Daniel Quinn Flint (not related to Daniel RAY Flint who is a different person entirely)

WeLeakInfo Leaked Customer Payment Info

A little over a year ago, the FBI and law enforcement partners overseas seized WeLeakInfo[.]com, a wildly popular service that sold access to more than 12 billion usernames and passwords stolen from thousands of hacked websites. In an ironic turn of events, a lapsed domain registration tied to WeLeakInfo let someone plunder and publish account data on 24,000 customers who paid to access the service with a credit card.

For several years, WeLeakInfo was the largest of several services selling access to hacked passwords. Prosecutors said it had indexed, searchable information from more than 10,000 data breaches containing over 12 billion indexed records — including names, email addresses, usernames, phone numbers, and passwords for online accounts.

For a small fee, you could enter an email address and see every password ever associated with that address in a previous breach. Or the reverse — show me all the email accounts that ever used a specific password (see screenshot above). It was a fantastic tool for launching targeted attacks against people, and that’s exactly how the service was viewed by many of its customers.

Now, nearly 24,000 WeLeakInfo’s customers are finding that the personal and payment data they shared with WeLeakInfo over its five-year-run has been leaked online.

WeLeakInfo’s service fees.

In a post on the database leaking forum Raidforums, a regular contributor using the handle “pompompurin” said he stole the WeLeakInfo payment logs and other data after noticing the domain wli[.]design was no longer listed as registered.

“Long story short: FBI let one of weleakinfo’s domains expire that they used for the emails/payments,” pompompurin wrote. “I registered that domain, & was able to [password] reset the stripe.com account & get all the Data. [It’s] only from people that used stripe.com to checkout. If you used paypal or [bitcoin] ur all good.”

Cyber threat intelligence firm Flashpoint obtained a copy of the data leaked by pompompurin, and said it includes partial credit card data, email addresses, full names, IP addresses, browser user agent string data, physical addresses, phone numbers, and amount paid. One forum member commented that they found their own payment data in the logs.

How WeLeakInfo stacked up against its competitors (according to WLI).

According to DomainTools [an advertiser on this site] Wli[.]design was registered on Aug. 24, 2016 with the domain registrar Dynadot. On March 12, the domain was moved to another registrar — Namecheap.

Pompompurin released several screenshots of himself logged in to the WeLeakInfo account at stripe.com, an online payment processor. Under “management and ownership” was listed a Gerald Murphy from Fintona, U.K.

Shortly after WeLeakInfo’s domain was seized by authorities in Jan. 2020, the U.K.’s National Crime Agency (NCA) arrested two individuals in connection with the service, including a 22-year-old from Fintona.

PLENTY OF TIME FOR OPSEC MISTAKES

It’s been a tough few months for denizens of various hacking forums, which are finding themselves on the defensive end of a great many attacks testing the security of their aliases and operational security lately. Over the past few weeks three of the longest running and most venerated Russian-language online forums serving thousands of experienced cybercriminals have been hacked.

In two of the intrusions (against the Russian hacking forums “Mazafaka” and “Verified”) — the attackers made off with the forums’ user databases, including email and Internet addresses and hashed passwords.

“Members of all three forums are worried the incidents could serve as a virtual Rosetta Stone for connecting the real-life identities of the same users across multiple crime forums,” a recent story here explained.

An exposure of 15 years worth of user data from a forum like Mazafaka is a big risk for registrants because investigators often can use common registration details to connect specific individuals who might have used multiple hacker handles over the years.

Many of the domains from the email addresses listed in the Maza dump date to the early 2000s, back when budding cybercriminals typically took fewer precautions to obfuscate or separate the myriad connections to their real-life identities online.

The biggest potential gold mine for de-anonymizing Maza members is the leak of user numbers for ICQ, an instant messaging service formerly owned by AOL that was widely used by cybercrime forum members up until around 2010. That’s about when AOL sold the platform in 2010 to Russian investor DST for $187.5 million.

Back then, people often associated their ICQ numbers to different interests, pursuits and commerce tied to their real life identities. In many cases, these associations are on public, Russian language forums, such as discussion sites on topics like cars, music or programming.

In a common inadvertent exposure, a cybercriminal happens to make an innocuous post 15 years ago to a now-defunct Russian-language automobile forum.

That post, preserved in perpetuity by sites like archive.org, includes an ICQ number and says there’s a guy named Sergey in Vladivostok who’s selling his car. And the profile link on the auto forum leads to another now-defunct but still-archived personal site for Sergey.

Interestingly, services like WeLeakInfo can just as easily be used against cybercriminals as by them. For example, it’s likely that the database for the automobile forum where Sergey posted got compromised at some point and is for sale on sites like WeLeakInfo (there are active competitors).

Ditto for any other forum where Sergey used the same email address or password. When researchers start finding password re-use across multiple email addresses that all follow a pattern, it becomes much easier to tie Sergey from Vladivostok to his cybercriminal and real-life identities.

source https://krebsonsecurity.com/2021/03/weleakinfo-leaked-customer-payment-info/

Microsoft Patch Tuesday, March 2021 Edition

On the off chance you were looking for more security to-dos from Microsoft today…the company released software updates to plug more than 82 security flaws in Windows and other supported software. Ten of these earned Microsoft’s “critical” rating, meaning they can be exploited by malware or miscreants with little or no help from users.

Top of the heap this month (apart from the ongoing, global Exchange Server mass-compromise) is a patch for an Internet Explorer bug that is seeing active exploitation. The IE weakness — CVE-2021-26411 — affects both IE11 and newer EdgeHTML-based versions, and it allows attackers to run a file of their choice by getting you to view a hacked or malicious website in IE.

