August 18, 2017
UNM4SK3D: HBO, NetSarang, and Fancy Bear
#hacked
Blackmail is coming. In a bizarre string of events, HBO's hit show Game of Thrones is at the center of breaches and episode leaks, among other pieces of this growing hacker's puzzle. Initially, unknown hackers claimed to have 1.5 terabytes of data from HBO and leaked that information in two batches to prove they were not bluffing. The leaked material included upcoming episodes of 'Ballers' and 'Room 104,' Game of Thrones scripts from Season 7, HBO emails, employment agreements, and balance sheets, for which they demanded a ransom of nearly $6 million in Bitcoin. Trying to appease the hackers, an HBO executive offered $250,000 as a 'bug bounty' and a 'show of good faith,' requesting that the ransom deadline be extended. This email exchange appeared only to anger the hackers further and was also leaked.

Meanwhile, HBO Spain appeared to have accidentally broadcast Season 7 Episode 6 of Game of Thrones five days before its official premiere; the episode quickly circulated online despite being taken down after an hour. In a statement, HBO said, "We have learned that the upcoming episode of Game of Thrones was accidentally posted for a brief time on the HBO Nordic and HBO España platforms," while trying to assure viewers that it was not connected to the recent cyber incident at HBO in the US. Separately, four individuals were arrested in India "for unauthorized publication of the fourth episode from Season 7," says Deputy Commissioner of Police Akbar Pathan. The accused work for a Mumbai company that stores and processes HBO TV programs for an app. This case is apparently unrelated to the ongoing data breach at HBO and the accidental leak by HBO Spain, but is being investigated further.

The latest chapter of this saga is another hack, this time of the HBO and Game of Thrones Twitter and Facebook accounts. Saudi Arabian hacking group 'OurMine' claimed responsibility for this hack and got #HBOhacked trending on Twitter.
OurMine previously compromised the social media accounts of major companies' CEOs, including Twitter CEO Jack Dorsey, Facebook CEO Mark Zuckerberg, and Google CEO Sundar Pichai. It appears that the group never goes beyond demonstrating that it can gain access to the accounts, but HBO removed the messages shortly after they were posted nonetheless. It is uncertain whether or not OurMine is responsible for the 1.5-terabyte data theft, but many seem to believe they are not.
"Hi, OurMine are here, we are just testing your security, HBO team, please contact us to upgrade the security -ourmine.org" -OurMine tweet from HBO accounts

Want to read about the initial HBO hack? Catch up with this previous 'UNM4SK3D.'
#backdoor
'ShadowPad' isn't the nickname for your new mancave. No, it's the secret backdoor leveraged by hackers that allowed them to gain access to networks protected by cryptographically signed software from NetSarang. The software, used by "hundreds of banks, media firms, energy companies, and pharmaceutical firms, telecommunication providers, transportation and logistics and other industries," was infiltrated for 17 days starting July 18th before being discovered by researchers. Hackers were able to gain access to the update mechanism for the popular NetSarang server management software package and altered it to include an advanced backdoor. In doing so, malicious code was delivered unnoticed via the backdoor to all of NetSarang's clients.

First discovered by Kaspersky Lab, the backdoor was described by its researchers as follows: "The tiered architecture prevents the actual business logics of the backdoor from being activated until a special packet is received from the first tier command and control (C&C) server (activation C&C server)." 'ShadowPad' was hidden in layers of encrypted code, with the backdoor pinging out every 8 hours to a command-and-control server with information on the compromised computers, including domain names, network details, and usernames. The malicious software was immediately pulled from the company's website and replaced with the previous, untampered version.

The affected NetSarang software packages are:
- Xmanager Enterprise 5.0 Build 1232
- Xmanager 5.0 Build 1045
- Xshell 5.0 Build 1322
- Xftp 5.0 Build 1218
- Xlpd 5.0 Build 1220
"ShadowPad is an example of the dangers posed by a successful supply-chain attack. Given the opportunities for covert data collection, attackers are likely to pursue this type of attack again and again with other widely used software components." -Kaspersky Lab

Get hands-on with backdoors. Read the tutorial 'Putting a Backdoor On Executable Files' and try it for yourself.
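The fixed 8-hour check-in described above is exactly the kind of behaviour a defender can hunt for in outbound connection logs. The following is an added example, not code from the article or from Kaspersky Lab: it groups connections by (source, destination) and flags pairs whose gaps cluster tightly around the 8-hour period. The log lines and the 8-hour period, tolerance and minimum-connection values are constructed assumptions for the demonstration.

```python
"""Flag hosts whose outbound connections to one destination recur at a fixed interval."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample firewall/proxy log: UTC timestamp, source host, destination IP.
SAMPLE_LOG = """\
2017-07-20T00:03:11Z host-a 203.0.113.10
2017-07-20T08:03:14Z host-a 203.0.113.10
2017-07-20T16:03:09Z host-a 203.0.113.10
2017-07-21T00:03:12Z host-a 203.0.113.10
2017-07-20T01:15:00Z host-b 198.51.100.7
2017-07-20T01:16:30Z host-b 198.51.100.7
2017-07-20T09:40:00Z host-b 198.51.100.7
2017-07-20T10:02:00Z host-c 203.0.113.10
"""

def parse_log(text):
    """Group connection timestamps by (source, destination) pair."""
    pairs = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst = line.split()
        pairs[(src, dst)].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return pairs

def find_beacons(pairs, period_s=8 * 3600, tolerance=0.02, min_conns=3):
    """Return (src, dst, mean_gap_s, count) for pairs whose gaps all sit near period_s.
    tolerance bounds both the deviation of the mean gap from period_s and the
    relative jitter (population stdev / mean) of the gaps."""
    hits = []
    for (src, dst), times in pairs.items():
        times = sorted(times)
        if len(times) < min_conns:
            continue  # too few connections to call it periodic
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue
        if abs(avg - period_s) / period_s <= tolerance and pstdev(gaps) / avg <= tolerance:
            hits.append((src, dst, round(avg), len(times)))
    return hits

if __name__ == "__main__":
    for src, dst, gap, n in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{src} -> {dst}: {n} connections every ~{gap / 3600:.1f} h")
```

Only host-a is reported: its four connections are 8 hours apart within seconds, while host-b's gaps are irregular and host-c connects once.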
#malware
It appears the infamous Russian hacking group 'Fancy Bear' is up to its old tricks, this time using EternalBlue to target high-value guests on the Wi-Fi networks of European hotels. In an attempt to gain persistence on hotel networks, for the assumed purpose of carrying out surveillance on guests using the Wi-Fi, this attack exploits the Windows SMB vulnerability (CVE-2017-0143) using the exploit known as EternalBlue. You may recall 'Fancy Bear' (aka APT28) as the group accused of hacking the Democratic National Committee (DNC) and the Clinton campaign. In the past, they have used malicious Word documents sent to hotels as a way of spreading GameFish malware, but now it appears they've upgraded their tactics. EternalBlue leverages version 1 of Windows' Server Message Block (SMB) networking protocol to spread laterally across networks. This legacy service was removed from Windows as of Server 2012 R2, suggesting the attackers have knowledge of the "unsurprising fact that hotels are using old software."

The attack starts with a phishing email sent to one of the hotel employees. The email, containing the malicious document 'Hotel_Reservation_Form.doc,' uses macros to decode and deploy GameFish. Then, once the malware is installed on the hotel's network, "GameFish uses the EternalBlue SMB exploit to laterally spread across the hotel network and find systems that control both guest and internal Wi-Fi networks." Next, it deploys 'Responder,' an open source penetration testing tool created by Laurent Gaffie of SpiderLabs. 'Responder' is used for NetBIOS Name Service (NBT-NS) poisoning, allowing whoever runs it to capture credentials sent over the wireless network. Despite the escalation in techniques by this well-known group, this is not the first time the hospitality industry has been targeted. The 'Darkhotel' attacks from 2014, which targeted CEOs, are another example.
"To spread through the hospitality company's network, APT28 used a version of the EternalBlue SMB exploit. This is the first time we have seen APT28 incorporate this exploit into their intrusions." -FireEye researchers

KnowBe4 has also been covering this developing story. Read 'Hackers are Targeting Hotel Wi-Fi with Particularly Evil Malware and Spear Phishing' for more.
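NBT-NS poisoning works because the poisoner answers name queries for names it does not own, so a defender on a hotel or office segment can detect it with a canary: broadcast a query for a name that no legitimate host uses and treat any answer as a poisoner. The following is an added example, not code from the article, FireEye or the Responder project: it builds the RFC 1002 NAME QUERY REQUEST by hand, decodes any NAME QUERY RESPONSE, and reports who answered. The canary name, the broadcast address and the timeout are assumptions.

```python
"""NBT-NS poisoning canary: query a name nobody owns and decode any answer."""
import os
import socket
import struct

CANARY_NAME = "NOSUCHHOST-CNRY"  # assumed: no legitimate host uses this name

def encode_nb_name(name, suffix=0x20):
    """First-level NetBIOS name encoding (RFC 1001 s14.1): 15-byte padded name plus suffix, each nibble written as 'A'..'P'."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    return b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)]) for b in raw)

def build_query(name, txid):
    """NBT-NS NAME QUERY REQUEST with the broadcast flag set (RFC 1002 s4.2.12)."""
    header = struct.pack(">HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    question = b"\x20" + encode_nb_name(name) + b"\x00" + struct.pack(">HH", 0x0020, 1)
    return header + question

def parse_response(data, txid):
    """IPv4 addresses from a positive NAME QUERY RESPONSE for txid, else []."""
    if len(data) < 13:
        return []
    rid, flags, _qd, ancount = struct.unpack(">HHHH", data[:8])
    if rid != txid or not flags & 0x8000 or ancount == 0:
        return []
    # RR_NAME is a 2-byte compression pointer or a full 34-byte encoded name.
    pos = 12 + (2 if data[12] & 0xC0 == 0xC0 else 34)
    if len(data) < pos + 10:
        return []
    _rtype, _rclass, _ttl, rdlength = struct.unpack(">HHIH", data[pos:pos + 10])
    rdata = data[pos + 10:pos + 10 + rdlength]
    # RDATA holds 6-byte entries: NB_FLAGS (2 bytes) then NB_ADDRESS (4 bytes).
    return [socket.inet_ntoa(rdata[i + 2:i + 6]) for i in range(0, len(rdata) - 5, 6)]

def probe(broadcast="255.255.255.255", timeout=2.0):
    """Broadcast the canary query; every (responder_ip, claimed_addresses) returned is a poisoner, since nobody owns CANARY_NAME."""
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        sock.settimeout(timeout)
        sock.sendto(build_query(CANARY_NAME, txid), (broadcast, 137))
        hits = []
        try:
            while True:
                data, (src, _) = sock.recvfrom(1024)
                addrs = parse_response(data, txid)
                if addrs:
                    hits.append((src, addrs))
        except socket.timeout:
            return hits
```

Run probe() on the segment you are checking; a clean network returns an empty list, and any entry names a host answering for a name it cannot own, which is the signature of NBT-NS poisoning. The same logic applies unchanged to NetBIOS suffixes other than 0x20 via the suffix argument.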