- At least six thousand Lantronix Serial-To-Ethernet devices are leaking Telnet passwords
- Anonymous launch Brazilian Corrupt Public Sector Entities Data Leak
- Kaspersky case – Now we know who is the NSA hacker who kept Agency’s cyber weapons at home
- Europol and law enforcement agencies dismantled a criminal ring specialized in ATM attacks and payment Card Fraud
Posted: 02 Dec 2017 09:06 AM PST
A security researcher discovered thousands of Lantronix Serial-to-Ethernet devices connected online that leak Telnet passwords.
The security researcher Ankit Anubhav, principal researcher at NewSky Security, has discovered thousands of Serial-to-Ethernet devices connected online that leak Telnet passwords.
Hackers can use the leaked passwords to launch cyber attacks against the equipment that is connected to them.
Serial-to-Ethernet “device servers” are used by companies to connect to remote equipment that exposes only a serial interface.
The flawed Serial-to-Ethernet “device servers” are manufactured by the US vendor Lantronix.
The “device servers” are widely used to give connectivity to ICS (Industrial Control Systems) equipment, most of which is very old and comes only with serial ports.
According to Ankit Anubhav, half of the Lantronix device servers exposed online are leaking their Telnet passwords. An attacker can take over the device via Telnet and use the privileged access to send serial commands to the connected devices.
“6,464 Lantronix device servers that may be connected to critical ICS-grade equipment are proudly exposing their passwords,” Anubhav told Bleeping Computer. “This accounts for 48% of the devices on Shodan.”
Imagine the potential dangers of a cyber attack against ICS equipment exposed online through a vulnerable Lantronix device.
Anubhav explained that data exposure is an old flaw that could be exploited by attackers to retrieve the setup config of Lantronix devices by sending a malformed request on port 30718.
The Metasploit hacking platform includes a Lantronix “Telnet Password Recovery” module that retrieves the setup record from Lantronix serial-to-ethernet devices via the config port (30718/udp, enabled by default on old versions of Lantronix devices) and extracts the Telnet password in plain text.
Once again, patch management is the root cause of the problem: the vulnerable devices have not had the security updates that fix the issue installed.
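A defender-side check for the exposure described above, as an added example (not from the original article, Lantronix or NewSky Security): it scans flow records for external queries to the config port 30718/udp and flags a Telnet connection from the same source to the same device shortly afterwards. The log format, the internal range 10.20.0.0/16 and the 30-minute window are assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

CONFIG_PORT = ("udp", 30718)    # Lantronix config port named in the article
TELNET_PORT = ("tcp", 23)
WINDOW = timedelta(minutes=30)  # assumed correlation window
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # assumed site range

# Constructed sample flow records, time-ordered: "timestamp proto src dst dport"
SAMPLE_LOG = """\
2017-12-02T09:00:01 udp 203.0.113.7 10.20.0.15 30718
2017-12-02T09:00:40 tcp 203.0.113.7 10.20.0.15 23
2017-12-02T09:05:00 udp 10.20.0.99 10.20.0.15 30718
2017-12-02T09:10:00 udp 198.51.100.4 10.20.0.16 30718
2017-12-02T11:30:00 tcp 198.51.100.4 10.20.0.16 23
2017-12-02T11:31:00 tcp 192.0.2.50 10.20.0.17 23
"""

def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)

def parse(line):
    ts, proto, src, dst, dport = line.split()
    return (datetime.fromisoformat(ts), proto,
            ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport))

def find_exposure(log_text):
    """Return (finding, src, dst) tuples for externally sourced traffic only."""
    last_query = {}  # (src, dst) -> time of the latest external config-port query
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, proto, src, dst, dport = parse(line)
        if is_internal(src) or not is_internal(dst):
            continue  # only inbound traffic from outside the site is of interest
        if (proto, dport) == CONFIG_PORT:
            # The config port should never be reachable from outside at all.
            last_query[(src, dst)] = ts
            findings.append(("config-port-exposed", str(src), str(dst)))
        elif (proto, dport) == TELNET_PORT:
            seen = last_query.get((src, dst))
            if seen is not None and ts - seen <= WINDOW:
                # Telnet right after a config query suggests the password was read.
                findings.append(("telnet-after-config-query", str(src), str(dst)))
    return findings

if __name__ == "__main__":
    for finding in find_exposure(SAMPLE_LOG):
        print(*finding)
```

Any `config-port-exposed` hit means the device is reachable on 30718/udp from outside and should be firewalled and updated; a `telnet-after-config-query` hit warrants treating the Telnet password as disclosed.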
(Security Affairs – hacking, Serial-To-Ethernet devices)
Posted: 02 Dec 2017 06:07 AM PST
In an astonishing move, Anonymous leaked infrastructure topology data of public sector entities to the people of Brazil in the midst of the Lava Jato scandal.
The compromised data includes IP addresses from the public sector, ranging from law enforcement agencies to local municipalities. This data leak comes at a moment when a strong fight against corruption is taking place.
The data leak reflects a lack of maturity in adopting a framework, like NIST, for keeping information secret in the country's information technology marketplace today.
Such events may seem commonplace in today's evolving threat landscape, but this one was to be expected, as hackers usually come up with new attacks as the year approaches its end.
The data reveal in great detail how the network topology of critical services infrastructure is structured, including routers, firewalls and other open services.
It is important to note that all IP ranges of the São Paulo military and civil police were leaked, including servers related to public identification and public safety. The compromised data also describes the police servers in full, exposing not only the identity of every police officer but also the entire public security office.
According to the accompanying message, the hackers' intent was to support the fight against corruption in Brazil, which has moved onto new ground: the fifth domain. The cyber domain has reached public opinion, where society's scrutiny and its demand for justice are a mouse click away. These corrupt law enforcement agencies are globally known to be involved in extortion, drug trafficking, murder, oppression, violations of United Nations human rights and violence against minorities such as black people and homosexuals.
The fight against corruption and abuse of power and authority can be a new front line for the Lava Jato operation, including the police of the state of São Paulo, where the population lives as hostages to a public service colluding with organized crime. As shown in media outlets this week, a strong stance must be taken to meet the public's demands for justice and morality in the use of the taxes paid by every citizen.
This single event raises an important point: the importance of developing and implementing a security framework like NIST to address cyber security for ICS/SCADA industrial control systems. It is important to note that the framework is structured in such a way that it can be adapted to the model currently in use. Critical infrastructure, in the face of today's information security challenges, must address threats from rogue nations like North Korea and China.
The data leak is available at the following URL
“In accordance with corruption fight around the world, we are leaking the complete network infrastructure topology of public sector entities so anyone can hack into and discover the undoings paid with your money.” reads the Anonymous’s message.
Luis Nakamoto is a Computer Science student of Cryptology and an information security enthusiast who has participated in groups like Comissão Especial de Direito Digital e-Compliance (OAB/SP) and CCBS (Consciência Cibernética Brasil) as a researcher in new technologies related to ethical hacking, forensics, and reverse engineering. He is also a prolific and compulsive writer, contributing as an editor to Portal Tic from Sebrae Nacional.
(Security Affairs –Data Leak, Anonymous Brazil)
Posted: 02 Dec 2017 03:54 AM PST
A former NSA hacker pleaded guilty on Friday to illegally taking classified documents home, which were later stolen by Russian cyber spies.
A member of the US National Security Agency Tailored Access Operations hacking team, Nghia Hoang Pho (67) pleaded guilty in a US district court in Baltimore on Friday to one count of willful retention of national defense information.
The Vietnam-born American citizen, who lives in Ellicott City, Maryland, has been charged with illegally removing top secret materials.
The NSA hacker admitted taking home copies of classified NSA hacking tools and exploits with the knowledge that they were cyber weapons.
The tools were detected by the Kaspersky Lab software installed on the NSA hacker’s personal computer and were sent back to Kaspersky’s server for further analysis.
Kaspersky Lab recently published a detailed report on how cyber spies could have easily stolen the software exploits from the NSA employee's Windows PC.
According to the telemetry logs collected by the Russian firm, the staffer temporarily switched off the antivirus protection on the PC and infected his personal computer with spyware from a product key generator while trying to use a pirated copy of Office.
On September 11, 2014, Kaspersky antivirus detected the Win32.GrayFish.gen trojan on the NSA employee's PC. Sometime later, the employee disabled the Kaspersky software to execute the activation-key generator.
When the antivirus was reactivated on October 4, it removed the backdoored key-gen tool from the NSA employee's PC and uploaded it to Kaspersky's cloud for further analysis.
Kaspersky published a second report that sheds light on the investigation conducted by the firm on the NSA-linked Equation Group APT.
Kaspersky searched its databases from June 2014 onward, 6 months prior to the year of the alleged hack of its antivirus, for all alerts triggered containing wildcards such as "HEUR:Trojan.Win32.Equestre.*". The experts found a few test signatures in place that produced a large number of false positives.
The analysis revealed the presence of a specific signature that fired a large number of times in a short time span on just one system, specifically the signature "HEUR:Trojan.Win32.Equestre.m" and a 7zip archive (referred to below as "[undisclosed].7z"). This was the beginning of the analysis of the system, which was found to contain not only this archive but also many files, both common and unknown, indicating that this was probably a person related to the malware development.
The analysis of the computer where the archive was found revealed that it was already infected with malware. In October of that year the user downloaded a pirated copy of Microsoft Office 2013, but the .ISO contained the Mokes backdoor.
Kaspersky was able to detect and halt Mokes, but the user turned off the Russian software to execute the keygen.
Once the antivirus was turned on again, it detected the malware. Kaspersky added that over two months its security software found 128 separate malware samples on the machine that weren't related to the Equation Group.
Kaspersky found that the Mokes' command and control servers were apparently being operated by a Chinese entity going by the name "Zhou Lou", from Hunan, using the e-mail address "email@example.com."
The security firm explained that it's also possible that the NSA contractor's PC may have been infected with a sophisticated strain of malware developed by an APT that was not detected at the time.
The NSA hacker Pho now faces roughly six to eight years in prison, with sentencing set for April 2017.
According to the plea deal, Pho broke federal law because he took the code home multiple times. He admitted that, over a five-year period starting in 2010, he copied the information from NSA machines and took it all home with him.
“Beginning in 2010 and continuing through March 2015, Pho removed and retained U.S. Government documents and writings that contained national defense information, including information classified as Top Secret and Sensitive Compartmented Information,” the US Department of Justice said in disclosing the guilty plea.
“This material was in both hard-copy and digital form, and was retained in Pho's residence in Maryland.”
The positive aspect of the story is that Pho did not act for cyber espionage purposes; he wasn’t charged with selling or passing on any of the data.
The fact that Pho was the third NSA employee charged in the past two years for taking home top-secret information is embarrassing and highlights the risk of insiders.
(Security Affairs – NSA hacker, Kaspersky)
Posted: 02 Dec 2017 01:59 AM PST
Law enforcement agencies dismantled a criminal ring and arrested four key members responsible for ATM attacks and performing illegal transactions.
European law enforcement agencies announced the success of an operation called “Neptune” that dismantled a criminal ring and led to the arrest of four key members responsible for stealing payment card data and performing illegal transactions.
The investigation, supported by Europol, involved law enforcement agencies in Italy, Bulgaria, and the Czech Republic.
“The operation run by the Italian Carabinieri, in cooperation with the Bulgarian General Directorate of Combating Organised Crime, and the National Police of Czech Republic, supported by Europol's European Cybercrime Centre (EC3) culminated today with the arrest of four Bulgarian citizens.” states the press release published by Europol.
“The leaders of the transnational criminal group actively supervised all stages of criminal activities, including placing technical equipment on ATMs in the central areas of European cities, producing counterfeit credit cards and subsequently cashing out money from ATMs in non-European countries, for example Belize, Indonesia and Jamaica.”
The four criminals, all Bulgarian citizens, were arrested on November 30, 2017.
The crooks targeted ATMs in central areas of European cities to steal credit card data by placing skimmers and hidden cameras. The stolen data were used to clone the cards, and the fake cards were used to cash out money from ATMs in non-European countries, including Belize, Indonesia and Jamaica.
Investigators identified dozens of ATMs that have been compromised by the crooks.
Law enforcement seized more than 1,000 counterfeit credit cards and collected evidence of many fraudulent international transactions worth more than EUR 50,000.
“The coordination and exchange of intelligence has been supported by the Joint Cybercrime Action Taskforce (J-CAT) set up at Europol. Since most of the illegal transactions with counterfeit cards took place overseas, the cooperation through dedicated investigative networks set up by Europol has been instrumental.” continues the press release.
In September, a report published by Europol warned of a rise in cyber attacks against ATM machines. Criminal organizations are targeting ATM machines through the banks' networks, and the operations involve squads of money mules for the cashout.
Earlier this week, Europol shared the results of the European Money Mule Action 'EMMA3', a global law enforcement operation against money muling. The operation resulted in 159 arrests, 409 suspects interviewed, and 766 money mules and 59 money mule organizers identified.
(Security Affairs – cybercrime, ATM skimming)