Last Week In Blockchain and CyberSecurity News - March 19, 2019

Hacker Returns and Puts 26 Million User Records for Sale on The Dark Web 

The hacker who previously listed over 840 million user records on the dark web marketplace has struck again. This time, the hacker put the data of six different companies, totaling 26.42 million user records on sale for 1.2431 bitcoin ($4,940). Since February 11th, the hacker has put up Round 1Round 2, and Round 3 on Dream Market, a dark web marketplace, totaling up to 32 companies. The companies included in the fourth round include “game dev platform GameSalad, Brazilian bookstore Estante Virtual, online task manager and scheduling apps Coubic and LifeBear, Indonesia e-commerce giant Bukalapak, and Indonesian student career site YouthManual” (ZDnet). 


The hacker stated he put the data up for sale mainly because the companies did not correctly protect their passwords, saying “I just felt upset at this particular moment, because seeing this lack of security in 2019 is making me angry.”  It is alarming that in 2019 consumer data is not adequately protected allowing incidents like this to occur. Companies must stay vigilant, and correctly secure their assets. 
 

Read more here.

Malware Spreads as a Worm, Uses Cryptojacking Module to Mine for Monero 

A modular malware with worm capabilities has been observed to exploit known vulnerabilities in servers running “ElasticSearch, Hadoop, Redis, Spring, Weblogic, ThinkPHP, and SqlServer”(BleepingComputer). The worm, dubbed PsMiner is a Windows binary written in the Go language. PsMiner deploys numerous exploit modules across vulnerable servers it comes across to mine for Monero cryptocurrency. 

PsMiner can also brute force its way in when it comes across a target that utilizes weak or default credentials. Once the worm successfully infiltrates a victim’s computer, it will execute a PowerShell command that “downloads a WindowsUpdate.ps1 malicious payload” which is “designed to drop [a] Monero miner as part of the final infection stage.” The payload will also copy the malicious script and deploy an “Update service for Windows Service” scheduled task designed to “re-launch the main malware module every 10 minutes” allowing it to keep a stable presence on the compromised system. PsMiner also uses living-off-the-land(LotL) techniques to compromise the targets further.

Read more about PsMiner here

VPN Provider Citrix Hacked, up to 6TB of Data Accessed 

Citrix Systems’ internal network was hacked by cybercriminals who may have obtained and accessed numerous business documents. As stated in their blog post, the FBI contacted Citrix with a concern that “international cybercriminals gained access” into the company's networks. The agency told Citrix that the hackers most likely broke into their systems with password spraying. Password spraying is an “attack method that takes a large number of usernames and loops them with a single password” (InfosecInstitute). As of when this blog post was written, information regarding what documents may have been accessed is unknown. However, according to Citrixs’ blog post, the hackers were able to access “at least 6 terabytes of sensitive data stored in the Citrix enterprise network, including email correspondence, files in network shares and other services used for project management and procurement." As Citrix serves nearly all the top Fortune 500 companies, this breach is quite substantial. 

Read more about the hack here  

Read more about password spraying here

Yatron Ransomware Plans to Spread Using EternalBlue NSA Exploits 

Yatron is advertised as a Ransomware-as-a-Service that takes advantage of the EternalBlue and DoublePulsar exploits to spread to other computers on a network. Yatron will also attempt to delete the encrypted files if a payment is not completed within 72 hours. Unlike other Ransomware-as-a-Service where the developer takes a revenue share of all submitted ransom payments, Yatron is sold for a one-time payment of $100 in Bitcoin. The ransomware aims to spread via P2P, USB, and LAN.  

Get more information here

Massive attacks bypass MFA on Office 365 and G Suite accounts via IMAP Protocol 

In a new study conducted by Proofpoint researchers, experts described an interesting wave of massive attacks against major cloud services. Threat actors have been targeting Office 365 and G suite cloud accounts using the IMAP protocol to bypass multi-factor authentication (MFA). The attacks use legacy protocols combined with credential dumps to increase the efficiency of massive brute force attacks. According to the study, Office 365 and G Suite cloud accounts using IMAP are “difficult to protect against with multi-factor authentication, where service accounts and shared mailboxes are notably vulnerable”(ProofPoint).  

The researchers analyzed over one hundred thousand unauthorized logins and discovered that:  

  • 72% of tenants were targeted at least once by threat actors   

  • 40% of tenants had at least one compromised account in their environment   

  • Over 2% of active user-accounts were targeted by malicious actors  

  • 15 out of every 10,000-active user-accounts were successfully breached by attackers 

The attackers attempt to access a cloud account could be used for internal phishing, internal BEC, or used to launch external attacks. The study also concluded that IMAP was the most abused legacy protocol, and many of the attacks avoid account lock-out, allowing them to be hard to detect. 

Other information from the study included: 

  • Approximately 60% of Microsoft Office 365 and G Suite tenants were targeted with IMAP-based password-spraying attacks  

  • Roughly 25% of Office 365 and G Suite tenants experienced a successful breach as a result  

  • Threat actors achieved a 44% success rate breaching an account at a targeted organization   

    Read more here.