Federal Trademark Act of 1946), and engaged in improper business interference to obtain illicit enrichment.

Let me remind you that I also wrote that the US authorities accused the Ukrainian citizen of running a brute force botnet.

The post Google Stops Glupteba Botnet and Sues Two Russians appeared first on Gridinsoft Blog.

Spamhaus, a non-profit spam-tracking organization, reported that such emails were delivered to tens of thousands of recipients in two waves. At the same time, experts believe that about 100,000 letters are only a small part of the campaign.

According to Spamhaus, messages came from a legitimate address eims@ic.fbi.gov, with IP 153.31.119.142 (mx-east-ic.fbi.gov), and the subject line said “Urgent: Threat actor in systems”.

Spamhaus said the mailing was followed by a rash of phone calls and letters from concerned organizations seeking more information on the attacks on FBI offices. Although the letters were clearly fake (they contained many spelling errors), the newsletter caused serious panic, as the letters passed the SPF and DKIM security checks, that is, they were sent from real FBI servers and bypassed all spam filters.

Worse, messages from the attackers reported that a certain Vinny Troia was responsible for these attacks. Troy is a renowned cybersecurity researcher who leads darknet research at NightLion Security and Shadowbyte. The fact that the attackers blamed Vinnie Troy for non-existent attacks was well commented on by renowned information security specialist Markus Hutchins.

Troia himself writes on Twitter that, in his opinion, the accident is the work of a man known as pompomourin. In the past, this person has already been involved in incidents aimed at damaging the investigator’s reputation.

Moreover, a few hours before the attack on the FBI mail server and the sending of spam, pompompurin contacted the researcher on Twitter and advised him to “enjoy” what was about to happen.

The FBI has already confirmed the break-in. The agency said it was already investigating the incident, and the compromised server was temporarily shut down to stop spamming.

Apparently, the hackers took advantage of a vulnerability in the software running on the server to send messages. At the same time, the compromised machine was isolated from the agency’s corporate mail and did not give access to any data or personal information on the FBI network.

Well-known cybersecurity journalist Brian Krebs notes that the LEEP (Law Enforcement Enterprise Portal) allowed anyone to apply for an account, but the registration process required filling out contact information.

As a result, using a special script, the attackers were able to change the parameters, specify the subject and text of the email of their choice, and automate the sending of messages.

Let me remind you that I also wrote that List of suspects in terrorism that are monitored by the FBI leaked to the network.

The post Hackers broke into FBI mail server and sent fake cyberattack alerts appeared first on Gridinsoft Blog.

Gadgets are susceptible to a stored XSS vulnerability. Rauch has revealed the issue, although the patch is not yet available, as he was disappointed in Apple’s bug bounty program.

The root of the vulnerability lies in the fact that when an AirTag user turns on “lost mode”, that is, he cannot find his item, he can add his phone number and a custom message that will be displayed to anyone who finds and scans the AirTag using any device with NFC support.

Rauch noticed that the unique page created on found.apple.com for each AirTag is prone to stored XSS and the problem could be exploited by inserting malicious data into the phone number field.

The researcher describes the following attack scenario: an attacker turns on the “loss mode” for his own AirTag and intercepts the request associated with this operation. Then he enters malicious data into the phone number field.

After that, the attacker can only drop the AirTag device in the place where his target (or a bystander, if the attack is opportunistic) will find the key fob and scan it. After scanning such an AirTag, a malicious payload will be launched immediately.

Rauch demonstrated such an attack by injecting a payload that redirects the victim to a phishing page that mimics iCloud. Since we are talking about an Apple product, the iCloud login page may not raise suspicion from the victim, although, in fact, no credentials need to be provided when scanning the found AirTag.

In a similar way, a criminal can lure his victim to any other site, including one that distributes malware, or create another payload, which, for example. will intercept session tokens and clicks.

Rauch also notes that it is possible to use a malicious link to found.apple.com on its own by sending it directly to your target. In this case, the payload will be launched after accessing the link, and there will not even be a need to scan the AirTag.

Rauch told the well-known cybersecurity journalist Brian Krebs that he notified Apple of the problem on June 20, 2021, but the company reacted very slowly, constantly sending replies that specialists were studying the bug. Apple also refused to answer the expert’s questions about the possible reward for the detected error. As a result, Rauch was completely disappointed in Apple’s bug bounty and decided to publish the details of the vulnerability in the public domain.

Let me remind you that recently another information security specialist disclosed the details of bypassing the lock screen in iOS, and also wrote that this is a kind of revenge to Apple for the fact that earlier in 2021 the company downplayed the significance of similar problems of bypassing the lock screen, which he reported. Shortly thereafter, a researcher known by the nickname Illusion of Chaos published detailed descriptions and exploits for three 0-day vulnerabilities in iOS. He explained that he had reported these issues to Apple at the beginning of the year, but the company has never released any patches.

The Washington Post devoted a long article to this problem, in which many cybersecurity specialists talked about the same problems and argued that the company has never left their bug reports unattended for months, released ineffective patches, understated the size of rewards and generally prohibited researchers from participating in the bug bounty further, if they started to complain.

Let me also remind you that I wrote that Experts showed fraudulent payments from a locked iPhone with Apple Pay and a Visa card.

The post Users can be lured to a malicious site through a vulnerability in Apple AirTag appeared first on Gridinsoft Blog.

This should protect Exchange servers from attacks and give administrators more time to install full-fledged patches when Microsoft releases them. The fact is that zero-day vulnerabilities in Microsoft Exchange have recently been regularly exploited by “government hackers”, as well as by groups pursuing financial gain.

For example, I recently wrote about US and UK accused China for attacks on Microsoft Exchange servers. Moreover, Sophos experts have discovered the Epsilon Red ransomware that exploits vulnerabilities in Microsoft Exchange servers to attack other machines on the network.

The new functionality is called Microsoft Exchange Emergency Mitigation (EM) and is based on the Exchange On-premises Mitigation Tool (EOMT), released in March this year to help identify and fix ProxyLogon problems.

EM runs as a Windows service on Exchange Mailbox servers and will be automatically installed on Exchange Server 2016 and Exchange Server 2019 mailbox servers after the September 2021 cumulative update (or newer) is deployed. Administrators can disable EM if they don’t want Microsoft to automatically apply security measures to their servers.

The new functionality will detect Exchange servers that are vulnerable to one or more known issues and automatically apply temporary mitigation measures to them (until administrators can apply full patches).

So far EM offers three types of protection:

• A custom rule blocks certain patterns of malicious HTTP requests that could compromise the Exchange server.
• disabling the vulnerable service on the Exchange server;
• disabling the vulnerable application pool on the Exchange server.

Let me also remind you that I talked about the fact that Hackers attack Microsoft Exchange servers on behalf of Brian Krebs.

The post New feature in Exchange Server will apply fixes automatically appeared first on Gridinsoft Blog.

This database, devoid of any personal information, will be available to information security specialists and law enforcement officers for free download. Unfortunately, such a database can be easily corrupted by fake material, but to counter this, Cable plans to study all submissions, and in the future plans to add a voting system for individuals so that reports can be flagged as fake.

In general, the site is very simple: it allows victims of ransomware attacks and security specialists to transfer copies of their ransom notes to Ransomwhere, as well as report the amount of the ransom and the bitcoin address to which the victims transferred the payment. Then this address will be indexed in the public database.

The main idea is to create a centralized system that tracks payments sent by hackers, which will allow them assessing the scale of their profits and operations more accurately, about which very little is known. The creator of the project hopes that the anonymous exchange of payment data through a third-party service, such as Ransomwhere, will remove some barriers in the information security community, such as nondisclosure agreements and business competition.

So far, Cable relies only on publicly available materials to expand its database, but the researcher told The Record that he is already exploring “the possibility of partnerships with analytical companies in the field of information security and blockchain to integrate the data they may have about the victims.”

Reporters note that the launch of the Ransomwhere project is very similar to the launch of the ID-Ransomware project created by Michael Gillespie in early 2016. Initially, it was a site where hacker victims could download the ransom notes they received, and the site told them which malware family was attacking their systems and where they could get help recovering their files. As a result, ID-Ransomware has become an indispensable tool for many incident response specialists.

Let me remind you that I also talked about the fact that HIBP (Have I Been Pwned?) Leak aggregator opens the source code.

The post The Ransomwhere project creates a database of ransomware payments appeared first on Gridinsoft Blog.

The cybercriminal group DarkSide behind the attack on the Colonial Pipeline hastened to disown any political motives.

According to the hackers, they are apolitical and “do not participate in geopolitics.” However, according to journalist Brian Krebs, the cybercriminals’ statement is not true.

According to the journalist, similarly to other ransomware programs, DarkSide contains an embedded list of countries in which it does not infect computer systems. As a rule, this list includes the countries of the former USSR and the CIS countries. In particular, the DarkSide list includes: Azerbaijan, Armenia, Belarus, Georgia, Kazakhstan, Kyrgyzstan, Moldova, Russia, Romania, Syria, Turkmenistan, Tajikistan, Tatarstan, Ukraine and Uzbekistan.

Before installing on a system, the malware checks for the presence of the language of the country from the list and, if it is detected, is not installed.

