Hackers are once again finding unsecured MongoDB databases carelessly left exposed on the internet, wiping their contents, and leaving a ransom note demanding a cryptocurrency payment for the data’s safe return.As ZDNet reports, ransom notes have been left on almost 23,000 MongoDB databases that were let unprotected on the public internet without a password.Unsecured MongoDB databases being attacked by hackers is nothing new, of course. Over recent years security breaches involving exposed MongoDB installations have occurred on multiple occasions, claiming the scalps of Verizon, OCR software firm ABBYY, dating websites, amongst others.What makes this particular attack more unusual is that the hacker threatens to contact regulatory authorities if the victim does not pay up, to report them for a GDPR violation.In an example shared by ZDNet, the ransom note demanded 0.015 Bitcoins (at current prices approximately US $140) or data would be leaked and the authorities informed.Part of the ransom note, which is in broken English, reads as follows:All of your data is a backed up. You must pay 0.015 BTC to [REDACTED] 48 hours for recover it. After 48 hours expiration we will leaked and exposed all your data. In case of refusal to pay, we will contact the General Data Protection Regulation, GDPR and notify them that you store user data in an open form and is not safe. Under the rules of the law, you face a heavy fine or arrest and your base dump will be dropped from our server.If you’re unlucky enough to find your MongoDB database wiped by the hacker and replaced by a ransom note, there are an important couple of points to consider:Firstly, will paying the ransom get your data back?Almost certainly not. The hacker may well have accessed 22,900 databases that were not properly secured online, but that’s a very different proposition from actually having successfully exfiltrated what must be a huge amount of data from so many servers. There’s no reason to believe that even if the data was copied by the hacker before it was wiped that they will feel duty bound to return your data to you safely.Secondly, will you be reported for a GDPR violation?Personally I find it hard to imagine that a criminal hacker would make a GDPR complaint against his victims. That’s not to say, of course, that someone else won’t.And that’s a reason, if further reason was ever needed, that everyone running a MongoDB database needs to ensure that they have set it up securely, and not left it open for any Tom, Dick or Hacker to waltz in and cause havoc.Despite MongoDB coming with security features, and providing a checklist for administrators to properly keep their databases out of the reach of unauthorised parties, breaches continue to happen.The tools are there, the information about how to use the tools is available, all that we need is for system administrators to wake up and realise that they need to fix their database security as a matter of priority…. or run the gauntlet of being the next victim of a damaging hack.Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.Follow me for more information.
June 29, 2020
One the face of it, it sounded like a good idea.
A smartphone app, disguised as a regular app delivering the top world, sports, and entertainment news, containing a secret feature that allows victims of domestic abuse to send a covert distress call for help at the touch of a button.
That was the idea behind the free Aspire News App, launched some years ago by When Georgia Smiled, a US non-profit founded by Robin McGraw and her husband US TV star “Dr Phil” to help victims of domestic violence and sexual assault.
To be honest, that still sounds like a good idea to me – if the app is coded well, and if any data it collects is properly secured.
But what isn’t a good idea is for voice recordings made by the app to be left exposed on an unsecured Amazon Web Services (AWS) S3 bucket, allowing anyone with internet access to download them and listen if they so wish.
According to security researchers at VPN Mentor, who found the exposed data, over 4,000 voice recordings of emergency messages left by victims of domestic violence were available to access – no password required.
Some of the 230MB worth of recordings included personally identifiable information such as names, home addresses, as well as the identities of violent abusers.
Transcripts of just two of the recordings that were exposed reveal the seriousness of the situation:
“[Full Name] is threatening or hurting me. Please send help now. [Full address]”
“Please call the police right away and have them come to [Full Address]. I am in great danger. I need you to send the police right away, please…”
Potentially, if the information fell into the wrong hands it could not only expose people who did not want the data revealed at the risk of extortion, but it could also put victims in greater physical danger if their abuser found out.
