WHAT IS WATERMINER? NEW STEALTH CRYPTOMINER FOUND HIDDEN IN GTA MOD ON RUSSIAN-SPEAKING FORUM
Security researchers have uncovered a new evasive cryptominer dubbed “WaterMiner” hidden in modified video games, including a Grand Theft Auto (GTA) mod, available for download on a Russian-speaking forum. The evasive Monero mining malware is embedded within gaming mods, including one that claimed to “enhance” GTA, and is designed to hijack a victim’s CPU and abuse the computer’s processing power to covertly mine digital currencies. Researchers at Minerva Labs said the malware is an altered version of a legitimate open-source miner called XMRig. Once executed, the file launches a series of commands that help execute the WaterMiner malware and then verifies whether or not the machine has already been infected with the malicious software. “The WaterMiner malware, once activated, uses TCP port 45560 to communicate with a mining pool that combines the infected machine’s computational resources with that of multiple other miners to share resources and distribute Monero rewards accordingly.” “While examining the downloader, Minerva found unique indicators, which helped trace the source code of an earlier version on Pastebin,” researchers continued. “The author’s comments within the source explicitly refer to the ‘mining’ functionality and indicate that the attacker intentionally included the miner as part of the mod.” Minerva said the threat actor behind the WaterMiner campaign goes by the alias “Martin 0pc0d3r” and has “some history in developing other forms of questionable or malicious software, such as auto-aiming bots and mods for computer games.” When another user accused Anton of reselling someone else’s work, Anton proudly admitted to being 0pc0d3r and the author of the malicious mods and cryptominer. “It seems that lately he realised it’s possible to earn money from his popular mods by infecting his ‘clients’ with multiple types of malware, including cryptominers,” researchers added.
MORE THAN 30 MILLION SOUTH AFRICAN IDENTITIES EXPOSED ONLINE IN MASSIVE 27GB DATA BREACH
The personal information of at least 30 million South African citizens has been exposed in what is believed to be the biggest data breach to ever hit the country. South Africa has a total population of approximately 56 million people. “Someone in South Africa literally published their database of the entire country to the public internet.” 2 million email addresses but “tens of millions of actual identities” in the full database. za, a service tied to a Johannesburg business called Dracore Data Sciences. A statement published to Dracore Data Sciences’ website claimed Jacobs had confirmed the source of the leaked data was a compromised Jigsaw Holdings server. za”, an estate agency in South Africa that was reportedly once a client of Dracore’s. Chantelle Fraser, CEO of Dracore Data Sciences, added: “We conclusively know that we are not the source of the data leak.” She said that the impact of the leak will be “far reaching.” The true scope – and length – of the business relationship between Dracore Data Sciences and Jigsaw Holdings remains unclear at the time of writing. Now, any South African citizens who are concerned their personal data was exposed online are advised to check Have I Been Pwned.
WHAT IS HACKER’S DOOR? OLD SOPHISTICATED CHINESE TROJAN RESURFACES AFTER MORE THAN A DECADE
Security researchers have discovered a sophisticated remote access trojan (RAT) named “Hacker’s Door” that has resurfaced more than a decade after it first popped up in 2004 and was updated with new features in 2005. Cylance researchers said a new sample of the malware shared many traits with the old 2004 Chinese backdoor of the same name, but has now been updated to run on newer operating systems and modern 64-bit platforms. The newer version of the malware includes a backdoor along with a rootkit driver that is used for covert communications, Cylance said in a blog post published on Tuesday (17 October). Researchers said the malware can support up to Windows 8. Cylance researchers said the old, largely undocumented RAT has not easily been found in the wild. Researchers said the malware seems to be operated by the Chinese advanced persistent threat (APT) hacker group Winnti. “The recent discovery of a new version, updated for modern Operating Systems, signed with a stolen certificate and actively employed as part of an ongoing compromise is interesting, as it once again shows that threat actors are comfortable relying on third-party tools to reduce development time/costs for malware that will likely be uncovered,” researchers said. The recent updates to Hacker’s Door also showed that it is currently undergoing “active development.” “Despite the author stating, ‘please do not use for illegal purposes’, they continue to profit from the sale of this aggressive remote access tool,” Cylance said. “It is highly likely that this tool will continue to be uncovered as part of targeted attacks for some time, as the ease of use and advanced functionality makes ‘Hacker’s Door’ the perfect RAT for any adversary’s arsenal.”