The IE flaw is tied to a vulnerability that was publicly disclosed in early February by researchers at ENKI who claim it was one of those used in a recent campaign by nation-state actors to target security researchers. In the ENKI blog post, the researchers said they will publish proof-of-concept (PoC) details after the bug has been patched.

“As we’ve seen in the past, once PoC details become publicly available, attackers quickly incorporate those PoCs into their attack toolkits,” said Satnam Narang, staff research engineer at Tenable. “We strongly encourage all organizations that rely on Internet Explorer and Microsoft Edge (EdgeHTML-Based) to apply these patches as soon as possible.”

This is probably a good place to quote Ghacks.net’s Martin Brinkman: This is the last patch hurrah for the legacy Microsoft Edge web browser, which is being retired by Microsoft.

For the second month in a row, Microsoft has patched scary flaws in the DNS servers on Windows Server 2008 through 2019 versions that could be used to remotely install software of the attacker’s choice. All five of the DNS bugs quashed in today’s patch batch earned a CVSS Score (danger metric) of 9.8 — almost as bad as it gets.

“There is the outside chance this could be wormable between DNS servers,” warned Trend Micro’s Dustin Childs.

As mentioned above, hundreds of thousands of organizations are in the midst dealing with a security nightmare after having their Exchange Server and Outlook Web Access (OWA) hacked and retrofitted with a backdoor. If an organization you know has been affected by this attack, please have them check with the new victim notification website mentioned in today’s story.

Susan Bradley over at Askwoody.com says “nothing in the March security updates (besides the Exchange ones released last week) is causing me to want to urge you to go running to your machines and patch at this time.” I’d concur, unless of course you cruise the web with older Microsoft browsers.

It’s a good idea for Windows users to get in the habit of updating at least once a month, but for regular users (read: not enterprises) it’s usually safe to wait a few days until after the patches are released, so that Microsoft has time to iron out any kinks in the new armor.

But before you update, please make sure you have backed up your system and/or important files. It’s not uncommon for a Windows update package to hose one’s system or prevent it from booting properly, and some updates have been known to erase or corrupt files.

So do yourself a favor and backup before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

And if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see this guide.

As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips.

Additional reading:

Martin Brinkman’s always comprehensive take.

The SANS Internet Storm Center no-frills breakdown of the fixes.

source https://krebsonsecurity.com/2021/03/microsoft-patch-tuesday-march-2021-edition/

Microsoft Patch Tuesday, March 2021 Edition

This is probably a good place to quote Ghacks.net’s Martin Brinkman: This is the last patch hurrah for the legacy Microsoft Edge web browser, which is being retired by Microsoft.

“There is the outside chance this could be wormable between DNS servers,” warned Trend Micro’s Dustin Childs.

Additional reading:

Martin Brinkman’s always comprehensive take.

The SANS Internet Storm Center no-frills breakdown of the fixes.

source https://krebsonsecurity.com/2021/03/microsoft-patch-tuesday-march-2021-edition/

Warning the World of a Ticking Time Bomb

Globally, hundreds of thousand of organizations running Exchange email servers from Microsoft just got mass-hacked, including at least 30,000 victims in the United States. Each hacked server has been retrofitted with a “web shell” backdoor that gives the bad guys total, remote control, the ability to read all email, and easy access to the victim’s other computers. Researchers are now racing to identify, alert and help victims, and hopefully prevent further mayhem.

On Mar. 5, KrebsOnSecurity broke the news that at least 30,000 organizations and hundreds of thousands globally had been hacked. The same sources who shared those figures say the victim list has grown considerably since then, with many victims compromised by multiple cybercrime groups.

Security experts are now trying to alert and assist these victims before malicious hackers launch what many refer to with a mix of dread and anticipation as “Stage 2,” when the bad guys revisit all these hacked servers and seed them with ransomware or else additional hacking tools for crawling even deeper into victim networks.

But that rescue effort has been stymied by the sheer volume of attacks on these Exchange vulnerabilities, and by the number of apparently distinct hacking groups that are vying for control over vulnerable systems.

A security expert who has briefed federal and military advisors on the threat says many victims appear to have more than one type of backdoor installed. Some victims had three of these web shells installed. One was pelted with eight distinct backdoors. This initially caused a major overcount of potential victims, and required a great deal of de-duping various victim lists.

The source, who spoke on condition of anonymity, said many in the cybersecurity community recently saw a large spike in attacks on thousands of Exchange servers that was later linked to a profit-motivated cybercriminal group.

“What we thought was Stage 2 actually was one criminal group hijacking like 10,000 exchange servers,” said one source who’s briefed U.S. national security advisors on the outbreak.

On Mar. 2, when Microsoft released updates to plug the four Exchange flaws being attacked, it attributed the hacking activity to a previously unidentified Chinese cyber espionage group it called “Hafnium.” Microsoft said Hafnium had been using the Exchange flaws to conduct a series of low-and-slow attacks against specific strategic targets, such as non-governmental organization (NGOs) and think tanks.

But by Feb. 26, that relatively stealthy activity was morphing into the indiscriminate mass-exploitation of all vulnerable Exchange servers. That means even Exchange users that patched the same day Microsoft released security updates may have had servers seeded with backdoors.

Many experts who spoke to KrebsOnSecurity said they believe different cybercriminal groups somehow learned of Microsoft’s plans to ship fixes for the Exchange flaws a week earlier than they’d hoped (Microsoft originally targeted today, Patch Tuesday, as the release date).

The vulnerability scanning activity also ramped up markedly after Microsoft released its updates on Mar. 2. Security researchers love to tear apart patches for clues about the underlying security holes, and one major concern is that various cybercriminal groups may have already worked out how to exploit the flaws independently.

