New web targets for the discerning hacker

New web targets for the discerning hacker

The US Department of Justice (DoJ) has said it won’t prosecute security researchers acting “in good faith”, as part of changes to the Computer Fraud and Abuse Act (CFAA). While the DoJ says this was always the case in practice, the changes provide more certainty for researchers, pen testers, and bug bounty hunters.

Meanwhile, the UK government remains half-hearted about bug bounty programs, with Dr Ian Levy, technical director of the UK’s National Cyber Security Centre (NCSC), saying there are no plans for a broad rollout any time soon. Speaking at the CyberUK conference, he commented: “The reason for that is that we just don’t seem to need to – people are more than happy to come and tell government we’ve screwed up.”

LinkedIn, meanwhile, has launched a public bug bounty program with rewards of up to $18,000 that replaces its invite-only program. Hosted by HackerOne, LinkedIn invites hackers to probe its main web domain, LinkedIn.com, for security flaws, as well as the LinkedIn API and Android and iOS mobile apps.

Blockchain bridge Wormhole has handed over a record $10 million reward to a bug hunter with the online pseudonym ‘satya0x’. Had it been exploited successfully, the critical vulnerability that attracted the reward could have seen all the funds residing in in the Wormhole core bridge contract on Ethereum lost forever.

In other payout news, Youssef Sammouda netted $44,625 for discovering a series of bugs that could have allowed a malicious actor to take over Facebook accounts. They included a cross-site request forgery (CSRF) bug allowing an attacker to force a victim to log out from their Facebook account in their browser, and a flaw forcing a login to the attacker’s Facebook account inside the victim’s browser.

Pwn2Own Vancouver, the flagship hacking contest, took place last month, handing out more than $1 million for bugs in products from Microsoft, Mozilla, Apple, and others. Participants unearthed 27 qualifying vulnerabilities in total, with a team from Star Labs in Singapore being crowned this year’s Masters of Pwn.

And finally, Vidoc Security Lab has published a security advisory warning of more than 60 instances of a web security flaw in the Swagger-UI library, potentially leading to account takeover. Bug bounty programs operated by PayPal, Shopify, Atlassian, Microsoft, GitLab, and Yahoo were alerted, among others.

**The latest bug bounty programs for June 2022**

The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

**Aztec Network**

Program provider:  
Immunefi

Program type:  
Public

Max reward:  
$1 million

Outline:  
A privacy-first recursive, zero-knowledge rollup built on Ethereum that purports to being the “only zkRollup built from the ground up to be privacy-preserving”.

Notes:  
Bounties on offer potentially range up to $1 million, with $25,000 for high severity issues, and $5,000 for medium severity bugs.

Check out the Aztec Network bug bounty page at Immunefi for more details

**Balancer**

Program provider:  
Immunefi

Program type:  
Public

Max reward:  
$2.4 million

Outline:  
“Community-driven protocol, liquidity provider, and price sensor that empowers decentralized exchange and the automated portfolio management of tokens on the Ethereum blockchain and other EVM compatible systems.”

Notes:  
Payouts in Ethereum could reach $2.4 million, while high severity vulnerabilities can command rewards of up to $600,000.

Check out the Balancer bug bounty page at Immunefi for more details

**Chain**

Program provider:  
Immunefi

Program type:  
Public

Max reward:  
$5 million

Outline:  
Eye-watering payouts in the millions on offer by Chain, which builds “cryptographic ledgers that underpin breakthrough financial products and services”.

Notes:  
Payouts are issued in USDC, XCN, USDT and ETH, with the ratio at Chain’s discretion.

Check out the Chain bug bounty page at Immunefi for more details

**Cudos Network**

Program provider:  
Bugcrowd

Program type:  
Public

Max reward:  
$4,500

Outline:  
A decentralised platform that runs over multiple p2p nodes and enables developers to build complex smart contract functionality.

Notes:  
Top-tier rewards given for cryptographic exploits allowing for the manipulation of BFT consensus, while certain DDoS exploits qualify as tier two.

Check out the Cudos Network bug bounty page at Bugcrowd for more details

**Doctolib**

Program provider:  
YesWeHack

Program type:  
Public

Max reward:  
€20,000

Outline:  
Doctolib develops appointment booking software used by more than 300,000 healthcare personnel and 60 million patients across Europe.

Notes:  
High severity issues command rewards of up to €4,000 and critical bugs will net hackers up to €20,000, with two web domains and iOS and Android apps in play.

