Category Archives: a little sunshine

Report: No ‘Eternal Blue’ Exploit Found in Baltimore City Ransomware

For almost the past month, key computer systems serving the government of Baltimore, Md. have been held hostage by a ransomware strain known as “Robbinhood.” Media publications have cited sources saying the Robbinhood version that hit Baltimore city computers was powered by “Eternal Blue,” a hacking tool developed by the U.S. National Security Agency (NSA) and leaked online in 2017. But new analysis suggests that while Eternal Blue could have been used to spread the infection, the Robbinhood malware itself contains no traces of it.

On May 25, The New York Times cited unnamed security experts briefed on the attack who blamed the ransomware’s spread on the Eternal Blue exploit, which was linked to the global WannaCry ransomware outbreak in May 2017.

That story prompted a denial from the NSA that Eternal Blue was somehow used in the Baltimore attack. It also moved Baltimore City Council President Brandon Scott to write the Maryland governor asking for federal disaster assistance and reimbursement as a result.

But according to Joe Stewart, a seasoned malware analyst now consulting with security firm Armor, the malicious software used in the Baltimore attack does not contain any Eternal Blue exploit code. Stewart said he obtained a sample of the malware that he was able to confirm was connected to the Baltimore incident.

“We took a look at it and found a pretty vanilla ransomware binary,” Stewart said. “It doesn’t even have any means of spreading across networks on its own.”

Stewart said while it’s still possible that the Eternal Blue exploit was somehow used to propagate the Robbinhood ransomware, it’s not terribly likely. Stewart said in a typical breach that leads to a ransomware outbreak, the intruders will attempt to leverage a single infection and use it as a jumping-off point to compromise critical systems on the breached network that would allow the malware to be installed on a large number of systems simultaneously.

“It certainly wouldn’t be the go-to exploit if your objective was to identify critical systems and then only when you’re ready launch the attack so you can do it all at once,” Stewart said. “At this point, Eternal Blue is probably going to be detected by internal [security systems] systems, or the target might already be patched for it.”

It is not known who is behind the Baltimore ransomware attack, but Armor said it was confident that the bad actor(s) in this case were the same individual(s) using the now-suspended twitter account @Robihkjn (Robbinhood). Until it was suspended at around 3:00 p.m. ET today (June 3), the @Robihkjn account had been taunting the mayor of Baltimore and city council members, who have refused to pay the ransom demand of 13 bitcoin — approximately $100,000.

In several of those tweets, the Twitter account could be seen posting links to documents allegedly stolen from Baltimore city government systems, ostensibly to both prove that those behind the Twitter account were responsible for the attack, and possibly to suggest what may happen to more of those documents if the city refuses to pay up by the payment deadline set by the extortionists — currently June 7, 2019 (the attackers postponed that deadline once already).

Some of @robihkjn’s tweets taunting Baltimore city leaders over non-payment of the $100,000 ransomware demand. The tweets included links to images of documents allegedly stolen by the intruders.

Over the past few days, however, the tweets from @Robinhkjn have grown more frequent and profanity-laced, directed at Baltimore’s leaders. The account also began tagging dozens of reporters and news organizations on Twitter.

Stewart said the @Robinhkjn Twitter account may be part of an ongoing campaign by the attackers to promote their own Robbinhood ransomware-as-a-service offering. According to Armor’s analysis, Robbinhood comes with multiple HTML templates that can be used to substitute different variables of the ransom demand, such as the ransom amount and the .onion address that victims can use to negotiate with the extortionists or pay a ransom demand.

“We’ve come to the conclusion Robbinhood was set up to be a multi-tenant ransomware-as-a-service offering,” Stewart said. “And we’re wondering if maybe this is all an effort to raise the name recognition of the malware so the authors can then go on the Dark Web and advertise it.”

This redacted message is present on the Dark Web panel set up by the extortionists to accept payment for the Baltimore ransomware incident and to field inquiries or pleas from them. The message repeats the last tweet from the @robihkjn Twitter account and conclusively ties that account to the attackers. Image: Armor.

There was one other potential — albeit likely intentional — clue that Stewart said he found in his analysis of the malware: Its code included the text string “Valery.” While this detail by itself is not particularly interesting, Stewart said an earlier version of the GandCrab ransomware strain would place a photo of a Russian man named Valery Sinyaev in every existing folder where it would encrypt files. PCRisk.com, the company that blogged about this connection to the GandCrab variant, asserts Mr. Sinyaev is a respectable finance professional who has nothing to do with GandCrab.

Finally, since we’re on the subject of major ransomware attacks and scary exploits, it’s a good time to remind readers about the importance of applying the latest security updates from Microsoft, which took the unusual step of releasing security updates for unsupported but still widely-used Windows operating systems like XP and Windows 2003. Microsoft did this to head off another WannaCry-like outbreak from mass-exploitation of a newly discovered flaw that Redmond called imminently “wormable.”

