This dangerous hacking tool is now on the loose

A dangerous post-exploitation toolkit, originally built for legitimate security testing, has now been cracked and leaked to hacking communities.

The toolkit is being shared across many different websites, and the potential repercussions could be huge now that it can fall into the hands of various threat actors.


This could be bad. The post-exploitation toolkit in question, called Brute Ratel C4, was initially created by Chetan Nayak. Nayak is an ex-red teamer, meaning that his job included attempting to breach the security of a given network while it was being actively defended by those on the blue team. Afterward, both teams discuss how it went and whether there are security flaws to improve upon.

Brute Ratel was created for that exact purpose. It was made for “red teamers” to use, with the ultimate goal of executing commands remotely on a compromised network. This makes it easier for the operator to gain access to the rest of the network.

Cobalt Strike is seen as a similar tool to Brute Ratel, and that tool has been heavily abused by ransomware gangs, which is why it’s fairly easy to detect. Brute Ratel has not been quite as widely spread up until now, and it has a licensing verification system that mostly kept the hackers at bay. Nayak is able to revoke the license of any company found to be fake or misusing the tool.

Unfortunately, that’s now a thing of the past, because a cracked version of the tool started to circulate. It was first uploaded to VirusTotal in its uncracked state, but a Russian group called Molecules was able to crack it and entirely remove the licensing requirement from it. This means that now, any potential hacker can get their hands on it if they know where to look.

Will Thomas, a cyber threat intelligence researcher, published a report on the cracked version of the tool. It has already spread to many English- and Russian-speaking communities, including CryptBB, RAMP, BreachForums, Exploit[.]in, Xss[.]is, and Telegram and Discord groups.


“There are now multiple posts on multiple of the most populated cybercrime forums where data brokers, malware developers, initial access brokers, and ransomware affiliates all hang out,” said Thomas in the report. In a conversation with Bleeping Computer, Thomas said that the tool works and no longer requires a license key.

Thomas explained the potential dangers of the tool, saying, “One of the most concerning aspects of the BRC4 tool for many security experts is its ability to generate shellcode that is undetected by many EDR and AV products. This extended window of detection evasion can give threat actors enough time to establish initial access, begin lateral movement, and achieve persistence elsewhere.”

Knowing that this powerful tool is out there, in the hands of hackers who should never have gained access to it, is definitely scary. Let’s hope that antivirus software developers can tighten the defenses against Brute Ratel soon enough.


Repost: Original Source and Author Link


Hacking group posted fake Ukrainian surrender messages, says Meta in new report

A Belarus-aligned hacking group has attempted to compromise the Facebook accounts of Ukrainian military personnel and posted videos from hacked accounts calling on the Ukrainian army to surrender, according to a new security report from Meta (the parent company of Facebook).

The hacking campaign, previously labeled “Ghostwriter” by security researchers, was carried out by a group known as UNC1151, which has been linked to the Belarusian government in research conducted by Mandiant. A February security update from Meta flagged activity from the Ghostwriter operation, but since that update, the company said that the group had attempted to compromise “dozens” more accounts, although it had only been successful in a handful of cases.

Where successful, the hackers behind Ghostwriter had been able to post videos that appeared to come from the compromised accounts, but Meta said that it had blocked these videos from being shared further.

The spreading of fake surrender messages has already been a tactic of hackers who compromised television networks in Ukraine and planted false reports of a Ukrainian surrender into the chyrons of live broadcast news. Though such statements can quickly be disproved, experts have suggested that their purpose is to erode Ukrainians’ trust in media overall.

The details of the latest Ghostwriter hacks were published in the first installment of Meta’s quarterly Adversarial Threat Report, a new offering from the company that builds on a similar report from December 2021 that detailed threats faced throughout that year. While Meta has previously published regular reports on coordinated inauthentic behavior on the platform, the scope of the new threat report is wider and encompasses espionage operations and other emerging threats like mass content reporting campaigns.

Besides the hacks against military personnel, the latest report also details a range of other actions conducted by pro-Russian threat actors, including covert influence campaigns against a variety of Ukrainian targets. In one case from the report, Meta alleges that a group linked to the Belarusian KGB attempted to organize a protest event against the Polish government in Warsaw, although the event and the account that created it were quickly taken offline.

