The Hacker News — Cyber Security, Hacking, Technology News

Here we are with our weekly roundup, briefing this week's top cyber security threats, incidents and challenges.

This week has been very short with big news from shutting down of two of the largest Dark Web marketplaces and theft of millions of dollars in the popular Ethereum cryptocurrency to the discovery of new Linux malware leveraging SambaCry exploit.

We are here with the outline of this week's stories, just in case you missed any of them. We recommend you read the entire thing (just click 'Read More' because there's some valuable advice in there as well).

Here's the list of this Week's Top Stories:

1. Feds Shuts Down AlphaBay and Hansa Dark Web Markets — Dream Market Under Suspicion

On Thursday, Europol announced that the authorities had shut down two of the largest criminal Dark Web markets — AlphaBay and Hansa — in what's being called the largest-ever international operation against the dark web's black market conducted by the FBI, DEA and Dutch National Police.

Interestingly, the federal authorities shut down AlphaBay, but before taking down Hansa market, they took control of the Dark Web market and kept it running for at least a month in an effort to monitor the activities of its visitors, including a massive flood of Alphabay refugees.

After the shutdown of both AlphaBay and Hansa, Dream Market has emerged as the leading player, which has been in business since 2013, but it has now been speculated by many dark web users that Dream Market is also under police control.

For detailed information — Read more.

2. New Ransomware Threatens to Send Your Internet History to All Your Friends

After WannaCry and Petya ransomware outbreaks, a new strain of ransomware has been making the rounds on the Google Play Store in bogus apps, which targets Android mobile phone users.

Dubbed LeakerLocker, instead of encrypting files on your device, this Android ransomware secretly collects personal images, messages and browsing history and then threatens to share them with your contacts if you don't pay $50 (£38).

For more detailed information on the LeakerLocker ransomware — Read more.

3. New CIA Leaks — Smartphone Hacking and Malware Development

WikiLeaks last week published the 16th batch of its ongoing Vault 7 leak, revealing the CIA's Highrise Project that allowed the spying agency to stealthy collect and forwards stolen data from compromised smartphones to its server through SMS messages.

This week, the whistleblowing organisation revealed about a CIA contractor — Raytheon Blackbird Technologies — who was responsible for analysing advanced malware and hacking techniques being used in the wild by cyber criminals.

For more detailed information on Highrise Project and its contractor Raytheon Blackbird Technologies — Read More.

4. Three Back-to-Back Multi-Million Dollar Ethereum Heist in 20 Days

This week, an unknown hacker stole nearly $32 Million worth of Ethereum – one of the most popular and increasingly valuable cryptocurrencies – from wallet accounts linked to at least three companies by exploiting a critical vulnerability in Parity's Ethereum Wallet software.

This was the third Ethereum cryptocurrency heist that came out two days after an alleged hacker stole $7.4 Million worth of Ether from trading platform CoinDash and two weeks after someone hacked into South Korean cryptocurrency exchange and stole more than $1 Million in Ether and Bitcoins from user accounts.

For more detailed information about the Ethereum Heist — Read More.

5. Critical Gnome Flaw Leaves Linux PCs Vulnerable

This week has been bad for Linux users as well. A security researcher discovered a code injection vulnerability in the thumbnail handler component of GNOME Files file manager that allowed hackers to execute malicious code on targeted Linux machines.

German researcher Nils Dagsson Moskopp dubbed the vulnerability Bad Taste (CVE-2017-11421) and also released proof-of-concept (PoC) code on his blog to demonstrate the vulnerability.

For more details about the Bad Taste vulnerability and its PoC — Read More.

6. New Malware Exploits SambaCry to Hijack NAS Devices

Despite being patched in late May, the SambaCry vulnerability is currently being leveraged by a new piece of malware to target the Internet of Things (IoT) devices, particularly Network Attached Storage (NAS) appliances.

SambaCry is a 7-year-old critical remote code execution (RCE) vulnerability (CVE-2017-7494) in Samba networking software that could allow a hacker to remotely take full control of a vulnerable Linux and Unix machines.

The flaw was discovered and patched two months ago, but researchers at Trend Micro warned that the flaw had been actively exploited by the SHELLBIND malware that mostly targets NAS devices used by small and medium-size businesses.

For more detailed information on the SHELLBIND malware — Read More.

7. Devil's Ivy — Millions of Internet-Connected Devices At Risk

This week, researchers at the IoT-focused security firm Senrio discovered a critical remotely exploitable vulnerability in an open-source software development library used by major IoT manufacturers that eventually left millions of smart devices vulnerable to hacking.

Dubbed Devil's Ivy, the vulnerability (CVE-2017-9765) in the gSOAP toolkit (Simple Object Access Protocol) — an advanced C/C++ auto-coding tool for developing XML Web services and XML application.

The researchers also released proof-of-concept (PoC) video demonstrating the RCE on a security camera manufactured by Axis Communications.

For more detailed information on the Devil's Ivy and PoC video — Read More.

8. “Ubuntu Linux for Windows 10 Released” — Sounds So Weird?

Downloading an entire operating system has just become as easy as downloading an application for Windows 10 users, as Microsoft last week announced the availability of popular Linux distro 'Ubuntu' in the Windows App Store.

While the company announced its plans to launch Fedora and SUSE Linux as well on Windows Store, the company did not reveal exactly when its users can expect to see these two flavours of Linux distro on the App Store.