AVERTING MASS-RANSOMWARE

Security experts now are desperately trying to reach tens of thousands of victim organizations with a single message: Whether you have patched yet or have been hacked, backup any data stored on those servers immediately.

Every source I’ve spoken with about this incident says they fully expect profit-motivated cybercriminals to pounce on victims by mass-deploying ransomware. Given that so many groups now have backdoor web shells installed, it would be trivial to unleash ransomware on the lot of them in one go. Also, compromised Exchange servers can be a virtual doorway into the rest of the victim’s network.

“With the number of different threat actors dropping [web] shells on servers increasing, ransomware is inevitable,” said Allison Nixon, chief research officer at Unit221B, a New York City-based cyber investigations firm.

So far there are no signs of victims of this mass-hack being ransomed. But that may well change if the exploit code used to break into these vulnerable Exchange servers goes public. And nobody I’ve interviewed seems to think working exploit code is going to stay unpublished for much longer.

When that happens, the exploits will get folded into publicly available exploit testing kits, effectively making it simple for any attacker to find and compromise a decent number of victims who haven’t already patched.

CHECK MY OWA

Nixon is part of a group of security industry leaders who are contributing data and time to a new victim notification platform online called Check My OWA (Outlook Web Access, the Internet-facing Web component of Exchange Server machines).

Checkmyown.unit221b.com checks if your Exchange Server domain showed up in attack logs or lists of known-compromised domains.

Perhaps it’s better to call it a self-notification service that is operated from Unit221B’s own web site. It draws on tens of thousands of data points that various ISPs and hosting firms have tied to victims around the world who are likely compromised by the backdoor shells. The data comes from large networks watching the sources and targets of mass-scans for vulnerable Exchange servers.

“Our goal is to motivate people who we might otherwise have never been able to contact,” Nixon said. “My hope is if this site can get out there, then there’s a chance some victim companies are notified and take action or can get attention.”

Enter an email address at Check My OWA, and if that address matches a domain name for a victim organization, that email address will get a notice.

If the email’s domain name (anything to the right of the @ sign) is detected in their database, the site will send that user an email stating that is has observed the email domain in a list of targeted domains.

“Malicious actors were able to successfully compromise, and some of this information suggested they may have been able to install a webshell on an Exchange server associated with this domain,” reads one of the messages to victims. “We strongly recommend saving an offline backup of your Exchange server’s emails immediately, and refer back to the site for additional information on patching and remediation.”

Other Exchange users may see this message:

“We have observed your e-mail domain appears in our list of domains the malicious actors were able to successfully compromise, and some of this information suggested they may have been able to install a webshell on an Exchange server associated with this domain,” is another message the site may return. We strongly recommend saving an offline backup of your Exchange server’s emails immediately, and refer back to the site for additional information on patching and remediation.”

Nixon said Exchange users can save themselves a potentially nightmarish scenario if they just back up any affected systems now. And given the number of adversaries currently attacking still-unpatched Exchange systems, there is almost no way this won’t end in disaster for at least some victims.

“There are researchers running honeypots to [attract] attacks from different groups, and those honeypots are getting shelled left and right,” she said. “The sooner they can run a backup, the better. This can help save a lot of heartache.”

Oh, and one more important thing: You’ll want to keep any backups disconnected from everything. Ransomware has a tendency to infect everything it can, so make sure at least one backup is stored completely offline.

“Just disconnect them from a computer, put them in a safe place and pray you don’t need them,” Nixon said.

source https://krebsonsecurity.com/2021/03/warning-the-world-of-a-ticking-time-bomb/

A Basic Timeline of the Exchange Mass-Hack

Sometimes when a complex story takes us by surprise or knocks us back on our heels, it pays to revisit the events in a somewhat linear fashion. Here’s a brief timeline of what we know leading up to last week’s mass-hack, when hundreds of thousands of Microsoft Exchange Server systems got compromised and seeded with a powerful backdoor Trojan horse program.

When did Microsoft find out about attacks on previously unknown vulnerabilities in Exchange?

Pressed for a date when it first became aware of the problem, Microsoft told KrebsOnSecurity it was initially notified “in early January.” So far the earliest known report came on Jan. 5, from a principal security researcher for security testing firm DEVCOR who goes by the handle “Orange Tsai.” DEVCOR is credited with reporting two of the four Exchange flaws that Microsoft patched on Mar. 2.

Reston, Va.-based Volexity first identified attacks on the flaws on Jan. 6, and officially informed Microsoft about it on Feb. 2. Volexity now says it can see attack traffic going back to Jan. 3. Microsoft credits Volexity with reporting the same two Exchange flaws as DEVCOR.

Danish security firm Dubex says it first saw clients hit on Jan. 18, and reported their incident response findings to Microsoft on Jan. 27.

In a blog post on their discovery, Please Leave an Exploit After the Beep, Dubex said the victims it investigated in January had a “web shell” backdoor installed via the “unifying messaging” module, a component of Exchange that allows an organization to store voicemail and faxes along with emails, calendars, and contacts in users’ mailboxes.

“A unified messaging server also allows users access to voicemail features via smartphones, Microsoft Outlook and Outlook Web App,” Dubex wrote. “Most users and IT departments manage their voicemail separately from their email, and voicemail and email exist as separate inboxes hosted on separate servers. Unified Messaging offers an integrated store for all messages and access to content through the computer and the telephone.”

Dubex says Microsoft “escalated” their issue on Feb. 8, but never confirmed the zero-day with Dubex prior to the emergency patch plea on Mar. 2. “We never got a ‘real’ confirmation of the zero-day before the patch was released,” said Dubex’s Chief Technology Officer Jacob Herbst.

How long have the vulnerabilities exploited here been around?