That vulnerability exists in Windows XP, Windows 2003, Windows 7, Windows Server 2008 R2, and Windows Server 2008. In a reminder about the urgency of patching this bug, Microsoft on May 30 published a post saying while it hasn’t seen any widespread exploitation of the flaw yet, it took about two months after Microsoft released a fix for the Eternal Blue exploit in March 2017 for WannaCry to surface.

“Almost two months passed between the release of fixes for the EternalBlue vulnerability and when ransomware attacks began,” Microsoft warned. “Despite having nearly 60 days to patch their systems, many customers had not. A significant number of these customers were infected by the ransomware.”

NY Investigates Exposure of 885 Million Mortgage Documents

New York regulators are investigating a weakness that exposed 885 million mortgage records at First American Financial Corp. [NYSE:FAF] as the first test of the state’s strict new cybersecurity regulation. That measure, which went into effect in March 2019 and is considered among the toughest in the nation, requires financial companies to regularly audit and report on how they protect sensitive data, and provides for fines in cases where violations were reckless or willful.

On May 24, KrebsOnSecurity broke the news that First American had just fixed a weakness in its Web site that exposed approximately 885 million documents — many of them with Social Security and bank account numbers — going back at least 16 years. No authentication was needed to access the digitized records.

On May 29, The New York Times reported that the inquiry by New York’s Department of Financial Services is likely to be followed by other investigations from regulators and law enforcement.

First American says it has hired a third-party security firm to investigate, and that it shut down external access to the records.

The Times says few people outside the real estate industry are familiar with First American, but millions have entrusted their data to the company when they go to close the deal on buying or selling a new home.

“First American provides title insurance and settlement services for property sales, which typically require buyers to hand over extensive financial records to other parties in their transactions,” wrote Stacy Cowley. “The company is one of the largest insurers in the United States, handling around one in every four transactions, according to the American Land Title Association.”

News also emerged this week that First American is now the target of a class action lawsuit alleging the Fortune 500 mortgage industry giant “failed to implement even rudimentary security measures.”

Canada Uses Civil Anti-Spam Law in Bid to Fine Malware Purveyors

Canadian government regulators are using the country’s powerful new anti-spam law to pursue hefty fines of up to a million dollars against Canadian citizens suspected of helping to spread malicious software.

In March 2019, the Canadian Radio-television and Telecommunications Commission (CRTC) — Canada’s equivalent of the U.S. Federal Communications Commission (FCC), executed a search warrant in tandem with the Royal Canadian Mounted Police (RCMP) at the home of a Toronto software developer behind the Orcus RAT, a product that’s been marketed on underground forums and used in countless malware attacks since its creation in 2015.

The CRTC was flexing relatively new administrative muscles gained from the passage of Canada’s Anti-Spam Legislation (CASL), which covers far more than just junk email. Section 7 of CASL deals with the alteration of transmission data, including botnet activity. Section 8 involves the surreptitious installation of computer programs on computers or networks including malware and spyware.

And Section 9 prohibits an individual or organization from aiding, inducing, procuring or causing to be procured the doing of any of the above acts.

CRTC Director Neil Barratt said this allows his agency to target intermediaries who, through their actions or through inaction, facilitate the commission of CASL violations. Businesses found to be in violation of CASL can be fined up to $10 million; individuals can face up to a $1 million fine.

“We’re dealing with a lower burden of proof than a criminal conviction, and CASL gives us a little more leeway to get bad actors off our networks in Canada and to ultimately improve security for people here and hopefully elsewhere,” Barratt said in an interview with KrebsOnSecurity.

“CASL defines spam as commercial electronic messages without consent or the installation of software without consent or the intercepting of electronic messages,” Barratt said. “The installation of software is under Section 8, and this is one of the first major investigations under that statute.”

Barratt added that the CRTC also was counting on CASL to help tidy up the reputation of the Canadian Web hosting industry.

“We’ve been trying to make sure that service providers operating in Canada — whether or not they are Canadian — are not unduly contributing to the infection of machines and hosting malware,” Barratt said. “We have great power in CASL and Section 9 makes it a violation to aid in the doing of a violation. And this extends quite broadly, across email service providers and various intermediaries.”

The enforcement division of the CRTC recently took action against two companies — Datablocks Inc. and Sunlight Media Network Inc — for having violated CASL section 9 by disseminating online ads that caused malicious computer programs to be downloaded onto the computers of unsuspecting victims.

Under CASL, and for the purposes of verifying compliance or determining whether any of sections 6 to 9 were violated, the CRTC may compel individuals and organizations to provide any information in their possession or control, and ask a justice of the peace to issue a warrant authorizing entry into a place of residence.