The researchers attempted to reach out to When Georgia Smiled and the Dr. Phil Foundation to get the serious data breach fixed last Wednesday, but ultimately it took the involvement of AWS itself to get the unsecured web bucket shut down.
So, that’s a happy end to the story, right?
Well, perhaps not.
You see, a security failure like this could lead to victims of domestic abuse losing confidence in Aspire News App. If they do not feel safe any longer using the app, they may find it harder to escape abusive relationships safely.
That clearly wasn’t what Dr Phil and his wife Robin McGraw wanted – the Aspire News app was supposed to help people escape dangerous situations, not make it even harder to find a way out.
Follow me for more information.
June 26, 2020
22-year old man from Vancouver, Washington, has been sentenced to a US federal prison for his role in the development of the Satori botnet, which launched distributed denial-of-service (DDoS) attacks from hijacked IoT devices.
The Satori botnet, based upon similar code to the notorious Mirai botnet which knocked major websites offline in 2016, is thought to have compromised hundreds of thousands of IoT devices, exploiting vulnerabilities to even infect routers wrongly assumed to have been protected with strong passwords.
Kenneth Currin Schuchman, who used the online handle “Nexus-Zeta”, was sentenced yesterday to 13 months in prison, having previously pleaded guilty to charges under the Computer Fraud & Abuse Act. In addition, Schuchman has been ordered to serve 18 months of community confinement to help him address mental health and substance abuse issues, and a three year term of supervised release.
After being initially charged in August 2018 Schuchman was released to pretrial supervision, but broke the terms of his release by making the astonishing decision to continue to create and operate a DDoS botnet, and communicate with his co-conspirators.
In one Discord chat with a co-conspirator using the handle “Viktor”, Schuchman is reminded that he is not supposed to be using the internet without the supervision of his father.
The conversation is accompanied by a screen capture from Schuchman’s conditions of release.
Schuchman, who has already spent 13 months confined in a jail in Alaska, is not the only person of interest to law enforcement as it investigates the Satori botnet.
As Brian Krebs reports, minutes after Schuchman’s sentencing the US Department of Justice charged men from Canada and Northern Ireland for their alleged involvement in the Satori and related IoT botnets.
Aaron Sterritt, 20, from Larne, Northern Ireland and 31-year-old Logan Shwydiuk of Saskatoon, Canada are said by prosecutors to have built, maintained, and sold access to the botnets under their control.
Sterritt is particularly of interest. According to the Department of Justice he was a criminal associate of Schuchman, and used the aliases “Viktor” or “Vamp.” As a teenager he was involved in the high-profile hack of TalkTalk, sentenced to 50 hours community service, and – perhaps most painfully of all – ordered to write a letter apologising to the telecoms firm.
It’s no excuse for criminal behaviour, of course, but the Satori botnet would not have been capable of launching crippling DDoS attacks if it hadn’t successfully recruited vulnerable routers and other IoT devices to form part of its army.
Businesses and home users can play their part by ensuring that IoT devices are not using default or easy-to-crack passwords, are running the latest security patches, and are properly configured and defended to reduce the threat surface.
But there is also a need for manufacturers to build more secure devices in the first place, and to ensure that when a new vulnerability is discovered that it can be easily rolled out to protect customers and the rest of the internet.
Follow me for more information.
