Let’s sum up the month and recall what happened in November in information security. And there was a lot going on: let’s talk about the new flights of the well-known Pegasus spyware, about the FBI hack, and about a bot on State Services that suddenly became a supporter of crypto conspiracies.
November was eventful for Pegasus. At the beginning of the month, it emerged that Pegasus had flown to Europe: the Hungarian government announced that it was using it “within the framework of the law.” In total, there were about three hundred victims, but we know nothing about them: the details will be classified until 2050.
Apple later sued the Pegasus manufacturer, Israel’s NSO Group, for illegal surveillance of its users. Apple has promised that it will henceforth notify users if it sees Pegasus on their devices.
The first notifications were not long in coming: a couple of hours after the court received Apple’s filing, the first potential victims of Pegasus saw warnings on their devices. Among them are users from Thailand, El Salvador and Uganda: political researchers and educators, activists and journalists.
A prosecutor from Poland received the same warning. She had previously called for an investigation into where the millions of zlotys earmarked for postal voting in the ultimately failed elections went.
Soon, the Israeli Defense Ministry severely cut the list of countries to which Israeli infosec companies can export their products.
The new list included only democracies, including countries belonging to the EU and Five Eyes. Now the list looks like this: Australia, Austria, Belgium, UK, Bulgaria, Germany, Greece, Denmark, Iceland, Spain, India, Ireland, Italy, Canada, Cyprus, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, New Zealand, Norway, Portugal, Romania, Slovakia, Slovenia, USA, Finland, France, Croatia, Czech Republic, Sweden, Switzerland, Estonia, South Korea and Japan.
Of course, the list does not include Morocco, Bahrain, Saudi Arabia and the United Arab Emirates, which were previously seen among the clients of the NSO Group. And if you are puzzled to see India tucked in among the developed democracies, don’t be: this is different, you have to understand.
NSO Group is not to be envied, of course, but it serves them right.
The FBI and Robinhood: the busy days of a hacker
What do the FBI and the investment application Robinhood have in common? The hacker who targeted them in November.
First, Robinhood disclosed a leak: it happened as a result of a successful social engineering attack on a support employee. Unknown hackers obtained about 5 million user emails and about 2 million real names. For about 310 people (people, not thousands), the name, date of birth and postal (ZIP) code were leaked; for another 10 people, some “more detailed data” was taken. It later turned out that about 4,400 phone numbers had leaked as well. Financial and other critical data did not seem to be affected. Finally, the whole thing was put up for sale on a well-known hacker forum, where the loot was offered by the user pompompurin.
What does the FBI have to do with it? Well, in mid-November, fake emails were sent from an FBI mail address to the addresses of system administrators. They warned of a dangerous hacker named Vinny Troia, against whom the FBI strongly advised recipients to protect themselves, for example by double-checking the security of their systems. The Bureau soon admitted that it had made a mistake in configuring its software, which allowed the attacker to send out the emails.
And then the well-known infosec blogger Brian Krebs said that he had received the following email from the same hacked mailbox (email@example.com):
“Hi, this is pompompurin. Check the header of this email to make sure it really came from the FBI servers. I am writing to you because we have discovered a botnet that is hosted on your forehead. Take action immediately! Thanks”.
Pompompurin told Krebs that the purpose of the hack was to point out a gaping security hole at the FBI. He could have sent out more believable emails, extracted valuable data from sysadmins and so on, but he did not do so.
Krebs suggested that another target of the attack was Vinny Troia, whom the fake emails called a legendary dangerous hacker. In fact, Troia is a prominent information security researcher. He himself also stated that pompompurin, who had disliked him for a long time, was probably behind the attack. In addition, the day before the attack, Troia received a tweet from pompompurin: “enjoy”. After the mailing, the considerate hacker wrote again, solicitously asking: “Did you enjoy”.
The arrests of REvil
November was not fun for well-known cybercriminal groups. First, BlackMatter collapsed. Second, there have been mass arrests of potential REvil members around the world.
Romanian police officers detained two suspects; before that, they searched four houses in Constanta, seizing laptops, phones and storage media. On the same day, the Kuwaiti police arrested another suspect. These three scammers, if that is indeed what they are, are responsible for about 7,000 attacks and ransom demands totaling € 200 million.
In total, 7 suspected REvil members have been arrested this year. Three were caught in South Korea, and another was recently arrested in Germany.
The US Department of Justice today announced charges against a REvil ransomware affiliate responsible for the July 2 attack on the Kaseya MSP platform, as well as the seizure of more than $ 6 million from another REvil partner.
The suspect is a 22-year-old Ukrainian citizen, Yaroslav Vasinsky (Profcomserv, Rabotnik, Rabotnik_New, Yarik45, Yaraslav2468, and Affiliate 22), who was arrested for cybercrime activities on October 8 at the insistence of the United States while trying to enter Poland from his home country.
Soon, the group’s Tor sites (a blog with leaks and a service for paying the ransom), which had previously been hacked by the intelligence services, began showing a page with the heading “Revil is bad.”
There is a mysterious form on the page that asks for a username and password; it is not very clear why. And the CSS file with the styles is called revil_sucks.css. I wonder whether it is the intelligence services having fun, or whether some third-party group decided to kick someone who is already down and hacked the already hacked hackers?
Not Facebook, not Meta yet
In November, Facebook suddenly promised that it would no longer collect a database of recognized faces, and would delete everything already collected from its servers. Everyone was very surprised: it always looks suspicious when the bees campaign against honey.
Where is the catch? Watch the hands: the promise was made by Facebook, and the company is now called Meta.
Meta is currently developing a virtual reality in which people will interact through realistic avatars of themselves. Naturally, that cannot be done without recognition: you need to build a virtual model of a real person, and then track facial expressions and movements.
I have always wondered what goes through the minds of those who literally bring to life the megavillains of various cyberpunk universes. Except for “earthlings_given_you_with”, of course.
Hacking npm packages: part 2
Continuing the October saga. The popular coa library, with 9 million weekly downloads and used by 5 million GitHub repositories, was suddenly updated after a couple of years of silence. Of course, it had been hacked and updated with malicious code, just like UAParser.js recently.
The malware is identical. After installation, an obfuscated TypeScript script checks which operating system is on the machine and pulls the corresponding malicious file. The file was deobfuscated, and it turned out that a version of the Qakbot Trojan is being pulled.
The npm component rc was also hacked in the same way (versions 1.2.9, 1.3.9 and 2.3.9). It has under 14 million downloads a week. Fortunately, npm quickly removed all the malicious updates.
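To check whether a project ever resolved one of the rc versions named above, the lockfile can be scanned directly. This is an added example, not code from the original article or from npm; the sample lockfiles are constructed, and since the article does not list the malicious coa versions, only rc is in the blocklist.

```javascript
// Versions this article names as malicious. coa's bad versions are not given
// on the page, so only rc is listed; extend the map from the npm advisories.
const COMPROMISED = new Map([['rc', ['1.2.9', '1.3.9', '2.3.9']]]);

// Package name from a lockfile v2/v3 "packages" key, e.g.
// "node_modules/a/node_modules/rc" -> "rc", "node_modules/@s/p" -> "@s/p".
function nameFromPath(path) {
  const i = path.lastIndexOf('node_modules/');
  return i === -1 ? null : path.slice(i + 'node_modules/'.length);
}

// Walk a parsed package-lock.json (v1 nested "dependencies" tree or v2/v3
// flat "packages" map) and return every install of a listed version,
// including copies nested under other packages.
function findCompromised(lock, bad = COMPROMISED) {
  const hits = [];
  const check = (name, version, where) => {
    if (name && (bad.get(name) || []).includes(version)) {
      hits.push({ name, version, where });
    }
  };
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      check(meta.name || nameFromPath(path), meta.version, path);
    }
  } else {
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        check(name, meta.version, trail.concat(name).join(' > '));
        walk(meta.dependencies, trail.concat(name));
      }
    };
    walk(lock.dependencies, []);
  }
  return hits;
}

// Constructed sample lockfiles (not real project data).
const SAMPLE_V3 = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/rc': { version: '1.2.8' },
  'node_modules/registry-url/node_modules/rc': { version: '1.2.9' },
} };
const SAMPLE_V1 = { lockfileVersion: 1, dependencies: {
  'update-notifier': { version: '5.1.0',
    dependencies: { rc: { version: '2.3.9' } } },
} };
console.log(findCompromised(SAMPLE_V3), findCompromised(SAMPLE_V1));
```

A hit in a lockfile means the malicious version was resolved at some point, so the machines that ran the install should be treated as potentially infected, not just the dependency pinned back.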
A little later, GitHub (the parent company of npm) talked about two critical vulnerabilities that it recently fixed.
First, for some time at the end of October, the names of private packages stored on the npm mirror were publicly available. The contents were not exposed, but the names alone are enough to exploit the dependency confusion vulnerability. GitHub changed the mirror generation process to prevent such leaks in the future.
The second vulnerability allowed package updates to be published without proper authorization. GitHub says that the microservices responsible for authorization did not work quite correctly, which caused the vulnerability. At the same time, there is no data on exploits, and the company is confident that the bug has not been used since at least September 2020.
And from 2022, npm will make two-factor authentication mandatory for developers. If the maintainers of UAParser.js, coa and the other heroes of the funny stories told here had had it, these packages might not have been hacked.
In early November, researchers described the largest botnet in history, which at one point had more than 1.6 million devices. For comparison, the rather sensational Meris, responsible in September for the record DDoS on the Russian internet (against Yandex), includes only 250 thousand devices. The giant botnet has long been known as Pink.
Pink mainly consists of MIPS routers. It uses several third-party services (like GitHub), P2P networks, and centralized C&C servers for management.
Since its golden age, the botnet, which is responsible for over a hundred DDoS attacks, has deflated. There are now about a hundred thousand active devices left in Pink.
Also in November, the Emotet botnet returned, after having been defeated by intelligence agencies in January. They say the botnet’s operators were persuaded to bring it back by the Conti hackers.
The main feature of Emotet is its partnership with hacker groups, which the botnet helps to distribute ransomware and other malware to “expensive” victims. It looks like a heyday for Conti lies ahead: for them this not-too-triumphant return is very profitable.
Hacking government services and crypto conspiracies from the bot
Finally, someone gave State Services a serious storming. On November 10, the Ministry of Digital Communications spoke about an attack of 680 GB per second.
The only casualty was the site’s bot. For some time, in response to attempts to obtain a QR code or certificates, it said that “the coronavirus does not exist,” that QR codes “are part of the world government’s plans for population segregation,” and that vaccines are “a means of disposing of the surplus population.”
The ministry claims that the attackers only got to the bot, and that user data is safe.