Information Security News
Researchers have found more digital fingerprints tying this month's WCry ransomware worm to the same prolific hacking group that attacked Sony Pictures in 2014 and the Bangladesh Central Bank last year.
Last week, a researcher at Google identified identical code found in a WCry sample from February and an early 2015 version of Contopee, a malicious backdoor used by Lazarus Group, a hacking team that has been operating since at least 2011. Additional fingerprints linked Lazarus Group to hacks that wiped almost a terabyte's worth of data from Sony Pictures and siphoned a reported $81 million from the Bangladesh Central Bank last year. Researchers say Lazarus Group carries out hacks on behalf of North Korea.
On Monday, researchers from security firm Symantec presented additional evidence that further builds the case that WCry, which is also known as WannaCry, is closely linked to Lazarus Group. The evidence includes:
A reader sent us an interesting find of a phishing site that is going after Uber credentials. Uber credentials are often stolen and resold to obtain free rides. One method the credentials are stolen is phishing. The latest example is using convincing looking Uber receipt emails. These emails feature a prominent link to uberdisputes.com.
Uberdisputes.com then requests the users Uber credentials to log in. Overall, the site uses the expected Uber layout. But more: The site uses a valid SSL certificate.
Turns out that the site was hosted behind a Cloudflare proxy. Cloudflare does issue free SSL certificates, and just like most certificate authorities, it only requires proof of domain ownership to obtain this service. This does make it more difficult to distinguish a fake site from the real thing.
Now by the time I started to investigate this, the original site was already taken down. But there was still some evidence left to see what happened. First of all, passive DNS databases did record the IP address of the site, which pointed to Cloudflare. Secondly, when searching certificate transparency logs, it was clear that a certificate for this site was issued to Cloudflare. Like for all Cloudflare certificates, the certificate was valid for a long list of hostnames hosted by Cloudflare. Sadly, it looks like whois history sites like Domaintools have no record of the site, so we do not know when it was exactly registered, but likely just before the domain started to get used.
For years, Yahoo Mail has exposed a wealth of private user data because it failed to update widely used image-processing software that contained critical vulnerabilities. That's according to a security researcher who warned that other popular services are also likely to be leaking sensitive subscriber secrets.
Chris Evans, the researcher who discovered the vulnerabilities and reported them privately to Yahoo engineers, has dubbed them "Yahoobleed" because the vulnerabilities caused the site to bleed contents stored in server memory. The easy-to-exploit flaws resided in ImageMagick, an image-processing library that's supported by PHP, Ruby, NodeJS, Python, and about a dozen other programming languages. One version of Yahoobleed was the result of Yahoo failing to install a critical patch released in January 2015. A second Yahoobleed vulnerability was the result of a bug that ImageMagick developers fixed only recently after receiving a private report from Evans.
The vulnerability discovered by Evans could be exploited by e-mailing a maliciously manipulated image file to a Yahoo Mail address. After opening the 18-byte file, chunks of Yahoo server memory began leaking to the end user. Evans called this version of the attack "Yahoobleed1." "Yahoobleed2" worked by exploiting the vulnerability fixed in January 2015.