It’s good to see a civil anti-spam law being used to go after people involved in selling malware couched as legitimate software, as seems to be the case with the Orcus RAT investigation. A relatively competent remote access trojan author can earn a tidy income selling their wares, but CASL may give Canadians interested in this line of a work a reason to reconsider if the end result is a million dollar fine.

More to the point, Canada (anecdotally at least) seems to have far more than its fair share of computer criminals, and yet unfortunately far less appetite than many other western countries for prosecuting those individuals criminally. In this regard, CASL offers a welcome alternative.

“One of the key takeaways of CASL was that it wasn’t just about emails that were annoying people, but also the use of email as a vector to mislead or defraud people and cause harm to computers and computer networks,” Barratt said. “Our parliamentarians decided to ensure the legislature covered a broad ambit. The search warrant executed in this case was a great example of criminal and civil law enforcement working together by using our unique tools and powers under the act to achieve the greatest good we could.”

Should Failing Phish Tests Be a Fireable Offense?

Would your average Internet user would be any more vigilant against phishing scams if he or she faced the real possibility of losing their job after falling for one too many of these emails? Recently, I met someone at a conference who said his employer had in fact terminated employees for such repeated infractions. As this was the first time I’d ever heard of an organization actually doing this, I asked some phishing experts what they thought (spoiler alert: they’re not fans of this particular teaching approach).

John LaCour is founder and chief technology officer of PhishLabs, a Charleston, S.C. based firm that helps companies educate and test employees on how not to fall for phishing scams. The company’s training courses offer customers a way to track how many employees open the phishing email tests and how many fall for the lure.

LaCour says enacting punitive measures for employees who repeatedly fall for phishing tests is counterproductive.

“We’ve heard from some of our clients in the financial industry that have similar programs where there are real consequences when people fail the tests, but it’s pretty rare across all types of businesses to have a policy that extreme,” LaCour said.

“There are a lot of things that organizations can do that aren’t as draconian and still have the desired effect of making security posture stronger,” he said. “We’ve seen companies require classroom training on the first failure, to a manager has to sit through it with you on the second time, to revoking network access in some cases.”

LaCour said one of the most common mistakes he sees is companies that purchase a tool to launch simulated phishing campaigns just to play “gotcha” with employees.

“It really demotivates people, and it doesn’t really teach them anything about how to be more diligent about phishing attacks,” he said. “Each phishing simulation program needs to be accompanied by a robust training program, where you teach employees what to do when they see something phishy. Otherwise, it just creates resentment among employees.”

Rohyt Belani, CEO of Leesburg, Va.-based security firm Cofense (formerly PhishMe), said anti-phishing education campaigns that employ strongly negative consequences for employees who repeatedly fall for phishing tests usually create tension and distrust between employees and the company’s security team.

“It can create an environment of animosity for the security team because they suddenly become viewed as working for Human Resources instead of trying to improve security,” Belani said. “Threatening people usually backfires, and they end up becoming more defiant and uncooperative.”

Cofense provides a phish reporting system and encourages customers to have their employees flag suspected phishing attacks (and tests), and Belani said those employee reports can often stymie real phishing attacks.

“So what happens a lot of times is a person may click on link in a real phishing email, and three seconds later realize, ‘Oops, I shouldn’t have clicked, let me report it anyway’,” Belani said. “But if that person knew there was a punitive angle to doing so, they’re more likely not to report it and to say, ‘You know what, I didn’t do it. Where’s the proof I clicked on the link?'”

LaCour says PhishLabs encourages clients to use positive reinforcement in their employee training campaigns.

“Recognition — where employees and departments that do especially well are acknowledged — is very common,” LaCour said. “We also see things like small gifts or other things that companies would typically use to reward employees, such as gift cards or small bonuses for specific departments or people.”

LaCour said his offices make a game out of it.

“We make it competitive where we post the scores of each department and the lowest scoring department has to buy lunch for the rest of the department,” he said. “It teaches people there are real consequences and that we all need to be diligent when it comes to phishing.”

What about you, dear readers? Does your employer do phishing awareness training and testing? What incentives or disincentives are tied to those programs? Sound off in the comments below.

Account Hijacking Forum OGusers Hacked

Ogusers[.]com — a forum popular among people involved in hijacking online accounts and conducting SIM swapping attacks to seize control over victims’ phone numbers — has itself been hacked, exposing the email addresses, hashed passwords, IP addresses and private messages for nearly 113,000 forum users.

