BadRabbit: NotPetya Hackers Likely Behind Ransomware Attack, Say Researchers

Technical indicators suggest a cyber-attack which hit Russia and other countries this week was carried out by hackers behind a similar but bigger assault on Ukraine in June, security researchers who analysed the two campaigns said on Wednesday.

Russia-based cyber firm Group-IB said the BadRabbit virus used in this week’s attack shared a key piece of code with the NotPetya malware that crippled businesses in Ukraine and worldwide earlier this year, suggesting the same group was responsible.

The BadRabbit attack hit Russia, Ukraine and other countries on Tuesday, taking down Russia’s Interfax news agency and delaying flights at Ukraine’s Odessa airport.

Multiple cyber-security investigators have linked the two attacks, citing similarities in the malware coding and hacking methods, but stopped short of direct attribution.

Still, experts caution that attributing cyber-attacks is notoriously difficult, as hackers regularly use techniques to cover their tracks and sometimes deliberately mislead investigators about their identity.

Security researchers at Cisco’s Talos unit said BadRabbit bore some similarities with NotPetya as they were both based on the same malware, but large parts of code had been rewritten and the new virus distribution method was less sophisticated.

They confirmed BadRabbit used a hacking tool called Eternal Romance, believed to have been developed by the US National Security Agency (NSA) before being stolen and leaked online in April.

NotPetya also employed Eternal Romance, as well as another NSA tool called Eternal Blue. But Talos said they were used in a different way and there was no evidence BadRabbit contained Eternal Blue.

“It is highly likely that the same group of hackers was behind (the) BadRabbit ransomware attack on Oct. 25, 2017 and the epidemic of the NotPetya virus, which attacked the energy, telecommunications and financial sectors in Ukraine in June 2017,” Group-IB said in a technical report.

Matthieu Suiche, a French hacker and founder of the United Arab Emirates-based cyber security firm Comae Technologies, said he agreed with the Group-IB assessment that there was “serious reason to consider” that BadRabbit and NotPetya were created by the same people.

But some experts have said the conclusion is surprising as the NotPetya attack is widely thought to have been carried out by Russia, an allegation Moscow denies.

Ukrainian officials have said the NotPetya attack directly targeted Ukraine and was carried out by a hacking group widely known as Black Energy, which some cyber experts say works in favour of Russian government interests. Moscow has repeatedly denied carrying out cyber attacks against Ukraine.

The majority of BadRabbit’s victims were in Russia, with only a few in other countries such as Ukraine, Bulgaria, Turkey and Japan.

Group-IB said some parts of the BadRabbit virus dated from mid-2014, however, suggesting the hackers used old tools from previous attacks. “This corresponds with BlackEnergy timeframes, as the group started its notable activity in 2014,” it said.


Russia Detains Nine ‘Hackers’ Over $17 Million Bank Thefts

Russia has detained nine people alleged to be part of a cybercrime ring accused of stealing some $17 million dollars from bank accounts, the interior ministry said Wednesday.

The detentions followed a nationwide manhunt. The FSB security agency launched a major operation last year against the alleged 50-strong “hacker group” that pilfered more than RUB 1 billion ($16.8 million, EUR 15.8 million) since 2013, the statement said.

“Nine individuals suspected of participating in hacking attacks were detained on January 25,” ministry spokeswoman Irina Volk said. One was placed under arrest.

A total of 27 members and organisers are being investigated, with 19 of them now under arrest in pre-trial jail, the ministry said.

Unnamed security sources on Wednesday told Russian agencies that the latest arrests are connected to a case against legendary hacking collective Lurk that was targeted by law enforcement agencies in a sweep last year.
According to cyber-security giant Kaspersky, the group was reportedly suspected of stealing some three billion rubles from commercial organisations that included banks.

Russian hackers are in the spotlight over their alleged involvement in cyber-attacks targeting the US presidential election campaign but experts say the vast majority of cybercrime in the country is financial.

The FSB itself is also currently caught up in another murky scandal that has seen at least two of its top cyber-security experts arrested for treason linked to the United States, a lawyer involved in the case has said.