Check out the Doctolib bug bounty page at YesWeHack for more details

**Gojek**

Program provider:  
HackerOne

Program type:  
Public

Max reward:  
$5,000

Outline:  
Gojek is an Indonesian, on-demand, multi-service platform and digital payment technology group.

Notes:  
Maximum bounty of $5,000 on offer for tier-one assets, and $2,000 for tier-two assets.

Check out the Gojek bug bounty page at HackerOne for more details

**LinkedIn**

Program provider:  
HackerOne

Program type:  
Public

Max reward:  
$15,000

Outline:  
LinkedIn has launched a public bug bounty program to replace the invite-only program running since 2014, as previously reported by The Daily Swig.

Notes:  
Critical security vulnerabilities discovered on the business-oriented social media platform will net researchers bounties ranging from $5,000 up to $15,000.

Read our previous coverage to find out more

**Razorpay**

Program provider:  
HackerOne

Program type:  
Public

Max reward:  
$3,000

Outline:  
Razorpay claims to be the only payments solution in India that allows businesses to accept, process, and disburse payments.

Notes:  
Critical flaws will command bounties of between $1,000 and $3,000, with four in-scope targets comprising the dashboard, API, checkout, and invoice domains.

Check out the Razorpay bug bounty page at HackerOne for more details

**Quebec Ministry of Cybersecurity and Digital**

Program provider:  
YesWeHack

Program type:  
Public

Max reward:  
C$1,500

Outline:  
Le ministère de la Cybersécurité et du Numérique has launched its program, with details written in French, on Paris-base bug bounty platform YesWeHack.

Notes:  
The ministry has 12 web assets in scope and is offering a maximum payout of C$1,500.

Check out Le ministère de la Cybersécurité et du Numérique bug bounty page at YesWeHack for more details

**Wealthsimple**

Program provider:  
HackerOne

Program type:  
Public

Max reward:  
$20,000

Outline:  
The Canadian investment management service has financial tools for stock trading, ETFs, managed investing, and crypto.

Notes:  
Critical bugs can attract $20,000 rewards, while high and medium severity vulnerabilities could net bug hunters $5,000 or $1,000 respectively.

Check out the Wealthsimple bug bounty page at HackerOne for more details

**Other bug bounty and VDP news this month**

*   Another nine new programs in a bumper May for Immunefi included programs from the Bancor Protocol (max reward $900,000) plus Orca and Wombat Exchange (both with a maximum payout of $500,000)
*   Cloudflare and security researchers from Assetnote have documented the discovery and remediation of vulnerabilities in Cloudflare Pages
*   YesWeHack is launching an ethical hacking virtual reality game and holding a live bug bounty challenge at the upcoming International Cybersecurity Forum in June
*   The US Cyber Games, a NICE-NIST collaboration, enters its second season in July, starting with Capture the Flag (CTF) competitions and culminating in the top cybersecurity athletes representing the US internationally
*   Some 401 security flaws were remediated during the 12-month pilot of the US Defense Industrial Base\-Vulnerability Disclosure Program (DIB-VDP), which concluded in April

Additional reporting by Emma Woollacott.

PREVIOUS EDITION Bug Bounty Radar // The latest bug bounty programs for May 2022

Bug Bounty Radar // The latest bug bounty programs for June 2022

A nascent Linux-based botnet named Enemybot has expanded its capabilities to include recently disclosed security vulnerabilities in its arsenal to target web servers, Android devices, and content management systems (CMS).
"The malware is rapidly adopting one-day vulnerabilities as part of its exploitation capabilities," AT&T Alien Labs said in a technical write-up published last week. "Services

A nascent Linux-based botnet named **Enemybot** has expanded its capabilities to include recently disclosed security vulnerabilities in its arsenal to target web servers, Android devices, and content management systems (CMS).

"The malware is rapidly adopting one-day vulnerabilities as part of its exploitation capabilities," AT&T Alien Labs said in a technical write-up published last week. "Services such as VMware Workspace ONE, Adobe ColdFusion, WordPress, PHP Scriptcase and more are being targeted as well as IoT and Android devices."

First disclosed by Securonix in March and later by Fortinet, Enemybot has been linked to a threat actor tracked as Keksec (aka Kek Security, Necro, and FreakOut), with early attacks targeting routers from Seowon Intech, D-Link, and iRZ.

