Tag: Hack

Russian hackers steal $10 million from ATMs through bank networks

The recent rash of bank system hacks goes deeper than you might have thought -- it also includes stealing cash directly from ATMs. Researchers at Group-iB have published details of MoneyTaker, a group of Russian hackers that has stolen close to $10 million from American and Russian ATMs over the past 18 months. The attacks, which targeted 18 banks (15 of which were American), compromised interbank transfer systems to hijack payment orders -- "money mules" would then withdraw the funds at machines.

The first known attack was in the spring of 2016, when MoneyTaker hit First Data's STAR network (the largest transfer messaging system for ATMs in the US). They also compromised Russia's AW CRB network, and swiped documents for OceanSystems' Fed Link system used by roughly 200 banks across the Americas. And in some cases, the group stuck around after the initial heist -- at least one US bank's documents were stolen twice, while the perpetrators kept spying on Russian bank networks.

While it's not clear who's behind MoneyTaker, you're only hearing about them now because they're particularly clever. They've repeatedly switched their tools and methods to bypass software, and have taken care to erase their tracks. For instance, they've 'borrowed' security certificates from the US federal government, Bank of America, Microsoft and Yahoo. One Russian bank did manage to spot an attack and return some of the ill-gotten gains.

This particular hack didn't directly affect users, since it was more about intercepting bank-to-bank transfers than emptying personal accounts. However, it illustrates both the sophistication of modern bank hacks and the vulnerability of the banks themselves. While it would be difficult to completely prevent hacks, it's clear that attackers are having a relatively easy time making off with funds and sensitive data.

Via: Reuters

Source: Group-iB (reg. required)

Uber paid off a 20-year-old Florida man to destroy hacked data

More details are coming to light about Uber's huge data breach. Reuters is reporting that a 20-year-old Florida man was behind the 2016 extortion-oriented cyberattack and was paid through the firm's bug bounty program. We know that the individual, whose identity Uber refuses to disclose, received $100,000 for destroying the info, which exposed the personal data of roughly 57 million customers and drivers. The ride-hailing firm then kept quiet about the breach for more than a year. You can bet Congress and the five states investigating Uber will be paying close attention to any new nuggets of info.

Bug bounties (where compensation is offered to hackers who find vulnerabilities) are commonplace within tech circles -- everyone from Apple to Samsung utilizes them. And, while highly publicized rewards of up to $200,000 are the norm, it's rare that the largest sum is dispensed to any one person, making Uber's $100,000 silent payout an all-time record for HackerOne, the firm that hosts Uber's bug bounty program, according to a former exec who spoke to Reuters.

The Florida hacker, described in the report as "living with his mom," reportedly paid a second individual for help accessing GitHub's resources to procure credentials for Uber data stored elsewhere.

Upon divulging the breach last month, the company fired chief security officer Joe Sullivan and one of his deputies, senior lawyer Craig Clark, for covering up the breach. But Reuters sources claim the coverup went straight to the top of the food chain to former CEO Travis Kalanick. Both Uber and Kalanick refused to comment.

Source: Reuters

Ex-NSA worker pleads guilty to taking data involved in Russian hack

The NSA hasn't been having the best week when it comes to security, but it's getting at least some closure. A former employee, now known as Nghia Pho, has pleaded guilty to bringing home classified data that was later stolen in a hack linked to Russian intelligence. Pho is expected to face prison time when he's sentenced on April 6th, but prosecutors have capped the maximum penalty to 8 years (versus the typical 10) and are open to calls for a lighter sentence given the non-malicious nature of the case.

Pho took a mix of digital and physical info home between 2010 and 2015. According to New York Times sources, he was using it to rewrite his resume -- this was intentional, but not spiteful. The Russian hackers reportedly exploited the Kaspersky antivirus software on his PC to take data, but it's not clear that Kaspersky was aware of what happened. The company previously acknowledged that it briefly held some NSA data, but there's no word on whether or not it held Pho's data in particular.

