Category Archives: Deep Web

Hackers stole card details from BriansClub carding site

BriansClub, one of the biggest dark web “carding stores,” which specialize in the sale of stolen payment card data, has itself been hacked.

Hackers have breached BriansClub (BriansClub[.]at), one of the biggest black market sites specializing in the sale of stolen credit card data. According to security expert Brian Krebs, who first reported the data breach, the hackers stole data on more than 26 million payment cards.

Experts estimate that the total number of stolen cards leaked from BriansClub represents almost 30 percent of the cards available on the black market.

“‘BriansClub,’ one of the largest underground stores for buying stolen credit card data, has itself been hacked.” reads the post published by Brian Krebs. “The data stolen from BriansClub encompasses more than 26 million credit and debit card records taken from hacked online and brick-and-mortar retailers over the past four years, including almost eight million records uploaded to the shop in 2019 alone.”

Krebs reported that last month a source shared with him a file containing the full BriansClub database; the archive included both the cards currently available for sale and historical data.

The file contains details stolen from online and brick-and-mortar retailers over the past four years, including nearly eight million records that were uploaded in 2019 alone.

People who reviewed the stolen data confirmed that the same credit card records could be found in a more redacted form by searching the BriansClub Web site using a valid and funded account.

Historical data in the archive show the rapid growth of the carding site: in 2015 the platform added just 1.7 million card records for sale; in 2016, 2.89 million stolen cards; 4.9 million cards in 2017; and 9.2 million in 2018. Between January and August 2019, BriansClub added approximately 7.6 million cards.

BriansClub acts as a broker of card data stolen by other cyber criminals, resellers or affiliates, who earn a fee from each sale.

BriansClub sold roughly 9.1 million stolen credit cards, allowing the site and its resellers to earn a total of $126 million in sales since 2015.

“There’s no easy way to tell how many of the 26 million or so cards for sale at BriansClub are still valid, but the closest approximation of that — how many unsold cards have expiration dates in the future — indicates more than 14 million of them could still be valid.” states Krebs.

According to a follow-up post published by Krebs, the administrator of BriansClub confirmed that the data center hosting his site had been hacked earlier in the year. The administrator claims that the stolen data had been removed from the BriansClub store inventory, but multiple sources confirmed that the cards are still available for sale at BriansClub.

According to the administrator of the Russian cybercrime forum Verified, cited by Krebs, BriansClub was hacked by “a fairly established ne’er-do-well who uses the nickname ‘MrGreen’ and runs a competing card shop by the same name.”

“The Verified site admin said MrGreen had been banned from the forum, and added that ‘sending anything to Krebs is the lowest of all lows’ among accomplished and self-respecting cybercriminals. I’ll take that as a compliment.”

“That said, if the remainder of BriansClub’s competitors want to use me to take down the rest of the carding market, I’m totally fine with that.” concludes Krebs.

Pierluigi Paganini

(SecurityAffairs – BriansClub, carding)

The post Hackers stole card details from BriansClub carding site appeared first on Security Affairs.

Trojanized Tor Browser targets shoppers of Darknet black marketplaces

A tainted version of the Tor Browser is targeting dark web market shoppers to steal their cryptocurrency and gather information on their browsing activity.

A trojanized version of the Tor Browser is targeting shoppers of black marketplaces on the dark web; the threat actors aim to steal their cryptocurrency and gather information on their browsing activity.

At the time of writing, attackers have already stolen about $40,000 worth of Bitcoin through more than 860 transactions registered to three of the attackers’ wallets.

“Utilizing a trojanized version of an official Tor Browser package, the cybercriminals behind this campaign have been very successful – so far their pastebin.com accounts have had more than 500,000 views and they were able to steal US$40,000+ in bitcoins.” reads a post published by ESET.

The weaponized version of the Tor Browser is promoted on Pastebin as the Russian version of the popular software. The Pastebin posts advertise it as also including an anti-captcha feature that lets users speed up their browsing.

The trojanized Tor browser variant is hosted on the following two domains created in 2014 that are designed to appear as the official Russian version of the software:

  • tor-browser[.]org
  • torproect[.]org (the URL is missing “j”)

Threat actors also optimized the posts promoting the malicious software to appear as top results for queries for drugs, censorship bypass, and Russian politicians.

Between 2017 and early 2018, crooks promoted the webpages of the trojanized Tor Browser using spam messages on multiple Russian forums.

The home page of both sites displays a warning to the visitors informing them that they have an outdated Tor Browser, even if the visitors are using the most up-to-date Tor Browser version.

Trojanized Tor browser

“Your anonymity is in danger! WARNING: Your Tor Browser is outdated. Click the button ‘Update’,” reads the English translation.

When the users click on the “Update Tor Browser” button, they are redirected to a second website that delivers a Windows installer.

“This trojanized Tor Browser is a fully functional application. In fact, it is based on Tor Browser 7.5, which was released in January 2018. Thus, non-technically-savvy people probably won’t notice any difference between the original version and the trojanized one.” continues the analysis.

“No changes were made to source code of the Tor Browser; all Windows binaries are exactly the same as in the original version. However, these criminals changed the default browser settings and some of the extensions.”

The update feature of the trojanized Tor Browser is disabled, to prevent victims from upgrading to a clean version; the attackers also changed the default User-Agent to a unique hardcoded value that serves them as a fingerprint of infected installs.

“The most important change is to the xpinstall.signatures.required settings, which disable a digital signature check for installed Tor Browser add-ons.” reads the post. “Therefore, the attackers can modify any add-on and it will be loaded by the browser without any complaint about it failing its digital signature check.”
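The three setting changes described above (add-on signature enforcement switched off, updates disabled, a hardcoded User-Agent) all live in the profile's prefs.js, so a defender or incident responder can check a suspect install without touching the binaries, which ESET says were unmodified. The following audit script is an added example, not code from ESET or the Tor Project. It assumes the standard Firefox `user_pref("name", value);` file format and that the analyst supplies a baseline of expected values copied from a known-clean install; `xpinstall.signatures.required` is the pref named on the page, while `app.update.enabled` and `general.useragent.override` are assumed to be the prefs controlling updates and the User-Agent string in the Firefox ESR 52 line that Tor Browser 7.5 was built on. The sample prefs.js contents and the fingerprint User-Agent value are constructed placeholders.

```python
"""Audit a Tor Browser profile's prefs.js for the setting changes ESET described.

Added example (not ESET's or the Tor Project's code). Assumes the standard
Firefox `user_pref("name", value);` format and an analyst-supplied baseline.
"""
import json
import re

# One prefs.js line: user_pref("name", value);  (value is a JS literal)
PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)*)",\s*(.*?)\);\s*$')

# xpinstall.signatures.required is named on the page. The other two names are
# assumptions: the prefs that control automatic updates and the User-Agent
# string in Firefox ESR 52-era builds (Tor Browser 7.5).
WATCHED = {
    "xpinstall.signatures.required": "add-on signature enforcement",
    "app.update.enabled": "automatic updates",
    "general.useragent.override": "User-Agent string",
}

# Baseline values an analyst would copy from a clean install (constructed here).
BASELINE = {
    "xpinstall.signatures.required": True,
    "app.update.enabled": True,
    "general.useragent.override": "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0",
}

# Constructed sample of a tampered prefs.js; the User-Agent value is a
# placeholder, not the attackers' real fingerprint string.
TAINTED_PREFS_JS = """\
// Mozilla User Preferences
user_pref("app.update.enabled", false);
user_pref("extensions.lastAppVersion", "52.6.0");
user_pref("general.useragent.override", "Mozilla/5.0 (CONSTRUCTED-FINGERPRINT-UA)");
user_pref("xpinstall.signatures.required", false);
"""

# Constructed sample of a clean profile for comparison.
CLEAN_PREFS_JS = """\
// Mozilla User Preferences
user_pref("app.update.enabled", true);
user_pref("general.useragent.override", "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0");
user_pref("xpinstall.signatures.required", true);
"""


def parse_prefs(text):
    """Return {pref name: value} for every user_pref() line in a prefs.js."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a pref
        name, raw_value = m.group(1), m.group(2).strip()
        try:
            prefs[name] = json.loads(raw_value)  # true/false, numbers, "strings"
        except ValueError:
            prefs[name] = raw_value  # keep unparsable literals verbatim
    return prefs


def audit_prefs(prefs, baseline):
    """Return (name, description, expected, actual) for each watched pref that is
    explicitly set to something other than the baseline. An absent pref means the
    browser default applies, so it is not reported."""
    findings = []
    for name, description in WATCHED.items():
        if name not in prefs:
            continue
        if prefs[name] != baseline.get(name):
            findings.append((name, description, baseline.get(name), prefs[name]))
    return findings


if __name__ == "__main__":
    for name, description, expected, actual in audit_prefs(parse_prefs(TAINTED_PREFS_JS), BASELINE):
        print(f"[!] {name} ({description}): expected {expected!r}, found {actual!r}")
```

On a real profile, read `prefs.js` (and `user.js`, if present) from the Tor Browser profile directory and pass its contents to `parse_prefs`. Any finding on `xpinstall.signatures.required` deserves immediate attention, since with signature checks off the bundled extensions (HTTPS Everywhere in this campaign) can be replaced silently; a User-Agent override that differs from the baseline is both a sign of tampering and, as the article notes, a way the infected install can be identified server-side.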

Crooks also modified the HTTPS Everywhere add-on included with the browser to add a content script (script.js) that will be executed on load in the context of every webpage.

The JavaScript payload uses a standard webinject mechanism that allows stealing content in forms, hiding original content, showing fake messages, or adding its own content.

The only JavaScript payload observed by ESET was used to target visitors of three of the largest Russian-speaking darknet markets. This script attempts to alter QIWI (a popular Russian money transfer service) or bitcoin wallets located on pages of these markets.

Using this trick, the attackers are able to hijack payments by replacing the wallet addresses shown to shoppers with addresses belonging to the attackers.

“As of this writing, the total amount of received funds for all three wallets is 4.8 bitcoin, which corresponds to over US$40,000. It should be noted that the real amount of stolen money is higher because the trojanized Tor Browser also alters QIWI wallets.” concludes ESET, which also shared IoCs. “This trojanized Tor Browser is a non-typical form of malware, designed to steal digital currency from visitors to darknet markets. Criminals didn’t modify binary components of the Tor Browser; instead, they introduced changes to settings and the HTTPS Everywhere extension. This has allowed them to steal digital money, unnoticed, for years.”

Pierluigi Paganini

(SecurityAffairs – Trojanized Tor Browser, hacking)


International operation dismantled largest Dark Web Child abuse site

The United States Department of Justice announced the arrest of hundreds of criminals as part of a global operation against a dark web child abuse community.

The US Department of Justice announced the arrest of hundreds of criminals as part of a global operation conducted against the crime community operating the largest dark web child porn site, ‘Welcome to Video’.

The operation involved law enforcement agencies from several countries, including the IRS-CI, US Homeland Security Investigations, the NCA, the Korean National Police of the Republic of Korea, and the German Federal Criminal Police (the Bundeskriminalamt).

Officials have arrested the administrator of the site, Jong Woo Son of South Korea (23), along with 337 suspects in 38 countries who have been charged for allegedly being users of the site.

Two former federal law enforcement officials were allegedly involved in the child porn site, Paul Casey Whipple and Richard Nikolai Gratkowski.

The US authorities issued a warrant for Son’s arrest in February 2018; South Korean police arrested the man on March 5, 2018, and seized the server used to operate Welcome To Video.

According to the indictment, the ‘Welcome to Video’ child abuse site was launched in June 2015 and operated until March 2018. The site received at least 420 BTC in three years through at least 7300 transactions.

Experts from the National Center for Missing and Exploited Children (NCMEC) are currently analyzing over 250,000 unique videos hosted on the website, 45 percent of them contain new images that have not been previously known to exist.

“According to the indictment, on March 5, 2018, agents from the IRS-CI, HSI, National Crime Agency in the United Kingdom, and Korean National Police in South Korea arrested Son and seized the server that he used to operate a Darknet market that exclusively advertised child sexual exploitation videos available for download by members of the site.” reads a press release published by the DoJ.  “The operation resulted in the seizure of approximately eight terabytes of child sexual exploitation videos, which is one of the largest seizures of its kind.”

The great news is that the operation allowed the rescue of tens of children living in the United States, Spain, and the United Kingdom.

According to the indictment, law enforcement experts discovered that the child abuse website was hosted at the IP addresses 121.185.153.64 and 121.185.153.45, which were assigned by a provider in South Korea and registered to an account serviced at the defendant’s home.

Experts also identified more than one million unique bitcoin addresses that were used to receive payments from the users of the website. Two users of the Darknet market committed suicide subsequent to the execution of search warrants.

“Welcome To Video offered these videos for sale using the cryptocurrency bitcoin.  Typically, sites of this kind give users a forum to trade in these depictions.  This Darknet website is among the first of its kind to monetize child exploitation videos using bitcoin.  In fact, the site itself boasted over one million downloads of child exploitation videos by users.  Each user received a unique bitcoin address when the user created an account on the website.” continues the press release. “An analysis of the server revealed that the website had more than one million bitcoin addresses, signifying that the website had capacity for at least one million users.”

Though Son is currently serving an 18-month sentence in South Korea, a federal grand jury in Washington DC unsealed a 9-count indictment against him just yesterday, with the U.S. authorities seeking his extradition to face justice.

“Darknet sites that profit from the sexual exploitation of children are among the most vile and reprehensible forms of criminal behavior,” said Assistant Attorney General Brian A. Benczkowski of the Justice Department’s Criminal Division. “This Administration will not allow child predators to use lawless online spaces as a shield. Today’s announcement demonstrates that the Department of Justice remains firmly committed to working closely with our partners in South Korea and around the world to rescue child victims and bring to justice the perpetrators of these abhorrent crimes.”

Pierluigi Paganini

(SecurityAffairs – Child abuse, cybercrime)


Feds Shut Down Largest Dark Web Child Abuse Site; South Korean Admin Arrested

The United States Department of Justice said today that they had arrested hundreds of criminals in a global crackdown after taking down the largest known child porn site on the dark web and tracing payments made in bitcoins. With an international coalition of law enforcement agencies, federal officials have arrested the administrator of the child sexual abuse site, 23-year-old Jong Woo Son of

Security Affairs newsletter Round 235

A new round of the weekly newsletter arrived! The best news of the week with Security Affairs

Hi folks, let me inform you that I have suspended the newsletter service; anyway, I’ll continue to provide you with a list of published posts every week through the blog.

Hacker is auctioning a database containing details of 92 million Brazilians
Iran-linked Phosphorus group hit a 2020 presidential campaign
UK NCSC agency warns of APTs exploiting Enterprise VPN vulnerabilities
D-Link router models affected by remote code execution issue that will not be fixed
Data from Sephora and StreetEasy data breaches added to HIBP
PoS malware infections impacted four restaurant chains in the U.S.
US will help Baltic states to secure Baltic energy grid
Developer hacked back Muhstik ransomware crew and released keys
Experts found a link between a Magecart group and Cobalt Group
Hackers continue to exploit the Drupalgeddon2 flaw in attacks in the wild
MS October 2019 Patch Tuesday updates address 59 flaws
Users reported problems with patches for CVE-2019-1367 IE zero-day
Hackers compromised Volusion infrastructure to siphon card details from thousands of sites
Multiple APT groups are exploiting VPN vulnerabilities, NSA warns
Researchers discovered a code execution flaw in NSA GHIDRA
Twitter inadvertently used Phone Numbers collected for security for Ads
vBulletin addresses three new high-severity vulnerabilities
Amnesty claims that 2 Morocco rights advocates were targeted by NSO Group spyware
Attor malware was developed by one of the most sophisticated espionage groups
iTunes Zero-Day flaw exploited by the gang behind BitPaymer ransomware
Oops, popular iTerm2 macOS Terminal App is affected by a critical RCE since 2012
SAP October 2019 Security Patch Day fixes 2 critical flaws
Tor Project is going to remove End-Of-Life relays from the network
Hacker breached escort forums in Italy and the Netherlands and is selling user data
Researchers released a free decryptor for the Nemty Ransomware
Sophos fixed a critical vulnerability in Cyberoam firewalls
Tens of millions of PCs potentially impacted by a flaw in HP Touchpoint Analytics
Top cybersecurity certifications to consider for your IT career
FIN7 Hackers group is back with a new loader and a new RAT
Leafly Cannabis information platform suffered a data leak
SIM cards used in 29 countries are vulnerable to Simjacker attack

Pierluigi Paganini

(SecurityAffairs – newsletter)


Tor Project is going to remove End-Of-Life relays from the network

Maintainers at the Tor Project have removed from the network more than 800 relay servers running outdated and EOL versions of the Tor software.

Currently, the Tor network is composed of more than 6000 relays, some of them running outdated Tor software versions (in some cases back to the 0.2.4.x versions). Other relays are running the latest Tor software in nightly builds and alpha releases. Maintainers of the Tor Project announced they have removed relay servers running outdated and EOL versions of the Tor software.

Tor Project experts pointed out that they currently maintain only five Tor version series: 0.2.9.x (LTS), 0.3.5.x (LTS), 0.4.0.x, 0.4.1.x and 0.4.2.x (stable on Dec 15th, 2019).

Now the maintainers of the project announced that they have removed roughly 13.5% of the relay servers, 750 acting as Tor middle relays and 62 as exit relays.

The presence of End-Of-Life relays in the Tor network has multiple negative impacts on network stability and security; it also complicates maintenance, because it is not easy to roll out important fixes and new features to them.

“In the past weeks, we’ve taken steps to contact every relay operator with a valid ContactInfo field to ask them to upgrade to the latest stable release. The Tor relay community was informed via the tor-relays mailing list on September 3rd 2019 of this upcoming change.” reads the announcement published by the Tor Project.

“The End-Of-Life relays in the network currently make up just over 12% of the total bandwidth, or around 750 relays. Out of these, only 62 are Exit relays accounting for only 1.68% of the total Exit traffic. We expect a minor impact on the size of the network, and a small drop in the Metrics graph.”

The maintainers expect a new Tor stable release in November; it will reject End-Of-Life relays by default. Until then, the maintainers will reject obsolete relays using their fingerprints.

Instructions for upgrading End-Of-Life relays are included in the announcement.
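A relay operator who wants to know in advance whether their relay falls into the rejected set only needs the version string and the list of maintained series quoted above. The script below is an added example, not the Tor Project's code: it classifies a version as belonging to a maintained series, to a series older than those (End-Of-Life), or to a newer alpha/nightly series past the listed ones, and builds the kind of fingerprint reject list the maintainers say they will use until the November release. The parsing of version strings (four numeric components, optional `-alpha`/`-rc`/`-dev` tag, as printed by `tor --version` or in consensus `v Tor x.y.z.w` lines) is an assumption about the format, and the relay list, including its fingerprints, is constructed for the example.

```python
"""Classify relay Tor versions against the series the Tor Project maintains.

Added example, not the Tor Project's code. The five maintained series are the
ones named in the announcement; the version-string format is assumed, and the
relay list (nicknames and fingerprints) is constructed.
"""
import re

MAINTAINED_SERIES = ("0.2.9", "0.3.5", "0.4.0", "0.4.1", "0.4.2")

# Four dotted integers, optionally followed by a tag such as -alpha or -alpha-dev.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z0-9.-]+))?")

# (nickname, fingerprint, version string) as an operator might collect them.
# Fingerprints are constructed 40-hex-character placeholders.
SAMPLE_RELAYS = [
    ("relayA", "A1" * 20, "Tor version 0.4.1.6."),
    ("relayB", "B2" * 20, "Tor 0.2.4.27"),
    ("relayC", "C3" * 20, "v Tor 0.3.4.11"),
    ("relayD", "D4" * 20, "0.4.3.0-alpha-dev"),
    ("relayE", "E5" * 20, "Tor version 0.2.9.17."),
]


def parse_version(text):
    """Return ((major, minor, micro, patch), tag_or_None) from a version string."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no Tor version found in {text!r}")
    return tuple(int(m.group(i)) for i in range(1, 5)), m.group(5)


def series_of(version):
    """The release series is the first three components, e.g. 0.4.1 for 0.4.1.6."""
    return ".".join(str(n) for n in version[:3])


def classify(text):
    """'maintained', 'end-of-life', or 'newer-than-listed' (alpha/nightly builds
    past the newest maintained series, which the article mentions separately)."""
    version, _tag = parse_version(text)
    if series_of(version) in MAINTAINED_SERIES:
        return "maintained"
    newest = max(tuple(int(n) for n in s.split(".")) for s in MAINTAINED_SERIES)
    if version[:3] > newest:
        return "newer-than-listed"
    return "end-of-life"


def eol_fingerprints(relays):
    """Fingerprints of relays that would be rejected as End-Of-Life."""
    return [fp for _nick, fp, ver in relays if classify(ver) == "end-of-life"]


if __name__ == "__main__":
    for nick, fp, ver in SAMPLE_RELAYS:
        print(f"{nick:8} {ver:24} -> {classify(ver)}")
    print("reject list:", eol_fingerprints(SAMPLE_RELAYS))
```

Note that a series between two maintained ones (0.3.4 in the sample) is still End-Of-Life: maintenance is per series, not a single cut-off version, which is why the check compares the three-component series rather than the full version number.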

Pierluigi Paganini

(SecurityAffairs – Tor, privacy)


Hacker is auctioning a database containing details of 92 million Brazilians

A database containing details of 92 million Brazilians was auctioned by a threat actor on underground forums along with a search service focused on Brazilians.

Someone is auctioning on several restricted underground forums a database containing personal information of 92 million Brazilian citizens. The threat actor, registered as X4Crow, is also advertising a search service that allows retrieving detailed information on Brazilian citizens.

(Image source: Bleeping Computer)

The records are arranged by province; they include names, dates of birth, and taxpayer ID (CPF – Cadastro de Pessoas Físicas), as well as taxpayer details about legal entities, i.e. the CNPJ (Cadastro Nacional da Pessoa Jurídica).

The starting price for the auction is $15,000; participants can raise the bid by 110 each time.

“A post on one of the forums seen by BleepingComputer informs that the database is 16GB large, in SQL format. The starting price for the auction is $15,000 with a step up bid of $1,000.” reported BleepingComputer.

According to BleepingComputer researchers who received a sample of the database, the data is authentic.

At the time of writing, it seems that the seller has not received any bid.

X4Crow also advertises a search service that allows retrieving detailed information on Brazilians (i.e. email address, profession, education level, possible relatives, neighbors, license plates, vehicle, ID card, driver’s license) simply by providing a full name, taxpayer ID, or phone number.

“There is no guarantee that all the details will be retrieved for all individuals but the report may provide, on average, 80% of the specifics listed above.” continues BleepingComputer.

Querying the service to retrieve data on a specific company and its corporate structure could cost up to $150.

According to BleepingComputer, X4Crow is considered a reliable actor in the cybercrime underground, even though they have not been operating for long.

Pierluigi Paganini

(SecurityAffairs – Brazilians, cybercrime)


Arcane Stealer V, a threat for lower-skilled adversaries that scares experts

Experts recently analyzed an information-stealing malware tracked as Arcane Stealer V that is very cheap and easy to buy in the Dark Web.

In July 2019, researchers at the Fidelis Threat Research Team (TRT) analyzed a sample of Arcane Stealer V, a .NET information-stealing malware that is easy to acquire on the dark web. The author of the malware sells it on his own website and on the Lolzteam site on the dark web; the researchers also found cracked versions on multiple community discussion and file-sharing platforms.

The malware is quite cheap, going for just $9 on the dark web, and could also be used by lower-skilled adversaries. Due to the low cost of the malware, experts believe that its popularity could rapidly increase.

“The Arcane Stealer is a .net information stealer. The malware is available as a graphical user interface (GUI) or users can purchase the code, making it easier for actors with novice skills to employ. It sells for 699 Rubles or approximately 9 US dollars.” reads the post published by the researchers. “There is also support available on Telegram along with other “helpful” bots.”

In early August, the researchers were able to track multiple instant messenger and social media accounts associated with a Russian-language actor that might be the author of the malware.

The malware is able to collect various data from victims, including operating system and browser information, cryptocurrency wallets, instant-messaging sessions from Telegram, Discord, and Pidgin, and data (i.e. passwords, cookies and form contents) from several browsers, including Chrome, Opera, Kometa, Orbitum, Comodo, Amigo, Torch and Yandex.

Arcane Stealer V could also be used to steal documents, collect Steam gaming community data, log detected virtual machine IPs, and collect data from FileZilla servers.

The threat actor behind Arcane Stealer V also provides dashboards and statistics to show the crooks who buy the malware their potential earnings.

Arcane Stealer V

When the malware runs, it takes a screenshot and then it creates a text log file of what was collected.

“When ran, the file collects data, takes a screenshot and then it creates a text log file of what was collected. It stores all of the information in a folder in %appdata%/local/{hwid}/.” continues the post. “It uses the assigned hardware ID that the malware generates as the folder name and zip folder name.”

Then the malware sends the zipped file to the C2 server.

The researchers identified multiple Telegram and Twitter accounts with the handles “@arcanee_bot,” “@es3n1n” and “@SakariHack,” which were used to discuss how to build and distribute the malware. These accounts were all associated with the same Russian-language actor, a 21-year-old man who says he suffers from a form of epilepsy.

“The actor associated with the malware appears to be a native Russian speaker, however it is unclear if the actor is currently located in Russia,” continues the analysis. “The actor’s information-stealer does not appear to limit potential targets. Analysts have observed the capability of Russian sites to be targeted in the malware.”

Experts pointed out that, unlike other threats, the malware does not discriminate by the geo-location of its victims and could be used against any target.

“Based off current observation and analysis, Arcane Stealer and its developer(s) appear to be low-level threats.” conclude the experts.

“Due to the lack of traversal, propagation, or destructive capabilities at the time of analysis, it is assessed with moderate confidence that this malware may not become popular with high-value and highly capable actors. However, because users can buy the source code, it is possible that we may see other threat actors reusing the malware and creating their own variant of Arcane V, as has been done with other popular malware families, like njRAT.”

Pierluigi Paganini

(SecurityAffairs – Arcane Stealer V, malware)


Security Affairs newsletter Round 233

A new round of the weekly newsletter arrived! The best news of the week with Security Affairs

Hi folks, let me inform you that I have suspended the newsletter service; anyway, I’ll continue to provide you with a list of published posts every week through the blog.

Once again thank you!

0patch will provide micropatches for Windows 7 and Server 2008 after EoS
Critical flaws affect Jira Service Desk and Jira Service Desk Data Center
Facebook suspends tens of thousands of apps from hundreds of developers
Campbell County Memorial Hospital in Wyoming hit by ransomware attack
Portuguese hacker faces hundreds of Charges in Football Leaks case
Privilege Escalation flaw found in Forcepoint VPN Client for Windows
Thinkful forces a password reset for all users after a data breach
TortoiseShell Group targets IT Providers in supply chain attacks
A new Fancy Bear backdoor used to target political targets
APT or not APT? What’s Behind the Aggah Campaign
Hacker discloses details and PoC exploit code for unpatched 0Day in vBulletin
Microsoft released an out-of-band patch to fix Zero-day flaw exploited in the wild
North Korea-linked malware ATMDtrack infected ATMs in India
Adobe Patches two critical vulnerabilities in ColdFusion
Czech Intelligence ‘s report attributes major cyber attack to China
Heyyo dating app left its users data exposed online
US Utilities Targeted with LookBack RAT in a new phishing campaign
Airbus suppliers were hit by four major attacks in the last 12 months
Botnet exploits recent vBulletin flaw to protect its bots
Emsisoft releases a free decryptor for the WannaCryFake ransomware
Study shows connections between 2000 malware samples used by Russian APT groups
USBsamurai for Dummies: How To Make a Malicious USB Implant & Bypass Air-Gapped Environments for 10$. The Dumb-Proof Guide.
Checkm8: unpatchable iOS exploit could lead to permanent jailbreak for iOS devices running A5 to A11 chips
DoorDash Data Breach exposes data of approximately 5 million users
Emsisoft released a new free decryption tool for the Avest ransomware
Magecart 5 hacker group targets L7 Routers
After SIMJacker, WIBattack hacking technique disclosed. Billions of users at risk
German police arrest suspects in raid network hosting Darknet marketplaces
Malware-based attacks disrupted operations of Rheinmetall AG and Defence Construction Canada
Nodersok malware delivery campaign relies on advanced techniques

Pierluigi Paganini

(SecurityAffairs – newsletter)


German police arrest suspects in raid network hosting Darknet marketplaces

German police have shut down a network hosting Darknet marketplaces focused on the trading of drugs, stolen data and child pornography.

German police announced to have shut down a network hosting Darknet black marketplaces trading drugs, stolen data, and child pornography.

The black marketplaces were also offering stolen data and fake documents, and other illegal goods.

Authorities conducted an investigation on the operators of the “Bulletproof Hoster” service that was provided through servers hidden in a former NATO bunker, the so-called “Cyber Bunker.”

Law enforcement arrested seven suspects in a series of raids: four Dutch citizens, two Germans and one Bulgarian.

“Thursday’s raids involved hundreds of officers and came after years of following up on leads in cooperation with other agencies. Police believe that the data center was involved in a hack attack three years ago on the national communications provider, Telekom.” reported the DW agency.

“Officials said the server seized on Thursday had also hosted the second-largest darknet trading platform, Wall Street Market.  Authorities in the European Union and the US shut that platform down in May, claiming it was used to traffick stolen data, forged documents, computer malware and illicit drugs.”

According to prosecutors, the criminal ring behind the illegal network was composed of at least thirteen members, 12 men and one woman, aged from 20 to 59. The suspects ran the powerful servers inside the former NATO bunker in the town of Traben-Trarbach in Rhineland-Palatinate state.

The operation involved hundreds of police agents in Germany and other European countries; they seized 200 servers, numerous data carriers and mobile phones, and a large sum of cash.

The police also confirmed that the popular “Wall Street Market” black marketplace was hosted on the seized server. In May, the German police, with the support of Europol, Dutch police and the FBI, shut down one of the world’s largest black marketplaces on the dark web, the ‘Wall Street Market,’ and arrested three operators allegedly running it. The three German suspects were arrested on April 23 and 24 in the states of Hesse, Baden-Wuerttemberg and North Rhine-Westphalia.

The operation also led to the arrest of two major suppliers of illegal narcotics in the United States.

Prosecutors also revealed that the same cyber bunker was used to host the C2 behind a botnet involved in a massive attack that hit the German provider Deutsche Telekom in November 2016.

Pierluigi Paganini

(SecurityAffairs – darknet, hacking)


Fraudulent purchases of digital certificates through executive impersonation

Experts at ReversingLabs spotted a threat actor buying digital certificates by impersonating legitimate entities and then selling them on the black market.

Researchers at ReversingLabs have identified a new threat actor that is buying digital certificates by impersonating company executives, and then selling them on the black market. The experts discovered that digital certificates are then used to spread malware, mainly adware.

Threat actors sign their malware with legitimate digital certificates to avoid detection.

The experts provided details of a certificate fraud that leverages executive impersonation. The researchers provided evidence that the threat actors sold the purchased certificates to a cybercrime gang that used them to spread malware.

The analysis published by ReversingLabs provides technical details for each phase of the certificate fraud carried out by impersonating executives.

The fraud begins with the reconnaissance phase in which the attackers select the target to impersonate. Threat actors use publicly available information to select candidates that are usually well-established people working in the software industry.

Once a target is identified, the threat actors scrape the victim’s information from open sources, such as their public LinkedIn profile page. Then the attackers set up legitimate-looking infrastructure for the entity they are impersonating, in an attempt to deceive certificate authorities.

“The attacker aims to use the top-level domain confusion in order to mislead the certificate authority during their identity verification process. The gamble is that the person verifying the certificate issuance request will assume that the same company owns both the global .COM and the regional .CO.UK domains for their business.” reads the analysis published by the experts.

“Here’s where the choice of registrar becomes truly important. Since GDPR legislation came into effect, most EU domain registrars have agreed that WHOIS records are considered private and personally identifiable information. This makes knowing the true identity behind the registered domain name subject to a data release process – a bureaucratic procedure meant to be fulfilled in cases of a legitimate enquiry such as a trademark dispute or a law enforcement request.”
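The top-level domain confusion described above works only if the person verifying the request treats `company.co.uk` and `company.com` as the same owner. The following check is an added example, not ReversingLabs' code; it models the rule a verifier (or an organisation monitoring for impersonation of its own domains) could apply: a requester's domain that matches a known domain in its registrable label but differs in the public suffix is flagged as confusable rather than accepted. It assumes a small hand-written suffix list (a real implementation would use the Public Suffix List), and all domain names in it are constructed.

```python
"""Flag certificate requests that rely on top-level-domain confusion.

Added example, not ReversingLabs' code. The suffix list is a hand-written
subset standing in for the Public Suffix List; all domains are constructed.
"""

# Longest suffixes are tried first so "example.co.uk" is not split as ("co", "uk").
PUBLIC_SUFFIXES = sorted(
    ("co.uk", "org.uk", "com.au", "com", "net", "org", "uk", "de", "io"),
    key=len, reverse=True)


def split_domain(hostname):
    """Return (registrable label, public suffix), e.g. ("example", "co.uk")."""
    hostname = hostname.lower().strip().rstrip(".")
    if hostname in PUBLIC_SUFFIXES:
        raise ValueError(f"bare public suffix: {hostname!r}")
    for suffix in PUBLIC_SUFFIXES:
        if hostname.endswith("." + suffix):
            rest = hostname[: -len(suffix) - 1]
            if rest:
                return rest.split(".")[-1], suffix  # drop any subdomain labels
    raise ValueError(f"unknown public suffix: {hostname!r}")


def registrable_domain(hostname):
    """The part of a hostname that a registrant actually controls."""
    label, suffix = split_domain(hostname)
    return f"{label}.{suffix}"


def assess_request(requester_domain, known_domains):
    """'verified' if the requester's registrable domain is one the company is
    known to own, 'suffix-confusable' if it differs from a known domain only in
    the public suffix (the trick described in the analysis), else 'unrelated'."""
    req_label, req_suffix = split_domain(requester_domain)
    known = [split_domain(d) for d in known_domains]
    if (req_label, req_suffix) in known:
        return "verified"
    if any(req_label == label and req_suffix != suffix for label, suffix in known):
        return "suffix-confusable"
    return "unrelated"


if __name__ == "__main__":
    # Constructed scenario: the impersonated company is known to own example.com;
    # the attacker registers example.co.uk and requests a certificate from it.
    known = ["example.com"]
    for requester in ("www.example.com", "example.co.uk", "other.com"):
        print(f"{requester:18} -> {assess_request(requester, known)}")
```

The point of the distinction is that a confusable match should trigger the slower out-of-band checks the analysis alludes to (for instance, a contact through the company's already-known domain) instead of being accepted on the strength of the name alone; the GDPR-era WHOIS redaction the quoted text describes is exactly what makes the cheap lookup unreliable.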

Once the infrastructure is set up, the threat actors proceed to purchase the certificates and verify them. The verification is done by submitting a file signed with the certificate to a public antivirus scanning service; the threat actors then use the clean file scan record as “a clean bill of health” for potential buyers.

“2019-04-30 07:07:59 – The first signed malicious file appears in the wild. The certificate is used to sign OpenSUpdater, an adware application that can install unwanted software on the client’s machine. This executable is cross-signed for timestamp verification via Symantec Time Stamping Services Signer service.” continues the analysis.

The experts pointed out that even though it is harder for an attacker to acquire digital certificates than, say, a domain, the threat actors they tracked have shown that it is in fact possible to do so.
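The two signals the analysis describes, a validated domain that differs from the real company’s domain only in its top-level domain (.COM versus .CO.UK) and a freshly issued certificate that starts signing files almost immediately, can be turned into a simple triage check on code-signing certificate metadata. The script below is an added example written for this page, not code from ReversingLabs or from the report; the organization names, domains, dates and the short list of two-label public suffixes are all constructed placeholders, and the “signing began soon after issuance” signal is only a weak hint that should be read together with the domain check rather than on its own.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed allowlist: organization name -> the domain that organization is
# known to own. A real deployment would source this from an asset inventory.
KNOWN_ORGS = {
    "Example Software Ltd": "example-software.com",
}

# Small, hand-picked set of two-label public suffixes. The real Public Suffix
# List is far larger; this subset is an assumption that keeps the example offline.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.jp", "co.nz"}


@dataclass
class SignerRecord:
    organization: str            # Subject O= field of the code-signing certificate
    validated_domain: str        # domain the CA validated before issuing it
    not_before: datetime         # start of the certificate's validity period
    first_signed_seen: datetime  # first observation of a file signed with it


def split_domain(domain: str) -> tuple[str, str]:
    """Return (registrable label, public suffix) for a domain, e.g.
    'example-software.co.uk' -> ('example-software', 'co.uk')."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return labels[-3], ".".join(labels[-2:])
    if len(labels) >= 2:
        return labels[-2], labels[-1]
    raise ValueError(f"not a registrable domain: {domain!r}")


def assess(record: SignerRecord,
           known_orgs: dict[str, str] = KNOWN_ORGS,
           max_signing_lead: timedelta = timedelta(days=7)) -> list[str]:
    """Return finding tags for one signer; an empty list means nothing odd."""
    findings: list[str] = []
    known_domain = known_orgs.get(record.organization)
    if known_domain is None:
        findings.append("unknown_organization")
    else:
        known_label, known_suffix = split_domain(known_domain)
        seen_label, seen_suffix = split_domain(record.validated_domain)
        if known_label == seen_label and known_suffix != seen_suffix:
            # Same company name, same second-level label, different TLD: the
            # ".com vs .co.uk" confusion the analysis describes.
            findings.append("tld_confusion")
        elif (known_label, known_suffix) != (seen_label, seen_suffix):
            findings.append("domain_mismatch")
    # Weak signal: a certificate that is used to sign binaries within days of
    # issuance. Legitimate renewals do this too, so it only adds weight.
    if record.first_signed_seen - record.not_before < max_signing_lead:
        findings.append("signing_began_soon_after_issuance")
    return findings


# Constructed sample records (dates are placeholders, not from the report).
SAMPLES = [
    SignerRecord("Example Software Ltd", "example-software.co.uk",
                 datetime(2019, 4, 25), datetime(2019, 4, 30)),
    SignerRecord("Example Software Ltd", "example-software.com",
                 datetime(2018, 1, 1), datetime(2018, 6, 1)),
    SignerRecord("Nonexistent Corp", "nonexistent-corp.com",
                 datetime(2019, 3, 1), datetime(2019, 5, 1)),
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(f"{rec.organization:22} {rec.validated_domain:26} {assess(rec)}")
```

The check deliberately compares the domain the CA validated against an inventory of domains the organization actually owns, rather than trusting the Subject field alone, because the Subject is exactly what the impersonator arranged to look right.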

Pierluigi Paganini

(SecurityAffairs – digital certificates, hacking)

The post Fraudulent purchases of digital certificates through executive impersonation appeared first on Security Affairs.

Tor Project’s Bug Smash Fund raises $86K in August

The Tor Project has raised $86,000 for a Bug Smash fund that it will use to pay developers that will address critical flaws in the popular anonymizing network.

The Tor Project has raised $86,000 for a Bug Smash fund that was created to pay developers that will address critical security and privacy issues in the popular anonymizing network.

In early August, the Tor Project announced the creation of the Bug Smash Fund with the intent of paying professionals who will support the organization in carrying out maintenance work and smashing bugs.

“The goal of the Bug Smash Fund is to increase the Tor Project’s reserve of funds that allow us to complete maintenance work and smash the bugs necessary to keep Tor Browser, the Tor network, and the many tools that rely on Tor strong, safe, and running smoothly.” reads the announcement published by the Tor Project.

“When we say maintenance and bugs, we are talking about work that is critical—and that we must pay for. This work includes responding quickly to security bugs, improving test coverage, and keeping up with Mozilla’s ESRs. An entire ecosystem relies on us doing so.”

The organization has added donations it received in August 2019 to the Bug Smash Fund.

Any vulnerability that could be used to de-anonymize Tor users, or that attackers could use to disrupt the anonymizing network, is considered critical and must be addressed rapidly; part of the Bug Smash Fund will pay developers to do so.

The fund is meant to be transparent: donors can track how the money is used because the Tor Project tags every bug ticket that draws on the fund with the “BugSmashFund” tag.

“Want to keep up with the work we’re doing with this fund? There are three ways: (1) Follow the “BugSmashFund” trac ticket tag, (2) watch this blog for updates about the progress of these tickets, and (3) make a donation and opt in for our newsletter to get updates directly to your inbox.” concludes the announcement.

“Want to contribute anonymously, with cryptocurrency, or by mail? Here’s how.”

Pierluigi Paganini

(SecurityAffairs – Tor Project, privacy)

The post Tor Project’s Bug Smash Fund raises $86K in August appeared first on Security Affairs.

Security Affairs newsletter Round 231

A new round of the weekly newsletter arrived! The best news of the week with Security Affairs

Hi folks, let me inform you that I have suspended the newsletter service; anyway, I’ll continue to provide you with a list of published posts every week through the blog.

Once again thank you!

Experts found Joker Spyware in 24 apps in the Google Play store
Toyota Boshoku Corporation lost over $37 Million following BEC attack
University, Professional Certification or Direct Experience?
WordPress 5.2.3 fixes multiple issues, including some severe XSS flaws
Belarusian authorities seized XakFor, one of the largest Russian-speaking hacker sites
China-linked APT3 was able to modify stolen NSA cyberweapons
Stealth Falcon New Malware Uses Windows BITS Service to Stealthily Exfiltrate Data
Stealth Falcon’s undocumented backdoor uses Windows BITS to exfiltrate data
Symantec uncovered the link between China-Linked Thrip and Billbug groups
Telegram Privacy Fails Again
Wikipedia suffered intermittent outages as a result of a malicious attack
DoS attack that caused disruption at US power utility exploited a known flaw
Millions of Telestar Digital GmbH IoT radio devices can be remotely hacked
Police dismantled Europe’s second-largest counterfeit currency network on the dark web
Robert Downey Jr’s Instagram account has been hacked
Adobe September 2019 Patch Tuesday updates fix 2 code execution flaws in Flash Player
Dissecting the 10k Lines of the new TrickBot Dropper
Microsoft Patch Tuesday updates for September 2019 fix 2 privilege escalation flaws exploited in attacks
NetCAT attack allows hackers to steal sensitive data from Intel CPUs
Some models of Comba and D-Link WiFi routers leak admin credentials
The Wolcott school district suffered a second ransomware attack in 4 months
Iran-linked group Cobalt Dickens hit over 60 universities worldwide
LokiBot info stealer involved in a targeted attack on a US Company
SAP September 2019 Security Patch Day addresses four Security Notes rated as Hot News
SimJacker attack allows hacking any phone with just an SMS
Poland to establish Cyberspace Defence Force by 2024
The US Treasury placed sanctions on North Korea linked APT Groups
WatchBog cryptomining botnet now uses Pastebin for C2
Expert disclosed passcode bypass bug in iOS 13 a week before its release
Hackers stole payment data from Garmin South Africa shopping portal
InnfiRAT Trojan steals funds from Bitcoin and Litecoin wallets

Pierluigi Paganini

(SecurityAffairs – Newsletter, hacking)

The post Security Affairs newsletter Round 231 appeared first on Security Affairs.