Enemybot, which is capable of carrying out DDoS attacks, draws its origins from several other botnets like Mirai, Qbot, Zbot, Gafgyt, and LolFMe. An analysis of the latest variant reveals that it's made up of four different components -

*   A Python module to download dependencies and compile the malware for different OS architectures
*   The core botnet section
*   An obfuscation segment designed to encode and decode the malware's strings, and
*   A command-and-control functionality to receive attack commands and fetch additional payloads

Also incorporated is a new scanner function that's engineered to search random IP addresses associated with public-facing assets for potential vulnerabilities, while also taking into account new bugs within days of them being publicly disclosed.

"In case an Android device is connected through USB, or Android emulator running on the machine, EnemyBot will try to infect it by executing \[a\] shell command," the researchers said, pointing to a new "adb\_infect" function. ADB refers to Android Debug Bridge, a command-line utility used to communicate with an Android device.

Besides the Log4Shell vulnerabilities that came to light in December 2021, this includes recently patched flaws in Razer Sila routers (no CVE), VMware Workspace ONE Access (CVE-2022-22954), and F5 BIG-IP (CVE-2022-1388) as well as weaknesses in WordPress plugins like Video Synchro PDF.

Other weaponized security shortcomings are below -

*   **CVE-2022-22947** (CVSS score: 10.0) - A code injection vulnerability in Spring Cloud Gateway
*   **CVE-2021-4039** (CVSS score: 9.8) - A command injection vulnerability in the web interface of the Zyxel
*   **CVE-2022-25075** (CVSS score: 9.8) - A command injection vulnerability in TOTOLink A3000RU wireless router
*   **CVE-2021-36356** (CVSS score: 9.8) - A remote code execution vulnerability in KRAMER VIAware
*   **CVE-2021-35064** (CVSS score: 9.8) - A privilege escalation and command execution vulnerability in Kramer VIAWare
*   **CVE-2020-7961** (CVSS score: 9.8) - A remote code execution vulnerability in Liferay Portal

What's more, the botnet's source code has been shared on GitHub, making it widely available to other threat actors. "I assume no responsibility for any damages caused by this program," the project's README file reads. "This is posted under Apache license and is also considered art."

"Keksec's Enemybot appears to be just starting to spread, however due to the authors' rapid updates, this botnet has the potential to become a major threat for IoT devices and web servers,'' the researchers said.

"This indicates that the Keksec group is well resourced and that the group has developed the malware to take advantage of vulnerabilities before they are patched, thus increasing the speed and scale at which it can spread."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

EnemyBot Linux Botnet Now Exploits Web Server, Android and CMS Vulnerabilities

Actors claiming to be the defunct ransomware group are targeting one of Akami’s customers with a Layer 7 attack, demanding an extortion payment in Bitcoin.

Actors claiming to be the defunct ransomware group are targeting one of Akami’s customers with a Layer 7 attack, demanding an extortion payment in Bitcoin.

The defunct REvil ransomware gang is claiming responsibility for a recent distributed denial of service (DDoS) campaign against a hospitality customer of cloud networking provider Akamai. However, it’s highly possible the attack is not a resurgence of the infamous cybercriminal group but a copycat operations, researchers said.

Akamai researchers have been monitoring the DDoS attack since May 12, when a customer an alerted the company’s Security Incident Response Team (SIRT) of an attempted attack by a group claiming to be associated with REvil, Akamai revealed in a blog post Wednesday.

“The attacks so far target a site by sending a wave of HTTP/2 GET requests with some cache-busting techniques to overwhelm the website,” Akamai SIRT vulnerability researcher Larry Cashdollar wrote in the post. “The requests contain embedded demands for payment, a bitcoin (BTC) wallet, and business/political demands.”

However, while the attackers claim to be REvil, it’s unclear at this time if the defunct ransomware group is responsible, as the attempts seem smaller than previous similar campaigns for which the group claimed responsibility, researchers said.

There also appears to be a political motivation behind the DDoS campaign, which is inconsistent with REvil’s previous tactics, in which the group claimed it was motivated solely by financial gain.

****Return of REvil?****

REvil, which went dark in July 2021, was a Russia-based ransomware-as-a-service (RaaS) group well-known for its high-profile attacks against Kaseya, JBS Foods and Apple Computer, among others. The disruptive nature of its attacks spurred international authorities to go hard against the group, with Europol arresting a number of the gang’s affiliates in November 2021.