June 25, 2020
Do you think you have found a vulnerability in the Sony PlayStation 4 or the PlayStation Network?If so, you could be heading towards a sizeable sum of money. That’s because Sony announced details of a new bug bounty program that it is running in co-ordination with vulnerability-reporting platform HackerOne.Sony is inviting security researchers, gamers and anyone else who is interested to “test the security of PlayStation 4 and PlayStation Network.”Before now, Sony has been running a private invitation-only bug bounty program with some security researchers, but it says that it now believes the best way to enhance security is to embrace the wider community.To encourage testing by more people, the bug bounty program will be offering rewards for different levels of responsibly disclosed vulnerabilities, reaching over $50,000 for previously unknown critical vulnerabilities on the PS4.Of course, there are some rules.Bounty rewards will differ in size depending on the severity of the vulnerability and the quality of the report (both of which will be determined by Sony). For a low-severity vulnerability on PlayStation Network, for instance, you might only receive a reward of $100, ramping up to a minimum of $3,000 for details of a high-severity security problem.On the PlayStation 4 itself, the numbers increase rapidly to in excess of $50,000 for the most critical reports.If you fancy your chances reporting a PlayStation Network vulnerability, then you need to be aware that only the following domains are in scope for a reward:*.playstation.net*.sonyentertainmentnetwork.com*.api.playstation.commy.playstation.comstore.playstation.comsocial.playstation.comtransact.playstation.comwallets.api.playstation.comThat doesn’t mean you have free reign to spam those sites or to launch distributed denial-of-service (DDoS) attacks against them. Intentionally disrupting Sony’s operations or causing any harm is not going to win you any friends, let alone financial rewards.And don’t think that you’ll be able to report vulnerabilities in Sony’s older gaming hardware (such as earlier versions of the PlayStation, the PS Vita, or the PSP) or flaws found on the PlayStation 4 if it is not running the current beta version of its system software.Sony does not want you to be testing its corporate IT infrastructure. I imagine that it has internal security teams and expert third-party firms who help it with that kind of work. The last thing they would want is every man and his dog trying to hack into their corporate email servers.That’s not to say that Sony might not be interested if you find vulnerabilities that aren’t covered by the rules of the PlayStation bug bounty program. It’s just that you will have to report them via a separate bug bounty process and play by its rules.But if you do find a critical vulnerability in PlayStation 4 or the PlayStation Network, you could find yourself on the receiving end of a substantial reward – provided you are prepared to work together with Sony, giving them time to remediate any problems before you go public about it.For full details of what you can do, what you can’t do, and how you might be rewarded for it, go check out the Sony PlayStation bug bounty page at HackerOne.Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.Follow me for more information.
June 24, 2020
The activist group Distributed Denial of Secrets, perhaps better known by their shorter but clumsy moniker DDoSecrets, has been permanently banned from Twitter.
The self-declared “transparency collective”, which published leaked and hacked data it claimed was of public interest, earned its banishment from Twitter after it distributed a gigantic collection of sensitive documents related to police and law enforcement across the United States.
As we previously reported, the 270GB data dump (dubbed “BlueLeaks”) contains many years worth of information from over 200 US police departments, FBI reports, and other law enforcement agencies.
As investigative journalist Brian Krebs reports, the data appears to have been exfiltrated following a security breach at web development firm Netsential.
The publication of the data appears to have been deliberately timed by DDoSecrets to coincide with “Juneteenth”, the United States’s national day of commemoration of the ending of slavery, June 19th.
Unfortunately, the group’s haste to release the data in time appears to have overtaken any desire to redact details which could put innocent parties at risk: such as images of suspects in police investigations, banking details, and other personally identifiable information (PII).
There are additionally concerns that the breach could endanger ongoing police investigations, and the lives of law enforcement officers.
And as the dumped data contains information reaching back as far as perhaps the mid-1990s, there is additionally the risk that information may be completely out-of-date.
Speaking to Wired, DDOSecrets founder Emma Best admitted that the group had probably failed to redact all information related to crime victims, children, and unrelated private businesses:
“Due to the size of the dataset, we probably missed things. I wish we could have done more, but I’m pleased with what we did and that we continue to learn.”
That’s a startling admission of failure. More clearly could have been done, but from the sound of things DDoSecrets and its supporters were working to too tight a deadline.
And clearly Twitter was not impressed to see the dissemination of the hacked data, which is in conflict with its policies.