Although foreign influence operations like these make up some of the most dramatic details of the report, Meta says that it has also seen an uptick in influence campaigns conducted domestically by repressive governments against their own citizens. In a conference call with reporters Wednesday, Facebook’s president for global affairs, Nick Clegg, said that attacks on internet freedom had intensified sharply.

“While much of the public attention in recent years has been focused on foreign interference, domestic threats are on the rise globally,” Clegg said. “Just as in 2021, more than half the operations we disrupted in the first three months of this year targeted people in their own countries, including by hacking people’s accounts, running deceptive campaigns and falsely reporting content to Facebook to silence critics.”

Authoritarian regimes generally looked to control access to information in two ways, Clegg said: firstly by pushing propaganda through state-run media and influence campaigns, and secondly by trying to shut down the flow of credible alternative sources of information.

Per Meta’s report, the latter approach has also been used to restrict information about the Ukraine conflict, with the company removing a network of around 200 Russian-operated accounts that engaged in coordinated reporting of other users for fictitious violations, including hate speech, bullying, and inauthenticity, in an attempt to have them and their posts removed from Facebook.

Echoing an argument taken from Meta’s lobbying efforts, Clegg said that the threats outlined in the report showed “why we need to protect the open internet, not just against authoritarian regimes, but also against fragmentation from the lack of clear rules.”



Justice Department pledges not to charge security researchers with hacking crimes

The US Department of Justice says it won’t subject “good-faith security research” to charges under anti-hacking laws, acknowledging long-standing concerns around the Computer Fraud and Abuse Act (CFAA). Prosecutors must also avoid charging people for simply violating a website’s terms of service — including minor rule-breaking like embellishing a dating profile — or using a work-related computer for personal tasks.

The new DOJ policy attempts to allay fears about the CFAA’s broad and ambiguous scope following a 2021 Supreme Court ruling that encouraged reading the law more narrowly. The ruling warned that government prosecutors’ earlier interpretation risked criminalizing a “breathtaking amount of commonplace computer activity,” laying out several hypothetical examples that the DOJ now promises it won’t prosecute. That change is paired with a safe harbor for researchers carrying out “good-faith testing, investigation, and/or correction of a security flaw or vulnerability.” The new rules take effect immediately, replacing old guidelines issued in 2014.

“The policy clarifies that hypothetical CFAA violations that have concerned some courts and commentators are not to be charged,” says a DOJ press release. “Embellishing an online dating profile contrary to the terms of service of the dating website; creating fictional accounts on hiring, housing, or rental websites; using a pseudonym on a social networking site that prohibits them; checking sports scores at work; paying bills at work; or violating an access restriction contained in a term of service are not themselves sufficient to warrant federal criminal charges.”

These guidelines reflect a newly limited interpretation of “exceeding authorized access” to a computer, a practice criminalized by the CFAA in 1986. As writer and law professor Orin Kerr explained in 2021, there’s been a decades-long conflict over whether people “exceed” their access by violating any rule laid down by a network or computer owner — or if they have to access explicitly off-limits systems and information. The former interpretation has led to cases like US v. Drew, where prosecutors charged a woman for creating a fake profile on Myspace. The Supreme Court leaned toward the latter version, and now, the DOJ theoretically does, too.

The policy doesn’t settle all criticisms of the CFAA, like its potential for disproportionately long prison sentences. It doesn’t make the underlying law any less vague since it only affects how prosecutors interpret it. The DOJ also warns that the security research exception isn’t a “free pass” for probing networks. Someone who found a bug and extorted the system’s owner using that knowledge, for instance, could be charged for performing that research in bad faith. Even with these limits, though, the rulemaking is a pledge to avoid slapping punitive anti-hacking charges on anyone who uses a computer system in a way its owner doesn’t like.



A teen is reportedly the mastermind behind the Lapsus$ hacking group

In recent weeks, the Lapsus$ hacking group has taken credit for accessing company data from Nvidia, Samsung, Ubisoft, Okta, and even Microsoft, and according to a new Bloomberg report, an England-based teenager might be the person heading up the operation.

“Four researchers investigating the hacking group Lapsus$, on behalf of companies that were attacked, said they believe the teenager is the mastermind,” Bloomberg said. However, the teenager, who apparently uses the online aliases “White” and “breachbase,” has not been accused by law enforcement, and the researchers “haven’t been able to conclusively tie him to every hack Lapsus$ has claimed,” Bloomberg said.