OSX PROTON: MAC MALWARE THAT ALLOWS HACKERS TO SPY AND STEAL DATA SPREADING VIA HACKED ELTIMA APPS
THIS NEW BOTNET COULD TAKE DOWN THE INTERNET – AND IT’S RAPIDLY SPREADING ACROSS THE WORLD
According to cybersecurity company Check Point, a new botnet has been spotted which is enslaving internet-of-things (IoT) devices – mainly internet routers and remote cameras. Research suggested that the new botnet is evolving at a rapid pace, and could soon be weaponised to launch cyberattacks in the same fashion as “Mirai” last year. When the Mirai botnet hit a year ago, in October 2016, the computing power was exploited to take a slew of US websites offline – including Twitter, Reddit and Netflix – using denial of service attacks. A few months later, in November, a variant of the Mirai botnet was deployed to take approximately 900,000 Deutsche Telekom routers offline, leaving customers without internet. The company’s research started at the end of September 2017, and the team said it “soon realised” that it had stumbled upon the “recruitment stages of a vast IoT botnet.” In the last few days of September, Check Point noticed an “increasing number of attempts” by unknown hackers to exploit several existing vulnerabilities in IoT devices. In the last few days, the team said, the botnet has been evolving. Check Point said: “While some technical aspects lead us to suspect a possible connection to Mirai, this is an entirely new and far more sophisticated campaign that is rapidly spreading worldwide.” “It is too early to guess the intentions of the threat actors behind it, but with previous botnet DDoS attacks essentially taking down the internet, it is vital that organisations make proper preparations,” the team noted. “It is vital to have the proper preparations and defence mechanisms in place before an attack strikes,” experts said.
HACKED PERSONAL DETAILS OF MILLIONS OF MALAYSIAN CITIZENS ALLEGEDLY FOR SALE ONLINE
The personal data of “millions” of Malaysian citizens has reportedly been listed for sale online in what could potentially be the biggest information leak in the country’s history. According to Malaysian technology website Lowyat, which has published screenshots of the exposed citizen data, an unknown seller was caught advertising the leak on its forums. Upon investigation, the website’s team reportedly found it contained data linked to a slew of different websites and telecommunications companies. They allegedly include: Jobstreet, the Malaysian Medical Council, the Malaysian Housing Loan Applications and the National Specialist Register of Malaysia. Lowyat reported that one of the databases – from Jobstreet – contained 17 million rows of user data, including names, hashed passwords, addresses and phone numbers. The biggest trove was reportedly collated from the slew of telecommunications companies – with 50 million customer records featuring names, handset descriptions, addresses, SIM numbers and IMSI numbers from 2012-15. The Lowyat administrator – under the name Vijandren – wrote: “While we have taken all efforts to ensure that illegal sales like this are removed from our forums, we are also aware that the same data is being peddled across a number of other online channels. The Malaysian Communications and Multimedia Commission we believe have been alerted to this issue and will be taking strict action against those found guilty of selling or buying such data.” IBTimes UK has not independently verified the leaked information at the time of writing.
LOKIBOT: HACKERS MADE OVER $1.5M WITH NEW ANDROID BANKING MALWARE THAT TURNS INTO RANSOMWARE
A new Android banking malware dubbed LokiBot comes with some ransomware capabilities and is being sold on the dark web for $2,000 worth of Bitcoins. LokiBot’s main attack vector involves phishing overlays on numerous banking apps. LokiBot also comes with some unique features, such as starting the browser app and opening up a specific webpage, automatically replying to SMS messages, starting the victims’ bank app, as well as sending out fake notifications purporting to be from legitimate apps. Although LokiBot functions primarily as a banking Trojan, it can turn into ransomware if attempts are made to disable the malware’s admin rights or when victims try to remove it. Once the ransomware feature is activated, LokiBot encrypts all of the victims’ data. Unfortunately, however, the malware still manages to activate its screen locker feature to lock out victims from their phones. LokiBot’s operators appear to be continually updating the malware, especially its security detection features, which although not very advanced, are more extensive than those used by other banking malware variants in the wild. “It is very unlikely that the actors behind Android LokiBot have gained this amount of money using only LokiBot since the requested fee for ransomware is between $70 and $100 and the bot counts in the various campaigns we have seen is usually around 1000,” researchers said in a blog. “In fact, we have seen new features emerge in the bot almost every week which shows that LokiBot is becoming a strong Android trojan, targeting many banks and popular apps. We believe that the actors behind LokiBot are successful, based on their BTC traffic and regular bot updates,” the researchers added.
