Posts Tagged: Recorded Future


27
Mar 17

Alleged vDOS Owners Poised to Stand Trial

Police in Israel are recommending that the state attorney’s office indict and prosecute two 18-year-olds suspected of operating vDOS, until recently the most popular attack service for knocking Web sites offline.

On Sept. 8, 2016, KrebsOnSecurity published a story about the hacking of vDOS, a service that attracted tens of thousands of paying customers and facilitated countless distributed denial-of-service (DDoS) attacks over the four year period it was in business. That story named two young Israelis — Yarden Bidani and Itay Huri — as the likely owners and operators of vDOS, and within hours of its publication the two were arrested by Israeli police, placed on house arrest for 10 days, and forbidden from using the Internet for a month.

The front page of vDOS, when it was still online last year.

The front page of vDOS, when it was still online last year.

After those restrictions came and went, some readers expressed surprise that there were no formal charges announced against either of the young men. This week, however, Israeli police sent letters to lawyers for both men stating that the official investigation was nearing completion and that they planned to urge government prosecutors to pursue criminal charges.

The police are preparing to recommend prosecutors charge the men with computer fraud and extortion, alleging they caused more than six million shekels worth of damage (approximately USD $1.65 million).

Bidani’s attorney Perach Aroch told KrebsOnSecurity that her client has not yet been officially charged with any crime. But she said once the investigation is complete the defense will have 30 days to review the evidence and to make arguments as to why the case should be dismissed.

“They have to give us 30 days to see all the evidence and to try to convince them why they should not take this case to court,” Aroch said. “After that, [the prosecutors will] decide if it should go to trial.”

18-year-old Yarden Bidani.

18-year-old Yarden Bidani.

The arrest of Bidani and Huri came after the police received information from the Federal Bureau of Investigation (FBI). But the United States apparently isn’t the only country weighing in on this case: According to a story published Sunday by Israeli news outlet TheMarker.com, the government of Sweden also is urging Israeli prosecutors to pursue formal charges.

It’s unclear exactly why the Swedish government is so interested in this case, but the vDOS service has been implicated in a series high-profile attacks that brought down some of the country’s largest news media Web sites last year.

Shortly after those attacks in March 2016, Somerville, Mass.-based security intelligence firm Recorded Future published an analysis linking the assaults against Swedish media sites to vDOS and to “applej4ck,” the hacker nickname allegedly used by Bidani.

In publicizing the news of vDOS’s hack last year, KrebsOnSecurity also published several months of attack logs from the vDOS service. However, those logs only dated back to May 2016.

Itay Huri’s lawyer declined to comment for this story, but TheMarker’s Amitai Ziv obtained a statement from Huri’s attorney, who accused Israeli police of applying pressure and terror through the media instead of looking for the truth.

Ziv said sources he’s spoken to believe the case will almost certainly go to trial.

“Professionals involved in the case said the likelihood of indictments in the affair is very high,” he wrote.

According to Bidani’s lawyer Aroch, the two former friends are now pointing the finger of blame at each other and are no longer speaking to one another.

“They each now accuse each other in things, so it’s a little bit of a problem,” Aroch said.

Aroch said both Bidani and Huri are free to travel and even leave the country, although both men have had their bank and PayPal accounts frozen.

Bidani and Huri allegedly started vDOS when they were 14 years old. By the time the service was shut down last September, it had attracted tens of thousands of customers who paid for attacks in PayPal (when vDOS’s PayPal accounts were shut down, the service briefly shifted to accepting payment via Bitcoin).

My Sept. 2016 investigation into the hacking of vDOS revealed that in just two of the four years the service was in operation, it brought in revenues of more than $600,000. Continue reading →


14
Dec 16

New Critical Fixes for Flash, MS Windows

Both Adobe and Microsoft on Tuesday issued patches to plug critical security holes in their products. Adobe’s Flash Player patch addresses 17 security flaws, including one “zero-day” bug that is already actively being exploited by attackers. Microsoft’s bundle of updates tackles at least 42 security weaknesses in Windows and associated software.

brokenwindows

Half of the dozen patches Microsoft released yesterday earned its “critical” rating, meaning the flaws fixed in the updates could be exploited by malware or miscreants to seize remote control over vulnerable Windows computers without any help from users.

As per usual, the largest share of flaws fixed are in Microsoft’s browsers — Internet Explorer and Edge. Also included in the mix are updates for Microsoft Office and .NET.

According to security firm Shavlik, several of the vulnerabilities fixed with this Microsoft patches were publicly disclosed prior to this week, meaning would-be attackers have had a head start trying to figure out how to exploit them.

