It’s a mystery, member of the Lurk gang admits creation of WannaCry ransomware for intelligence agencies
30.12.2017 securityaffairs Ransomware
A hacker belonging to the Lurk cybercrime gang admits the creation of WannaCry ransomware and DNC hack on request of intelligence agencies.
In an interview to Dozhd TV channel, one of the members of the Lurk crime group arrested in the Russian city of Ekaterinburg, Konstantin Kozlovsky, told that he was one of the authors of the dreaded WannaCry ransomware and that the job was commissioned by intelligence agencies.
The Lurk cybercrime gang was known in the criminal ecosystem because it developed, maintained and rent the infamous Angler Exploit Kit. A joint investigation conducted by the Russian Police and the Kaspersky Lab allowed the identification of the individuals behind the Lurk malware. The members of the Lurk cybercrime crew were arrested by Russian law enforcement in the summer of 2016.
Law enforcement arrested the suspects in June, authorities accused them of stealing around $45 million USD from Russian financial institutions by using the Lurk banking trojan.
According to the Cisco Talos researchers, after the arrests of the individuals behind the Lurk banking trojan, it has been observed a rapid disappearance of the Angler EK in the wild.
According to Kozlovsky, WannaCry was developed to target corporate networks and rapidly spread by infecting the larger number of machines. The intent was to paralyze the activities of the target organization with just ‘one button.’
“The virus was tested on computers of the Samolet Development company which is engaged in construction of housing in Moscow area. Also hackers planned to hack a network of Novolipetsk Steel and to try to stop its blast furnaces.” reported the Russian Website crimerussia.com.
Konstantin Kozlovsky, that is now being held in a pre-trial detention center, already admitted to have worked for intelligence agencies.
Earlier the hacker told that cracked servers of the Democratic party of the USA and e-mail of Hillary Clinton for the Russian Intelligence Agency FSB.
Kozlovsky explained that the actions were coordinated by Dmitry Dokuchaev from the Center of Information Security of the FSB. Dmitry Dokuchaev is one of the two Russian intelligence officers (Dmitry Dokuchaev and Igor Sushchin) charged in March by the US Justice Department along with hackers Alexsey Belan and Karim Baratov for breaking into Yahoo servers in 2014.
Dokuchaev through his lawyer denied knowing Kozlovsky.
The Kozlovsky’s story is quite strange, he is currently under the custody of Russian authorities and anyway continues to accuse the FSB also of other hacks. Is this a new disinformation campaign? Who and why is orchestraing it?
In December, the US Government attributes the massive attack Wannacry to North Korea.
The news of the attribution was first reported by The Wall Street Journal, according to the US Government, the WannaCry attack infected millions of computers worldwide in May is an act of Information Warfare.
WannaCry infected 200,000 computers across 150 countries in a matter of hours last week, it took advantage of a tool named “Eternal Blue”, originally created by the NSA, which exploited a vulnerability present inside the earlier versions of Microsoft Windows. This tool was soon stolen by a hacking group named “Shadow Brokers” which leaked it to the world in April 2017.
WannaCry ransomware on a Bayer radiology system – Source Forbes
Chinese censorship – authorities have shut down 13,000 websites since 2015
30.12.2017 securityaffairs BigBrothers
China continues to strengthen its online censorship, it has shut down or revoked the licenses of 13,000 websites since 2015 for violating the country’s internet rules.
State media also reported that service providers have closed nearly 10 million internet accounts for “violating service protocol.”
“These moves have a powerful deterrent effect,” Xinhua quoted Wang Shengjun, vice chairman of the Standing Committee of the National People’s Congress (NPC), as saying.
Chinese authorities have summoned more than 2,200 websites operators since 2015. According to Xinhua more than 10 million people who refused to register using their real names had internet or other telecoms accounts suspended over the past five years.
Within China, websites must register with authorities and are responsible for “ensuring the legality of any information” that is published on them.
These data confirm the strict control powered by China on the digital lives of its citizens.
According to Freedom House, China is the country with the most restrictive online use policies.
The new Chinese cyber security law gives more power to the Government and enforces new rules especially for those companies that produce software that could be used to circumvent the country’s censorship.
The Great Firewall project already blocked access to more hundreds of the world’s 1,000 top websites, including Google, Facebook, Twitter, and Dropbox.
Recently the Chinese authorities have sentenced a man to five-and-a-half years in prison for selling a VPN service without the authorization.
Since early this year, the Chinese authorities started banning “unauthorized” VPN services, any company offering such type of service in the country must obtain an appropriate license from the government.
People resident in the country make use of VPN and Proxy services to bypass the censorship implemented by the Great Firewall and access website prohibited by the Government without revealing their actual identity.
