Episode 07: February 13 2022

A Ransomware Group’s New Tactic, PHP Everywhere WordPress Plugin Vulnerability, Hackers Planted Fake Digital Evidence on Devices, DOJ Arrests Two and Seizes $3.6 Billion Stolen Cryptocurrency, The Pirate Bay Clones Target Millions of Users Every Month

Bullet points of key topics + chapter markers
[00:40] A Ransomware Group’s New Tactic
[04:35] PHP Everywhere WordPress Plugin Vulnerability
[08:29] Hackers Planted Fake Digital Evidence on Devices
[14:02] DOJ Arrests Two and Seizes $3.6 Billion Stolen Cryptocurrency
[22:24] The Pirate Bay Clones Target Millions of Users Every Month

Links

https://www.vice.com/en/article/epx5ne/ransomware-wants-you-to-like-and-subscribe-or-else

https://threatpost.com/php-everywhere-bugs-wordpress-rce/178338/

https://thehackernews.com/2022/02/critical-rce-flaws-in-php-everywhere.html

https://thehackernews.com/2022/02/hackers-planted-fake-digital-evidence.html

https://thehackernews.com/2022/02/us-arrests-two-and-seizes-36-million-in.html

NOTES

A Ransomware Group’s New Tactic

MalwareHunterTeam

  • Group of Independent Security Researchers
  • Ghost Cyber Team
    • Little known group
    • Indonesia

Attack

  • The message shows up on Victim’s screen
    • HELLO ALL YOUR FILES HAVE BEEN LOCKED BY RANOMWARE [sic] BUT CALSE [sic] YOU CAN ACCESS BAK WITH SUBSCRIBE MY CHANEL [sic] YOUTUBE
  • Single Machine Ransomware
    • Does not spread to more machines

Meh Results

  • YT Channel has 64 subscribers
  • Videos of hacking
    • Logos of the group
    • Possible School
  • Possible Prank
    • Though the ransomware is detected by several antivirus engines
      • According to VirusTotal
  • Not the first ransomware that doesn’t ask for money
    • 2017
      • Ransomware asked for nudes

Nothing to panic about

PHP Everywhere WordPress Plugin Vulnerability

PHP Everywhere

  • Lets you easily utilize PHP on WordPress site
    • Pages, posts, sidebar
  • 30,000+ Installations

Bug

  • CVE-2022-24663 – CVSS score 9.9 out of 10
  • Code can completely take over the site
  • It was possible for any logged-in user
    • even a user with almost no permissions
      • Subscriber or Customer
    • to execute arbitrary PHP on a site by sending a request with the shortcode parameter using the [php_everywhere] tag
  • Allows any Authenticated User to execute code
    • Any Level
    • Even Subscribers
  • 2 other Vulnerabilities
    • CVE-2022-24664 and CVE-2022-24665
      • CVSS 9.9 out of 10
      • Slightly less severe
        • Need contributor or above permission
  • 3 total vulnerabilities
    • Was possible to set to Admin only
      • Not set by default
    • Have been fixed by developer
    • Launched a largely rebuilt version
      • Jan 10th
  • Details only being released now
    • Per the responsible disclosure process

Fix

  • Update PHP Everywhere to latest version
  • Update all plugins
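The core of the bug described above is a privilege check that was too weak: being logged in is not the same as being allowed to run PHP. The snippet below is an added illustration (not the PHP Everywhere plugin’s own code; the function names and the `PHP_EVERYWHERE_ALLOW_EVAL` constant are hypothetical) of a weak shortcode handler next to a hardened one that refuses evaluation unless the caller holds an administrator-level capability, regardless of any optional setting.

```php
<?php
// Added example, not the plugin's code. Shows the check the advisory
// implies was missing: a shortcode that executes PHP must gate on a
// high-privilege capability, not merely on "is logged in".

// Weak pattern (do not use): any authenticated user, including a
// Subscriber or Customer, who can get [php_everywhere] evaluated
// ends up running PHP on the site.
function php_everywhere_weak_handler( $atts, $content = '' ) {
    if ( ! is_user_logged_in() ) {
        return '';
    }
    return eval( '?>' . $content ); // evaluates whatever was supplied
}

// Hardened pattern: require 'manage_options' (Administrator) and make
// the check unconditional, rather than an opt-in "admin only" setting
// that is off by default (as the show notes say the plugin's was).
function php_everywhere_safe_handler( $atts, $content = '' ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        // Subscriber, Customer, Contributor, Author, Editor all land here.
        error_log( 'php_everywhere: evaluation denied for user '
                   . get_current_user_id() );
        return '';
    }
    // Hypothetical kill switch so sites can disable eval entirely.
    if ( ! defined( 'PHP_EVERYWHERE_ALLOW_EVAL' ) || ! PHP_EVERYWHERE_ALLOW_EVAL ) {
        return '';
    }
    return eval( '?>' . $content );
}

add_shortcode( 'php_everywhere', 'php_everywhere_safe_handler' );
```

The denied-attempt log line is what a defender would watch for; repeated denials from low-privilege accounts on a site that still runs an old plugin version are a signal to patch immediately.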

Hackers Planted Fake Digital Evidence on Devices

ModifiedElephant

  • Operational since 2012
  • Kept a low profile due to their limited target base
  • Linked to targeted attacks in India on
    • Human Rights Activists
    • Human Rights Defenders
    • Academics
    • Lawyers
  • Goal
    • Long term Surveillance
    • Plant fake “evidence”
      • Framing and Incarcerating victims
  • How?
    • Commercially available RAT (trojan)
    • Spear phishing
      • Pretending to be Activism emails
      • Malicious documents
        • Malware
          • NetWire
          • DarkComet
          • Simple Keyloggers
          • Unknown Android trojan
            • Let them intercept/manage
              • SMS
              • Call data
            • Wipe the device
    • Targeted and infected victims multiple times a day

DOJ Arrests Two and Seizes $3.6 Billion Stolen Cryptocurrency

On Tuesday

  • Largest financial seizure ever
  • DOJ announced arrest of Married Couple
    • Conspiring to launder cryptocurrency
      • 4.5 billion
        • Siphoned during the Bitfinex Hack 2016
    • Conspiracy to commit money laundering
      • Max 20 years in prison
    • Conspiracy to defraud the US
      • Max 5 years in prison
  • Couple from New York
    • Ilya Lichtenstein, 34, husband
    • Heather Morgan, 31, wife
  • Allegation
    • Laundered stolen funds through a labyrinth of cryptocurrency transactions
    • Law enforcement got a hold of 3.6 billion
    • Couple not charged with the hack
      • But receiving the funds into a bitcoin wallet
      • Part of the money was laundered to conceal activity
    • Back in 2019 Israel authorities arrested 2 brothers
      • Eli and Assaf Gigi
      • Over their involvement in the Bitfinex hack
  • Scheme
    • Moving the 229,765 bitcoins from Bitfinex
    • Over 2,000 transactions
      • To Lichtenstein’s account
    • 25,000 of those coins were transferred and deposited into financial accounts held by the couple
    • IRS said
      • “Beginning in or around January 2017, a portion of the stolen BTC moved out of Wallet 1CGA4s in a series of small, complex transactions across multiple accounts and platforms. This shuffling, which created a voluminous number of transactions, appeared to be designed to conceal the path of the stolen BTC, making it difficult for law enforcement to trace the funds.”
    • To achieve this, the defendants are said to have used a number of sophisticated laundering methods, including —
      • Setting up online accounts using fake identities,
      • Using software to automate transactions,
      • Depositing stolen funds into accounts at a variety of virtual currency exchanges and darknet markets like AlphaBay and Hydra and then withdrawing the money to obfuscate the transaction trail,
      • Converting bitcoin to other private digital currencies like Monero, a practice known as chain hopping, and
      • Misusing U.S.-based business accounts to legitimize their banking activity
    • 21% of the stolen Bitcoin has been moved or laundered over the last 5 years
  • DOJ Take Down of AlphaBay in 2017
    • Made it possible to access internal transaction logs
    • Enabling them to track the stolen Bitfinex funds
      • Through the AlphaBay service to a crypto asset exchange in Lichtenstein’s name
  • Court Issued Warrants
    • Which allowed them to access cloud accounts
    • Through which they obtained a file with the private keys to the digital wallet
    • Enabling them to recover the 94,000 bitcoins
  • Bitfinex will work with the DoJ
    • “follow appropriate legal processes to establish their rights to a return of the stolen bitcoin”
    • “have been cooperating extensively with the DoJ since its investigation began and will continue to do so”

The Pirate Bay Clones Target Millions of Users Every Month

  • Malvertising or malicious advertising is gaining rapid popularity as a threat. It involves advertising fraud schemes by tricking website visitors. As per a report, malvertising witnessed a rise of 231% in Q3, 2021. These kinds of attacks are usually found mushrooming in torrent and porn websites. A recent campaign was found impersonating the famous Pirate Bay torrent website.

What’s going on?

CyberNews discovered five malicious domains parading around as The Pirate Bay. These domains served malicious ads to more than seven million users every month by using free content to lure targets.

  • All the websites offered fake torrent download magnet-links and several ads rendered in the background of the landing pages, stacked together.
  • This ensured that clicking on one ad would trigger multiple hidden and possibly malicious ads.
  • Furthermore, the websites serve faux torrent files propagating malicious JavaScript files.

Why this matters

The malicious JavaScript files are used to identify users, record their activities, and serve them intrusive advertisements. This can be leveraged to exfiltrate the victim’s personal data, establish a backdoor on the infected system, or install ransomware, among other malicious activities. Malvertising campaigns are widespread on fake torrent sites because attackers can easily make downloads look legitimate. Since opening a torrent file requires the user to grant permissions, some may inadvertently download malware without realizing what hit them.

Why torrent sites?

  • Scammers can also leverage legitimate ad networks to spread malvertising campaigns and display malicious ads on renowned sites.
  • While they can be served on any kind of website, torrent sites are the most popular because these sites act as gateways for illegal files on the black market.
  • Furthermore, torrent sites have more footfall compared to other websites.

The bottom line

Unfortunately, not a lot can be done to thwart faux torrent sites. However, learning about online safety and running reliable adblocker and antivirus programs can go a long way in protecting users. Beyond that, the safest course is to read ads carefully and avoid clicking on dubious links.