Hey, Guys welcome back for another episode of Exploit Brokers Hacking News!
I’m your host Lauro, let’s log in!
NASA’s Raspberry Pi and Hacker Problems
So I would say it’s safe to assume most of my listeners are aware of the space agency NASA. What many of you may not be aware of is that NASA’s Jet Propulsion Laboratory, or the JPL, was the target of a year-long attack back in 2018.
According to a ZDNet.com article, “NASA hacked because of unauthorized Raspberry Pi connected to its network”, the attackers gained their foothold on the JPL network through an unauthorized Raspberry Pi that someone had plugged into it.
The lack of segmentation on the JPL network meant the attackers could pivot across the entire network without much resistance. For listeners who may not be aware of the practice: segmenting a network means dividing a large network into smaller ones using switches (VLANs), routers, firewalls, or similar devices, and then controlling which segments are allowed to talk to each other. A device sitting in one segment cannot reach a device in another unless a rule explicitly allows it, so an intruder on a rogue device has to break through a boundary at every step instead of roaming freely. Had the JPL network been segmented that way, the attacker would have had a much harder time moving around.
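As an added example (my own code, not from the ZDNet article or the OIG report), here is a small Python script that does the two checks this story calls for: compare the devices observed on each segment against an asset inventory, with a flag for the vendor prefixes (OUIs) registered to the Raspberry Pi Foundation and Raspberry Pi Trading, and check observed flows against a segmentation policy. The inventory, the policy, the log line formats and the sample data are all constructed for the example; verify the OUI list against the IEEE registry before relying on it.

```python
"""Added example, not from the podcast or the NASA OIG report: flag unknown
devices on a network segment and flows that cross segment boundaries without
an allow rule.  Inventory, policy and log lines below are constructed."""
import re
from dataclasses import dataclass

# Constructed asset inventory: MAC -> (hostname, segment).  Think of this as the
# IT asset database a site is supposed to keep current.
INVENTORY = {
    "00:1a:2b:3c:4d:01": ("jpl-ws-017", "eng"),
    "00:1a:2b:3c:4d:02": ("mission-db-1", "mission"),
    "00:1a:2b:3c:4d:03": ("dsn-gw-1", "dsn"),
}

# MAC vendor prefixes (OUIs) registered to the Raspberry Pi Foundation and
# Raspberry Pi Trading; an unknown device with one of these deserves a closer look.
RPI_OUIS = {"b8:27:eb", "dc:a6:32", "e4:5f:01"}

# Constructed segmentation policy: which (src_segment, dst_segment) pairs may
# talk at all.  A flat network is the degenerate case where every pair is allowed.
ALLOWED_FLOWS = {
    ("eng", "eng"), ("mission", "mission"), ("dsn", "dsn"),
    ("eng", "mission"),   # engineers may reach mission systems
    ("mission", "dsn"),   # only mission hosts may reach the DSN gateway
}


@dataclass
class Finding:
    severity: str
    message: str


def normalize_mac(mac: str) -> str:
    return mac.strip().lower().replace("-", ":")


def oui(mac: str) -> str:
    return normalize_mac(mac)[:8]


def check_arp_table(arp_lines):
    """Compare ARP/DHCP observations ("<segment> <ip> <mac>") against the inventory."""
    findings = []
    for line in arp_lines:
        m = re.match(r"^(\w+)\s+(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F:\-]{17})$", line.strip())
        if not m:
            continue
        seg, ip, mac = m.group(1), m.group(2), normalize_mac(m.group(3))
        if mac not in INVENTORY:
            sev = "high" if oui(mac) in RPI_OUIS else "medium"
            findings.append(Finding(sev, f"unknown device {mac} at {ip} on segment {seg}"))
        elif INVENTORY[mac][1] != seg:
            host, home = INVENTORY[mac]
            findings.append(Finding("high", f"{host} ({mac}) seen on {seg}, inventoried in {home}"))
    return findings


def check_flows(flow_lines):
    """Flag cross-segment flows ("<src_seg> <src_mac> -> <dst_seg> <dst_mac>") the policy does not allow."""
    findings = []
    for line in flow_lines:
        m = re.match(r"^(\w+)\s+(\S+)\s+->\s+(\w+)\s+(\S+)$", line.strip())
        if not m:
            continue
        src_seg, src_mac, dst_seg, dst_mac = m.groups()
        if (src_seg, dst_seg) not in ALLOWED_FLOWS:
            src_name = INVENTORY.get(normalize_mac(src_mac), ("UNKNOWN", None))[0]
            dst_name = INVENTORY.get(normalize_mac(dst_mac), ("UNKNOWN", None))[0]
            findings.append(Finding("high", f"{src_name} in {src_seg} reached {dst_name} in {dst_seg}: not allowed by policy"))
    return findings


# Constructed sample data: one registered workstation, one unregistered Pi.
SAMPLE_ARP = [
    "eng 10.10.1.17 00:1a:2b:3c:4d:01",
    "eng 10.10.1.99 B8:27:EB:11:22:33",  # unregistered Raspberry Pi
    "mission 10.20.0.5 00:1a:2b:3c:4d:02",
]
SAMPLE_FLOWS = [
    "eng 00:1a:2b:3c:4d:01 -> mission 00:1a:2b:3c:4d:02",  # allowed
    "eng b8:27:eb:11:22:33 -> dsn 00:1a:2b:3c:4d:03",      # rogue device reaching the DSN segment
]

if __name__ == "__main__":
    for f in check_arp_table(SAMPLE_ARP) + check_flows(SAMPLE_FLOWS):
        print(f"[{f.severity}] {f.message}")
```

Run it and the unregistered Pi shows up as a high-severity finding, and its flow into the DSN segment is flagged because no rule allows eng-to-dsn traffic. On a flat network the second check is empty by definition, which is the point: a segmentation policy gives you something to violate, and therefore something to detect.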
This information comes from the NASA Office of Inspector General’s report, which also confirms that data was stolen.
About 500 megabytes of data was taken, some of it regulated under ITAR, the International Traffic in Arms Regulations. The fact that ITAR-controlled information was stolen is a major security concern: ITAR exists to keep government and military defense technology from falling into malicious hands.
The data in question belonged to NASA’s Mars Science Laboratory mission, which is best known for the Curiosity rover. There is further concern because the hacker or hackers appear to have reached the Deep Space Network, the array of ground antennas NASA uses to communicate with and control spacecraft. The report points to lapses in how JPL kept up its security controls and procedures as the main reason the attack succeeded.
So some of you may be wondering, do they know who hacked the JPL? Well, the article goes on to point out that it may have been the Chinese state-linked hacking group APT10. That attribution is tied to the two Chinese nationals charged by the US Department of Justice in late 2018 for hacking cloud providers, the US Navy, and NASA; the two are believed to be APT10 hackers.
WeTransfer Sent Files to the Wrong People
So if you use WeTransfer then unfortunately private wasn’t private for two days. According to bleepingcomputer.com’s article, “WeTransfer Security Incident Sent Files to the Wrong People”, between June 16th and June 17th files sent to a designated person or group were also delivered to people who were never meant to receive them.
WeTransfer did email users warning about the incident but has not said why the misdelivery happened. It did take proactive measures: logging some users out, resetting passwords, and blocking the transfer links for the accounts involved in the incident.
I do agree with bleepingcomputer’s statement at the end of the article, which questions whether the incident was a simple bug in the code. Now from a software developer’s perspective, I don’t think this is a simple bug if they also went to the hassle of resetting accounts. If this was a bug then blocking the links is understandable, but logging users out and resetting passwords sounds suspicious, as if there is something else they are not telling users.
Only time, another email or another security release will tell.
Ransomware Alert: LooCipher on the loose
So guys, ransomware has now become a prominent part of the cybersecurity threats out in the wild, and this new one is another addition. According to bleepingcomputer’s article, “New LooCipher Ransomware Spreads Its Evil Through Spam”, the LooCipher ransomware, I may have butchered the name, uses a malicious Word document with macros to spread.
The infection chain appears to run as follows:
- The victim comes across and opens a Word document called Info_BSV_2019.docm
- Once it is open, Word prompts to enable macros
- Once the victim clicks Enable Editing and allows the macros, the macro reaches out to a Tor hidden service through the onion[.]pet Tor2web proxy
- The macro downloads a malicious executable at http[:]//hcwyo5rfapkytajg[.]onion[.]pet/3agpke31mk[.]exe
- Once downloaded, the executable is renamed to LooCipher.exe
- The macro then launches LooCipher.exe automatically
Once the ransomware is running it behaves much like other ransomware families. The encryption appears to follow a particular order:
- A file called c2056.ini is created on the Windows Desktop
- This file holds a unique ID, a time limit, and the bitcoin wallet address for paying the ransom
- The encryption process then begins, writing encrypted files with the .lcphr extension appended
- Once all files are encrypted the executable drops @Please_Read_Me.txt, which states the ransom amount and how to pay
- The wallpaper is then changed to a message similar to @Please_Read_Me.txt
- Lastly, LooCipher’s decryptor window appears with a countdown and a payment verification button
- The decryptor claims to decrypt once payment is verified, but that process has not been confirmed to work
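Here is an added example of detection logic for that chain (my own Python, not code from BleepingComputer or from the malware analysis). It reads a constructed endpoint event log of process, network and file events and raises on the observable steps above: Word spawning an executable, a connection to a Tor2web gateway, c2056.ini appearing on the Desktop, a burst of .lcphr writes, and the ransom note. The log format, the 20-file burst threshold and the second gateway suffix (onion.to) are my assumptions.

```python
"""Added example, not code from the BleepingComputer write-up: behavioural
rules for the LooCipher chain, run over constructed endpoint telemetry."""
from collections import Counter

# Constructed telemetry, one event per line, fields separated by "|":
#   proc|<pid>|<parent image>|<image>
#   net|<pid>|<image>|<destination host>
#   file|<pid>|<image>|<path written>
SAMPLE_EVENTS = [
    "proc|4100|explorer.exe|WINWORD.EXE",
    "net|4100|WINWORD.EXE|hcwyo5rfapkytajg.onion.pet",
    "file|4100|WINWORD.EXE|C:\\Users\\u\\AppData\\Local\\Temp\\LooCipher.exe",
    "proc|4188|WINWORD.EXE|LooCipher.exe",
    "file|4188|LooCipher.exe|C:\\Users\\u\\Desktop\\c2056.ini",
] + [
    f"file|4188|LooCipher.exe|C:\\Users\\u\\Documents\\report{i}.docx.lcphr" for i in range(25)
] + [
    "file|4188|LooCipher.exe|C:\\Users\\u\\Desktop\\@Please_Read_Me.txt",
]

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
# onion.pet is the gateway from the article; onion.to is another well-known Tor2web proxy (assumption: extend as needed).
TOR2WEB_SUFFIXES = (".onion.pet", ".onion.to")
RANSOM_NOTE = "@please_read_me.txt"
ENCRYPTED_EXT = ".lcphr"
BURST_THRESHOLD = 20  # assumed: alert once a single process has written this many .lcphr files


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def detect(events):
    """Return (severity, message) alerts for the ransomware behaviours seen in the events."""
    alerts = []
    lcphr_writes = Counter()
    for line in events:
        parts = line.split("|")
        kind = parts[0]
        if kind == "proc":
            _, pid, parent, image = parts
            # Office application launching an executable: the macro stage.
            if parent.lower() in OFFICE_IMAGES and image.lower().endswith(".exe"):
                alerts.append(("high", f"{parent} spawned {image} (pid {pid}): macro-launched executable"))
        elif kind == "net":
            _, pid, image, host = parts
            # Payload fetched from a Tor hidden service via a Tor2web gateway.
            if host.lower().endswith(TOR2WEB_SUFFIXES):
                alerts.append(("high", f"{image} (pid {pid}) contacted Tor2web gateway {host}"))
        elif kind == "file":
            _, pid, image, path = parts
            name = basename(path).lower()
            if name == RANSOM_NOTE:
                alerts.append(("critical", f"ransom note {basename(path)} written by {image} (pid {pid})"))
            elif name == "c2056.ini" and "desktop" in path.lower():
                alerts.append(("medium", f"{image} (pid {pid}) wrote {basename(path)} to the Desktop"))
            elif name.endswith(ENCRYPTED_EXT):
                # Count encrypted-output writes per process; fire once at the threshold.
                lcphr_writes[(pid, image)] += 1
                if lcphr_writes[(pid, image)] == BURST_THRESHOLD:
                    alerts.append(("critical", f"{image} (pid {pid}) wrote {BURST_THRESHOLD} {ENCRYPTED_EXT} files: mass encryption"))
            elif image.lower() in OFFICE_IMAGES and name.endswith(".exe"):
                alerts.append(("high", f"{image} (pid {pid}) dropped executable {basename(path)}"))
    return alerts


if __name__ == "__main__":
    for severity, message in detect(SAMPLE_EVENTS):
        print(f"[{severity}] {message}")
```

The earliest of these alerts, Word talking to a Tor2web gateway and then spawning an executable, fires before a single file is encrypted, which is where you want to stop the chain; the .lcphr burst and the ransom note are confirmation, not prevention.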
As a security precaution, keep offline backups in case ransomware hits your system, do not enable macros on documents you were not expecting, and always take care when opening files that are not from trusted sources.
The article notes that LooCipher is being spread by spam and that it is not yet known how many people have been infected.
Steam Phishing Website
A message to my avid gamer audience who like to hack: I have a warning and news for you. Beware those bearing gifts. A new Malwarebytes Labs post, “Fresh “video games” site welcomes new users with Steam phish”, discusses a recent phishing campaign aimed at gamers.
Several accounts, which appear to be compromised, have been sending out messages gifting one free game. The link goes through a couple of redirects before reaching the real phishing page:
- First there is a Twitter-shortened t.co link
- That takes the user to steamredirect[.]fun, which redirects to the actual phishing page
The phishing page presents itself as a place where you can win games. The site goes by the name “Gift4Keys” and has a roulette-style game where you can “win”, and I say win sarcastically, a free game. To play, all you have to do is press the play button in the middle of the page.
Once you “win”, again sarcastically, you are shown a timer giving you 30 minutes to log in to Steam and redeem the game. Clicking login brings up a Steam login page that lists gift4keys as a third-party affiliate.
A legitimate third-party site sends you to sign in at steamcommunity.com, and that address shows in the browser’s address bar; the phishing site’s login page shows nothing in the address field at all.
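To make that tell concrete, here is an added example, in Python, of what a legitimate “Sign in through Steam” exchange looks like from the third-party site’s side; it is my own code, not from Malwarebytes Labs or Valve. The parameter names follow Steam’s OpenID 2.0 endpoint; the site URL, the SteamID and the callback values are constructed, and no network request is made.

```python
"""Added example, not from the Malwarebytes Labs post: the legitimate
Steam OpenID 2.0 sign-in flow a real affiliate uses, and a check on the URL
the browser should be showing.  Site URL, SteamID and callback are constructed."""
import re
from urllib.parse import urlencode, urlsplit, parse_qs

STEAM_OPENID_ENDPOINT = "https://steamcommunity.com/openid/login"
OPENID_NS = "http://specs.openid.net/auth/2.0"
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"
# A SteamID64 is 17 digits beginning with 7656119; only accept it from Steam's own host.
CLAIMED_ID_RE = re.compile(r"^https://steamcommunity\.com/openid/id/(7656119\d{10})$")
RETURN_TO = "https://example.test/auth/steam/return"  # constructed affiliate callback


def build_login_url(return_to: str) -> str:
    """Step 1: the site hands the browser to steamcommunity.com; that URL is what the address bar shows."""
    parts = urlsplit(return_to)
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.return_to": return_to,
        "openid.realm": f"{parts.scheme}://{parts.netloc}",
        "openid.identity": IDENTIFIER_SELECT,
        "openid.claimed_id": IDENTIFIER_SELECT,
    }
    return f"{STEAM_OPENID_ENDPOINT}?{urlencode(params)}"


def is_genuine_steam_login(url: str) -> bool:
    """A real Steam sign-in page lives at https://steamcommunity.com/openid/login.
    A fake in-page 'window' with no address bar gives you no URL to run this on at all."""
    u = urlsplit(url)
    return u.scheme == "https" and u.hostname == "steamcommunity.com" and u.path == "/openid/login"


def parse_callback(callback_url: str):
    """Step 2: Steam redirects back; take the SteamID64 only from a claimed_id on steamcommunity.com."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(callback_url).query).items()}
    if q.get("openid.mode") != "id_res" or q.get("openid.ns") != OPENID_NS:
        return None
    m = CLAIMED_ID_RE.match(q.get("openid.claimed_id", ""))
    if not m or q.get("openid.identity") != q.get("openid.claimed_id"):
        return None
    return m.group(1), q


def check_authentication_body(q: dict) -> dict:
    """Step 3: the site must POST the assertion back to Steam with mode=check_authentication;
    Steam answers 'is_valid:true' only for a signature it issued.  (Request not sent here.)"""
    body = {k: v for k, v in q.items() if k.startswith("openid.")}
    body["openid.mode"] = "check_authentication"
    return body


def make_callback(claimed_id: str) -> str:
    """Build a constructed id_res callback like the one Steam would redirect the browser to."""
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "id_res",
        "openid.op_endpoint": STEAM_OPENID_ENDPOINT,
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": RETURN_TO,
        "openid.response_nonce": "2019-06-21T00:00:00Zconstructed",
        "openid.assoc_handle": "1234567890",
        "openid.signed": "signed,op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
        "openid.sig": "c2lnbmF0dXJl",  # constructed placeholder, not a real signature
    }
    return f"{RETURN_TO}?{urlencode(params)}"


SAMPLE_CALLBACK = make_callback("https://steamcommunity.com/openid/id/76561197960287930")

if __name__ == "__main__":
    print(build_login_url(RETURN_TO))
    steamid, q = parse_callback(SAMPLE_CALLBACK)
    print("SteamID64:", steamid, "-> verify with", check_authentication_body(q)["openid.mode"])
```

The first function is the tell: a real affiliate hands the browser to https://steamcommunity.com/openid/login and that URL is visible in the address bar. The page-in-page login on Gift4Keys has no address bar, so there is nothing for is_genuine_steam_login to check, which is itself the answer. Step 3 matters for site operators: never trust the claimed_id until Steam answers is_valid:true.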
If you have supplied your credentials then your account has been compromised; try to recover it and change your password as soon as possible. If you haven’t had your credentials hijacked, remember this story to help make sure you stay that way.
So guys, to conclude this episode with a quick review: we have data being stolen from NASA via a rogue Raspberry Pi, a new ransomware by the name LooCipher that spreads through spam, and a Steam phishing campaign. If you have a Steam account, beware those bearing gifts and never click suspicious links. If it is too good to be true then it probably isn’t true.
That wraps up another episode of Exploit Brokers Hacking News. The show notes can be found at exploitbrokers.com/podcasts/hn05. This has been your host Lauro, signing off until next time.