On Mar. 2, Microsoft patched four flaws in Exchange Server 2013 through 2019. Exchange Server 2010 is no longer supported, but the software giant made a “defense in depth” exception and gave Server 2010 users a freebie patch, too. That means the vulnerabilities the attackers exploited have been in the Microsoft Exchange Server code base for more than ten years.

The timeline also means Microsoft had almost two months to push out the patch it ultimately shipped Mar. 2, or else help hundreds of thousands of Exchange customers mitigate the threat from this flaw before attackers started exploiting it indiscriminately.

Here’s a rough timeline as we know it so far:

Jan. 5: DEVCOR alerts Microsoft of its findings.
Jan. 6: Volexity spots attacks that use unknown vulnerabilities in Exchange.
Jan. 8: DEVCOR reports Microsoft had reproduced the problems and verified their findings.
Jan. 11: DEVCOR snags proxylogon.com, a domain now used to explain its vulnerability discovery process.
Jan. 27: Dubex alerts Microsoft about attacks on a new Exchange flaw.
Jan. 29: Trend Micro publishes a blog post about “Chopper” web shells being dropped via Exchange flaws.
Feb. 2: Volexity warns Microsoft about active attacks on previously unknown Exchange vulnerabilities.
Feb. 8: Microsoft tells Dubex it has “escalated” its report internally.
Feb. 18: Microsoft confirms with DEVCOR a target date of Mar. 9 (tomorrow) for publishing security updates for the Exchange flaws. That is the second Tuesday of the month — a.k.a. “Patch Tuesday,” when Microsoft releases monthly security updates (and yes that means check back here tomorrow for the always riveting Patch Tuesday roundup).
Feb. 26-27: Targeted exploitation gradually turns into a global mass-scan; attackers start rapidly backdooring vulnerable servers.
Mar. 2: A week earlier than previously planned, Microsoft releases updates to plug 4 zero-day flaws.
Mar. 3: Tens of thousands of Exchange servers compromised worldwide, with thousands more servers getting freshly hacked each hour.
Mar. 5: KrebsOnSecurity breaks the news that at least 30,000 organizations in the U.S. — and hundreds of thousands worldwide — now have backdoors installed.
Mar. 5: Wired.com confirms the reported number of victims. White House expresses concern over the size of the attack. Former CISA head Chris Krebs tweets the real victim numbers “dwarf” what’s been reported publicly.
Mar. 6: CISA says it is aware of “widespread domestic and international exploitation of Microsoft Exchange Server flaws.”
Mar. 7-Present: Security experts continue effort to notify victims, coordinate remediation, and remain vigilant for “Stage 2” of this attack (further exploitation of already-compromised servers).

source https://krebsonsecurity.com/2021/03/a-basic-timeline-of-the-exchange-mass-hack/

At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Email Software

At least 30,000 organizations across the United States — including a significant number of small businesses, towns, cities and local governments — have over the past few days been hacked by an unusually aggressive Chinese cyber espionage unit that’s focused on stealing email from victim organizations, multiple sources tell KrebsOnSecurity. The espionage group is exploiting four newly-discovered flaws in Microsoft Exchange Server email software, and has seeded hundreds of thousands of victim organizations worldwide with tools that give the attackers total, remote control over affected systems.

On March 2, Microsoft released emergency security updates to plug four security holes in Exchange Server versions 2013 through 2019 that hackers were actively using to siphon email communications from Internet-facing systems running Exchange.

In the three days since then, security experts say the same Chinese cyber espionage group has dramatically stepped up attacks on any vulnerable, unpatched Exchange servers worldwide.

In each incident, the intruders have left behind a “web shell,” an easy-to-use, password-protected hacking tool that can be accessed over the Internet from any browser that gives the attackers administrative access to the victim’s computer servers.

Speaking on condition of anonymity, two cybersecurity experts who’ve briefed U.S. national security advisors on the attack told KrebsOnSecurity the Chinese hacking group thought to be responsible has seized control over “hundreds of thousands” of Microsoft Exchange Servers worldwide — with each victim system representing approximately one organization that uses Exchange to process email.

Microsoft said the Exchange flaws are being targeted by a previously unidentified Chinese hacking crew it dubbed “Hafnium,” and said the group had been conducting targeted attacks on email systems used by a range of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.

Microsoft’s initial advisory about the Exchange flaws credited Reston, Va. based Volexity for reporting the vulnerabilities. Volexity President Steven Adair said the company first saw attackers quietly exploiting the Exchange bugs on Jan. 6, 2021, a day when most of the world was glued to television coverage of the riot at the U.S. Capitol.

But Adair said that over the past few days the hacking group has shifted into high gear, moving quickly to scan the Internet for Exchange servers that weren’t yet protected by those security updates.

“We’ve worked on dozens of cases so far where web shells were put on the victim system back on Feb. 28 [before Microsoft announced its patches], all the way up to today,” Adair said. “Even if you patched the same day Microsoft published its patches, there’s still a high chance there is a web shell on your server. The truth is, if you’re running Exchange and you haven’t patched this yet, there’s a very high chance that your organization is already compromised.”

Reached for comment, Microsoft said it is working closely with the U.S. Cybersecurity & Infrastructure Security Agency (CISA), other government agencies, and security companies, to ensure it is providing the best possible guidance and mitigation for its customers.

“The best protection is to apply updates as soon as possible across all impacted systems,” a Microsoft spokesperson said in a written statement. “We continue to help customers by providing additional investigation and mitigation guidance. Impacted customers should contact our support teams for additional help and resources.”

Adair said he’s fielded dozens of calls today from state and local government agencies that have identified the backdoors in their Exchange servers and are pleading for help. The trouble is, patching the flaws only blocks the four different ways the hackers are using to get in. But it does nothing to undo the damage that may already have been done.