On May 12, the administrator of OGusers explained an outage to forum members by saying a hard drive failure had erased several months’ worth of private messages, forum posts and prestige points, and that he’d restored a backup from January 2019. Little did the administrators of OGusers know at the time, but that May 12 incident coincided with the theft of the forum’s user database, and the wiping of forum hard drives.

On May 16, the administrator of rival hacking community RaidForums announced he’d uploaded the OGusers database for anyone to download for free.

The administrator of the hacking community Raidforums on May 16 posted the database of passwords, email addresses, IP addresses and private messages of more than 113,000 users of Ogusers[.]com.

“On the 12th of May 2019 the forum ogusers.com was breached [and] 112,988 users were affected,” the message from RaidForums administrator Omnipotent reads. “I have uploaded the data from this database breach along with their website source files. Their hashing algorithm was the default salted MD5 which surprised me, anyway the website owner has acknowledged data corruption but not a breach so I guess I’m the first to tell you the truth. According to his statement he didn’t have any recent backups so I guess I will provide one on this thread lmfao.”

The database, a copy of which was obtained by KrebsOnSecurity, appears to hold the usernames, email addresses, hashed passwords, private messages and IP address at the time of registration for approximately 113,000 users (although many of these nicknames are likely the same people using different aliases).

The publication of the OGuser database has caused much consternation and drama for many in the community, which has become infamous for attracting people involved in hijacking phone numbers as a method of taking over the victim’s social media, email and financial accounts, and then reselling that access for hundreds or thousands of dollars to others on the forum.

Several threads on OGusers quickly were filled with responses from anxious users concerned about being exposed by the breach. Some complained they were already receiving phishing emails targeting their OGusers accounts and email addresses. 

Meanwhile, the official Discord chat channel for OGusers has been flooded with complaints and expressions of disbelief at the hack. Members vented their anger at the main forum administrator, who uses the nickname “Ace,” claiming he altered the forum functionality after the hack to prevent users from removing their accounts. One user on the Discord chat summed it up:

“Ace be like:

-not replace broken hard drives, causing the site to time warp back four months
– not secure website, causing user info to be leaked
– disable selfban so people can’t leave”

It’s difficult not to admit feeling a bit of schadenfreude in response to this event. It’s gratifying to see such a comeuppance for a community that has largely specialized in hacking others. Also, federal and state law enforcement investigators going after SIM swappers are likely to have a field day with this database, and my guess is this leak will fuel even more arrests and charges for those involved.

Credit Union Sues Fintech Giant Fiserv Over Security Claims

A Pennsylvania credit union is suing financial industry technology giant Fiserv, alleging that “baffling” security vulnerabilities in the company’s software are “wreaking havoc” on its customers. The credit union said the investigation that fueled the lawsuit was prompted by a 2018 KrebsOnSecurity report about glaring security weaknesses in a Fiserv platform that exposed personal and financial details of customers across hundreds of bank Web sites.

Brookfield, Wisc.-based Fiserv [NASDAQ:FISV] is a Fortune 500 company with 24,000 employees and $5.8 billion in earnings last year. Its account and transaction processing systems power the Web sites for hundreds of financial institutions — mostly small community banks and credit unions.

In August 2018, in response to inquiries by KrebsOnSecurity, Fiserv fixed a pervasive security and privacy hole in its online banking platform. The authentication weakness allowed bank customers to view account data for other customers, including account number, balance, phone numbers and email addresses.

In late April 2019, Fiserv was sued by Bessemer System Federal Credit Union, a comparatively tiny financial institution with just $38 million in assets. Bessemer said it was moved by that story to launch its own investigation into Fiserv’s systems, and it found a startlingly simple flaw: Firsev’s platform would let anyone reset the online banking password for a customer just by knowing their account number and the last four digits of their Social Security number.

Bessemer claims Fiserv’s systems let anyone reset a customer’s online banking password just by knowing their SSN and account number.

Recall that in my Aug 2018 report, Fiserv’s own systems were exposing online banking account numbers for its customers. Thus, an attacker would only need to know the last four digits of a target’s SSN to reset that customer’s password, according to Bessemer. And that information is for sale in multiple places online and in the cybercrime underground for a few bucks per person.

Bessemer further alleges Fiserv’s systems had no checks in place to prevent automated attacks that might let thieves rapidly guess the last four digits of the customer’s SSN — such as limiting the number of times a user can submit a login request, or imposing a waiting period after a certain number of failed login attempts.

The lawsuit says the fix Fiserv scrambled to put in place after Bessemer complained was “pitifully deficient and ineffective:”

“Fiserv attempted to fortify Bessemer’s online banking website by requiring users registering for an account to supply a member’s house number. This was ineffective because residential street addresses can be readily found on the internet and through other public sources. Moreover, this information can be guessed through a trial-and-error process. Most alarmingly, this security control was purely illusory. Because some servers were not enforcing this security check, it could be readily bypassed.”

