Other


29
Jul 19

No Jail Time for “WannaCry Hero”

Marcus Hutchins, the “accidental hero” who helped arrest the spread of the global WannaCry ransomware outbreak in 2017, will receive no jail time for his admitted role in authoring and selling malware that helped cyberthieves steal online bank account credentials from victims, a federal judge ruled Friday.

Marcus Hutchins, just after he was revealed as the security expert who stopped the WannaCry worm. Image: twitter.com/malwaretechblog

The British security enthusiast enjoyed instant fame after the U.K. media revealed he’d registered and sinkholed a domain name that researchers later understood served as a hidden “kill switch” inside WannaCry, a fast-spreading, highly destructive strain of ransomware which propagated through a Microsoft Windows exploit developed by and subsequently stolen from the U.S. National Security Agency.

In August 2017, FBI agents arrested then 23-year-old Hutchins on suspicion of authoring and spreading the “Kronos” banking trojan and a related malware tool called UPAS Kit. Hutchins was released shortly after his arrest, but ordered to remain in the United States pending trial.

Many in the security community leaped to his defense at the time, noting that the FBI’s case appeared flimsy and that Hutchins had worked tirelessly through his blog to expose cybercriminals and their malicious tools. Hundreds of people donated to his legal defense fund.

In September 2017, KrebsOnSecurity published research which strongly suggested Hutchins’ dozens of alter egos online had a fairly lengthy history of developing and selling various malware tools and services. In April 2019, Hutchins pleaded guilty to criminal charges of conspiracy and to making, selling or advertising illegal wiretapping devices.

At his sentencing hearing July 26, U.S. District Judge Joseph Peter Stadtmueller said Hutchins’ action in halting the spread of WannaCry was far more consequential than the two malware strains he admitted authoring, and sentenced him to time served plus one year of supervised release.  Continue reading →


7
May 19

What’s Behind the Wolters Kluwer Tax Outage?

Early in the afternoon on Friday, May, 3, I asked a friend to relay a message to his security contact at CCH, the cloud-based tax division of the global information services firm Wolters Kluwer in the Netherlands. The message was that the same file directories containing new versions of CCH’s software were open and writable by any anonymous user, and that there were suspicious files in those directories indicating some user(s) abused that access.

Shortly after that report, the CCH file directory for tax software downloads was taken offline. As of this publication, several readers have reported outages affecting multiple CCH Web sites. These same readers reported being unable to access their clients’ tax data in CCH’s cloud because of the ongoing outages. A Reddit thread is full of theories.

One of the many open and writable directories on CCH’s site before my report on Friday.

I do not have any information on whether my report about the world-writable file server had anything to do with the outages going on now at CCH. Nor did I see any evidence that any client data was exposed on the site.

What I did see in those CCH directories were a few odd PHP and text files, including one that seemed to be promoting two different and unrelated Russian language discussion forums.

I sent Wolters Kluwer an email asking how long the file server had been so promiscuous (allowing anyone to upload files to the server), and what the company was doing to validate the integrity of the software made available for download by CCH tax customers.

Marisa Westcott, vice president of marketing and communications at Wolters Kluwer, told KrebsOnSecurity on Friday that she would “check with the team to see if we can get some answers to your questions.”

But subsequent emails and phone calls have gone unreturned. Calls to the company’s main support number (800-739-9998) generate the voice message, “We are currently experiencing technical difficulties. Please try your call again later.”

On Tuesday morning, Wolters Kluwer released an update on the extensive outage via Twitter, saying:

“Since yesterday, May 6, we are experiencing network and service interruptions affecting certain Wolters Kluwer platforms and applications. Out of an abundance of caution, we proactively took offline a number of other applications and we immediately began our investigation and remediation efforts. The secure use of our products and services is our top priority. we have ben able to restore network and services for a number – but not all — of our systems.”

Accounting Today reports today that a PR representative from Wolters Kluwer Tax & Accounting, which makes the CCH products, confirmed the outage was the result of a malware attack: Continue reading →


29
Dec 18

Happy 9th Birthday, KrebsOnSecurity!

Hard to believe we’ve gone another revolution around the Sun: Today marks the 9th anniversary of KrebsOnSecurity.com!

This past year featured some 150 blog posts, but as usual the biggest contribution to this site came from the amazing community of readers here who have generously contributed their knowledge, wit and wisdom in more than 10,000 comments.

Speaking of generous contributions, more than 100 readers have expressed their support in 2018 via PayPal donations to this site. The majority of those funds go toward paying for subscription-based services that KrebsOnSecurity relies upon for routine data gathering and analysis. Thank you.

Your correspondence and tips have been invaluable, so by all means keep them coming. For the record, I’m reachable via a variety of means, including email, the contact form on this site, and of course Facebook, LinkedIn, and Twitter (direct messages are open to all). For more secure and discreet communications, please consider reaching out via Keybase, Wicker (krebswickr), or Signal (by request). Continue reading →


1
Mar 18

Financial Cyber Threat Sharing Group Phished

The Financial Services Information Sharing and Analysis Center (FS-ISAC), an industry forum for sharing data about critical cybersecurity threats facing the banking and finance industries, said today that a successful phishing attack on one of its employees was used to launch additional phishing attacks against FS-ISAC members.