As part of a new Microsoft policy that took effect in October, home and business Windows users will no longer be able to pick and choose which updates to install and which to leave for another time. Consumers on Windows 7 Service Pack 1 and Windows 8.1 will henceforth receive what Redmond is calling a “Monthly Rollup,” which addresses both security issues and reliability issues in a single update. The “Security-only updates” option — intended for enterprises and not available via Windows Update —  will only include new security patches that are released for that month. What this means is that if any part of the patch bundle breaks, the only option is to remove the entire bundle (instead of the offending patch, as was previously possible). Continue reading →


11
Nov 15

Critical Fixes for Windows, Adobe Flash Player

For the third time in a month, Adobe has issued an update to plug security holes in its Flash Player software. The update came on Patch Tuesday, when Microsoft released a dozen patches to fix dozens of vulnerabilities in Windows, Internet Explorer, Skype and other software.

brokenwindowsOne-quarter of the patches from Microsoft address flaws that the company labels “critical,” meaning they can be exploited by malware or malcontents to break into vulnerable systems with no help from users. Four of the bulletins address vulnerabilities that were publicly disclosed prior to Patch Tuesday, meaning malicious hackers had a head start in figuring out how to exploit those weaknesses.

Top of the priority list among these 12 patches should probably be the one for Internet Explorer, which fixes more than two dozen flaws in IE, nearly all of them critical, browse-to-a-hacked-site-and-get-owned flaws. Another patch, MS15-113, fixes critical bugs in Microsoft’s Edge Browser, its intended replacement for IE. Also of note is a Microsoft Office patch that addresses seven flaws.

This month also includes a patch for .NET, a program that past experience has taught me to patch separately. If you use Windows and Windows Update says you have patches available for .NET, consider unchecking those updates until you’ve applied the rest released on Tuesday. Reboot and install any available .NET updates.

Separately, Adobe issued a patch for its Flash Player software that fixes at least 17 vulnerabilities in the program and in Adobe AIR. Adobe says it is not aware of any exploits in the wild for issues addressed in this update, but readers should seriously consider whether having Flash installed and/or enabled in the browser is worth the risk.  Continue reading →


11
Sep 13

‘Yahoo Boys’ Have 419 Facebook Friends

Earlier this week, I wrote about an online data theft service that got hacked. That compromise exposed a user base of mostly young Nigerian men apparently engaged in an array of cybercrime activities — from online dating scams to 419 schemes. It turned out that many of these guys signed up for the data theft service using the same email address they used to register their Facebook accounts. Today’s post looks at the social networks between and among these individuals.

Of the nearly 3,000 BestRecovery users, about 280 of them had Facebook accounts tied to their BestRecovery email addresses. George Mason University associate professor Damon McCoy and several of his grad students volunteered to scrape those profiles that were open and map their social networks to see if there were any obvious or discernible patterns in the data.

The raw data itself — which ranked the BestRecovery users on number of connections they had to other users — was potentially useful, but difficult to parse into meaningful chunks. Oddly enough, as I was poring over that data I heard from Chris Ahlberg, the CEO of Recorded Future Inc., a Cambridge, Mass. software company that specializes in Web intelligence and predictive analytics. Ahlberg was writing to say that he enjoyed the blog — particularly the posts with data-intensive analyses — and that he’d be delighted to collaborate on a data-rich research project at some point. I told him his timing couldn’t have been more serendipitous.

Ahlberg and his team took the raw scraped data sets from the Facebook accounts and ran it through their cyber intelligence applications. In short order, they produced some very compelling and beautiful graphs, shown below.

Staffan Truvé, Recorded Future’s chief technology officer noted that — with few exceptions — the BestRecovery users largely appear to belong to one of two very separate social networks.

RecordedFuture's rendering of the Facebook profiles shows fairly two tight-knit social networks.

RecordedFuture’s rendering of the Facebook profiles shows fairly two tight-knit social networks.

“There appears to be two fairly separate, quite tightly knit networks, each with a few central leaders, and also with just a few individuals being the bridge between the two networks — and that those middlemen are themselves not connected,” said Staffan Truvé, Recorded Future’s chief technology officer.

I noted in my previous story that a majority of the BestRecovery keylog service users who had Facebook pages that reported a location listed either somewhere in Nigeria (usually Lagos), or Kuala Lumpur, Malaysia. Not surprisingly, those two geographic groups are generally represented by these two globs of Facebook users (with several exceptions of users who are from Nigeria but living in Kuala Lumpur and vice versa).

Here’s a closer look at the most influential/connected members at the center of Cluster 1 (upper in the diagram above)

cluster1

Continue reading →