By all accounts, rooting out these intruders is going to require an unprecedented and urgent nationwide clean-up effort. Adair and others say they’re worried that the longer it takes for victims to remove the backdoors, the more likely it is that the intruders will follow up by installing additional backdoors, and perhaps broadening the attack to include other portions of the victim’s network infrastructure.

Security researchers have published a tool on Microsoft’s Github code repository that lets anyone scan the Internet for Exchange servers that have been infected with the backdoor shell.

KrebsOnSecurity has seen portions of a victim list compiled by running this tool, and it is not a pretty picture. The backdoor web shell is verifiably present on the networks of thousands of U.S. organizations, including banks, credit unions, non-profits, telecommunications providers, public utilities and police, fire and rescue units.

“It’s police departments, hospitals, tons of city and state governments and credit unions,” said one source who’s working closely with federal officials on the matter. “Just about everyone who’s running self-hosted Outlook Web Access and wasn’t patched as of a few days ago got hit with a zero-day attack.”

Another government cybersecurity expert who participated in a recent call with multiple stakeholders impacted by this hacking spree worries the cleanup effort required is going to be Herculean.

“On the call, many questions were from school districts or local governments that all need help,” the source said, speaking on condition they were not identified by name. “If these numbers are in the tens of thousands, how does incident response get done? There are just not enough incident response teams out there to do that quickly.”

When it released patches for the four Exchange Server flaws on Tuesday, Microsoft emphasized that the vulnerability did not affect customers running its Exchange Online service (Microsoft’s cloud-hosted email for businesses). But sources say the vast majority of the organizations victimized so far are running some form of Internet-facing Microsoft Outlook Web Access (OWA) email systems in tandem with Exchange servers internally.

“It’s a question worth asking, what’s Microsoft’s recommendation going to be?,” the government cybersecurity expert said. “They’ll say ‘Patch, but it’s better to go to the cloud.’ But how are they securing their non-cloud products? Letting them wither on the vine.”

The government cybersecurity expert said this most recent round of attacks is uncharacteristic of the kinds of nation-state level hacking typically attributed to China, which tends to be fairly focused on compromising specific strategic targets.

“Its reckless,” the source said. “It seems out of character for Chinese state actors to be this indiscriminate.”]

Microsoft has said the incursions by Hafnium on vulnerable Exchange servers are in no way connected to the separate SolarWinds-related attacks, in which a suspected Russian intelligence group installed backdoors in network management software used by more than 18,000 organizations.

“We continue to see no evidence that the actor behind SolarWinds discovered or exploited any vulnerability in Microsoft products and services,” the company said.

Nevertheless, the events of the past few days may well end up far eclipsing the damage done by the SolarWinds intruders.

This is a fast-moving story, and likely will be updated multiple times throughout the day. Stay tuned.

source https://krebsonsecurity.com/2021/03/at-least-30000-u-s-organizations-newly-hacked-via-holes-in-microsofts-email-software/

Three Top Russian Cybercrime Forums Hacked

Over the past few weeks, three of the longest running and most venerated Russian-language online forums serving thousands of experienced cybercriminals have been hacked. In two of the intrusions, the attackers made off with the forums’ user databases, including email and Internet addresses and hashed passwords. Members of all three forums are worried the incidents could serve as a virtual Rosetta Stone for connecting the real-life identities of the same users across multiple crime forums.

References to the leaked Mazafaka crime forum database were posted online in the past 48 hours.

On Tuesday, someone dumped thousands of usernames, email addresses and obfuscated passwords on the dark web apparently pilfered from Mazafaka (a.k.a. “Maza,” “MFclub“), an exclusive crime forum that has for more than a decade played host to some of the most experienced and infamous Russian cyberthieves.

At the top of a 35-page PDF leaked online is a private encryption key allegedly used by Maza administrators. The database also includes ICQ numbers for many users. ICQ, also known as “I seek you,” was an instant message platform trusted by countless early denizens of these older crime forums before its use fell out of fashion in favor of more private networks, such as Jabber and Telegram.

This is notable because ICQ numbers tied to specific accounts often are a reliable data point that security researchers can use to connect multiple accounts to the same user across many forums and different nicknames over time.

Cyber intelligence firm Intel 471 assesses that the leaked Maza database is legitimate.

“The file comprised more than 3,000 rows, containing usernames, partially obfuscated password hashes, email addresses and other contact details,” Intel 471 found, noting that Maza forum visitors are now redirected to a breach announcement page. “Initial analysis of the leaked data pointed to its probable authenticity, as at least a portion of the leaked user records correlated with our own data holdings.”

The attack on Maza comes just weeks after another major Russian crime forum got plundered. On Jan. 20, a longtime administrator of the Russian language forum Verified disclosed that the community’s domain registrar had been hacked, and that the site’s domain was redirected to an Internet server the attackers controlled.

A note posted by a Verified forum administrator concerning the hack of its registrar in January.

“Our [bitcoin] wallet has been cracked. Luckily, we did not keep large amounts in it, but this is an unpleasant incident anyway. Once the circumstances became clear, the admin assumed that THEORETICALLY, all the forum’s accounts could have been compromised (the probability is low, but it is there). In our business, it’s better to play safe. So, we’ve decided to reset everyone’s codes. This is not a big deal. Simply write them down and use them from now on.”

A short time later, the administrator updated his post, saying:

“We are getting messages that the forum’s databases were filched after all when the forum was hacked. Everyone’s account passwords were forcibly reset. Pass this information to people you know. The forum was hacked through the domain registrar. The registrar was hacked first, then domain name servers were changed, and traffic was sniffed.”

