From Security Weekly Wiki

Security Weekly News Episode #65 - September 15, 2020

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. Fancy Bear Returns, Zoom Rolls Out 2FA, & Massive Mailfire Leak - 02:00 PM-02:30 PM


This week, Dr. Doug talks Candiru fish, Office Phishing attacks with a twist, Fancy Bear, Zhenhua data leaks, TikTok and Oracle, and Big Eyed Beans from Venus! Jason Wood returns for Expert Commentary on a Russian hacker selling a how-to video on exploiting unsupported Magento installations to skim credit card details for $5,000!

  1. New API Phishing Attack on Office 365 Users.
  2. Fancy Bear launched even more attacks against Election Companies.
  3. 3rd Party Mailfire leaks 320 million database records of dating and porn site users.
  4. Zhenhua has a LOT of data about lots of people.
  5. TikTok rebuffs Microsoft for Oracle Offer.
  6. Lots of remote workers are accessing corporate data on their personal devices.
  7. Temple University releases access to ransomware information for free.
    1. Temple Site.
  8. Zoom rolls out 2FA for all users.
  9. Life on Venus, I doubt it but who knows. Captain Beefheart might.


Doug White's Content:


Jason Wood's Content:


Russian hacker selling how-to vid on exploiting unsupported Magento installations to skim credit card details for $5,000

To me, one of the most fascinating aspects of our online adversaries is the market and organization that has grown up around making money off of breaking into systems. Profiting off this kind of stuff has been a motive for a long time, but it always strikes me as a bit wild to read about how people are figuring out how to get better at stealing, selling data, and extorting money out of others. I found this story in The Register and a similar one on ThreatPost.

Basically, an attacker realized he had a zero day attack for Magento 1 and that Adobe is no longer supporting this version. Our opportunistic hacker decided there was an opportunity for profit here. People are still running Magento 1 and there are no software updates. That means that there's no easy way for users of this software to fix their sites, short of upgrading to Magento 2. This individual decided that they could probably make more money, more easily and more safely, by just teaching others how to exploit the zero day, so that's what they did.

They created a video that explains how to exploit these systems with card skimmers and put it up for sale for $5,000. That seems like quite a bit, but to make it more valuable, they made sure that the information stayed scarce. They said they would only sell the exploit to 10 people. That gives the hacker a $50,000 payday. Not too shabby. I found it interesting that they decided to apply scarcity to keep the price higher. If they had decided to sell it to a wider audience, then it wouldn't have sold for as much. Perhaps they could have made more than $50,000 by selling it for $1,000 to a wider audience, but such are the mysteries of pricing.

One possible result of this video sale is that nearly 2,000 Magento 1 sites had their payment pages compromised and customer payments went off to a website hosted in Moscow. Apparently there are still another 95,000 vulnerable Magento 1 sites to go. Are the two related? Maybe or maybe not. The publicly available information really isn't that clear. Sansec Threat Intelligence released the report on the activity to The Register and ThreatPost. The ThreatPost article has a bit more technical information available. Either way, there isn't enough for me to decide the two are definitely related, but the two events happening together seems pretty coincidental if they aren't. I suspect Sansec has a great deal more information that they couldn't or wouldn't release publicly. I've learned firsthand through my job that releasing information about intrusions and threat actors is tricky business.

This is just one example of how criminal operations are making money off of e-crime without actually hacking large numbers of systems themselves. There are others that I've read about that are even more organized in conducting this sort of thing. The Ransomware-as-a-Service providers are another one that is very active and appears to be making a fair bit of money. If you want to understand more of what you are defending against, then I highly recommend you check out these criminal operations. They run like a business and are always looking for ways to improve their revenues. It's extremely interesting reading.