Top Hacking News

Today the Hacktivist group Anonymous successfully hacked the official rss.org website based on India as cyberguerrilla website claims. Anonymous said the RSS have killed a lot of innocents people and that is the reason for this RSS Data Leak.


The Anonymous wrote this text message:

"RSS.ORG LEAKED! #Anonymous #CyberLeaks
Hi Brothers and Sisters, there is the Leaked data from rss.org. The terrorist group based on India!
Download: http://www.mediafire.com/file/92tmvobk8xg2va4/LEAKED+rss.org+.rar
Password is: opindia
There are documents , admins informations , admins computers and more. They got explosed By Anonymous!
Spread it.
This hack is part of #OpIndia, more leaks is coming
We are: Anonymous Ghost , Anonymous Greece, MinionGhost,  AnonGhost Philippines.
Best regards, Anonymous! CyberLeaks"
So, the Data Leak from RSS is public? Yes, and anyone can download it. Its a rar file from mediafire

The leak contains the following files:

• PDF Documents from Rss.org website
• All usernames + Last names 
• rss.org computers ( Windows 7 and Vista )
• Admin informations

MalwareTech — the security researcher who stopped the WannaCry ransomware outbreak — was arrested in Las Vegas on accusations of creating the Kronos banking trojan together with another person.

The arrest — first reported by Motherboard — took place yesterday, August 2, after the DEF CON security conference.

According to an official indictment, authorities arrested MalwareTech — real name Marcus Hutchins, 23, from the UK — for creating and updating Kronos, a well-known banking trojan that uses a technique called web injects to insert fake login pages for online banking portals in various browsers.

MalwareTech allegedly created Kronos in 2014

Kronos was first spotted in July 2014 and was the last time seen active in June 2016. In July 2014, Kronos was available for sale on a major Russian underground forum for a price tag of $7,000.

The official indictment accuses MalwareTech of creating and updating the Kronos trojan, while his accomplice — currently unnamed — advertised the malware on hacking forums (for $3,000) and AlphaBay (for $2,000).

US officials seized the servers of the AlphaBay Dark Web marketplace on July 4, 2017. The filing date on the indictment is July 11, 2017.

According to the indictment, the two accomplices made at least one successful sale of Kronos on AlphaBay, yet again revealing that US authorities most likely used the seized AlphaBay data to verify and confirm the purchase.

MalwareTech stopped the WannaCry outbreak

In May 2017, MalwareTech became a world-famous hero when he stopped the spread of the WannaCry ransomware.

MalwareTech's arrest shocked the security community. Fellow security researchers have a hard time believing the accusations. Many believe MalwareTech was framed or investigators might have screwed up their investigation [1, 2, 3, 4].


MalwareTech's arrest also caused a ruckus in the infosec industry as friends couldn't pin where he was detained and provide him with the proper legal counsel.

At the time of his arrest, MalwareTech was an employee of Kryptos Logic, a UK-based cyber-security company.

Bleepingcomputer

The 22-year-old British security researcher who gained fame for discovering the "kill switch" that stopped the outbreak of the WannaCry ransomware—has been reportedly arrested in the United States after attending the Def Con hacking conference in Las Vegas.

Marcus Hutchins, operates under the alias MalwareTech on Twitter, was detained by the FBI in the state of Nevada, a friend of Hutchins confirmed Motherboard.

At the time of writing, it is unclear why the Internet's 'accidental hero' has been detained by the FBI, but his arrest has sparked an endless debate in the security community.

Hutchins became famous over two months ago when the WannaCry ransomware began hitting businesses, organisations and individuals across the world, and he accidentally halted its global spread by registering a domain name hidden in the malware.

The domain as mentioned above was responsible for keeping WannaCry ransomware propagating and spreading like a worm, and if the connection to this domain fails, the SMB worm proceeds to infect the system.

Fortunately, Hutchins registered this domain in question and created a sinkhole–tactic researchers use to redirect traffic from the infected machines to a self-controlled system.

Hutchins is quite active on Twitter, but from last 24 hours, we have not seen any tweet from his account, which suggests the reports are likely correct.

Andrew Mabbitt, Hutchins’s friend has confirmed that he has currently been detained at FBI’s field office in Las Vegas. His friend is also asking for some legal help.
Just today, in a separate news we reported that the hackers behind WannaCry cashed out over $140,000 from their Bitcoins wallets, where victims were instructed to send ransom payments.

Since both news came on the same day, some people have started making conspiracy theories about the involvement of both the events, though nothing is clear at this moment.