On Feb. 15, the administrator posted a message purportedly sent on behalf of the intruders, who claimed they hacked Verified’s domain registrar between Jan. 16 and 20.

“It should be clear by now that the forum administration did not do an acceptable job with the security of this whole thing,” the attacker explained. “Most likely just out of laziness or incompetence, they gave up the whole thing. But the main surprise for us was that they saved all the user data, including cookies, referrers, ip addresses of the first registrations, login analytics, and everything else.”

Other sources indicate tens of thousands of private messages between Verified users were stolen, including information about bitcoin deposits and withdrawals and private Jabber contacts.

The compromise of Maza and Verified — and possibly a third major forum — has many community members concerned that their real-life identities could be exposed. Exploit — perhaps the next-largest and most popular Russian forum after Verified, also experienced an apparent compromise this week.

According to Intel 471, on March 1, 2021, the administrator of the Exploit cybercrime forum claimed that a proxy server the forum used for protection from distributed denial-of-service (DDoS) attacks might have been compromised by an unknown party. The administrator stated that on Feb. 27, 2021, a monitoring system detected unauthorized secure shell access to the server and an attempt to dump network traffic.

Some forum lurkers have speculated that these recent compromises feel like the work of some government spy agency.

“Only intelligence services or people who know where the servers are located can pull off things like that,” mused one mainstay of Exploit. “Three forums in one month is just weird. I don’t think those were regular hackers. Someone is purposefully ruining forums.”

Others are wondering aloud which forum will fall next, and bemoaning the loss of trust among users that could be bad for business.

“Perhaps they work according to the following logic,” wrote one Exploit user. “There will be no forums, there will be no trust between everyone, less cooperation, more difficult to find partners – fewer attacks.”

source https://krebsonsecurity.com/2021/03/three-top-russian-cybercrime-forums-hacked/

Microsoft: Chinese Cyberspies Used 4 Exchange Server Flaws to Plunder Emails

Microsoft Corp. today released software updates to plug four security holes that attackers have been using to plunder email communications at companies that use its Exchange Server products. The company says all four flaws are being actively exploited as part of a complex attack chain deployed by a previously unidentified Chinese cyber espionage group.

The software giant typically releases security updates on the second Tuesday of each month, but it occasionally deviates from that schedule when addressing active attacks that target newly identified and serious vulnerabilities in its products.

The patches released today fix security problems in Microsoft Exchange Server 2013, 2016 and 2019. Microsoft said its Exchange Online service — basically hosted email for businesses — is not impacted by these flaws.

Microsoft credited researchers at Reston, Va. based Volexity for reporting the attacks. Volexity President Steven Adair told KrebsOnSecurity it first spotted the attacks on Jan. 6, 2021.

Adair said while the exploits used by the group may have taken great skills to develop, they require little technical know-how to use and can give an attacker easy access to all of an organization’s email if their vulnerable Exchange Servers are directly exposed to the Internet.

“These flaws are very easy to exploit,” Adair said. “You don’t need any special knowledge with these exploits. You just show up and say ‘I would like to break in and read all their email.’ That’s all there is to it.”

Microsoft says the flaws are being used by a previously unknown Chinese espionage group that’s been dubbed “Hafnium,” which is known to launch its attacks using hosting companies based in the United States.

“Hafnium primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs,” Microsoft said. “HAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers. Once they’ve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA.”

According to Microsoft, Hafnium attackers have been observed combining all four zero-day flaws to target organizations running vulnerable Exchange Server products.

CVE-2021-26855 is a “server-side request forgery” (SSRF) flaw, in which a server (in this case, an on-premises Exchange Server) can be tricked into running commands that it should never have been permitted to run, such as authenticating as the Exchange server itself.

The attackers used CVE-2021-26857 to run code of their choice under the “system” account on a targeted Exchange server. The other two zero-day flaws — CVE-2021-26858 and CVE-2021-27065 — could allow an attacker to write a file to any part of the server.

After exploiting these vulnerabilities to gain initial access, Hafnium operators deployed web shells on the compromised server, Microsoft said. Web shells are essentially software backdoors that allow attackers to steal data and perform additional malicious actions that lead to further compromise.

Neither Microsoft nor Volexity is aware of publicly available code that would allow other cybercriminals to exploit these Exchange vulnerabilities. But given that these attacks are in the wild now, it may only be a matter of days before exploit code is publicly available online.

Microsoft stressed that the exploits detailed today were in no way connected to the separate SolarWinds-related attacks. “We continue to see no evidence that the actor behind SolarWinds discovered or exploited any vulnerability in Microsoft products and services,” the company said.

Payroll/HR Giant PrismHR Hit by Ransomware?

PrismHR, a company that sells technology used by other firms to help more than 80,000 small businesses manage payroll, benefits, and human resources, has suffered what appears to be an ongoing ransomware attack that is disrupting many of its services.

Hopkinton, Mass.-based PrismHR handles everything from payroll processing and human resources to health insurance and tax forms for hundreds of “professional employer organizations” (PEOs) that serve more than two million employees. The company processes more than $80 billion payroll payments annually on behalf of PEOs and their clients.

Countless small businesses turn to PEOs in part because they simplify compliance with various state payroll taxes, and because PEOs are the easiest way for small businesses to pool their resources and obtain more favorable health insurance rates for their employees.

PrismHR has not yet responded to requests for comment. But in a notice sent to its PEO partners, PrismHR said it detected suspicious activity within its networks on Feb. 28, and that it disabled access to its platform for all users in an effort to contain the security incident.

The company said the disruption has affected 200 PEO clients across the country, and that the most immediate concern is helping PEOs ensure their customers can process payrolls this week.

