Welcome to 2026, and welcome back to Exploit Brokers by Forgebound Research. In this packed episode, we’re covering five major cybersecurity stories — any one of which could have been its own episode. From Microsoft’s emergency patch to security professionals turning to the dark side, let’s dive in.
HN21 – Underground Market for Twitter/X Accounts; Google OAuth Backdoor for Hackers
Welcome to another captivating episode of Exploit Brokers! In this installment, we delve deep into the ever-evolving world of cybercrime and digital security. Join us as we unravel two gripping stories that shed light on the precarious nature of our online existence.
First up, we explore the dark corners of the internet where cybercriminals flood the dark web with stolen X/Twitter gold accounts. Verified accounts, belonging to celebrities and organizations, have become a lucrative target for crooks. Learn how they compromise these accounts, what they do with them, and how you can protect yourself from falling victim to these scams. #Cybercrime #DarkWeb #TwitterGoldAccounts #OnlineSecurity
Next, we tackle the concerning vulnerability in Google’s OAuth system. Password changes are often seen as a quick fix to account compromise, but malicious actors have found a way to circumvent this. Discover how an exploit allows hackers to regain access to your account even after you change your password. We break down the details and share tips on how to safeguard your online presence effectively. #GoogleSecurity #PasswordReset #OnlinePrivacy #cybersecurity #DigitalThreats #Malware #Cyberattacks #OnlineSafety
Join us as we navigate the complex web of cybercrime and digital security, arming you with the information you need to stay one step ahead of hackers and scammers. Don’t forget to hit that subscribe button and ring the notification bell to stay updated on all things cybersecurity. Your online safety is our priority! #ExploitBrokers #TechNews #CybersecurityAwareness #staysafeonline #oauth #cybercrime #hackers #hackingnews
Sources:
Stolen Twitter/X Accounts: https://www.darkreading.com/application-security/cybercriminals-flood-dark-web-x-twitter-gold-accounts
Google Password Vuln: https://www.theregister.com/2024/01/02/infostealer_google_account_exploit/
HN20 – T-Mobile’s Watchful Eye, Big Brother, and the Misconstrued Fines. The Prelude to Big Brother?
In this episode of Exploit Brokers, we delve into a recent online uproar surrounding T-Mobile and its alleged imposition of fines for text messages containing hate speech and other violations. We take a closer look at the image that sparked the controversy, which led many to fear that T-Mobile was turning into a “Big Brother” figure, constantly monitoring and fining consumers. However, as we investigate further, we find that the situation is not as dire as it initially seemed.
As we dissect the details, we emphasize the importance of staying informed about evolving policies and industry practices. While there is no immediate cause for consumer alarm, it’s crucial to keep an eye on developments in the telecommunications sector to ensure that user privacy and freedom of communication are protected.
Join us as we separate fact from fiction in this intriguing story of T-Mobile, potential fines, and the evolving landscape of digital communication. Please subscribe to our podcast or YouTube channel for more thought-provoking discussions on tech and cybersecurity.
#tmobile #privacyconcerns #telecommunications #datasecurity #bigbrother #digitalprivacy #internetsecurity #onlineprivacy
HN11 – T-Mobile Hacked, PayPal Hacked, and new Hook Android Banking Malware.
Intro
Hey guys, T-Mobile got hacked, PayPal got hit by a massive credential stuffing attack, a new Android malware has evolved from an existing banking malware, and a phone ad scheme infected real apps. All this in this episode of Exploit Brokers’ Hacking News Round-up. You’re not going to want to miss this.
PayPal Accounts hit by Credential Stuffing Attack
So, let’s talk about PayPal for a second. It appears they have been sending out data breach notifications, but before you run out and check your account, know that the incident happened back in December 2022. We are finding out more details now because PayPal distributed a security incident notice, and it’s important we discuss it and figure out what happened. Did PayPal have some unknown zero day? A flaw in the configuration of some server? No. It appears it was a large credential stuffing attack.
Simply put, a credential stuffing attack involves hackers taking known passwords from data dumps on the internet and then using a brute force login tool to try to log in to multiple websites with the leaked credentials. The brute force login tool pretends to be a web browser and tries logging into an account using passwords found for a known user. It relies heavily on a user reusing the same password for multiple things. Let’s say you use password123 (if you do, please change it). For this discussion, let’s say you use password123 on websites A, B, C, and D, and then there is a data breach and website A leaks your password. A credential stuffing attack would try to log in to websites B, C, or D with the password found on the internet. Hackers would use the information they got from the website A breach to log in to the other websites.
You must keep all your passwords as unique as possible and try not to repeat the same password on multiple websites.
So now that we know a bit more about what happened, let’s talk about what PayPal did. As soon as PayPal found out about the hack, they began an investigation. They reset the passwords of affected users and set up enhanced security that required a password change on the next login. They also gave users a chance to get two years of identity monitoring through Equifax.
What did the hackers have access to? According to PayPal, they could view your name, date of birth, social security number, address, and individual tax identification number. This all happened during a window thought to run from December 6 to December 8, 2022. It also looks like almost 35,000 users were affected by the incident.
So, on the surface it sounds bad, and it is bad for anyone affected by the hack. On the plus side, PayPal found the attack early on and was able to rule out a vulnerability on their side. The issue with bugs found in the application is that they can take longer to fix and generally affect a wider base of users. In this case, a credential stuffing attack is the result of hackers finding passwords on the internet that, by chance, are the same passwords used on the targeted website. It’s important to change passwords often and minimize, if not eliminate altogether, reused passwords. It’s good practice to use something like a password manager to help randomize passwords for all your accounts. However, make sure the master password is complex and not something you’ve used before.
Should you panic, stop using PayPal, disconnect your internet, and go offline forever? No. You need to look into a password manager, change the most critical passwords you have, and rotate passwords often. Hacking is becoming more commonplace, and it’s important to learn to navigate without fear.
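The detection side of what is described above, as an added example that is not from the episode or from PayPal: a short Python script that scans web login records for the signature of credential stuffing, which is one source address cycling through many different accounts with mostly failed attempts, something a single user retyping their own password never produces. The log format, the thresholds and the sample lines are constructed assumptions for illustration.

```python
"""Detect credential-stuffing patterns in web login logs.

Added example (not from the Exploit Brokers episode or from PayPal): the log
format and the thresholds below are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: timestamp, source IP, username, result.
# 203.0.113.7 sprays six different accounts in four seconds (stuffing);
# 198.51.100.2 is one user getting their own password wrong twice.
SAMPLE_LOG = """\
2022-12-06T10:00:01Z 203.0.113.7 alice FAIL
2022-12-06T10:00:02Z 203.0.113.7 bob FAIL
2022-12-06T10:00:02Z 203.0.113.7 carol FAIL
2022-12-06T10:00:03Z 203.0.113.7 dave SUCCESS
2022-12-06T10:00:04Z 203.0.113.7 erin FAIL
2022-12-06T10:00:05Z 203.0.113.7 frank FAIL
2022-12-06T10:05:00Z 198.51.100.2 alice FAIL
2022-12-06T10:05:30Z 198.51.100.2 alice FAIL
2022-12-06T10:06:00Z 198.51.100.2 alice SUCCESS
"""


def parse_line(line):
    """Split one assumed-format log line into (timestamp, ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def find_stuffing_sources(log_text, window=timedelta(minutes=5),
                          min_users=5, min_fail_ratio=0.6):
    """Return {ip: {"users": n, "attempts": n, "successes": [...]}} for every
    source IP that, within some sliding `window`, tried at least `min_users`
    distinct accounts with a failure ratio of at least `min_fail_ratio`.

    Many distinct accounts from one source with mostly failures is what
    separates stuffing from ordinary mistyped passwords. The `successes` list
    names the accounts whose reused password worked, i.e. the ones to reset.
    """
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, ip, user, result = parse_line(line)
        events[ip].append((ts, user, result))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u, _ in span}
            fails = sum(1 for _, _, r in span if r == "FAIL")
            if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
                successes = sorted({u for _, u, r in span if r == "SUCCESS"})
                flagged[ip] = {"users": len(users), "attempts": len(span),
                               "successes": successes}
    return flagged


if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(SAMPLE_LOG).items():
        print(f"{ip}: {stats['users']} accounts, {stats['attempts']} attempts, "
              f"force reset for {stats['successes']}")
```

On the constructed log only 203.0.113.7 is flagged, and the output names `dave` as the one account the reused password opened. That is the same response PayPal took: reset the affected users and require a password change on the next login.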
T-Mobile Hacked
The cell phone carrier T-Mobile just recently released a notice about a security breach that occurred back in late November. T-Mobile filed a report with the Securities and Exchange Commission, or SEC, about a security incident involving 37 million of its customers. It appears hackers found their way into the network and stole addresses, phone numbers, and birth dates of the affected customers. According to the report, the hackers were not able to steal passwords, PINs, credit cards, social security numbers, or bank account information.
This only adds fuel to the flames for T-Mobile. For those who may not be aware I’ll recap what’s happened over the past few years.
Back in August 2018, hackers managed to use a vulnerable Application Programming Interface, or API, to steal details from about 2 million T-Mobile customers. Although T-Mobile stated passwords, financial information, and social security numbers were not compromised, the hackers did potentially steal names, billing zip codes, phone numbers, account numbers, email addresses, and account types. That was the beginning of their troubles.
The following year, in November 2019, they had another data breach. This time it appeared that over 1 million pre-paid customers had their name, billing address, phone number, account number, rate plan, and calling feature information stolen.
Continuing down this timeline we find ourselves at March 2020. This time hackers were able to break into an employee’s email account and used it to steal customer account information. The hackers were able to get names, addresses, phone numbers, and rates. The hackers were not able to get financial information or Social Security Numbers.
The rest of 2020 looked quiet and then we get to 2021.
2021 had two T-Mobile hacking events: one in January 2021 and the other in August 2021. The January event did not expose names, physical or email addresses, financial data, credit card information, social security numbers, tax IDs, passwords, or PINs. The August event, however, is a different story.
The hacking event in August 2021 appears to have been the worst. Hackers were able to steal names, driver license details, government identification numbers, social security numbers, dates of birth, prepaid customer PINs, addresses, and phone numbers. The event was disclosed days after a hacker put the data up for sale on an underground forum.
Now back to our new and recent incident. Although financial and social security information was not stolen, the hackers were able to steal addresses, phone numbers, and dates of birth. This means the impacted customers are now more exposed to phishing and spam campaigns, and with even more personal information available, identity theft becomes even easier for hackers to carry out.
This is a prime example of why you need to rotate passwords often, get identity monitoring, lock down your credit, and sign up for a service that notifies you if passwords, email, and any of your personal information is found on the dark web.
August 2018 Source: https://grahamcluley.com/hackers-t-mobile-data/
November 2019 Source: https://techcrunch.com/2019/11/22/more-than-1-million-t-mobile-customers-exposed-by-breach/
March 2020 source: https://www.theregister.com/2020/03/05/tmobile_breach/
January 2021 source: https://www.theregister.com/2020/03/05/tmobile_breach/
August 2021 source:
New RAT Can Take Over Your Device
The Android banking malware world has two very dangerous families, known as Hydra and Octo. These two families of malware are dangerous because of their ability to perform a Device Take-Over, or DTO. Once a device has been taken over by a hacker, they can view and interact with the screen. Hackers can exfiltrate data, manipulate apps, and do anything that someone who has physical access to the phone could do.
There is one other family of Android banking malware with comparable infection numbers: ERMAC. ERMAC was being rented out by its creator DukeEugene, but the biggest difference is that it did not have the ability to do a device take-over. ERMAC’s source code was sold, and several renamed variants popped up. Infections with the names MetaDroid and OWL were found by ThreatFabric.
The story, however, has taken a turn. Recently DukeEugene posted a new advertisement for a brand-new banking malware known as Hook. Hook was touted as a new malware written from scratch. I’d assume this was to get bad actors interested in a new piece of tech that doesn’t have samples everywhere, or to rebrand the product toward a new audience. The claim of being written from scratch, however, may be false, as the team at ThreatFabric found that the malware shares a lot of the same source code as the original ERMAC.
So why am I bringing this up if it’s the same ERMAC malware that isn’t as powerful as Hydra and Octo? Hook has some shiny new upgrades that make it concerning. It can now communicate in real time and bidirectionally. To give context, previously the malware used a polling method where it would periodically send messages to the server controlling it. This makes it hard to do anything quickly, as changes would require waiting until the next poll occurred. The new real-time communication, known as WebSocket communication, opens a remote connection and can keep it open until the control server is happy with the conversation. This, coupled with its latest addition, makes it a formidable malware.
Hook can now use Virtual Network Computing, or VNC, to view the device remotely, and it abuses accessibility services to interact with UI elements. These two abilities, viewing and controlling the device, upgrade the malware to the same threat level as Hydra and Octo. Hook can now be considered a Device Take-Over capable malware. It can perform clicks, fill in text boxes, take screenshots, and more. It can also view and retrieve files on the victim device. If you have crypto or use WhatsApp, you’ll want to be extra careful. Hook has the ability to extract seed phrases for wallets, which would allow a hacker to create a copy of the wallet. Lastly, Hook has the ability to read and send messages from the popular messaging app WhatsApp. Hook is a new malware to be on the lookout for.
Source: https://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities.html
Outro
Malware, password hacking, and leaked data are only a portion of the cyber threats of the digital world we live in. If you want to stay up to date and learn about the threats lurking in the cyber shadows stay tuned. This has been Exploit Brokers; I’ll see you in the next one.
HN10 – License Plates Hacked, Canada Reclassifies Tether, JsonWebToken Vulnerability, & More.
Intro
Hey guys and welcome to Exploit Brokers where we break down articles, recap recent hacking events, and give insight on the technical aspects of the hacking events. I will explain things and give my opinion on tech and hacking events so let’s get started.
Hackable License Plates or Hack way or the Highway
What if your car’s license plate could track you? What if hackers were able to access that information and could monitor the position of your car whenever they wanted? This isn’t science fiction; this is what security researchers were able to access when they gained admin access to Reviver’s backend system. In an article by Vice titled “Researchers Could Track the GPS Location of All of California’s New Digital License Plates,” they dive into the issue found by the security researchers. Reviver is the company that sells and maintains the REVIVER license plate, a digital license plate that the company describes as the modern license plate. The digital license plate also allows a personalized message at the bottom of the plate. Once the security researchers were able to gain admin access, they could change this to whatever they wanted. In addition to modifying the personalized message, an attacker could track, update, and delete any plate they wanted to. Currently California allows digital license plates, and Reviver is the sole provider of these plates.
Let’s break down the technical information available to try to understand what happened. At first glance it appears there are two main account types, a “CONSUMER” type and a “CORPORATE” type. At least that’s what appears to normally be handed out. There was a third type of account identified as a “REVIVER” account. This acted as an admin account, or root in Linux terms. This means whoever had an account with a “REVIVER” type on it would be able to wield virtually unchecked powers. In my opinion this sounds like something developers and testers would implement so they can get in and out of the system for testing, maintaining, and enhancing pieces of code and products. This is purely what I suspect happened, but only Reviver currently knows what the intention of the account type was.
The good news? Reviver has patched the issues that were reported by the security researchers. Good on them. It’s nice to see companies being receptive to bug reports and doing something about them. Far too often you hear about companies ignoring bug reports or outside people finding flaws in their systems. Reviver, I think you did well in fixing the issues promptly.
Source: https://www.vice.com/en/article/wxn9vx/researchers-track-reviver-digital-license-plate-gps-location
Canada’s Standard Means Tether Gets More Restrictions
It appears the crypto markets can’t catch a break. Decrypt.co is reporting more bad news for the crypto markets. It appears that Crypto.com will delist the Tether stablecoin in Canada due to pressure from Canadian regulators. Users will only have until January 31st to trade or withdraw their Tether coins. There was some confusion, since the notice by Crypto.com did not specifically state that only Canadian users would be affected. Any remaining Tether after the January 31st deadline would be automatically converted to another stablecoin known as USD Coin, issued by the financial technology company Circle.
The controversial decision was essentially forced by the Ontario Securities Commission when the Canadian Standards Association, or CSA, stated their view on stablecoins. The CSA essentially views stablecoins, or stablecoin-related agreements, as securities and/or derivatives. This change of view means that stablecoins are now seen as regulated instruments like stocks, derivatives, futures, and things of that nature. For my American viewers, the Ontario Securities Commission is essentially the Canadian equivalent of the Securities and Exchange Commission, or SEC.
Let’s stop for a second and give some background on the topic. A stablecoin is the intermediary between crypto and fiat currency. It is generally tied to another currency or commodity and makes it easier for transactions between coins to happen without the added step of exchanging to a fiat currency such as US dollars. Stablecoins are backed by real-world assets such as the US dollar. To give further background on stablecoins: Tether is the third-largest digital asset by market capitalization and the largest crypto stablecoin available at the time of this recording. USD Coin is the second-largest stablecoin, issued by a FinTech company known as Circle. The move to convert any remaining Tether to USDC makes sense. USDC is owned by a registered Money Service Business in the US and is therefore already regulated and scrutinized by the US. Tether had issues in the past, including lawsuits over its statements that USDT was backed by cash and cash equivalents. I’ll be sure to do a video on this in the future.
Source: https://decrypt.co/118812/crypto-com-delist-tether-canada
Let’s JWT this down
The one thing most developers and system admins don’t want to hear is that there is a severe vulnerability in the systems they are developing or maintaining. A new high-severity flaw has been found in JsonWebToken, or JWT. The flaw has the potential to allow an attacker to perform Remote Code Execution, or RCE. Tracked as CVE-2022-23529, it has been patched in version 9.0.0 of the JWT package. If your app is running 8.5.1 or below, then it’s time to update to 9.0.0 to avoid it being exploited out in the wild.
To give some context, JWT is how some web applications authenticate users. The JWT library is developed and maintained by Auth0, which is owned by Okta, Inc. The severity is a concern because the JWT library we’re discussing has over 10 million weekly downloads on NPM, the popular Node package manager, and is used by over 22,000 projects. That means thousands of applications could be running vulnerable code that could let an attacker execute malicious code on a victim server.
We’re seeing more and more software supply chain related attacks lately. Essentially, why attack an application directly when you can find exploitable bugs in packages that have widespread usage? This allows you to target tons of applications all at once. The moment a strong vulnerability is found, the attacker only needs to play the numbers game to try and get a successful attack underway.
Developers should be mindful of security as often as possible. I know it’s alluring to think that software has to be shipped fast, but it’s important to have processes in place to catch as many of these vulnerabilities as early as possible. It’s impossible to avoid eventually introducing bugs into applications, but the more that are caught, the harder it is for an attacker to find an easy vector of attack.
Source: https://thehackernews.com/2023/01/critical-security-flaw-found-in.html
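The practical follow-up to the update advice above is finding every copy of the package in a project, including the transitive copies a dependency pulled in underneath it. The following Python script is an added example, not from the episode and not from Auth0 or Okta; it assumes npm’s `package-lock.json` layouts (the `packages` map of lockfile versions 2 and 3, the nested `dependencies` map of version 1) and uses the version boundary the episode gives: anything below 9.0.0 still needs the update. The sample lockfile is constructed.

```python
"""Audit an npm lockfile for jsonwebtoken copies affected by CVE-2022-23529.

Added example, not from the episode or from the jsonwebtoken project. Assumes
npm's package-lock.json layouts and the episode's boundary: fixed in 9.0.0.
"""
import json

AFFECTED_PACKAGE = "jsonwebtoken"
FIXED_VERSION = (9, 0, 0)


def parse_version(version):
    """Turn '8.5.1' (or '8.5.1-beta.0') into a comparable tuple of ints."""
    core = version.split("-", 1)[0].split("+", 1)[0]
    parts = core.split(".")
    return tuple(int(p) for p in parts) + (0,) * (3 - len(parts))


def is_affected(version):
    """True for every release below the fixed 9.0.0 (i.e. 8.5.1 and earlier)."""
    return parse_version(version) < FIXED_VERSION


def lockfile_packages(lock):
    """Yield (path, name, version) for every installed package in the lockfile."""
    if "packages" in lock:
        # lockfileVersion 2/3: {"packages": {"node_modules/a/node_modules/b": {...}}}
        for path, meta in lock["packages"].items():
            if not path:
                continue  # "" is the root project itself
            name = path.split("node_modules/")[-1]
            yield path, name, meta.get("version", "")
        return

    # lockfileVersion 1: nested {"dependencies": {"a": {"version": ..., "dependencies": {...}}}}
    def walk(deps, prefix):
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            yield path, name, meta.get("version", "")
            yield from walk(meta.get("dependencies", {}), path + "/")

    yield from walk(lock.get("dependencies", {}), "")


def find_vulnerable(lock_text):
    """Return 'path@version' for each jsonwebtoken copy that still needs 9.0.0."""
    lock = json.loads(lock_text)
    return sorted(
        f"{path}@{version}"
        for path, name, version in lockfile_packages(lock)
        if name == AFFECTED_PACKAGE and version and is_affected(version)
    )


# Constructed lockfile: the project's direct copy is already patched, but a
# dependency ("legacy-auth", a made-up name) still nests an 8.5.1 copy.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/jsonwebtoken": {"version": "9.0.0"},
        "node_modules/legacy-auth": {"version": "2.3.0",
                                     "dependencies": {"jsonwebtoken": "^8.5.0"}},
        "node_modules/legacy-auth/node_modules/jsonwebtoken": {"version": "8.5.1"},
    },
})

if __name__ == "__main__":
    for hit in find_vulnerable(SAMPLE_LOCK):
        print("still vulnerable:", hit)
```

The point of walking the lockfile rather than `package.json` is the nested case the sample shows: a project that updated its own dependency to 9.0.0 can still ship 8.5.1 through another package, and only the lockfile records that second copy.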
The Zero Day in Sugar
So, there is a major vulnerability in SugarCRM that allows attackers to take full control of the victim’s server. A recent zero day, or previously unknown vulnerability, has been discovered being exploited in the wild against SugarCRM instances. The zero day has reportedly affected 12 percent, or roughly 354, of the over 3,000 SugarCRM servers online. SugarCRM made a hot fix available in early January and has applied it to its cloud-based offerings. It encourages any admin running SugarCRM on their own servers to patch as soon as possible.
The vulnerability was posted in late December and included Google Dorks, or search queries used to find certain things using Google’s powerful web crawling. A hacker can use a Google dork to find websites that are potentially vulnerable by searching for information not generally visible on the surface of the website.
To give more info on the zero day found, it was identified as an authentication bypass bug. An authentication bypass bug allows an attacker to access the server without needing to be authenticated, or logged in. The attacker in this instance was able to manipulate a file on the server. The file manipulation allowed the attacker to obtain a cookie, which could then be chained to upload a malicious image. The malicious image contained code that allows the attacker to open a remote session on the server. Once they have a remote session on the server, they can do virtually anything they want to. This essentially means the hacker has completely taken over the server and could place other backdoors and launch their own apps at the expense of the server owner.
Outro
Thank you for tuning in this has been Exploit Brokers, I’ll see you in the next one!
Freakout Botnet Attacks DVRs, Ricochet Problems, MyKings Botnet, & Twitch Hacked.
Exploit Brokers Hacker News Episode 09
Intro
Hey guys, welcome to Exploit Brokers. Today we’re going to be going over four different articles. Let’s talk about Twitch. Let’s talk about Ricochet, the FreakOut botnet and the MyKings botnet. Let’s jump into it.
Cool. So guys, welcome back. I know I’ve been offline for a little bit, but I am here to bring you back your hacker news goodness. So today we’re going to jump right into it.
Freakout Botnet Attacks DVRs
We’re going to talk about the FreakOut botnet. It turns out they are using their botnet to turn DVRs into Monero crypto miners. So Monero is one of the favorite types of crypto miners in the criminal industry, because it’s very hard to track compared to, like, Bitcoin and all that.
So the transactions are much more privacy oriented, I guess, if you can say it that way. So let’s jump right into it. Let’s see. And I will list the articles in the show notes. This one is by threatpost.com, titled “FreakOut Botnet Turns DVRs into Monero Crypto Miners.” That’s what we’re talking about today.
I’ll start out by saying the article says the new Necro Python exploit targets Visual Tools DVRs used in surveillance systems. So we’re not talking about just, like, you know, your old DVR, if anyone still has a DVR for TV services. I imagine a lot of people still do, but no, this is specifically the Visual Tools DVRs for surveillance systems.
So if you think about surveillance systems, they’re going to be on all the time. They’re going to be pulling feed for everything. So, you know, hey, if they’re always on anyways, and most people aren’t going to be checking them normally, ’cause, you know, you don’t really check them unless you need them, then you could totally put something on there.
The Juniper Threat Labs researchers issued a new detail. There’s apparently something known as Necro Python, a Python IRC bot. For some people, IRC, they may be familiar with that. That’s Internet Relay Chat. It’s kind of like the predecessor to, like, messaging. You’d put up an IRC server.
People could join, you could talk, kind of like a message board, but more interactive. According to this, the malware in late September was targeting the Visual Tools DVR VX16 4.2.28.0 models with crypto mining attacks. What this usually seems to be is like, hey, grabbing their botnets and they’re targeting this specific model.
Maybe there’s a firmware vulnerability. Maybe there’s something else. We’ll just kind of keep going and see if there’s anything we can find. Right. They’re using command injection. The script can run in both Windows and Linux environments, and the script has a polymorphic engine to morph itself.
Ooh. So, okay. This is actually really cool. Polymorphic engines, if you think about, like, something being able to evolve itself or change itself over time, you know, viruses or bacteria and stuff like that. The polymorphic engine is actually a very cool way that some viruses, I mean, I say cool, but it’s kind of devastating.
It’s a very cool way that some computer viruses keep morphing themselves, and antivirus sometimes uses signature-based defenses. Right. So what that means is they’re looking for a specific type of code, or for the binaries to look a certain way. And then that will allow it to be like, hey, this looks an awful lot like this kind of virus or this specific virus.
So by morphing itself, you’re changing your signature every couple of executions or every execution, right? So the next time you infect somebody, you’re using the next variant of what it was. And typically, I was looking into polymorphic engines to see how they kind of work. Right. And they have their base encrypted.
That’ll get re-encrypted, and then you have the actual delivery system. There’s a way that you can keep that encrypted in the program. Then you can decrypt it, recompile it, but also re-encrypt it as well. You have the payloads being constantly changed, and the signature will look different.
According to the article, FreakOut, which is the group who originated the botnet, have been doing this since at least January. They’ve been trying to launch distributed denial of service attacks and crypto mining attacks. So they’re trying to bring people down and trying to make money. Kind of makes sense. Right?
They have several iterations of the Necrobot. According to what I’m seeing here, there have been even recent changes. Cool. They’re using what’s known as a domain generation algorithm for added persistence. Based off my research, the domain generation algorithm, how it works is it’ll guess certain kinds of domains. And then it’ll go reach out and, like, hey, are you my C2 server?
Are you my command and control server? If it doesn’t find it, well, then, hey, that’s fine. It just tries again and tries again. The first Necrobot used to scan ports 22, 80, 443, 8081, and 7001. Then if it detected it, then according to the article, an XMRig, which is a high-performance Monero miner, linked to a specific wallet.
Then it would just try to mine and then throw whatever Monero to that wallet. So the vulnerabilities, for those of you that are kind of wondering, are CVE-2021-15568, TerraMaster TOS before 4.1.29; CVE-2021-2900, the Genexis (sorry if I butchered that) Platinum 4410 2.1 P4410-V2-1.28.
There’s five of these; we already covered two. The third one is CVE-2020-25494, Xinuos (formerly SCO) OpenServer version five and version six. Next is CVE-2020-28188, TerraMaster TOS every version up to and including 4.2.06, and the last one is CVE-2019-12725, Zeroshell 3.9.0.
So something I’d like to point out. We do have what looks to be, like, one extremely recent exploit, 2021. Like, you know, last year’s exploits, 2020s and the 2019. This virus has exploits that are pretty recent. The chances that an organization is using something that hasn’t been patched, or that the software hasn’t had a patch for, like, the 2021, let’s say, then, you know, that’s, that’s pretty high.
As a software engineer, turnaround time is not like, hey, there’s an exploit. Cool. I could totally get that fixed by this afternoon. If you just find out about it and you’re in the process of normal code delivery, code release, right, you may not have team members to go fix critical patches that night.
You may have to pull them off; that could throw your deadlines off. Very much a cat and mouse, from a delivery standpoint, right? So of course you have to do bug fixes. But do you have time to do bug fixes and your main release as well? From this, I don’t know too much about TerraMaster or the CVEs in question, but from a software engineering perspective, you got to be careful with that.
Ooh, so the head of Juniper Labs has told Threatpost, which is the article that I’m reading this off, most security teams need to be able to handle DGA domain attempts. What I’m assuming he means, right, from an IT perspective, if a computer, a box, right, is sending out 400 DNS requests looking for similar things, well, an average user shouldn’t be sending 400 DNS requests in an hour.
Right. They might go to, like, four or five, but if they’re doing their job, even if you’re Googling, right, you’re not going to hit 300 domains, 400 domains in two hours, three hours. That’s my guess. By having a router, switch, or firewall with a rule that kind of says, like, hey, if any machine is throwing, like, 300, or more than 200, or whatever threshold,
X amount of DNS requests in X time or Y time, then you need to throw an alert. You need to block that, ’cause, hey, that could be a malicious or compromised box. I could totally see where that’s kind of where they’re getting at. But, you know, that’s just my opinion. So let’s roll into the next one.
Source: https://threatpost.com/freakout-botnet-dvrs-monero-cryptominers/175467/
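The threshold rule sketched in that segment, written out as a small Python detector. This is an added example, not part of the episode and not from Threatpost or Juniper Threat Labs: it reads DNS resolver log lines (an assumed format), and for each client applies a sliding one-hour window that fires when the lookup count passes a threshold and most of the answers were NXDOMAIN, which is what a bot guessing generated domains for a C2 server that does not yet exist looks like. The sample log is constructed by the script itself: one host sprays 400 random-looking names, one host browses normally.

```python
"""Flag clients whose DNS lookups look like domain-generation-algorithm (DGA)
beaconing: many lookups from one client in a short window, mostly unresolvable.

Added example, not from the episode, Threatpost or Juniper Threat Labs. The log
format, the thresholds and the sample log are constructed assumptions.
"""
import random
from collections import defaultdict
from datetime import datetime, timedelta


def parse(line):
    """Assumed log format: ISO timestamp, client IP, queried name, response code."""
    ts, client, qname, rcode = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, qname.lower(), rcode


def find_dga_clients(log_text, window=timedelta(hours=1),
                     min_queries=200, min_nx_ratio=0.8):
    """Return {client: stats} for every client that, inside some sliding `window`,
    issued at least `min_queries` lookups of which at least `min_nx_ratio`
    came back NXDOMAIN. The NXDOMAIN condition is what keeps a busy but
    legitimate host (many lookups, nearly all of them resolving) out of the alert.
    """
    per_client = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, client, qname, rcode = parse(line)
        per_client[client].append((ts, qname, rcode))

    flagged = {}
    for client, evs in per_client.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            if len(span) < min_queries:
                continue
            nx = sum(1 for _, _, rc in span if rc == "NXDOMAIN")
            ratio = nx / len(span)
            if ratio >= min_nx_ratio:
                flagged[client] = {
                    "queries": len(span),
                    "distinct": len({q for _, q, _ in span}),
                    "nx_ratio": round(ratio, 2),
                }
    return flagged


def build_sample_log(seed=7):
    """Construct sample log lines (not real traffic): 10.0.0.5 asks for 400
    random 14-letter .com names that do not resolve, spread over about 33
    minutes; 10.0.0.9 makes a handful of ordinary lookups. Seeded for
    reproducibility."""
    rng = random.Random(seed)
    t0 = datetime(2021, 9, 20, 9, 0, 0)
    lines = []
    for i in range(400):
        label = "".join(rng.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(14))
        ts = t0 + timedelta(seconds=i * 5)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} 10.0.0.5 {label}.com NXDOMAIN")
    normal = ["example.com", "example.org", "mail.example.com",
              "cdn.example.net", "example.com"]
    for i, name in enumerate(normal):
        ts = t0 + timedelta(minutes=i * 7)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} 10.0.0.9 {name} NOERROR")
    return "\n".join(lines)


if __name__ == "__main__":
    for client, stats in find_dga_clients(build_sample_log()).items():
        print(f"ALERT {client}: {stats}")
```

Tune `min_queries` and `window` to the site’s own baseline before trusting the alert; the 200-per-hour figure here is only the order of magnitude the episode talks about, and the NXDOMAIN ratio is the part that separates a DGA from a busy developer workstation.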
Ricochet Anti-Cheat Kernel
So ricochet call of duty for any of you gamers who are interested, ricochet is an anti cheat engine. Call of duty, wants to use for Warzone and Vanguard. The reason I’m bringing this up is they have a Kernel level driver. It’s first going to come to call of duty. Kernel level, for those of you who may or may not be aware, you have the user level and you have the kernel level.
Kerner level is anything that runs windows privileges versus user space is, you know, users kind of straight forward. Right? The problem with Kernel drivers is they tend to have a lot of control over the system due to the nature that they are integrated tightly with the operating system. They’re trying to calm people down.
I kind of pre-read this article right there, trying to calm people down by saying, Hey, it’s not always on and it only checks for software that interacts with call of duty, but that doesn’t mean it can’t change. That doesn’t mean that there couldn’t be false flags, right? So my biggest concern with any security tool with any AI thing..
Is false positives. Right? False positives could give people a really bad day. Do we want to stop hackers? Yeah, we want to stop hackers. Do we want to stop people from ruining the game ? Yeah, we want to stop people from ruining the game. What happens if the driver accidentally sees overclocking software as a flag.
So you're going to have a lot of tech enthusiasts. A lot of people build gaming rigs, gaming computers, with the idea: cool, I can play games, but I can also overclock this thing and get the most performance. Or some people just like to do it for fun. Even I've played around with overclocking.
It's just one of those things like, hey, I have a really cool PC, can I try this? My other concern as well: you have a kernel-level driver that can interact with the system that's been developed by this company. Well, like any kernel-level thing, what if there's a vulnerability in that kernel?
How fast would they be able to patch it? How much will they care? Are they going to be invested to be able to, like, hey, a CVE came out on our kernel driver that is installing Monero miners or whatever, should we patch it? Do we care?
That's almost any company, but this is one more company. What I'm reading, the way I'm understanding it, is you will not be able to play the game unless the kernel driver is installed. For you to be able to play Call of Duty on your gaming PC, you would need to have this kernel installed.
That doesn't make me feel great about it. Call of Duty, I'm seeing maybe a hundred million, yeah, about a hundred million players, which means that if you target, let's say, let's say a quarter of them are gaming PC players, right?
You have a quarter of the 100 million. So you have 25 million people who are now running this driver on their computers. If a CVE breaks out, 25 million is, you know, a pretty substantial base considering it's one company. You should be worried about that for anything and everything.
Windows is not exactly the most secure system. There's a lot of faults; they're getting better, but they do have a lot of faults. Not related, but it appears that part of the driver is actually using, or could possibly use, machine learning algorithms. I don't know this definitively, but they're saying that they want to use machine learning to analyze server data to determine patterns.
Now this goes back to my false positive concern, right? So machine learning algorithms, at the current time, most of them are not truly 100% accurate. If you think it's a hundred percent, maybe you're over-fitting, which means you're saying, hey, this data looks this way. Cool. But then when you throw real data at it, it doesn't fit the training data exactly.
So you'll overfit, and that's just one thing I'm concerned about. Say it's half a percent, right? What's half a percent of a hundred million players? It's like 50,000 players that you may automatically flag. If you're doing anything like an auto ban based on the flags, cool, you just falsely banned 50,000 players.
Not to mention that, even with false positives, be like, well, hey, what about the hackers that do get through? You are reducing the amount, but this is not a catch-all solution. This is not a cool, we can fix everything.
You have to do it in a nuanced way. You can't just have the machine learning AI be able to auto ban people without some sort of appeal process, without some sort of safety checks to allow those who get falsely flagged to come back, because it's going to suck. You pay $60, a hundred dollars, or, you know, $60 plus DLC.
I mean, Warzone is free, but if you're buying the season pass or whatever, you're still paying. It's going to suck that you falsely get flagged and you lose access to the thing that you were paying money for. And I don't think anybody wants that.
I was pulling the information, and I'm going to put it in the show notes, off CallOfDuty.com itself.
Source: https://www.callofduty.com/blog/2021/10/ricochet-anti-cheat-initiative-for-call-of-duty
MyKings Botnet
Let’s kind of segment into the next article.
The next article comes from bleepingcomputer.com, titled "MyKings botnet still active and making massive amounts of money". Cool. Botnets making money seems to be like a recurring theme. The MyKings botnet, according to the article, is still actively spreading and is making tons of crypto.
The first appearance was like five years ago. Being that it's one of the most analyzed, I'm kind of paraphrasing slash reading the article: MyKings is particularly interesting to researchers thanks to its vast infrastructure and versatile features. What does it mean by versatile features? We'll list a few, right.
I'll kind of touch on what they mean. So the article states that it includes: bootkits, miners, droppers, clipboard stealers, and more. Bootkits are particularly problematic because they install themselves in the boot sector of the operating system. You don't want a virus that manipulates your system on boot or just as it's booting, because it becomes very hard to truly get rid of that.
If the bootkit installs itself, well, you may have to completely wipe the entire system, and there goes all your data, right? Miners: going back to the Monero miner, or, you know, a Bitcoin miner, that could be done. There's dozens of variations. There's probably a couple different miners per coin.
Right? Droppers, I've heard this term before; I'll have to come back to you on that. Clipboard stealers, you know, straight up just steal your clipboard. The reason that could be problematic is if you're mining or if you're doing something else, cool, now they have your wallet and other stuff.
Every time that it sees your wallet, they could inject their wallet. And there you go. Now they're using the hacker's wallet for whatever they would use it for: deposits, trades, et cetera.
Let's jump into the article. Bleeping Computer seems to be referencing Avast Threat Labs. The earnings reflected in the wallets linked to MyKings are approximately 24.7 million. So they make quite a bit of money off this, right. They're using substitution.
Oh, cool. Kind of what I was touching on. So they are using the clipboard manipulation thing to inject their wallet. The latest, I'm going to read from the article: "The latest version of the malware also features a new URL manipulation system in the clipboard stealer module, which the attackers created to hijack Steam item trade transactions." Cool, they're even targeting Steam here. The module changes the trade offer URLs
so the actors are placed at the receiving end. So not only are they probably trying to look for digital wallets, now they're even targeting games. So they're targeting Steam, which is kind of interesting. I mean, in games, items sell for a lot. I know there's this one game, don't remember off the top of my head, that uses real-world money to kind of be like a one-to-one, but you're not supposed to take the money out.
At least the developers, I think, don't want you to. Hey, that's one way that now criminals are trying to make more money: now let's go after games too. So there was also functionality added for the Yandex.Disk cloud storage service, and it looks like they're essentially using that for a social-engineering-style spread. They put up a photos archive; you unzip it, and it's actually the malware. But you are a trusted person sending your friend this link; they're going to download it and run it because it came from you, and it's actually going to infect them because your clipboard was manipulated behind the scenes.
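To make the clipboard-substitution trick concrete from the defender's side, here is an added example (not MyKings code, and not from Avast or Bleeping Computer) of a monitor that compares what the user actually copied against what the clipboard holds at paste time and flags a silent swap of a wallet address or Steam trade-offer link. The event format, the simplified address patterns and all sample values are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed, simplified patterns for values a clipboard "clipper" swaps (not exhaustive).
PATTERNS = {
    "btc": re.compile(r"^(bc1[a-z0-9]{25,60}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "xmr": re.compile(r"^4[0-9A-Za-z]{94}$"),
    "steam_trade": re.compile(
        r"^https://steamcommunity\.com/tradeoffer/new/\?partner=\d+&token=[A-Za-z0-9_-]+$"),
}

@dataclass
class Event:
    kind: str  # "copy" = what the user selected (copy hook); "paste" = clipboard content at paste time
    text: str

def classify(text):
    """Return which sensitive-value type the text looks like, or None."""
    for name, rx in PATTERNS.items():
        if rx.match(text.strip()):
            return name
    return None

def detect_swaps(events):
    """Flag every paste whose sensitive value differs from the most recent user
    copy of the same type (the clipper's signature). Returns (type, copied, pasted)."""
    last_copy, alerts = {}, []
    for ev in events:
        kind = classify(ev.text)
        if kind is None:
            continue
        if ev.kind == "copy":
            last_copy[kind] = ev.text.strip()
        elif ev.kind == "paste" and kind in last_copy and ev.text.strip() != last_copy[kind]:
            alerts.append((kind, last_copy[kind], ev.text.strip()))
    return alerts

def sample_events():
    """Constructed clipboard history: benign BTC paste, swapped ETH address, swapped Steam link."""
    return [
        Event("copy", "1Q2W3E4R5T6Y7U8P9A1S2D3F4G5H6J7K8M"),
        Event("paste", "1Q2W3E4R5T6Y7U8P9A1S2D3F4G5H6J7K8M"),
        Event("copy", "0x1111111111111111111111111111111111111111"),
        Event("paste", "0x2222222222222222222222222222222222222222"),
        Event("copy", "https://steamcommunity.com/tradeoffer/new/?partner=123456&token=abcDEF12"),
        Event("paste", "https://steamcommunity.com/tradeoffer/new/?partner=999999&token=zzzZZZ99"),
    ]
```

Running `detect_swaps(sample_events())` returns two alerts, one for the ETH address and one for the Steam link, while the unchanged BTC paste is not flagged.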
Source: https://www.bleepingcomputer.com/news/security/mykings-botnet-still-active-and-making-massive-amounts-of-money/
Twitch Hacked
Now onto our last article.
Article by 9to5mac.com, "PSA: Twitch.tv was hacked, everything leaked, including creator payouts". I'm pretty sure you've seen this on the news. It's been everywhere. Right? So Twitch TV, the very popular streaming channel, or streaming website, for games and I guess other stuff, was hacked.
So if you have an account there, they're recommending you change your password, which I will recommend if your data's ever in a breach. Yes, change your password. Yeah, do it. Password managers are also pretty cool. Those can get hacked too, but hey, at least you have only one master password that you need to be changing often, and you don't got to remember the other ones.
Going through the article: there was an anonymous hacker who posted a huge download link. Apparently the entire website source code, various console, phone stuff. Ooh, an unreleased Steam competitor, talking about Steam earlier, right? Payouts and encrypted passwords all got leaked. So encrypted passwords: that could or could not be problematic depending on how good the encryption is. By the way, don't trust it, change your password. Payouts, that's just, ah, man. Now you're going to know what every streamer makes. Apparently a 125-gigabyte torrent link was posted to 4chan, I think last Wednesday. This was October 6th.
Ooh. So very early Wednesday, I think like maybe late September Wednesday. So I'm a little bit late to this article. One anonymous company told, and I'm reading from the article, "One anonymous company told VGC", which I'm guessing is where 9to5Mac originally quoted their stuff,
"that the leaked data is legitimate, including the source code for the Amazon-owned streaming platform. Internally, Twitch is aware of the breach, the source said, and it's believed that the data was obtained as recently as Monday. We've requested comment from Twitch and will update this story when it replies".
I guess there hasn't been any update. Going over, right, all of that. That's, that's rich. So as well as the data that got leaked, internal penetration testing tools got leaked too. Right? So the hackers got hacked. Twitch TV isn't exactly hackers, but their hacking tools got hacked. Reminds me of, I think it was a government agency, that got their stuff stolen by hackers too.
It kinda reminds me of that realm, right. When you look into the abyss, the abyss will stare back, kind of thing. "The entirety of Twitch's source code with comment history 'going back to its early beginnings'". They got all the Twitch, pretty much all the repo, all the creator payouts from 2019, mobile, desktop and console client, proprietary SDK and internal AWS services used by Twitch. So they can completely make a Twitch clone tomorrow. Wow. "'Every other property that Twitch owns', including IGDB and CurseForge".
No idea what those are, but hey, it's Amazon-owned, so it's big. "An unreleased Steam competitor, codenamed Vapor, from Amazon Game Studios". So something I've been seeing from the Amazon side. Right. As a developer, I like AWS. It's kind of cool. I'm not super big on only one platform, but anyways, I've seen where Amazon is pushing, I forget the name of it, but they're starting to push into the game market, and I think it's because, hey, Vapor or whatever this thing is, if it's a Steam competitor, they want to get in on selling games. I know they're trying to get in on the game engine side.
It kind of makes sense. Gaming is a very profitable, or not profitable, but is a very big industry. People game on their mobile, people game on console, people game on PC; it's what people do. The last point of what was stolen includes penetration tools, which I was talking about. It looks like it was red team tools. For my listeners who are not aware, red team essentially means attacker, right?
You have the red team attack, the blue team defends, and kind of variations of those. You have some people that try to do both. That will be another episode, another thing to talk about. A Twitter user has actually been quick to post spreadsheets about who the highest-paid earners were. So I will link the article in the description or in the show notes, if you want to go check out what that Twitter is and see, you know, who were the higher paid ones. All I will say here is it's like a couple of million dollars from August 2019 to October 2021. I mean, that's pretty big.
Most people don't make a couple of million dollars unless you're a CEO or something. Also, hey, props to them.
"The hacker said their motivation was to disrupt the space because 'their community is a disgusting, toxic cesspool'". That's 9to5Mac quoting somebody else, not me.
It seems just like the hacker was disgruntled because of Twitch's politics. Not going to get into that, but hey, if you don't like Twitch, don't get on Twitch. If you like Twitch, well, then get on Twitch. It's going to be completely up to you. I do agree with the notion that rules should be applied evenly.
You can't just pick and choose, you know, your profitable people can bend the rules, stuff like that. I don't, I, it should be across the board. Right. It said Twitch is working hard to address this, but many people are unhappy about the results, according to the article. I mean, kind of makes sense.
Your whole data was leaked, or your tools are leaked, or internal stuff was leaked. Now everyone knows how much they made. You know, people can see how much they made from this year to this year.
According to this, you know, people are unhappy. And I know a lot of people have been unhappy with the Twitch platform as a generality, but you reap what you sow, I guess.
Source: https://9to5mac.com/2021/10/06/twitch-tv-was-hacked/
Outro
Guys, that's the last article. So thank you for sticking with me again. This has been Exploit Brokers Hacker News with your host Lauro, and I will see you in the next one.