The fallout from the back-to-back phishing attacks appears to have been limited and contained, as many FS-ISAC members who received the phishing attack quickly detected and reported it as suspicious. But the incident is a good reminder to be on your guard, remember that anyone can get phished, and that most phishing attacks succeed by abusing the sense of trust already established between the sender and recipient.

The confidential alert FS-ISAC sent to members about a successful phishing attack that spawned phishing emails coming from the FS-ISAC.

Notice of the phishing incident came in an alert FS-ISAC shared with its members today and obtained by KrebsOnSecurity. It describes an incident on Feb. 28 in which an FS-ISAC employee “clicked on a phishing email, compromising that employee’s login credentials. Using the credentials, a threat actor created an email with a PDF that had a link to a credential harvesting site and was then sent from the employee’s email account to select members, affiliates and employees.”

The alert said while FS-ISAC was already planning and implementing a multi-factor authentication (MFA) solution across all of its email platforms, “unfortunately, this incident happened to an employee that was not yet set up for MFA. We are accelerating our MFA solution across all FS-ISAC assets.”

The FS-ISAC also said it upgraded its Office 365 email version to provide “additional visibility and security.”

In an interview with KrebsOnSecurity, FS-ISAC President and CEO Bill Nelson said his organization has grown significantly in new staff over the past few years to more than 75 people now, including Greg Temm, the FS-ISAC’s chief information risk officer.

“To say I’m disappointed this got through is an understatement,” Nelson said. “We need to accelerate MFA extremely quickly for all of our assets.” Continue reading →


29
Dec 17

Happy 8th Birthday, KrebsOnSecurity!

Eight years ago today I set aside my Washington Post press badge and became an independent here at KrebsOnSecurity.com. What a wild ride it has been. Thank you all, Dear Readers, for sticking with me and for helping to build a terrific community.

This past year KrebsOnSecurity published nearly 160 stories, generating more than 11,000 reader comments. The pace of publications here slowed down in 2017, but then again I have been trying to focus on quality over quantity, and many of these stories took weeks or months to report and write.

As always, a big Thank You to readers who sent in tips and personal experiences that helped spark stories here. For anyone who wishes to get in touch, I can always be reached via this site’s contact form, or via email at krebsonsecurity @ gmail dot com.

Here are some other ways to reach out: Continue reading →


2
Dec 17

Former NSA Employee Pleads Guilty to Taking Classified Data

A former employee for the National Security Agency pleaded guilty on Friday to taking classified data to his home computer in Maryland. According to published reports, U.S. intelligence officials believe the data was then stolen from his computer by hackers working for the Russian government.

Nghia Hoang Pho, 67, of Ellicott City, Maryland, pleaded guilty today to “willful retention of national defense information.” The U.S. Justice Department says that beginning in April 2006 Pho was employed as a developer for the NSA’s Tailored Access Operations (TAO) unit, which develops specialized hacking tools to gather intelligence data from foreign targets and information systems.

According to Pho’s plea agreement, between 2010 and March 2015 he removed and retained highly sensitive classified “documents and writings that contained national defense information, including information classified as Top Secret.”

Pho is the third NSA worker to be charged in the past two years with mishandling classified data. His plea is the latest — and perhaps final — chapter in the NSA’s hunt for those responsible for leaking NSA hacking tools that have been published online over the past year by a shadowy group calling itself The Shadow Brokers.

Neither the government’s press release about the plea nor the complaint against Pho mention what happened to the classified documents after he took them home. But a report in The New York Times cites government officials speaking on condition of anonymity saying that Pho had installed on his home computer antivirus software made by a Russian security firm Kaspersky Lab, and that Russian hackers are believed to have exploited the software to steal the classified documents. Continue reading →


28
Nov 17

MacOS High Sierra Users: Change Root Password Now

A newly-discovered flaw in macOS High Sierra — Apple’s latest iteration of its operating system — allows anyone with local (and, apparently in some cases, remote) access to the machine to log in as the all-powerful “root” user without supplying a password. Fortunately, there is a simple fix for this until Apple patches this inexplicable bug: Change the root account’s password now.

Update, Nov. 29, 11:40 a.m. ET: Apple has released a patch for this flaw. More information on the fix is here. The update is available via the App Store app on your Mac. Click Updates in the App Store toolbar, then use the Update buttons to download and install any updates listed.

Original story:

For better or worse, this glaring vulnerability was first disclosed today on Twitter by Turkish software developer Lemi Orhan Ergin, who unleashed his findings onto the Internet with a tweet to @AppleSupport:

“Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as “root” with empty password after clicking on login button several times. Are you aware of it @Apple?”

High Sierra users should be able to replicate the exploit by accessing System Preferences, then Users & Groups, and then click the lock to make changes. Type “root” with no password, and simply try that several times until the system relents and lets you in.