The plea is only going to help so much when the NSA has bigger fish to fry, such as the Shadow Brokers leaks (there's no indication that Pho is connected). It does show that the agency is racing to crack down on the multiple leaks it has suffered over recent months and years, however. The effort might also serve as a warning shot to NSA staff that may be tempted to leave with data, even if it's for innocuous reasons.

Via: New York Times

Source: Department of Justice

Uber says 2016 hack affected 2.7 million UK customers and drivers

As Uber prepares to defend itself following news that it suffered -- and subsequently hid -- a massive data breach in 2016, the company has begun shedding light on how many people it affected locally. At first count, 57 million global users were implicated in the attack, but the ride-hailing service today revealed that as many as 2.7 million UK customers and drivers had their names, email addresses and mobile phone numbers stolen.

Uber says the number is an approximation rather than an exact count, due to the fact that some users might disclose a location that is different to where they actually reside. It also believes that trip location histories, credit card numbers, bank account numbers and dates of birth were not included in the breach, at least according to third-party forensics experts hired by the company.

Last week, the UK's Information Commissioner's Office (ICO) opened an investigation into the October 2016 hack, noting that it had "huge concerns" about Uber's data practices and its decision not to disclose it. Uber kept details of the breach secret for about a year -- although its new CEO knew two months before news went public -- choosing instead to pay the hackers $100,000 to delete the information.

In a statement, Uber said that affected customers won't need to take any further action. "We have seen no evidence of fraud or misuse tied to the incident," it added. "We are monitoring the affected accounts and have flagged them for additional fraud protection."

Source: Uber

Washington state sues Uber over data breach

The lawsuits are continuing to pile on top of Uber after it revealed that it covered up a hack in fall 2016. Washington state's Attorney General has sued Uber for allegedly violating its local data breach notification law. Companies are supposed to notify the AG within 45 days if a breach affects 500 or more Washington residents, but that clearly didn't happen when Uber paid hackers to keep quiet. The state is demanding penalties of up to $2,000 for each person whose data was exposed, which should lead to a penalty in the "millions of dollars."

We've asked Uber if it can comment on the lawsuit.

The suit is only going to add to Uber's many headaches as of late, but it was likely expecting this kind of response. The very point of the disclosure was to come clean and make amends for the ridesharing outfit's actions during Kalanick's leadership era, when the company all too frequently skirted the law. It may pay a stiff penalty now, but it may reap rewards in the long run if it regains trust and avoids future legal battles.

Via: Reuters

Source: Washington State Attorney General

Hacker in massive Yahoo breach expected to plead guilty

While it's doubtful that the US will catch the Russians accused of participating in the massive 2014 Yahoo breach, a third culprit appears ready to cooperate. Reuters has discovered that Canadian citizen Karim Baratov is slated to appear for a "change of plea" hearing on November 28th, indicating that he's likely to plead guilty to helping Russian officers (Dmitry Dokuchaev and Igor Sushchin) swipe 500 million Yahoo accounts. His attorney has declined to comment, but he has already waived his right to fight extradition to the US.

Baratov was part of a larger scheme where Dokuchaev and Sushchin paid hackers to access email accounts, including those outside of Yahoo. At least 50 of the 80 accounts Baratov infiltrated were hosted by Google, and the batch included a mix of Russian officials and business executives. He'd previously pleaded not guilty to the charges, which included multiple fraud charges and identity theft.

Provided Baratov does plead guilty, it's not certain what will have changed his mind. It may be the only conviction in the case, at any rate. When the other suspects live in Russia and may have the blessing of that country's government, the most the US can do is impose travel sanctions.

Source: Reuters

FBI failed to warn officials about Russian email hackers

It's no longer a secret that Russian hackers have targeted the personal email accounts of American officials, but the FBI was apparently less than vigilant in giving these targets a heads-up. The AP has discovered through interviews that, out of nearly 80 people Russia's Fancy Bear team tried to compromise (mainly in 2015), only two had been told by the FBI -- even though the bureau reportedly had evidence for a year or more. In a few cases, the AP chat was the first time the victims learned they were in the crosshairs.