Having been criticised in the past for its tardy response in banning other hacking groups, such as The Dark Overlord, DC Leaks, and Guccifer 2.0, Twitter clearly felt it couldn’t stand silent while the BlueLeaks data leak was being so overtly disseminated on its platform.
Such a ban, however, may not silence DDoSecrets permanently. Don’t be surprised if they pop up again, in a new guise, to share stolen secrets on Twitter.
Follow me for more information.
June 19, 2020
58-year-old Danielle Bulley may not look like your typical cybercriminal, but the act of revenge she committed against a company had just as much impact as a conventional hacker breaking into a business’s servers and causing havoc.
As North Yorkshire police report, Bulley has been successfully prosecuted under the UK’s Computer Misuse Act after deleting thousands of important files from a company that went on to collapse.
Once upon a time, Bulley was a director of a business called Property Press that produced a weekly property newspaper focused on south east Devon.
At some point things turned sour, and Bulley resigned her position at the firm in 2018 before the company went into liquidation. However, fellow director Alan Marriott started a new business venture – without Bulley’s involvement – using the assets of the old firm.
Things clearly didn’t sit well with Bulley after her departure from the business, and several months after her resignation she managed to gain unauthorised access to the new company’s Dropbox account.
More than 5,000 documents were permanently erased, and the company claimed that the damage to business was so great that it could no longer operate, with people losing their jobs and a loss of almost £100,000.
Unable to continue to operate, the business was forced to close down.
When specialist police from North Yorkshire Police’s Cyber Crime Unit investigated, they discovered that the Dropbox account had been remotely accessed from an IP address associated with Danielle Bulley.
Under questioning, Bulley admitted that she had deleted the files, claiming that she believed she was entitled to do so, but knowing that it would cause chaos the business.
Detective Constable Steven Harris of the Cyber Crime Unit warned other companies of the threat which can be posed by former employees:
“Bulley’s actions had dire consequences for people’s livelihood. During our investigation, it became clear that Bulley had left the original company on a bad note, but the deletion of thousands of files containing vital information was catastrophic for the victim. It dealt the new business a blow from which it never recovered.”
“Ex-employees can pose a serious risk to a business because they are familiar with the company’s IT infrastructure and procedures. This can make it easier for them to carry out cyber crimes against their former organisation.”
Sentencing Bulley to an 18-month community order with 80 hours’ unpaid work, Judge Simon Hickey said: “It was done in revenge. She was a respectable woman, but had lost her good character.”
If someone is leaving your company, especially if they are quitting your firm under something of a cloud, you would be wise to check that they don’t know your business’s passwords or have retained access to sensitive information.
Passwords should be changed, and additional authentication methods should be in place to prevent unauthorised access. Dropbox, for instance, provides a two-step verification feature which all users would be wise to enable.
And if you believe you have been wronged by a former employer do not make the mistake of thinking your anger should be directed towards them through some criminal action. You may feel that you have not been fairly treated, but you will feel much worse if you end up with a criminal conviction.
Follow me for more information.