The teenager is apparently based about five miles outside of Oxford University, and Bloomberg says it was able to speak to his mother for ten minutes through a “doorbell intercom system” at the home. The teenager’s mother told the publication she did not know of allegations against him. “She declined to discuss her son in any way or make him available for an interview, and said the issue was a matter for law enforcement and that she was contacting the police,” Bloomberg said.

Lapsus$ apparently doesn’t just consist of the England-based teenager, though. Bloomberg reports that one suspected member is another teenager in Brazil and that seven unique accounts have been linked with the group. One of the members is apparently such a capable hacker that researchers thought the work was automated, one person involved in research about the group told Bloomberg.

According to cybersecurity expert Brian Krebs, a core member of Lapsus$, who may have used the aliases “Oklaqq” and “WhiteDoxbin,” also purchased Doxbin, a website where people can post or search for the personal information of others for the purposes of doxing. This WhiteDoxbin individual apparently wasn’t the best admin and had to sell the site back to its previous owner, but leaked “the entire Doxbin data set,” which led to the Doxbin community doxing WhiteDoxbin, “including videos supposedly shot at night outside his home in the United Kingdom,” Krebs reported.

Krebs also reports that this person may have been behind the EA data breach that took place last year. What may link the person in Bloomberg’s report to the one in Krebs’ is the name “breachbase.”

From Krebs:

Back in May 2021, WhiteDoxbin’s Telegram ID was used to create an account on a Telegram-based service for launching distributed denial-of-service (DDoS) attacks, where they introduced themself as “@breachbase.” News of EA’s hack last year was first posted to the cybercriminal underground by the user “Breachbase” on the English-language hacker community RaidForums, which was recently seized by the FBI.

The full picture surrounding Lapsus$ is still murky, but I strongly urge you to read both Bloomberg and Krebs’ reports to learn more about what may be going on.



Seven teenagers arrested in connection with the Lapsus$ hacking group

City of London Police have arrested seven teenagers due to their suspected connections with a hacking group that is believed to be the recently prolific Lapsus$ group, BBC News reports.

“The City of London Police has been conducting an investigation with its partners into members of a hacking group,” Detective Inspector Michael O’Sullivan of the City of London Police said in a statement to The Verge. “Seven people between the ages of 16 and 21 have been arrested in connection with this investigation and have all been released under investigation. Our enquiries remain ongoing.”

Lapsus$ has taken responsibility for some major security breaches at tech companies, including Nvidia, Samsung, Ubisoft, Okta, and Microsoft. On Wednesday, reports surfaced indicating an Oxford-based teenager is the mastermind of the group. City of London Police did not say if this teenager was among those arrested.

At least one member of Lapsus$ was also apparently involved with a data breach at EA, cybersecurity expert Brian Krebs reported on Wednesday in an extensive article about the group. Vice corroborated the group’s involvement in that breach in its own article on Thursday, noting that it was “emblematic of Lapsus$’s subsequent and massive hacks.”

The suspected mastermind’s identity was apparently revealed by angry customers doxing him. According to Krebs’ report, the group’s leader purchased Doxbin, a site where people can share or find personal information on others, last year, but was a poor owner of the site. He apparently gave up control in January but leaked “the entire Doxbin data set” to Telegram, and the Doxbin community retaliated by doxing him.

BBC News says it spoke to the teenager’s father, who was apparently unaware of his involvement with the group. “I had never heard about any of this until recently. He’s never talked about any hacking, but he is very good on computers and spends a lot of time on the computer,” the father said, according to BBC News. “I always thought he was playing games. We’re going to try to stop him from going on computers.”

Update March 24th, 12:05PM ET: Added City of London Police statement and additional context about the group.



Destructive hacking group REvil could be back from the dead

There was a period in 2021 when the computing world was gripped by fear of a dizzyingly effective hacking group fittingly named REvil — until its website was seized by the FBI and its members arrested by Russia’s security services, that is. Yet like a malevolent curse that just can’t be dispelled, it now seems the group’s websites are back online. Has the group returned to spread discord and wreak havoc once again?

In case you missed them the first time around, REvil came to global attention by hacking into various high-profile targets, pilfering secret documents, then threatening their release unless a ransom was paid. In a notable case, the group stole and published files from Apple supplier Quanta Computer, including some that spilled the beans on unreleased product designs.

Now, it looks like REvil’s sites on the dark web are back in action. According to Bleeping Computer, REvil’s websites are up and running and filled with information new and old, including a list of previous hacking victims alongside a couple of new ones. The hacking group’s domains are accessible through the Tor Browser, which masks URLs to facilitate user privacy.

