South Korean Webhost Nayana Pays USD1 Million Ransom
So far this Nayana payout is the biggest ransomware payment I’ve seen reported, there’s probably some bigger ones been paid but kept undercover.
Certainly a good deal for the bad actors in this play, and well using an outdated Kernel along with PHP and Apache versions from 2006 you can’t feel too sorry for Nayana.
A South Korean web hosting company is forking out just over US$1 million to ransomware scum after suffering more than eight days of nightmare.
Nayana first announced the attack on June 10, saying customer video files and its database had been encrypted, and promising to work to recover the data.
More than 150 servers were hit, hosting the sites of more than 3,400 mostly small business customers.
After a lengthy negotiation with the hackers, a demand for Bitcoin worth 5 billion won (nearly $4.4 million) was trimmed to around $1 million (397.6 Bitcoin), and the company paid up. The ransom was demanded in three instalments; so far, two have been made.
They’ve made 11 Announcements so far about the situation with the latest being from yesterday, in which they state they’ve paid the ransom but it will still quite some time for them to decrypt the customer data and restore it properly (10 days or more in some cases).
Obviously it’ll depend on the number of files, the size of the files encrypted and the power of the machine running the decryption.
Trend Micro reckons the attack used a version of Erebus ported to Linux.
Trend says at the time of the attack, Nayana was running a witch’s brew of vulnerable systems – an old Linux kernel (2.6.24.2) compiled in 2008, Apache 1.3.36 and PHP 5.1.4 (both dating from 2006).
As well as getting schooled in why systems need to be kept up to date, Nayana says it’s working with the Korea Internet and Security Agency and other “cyber criminal investigators”.
The company’s next recovery status announcement is due today (Tuesday, 20 June).
For those that say they don’t have a budget for security, they should look at this. You could hire a whole red team, an external security audit and use top notch protection tools for far less than $1 Million USD.
I hope this serves as a lesson to more organisations than just Nayana.
Source: The Register
Posted in: Exploits/Vulnerabilities, Malware | Add a Comment
pyrasite – Inject Code Into Running Python Processes
pyrasite is a Python-based toolkit to inject code into running Python processes.
pyrasite works with Python 2.4 and newer. Injection works between versions as well, so you can run Pyrasite under Python 3 and inject into 2, and vice versa.
Usage
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 |
usage: pyrasite [-h] [--gdb-prefix GDB_PREFIX] [--verbose] [--output OUTPUT_TYPE] pid [filepath|payloadname] pyrasite --list-payloads pyrasite - inject code into a running python process positional arguments: pid The ID of the process to inject code into filepath|payloadname The second argument must be a path to a file that will be sent as a payload to the target process or it must be the name of an existing payload (see --list-payloads). optional arguments: -h, --help show this help message and exit --gdb-prefix GDB_PREFIX GDB prefix (if specified during installation) --verbose Verbose mode --output OUTPUT_TYPE This option controls where the output from the executed payload will be printed. If the value is 'procstreams' (the default) then the output is sent to the stdout/stderr of the process. If the value is 'localterm' then the output is piped back and printed on the local terminal where pyrasite is being run. --list-payloads List payloads that are delivered by pyrasite For updates, visit https://github.com/lmacken/pyrasite |
You can download pyrasite here:
Or read more here.
Posted in: Exploits/Vulnerabilities, Hacking Tools, Programming | Add a Comment
snitch – Information Gathering Tool Via Dorks
Snitch is an information gathering tool which automates the process for a specified domain. Using built-in dork categories, this tool helps gather specified information domains which can be found using web search engines. It can be quite useful in early phases of penetration tests (commonly called the Information Gathering phase).
snitch can identify general information, potentially sensitive extensions, documents & messages, files and directories and web applications.
There are other tools which perform similar functions or parts of what snitch does:
– DMitry – Deepmagic Information Gathering Tool
– wig – CMS Identification & Information Gathering Tool
– theHarvester – Gather E-mail Accounts, Subdomains, Hosts, Employee Names
Usage
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 |
devil@hell:~/snitch$ python snitch.py _ __ __ _________ (_) /______/ /_ / ___/ __ \/ / __/ ___/ __ \ (__ ) / / / / /_/ /__/ / / / /____/_/ /_/_/\__/\___/_/ /_/ ~0.3 Usage: snitch.py [options] Options: -h, --help show this help message and exit -U [url], --url=[url] domain(s) or domain extension(s) separated by comma* -D [type], --dork=[type] dork type(s) separated by comma* -C [dork], --custom=[dork] custom dork* -O [file], --output=[file] output file -S [ip:port], --socks=[ip:port] socks5 proxy -I [seconds], --interval=[seconds] interval between requests, 2s by default -P [pages], --pages=[pages] pages to retrieve, 10 by default -v turn on verbosity Dork types: info Information leak & Potential web bugs ext Sensitive extensions docs Documents & Messages files Files & Directories soft Web software all All |
You can download snitch here:
Or you can read more here.
Posted in: Hacking Tools, Privacy, Web Hacking | Add a Comment
Fake News As A Service (FNaaS?) – $400k To Rig An Election
This is pretty interesting, the prices for Fake News as a Service have come out after some research by Trend Micro, imagine that you can create a fake celebrity with 300,000 followers for only $2,600.