That treason case has also seen the arrest of Ruslan Stoyanov – the head of Kaspersky’s cyber-security unit that probed Lurk.



Hackers Accessed Telegram Messaging Accounts in Iran: Researchers

Iranian hackers have compromised more than a dozen accounts on the Telegram instant messaging service and identified the phone numbers of 15 million Iranian users, the largest known breach of the encrypted communications system, cyber researchers told Reuters.

The attacks, which took place this year and have not been previously reported, jeopardized the communications of activists, journalists and other people in sensitive positions in Iran, where Telegram is used by some 20 million people, said independent cyber researcher Collin Anderson and Amnesty International technologist Claudio Guarnieri, who have been studying Iranian hacking groups for three years.

Telegram promotes itself as an ultra secure instant messaging system because all data is encrypted from start to finish, known in the industry as end-to-end encryption. A number of other messaging services, including Facebook Inc’s WhatsApp, say they have similar capabilities.

Headquartered in Berlin, Telegram says it has 100 million active subscribers and is widely used in the Middle East, including by the Islamic State militant group, as well as in Central and Southeast Asia, and Latin America.

Telegram’s vulnerability, according to Anderson and Guarnieri, lies in its use of SMS text messages to activate new devices. When users want to log on to Telegram from a new phone, the company sends them authorization codes via SMS, which can be intercepted by the phone company and shared with the hackers, the researchers said.

Armed with the codes, the hackers can add new devices to a person’s Telegram account, enabling them to read chat histories as well as new messages.

“We have over a dozen cases in which Telegram accounts have been compromised, through ways that sound like basically coordination with the cellphone company,” Anderson said in an interview.

Telegram’s reliance on SMS verification makes it vulnerable in any country where cellphone companies are owned or heavily influenced by the government, the researchers said.

A spokesman for Telegram said customers can defend against such attacks by not just relying on SMS verification. Telegram allows – though it does not require – customers to create passwords, which can be reset with so-called “recovery” emails.

“If you have a strong Telegram password and your recovery email is secure, there’s nothing an attacker can do,” said Markus Ra, the spokesman.

Iranian officials were not available to comment. Iran has in the past denied government links to hacking.

Rocket Kitten
The Telegram hackers, the researchers said, belonged to a group known as Rocket Kitten, which used Persian-language references in their code and carried out “a common pattern of spearphishing campaigns reflecting the interests and activities of the Iranian security apparatus.”

Anderson and Guarnieri declined to comment on whether the hackers were employed by the Iranian government. Other cyber experts have said Rocket Kitten’s attacks were similar to ones attributed to Iran’s powerful Revolutionary Guards.

The researchers said the Telegram victims included political activists involved in reformist movements and opposition organizations. They declined to name the targets, citing concerns for their safety.

“We see instances in which people … are targeted prior to their arrest,” Anderson said. “We see a continuous alignment across these actions.”

The researchers said they also found evidence that the hackers took advantage of a programming interface built into Telegram to identify at least 15 million Iranian phone numbers with Telegram accounts registered to them, as well as the associated user IDs. That information could provide a map of the Iranian user base that could be useful for future attacks and investigations, they said.

“A systematic de-anonymization and classification of people who employ encryption tools (of some sort, at least) for an entire nation” has never been exposed before, Guarnieri said.

Ra said Telegram has blocked similar “mapping” attempts in the past and was trying to improve its detection and blocking strategies.

Cyber experts say Iranian hackers have become increasingly sophisticated, able to adapt to evolving social media habits. Rocket Kitten’s targets included members of the Saudi royal family, Israeli nuclear scientists, NATO officials and Iranian dissidents, U.S.-Israeli security firm Check Point said last November.

Popular in the Middle East
Telegram was founded in 2013 by Pavel Durov, known for starting VKontakte, Russia’s version of Facebook, before fleeing the country under pressure from the government.

While Facebook and Twitter are banned in Iran, Telegram is widely used by groups across the political spectrum. They shared content on Telegram “channels” and urged followers to vote ahead of Iran’s parliamentary elections in February 2016.

