ransomware

automotive, News, security April 22, 2020

A brief history of software vulnerabilities in vehicles (Update 2023)

Updated in 2023: 2023: Sam Curry: Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More Kia, Honda, Infiniti, Nissan, Acura Fully remote lock, unlock, engine start, engine stop, precision locate, flash headlights, and honk vehicles using only the VIN number Fully remote account takeover and PII disclosure via VIN number (name, phone number, email address, physical address) Ability to lock users out of remotely managing their vehicle, change ownership For Kia’s specifically, we could remotely access the 360-view camera and view live images from the car Mercedes-Benz Access to hundreds of mission-critical internal applications via improperly configured SSO, including… Multiple Github instances behind SSO Company-wide internal chat tool, ability to join nearly any channel SonarQube, Jenkins, misc. build servers Internal cloud deployment services for managing AWS instances Internal Vehicle related APIs Remote Code Execution on multiple systems Memory leaks leading to employee/customer PII disclosure, account access Hyundai, Genesis Fully remote lock, unlock, engine start, engine stop, precision locate, flash headlights, and honk vehicles using only the victim email address Fully remote account takeover and PII disclosure via victim email address (name, phone number, email address, physical address) Ability to lock users out of…

General April 20, 2020

“Your Site Has Been Hacked” ransomware email campaign in the wild

I was actually not expecting this kind of ransomware… I am used by now with “You’re hacked”, “You’re infected”… and others alike , but this one with the website is actually really interesting. What I find very disturbing is the fact that there are 5 transactions. A few were for tests, I think, but there is at least one who paid. They do use the a correct website of mine. PS: Of course that my site hasn’t been hacked :))   Here are some of the headers: Return-Path: <hacker@autoservistoth.cz> Received: from autoservistoth.cz ([213.157.59.58]) by mx.google.com with ESMTP id ce7si16117485edb.534.2020.04.17.03.08.14 for <sorin@mustaca.com>; Fri, 17 Apr 2020 03:08:23 -0700 (PDT) Received-SPF: neutral (google.com: 213.157.59.58 is neither permitted nor denied by best guess record for domain of hacker@autoservistoth.cz) client-ip=213.157.59.58; Authentication-Results: mx.google.com; spf=neutral (google.com: 213.157.59.58 is neither permitted nor denied by best guess record for domain of hacker@autoservistoth.cz) smtp.mailfrom=hacker@autoservistoth.cz X-AntiVirus: Checked by Dr.Web [version: 11.1.11.04270, engine: 11.1.9.04170, virus records: 6152810, updated: 8.05.2017] Return-path: <postmaster@thehomebase.top> From: “Hacker” <hacker@autoservistoth.cz> To: sorin@mustaca.com   For indexing better, this is the body of the email. PLEASE FORWARD THIS EMAIL TO SOMEONE IN YOUR COMPANY WHO IS ALLOWED TO MAKE IMPORTANT DECISIONS! We have hacked your website http://www.xxxxxx.com and extracted…

Spam & Phishing September 6, 2017

Digital blackmailing – Sextorsion

We are used to see ransomware encrypting files and requesting money (bitcoin) to decrypt them. I received now a new email on a corporate address, which is a black-e-mail … in digital form. I have to say, that the amount of thoughts expressed in the email is interesting. Somebody, with some basic knowledge and bad English knowledge has put some infos together. 🙂   Here is the plain text, so that it is easier to index: Hello. I do not want to judge anyone, but as a result of several occasions, we have point of contact from now. I do not think that caress oneself is very bad, but when all your relatives, colleagues and friend see it- its obviously awful. So, closer to the point. You visited the website with роrn, which I’ve adjusted with the deleterious soft. Then you chose video, virus started working and your device became working as dedicated desktop immediately. Naturally, all cams and screen started recording instantly and then my virus collected all contacts from your device. I text you on this e-mail address, because I got it it with my soft, and I guess you for sure check this work address. The most…