Bessemer says instead of fixing these security problems and providing the requested assurances that information was being adequately safeguarded, Fiserv issued it a “notice of claims,” alleging the credit union’s security review of its own online banking system gave rise to civil and criminal claims.

The credit union says Fiserv demanded it not disclose information relating to the security review to any third parties, “including Fiserv’s other clients (who presumably were affected with the same security problems at their financial institutions) as well as media sources.”

Fiserv did not immediately respond to requests for comment. But Fiserv spokesperson Ann Cave was quoted in several publications saying, “We believe the allegations have no merit and will respond to the claims as part of the legal process.”

Charles Nerko, the attorney representing Bessemer in the lawsuit, said to protect the credit union’s members, the credit union is replacing its core processing vendor, although Nerko would not specify where the credit union might be taking its business.

According to FedFis.com, Fiserv is by far the top bank core processor, with more than 37 percent market share. And it’s poised to soon get much bigger.

In January 2019, Fiserv announced it was acquiring payment processing giant First Data in a $22 billion all-stock deal. The deal is expected to close in the second half of 2019, pending an antitrust review by the U.S. Justice Department.

That merger, should it go through, may not bode well for Fiserv’s customers, argues Paul Schaus of American Banker.

“Banks should take this trend as a warning sign,” Schaus wrote. “Rather than delivering new innovations that banks and their customers crave, legacy vendors are looking to remain relevant by acquiring existing products and services that expand their portfolios into new areas of financial services. As emerging technologies grow more critical to everyday business, these legacy vendors, which banks have deep longstanding relationships with, likely won’t be on the leading edge in every product or channel. Instead, financial institutions will need to seek out newer vendors that have deeper commitments and focus in cutting-edge technologies that will drive industry change.”

Data: E-Retail Hacks More Lucrative Than Ever

For many years and until quite recently, credit card data stolen from online merchants has been worth far less in the cybercrime underground than cards pilfered from hacked brick-and-mortar stores. But new data suggests that over the past year, the economics of supply-and-demand have helped to double the average price fetched by card-not-present data, meaning cybercrooks now have far more incentive than ever to target e-commerce stores.

Traditionally, the average price for card data nabbed from online retailers — referred to in the underground as “CVVs” — has ranged somewhere between $2 and $8 per account. CVVs are are almost exclusively purchased by criminals looking to make unauthorized purchases at online stores, a form of thievery known as “card not present” fraud.

In contrast, the value of “dumps” — hacker slang for card data swiped from compromised retail stores, hotels and restaurants with the help of malware installed on point-of-sale systems — has long hovered around $15-$20 per card. Dumps allow street thieves to create physical clones of debit and credit cards, which are then used to perpetrate so-called “card present” fraud at brick and mortar stores.

But according to Gemini Advisory, a New York-based company that works with financial institutions to monitor dozens of underground markets trafficking in both types of data, over the past year the demand for CVVs has far outstripped supply, bringing prices for both CVVs and dumps roughly in line with each other.

Median price of card not present (CNP) vs. card-present (CP) over the past year. Image: Gemini

Stas Alforov, director of research and development at Gemini, says his company is currently monitoring most underground stores that peddle stolen card data — including such heavy hitters as Joker’s Stash, Trump’s Dumps, and BriansDump.

Contrary to popular belief, when these shops sell a CVV or dump, that record is then removed from the inventory of items for sale, allowing companies that track such activity to determine roughly how many new cards are put up for sale and how many have sold. Underground markets that do otherwise quickly earn a reputation among criminals for selling unreliable card data and are soon forced out of business.

“We can see in pretty much real-time what’s being sold and which marketplaces are the most active or have the highest number of records and where the bad guys shop the most,” Alforov said. “The biggest trend we’ve seen recently is there appears to be a much greater demand than there is supply of card not present data being uploaded to these markets.”

Alforov said dumps are still way ahead in terms of the overall number of compromised records for sale. For example, over the past year Gemini has seen some 66 million new dumps show up on underground markets, and roughly half as many CVVs.

“The demand for card not present data remains strong while the supply is not as great as the bad guys need it to be, which means prices have been steadily going up,” Alforov said. “A lot of the bad guys who used to do card present fraud are now shifting to card-not-present fraud.”

One likely reason for that shift is the United States is the last of the G20 nations to make the transition to more secure chip-based payment cards, which is slowly making it more difficult and expensive for thieves to turn dumps into cold hard cash. This same increase in card-not-present fraud has occurred in virtually every other country that long ago made the chip card transition, including AustraliaCanadaFrance and the United Kingdom.

The increasing value of CVV data may help explain why we’ve seen such a huge uptick over the past year in e-commerce sites getting hacked. In a typical online retailer intrusion, the attackers will use vulnerabilities in content management systems, shopping cart software, or third-party hosted scripts to upload malicious code that snarfs customer payment details directly from the site before it can be encrypted and sent to card processors.

Research released last year by Thales eSecurity found that 50 percent of all medium and large online retailers it surveyed acknowledged they’d been hacked. That figure was more than two and a half times higher than a year earlier.

BIG BANG VS. LOW-AND-SLOW

Much of the media’s attention has been focused on recent hacks against larger online retailers, such those at the Web sites of British Airways, Ticketmaster, and electronics giant NewEgg. But these incidents tend to overshadow a great number of “low-and-slow” compromises at much smaller online retailers — which often take far longer to realize they’ve been hacked.

For example, in March 2019 an analysis of Gemini’s data strongly suggested that criminals had compromised Ticketstorm.com, an Oklahoma-based business that sells tickets to a range of sporting events and concerts. Going back many months through its data, Gemini determined that the site has likely been hacked for more than two years — allowing intruders to extract around 4,000 CVVs from the site’s customers each month, and approximately 35,000 accounts in total since February 2017.

Ticketstorm.com did not respond to requests for comment, but an individual at the company who answered a call from KrebsOnSecurity confirmed Ticketstorm had recently heard from Gemini and from card fraud investigators with the U.S. Secret Service.

“It’s not just large sites getting popped, it’s mostly small to mid-sized organizations that are being compromised for long periods of time,” Alforov said. “Ticketstorm is just one of ten or twenty different breaches we’ve seen where the fraudsters sell what they collected and then come back and collect more over several years.”

In some ways, CVVs are more versatile for fraudsters than dumps. That’s because about 90 percent of dumps for sale in the underground do not come with other consumer data points needed to complete a various online transactions — such as the cardholder’s name or billing address, Gemini found.

This is particularly true when CVV data is collected or amended by phishing sites, which often ask unwitting consumers to give up other personal information that can aid in identity theft and new account fraud — including Social Security number, date of birth and mother’s maiden name.

All of which means e-commerce retailers need to be stepping up their game when it comes to staving off card thieves. This in-depth report from Trustwave contains a number of useful suggestions that sites can consider for a defense-in-depth approach to combating an increasingly crowded field of criminal groups turning more of their attention toward stealing CVV data.

“There is a lot more incentive now than ever before for thieves to compromise e-commerce sites,” Alforov said.

Who’s Behind the RevCode WebMonitor RAT?

The owner of a Swedish company behind a popular remote administration tool (RAT) implicated in thousands of malware attacks shares the same name as a Swedish man who pleaded guilty in 2015 to co-creating the Blackshades RAT, a similar product that was used to infect more than half a million computers with malware, KrebsOnSecurity has learned.

An advertisement for RevCode WebMonitor.

At issue is a program called “WebMonitor,” which was designed to allow users to remotely control a computer (or multiple machines) via a Web browser. The makers of WebMonitor, a company in Sweden called “RevCode,” say their product is legal and legitimate software “that helps firms and personal users handle the security of owned devices.”

But critics say WebMonitor is far more likely to be deployed on “pwned” devices, or those that are surreptitiously hacked. The software is broadly classified as malware by most antivirus companies, likely thanks to an advertised feature list that includes dumping the remote computer’s temporary memory; retrieving passwords from dozens of email programs; snarfing the target’s Wi-Fi credentials; and viewing the target’s Webcam.

In a writeup on WebMonitor published in April 2018, researchers from security firm Palo Alto Networks noted that the product has been primarily advertised on underground hacking forums, and that its developers promoted several qualities of the software likely to appeal to cybercriminals looking to secretly compromise PCs.

For example, RevCode’s website touted the software’s compatibility with all “crypters,” software that can encrypt, obfuscate and manipulate malware to make it harder to detect by antivirus programs. Palo Alto also noted WebMonitor includes the option to suppress any notification boxes that may pop up when the RAT is being installed on a computer.

A screenshot of the WebMonitor builder panel.

RevCode maintains it is a legitimate company officially registered in Sweden that obeys all applicable Swedish laws. A few hours of searching online turned up an interesting record at Ratsit AB, a credit information service based in Sweden. That record indicates RevCode is owned by 28-year-old Swedish resident Alex Yücel.

In February 2015, a then 24-year-old Alex Yücel pleaded guilty in a U.S. court to computer hacking and to creating, marketing and selling Blackshades, a RAT that was used to compromise and spy on hundreds of thousands of computers. Arrested in Moldova in 2013 as part of a large-scale, international takedown against Blackshades and hundreds of customers, Yücel became the first person ever to be extradited from Moldova to the United States.

