Experts tracked a German hacker behind the spreading of Houdini Worm on Pastebin

Security experts at Recorded Future tracked a German hacker responsible for the propagation of the Houdini worm through Pastebin sites.

A German hacker who goes online by the moniker Vicswors Baghdad is responsible for the propagation of the Houdini malware on Pastebin sites.

According to the experts at Recorded Future, the same threat actor appears to be the author of an open source ransomware variant called MoWare H.F.D.

Experts at Recorded Future have observed three distinct spikes in malicious Visual Basic scripts posted on paste sites, in August, in October, and in March 2017.


Most of the scripts are used to spread the Houdini worm, a threat that first appeared in 2013 and was updated in 2016.

“In early March 2017, we began to notice an increasing number of malicious VBScripts posted to paste sites. The majority of these VBScripts appeared to be Houdini. Houdini is a VBScript worm that first appeared in 2013 and was updated in 2016.” states the analysis published by Recorded Future. “The individual(s) reusing this Houdini VBScript are continually updating with new command and control servers. After further defining our search criteria, we isolated the Houdini scripts and quickly identified three distinct spikes around August, October, and March of this year.” 

Recorded Future discovered 213 malicious posts on Pastebin sites involving a single domain with 105 subdomains; the experts also found 190 hashes.

The domains and subdomains belong to a dynamic DNS provider, and attribution was impossible because the threat actors published the Houdini VBScript from guest accounts.

However, the experts were able to determine the registrant of one domain, microsofit[.]net: “Mohammed Raad,” with the associated email “[email protected]” and the location “Germany.”

Googling the above information, the researchers discovered a Facebook profile using identical details. According to the profile, Mohammed Raad is a member of a German cell of Anonymous and uses Vicswors Baghdad as an alias.

The researchers also highlighted that the Facebook profile includes a recent conversation related to the MoWare H.F.D ransomware.


“The Facebook profile displays a recent conversation pertaining to an open source ransomware called ‘MoWare H.F.D’. It appears that they are studying, testing, and possibly configuring a ransomware,” continues the analysis.

“Upon further inspection of the screenshot posted on the ‘vicsworsbaghdad’ Facebook profile, we noticed that the ransomware being configured is an open source version available by commenting on the creator’s YouTube video. An account ‘Vicswors Baghdad’ commented asking where he can find the file to download, to which the developer commented that they sent a private message. The account ‘Vicswors Baghdad’ uses the same email [email protected] as the registration of microsofit[.]net.”

Further details, including the threat actor profile, are available in the post published by Recorded Future.

Pierluigi Paganini

(Security Affairs – Houdini Worm, hacking)

The post Experts tracked a German hacker behind the spreading of Houdini Worm on Pastebin appeared first on Security Affairs.

Chipotle Mexican Grill fast-food chain notified customers of a PoS malware breach

The fast-food chain Chipotle notified customers of a security breach in which hackers compromised its point-of-sale terminals to steal payment card data.

The Mexican Grill fast-food chain Chipotle notified customers of a data breach: hackers infected its point-of-sale terminals to steal payment card data.

The malicious code infected systems in 47 states and Washington earlier this year, between March 24 and April 18.

The list of affected Chipotle restaurants is available here.

“The investigation identified the operation of malware designed to access payment card data from cards used on point-of-sale (POS) devices at certain Chipotle restaurants between March 24, 2017 and April 18, 2017.” reads the data breach notification published by the company. “The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the POS device. There is no indication that other customer information was affected.” 


The company highlighted that not all locations were breached by hackers; customers can check a specific location at the following address:

https://www.chipotle.com/security#security

Customers who paid at the compromised stores should monitor their bank accounts and check every transaction involving their payment card.

The company confirmed that it has removed the malicious code from the infected systems.

“During the investigation we removed the malware, and we continue to work with cyber security firms to evaluate ways to enhance our security measures. In addition, we continue to support law enforcement’s investigation and are working with the payment card networks so that the banks that issue payment cards can be made aware and initiate heightened monitoring,” reads the statement.

Attacks on PoS systems are very common. This week Target, the US retail giant that suffered one of the most severe PoS attacks, entered a settlement with the US Attorneys General and agreed to pay $18.5 million over its 2013 data breach.

Pierluigi Paganini

(Security Affairs – PoS systems, Chipotle data breach)


Insecure medical devices are enlarging the attack surface of organizations

A study conducted by the Ponemon Institute shows that insecure medical devices are enlarging the attack surface of organizations.

A study conducted by the Ponemon Institute, based on a survey of 550 individuals, shows that manufacturers and healthcare delivery organizations (HDOs) are concerned about cyber attacks on medical devices.

67 percent of medical device makers and 56 percent of HDOs believe that in the next 12 months their medical devices will be targeted by hackers. Unfortunately, only 25 percent of device makers and 38 percent of HDOs believe the security features implemented in the devices can adequately protect patients and the clinicians who use them.

33 percent of the survey participants said they were aware of cyber attacks that had a negative impact on patients. Hackers can carry out a wide range of attacks against the devices, including ransomware, denial-of-service (DoS) attacks and the hijacking of medical devices.

The most disconcerting aspect of the research is that only 17 percent of device manufacturers and 15 percent of HDOs have adopted the necessary countermeasures to prevent attacks. 40 percent of HDOs and manufacturers admitted they have not adopted any measures to prevent attacks.

Unsecured medical devices represent an entry point for hackers into hospitals and other healthcare organizations, and the bad news is that the majority of survey participants believe securing medical devices is very difficult.

The study revealed that the security practices in place are not effective: manufacturers and HDOs lack practices such as security testing throughout the SDLC, code review, debugging systems and dynamic application security testing. The survey found that 36 percent of manufacturers and 45 percent of HDOs do not test their devices. Companies that did test their medical devices admitted finding vulnerabilities and even malware in their systems.


