Too many Websites hacked, ransom demanded

Today is a very sunny day, but cloudy online. After the hack of the webpage of the  Ukranian ministry of Energy as shown in figure 1 below.

329f9cc2-82e8-4ff9-9bfd-b3a14d8089c9-original
Figure 1

http://www.mev.gov.ua was displaying this ransomware message before, but later the site was taken down now displaying that it is running an Apache HTTP server on a CentOS server as in the figure 2 below. Meaning the administrator took it offline.

apache
Figure 2

As an investigator, I decided to run a secure search with the terms ”ooops, your website have been encrypted ” using DuckDuckgo as a search engine, and all the sites hacked were indexed as show in figure 3 below.

website encrypted
Figure 3

Too many websites , victims as of today of the ransomware attack. All those live websites displaying the same  message, the attackers even included music this time. The clock showing the time left to pay the ransom.The currency accepted is Bitcoin because it wont be possible to know who received the money.

The only way to bypass this it to make sure that the vulnerability used by the software and third party applications have been patched.

Stay Secured.

 

Advertisements

Bitcoin Phishing Ring CoinHoarder

Cisco’s Talos Group has published their findings on a Bitcoin theft campaign they have been tracking in the Ukraine. By purchasing Google AdWords, the attackers were able to target specific search terms, such as “blockchain” or “bitcoin wallet”. Potential victims, searching for these terms, would see the cybercriminals’ links in the search results as a featured ad. Clicking on the fake ad would send the victim’s browser to a landing page in their native language that attempted to garner credential information. These phishing pages were hosted on blockchalna.info and, except for the URL, appear quite similar to the real site. Using results from DNS queries and WHOIS data, Talos was not only able to track where the victims resided (Nigeria, Ghana, Estonia, and others), but were able to identify other potentially malicious sites as well. During the time Talos was watching this campaign, they noticed it evolving, the phishing pages began to look more like the real ones as well as the use of secure websites (HTTPS). The secure sites made use of certificates issued by Cloudflare and Let’s Encrypt. Another tactic observed was the use of internationalized domain names, referred to as homograph attacks. This is where an international character closely resembles an English character and could be mistaken by a casual viewer for the real URL.

Reference

https://blog.talosintelligence.com/2018/02/coinhoarder.html

https://s3-us-west-1.amazonaws.com/umbrella-blog-uploads/wp-content/uploads/2017/02/26230545/BTC_IOCs.pdf

https://umbrella.cisco.com/blog/2016/12/22/protecting-bank-pocket-rise-criminal-activity-correlates-bitcoin-price-surge-holidays/

5000 websites hacked to serve cryptomining malware

Five thousand websites in the US, UK and Australia have been hacked to serve cryptomining malware. Cryptomining malware is when cybercriminals infect your computer to do the calculations needed to generate a cryptocurrency like Bitcoin, Monero or Euthereum. The crooks use your electricity and processing power but keeps any cryptocoins proceed for themselves. The infection  is coming from browseraloud.com , a site that serves Javascript to your website to convert the page into voice reading to assist blind people. Of course, governments sites are meant to help out visitors even those who are not good at reading English. The browseraloud.com server was hacked , obfuscated javascript was added to download the code from coinhive.com and start mining cryptocurrency.

The only way to bypass this is to shut down your browser.

References

Sophos

Skynews

Ordinypt the ransomware targetting German Human Resources.

Ordinypt is a new ransomware in Germany . It appears as a ransomware but destroys data. It seems to be targetting only people in Germany because of  its email delevering language only in German. The email arrives as a ”job advertisement submission” resume with 2 files attachments : – A JPG image of a woman submitting a resume

-a ZIP file supposedly containing a resume and Curriculum Vitae.

HSDFSDCrypt-spam-email

The ZIP archive  contains two EXE files, but appears to be PDFs files to fool the user that those are not executable. Clicking on the EXE files will launch the Ordinypt wiper. This malware does not encrypt files but overwrites these latter with random data.

It displays a ransom note in every folder where it destroys files named  Wo_sind_meine_Dateien.html, translates as where_are_my_files.

HSDFSDCrypt-ransom-note

The only ways to bypass are:

  • Ensure anti-virus software and associated libraries are up to date
  • Ensure attachments do not have hidden / double extensions prior to clicking to open

CNET Hacked, Remote Servers accessed

CNET the most popular review technology websites has been hacked. A twitter user going by the name of worm and the handle @rev-priv8 posted a photo of a remote access to CNET.com server . The exploit was done through a vulnerability in the content management system probably WordPress or Joomla. CNET is not saying much about the attack but claims that username and password were not accessed.According to Forbes, Worm has even sold a database of CNET.com at a price of one Bitcoin.
http://www.forbes.com/sites/thomasbrewster/2014/07/14/russian-hacker-breaches-cnet-servers/
http://betanews.com/2014/07/15/1-million-users-affected-by-cnet-com-hack/

French manufacturer LaCie admits data breah

LaCie is a french manufacturer of  hard drive. It was a victim of a security breach and obviously sent notifications to customers about the incident . The breach was detected by the FBI on March 19,2014 which forwarded the alarm. A malware was used to gain access to customer’s transactions made between March 27,2013 and March 10,2014. Names, addresses,email addresses,payment card numbers and cards expiration dates belonging to customers  have been accessed by the unauthorized party. LaCie urged everyone to change their password believing that customers’ usernames and passwords  on LaCie’s website could have also been accessed.

Ukraine , target of Snake or Uroburo malware

Image

A dangerous cyber weapon has infected many computers in Ukraine in 2014. It is a spyware designed to steal sensitive secret information from high potential networks . Experts believe that this rootkit has been undetected for more than three years. Due to the complexity and the estimated high cost of this malware, G Data the German security company believes a sponsored state is behind this attack, possibly linked to Russia, since the developers of this malicious program speak Russia language.

Uroburo works autonomously and works on peer-to-peer mode .The infected computers spy on documents and send those to a PC connected to the internet. It supports 32 and 64 bit Windows Operating System.