Archive for November 29, 2017

Fancy Bear hackers’ UK link revealed

As dangerous as they may be, a Russian cyberespionage group allied with the Kremlin known as APT28, Fancy Bear, Sofacy, Iron Twilight and Pawn Storm gets points for topicality.

When Russia's most notorious hackers hired servers from a UK-registered company, they left a trove of clues behind, the BBC has discovered.

The hackers used the computers to attack the German parliament, hijack traffic meant for a Nigerian government website and target Apple devices.
The company, Crookservers, had claimed to be based in Oldham for a time.

It says it acted swiftly to eject the hacking team as soon as it learned of the problem.

Technical and financial records from Crookservers seen by the BBC suggest Fancy Bear had access to significant funds and made use of online financial services, some of which were later closed in anti-money laundering operations.

Russian hackers tried to breach the personal Gmail accounts of scores of US officials. Fancy Bear was responsible for waging a hacking campaign in 2015 and 2016 targeted towards the Democratic Party and the Clinton campaign with shrewd, politically savvy timing and aimed at disrupting the 2016 election.

Some of Fancy Bear's activities had previously been identified by the cyber-security company Crowdstrike. 

Indeed an internet protocol (IP) address that once belonged to a dedicated server hired via Crookservers was discovered in the malicious code used in the breach.

Over three years, Fancy Bear rented computers through Crookservers, covering its tracks using bogus identities, virtual private networks and hard-to-trace payment systems.

Researchers at cyber-threat intelligence company SecureWorks, who analysed information from Crookservers for the BBC, said it had helped them connect several Fancy Bear operations.

Mike McLellan of SecureWorks said the hackers employed poor tradecraft.

The server used to control the malware was hired through Crookservers by a hacker using the pseudonym Nikolay Mladenov who paid using Bitcoin and Perfect Money, according to records seen by the BBC.

E Hacking News – Latest Hacker News and IT Security News 2017-11-28 15:54:00

The Oxford and Cambridge Club, one of the United Kingdom’s most elite gentlemen’s clubs open to alumni of the universities of Oxford and Cambridge, has called in the Metropolitan police and private investigators after being hit by the theft of online data of its 5,000 members.

Alistair Telfer, the club’s secretary, has written to all members by email and followed it up with a letter — seen by the newspaper — urging them to check bank accounts regularly for "suspicious activity" and has warned them to be alert to potential identity theft, after a hard drive was stolen from the club’s headquarters which consisted of data of the members. Members were informed that they could be at risk of fraud attempts.

"We have been advised that we should write to confirm that there may have been a data breach at the Club which could possibly result in disclosure of your personal data held on the Club computer system," Telfer wrote.
The breach at Pall Mall street in central London has put the personal details of many members at risk, including comedian, actor and author Stephen Fry; Lord Rees, the astronomer royal; the former master of Trinity College. Though Queen Elizabeth II’s husband and the Duke of Edinburgh, Prince Philip and his son, Prince Charles — both honorary members of the club — were not affected by the break-in, 'The Sunday Telegraph' reported.

A backup computer drive, described as the size of a toaster, was taken from a locked “comms” room inside the club’s headquarters earlier this month. The information on the hard drive includes members’ names, home and email addresses, phone numbers, some bank account details, dates of birth and even photographs. The database did not hold information about members’ credit or debit cards.

The theft was discovered on November 16, but has only just been reported amid a police investigation.

Canadian accused in 2014′s Yahoo Hacking Case

A Canadian youth accused by the United States of helping Russian intelligence agents in hacking Yahoo emails in 2014, according to court records.

Karim Baratov is scheduled to appear before the federal court in San Francisco on Tuesday for the plea hearing, and it is expected that he would plead guilty.

Baratov is a 22-year-old Canadian citizen born in Kazakhstan, was arrested in Canada in March at the request of U.S. prosecutors. He was sent to U.S. this summer after he was waived off his right to fight against a  U.S. request for his extradition from Canada.

Baratov is accused of hacking 80 Yahoo accounts and faces 20 years in prison in the U.S. if convicted.

However, both Baratov's lawyer, Andrew Mancilla,  and U.S. Attorney's Office in San Francisco declined to comment.

Bitcoin Gold wallet compromised, users may have downloaded malware

It seems that Bitcoin Gold has been dealt more than their share of bad luck recently. The company is still mired in the aftermath of the MyBTGWallet scam, and now they have been hit with another problem that is causing them to issue a critical warning to their customers. Users of Bitcoin Gold (BTG) are facing another cybersecurity issue. The BTG team has earlier revealed that someone has gained access to their Github repository for the project and replaced the compiled Windows file with a different one.

According to a critical warning sent by BTG, the link on the Download page and the file downloads on the Github release page have been serving a suspicious file of unknown origin for approximately four and a half days or approximately 36 hours.

Anyone who downloaded the Bitcoin Gold Wallet for Windows between November 24th, 13:11 UTC and November 25th, 2017, 22:30 UTC is at risk of a malware infection, BTG developers announced on the coin’s official site,
The file does not trigger antivirus/anti-malware software, however, in an abundance of caution, BTG is presuming that the file is of malicious intent to steal user information and/or cryptocurrency. The developers are still analysing the file.

The BTG warning explains: “Until we know otherwise, all users should presume this file was created with malicious intent – to steal cryptocurrencies and/or user information. The file does not trigger antivirus / anti-malware software, but do not presume the file is safe.”

The team adds that: “If the file was used, the computer on which it was used should be addressed with extreme caution; the file should be deleted, the machine should be thoroughly checked for malware and viruses (or wiped clean), and any cryptocurrencies with wallets accessible on that machine should be moved to new wallet addresses immediately.”

It’s the second BTG-related swindle in the past week — just days ago, a site claiming to generate BTG wallets for users who submitted their private keys instead stole the balances, netting over $3 million USD in various digital assets.

ISIS official website filled with Pornographic images

A group of young Iraqi hackers, Daeshgram, have targeted official website of Islamic State by sticking pornographic images on their home page.

Members of Daeshgram said that their motive behind this hack was to spread distrust among Isis supporters about messages sent by the group's leader, according to Newsweek.

"Our intention was to flood the market with fake Amaq content in order to dilute the credibility of Amaq - a so-called news agency," one anonymous member of Daeshgram told  Newsweek.

Daeshgram, whose name is an amalgam of two words: one is Instagram and another one is the Arabic word for Isis, Daesh, aims to disrupt pro-Isis groups on the encrypted instant messaging software Telegram.

"Daesh responded by telling supporters not to trust any of the Amaq links.They even had fights among themselves about the topic and deleted each other from various groups."

Hackers photoshopped a pornographic scene and posted it on an ISIS announcement about the opening of a new media center in Syria. A video gave an impression to the ISIS supporters, whoever listened to the announcement, as the extremists were actually watching a projection of a naked woman.

"We wanted Daesh to know that we are inside their groups to create a level of paranoia and distrust," the hacker told Newsweek. "Many Daesh clicked on it and saw it as fake. The odd thing is that when Daesh marked the content as fake, even more, Daesh clicked on it to understand why a genuine looking link and content is fake."

This is not the first time Isis have been subjected to target, in 2016, WachulaGhost hacked more than 250 social media accounts which were administrated by Isis supporters, all the contents were repleced with pornography and gay pride messages.