Category Archives: Hacker

“Gigabytes of Data” Accessed from Web Host Epik



You may have heard of Epik (the web host – not Epic the gaming company). According to Gizmodo, Epik the web host and domain registrar provides services to Gab, Parler, and Bitchute (which Gizmodo described as a “conspiracy-theory-laden YouTube wannabe”), and The Donald (a President Trump fansite).

Epik also recently hosted the Texas whistleblower website – which was intended to allow people to “snitch on Texas residents who want abortions.” Gizmodo reported that Epik forcibly removed the Texas site from the platform after determining it had violated Epik’s terms by non-consensually collecting third-party information.

Those sites seem to end up on Epik after breaking the terms of services of whatever mainstream hosting company they started with.

TechCrunch reported that hackers associated with the hacktivist collective Anonymous say they have leaked gigabytes of data from Epik. The hackers did not say how they obtained the breached data or when the hack took place. TechCrunch says that, according to the timestamps on the most recent files, the hack “most likely” happened in late February.

It appears that the hackers have now released the information that was in the Epik data breach. TechCrunch reported what was in the data breach, based on a statement from the hackers.

What kind of information was in the data breach? TechCrunch reported that a statement accompanied a torrent file of the dumped data this week. It described a “decades worth” of company data, including “all that’s needed to trace actual ownership and management” of the company. The hackers claimed to have customer payment histories, domain purchases and transfers, passwords, credentials and employee mailboxes.

According to TechCrunch, Epik initially told reporters it was unaware of a breach, but an email sent out by founder and chief executive Robert Monster on Wednesday alerted users to an “alleged security incident.” To me, it sounds like the damage had already been done before users were alerted to it by email.

This is a really good example of why you need to be absolutely certain that the web host that is hosting your content is a reliable one.


Ukraine picks up six hackers behind Clop ransomware



It’s been a rough spell for hackers. One was just extradited from Mexico to face charges in California for a DDoS attack on the city of Santa Cruz.

Now six members of a group responsible for the Clop ransomware were picked up in a raid in Ukraine. It is not clear if these were all the members behind it or just one cell. The search of the home resulted in the seizure of hundreds of thousands of dollars and expensive vehicles such as an AMG 63 and a Tesla.

A Ukrainian report states that “[in] 2021, the defendants attacked and encrypted the personal data of employees and financial reports of Stanford University Medical School, the University of Maryland and the University of California.” 

As South Korea and the US were also in on this roundup and have charges pending for hacks in both countries, it’s unclear where things go from here.


U.S. Department of Justice Seized $2.3M in Bitcoin from Ransomware Hackers



The U.S. Department of Justice announced that it seized 63.7 bitcoins currently valued at approximately $2.3 million. According to the Department of Justice, “these funds allegedly represent the proceeds of a May 8, ransom payment to individuals in a group known as DarkSide.” This is the group that targeted the Colonial Pipeline, causing it to shut down.

As alleged in the supporting affidavit, by reviewing the Bitcoin public ledger, law enforcement was able to track multiple transfers of bitcoin and identify that approximately 63.7 bitcoins, representing the proceeds of the victim’s ransom payment, had been transferred to a specific address, for which the FBI has the “private key,” or the rough equivalent of a password needed to access assets accessible from the specific Bitcoin address. This bitcoin represents proceeds traceable to a computer intrusion and property involved in money laundering and may be seized pursuant to criminal and civil forfeiture statutes. 
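The affidavit describes the investigative step at a high level: follow the ransom payment forward through the public ledger until it lands at an address whose key is in hand. The following added example (written for this post, not taken from the affidavit or any real blockchain tooling) shows the idea on a constructed, simplified ledger. Addresses such as `victim_addr` and `seized_addr`, the transaction IDs and the intermediate amounts are all made up; the only figure taken from the post is the 63.7 bitcoin total. Real Bitcoin tracing works on the UTXO model and needs clustering heuristics that this toy ledger omits.

```python
# Added example: forward-tracing funds through a constructed public ledger.
# Not the DOJ's or FBI's method; a simplified illustration of the concept.
from collections import deque

# Constructed ledger. Each transaction spends from its input addresses and
# pays the listed outputs. Address names and txids are placeholders.
LEDGER = [
    {"txid": "tx1", "inputs": ["victim_addr"],    "outputs": {"ransom_addr": 75.0}},
    {"txid": "tx2", "inputs": ["ransom_addr"],    "outputs": {"affiliate_addr": 11.3,
                                                               "operator_addr": 63.7}},
    {"txid": "tx3", "inputs": ["affiliate_addr"], "outputs": {"exchange_addr": 11.3}},
    {"txid": "tx4", "inputs": ["operator_addr"],  "outputs": {"seized_addr": 63.7}},
    # Unrelated traffic into the same destination; the trace must not pick it up.
    {"txid": "tx5", "inputs": ["other_addr"],     "outputs": {"seized_addr": 1.0}},
]


def trace_forward(ledger, start_addr):
    """Breadth-first walk from start_addr through every transaction that spends
    from an address already on the trail.

    Returns (trail_txids, terminal_addrs): the transactions the funds passed
    through, in discovery order, and the addresses on the trail whose funds
    were never spent again (where the money 'came to rest')."""
    spends_from = {}
    for tx in ledger:
        for addr in tx["inputs"]:
            spends_from.setdefault(addr, []).append(tx)

    on_trail = {start_addr}
    trail = []
    queue = deque([start_addr])
    while queue:
        addr = queue.popleft()
        for tx in spends_from.get(addr, []):
            if tx["txid"] in trail:
                continue
            trail.append(tx["txid"])
            for out_addr in tx["outputs"]:
                if out_addr not in on_trail:
                    on_trail.add(out_addr)
                    queue.append(out_addr)

    terminals = {a for a in on_trail if a not in spends_from}
    return trail, terminals


def amount_via_trail(ledger, trail, addr):
    """Sum what addr received from transactions on the trail only, ignoring
    unrelated deposits to the same address (tx5 above)."""
    trail_set = set(trail)
    return sum(tx["outputs"].get(addr, 0.0)
               for tx in ledger if tx["txid"] in trail_set)


if __name__ == "__main__":
    trail, terminals = trace_forward(LEDGER, "victim_addr")
    print("transactions on trail:", trail)
    print("funds came to rest at:", sorted(terminals))
    print("traceable to seized_addr:", amount_via_trail(LEDGER, trail, "seized_addr"))
```

The point of the second function is the one the affidavit makes: what can be seized is the portion traceable to the victim's payment, which is why the unrelated deposit in `tx5` is excluded even though it sits at the same address.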

The Wall Street Journal reported a quote from Stephanie Hinds, acting U.S. attorney for the Northern District of California (where the seizure warrant was obtained). “The extortionists will never see this money. This case demonstrates our resolve to develop methods to prevent evildoers from converting new methods of payment into tools and extortion for undeserved profits.”

The Wall Street Journal also reported that the FBI officially discourages victims from paying ransoms because doing so feeds a booming criminal marketplace and often won’t actually result in the restoration of the frozen computer systems.

Krebs on Security reported that Colonial Pipeline stated that the hackers only hit its business IT networks – not its pipeline security or safety systems. Colonial Pipeline shut down its pipeline as a precaution.

According to Krebs on Security, DarkSide (which is described as a “ransomware-as-a-service” syndicate) shut down on May 14, 2021, after posting a farewell message to affiliates. The message said that its Internet servers and cryptocurrency stash were seized by unknown law enforcement entities.

Personally, I find it interesting that the U.S. Department of Justice has the ability to seize cryptocurrency from thieves who received it after infecting a company with ransomware. Perhaps this will serve as a warning to those who are interested in obtaining cryptocurrency through illegal means.


Passwordstate was Compromised by Supply-Chain Attack



As many as 29,000 users of Passwordstate password manager downloaded a malicious update that extracted data from the app and sent it to an attacker-controlled server, Click Studios told customers. Ars Technica reported that this was a supply-chain attack.

Click Studios began developing Passwordstate in March of 2004, and released it in August that same year. According to Click Studios, Passwordstate is used by more than 29,000 customers and 370,000 security and IT professionals globally, many being from Fortune 500 listed companies. Industries using Passwordstate include defense, banking and finance, media and entertainment, space and aviation, education, utilities, retail, mining, automotive, service providers and IT security integrators.

It is easy to see why companies that were relying on Passwordstate might be upset by this supply-chain attack. TechCrunch reported that an email sent by Click Studios to customers said the company had confirmed that attackers had “compromised” the password manager’s software update feature in order to steal customers’ passwords.

Click Studios has created an Incident Management Advisory on its website. It is where to find regular updates detailing the best information available at that point in time. Click Studios recommends that people periodically check it for the latest updates.

Personally, I think the safest way for individuals to protect their passwords is to write them down on paper and store that information at home. Paper is entirely immune from supply-chain attacks, and it lacks the code that nasty hackers seem to feel entitled to mess around with. This solution might be insufficient for large businesses, though. Unfortunately, that means these kinds of shenanigans will continue to happen.


Verified Twitter Accounts were Hacked for a Crypto Scam



Those who looked at Twitter earlier today may have noticed some very unusual tweets from accounts that have a blue checkmark. TechCrunch reported that these high-profile accounts were simultaneously hacked and used to spread a cryptocurrency scam.

According to TechCrunch, the hackers started by targeting cryptocurrency-focused accounts like @bitcoin, @ripple, @coindesk, @coinbase, and @binance. It is possible that those who follow those accounts might not understand that this was a scam.

The first hacked tweet I saw was from the Joe Biden verified account. Someone took a screenshot of what appeared to be Joe Biden tweeting “I am giving back to the community. All Bitcoin sent to the address below will be sent back doubled! If you send $1,000, I will send back $2,000. Only doing this for 30 minutes”. The tweet included a bitcoin address. (The screenshot was posted on social media that was not Twitter.)

I was immediately suspicious. Joe Biden doesn’t seem to me to be the kind of person who would tweet about Bitcoin. And now, we know that it certainly wasn’t him who posted that tweet.

Apple’s verified Twitter account also had a post about doubling the cryptocurrency sent to it. This, too, is extremely suspicious. Apple has never posted a tweet. Why would anyone believe that the first tweet Apple chose to post was about doubling your cryptocurrency? People who saw these tweets should have realized that something was wrong.

That said, some of the verified accounts that got hacked were ones that might sound convincing. For example, Elon Musk’s Twitter account was hacked. He has been known to post unexpected things on Twitter (such as his opinion on the stock price of Tesla). Kanye West, who recently decided to run for president, also seems like someone who just might decide to double people’s cryptocurrency on a whim.

The @Wendy’s account also got hacked. Would Wendy’s decide to “give back” to the community with cryptocurrency? Considering how snarky the Wendy’s account tends to be, some people might think the tweet was real.

The takeaway from this situation is that you should not believe everything you see on social media. It also makes it abundantly clear that social media is not as secure as you might think (or hope) it is.


Marriott Says 5 Million Passport Numbers Were Not Encrypted



As you may remember, Marriott International confirmed in November of 2018 that its hotel guest database of about 500 million customers was stolen in a data breach. The breach was related to reservations at Marriott’s Starwood properties.

Since then, some new information about the data breach has been revealed.

The New York Times reported today that Marriott International conceded that its Starwood hotel unit did not encrypt the passport numbers for roughly five million guests. The New York Times also reported:

On Friday the firm said that teams of forensic and data analysts had identified “approximately 383 million records as the upper limit” for the total number of guest reservations lost, though the company still says it has no idea who carried out the attack, and suggested the figure would decline over time as more duplicate records are identified.

The New York Times pointed to some of its previous reporting from December of 2018, when it reported “that the attack was part of a Chinese intelligence gathering effort that, reaching back to 2014, also hacked American health insurers and the Office of Personnel Management, which keeps security clearance files on millions of Americans.”

Gizmodo reported that Marriott International said that a small number of payment cards – “fewer than 2,000” – may have been stored separately and in an unencrypted format.


Quora had a Data Breach Affecting 100 Million Users



Quora is a website where people go to get an answer to whatever random question is on their minds. Now, it appears that Quora users are going to be seeking some incredibly significant answers from the website. Quora has had a data breach that affected about 100 million users.

Quora acknowledged this data breach on The Quora Blog. The data breach was discovered on November 30, 2018. Quora says they discovered that some user data was compromised by a third party who gained unauthorized access to one of their systems. Overall, the turnaround time between discovery of the data breach – and telling users about it – was reasonably fast.

Quora says the investigation is still ongoing, and has apologized for any concern or inconvenience this may cause. For approximately 100 million Quora users, the following information may have been compromised:

  • Account information, e.g. name, email address, encrypted (hashed) password, data imported from linked networks when authorized by users
  • Public content and actions, e.g. questions, answers, comments, upvotes
  • Non-public content and actions, e.g. answer requests, downvotes, direct messages (note that a low percentage of Quora users have sent or received such messages.)

Interestingly, Quora says that questions and answers that were written anonymously are not affected by this breach because they do not store the identities of people who post anonymous content.

How will you know if this data breach affected you? Quora is in the process of notifying users whose data has been compromised. If you were affected, Quora will update you with relevant details in an email.

In addition, Quora is logging out all Quora users who may have been affected by the data breach. Quora will invalidate the passwords of those who used a password as their identification. They recommend you change your passwords.

One thing to pay attention to is that this breach affected “data imported from linked networks when authorized by users”. You might want to change passwords on whatever networks you connected to Quora before the data breach.