“The outage may extend throughout today and possibly later, with potential impact on payroll processing,” Prism explained in a template email it suggested PEO partners share with their customers. “We are committed to ensuring everyone receives their pay as timely and as accurately as possible. For this payroll period, we will use estimates from the last available payroll period. Once the software platform is back online, we will perform a reconciliation and correct any discrepancies as soon as possible.”

Jacob Cloran is co-founder of Decimal, a company that does accounting for small businesses, many of whom rely on PEOs affected by the PrismHR outage. Decimal itself uses a PEO that relies on PrismHR.

“We don’t have a good option to run our payroll this week, and the message we’ve received from our PEO doesn’t give me a lot of confidence we’ll be able to do that,” Cloran said.

Cloran said while there are other cloud-based companies that work with multiple PEOs, PrismHR is by far the largest.

“Prism is the only real option on the PEO software market,” he said. “Everyone I know who has tried any of the others ends up back at Prism. It’s the best of all bad available options.”

PrismHR did not specify what was responsible for the suspicious network activity, but their actions so far are straight out of the textbook recommendations for responding to a ransomware outbreak. A notice from the PEO working with some of Cloran’s clients stated that PrismHR was in the process of rebuilding its entire system from data backups in a new environment.

Also, the crooks behind ransomware attacks typically wait until the weekend to unleash their malware within victim organizations, knowing that most targets will be short-staffed or out of the office at this time. PrismHR said it detected the activity on Sunday.

Ransomware victims perhaps in the toughest spot include those providing cloud data hosting and software-as-service offerings, as these businesses are often unable to serve their customers while a ransomware infestation is active.

Ransomware renders any files it touches unreadable unless and until a victim pays for a digital key needed to unlock the encryption on them. Worse, it has become almost a best practice among ransomware criminal groups to steal as much data as possible from the victim organization prior to unleashing the ransom malware within a target environment.

Some of that data is often then published on dark web victim shaming sites in a bid to force the victim company into paying up. Some companies victimized by ransomware even face dual ransom demands: One for a digital key needed to unlock access to files, and a second payment in exchange for a promise not to publish all of the stolen data. Those that refuse to be extorted are told to expect that huge amounts of sensitive company data will be published online or sold on the dark web (or both).

PrismHR said in a statement to its PEO customers that while its investigation and response to the incident is ongoing, the company “is not aware of any sensitive data being breached or compromised.”

Given the volume and sensitive nature of the data PrismHR managed on behalf of PEO clients, it’s no doubt those clients and their customers are hoping that statement is accurate as well.

source https://krebsonsecurity.com/2021/03/payroll-hr-giant-prismhr-hit-by-ransomware/

Is Your Browser Extension a Botnet Backdoor?

A company that rents out access to more than 10 million Web browsers so that clients can hide their true Internet addresses has built its network by paying browser extension makers to quietly include its code in their creations. This story examines the lopsided economics of extension development, and why installing an extension can be such a risky proposition.

Singapore-based Infatica[.]io is part of a growing industry of shadowy firms trying to woo developers who maintain popular browser extensions — desktop and mobile device software add-ons available for download from Apple, Google, Microsoft and Mozilla designed to add functionality or customization to one’s browsing experience.

Some of these extensions have garnered hundreds of thousands or even millions of users. But here’s the rub: As an extension’s user base grows, maintaining them with software updates and responding to user support requests tends to take up an inordinate amount of the author’s time. Yet extension authors have few options for earning financial compensation for their work.

So when a company comes along and offers to buy the extension — or pay the author to silently include some extra code — that proposal is frequently too good to pass up.

For its part, Infatica seeks out authors with extensions that have at least 50,000 users. An extension maker who agrees to incorporate Infatica’s computer code can earn anywhere from $15 to $45 each month for every 1,000 active users.

An Infatica graphic explaining the potential benefits for extension owners.

Infatica’s code then uses the browser of anyone who has that extension installed to route Web traffic for the company’s customers, including marketers or anyone able to afford its hefty monthly subscription charges.

The end result is when Infatica customers browse to a web site, that site thinks the traffic is coming from the Internet address tied to the extension user, not the customer’s.

Infatica prices its service based on the volume of web traffic a customer is seeking to anonymize, from $360 a month for 40 gigabytes all the way to $20,000 a month for 10,000 gigabytes of data traffic pushed through millions of residential computers.

THE ECONOMICS OF EXTENSIONS

Hao Nguyen is the developer behind ModHeader, an extension used by more than 400,000 people to test the functionality of websites by making it easier for users to modify the data shared with those sites. When Nguyen found himself spending increasing amounts of his time and money supporting the extension, he tried including ads in the program to help offset costs.

ModHeader users protested loudly against the change, and Nguyen removed the ads — which he said weren’t making him much money anyway.

“I had spent at least 10 years building this thing and had no luck monetizing it,” he told KrebsOnSecurity.

Nguyen said he ignored multiple requests from different companies offering to pay him to insert their code, mainly because the code gave those firms the ability to inject whatever they wanted into his program (and onto his users’ devices) at any time.

Then came Infatica, whose code was fairly straightforward by comparison, he said. It restricted the company to routing web requests through his users’ browsers, and did not try to access more sensitive components of the user’s browser experience, such as stored passwords and cookies, or viewing the user’s screen.

More importantly, the deal would net him at least $1,500 a month, and possibly quite a bit more.

“I gave Infatica a try but within a few days I got a lot of negative user reviews,” he said. “They didn’t like that the extension might be using their browser as a proxy for going to not so good places like porn sites.”

Again he relented, and removed the Infatica code.

A TARGET-RICH ENVIRONMENT

These days, Nguyen is focusing more of his time on chrome-stats.com, which provides detailed information on more than 150,000 extensions. The service is free for limited use, but subscribers who pay a monthly fee can get access to more resources, such as older extension versions and details about their code components.