Last October, Durov wrote in a post on Twitter that Iranian authorities had demanded the company provide them with “spying and censorship tools.” He said Telegram ignored the request and was blocked for two hours on Oct. 20, 2015.

Ra said the company has not changed its stance on censorship and does not maintain any servers in Iran.

After complaints from Iranian activists, Durov wrote on Twitter in April that people in “troubled countries” should set passwords for added security.

Amir Rashidi, an internet security researcher at the New York-based International Campaign for Human Rights in Iran, has worked with Iranian hacking victims. He said he knew of Telegram users who were spied on even after they had set passwords.

Ra said that in those cases the recovery email had likely been hacked.

Anderson and Guarnieri will present their findings at the Black Hat security conference in Las Vegas on Thursday. Their complete research is set to be published by the Carnegie Endowment for International Peace, a Washington-based think tank, later this year.

© Thomson Reuters 2016



Virtru Will Shield Emails From Hackers and the FBI, but Not From Your Boss

Free NSA-quality encryption, and a five-year-old could use it.

John and Will Ackerly each had stints inside the government during the surveillance build-up of the past decade – John as a Bush administration technology adviser and Will as an engineer at the National Security Agency.

Today the two brothers from the District of Columbia play very different roles: helping individuals and businesses evade snooping of all kinds through an encrypted communications app called Virtru.

“Our focus is on the 99.99 percent of people who know they have to secure their content, but it’s always been too hard and complicated before,” said CEO John Ackerly.

For the layperson, it is hard to tell whether Virtru’s system is any better than its competition.

But on ease of use, the app unambiguously delivers. I was sending encrypted emails from one account to another within 30 seconds of downloading the company’s app for Android.

And when I switched to my horribly slow, virus-ridden computer to test Virtru’s browser plug-in, I found it lightning-fast and glitch-free despite a crummy Internet connection.

But the real fun comes with the extra features in the app. Virtru lets you delete or revoke access to emails you have sent. It has an “expiration” feature so you can set emails to erase themselves after a certain amount of time.

Another useful feature lets the sender forbid forwarding. Someone could evade that limit by copying and pasting into another browser, but even that could change soon: A company spokesperson said tracking whether email content has been Ctrl-C’d is “an issue and feature we are working on.”

Virtru’s website advertises “end-to-end encryption,” a term usually reserved for communications that can be accessed only by sender and recipient. According to the company, that is the case for the individual users who download the free app.

But if you are signed up through your company, you need to know that an administrator somewhere in your organisation may be reading your emails. For the businesses and government agencies it sells to, Virtru builds in features that can closely monitor employee communication.

At $60 (roughly Rs. 4,000) per user, these corporate accounts bring in quite a bit of cash for Virtru. Staffers at HBO use it to send movie scripts and restrict whom they get forwarded to, perhaps seeking to prevent leaks like the one that brought us last year’s first four “Game of Thrones” episodes ahead of time. A contract with the state government in Maryland means some 10,000 police officers and law enforcement staffers use the app to encrypt their communications.

Keep in mind that even corporate emails set to “expire” can be retroactively accessed if a corporate client so chooses. For private companies, that means a technology administrator could pull up even your personal encrypted emails in the event of an audit. For government officials using the app in Maryland, that could mean a Freedom of Information Act request from a journalist, according to Ackerly.

And it’s not just big companies and government agencies passing sensitive data through Virtru’s servers. The Pentagon pays Juncture Consulting, a ten-person company based in Woodbridge, Virginia, to assess retiring soldiers’ health to determine how much disability compensation they may get.

Chief operating officer Michelle de Stefano says the physicians she hires handle that work on government computers. But handling those employees’ sensitive data is a different story, she says, so she started paying about $120 a year for a basic version of Virtru’s software.

“I don’t want to be responsible for screwing up anyone’s identity information and having something bad happen to it,” said de Stefano. “I don’t want to be that weak link.”

© 2016 The Washington Post