For its part, the FBI's only official response is that it "routinely notifies" people and organizations of threats. Off the record, however, an unofficial source told the AP that the FBI struggles to cope with the volume of potential targets and had to prioritize alerts "to the best of our ability."

Whether or not that claim holds water is another matter. Although the hit list (obtained thanks to Secureworks poring through targeting data) was daunting with over 500 US-based targets, there doesn't appear to be evidence that the FBI launched a significant effort to warn those people and organizations. And there's the problem: while it's hard to know if the FBI could have notified all 500 in a timely manner, there doesn't appear to have been a concerted attempt to try.

It's not certain how much damage Russia's email attack actually caused. The targets had to have opened questionable links and otherwise fallen prey, and some hadn't occupied sensitive posts for years. However, the findings suggest that the FBI didn't always have a sense of urgency when dealing with Russia's coordinated hacking campaigns, and may not have taken them more seriously until the 2016 presidential election made clear they were a serious problem.

Source: AP News

SEC knew about weak security years before hack

The hack that compromised the US Securities and Exchange Commission was a shock and more than a little damaging, but could it have been prevented? Unfortunately the answer is very likely yes. The Hill has combed through the SEC's internal evaluations, and it's now clear that the Commission had been warned about digital security issues for years. An inspector general audit warned about "weaknesses" in the SEC's security measures back in 2013, and multiple warnings appear to have sometimes fallen on deaf ears. A June 2016 inspector general report said the SEC hadn't "fully addressed" some problems from previous audits, and was at "increased risk" of intruders taking sensitive data.

That security was weak isn't completely shocking when a number of American government agencies have fallen prey to hacks. Also, many government agencies have to make do with aging computers and infrastructure that can't receive software updates outside of exceptional circumstances. The inspector general's office itself has struggled with both poor funding and a lack of clear goals.

Still, the SEC had plenty of time to update its platforms and implement policies that weren't necessarily dependent on newer technology, such as thorough data encryption. The hack also illustrates a serious problem with government cybersecurity in the US. If an agency as crucial as the SEC struggled to improve its security practices over the years, that suggests other important institutions also have a lot to learn about safeguarding critical data.

Source: The Hill

Uber’s new chief knew about hack months before the public

Uber may have come clean about the grievous hack that exposed data for 57 million users, but it apparently took its time getting to that point. Wall Street Journal sources have learned that new CEO Dara Khosrowshahi was informed about the data breach two weeks after he took the reins on September 5th, or more than two months before informing the public. There were reasons for the delay, according to the tipsters, but it still meant leaving people out of the loop.

Khosrowshahi did order a prompt investigation, as he claimed, but Uber and Mandiant (the digital forensics unit of FireEye) wanted to determine exactly how many users were affected and fire the two executives that covered up the attack. Uber told its would-be investor SoftBank about the breach roughly three weeks before the WSJ scoop, but it still didn't know just how many people were at risk.

Uber has confirmed the broader claims of the report. The company informed SoftBank with incomplete info because of its "duty to disclose to a potential investor," according to a statement, and revealed the breach in a "very public way" once its investigation wrapped up.

While Khosrowshahi inherited the hack from the previous management under Travis Kalanick and isn't facing much of a direct threat, the revelation isn't exactly going to help Uber as investigators from the FTC and individual states look into what happened. They may want to know why Uber's inquiry took so long, and whether or not Uber could have offered a basic warning to customers as soon as it knew their data was at risk. It'll need to have satisfactory answers if it wants to avoid the same kind of scrutiny as Equifax and other high-profile hacking targets.

Source: Wall Street Journal

Image-sharing site Imgur was hacked in 2014

Imgur, a popular picture-sharing site, revealed today that it suffered a data breach in 2014, claiming it was just notified of it on November 23rd. In a blog post, Imgur said hackers stole email addresses and passwords of 1.7 million user accounts -- a small fraction of its 150 million total users.
Via: ZDNet

Source: Imgur