WannaCry was really bad, as the nasty ransomware forced the British NHS (National Health Service) to shut down hospitals and doctor's surgeries, and infected a Spanish telecommunications company and Russian mobile operator, among much more.

Even a month after its outbreak, the WannaCry ransomware was found infecting systems at Honda Motor Company, forcing its Japan-based factory to shut down its production, and 55 speed and traffic light cameras in Victoria, Australia.

The British National Crime Agency has confirmed an arrest of a British citizen but hasn't confirmed it is Hutchins.

Update: Marcus Hutchins Accused for Creating Banking Malware

According to a spokesperson from the U.S. Department of Justice Hutchins has been arrested by the FBI for "his role in creating and distributing the Kronos banking Trojan" between 2014-2015.

Kronos malware was distributed via emails with malicious attachments containing compromised Microsoft word documents and used to hijack credentials such as banking passwords to let attackers steal money with ease.

According to Hutchins indictment, shown below, he has been accused of six counts of hacking-related crimes along with another unnamed co-defendant allegedly involved in the development of Kronos malware.


In 2014, the Kronos banking malware was made available for purchase in a Russian underground forum for a price tag of $7,000, with even an option for users to test the malware for a week before buying it.

Last year researchers also discovered that this banking Trojan was used in 2015 campaign for distributing point-of-sale (POS) malware dubbed ScanPOS as the secondary payload.

The Hacker News

Although the wave of WannaCry and Petya ransomware has now been slowed down, money-motivated hackers and cyber criminals have taken lessons from the global outbreaks to make their malware more powerful.

Security researchers have now discovered at least one group of cyber criminals that are attempting to give its banking Trojan the self-spreading worm-like capabilities that made recent ransomware attacks go worldwide.

The new version of credential stealing TrickBot banking Trojan, known as "1000029" (v24), has been found using the Windows Server Message Block (SMB)—that allowed WannaCry and Petya to spread across the world quickly.

TrickBot is a banking Trojan malware that has been targeting financial institutions across the world since last year.

The Trojan generally spreads via email attachments impersonating invoices from a large unnamed "international financial institution," but actually leads victims to a fake login page used to steal credentials.

Last week, researchers at Flashpoint, who've been continually tracking TrickBot activities and its targets, have discovered that the TrickBot Trojan has just been evolved to spread locally across networks via Server Message Block (SMB).

Since the new version of TrickBot is still being tested, the new features are not fully implemented by the hacking gang behind the Trojan. It also doesn't have the ability to randomly scan external IPs for SMB connections, unlike WannaCry which exploited a vulnerability dubbed EternalBlue.

Flashpoint researchers said the trojan is modified to scan domains for lists of vulnerable servers via the NetServerEnum Windows API and enumerate other computers on the network via Lightweight Directory Access Protocol (LDAP).

The new TrickBot variant can also be disguised as 'setup.exe' and delivered through a PowerShell script to spread through interprocess communication and download additional version of TrickBot onto shared drives.

According to the researchers, the latest discovery of new TrickBot variant provides an insight into what the operators behind the malware might be using in the near-future.

"Flashpoint assesses with moderate confidence that the Trickbot gang will likely continue to be a formidable force in the near term," said Vitali Kremez, director of Research at Flashpoint. 

"Even though the worm module appears to be rather crude in its present state, it's evident that the Trickbot gang learned from the global ransomware worm-like outbreaks of WannaCry and 'NotPetya' and is attempting to replicate their methodology."

In order to safeguard against such malware infection, you should always be suspicious of unwanted files and documents sent over an email and should never click on links inside them unless verifying the source.

To always have a tight grip on your valuable data, keep a good backup routine in place that makes their copies to an external storage device that is not always connected to your PC.


Moreover, make sure that you run an effective anti-virus security suite on your system, and keep it up-to-date.

The Hacker News

Cyber criminals are becoming more adept, innovative, and stealthy with each passing day. They have now shifted from traditional to more clandestine techniques that come with limitless attack vectors and are harder to detect.

Security researchers have discovered that one of the most dangerous Android banking Trojan families has now been modified to add a keylogger to its recent strain, giving attackers yet another way to steal victims sensitive data.

Kaspersky Lab's Senior malware analyst Roman Unuchek spotted a new variant of the well-known Android banking Trojan, dubbed Svpeng, in the mid of last month with a new keylogger feature, which takes advantage of Android's Accessibility Services.

