Exploit Brokers Hacker News Episode 09
Intro
Hey guys, welcome to exploit brokers today. We’re going to be going over four different articles. Let’s talk about Twitch. Let’s talk about ricochet, the freakout botnet and the Mykings botnet. Let’s jump into it.
Cool. So guys, welcome back. I know I’ve been offline for a little bit, but I am here to bring you back your hacker news goodness. So today we’re going to jump right into it.
Freakout Botnet Attacks DVRs
We’re going to talk about the freakout botnet. It turns out they are using their botnet to turn DVRs into Monero crypto miners. So Monero is one of the favorite type of crypto miners in the criminal industry, because it’s very hard to track compared to like Bitcoin and all that.
So the transactions are much more. Privacy oriented. I guess if you can say it that way, so let’s jump right into it. Let’s see. And I will list the articles and the show notes. This one is by threatpost.com titled freak-out botnet turns DVR’d into Monero, crypto miners. You what we’re talking about today.
I’ll start out by saying the article says the new Necro Python exploit targets visual tools DVRs used in surveillance systems. So we’re not talking about just like, you know, your old DVR. If anyone still has a DVR for tvservices. I imagine a lot of people. Still do, but no, this is specifically the visual tools, DVRs first surveillance systems.
So if you think about surveillance systems, they’re going to be on all the time. They’re going to be pulling feed for everything. So, you know, Hey, if they’re always on anyways, and most people aren’t going to be checking them normally. ’cause, you know, you don’t really check them unless you need them, then you could totally put something on there.
The Juniper threat labs, researchers issued a new detail. There’s apparently something known as Niekro Python and Python, IRC bot. For some people IRC, they may be familiar with that. That’s the internet relay chat. It’s kind of like the predecessor to like messaging. You’d put up an IRC server.
People could join, you could talk Kind of like a messaging board, but more interactive . According to this the malware in late September was targeting the visual tools, DVR VX16 4.2.28.0 models with crypto mining attacks. What this usually seems to be is like, Hey, Grabbing their botnets and they’re targeting this specific model.
Maybe there’s a firmware of a vulnerability. Maybe there’s something else we’ll just kind of keep going and see if there’s anything we can find. Right. They’re using command injection. . The script can run in both windows and Linux environments and the script has a polymorphic engine to morph itself.
Ooh. So, okay. This is actually really cool. Polymorphic engines, if you think about like something being able to evolve itself or change itself over time you know, viruses or bacteria and stuff like that. The polymorphic engine is actually a very cool way that some viruses, I mean, I say cool, but it’s kind of devastating.
It’s a very cool way that some computer viruses, they keep morphing themselves and antivirus, sometimes use signature-based defenses. Right. So what that means is they’re looking for. A specific type of code or for the binary’s to look a certain way. And then that will allow it to be like, Hey, this looks an awful lot, like this kind of virus or this specific virus.
So by morphing itself, you’re changing your signature. Every couple executions or every execution, right? So the next time you infect somebody while you’re using the next variant of what it was. And typically I was looking into polymorphic, see how they kind of work. Right. And they have their base encrypted.
That’ll get re encrypted and then you have the actual delivery system. There’s a way that you can keep that encrypted in the program. Then you can decrypt it, recompile it, but also re encrypted as well. You have the payloads being constantly changed and the signature will look different.
According to the article freakout, which is the ones who originated the botnet have been doing this since at least January. They’ve been trying to launch distributed denial of service attacks and crypto mining attacks. So they’re trying to bring people down and trying to make money kind of makes sense. Right?
They have several iterations of the Necrobot. According to what I’m seeing here There’s been even recent changes. Cool. They’re using, what’s known as a domain generation algorithm for added persistence. Based off my research, the domain generation algorithm, how it works is it’ll guess a certain kinds of domains. And then it’ll go reach out and like, Hey, are you my C to C server?
Are you my command and control server? If it doesn’t find it well, then, Hey, that’s fine. It just tries again and tries again . The first Necrobot used to scan ports, 22, 80, 443, 8081, and 7001. Then if, if it detected it, then according to the article an XM rig, which is a high-performance Monero miner linked to a specific wallet.
Then it would just try to mine and then throw whatever Monero to that wallet. So the vulnerabilities for those of you that are kind of wondering. Is the CVE-2021-15568 TerraMaster TOS before 4.1.29, CVE-2021-2900. The Genexis. Sorry. If I butchered that Genexis platinum 4410 2.1 P4410-V2-1.28.
There’s five of these, we were already covered two. The third one is CVE-2020-25494 Xinuos, formerly SCO, OpenServer version five and version six. Next is the CVE-2020-28188 TerraMaster TOS every version up to, and including 4.2.06 and the last one is the CVE-2019-12725 Zeroshell 3.9.0.