Finally, in March 2022, Russia—which until then had done little to thwart REvil’s operation–claimed responsibility for fully dismantling the group at the request of the U.S. government, apprehending its individual members. One of those arrested at the time was instrumental in helping ransomware group DarkSide in a crippling attack in May 2021 against Colonial Pipeline, which resulted in the company paying $5 million in ransom.

The recent DDoS attack—which would be a pivot for REvil—was comprised of a simple HTTP GET request in which the request path contained a message to the target containing a 554-byte message demanding payment, researchers said. Traffic in the attack on Layer 7 of the network—the human-computer interaction layer in which apps access network services–peaked at 15 kRps.

The victim was directed to send the BTC payment to a wallet address that “currently has no history and is not tied to any previously known BTC,” Cashdollar wrote.

The attack also had an additional geospecific demand that requested the targeted company to cease business operations across an entire country, he said. Specifically, attackers threatened to launch to follow-up attack that would affect global business operations if this demand was not met and the ransom was not paid in a specific timeframe.

****Potential Copycat Attack****

There is a precedent for REvil using DDoS in its pervious tactics as a means of triple extortion. However, aside from that, the attack does not appear to be the work of the ransomware group unless it’s the start of an entirely new operation, Cashdollar noted.

REvil’s typical modus operandi was to gain access to a target network or organization and encrypt or steal sensitive data, demanding payment to decrypt or prevent information leakage to the highest bidders or threatening public disclosure of sensitive or damaging information, he said.

The technique seen in the DDoS attack “strays from their normal tactics,” Cashdollar wrote. “The REvil gang is a RaaS provider, and there is no presence of ransomware in this incident,” he wrote.

The political motivation tied to the attack—which is linked to a legal ruling about the targeted company’s business model–also goes against a claim REvil’s leaders have made in the past that they are purely profit-driven. “We haven’t seen REvil linked to political campaigns in any other previously reported attacks,” Cashdollar observed.

However, it is possible that REvil is seeking a resurgence by dipping its toe in a new business model of DDoS extortion, he said. What’s more likely is that attackers in the campaign are merely using the name of a notorious cybercriminal group to frighten the targeted organization into meeting their demands, Cashdollar said.

“What better way to scare your victim into payment than leveraging the name of a notable group that strikes fear into the hearts of organizations’ executives and security teams across wide swaths of industry,” he wrote.

Cybergang Claims REvil is Back, Executes DDoS Attacks

Malware attacks against Linux systems are on the rise. And when it comes to bot malware, XorDDoS is the frontrunner.
The post Massive increase in XorDDoS Linux malware in last six months appeared first on Malwarebytes Labs.

Microsoft says it’s recorded a massive increase in XorDDoS activity (254 percent) in the last six months. XorDDoS, a Linux Trojan known for its modularity and stealth, was first discovered in 2014 by the white hat research group, MalwareMustDie (MMD).

MMD believed the Linux Trojan originated in China. Based on a case study in 2015, Akamai strengthened the theory that the malware may be of Asian origin based on its targets.

Microsoft said that XorDDoS continues to home on Linux-based systems, demonstrating a significant pivot in malware targets. Since Linux is deployed on many IoT (Internet of Things) devices and cloud infrastructures, we are likely to see DDoS (distributed denial-of-system) attacks from botnets that have compromised such devices.

DDoS attacks—where normal Internet traffic to a targeted server, service, or network is overwhelmed with a flood of extra traffic from compromised machines—have become part of a greater attack scheme. Such powerful attacks are no longer conducted just to disrupt. DDoS attacks have become instrumental in successfully distracting organizations and security experts from figuring out threat actors’ end goal: Malware deployment or system infiltration. XorDDoS, in particular, has been used to compromise devices using Secure Shell (SSH) brute force attacks.

XorDDoS is as sophisticated as it gets. The only simple (yet effective) tactic it uses is to brute force its way to gain root access to various Linux architectures.

As Microsoft said in the report:

> “Adept at stealing sensitive data, installing a rootkit device, using various evasion and persistence mechanisms, and performing DDoS attacks, XorDdos enables adversaries to create potentially significant disruptions on target systems. Moreover, XorDdos may be used to bring in other dangerous threats or to provide a vector for follow-on activities.”

XorDDos’s attack vector (Source: Microsoft)

**Security IoT devices**

If you have an IoT device at home, know there are ways to secure it. Note that you may need some assistance from the company who built your IoT device if you’re unfamiliar or unsure how to do any of the below.