A 28-year-old Kansas man was shot and killed by police in a swatting attack
30.12.2017 securityaffairs Hacking
Andrew Finch, a 28-year-old man from Wichita, Kansas, was killed last week in a swatting attack by police who were responding to a call reporting a hostage situation at the man’s house.
All begun on the evening of December 28, two gamers bet they could complete the Call of Duty game by ‘swatting’ each other, but one of them gave the wrong address to a nearby known swatter.
“The two CoD players reportedly got into an argument over a small money loss on UMG’s wager platform online (view match) and threatened to swat each other, with one of the players sending the other incorrect details of an address nearby to a known swatter, who was reportedly responsible for the CWL Dallas bomb hoax evacuations.” reported the website Dexerto.
29 Dec
Christopher Duarte
✔
@Parasite
Unbelievable, two kids in the community got in a verbal dispute and thought it would be funny to swat each other which resulted in an innocent man being killed by police officers responding to the swat calling. Disgusted.
Christopher Duarte
✔
@Parasite
pic.twitter.com/ZCTqzucWwnhttp://www.kansas.com/news/local/crime/article192081124.html …
5:29 AM - Dec 29, 2017
View image on TwitterView image on Twitter
47 47 Replies 191 191 Retweets 347 347 likes
Twitter Ads info and privacy
Yes, you heard right, the absurd death was the result of a “swatting” attack gone wrong.
According to the popular expert Brian Krebs, the dispute originated on Twitter, one of the parties allegedly using the Twitter handle “SWauTistic” threatened to swat another user who handles the account “7aLeNT“. @7aLeNT dared someone to swat him, but then tweeted an address that was not his own.
“Swautistic responded by falsely reporting to the Kansas police a domestic dispute at the address 7aLenT posted, telling the authorities that one person had already been murdered there and that several family members were being held hostage.” wrote Krebs.
“Not long after that, Swautistic was back on Twitter saying he could see on television that the police had fallen for his swatting attack. When it became apparent that a man had been killed as a result of the swatting, Swautistic tweeted that he didn’t get anyone killed because he didn’t pull the trigger (see image above).
Swautistic soon changed his Twitter handle to @GoredTutor36, but KrebsOnSecurity managed to obtain several weeks’ worth of tweets from Swautistic before his account was renamed. Those tweets indicate that Swautistic is a serial swatter — meaning he has claimed responsibility for a number of other recent false reports to the police.”
“I heard my son scream, I got up, and then I heard a shot,” said Lisa Finch, the mother of the shooting victim, in a video interview with the Wichita Eagle.
Police then handcuffed Lisa Finch and took her outside, along with “my roommate and my granddaughter, who witnessed the shooting and had to step over her dying uncle’s body.”
Andrew was unarmed and the police did not find any weapon in the house.
A typical “Swatting” scenario sees someone calls police from the target’s home and describes a fake emergency situation urging the intervention of the law enforcement. This is what has happened at the Finch’s house.
“We were told that someone had an argument with their mother, and dad was accidentally shot and that now that person was holding brother, sister, and mother hostage,” a police official told reporters.
According to the official, Andrew Finch “came to the front door” and “one of our officers discharged his weapon,” killing the man, but he declined to explain why the agent opened the fire.
To be clear, Andrew Finch was not a Call of Duty player and he was no linked with the two gamers.
The police are investigating the case to track the person who called them first reporting the fake emergency.
The recording of the call to 911 operators that prompted this tragedy can be heard at this link.
Swatting is a serious problem, a member of Congress has proposed legislation to combat this illegal practice.
Back in 2013, the popular expert Brian Krebs was the victim of a swatting attack, fortunately with a happy ending.
Samsung Android Browser is affected by a critical SOP bypass issue, a Metasploit exploit code is available
30.12.2017 securityaffairs Android
The browser app pre-installed on Samsung Android devices is affected by a critical SOP bypass issue, tracked as CVE-2017-17692.
The browser app pre-installed on Android devices is affected by a critical flaw, tracked as CVE-2017-17692, that could be exploited by an attacker to steal data from browser tabs if the user visits an attacker-controlled site.
The SOP bypass issue in the Samsung Internet Browser was discovered by the security researcher Dhiraj Mishra.
The CVE-2017-17692 vulnerability is a Same Origin Policy (SOP) bypass issue that affects the Samsung Internet Browser version 5.4.02.3 and earlier.
The Same Origin Policy is one of the most important security mechanisms implemented in modern browsers, the basic idea behind the SOP is the javaScript from one origin should not be able to access the properties of a website on another origin.
A SOP bypass occurs when a sitea.com is somehow able to access the properties of siteb.com such as cookies, location, response etc.
An attacker can copy victim’s session cookie or hijack his session and read and write webmail on your behalf.
Mishra developed a Metasploit Module for the exploitation of the SOP bypass issue and reported the flaw to the MITRE to assign CVE.