How does one change the root password? It’s simple enough. Open up a Terminal (in the Spotlight search box just type “terminal”) and type “sudo passwd root”. Continue reading →


20
Nov 17

Fund Targets Victims Scammed Via Western Union

If you, a friend or loved one lost money in a scam involving Western Union, some or all of those funds may be recoverable thanks to a more than half-billion dollar program set up by the U.S. Federal Trade Commission.

In January 2017, Englewood, Colo.-based Western Union settled a case with the FTC and the Department of Justice wherein it admitted to multiple criminal violations, including willfully failing to maintain an effective anti-money laundering program and aiding and abetting wire fraud. As part of the settlement, the global money transfer business agreed to forfeit $586 million.

Last week, the FTC announced that individuals who lost money to scammers who told them to pay via Western Union’s money transfer system between January 1, 2004 and January 19, 2017 can now file a claim to get their money back by going to FTC.gov/WU before February 12, 2018.

Scammers tend to rely on money transfer businesses like Western Union and MoneyGram because once the money is sent and picked up by the recipient the transaction is generally irreversible. Such scams include transfers made for fraudulent lottery and prizesfamily emergenciesadvance-fee loans, and online dating, among others. Continue reading →


15
Nov 17

R.I.P. root9B? We Hardly Knew Ya!

root9B Holdings, a company that many in the security industry consider little more than a big-name startup aimed at cashing in on the stock market’s insatiable appetite for cybersecurity firms, surprised no one this week when it announced it was ceasing operations at the end of the year.

Founded in 2011 as root9B Technologies, the company touted itself as an IT security training firm staffed by an impressive list of ex-military leaders with many years of cybersecurity experience at the Department of Defense and National Security Agency (NSA). As it began to attract more attention from investors, root9B’s focus shifted to helping organizations hunt for cyber intruders within their networks.

By 2015, root9B was announcing lucrative cybersecurity contracts with government agencies and the infusion of millions from investors. The company’s stock was ballooning in price, reaching an all-time high in mid-May 2015.

That was just days after root9B issued a headline-grabbing report about how its cyber intelligence had single-handedly derailed a planned Russian cyber attack on several U.S. financial institutions.

The report, released May 12, 2015, claimed root9B had uncovered plans by an infamous Russian hacking group to target several banks. The company said the thwarted operation was orchestrated by Fancy Bear/Sofacy, a so-called “advanced persistent threat” (APT) hacking group known for launching sophisticated phishing attacks aimed at infiltrating some of the world’s biggest corporations.  root9B released its Q1 2015 earnings two days later, reporting record revenues.

On May 20, 2015, KrebsOnSecurity published a rather visceral dissection of that root9B report: Security Firm Redefines APT; African Phishing Threat. The story highlighted the thinness of the report’s claims, pointing to multiple contradictory findings by other security firms which suggested the company had merely detected several new phishing domains being erected by a comparatively low-skilled African phishing gang that was well-known to investigators and U.S. banks.

In mid-June 2015, an anonymous researcher who’d apparently done a rather detailed investigation into root9B’s finances said the company was “a worthless reverse-merger created by insiders with [a] long history of penny-stock wipeouts, fraud allegations, and disaster.”

That report, published by the crowd-sourced financial market research site SeekingAlpha.com, sought to debunk claims by root9B that it possessed “proprietary” cybersecurity hardware and software, noting that the company mainly acts as a reseller of a training module produced by a third party.

root9B’s stock price never recovered from those reports, and began a slow but steady decline after mid-2015. In Dec. 2016, root9B Technologies announced a reverse split of its issued and outstanding common stock, saying it would be moving to the NASDAQ market with the trading symbol RTNB and a new name — root9B Holdings. On January 18, 2017, a reshuffled root9B rang the market opening bell at NASDAQ, and got a bounce when it said it’d been awarded a five-year training contract to support the U.S. Defense Department. Continue reading →


14
Nov 17

Adobe, Microsoft Patch Critical Cracks

It’s Nov. 14 — the second Tuesday of the month (a.k.a. “Patch Tuesday) — and Adobe and Microsoft have issued gobs of security updates for their software. Microsoft’s 11 patch bundles fix more than four-dozen security holes in various Windows versions and Office products — including at least four serious flaws that were publicly disclosed prior to today. Meanwhile, Adobe’s got security updates available for a slew of titles, including Flash Player, Photoshop, Reader and Shockwave.

Four of the vulnerabilities Microsoft fixed today have public exploits, but they do not appear to be used in any active malware campaigns, according to Gill Langston at security vendor Qualys. Perhaps the two most serious flaws likely to impact Windows end users involve vulnerabilities in Microsoft browsers Internet Explorer and Edge.

Qualys’ Langston reminds us that on last Patch Tuesday, Microsoft quietly released the fix for CVE-2017-13080, widely known as the KRACK vulnerability in WPA2 wireless protocol, but did not make it known until a week later, when the vulnerability was publicly disclosed. Check out the Qualys blog and this post from Ivanti for more on this month’s patches from Redmond. Otherwise, visit Windows Update sometime soon (click the Start/Windows button, then type Windows Update). Continue reading →