As the global infosec community continues to fight back against the threat of new attacks, the cybercriminals behind the WannaCry ransomware attacks are still at it, attempting to reap as much profit as possible. Security experts have detected new ransom demands made by the WannaCry hackers. Some experts working to mitigate the attacks and come up with a decryption key for infected users have reportedly been targeted by DDoS attacks leveraging the widespread Mirai botnet.

The attacks are an attempt to go after the kill switch, activated by Marcus Hutchins, aka MalwareTech, a 22-year-old British security researcher working for Kryptos Logic, who became the "accidental hero" by stopping the first wave of global ransomware attacks that hit numerous companies and networks across 150 countries.

Mirai-powered DDoS attacks against the WannaCry kill switch

Once news broke that MalwareTech had stopped the attacks, the sinkhole (the kill-switch website used to direct the malware to a specific web address in order to contain it) almost immediately came under attack from the WannaCry hackers.

"Pretty much as soon as it went public what had happened, one of the Mirai botnets started on the sinkhole," MalwareTech told Wired. He added that the DDoS attacks may not have been the work of the original WannaCry authors. Instead, he believes that this may be the work of other hacker groups that want to restart the WannaCry epidemic just for fun.

"They've obviously got no financial incentive. They're not the ransomware developers," the researcher said. "They're just doing it to cause pain." He added that the attacks appear to be coming from known Mirai-based botnets that appeared when the botnet's source code was first publicly released by its creator Anna_Senpai. Hutchins believes that the attacks are the work of low-level hackers using publicly available tools.

"Now any idiot and their dog can set up a Mirai botnet," Hutchins says.

However, Hutchins is confident that he and his colleagues at Kryptos Logic can keep the attackers at bay. The firm has also enlisted the help of an unspecified DDoS mitigation company to help defend against the hackers.

New ransom demands

Despite the spread of the attacks having been stopped, the WannaCry attackers are sending out new ransom demands to victims. According to a tweet by Symantec, as of 18 May, victims were still receiving new messages from the WannaCry hackers.

A Twitter account cataloguing the activity of the three bitcoin wallets tied to the WannaCry attacks in real time shows that numerous people have paid ransoms and some continue to do so. As of now, over $94,000 has been raked in by the attackers, according to the Twitter bot.

However, so far none of the money has been transferred out, indicating that the attackers controlling the bitcoin wallets may be playing it safe in an effort to avoid attracting the attention of the numerous law enforcement agencies now actively hunting them.

There's still uncertainty surrounding the identity of the WannaCry authors. Although some security experts said the North Korean hacker group Lazarus, also believed to be behind the infamous Sony hack, may be linked to the ransomware, a recent statement by Interpol indicates that attribution is yet to be nailed down conclusively.

Experts are tirelessly working on creating viable decryption tools that may help WannaCry victims regain access to their lost data.

Source: International Business Times, by India Ashok

Categorized in Internet Privacy

The clandestine data hosted within the Dark Web is not secret anymore and has been compromised.

A group affiliated with hacker collective Anonymous has managed to bring down one fifth of Tor-based websites in a vigilante move. The group infiltrated the servers of Freedom Hosting II and took down almost 10,000 websites as they were sharing child porn.

For the unfamiliar, the Dark Web is the part of the World Wide Web that exists on overlay networks and darknets. The Dark Web uses the public Internet, but access to it can only be gained through specific software, authorization codes or a particular configuration.

The Dark Web, or Deep Web as some call it, is not indexed by search engines and keeps the identity and activity of its users anonymous.

Freedom Hosting II is the single largest host of sites on the Dark Web. The hacker group has managed to breach the host's servers and currently has access to gigabytes of data that it downloaded from the service.

Looks like Freedom Hosting II got pwned. They hosted close to 20% of all dark web sites (previous @OnionScan report) https://t.co/JOLXFJQXiH

— Sarah Jamie Lewis (@SarahJamieLewis) February 3, 2017

Dark Web researcher Sarah Jamie Lewis states that Freedom Hosting II hosts roughly 15 to 20 percent of all underground sites on the Dark Web.

“Since OnionScan started in April we have observed FHII hosting between 1500 and 2000 services or about 15-20% of the total number of active sites in our scanning lists,” stated Lewis in her OnionScan 2016 report.

All these underground websites hosted by Freedom Hosting II are .onion sites and can be accessed through the Tor browser.

People visiting the hacked websites were greeted with the message: “Hello, Freedom Hosting II, you have been hacked.”

A petty ransom of 0.1 bitcoin, about $100 at today’s exchange rate, has been demanded by the hackers, who managed to compromise the host servers and download 75 GB of files and 2.6 GB of database content.

The Anonymous-affiliated hackers said they decided to attack the Freedom Hosting II servers after learning that the host was managing child pornography sites, for which they have zero tolerance. About half of the data downloaded contains child pornography.

The hackers claim they found 10 child pornography sites with almost 30 GB of files and assert that Freedom Hosting II was aware of these sites and had their content.

“This suggests they paid for hosting and the admin knew of those sites. That’s when I decided to take it down instead,” said the hacker group to Motherboard.

Although it is tough to verify the claims of the hacker group, they do fall in line with the history of previous Dark Web hosting companies. The original version of Freedom Hosting was prosecuted for child pornography in 2013 by law enforcement officials.

The hackers who took down Freedom Hosting II told Motherboard that it was their first hack. The leaked data may now prompt law enforcement officials to intervene, and it would not be too surprising to hear of arrests, since this data could be used in many ways.

Author : TIMOTHY SMITH

Source : http://www.themarshalltown.com/anonymous-attack-thousands-of-websites-on-the-dark-web/19265

Categorized in Deep Web

Attacks on WordPress sites using a vulnerability in the REST API, patched in WordPress version 4.7.2, have intensified over the past two days, as attackers have now defaced over 1.5 million pages, spread across 39,000 unique domains.

Initial attacks using the WordPress REST API flaw were reported on Monday by web security firm Sucuri, which said four groups of attackers had defaced over 67,000 pages.

The number grew to over 100,000 pages the next day, but according to a report from fellow web security firm WordFence, these numbers have skyrocketed today to over 1.5 million pages, as there are now 20 hacking groups involved in a defacement turf war.

Mass defacements started this week

The vulnerability at the core of this series of attacks is a bug discovered by Sucuri researchers, which the WordPress team fixed with the release of WordPress 4.7.2 on January 26.

According to Sucuri, attackers can craft simple HTTP requests that allow them to bypass authentication and edit the titles and content of WordPress pages. This vulnerability only affects sites running WordPress versions 4.7.0 and 4.7.1.

Initially, the vulnerability was deemed very high-risk, and the WordPress security team kept it secret for almost a week, giving a large number of WordPress site owners time to update their CMS before attacks could begin.

Nonetheless, WordPress and Sucuri experts realized they couldn't keep this secret indefinitely, and after a week both teams revealed to the world that the WordPress 4.7.2 release included a silent fix for the WordPress REST API.

Sucuri's initial fears became reality a few days later, as both Sucuri and WordFence started seeing attacks leveraging the REST API flaw against sites the two were protecting.

Figure: Defacement attempts via REST API flaw over time (via Sucuri)

Figure: Defacement attempts via REST API flaw over time (via WordFence)

As time passed, the number of attacks against the REST API flaw grew, and it became clear to both companies that attackers had discovered how to exploit the flaw on sites that were left without an update, although nobody expected such a sharp rise in hacked pages in so short a time.

"This vulnerability has resulted in a kind of feeding frenzy where attackers are competing with each other to deface vulnerable WordPress websites," said Mark Maunder, Wordfence Founder and CEO. "During the past 48 hours we have seen over 800,000 attacks exploiting this specific vulnerability across the WordPress sites we monitor."

Figure: Hacking groups engaging in recent WordPress defacements

In reality, the number of attacks is far higher, since not all sites are protected by WordFence and Sucuri firewalls.

WordPress REST API flaw at the heart of recent defacement attacks

According to Maunder, the REST API flaw breathed new life into the activity of many defacers, a term used to describe hackers who take over websites and rewrite the content of pages.

Based on Google Trends data that took into consideration the signature (name) of each of these hacking crews, we can see sharp increases in popularity and mentions for various groups, right after Sucuri revealed the REST API flaw in a blog post at the start of February.

Figure: WordPress REST API attacks reflected in Google Trends (via WordFence)

Most of the defaced sites are easily reachable via a Google query, just by searching for the hacking group's name. All the defacements so far are just a simple image or some text, but Sucuri CTO Daniel Cid believes this will change once more capable SEO spamming groups get involved.

Figure: Defaced websites indexed by Google

At the time of writing, there's a feeding frenzy in regards to defacing unpatched WordPress sites, with many groups rewriting each other's defacement message.

We've seen similar behavior in the recent database ransom attacks targeting MongoDB servers, where different groups were rewriting each other's ransom notes.

Over the weekend, Google also warned WordPress website owners registered in the Google Search Console. Google attempted to send security alerts to all WordPress 4.7.0 and 4.7.1 website owners, but some emails reached WordPress 4.7.2 owners, some of which misinterpreted the email and panicked, fearing their site might lose search engine ranking.

Author : Catalin Cimpanu

Source : https://www.bleepingcomputer.com/news/security/attacks-on-wordpress-sites-intensify-as-hackers-deface-over-1-5-million-pages/

Categorized in Internet Privacy

Since last week, ransomware attacks on Elasticsearch have quadrupled. Just like the MongoDB ransomware assaults of several weeks ago, Elasticsearch incursions are accelerating at a rapid rate.

Figure: The vast majority of vulnerable Elasticsearch servers are open on Amazon Web Services. (John Matherly)

There are an estimated 35,000 Elasticsearch clusters open to attack. Of these, Niall Merrigan, a solution architect who has been reporting on the attack numbers on Twitter, states that over 4,600 of them have been compromised.

If your Elasticsearch server is hacked, you'll find your data indices gone and replaced with a single index warning. The first example read:

SEND 0.2 BTC TO THIS WALLET: 1DAsGY4Kt1a4LCTPMH5vm5PqX32eZmot4r IF YOU WANT RECOVER YOUR DATABASE! SEND TO THIS EMAIL YOUR SERVER IP AFTER SENDING THE BITCOINS...

In return for the 0.2 bitcoins (not quite $175), you might get your data back.

Elasticsearch is a popular, open-source, distributed RESTful search engine. Built on the Lucene search-engine library, it's used by major websites such as Pandora, SoundCloud, and Wikipedia for search functionality. When deployed by amateurs without any security skills, it's simple to crack.

These wide-open instances are typically deployed with little protection on Amazon Web Services (AWS) clouds. Perhaps the people deploying them are under the illusion that AWS is protecting them. Wrong.

AWS does tell you how to protect your AWS Elasticsearch instances, but you still have to do the work. In short, RTFM.

The worst thing about this? Just like the MongoDB attacks, none of this would have happened if the people running these instances had protected them with basic, well-known security measures.

For starters, as Elasticsearch consultant Itamar Syn-Hershko explained in a blog on how to protect yourself against Elasticsearch attacks: "Whatever you do, never expose your cluster nodes to the web. This sounds obvious, but evidently this isn't done by all. Your cluster should never-ever be exposed to the public web."

In a word, "duh!"

Elasticsearch was never meant to be wide-open to internet users. Elastic, the company behind Elasticsearch, explained all this in 2013. That post is filled with such red-letter warnings as "Elasticsearch has no concept of a user." Essentially, anyone who can send arbitrary requests to your cluster is a "super user."

Does this sound like a system you should leave wide-open on the internet for any Tom, Dick, or Harry to play with? I don't think so!

So, what can you do? First, if you're using Elasticsearch for business, bite the bullet and get the commercial version of Elasticsearch. Then add X-Pack Security to your setup and implement its security features.

By itself, Elasticsearch has no security. You must add it on.

If you're committed to doing it on your own, practice basic security. At a bare minimum this includes:

  • Don't run on internet-accessible servers.
  • If you make your Elasticsearch cluster internet accessible, restrict access to it via firewall, virtual private network (VPN), or a reverse proxy.
  • Perform backups of your data to a secure location and consider using Curator snapshots.
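As an added example (not code from the article, Elastic or AWS), a small Python audit that applies the checklist above to constructed inputs: it flags a node whose REST port is bound beyond loopback, flags a configuration without X-Pack security enabled (the "anyone who can send requests is a super user" condition quoted above), and picks Elasticsearch ports out of an `ss -ltn`-style listener table. The two `elasticsearch.yml` fragments and the listener table are constructed samples; `_local_`, `_site_` and `_global_` are Elasticsearch's documented special values for `network.host`.

```python
import ipaddress

# Constructed elasticsearch.yml fragments: the exposed setting beside the loopback-only form.
WEAK_CONFIG = """\
network.host: 0.0.0.0          # every interface, including the public one
http.port: 9200
xpack.security.enabled: false
"""
HARDENED_CONFIG = """\
network.host: _local_          # loopback only; clients arrive via VPN or reverse proxy
http.port: 9200
xpack.security.enabled: true
"""
# Constructed `ss -ltn` style listener table from a node bound to every interface.
SAMPLE_LISTENERS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     127.0.0.1:22        0.0.0.0:*
LISTEN  0       4096    0.0.0.0:9200        0.0.0.0:*
LISTEN  0       4096    [::]:9300           [::]:*
"""

PUBLIC_SPECIALS = {"0.0.0.0", "::", "_global_", "_site_"}
LOOPBACK_SPECIALS = {"_local_", "localhost"}
ES_PORTS = {9200, 9300}  # REST and transport defaults

def parse_flat_yaml(text):
    """Parse flat `key: value` lines of elasticsearch.yml; comments stripped, no nesting."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            key, _, value = line.partition(":")
            settings[key.strip()] = value.strip().strip("\"'[]")
    return settings

def reachable_beyond_loopback(host):
    """True if a network.host/http.host value accepts connections from other machines."""
    if host in LOOPBACK_SPECIALS:
        return False
    if host in PUBLIC_SPECIALS or (host.startswith("_") and host.endswith("_")):
        return True  # wildcard, _site_/_global_, or an _eth0_-style interface binding
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        return True  # hostname: cannot be resolved offline, so treat as exposed

def audit_config(config_text):
    """Findings for one elasticsearch.yml; an empty list means both checks pass."""
    s = parse_flat_yaml(config_text)
    findings = []
    # http.host overrides network.host for the REST port; both default to loopback
    http_host = s.get("http.host", s.get("network.host", "_local_"))
    if reachable_beyond_loopback(http_host):
        findings.append(f"REST API bound to {http_host}: firewall, VPN or reverse proxy needed")
    if s.get("xpack.security.enabled", "false").lower() != "true":
        findings.append("no X-Pack security: anyone who can reach port 9200 is a superuser")
    return findings

def exposed_es_listeners(ss_output):
    """Local addr:port of Elasticsearch ports listening on non-loopback addresses."""
    exposed = []
    for line in ss_output.splitlines()[1:]:
        local = line.split()[3]
        addr, _, port = local.rpartition(":")
        if int(port) in ES_PORTS and reachable_beyond_loopback(addr.strip("[]")):
            exposed.append(local)
    return exposed

if __name__ == "__main__":
    print("weak:", audit_config(WEAK_CONFIG))
    print("hardened:", audit_config(HARDENED_CONFIG))
    print("exposed:", exposed_es_listeners(SAMPLE_LISTENERS))
```

A private, non-loopback bind such as 10.0.0.5 is still reported, because the article's rule is that anything reachable from the network needs a firewall, VPN or reverse proxy in front of it.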

In short, practice security 101, and don't be the fool who lets anyone invade their servers. After all, you could end up paying a lot more than petty cash if a truly malicious hacker came by to raid your servers.

Author: Steven J. Vaughan-Nichols
Source: http://www.zdnet.com/article/elasticsearch-ransomware-attacks-now-number-in-the-thousands

Categorized in Internet Ethics

Hotel and restaurant chains, beware. A notorious cybercriminal gang is tricking businesses into installing malware by calling their customer services representatives and convincing them to open malicious email attachments.

The culprits in these hacks, which are designed to steal customers’ credit card numbers, appear to be the Carbanak gang, a group that was blamed last year for stealing as much as $1 billion from various banks.

On Monday, security firm Trustwave said that three of its clients in the past month had encountered malware built with code found in previous Carbanak attacks.

This particular campaign has been preying on the hospitality industry, said Brian Hussey, Trustwave’s global director of incident response. The hackers start by calling a business’s customer service line and pretending to be clients who can’t access the online reservation system.

To deliver the malware, the hackers also send an email to the customer service agent with an attached Word document purportedly containing their reservation information. In reality, this document is designed to download malware to the computer.

The hackers are very persistent, Hussey said. “They’ll stay on the line with the customer service rep until they open up the attachment,” he said. “They have excellent English.”

The hackers can also be very convincing. They appear to be researching their targets on the business networking site LinkedIn and finding out the names of company department heads. “During the call, they’ll do some name-dropping to establish credibility,” Hussey said.

Once the malware is installed, it can download other malicious tools to tamper with the rest of a business’s network. The goal of the attack is to record credit card numbers from point-of-sale machines or e-commerce payment processes, according to Hussey.

In recent years, retailers, restaurants and hotels all have been hit by similar attacks intended to steal payment card data. The malware in this case is more broad-reaching than most. It includes the ability to snap screenshots from the desktop, steal passwords and email addresses and scan a network for valuable targets.

Most, if not all, antivirus engines have failed to detect the malware used in these hacks, according to Trustwave.

"We've talked to our law enforcement contacts, and they are seeing the same thing," Hussey said.

In a blog post, Trustwave outlined the technical details of the malware and other indicators that businesses can use to determine if they’ve been compromised.

“Once this malware finds what it wants, it can steal every single credit card that passes through your servers,” Hussey said. “For a large restaurant chain, that can be a million customers over a period of time.”

Source : pcworld.com
Categorized in Internet Privacy

Imagine a major attack against the Internet on Election Day with a singular goal: disrupt voter turnout.

It sounds like pure paranoia, but that's the gist of a debate that started on Twitter this weekend and quickly drew in some big names in Silicon Valley.

Adam D'Angelo, Facebook's former chief technology officer and founder of Quora, tweeted on Sunday he believes there's a "good chance of major internet attack Nov 8th."

"Many groups have the ability and incentive. Maps outage alone could easily skew the election," D'Angelo wrote.

Put another way: If an organized group could somehow take down a service like Google Maps through a brute-force attack or security hole, perhaps it would prevent some voters from finding their polling locations. After all, many big services like Twitter, Netflix and Spotify suffered outages this month from a prolonged cyberattack.

Such an attack might disproportionately affect "young people who rely on phones" and lean Democrat, at least according to D'Angelo.

Many on Twitter dismissed D'Angelo's comments as "conspiracy theories" that lacked "sources" to back them up, but one group appeared to take it surprisingly seriously: the tech industry.

"Is there anything to be done about it?" Dustin Moskovitz, a Facebook cofounder and billionaire backer of Hillary Clinton, tweeted in response to D'Angelo.

Mike Vernal, a venture capitalist at Sequoia, called it a "scary thought." Elad Gil, a former Twitter exec, suggested it "would be great if major internet cos had maps available either in products or offline."

"There's often chatter here and there [about election cybersecurity in Silicon Valley], but since Nov. 8 is so close, the volume has definitely turned up a bit," says David Byttow, a former Google engineer and founder of Secret, who also joined the Twitter debate.

Byttow tossed out other blockbuster targets that would be particularly disruptive, including Google's search engine (yes, Google again) and cell providers like AT&T and Verizon that connect millions to online services.

"I think the chances of a large-scale orchestrated attack [are] very low," Byttow added. "But, given all that's at stake in this election and the seemingly unprecedented tensions that have been stirred up on all sides, I wouldn't be surprised if it did happen."

Security experts mostly shrugged off the doomsday scenario as little more than tech execs getting carried away with themselves.

"Silicon Valley is filled with smart people thinking to themselves, 'If I was going to disrupt the election, what would I do?'" says Jeremiah Grossman, chief of security strategy at SentinelOne, which makes security software.

In reality, it's nearly impossible. Not only would the supposed group have to find a way to take down Google Maps, a difficult feat on its own, it would also have to interrupt competing mapping services from Apple or Yahoo to really cut off voters.

"Taking down all three, I don't think that's terribly doable," Grossman says. Even then, a voter could just call their local election board.

That doesn't necessarily mean all will be quiet online this Election Day, however.

Another, more likely scenario, according to security experts and some in the tech industry, is that hackers would go after easier targets like news websites and prominent social media accounts to stop or distort the flow of information at pivotal moments that day.

"It wouldn't have the practical effect of preventing voting, but it could have the effect of making people feel the system isn't under control," says Joshua Corman, a cybersecurity expert at the Atlantic Council think tank.

Byttow, the ex-Google engineer, agreed that "smaller scale attempts" are "much more likely." Still, he sounded a cautionary note.

"The best thing that people can do is have a plan for November 8th," he says. "Have a set time and set a local reminder on their phone, take some screenshots of the directions to the polling location and keep their head down until they cast their ballot."

Source : money.cnn

Categorized in Others