*   Change your device’s default password to a strong one
*   Limit the number of IP addresses your IoT device connects to
*   Enable over-the-air (OTA) software updates
*   Use a network firewall
*   Use DNS filtering
*   Consider setting up a separate network for your IoT device(s)
*   When you’re not using your IoT device, turn it off.

If you plan to get an IoT device soon, buy from a well-known brand. You’re much more likely to get assistance from your supplier in beefing up your IoT device’s security.

Stay safe!

Massive increase in XorDDoS Linux malware in last six months

A DDoS campaign observed by Akamai from actors claiming to be REvil would represent a major pivot in tactics for the gang.

Concern has been raised that a coordinated distributed denial-of-service (DDoS) attack from a malicious actor could be associated with the notorious ransomware-as-a-service (RaaS) group REvil.  

According to a report from Akamai’s Security Intelligence Response Team (SIRT), the attack was aimed at one of Akamai’s hospitality customers. It consisted of a simple HTTP GET request, with a message demanding payment to a Bitcoin (BTC) wallet in exchange for stopping the attack. It also included an additional request for the company to stop operating in a specific country.

Given the request to stop operating in the geospecific location appeared to stem from a recent Supreme Court decision in that country, the attack took on a political flavor that Akamai analysts say would be a break with REvil’s earlier strategies.

“We haven’t seen them linked to hacktivism or political goals in any of the previously reported attacks,” according to Akamai.

On the technical front, the use of proxying capabilities and “fairly well” distributed IPs participating in the attack indicated that some level of coordination was required between the attacker and the proxying system, the Wednesday report notes.

And, due to the extensive use of MikroTik devices identified in the attacking sources, the report suggests the attack could be supported by the MikroTik-based Meris botnet, which also has links to REvil. That said, the low volume of requests per second (Rps) and relatively unsophisticated nature of the campaign are atypical of Meris attacks, the report notes.

**REvil Redux?**

Since being reportedly dismantled by the Russian government earlier this year, there have been hints that REvil – or at least some previous members of the gang – is putting itself back together.

In April, anti-malware firm Avast revealed that the company's software had blocked a ransomware sample that appeared to be generated using information that only previous members of the REvil group could have accessed. The discovery of the file came more than a week after cybersecurity firm Emsisoft revealed that the Web address of REvil's leak site now points to a new host, using both the REvil name and claiming to have compromised a US university and an oil company in India.

Then in March, security firm Imperva reported mitigating a ransom DDoS attack tied to the Meris botnet measuring 2.5 million requests per second (Mrps). It included a series of ransom notes received by the customer that also claimed it came from REvil.

While DDoS has been used in the past by some groups as an extra layer of pressure on ransomware victims to pay up, in both the March incident and this latest case, the attack is pure-play DDoS.

"We haven't seen ransomware linked to these campaigns. The only tie to ransomware is the naming of REvil in the extortion demands," says SIRT engineer Chad Seaman.  

But as to whether this latest incident means that REvil is truly back and testing out new techniques, Seaman is skeptical.

"I don't feel there are strong indicators here that this is indeed a resurgence of REvil,” he says. “Even in the prior reported campaigns, I don't believe there are strong indicators that positively attribute those attacks to REvil in reality."

For instance, the alert also pointed out that the BTC wallet does not have any previous connection to REvil. And the gang has maintained in the past that it is purely profit driven, after all.

Seaman says the threat is more likely to stem from a copycat group looking to leverage REvil’s notoriety.

**DDoS Extortion: A New Avenue for Fear**

He added that be it REvil or someone leveraging the name or reputation, the attack is clearly a play on fear in the hopes of easy money, so the most concerning takeaway from Akamai’s investigation is the fear and panic associated with the threat.

“This is the goal of these types of attacks: to scare the victim into paying, lending credibility to the threat using a scary name,” he explained. “When these campaigns spin up and start to get press, it's typically followed by a surge of copycats.”

From Seaman’s perspective, the publishing of reports like these requires a delicate balance of notifying the public of the threat without the threat turning into a wildfire of copycats.

“We're hoping to help raise awareness while ramping down the associated fear because if we don't get out in front of these types of campaigns and fear-based reporting outpaces sane analysis, it only serves to fuel the fire, not fight it,” he said.

