Extensive Hacking Operation Discovered in Kazakhstan

Last Friday, Qihoo 360, a Chinese cybersecurity vendor, published a report exposing an extensive hacking operation focusing on people in Kazakhstan. Targets include government agencies, foreign diplomats, researchers, journalists, and government dissidents, among others. The malicious actors are said to have extensive resources and could develop “private hacking tools, buy expensive spyware off the surveillance market and even invest in radio communications interception hardware.”

Qihoo 360 researchers named the group behind the campaign Golden Falcon or APT-C-34. However, according to Kaspersky, Golden Falcon is another name for DustSquad, a hacking group that has been active for the past two years. The report further explains Golden Falcon’s operations, stating that the stolen information was seemingly categorized by city, with each city’s folder containing data from numerous victims. In total, researchers discovered victims from the 13 largest cities in Kazakhstan and more.

According to ZDNet, two hacking tools were used by Golden Falcon. The first, a Remote-Control System, is a surveillance kit sold by HackingTeam, and the second is a backdoor trojan named Harpoon, which “appears to have been developed by the group itself.”

Qihoo 360 obtained the manual for the backdoor. The backdoor mechanisms include:

Keylogging

Stealing of clipboard data

Taking a screenshot of the active window at predetermined intervals

Listing the contents of a given directory

Getting Skype login name, contact list, and chat message history

Getting Skype and Google Hangouts contacts and voice recordings

Recording sound via the microphone, eavesdropping

Copying a specified file from the target computer

Automatically copying files from removable media

Storing all intercepted data in an encrypted data file, inside a specified directory

Sending stolen data to a specified FTP server

Running a program or operating system command

Downloading files from a given FTP into a specific directory

Remotely reconfiguring and updating components

Receiving data files from a given FTP server and automatically extracting them to a specified directory

Self-destructing

Read more here

Personal and Social Information of 1.2B People Exposed on Open Elasticsearch Install

The database, discovered by Bob Diachenko and Vinny Troia, contains more than four terabytes of data, making it one of the largest data leaks from a single organization. The leaked data includes personal and social information, such as names, email addresses, and phone numbers as well as LinkedIn and Facebook profile information. The data within the server appears to be from two different data enrichment companies, People Data Labs and OxyData.io.

The server itself was unprotected and easily accessible via http://35.199.58.125:9200. While it appears that sensitive data remained safe, leaving any server unsecured has the potential for catastrophe.

Read more here

Coin Stealer Found in Monero Linux Binaries from Official Site

Last week, Monero’s official website was compromised, resulting in a coin stealer being implanted within their Linux 64-bit command-line Monero binaries. Multiple concerned users reported throughout Reddit, Twitter, and GitHub that the binaries downloaded from the website did not have matching hashes for over 40 minutes.

Moderators on Monero’s subreddit recommended that users verify the integrity of the binaries with Fluffypony’s GPG key to ensure validity. SerHack, a security researcher and contributor to the Monero project, stated that he discovered a coin stealer embedded within the non-verified CLI binaries. A detailed analysis of the malware can be found here.

Get more information here

Google Offers up to $1.5 Million Bounty for Remotely Hacking Titan M Chip

Google has announced an increase in various rewards for finding and reporting critical vulnerabilities in the Android operating system. The most significant increase includes a $1 million bug bounty for a “full chain remote code execution exploit with persistence which compromises the Titan M secure element on Pixel devices.” If a security researcher can achieve full chain remote execution in developer preview versions of Android, Google will pay an additional $500,000, making the total $1.5 million for the find.

Google’s Titan M is a dedicated chip that protects devices against boot-time attacks. The separate hardware chip handles sensitive data, passcode verification, private keys, and more. Other new bounties cover data exfiltration and lock screen bypass vulnerabilities.

In total, Google has paid out $1.5 million in 2019 as part of its bug bounty program.

Read more here

TrickBot Trojan Getting Ready to Steal OpenSSH and OpenVPN Keys

TrickBot, the banking trojan that seems to evolve constantly, has upgraded its capabilities with an updated password grabber module. The new module steals OpenSSH private keys and OpenVPN passwords/configuration files. This February, the password stealer module was upgraded to take VNC, PuTTY, and Remote Desktop Protocol (RDP) credentials.

According to security researchers, TrickBot uses HTTP POST requests to send OpenSSH and OpenVPN passwords to its command-and-control (C2) servers. The Unit 42 research team states that “best security practices like running fully-patched and up-to-date versions of Microsoft Windows will hinder or stop TrickBot infections,” further emphasizing the importance of keeping a healthy patching schedule.

Read more here