June 18, 2020
Fraudsters stole more than $3.2 million from the banking division of South Africa’s post office, after – in a catastrophic breach of security – employees printed out the bank’s master key.According to South African media reports, the security breach occurred in December 2018 when a copy of Postbank’s digital master key was printed out at a data center in Pretoria.According to internal documents acquired by journalists, employees stole the 36-digit master encryption key, which “allows anyone who has it to gain unfettered access to the bank’s systems, and allows them to read and rewrite account balances, and change information and data on any of the bank’s 12-million cards.”The security breach went unnoticed for months, giving fraudsters free reign to steal millions of dollars. In the nine months up to December 2019, the fraudsters are thought to have used the copied master key to access accounts without authorisation, and make over 25,000 fraudulent transactions, mostly from cards used by people receiving social benefits from the government.A problem for Postbank is that all of the cards were generated with the compromised master key. The bank believes that replacing all of the cards will cost in the region of $58 million.The bank has conducted an internal security audit following the breach, and suspects that rogue employees are responsible.According to news reports, South Africa’s Reserve Bank last year gave Postbank an 18 month deadline to replace the compromised cards. The bank has also responded to the breach by prohibiting contactless offline transactions for cardholders.Many questions remain unanswered regarding how the master key was secured, such as whether the key had been divided into separate parts stored separately – requiring collusion between different people to reveal it in its entirety, and what measures Postbank (not to be confused with the German bank of the same name) had taken to keep tight control of such a critical asset.But clearly something went very wrong at the very heart of the bank if it was possible for someone to make off with a copy of such an essential part of its security as its master key, and then exploit it to make fraudulent transactions. The natural suspicion has to be that the fraud was orchestrated with the assistance or knowledge of privileged insiders within the bank, rather than tech-savvy hackers just happened to stumble across a piece of paper containing a printout of the bank’s master key.All too often organisations are more focused on the threat posed by external hackers and ignoring the risks presented by partners, contractors, and rogue members of staff.Insiders have advantages over malicious external hackers for a variety of reasons. An insider threat can be tough to detect and remain undetected for years, sometimes indistinguishable from regular work activities.An insider has often been given special privileges to work alongside sensitive data, making it harder to know if what they are doing is malicious or not. Furthermore, it’s much easier for a rogue employee to cover their tracks than an external hacker, destroying evidence that otherwise might later be used against them, or blaming incompetence rather than malicious intent for any breach that occurs.Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.Follow me for more information.
June 16, 2020
This domain was then used, the following month, to exfiltrate information entered on the checkout pages of Claire’s online store and its sister brand Icing.
Attacks like this are, unfortunately, not uncommon. Most notoriously, malicious code known as Magecart has been used to steal sensitive information from unsuspecting internet users.
What’s so dangerous about a Magecart attack is that it doesn’t matter if a company does not store all of your credit card payment details (such as your CVV security code). Nor does a Magecart attack have to break into a company’s database or crack sophisticated encryption to extract sensitive information.
Instead, Magecart’s malicious script can lurk on a company’s website watching the information as it is entered by customers into a payment form, and send it to the waiting hackers.
Companies whose customers have been impacted by past Magecart attacks include Ticketmaster, British Airways, Feedify, Umbro, Vision Direct, Newegg, Sweaty Betty, SHEIN, Nutribullet, the American Cancer Society… and many many more.
Often these attacks are orchestrated through “supply-chain” attacks, where the hackers poison a third-party script used by a website and therefore don’t need to breach the website’s own defences to steal from customers as they shop.
However, in the case of Claire’s it appears that the hackers did actually gain access to the online store’s infrastructure.
This raises some interesting questions.
Firstly, how did the hackers gain access to the website in order to plant their malicious code? Did they exploit a vulnerability on the website, was a member of staff phished, or was this part of a wider exploitation of Claire’s infrastructure?
The next obvious follow-up question is what has Claire’s done to ensure that a similar breach doesn’t happen again?
In a statement the firm says that upon being notified by Sansec of the security breach, it removed the offending code.
“On Friday, we identified an issue related to our e-commerce platform and took immediate action to investigate and address it. Our investigation identified the unauthorized insertion of code to our e-commerce platform designed to obtain payment card data entered by customers during the checkout process. We removed that code and have taken additional measures to reinforce the security of our platform. We are working diligently to determine the transactions that were involved so that we can notify those individuals.”
It’s good to see action has been taken, and that customers will be notified, but what should not be ignored is that some online stores have been haunted by repeat infections. Research produced by Willem de Groot, for instance, has warned in the past that 20% of Magecart-compromised merchants find their internet stores reinfected within days.
And finally, what is to be made of the four weeks or so between the registration of the domain claires-assets.com and the launch of the hackers’ web-skimming attack against customers or Claire’s.