Now we all know this Fake News thing has been going on for a while, and of course, if it’s happening, some capitalist genius is going to monetize it and offer it as a professional service.
Fake news has come to be associated with political intrigue but the same propaganda techniques are also abused by cybercriminals, according to a study by Trend Micro.
The techniques and methods used to spread fake news and manipulate public opinion have a wide range of objectives and even a price list.
Cybercriminals produce, market and monetise fake news in underground markets. The scope of a campaign and intended target affect pricing. For example, campaigns aimed to spark street protests are priced at $200,000 while discrediting a journalist would cost $55,000 and creating a fake celebrity (with 300,000 followers) costs a more modest $2,600.
A year-long campaign to influence election outcomes is available for just $400,000, the study says. Whether such listings are in themselves an attempt at disinformation is certainly debatable. US intel agencies, Western politicians and security firms are nigh-on unanimous that attempts to influence the US presidential election last year were the work of the Kremlin. For example, UK defence secretary Sir Michael Fallon recently said the Kremlin is “weaponising misinformation” as part of a sustained campaign that goes beyond alleged meddling in the presidential election.
You can read the full 77 page report by Trend here: The Fake News Machine [PDF]
It’s insightful to see the types of services that are available, and how they are categorised. Now I’ve known about social media manipulation for many years (fake likes, followers, YouTube views and so on) but to see this kind of Fake News at scale, as a service is something new to me.
Fake news services typically involve the creation of fake social media profiles and groups; developing the fake content itself; driving likes and retweets for dissemination; and building legitimate-looking news sites. All these steps are designed to set up and sustain false narratives.
For an additional fee, multiple news sites can be purchased which cross reference each other to add more authenticity to the fake news campaign, the report reveals.
Chinese, Russian, Middle Eastern and English underground marketplaces offer fake news services of one type or another. Regional differences exist.
For example, in China, fake advertorials can be purchased for as little as ¥100 (£11), while in Russia 35,000 rubles (£483) will buy your video two minutes on the YouTube homepage.
The report also details an example of the dissemination of fake news, including the cynical abuse of the recent Manchester bombing attack. Mexican journalists were falsely listed in galleries as bombing victims in what’s thought to be an attack by a drug cartel. These fake victim pics were subsequently promoted through social media.
Unfortunately there’s no technical solution to thwart this, it’s purely about education. If people don’t fact check, cross check and verify sources before disseminating them this whole Fake News situation is just going to get worse and worse.
I feel like it had a serious impact on both Brexit and the Trump election, and it’s likely to stay very relevant in any large scale World events as so many people now base their opinions on what they see online.
Source: The Register
Posted in: Legal Issues, Social Engineering | Add a Comment
credmap – The Credential Mapper
Credmap is an open source credential mapper tool that was created to bring awareness to the dangers of credential reuse. It is capable of testing supplied user credentials on several known websites to test if the password has been reused on any of these. It is not uncommon for people who are not experts in […]
Posted in: Hacking Tools, Password Cracking, Privacy | Add a Comment
LazyDroid – Android Security Assessment Tool
Lazydroid is a tool written as a bash script to facilitate some aspects of an Android Security Assessment. Features It provides some common tasks such as: Set the debug flag of an application to true Set the backup flag of an application to true Re-Build the application Re-Sign the application Smart log extraction of an […]
Posted in: Hacking Tools | Add a Comment
OneLogin Hack – Encrypted Data Compromised
The OneLogin hack is blowing up now it seems like whoever got access can also decrypt encrypted customer data which is just about AS BAD as it can get for a password/identity management service. Now I’m a HUGE supporter of password management tools as I’ve mentioned many times here, so anyone who signed up for […]
Posted in: Cryptography, Exploits/Vulnerabilities, Privacy, Web Hacking | Add a Comment
EtherApe – Graphical Network Monitor
EtherApe is a graphical network monitor for Unix modelled after etherman. Featuring link layer, IP and TCP modes, it displays network activity graphically. Hosts and links change in size with traffic. Colour coded protocols display. It supports Ethernet, FDDI, Token Ring, ISDN, PPP, SLIP and WLAN devices, plus several encapsulation formats. It can filter traffic […]
Posted in: Countermeasures, Network Hacking, Security Software | Add a Comment
maltrail – Malicious Traffic Detection System
Maltrail is a malicious traffic detection system, utilizing publicly available (black)lists containing malicious and/or generally suspicious trails, along with static trails compiled from various AV reports and custom user-defined lists, where trail can be anything from domain name (e.g. zvpprsensinaix.com for Banjori malware), URL (e.g. http://109.162.38.120/harsh02.exe for known malicious executable), IP address (e.g. 185.130.5.231 for […]
Posted in: Countermeasures, Malware, Security Software | Add a Comment
Windows XP Too Unstable To Spread WannaCry
Not a super serious article this one, but I found it very entertaining – apparently, Windows XP has a BSOD (Blue Screen of Death) when faced with a WannaCry infection. There’s a very extension analysis of WannaCry here where this information comes from WannaCry: Two Weeks and 16 Million Averted Ransoms Later. Yes, WannaCrypt can […]
Posted in: Exploits/Vulnerabilities, Malware, Windows Hacking | Add a Comment