Tag Archive for: hide

How the Epik hack reveals every secret the far-right tried to hide


A large-scale breach of the domain registrar and web hosting company Epik has exposed a massive trove of data, including the names of individuals behind some of the far-right’s most notorious websites.



Image caption: anonymous mask worn by man in Epik Fail hack (© Provided by Daily Dot)

The data, as first reported by independent journalist Steven Monacelli on Monday, was released as a torrent this week by the hacking collective Anonymous.


In a press release on the hack, dubbed Operation EPIK FAIL, Anonymous claimed that it was able to obtain “a decade’s worth” of information, including domain registrations and transfers, account credentials, and emails from an Epik employee.

“This dataset is all that’s needed to trace actual ownership and management of the fascist side of the internet that has eluded researchers, activists, and, well, just about everybody,” the release alleges.

A compressed version of the torrent was later released by the journalist collective DDoSecrets, which plans to upload and host the data for reporters and researchers.

Epik’s customers include social media sites such as Parler and Gab as well as far-right forums like TheDonald. A pro-life website that urged Texas residents to report women seeking abortions to the authorities in the wake of the state’s abortion ruling was also temporarily a customer of Epik.

In a statement to Gizmodo on Tuesday, an Epik spokesperson claimed that the company was “not aware of any breach.”

Epik CEO Robert Monster sent an email on Wednesday to customers acknowledging “an alleged security incident” but did not provide specifics.

“Our internal team, working with external experts, have been working diligently to address the situation,” Monster wrote. “We are taking proactive steps to resolve the issue. We will update you on our progress.”

“You are in our prayers today. We are grateful for your support and prayer. When situations arise where individuals might not have honorable intentions, I pray for them,” Monster added. “I believe that what the enemy intends for evil, God invariably transforms into good.”

The Daily Dot attempted to reach Monster for comment, whose phone…

Source…

Oh great: hackers are selling tools to hide malware in your GPU


If you thought your GPU was safe from malware, you’d be mistaken: according to a new report from BleepingComputer, malware that can execute code from your GPU is now a reality.

Image caption: Oh great: hackers are selling tools to hide malware in your GPU (TweakTown.com)

It seems that a proof-of-concept (PoC) was up for sale on a hacker forum. It allows hackers to keep malicious code stored in the GPU’s memory buffer, so that security software scanning system RAM does not see the malware code.

The seller of the GPU-focused malware says that it only works on Windows systems with support for version 2.0 and above of the OpenCL framework. This is required for executing the malware on the GPU, with the hacker testing it on Intel, AMD, and NVIDIA GPUs.

But is this GPU-focused malware in the wild? Yep.

On August 25, about two weeks after first posting about the PoC, the seller said it had been sold, without giving details of the deal. Another member of the same hacker forum noted that GPU-based malware has worked before, pointing to the Linux-based GPU rootkit called JellyFish… from six years ago.

Source…

Hackers hide credit card data from compromised stores in JPG file


Hackers have come up with a sneaky method to steal payment card data from compromised online stores that reduces the suspicious traffic footprint and helps them evade detection.

Instead of sending the card info to a server they control, hackers hide it in a JPG image and store it on the infected website.

Easy data exfiltration

Researchers at website security company Sucuri found the new exfiltration technique when investigating a compromised online shop running version 2 of the open-source Magento e-commerce platform.

These incidents, also known as Magecart attacks, date back years: cybercriminals who gain access to an online store through a vulnerability or weakness plant malicious code designed to steal customer card data at checkout.

Sucuri found a PHP file on the compromised website that the hackers had modified to load additional malicious code by creating and calling the getAuthenticates function.

The injected code also created, in a public location on the infected store, a JPG image used to store customers’ payment card data in encoded form.

This allowed the attackers to easily download the information as a JPG file without triggering any alarms in the process as it would look as if a visitor simply downloaded an image from the website.

Analyzing the code, the researchers determined that the malicious code used the Magento framework to capture the information from the checkout page delivered through the Customer_ parameter.

If the customer providing the card data was logged in as a user, the code also stole their email address, Sucuri said in a blog post last week.

The researchers say that almost all data submitted on the checkout page is present in the Customer_ parameter, which includes payment card details, phone number, and postal address.

All the information above can be used for credit card fraud either directly by the hackers or by another party purchasing the data, or to deploy more targeted phishing and spam campaigns.

Sucuri says that this method is sufficiently stealthy for website owners to miss when checking for an infection. However, integrity control checks and website monitoring services should be able to detect changes such…
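The integrity and monitoring checks the paragraph above refers to can be reduced to two simple questions a site owner’s scanner can ask: has any file in the web root changed against a known-clean baseline, and does every file served as an image actually look like one? The following Python is an added example written for this page; it is not Sucuri’s tooling or code from the article. The file paths, the baseline contents and the compromised contents are constructed for the demo (the modified PHP file just gains a call to the getAuthenticates function named in the text), and the JPEG check only looks at the start and end markers rather than fully parsing the image.

```python
import hashlib
from typing import Dict, List

# A JPEG file begins with the Start-of-Image marker and ends with End-of-Image.
JPEG_SOI = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def inspect_jpeg(data: bytes) -> str:
    """Classify a file that is served under a .jpg name.

    Returns 'ok' for a structurally plausible JPEG, 'not-jpeg' when the SOI
    marker is absent (e.g. the 'image' is really encoded text), 'truncated'
    when no EOI marker exists, and 'trailing-data' when bytes follow the EOI
    marker, a spot where data can be appended without breaking the image.
    """
    if not data.startswith(JPEG_SOI):
        return "not-jpeg"
    eoi = data.rfind(JPEG_EOI)
    if eoi == -1:
        return "truncated"
    if len(data) > eoi + len(JPEG_EOI):
        return "trailing-data"
    return "ok"


def build_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record one SHA-256 digest per path from a known-clean snapshot."""
    return {path: sha256_hex(data) for path, data in files.items()}


def check_site(baseline: Dict[str, str], current: Dict[str, bytes]) -> List[str]:
    """Compare the current web root against the baseline.

    Flags new, modified and missing files, and additionally inspects every
    .jpg/.jpeg file whose content does not look like a JPEG.
    """
    findings: List[str] = []
    for path in sorted(current):
        data = current[path]
        if path not in baseline:
            findings.append(f"NEW {path}")
        elif baseline[path] != sha256_hex(data):
            findings.append(f"MODIFIED {path}")
        if path.lower().endswith((".jpg", ".jpeg")):
            verdict = inspect_jpeg(data)
            if verdict != "ok":
                findings.append(f"SUSPICIOUS-IMAGE {path} ({verdict})")
    for path in sorted(baseline):
        if path not in current:
            findings.append(f"MISSING {path}")
    return findings


# Constructed sample web root: paths and contents are made up for this demo.
CLEAN_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\xff\xd9"
CLEAN_SITE: Dict[str, bytes] = {
    "app/code/Checkout.php": b"<?php\n// original checkout handler\n",
    "pub/media/logo.jpg": CLEAN_JPEG,
}

# Constructed compromised state: the PHP file gained an extra call, one new
# 'image' is really base64 text, and another has data appended after EOI.
COMPROMISED_SITE: Dict[str, bytes] = {
    "app/code/Checkout.php": b"<?php\n// original checkout handler\ngetAuthenticates();\n",
    "pub/media/logo.jpg": CLEAN_JPEG,
    "pub/media/cache.jpg": b"Q3VzdG9tZXJfPWNhcmQ9NDExMS4uLg==\n",
    "pub/media/banner.jpg": CLEAN_JPEG + b"Q3VzdG9tZXJfPS4uLg==",
}


def run_demo() -> List[str]:
    """Build the baseline from the clean snapshot and audit the compromised one."""
    return check_site(build_baseline(CLEAN_SITE), COMPROMISED_SITE)


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

In practice the baseline would be written to disk after a clean deployment and the audit run on a schedule; the image check is deliberately cheap so it can run over every file in a public media directory, and a hit on either question is a reason to diff the file by hand rather than a verdict on its own.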

Source…

SolarWinds hackers used 7-Zip code to hide Raindrop Cobalt Strike loader


The ongoing analysis of the SolarWinds supply-chain attack uncovered a fourth malicious tool, which researchers call Raindrop, used to spread across computers on the victim network.

The hackers used Raindrop to deliver a Cobalt Strike beacon to select victims that were of interest and which had already been compromised through the trojanized SolarWinds Orion update.

There are currently four pieces of malware identified in the SolarWinds cyberattack, believed to be the work of a Russian threat actor:

  • Sunspot, the initial malware used to inject backdoors into the Orion platform builds
  • Sunburst (Solorigate), the malware planted in Orion updates distributed to thousands of SolarWinds customers
  • Teardrop, the post-exploitation tool delivered by Sunburst to select victims to deploy customized Cobalt Strike beacons
  • Raindrop, the newly uncovered malware that is similar to Teardrop

Disguised as 7-Zip file to load Cobalt Strike

Symantec researchers found the new Raindrop malware on machines compromised through the SolarWinds cyberattack. They noticed that it fulfills the same function as Teardrop but differs in its deployment mechanism as well as at the code level.


To hide the malicious functionality, the hackers used a modified version of the 7-Zip source code to compile Raindrop as a DLL file. The 7-Zip code only acts as a cover; it is never actually used.

In one victim that installed the trojanized Orion platform in early July 2020, Symantec found that Teardrop arrived the very next day via Sunburst. Raindrop appeared 11 days later on another host in the organization where malicious activity had not previously been observed, the researchers say.

How Raindrop ended up on a victim network is a mystery for now. Symantec saw no evidence of Sunburst delivering Raindrop directly, yet it was present “elsewhere on networks where at least one computer has already been compromised by Sunburst.”

On another victim network, Raindrop landed in May 2020. A few days later, PowerShell commands were executed in an attempt to spread the malware on other systems. Cybersecurity company Volexity investigating SolarWinds cyberattacks also reported that the hackers…

Source…