✇ Krebs on Security

Who Is the Network Access Broker ‘Babam’?

By: BrianKrebs

Rarely do cybercriminal gangs that deploy ransomware gain the initial access to the target themselves. More commonly, that access is purchased from a cybercriminal broker who specializes in acquiring remote access credentials — such as usernames and passwords needed to remotely connect to the target’s network. In this post we’ll look at the clues left behind by “Babam,” the handle chosen by a cybercriminal who has sold such access to ransomware groups on many occasions over the past few years.

Since the beginning of 2020, Babam has set up numerous auctions on the Russian-language cybercrime forum Exploit, mainly selling virtual private networking (VPN) credentials stolen from various companies. Babam has authored more than 270 posts since joining Exploit in 2015, including dozens of sales threads. However, none of Babam’s posts on Exploit include any personal information or clues about his identity.

But in February 2016, Babam joined Verified, another Russian-language crime forum. Verified was hacked at least twice in the past five years, and its user database posted online. That information shows that Babam joined Verified using the email address “[email protected].” The latest Verified leak also exposed private messages exchanged by forum members, including more than 800 private messages that Babam sent or received on the forum over the years.

In early 2017, Babam confided to another Verified user via private message that he is from Lithuania. In virtually all of his forum posts and private messages, Babam can be seen communicating in transliterated Russian rather than by using the Cyrillic alphabet. This is common among cybercriminal actors for whom Russian is not their native tongue.

Cyber intelligence platform Constella Intelligence told KrebsOnSecurity that the [email protected] address was used in 2016 to register an account at filmai.in, which is a movie streaming service catering to Lithuanian speakers. The username associated with that account was “bo3dom.”

A reverse WHOIS search via DomainTools.com says [email protected] was used to register two domain names: bonnjoeder[.]com back in 2011, and sanjulianhotels[.]com (2017). It’s unclear whether these domains ever were online, but the street address on both records was “24 Brondeg St.” in the United Kingdom. [Full disclosure: DomainTools is a frequent advertiser on this website.]

A reverse search at DomainTools on “24 Brondeg St.” reveals one other domain: wwwecardone[.]com. Domains that begin with “www” are fairly common among phishers and among passive “typosquatting” sites that seek to siphon credentials from legitimate websites when people mistype a domain, for example by omitting the “.” after typing “www”.

A banner from the homepage of the Russian language cybercrime forum Verified.

Searching DomainTools for the phone number in the WHOIS records for wwwecardone[.]com — +44.0774829141 — leads to a handful of similar typosquatting domains, including wwwebuygold[.]com and wwwpexpay[.]com. A different UK phone number in a more recent record for the wwwebuygold[.]com domain — 44.0472882112 — is tied to two more domains: howtounlockiphonefree[.]com and portalsagepay[.]com. All of these domains date back to between 2012 and 2013.

The original registration records for the iPhone, Sagepay and Gold domains share an email address: [email protected]. A search on the username “bo3dom” using Constella’s service reveals an account at ipmart-forum.com, a now-defunct forum concerned with IT products, such as mobile devices, computers and online gaming. That search shows the user bo3dom registered at ipmart-forum.com with the email address [email protected], and from an Internet address in Vilnius, Lithuania.

[email protected] was used to register multiple domains, including wwwsuperchange.ru back in 2008 (notice again the suspect “www” as part of the domain name). Gmail’s password recovery function says the backup email address for [email protected] is bo3*******@gmail.com. Gmail accepts the address [email protected] as the recovery email for that devrian27 account.

According to Constella, the [email protected] address was exposed in multiple data breaches over the years, and in each case it used one of two passwords: “lebeda1” and “a123456“.

Searching in Constella for accounts using those passwords reveals a slew of additional “bo3dom” email addresses, including [email protected]. Pivoting on that address in Constella reveals that someone with the name Vytautas Mockus used it to register an account at mindjolt.com, a site featuring dozens of simple puzzle games that visitors can play online.

At some point, mindjolt.com apparently also was hacked, because a copy of its database at Constella says the [email protected] used two passwords at that site: lebeda1 and a123456.

A reverse WHOIS search on “Vytautas Mockus” at DomainTools shows the email address [email protected] was used in 2010 to register the domain name perfectmoney[.]co. This is one character off of perfectmoney[.]com, which is an early virtual currency that was quite popular with cybercriminals at the time. The phone number tied to that domain registration was “86.7273687“.

A Google search for “Vytautas Mockus” says there’s a person by that name who runs a mobile food service company in Lithuania called “Palvisa.” A report on Palvisa (PDF) purchased from Rekvizitai.vz — an official online directory of Lithuanian companies — says Palvisa was established in 2011 by a Vytautas Mockus, using the phone number 86.7273687 and the email address [email protected]. The report states that Palvisa is active, but has had no employees other than its founder.

Reached via the [email protected] address, the 36-year-old Mr. Mockus expressed mystification as to how his personal information wound up in so many records. “I am not involved in any crime,” Mockus wrote in reply.

A rough mind map of the connections mentioned in this story.

The domains apparently registered by Babam over nearly 10 years suggest he started off mainly stealing from other cybercrooks. By 2015, Babam was heavily into “carding,” the sale and use of stolen payment card data. By 2020, he’d shifted his focus almost entirely to selling access to companies.

A profile produced by threat intelligence firm Flashpoint says Babam has received at least four positive feedback reviews on the Exploit cybercrime forum from crooks associated with the LockBit ransomware gang.

The ransomware collective LockBit giving Babam positive feedback for selling access to different victim organizations. Image: Flashpoint

According to Flashpoint, in April 2021 Babam advertised the sale of Citrix credentials for an international company that is active in the field of laboratory testing, inspection and certification, and that has more than $5 billion in annual revenues and more than 78,000 employees.

Flashpoint says Babam initially announced he’d sold the access, but later reopened the auction because the prospective buyer backed out of the deal. Several days later, Babam reposted the auction, adding more information about the depth of the illicit access and lowering his asking price. The access sold less than 24 hours later.

“Based on the provided statistics and sensitive source reporting, Flashpoint analysts assess with high confidence that the compromised organization was likely Bureau Veritas, an organization headquartered in France that operates in a variety of sectors,” the company concluded.

In November, Bureau Veritas acknowledged that it shut down its network in response to a cyber attack. The company hasn’t said whether the incident involved ransomware and if so what strain of ransomware, but its response to the incident is straight out of the playbook for responding to ransomware attacks. Bureau Veritas has not yet responded to requests for comment; its latest public statement on Dec. 2 provides no additional details about the cause of the incident.

Flashpoint notes that Babam’s use of transliterated Russian persists on both Exploit and Verified until around March 2020, when he switches over to using mostly Cyrillic in his forum comments and sales threads. Flashpoint said this could be an indication that a different person started using the Babam account since then, or, more likely, that Babam had only a tenuous grasp of Russian to begin with and that his language skills and confidence improved over time.

Lending credence to the latter theory is that Babam still makes linguistic errors in his postings that suggest Russian is not his original language, Flashpoint found.

“The use of double “n” in such words as “проданно” (correct – продано) and “сделанны” (correct – сделаны) by the threat actor proves that this style of writing is not possible when using machine translation since this would not be the correct spelling of the word,” Flashpoint analysts wrote.

“These types of grammatical errors are often found among people who did not receive sufficient education at school or if Russian is their second language,” the analysis continues. “In such cases, when someone tries to spell a word correctly, then by accident or unknowingly, they overdo the spelling and make these types of mistakes. At the same time, colloquial speech can be fluent or even native. This is often typical for a person who comes from the former Soviet Union states.”

✇ Security Affairs

NSO Group spyware used to compromise iPhones of 9 US State Dept officials

By: Pierluigi Paganini

Apple warns that the mobile devices of at least nine US Department of State employees were compromised with NSO Group’s Pegasus spyware.

The iPhones of at least nine US state department officials were compromised with the NSO Group’s spyware Pegasus.

The US officials targeted by the surveillance software were either based in Uganda or focused on matters concerning that country, Reuters revealed, though it was not able to determine which NSO client orchestrated the attacks.

“Apple Inc iPhones of at least nine U.S. State Department employees were hacked by an unknown assailant using sophisticated spyware developed by the Israel-based NSO Group, according to four people familiar with the matter.” reads the post published by Reuters. “The intrusions, first reported here, represent the widest known hacks of U.S. officials through NSO technology.”

NSO Group told Reuters that it is not aware of the tools used in the attacks, added that it has canceled the relevant customer accounts, and declared that it will investigate the incidents. NSO Group also said that once its surveillance spyware is sold to a customer, it has no way of knowing whom that customer will target.

NSO announced that it will cooperate with any relevant government authority to track down the attackers.

“If our investigation shall show these actions indeed happened with NSO’s tools, such customer will be terminated permanently and legal actions will take place,” said an NSO spokesperson, who added that NSO will also “cooperate with any relevant government authority and present the full information we will have.”

In early November, the U.S. sanctioned four companies for developing surveillance malware or selling hacking tools used by nation-state actors, including NSO Group. NSO Group and Candiru were sanctioned for developing and selling surveillance software used to spy on journalists and activists.

In November, Apple sued NSO Group and its parent company Q Cyber Technologies in a U.S. federal court for illegally targeting its customers with the Pegasus surveillance spyware.

According to the lawsuit, the surveillance firm is accountable for hacking into Apple’s iOS-based devices using zero-click exploits. The software developed by the surveillance firm was used to spy on activists, journalists, researchers, and government officials.

Apple also announced a $10 million contribution to support academic research into unmasking illegal surveillance activities.

“Apple today filed a lawsuit against NSO Group and its parent company to hold it accountable for the surveillance and targeting of Apple users. The complaint provides new information on how NSO Group infected victims’ devices with its Pegasus spyware. To prevent further abuse and harm to its users, Apple is also seeking a permanent injunction to ban NSO Group from using any Apple software, services, or devices.” reads the announcement published by Apple.

The legal action aims at permanently preventing the infamous company from breaking into any Apple software, services, or devices.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Apple)

The post NSO Group spyware used to compromise iPhones of 9 US State Dept officials appeared first on Security Affairs.

✇ Security Affairs

KAX17 threat actor is attempting to deanonymize Tor users running thousands of rogue relays

By: Pierluigi Paganini

Since 2017, an unknown threat actor has run thousands of malicious Tor relay servers in the attempt to unmask Tor users.

A mysterious threat actor, tracked as KAX17, has run thousands of malicious Tor relay servers since 2017 in an attempt to deanonymize Tor users.

KAX17 ran relay servers in various positions within the Tor network, including entry and exit nodes. Researchers at the Tor Project removed hundreds of servers set up by the threat actor in October and November 2021.

In August 2020, the security researcher known by the moniker Nusenu revealed that in May 2020 a threat actor had managed to control roughly 23% of the entire Tor network’s exit nodes. Experts warned that this was the first time a single actor had controlled such a large number of Tor exit nodes. A Tor exit relay is the final relay that Tor traffic passes through before it reaches the intended destination. Because Tor traffic exits through these relays, the IP address of the exit relay is seen as the source of the traffic. Tor exit relays advertise their presence to the entire Tor network, so they can be used by any Tor user.

An operator controlling these relays can see which website a user connects to and, if an insecure connection is used, can also manipulate the traffic. In May 2020, the threat actor controlled over 380 Tor exit nodes, with a peak on May 22, when it controlled 23.95% of Tor exit relays.

Nusenu told The Record that the phenomenon has resurfaced and is associated with the same attacker.

“But a security researcher and Tor node operator going by Nusenu told The Record this week that it observed a pattern in some of these Tor relays with no contact information, which he first noticed in 2019 and has eventually traced back as far as 2017.” reads the post published by The Record. “Grouping these servers under the KAX17 umbrella, Nusenu says this threat actor has constantly added servers with no contact details to the Tor network in industrial quantities, operating servers in the realm of hundreds at any given point.”

Most of the Tor relay servers set up by the KAX17 actor were located in data centers around the world and were configured primarily as entry and middle points. Nusenu pointed out that, unlike other threat actors he analyzed in the past, the KAX17 group operates only a small number of exit points.

This suggests that the group is operating to track Tor users within the anonymizing network. Nusenu also believes that KAX17 is an APT group.

Below are some insights on the KAX17 profile provided by the researcher in a post:

  • active since at least 2017
  • sophistication: non-amateur level and persistent
  • uses large amounts of servers across many (>50) autonomous systems (including non-cheap cloud hosters like Microsoft)
  • operated relay types: mainly non-exit relays (entry guards and middle relays) and to a lesser extent tor exit relays
  • (known) concurrently running relays peak: >900 relays
  • (known) advertised bandwidth capacity peak: 155 Gbit/s
  • (known) probability to use KAX17 as first hop (guard) peak: 16%
  • (known) probability to use KAX17 as second hop (middle) peak: 35%
  • motivation: unknown; plausible: Sybil attack; collection of tor client and/or onion service IP addresses; deanonymization of tor users and/or onion services

The expert states that the probability of connecting to a guard relay operated by KAX17 peaked at 16%, rising to 35% for the probability of passing through one of the middle relays set up by the threat actor.

“The following graph shows (known) KAX17’s network fraction in % of the entire tor network for each position (first, second and last hop of a tor circuit) over the past 3 years.”

[Graph: KAX17’s known network fraction, in % of the Tor network, by circuit position (first, second and last hop) over the past 3 years]

Nusenu has been sharing these findings with the Tor Project since last year, and the Tor security team removed all the exit relays set up by the group in October 2020. The Tor Project also removed a set of KAX17 malicious relays in October and November 2021.

The expert also notes that KAX17’s poor OpSec exposed an email address in the relays’ ContactInfo field, but its authenticity cannot be determined, and a false flag cannot be excluded.

“Detecting and removing malicious tor relays from the network has become an impractical problem to solve. We presented a design and proof of concept implementation towards better self-defense options for tor clients to reduce their risk from malicious relays without requiring their detection.” concludes the researcher.


✇ The Hacker News

Researchers Detail How Pakistani Hackers Targeting Indian and Afghan Governments

By: Ravie Lakshmanan

A Pakistani threat actor successfully socially engineered a number of ministries in Afghanistan and a shared government computer in India to steal sensitive Google, Twitter, and Facebook credentials from its targets and stealthily obtain access to government portals. Malwarebytes' latest findings go into detail about the new tactics and tools adopted by the APT group known as SideCopy, which is

✇ Security Affairs

Threat actors stole $120 M in crypto from BadgerDAO DeFi platform

By: Pierluigi Paganini

Threat actors stole $120 million in cryptocurrencies from multiple wallets connected to the decentralized finance platform BadgerDAO.

Threat actors this week hacked the decentralized finance platform BadgerDAO and stole $120.3 million in crypto funds, blockchain security firm PeckShield reported. Most of the stolen funds, over $117 million, were Bitcoin, while the rest of the stolen assets were held as interest-bearing Bitcoin (a form of tokenised Bitcoin) and Ether.

BadgerDAO is a decentralised autonomous organisation (DAO) that allows users to bridge their Bitcoin into other blockchains.

Here is the current whereabouts as well as the total loss: $120.3M (with ~2.1k BTC + 151 ETH) @BadgerDAO pic.twitter.com/fJ4hJcMWTq

— PeckShield Inc. (@peckshield) December 2, 2021

The attackers were able to inject a malicious script into the UI of the BadgerDAO website that allowed them to intercept and hijack Web3 transactions. The funds were redirected to a wallet under the attackers’ control.

Peckshield was able to track the stolen funds:

Here is the list of funds that were so far transferred out from victims @BadgerDAO pic.twitter.com/P5pOj1YQ2l

— PeckShield Inc. (@peckshield) December 2, 2021

The malicious script was injected as early as November 10th, but the threat actors ran it at random intervals to avoid detection. BadgerDAO notified US and Canadian authorities and is investigating the security breach with the help of forensics firm Chainalysis.

Badger has received reports of unauthorized withdrawals of user funds.

As Badger engineers investigate this, all smart contracts have been paused to prevent further withdrawals.

Our investigation is ongoing and we will release further information as soon as possible.

— ₿adgerDAO 🦡 (@BadgerDAO) December 2, 2021

The investigation continues.

Badger has retained data forensics experts Chainalysis to explore the full scale of the incident & authorities in both the US & Canada have been informed & Badger is cooperating fully with external investigations as well as proceeding with its own.

— ₿adgerDAO 🦡 (@BadgerDAO) December 2, 2021

Once Badger discovered the unauthorized transfers, it paused all smart contracts and advised users to decline all transactions to addresses under the attackers’ control.

According to The Verge, Badger is investigating how threat actors gained access to Cloudflare via an API key that should have been protected by two-factor authentication.

“While the attack didn’t reveal specific flaws within Blockchain tech itself, it managed to exploit the older “web 2.0” technology that most users need to use to perform transactions. Multi-factor authentication systems protect our accounts against many phishing schemes or bulk credential stuffing attacks. Still, experts have repeatedly warned about targeted phishing attacks that can bypass it, while toolkits to automate the process have been available for years.” reported The Verge.

“All [the] blockchain / smart contract audits in the world, and people lose 120m to a Cloudflare API leak by a sloppy team where a dude passes a new approval to his contract in the site header – GG – we still have a long way to go,” reads the comment of a user within Badger’s Discord. A member of the team said, “I’m sure we will have some mitigation procedures proposed after this.”

DeFi platforms are under attack. According to a report published by AtlasVPN in August, DeFi hacks accounted for 76% of all hacks between January and July 2021. The report states that over $129 million were stolen in DeFi attacks in 2020.


✇ The Hacker News

New Malvertising Campaigns Spreading Backdoors, Malicious Chrome Extensions

By: Ravie Lakshmanan

A series of malicious campaigns have been leveraging fake installers of popular apps and games such as Viber, WeChat, NoxPlayer, and Battlefield as a lure to trick users into downloading a new backdoor and an undocumented malicious Google Chrome extension with the goal of stealing credentials and data stored in the compromised systems as well as maintaining persistent remote access. Cisco Talos

✇ The Hacker News

Why Everyone Needs to Take the Latest CISA Directive Seriously

By: The Hacker News

Government agencies publish notices and directives all the time. Usually, these are only relevant to government departments, which means that nobody else really pays attention. It's easy to see why you would assume that a directive from CISA just doesn't relate to your organization. But, in the instance of the latest CISA directive, that would be making a mistake. In this article, we explain why

✇ Security Affairs

Watch out for Omicron COVID-19-themed phishing messages!

By: Pierluigi Paganini

Threat actors have started to exploit the interest in the Omicron COVID-19 variant and are using it as a lure in phishing campaigns.

Crooks have already started exploiting the interest in the Omicron COVID-19 variant and are using it as a lure in phishing attacks.

People are interested in the spread of the new variant, the efficacy of the vaccines and the measures that states will adopt to prevent its spread, and threat actors are attempting to take advantage of this situation.

An Omicron COVID-19-themed campaign was spotted by UK authorities, and the National Health Service (NHS) is warning about these phishing attacks.

Beware of fake NHS emails asking you to order an Omicron PCR test.

Link goes to a fake NHS website.

The NHS will:

❌NEVER ask for payment – the vaccine is free
❌NEVER ask for your bank details

Forward emails to [email protected] pic.twitter.com/GcGB3C5dLI

— Norfolk County Council Trading Standards (@NorfolkCCTS) November 30, 2021

@ukhsa advise of a #SCAM doing the rounds on social media purporting to offer #Omicron #PCRs #tscovid19

This has been reported & will be taken down but it is likely there will be more instances before it is removed, & there are reports of people querying it at test sites. pic.twitter.com/IXZ1qPStq5

— Dudley EHO – Play your part – #protectDudley (@myDudleyEHO) December 1, 2021

These phishing messages offer a free Omicron PCR test that will allegedly allow recipients to avoid restrictions. One of the samples shared by the UK consumer protection organization ‘Which?’ and published by BleepingComputer was sent from the address ‘[email protected]’ in an attempt to make the emails look more credible.

Upon clicking the link embedded in the message, recipients are redirected to a fake NHS website where they can apply for a “COVID-19 Omicron PCR test.”

Recipients have to fill in a form with their personal data (name, date of birth, home address, mobile phone number, and email address), answer some security questions (e.g. mother’s maiden name), and finalize the procedure by making a payment of £1.24 ($1.65).

Clearly, the scammers aim to steal the recipients’ payment details at the payment step.

Authorities are urging citizens to be wary of suspicious emails or text messages asking for financial details (e.g. credit card or banking data). The NHS never asks for financial details in legitimate email correspondence.

“The NHS will: NEVER ask for payment – the vaccine is free NEVER ask for your bank details.”

Users who receive suspicious messages can report them to “[email protected]”.


✇ The Hacker News

New Payment Data Stealing Malware Hides in Nginx Process on Linux Servers

By: Ravie Lakshmanan

E-commerce platforms in the U.S., Germany, and France have come under attack from a new form of malware that targets Nginx servers in an attempt to masquerade its presence and slip past detection by security solutions. "This novel code injects itself into a host Nginx application and is nearly invisible," Sansec Threat Research team said in a new report. "The parasite is used to steal data from

✇ The Hacker News

CISA Warns of Actively Exploited Critical Zoho ManageEngine ServiceDesk Vulnerability

By: Ravie Lakshmanan

The U.S. Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are warning of active exploitation of a newly patched flaw in Zoho's ManageEngine ServiceDesk Plus product to deploy web shells and carry out an array of malicious activities. Tracked as CVE-2021-44077 (CVSS score: 9.8), the issue relates to an unauthenticated, remote code execution

✇ Security Affairs

CISA adds Zoho, Apache, Qualcomm, Mikrotik flaws to the list of actively exploited issues

By: Pierluigi Paganini

U.S. CISA urges organizations to address vulnerabilities in Qualcomm, MikroTik, Zoho and Apache Software Foundation software.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its catalog of actively exploited vulnerabilities, recommending that federal agencies address the flaws in Qualcomm, MikroTik, Zoho and Apache Software Foundation software within specific timeframes and deadlines.

CISA also warns of the risk to the federal enterprise of delaying remediation of these vulnerabilities.

The agency asks federal agencies to apply security patches for the Zoho ManageEngine ServiceDesk flaws by December 15, 2021. The two flaws added to the catalog are CVE-2021-37415, a Zoho ManageEngine ServiceDesk authentication bypass vulnerability, and CVE-2021-44077, a Zoho ManageEngine ServiceDesk Plus remote code execution vulnerability.

Both issues have been actively exploited by nation-state actors over the last few months.

CISA also urges agencies to address CVE-2018-14847, a MikroTik RouterOS directory traversal vulnerability, by June 1, 2022.

Another flaw added to the catalog is CVE-2021-40438, an Apache HTTP Server server-side request forgery (SSRF) vulnerability that must be addressed by December 15, 2021. A few days ago, the German cybersecurity agency and Cisco warned of attacks exploiting the recently patched CVE-2021-40438 flaw in Apache HTTP servers.

The German BSI published an alert about this vulnerability, stating that it is aware of at least one attack exploiting it.

The fifth issue added to the list of actively exploited vulnerabilities is CVE-2020-11261, an improper input validation flaw that impacts multiple Qualcomm chipsets. This vulnerability must be addressed by June 1, 2022.

Google warned that the Qualcomm vulnerability was exploited by threat actors in limited, targeted attacks.

“There are indications that CVE-2020-11261 may be under limited, targeted exploitation” reads a note added to the January security bulletin last week.

The CVE-2020-11261 flaw was reported to Qualcomm by Google’s Android Security team on August 20, 2020 and was addressed in January 2021.


✇ Security Affairs

Russian internet watchdog Roskomnadzor bans six more VPN services

By: Pierluigi Paganini

Russia’s internet watchdog, ‘Roskomnadzor’, has announced a ban on more VPN products; 15 VPN services are now illegal in Russia.

Russian communications watchdog Roskomnadzor is tightening its control over the Internet and has blocked access to six more VPN services. The latest banned services are Betternet, Lantern, X-VPN, Cloudflare WARP, Tachyon VPN and PrivateTunnel.

The total number of banned VPN products has reached 15; the full list of blocked services follows:

  • Hola! VPN
  • ExpressVPN
  • KeepSolid VPN Unlimited
  • Nord VPN
  • Speedify VPN
  • IPVanish VPN
  • VyprVPN
  • Opera VPN
  • ProtonVPN
  • Betternet
  • Lantern
  • X-VPN
  • Cloudflare WARP
  • Tachyon VPN
  • PrivateTunnel

Russia’s internet watchdog sent a request that the Center for Monitoring and Control of the Public Communications Network be informed about the removal of these services from the systems of all registered Russian companies and public organizations.

The companies were banned because they did not comply with Roskomnadzor’s demand to connect their systems to the Federal State Information System (FGIS).

In September, Roskomnadzor blocked access to Hola! VPN, ExpressVPN, KeepSolid VPN Unlimited, Nord VPN, Speedify VPN, and IPVanish VPN.

The watchdog argued that VPNs could be abused for illegal activities online, including terrorism and child pornography. However, it made some exceptions for companies that rely on VPNs for their operations; for this reason, the regulator created a white list of software and apps that will be allowed to continue using VPN providers.

Ordinary Russians use VPN services and other anonymizing services to access blocked content and bypass censorship; the following graph shows the continuous growth in the number of Tor users in Russia.

[Graph: growth in the number of Tor users in Russia]

In 2017, Russia’s parliament voted to ban web tools that people could use to reach outlawed websites, and the Duma approved a bill obliging anyone using an online messaging service to identify themselves with a telephone number.

The bill prohibited the use, from Russian territory, of any service that could be used to access blacklisted websites.

VPN operators and proxy services operating in the country must register themselves with the government regulatory authority.

Since May 3rd, 2018, Russia’s media and communications regulatory authority Roskomnadzor has blocked over 50 virtual private networks (VPNs), web proxies and anonymizing networks.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, VPN services)

The post Russian internet watchdog Roskomnadzor bans six more VPN services appeared first on Security Affairs.

✇ Security Affairs

NginRAT – A stealth malware targets e-store hiding on Nginx servers

By: Pierluigi Paganini

Threat actors are targeting e-stores with remote access malware, dubbed NginRAT, that hides on Nginx servers bypassing security solutions.

Researchers from security firm Sansec recently discovered a new Linux remote access trojan (RAT), tracked as CronRAT, that hides in the Linux task scheduling system (cron) as a job scheduled for the non-existent date of February 31st.

CronRAT is employed in Magecart attacks against online stores and enables attackers to steal credit card data by deploying online payment skimmers on Linux servers.

While investigating CronRAT infections in North America and Europe, the researchers spotted a new malware, dubbed NginRAT, that hides on Nginx servers to bypass security solutions. Like CronRAT, NginRAT works as a “server-side Magecart”: it injects itself into an Nginx process.

Experts pointed out that a rogue Nginx process cannot be distinguished from a legitimate one.

“NginRAT essentially hijacks a host Nginx application to masquerade its presence. To do that, NginRAT modifies core functionality of the Linux host system. When the legitimate Nginx web server uses such functionality (eg dlopen), NginRAT injects itself. The result is a remote access trojan that is embedded in the Nginx process.” reads the analysis published by the experts. “On a typical eCommerce web server, there are many Nginx processes. And the rogue Nginx looks just like the others.”

The researchers discovered that NginRAT is delivered using CronRAT and both allow attackers to maintain remote access to the infected system.

In the infection process, CronRAT contacts the command and control server at using custom commands. One of these commands, dwn, downloads a Linux system library to /dev/shm/php-shared. CronRAT then launches

env LD_L1BRARY_PATH="[580 bytes]" \
    LD_PRELOAD=/dev/shm/php-shared \
    /usr/sbin/nginx --help --help --help --help --help --help --help --help \
    --help --help --help --help --help --help --help --help --help --help --help \
    --help --help --help --help --help --help --help --help --help --help --help \
    --help --help --help --help --help --help --help --help --help --help --help \
    --help --help --help --help --help --help --help --help --help 1>&2 &

to inject the NginRAT into the host Nginx application.

“Once Nginx calls dlopen, NginRAT takes control. It removes the php-shared file, changes its process name to nginx: worker process, gathers information about the system and opens up a connection with the c&c server at It then awaits further commands, possibly sleeping for weeks or months.” continues the post published by the researchers.

Experts explained that because NginRAT hides inside a legitimate Nginx host process, /proc/PID/exe will point to Nginx. Another trick that makes analysis of the malware challenging is that the library code is only written to memory and cannot be examined after launch. The use of LD_L1BRARY_PATH (with the typo) is an indicator of compromise.

In order to find malicious processes, admins can run this command:

$ sudo grep -al LD_L1BRARY_PATH /proc/*/environ | grep -v self/

Then it is possible to kill them with kill -9 <PID>.
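As an added defender-side example (not part of the Sansec analysis or this article), the following Python script applies the two indicators the article names, the misspelled LD_L1BRARY_PATH variable and an LD_PRELOAD library staged under /dev/shm, to /proc/<pid>/environ data; the sample environments and PIDs are constructed, and the live /proc scan needs root to see other users' processes.

```python
"""Flag processes whose environment carries the NginRAT launch indicators."""
import os

# Indicators from the write-up: the misspelled loader variable and an
# LD_PRELOAD library dropped under /dev/shm (where php-shared is staged).
TYPO_VAR = "LD_L1BRARY_PATH"
PRELOAD_DIR = "/dev/shm/"

def indicators(environ_blob):
    """Parse a /proc/<pid>/environ blob (NUL-separated KEY=VALUE entries)
    and return the names of the indicators it matches."""
    env = {}
    for entry in environ_blob.split(b"\0"):
        if b"=" in entry:
            key, _, value = entry.partition(b"=")
            env[key.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    hits = []
    if TYPO_VAR in env:
        hits.append(TYPO_VAR)
    # LD_PRELOAD may list several libraries separated by colons or spaces.
    preload = env.get("LD_PRELOAD", "").replace(":", " ").split()
    if any(lib.startswith(PRELOAD_DIR) for lib in preload):
        hits.append("LD_PRELOAD from /dev/shm")
    return hits

def scan(environs):
    """Map pid -> matched indicators over (pid, environ_blob) pairs; clean pids are omitted."""
    return {pid: hits for pid, blob in environs if (hits := indicators(blob))}

def proc_environs():
    """Yield (pid, environ) for each readable /proc entry (root sees all users' processes)."""
    for name in os.listdir("/proc"):
        if name.isdigit():
            try:
                with open(f"/proc/{name}/environ", "rb") as f:
                    yield int(name), f.read()
            except OSError:  # process exited or permission denied
                continue

# Constructed sample environments: pid 4242 mimics the launch line quoted in the
# write-up, pid 4243 is an ordinary worker with nothing suspicious.
SAMPLE = [
    (4242, b"LD_L1BRARY_PATH=AAAA\0LD_PRELOAD=/dev/shm/php-shared\0PATH=/usr/bin\0"),
    (4243, b"PATH=/usr/bin\0USER=www-data\0"),
]

if __name__ == "__main__":
    for pid, hits in scan(proc_environs()).items():
        print(f"suspicious pid {pid}: {', '.join(hits)}")
```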

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

The post NginRAT – A stealth malware targets e-store hiding on Nginx servers appeared first on Security Affairs.

✇ Krebs on Security

Ubiquiti Developer Charged With Extortion, Causing 2020 “Breach”

By: BrianKrebs

In January 2021, technology vendor Ubiquiti Inc. [NYSE:UI] disclosed that a breach at a third party cloud provider had exposed customer account credentials. In March, a Ubiquiti employee warned that the company had drastically understated the scope of the incident, and that the third-party cloud provider claim was a fabrication. On Wednesday, a former Ubiquiti developer was arrested and charged with stealing data and trying to extort his employer while pretending to be a whistleblower.

Federal prosecutors say Nickolas Sharp, a senior developer at Ubiquiti, actually caused the “breach” that forced Ubiquiti to disclose a cybersecurity incident in January. They allege that in late December 2020, Sharp applied for a job at another technology company, and then abused his privileged access to Ubiquiti’s systems at Amazon’s AWS cloud service and the company’s GitHub accounts to download large amounts of proprietary data.

Sharp’s indictment doesn’t specify how much data he allegedly downloaded, but it says some of the downloads took hours, and that he cloned approximately 155 Ubiquiti data repositories via multiple downloads over nearly two weeks.

On Dec. 28, other Ubiquiti employees spotted the unusual downloads, which had leveraged internal company credentials and a Surfshark VPN connection to hide the downloader’s true Internet address. Assuming an external attacker had breached its security, Ubiquiti quickly launched an investigation.

But Sharp was a member of the team doing the forensic investigation, the indictment alleges.

“At the time the defendant was part of a team working to assess the scope and damage caused by the incident and remediate its effects, all while concealing his role in committing the incident,” wrote prosecutors with the Southern District of New York.

According to the indictment, on January 7 a senior Ubiquiti employee received a ransom email. The message was sent through an IP address associated with the same Surfshark VPN. The ransom message warned that internal Ubiquiti data had been stolen, and that the information would not be used or published online as long as Ubiquiti agreed to pay 25 Bitcoin.

The ransom email also offered to identify a purportedly still unblocked “backdoor” used by the attacker for the sum of another 25 Bitcoin (the total amount requested was equivalent to approximately $1.9 million at the time). Ubiquiti did not pay the ransom demands.

Investigators say they were able to tie the downloads to Sharp and his work-issued laptop because his Internet connection briefly failed on several occasions while he was downloading the Ubiquiti data. Those outages were enough to prevent Sharp’s Surfshark VPN connection from functioning properly — thus exposing his Internet address as the source of the downloads.

When FBI agents raided Sharp’s residence on Mar. 24, he reportedly maintained his innocence and told agents someone else must have used his PayPal account to purchase the Surfshark VPN subscription.

Several days after the FBI executed its search warrant, Sharp “caused false or misleading news stories to be published about the incident,” prosecutors say. Among the claims made in those news stories was that Ubiquiti had neglected to keep access logs that would allow the company to understand the full scope of the intrusion. In reality, the indictment alleges, Sharp had shortened to one day the amount of time Ubiquiti’s systems kept certain logs of user activity in AWS.

“Following the publication of these articles, between Tuesday, March 30, 2021 and Wednesday March 31, [Ubiquiti’s] stock price fell approximately 20 percent, losing over four billion dollars in market capitalization,” the indictment states.

Sharp faces four criminal counts, including wire fraud, intentionally damaging protected computers, transmission of interstate communications with intent to extort, and making false statements to the FBI.

News of Sharp’s arrest was first reported by BleepingComputer, which wrote that while the Justice Department didn’t name Sharp’s employer in its press release or indictment, all of the details align with previous reporting on the Ubiquiti incident and information presented in Sharp’s LinkedIn account. A link to the indictment is here (PDF).

✇ The Hacker News

Meta Expands Facebook Protect Program to Activists, Journalists, Government Officials

By: Ravie Lakshmanan
Meta, the company formerly known as Facebook, on Thursday announced an expansion of its Facebook Protect security program to include human rights defenders, activists, journalists, and government officials who are more likely to be targeted by bad actors across its social media platforms. "These people are at the center of critical communities for public debate," said Nathaniel Gleicher, head of
✇ The Hacker News

Researchers Detail 17 Malicious Frameworks Used to Attack Air-Gapped Networks

By: Ravie Lakshmanan
Four different malicious frameworks designed to attack air-gapped networks were detected in the first half of 2020 alone, bringing the total number of such toolkits to 17 and offering adversaries a pathway to cyber espionage and the exfiltration of classified information. "All frameworks are designed to perform some form of espionage, [and] all the frameworks used USB drives as the physical transmission
✇ The Hacker News

Let there be light: Ensuring visibility across the entire API lifecycle

By: The Hacker News
The following article is based on a webinar series on enterprise API security by Imvision, featuring expert speakers from IBM, Deloitte, Maersk, and Imvision discussing the importance of centralizing an organization's visibility of its APIs as a way to accelerate remediation efforts and improve the overall security posture. Centralizing security is challenging in today's open ecosystem When
✇ Security Affairs

Europol arrested 1800 money mules as part of an anti-money-laundering operation

By: Pierluigi Paganini

Europol identified 18,351 money mules and arrested 1,803 of them as part of an international anti-money-laundering operation codenamed EMMA 7.

The operation is the result of a joint effort of 27 countries, Eurojust, INTERPOL, the European Banking Federation (EBF), and the FinTech FinCrime Exchange.

The name EMMA is an acronym for European Money Mule Action; the first EMMA operation led by Europol took place in 2016.

The EMMA 7 operation was conducted between September 15 and November 30, 2021, with contributions from law enforcement agencies in Australia, Austria, Belgium, Bulgaria, Colombia, Czech Republic, Estonia, Finland, Greece, Germany, Hong Kong, Hungary, Ireland, Italy, Moldova, Netherlands, Poland, Portugal, Romania, Singapore, Slovak Republic, Slovenia, Sweden, Switzerland, Spain, the United Kingdom and the United States.

The money mules have a crucial role in criminal organizations to launder money for a wide array of illegal activities, such as online scams, sim-swapping, e-commerce fraud, and phishing. Money mules receive and transfer money on behalf of crooks in exchange for a small fee.

“The operation resulted in 1 803 arrests and the identification of over 18 000 money mules.” reads the press release published by Europol. “It also revealed that money mules were being used to launder money for a wide array of online scams such as sim-swapping, man in the middle attacks, e-commerce fraud and phishing.”

The authorities conducted 2,503 individual investigations, and the operation prevented losses of €67.5 million by stopping 7,000 reported fraudulent transactions. According to Europol, around 400 banks and financial institutions supported the operation.

Another important result was the identification of 324 recruiters.

Europol pointed out that money mules can be recruited into the criminal operation unknowingly. Groups such as students, immigrants, and people in economic distress are prime targets for recruiters who offer them easy money. Recruiters leverage multiple channels, such as legitimate-looking job adverts and social media posts.

“Ignorance is not an excuse when it comes to the law and money muling; they are breaking the law by laundering the illicit proceeds of crime. For this reason, Europol coordinated the ‘#DontBeAMule’ awareness campaign with all participant countries, law enforcement and the EBF on behalf of the European banks, as a means to prevent more innocent bystanders being exploited by criminals and putting themselves at risk.” concludes the press release.

Pierluigi Paganini

(SecurityAffairs – hacking, Europol)

The post Europol arrested 1800 money mules as part of an anti-money-laundering operation appeared first on Security Affairs.

✇ The Hacker News

Researchers Warn Iranian Users of Widespread SMS Phishing Campaigns

By: Ravie Lakshmanan
Socially engineered SMS messages are being used to install malware on Android devices as part of a widespread phishing campaign that impersonates the Iranian government and social security services to make away with credit card details and steal funds from victims' bank accounts. Unlike other variants of banking malware that bank on overlay attacks to capture sensitive data without the knowledge