Yücel was sentenced to 57 months in prison, but according to a record for Yücel at the U.S. Federal Bureau of Prisons, he was released on Nov. 1, 2016. The first advertisements in hacker forums for the sale of WebMonitor began in mid-2017. RevCode was registered as an official Swedish company in 2018, according to Ratsit.

Until recently, RevCode published on its Web site a value added tax (VAT) number, an identifier used in many European countries for value added tax purposes. That VAT number — first noted by the blog Krabsonsecurity.com (which borrows heavily from this site’s design and banner but otherwise bears no relation to KrebsOnSecurity.com) — has since been removed from the RevCode Web site and from historic records at The Internet Archive. The VAT number cited in that report is registered to Alex Yücel, and matches the number listed for RevCode by Ratsit AB.

Yücel could not be immediately reached for comment. But an unnamed person responded to an email sent to the customer support address listed at RevCode’s site. Presented with the information and links referenced above, the person responding wrote, “nobody working for/with RevCode is in any way related to BlackShades. Anything else suggesting otherwise is nothing but rumors and attempts to degrade our company by means of defamation.”

The person responding from the RevCode support email address contended that the Alex Yücel listed as owner of the company was not the same Alex Yücel convicted of co-authoring Blackshades. However, unless the Ratsit record is completely wrong, this seems unlikely to be true.

According to the Ratsit listing, the Alex Yücel who heads RevCode currently lives in a suburb of Stockholm, Sweden with his parents Can and Rita Yücel. Both Can and Rita Yücel co-signed a letter (PDF) in June 2015 testifying to a New York federal court regarding their son’s upstanding moral character prior to Yücel the younger’s sentencing for the Blackshades conviction, according to court records.

A letter from Alex Yücel’s parents to the court in June 2016.

Wipro Intruders Targeted Other Major IT Firms

The crooks responsible for launching phishing campaigns that netted dozens of employees and more than 100 computer systems last month at Wipro, India’s third-largest IT outsourcing firm, also appear to have targeted a number of other competing providers, including Infosys and Cognizant, new evidence suggests. The clues so far suggest the work of a fairly experienced crime group that is focused on perpetrating gift card fraud.

On Monday, KrebsOnSecurity broke the news that multiple sources were reporting a cybersecurity breach at Wipro, a major trusted vendor of IT outsourcing for U.S. companies. The story cited reports from multiple anonymous sources who said Wipro’s trusted networks and systems were being used to launch cyberattacks against the company’s customers.

A screen shot of the Wipro phishing site securemail.wipro.com.internal-message[.]app. Image: urlscan.io

In a follow-up story Wednesday on the tone-deaf nature of Wipro’s public response to this incident, KrebsOnSecurity published a list of “indicators of compromise” or IOCs, telltale clues about tactics, tools and procedures used by the bad guys that might signify an attempted or successful intrusion.

If one examines the subdomains tied to just one of the malicious domains mentioned in the IoCs list (internal-message[.]app), one very interesting Internet address is connected to all of them — 185.159.83[.]24. This address is owned by King Servers, a well-known bulletproof hosting company based in Russia.

According to records maintained by Farsight Security, that address is home to a number of other likely phishing domains:

securemail.pcm.com.internal-message[.]app
secure.wipro.com.internal-message[.]app
securemail.wipro.com.internal-message[.]app
secure.elavon.com.internal-message[.]app
securemail.slalom.com.internal-message[.]app
securemail.avanade.com.internal-message[.]app
securemail.infosys.com.internal-message[.]app
securemail.searshc.com.internal-message[.]app
securemail.capgemini.com.internal-message[.]app
securemail.cognizant.com.internal-message[.]app
secure.rackspace.com.internal-message[.]app
securemail.virginpulse.com.internal-message[.]app
secure.expediagroup.com.internal-message[.]app
securemail.greendotcorp.com.internal-message[.]app
secure.bridge2solutions.com.internal-message[.]app
ns1.internal-message[.]app
ns2.internal-message[.]app
mail.internal-message[.]app
ns3.microsoftonline-secure-login[.]com
ns4.microsoftonline-secure-login[.]com
tashabsolutions[.]xyz
www.tashabsolutions[.]xyz

The subdomains listed above suggest the attackers may also have targeted American retailer Sears; Green Dot, the world’s largest prepaid card vendor; payment processing firm Elavon; hosting firm Rackspace; business consulting firm Avanade; IT provider PCM; and French consulting firm Capgemini, among others. KrebsOnSecurity has reached out to all of these companies for comment, and will update this story in the event any of them respond with relevant information.

WHAT ARE THEY AFTER?

It appears the attackers in this case are targeting companies that in one form or another have access to either a ton of third-party company resources, and/or companies that can be abused to conduct gift card fraud.