So something I’d like to point out. We do have what looks to be like one extremely recent exploit 2021. Like, you know, last year, exploits, 2020s and the 2019. This virus has exploits that are pretty recent. The chances that an organization is using something that hasn’t been patched or that the software’s haven’t had a patch for like the 2021 let’s say, then, you know, that’s, that’s pretty high.
As a software engineer, turnaround time is not like, Hey, there’s an exploit. Cool. I could totally get that fixed by this afternoon. If you just find out about it and you’re in process of normal code delivery code release right. You may not have team members to go fix critical patches that night.
You may have to pull them off that could throw your deadlines off. Very much a cat and mouse and a delivery standpoint, right? So of course you have to do bug. But do you have time to do bug fixes and your main release as well? From this, I don’t know too much about TerraMaster or the CVS in question, but from a software engineering perspective, you got to be careful with that.
Ooh, so the head of Juniper labs has told threat posts, which is the article that I’m reading this off. Most security teams need to be able to handle DGA domain attempts. What I’m assuming he means right? From an IT perspective, if a computer, a box, right, is sending out 400 DNS requests looking for similar things will an average user, shouldn’t be sending 400 DNS requests in an hour.
Right. They might go to like four or five, but if they’re doing their job, Even if you’re Googling, right. You’re not going to hit 300 domains, 400 domains. Two hours, three hours. That’s my guess. By having a route switch firewall with a rule that kinda says like, Hey, if any machine is throwing like 300 or more than 200 or whatever threshold .
X amount of DNS requests in X time or Y time, then you need to throw an alert. You need a block that cause Hey, that could be a malicious or compromised box. I could totally see where that’s, kind of where they’re getting at. But you know, that’s just my opinion. So let’s roll into the next one.
Source: https://threatpost.com/freakout-botnet-dvrs-monero-cryptominers/175467/
Ricochet Anti-Cheat Kernel
So ricochet call of duty for any of you gamers who are interested, ricochet is an anti cheat engine. Call of duty, wants to use for Warzone and Vanguard. The reason I’m bringing this up is they have a Kernel level driver. It’s first going to come to call of duty. Kernel level, for those of you who may or may not be aware, you have the user level and you have the kernel level.
Kerner level is anything that runs windows privileges versus user space is, you know, users kind of straight forward. Right? The problem with Kernel drivers is they tend to have a lot of control over the system due to the nature that they are integrated tightly with the operating system. They’re trying to calm people down.
I kind of pre-read this article right there, trying to calm people down by saying, Hey, it’s not always on and it only checks for software that interacts with call of duty, but that doesn’t mean it can’t change. That doesn’t mean that there couldn’t be false flags, right? So my biggest concern with any security tool with any AI thing..
Is false positives. Right? False positives could give people a really bad day. Do we want to stop hackers? Yeah, we want to stop hackers. Do we want to stop people from ruining the game ? Yeah, we want to stop people from ruining the game. What happens if the driver accidentally sees overclocking software as a flag.
So you’re going to have a lot of tech enthusiasts. A lot of people build gaming, rigs, gaming computers with the idea. Cool. I can play games, but I can also overclock this thing and get the most performance or just some people just like to do it for fun. Even I’ve played around with overclocking.
It’s just one of those things like, Hey, I have a really cool PC. Can I try this? My other concern as well. You have a kernel level driver that can interact with a system that’s been developed by this company. Well like any kernel level thing. What if there’s a vulnerability in that kernel?
How fast would they be able to patch it? How much will they care? Are they going to be invested to be able to like, Hey, a CVE came out on our kernel driver that is installing Monero miners or whatever should we patch it? Do we care?
That’s almost any company, but this is one more company. What I’m reading, the way I’m understanding is you will not be able to play the game unless the kernel driver is installed. For you to be able to play call of duty on your gaming PC, you would need to have this Kernel Installed.
That doesn’t make me feel great about it. Call of duty I’m seeing maybe a hundred million yeah, about a hundred million players, which means that if you target, let’s say, let’s say a quarter of them are gaming PC players, right
You have a quarter of the 100 million. So you have 25 million people who are now running this driver on their computers. If a CVE breaks out 25 million is, you know, pretty substantial base considering it’s one company. You should be worried about that for anything and everything.
Windows is not exactly, the most secure system there’s a lot of faults they’re getting better, but they do have a lot faults. Not related, but it appears that part of the driver is actually using or could possibly use machine learning algorithms. I don’t know this definitively, but they’re saying that they want to use machine learning to analyze server data, to determine patterns.