However, the refuse from language check increases the security risk of cybercriminals themselves and reduces profits, explained the chief researcher of the New York-based information security company Unit221B Allison Nixon.

Because of Russia’s “unique legal culture”, Nixon said, Russian cybercriminals use language tests to make sure their victims are abroad.

Does this mean that installing the Russian layout will one hundred percent secure the system from hackers? Not. There are many groups in the cybercriminal world that, unlike DarkSide, don’t care about the victims of their attacks. Changing language settings cannot replace cyber hygiene and cybersecurity best practices, Krebs emphasizes. However, the expert sees no reason why not to try such simple preventive way to keep yourself safe.

Let me remind you that I also wrote that NATO experimented with deceptive techniques to combat Russian hackers.

The post Cyrillic on the keyboard may become a “vaccine” against Russian hackers appeared first on Gridinsoft Blog.

As a result, OGUSERS was temporarily disabled and put into maintenance mode, and users were notified of a password reset, urging everyone to turn on two-factor authentication for their accounts so that the stolen data could not be used to hack accounts.

Let me remind you that another OGUSERS hack occurred in May 2019. Then the attackers entered the server through a vulnerability in one of the custom plugins and gained access to a backup dated December 26, 2018. The site was then hacked again in November 2020.

OGUSERS started out as a website selling stolen accounts on a wide variety of platforms and services.

In addition, Motherboard reporters turned their attention to OGUSERS back in 2018, when they were preparing a series of articles on the increasing cases of SIM card fraud. Such attacks with the capture of someone else’s phone numbers are used to steal accounts on social networks, steal large amounts of cryptocurrency, and so on. OGUSERS is one of the largest trading platforms where accounts stolen under such circumstances were sold.

As the information security company KELA now reports, the administrator of the OGUsers forum said that the site was hacked again, as unknown persons uploaded the web shell to the server. At first, the site administration doubted that the database was damaged, but soon a rival hack forum began selling the stolen OGUsers database for $3,000.

Bleeping Computer, citing its own sources, writes that OGusers were hacked on April 11, 2021, and the attackers had full access to the database dump. The database included records of approximately 350,000 users and private messages.

A source told the publication that OGUsers uses a variety of plug-ins that contain vulnerabilities that attackers can chain together to install a web shell.

Vitaly Kremez, head of Advanced Intel, says that such leaks from criminal forums may be beneficial to law enforcements and information security researchers:

Let me remind you that I talked about the fact that the Netherlands police posted warnings on hacker forums.

The post Attackers Hacked OGUsers Hacking Forum Again appeared first on Gridinsoft Blog.

The fact is that Krebs is famous for his investigations and revelations, and over the long years of his career, he helped find and de-anonymize more than a dozen criminals, which the latter, of course, do not like at all.

Criminals have been taking revenge on the journalist for many years. So, criminals have been already sent a SWAT team to Krebs home, they took a loan on his behalf for $20,000, transferred $1,000 to his PayPal account from a stolen payment card, and the PayPal account itself was compromised more than once. They even tried to transfer money from Krebs’ account to the terrorist the ISIS subsidiary. After disclosure of the Mirai IoT malware authors, Krebs’ website suffered one of the most powerful DDoS attacks in history at that time.

A couple of years ago, users of the German imageboard Pr0gramm (pr0gramm.com), with which the operators of the Coinhive cryptojacking service were associated, standed against the journalist. Offended by the Krebs investigation, users launched the #KrebsIsCancer campaign on social networks (“Krebs is cancer”). The fact is that in German the surname of the journalist, Krebs, translates as “cancer”, and on Pr0gramm they decided to literally “fight cancer”: they trolled Krebs and eventually donated more than $120,000 to this fight.

It is also worth noting that malware authors often mention Brian Krebs in the code of their programs as a kind of “hello”. According to the journalist, a complete list of such cases would consist of hundreds of pages.

Yesterday there was a post on KrebsOnSecurity titled “No, I Didn’t Hack Your MS Exchange Server“. In it, Krebs says that now “on his behalf” attacks are taking place on servers that are vulnerable to ProxyLogon problems.

The researcher writes that the Shadowserver Foundation found that Microsoft Exchange servers are being attacked by the KrebsOnSecurity and Yours Truly malware.

For example, the attackers first host the Babydraco web shell on the vulnerable server at /owa/auth/babydraco.aspx. The malicious file krebsonsecurity.exe is then loaded via PowerShell, which transfers data between the victim server and the attacker’s domain – Krebsonsecurity[.]top.

Shadowserver has found more than 21,000 Exchange servers running the Babydraco backdoor, although they do not know how many of those systems were downloading secondary payloads from a rogue version of Krebsonsecurity.

