The domain used by the attack, neweggstats.com, was hosted on a server at the Dutch hosting provider WorldStream and had a certificate. The domain was registered through Namecheap on August 13, using a registration privacy protection company in Panama. The domain’s TLS certificate was purchased through Comodo on the same day. The Comodo certificate was likely the most expensive part of the attackers’ infrastructure.
A security researcher has published details of a vulnerability in a popular cloud storage drive after the company failed to issue security patches for over a year.
Remco Vermeulen found a privilege escalation bug in Western Digital’s My Cloud devices, which he said allows an attacker to bypass the admin password on the drive, gaining “complete control” over the user’s data.
The exploit works because the drive’s web-based dashboard doesn’t properly check a user’s credentials before giving a possible attacker access to tools that should require higher levels of access.
The bug was “easy” to exploit, Vermeulen told TechCrunch in an email, and it is remotely exploitable if a My Cloud device allows remote access over the internet — which thousands of devices do. He posted a proof-of-concept video on Twitter.
Vermeulen reported the bug over a year ago in April 2017, but said the company stopped responding. Normally, security researchers give 90 days for a company to respond, in line with industry-accepted responsible disclosure guidelines.
After he found that WD had updated the My Cloud firmware in the meantime without fixing the vulnerability, he decided to publish his findings.
A year later, WD still hasn’t released a patch.
The company confirmed that it knows of the vulnerability but did not say why it took more than a year to issue a fix. “We are in the process of finalizing a scheduled firmware update that will resolve the reported issue,” a spokesperson said, which will arrive “within a few weeks.”
WD said that several of its My Cloud products are vulnerable — including the EX2, EX4, and Mirror, but not My Cloud Home.
In the meantime, Vermeulen said that there’s no fix and that users have to “just disconnect” the drive altogether if they want to keep their data safe.
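The bug class described above is an authorization failure: the dashboard confirms that someone is logged in but never asks whether that account is allowed to reach an admin-only tool. The following is an added example (not Western Digital's code; the route table, paths and handlers are hypothetical) that puts a misconfigured route table beside a corrected one and includes the kind of audit check a defender can run over a route table to find privileged paths that only demand a login.

```python
from dataclasses import dataclass

# Role ordering used for the authorization check (hypothetical).
ROLE_RANK = {"anonymous": 0, "user": 1, "admin": 2}


@dataclass
class Session:
    user: str
    role: str


class AccessDenied(Exception):
    pass


def status_handler(session):
    return {"status": "ok", "user": session.user}


def add_user_handler(session):
    # Constructed stand-in for a privileged action (creating an account).
    return {"created": "newadmin"}


# Hypothetical route tables: path -> (minimum role, handler).
ROUTES_VULNERABLE = {
    "/api/status": ("user", status_handler),
    # Misconfiguration: a privileged tool sits behind "any logged-in user".
    "/api/admin/add_user": ("user", add_user_handler),
}
ROUTES_HARDENED = {
    "/api/status": ("user", status_handler),
    "/api/admin/add_user": ("admin", add_user_handler),
}


def handle(routes, path, session):
    """Dispatch a request, refusing it when the session's role is below the route's minimum."""
    required, handler = routes[path]
    actual = session.role if session is not None else "anonymous"
    if ROLE_RANK[actual] < ROLE_RANK[required]:
        raise AccessDenied(f"{actual} may not access {path} (needs {required})")
    return handler(session)


def is_allowed(routes, path, session):
    """Boolean form of the same decision, handy for tests and for audit scripts."""
    try:
        handle(routes, path, session)
        return True
    except AccessDenied:
        return False


def audit_admin_routes(routes, admin_prefix="/api/admin/"):
    """Defender's check: list privileged paths whose minimum role is not admin."""
    return sorted(
        path for path, (required, _handler) in routes.items()
        if path.startswith(admin_prefix) and required != "admin"
    )


if __name__ == "__main__":
    guest = Session("guest", "user")
    print("vulnerable table, guest runs add_user:",
          is_allowed(ROUTES_VULNERABLE, "/api/admin/add_user", guest))
    print("hardened table, guest runs add_user:",
          is_allowed(ROUTES_HARDENED, "/api/admin/add_user", guest))
    print("unguarded admin routes:", audit_admin_routes(ROUTES_VULNERABLE))
```

The audit function is the piece worth keeping: it turns "does every privileged endpoint require the privileged role?" into something a test suite can assert on, so a firmware release that adds an admin tool without the right role requirement fails in CI rather than in the field.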
BUCHAREST, Romania—At the edge of Europe, Romania’s University Politehnica of Bucharest has long been the most prestigious engineering school in the region. Here, a terracotta-tiled building looms large over the campus, hosting the faculty of the Automatic Control and Computer Science (ACCS) program. On the ground floor, close to the entrance, is a humble computer lab. The label reads ED011.
Back in the early 1990s, after Romania escaped the grip of communism, this room was one of the few places offering an Internet connection free of charge. So every night, when no one was watching, students descended upon the lab to connect to the rest of the world. Eager to learn about life in Western Europe and the US, these students already had the look of their counterparts there—long hair, blue jeans, and Metallica shirts.
“Computers gave us the possibility to communicate with people around the world, which was extraordinary,” a former student named Lari tells me today. The ED011 computer lab did more than that, of course. It gave these students total freedom—to not only chat on the early Web but to explore all the odd nooks and crannies of computer science.
Hackers have uncovered and tested a screen-splitting “VR Mode” that has been buried in the Switch’s system-level firmware for over a year. The discovery suggests that Nintendo at least toyed with the idea that the tablet system could serve as a stereoscopic display for a virtual reality headset.
For 11-year-old Emmett from Austin, hacking the website for the Florida Secretary of State was as easy as a simple SQL injection.
While it took Emmett only 10 minutes to break into the election reporting section of the Florida Secretary of State web page, it’s important to note that these pages were set up as replicas.
The idea, according to event organizers from Wickr (a secure communications platform), “was mainly focused on breaking into the portions of the websites that are critical to the election process, [so] the kids worked against the replicas of the webpages where election results are reported by secretaries of state.”
The replicas were built by the team at Wall of Sheep Village and they issued the following statement: “The main issues with the live sites we are creating the replicas of are related to poor coding practices. They have popped up across the industry and are not vendor specific.”
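The "poor coding practices" behind a simple SQL injection usually come down to one thing: building the query text out of user input instead of passing the input as a parameter. The following is an added example (not the Wall of Sheep replica code, and the county and vote figures are constructed) that runs the same results lookup in the vulnerable form, in the parameterized form, and with an allowlist on top, against an in-memory SQLite table, so the difference in behaviour on a hostile input is visible.

```python
import sqlite3


def make_db():
    """Constructed sample of an election-results table; the numbers are invented."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE results (county TEXT, candidate TEXT, votes INTEGER)")
    conn.executemany(
        "INSERT INTO results VALUES (?, ?, ?)",
        [
            ("Alpha", "Candidate A", 1200),
            ("Alpha", "Candidate B", 980),
            ("Beta", "Candidate A", 450),
            ("Beta", "Candidate B", 610),
        ],
    )
    conn.commit()
    return conn


def results_vulnerable(conn, county):
    # The input is spliced into the SQL text, so quote characters in it
    # change the structure of the query rather than the value compared.
    sql = f"SELECT candidate, votes FROM results WHERE county = '{county}'"
    return conn.execute(sql).fetchall()


def results_parameterized(conn, county):
    # The driver sends the value separately from the statement; whatever the
    # string contains, it is only ever compared against the county column.
    return conn.execute(
        "SELECT candidate, votes FROM results WHERE county = ?", (county,)
    ).fetchall()


def is_known_county(conn, county):
    """Allowlist check: only names that actually exist in the table are accepted."""
    known = {row[0] for row in conn.execute("SELECT DISTINCT county FROM results")}
    return county in known


def results_allowlisted(conn, county):
    # Defence in depth: reject unexpected input before it reaches the query at all.
    if not is_known_county(conn, county):
        raise ValueError(f"unknown county: {county!r}")
    return results_parameterized(conn, county)


if __name__ == "__main__":
    db = make_db()
    hostile = "' OR '1'='1"
    print("vulnerable, hostile input:", results_vulnerable(db, hostile))
    print("parameterized, hostile input:", results_parameterized(db, hostile))
    print("allowlisted, known county:", results_allowlisted(db, "Beta"))
```

With the hostile string the vulnerable query stops filtering by county at all and returns every row, while the parameterized query returns nothing because no county is literally named that. The same root cause applies to any write path (the tally updates the article mentions); the fix is identical: parameters for values, and an allowlist where the set of legal inputs is known in advance.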
And while the National Association for the Secretaries of State had some choice words for the Voting Machine Hacking Village, they didn’t address the hacks the kids made on their actual web sites.
Well this is interesting. National Association of Secretaries of State issues statement against the Def Con Voting Village. Says its attempt to recreate (and likely hack the shit out of) a connected mockup of the election process isn't realistic. pic.twitter.com/c1uy694UPA
In all, some 47 kids participated in the election hacking contest and 89% of them managed to get into the virtual web sites set up by Wickr and Wall of Sheep Village.
Emmett, whose dad works in cybersecurity and who has been attending Def Con now for four years, has some thoughts on how easy it was for him to get into the system and change the vote tallies for election results.
“It’s actually kind of scary,” the 11-year-old said. “People can easily hack into websites like these and they can probably do way more harmful things to these types of websites.”
The point, according to Wickr’s (badass) founder Nico Sell, is to bring attention to just how flawed security operations remain at the state level in areas that are vital to the nation’s democracy.
“The really important reason why we’re doing this is because we’re not taking the problem serious enough how significantly someone can mess with our elections,” said Sell. “And by showing this with eight-year-old kids we can call attention to the problem in such a way that we can fix the system so our democracy isn’t ruined.”
Some executives at big corporations share the same concerns. For Hugh Thompson, the chief technology officer at Symantec, the risks are real — even if the problems won’t manifest in the most important elections.
As Thompson (who worked on election security in the early 2000s) told The Financial Times, “The risk that I think most of us worried about at that time is still the biggest one: someone goes into a state or a county that doesn’t really matter in the grand scheme of the election, is not going to change the balance on x, y or z, but then publishes details of the attack,” he said. “Undermining confidence in the vote is scary.”
Stakes are incredibly high, according to experts familiar with election security. Despite the indictments that Robert Mueller, the special counsel investigating Russian interference, issued against 12 Russian nationals for targeting the 2016 US election, Russian hacking remains a threat in the current election cycle.
Microsoft has already said that it has detected evidence of attempted Russian interference in three campaigns in the 2018 election cycle.
As Fortune reported in July, Microsoft’s vice president for customer security said that researchers at the company had discovered phishing campaigns linked to the GRU, the Russian military intelligence unit tied to the 2016 DNC hacks.
For security officers working on the websites for the secretaries of state in the battleground states that the tween and teen hackers targeted during Def Con, young Emmett has some advice.
“Use more protection. Upgrade your security and obviously test your own websites against some of the common vulnerabilities,” the 11-year-old advised.
Life-saving pacemakers manufactured by Medtronic don’t rely on encryption to safeguard firmware updates, a failing that makes it possible for hackers to remotely install malicious wares that threaten patients’ lives, security researchers said Thursday.
At the Black Hat security conference in Las Vegas, researchers Billy Rios and Jonathan Butts said they first alerted medical device maker Medtronic to the hacking vulnerabilities in January 2017. So far, they said, the proof-of-concept attacks they developed still work. The duo on Thursday demonstrated one hack that compromised a CareLink 2090 programmer, a device doctors use to control pacemakers after they’re implanted in patients.
Because updates for the programmer aren’t delivered over an encrypted HTTPS connection and firmware isn’t digitally signed, the researchers were able to force it to run malicious firmware that would be hard for most doctors to detect. From there, the researchers said, the compromised machine could cause implanted pacemakers to make life-threatening changes in therapies, such as increasing the number of shocks delivered to patients.
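The two missing controls the researchers name are transport protection and a signature on the firmware itself; the second is what stops a tampered image from being flashed even if it was fetched over a plaintext channel. The following is an added example (not Medtronic's or the researchers' code; the firmware bytes and the key are constructed) that models the accept/reject decision a programmer should make before installing an update. One assumption is stated in the code: a real device should hold only a public key and verify an asymmetric signature, and an HMAC-SHA256 tag stands in here solely so the example runs with the standard library, which makes the decision logic, not the key-management model, the thing demonstrated.

```python
import hashlib
import hmac

# Constructed demo key. ASSUMPTION: in a real design the device stores a
# vendor *public* key and checks an asymmetric signature; the HMAC below
# only models the same accept/reject decision with standard-library code.
VENDOR_KEY = b"constructed-demo-key-not-a-real-secret"


class UpdateRejected(Exception):
    pass


def sign_firmware(image: bytes, key: bytes = VENDOR_KEY) -> bytes:
    """Produce the authentication tag shipped alongside a firmware image."""
    digest = hashlib.sha256(image).digest()
    return hmac.new(key, digest, hashlib.sha256).digest()


def verify_firmware(image: bytes, tag: bytes, key: bytes = VENDOR_KEY) -> bool:
    """True only if the tag was produced over exactly these image bytes."""
    expected = sign_firmware(image, key)
    # Constant-time comparison so a wrong tag is not distinguishable by timing.
    return hmac.compare_digest(expected, tag)


def install_unverified(image: bytes) -> str:
    # The flaw the article describes: whatever arrived is flashed as-is.
    fingerprint = hashlib.sha256(image).hexdigest()[:12]
    return f"flashed {len(image)} bytes, sha256={fingerprint}"


def install_verified(image: bytes, tag: bytes, key: bytes = VENDOR_KEY) -> str:
    # Hardened path: refuse to touch the flash unless the image authenticates.
    if not verify_firmware(image, tag, key):
        raise UpdateRejected("firmware authentication failed; not flashing")
    return install_unverified(image)


# Constructed sample image and a tampered copy standing in for an image
# modified in transit over an unencrypted connection.
GENUINE = b"CONSTRUCTED-FW v1.0 for a programmer device (sample image)"
TAG = sign_firmware(GENUINE)
TAMPERED = GENUINE.replace(b"v1.0", b"v1.0-modified")


if __name__ == "__main__":
    print("unverified install of tampered image:", install_unverified(TAMPERED))
    print("verified install of genuine image:", install_verified(GENUINE, TAG))
    try:
        install_verified(TAMPERED, TAG)
    except UpdateRejected as err:
        print("verified install of tampered image:", err)
```

Note that the genuine tag does not authenticate the tampered image even though the two differ by a few bytes, which is the whole point of binding the signature to a hash of the image. Signing does not replace TLS for the download: the transport still protects against an attacker observing which version a site runs or replaying an older, still-signed image, so both controls belong in the design.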
The digital ink was barely dry on Ars IT and National Security Editor Sean Gallagher’s feature, “How they did it (and will likely try again): GRU hackers vs. US elections,” when the Daily Beast reported yesterday’s bombshell: Claire McCaskill, among the most vulnerable Senate Democrats facing re-election this year, was one of three candidates in the 2018 midterm election targeted by the highly determined Russian intelligence agency.
According to the post, McCaskill’s office received one or more fake notifications claiming the target’s Microsoft Exchange password had expired and advising it be changed. Targets who clicked on a link were directed to a counterfeit version of the US Senate’s Active Directory Federation Services login page, which would send any passwords the targets entered to the people behind the fake page. McCaskill has been highly critical of Russia and is considered one of the most vulnerable Senate Democrats facing reelection this year. She represents Missouri, a state where Donald Trump defeated Hillary Clinton by almost 20 points in the 2016 election.
McCaskill was one of three candidates targeted. The Daily Beast went on to report that the Senate phishing campaign sent each target a different link that caused the fake password-change page to display the user’s individual email address on arrival. The customization made the site more convincing.
A prolific hacking group has struck again, this time stealing close to $1 million from Russia’s PIR Bank. The July 3 heist came about five weeks after the sophisticated hackers first gained access to the bank’s network by compromising a router used by a regional branch.
The theft—which according to kommersant.ru is conservatively estimated at about $910,000—is the latest achievement of a group researchers at security firm Group-IB call the MoneyTaker group. In a report published last November that first detailed the group, researchers said its members had conducted 20 successful attacks on financial institutions and legal firms in the US, UK, and Russia. In a follow-up report, Group-IB said MoneyTaker netted about $14 million in the hacks, 16 of which were carried out on US targets, five on Russian banks, and one on a banking-software company in the UK.
While MoneyTaker is skilled at concealing its activities, Group-IB was able to connect the heists by tracing a common set of tactics, techniques, and procedures. After initially gaining access to a target’s network, members often spend months doing reconnaissance in an effort to elevate system privileges to those of a domain administrator. Members also try to remain active inside hacked networks long after the heists are carried out. The attackers also use a variety of freely available tools popular among hackers and security professionals alike, including the Metasploit exploit framework, Microsoft’s PowerShell management framework, and various Visual Basic scripts.