Security researchers became aware of the new activity while monitoring the hacking forum RuTOR, where they saw an advertisement promoting REvil’s services with a new website that redirects to its old domain. The group’s updated services include an apparently improved version of the REvil ransomware, along with an 80/20 revenue-sharing model.

Does this mean that the original REvil crew has somehow been resurrected for another round of high-profile hacks and mischief? Well, that’s not entirely clear. Aside from the fact that the group was gutted by multiple law enforcement investigations around the world, there are other reasons to be suspicious.

For one thing, the website’s code is littered with references to other hacking groups, which might imply that a different malware gang has somehow taken control of REvil’s website. Another possibility is that the new site is a “honeypot” maintained by law enforcement or some other group and designed to capture information about potential clients of REvil.

For now, the mystery remains unsolved. But if REvil is indeed back from the grave — or another hacking group has decided to take it over — it doesn’t bode particularly well for the future, especially considering the havoc caused by hacking group LAPSUS$ in recent months. If you want to stay safe, you can start by ensuring you’re protected by one of the best antivirus apps available and avoid clicking suspicious links on the web or in your emails.




Microsoft says it took over servers being used by China-based hacking group Nickel

The Microsoft Digital Crimes Unit (DCU) has seized 42 websites that the China-based hacking group Nickel used to attack organizations in the US, as well as around the world, according to a report on Microsoft’s blog (via Bleeping Computer). Microsoft says that the attacks were likely carried out to gather intelligence from government agencies, think tanks, and human rights groups.

A US District Court in Virginia gave Microsoft permission to take control of the compromised websites on December 2nd, as outlined in the court document (PDF), allowing Microsoft to redirect traffic from those sites to Microsoft’s servers. While this won’t stop Nickel’s attacks completely, Microsoft says it should help “protect existing and future victims while learning more about Nickel’s activities.” You can view the full list of seized websites in this PDF.

Just after the DCU’s move to block Nickel, Google announced a lawsuit against two Russian individuals believed to be responsible for operating the Glupteba botnet. The botnet was reportedly used to infect one million Windows devices. Meanwhile, Google’s CyberCrime Investigation Group and Threat Analysis Group said they teamed up to delete “around 63M Google Docs observed to have distributed Glupteba, 1,183 Google Accounts, 908 Cloud Projects, and 870 Google Ads accounts associated with their distribution.”

In Microsoft’s initial complaint (PDF), the company says that Nickel uses a “variety of techniques” to install malware on victims’ computers, including compromising third-party virtual private networks and spear phishing. Due to the nature of Nickel’s attacks, the group is able to exfiltrate sensitive information from the device unbeknownst to the user.

“During the infection of a victim’s computer, Nickel deploys malware designed to make changes at the deepest and most sensitive levels of the computer’s Windows operating system,” Microsoft’s complaint reads. “The consequences of these changes are that the user’s version of Windows is essentially adulterated, and unknown to the user, has been converted into a tool to steal credentials and sensitive information from the user.”

Microsoft says that it’s been tracking Nickel since 2016, noting that the group is also referred to as APT15, KE3CHANG, Vixen Panda, Royal APT, and Playful Dragon. Nickel has targeted diplomatic organizations and ministries of foreign affairs across the world, including countries in North America, South America, Central America, the Caribbean, Europe, and Africa. It also reportedly strikes targets that align with China’s “geopolitical interests.”

With the 24 lawsuits that it has filed so far, Microsoft says that the DCU has shut down a total of over 10,000 compromised websites and blocked the registration of 600,000 potentially malicious sites.

In July, the US (along with several other nations) blamed the Chinese government for the Microsoft Exchange attack that compromised the emails of over 30,000 organizations in the US. Google and Microsoft have since pledged to help the US government bolster its cybersecurity.



Hacker targets ‘Apex Legends’ in plea to fix ‘Titanfall’ hacking

Apex Legends has reportedly been hacked to raise awareness of the unplayable state of developer Respawn’s other game series, Titanfall. Players have taken to social media to report that the battle royale’s server playlists are being replaced with a message that reads “SAVETITANFALL.COM, TF1 is being attacked so is Apex.” Gamers also received an “Important Message” popup after matches directing them to the same URL, which has been active for a few months now, according to PC Gamer.