“Medical device security practices in place are not the most effective. Both manufacturers and users rely upon following specified security requirements instead of more thorough practices such as security testing throughout the SDLC, code review and debugging systems and dynamic application security testing. As a result, both manufacturers and users concur that medical devices contain vulnerable code due to lack of quality assurance and testing procedures and rush to release pressures on the product development team.” states the report.

Another worrying finding of the survey is that budget increases are usually a consequence of a hacking attack.

“In many cases, budget increases to improve the security of medical devices would occur only after a serious hacking incident occurred. Device makers, on average, spend approximately $4 million on the security of their medical devices and HDOs spend an average of $2.4 million each year. As shown in Figure 9, a serious hacking incident or new regulations would influence their organizations to increase the security budget.” continues the report.

Pierluigi Paganini

(Security Affairs – medical devices, security)


G7 Summit – States demand that Internet giants join forces against online propaganda

The nations participating in the G7 Summit in Taormina, Italy, demand action from Internet service providers and social media giants against extremist content online.

The effort is considered necessary to fight terrorism in the wake of the recent tragic Manchester attack.

“The G7 calls for Communication Service Providers and social media companies to substantially increase their efforts to address terrorist content,” the G7 states said in a statement.

“We encourage industry to act urgently in developing and sharing new technology and tools to improve the automatic detection of content promoting incitement to violence, and we commit to supporting industry efforts in this vein including the proposed industry-led forum for combating online extremism,” the statement continues.

Investigators believe that the Manchester bomber may have been radicalized online by Islamic State groups active on social media.

“Make no mistake: the fight is moving from the battlefield to the internet,” Prime Minister Theresa May told her G7 colleagues while chairing a discussion on counter-terrorism in the Sicilian resort of Taormina.

Another common objective of the G7 is the identification and prosecution of foreign fighters involved in conflicts in various areas, such as Syria and Turkey.

The G7 states are requesting support from local authorities to prosecute foreign fighters; Lebanon, Jordan and Iraq are areas of high interest to investigators.

The investigators believe that the Manchester bomber had been to Syria after visiting his parents’ homeland of Libya.

“It is vital we do more to cooperate with our partners in the region to step up returns and prosecutions of foreign fighters,” added May.

“This means improving intelligence-sharing, evidence gathering and bolstering countries’ police and legal processes.”


(L-R): EU Council President Donald Tusk, Canadian Prime Minister Justin Trudeau, German Chancellor Angela Merkel, US President Donald Trump, Italian Prime Minister Paolo Gentiloni, French President Emmanuel Macron, Japanese Prime Minister Shinzo Abe, British Prime Minister Theresa May and European Union Commission President Jean-Claude Juncker pose for a family photo on the first day of the G7 Summit at the Teatro Greco in Taormina, Italy, 26 May 2017. The G7 Summit will be held from 26 to 27 May 2017. ANSA/ETTORE FERRARI

The G7 states have to improve information-sharing processes on terrorism issues, with law enforcement and intelligence agencies sharing investigation results and border security methods with the countries that foreign fighters travel through or fight in.

Every time a foreign fighter crosses a border, specific actions must be triggered to track down the individual and their organization.

“When our allies find evidence, such as video or papers, of illegal activity involving foreign fighters, for example a Brit in a conflict zone, they should pass that to our authorities. It may help prosecute foreign fighters when they return.”

Pierluigi Paganini

(Security Affairs – G7 Summit Taormina, Foreign fighters)


Top 7 Ways to Use Wi-Fi Hotspots Safely

Often we find ourselves away from home with no Internet connection; however, there are likely public Wi-Fi hotspots in the area that could be used. While it may be tempting to connect to the first hotspot that is not password protected, doing so can harm your privacy and risk infecting your computer, cell […]


How is AI Addressing Cyber Security Challenges?

Cyber-attackers are moving towards automation to launch cyber-attacks more frequently, while many organizations are still using manual systems and strategies to analyze security findings and contextualize them with external threat information. Using such outdated strategies and methods, it can take weeks or months to identify intrusions, during which time attackers can successfully exploit vulnerabilities to […]


Security Risks of Smart E-cigarettes

Section 1. Introduction

An increasing number of household devices are becoming electronically interconnected. In addition to smartphones, tablets, fridges, smart TVs and other IoT devices, items for personal use, such as cigarettes, are also becoming technologically smarter. The trend of e-smoking started in the early 2000s when the first patent for an e-cigarette was filed. Statistics demonstrate that, […]


sheep-wolf – Exploit MD5 Collisions For Malware Detection

sheep-wolf is a tool to help you exploit MD5 collisions in software, especially malware samples, which are commonly detected using MD5 hash signatures. and then a malicious one (Wolf) that has the same MD5 hash. Please use this code to test whether the security products in your reach use MD5 internally to fingerprint binaries and […]

Read the full post at darknet.org.uk

7-Year-Old Samba Flaw Lets Hackers Access Thousands of Linux PCs Remotely

A 7-year-old critical remote code execution vulnerability has been discovered in the Samba networking software that could allow a remote attacker to take control of affected Linux and Unix machines. Samba is open-source software (a re-implementation of the SMB networking protocol) that runs on the majority of operating systems available today, including Windows, Linux, UNIX, IBM System 390, and

3 Nigerian Scammers Get 235-Years of Total Jail Sentence in U.S.

You may have heard of hilarious Nigerian scams. My all-time favourite is this one: A Nigerian astronaut has been trapped in space for the past 25 years and needs $3 million to get back to Earth; can you help? Moreover, Nigerians are also good at promising true love and happiness. But you know, love hurts. Those looking for true love and happiness lost tens of millions of dollars over the