Now this goes back to my false positive concern, right? So machine learning algorithms are. At current time, most of them are not 100, truly 100% accurate. If you think it’s a hundred percent, you’re maybe you’re over-fitting, which means you’re, you’re saying, Hey, this data looks this way. Cool. But then when you throw real data at it, it doesn’t fit the training data exactly.
So you’ll overfit and that’s just, that’s just one thing I’m concerned about. Say, say it’s half a percent, right? What’s half a percent of a hundred million players is like 50,000 players that you may. Automatically flag. If you doing anything like an auto ban based on the flags, cool. You just falsely band 50,000 players.
Not to mentioned that even false positive, be like, well, Hey, what about the hackers that do get through? You are reducing the amount, but this is not a catchall solution. This is not a cool, we can fix everything.
You have to do it in a nuanced way. You can’t just have the machine learning, AI be able to auto ban people without some sort of appeal process, without some sort of safety checks to prevent those who get falsely flagged to be able to come back because it’s going to suck. You pay $60, a hundred dollars, or, you know, $60 plus DLC.
I mean, Warzone is free, but if you’re buying the season pass or whatever, you’re still paying, it’s going to suck that you falsely get flagged and you lose access to the thing that you were paying money. And I don’t think anybody wants that.
I was pulling the information, I’m going to put it in the show notes off CallOfDuty.com, it’s self.
Source: https://www.callofduty.com/blog/2021/10/ricochet-anti-cheat-initiative-for-call-of-duty
MyKings Botnet
Let’s kind of segment into the next article.
The next article comes from bleepingcomputer.com titled “MyKings botnet, still active and making massive amounts of money”. Cool. Botnets making money seems to be like a recurring theme. The MyKings botnet, according to the article is still actively spreading and is making tons of crypto.
The first appearance was like five years ago. Being that it’s one of the most analyzed I’m kind of pair I’m paraphrasing slash reading the article. MyKings is particularly interested in researchers thanks to his vast infrastructure versatile features. What does it mean by versatile features will list a few, right.
I’ll kind of touch on what they mean. So the article states that it includes: bootkits, miners, droppers, clipboard stealers, and more. Bootkits are particularly problematic because they install themselves in the boot sector of the operating system. You don’t want a virus that manipulates your system on boot or just as it’s booting, because it becomes very hard to truly get rid of that.
If the boot kit installs itself, well, you may have to completely wipe the entire system and there goes all your data, right? Minors going back to the Monero Miner, or if you know, Bitcoin minor that could be done. There’s there’s dozens of variations. There’s probably a couple different miners per coin.
Right? Droppers, I’ve heard this term before. I have to come back to you on that clipboard stealers, you know, straight up just steals your clipboard. The reason that could be problematic is if you’re mining or if you’re doing something else cool, now they have your wallet and have other stuff.
Every time that it sees your wallet, they could inject their wallet. And there you go. Now they’re now they’re using the hacker’s wallet for reasons that they would use there’s deposits, trades, et cetera.
Let’s jump into the article. Bleeping computer seems to be referencing the Avast threat labs. The earnings reflected in the wallet linked to the makings are approximately 24.7 million. So they’ve been, they, they make quite a bit of money off this, right. They’re using substitution.
Oh, cool. Kind of what I was touching on. So they are using the clipboard manipulation thing to inject their to inject their wallet. The latest I’m going to read from the article. The latest version of the malware also features a new url manipulation system in the clipboard stealer module, which the attackers created to hijack steam item trade transactions. Cool they’re even targeting Steam here, the module changed the trade off offer URLs.
So the actors placed at the receiving end. So not only are they trying to probably look for digital wallets, now they’re even targeting games. So they’re targeting steam. Which is kind of interesting. I mean, in games, items sell for a lot I know there’s this one game don’t remember off the top of my head that uses real world money to kind of be like a one-to-one, but you’re not supposed to take the money out.
At least the developers, I think don’t want you to . Hey, that’s one way that now criminals are trying to make more money. Now let’s go after games too. So there was also functionality added for the Yandex, disc storage, cloud service, and it looks like they’re essentially using that for a social engineering style spread. They are putting a photos archive, you unzip it, it’s actually the malware, but you are a trusted person sending your other friend, this link, they’re going to download it, run it because it came from you and it’s actually gonna infect them because your clipboard was manipulated behind the scenes.
Source: https://www.bleepingcomputer.com/news/security/mykings-botnet-still-active-and-making-massive-amounts-of-money/
Twitch Hacked
Now onto our last article.
Article by 9to5mac.com, “PSA: Twitch.tv was hacked, everything leaked, including creator payouts”. I’m pretty sure you’ve seen this on the news. It’s been everywhere. Right? So Twitch TV, the very popular streaming channel for, or streaming website for games. And I guess other stuff was hacked.
