News
Banks and law enforcement agencies have their work cut out for them: JokerStash, well-known dealers in stolen credit cards, have put up for sale the card details of wealthy customers of the upscale stores Saks Fifth Avenue and Lord & Taylor, that is, Americans and visitors to the States for whom spending on a grand scale is the norm. As is withdrawing money abroad, of course. Picking the fraudsters' dark deeds out of all those transactions is not so easy.
In addition, the dealers from JokerStash, as is their custom, put the goods out in small portions so that they are not all blocked at once. This means the leak will have died down while half of the cards are still unsold. For comparison: in December they made off with the data of 7 million cards, and so far only a quarter have been put up for sale. Of the new batch, 125 thousand credit cards are on sale, out of 5 million stolen.
Handwork
News
Security researchers have discovered new malware for Linux systems. The name GoScanSSH was apparently coined by an akyn on the principle “I sing about what I see”: the malware is written in the Go language, scans the network, and infects devices through the SSH port. If it did anything else, “spy” or “wiper” would have been added to the name, but the fact is that it ... is not doing anything else yet. It is still unclear what the attackers intend to do with the network assembled with its help, but one thing is certain: they are not short on meticulousness and diligence.
To begin with, when scanning a network, the malware carefully checks whether it has stumbled upon servers belonging to a military or government organization. If there is even the slightest doubt, the attack stops immediately. Then it runs a brute-force attack, going through more than 7,000 frequently used combinations of logins and passwords. If one of them works, it gets into the system and sends information about the system's parameters to the command server.
After that, the hackers behind the attack manually configure a new version of their creation, each time based on the features of the server or device found, and manually upload it. So far, experts have found 70 variations, and this is clearly not the limit.
Why such thorough preparation is needed is not yet clear. Hardly for mining: the specifics of the brute force make it clear that the new malware is designed not only for servers but also for IoT devices, which are poorly suited to mining cryptocurrency. Maybe for DDoS attacks? In general, the intrigue is growing. Evidently, we will have to find out the hard way.
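How the brute-force stage described above looks from the defender's side, as an added example that is not part of the original column or the researchers' report: it flags sources that fail many password logins within a short window and records when such a source then logs in successfully. The log lines are constructed, and the threshold, the window and the `year` parameter (syslog timestamps carry no year) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed OpenSSH auth-log sample (addresses from documentation ranges).
SAMPLE_LOG = """\
Mar 26 03:10:01 gw sshd[811]: Failed password for root from 203.0.113.7 port 40110 ssh2
Mar 26 03:10:03 gw sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Mar 26 03:10:05 gw sshd[813]: Failed password for invalid user ubnt from 203.0.113.7 port 40114 ssh2
Mar 26 03:10:06 gw sshd[790]: Failed password for alice from 198.51.100.20 port 52200 ssh2
Mar 26 03:10:08 gw sshd[814]: Failed password for invalid user support from 203.0.113.7 port 40116 ssh2
Mar 26 03:10:10 gw sshd[815]: Failed password for root from 203.0.113.7 port 40118 ssh2
Mar 26 03:10:12 gw sshd[816]: Accepted password for pi from 203.0.113.7 port 40120 ssh2
Mar 26 03:10:20 gw sshd[791]: Accepted password for alice from 198.51.100.20 port 52204 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<res>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")

def detect(log, min_failures=5, window=timedelta(minutes=5), year=2018):
    """Map each brute-forcing source IP to its failure count, the user
    names it tried, and the account it logged in to afterwards (if any)."""
    fails = defaultdict(list)          # ip -> [(time, user)] inside the window
    report = {}
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip, user = m["ip"], m["user"]
        # Drop failures that have aged out of the sliding window.
        recent = [(t, u) for t, u in fails[ip] if ts - t <= window]
        if m["res"] == "Failed":
            recent.append((ts, user))
        fails[ip] = recent
        if len(recent) >= min_failures:
            entry = report.setdefault(
                ip, {"failures": 0, "users": set(), "compromised": None})
            entry["failures"] = max(entry["failures"], len(recent))
            entry["users"] |= {u for _, u in recent}
            # A success right after a burst of failures means a guess worked.
            if m["res"] == "Accepted":
                entry["compromised"] = user
    return report
```

A single mistyped password followed by a successful login, like the `alice` lines in the sample, stays below the threshold and is not reported.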
MyFitnessPal - not only calories are lost
News
Other craftsmen went after fans of healthy living. Data on 150 million accounts leaked from the free calorie counter MyFitnessPal. However, according to the assurances of the application's owner, Under Armour, the attackers did not touch the credit cards; they only stole logins and passwords.
The leak came down to a mess with encrypted credentials. Along with the more robust bcrypt algorithm, the company was still using the old, weak SHA-1 for some records.
To Under Armour's credit, the company responded to the leak quickly: four days after its discovery, customers had already been notified, and, to be on the safe side, both through the application and via email. So whatever the attackers want, they will not get other people's calories to work for them.
Antiquities
Devil-941
A very dangerous memory-resident virus. It infects .COM files in the standard way: in the current directory (when it is activated) and when they are launched (from its TSR copy). It periodically changes the color of some characters on the screen. Depending on its counters, it decrypts and displays the text: “Have you ever been under light? Pray for your disk!”. It contains the strings “Drk” and “*.com”. It intercepts int 9 and 21h.
Disclaimer: This column reflects only the personal opinion of its author. It may coincide with the position of Kaspersky Lab, or it may not. That is a matter of luck.