#CyberSecurityPulse: PyeongChang Olympics: A New False Flag Attack?

Tuesday, March 20, 2018

A postmortem of the Olympic Destroyer malware used in the PyeongChang Olympics attack reveals a deliberate attempt by adversaries to plant a false flags when it comes to attribution, according to researchers. Days after the crippling attack on the backend networks tied to the Winter Olympic Games, a chorus of security experts attributed the attacks to everyone from Russia, Iran, China and groups such as Lazarus, the nation-state backed gang linked to North Korea. However, security experts now believe a skilled and mysterious threat actor behind the malware intended to sow confusion among those attempting to assign attribution to the attack. "Perhaps no other sophisticated malware has had so many attribution hypotheses put forward as the Olympic Destroyer," said Vitaly Kamluk, researchers with Kaspersky Lab who co-authored a report released on the attacks. "Given how politicized cyberspace has recently become, the wrong attribution could lead to severe consequences and actors may start trying to manipulate the opinion of the security community in order to influence the geopolitical agenda."

In the days proceeding the attack a steady stream of theories emerged that were later debunked and ruled inconclusive. "How the industry responded was a disaster," Kamluk said. "There was too much finger pointing with no certainty." Beyond the Lazurus false flag, researchers said Russian-speaking cyber espionage group Sofacy (also known as Fancy Bear and APT28) was also imprecisely implicated in the attack. Other bits of malware code linked Chines-affiliated cyber espionage groups APT3 (Gothic Panda), APT10 (MenuPass Group), and APT12 (IXESHE).

#CyberSecurityPulse: Biggest-Ever DDoS Attack Hits Github Website

Monday, March 5, 2018

At the end of 2016, a DDoS attack on DynDNS blocked major Internet sites such as Twitter, Spotify and PayPal. The Mirai botnet was used to take advantage of the full bandwidth of thousands of Internet-connected devices. However, last Wednesday 28th of February we witnessed the largest DDoS attack ever seen on the GitHub website, reaching a record 1.35 Tbps and 126.9 million packets per second.

Interestingly, the attackers did not use any botnets, but misconfigured Memcached servers to amplify the attack. Memcached operation is based on a distributed hash table. To prevent misuse of Memcached servers, administrators should consider firewalling, blocking or rate-limiting UDP on source port 11211 or completely disable UDP support if not in use. In this sense, Akamai estimates that at least 50,000 servers are vulnerable.

New tool: “Web browsers HSTS entries eraser”, our Metasploit post exploitation module

This module deletes the HSTS/HPKP database of the main browsers: Chrome, Firefox, Opera, Safari and wget in Windows, Mac and Linux. This allows an attacker to perform man in the middle attacks once a target has been compromised. It is available from the post exploitation module in Metasploit project.

Evrial, malware that steals Bitcoins using the clipboard... and the scammed scammers

Monday, February 26, 2018

Evrial is the latest cryptocoin malware stealer, and uses the power to control the clipboard as its strongest bet to get "easy money". Elevenpaths has took a deep technical dive into the malware itself, to show how it technically works, with a quite self-explanatory video. Aside, we have followed the steps of its Russian creator and found that whoever he is… scammed the scammers themselves.

Qutra, the creator, selling its malware

#CyberSecurityPulse: Dude, Where Are My Bitcoins?

Monday, February 19, 2018

Numerous types of attacks are affecting cryptocurrency users: families of malware that steal wallets, phishing attacks that try to forge platforms where users manage their bitcoins, applications that use the CPU of users to mine... And, in addition, those that prefer to manage their own money without delegating responsibility to a third party they will also have to deal with the problem of losing private keys or not remembering the password with which we protected the wallet.

If it has happened to you and you have protected your wallet with a password, maybe you do not have everything lost. John the Ripper, a password cracking software tool, contains plugins that crack differents wallets: bitcoin2john, blockchain2john, electrum2john, ethereum2john and multibit2john. In the first place, we will have to select the type of plugin that we are going to use depending on the type of wallet that you are using. Then, you pass that content to a text file, launch John The Ripper ./john with the file name and, finally, cross the fingers!