The researcher cites the December post of one of the website visitors:

Krebs explains that instead of “XXX-XX-XXX”, that address was his social security number. “I was killed through DNS,” he sums up.

Let me also remind you that we reported that Researcher Published PoC Exploit for ProxyLogon Vulnerabilities in Microsoft Exchange.

The post Hackers attack Microsoft Exchange servers on behalf of Brian Krebs appeared first on Gridinsoft Blog.

The ZDNet publication says that just recently analysts at Cyber R&D Lab conducted an interesting experiment related to EMV cards.

The researchers issued EMV cards with a chip in 11 banks in the US, UK and EU, and then used hacking tools against them, which are usually used to copy information stored on EMV cards and their magnetic stripes.

As a result, the researchers were able to extract data from EMV cards and created clones with the same magnetic stripe, but without the actual chip.

“This became possible due to the fact that all EMV-cards have a magnetic stripe just in case, for example, for a situation when a user has gone abroad and cannot use EMV, or there is an old PoS-terminal”, – told ZDNet journalists.

The fact that it is possible to copy the magnetic stripe of EMV cards has been known since 2008, but it was believed that this feature could hardly be abused, since banks planned to transfer all users to EMV and often refused to use magnetic stripes. As practice has now shown, this did not happen, and Cyber R&D Labs specialists reported that they managed to clone four cards in the above described way and carry out transactions.

However, until this week, the problem was still considered rather theoretical, since it was not known about the massive use of this technique by hackers, and now experts at Gemini Advisory have discovered such precedents.

The researchers write that the EMV cards data were stolen from the American supermarket chain Key Food Stores Co-Operative Inc., as well as from the American liquor store Mega Package Store.

Gemini Advisory believes that the method that criminals began to use was described as early as in 2008, and that this technique, EMV-Bypass Cloning, was the subject of recent research by Cyber R&D Labs.

“I demonstrated cloning from chip data to magstripe, but the banks said that cards issued after 2008 would not be vulnerable and chip data would be “useless to the fraudster ”. This new research shows that the problem still has not been fixed, 12 years on”, – said engineer Steven Murdoch, who described the cloning technique in 2008.

In theory, it is not too difficult to defend against such attacks: it is enough for banks to conduct more thorough checks when processing transactions from magnetic stripes of EMV cards. However, unfortunately, as a study by Cyber R&D Labs has shown, not all banks pay attention to this.

By the way, here the hacker Tamagotchi instantly collected on Kickstarter an amount 7 times more than necessary – hacking is in fashion, and your personal data, including bank accounts and cards, is always in danger. Let me also remind you that BlackRock Trojan steals passwords and card data from 337 applications on Android OS.

The post Attacks on EMV cards, which were only a theory for 12 years, noticed in reality appeared first on Gridinsoft Blog.

According to KrebsOnSecurity sources, the incident disrupted some systems, but care for the patients continues.

Germany-based Fresenius company includes four independent companies: Fresenius Medical Care, a leading provider of services for people with kidney failure; Fresenius Helios, Europe’s largest private hospital operator; Fresenius Kabi, a pharmaceutical and medical device company; and Fresenius Vamed, medical facility manager.

Overall, Fresenius employs nearly 300,000 people in more than 100 countries, and is ranked 258th on the Forbes Global 2000. The company provides products and services for dialysis, hospitals, and inpatient and outpatient care, with nearly 40 percent of the market share for dialysis in the United States.

“This is worrisome because COVID-19 causes many patients to experience kidney failure, which has led to a shortage of dialysis machines and supplies”, — reports KrebsOnSecurity.

We live in truly difficult times – I recall that the other day, the Indian techno giant Jio disclosed data of people tested for COVID-19.

One Fresenius Kabi employee in the United States said that the computers in his company’s office were hacked and a cyberattack affected company’s operations around the world.

During the attack, hackers used Snake ransomware, which is a relatively new malware. Snake operators attack mainly large companies, turn off their IT systems and demand a ransom in bitcoins for access to data.

“I can confirm that Fresenius IT systems have been the victim of the malware. As a precaution, have been taking steps to prevent further spread. We also informed the relevant investigating authorities, and although some functions in the company are currently limited, patient care continues,” – said Fresenius representative.

According to security researchers, Snake ransomware is unique as it tries to identify IT processes associated with enterprise management tools and large automated process control systems. The malware is written in Golang and has a higher level of obfuscation than other ransomware.

After starting, Snake deletes shadow copies of computer volumes and then disables numerous processes associated with SCADA systems, virtual machines, industrial management systems, remote management tools, network management software, etc. Then it encrypts files on the device, skipping those located in the Windows system folders, and various system files.

The post Europe’s largest private hospital operator Fresenius attacked with Snake ransomware appeared first on Gridinsoft Blog.