Unprotected MongoDB Installations: child’s play for hackers

Hackers hold open MongoDB databases for ransom. In recent weeks, security experts have observed a significant increase in ransom attacks against unprotected MongoDB databases. Victor Gevers, co-founder of the GDI Foundation, was the first expert to notice the attacks and warned of the poor security of MongoDB deployments in the wild. At first, the […]

Court Documents Reveal How Feds Spied On Connected Cars For 15 Years

It's not always necessary to break into your computer or smartphone to spy on you. Today all our day-to-day devices are more connected to networks than ever, adding convenience and ease to daily activities. But here's what we forget: these connected devices can be turned against us, because we are giving companies, hackers, and law enforcement a large number of entry points to break into

Insidious phishing attack leverages on fake attachments to steal Gmail credentials

Cybercriminals are adopting specially crafted URLs to trick users into entering their Gmail credentials in a new sophisticated phishing campaign.

Security experts have discovered a new and effective Gmail phishing attack that is able to deceive even tech-savvy users. Crooks use specially crafted URLs to trick victims into entering their Gmail credentials on a phishing page.

The malicious messages are sent from one of the victim’s contacts (whose account has already been compromised) and pretend to carry a PDF document that can be previewed directly in Gmail. When the victim clicks on the “attachment” image embedded in the body of the message, they are redirected to a Gmail phishing page.

The URL to which the attachment images point is crafted to appear legitimate.


The browser shows no certificate warning because the page is not loaded over TLS at all: the address is a data: URL whose apparently legitimate part (the text the victim recognizes, such as accounts.google.com) is followed by a long run of white space that pushes the suspicious strings, and the obfuscated script that opens the Gmail phishing page in a new tab, out of view in the location bar. A technical description of the Chrome/Gmail attack has been published on GitHub.


“You click on the image, expecting Gmail to give you a preview of the attachment. Instead, a new tab opens up and you are prompted by Gmail to sign in again. You glance at the location bar and you see accounts.google.com in there. It looks like this….” states a blog post published by WordFence. “Once you complete sign-in, your account has been compromised.”

This technique is not new: several victims reported similar attacks in July.

One of the main characteristics of the recently detected attacks is that the crooks immediately access the compromised accounts and use them to send phishing emails to all of the victim’s contacts, which is why the messages arrive from a known sender. It is still unclear whether the attackers have found a way to automate the process.

As usual, let me suggest enabling two-factor authentication (2FA) on Gmail to avoid falling victim to this phishing scheme. Bear in mind, however, that a code-based second factor is not a complete defense: if the criminals log in as soon as the credentials arrive, they can prompt for the 2FA code on the same phishing page and relay it in real time.

“2FA would make it harder to exploit, but phishing attacks are getting fancier. They capture the 2FA code you enter and immediately start a session elsewhere with your password and 2FA. Hardware 2FA, a security key, (such as a Yubikey) is the only likely way to prevent phishing (excluding targets of state actors)” wrote a user in a discussion on Hacker News.

Google has been aware of this phishing tactic since at least March 2016, which is why the Chrome security team proposed a “Not Secure” label in the address bar for data:, blob: and other URLs that phishers may abuse.
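The trick described above (a data: URL carrying a recognizable hostname, padded with white space, with the real payload script at the far end) can be spotted mechanically. The following is an added example, not code from the Security Affairs post, from WordFence or from the GitHub write-up; the scheme list, the decoy host list and the sample addresses are assumptions constructed for illustration, not the real campaign's payload.

```python
"""Heuristics for the data:-URL look-alike phishing address.

Added example, not code from the original post, WordFence or the GitHub
write-up. SUSPICIOUS_SCHEMES, DECOY_HOSTS and the sample addresses are
assumptions made for illustration."""
import re
from urllib.parse import urlsplit

# Schemes a real login page is never served from (our own choice for the example;
# Chrome's proposal covered data: and blob: among others).
SUSPICIOUS_SCHEMES = {"data", "blob", "javascript", "filesystem"}
# Hostnames the decoy imitates (assumption: Gmail only, for the example).
DECOY_HOSTS = ("accounts.google.com", "mail.google.com")
# A run of white space long enough to push the rest of the address out of view.
PADDING = re.compile(r"[ \t\u00a0]{20,}")
SCRIPT = re.compile(r"<script|javascript:|eval\(|unescape\(", re.IGNORECASE)


def classify_location(address: str) -> list:
    """Return the reasons `address` looks like the attack; [] means none fired."""
    reasons = []
    scheme, _, rest = address.strip().partition(":")
    scheme = scheme.lower()

    if scheme in SUSPICIOUS_SCHEMES:
        reasons.append(f"login page served from a {scheme}: URL (no TLS, no certificate check)")
        for host in DECOY_HOSTS:
            if host in rest:
                reasons.append(f"decoy hostname {host} embedded in the {scheme}: URL")
    elif scheme in ("http", "https"):
        # The real host is whatever urlsplit sees; a decoy name anywhere else is a lure.
        real_host = (urlsplit(address.strip()).hostname or "").lower()
        for host in DECOY_HOSTS:
            if host in address and real_host != host and not real_host.endswith("." + host):
                reasons.append(f"decoy hostname {host} present but the real host is {real_host}")

    if PADDING.search(address):
        reasons.append("long white-space run hides the end of the address")
    if SCRIPT.search(rest):
        reasons.append("inline script embedded in the address")
    return reasons


# Constructed samples, not the real campaign's payload.
LEGITIMATE = "https://accounts.google.com/ServiceLogin?service=mail"
LOOKALIKE = ("data:text/html,https://accounts.google.com/ServiceLogin?service=mail"
             + " " * 200 + "<script>/* would open the phishing page */</script>")

if __name__ == "__main__":
    for sample in (LEGITIMATE, LOOKALIKE):
        print(sample[:60], "->", classify_location(sample) or "looks normal")
```

The check is useful in a browser extension, a proxy log review or a user-reported-phish triage queue: the legitimate address yields no findings, while the look-alike trips four of them (wrong scheme, embedded decoy host, padding, inline script). A subdomain lure such as accounts.google.com.evil.example is caught by the hostname comparison in the http/https branch.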

Pierluigi Paganini

(Security Affairs – cybercrime, Gmail)

The post Insidious phishing attack leverages on fake attachments to steal Gmail credentials appeared first on Security Affairs.

Weak passwords are still the root cause of data breaches

Key findings of a new study by Keeper Security, which analyzed 10 million hacked accounts from breached data dumps to compile the list of the most popular passwords.

Users’ bad habits are still one of the biggest problems for the IT industry: weak passwords, and their reuse across multiple websites, potentially expose a billion users to cyber attacks every day.

I’m not surprised by the results of a new study conducted by the security firm Keeper Security that analyzed 10 million hacked accounts from breached data dumps for the most popular passwords.

Below is the Top 10 of Keeper Security’s 2016 most popular password list:

  1. 123456
  2. 123456789
  3. qwerty
  4. 12345678
  5. 111111
  6. 1234567890
  7. 1234567
  8. password
  9. 123123
  10. 987654321

The most used passwords continue to be 123456 and 123456789 despite the numerous awareness campaigns on proper security posture; “123456” alone accounts for nearly 17 per cent of the hacked accounts in the firm’s data sample.

“Looking at the list of 2016’s most common passwords, we couldn’t stop shaking our heads. Nearly 17 percent of users are safeguarding their accounts with “123456.” What really perplexed us is that so many website operators are not enforcing password security best practices.” states the report published by Keeper Security. “We scoured 10 million passwords that became public through data breaches that happened in 2016.”

The bad news is that the list of most popular passwords hasn’t changed over the years.

“The list of most frequently used passwords has changed little over the past few years. That means that user education has limits.” continues the study.

This highlights the lack of a security policy that also requires strong passwords and enforces the requirement server-side. Four of the top 10 passwords on the list are six characters or shorter; they are very easy to brute force if the system does not rate-limit or lock out repeated attempts.

“today’s brute-force cracking software and hardware can unscramble those passwords in seconds. Website operators that permit such flimsy protection are either reckless or lazy.”

The list also includes passwords like “1q2w3e4r” and “123qwe”: some users evidently try to build “unpredictable” passwords out of keyboard patterns. Unfortunately, dictionary-based password crackers include these variations.

The last point that emerges from the report is that email providers do not correctly monitor the use of their services by the botnets used for spam.

“Security expert Graham Cluley believes that the presence of seemingly random passwords such as “18atcskd2w” and “3rjs1la7qe” on the list indicates that bots use these codes over and over when they set up dummy accounts on public email services for spam and phishing attacks.” states the report.
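The failure modes the report calls out (breach-list entries, six-character strings, keyboard walks such as 1q2w3e4r and 123qwe, and random-looking bot passwords) map to a few server-side screening rules. The block below is an added example, not Keeper Security’s code: the blocklist is seeded with the ten passwords from the list above (a real deployment loads the full breach-derived list from disk), and the 12-character minimum and the US keyboard layout are assumptions made for the example.

```python
"""Server-side password screening for the failure modes in the report above.

Added example, not Keeper Security's code. COMMON_PASSWORDS is seeded with the
ten entries from the list above; MIN_LENGTH and the US keyboard rows are
assumptions made for the example."""
import re

COMMON_PASSWORDS = {
    "123456", "123456789", "qwerty", "12345678", "111111",
    "1234567890", "1234567", "password", "123123", "987654321",
}
# Keyboard rows used to recognise walks such as qwerty, 1q2w3e4r and 123qwe.
KEY_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
MIN_LENGTH = 12


def _on_row(s: str) -> bool:
    """True if s is a contiguous run along one keyboard row, either direction."""
    return len(s) >= 2 and any(s in row or s in row[::-1] for row in KEY_ROWS)


def _keyboard_walk(pw: str) -> bool:
    p = pw.lower()
    if len(p) < 4:
        return False
    if _on_row(p):                                  # qwerty, 123456, 987654321
        return True
    if _on_row(p[0::2]) and _on_row(p[1::2]):       # interleaved rows: 1q2w3e4r
        return True
    # two row runs glued together: 123qwe, 123123
    return any(_on_row(p[:i]) and _on_row(p[i:]) for i in range(2, len(p) - 1))


def check_password(pw: str) -> list:
    """Return the reasons pw should be rejected; [] means it passed screening."""
    reasons = []
    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("in breach-derived common password list")
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if re.fullmatch(r"(.)\1*", pw):
        reasons.append("single repeated character")
    if _keyboard_walk(pw):
        reasons.append("keyboard walk")
    if pw.isdigit():
        reasons.append("digits only")
    return reasons


if __name__ == "__main__":
    for candidate in ("123456", "1q2w3e4r", "18atcskd2w", "correct horse battery staple"):
        print(f"{candidate!r}: {check_password(candidate) or 'accepted'}")
```

Note what the pattern rules do not catch: a bot-generated string such as 18atcskd2w fails only the length rule, which is exactly why a breach-derived blocklist has to sit alongside the structural checks. Screening at registration is still only half of the fix the report asks for; throttling and lockout on the login endpoint are what make the remaining short passwords expensive to brute force.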



Pierluigi Paganini

(Security Affairs – authentication, data breach)

The post Weak passwords are still the root cause of data breaches appeared first on Security Affairs.

New campaign leverages RIG Exploit kit to deliver the Cerber Ransomware

Experts from Heimdal Security warned of a spike in cyber attacks leveraging the popular RIG Exploit kit to deliver the Cerber Ransomware.

The RIG exploit kit is more popular than ever in the criminal ecosystem; a few days ago security experts at Heimdal Security warned of a spike in cyber attacks leveraging the popular Neutrino and RIG EKs.

Now security experts from Heimdal Security are warning of a new campaign leveraging the RIG exploit kit, which targets outdated versions of popular applications to distribute the Cerber ransomware.

The attackers use an array of malicious domains to launch drive-by attacks against visitors, attempting to exploit flaws in outdated versions of popular applications such as Flash Player, Silverlight, Internet Explorer and Microsoft Edge.

“At the moment, cybercriminals are using a swarm of malicious domains to launch drive-by attacks against unsuspecting users.” states the analysis published by Heimdal Security.

“The campaign works by injecting malicious scripts into insecure or compromised systems. Victims can get infected simply by browsing the compromised or infected websites, without clicking on anything. What exposes them to this attack are outdated versions of the following apps: Flash Player, Silverlight, Internet Explorer or Edge.”

The crooks compromise websites and inject malicious scripts that exploit the flaws in the victim’s browser without any user interaction.


This new campaign uses a version of the RIG exploit kit that attempts to exploit the following 8 vulnerabilities:

According to the experts from Heimdal Security, this variant of RIG is the Empire Pack version (RIG-E). The cyber criminals also abused domains that are part of the so-called pseudo-Darkleech gateway, which cyber gangs also used in June 2016 to deliver the CryptXXX ransomware in several campaigns relying on the Neutrino Exploit Kit.

It is important to highlight that the success of campaigns like this one depends on the failure to apply security updates for popular software.

“As you can see, cybercriminals often use vulnerabilities already patched by the software developer in their attacks, because they know that most users fail to apply updates when they’re released. In spite of the wave of attacks, many Internet users still choose to ignore updates, but we hope that alerts such as this one will change their mind and make them more aware of the key security layer that updates represent.” states the report.

Pierluigi Paganini

(Security Affairs – RIG Exploit Kit, cybercrime)

The post New campaign leverages RIG Exploit kit to deliver the Cerber Ransomware appeared first on Security Affairs.

Intelligence report claims the Kremlin has cracked Telegram service

A raw intelligence document published last week claims Russian cyber experts have cracked Telegram messaging service to spy on opponents.

A raw intelligence document published last week contains a great deal of information about President Donald Trump and about the Kremlin’s approach to cyber espionage.

According to the report, the Russian Federal Security Service (FSB) offers bribes for back doors into commercial products and recruits black hat hackers by every means, including blackmail and coercion. The document reports that the FSB used the sale of cheap PC games containing malware to compromise machines. The report also claims that Russian intelligence has cracked the popular Telegram instant messaging service.

The intelligence report was prepared by a former British agent, who received the information about the Telegram hack from a “cyber operative.”

“His/her understanding was that the FSB now successfully had cracked this communication software and therefore it was no longer secure to use,” reads the document.

Telegram was used by opponents of the government, which is why the FSB decided to crack it. Telegram is the work of two Russian brothers and billionaires, Nikolai and Pavel Durov, who had previously created VKontakte, an alternative to Facebook. However, they got into trouble over a Ukrainian personal-data issue and fled Russia for Berlin in 2014.

Telegram relies on a custom encryption protocol of its own design, which is why security experts and privacy advocates have repeatedly raised questions about its security.

When it comes to cyberattacks, Russia’s offensive tactics include targeting foreign governments, especially Western governments; penetrating foreign corporations, especially banks; monitoring of the domestic elite; and attacking political opponents inside Russia and abroad.

According to the cyber operative, the Russian government received the support of an IT staffer at Telegram.


In one case, Russian intelligence compromised IT equipment used by a foreign director of a Russian state-owned enterprise in order to conduct cyber espionage on Western organizations through a backdoor.

The FSB offered a U.S. citizen of Russian descent funding for an IT startup in exchange for a backdoor into the software developed by the company; in this way Russian cyber spies could deliver malware for targeted attacks.

The intelligence document doesn’t provide further details on the cyber operations conducted by Russian hackers.

Unsurprisingly, the document highlights the interest in the representatives of G7 governments and NATO.

“External targets include foreign governments and big corporations, especially banks,” the document says, but the FSB mainly succeeds only against lower-level targets. It says it has “limited success in attacking top foreign targets like G7 governments, security services and but much more on second tier ones through IT back doors, using corporate and other visitors to Russia.”

In order to reach G7 governments, the nation-state actors hit second-tier organizations, including Western private banks and the governments of smaller states allied with the Western powers.

“Hundreds of agents, either consciously cooperating with the FSB or whose personal and professional IT systems had even unwittingly compromised, were recruited,” continues the document.

Russian institutions also suffer attacks from multiple cyber gangs, including Carbanak, Buhtrap and Metel.

“The Central Bank of Russia claimed that in 2015 alone there had been more than 20 attempts at serious cyber embezzlement of money from corresponding accounts held there, comprising several billions of Rubles,” continues the report.  

Pierluigi Paganini

(Security Affairs – Telegram, cyber espionage)

The post Intelligence report claims the Kremlin has cracked Telegram service appeared first on Security Affairs.

Security Affairs newsletter Round 95 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

First of all, let me inform you that at #infosec16 SecurityAffairs was awarded The Best European Personal Security Blog.

·        Iranian Group OilRig is back and delivers digitally signed malware
·        Security Affairs newsletter Round 94 – News of the week
·        Crooks target UK schools with ‘Department of Education’ ransomware
·        Recent power outages in Turkey were also caused by cyber attacks
·        French Minister Le Drian on cyber espionage: France is not immune, ready to hack back
·        ESEA data breach, 1.5 million gamers records leaked
·        Security Researcher hacks “Anti Tracking & Pro Privacy” Brave Browser
·        Number of MongoDB ransom attacks peaked 27,000 in a day
·        Hello Kitty database leaked online, 3.3 million fans affected
·        CVE-2016-7200 & CVE-2016-7201 Edge flaws added to the Sundown Exploit Kit
·        The Los Angeles Community College District paid a $28,000 ransom to decrypt its files
·        A Second variant of Shamoon 2 targets virtualization products
·        ShadowBrokers offers for sale the stolen NSA Windows Hacking Tools
·        Juniper SRX firewalls open a root-level account due to a flaw
·        Thousands of unpatched Magento shops hacked in the last two years
·        Spora Ransomware allows victims to pay for immunity from future attacks
·        In 2016, these are the four ways how bots altered history
·        EyePyramid – Police arrests two for hacking into emails of politicians, lawyers, entrepreneurs, and masons
·        Israeli mobile phone data extraction company Cellebrite was hacked
·        The ISC issued updates for 4 High severity DoS flaws in BIND
·        Two observations about the Italian EyePyramid espionage campaign
·        WordPress 4.7.1 released, patches eight vulnerabilities and 62 bugs
·        ShadowBrokers exits releasing another arsenal of tools to hack Windows
·        @Kapustkiy is back and hacked the Government of Venezuela
·        WhatsApp backdoor? What is wrong in the last claims?
·        Hackers that hit MongoDB installs now switch on exposed Elasticsearch clusters

Once again thank you!

Pierluigi Paganini

(Security Affairs – Newsletter)

The post Security Affairs newsletter Round 95 – News of the week appeared first on Security Affairs.

Talos Team discovered serious issues in Aerospike Database Server

Security experts from Cisco Talos discovered several flaws in the Aerospike Database Server, a high-performance, and open source NoSQL database.

Security experts from Cisco Talos have discovered several vulnerabilities in the Aerospike Database Server, a high-performance, open source NoSQL database.

It is used by several major brands for high-performance applications, including Kayak, AppNexus, Adform, adMarketplace and BlueKai.

The Cisco Talos team discovered that the Aerospike Database Server (the version tested, and likely earlier versions) is affected by three flaws rated critical and high severity, including remote code execution and information disclosure issues.

Talos has published technical details of the vulnerabilities in the advisories that also include proof-of-concept (PoC) code for them.

“Talos is disclosing multiple vulnerabilities discovered in the Aerospike Database Server. These vulnerabilities range from memory disclosure to potential remote code execution. This software is used by various companies that require a high performance NoSQL database. Aerospike fixed these issues in version 3.11.” reads the advisory published by the Talos Team.

TALOS-2016-0264 (CVE-2016-9050) – Aerospike Database Server Client Message Memory Disclosure Vulnerability
TALOS-2016-0266 (CVE-2016-9052) – Aerospike Database Server Index Name Code Execution Vulnerability
TALOS-2016-0268 (CVE-2016-9054) – Aerospike Database Server Set Name Code Execution Vulnerability.

The first vulnerability, tracked as CVE-2016-9050, is an out-of-bounds read in the client message-parsing functionality. An attacker can exploit it by sending a specially crafted packet to the listening port, which can result in memory disclosure or a denial-of-service (DoS) condition.

The second vulnerability, tracked as CVE-2016-9052, is an arbitrary code execution issue in the index name handling, specifically the “as_sindex__simatch_by_iname” function.

The third, tracked as CVE-2016-9054, is a stack-based buffer overflow in the querying functionality, specifically the “as_sindex__simatch_list_set_binid” function. It is simple to trigger: an attacker only needs to connect to the listening port and send a specially crafted packet to execute arbitrary code remotely.

The flaws were reported to the Aerospike development team on December 23 and addressed on January 5 in version 3.11.0.

Pierluigi Paganini

(Security Affairs – Aerospike Database Server, hacking)

The post Talos Team discovered serious issues in Aerospike Database Server appeared first on Security Affairs.

Ploutus-D, a new variant of Ploutus ATM malware spotted in the wild

Security experts from FireEye have spotted a new variant of the infamous Ploutus ATM malware that infected systems in Latin America.

Ploutus is one of the most sophisticated ATM malware families; it was first discovered in Mexico back in 2013. It allows crooks to steal cash from ATMs using either an external keyboard attached to the machine or SMS messages sent to it.

Experts at FireEye Labs have recently discovered a new version of the Ploutus ATM malware, dubbed Ploutus-D, that works with KAL’s Kalignite multivendor ATM platform.

The experts observed Ploutus-D in attacks against ATMs made by Diebold, but the most worrisome aspect is that minor changes to the malware code could allow Ploutus-D to target a wide range of ATM vendors in 80 countries.

Below are the improvements introduced in Ploutus-D:

  • It uses the Kalignite multivendor ATM Platform.
  • It could run on ATMs running the Windows 10, Windows 8, Windows 7 and XP operating systems.
  • It is configured to control Diebold ATMs.
  • It has a different GUI.
  • It comes with a Launcher that attempts to identify and kill security monitoring processes to avoid detection.
  • It uses a stronger .NET obfuscator called Reactor.

The similarities between Ploutus and Ploutus-D are:

  • The main purpose is to empty the ATM without requiring an ATM card.
  • The attacker must interact with the malware using an external keyboard attached to the ATM.
  • An activation code is generated by the attacker, which expires after 24 hours.
  • Both were created in .NET.
  • Both can run as a Windows service or as a standalone application.

The technical analysis revealed that developers improved obfuscation of the code by switching from .NET Confuser to Reactor.

The malware adds itself to the “Userinit” registry value to gain persistence; the value is located at:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
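Because Winlogon runs every program listed in that value at logon, the detection is to compare the value against the stock content and flag anything extra. The block below is an added example, not FireEye’s code, and it does not reproduce FireEye’s published IOCs; the sample values are constructed, and it assumes %SystemRoot% is C:\Windows. On a non-Windows host it still runs against strings copied from a disk image or a registry export.

```python
"""Check the Winlogon Userinit value for entries other than the stock
userinit.exe, the persistence location used by Ploutus-D.

Added example, not FireEye's code, and not FireEye's IOCs. The sample values
are constructed; %SystemRoot% is assumed to be C:\\Windows."""
import sys

DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"
WINLOGON_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"


def suspicious_userinit_entries(value: str) -> list:
    """Split the comma-separated value and return every entry that is not the
    stock userinit.exe at its stock path. A userinit.exe living anywhere else
    (a common masquerade) counts as suspicious too."""
    bad = []
    for raw in value.split(","):
        entry = raw.strip().strip('"')
        if not entry:
            continue                      # the trailing comma is normal
        if entry.lower() == DEFAULT_USERINIT:
            continue
        bad.append(entry)
    return bad


def read_live_userinit():
    """Return the live value on Windows, or None elsewhere so the check above
    can still be exercised offline on a copied string."""
    if sys.platform != "win32":
        return None
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    return value


if __name__ == "__main__":
    # Constructed samples: a clean value and one with an extra launcher appended.
    samples = [
        r"C:\Windows\system32\userinit.exe,",
        r"C:\Windows\system32\userinit.exe,C:\Temp\launcher.exe,",
    ]
    live = read_live_userinit()
    if live is not None:
        samples.append(live)
    for s in samples:
        print(repr(s), "->", suspicious_userinit_entries(s) or "clean")
```

A production version would expand %SystemRoot%, check the Wow6432Node view as well, and treat a second userinit.exe on a non-system path as a hit rather than a false positive; the comparison against the full stock path here already does the last of these.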

The attacker must interact with the Launcher by connecting a keyboard to the ATM’s USB or PS/2 port, as illustrated in the following picture.


“Once the Launcher has been installed in the ATM, it will perform keyboard hooking in order to read the instructions from the attackers via the external keyboard. A combination of “F” keys will be used to request the action to execute” states the analysis.

The Launcher drops legitimate files, such as the KAL ATM software, into the system along with Ploutus-D. This ensures that all the software and versions needed to properly run the malware are present in the same folder, avoiding dependency issues.

Ploutus-D allows crooks to steal thousands of dollars in minutes, reducing the risk of being caught on CCTV while taking the money.

“Once deployed to an ATM, Ploutus-D makes it possible for a money mule to obtain thousands of dollars in minutes.” states the analysis published by FireEye. “A money mule must have a master key to open the top portion of the ATM (or be able to pick it), a physical keyboard to connect to the machine, and an activation code (provided by the boss in charge of the operation) in order to dispense money from the ATM. While there are some risks of the money mule being caught by cameras, the speed in which the operation is carried out minimizes the mule’s risk.”

In order to install the malware, the attackers likely have access to the targeted ATM software. The experts also speculate that the crooks may buy physical ATMs from authorized resellers, which come preloaded with vendor software, or in the worst case steal the ATMs directly from the bank.

The analysis includes the main differences with previous versions and Indicators of Compromise (IOC) to use for the identification of the threat.

Pierluigi Paganini

(Security Affairs – Ploutus-D, ATM hacking)

The post Ploutus-D, a new variant of Ploutus ATM malware spotted in the wild appeared first on Security Affairs.

Hackers that hit MongoDB installs now switch on exposed Elasticsearch clusters

The hackers that targeted MongoDB installations with ransom attacks now switch on the exposed Elasticsearch clusters with a similar tactic.

A few days ago I reported a string of cyber attacks against MongoDB databases: hackers broke into unprotected MongoDB instances, wiped their content, and asked for a ransom to return the data.

Now it seems that the same hackers have started targeting Elasticsearch clusters that are unprotected and accessible from the internet.

Elasticsearch is a Java-based search engine built on the free and open-source Lucene information retrieval library. It is released as open source and is used by many organizations worldwide.

Crooks are targeting Elasticsearch clusters with ransom attacks in the same way they did with MongoDB.

The news was reported on the official support forums this week: a user running a test deployment accessible from the internet reported that hackers had removed all the indices and created a new index named “warning”.

The user found the following text in the raw index data:


Something quite similar to the recent ransom attacks against MongoDB.

“Late last week, a malicious attack was initiated, in which data from thousands of open source databases was copied, deleted and held for ransom. Although no malware, or “ransomware” was used in these attacks, and they are not related to product vulnerabilities, they nonetheless represent serious security incidents involving a data loss, or even a data breach.” reads the description of the discussion in the official forum. “The good news is that data loss from similar attacks is easily preventable with proper configuration.” 


According to security researcher Niall Merrigan, more than 600 Elasticsearch clusters have been hit by the hackers.

Unfortunately, the number of internet-accessible Elasticsearch installs is much greater, roughly 35,000. The experts believe that the number of wiped Elasticsearch installs will rapidly increase, as happened with the MongoDB databases.

It is important to protect Elasticsearch clusters exposed on the Internet as soon as possible; there is no reason to expose them directly.

Elasticsearch consultant Itamar Syn-Hershko has published a blog post that includes recommendations for securing Elasticsearch installations.

“Have a Single Page Application that needs to query Elastic and get jsons for display? Pass it through a software facade that can do request filtering, audit-logging and most importantly, password-protect your data,” states the blog post. “Without that, (a) you are for sure binding to a public IP and you shouldn’t, (b) you are risking unwanted changes to your data, (c) and the worst – you can’t control who accesses what and all your data is visible for all to see. Just what’s happening now with those Elasticsearch clusters.”

The experts also suggest disabling features that are not needed, such as dynamic scripting with non-sandboxed languages (MVEL, Groovy) in old versions.
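Both recommendations (do not bind to a public address without an authenticating facade, and switch off dynamic scripting) can be checked against the node’s elasticsearch.yml before the cluster goes anywhere near the internet. The following is an added example, not code from Elastic or from the blog post quoted above. It reads flat `key: value` lines only (assumption: no nested YAML, which is how these settings are usually written), uses the setting names of the 1.x and 2.x releases being hit in these attacks (later releases rename some of them), and the sample configurations are constructed.

```python
"""Audit a flat elasticsearch.yml for the two exposures discussed above:
listening on a non-loopback address and dynamic scripting.

Added example, not code from Elastic or from the quoted blog post. Flat
`key: value` lines only; setting names are those of the 1.x/2.x releases
(assumption). Sample configurations are constructed."""
import ipaddress

LOOPBACK_ALIASES = {"_local_", "localhost", "127.0.0.1", "::1"}


def parse_flat_yaml(text: str) -> dict:
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def is_public_bind(host: str) -> bool:
    """True if the address lets remote hosts reach the node directly."""
    h = host.strip().strip("[]")
    if h in LOOPBACK_ALIASES:
        return False
    if h.startswith("_") and h.endswith("_"):
        return True               # _site_, _global_, _eth0_ ... bind real interfaces
    try:
        return not ipaddress.ip_address(h).is_loopback
    except ValueError:
        return True               # a hostname resolves to a reachable interface


def audit_config(text: str) -> list:
    s = parse_flat_yaml(text)
    findings = []
    host = s.get("network.host")
    if host is None:
        findings.append("network.host not set: Elasticsearch before 2.0 listens on all interfaces by default")
    else:
        for h in host.strip("[]").split(","):
            if is_public_bind(h):
                findings.append(f"network.host {h.strip()} is reachable from the network; "
                                "put an authenticating facade in front or bind to localhost")
                break
    # dynamic scripting switches, by release line
    if s.get("script.disable_dynamic", "").lower() == "false":
        findings.append("script.disable_dynamic: false enables dynamic scripts (1.2 to 1.5)")
    for key in ("script.inline", "script.indexed"):
        if s.get(key, "").lower() in ("on", "true"):
            findings.append(f"{key}: on enables dynamic scripts (1.6 and 2.x)")
    for lang in ("groovy", "mvel"):
        if s.get(f"script.engine.{lang}.inline", "").lower() in ("on", "true"):
            findings.append(f"{lang} inline scripting enabled; the engine is not safely sandboxed")
    return findings


# Constructed sample configurations.
INSECURE = """\
cluster.name: test-cluster
network.host: 0.0.0.0      # every interface
script.inline: on
script.indexed: on
"""
SECURE = """\
cluster.name: test-cluster
network.host: 127.0.0.1
script.inline: off
script.indexed: off
"""

if __name__ == "__main__":
    for name, cfg in (("insecure", INSECURE), ("secure", SECURE)):
        print(name, "->", audit_config(cfg) or "no findings")
```

The absent network.host case is the one that bit most of the victims: on the 1.x line the node listens on every interface unless told otherwise, so a config that never mentions the setting is reported rather than assumed safe. Run the audit as a pre-deployment gate, and pair it with an external port scan of 9200/9300 from outside the host, since a correct file on disk says nothing about a second node started with command-line overrides.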

As usual, let me suggest that you avoid paying the ransom and instead report the incident to law enforcement.

Pierluigi Paganini

(Security Affairs – Elasticsearch , hacking)

The post Hackers that hit MongoDB installs now switch on exposed Elasticsearch clusters appeared first on Security Affairs.