Russian hacker Alexander Zhukov extradited by Bulgaria to US

Posted: 20 Jan 2019 10:54 AM PST

Bulgaria has extradited to the United States a Russian hacker who had been indicted by a US court for mounting a sophisticated hacking scheme.

According to the Russian embassy in Washington, the Russian hacker Alexander Zhukov was extradited on January 18. The Russian embassy has chosen to disclose the news on the VK social network, the Russian version of Facebook. The hacker is currently held in a jail in Brooklyn, New York.

“Employees of the Consulate General in New York will visit him in jail soon,” the embassy said.

Zhukov is accused of being involved in a sophisticated ad fraud scheme that leverages advertising and malware to compromise computer networks.

In November, law enforcement agencies and private firms such as Google and WhiteOps took down one of the largest and most sophisticated digital ad-fraud campaigns, dubbed 3ve, which infected over 1.7 million computers to carry out advertising fraud.

The name 3ve is derived from a set of three distinct sub-operations, each using its own measures to avoid detection and each built around a different architecture with different components.

3ve has been active since at least 2014, and experts observed a peak in its activity in 2017. The campaign is estimated to have earned its operators more than $30 million; the people involved in the ad-fraud campaign are all from Eastern Europe.

The United States Department of Justice indicted 8 individuals from Russia, Kazakhstan, and Ukraine, Zhukov among them.

The operators used a broad range of techniques to monetize their efforts: they created counterfeit versions of legitimate websites, used their own botnet to simulate visitor activity, then sold the ad space on those sites to advertisers, and used Border Gateway Protocol (BGP) hijacking to redirect traffic. The crooks also used malicious code to generate fake clicks on online ads and earn money.

Zhukov 3ve campaigns

The infrastructure involved in the 3ve ad-fraud campaign was enormous: according to the experts, the fraudsters infected 1.7 million computers with malware, and the attackers used thousands of servers and more than 10,000 counterfeit websites to impersonate legitimate web publishers.

The experts discovered that the crooks used over 60,000 accounts selling ad inventory, generating a record 3 to 12 billion ad bid requests per day.

Zhukov, aka Nastra, was arrested in November in Bulgaria, where he had lived since 2010.

“According to Kommersant newspaper, which claims to have spoken with a friend of Zhukov, the hacker stood out on the dark web for the selective way he chose his jobs, staying away from credit-card theft or child pornography,” reported the AFP.

“Zhukov was earning about $20,000 per month on his fake ad-view contracts, but was exposed after a conflict with his US client, Kommersant said.”

Pierluigi Paganini

(SecurityAffairs – Zhukov, ad fraud)

The post Russian hacker Alexander Zhukov extradited by Bulgaria to US appeared first on Security Affairs.

Security Affairs newsletter Round 197 – News of the week

Posted: 20 Jan 2019 05:32 AM PST

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Let me inform you that my new book, “Digging in the Deep Web”, is online with a special deal: a 20% discount on both the Kindle Edition and the Paper Copy.

Once again thank you!

TA505 Group adds new ServHelper Backdoor and FlawedGrace RAT to its arsenal
Computers at the City Hall of Del Rio were infected by ransomware
German Watchdog will request Facebook changes
Unsecured MongoDB archive exposed 202 Million private resumes
Which is the link between Ryuk ransomware and TrickBot?
Zurich refuses to pay Mondelez for NotPetya damages because it's 'an act of war'
A flaw in vCard processing could allow hackers to compromise a Win PC
Cranes, drills and other industrial machines exposed to hack by RF protocols
Mozilla will disable Adobe Flash by default starting from Firefox 69
Too many issues in Pentagon networks expose it to cybersecurity risks
Critical bug in Amadeus flight booking system affects 141 airlines
Experts link attack on Chilean interbank network Redbanc to NK Lazarus APT
GreyEnergy: Welcome to 2019
I swiped right, Viewing sensitive data cached in your Safari browser.
Multiple Fortnite flaws allowed experts to takeover players accounts
Collection #1 dump, 773 million emails, 21 million passwords
Drupal fixes 2 critical code execution flaws in Drupal 7, 8.5 and 8.6
South Korea: hackers compromised Defense Acquisition Program Administration PCs
Unprotected server of Oklahoma Department of Securities exposes millions of government files
Android apps use the motion sensor to evade detection and deliver Anubis malware
Attacks in the wild leverage flaw in ThinkPHP Framework
Fallout Exploit Kit now includes exploit for CVE-2018-15982 Flash zero-day
Oracle critical patch advisory addresses 284 flaws, 33 critical
Twitter fixed a bug in its Android App that exposed Protected Tweets
6 Reasons We Need to Boost Cybersecurity Focus in 2019
A bug in Microsoft partner portal 'exposes' support requests to all partners
ES File Explorer vulnerabilities potentially impact 100 Million Users

Pierluigi Paganini

(SecurityAffairs – Microsoft partner portal, data leak)


DarkHydrus adds Google Drive support to its RogueRobin Trojan

Posted: 19 Jan 2019 11:31 PM PST

Security experts have attributed new malicious campaigns to the DarkHydrus APT group (aka Lazy Meerkat); the threat actors used a new variant of the RogueRobin Trojan and leveraged Google Drive as an alternative C2 channel.

DarkHydrus was first discovered by experts at Palo Alto Networks’ Unit 42 team in July when the group carried out attacks aimed at a government agency in the Middle East.

The threat actors focused their activity on the Middle East, using weaponized Microsoft Excel documents to compromise victims’ systems.

On January 9, experts at 360’s Threat Intelligence Center (360 TIC) first observed attacks leveraging lure Excel documents written in Arabic.

“This malware is a lure Excel document with name 'الفهارس.xlsm'. When it is opened, the embedded VBA macro is triggered to run. That macro drops 12-B-366.txt to the '%TEMP%' directory first, then leverages regsvr32.exe to run 12-B-366.txt,” reads the analysis published by TIC.

The final stage malware is a backdoor written in C#.

According to the analysis made by malware researchers from Palo Alto Networks, the text file includes parts of a Windows Script Component (.SCT) file that once concatenated delivers a version of the RogueRobin trojan.

“The New_Macro function starts by concatenating several strings to create a PowerShell script that it will write to the file %TEMP%\WINDOWSTEMP.ps1. The function builds the contents of a second file by concatenating several strings together, but this second file is a .sct file that the function will write to a file %TEMP%\12-B-366.txt,” reads the analysis published by Palo Alto Networks.

“While .sct files are used by a multitude of applications, in this instance it is being used as a Windows Script Component file. The function then uses the built-in Shell function to run the following command, which effectively executes the .sct file stored in 12-B-366.txt.”
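The delivery chain described above (an Office macro that drops a text file and hands it to regsvr32.exe) leaves a distinctive process-creation footprint. The following Python is an added detection example, not code from 360 TIC, Palo Alto Networks or the RogueRobin analyses: it scores constructed process-creation events on three signals a defender would look for. The event field names, the list of library extensions, the temp-directory markers and the Office parent names are this example's own assumptions; the file name 12-B-366.txt is the one quoted in the analyses.

```python
import re
from pathlib import PureWindowsPath

# Extensions regsvr32.exe legitimately registers; any other file type given as an
# argument (a .txt, .sct, .xml ...) deserves a closer look. Assumption of this example.
LIBRARY_EXTENSIONS = {".dll", ".ocx", ".ax"}
# A macro shelling out to regsvr32 means the parent is an Office binary (assumption).
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Path fragments that identify the usual temp directories (assumption).
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

# Constructed process-creation events (not real telemetry); the field names are
# this example's own, loosely modelled on Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": r"regsvr32.exe /s C:\Users\victim\AppData\Local\Temp\12-B-366.txt",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": r"regsvr32.exe /s C:\Windows\System32\msxml6.dll",
     "parent": r"C:\Windows\System32\msiexec.exe"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe C:\Users\victim\Desktop\notes.txt",
     "parent": r"C:\Windows\explorer.exe"},
]


def split_args(command_line):
    """Split a Windows command line on whitespace, keeping double-quoted tokens intact."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', command_line)]


def regsvr32_findings(event):
    """Return the reasons this event looks like regsvr32 executing a script payload."""
    findings = []
    if PureWindowsPath(event["image"]).name.lower() != "regsvr32.exe":
        return findings
    for arg in split_args(event["command_line"])[1:]:
        # /i:<value> passes an argument to the registered component; inspect that value too.
        target = re.sub(r"^[/-]i:", "", arg, flags=re.IGNORECASE)
        if target.startswith(("/", "-")):
            continue  # plain switch such as /s or /u
        ext = PureWindowsPath(target).suffix.lower()
        if ext and ext not in LIBRARY_EXTENSIONS:
            findings.append(f"non-library argument: {target}")
        if any(marker in target.lower() for marker in TEMP_MARKERS):
            findings.append(f"argument under a temp directory: {target}")
    parent = PureWindowsPath(event["parent"]).name.lower()
    if parent in OFFICE_PARENTS:
        findings.append(f"spawned by Office application: {parent}")
    return findings


def scan_events(events):
    """Return (index, findings) for every event that triggers at least one finding."""
    flagged = []
    for index, event in enumerate(events):
        findings = regsvr32_findings(event)
        if findings:
            flagged.append((index, findings))
    return flagged


if __name__ == "__main__":
    for index, reasons in scan_events(SAMPLE_EVENTS):
        print(f"event {index}: " + "; ".join(reasons))
```

Only the first constructed event is flagged, on all three signals; the legitimate msxml6.dll registration and the unrelated notepad launch produce nothing. In production the same three checks map directly onto a process-creation rule in an EDR or SIEM, with the temp-directory and Office-parent signals raising severity rather than standing alone.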

The samples of the RogueRobin Trojan analyzed by Palo Alto Networks implement additional functionality, including use of the Google Drive API. This new feature allows the attackers to use Google Drive as an alternative command and control channel, which makes the malicious traffic harder to detect.

The main communication channel with the C2 server is DNS tunneling.

“A command that was not available in the original PowerShell variant of RogueRobin but is available with the new C# variant is the x_mode. This command is particularly interesting as it enables an alternative command and control channel that uses the Google Drive API.” continues Palo Alto Networks. “The x_mode command is disabled by default, but when enabled via a command received from the DNS tunneling channel, it allows RogueRobin to receive a unique identifier and to get jobs by using Google Drive API requests.”

Once activated, the malware receives from the C2 server, via DNS tunneling, a list of settings that allows it to interact with Google Drive.

The commands are exchanged through a file that the Trojan uploads to Google Drive; every change to that file is interpreted as a command.

The RogueRobin Trojan also checks whether it is running in a virtualized environment or a sandbox before triggering the payload.

According to Palo Alto Networks, the malware also checks for common analysis tools running on the system and the presence of a debugger.

“Just like in the sandbox checks, the Trojan checks for an attached debugger each time it issues a DNS query; if it does detect a debugger it will issue a DNS query to resolve 676f6f646c75636b.gogle[.]co. The domain is legitimate and owned by Google. The subdomain 676f6f646c75636b is a hex encoded string which decodes to goodluck.” states Palo Alto Networks.
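Both the DNS-tunneling C2 channel and the debugger check above show up in resolver logs, and the hex-encoded subdomain quoted by Palo Alto Networks is something a defender can decode automatically. The following Python is an added example, not code from Palo Alto Networks or 360 TIC: it parses constructed, BIND-style query-log lines, decodes any subdomain label that is pure hex and yields printable ASCII (676f6f646c75636b decodes to goodluck, as the report states), and also flags over-long labels as a generic tunneling heuristic. The log format, the minimum hex-label length, the 32-character long-label threshold and all hostnames other than the quoted gogle[.]co lookup are this example's own assumptions.

```python
import re
import string

# Hex labels shorter than this are skipped: short ones produce too many accidental
# decodes (this example's threshold, not from the report).
MIN_HEX_LABEL = 8
# A single label of 32+ characters is a common DNS-tunneling heuristic (assumption).
LONG_LABEL = 32
PRINTABLE = set(string.ascii_letters + string.digits + string.punctuation + " ")
QUERY_RE = re.compile(r"query: (\S+) IN (\w+)")

# Constructed query-log lines in a BIND-like format (not real telemetry). The first
# carries the debugger-detection lookup quoted from the Palo Alto report, written in
# its defanged form; the other hostnames are placeholders invented for this example.
SAMPLE_LOG = [
    "client 10.0.0.5#51234: query: 676f6f646c75636b.gogle[.]co IN A",
    "client 10.0.0.5#51240: query: www.example.com IN A",
    "client 10.0.0.7#40211: query: 48656c6c6f576f726c64.c2-placeholder.example IN TXT",
    "client 10.0.0.9#33333: query: aGVsbG8gd29ybGQgdGhpcyBpcyBhIGxvbmcgbGFiZWw.t.example.net IN A",
]


def decode_hex_label(label):
    """Return the ASCII text hidden in a hex-encoded label, or None if it is not one."""
    if len(label) < MIN_HEX_LABEL or len(label) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", label):
        return None
    try:
        text = bytes.fromhex(label).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if all(ch in PRINTABLE for ch in text) else None


def analyse_qname(qname):
    """Inspect the subdomain labels, i.e. everything left of the registrable domain."""
    qname = qname.replace("[.]", ".").rstrip(".")  # undo IoC-style defanging
    labels = qname.split(".")
    # Simplification: treat the last two labels as the registrable domain (ignores co.uk etc.).
    subdomain_labels = labels[:-2] if len(labels) > 2 else []
    decoded = [(lbl, decode_hex_label(lbl)) for lbl in subdomain_labels]
    return {
        "qname": qname,
        "decoded": [(lbl, txt) for lbl, txt in decoded if txt is not None],
        "long_labels": [lbl for lbl in subdomain_labels if len(lbl) >= LONG_LABEL],
    }


def scan_dns_log(lines):
    """Return the analysis of every query that has a decodable hex label or an over-long label."""
    flagged = []
    for line in lines:
        match = QUERY_RE.search(line)
        if not match:
            continue
        result = analyse_qname(match.group(1))
        if result["decoded"] or result["long_labels"]:
            result["qtype"] = match.group(2)
            flagged.append(result)
    return flagged


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(hit["qname"], hit["qtype"], hit["decoded"], hit["long_labels"])
```

Three of the four constructed lines are flagged: the goodluck lookup, a second hex-encoded label, and a long base64-looking label caught by the length heuristic; the plain www lookup passes. Decoding the label in the alert text gives an analyst the operator's message directly, which is more useful than a bare "suspicious hex" verdict.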

Experts believe the DarkHydrus group is continuing its operations and has improved its techniques and its arsenal. The recent attacks show the group abusing open-source penetration-testing techniques such as the AppLocker bypass.

Further information, including IoCs for the malware used by the group, is reported in the analyses published by both 360 TIC and Palo Alto Networks.

Pierluigi Paganini

(SecurityAffairs – hacking, DarkHydrus)


“Collection #1” Data Breach Analysis – Part 1

Posted: 19 Jan 2019 10:31 PM PST

Cybersecurity expert Marco Ramilli has analyzed the huge trove of data, called Collection #1, that was first disclosed by Troy Hunt.

A few weeks ago I wrote about "How Data Breaches Happen", where I shared some publicly available "pasties" within apparently (not tested) SQLi vulnerable websites. One of the most famous data breaches in the past few years is happening in these days. I am not saying that the two events are linked, but I have fun in thinking that events happen in bursts. Many magazines all around the world wrote about the data breach (Collection #1) published by Troy Hunt on 773 million new records (here). Today I'd like to write a quick partial analysis that I've been able to extract from those records (I grabbed data from publicly available pasties websites). First of all, let me say that the work done has been super difficult (at least to me) since it required a huge amount of computational power and very high-speed internet access because of the humongous collected data. In order to make analysis over such a humongous data breach, I used a powerful Elastic Search Cloud instance and I wrote a tiny python script to import super dirty data into a common format. Some records could not be loaded because of the format type, the charset or whatever it had, so please consider a relative error of about 4 to 5% (circa) in the following data analyses.

PARTIAL Analysis of Collection #1

One of the first questions I wanted to answer was: "What are the most used passwords?". I am aware that many studies wrote about the most used passwords, but now I do have the opportunity to measure it, to get really used passwords and to evaluate the reality. So let's see what the most used passwords out there are!

Collection #1 PARTIAL Analysis on used passwords

So far the most used passwords are: "123456", "q1w2e3r4t5y6", "123456789", "1qaz2wsx3edc", followed by most common passwords like "12345678" and "qwerty". By observing the current graph and comparing it to common research on frequently used passwords such as here, here, and here we might appreciate a significant difference: the pattern complexity! In fact, while years ago the most used passwords were about names, dates or simple patterns such as "qwerty", today we observe a significant increase in pattern complexity, but still too easy to be brute-forced.

A second question came by looking at leaked emails: "What are the domain names of the most leaked emails?" Those domains are not the most vulnerable domains but rather the most used ones. So I'm not saying that those domains are or have been vulnerable or Pwned, but I am trying to find what are the most leaked email providers. In other words, if you receive an email from "@gmail.com", what is the probability that it has been leaked and potentially compromised? Again I cannot answer such a question since I do not have the total amount of "@gmail.com" accounts all around the world, but I think it might be a nice indicator to find out what are the most leaked email domain names.

PARTIAL Analysis on most leaked domain

The most leaked emails come from "yahoo.com", "gmail.com", "aol.com" and "hotmail.com". This is quite interesting since we are mostly facing personal email providers (domains) rather than professional email providers (such as company.com). So apparently, attackers are mostly focused on targeting people rather than companies (maybe attacking non-professional websites and/or distributing malware to people rather than company domain names). Another interesting figure is the number of unique leaked email domain names: 4426, so far!

Finally, it would be great to know from what sources the data is coming! At such a point I have no evidence of what I am going to write about, but I made some deductions from the leaked data structure. The following image shows the collection-1 structure.

PARTIAL Analysis Collection#1 Structure

Each folder holds .TXT files which have names that look like domain names. Some of those are really domain names (tested), some others are on sale right now, and many others seem to just look like a domain, but I had no evidence of them. Anyway, I decided to assume that the file names looking like domain names are the domains from which the attacker leaked information. So, with that in mind we might deduce where the attacker extracted the data (usernames and passwords) and perform a personal evaluation about the leaked information.
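The analysis above rests on three mechanical steps: normalising dirty "email:password" lines into a common format, counting the most used passwords and the most leaked email domains, and keeping track of the share of records that could not be loaded (the relative error the author mentions). The following Python is an added illustration of those steps, not Marco Ramilli's own import script, which the page does not reproduce, and it works on a small constructed sample rather than on an Elasticsearch index. Every address and password in the sample is invented for this example; the accepted separators and the UTF-8 assumption are this example's own choices.

```python
import re
from collections import Counter

# One credential per line; the separator after the e-mail may be ':', ';' or '|',
# and since a password may itself contain separators only the first one counts.
RECORD_RE = re.compile(r"^\s*([^\s:;|@]+@[^\s:;|]+)\s*[:;|]\s*(.*?)\s*$")

# Constructed sample lines imitating the mixed, partly broken formats of a credential
# dump: different separators, mixed case, a junk line and a line with a bad encoding.
SAMPLE_DUMP = [
    b"alice@gmail.com:123456",
    b"bob@yahoo.com;qwerty",
    b"carol@example.org:123456",
    b"dave@gmail.com:q1w2e3r4t5y6",
    b"not a record at all",
    b"erin@hotmail.com:123456",
    b"\xff\xfe\x00broken encoding",
    b"FRANK@Yahoo.com:qwerty",
    b"grace@aol.com|password1",
    b"heidi@gmail.com:123456",
]


def parse_record(raw):
    """Normalise one raw line to (email, domain, password); None if it cannot be parsed."""
    try:
        line = raw.decode("utf-8")  # assumption: the dump is meant to be UTF-8
    except UnicodeDecodeError:
        return None
    match = RECORD_RE.match(line)
    if not match or not match.group(2):
        return None
    email, password = match.group(1).lower(), match.group(2)
    return email, email.rsplit("@", 1)[1], password


def analyse_dump(lines, top=5):
    """Count the most used passwords and most leaked e-mail domains, tracking the error rate."""
    passwords, domains = Counter(), Counter()
    parsed = 0
    for raw in lines:
        record = parse_record(raw)
        if record is None:
            continue  # counted towards the relative error, never silently dropped
        parsed += 1
        _, domain, password = record
        passwords[password] += 1
        domains[domain] += 1
    total = len(lines)
    return {
        "total": total,
        "parsed": parsed,
        "error_rate": (total - parsed) / total if total else 0.0,
        "top_passwords": passwords.most_common(top),
        "top_domains": domains.most_common(top),
        "unique_domains": len(domains),
    }


if __name__ == "__main__":
    report = analyse_dump(SAMPLE_DUMP)
    print(f"loaded {report['parsed']}/{report['total']} records, error rate {report['error_rate']:.1%}")
    print("top passwords:", report["top_passwords"])
    print("top domains:", report["top_domains"], "unique:", report["unique_domains"])
```

On the constructed sample two of ten lines fail to load (a 20% error rate, far above the 4 to 5% the author reports for the real data, simply because the sample is tiny), "123456" and "gmail.com" top the two counts, and five unique domains are seen. Lower-casing the address before counting matters: without it "FRANK@Yahoo.com" and "bob@yahoo.com" would be counted under two different domains.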

Are you interested in Marco Ramilli’s conclusions? Take a look at his post:

Pierluigi Paganini

(SecurityAffairs – hacking, collection #1)