So if you have an account there they’re recommending you change your password, which I will recommend if your data’s ever in a breach. Yes. Change your password. Yeah, do it. Password managers are also pretty cool. Those can get hacked too, but Hey, at least you have like only one master password that you need to be changing often and you don’t got to remember the other ones.
Going through the article. There was an anonymous hacker who posted a huge download link. Apparently the entire website source code, various console phone stuff. Ooh, an unreleased steam competitor talking about steam earlier, right?. Payouts and encrypted passwords all got leaked. So encrypted passwords that could or could not be problematic depending on how good the encryption is. By the way don’t trust it, change your password. Payouts, that’s just, ah, man. Now you’re going to know what every streamer makes. Apparently 125 gigabyte torrent link was posted to 4Chan. I think last Wednesday. This was October 6th.
Ooh. So very early Wednesday, I think like maybe late September Wednesday. So I’m a little bit late to this article. One anonymous company told and I’m reading from the art from the article. “One anonymous company told VGC”, which I’m guessing is where 9to5Mac original quoted their stuff.
“That the leak data is legitimate. Including the source code for the Amazon owned streaming platform. Internally, Twitch is aware of the breach, the source said, and it’s believed that the data was obtained as recently as Monday. We’ve requested comment from Twitch and will update this story when it replies”.
I guess there hasn’t been any update, going over, right. All of that. That’s, that’s rich. So as well as the data that got. Internal penetration testing tools got leaked too. Right? So the hackers got hacked. Twitch TV isn’t exactly hackers, but they’re hacking tools got hacked. Reminds me of, I think it was a government agency, got their stuff stolen by hackers too.
It kinda reminds me of that realm, right. When you look in, when you look into the abyss, the abyss will stare back kind of thing. ‘ The entirety of Twitch’s source code with comment history “going back to its early beginnings”‘. They got all the Twitch, pretty much all the repo all the creator payouts from 2019, mobile desktop and console client, proprietary SDK and internal AWS services used by twitch. So they can completely make a Twitch clone tomorrow. Wow. ‘”Every other property that Twitch owns”, including IGDB and CurseForge’.
No idea what those are, but Hey, it’s Amazon owned, so it’s big. “An unrelased Steam competitor, codenamed Vapor from Amazon Game Studios”. So something I’ve, I’ve been seeing from the Amazon side. Right. As a developer, I like AWS. It’s kind of cool. I’m not super big on only one platform, but anyways, I’ve seen where Amazon is pushing I think I forget their name of it, but they, they have, they’re starting to push into the game market and I think it’s because Hey, Vapor or whatever this thing is. If it’s a steam competitor, they want to get in on selling games. I know they’re trying to get in on the game engine side.
It kind of makes sense. Gaming is a very profitable or not profitable, but is a very big industry people game on their mobile people game on console people game on PC , it’s what people do. The last point of what was stolen includes a penetration tools, which I was talking about, it looks like it was red team tools for my listeners who are not aware, red team essentially means attacker, right?
You have red team attack, the blue team defends, and kind of variations of those. You have some people that try to do both. That will be another episode. Another thing to talk about. A Twitter user has actually been quick to post spreadsheets about who the highest-paid earners were. So I will link the article in the description or in the show notes, if you want to go check out what that Twitter is and see, you know, who were the higher paid ones? All I will say here is it’s like a couple of million dollars from August 2019 to October 2021. I mean that. That’s pretty big.
Most people don’t make a couple of million dollars unless you’re a CEO or something also, Hey, props to them.
‘The hacker said their motivation was to disrupt the space because “their community is a disgusting, toxic cesspool”‘, nine to five quoting somebody else. Not me.
It seems just like the hacker was disgruntled because of Twitch’s politics. Not going to get into that, but Hey, if you don’t like Twitch, don’t get on Twitch. If you like Twitch, well, then get on Twitch. It’s going to be completely up to you, I do agree with the notion rules should be applied evenly.
You can’t just pick and choose, you know, you’re profitable people can bend the rules, stuff like that. I don’t, I, it should be across the board. Right. It said Twitch is working hard to address this, but many people are unhappy about the results. According to the article, I mean kind of makes sense.
Your whole data was leaked or your tools are leaked or internal stuff was leaked. Now everyone knows how much they made. You know, people can see how much they made from this year to this year.
According to this, you know, but you, people are unhappy. And I know a lot of people have been unhappy with the touch platform as a generality, but you reap what you sow I guess.
Source: https://9to5mac. com/2021/10/06/twitch-tv-was-hacked/
Outro
Guys that’s the last article. So thank you for sticking with me again. This has been Exploitbrokers Hacker News with your host Lauro, and I will see you in the next one