DDoS Extortion Attack Flagged as Possible REvil Resurgence

By Waqas
A seemingly ‘politically motivated’ DDoS attack knocked down the Port of London authority’s website. The Port of London…
This is a post from HackRead.com Read the original post: Pro-Iran Group ALtahrea Hits Port of London Website by DDoS Attack

A seemingly ‘politically motivated’ DDoS attack knocked down the Port of London authority’s website.

The Port of London Authority/PLA has become the latest victim of a cyberattack that caused the forced shut down of its website, the company confirmed on Tuesday, May 24th.

Check Point Research also confirmed the DDoS attack, citing that an Iranian group launched Distributed Denial of Service (DDoS) attack to shut down the PLA website.

The Port of London Authority

The PLA is a public trust that maintains and supervises the Thames Tideway’s ups and downs from the Kent/Essex Strait to Teddington Lock towards the North Sea end and oversees 200,000 commercial/leisure vessels.

**ALtahrea Team Hacking Group Claims Responsibility**

As per the latest updates, the DDoS attack is politically motivated, and the ALtahrea Team hacking group is responsible for the attack. The group claimed responsibility for the attack on their Telegram channel at 8 pm.

According to Check Point researchers, ALtahrea is a pro-Iranian hacker gang that previously launched attacks against the Israeli Port Authority, the Israeli 9 channel, the Jpost, and other Israeli entities.

The group has also attacked Nasdaq, Turkish president Recep Tayyip Erdogan’s official website, and the Turkish media platform Anadolu Agency.

ALtahrea on Telegram (Image: Hackread.com)

Researchers claim that apparently, the Iranian government operates this group, and its members are staffed either by Iraqis who support Iran or the Iranian government.

Nevertheless, the good news is that at the time of publishing this article, the PLA’s website was back online.

**More DDoS Attack News**

1.  Christian crowdfunding site GiveSendGo hit by DDoS attack
2.  Bandwidth.com reports multimillion-dollar loss post-DDoS attacks
3.  Cloudflare Successfully Thwarted One of The Largest DDoS Attacks
4.  DDoS Attacks by Hacktivists Disrupted Russian Alcohol Supply Chain
5.  DDoS attacks on Minecraft event crippled the internet of a European country

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Pro-Iran Group ALtahrea Hits Port of London Website by DDoS Attack

By Waqas
The trove of data was leaked due to a misconfigured Elasticsearch server and in total it stored 870…
This is a post from HackRead.com Read the original post: Personal Data of Tens of Millions of Russians and Ukrainians Exposed Online

The trove of data was leaked due to a misconfigured Elasticsearch server and in total it stored 870 million records or 147 GB of data.

SafetyDetectives security team led by Anurag Sen shared details of a misconfigured Elasticsearch server that exposed the data of millions of loan applicants. The data mainly belonged to people from Ukraine, Kazakhstan, and Russia who had applied for microloans.

The server was detected randomly on December 5th, 2021, while checking certain IPs however the details of it have only been shared this week. The anonymous server was left unsecured and unprotected as it didn’t have any authentication protocols, which led to the leaking of more than 870 million records or 147GB of data.

**Owner Identity Yet Not Available**

SafetyDetectives couldn’t determine who owned the server. However, researchers noted that customer logs of numerous microloans providers’ websites were stored on the server, but most weren’t financial services like lenders or banks. Instead, these websites were of third parties that are intermediaries between the loan company and the applicant.

Most entries in the server’s logs were in the Russian language, while most data belonged to Russians. Therefore, researchers concluded that the server’s owner is a Russian entity.

**Details of Exposed Data**

According to SafetyDetectives researchers, different forms of personally identifiable information (PII) and sensitive user data got exposed in this leak, including details of users’ “internal passports” and other forms of data.

It is worth noting that In Russia and Ukraine, internal passports are used as the substitute for national IDs and are used within the country’s territories. According to SafetyDetectives’s blog post, the internal passport details contained in the exposed server include the following information of users:

*   Gender
*   Marital status
*   Date and place of birth
*   The physical address, including city and region
*   Full name with first name, last name, and patronymic name
*   Passport number with issue/expiry dates and serial number

Some of the exposed data, such as cities, names, addresses, and issued by locations, were written in Cyrillic script, which is primarily used in some parts of Asia and Europe.

In some instances, this information was decoded into certain symbols. Other PII details exposed by the unsecured server include the following:

*   Salary
*   Child count
*   Loan details
*   Mobile numbers
*   Email addresses
*   Employment status
*   Education information
*   Login OTP SMS codes
*   INN (tax identification numbers)

**How Many Users Impacted?**

Around 10 million users are expected to be affected by this exposure. Many server logs and passport numbers belonged to Russians, while most INNs belonged to Ukrainians. The server was located in Amsterdam, the Netherlands.

