Russian Central bank loses $31 million in cyber heist

It’s official: hackers have stolen 2 billion rubles, roughly 31 million US dollars, from accounts at the Russian central bank.

While I was reporting the news that, according to the FSB, unnamed foreign hackers are planning to undermine Russian banks, the Russian Central Bank confirmed that hackers have stolen 2 billion rubles (roughly $31M) in cyber attacks.

Central bank official Artyom Sychyov confirmed the incident and added that the hackers had attempted to steal much more, about 5 billion rubles.

“We were lucky to return some of the money,” said a Russian central bank spokesperson.


Sychyov was commenting on a central bank report released yesterday by the FSB. The hackers broke into bank accounts by faking a client’s credentials. The bank provided few other details in its lengthy report.

“Hackers stole more than 2 billion rubles ($31 million) from correspondent accounts at the Russian central bank, the bank said on Friday, the latest example of an escalation of cyber attacks on financial institutions around the globe.” Reuters reported.

At the time of writing there were no details about the attack.

The recent string of attacks against the SWIFT system urged financial regulators around the world to force banks to beef up cyber security.

In September, SWIFT disclosed more attacks against banks worldwide, pressured banks on security, and urged member banks to implement the new SWIFT software by November 19.

In recent months, a worrisome string of cyber attacks against banks worldwide through the SWIFT system has alarmed the banking industry. The so-called “SWIFT hackers” have conducted multiple cyber attacks against financial institutions. We reported the successful cyber heists against the Bangladesh bank, a Ukrainian bank, and an Ecuadorian bank, while a Vietnamese bank reported that it had blocked an ongoing cyber heist.

In May, a fourth bank, in the Philippines, fell victim to the SWIFT hackers, and experts at Symantec confirmed that the malware used by the crooks shares code with tools used by the notorious Lazarus group, which is linked to the North Korean government.

According to Reuters, SWIFT issued a new warning urging member banks to implement the new SWIFT software by 19 November.

The latest version of SWIFT’s software implements new security features specifically designed to defeat this kind of attack, including improved authentication processes and mechanisms for the early detection of fraudulent activity.

Stay tuned!

Pierluigi Paganini

(Security Affairs – Cyber heist, Russian Central bank)

The post Russian Central bank loses $31 million in cyber heist appeared first on Security Affairs.

50 Million installations potentially impacted by AirDroid issues

At least 10 million Android users are exposed to cyber attacks due to multiple vulnerabilities affecting the popular AirDroid app.

According to experts from the firm Zimperium, multiple vulnerabilities in the Android remote management tool AirDroid could expose more than 50 million devices to attack.

The flaws could be exploited to abuse built-in features and use them against the application’s users.

Experts highlight that AirDroid uses insecure communication channels, allowing attackers to mount Man-in-the-Middle (MitM) attacks and other types of attacks.

Researchers from Zimperium discovered that communication channels used to send authentication data to the statistics server are not properly protected because the encryption key is hardcoded inside the application.

An attacker on the same network as the victim could run a MitM attack to capture authentication credentials from the first HTTP request the application performs, and use them to act on behalf of the user.

“A malicious party could perform a MITM network attack and grab the device authentication information as shown in the “Details” section from the very first HTTP request the application performs.” reads the blog post published by Zimperium. “This HTTP request can be decrypted at runtime using the 890jklms key hardcoded inside the application and the authentication fields parsed from the resulting JSON.
Having this information, the attacker can now impersonate the victim’s device and perform various HTTP or HTTPS requests on its behalf to the AirDroid API endpoints.
For instance, a payload like the following (encrypted in DES with the same exact key) can be sent to the https://id4.airdroid.com/p14//user/getuserinfoviadeviceid.html endpoint:”

The attacker could craft a payload encrypted in DES with the same key to trick the server into revealing user information, including the email address and password hash.


The attacker could also use a MitM attack to redirect HTTP traffic to a malicious transparent proxy and modify the response to the /phone/vncupgrade request. In this way the attacker could inject a fake update and execute malicious code remotely on the device.

“Moreover, an attacker performing a MITM attack and redirecting HTTP traffic to a malicious transparent proxy, could modify the response for the /phone/vncupgrade request which is normally used by the application to check for add-on updates:

    GET /p14/phone/vncupgrade/?q=[DES ENCRYPTED PAYLOAD]&ver=20151 HTTP/1.1
    Host: srv3.airdroid.com
    Connection: close
    User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)

Injecting a new update, thus remotely executing custom code on the target device, is just a matter of modifying this response:”

To fix these issues, AirDroid should use only secure communication channels (HTTPS), implement key pinning to prevent SSL MitM attacks, use safe key exchange mechanisms, and digitally sign and verify the update files.
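The last of those mitigations, verifying update files against a key the attacker cannot hold, as an added example that is not AirDroid’s or Zimperium’s code. The names generate_keypair, sign_update and verify_update are assumptions, the key pair is generated at runtime with a small Miller-Rabin prime search, and the add-on bytes are constructed.

```python
# Added example, not AirDroid's or Zimperium's code: the client installs an
# add-on only if its signature verifies under a public key pinned in the app,
# so a MitM proxy rewriting the vncupgrade response cannot forge an update.
# Textbook RSA over SHA-256 keeps this stdlib-only (Python 3.8+); real code
# should use PKCS#1 PSS from a vetted library, not hand-rolled padding.
import hashlib
import random

def _is_probable_prime(n, rounds=16):
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def generate_keypair(bits=2048):
    # Vendor side: (n, e) is pinned in the app, (n, d) stays offline.
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (p * q, e), (p * q, pow(e, -1, phi))

def sign_update(private_key, update_bytes):
    # Vendor side: sign the SHA-256 digest of the add-on package offline.
    n, d = private_key
    return pow(int.from_bytes(hashlib.sha256(update_bytes).digest(), "big"), d, n)

def verify_update(pinned_public_key, update_bytes, signature):
    # Client side: reject unless the digest matches under the pinned key.
    n, e = pinned_public_key
    digest = int.from_bytes(hashlib.sha256(update_bytes).digest(), "big")
    return 0 < signature < n and pow(signature, e, n) == digest
```

A tampered package, a tampered signature, or a signature made with any key other than the pinned one all fail verify_update, which is the property a key shipped inside the APK cannot give.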

Pierluigi Paganini

(Security Affairs – AirDroid, hacking)


HexorBase – Administer & Audit Multiple Database Servers

HexorBase is a database application designed to administer and audit multiple database servers simultaneously from a centralised location. It is capable of performing SQL queries and brute-force attacks against common database servers (MySQL, SQLite, Microsoft SQL Server, Oracle, PostgreSQL). It allows packet routing through proxies or even...

Read the full post at darknet.org.uk

FSB accuses foreign hackers of plotting to undermine the Russian banks

According to the FSB, unnamed foreign hackers are planning to undermine Russian banks with cyber attacks and PSYOPs via social media.

The Kremlin is accusing unnamed foreign hackers of plotting to undermine the country’s banks.

The Russian Government believes that foreign powers plan to conduct PSYOPs to destabilize the banks. The hackers could combine the spread of fake documents about the status of Russian banks with massive cyber attacks.

The news was released by Russia’s intelligence service, the FSB. According to the Russian intelligence service, a group of servers located in the Netherlands and leased to the Ukrainian web hosting firm BlazingFast was ready to launch an assault next Monday.

“Russia’s domestic intelligence agency, the Federal Security Service (FSB), said that the servers to be used in the alleged cyber attack were located in the Netherlands and registered to a Ukrainian web hosting company called BlazingFast.” Reuters reported.

“The attack, which was to target major national and provincial banks in several Russian cities, was meant to start on Dec. 5, the FSB said in a statement.”


Servers physically located in the Netherlands and leased to BlazingFast, a Ukrainian web-hosting firm, were primed to launch an assault next Monday.

“It was planned that the cyber attack would be accompanied by a mass send-out of SMS messages and publications in social media of a provocative nature regarding a crisis in the Russian banking system, bankruptcies and license withdrawals.” reads a statement issued by the FSB. 

“The FSB is carrying out the necessary measures to neutralise threats to Russia’s economic and information security.”

Russia’s central bank confirmed to Reuters that it was aware of the imminent threat and that, for this reason, it is working with the security services.

“The situation is under control. Banks have been given necessary guidance,” the central bank said.

Anton Onoprichuk, the director of the firm BlazingFast, told Reuters that he was not aware of the alleged plan of attack, and that neither the FSB nor any other intelligence agency had been in touch with him.

Recently Russian banks were targeted by a series of massive DDoS attacks powered by the Mirai IoT botnet.

Pierluigi Paganini

(Security Affairs – Russian banks, hacking)


‘Avalanche’ botnet takes a tumble after Europol cyber-bust

Multi-agency global operation takes down longstanding cybercrime platform

New iOS lockscreen bypass renders Activation Lock useless

Security researchers have found a new bug that allows bypassing the Activation Lock feature.

Visa Delays Chip Deadline for Pumps To 2020

Visa this week delayed by three years a deadline for fuel station owners to install payment terminals at the pump that are capable of handling more secure chip-based cards. Experts say the new deadline — extended from 2017 — comes amid a huge spike in fuel pump skimming, and means fraudsters will have another three years to fleece banks and their customers by installing card-skimming devices at the pump.

Until this week, fuel station owners in the United States had until October 1, 2017 to install chip-capable readers at their pumps. Under previous Visa rules, station owners that didn’t have chip-ready readers in place by then would have been on the hook to absorb 100 percent of the costs of fraud associated with transactions in which the customer presented a chip-based card yet was not asked or able to dip the chip (currently, card-issuing banks eat most of the fraud costs from fuel skimming). The chip card technology standard, also known as EMV (short for Europay, MasterCard and Visa) makes credit and debit cards far more expensive and difficult for thieves to clone.

This week, however, Visa said fuel station owners would have until October 1, 2020 to meet the liability shift deadline.

A Bluetooth-based pump card skimmer found inside of a Food N Things pump in Arizona in April 2016.


“The fuel segment has its own unique challenges, which we recognized when we first set the chip activation date for automated fuel dispensers/pumps (AFDs) two years after regular in-store locations,” Visa said in a statement explaining its decision. “We knew that the AFD segment would need more time to upgrade to chip because of the complicated infrastructure and specialized technology required for fuel pumps. For instance, in some cases, older pumps may need to be replaced before adding chip readers, requiring specialized vendors and breaking into concrete. Furthermore, five years after announcing our liability shift, there are still issues with a sufficient supply of regulatory-compliant EMV hardware and software to enable most upgrades by 2017.”

Visa said fuel pump skimming accounts for just 1.3 percent of total U.S. payment card fraud.

“During this interim period, Visa will monitor AFD fraud trends closely and work with merchants, acquirers and issuers to help mitigate any potential counterfeit fraud exposure at AFDs,” Visa said.

Avivah Litan, a fraud analyst with Gartner Inc., said the deadline shift wasn’t unexpected given how many U.S. fuel stations are behind on costly updates, noting that in some cases it can cost more than $10,000 per pump to accommodate chip card readers. The National Association of Convenience Stores estimates that station operators will spend approximately $30,000 per store to accommodate chip readers, and that the total cost to the fuel industry could exceed $4 billion.

“Some of them you can just replace the payment module inside the pump, but the older pumps will need to be completely removed and replaced,” Litan said. “Gas stations and their unattended pumps have always been an easy target for thieves. The fraud usually migrates to the point of least resistance, and we’re seeing now the fraudsters really moving to targeting unattended stations that haven’t been upgraded.”

The delay comes as some states — particularly in the southern United States — are grappling with major increases in fuel station skimming attacks. In September, KrebsOnSecurity published a detailed look at nine months’ worth of fuel pump skimming incident reports filed by police and regulators in Arizona, which said it saw more fuel station skimming attacks in the month of August 2016 than in all of 2015 combined.

That report about Arizona’s skimmer scourge found that thieves tend to target pumps that are furthest from the pump station and closest to the street. They also favored stations that did not employ basic security measures such as tamper-evident security tape and security cameras.

Crooks involved in fuel pump skimming generally are tied to organized crime gangs, as evidenced by this Nov. 2015 investigation into fuel theft gangs operating in Southern California. The thieves most often use stolen master keys or bribery to gain access to the pumps. Once inside the pumps, the thieves hook up their skimmer to the pump’s card reader and PIN pad. The devices also are connected to the pump’s electric power — so they don’t need batteries and can operate indefinitely. Increasingly, these thieves are installing Bluetooth-based skimmers that can transmit stolen data wirelessly, allowing thieves to avoid taking the risky step of retrieving their skimmer gear.

Some pump skimming devices are capable of stealing debit card PINs as well, so it’s a good idea to avoid paying with a debit card at the pump. Armed with your PIN and debit card data, thieves can clone the card and pull money out of your account at an ATM. Having your checking account emptied of cash while your bank sorts out the situation can be a huge hassle and create secondary problems (bounced checks, for instance).

“That’s exactly the sort of advice fuel station owners don’t want given to consumers,” Litan said. “For filling stations, credit is their least favorite form of payment because it’s the most expensive for them, which is why some stations offer lower prices for debit card transactions. But consumers should never use a debit card at a gas station.”

Want to learn more about skimming devices? Check out my series, All About Skimmers.

News in brief: meals on robot wheels; Mirai blamed for new attacks; police bypass iPhone encryption

Your daily round-up of what else is in the news

Kapustkiy hacked a website belonging to the Venezuela Army

The hacker Kapustkiy has breached the Venezuela Army and leaked 3000 user records containing personal information such as names, email addresses, and phone numbers.

We last covered the young hacker Kapustkiy after his hack of the High Commission of Ghana & Fiji in India, when he also confirmed that he had joined the Powerful Greek Army hacking crew.

The hacker breached the India Regional Council as well as organizations and embassies across the world. Recently he hacked the ‘Dipartimento della Funzione Pubblica’ Office of the Italian Government, the Paraguay Embassy of Taiwan (www.embapartwroc.com.tw), and the Indian Embassies in Switzerland, Mali, Romania, Italy, Malawi, and Libya.

Now the hacker is back, announcing that he has left the Powerful Greek Army and that he has hacked the Venezuela Army.

Kapustkiy has hacked the Venezuela Army and leaked 3000 user records on Pastebin containing personal information such as names, email addresses, and phone numbers.


The hacker breached the CATROPAEJ (“Caja de Ahorros de la Tropa Profesional del Ejercito Bolivariano Venezolano”) database. He also discovered some logins for the Army’s webmail system, but he did use them.

I reached Kapustkiy, who confirmed to me that he exploited an SQLi vulnerability in the target application.

He used error-based SQL injection, meaning that he triggered errors in the database by passing unsanitized input in the URL.

Kapustkiy reported the problem to the Venezuela Army more than a week ago, but he received no reply.

He told me that he is focusing on South American governments and Asian organizations.

Pierluigi Paganini

(Security Affairs – Kapustkiy, Venezuela Army)


Penetration Testing Methodologies and Standards

Cyber criminals target personal and corporate information using different attack vectors. The main reason behind their success is the lack of effective policies and standards, which allows them to exploit systems and steal information. To counter attackers, some tough protocols were developed previously that are somehow working effectively and preventing […]