Wednesday’s follow-up on the Wipro breach quoted an anonymous source close to the investigation saying the criminals responsible for breaching Wipro appear to be after anything they can turn into cash fairly quickly. That source, who works for a large U.S. retailer, said the crooks who broke into Wipro used their access to perpetrate gift card fraud at the retailer’s stores.

Another source said the investigation into the Wipro breach by a third party company has determined so far the intruders compromised more than 100 Wipro systems  and installed on each of them ScreenConnect, a legitimate remote access tool. Investigators believe the intruders were using the ScreenConnect software on the hacked Wipro systems to connect remotely to Wipro client systems, which were then used to leverage further access into Wipro customer networks.

This is remarkably similar to activity that was directed against a U.S. based company in 2016 and 2017. In May 2018, Maritz Holdings Inc., a Missouri-based firm that handles customer loyalty and gift card programs for third-parties, sued Cognizant (PDF), saying a forensic investigation determined that hackers used Cognizant’s resources in an attack on Maritz’s loyalty program that netted the attackers more than $11 million in fraudulent eGift cards.

That investigation determined the attackers also used ScreenConnect to access computers belonging to Maritz employees. “This was the same tool that was used to effectuate the cyber-attack in Spring 2016. Intersec [the forensic investigator] also determined that the attackers had run searches on the Maritz system for certain words and phrases connected to the Spring 2016 attack.”

According to the lawsuit by Maritz Holdings, investigators also determined that the “attackers were accessing the Maritz system using accounts registered to Cognizant. For example, in April 2017, someone using a Cognizant account utilized the “fiddler” hacking program to circumvent cyber protections that Maritz had installed several weeks earlier.”

Maritz said its forensic investigator found the attackers had run searches on the Maritz system for certain words and phrases connected to the Spring 2016 eGift card cashout. Likewise, my retailer source in the Wipro attack told KrebsOnSecurity that the attackers who defrauded them also searched their systems for specific phrases related to gift cards, and for clues about security systems the retailer was using.

It’s unclear if the work of these criminal hackers is tied to a specific, known threat group. But it seems likely that the crooks who hit Wipro have been targeting similar companies for some time now, and with a fair degree of success in translating their access to cash given the statements by my sources in the Wipro breach and this lawsuit against Cognizant.

What’s remarkable is how many antivirus companies still aren’t flagging as malicious many of the Internet addresses and domains listed in the IoCs, as evidenced by a search at virustotal.com.

Update, April 19, 11:25 a.m. ET: I heard back from some of the other targets. Avanade shared the following statement:

“Avanade was a target of the multi-company security incident, involving 34 of our people in February. Through our cyber incident response efforts and technologies, we swiftly contained and remediated the situation. As a result, there was no impact to our client portfolio or sensitive company data. Our review has concluded this was isolated incident. Our security defenses have continued to protect against any potential threat related to this matter. And, we continue take our responsibility to safeguard our clients’ data with the utmost seriousness.”

Cognizant replied:

“We are aware of reports that our company was among many other service providers and businesses whose email systems were targeted in an apparent criminal hacking scheme related to gift card fraud. Since the criminal activity first surfaced earlier this week and following reports that another service provider’s email system was allegedly compromised, Cognizant’s security experts took immediate and appropriate actions including initiating a review.”

“While our review remains ongoing, we have seen no indication to date that any client data was compromised. It is not unusual for a large company like Cognizant to be the target of spear phishing attempts such as this. The integrity of our systems and our clients’ systems is of paramount importance to Cognizant. We continuously monitor, update and strengthen our systems against unauthorized access and have put additional protocols in place related to this specific industry-wide incident.”

Infosys said it has not observed any breach of its network based on its monitoring and threat intelligence. “This has been ascertained through a thorough analysis of the indicators of compromise that we received from our threat intelligence partners,” the company said in a statement.

Rackspace said it has no evidence to indicate that there has been impact to the Rackspace environment: “Rackspace Security Operations continuously monitors our environment for threats and takes appropriate action should an issue be identified.”

Capgemini said its internal Security Operation Center (SOC) detected and monitored suspicious activity that showed similar patterns to the attack faced by WIPRO. “This occurred between March 4 and March 19. The activity concentrated on a very limited number of laptops and servers. Immediate remedial action took place. There has been no impact on us, nor on our clients to date.”

Slalom, another company listed above, said it can “confirm that phishing attack activity was detected and prevented between March 4 and March 19, which correlates to the information that you have published on the Wipro event.  A combination of 24×7 Security Operations Center advanced security monitoring, security awareness training and threat intelligence automation enabled us to detect, alert, and prevent an event, sourcing from the phishing attacks.  We have verified this through internal forensics and with the support of our threat intelligence partners.”