According to chrome-stats.com, the majority of extensions — more than 100,000 of them — are effectively abandoned by their authors, or haven’t been updated in more than two years. In other words, there a great many developers who are likely to be open to someone else buying up their creation and their user base.

Image: chrome-stats.com

The vast majority of extensions are free, although a handful that have attracted a large and loyal enough following have been able to charge for their creations or for subscription services tied to the extension. But last year, Google announced it was shutting down paid Chrome extensions offered on its Chrome Web Store.

Nguyen said this will only exacerbate the problem of frustrated developers turning to offers from dodgy marketing firms.

“It’s a really tough marketplace for extension developers to be able to monetize and get reward for maintaining their extensions,” he said. “There are tons of small developers who haven’t been able to do anything with their extensions. That’s why some of them will go into shady integration or sell the extension for some money and just be done with it.”

A solicitation sent by Infatica to the developer of the SponsorBlock extension. Image: sponsor.ajay.app

WHO IS INFATICA?

It is unclear how many extensions currently incorporate Infatica’s code. KrebsOnSecurity searched for extensions that invoke several domains tied to Infatica’s Web proxy service (e.g., extendbalanc[.]org, ipv4v6[.]info). This research was conducted using Nguyen’s site and crxcavator.io, a similar extension research site owned by networking giant Cisco Systems.

Those searches revealed that Infatica’s code has been associated with at least three dozen extensions over the past few years, including several that had more than 100,000 users. One of those is Video Downloader Plus, which at one point claimed nearly 1.4 million active users.

The founder and director of Infatica — a resident of Biysk, Russia named Vladimir Fomenko — did not respond to multiple requests for comment.

Infatica founder Vladimir M. Fomenko.

Fomenko is the sole director of the iNinja VPN, another service that obfuscates the true Internet address of its more than 400,000 users. It stands to reason that iNinja VPN also is not only offering its customers a way to obfuscate their Internet address, but is actively using those same systems to route traffic for other customers: A Chrome browser plugin and ad blocker by the same name whose code includes Infatica’s “extenbalanc” domain has 400,000 users.

That would put Infatica in line with the activities of another major controversial VPN/proxy provider: Illuminati, a.k.a. “HolaVPN.” In 2015, security researchers discovered that users of the HolaVPN browser extension were being used to funnel Web traffic for other people. Indeed, in the screenshot above, Infatica’s marketing team can be seen comparing its business model to that of HolaVPN.

Fomenko has appeared in two previous KrebsOnSecurity stories; both concerned King Servers (a.k.a. “Hosting Solution Ltd.“), a hosting company he has operated for years which caters mostly to adult websites.

In 2016, hackers suspected of working for Russian state security services compromised databases for election systems in Arizona and Illinois. Six of the eight Internet addresses identified by the FBI as sources of the attack traced back to King Servers. In an interview with The New York Times several months later, Fomenko flatly denied having any ties to the hacking.

According to the Russian daily Novaya Gazeta, revelations about the 2016 hacking incident’s ties to King Servers led to treason charges against Sergey Mikhaylov, the former deputy chief of Russia’s top anti-cybercrime unit.

Russian authorities charged that Mikhaylov had tipped off the FBI to information about Fomenko and King Servers. In 2019, Mikhaylov was convicted and sentenced to 22 years in a penal colony.

BE SPARING IN TRUSTING EXTENSIONS

Browser extensions — however useful or fun they may seem when you install them — typically have a great deal of power and can effectively read and/or write all data in your browsing sessions. The powers granted to each extension are roughly spelled out in its “manifest,” basically a description of what it will be able to access once you incorporate it into your browser.

According to Nguyen’s chrome-stats.com, about a third of all extensions for Chrome — by far the most widely-used Web browser — require no special permissions. But the remainder require the user to place a good deal of trust in the extension’s author. For example, approximately 30 percent can view all of your data on all or specific websites, or index your open tabs and browsing activity.

Image: chrome-stats.com

More than 68,000 Chrome extensions allow the execution of arbitrary code in the context of webpages, effectively allowing the extension to alter the appearance and functionality of specific sites.

I hope it’s obvious by this point, but readers should be extremely cautious about installing extensions — sticking mainly to those that are actively supported and respond to user concerns.

Personally, I do not make much use of browser extensions. In almost every case I’ve considered installing one I’ve been sufficiently spooked by the permissions requested that I ultimately decided it wasn’t worth the risk, given that any extension can go rogue at the whims of its author.

If you’re the type of person who uses multiple extensions, it may be wise to adopt a risk-based approach going forward. Given the high stakes that typically come with installing an extension, consider carefully whether having the extension is truly worth it. This applies equally to plug-ins designed for Web site content management systems like WordPress and Joomla.

Do not agree to update an extension if it suddenly requests more permissions than a previous version. This should be a giant red flag that something is not right. If this happens with an extension you trust, you’d be well advised to remove it entirely.

Also, never download and install an extension just because some Web site says you need it to view some type of content. Doing so is almost always a high-risk proposition. Here, Rule #1 from KrebsOnSecurity’s Three Rules of Online Safety comes into play: “If you didn’t go looking for it, don’t install it.” Finally, in the event you do wish to install something, make sure you’re getting it directly from the entity that produced the software.

Google Chrome users can see any extensions they have installed by clicking the three dots to the right of the address bar, selecting “More tools” in the resulting drop-down menu, then “Extensions.” In Firefox, click the three horizontal bars next to the address bar and select “Add-ons,” then click the “Extensions” link on the resulting page to view any installed extensions.

source https://krebsonsecurity.com/2021/03/is-your-browser-extension-a-botnet-backdoor/