SafetyDetectives contacted the Russian CERT on December 14th, 2021, and the Dutch CERT on December 30th, 2021. However, both refused to help. The server’s hosting firm was contacted on January 13th, 2022, which secured the server the same day.

**Potential Dangers**

Considering the extent and nature of exposed data, the incident can have far-reaching implications. Such as bad actors can download the data and carry out identity theft, phishing scams, scam marketing campaigns, and microloans identity fraud.

**More Elasticsearch database Mess Ups**

1.  9,517 unsecured databases identified with 10 billion records globally
2.  New malware attack turns Elasticsearch databases into DDoS botnet
3.  Stripchat database mess up exposes 200M adult cam models, users’ data
4.  US and China Exposed Most Databases Among 308,000 Discovered in 2021
5.  Misconfigured ElasticSearch Servers Exposed 579GB of Users’ Website Activity

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Personal Data of Tens of Millions of Russians and Ukrainians Exposed Online

Fronton botnet has far more ability than launching DDOS attack, can track social media trends and launch suitable propaganda.

Fronton botnet has far more ability than launching DDOS attack, can track social media trends and launch suitable propaganda.

A fresh look at the Fronton DDoS-focused botnet reveals the criminal tool has more capabilities than previously known.

The Fronton botnet first made the headline in March 2020. That is when, according to news reports, a hacktivist group called Digital Revolution said it obtained documents claiming to be from 0day Technologies, allegedly a contractor for Russia’s Federal Security Service.

Now the cybersecurity firm Nisos is reporting the Fronton malware goes beyond delivering DDoS attacks and can be used to create massive numbers of social media accounts that can then be used to shape opinion via social media manipulation.

After further analysis of the documents related to Fronton, the Nisos researcher assert that DDoS “is only one of the many capabilities of the system… Nisos analyzed the data and determined that Fronton is a system developed for coordinated inauthentic behavior on a massive scale,” Nisos added.

****Working of Fronton****

Fronton, researchers say, doubles as a backend infrastructure for the social media disinformation. The malware uses an army of compromised IOT devices to carry out both DDoS attacks and disinformation campaigns.

“This system includes a web-based dashboard known as SANA that enables a user to formulate and deploy trending social media events en masse. The system creates these events that it refers to as Инфоповоды, ‘newsbreaks,’ utilizing the botnet as a geographically distributed transport,” according to researchers.

SANA allows users to create fake social media accounts with generated email and phone numbers, these fake accounts are used to spread content across social networks, blogs and forums, researchers said.

“SANA creates social media persona accounts, including provisioning of an email and phone number,” Nisos explained.

Additionally, researchers note that the platform allows users to control the number of likes, comments, and reactions. As well as provide the “facilities for creating these newsbreaks on a schedule or a reactive basis”, this will track the messages, trends, and their responses.

A response model is specified to perform certain actions after the execution of the Newsbreak. The response model allows the group of bots to react to a piece of particular news in a certain fashion (positive, negative, or neutral), according to the report.

“The response model allows an operator to specify weekly frequency of likes, comments, and reposts. It also allows for the selection of comments from the dictionary lists in order to direct the response patterns of the virtual social group,” Nisos added in a report.

The operators can also specify a minimum frequency of actions and a minimum interval between actions. The researcher also found the platform has “a machine learning (ML) system involved that can be turned on or off based on behavior observed on social media.”

The researcher added that Fronton operators have the capability to control the number of friends a fake bot should maintain, and integrate with a feature to store imagery for the bot.

The usage of the tool in real-world attacks is not clear, and as of April 2022, the web portal is active and moved to a different domain.

“As of April 2022, 0day technologies has changed its domain from 0day\[.\]ru to 0day\[.\]llc,” Nisos noted.

Nisos released a complete research report for further analysis.

Fronton IOT Botnet Packs Disinformation Punch

Analysts have seen a massive spike in malicious activity by the XorDdos trojan in the last six months, against Linux cloud and IoT infrastructures .

Cybercriminal use of the Linux Trojan known as XorDdos is on the rise, according to a new report, which found a 254% increase in malicious activity against Linux endpoints using the malware over the last six months. 

