Thursday October 17th 2019
Did you miss us last week? We've been busy investigating some recent threats and have an update for you in this week's threat report. Hackers get hacked for 26M cards, APT35 returns with a new campaign using non-standard link shorteners, Diamond Fox gets demoed on YouTube, and Bishop Fox releases a Pwn Pulse PoC.
One of the largest underground stores for stolen credit card data, BriansClub, was itself hacked. BriansClub hosted more than 26M credit and debit card records stolen from online and physical retailers over the past four years, with nearly eight million of those records uploaded to the shop in 2019.
The hack devalues most of the cards listed on the site. As a form of quality control, card numbers are normally removed from the shop once they are sold, which helps ensure that the ones still listed are usable; now that the whole inventory has been exfiltrated, nothing for sale on BriansClub can be assumed to be fresh.
A rough estimate based on BriansClub's pricing tiers puts the value of the stolen card data at around $414M to the sellers; on the victim side, the stolen cards could add up to around $4B in losses, based on a Justice Department estimate of $500 per card number.
KrebsOnSecurity reached out to Gemini Advisory, a New York-based cybersecurity company that works with financial institutions to monitor the cybercriminal underground, to get a sense of the scale of this breach. Andrei Barysevich, CEO of Gemini, explained that the loss of so many valid card numbers would likely have a significant impact on the underground economy: "With over 78% of the illicit trade of stolen cards attributed to only a dozen dark web markets, a breach of this magnitude will undoubtedly disturb the underground trade in the short term."
ClearSky published a report on a recent campaign by Charming Kitten (APT35), an Iranian group, and noted that the link shortening services used in the campaign, is.gd and 2no.co, are unusual choices compared with typical services such as bit.ly or tiny.cc. APT35 sent these shortened links in SMS messages and emails, directing targets to spoofed Google pages in an attempt to harvest credentials.
2no.co is a product of IP Logger: whoever creates the link can see the IP address of anyone who opens it, and can change where the link redirects at any time without altering the URL that was originally shared.
In one example, APT35 pointed a shared 2no.co URL at a malicious spoofed Google page; when researchers later clicked the same link, it redirected them to the legitimate Google login page. For defenders, this means a shortener URL seen in a phishing message is not a stable indicator of its destination: record the full redirect chain and the final landing page at the time of observation, and treat a later benign resolution as inconclusive rather than as evidence that the link was harmless.
Demon Forums user blackhatrussia shared a link to a YouTube tutorial demoing Diamond Fox 4.2.0 v650, an HTTP botnet with an admin panel for managing additional plugins.
Blackhatrussia demonstrates Diamond Fox, also known as Gorynych, by walking viewers through setting it up on localhost and connecting the panel to other bots. The tool is highly customizable and builds bot loaders. Blackhatrussia listed contact information for further inquiry as ICQ:653580170 or russianhackerclub@jabber[.]ru.
Twitter user @BishopFox shared a link to a blog post outlining a PoC for CVE-2019-11510, with the script posted on GitHub. The authors, Orange Tsai and Meh Chang, detail how the script extracts private keys, usernames, admin details (including session cookies) and observed logins from Pulse Connect Secure VPN files.
The script takes the target domain or IP as its argument and uses the arbitrary file read vulnerability to download the relevant files from the server. It then greps through those files for sensitive information and dumps everything into an output file for the user. By default, it also tests each recovered session cookie to see whether the session is still active (and therefore available for hijacking). Alyssa Herrera and 0xDezzy published a PoC on Exploit-DB shortly after Tsai and Chang presented the exploit at Black Hat USA. Note that CVE-2019-11510 is exploitable without authentication and that Pulse Secure's fix shipped in April 2019 (advisory SA44101); an appliance that has sat unpatched since then should be treated as having had its credentials and session store read, not merely patched. Check out Pwn Pulse on GitHub.
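The defensive counterpart to the script described above is spotting the file-read requests in the appliance's or a fronting proxy's access logs. The following is an added example written for this report, not code from Bishop Fox's tool or from the Pulse Pulse post: it scans web-server log lines for directory traversal aimed at Pulse Connect Secure's `/dana*` paths, percent-decoding repeatedly so that single- and double-encoded `..%2F` variants are caught. The log lines are constructed for illustration; the traversal request shape in them is modelled on the publicly documented CVE-2019-11510 request, and the severity labels and prefix list are this example's own assumptions.

```python
"""Flag CVE-2019-11510-style path traversal against Pulse Connect Secure in access logs."""
import re
from urllib.parse import unquote

# Constructed sample log lines in combined log format; not captured traffic.
# Lines 2 and 3 model the publicly documented traversal request shape
# (the query string carries a second /dana/ path); line 5 is a generic
# double-encoded traversal against a non-Pulse path.
SAMPLE_LOGS = [
    '10.0.0.5 - - [17/Oct/2019:10:01:02 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [17/Oct/2019:10:01:05 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1842 "-" "curl/7.64.0"',
    '203.0.113.7 - - [17/Oct/2019:10:01:06 +0000] "GET /dana-na/..%2Fdana/html5acc/guacamole/..%2F..%2F..%2F..%2F..%2F..%2Fetc/hosts?/dana/html5acc/guacamole/ HTTP/1.1" 200 310 "-" "curl/7.64.0"',
    '198.51.100.9 - - [17/Oct/2019:10:02:00 +0000] "GET /dana-na/css/ds.css HTTP/1.1" 304 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [17/Oct/2019:10:02:01 +0000] "GET /static/..%252F..%252Fetc/passwd HTTP/1.1" 404 0 "-" "python-requests/2.22"',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Pulse Connect Secure web roots (assumed list; extend for your deployment).
PULSE_PREFIXES = ("/dana-na/", "/dana/", "/dana-ws/", "/dana-cached/")
# A ".." path segment anywhere in the path, after decoding.
TRAVERSAL_RE = re.compile(r"(?:^|/)\.\.(?:/|$)")


def decode_target(target, rounds=3):
    """Percent-decode until stable (bounded) so %2F and %252F both become '/'."""
    prev = None
    for _ in range(rounds):
        if target == prev:
            break
        prev = target
        target = unquote(target)
    return target


def analyze(line):
    """Return a triage record for one log line, or None if no request could be parsed."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    raw = m.group("target")
    decoded = decode_target(raw)
    path, _, query = decoded.partition("?")
    traversal = bool(TRAVERSAL_RE.search(path))
    under_pulse = path.startswith(PULSE_PREFIXES)

    reasons = []
    if traversal:
        reasons.append("dot-dot traversal in path")
    if traversal and raw != decoded:
        reasons.append("percent-encoded traversal")
    if traversal and under_pulse:
        reasons.append("traversal under Pulse Secure /dana* path")
    if traversal and "/dana/" in query:
        reasons.append("/dana/ path duplicated in query string")

    if traversal and under_pulse:
        severity = "high"
    elif traversal:
        severity = "medium"
    else:
        severity = "none"
    return {
        "client": line.split()[0],
        "raw": raw,
        "path": path,
        "severity": severity,
        "reasons": reasons,
    }


def scan(lines):
    """Return only the records worth a look, in log order."""
    return [r for r in (analyze(l) for l in lines) if r and r["severity"] != "none"]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"[{hit['severity']}] {hit['client']} {hit['raw']}")
        for reason in hit["reasons"]:
            print(f"    - {reason}")
```

The signal is the traversal itself, not the file name at the end of it, so the rule is deliberately target-agnostic: matching only `/etc/passwd` would miss reads of the session store and configuration files that the script is actually after. A 200 response on a flagged line from an unpatched appliance means the read succeeded, and the session cookies and credentials on that box should be treated as exposed.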