Mishra also reported the flaw to Samsung, who acknowledged it and confirmed that “the patch is already preloaded in our upcoming model Galaxy Note 8, and the application will be updated via Apps store update in October.“
Here is the Source Code for Bypassing Same Origin Policy in Samsung Internet Browser in Metasploit,
“When the Samsung Internet browser opens a new tab in a given domain (say, google.com) through a Javascript action, that Javascript can come in after the fact and rewrite the contents of that page with whatever it wants,” reads a blog post published by researchers from security firm Rapid7.
“This is a no-no in browser design since it means that Javascript can violate the Same-Origin Policy, and can direct Javascript actions from one site (controlled by the attacker) to act in the context of another site (the one the attacker is interested in). Essentially, the attacker can insert custom Javascript into any domain, provided the victim user visits the attacker-controlled web page first.”
The experts from Rapid7 have also published a video PoC of the attack.
The availability online of the Metasploit exploit code pose a serious risk to Android users that are still using the old Android Stock browser.
A Kernel Exploit for Sony PS4 Firmware 4.05 is available online
30.12.2017 securityaffairs Exploit
The developer SpecterDev finally released a fully-functional kernel exploit for PlayStation 4 (firmware 4.05) dubbed ‘namedobj’.
Good news for PlayStation gamers, the developer SpecterDev finally released a fully-functional kernel exploit for PlayStation 4 (firmware 4.05) dubbed ‘namedobj’.
PS4 gamers who are running firmware version lower than 4.05 need to update their gaming console to trigger the exploit.
The Kernel exploit was released two months after Team Fail0verflow revealed the technical details about the first PS4 Kernel Exploit.
The kernel exploit ‘namedobj’ is now available on Github, it works for the PlayStation 4 on 4.05FW and allows users to run arbitrary code on the device.
“In this project you will find a full implementation of the “namedobj” kernel exploit for the PlayStation 4 on 4.05. It will allow you to run arbitrary code as kernel, to allow jailbreaking and kernel-level modifications to the system. This release however, does not contain any code related to defeating anti-piracy mechanisms or running homebrew. This exploit does include a loader that listens for payloads on port 9020 and will execute them upon receival.” reads the description published on GitHub.
The availability of the kernel exploit could allow developers to write a working jailbreak and kernel-level modifications to the system.
Jailbreaking allows removing hardware restrictions implemented by the operating system, it allows users to run custom code on the console and install mods, games, and third-party applications bypassing the anti-piracy mechanisms implemented by Sony.
“This release, however, does not contain any code related to defeating anti-piracy mechanisms or running homebrew,” SpecterDev said.
“This exploit does include a loader that listens for payloads on port 9020 and will execute them upon receival.”
Reading the “Notes” we can notice that the developer warns that the exploit should not work for some users.
“This exploit is actually incredibly stable at around 95% in my tests. WebKit very rarely crashes and the same is true with kernel. I’ve built in a patch so the kernel exploit will only run once on the system. You can still make additional patches via payloads,” SpecterDev warned.
At this point, experts at Sony will work to identify the flaws triggered by the kernel exploit and fix them.
Pavel Lerner, head of EXMO cryptocurrency exchange, was kidnapped in Ukraine
30.12.2017 securityaffairs Cyber
According to Ukrainian media, the head of the EXMO cryptocurrency exchange Pavel Lerner has been kidnapped in Kiev, the police is investigating the case.
According to Ukrainian media, the Russian IT expert Pavel Lerner has been kidnapped in Kiev.
Pavel Lerner (40) is a and managing director EXMO, one of the largest cryptocurrency exchanges, and according to a Ukrainian media Strana.ua he stopped responding to phone calls on December 26.
“According to the applicant in the case, Lerner was abducted near his workplace – an office center in Stepan Bandery Street (before renaming – Moscow Avenue). The programmer was dragged into the car of Mercedes-Benz Vito brand (state number AA 2063 MT) by unknown persons in dark clothes and balaclava, and taken away to an unknown destination.” states the Strana.ua.
Lerner has been kidnapped while he was leaving his office in Stepan Bandera Prospect in Kiev.
The IT specialist led a number of startups, related to blockchain technology and cryptocurrency mining.
Ukrainian police are investigating the case, at the time I was writing it is still unclear who and why kidnapped the man.
EXMO confirmed the news of the kidnapping and clarified that company operations were not affected by what has happened. EXMO also added that Lerner did not have direct access to any cryptocurrency account or other personal data.
“We are doing everything possible to speed up the search of Pavel Lerner. Any information regarding his whereabouts is very much appreciated,” PR-department of EXMO said.
“Despite the situation, the exchange is working as usual. We also want to stress that nature of Pavel’s job at EXMO doesn’t assume access either to storages or any personal data of users. All users funds are absolutely safe.”