Trojan Exploits 'Accessibility Services' to Add Keylogger

Yes, the keylogger added in the new version of Svpeng takes advantage of Accessibility Services — an Android feature that provides users alternative ways to interact with their smartphone devices.

This change makes the Svpeng Trojan able not only to steal entered text from other apps installed on the device and log all keystrokes, but also to grant itself more permissions and rights to prevent victims from uninstalling the Trojan.

In November last year, the Svpeng banking trojan infected over 318,000 Android devices across the world over the span of only two months with the help of Google AdSense advertisements that was abused to spread the malicious banking Trojan.

Over a month ago, researchers also discovered another attack taking advantage of Android's Accessibility Services, called Cloak and Dagger attack, which allows hackers to silently take full control of the infected devices and steal private data.

If You Are Russian, You Are Safe!

Although the new variant of the Svpeng malware is not yet widely deployed, the malware has already hit users in 23 countries over the course of a week, which include Russia, Germany, Turkey, Poland, and France.

But what's worth noticing is that, even though most infected users are from Russia, the new variant of Svpeng Trojan doesn't perform malicious actions on those devices.

According to Unuchek, after infecting the device, the Trojan first checks the device's language. If the language is Russian, the malware prevents further malicious tasks—this suggests the criminal group behind this malware is Russian, who are avoiding to violate Russian laws by hacking locals.

How 'Svpeng' Trojan Steals Your Money

Unuchek says the latest version of Svpeng he spotted in July was being distributed through malicious websites that disguised as a fake Flash Player.
Once installed, as I have mentioned above, the malware first checks for the device language and, if the language is not Russian, asks the device to use Accessibility Services, which opens the infected device to a number of dangerous attacks.


With having access to Accessibility Services, the Trojan grants itself device administrator rights, displays an overlay on the top of legitimate apps, installs itself as a default SMS app, and grants itself some dynamic permissions, such as the ability to make calls, send and receive SMS, and read contacts.

Additionally, using its newly-gained administrative capabilities, the Trojan can block every attempt of victims to remove device administrator rights—thereby preventing the uninstallation of the malware.

Using accessibility services, Svpeng gains access to the inner working of other apps on the device, allowing the Trojan to steal text entered on other apps and take screenshots every time the victim presses a button on the keyboard, and other available data.

"Some apps, mainly banking ones, do not allow screenshots to be taken when they are on top. In such cases, the Trojan has another option to steal data – it draws its phishing window over the attacked app," Unuchek says. 

"It is interesting that, in order to find out which app is on top, it uses accessibility services too."

All the stolen information is then uploaded to the attackers' command and control (C&C) server. As part of his research, Unuchek said he managed to intercept an encrypted configuration file from the malware's C&C server.

Decrypting the file helped him find out some of the websites and apps that Svpeng targets, as well as help him obtain a URL with phishing pages for both the PayPal and eBay mobile apps, along with links for banking apps from the United Kingdom, Germany, Turkey, Australia, France, Poland, and Singapore.


Besides URLs, the file also allows the malware to receive various commands from the C&C server, which includes sending SMS, collecting information such as contacts, installed apps and call logs, opening the malicious link, gathering all SMS from the device, and stealing incoming SMS.

The Evolution of 'Svpeng' Android Banking Malware

Researchers at Kaspersky Lab initially discovered the Svpeng Android banking malware trojan back in 2013, with primary capability—Phishing.

Back in 2014, the malware was then modified to add a ransomware component that locked victim's device (by FBI because they visited sites containing pornography) and demanded $500 from users.

The malware was among the first to begin attacking SMS banking, use phishing web pages to overlay other apps in an effort to steal banking credentials and to block devices and demand money.

In 2016, cyber criminals were actively distributing Svpeng via Google AdSense using a vulnerability in the Chrome web browser, and now abusing Accessibility Services, which possibly makes Svpeng the most dangerous mobile banking malware family to date that can steal almost anything—from your Facebook credentials to your credit cards and bank accounts.

How to Protect Your Smartphone From Hackers

With just Accessibility Services, this banking Trojan gains all necessary permissions and rights to steal lots of data from the infected devices.

The malicious techniques of the Svpeng malware even work on fully-updated Android devices with the latest Android version and all security updates installed, so it is little users can do in order to protect themselves.


There are standard protection measures you need to follow to remain unaffected:

• Always stick to trusted sources, like Google Play Store and the Apple App Store, but only from trusted and verified developers.
• Most importantly, verify app permissions before installing apps. If any app is asking more than what it is meant for, just do not install it.
• Do not download apps from third party sources, as most often such malware spreads via untrusted third-parties.
• Avoid unknown and unsecured Wi-Fi hotspots and Keep your Wi-Fi turned OFF when not in use.
• Never click on links provided in an SMS, MMS or email. Even if the email looks legit, go directly to the website of origin and verify any possible updates.
• Install a good antivirus app that can detect and block such malware before it can infect your device, and always keep the app up-to-date.

If you are a fan of Game of Thrones here is a shocking news for you – Home Box Office (HBO), has joined the list of media giant who suffered data breaches. In HBO’s case, hackers have leaked unreleased and upcoming episodes and scripts of groundbreaking Television show Game of Thrones.

That’s not all, hackers who have claimed responsibility for the hack are threatening to leak more data in coming days. So far, according to a report from Entertainment Weekly, hackers have sent emails to several media outlets claiming that they have stolen 1.5 terabytes of data from HBO’s system.

Entertainment Weekly noted that the data contains upcoming episode of Ballers and Room 104 (which has apparently been leaked online) and files which seem related to the fourth episode of Game of Thrones which will be aired next week.

The email sent to the media outlets said that:

 “Hi to all mankind. The greatest leak of cyber space era is happening. What’s its name? Oh I forget to tell. Its HBO and Game of Thrones……!!!!!! You are lucky to be the first pioneers to witness and download the leak. Enjoy it & spread the words. Whoever spreads well, we will have an interview with him. HBO is falling.” 

HBO, on the other hand, has acknowledged the breach. However, it doesn’t confirm if Game of Thrones related data was stolen or not or what kind of data was stolen by the hackers.

“HBO recently experienced a cyber incident, which resulted in the compromise of proprietary information,” HBO network said in a statement.

[…]

“We immediately began investigating the incident and are working with law enforcement and outside cyber security firms. Data protection is a top priority at HBO, and we take seriously our responsibility to protect the data we hold.”

It is unclear who is behind this breach and why did they choose to target HBO. In case if hackers have access to such a massive trove of data it will be devastating for the network. Remember, in December 2014; Sony suffered a similar breach in which a hacking group going by the handle of “Guardians of Peace” (GOP) stole a massive amount of data from Sony’s servers and ended up leaking movies and financial information of the company.

In an email alert sent by HBO’s chairman and CEO Richard Plepler, it was stated that:

The problem before us is unfortunately all too familiar in the world we now find ourselves a part of. As has been the case with any challenge we have ever faced, I have absolutely no doubt that we will navigate our way through this successfully.”

Source: Hack Read

China is well known for its online censorship and surveillance tactics, but earlier today news broke that Apple has removed all virtual private network (VPN) apps from App Store in China. This means Apple users in China can not avail online anonymity anymore and their privacy is at high risk.

ExpressVPN, a British Virgin Islands-based VPN provider, was the first one to notice the issue when their app was removed from the App Store. Upon further digging, ExpressVPN discovered that Apple had removed all major VPN apps from the App Store.

In their blog post, ExpressVPN wrote that: 

“We’re disappointed in this development, as it represents the most drastic measure the Chinese government has taken to block the use of VPNs to date, and we are troubled to see Apple aiding China’s censorship efforts. ExpressVPN strongly condemns these measures, which threaten free speech and civil liberties.”

A screenshot shared by ExpressVPN shows Apple’s notification about the removal of their app from the Store.


Another VPN service provider VyprVPN told HackRead that their app has also been removed from the app store. In their blog post, VyprVPN wrote that their “VPN support is built into the iOS operating system so users can continue to use VyprVPN on iOS without the App by using our manual iOS VPN setup instructions.”

Another good news is that those users who have set up their billing address outside of China can still download and use the VPN apps from other territories.

Just last week, it was reported that China is forcing its Muslim citizens to install spyware on their devices so the government authorities can spy and monitor their online activities.

This came as no surprise since the search engine giant Google, and social media giant Facebook is already banned in China. However, the users outside of China have heavily criticized Apple for aiding China in its war against online privacy.

Source: Hack Read

WikiLeaks has just published a new set of classified documents linked to another CIA project, dubbed 'Imperial,' which reveals details of at least three CIA-developed hacking tools and implants designed to target computers running Apple Mac OS X and different flavours of Linux operating systems.

If you are a regular reader of THN, you must be aware that this latest revelation by the whistleblower organisation is the part of an ongoing CIA-Vault 7 leaks, marking it as the 18th batch in the series.
If you are unaware of the Vault 7 leaks, you can head on to the second of this article for having a brief look on all the leaks at once.

Achilles — Tool to Backdoor Mac OS X Disk Images

Dubbed Achilles, the hacking tool allows CIA operators to combine malicious Trojan applications with a legitimate Mac OS app into a disk image installer (.DMG) file.
The binding tool, the shell script is written in Bash, gives the CIA operators "one or more desired operator specified executables" for a one-time execution.

As soon as an unsuspecting user downloads an infected disk image on his/her Apple computer, opens and installs the software, the malicious executables would also run in the background.

Afterwards, all the traces of the Achilles tool would be "removed securely" from the downloaded application so that the file would "exactly resemble" the original legitimate app, un-trojaned application, making it hard for the investigators and antivirus software to detect the initial infection vector.

Achilles v1.0, developed in 2011, was only tested on Mac OS X 10.6, which is Apple's Snow Leopard operating system that the company launched in 2009.

SeaPea — Stealthy Rootkit For Mac OS X Systems

The second hacking tool, called SeaPea, is a Mac OS X Rootkit that gives CIA operators stealth and tool launching capabilities by hiding important files, processes and socket connections from the users, allowing them to access Macs without victims knowledge.

Developed in 2011, the Mac OS X Rootkit works on computers running then-latest Mac OS X 10.6 (Snow Leopard) Operating System (32- or 64-bit Kernel Compatible) and Mac OS X 10.7 (Lion) Operating System.


The rootkit requires root access to be installed on a target Mac computer and cannot be removed unless the startup disk is reformatted or the infected Mac is upgraded to the next version of the operating system.

Aeris — An Automated Implant For Linux Systems

The third CIA hacking tool, dubbed Aeris, is an automated implant written in C programming language that is specifically designed to backdoor portable Linux-based Operating Systems, including Debian, CentOS, Red Hat — along with FreeBSD and Solaris.

Aeris is a builder that CIA operators can use to generate customised impacts, depending upon their covert operation.

Last week, WikiLeaks revealed about CIA contractor Raytheon Blackbird Technologies, which analysed in-the-wild advanced malware and hacking techniques and submitted at least five reports to the agency for help develop their own malware.

Since March, the whistle-blowing group has published 18 batches of "Vault 7" series, which includes the latest and last week leaks, along with the following batches:

• Highrise Project — the alleged CIA project that allowed the spying agency to stealthy collect and forwarded stolen data from compromised smartphones to its server through SMS messages.
• BothanSpy and Gyrfalcon — two alleged CIA implants that allowed the spying agency to intercept and exfiltrate SSH credentials from targeted Windows and Linux operating systems using different attack vectors.
• OutlawCountry – An alleged CIA project that allowed it to hack and remotely spy on computers running the Linux operating systems.
• ELSA – the alleged CIA malware that tracks geo-location of targeted PCs and laptops running the Microsoft Windows operating system.
• Brutal Kangaroo – A tool suite for Microsoft Windows used by the agency to targets closed networks or air-gapped computers within an organization or enterprise without requiring any direct access.
• Cherry Blossom – An agency's framework, basically a remotely controllable firmware-based implant, used for monitoring the Internet activity of the targeted systems by exploiting vulnerabilities in Wi-Fi devices.
• Pandemic – A CIA's project that allowed the agency to turn Windows file servers into covert attack machines that can silently infect other computers of interest inside a targeted network.
• Athena – A CIA's spyware framework that has been designed to take full control over the infected Windows PCs remotely, and works against every version of Microsoft's Windows operating systems, from Windows XP to Windows 10.
• AfterMidnight and Assassin – Two alleged CIA malware frameworks for the Microsoft Windows platform that has been designed to monitor and report back actions on the infected remote host computer and execute malicious actions.
• Archimedes – Man-in-the-middle (MitM) attack tool allegedly created by the CIA to target computers inside a Local Area Network (LAN).
• Scribbles – A piece of software reportedly designed to embed 'web beacons' into confidential documents, allowing the agency to track insiders and whistleblowers.
• Grasshopper – Framework which allowed the spying agency to easily create custom malware for breaking into Microsoft's Windows and bypassing antivirus protection.
• Marble – Source code of a secret anti-forensic framework, basically an obfuscator or a packer used by the CIA to hide the actual source of its malware.
• Dark Matter – Hacking exploits the agency designed to target iPhones and Macs.
• Weeping Angel – Spying tool used by the agency to infiltrate smart TV's, transforming them into covert microphones.
• Year Zero – Alleged CIA hacking exploits for popular hardware and software.