The resulting disruption to matchmaking in Apex Legends prompted Respawn to publish a server update that it said resolved the issue. In tweets, the studio added that the attack “has not put players’ personal information or accounts at risk.”

While game hacking is often associated with cheating or theft, in this case it appears to have been an extreme expression of fan frustration over Respawn’s lack of attention toward Titanfall. Using a hack to advocate for an end to game hacks is also something you don’t see that often.

In short, Titanfall has suffered from numerous vulnerabilities that are leading to crashed or overloaded servers and disconnections. After years of complaints, Respawn recently confirmed that it was working on a fix for the problems, which have plagued the title on Origin and Steam.




The FBI is remotely hacking hundreds of computers to protect them from Hafnium

In what’s believed to be an unprecedented move, the FBI is trying to protect hundreds of computers infected by the Hafnium hack by hacking them itself, using the original hackers’ own tools (via TechCrunch).

The hack, which affected tens of thousands of Microsoft Exchange Server customers around the world and triggered a “whole of government response” from the White House, reportedly left a number of backdoors that could let any number of hackers right into those systems again. Now, the FBI has taken advantage of this by using those same web shells / backdoors to remotely delete themselves, an operation that the agency is calling a success.

“The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path),” explains the US Justice Department.

The wild part here is that owners of these Microsoft Exchange Servers likely aren’t yet aware of the FBI’s involvement; the Justice Department says it’s merely “attempting to provide notice” to owners that they attempted to assist. It’s doing all this with the full approval of a Texas court, according to the agency. You can read the unsealed search and seizure warrant and application right here.

It’ll be interesting to see if this sets a precedent for future responses to major hacks like Hafnium. While I’m personally undecided, it’s easy to argue that the FBI is doing the world a service by removing a threat like this — while Microsoft may have been painfully slow with its initial response, Microsoft Exchange Server customers have also now had well over a month to patch their own servers after several critical alerts. I wonder how many customers will be angry, and how many grateful that the FBI, not some other hacker, took advantage of the open door. We know that critical-but-local government infrastructure often has egregious security practices, most recently resulting in two local drinking water supplies being tampered with.

The FBI says that thousands of systems were patched by their owners before it began its remote Hafnium backdoor removal operation, and that it only “removed one early hacking group’s remaining web shells which could have been used to maintain and escalate persistent, unauthorized access to U.S. networks.”

“Today’s court-authorized removal of the malicious web shells demonstrates the Department’s commitment to disrupt hacking activity using all of our legal tools, not just prosecutions,” reads a statement from Assistant Attorney General John C. Demers, with the Justice Department’s National Security Division.

Today is Patch Tuesday, by the way, and Microsoft’s April 2021 security update includes new mitigations for Exchange Server vulnerabilities, according to CISA. If you’re running a local Exchange Server or know someone who is, take a look.



US announces charges against North Korean hackers for sweeping hacking scheme

The Justice Department unsealed charges Wednesday for three North Korean computer programmers accused of conspiring to extort over $1.3 billion from banks and other businesses across the globe, as first reported by The Washington Post.

In 2018, the Justice Department brought charges against one North Korean operative, Park Jin Hyok, for his involvement in the infamous Sony Pictures hack in 2014, as well as the devastating 2017 WannaCry ransomware attack. In Wednesday’s unsealed indictment, Park and others are accused of participating in a sweeping conspiracy to hack into banks and crypto exchanges, as well as of creating the WannaCry virus.

“North Korea’s operatives, using keyboards rather than guns, stealing digital wallets of cryptocurrency instead of stacks of cash, are the world’s leading bank robbers,” Assistant Attorney General John C. Demers said in a statement Wednesday. “The Department will continue to confront malicious nation state cyber activity with our unique tools and work with our fellow agencies and the family of norms abiding nations to do the same.”

The indictment was filed in December and alleges that the defendants work for North Korea’s military intelligence agency, the Reconnaissance General Bureau. The DOJ says that the defendants targeted cryptocurrency exchanges, stealing millions from banks and businesses around the world. They are also accused of multiple phishing campaigns from March 2016 to February 2020 targeting US military contractors, energy and technology companies, and the State and Defense departments.

The victims of this wide-ranging hacking conspiracy vary from the Central Bank of Bangladesh to cryptocurrency companies based in South Korea, Indonesia, and Slovenia, according to the indictment.

“Simply put, the regime has become a criminal syndicate with a flag,” Demers said on Wednesday.
