Daily Archives: January 10, 2020

Alleged Member of Neo-Nazi Swatting Group Charged

Federal investigators on Friday arrested a Virginia man accused of being part of a neo-Nazi group that targeted hundreds of people in “swatting” attacks, wherein fake bomb threats, hostage situations and other violent scenarios were phoned in to police as part of a scheme to trick them into visiting potentially deadly force on a target’s address.

In July 2019, KrebsOnSecurity published the story Neo-Nazi Swatters Target Dozens of Journalists, which detailed the activities of a loose-knit group of individuals who had targeted hundreds of individuals for swatting attacks, including federal judges, corporate executives and almost three-dozen journalists (myself included).

A portion of the Doxbin, as it existed in late 2019.

An FBI affidavit unsealed this week identifies one member of the group as John William Kirby Kelley. According to the affidavit, Kelley was instrumental in setting up and maintaining the Internet Relay Chat (IRC) channel called “Deadnet” that was used by him and other co-conspirators to plan, carry out and document their swatting attacks.

Prior to his recent expulsion on drug charges, Kelley was a student studying cybersecurity at Old Dominion University in Norfolk, Va. Interestingly, investigators allege it was Kelley’s decision to swat his own school in late November 2018 that got him caught. Using the handle “Carl,” Kelley allegedly explained to fellow Deadnet members he hoped the swatting would get him out of having to go to class.

The FBI says Kelley used virtual private networking (VPN) services to hide his true Internet location and various voice-over-IP (VoIP) services to conduct the swatting calls. In the ODU incident, investigators say Kelley told ODU police that someone was armed with an AR-15 rifle and had placed multiple pipe bombs within the campus buildings.

Later that day, Kelley allegedly called ODU police again but forgot to obscure his real phone number on campus, and quickly apologized for making an accidental phone call. When authorities determined that the voice on the second call matched that from the bomb threat earlier in the day, they visited and interviewed the young man.

Investigators say Kelley admitted to participating in swatting calls previously, and consented to a search of his dorm room, wherein they found two phones, a laptop and various electronic storage devices.

The affidavit says one of the thumb drives included multiple documents that logged statements made on the Deadnet IRC channel, which chronicled “countless examples of swatting activity over an extended period of time.” Those included videos Kelley allegedly recorded of his computer screen which showed live news footage of police responding to swatting attacks while he and other Deadnet members discussed the incidents in real-time on their IRC forum.

The FBI believes Kelley also was linked to a bomb threat in November 2018 at the predominantly African American Alfred Baptist Church in Old Town Alexandria, an incident that led to the church being evacuated during evening worship services while authorities swept the building for explosives.

The FBI affidavit was based in part on interviews with an unnamed co-conspirator, who told investigators that he and the others on Deadnet IRC are white supremacists and sympathetic to the neo-Nazi movement.

“The group’s neo-Nazi ideology is apparent in the racial tones throughout the conversation logs,” the affidavit reads. “Kelley and other co-conspirators are affiliated with or have expressed sympathy for Atomwaffen Division,” an extremist group whose members are suspected of having committed multiple murders in the U.S. since 2017.

Investigators say on one of Kelley’s phones they found a photo of him and others in tactical gear holding automatic weapons next to pictures of Atomwaffen recruitment material and the neo-Nazi publication Siege.

As I reported last summer, several Deadnet members maintained a site on the Dark Web called the “Doxbin,” which listed the names, addresses, phone numbers and often known IP addresses, Social Security numbers, dates of birth and other sensitive information on hundreds of people — and in some cases the personal information of the target’s friends and family. After those indexed on the Doxbin were successfully swatted, a blue gun icon would be added next to the person’s name.

One of the core members of the group on Deadnet — an individual who used the nickname “Chanz,” among others — stated that he was responsible for maintaining SiegeCulture, a white supremacist Web site that glorifies the writings of neo-Nazi James Mason (whose various books call on followers to start a violent race war in the United States).

Deadnet chat logs obtained by KrebsOnSecurity show that another key swatting suspect on Deadnet who used the handle “Zheme” told other IRC members in March 2019 that one of his friends had recently been raided by federal investigators for allegedly having connections to the person responsible for the mass shooting in October 2018 at the Tree of Life Jewish synagogue in Pittsburgh.

At one point last year, Zheme also reminded denizens of Deadnet about a court hearing in the murder trial of Sam Woodward, an alleged Atomwaffen member who’s been charged with killing a 19-year-old gay Jewish college student.

As reported by this author last year, Deadnet members targeted dozens of journalists whose writings they considered threatening to their worldviews. Indeed, one of the targets successfully swatted by Deadnet members was Pulitzer prize winning columnist Leonard G. Pitts Jr., whose personal information as listed on the Doxbin was annotated with a blue gun icon and the label “anti-white race/politics writer.”

In another Deadnet chat log seen by this author, Chanz admits to calling in a bomb threat at the UCLA campus following a speech by Milo Yiannopoulos. Chanz bragged that he did it to frame feminists at the school for acts of terrorism.

On a personal note, I sincerely hope this arrest is just the first of many to come for those involved in swatting attacks related to Deadnet and the Doxbin. KrebsOnSecurity has obtained information indicating that several members of my family also have been targeted for harassment and swatting by this group.

Finally, it’s important to note that while many people may assume that murders and mass shootings targeting people because of their race, gender, sexual preference or religion are carried out by so-called “lone wolf” assailants, the swatting videos created and shared by Deadnet members are essentially propaganda that hate groups can use to recruit new members to their cause.

The Washington Post reports that Kelley had his first appearance in federal court in Alexandria, Va. on Friday.

“His public defender did not comment on the allegations but said his client has ‘very limited funds,’” The Post’s courts reporter Rachel Weiner wrote.

The charge against Kelley of conspiracy to make threats carries up to five years in prison. The affidavit in Kelley’s arrest is available here (PDF).

Threat Roundup for January 3 to January 10

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Jan 3 and Jan 10. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Read More


TRU01102020 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

The post Threat Roundup for January 3 to January 10 appeared first on Cisco Blogs.

Datacenter Security: How to Balance Business Agility with Great Protection

When IDC consults with enterprise customers or performs worldwide surveys, security is invariably an acute concern. That’s regardless of geography, industry, and identity of respondent (executive, LoB, IT, DevOps, etc.). While the challenge of providing protection and security extends across all places in the network, the problem is especially vexing in the datacenter.

There’s good reason for that, of course. The parameters of the datacenter have been redrawn by the unrelenting imperative of digital transformation and the embrace of multicloud, which together have had substantive implications for workload protection and data security.

As workloads become distributed – residing in on-premises enterprise datacenters, in co-location facilities, in public clouds, and also in edge environments – networking and network-security challenges proliferate and become more distributed in nature. Not only are these workloads distributed, but they’re increasingly dynamic and portable, subject to migration and movement between on-premises datacenters and public clouds.

Data proliferates in lockstep with these increasingly distributed workloads. This data can inform and enhance the digital experiences and productivity of employees, contractors, business partners, and customers, all of whom regularly interact with applications residing across a distributed environment of datacenters. The value of datacenters is ever greater, but so are the risks of data breaches and thefts, perpetrated by malevolent parties that are increasingly sophisticated.

Given that cloud is not only a destination but also an operating model, the rise of cloud-native applications and DevOps practices has added further complications. As DevOps teams adopt continuous integration and continuous deployment (CI/CD) to keep up with the need for business speed and as developers leverage containers and microservices for agility and simplicity, traditional security paradigms – predicated on sometimes rigid controls and restrictions – are under unprecedented pressure. For enterprises, the choice seems to be between the agility of cloud and cloud-native application environments on one side and the control and safety of traditional datacenter-security practices on the other.

Perhaps that isn’t true, though. There is a way to move forward that gives organizations both agility and effective security controls, without compromise on either front. Put another way, there needn’t be a permanent unresolved tension between the need for business agility and the requirement for strong security, capable of providing the controls that organizations want while aligning more closely with business outcomes.

The first step toward this goal involves achieving visibility. If you can’t see threats, you can’t protect against them. This visibility must be both pervasive and real-time, capable of sensing and facilitating responses to anomalies and threats that span users, devices, applications, workloads, and processes (workflow). From a network standpoint, visibility must be available within datacenters – into north-south and east-west traffic flows – between them, and out to campus and branch sites as well as to clouds. The visibility should extend up the stack, too, all the way to application components and behavior, giving organizations views into potentially malicious activity such as data exfiltration and the horizontal spread of malware from server to server.

Once visibility is achieved, organizations can leverage the insights it provides to implement policy-based segmentation comprehensively and effectively, mitigating lateral propagation of attacks within and between datacenters and preventing bad actors from gaining access to high-value datacenter assets.

The foundations of visibility and policy-based segmentation, in turn, facilitate a holistic approach to threat protection, helping to establish an extensive network of capabilities and defenses that can quickly detect and respond to threats and vulnerabilities before they result in data loss or prohibitively costly business disruptions.

While it might seem that cloud-era business agility and effective security are irreconcilable interests, there is a path forward that merges the two in unqualified alignment.

For more information, see the Cisco-IDC webinar.


The post Datacenter Security: How to Balance Business Agility with Great Protection appeared first on Cisco Blogs.

The Consequences of Security Breaches Are Becoming More Severe

Job Security

With the prevalence of cyberattacks, breaches, and data leaks heading into 2020, it’s becoming commonplace for employees to part ways with their organization after a security incident. Although the consequences from a breach were less severe in the past, reactions are shifting as data leaks are deemed more dire than ever before.

A 2018 report from Kaspersky Lab surveyed 6,000 people in 29 countries and found that, globally, 31 percent of cybersecurity incidents resulted in the layoff of employees at impacted companies. In roughly a third of these cases, those employees holding senior IT positions were most often let go from their roles after a breach or security incident.

The results from Kaspersky’s survey also revealed that 32 percent of C-level managers and CEOs in the United States were laid off post-breach. That number is lower in other countries but still higher overall than most functional roles within and outside of IT, representing a growing trend in how organizations respond to breach backlash. As cybersecurity professionals are in high-demand and C-level managers cost a pretty penny, making the decision to part ways is not always easy.

Weathering the post-breach storm

With great power comes great responsibility. In 2017, the CIO of Equifax U.S. Information Solutions, Jun Ying, was sent to jail and forced to pay $55,000 for insider trading after it was discovered that he shared information about a breach before it was made public by the company. In the same year, Uber’s CSO Joe Sullivan was let go after he allegedly helped cover up a bug bounty pay-out for over $100,000, paying attackers in exchange for the deletion of stolen data on 57 million drivers and passengers. Both Sullivan and security lawyer Craig Clark were fired from the company.

Sometimes privacy-minded employees clash with their own organization’s policies and can eliminate a role altogether. For example, Facebook’s former CSO, Alex Stamos, left a security role at the social media powerhouse after he allegedly disagreed with how Facebook handled the very public Cambridge Analytica scandal. In 2018, Facebook made the decision not to replace Stamos and to instead rely on introducing security engineers, analysts, investigators, and other specialists into their engineering and product teams. It was a testament to how fast things can change within an organization’s security team.

In other situations, ex-employees can cause unanticipated headaches with ripple effects of their own. Capital One fell prey to cyberattacker Paige Thompson when she infiltrated the company’s third-party cloud server to access 106 million customer records in 2019. Thompson, previously an Amazon Web Services software engineer, allegedly built a scanning tool that looked for misconfigured cloud servers on the web providing easy access to username and password credentials.

These examples lead to a logical question: if your business is unable to fortify its internal processes and protect sensitive information, is it trustworthy to consumers? With a solid plan for security and remediation in place, the risk of job loss and consumer distrust diminishes.

Getting serious about your security

As breaches and cyberattacks lead to high-profile firings that play out in the media, the public is paying attention. A recent IDG Survey Report, Security as a Competitive Advantage, found that 66 percent of respondents are more likely to work with a vendor whose application security has been validated by an established, independent expert.

Additionally, 99 percent of those surveyed for the report welcome the advantages of working with a certified and secure vendor, such as improved protection of IP data that leads to peace of mind for their customers. There are measures your organization can take to boost customer confidence, give you a competitive advantage, and potentially prevent the loss (monetary or otherwise) from a breach or cyberattack.

In addition to incorporating security testing into your software development, third-party validation of your security efforts shows prospects and customers alike that securing data is a top priority in your organization’s application development process.

Independent security validation comes with a number of benefits, enabling vendors to:

  • Proactively address any questions a prospect might have about security
  • Instill confidence in buyers that they’re choosing a vendor who cares about their data
  • Speed up sales cycles by eliminating the need for back-and-forth validation
  • Stay one step ahead of security concerns from customers and prospects
  • Integrate more efficiently with development teams to improve security

With third-party validation in place, you not only have proof positive that your organization cares about security, but also a roadmap for maturing your application security program. The risk of losing employees to high-profile incidents also diminishes. Eliminating concern and doubt sets you apart with a competitive advantage in the marketplace that sends a clear message to buyers: you’re serious about security.

Learn how the Veracode Verified program can help position you as a trusted and secure vendor so that you’re ready when a prospect comes calling.

Police Surveillance Tools from Special Services Group

Special Services Group, a company that sells surveillance tools to the FBI, DEA, ICE, and other US government agencies, has had its secret sales brochure published. Motherboard received the brochure as part of a FOIA request to the Irvine Police Department in California.

"The Tombstone Cam is our newest video concealment offering the ability to conduct remote surveillance operations from cemeteries," one section of the Black Book reads. The device can also capture audio, its battery can last for two days, and "the Tombstone Cam is fully portable and can be easily moved from location to location as necessary," the brochure adds. Another product is a video and audio capturing device that looks like an alarm clock, suitable for "hotel room stings," and other cameras are designed to appear like small tree trunks and rocks, the brochure reads.

The "Shop-Vac Covert DVR Recording System" is essentially a camera and 1TB hard drive hidden inside a vacuum cleaner. "An AC power connector is available for long-term deployments, and DC power options can be connected for mobile deployments also," the brochure reads. The description doesn't say whether the vacuum cleaner itself works.


One of the company's "Rapid Vehicle Deployment Kits" includes a camera hidden inside a baby car seat. "The system is fully portable, so you are not restricted to the same drop car for each mission," the description adds.


The so-called "K-MIC In-mouth Microphone & Speaker Set" is a tiny Bluetooth device that sits on a user's teeth and allows them to "communicate hands-free in crowded, noisy surroundings" with "near-zero visual indications," the Black Book adds.

Other products include more traditional surveillance cameras and lenses as well as tools for surreptitiously gaining entry to buildings. The "Phantom RFID Exploitation Toolkit" lets a user clone an access card or fob, and the so-called "Shadow" product can "covertly provide the user with PIN code to an alarm panel," the brochure reads.

The Motherboard article also reprints the scary emails Motherboard received from Special Services Group, when asked for comment. Of course, Motherboard published the information anyway.

DSG Retail Limited Fined £500K by ICO Following Malware Attack

The UK Information Commissioner’s Office (ICO) fined DSG Retail Limited £500,000 following a malware attack that affected millions of the retailer’s customers. As the result of an investigation, the ICO learned that DSG Retail Limited had suffered a security incident in which an attacker installed malware on 5,390 tills at Currys PC World and […]… Read More

The post DSG Retail Limited Fined £500K by ICO Following Malware Attack appeared first on The State of Security.

This Week in Security News: INTERPOL Collaboration Reduces Cryptojacking by 78% and Three Malicious Apps Found on Google Play May be Linked to SideWinder APT Group

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about how Trend Micro’s collaboration with INTERPOL’s Global Complex for Innovation helped reduce cryptojacking by 78% in Southeast Asia. Also, read about three malicious apps in the Google Play Store that may be linked to the SideWinder threat group.

Read on:

First Active Attack Exploiting CVE-2019-2215 Found on Google Play, Linked to SideWinder APT Group

Trend Micro found three malicious apps in the Google Play Store that work together to compromise a device and collect user information. The three malicious apps — disguised as photography and file manager tools — are likely to be connected to SideWinder, a known threat group that has reportedly targeted military entities’ Windows machines.

Operation Goldfish Alpha Reduces Cryptojacking Across Southeast Asia by 78%

Interpol announced the results of Operation Goldfish Alpha, a six-month effort to secure hacked routers across the Southeast Asia region. The international law enforcement agency said its efforts resulted in a drop of cryptojacking operations across Southeast Asia by 78%, compared to levels recorded in June 2019. Private sector partners included the Cyber Defense Institute and Trend Micro.

Celebrating Decades of Success with Microsoft at the Security 20/20 Awards

Trend Micro, having worked closely with Microsoft for decades, is honored to be nominated for the Microsoft Security 20/20 Partner awards in the Customer Impact and Industry Changemaker categories. Check out this blog for more information on the inaugural awards and Trend Micro’s recognitions.

Security Predictions for 2020 According to Trend Micro

Threat actors are shifting and adapting in their choice of attack vectors and tactics — prompting the need for businesses and users to stay ahead of the curve. Trend Micro has identified four key themes that will define 2020: a future that is set to be Complex, Exposed, Misconfigured and Defensible. Check out Digital Journal’s Q&A with Greg Young, vice president of cybersecurity at Trend Micro, to learn more about security expectations for this year.

The Everyday Cyber Threat Landscape: Trends from 2019 to 2020

In addition to security predictions for the new year, Trend Micro has listed some of the biggest threats from 2019 as well as some trends to keep an eye on as we begin 2020 in this blog. Many of the most dangerous attacks will look a lot like the ones Trend Micro warned about in 2019.

5 Key Security Lessons from the Cloud Hopper Mega Hack

In December 2019, the U.S. government issued indictments against two Chinese hackers who were allegedly involved in a multi-year effort to penetrate the systems of companies managing data and applications for customers via the computing cloud. The men, who remain at large, are thought to be part of a Chinese hacking collective known as APT10.

The Summit of Cybersecurity Sits Among the Clouds

Shifts in threats in the security landscape have led Trend Micro to develop Trend Micro Apex One™, a newly redesigned endpoint protection solution. Trend Micro Apex One™ brings enhanced fileless attack detection and advanced behavioral analysis and combines Trend Micro’s powerful endpoint threat detection capabilities with endpoint detection and response (EDR) investigative capabilities.

New Iranian Data Wiper Malware Hits Bapco, Bahrain’s National Oil Company

Iranian state-sponsored hackers have deployed a new strain of data-wiping malware on the network of Bapco, Bahrain’s national oil company. The incident took place on December 29th and didn’t have the long-lasting effect hackers might have wanted, as only a portion of Bapco’s computer fleet was impacted and the company continued to operate after the malware’s detonation.

Ransomware Recap: Clop, DeathRansom, and Maze Ransomware

As the new year rolls in, new developments in different ransomware strains have emerged. For example, Clop ransomware has evolved to integrate a process killer that targets Windows 10 apps and various applications; DeathRansom can now encrypt files; and the Federal Bureau of Investigation (FBI) has alerted that Maze ransomware has been targeting U.S. companies, stealing and encrypting their data.

4 Ring Employees Fired for Spying on Customers

Smart doorbell company Ring said that it has fired four employees over the past four years for inappropriately accessing customer video footage. The disclosure comes in a recent letter to senators from Amazon-owned Ring as it attempts to defend the privacy of its platform, which has been plagued by data privacy incidents over the past year.

Web Skimming Attack on Blue Bear Affects School Admin Software Users

A web skimming attack was recently used to target Blue Bear, a school administration software that handles school accounting, student fees, and online stores for educational institutions. Names, credit card or debit card numbers, expiration dates and security codes, and Blue Bear account usernames and passwords may have been collected.

Patched Microsoft Access ‘MDB Leaker’ (CVE-2019-1463) Exposes Sensitive Data in Database Files

Researchers uncovered an information disclosure vulnerability (CVE-2019-1463) affecting Microsoft Access, which occurs when the software fails to properly handle objects in memory. The vulnerability, dubbed “MDB Leaker” by Mimecast Research Labs, resembles a patched information disclosure bug in Microsoft Office (CVE-2019-0560) found in January 2019.

Cryptocurrency Miner Uses Hacking Tool Haiduc and App Hider Xhide to Brute Force Machines and Servers

A Trend Micro honeypot detected a cryptocurrency-mining threat on a compromised site, where the URL hxxps://upajmeter[.]com/assets/.style/min was used to host the command for downloading the main shell script. The miner, a multi-component threat, propagates by scanning vulnerable machines and brute-forcing (primarily default) credentials.

What are your thoughts on the rise of cryptomining malware and cryptojacking tactics? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.


Cyber News Rundown: Snake Ransomware


Snake Ransomware Slithers Through Networks

A new ransomware variant, dubbed “Snake,” has been found using more sophisticated obfuscation while targeting entire networks, rather than only one machine. In addition, Snake appends five random characters to the extension of each encrypted file, after the original file type. Finally, the infection also modifies a specific file marker and replaces it with “EKANS,” or SNAKE spelled backwards. A free decryptor hasn’t been released yet, and the malware authors have specified that encryption will be for entire networks only.

Minnesota Hospital Data Breach

Sensitive information belonging to nearly 50,000 patients of a Minnesota hospital has been illicitly accessed after multiple employee email addresses were compromised. While in most cases the information accessed was medical data and basic contact info, some patients may have also had their Social Security and driver’s license numbers compromised. Alomere Health has already contacted affected patients and begun providing credit and identity monitoring services.

Cyberattack Finally Cracks Las Vegas Security

For a city that is the target of roughly 280,000 cyber attacks every month, one attack was finally able to make it through Las Vegas security protocols. The attack appears to have stemmed from a malicious email but was quickly quarantined by city IT officials before it could do any critical damage. Earlier in 2019, Las Vegas officials proposed a measure to refuse payments to any cybersecurity threat actors.

Travelex Falls Victim to Sodinokibi Ransomware

On the first day of 2020, foreign travel service provider Travelex experienced a ransomware attack that used unsecured VPNs to infiltrate their systems. To make matters worse, a demand of $6 million has been placed on the company for the return of their data, or else the ransom will be doubled. Since this attack, a scoreboard has been created to track the six additional victims of the Sodinokibi/REvil ransomware campaign.

ATM Skimmer Arrested in New York

At least one individual has been arrested in connection to an ATM skimming ring that has taken over $400,000 from banks in New York and surrounding states. From 2014 to 2016, this group installed card skimmers in an unidentified number of ATMs in order to steal card credentials and build up fraudulent charges. Eleven other people are connected with this incident and will also likely be charged.

The post Cyber News Rundown: Snake Ransomware appeared first on Webroot Blog.

Skype audio graded by workers in China with ‘no security measures’

Exclusive: former Microsoft contractor says he was emailed login after minimal vetting

A Microsoft programme to transcribe and vet audio from Skype and Cortana, its voice assistant, ran for years with “no security measures”, according to a former contractor who says he reviewed thousands of potentially sensitive recordings on his personal laptop from his home in Beijing over the two years he worked for the company.

The recordings, both deliberate and accidentally invoked activations of the voice assistant, as well as some Skype phone calls, were simply accessed by Microsoft workers through a web app running in Google’s Chrome browser, on their personal laptops, over the Chinese internet, according to the contractor.


Weekly Update 173


I really should have started the video about 3 minutes earlier. Had I done that, you'd have caught me toppling backwards into the frangipani tree whilst trying to position my chair and camera which frankly, would have made for entertaining viewing. Instead, this week's update is focused primarily on a completely different epic fail, namely Surebet247's handling of a breach impacting their customers. I chose those words carefully as it now seems almost certain the breach was actually of BtoBet and I've linked to the story on that below. Regardless, have a listen to how the Nigerian gambling service handled the incident, holy shit...



  1. NDC is coming to Melbourne! (also check out the CFP if you're interested in delivering a talk)
  2. Do you have less, the same or more passwords now than 10 years ago? (also check out the second poll in the thread about what it'll be like in 10 years from now)
  3. Surebet247 set a new bar for bad breach handling (their behaviour on this is rather stunning)
  4. It looks like the source of the breach is almost certainly BtoBet (who also seems to be doing their damnedest not to just own up to it)
  5. Sponsored by Varonis. Check out their free video course: 7 Hidden Office 365 Security Settings You Can Only Unlock with PowerShell

Hackers check Citrix servers for weakness in remote code execution

At least eighty thousand organisations could be at risk.

Attackers are scanning for Citrix servers exposed to a critical security vulnerability in Citrix ADC and Gateway, researchers have warned.

Disclosed in December, the vulnerability, tracked as CVE-2019-19781, affects the Citrix Application Delivery Controller (ADC), previously known as NetScaler ADC, and the Citrix Gateway, formerly known as NetScaler Gateway. The critical flaw, originally reported by Positive Technologies' Mikhail Klyuchnikov, is a directory traversal that allows threat actors to achieve remote code execution (RCE) if exploited.

These products are affected according to a Citrix security advisory:

  • Citrix ADC and Citrix Gateway version 13.0, all supported builds
  • Citrix ADC and NetScaler Gateway version 12.1, all supported builds
  • Citrix ADC and NetScaler Gateway version 12.0, all supported builds
  • Citrix ADC and NetScaler Gateway version 11.1, all supported builds
  • Citrix NetScaler ADC and NetScaler Gateway version 10.5, all supported builds

Researchers estimated that at least 80,000 organizations in 158 countries use ADC and could therefore be at risk. The affected organizations are mainly based in the US (about 38%), followed by the United Kingdom, Germany, the Netherlands and Australia.

“Depending on specific configuration, Citrix applications can be used for connecting to workstations and critical business systems (including ERP),” Positive Technologies says. “In almost every case, Citrix applications are accessible on the company network perimeter, and are therefore the first to be attacked. This vulnerability allows any unauthorized attacker to not only access published applications, but also attack other resources of the company’s internal network from the Citrix server.”

Cybersecurity researchers have detected scanning for Citrix servers potentially vulnerable to the bug, as reported by Bleeping Computer.

Researcher Kevin Beaumont said on Twitter that one of his honeypots had caught

“attackers reading sensitive credential config files remotely using ../ directory traversal (a variant of this issue).”

No public exploit code appears to be in wide use, at least not yet. In his own honeypot checks, SANS Technology Institute Dean of Research Johannes Ullrich noted that the current scans do not appear particularly “developed”, some being nothing more than GET requests, but added that “other sources I believe to be credible have shown that they can produce a code execution exploit.” A patch has not yet been released, but Citrix has published a mitigation. The company advises that IT administrators follow a set of instructions, which can be found here, to configure the appliance's responder policies.

“Citrix strongly urges affected customers to immediately apply the provided mitigation. Customers should then upgrade all of their vulnerable appliances to a fixed version of the appliance firmware when released,” Citrix says.
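The scanning described above shows up in an appliance's web access logs as requests whose path contains a `../` traversal sequence, sometimes percent-encoded to slip past naive string matching. The following detector is an added example written for this page, not code from Citrix, Bleeping Computer or any of the researchers quoted: it parses constructed Common Log Format lines, decodes the request path repeatedly so that single- and double-encoded traversal is caught, and reports which source IPs attempted traversal and whether the server answered with a 2xx status (a sign the read may have succeeded). The log lines and paths are hypothetical samples.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample access-log lines in Common Log Format (hypothetical; not from the
# article, from Citrix, or from any real appliance). The traversal paths are illustrative.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2020:10:01:02 +0000] "GET /portal/index.html HTTP/1.1" 200 512
203.0.113.9 - - [10/Jan/2020:10:01:07 +0000] "GET /portal/../../conf/app.conf HTTP/1.1" 200 301
198.51.100.7 - - [10/Jan/2020:10:02:11 +0000] "GET /portal/%2e%2e/%2e%2e/conf/app.conf HTTP/1.1" 403 0
198.51.100.7 - - [10/Jan/2020:10:02:13 +0000] "GET /portal/%252e%252e/conf/app.conf HTTP/1.1" 404 0
203.0.113.5 - - [10/Jan/2020:10:03:00 +0000] "GET /portal/images/logo..png HTTP/1.1" 200 2048
203.0.113.5 - - [10/Jan/2020:10:03:30 +0000] "POST /portal/login HTTP/1.1" 302 0
"""

# Common Log Format: client, identd, user, [timestamp], "METHOD path PROTO", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# A ".." path segment on its own (not "logo..png"), delimited by "/" or the path ends.
TRAVERSAL_RE = re.compile(r'(?:^|/)\.\.(?:/|$)')


def normalize_path(path: str, rounds: int = 3) -> str:
    """Percent-decode up to `rounds` times (catches double encoding) and fold backslashes to '/'."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace('\\', '/')


def is_traversal(path: str) -> bool:
    """True if the request path contains a directory-traversal segment after normalisation."""
    path_only = path.split('?', 1)[0]  # ignore the query string
    return bool(TRAVERSAL_RE.search(normalize_path(path_only)))


def find_traversal_attempts(log_text: str) -> List[dict]:
    """Return one record per log line whose request path contains traversal."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        if is_traversal(m['path']):
            hits.append({'ip': m['ip'], 'path': m['path'], 'status': int(m['status'])})
    return hits


def summarize(hits: List[dict]) -> Dict[str, dict]:
    """Per source IP: number of traversal attempts and how many drew a 2xx response."""
    by_ip: Dict[str, dict] = {}
    for h in hits:
        entry = by_ip.setdefault(h['ip'], {'attempts': 0, 'succeeded': 0})
        entry['attempts'] += 1
        if 200 <= h['status'] < 300:
            entry['succeeded'] += 1
    return by_ip


if __name__ == '__main__':
    found = find_traversal_attempts(SAMPLE_LOG)
    for h in found:
        print(f"{h['ip']:<14} {h['status']} {h['path']}")
    print(summarize(found))
```

Running the block over the constructed log reports three traversal attempts from two addresses; the one that received a 200 is the case worth escalating, since a 403 or 404 suggests the mitigation (or the absence of the targeted file) stopped the read. The same normalisation logic is what a blocking rule on the perimeter needs: matching the literal string `../` alone misses the encoded variants in lines three and four.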

In March of last year, Citrix disclosed a security breach in which attackers used password spraying to take advantage of weak account credentials.

The post Hackers check Citrix servers for weakness in remote code execution appeared first on .

How credential stuffing attacks use weak passwords to compromise accounts?

In November 2019, over 2000 users of NordVPN, a service offering Virtual Private Networks (VPNs), saw their accounts compromised. It was an example of credential stuffing, a type of cyberattack that takes advantage of human frailty regarding passwords to take over accounts.

Credential stuffing may seem similar to data breaches and brute force attacks but there are various points of difference. In the case of a data breach, much of the data that is stolen from an organization comprises user names and passwords. The people who steal this data often sell it on the dark web for inordinate amounts of money.

The weakest link is weak passwords

Attackers obtain these credentials from different sources and take advantage of the fact that most individuals do not vary their user names or passwords across websites. In fact, most people use the same credentials on almost every website.

Hackers use automated credential stuffing software to try these credentials against websites at scale. The rate of success is extremely low (0.1-0.2%), but when an attacker has access to more than a billion credentials, even such a low rate of success can yield successful matches for 1,000 accounts.

The rest is easy, and scary, to guess – once inside these accounts, attackers can use them as they please. They can make unauthorized transactions, send malware to other accounts and generally create havoc. Credential stuffing attacks are becoming more and more prevalent – big names like Nest, Uber, Superdrug and even Dunkin’ Donuts have recently had to deal with credential stuffing attacks.

The importance of maintaining strong credentials

Preventing credential stuffing attacks is only possible by following an age-old cybersecurity strategy: strong passwords. Enterprises at risk of credential stuffing attacks need to keep on reiterating the importance of maintaining strong passwords along with other good cybersecurity habits to all their employees and partners across the supply chain.

Some of the key messages that need to be reinforced are:

Don’t use the same credentials across different websites

Employees don’t like remembering passwords, so they create one strong password and use it everywhere. It’s a big no-no and, as credential stuffing attacks demonstrate, if attackers can gain access to a password through one site, it’s quite probable that they’ll be able to gain access to all the other services you use (including those holding financial information).

Enforce and popularize multi-factor authentication

Multi-factor authentication is the best defence against credential stuffing attacks. With an additional layer of security being provided and users required to put in a mandatory validation every time, it helps reduce the dependency on passwords. While it may be difficult for enterprises to implement an organization-wide multi-factor authentication policy, it should be used in as many places as possible.

Train employees to use strong, complex passwords

Security is a habit, rather than a process. Enterprises need to ensure they have a cybersecurity first mindset and the way to cultivate that is by continuously training and reminding employees about the importance of creating strong, dynamic passwords. This should be done at an onboarding stage and continuously in the employee lifecycle.

Blacklist suspicious IPs

Security teams should continuously analyse their data to identify where threats to their enterprise originate. It’s good practice to blacklist any suspicious IPs that keep cropping up regularly, to lessen the chances of a successful cyberattack.
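The low success rate described earlier is what makes credential stuffing visible in authentication logs: one source address tries many different user names with a very high failure ratio, which looks nothing like a legitimate user mistyping their own password. The following analyser is an added example written for this page, not Seqrite's code or any product feature: it reads constructed authentication log lines in a hypothetical `ip=… user=… result=…` format, scores each source IP on the number of distinct accounts attempted and its failure ratio, lists the IPs that warrant blocking, and lists the accounts that did succeed from those IPs so they can be forced through a password reset or an MFA challenge. The thresholds and sample lines are assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample authentication log (hypothetical format; not from the article or any
# real product). 198.51.100.23 tries eight different accounts; 203.0.113.8 is one user retrying.
SAMPLE_AUTH_LOG = """\
2020-01-10T09:00:01Z ip=198.51.100.23 user=alice result=FAIL
2020-01-10T09:00:01Z ip=198.51.100.23 user=bob result=FAIL
2020-01-10T09:00:02Z ip=198.51.100.23 user=carol result=FAIL
2020-01-10T09:00:02Z ip=198.51.100.23 user=dave result=SUCCESS
2020-01-10T09:00:03Z ip=198.51.100.23 user=erin result=FAIL
2020-01-10T09:00:03Z ip=198.51.100.23 user=frank result=FAIL
2020-01-10T09:00:04Z ip=198.51.100.23 user=grace result=FAIL
2020-01-10T09:00:04Z ip=198.51.100.23 user=heidi result=FAIL
2020-01-10T09:00:05Z ip=203.0.113.8 user=alice result=FAIL
2020-01-10T09:00:09Z ip=203.0.113.8 user=alice result=FAIL
2020-01-10T09:00:15Z ip=203.0.113.8 user=alice result=SUCCESS
2020-01-10T09:01:00Z ip=192.0.2.44 user=ivan result=SUCCESS
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$'
)


def analyze(log_text: str, min_distinct_users: int = 5,
            min_fail_ratio: float = 0.8) -> Dict[str, dict]:
    """Per source IP: attempts, distinct accounts, failure ratio, successful accounts, flag.

    An IP is flagged as likely credential stuffing when it has tried at least
    `min_distinct_users` different accounts and at least `min_fail_ratio` of its
    attempts failed (thresholds are assumptions; tune them per environment).
    """
    stats = defaultdict(lambda: {'attempts': 0, 'failures': 0,
                                 'users': set(), 'successes': set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the expected format
        s = stats[m['ip']]
        s['attempts'] += 1
        s['users'].add(m['user'])
        if m['result'] == 'FAIL':
            s['failures'] += 1
        else:
            s['successes'].add(m['user'])

    report: Dict[str, dict] = {}
    for ip, s in stats.items():
        fail_ratio = s['failures'] / s['attempts']
        flagged = (len(s['users']) >= min_distinct_users
                   and fail_ratio >= min_fail_ratio)
        report[ip] = {
            'attempts': s['attempts'],
            'distinct_users': len(s['users']),
            'fail_ratio': round(fail_ratio, 3),
            'successes': sorted(s['successes']),
            'flagged': flagged,
        }
    return report


def suspicious_ips(log_text: str) -> List[str]:
    """IPs that should go on the blocklist (or be rate-limited) based on the report."""
    return sorted(ip for ip, r in analyze(log_text).items() if r['flagged'])


def accounts_to_reset(log_text: str) -> List[str]:
    """Accounts that were successfully logged into from a flagged IP: treat as compromised."""
    return sorted(u for ip, r in analyze(log_text).items()
                  if r['flagged'] for u in r['successes'])


if __name__ == '__main__':
    for ip, r in analyze(SAMPLE_AUTH_LOG).items():
        print(ip, r)
    print('block:', suspicious_ips(SAMPLE_AUTH_LOG))
    print('reset:', accounts_to_reset(SAMPLE_AUTH_LOG))
```

On the constructed log the analyser flags only 198.51.100.23 (eight accounts, 87.5% failure) and reports `dave` as the account to reset; the single user retrying their own password from 203.0.113.8 is left alone, which is the distinction a plain "N failures per IP" rule misses. In production the counts would be kept per sliding time window, and distributed attacks that spread attempts across many addresses call for the same statistics keyed on the target account rather than the source IP.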

Seqrite Endpoint Security helps enterprises prevent credential stuffing and other dangerous cyberattacks through its top-of-the-line protection solutions, integrating advanced technologies like Anti Ransomware, Advanced DNA Scan and Behavioral Detection System.

The post How credential stuffing attacks use weak passwords to compromise accounts? appeared first on Seqrite Blog.