It was first discovered in 2014, and the Microsoft 365 Defender Research Team explained in a recent blog post that the XorDdos Trojan targets Linux cloud and Internet of Things (IoT) endpoints, and deploys botnets to carry out distributed denial-of-service (DDoS) attacks. 

The team added that the attacks fit a wider trend of attacks targeting Linux-based systems. 

"By compromising IoT and other internet-connected devices, XorDdos amasses botnets that can be used to carry out DDoS attacks," the team wrote in describing the rise of the XorDdos Trojan. "DDoS attacks in and of themselves can be highly problematic for numerous reasons, but such attacks can also be used as cover to hide further malicious activities, like deploying malware and infiltrating target systems."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Linux Trojan XorDdos Attacks Surge, Targeting Cloud, IoT

By Waqas
The Pro-Russia Hacker Group Killnet recently targeted European institutions, while Anonymous hackers are already claiming to have leaked…
This is a post from HackRead.com Read the original post: Anonymous Declares Cyber War Against Pro-Russia Hacker Group Killnet

The Pro-Russia Hacker Group Killnet recently targeted European institutions, while Anonymous hackers are already claiming to have leaked the group’s personal information in a database dump.

The Anonymous hacktivists collective announced declaring cyberwar against pro-Russia hackers Killnet. The hacktivist group posted about this recent development on their Twitter handle, @YourAnonOne. The tweet read:

“The #Anonymous collective is officially in cyberwar against the pro-Russian hacker group #Killnet.”

Shortly after posting the tweet, Anonymous revealed that the official website of Killnet (Killnet.ru) was taken offline. Anonymous later posted that Killnet’s user database has also been leaked online.

“Pro Russian hackers group KillNet user database is leaked online by #Anonymous. LOL,” wrote @AnonOpsSE.

As seen by Hackread.com, the leaked database contains 146 email address and their plain-text passwords.

Tweets from Anonymous and alleged database leak (Image: Hackread.com)

**Why Anonymous Furious at Killnet?**

This act could be in response to the warning issued by cybersecurity agencies in the UK, USA, Canada, New Zealand, and Australia, citing that pro-Russian hackers may soon target organizations outside of Ukrainian borders.

It is worth noting that the FVEY (Five Eyes Alliance) published a threat assessment report yesterday. The organization revealed that numerous Russian government-sponsored and other hacker groups have vowed to support Russia.

The same report claimed that these groups could target Western critical national infrastructure organizations. Some identified cybercrime groups included DDoS attackers Killnet, CoomingProject, Sality botnet fame Salty Spider, and Emotet operators Mummy. Hence, Anonymous wants to disrupt Killnet’s attacking capabilities that have intensified in Europe recently.

**Killnet Claims They’re “Ordinary People”**

In an interview with the Russian news network RT, Killnet explained their version of ongoing events. In its interview given in the Russian language, the group claimed that it comprises “ordinary people from all over Russia who stood up to defend their country.”

> “We have always been hated . First, it was the “terrible” empire, then the “bad” Soviet Union, and now it’s the “evil” Russia.” DDoS is the face of our project. Behind the scenes lies a huge amount of work on an invisible front. This is the calculation of the positions of the Armed Forces of Ukraine, hacking enemy systems, monitoring and collecting information, as well as capturing control systems.
> 
> Killnet

Killnet on Telegram

**Killnet’s Recent Hacking Spree**

Killnet specializes in DDoS attacks and has recently targeted websites of numerous Italian government ministries and institutions, including the country’s customs agency, foreign affairs department, culture and heritage ministry, education ministry, and the superior council of the judiciary.

This hacking spree occurred in early May, while on 16 May, Killnet attacked the Italian upper house of parliament, the Automobile Club d’Italia, and the National Health Institute. In April, Killnet attacked the Romanian government-owned websites, including the Ministry of Defense, with DoS attacks originating from Russia.

The pro-Russia group has also attacked the websites of the governments of the USA, the Czech Republic, Estonia, Poland, and other NATO members.

**More Anonymous Attacks on Russia News**

1.  DDoS Attacks by Hacktivists Disrupted Russian Alcohol Supply Chain
2.  Anonymous sent 7 million texts to Russians & hacked their security cams
3.  Russian TV Schedules Hacked on Victory Day to Show Anti-War Messages
4.  Confirmed: Anonymous Hacks Central Bank of Russia; Leaks 28GB of Data
5.  Anonymous & its affiliates hacked 90% of Russian misconfigured databases

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Tag

#ddos