Last Week In Blockchain and CyberSecurity News - August 27, 2019

Hostinger Suffers Data Breach, Resets Password for 14 Million Users

In a blog post published last weekend, popular web hosting provider Hostinger revealed that an unauthorized third party successfully breached one of its servers and was able to gain access to various data. The hacker was able to acquire hashed passwords and other non-financial data belonging to millions of Hostinger customers. The stolen data includes usernames, emails, first names, IP addresses, and more.  

The cybercriminals were able to utilize an authorization token on one of the company's servers to gain access to an internal system API (this route did not require a username or password). To make matters worse, Hostinger utilized the weak SHA-1 hashing algorithm to secure its customers' passwords, making it easier for hackers to crack the stolen hashes.

Hostinger has now sent password-reset emails to the affected customers and will enforce the stronger SHA-2 hashing algorithm for future passwords.
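As an added illustration (not Hostinger's code, and not a description of how its systems actually work), the snippet below shows the defender's side of the migration described above: legacy unsalted SHA-1 records are verified and, on a successful login, transparently re-hashed with a salted, iterated SHA-2-based KDF (PBKDF2-HMAC-SHA256). The user database, password and iteration count are constructed for the example.

```python
import hashlib
import hmac
import os

# Iteration count for PBKDF2; kept modest here so the example runs quickly.
# Production deployments should use a considerably higher value.
PBKDF2_ITERATIONS = 100_000


def legacy_sha1(password: str) -> str:
    """Unsalted SHA-1 of the password: the weak legacy scheme."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_pbkdf2(password: str, salt: bytes = None) -> str:
    """Salted, iterated hash. Format: pbkdf2_sha256$<iters>$<salt>$<dk>."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def is_modern(stored: str) -> bool:
    return stored.startswith("pbkdf2_sha256$")


def verify(stored: str, password: str) -> bool:
    """Constant-time comparison against either the modern or the legacy record."""
    if is_modern(stored):
        _, iters, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex)
    return hmac.compare_digest(legacy_sha1(password), stored)


def login(db: dict, user: str, password: str) -> bool:
    """Authenticate, then upgrade a legacy SHA-1 record in place on success."""
    stored = db.get(user)
    if stored is None or not verify(stored, password):
        return False
    if not is_modern(stored):
        db[user] = hash_pbkdf2(password)  # re-hash while the cleartext is available
    return True


# Constructed sample database: one user still stored under the legacy scheme.
USERS = {"alice": legacy_sha1("correct horse battery")}
```

Note that two users with the same password share one identical legacy SHA-1 record, while every PBKDF2 record differs because of its random salt.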

Read more here

Emotet Botnet Is Back, Servers Active Across the World

The command and control (C2) servers for the Emotet botnet have resumed activity after a two-month hiatus. Emotet started out as a banking trojan in 2014 and changed its course to become a botnet that delivers various malware strains. The botnet has been used to distribute the banking trojan Trickbot and Ryuk ransomware.  

Cofense Labs confirmed activity on August 22, 2019, stating 

Active servers can be seen here, and according to MaxMind geo-IP service, the addresses are derived from the U.S., Hungary, France, Germany, India, Belgium, Poland, Mexico, Argentina, and Australia.  

Researchers expect new Emotet campaigns to begin soon.  

Read more here

Binance Says That Leaked KYC Data Is from a Third-Party Vendor

Earlier this month, the world's largest cryptocurrency exchange by volume, Binance, became the target of cybercriminals who claimed to have hacked the Know Your Customer (KYC) data of thousands of users. The scammers threatened to release the information of 10,000 users if the company refused to pay 300 bitcoins ($3.5 million at the time). Binance declined to pay the ransom and launched an investigation into the matter.

The company recently confirmed that some of the leaked photos match actual Binance customer accounts, but many seem to have been modified.  

In an update published by the company, their investigation revealed that  

“[T]here were multiple photoshopped or otherwise altered images which do not match the KYC images in our database and are being accounted into the comprehensive investigation. In addition, every image processed through Binance for KYC purposes is embedded with a concealed digital watermark, which was notably absent from all of the leaked images.” 

Binance has notified potential victims, providing them with tips on privacy protection and security as well as a lifetime Binance VIP membership. They also recommend that the affected users apply for new identification documents. 

Get more information here

Hackers Mount Attacks on Webmin Servers, Pulse Secure, and Fortinet VPNs

Cybercriminals have begun to exploit vulnerabilities discussed earlier this month at the DEF CON and Black Hat security conferences. Researchers at DEF CON discovered and discussed a major backdoor in Webmin, a web-based administration utility for Linux systems, as well as vulnerabilities in enterprise VPN products such as Pulse Secure and Fortinet's FortiGate. Now that exploit code is publicly available, attackers have begun to conduct mass scans to look for vulnerable servers. If successful, the hackers would be able to take full control of the vulnerable systems.

According to BinaryEdge, there are 29,000 unpatched Webmin servers connected to the internet that are vulnerable to this exploit.  

At Black Hat, researchers presented two fairly new vulnerabilities that allow pre-authentication file reads. An attacker who successfully exploits CVE-2019-11510 (affecting Pulse Secure) or CVE-2018-13379 (affecting FortiGate) can retrieve files from the system without needing to authenticate.

Using technical details and proof-of-concept code included in the talks, cybercriminals have begun to retrieve system password files from Pulse Secure VPNs and VPN session files from Fortinet's FortiGate. Bad Packets has stated there are almost 42,000 Pulse Secure VPN systems available online, of which 14,500 are not patched.

Read more here

Cryptocurrency Miners Expose Nuclear Plant to Internet

Employees at the South Ukraine Nuclear Power Plant reportedly connected their mining rigs to the plant's internal network in a form of cryptojacking, exposing the plant to the Internet. The incident is considered a potential breach of state secrets because of the power plant's classification as critical infrastructure, and it is currently being investigated by the Ukrainian Secret Service.

Cryptojacking is the unauthorized and often unnoticeable takeover of a computer’s resources to mine cryptocurrency. Although cryptojackers don’t directly steal money from their victims, the malware they inject causes performance issues, increases electricity usage, and opens the door for other hostile code.   

However, the Ukrainian Secret Service is examining if the attackers used the mining rigs “as a pivot point to enter the nuclear power plant's network and retrieve information from its systems, such as data about the plant's physical defenses and protections.”  

Luckily, the mining equipment was discovered in the power plant's administration offices and not on its industrial network. Two mining rigs were found: one case held six Radeon RX 470 GPU video cards, and the second held five.

Read more here