GOVERNMENT’S CYBER VULNERABILITIES AFFECT PRIVATE SECTOR IN IRINN HACK
A recent report by Seqrite Intelligence Labs, the enterprise security solutions brand of Quick Heal Technologies, disclosed an advertisement they discovered on the Darknet (a small portion of the internet hidden from search engines). The advertisement announced secret access to the servers and databases of over 6,000 Indian organizations – including internet service providers (ISPs) as well as public and private sector organizations. The hacker offered this information for 15 bitcoin (equivalent to approximately USD$73,000). The hacker subsequently offered to execute further cyber-attacks against the listed companies for an undisclosed price. Seqrite Cyber Intelligence Labs, along with its partner seQtree InfoServices, called it one of the biggest breaches affecting Indian organizations. Seqrite and seQtree reported that the Indian Registry for Internet Names and Numbers (IRINN), which comes under the National Internet Exchange of India, was the organization that hackers had compromised. After discovering the advertisement, Seqrite and seQtree teams started gathering background research on the hacker but were unable to identify the perpetrator. The research team then contacted the hacker for further details, posing as an interested buyer. The hacker shared a sample of their stolen data, which included an email address of a prominent Indian technology firm and information linked back to the Indian government. According to Seqrite Intelligence Labs, this hacker may have the capacity to create serious service outages in India. The entities affected by the data breach include the Bombay Stock Exchange, the Reserve Bank of India, the Indian Space Research Organization, Wipro, Mastercard, Visa, Hathaway, IDBI Bank, and Ernst & Young. According to researchers, the seller claims to have the ability to tamper with the IP allocation pool, which could result in a serious outage or distributed denial of service (DDoS) condition.
DARK WEB MARKETS SELLING REMOTE ACCESS TO CORPORATE PCS FOR JUST $3 ALLOWING HACKERS TO SPY ON FIRMS
Dark web vendors are now selling remote access to corporate computers for as little as $3 (£2.28). Dark web marketplaces have begun increasingly selling credentials to hacked Remote Desktop Protocol (RDP) servers, which allow hackers to spy on and steal data from companies without using malware. In the case of Windows PCs, RDPs could allow hackers to remotely access a computer and compromise a corporate network, leaving the firm open to potential data breaches, espionage and more. This makes RDPs valuable to cybercriminals. According to security experts at Flashpoint, RDPs from across the globe are currently up for sale in the popular dark web market Ultimate Anonymity Services (UAS). RDPs being sold were sourced from healthcare, education and government organisations. “UAS offers SOCKs proxies in addition to over 35,000 brute forced RDPs for sale,” Flashpoint researchers said in a blog. “UAS offers RDPs sourced from countries across the world; however, in keeping with Eastern European cybercriminal norms, the shop does not offer RDPs from the Commonwealth of Independent States (CIS).” Over 7,200 RDPs from China, 6,100 from Brazil, 3,000 from India, 1,300 from Spain and 900 from Colombia were found being sold on UAS. According to the Flashpoint researchers, these countries may have a higher number of exposed RDPs presumably because of “lax cybersecurity hygiene” involving remote connection monitoring. UAS also offers around 300 US-based RDPs, from Virginia, Ohio, Oregon and California. Regardless of the country of origin, RDPs on UAS were priced between $3 and $10. In comparison, xDedic, another dark web market and a competitor of UAS, offered RDPs for over $100 in some cases. “UAS’ lower prices may contribute to the growing popularity of the shop among cybercriminals,” the Flashpoint researchers said, adding that cybercriminals’ interest in UAS “will likely continue growing”.
TARTE COSMETICS DATA LEAK: CRU3LTY HACKERS GET HOLD OF NEARLY 2 MILLION CUSTOMERS’ DATA LEFT EXPOSED
Yet another massive data leak, exposing millions of people’s personal information, has come to light. Tarte Cosmetics, considered to be a cult favourite beauty brand, freely exposed nearly two million customers’ personal data to the public via two unsecured databases. Sensitive data of both US and international customers, who shopped online between 2008 and 2017, was left publicly exposed via two unsecured MongoDB databases. The two MongoDB databases that contained Tarte’s customers’ data were “set up without the proper security measures” with the security settings switched to “public” instead of “private”, which in turn left the data freely available online. Kromtech security researchers may not have been the only ones to stumble across the trove of data. Cru3lty accessed exposed data. It is still unclear as to how long the data was left exposed before it was secured. “In this instance they would already have the last 4 digits of the credit card on file and with 2 million customers they would have all of the personal information needed to trick them into believing they are confirming their credit card with a company they trust. With all of the other data leaks online it is possible that criminals could even cross reference this data against other breaches and get the customer’s full card number or more information. Almost every week there seems to be another massive data leak, hack, or security breach that exposes customer data,” Diachenko said in a blog. “At Tarte, keeping customer information fully secure is our No 1 priority.”