antivirus, security May 22, 2017

WannaCry Ransomware – Executive summary

If you want news from the IT Security industry, please check IT Security News here: http://www.itsecuritynews.info/?s=WannaCry This is my summary, inspired from various sources on the web mentioned in the Sources (see at the end).   The ransomware Wannacry has infected systems across the globe and has been the topic of discussion among security professionals for quite some days now. The WannaCry ransomware attack – 5 things you need to know A ransomware attack of “unprecedented level” (Europol) started spreading WannaCry ransomware around the world on Friday, May 12, 2017, around 11 AM ET/3PM GMT. Until now, hundreds of thousands of Windows-running computers in 99 countries have been affected, with the highest numbers of infections in Russia, Ukraine, India and Taiwan. Cyber criminals are using the EternalBlue exploit released by The Shadow Brokers on April 14, 2017. This exploit was patched a month before that, when Microsoft issued a critical security update (Microsoft Security Bulletin MS17-010). The reason why this particular campaign became so extensive is because it exploits a vulnerability in Windows SMBv1 and SMBv2 to move laterally within networks and infect other computers. If you haven’t installed the updates and are running a vulnerable operating system (see list below), even…

security July 20, 2016

Social engineering at its best: ransomware delivery methods

I wrote already about Ransomware (and here), but in a more generic way as I will do now. From me to me, with the subject “Documents from work” is the subject of a new Locky ransomware. Attached is a Word document containing macros. In the document (which is actually an archive) is a file called  word\vbaProject.bin. That file seems to be the trigger that downloads the ransomware binary.   This is the link to the VirusTotal detection: https://virustotal.com/en/file/28ba8362af69958964bf8d7e23664cddc625e67b55ff5d5e95e9feef74158e96/analysis/1469020147/ At the moment of writing this post, 30/53 engine detect it.   My goal is not to analyze here the ransomware, but the delivery. The social engineering used here has as soly purpose to make the user to open and executed the attachment. There are subjects of emails which simply “force” some people to open them without thinking. FW:Expenses Report # xxxx payment confirmation Additional Costs recent bill  RE: Additional Information Needed #aaaaaa What you MUST Do The emails and attachments are not harmful just sitting in your inbox or Trash folder. You MUST delete emails which you didn’t send and have these characteristics: from yourself to yourself contain attachments (archives, .JS, .DOC, .DOCX, .DOCM, XLS, .XLSX, etc.) have a blank body area or few lines…

quoted, security June 27, 2016

VPNMentor.com: Cybertalk with IT security expert Sorin Mustaca

Cybertalk with IT security expert Sorin Mustaca   vpnMentor has had the privilege of talking with Sorin Mustaca, a Certified IT consultant with over 15 years of experience in IT security, and author of “Improve Your Security”, a guide for the common end user that deals with the question of how to beware of cyber threats on the individual level.   By Ditsa Keren, 16/06/2016 Content Can you tell us a little bit about your background in IT security? With so many new threats and with the fast development of hacking technologies, how can an anti-virus stay up to date and protect a company from being hacked? What can you tell us about the recently emerging Ransomware encryption Malware attacks? What defenses would you recommend in the case of a ransomware attack? What can you tell us about the recent leak of over 32 million twitter accounts? Why do we only see these leaks now? Do you recognize a specific country from which the majority of hackers operate? Do you see any leakage of cyber technology between military intelligence organizations and the dark net? Can you give us some examples? What kind of new cyber threats can we expect to see…

security March 17, 2016

About ransomware, Google malvertising and Fraud

I am sick and tired to see so many people affected by this wave of ransomware attacks. I don’t want to go into details about Ransomware like Locky because it has been written quite a lot about it. The most common way that Locky arrives is as follows: You receive an email containing an attached document. The document advises you to enable macros “if the data encoding is incorrect.” If you enable macros, you don’t actually correct the text encoding (that’s a subterfuge); instead, you run code inside the document that saves a file to disk and runs it. The saved file serves as a downloader, which fetches the final malware payload from the crooks. The final payload could be anything, but in this case is usually the Locky Ransomware. Read more details here (NakedSecurity of Sophos).   Now, desperate people who just got all their document encrypted by Locky, search the web for possible solutions. Remember: Locky scrambles any files in any directory on any mounted drive that it can access, including removable drives that are plugged in at the time, or network shares that are accessible, including servers and other people’s computers, whether they are running Windows, OS X…

%d bloggers like this: