The Dark Nexus Between Harm Groups and ‘The Com’

September 13, 2024
29 Comments

A cyberattack that shut down two of the top casinos in Las Vegas last year quickly became one of the most riveting security stories of 2023. It was the first known case of native English-speaking hackers in the United States and Britain teaming up with ransomware gangs based in Russia. But that made-for-Hollywood narrative has eclipsed a far more hideous trend: Many of these young, Western cybercriminals are also members of fast-growing online groups that exist solely to bully, stalk, harass and extort vulnerable teens into physically harming themselves and others.

Image: Shutterstock.

In September 2023, a Russian ransomware group known as ALPHV/Black Cat claimed credit for an intrusion at the MGM Resorts hotel chain that quickly brought MGM’s casinos in Las Vegas to a standstill. While MGM was still trying to evict the intruders from its systems, an individual who claimed to have firsthand knowledge of the hack contacted multiple media outlets to offer interviews about how it all went down.

One account of the hack came from a 17-year-old in the United Kingdom, who told reporters the intrusion began when one of the English-speaking hackers phoned a tech support person at MGM and tricked them into resetting the password for an employee account.

The security firm CrowdStrike dubbed the group “Scattered Spider,” a recognition that the MGM hackers came from different cliques scattered across an ocean of Telegram and Discord servers dedicated to financially-oriented cybercrime.

Collectively, this archipelago of crime-focused chat communities is known as “The Com,” and it functions as a kind of distributed cybercriminal social network that facilitates instant collaboration.

But mostly, The Com is a place where cybercriminals go to boast about their exploits and standing within the community, or to knock others down a peg or two. Top Com members are constantly sniping over who pulled off the most impressive heists, or who has accumulated the biggest pile of stolen virtual currencies.

And as often as they extort victim companies for financial gain, members of The Com are trying to wrest stolen money from their cybercriminal rivals — often in ways that spill over into physical violence in the real world.

CrowdStrike would go on to produce and sell Scattered Spider action figures, and it featured a life-sized Scattered Spider sculpture at this year’s RSA Security Conference in San Francisco.

But marketing security products and services based on specific cybercriminal groups can be tricky, particularly if it turns out that robbing and extorting victims is by no means the most abhorrent activity those groups engage in on a daily basis.

KrebsOnSecurity examined the Telegram user ID number of the account that offered media interviews about the MGM hack — which corresponds to the screen name “@Holy” — and found the same account was used across a number of cybercrime channels that are entirely focused on extorting young people into harming themselves or others, and recording the harm on video.

HOLY NAZI

Holy was known to possess multiple prized Telegram usernames, including @bomb, @halo, and @cute, as well as one of the highest-priced Telegram usernames ever put up for sale: @nazi.

In one post on a Telegram channel dedicated to youth extortion, this same user can be seen asking if anyone knows the current Telegram handles for several core members of 764, an extremist group known for victimizing children through coordinated online campaigns of extortion, doxing, swatting and harassment.

People affiliated with harm groups like 764 will often recruit new members by lurking on gaming platforms, social media sites and mobile applications that are popular with young people, including Discord, Minecraft, Roblox, Steam, Telegram, and Twitch.

“This type of offence usually starts with a direct message through gaming platforms and can move to more private chatrooms on other virtual platforms, typically one with video enabled features, where the conversation quickly becomes sexualized or violent,” warns a recent alert from the Royal Canadian Mounted Police (RCMP) about the rise of sextortion groups on social media channels.

“One of the tactics being used by these actors is sextortion, however, they are not using it to extract money or for sexual gratification,” the RCMP continued. “Instead they use it to further manipulate and control victims to produce more harmful and violent content as part of their ideological objectives and radicalization pathway.”

The 764 network is among the most populated harm communities, but there are plenty more. Some of the largest such known groups include CVLT, Court, Kaskar, Leak Society, 7997, 8884, 2992, 6996, 555, Slit Town, 545, 404, NMK, 303, and H3ll.

In March, a consortium of reporters from Wired, Der Spiegel, Recorder and The Washington Post examined millions of messages across more than 50 Discord and Telegram chat groups.

“The abuse perpetrated by members of com groups is extreme,” Wired’s Ali Winston wrote. “They have coerced children into sexual abuse or self-harm, causing them to deeply lacerate their bodies to carve ‘cutsigns’ of an abuser’s online alias into their skin.” The story continues:

“Victims have flushed their heads in toilets, attacked their siblings, killed their pets, and in some extreme instances, attempted or died by suicide. Court records from the United States and European nations reveal participants in this network have also been accused of robberies, in-person sexual abuse of minors, kidnapping, weapons violations, swatting, and murder.”

“Some members of the network extort children for sexual pleasure, some for power and control. Some do it merely for the kick that comes from manipulation. Others sell the explicit CSAM content produced by extortion on the dark web.”

KrebsOnSecurity has learned Holy is the 17-year-old who was arrested in July 2024 by the U.K.’s West Midlands Police as part of a joint investigation with the FBI into the MGM hack.

Early in their cybercriminal career (as a 15-year-old), @Holy went by the handle “Vsphere,” and was a proud member of the LAPSUS$ cybercrime group. Throughout 2022, LAPSUS$ would hack and social engineer their way into some of the world’s biggest technology companies, including EA Games, Microsoft, NVIDIA, Okta, Samsung, and T-Mobile.

JUDISCHE/WAIFU

Another timely example of the overlap between harm communities and top members of The Com can be found in a group of criminals who recently stole obscene amounts of customer records from users of the cloud data provider Snowflake.

At the end of 2023, malicious hackers figured out that many major companies have uploaded massive amounts of valuable and sensitive customer data to Snowflake servers, all the while protecting those Snowflake accounts with little more than a username and password (no multi-factor authentication required). The group then searched darknet markets for stolen Snowflake account credentials, and began raiding the data storage repositories used by some of the world’s largest corporations.

Among those that had data exposed in Snowflake was AT&T, which disclosed in July that cybercriminals had stolen personal information and phone and text message records for roughly 110 million people — nearly all its customers.

A report on the extortion group from the incident response firm Mandiant notes that Snowflake victim companies were privately approached by the hackers, who demanded a ransom in exchange for a promise not to sell or leak the stolen data. All told, more than 160 organizations were extorted, including TicketMaster, Lending Tree, Advance Auto Parts and Neiman Marcus.

On May 2, 2024, a user by the name “Judische” claimed on the fraud-focused Telegram channel Star Chat that they had hacked Santander Bank, one of the first known Snowflake victims. Judische would repeat that claim in Star Chat on May 13 — the day before Santander publicly disclosed a data breach — and would periodically blurt out the names of other Snowflake victims before their data even went up for sale on the cybercrime forums.

A careful review of Judische’s account history and postings on Telegram shows this user is more widely known under the nickname “Waifu,” an early moniker that corresponds to one of the more accomplished SIM-swappers in The Com over the years.

In a SIM-swapping attack, the fraudsters will phish or purchase credentials for mobile phone company employees, and use those credentials to redirect a target’s mobile calls and text messages to a device the attackers control.

Several channels on Telegram maintain a frequently updated leaderboard of the 100 richest SIM-swappers, as well as the hacker handles associated with specific cybercrime groups (Waifu is ranked #24). That leaderboard has long included Waifu on a roster of hackers for a group that called itself “Beige.”

Beige members were implicated in two stories published here in 2020. The first was an August 2020 piece called Voice Phishers Targeting Corporate VPNs, which warned that the COVID-19 epidemic had brought a wave of voice phishing or “vishing” attacks that targeted work-from-home employees via their mobile devices, and tricked many of those people into giving up credentials needed to access their employer’s network remotely.

Beige group members also have claimed credit for a breach at the domain registrar GoDaddy. In November 2020, intruders thought to be associated with the Beige Group tricked a GoDaddy employee into installing malicious software, and with that access they were able to redirect the web and email traffic for multiple cryptocurrency trading platforms.

The Telegram channels that Judische and his related accounts frequented over the years show this user divides their time between posting in SIM-swapping and cybercrime cashout channels, and harassing and stalking others in harm communities like Leak Society and Court.

Mandiant has attributed the Snowflake compromises to a group it calls “UNC5537,” with members based in North America and Turkey. KrebsOnSecurity has learned Judische is a 26-year-old software engineer in Ontario, Canada.

Sources close to the investigation into the Snowflake incident tell KrebsOnSecurity the UNC5537 member in Turkey is John Erin Binns, an elusive American man indicted by the U.S. Department of Justice (DOJ) for a 2021 breach at T-Mobile that exposed the personal information of at least 76.6 million customers.

Binns is currently in custody in a Turkish prison and fighting his extradition. Meanwhile, he has been suing almost every federal agency and agent that contributed investigative resources to his case.

In June 2024, a Mandiant employee told Bloomberg that UNC5537 members have made death threats against cybersecurity experts investigating the hackers, and that in one case the group used artificial intelligence to create fake nude photos of a researcher to harass them. Continue reading

Bug Left Some Windows PCs Dangerously Unpatched

September 10, 2024
25 Comments

Microsoft Corp. today released updates to fix at least 79 security vulnerabilities in its Windows operating systems and related software, including multiple flaws that are already showing up in active attacks. Microsoft also corrected a critical bug that has caused some Windows 10 PCs to remain dangerously unpatched against actively exploited vulnerabilities for several months this year.

By far the most curious security weakness Microsoft disclosed today has the snappy name of CVE-2024-43491, which Microsoft says is a vulnerability that led to the rolling back of fixes for some vulnerabilities affecting “optional components” on certain Windows 10 systems produced in 2015. Those include Windows 10 systems that installed the monthly security update for Windows released in March 2024, or other updates released until August 2024.

Satnam Narang, senior staff research engineer at Tenable, said that while the phrase “exploitation detected” in a Microsoft advisory normally implies the flaw is being exploited by cybercriminals, it appears labeled this way with CVE-2024-43491 because the rollback of fixes reintroduced vulnerabilities that were previously know to be exploited.

“To correct this issue, users need to apply both the September 2024 Servicing Stack Update and the September 2024 Windows Security Updates,” Narang said.

Kev Breen, senior director of threat research at Immersive Labs, said the root cause of CVE-2024-43491 is that on specific versions of Windows 10, the build version numbers that are checked by the update service were not properly handled in the code.

“The notes from Microsoft say that the ‘build version numbers crossed into a range that triggered a code defect’,” Breen said. “The short version is that some versions of Windows 10 with optional components enabled was left in a vulnerable state.” Continue reading

Advertisement

Sextortion Scams Now Include Photos of Your Home

September 3, 2024
114 Comments

An old but persistent email scam known as “sextortion” has a new personalized touch: The missives, which claim that malware has captured webcam footage of recipients pleasuring themselves, now include a photo of the target’s home in a bid to make threats about publishing the videos more frightening and convincing.

This week, several readers reported receiving sextortion emails that addressed them by name and included images of their street or front yard that were apparently lifted from an online mapping application such as Google Maps.

The message purports to have been sent from a hacker who’s compromised your computer and used your webcam to record a video of you while you were watching porn. The missive threatens to release the video to all of your contacts unless you pay a Bitcoin ransom. In this case, the demand is just shy of $2,000, payable by scanning a QR code embedded in the email.

Following a salutation that includes the recipient’s full name, the start of the message reads, “Is visiting [recipient’s street address] a more convenient way to contact if you don’t take action. Nice location btw.” Below that is the photo of the recipient’s street address.

A semi-redacted screenshot of a newish sextortion scam that includes a photo of the target’s front yard.

The message tells people they have 24 hours to pay up, or else their embarrassing videos will be released to all of their contacts, friends and family members.

“Don’t even think about replying to this, it’s pointless,” the message concludes. “I don’t make mistakes, [recipient’s name]. If I notice that you’ve shared or discussed this email with someone else, your shitty video will instantly start getting sent to your contacts.”

The remaining sections of the two-page sextortion message (which arrives as a PDF attachment) are fairly formulaic and include thematic elements seen in most previous sextortion waves. Those include claims that the extortionist has installed malware on your computer (in this case the scammer claims the spyware is called “Pegasus,” and that they are watching everything you do on your machine).

Previous innovations in sextortion customization involved sending emails that included at least one password they had previously used at an account online that was tied to their email address. Continue reading

Owners of 1-Time Passcode Theft Service Plead Guilty

September 2, 2024
14 Comments

Three men in the United Kingdom have pleaded guilty to operating otp[.]agency, a once popular online service that helped attackers intercept the one-time passcodes (OTPs) that many websites require as a second authentication factor in addition to passwords.

Launched in November 2019, OTP Agency was a service for intercepting one-time passcodes needed to log in to various websites. Scammers who had already stolen someone’s bank account credentials could enter the target’s phone number and name, and the service would initiate an automated phone call to the target that warned them about unauthorized activity on their account.

The call would prompt the target to enter a one-time passcode that was sent to the user via SMS when the thieves attempted to log in. Any codes shared by the target were then relayed to the scammer’s user panel at the OTP Agency website.

A statement published Aug. 30 by the U.K.’s National Crime Agency (NCA) said three men pleaded guilty to running OTP Agency: Callum Picari, 22, from Hornchurch, Essex; Vijayasidhurshan Vijayanathan, 21, from Aylesbury, Buckinghamshire; and Aza Siddeeque, 19, from Milton Keynes, Buckinghamshire.

KrebsOnSecurity profiled OTP Agency in a February 2021 story about arrests tied to another phishing-related service based in the U.K. Someone claiming to represent OTP Agency then posted several comments on the piece, wherein they claimed the story was libelous and that they were a legitimate anti-fraud service. However, the service’s Telegram channel clearly showed its proprietors had built OTP Agency with one purpose in mind: To help their customers take over online accounts.

Within hours of that publication, OTP Agency shuttered its website and announced it was closing up shop and purging its user database. The NCA said the February 2021 story prompted a panicked message exchange between Picari and Vijayanathan:

Picari said: bro we are in big trouble… U will get me bagged… Bro delete the chat

Vijayanathan: Are you sure

Picari: So much evidence in there

Vijayanathan: Are you 100% sure

Picari: It’s so incriminating…Take a look and search ‘fraud’…Just think of all the evidence…that we cba to find…in the OTP chat…they will find

Vijayanathan: Exactly so if we just shut EVERYTHING down

Picari: They went to our first ever msg…We look incriminating…if we shut down…I say delete the chat…Our chat is Fraud 100%

Vijayanathan : Everyone with a brain will tell you stop it here and move on

Picari: Just because we close it doesn’t mean we didn’t do it…But deleting our chat…Will f*^k their investigations…There’s nothing fraudulent on the site

Despite deleting its Telegram channel, OTP Agency evidently found it difficult to walk away from its customers (and/or the money). Instead of shutting down as Vijayanathan wisely advised, just a few days later OTP Agency was communicating with customers on a new Telegram channel, offering a new login page and assuring existing customers that their usernames, passwords and balances would remain the same.

OTP Agency, immediately after their initial shutdown, telling customers their existing logins will still work.

Continue reading

When Get-Out-The-Vote Efforts Look Like Phishing

August 28, 2024
42 Comments

Multiple media reports this week warned Americans to be on guard against a new phishing scam that arrives in a text message informing recipients they are not yet registered to vote. A bit of digging reveals the missives were sent by a California political consulting firm as part of a well-meaning but potentially counterproductive get-out-the-vote effort that had all the hallmarks of a phishing campaign.

Image: WDIV Detroit on Youtube.

On Aug. 27, the local Channel 4 affiliate WDIV in Detroit warned about a new SMS message wave that they said could prevent registered voters from casting their ballot. The story didn’t explain how or why the scam could block eligible voters from casting ballots, but it did show one of the related text messages, which linked to the site all-vote.com.

“We have you in our records as not registered to vote,” the unbidden SMS advised. “Check your registration status & register in 2 minutes.”

Similar warnings came from an ABC station in Arizona, and from an NBC affiliate in Pennsylvania, where election officials just issued an alert to be on the lookout for scam messages coming from all-vote.com. Some people interviewed who received the messages said they figured it was a scam because they knew for a fact they were registered to vote in their state. WDIV even interviewed a seventh-grader from Canada who said he also got the SMS saying he wasn’t registered to vote.

Someone trying to determine whether all-vote.com was legitimate might visit the main URL first (as opposed to just clicking the link in the SMS) to find out more about the organization. But visiting all-vote.com directly presents one with a login page to an online service called bl.ink. DomainTools.com finds all-vote.com was registered on July 10, 2024. Red flag #1.

The information requested from people who visited votewin.org via the SMS campaign.

Another version of this SMS campaign told recipients to check their voter status at a site called votewin.org, which DomainTools says was registered July 9, 2024. There is little information about who runs votewin.org on its website, and the contact page leads to generic contact form. Red Flag #2.

What’s more, Votewin.org asks visitors to supply their name, address, email address, date of birth, mobile phone number, while pre-checking options to sign the visitor up for more notifications. Big Red Flag #3.

Votewin.org’s Terms of Service referenced a California-based voter engagement platform called VoteAmerica LLC. The same voter registration query form advertised in the SMS messages is available if one clicks the “check your registration status” link on voteamerica.org.

VoteAmerica founder Debra Cleaver told KrebsOnSecurity the entity responsible for the SMS campaigns telling people they weren’t registered is Movement Labs, a political consulting firm in San Francisco.

Cleaver said her office had received several inquiries about the messages, which violate a key tenet of election outreach: Never tell the recipient what their voter status may be.

“That’s one of the worst practices,” Cleaver said. “You never tell someone what the voter file says because voter files are not reliable, and are often out of date.”

Reached via email, Movement Labs founder Yoni Landau said the SMS campaigns targeted “underrepresented groups in the electorate, young people, folks who are moving, low income households and the like, who are unregistered in our databases, with the intent to help them register to vote.”

Landau said filling out the form on Votewin.org merely checks to see if the visitor is registered to vote in their state, and then attempts to help them register if not.

“We understand that many people are jarred by the messages – we tested hundreds of variations of messages and found that these had the largest impact on someone’s likelihood to register,” he said. “I’m deeply sorry for anyone that may have gotten the message in error, who is registered to vote, and we’re looking into our content now to see if there are any variations that might be less certain but still as effective in generating new legal registrations.”

Cleaver said Movement Labs’ SMS campaign may have been incompetent, but it wasn’t malicious.

“When you work in voter mobilization, it’s not enough to want to do good, you actually need to be good,” she said. “At the end of the day the end result of incompetence and maliciousness is the same: increased chaos, reduced voter turnout, and long-term harm to our democracy.”

To register to vote or to update your voter registration, visit vote.gov and select your state or region.

New 0-Day Attacks Linked to China’s ‘Volt Typhoon’

August 27, 2024
12 Comments

Malicious hackers are exploiting a zero-day vulnerability in Versa Director, a software product used by many Internet and IT service providers. Researchers believe the activity is linked to Volt Typhoon, a Chinese cyber espionage group focused on infiltrating critical U.S. networks and laying the groundwork for the ability to disrupt communications between the United States and Asia during any future armed conflict with China.

Image: Shutterstock.com

Versa Director systems are primarily used by Internet service providers (ISPs), as well as managed service providers (MSPs) that cater to the IT needs of many small to mid-sized businesses simultaneously. In a security advisory published Aug. 26, Versa urged customers to deploy a patch for the vulnerability (CVE-2024-39717), which the company said is fixed in Versa Director 22.1.4 or later.

Versa said the weakness allows attackers to upload a file of their choosing to vulnerable systems. The advisory placed much of the blame on Versa customers who “failed to implement system hardening and firewall guidelines…leaving a management port exposed on the internet that provided the threat actors with initial access.”

Versa’s advisory doesn’t say how it learned of the zero-day flaw, but its vulnerability listing at mitre.org acknowledges “there are reports of others based on backbone telemetry observations of a 3rd party provider, however these are unconfirmed to date.”

Those third-party reports came in late June 2024 from Michael Horka, senior lead information security engineer at Black Lotus Labs, the security research arm of Lumen Technologies, which operates one of the global Internet’s largest backbones.

In an interview with KrebsOnSecurity, Horka said Black Lotus Labs identified a web-based backdoor on Versa Director systems belonging to four U.S. victims and one non-U.S. victim in the ISP and MSP sectors, with the earliest known exploit activity occurring at a U.S. ISP on June 12, 2024.

“This makes Versa Director a lucrative target for advanced persistent threat (APT) actors who would want to view or control network infrastructure at scale, or pivot into additional (or downstream) networks of interest,” Horka wrote in a blog post published today.

Black Lotus Labs said it assessed with “medium” confidence that Volt Typhoon was responsible for the compromises, noting the intrusions bear the hallmarks of the Chinese state-sponsored espionage group — including zero-day attacks targeting IT infrastructure providers, and Java-based backdoors that run in memory only.

In May 2023, the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and the Cybersecurity Infrastructure Security Agency (CISA) issued a joint warning (PDF) about Volt Typhoon, also known as “Bronze Silhouette” and “Insidious Taurus,” which described how the group uses small office/home office (SOHO) network devices to hide their activity.

In early December 2023, Black Lotus Labs published its findings on “KV-botnet,” thousands of compromised SOHO routers that were chained together to form a covert data transfer network supporting various Chinese state-sponsored hacking groups, including Volt Typhoon.

In January 2024, the U.S. Department of Justice disclosed the FBI had executed a court-authorized takedown of the KV-botnet shortly before Black Lotus Labs released its December report. Continue reading

Local Networks Go Global When Domain Names Collide

August 23, 2024
36 Comments

The proliferation of new top-level domains (TLDs) has exacerbated a well-known security weakness: Many organizations set up their internal Microsoft authentication systems years ago using domain names in TLDs that didn’t exist at the time. Meaning, they are continuously sending their Windows usernames and passwords to domain names they do not control and which are freely available for anyone to register. Here’s a look at one security researcher’s efforts to map and shrink the size of this insidious problem.

At issue is a well-known security and privacy threat called “namespace collision,” a situation where domain names intended to be used exclusively on an internal company network end up overlapping with domains that can resolve normally on the open Internet.

Windows computers on a private corporate network validate other things on that network using a Microsoft innovation called Active Directory, which is the umbrella term for a broad range of identity-related services in Windows environments. A core part of the way these things find each other involves a Windows feature called “DNS name devolution,” a kind of network shorthand that makes it easier to find other computers or servers without having to specify a full, legitimate domain name for those resources.

Consider the hypothetical private network internalnetwork.example.com: When an employee on this network wishes to access a shared drive called “drive1,” there’s no need to type “drive1.internalnetwork.example.com” into Windows Explorer; entering “\\drive1\” alone will suffice, and Windows takes care of the rest.

But problems can arise when an organization has built their Active Directory network on top of a domain they don’t own or control. While that may sound like a bonkers way to design a corporate authentication system, keep in mind that many organizations built their networks long before the introduction of hundreds of new top-level domains (TLDs), like .network, .inc, and .llc.

For example, a company in 2005 builds their Microsoft Active Directory service around the domain company.llc, perhaps reasoning that since .llc wasn’t even a routable TLD, the domain would simply fail to resolve if the organization’s Windows computers were ever used outside of its local network.

Alas, in 2018, the .llc TLD was born and began selling domains. From then on, anyone who registered company.llc would be able to passively intercept that organization’s Microsoft Windows credentials, or actively modify those connections in some way — such as redirecting them somewhere malicious.

Philippe Caturegli, founder of the security consultancy Seralys, is one of several researchers seeking to chart the size of the namespace collision problem. As a professional penetration tester, Caturegli has long exploited these collisions to attack specific targets that were paying to have their cyber defenses probed. But over the past year, Caturegli has been gradually mapping this vulnerability across the Internet by looking for clues that appear in self-signed security certificates (e.g. SSL/TLS certs).

Caturegli has been scanning the open Internet for self-signed certificates referencing domains in a variety of TLDs likely to appeal to businesses, including .ad, .associates, .center, .cloud, .consulting, .dev, .digital, .domains, .email, .global, .gmbh, .group, .holdings, .host, .inc, .institute, .international, .it, .llc, .ltd, .management, .ms, .name, .network, .security, .services, .site, .srl, .support, .systems, .tech, .university, .win and .zone, among others.

Seralys found certificates referencing more than 9,000 distinct domains across those TLDs. Their analysis determined many TLDs had far more exposed domains than others, and that about 20 percent of the domains they found ending .ad, .cloud and .group remain unregistered.

“The scale of the issue seems bigger than I initially anticipated,” Caturegli said in an interview with KrebsOnSecurity. “And while doing my research, I have also identified government entities (foreign and domestic), critical infrastructures, etc. that have such misconfigured assets.”

REAL-TIME CRIME

Some of the above-listed TLDs are not new and correspond to country-code TLDs, like .it for Italy, and .ad, the country-code TLD for the tiny nation of Andorra. Caturegli said many organizations no doubt viewed a domain ending in .ad as a convenient shorthand for an internal Active Directory setup, while being unaware or unworried that someone could actually register such a domain and intercept all of their Windows credentials and any unencrypted traffic.

When Caturegli discovered an encryption certificate being actively used for the domain memrtcc.ad, the domain was still available for registration. He then learned the .ad registry requires prospective customers to show a valid trademark for a domain before it can be registered.

Undeterred, Caturegli found a domain registrar that would sell him the domain for $160, and handle the trademark registration for another $500 (on subsequent .ad registrations, he located a company in Andorra that could process the trademark application for half that amount).

Caturegli said that immediately after setting up a DNS server for memrtcc.ad, he began receiving a flood of communications from hundreds of Microsoft Windows computers trying to authenticate to the domain. Each request contained a username and a hashed Windows password, and upon searching the usernames online Caturegli concluded they all belonged to police officers in Memphis, Tenn.

“It looks like all of the police cars there have a laptop in the cars, and they’re all attached to this memrtcc.ad domain that I now own,” Caturegli said, noting wryly that “memrtcc” stands for “Memphis Real-Time Crime Center.”

Caturegli said setting up an email server record for memrtcc.ad caused him to begin receiving automated messages from the police department’s IT help desk, including trouble tickets regarding the city’s Okta authentication system.

Mike Barlow, information security manager for the City of Memphis, confirmed the Memphis Police’s systems were sharing their Microsoft Windows credentials with the domain, and that the city was working with Caturegli to have the domain transferred to them.

“We are working with the Memphis Police Department to at least somewhat mitigate the issue in the meantime,” Barlow said.

Domain administrators have long been encouraged to use .local for internal domain names, because this TLD is reserved for use by local networks and cannot be routed over the open Internet. However, Caturegli said many organizations seem to have missed that memo and gotten things backwards — setting up their internal Active Directory structure around the perfectly routable domain local.ad.

Caturegli said he knows this because he “defensively” registered local.ad, which he said is currently used by multiple large organizations for Active Directory setups — including a European mobile phone provider, and the City of Newcastle in the United Kingdom. Continue reading

National Public Data Published Its Own Passwords

August 19, 2024
127 Comments

New details are emerging about a breach at National Public Data (NPD), a consumer data broker that recently spilled hundreds of millions of Americans’ Social Security Numbers, addresses, and phone numbers online. KrebsOnSecurity has learned that another NPD data broker which shares access to the same consumer records inadvertently published the passwords to its back-end database in a file that was freely available from its homepage until today.

In April, a cybercriminal named USDoD began selling data stolen from NPD. In July, someone leaked what was taken, including the names, addresses, phone numbers and in some cases email addresses for more than 272 million people (including many who are now deceased).

NPD acknowledged the intrusion on Aug. 12, saying it dates back to a security incident in December 2023. In an interview last week, USDoD blamed the July data leak on another malicious hacker who also had access to the company’s database, which they claimed has been floating around the underground since December 2023.

Following last week’s story on the breadth of the NPD breach, a reader alerted KrebsOnSecurity that a sister NPD property — the background search service recordscheck.net — was hosting an archive that included the usernames and password for the site’s administrator.

A review of that archive, which was available from the Records Check website until just before publication this morning (August 19), shows it includes the source code and plain text usernames and passwords for different components of recordscheck.net, which is visually similar to nationalpublicdata.com and features identical login pages.

The exposed archive, which was named “members.zip,” indicates RecordsCheck users were all initially assigned the same six-character password and instructed to change it, but many did not.

According to the breach tracking service Constella Intelligence, the passwords included in the source code archive are identical to credentials exposed in previous data breaches that involved email accounts belonging to NPD’s founder, an actor and retired sheriff’s deputy from Florida named Salvatore “Sal” Verini.

Reached via email, Mr. Verini said the exposed archive (a .zip file) containing recordscheck.net credentials has been removed from the company’s website, and that the site is slated to cease operations “in the next week or so.”

“Regarding the zip, it has been removed but was an old version of the site with non-working code and passwords,” Verini told KrebsOnSecurity. “Regarding your question, it is an active investigation, in which we cannot comment on at this point. But once we can, we will [be] with you, as we follow your blog. Very informative.”

The leaked recordscheck.net source code indicates the website was created by a web development firm based in Lahore, Pakistan called creationnext.com, which did not return messages seeking comment. CreationNext.com’s homepage features a positive testimonial from Sal Verini.

A testimonial from Sal Verini on the homepage of CreationNext, the Lahore, Pakistan-based web development firm that apparently designed NPD and RecordsCheck.

There are now several websites that have been stood up to help people learn if their SSN and other data was exposed in this breach. One is npdbreach.com, a lookup page erected by Atlas Data Privacy Corp. Another lookup service is available at npd.pentester.com. Both sites show NPD had old and largely inaccurate data on Yours Truly. Continue reading

NationalPublicData.com Hack Exposes a Nation’s Data

August 15, 2024
43 Comments

A great many readers this month reported receiving alerts that their Social Security Number, name, address and other personal information were exposed in a breach at a little-known but aptly-named consumer data broker called NationalPublicData.com. This post examines what we know about a breach that has exposed hundreds of millions of consumer records. We’ll also take a closer look at the data broker that got hacked — a background check company founded by an actor and retired sheriff’s deputy from Florida.

On July 21, 2024, denizens of the cybercrime community Breachforums released more than 4 terabytes of data they claimed was stolen from nationalpublicdata.com, a Florida-based company that collects data on consumers and processes background checks.

The breach tracking service HaveIBeenPwned.com and the cybercrime-focused Twitter account vx-underground both concluded the leak is the same information first put up for sale in April 2024 by a prolific cybercriminal who goes by the name “USDoD.”

On April 7, USDoD posted a sales thread on Breachforums for four terabytes of data — 2.9 billion rows of records — they claimed was taken from nationalpublicdata.com. The snippets of stolen data that USDoD offered as teasers showed rows of names, addresses, phone numbers, and Social Security Numbers (SSNs). Their asking price? $3.5 million.

Many media outlets mistakenly reported that the National Public data breach affects 2.9 billion people (that figure actually refers to the number of rows in the leaked data sets). HaveIBeenPwned.com’s Troy Hunt analyzed the leaked data and found it is a somewhat disparate collection of consumer and business records, including the real names, addresses, phone numbers and SSNs of millions of Americans (both living and deceased), and 70 million rows from a database of U.S. criminal records.

Hunt said he found 137 million unique email addresses in the leaked data, but stressed that there were no email addresses in the files containing SSN records.

“If you find yourself in this data breach via HaveIBeenPwned.com, there’s no evidence your SSN was leaked, and if you’re in the same boat as me, the data next to your record may not even be correct.”

Nationalpublicdata.com publicly acknowledged a breach in a statement on Aug. 12, saying “there appears to have been a data security incident that may have involved some of your personal information. The incident appears to have involved a third-party bad actor that was trying to hack into data in late December 2023, with potential leaks of certain data in April 2024 and summer 2024.”

The company said the information “suspected of being breached” contained name, email address, phone number, social security number, and mailing address(es).

“We cooperated with law enforcement and governmental investigators and conducted a review of the potentially affected records and will try to notify you if there are further significant developments applicable to you,” the statement continues. “We have also implemented additional security measures in efforts to prevent the reoccurrence of such a breach and to protect our systems.”

Hunt’s analysis didn’t say how many unique SSNs were included in the leaked data. But according to researchers at Atlas Data Privacy Corp., there are 272 million unique SSNs in the entire records set.

Atlas found most records have a name, SSN, and home address, and that approximately 26 percent of those records included a phone number. Atlas said they verified 5,000 addresses and phone numbers, and found the records pertain to people born before Jan. 1, 2002 (with very few exceptions).

If there is a tiny silver lining to the breach it is this: Atlas discovered that many of the records related to people who are now almost certainly deceased. They found the average age of the consumer in these records is 70, and fully two million records are related to people whose date of birth would make them more than 120 years old today. Continue reading

Six 0-Days Lead Microsoft’s August 2024 Patch Push

August 13, 2024
13 Comments

Microsoft today released updates to fix at least 90 security vulnerabilities in Windows and related software, including a whopping six zero-day flaws that are already being actively exploited by attackers.

Image: Shutterstock.

This month’s bundle of update joy from Redmond includes patches for security holes in Office, .NET, Visual Studio, Azure, Co-Pilot, Microsoft Dynamics, Teams, Secure Boot, and of course Windows itself. Of the six zero-day weaknesses Microsoft addressed this month, half are local privilege escalation vulnerabilities — meaning they are primarily useful for attackers when combined with other flaws or access.

CVE-2024-38106, CVE-2024-38107 and CVE-2024-38193 all allow an attacker to gain SYSTEM level privileges on a vulnerable machine, although the vulnerabilities reside in different parts of the Windows operating system.

Microsoft’s advisories include little information about the last two privilege escalation flaws, other than to note they are being actively exploited. Microsoft says CVE-2024-38106 exists in the Windows Kernel and is being actively exploited, but that it has a high “attack complexity,” meaning it can be tricky for malware or miscreants to exploit reliably.

“Microsoft lists exploit complexity as high due to the attacker needing to win a race condition,” Trend Micro’s ZeroDay Initiative (ZDI) noted. “However, some races are easier to run than others. It’s times like this where the CVSS can be misleading. Race conditions do lead to complexity high in the CVSS score, but with attacks in the wild, it’s clear this bug is readily exploitable.” Continue reading