All the evidence points to a determined effort by the hackers to find a weakness at Claire’s that could be exploited to plant the code. It seems to me that criminals knew that with the closure of its shopping mall stores, there would be an increase in online purchases… and were hellbent on taking advantage of the retail lockdown to fill their pockets.
Some retailers in some countries are beginning to take tentative steps out of lockdown, opening their doors again to shoppers. They would be wise not to continue to watch their websites carefully for web-skimming attacks like the one which hit Claire’s.
Follow me for more information.
June 12, 2020
The City of Florence in northern Alabama has agreed to pay a ransom of US $300,000 worth of Bitcoin to hackers who compromised its computer systems and deployed ransomware.
At an emergency meeting this week, the Florence City Council unanimously voted to give in to the extortionists’ demands and pay the cybercriminals behind the attack.
Embarrassingly for the council workers, they were first warned that hackers had infiltrated a Windows 10 PC connected to their IT systems in late May by security blogger Brian Krebs.
Krebs says that he alerted “numerous officials” that criminals specialising in deploying ransomware had compromised their network and – if not stopped – might launch a more widespread attack.
It appears, however, that the Florence city council failed to successfully expel the hackers, who activated their DoppelPaymer ransomware on the city’s IT systems on June 5th.
At the time, Florence Mayor Steve Holt told the media that the city’s email system had been shut down, but that no ransom had been demanded, and officials did not believe that any information had been lost.
Less than a week later the City of Florence realises that things are more serious. As Mayor Steve Holt told journalists, money from the city’s insurance fund will be used to pay the hackers’ ransom demands:
“We began taking every precaution we could possibly take, and then on June 5 it actually hit us. It appears they may have been in our system since early May – over a month going through our system.” “It’s a roll of the dice for us to say ‘nope we’re not doing that,’ and if they actually have our information in their possession they can send it publicly. This unfortunately is a response on our part to pay to make sure they delete it.”
Quite how the council will be able to 100% confirm that the hackers have permanently erased any data they have stolen is unclear, but the gang behind the DoppelPaymer ransomware is reputed to keep its word and not release data after a ransom has been paid.
The same DoppelPaymer ransomware has recently struck NASA contractor Digital Management Inc (DMI) and previously hit the city of Torrance, in the South Bay region of Los Angeles.
Unfortunately Florence is not the only US city to find itself dealing with the aftermath of a ransomware infection this week.
The city of Knoxville, Tennessee, shut down its computer systems after ransomware encrypted its systems in the early hours of Thursday.
In social media posts, the public were advised that court sessions were cancelled as a result of the computer network being offline.
A post on the city’s official website, meanwhile, warns the city’s 180,000 residents that “City online services are currently unavailable.”
A spokesperson said that the FBI had been informed of the attack, which was first spotted by employees of the fire department at approximately 4:30am on June 11th.
Knoxville officials have declined to make public the size of the ransom demand they have received, and no information has been shared about the type of ransomware that was involved.
Cities and government departments are on the horns of a dilemma when it comes to ransomware attacks.
The risk when you give in to an extortionist’s ransomware demand is that you are encouraging other criminals to launch similar attacks. A strong message is sent out to other attackers that organisations are prepared to pay a ransom if hit by ransomware. And that, inevitably, means more ransomware attacks for all of us to fend against.
But at the same time, attacked councils may feel that there is less of a financial hit paying their ransomware attacker than trying to recover from an infection. And if the ransomware attack has also stolen data from an organisation – which the most pernicious strains of ransomware do today – then you may feel that you are protecting your citizens better by at least trying to stop their possibly sensitive data from being leaked to the outside world.
In July last year, a resolution was passed by the the United States Conference of Mayors (USCM) agreeing to “stand united against paying ransoms in the event of an IT security breach.”
Judging by the decision made unanimously this week by the emergency meeting of the City of Florence, Alabama, that is a resolution which some cities are choosing to ignore.
Follow me for more information.