For detailed information on how to install and run Ubuntu on Windows 10 — Read More.

9. Over 70,000 Memcached Servers Vulnerable to Hacking

It's been almost eight months since the Memcached developers have patched several critical remote code execution (RCE) vulnerabilities in the software, but tens of thousands of servers running Memcached application are still vulnerable.

Cisco's Talos intelligence and research group last year discovered three critical RCE vulnerabilities in Memcached — a moderhttp://thehackernews.com/2017/07/segway-hoverboard-hacking.htmln open-source and easily deployable distributed caching system that allows objects to be stored in memory.

The vulnerability exposed major websites including Facebook, Twitter, YouTube, Reddit, to hackers, but the team of researchers scanned the internet on two different occasions and found that over 70,000 servers are still vulnerable to the attacks, including ransomware attacks similar to the one that hit MongoDB databases in late December.

For more in-depth information on the Memcached vulnerabilities — Read More.

10. Tor Launches Bug Bounty Program for Public

After its intention to launch a public bug bounty program in late December 2015, the Tor Project has finally launched a "Bug Bounty Program," encouraging hackers and security researchers to find and privately report bugs that could compromise the anonymity network.

The bug bounty reports will be sent through HackerOne — a startup that operates bug bounty programs for companies including Yahoo, Twitter, Slack, Dropbox, Uber, General Motors – and even the U.S. Department of Defense for Hack the Pentagon initiative.

For detailed information on bug bounty prices and types of valid vulnerabilities — Read More.

Other Important News This Week

Besides these, there were lots of incidents happened this week, including:

• Microsoft's smart move to help take down cyber espionage campaigns conducted by "Fancy Bear" hacking group.
• A new credential stealing malware found being sold for as cheap as $7 on underground forums.
• Cisco patched a highly critical RCE vulnerability in its WebEx browser extension for Chrome and Firefox, which could allow attackers to execute malicious code on a victim's computer remotely.
• Windows 10 now let you Reset forgotten password directly from your computer's Lock Screen.
• Several critical vulnerabilities in Segway Ninebot miniPRO could allow hackers to remotely take "full control" over the hoverboard within range and leave riders out-of-control.
• Ashley Madison's parent company Ruby Corp has agreed to pay a total of $11.2 Million to roughly 37 million users whose personal details were exposed in a massive data breach two years ago.

By now you might be aware of the took down of two of the largest online dark websites—AlphaBay and Hansa—in what's being called the largest-ever international operation against the dark web's black market conducted by the FBI, DEA (Drug Enforcement Agency) and Dutch National Police.

But the interesting aspect of the takedown was that the federal authorities shut down AlphaBay, but took control of the Hansa market and kept it running for at least a month in an effort to monitor the activities of its visitors.

The visitors of Hansa market also included a massive flood of Alphabay refugees, as the seizer of AlphaBay Market forced their visitors to join the Hansa market for illegal trading and purchasing.

However, not just Hansa, after AlphaBay's shutdown, many of its users also joined another website known as Dream Market, which is believed to be the second-largest dark web marketplace, ahead of Hansa.

After the shutdown of both AlphaBay and Hansa, Dream Market has emerged as the leading player, but now some Reddit users on several "r/Dream_Market" threads have expressed concerns about the Dream Market, which has been in business since 2013.

One Reddit user said that Dream Market has been compromised in a similar manner as Hansa and is already under police control.

"I got contacted by an ex-Hansa staff member telling me that the operation is apparently bigger than we currently assume, that 'there will be a bloodbath, a purge' and that 'any vendor on HANSA should immediately seize his operation, lawyer up and hide his trails'," the Reddit user post read.

Possibly the Real IP of Dream Market "Mistakenly" Exposed

Another Redditor claimed to have discovered a non-encrypted IP address in Dream Market’s source code, saying that police might have taken over control of the dark market as well and are now actively monitoring its visitors.

"We found a clear address IP on the javascript source code of the market. The police must know it from a long time. GO AWAY FROM HERE RIGHT NOW !!!," the Redditor wrote along with a piece of Site's Source Code.

After exploring a bit, I found that the clearnet IP address 194.9.94.82 mentioned in the JavaScript file (lchudifyeqm4ldjj.onion/market.js) is owned by "Loopia AB," a Swedish hosting company.

This JavaScript file has not been added or altered recently, as according to some moderators, the file has been there from at least past 9 months, and the code itself doesn’t indicate any signs of hijack or interception.

However, here's the big blunder — Exposure of the possible real IP address of the server, which is supposed to be hidden behind the Tor Onion Router, is one of the biggest mistakes Dream Market operators might have made that could have already given an opportunity to law enforcement agencies to raid the hosting company and take control of the servers.

While the claims that Dream Market is under police control are yet to be verified, vendors who joined Dream Market may still be compromised by law enforcement.

Meanwhile, some anonymous users on Reddit are also encouraging dark web users to visit Dream Market, saying "CALM DOWN! DREAM IS WORKING FINE!"

Benefitted from the shutdown of its rivals, Dream Market had 57,000 listings for drugs and 4,000 listings for opioids on Thursday.

What could be the best way to take over and disrupt cyber espionage campaigns?

Hacking them back?

Probably not. At least not when it's Microsoft, who is continuously trying to protect its users from hackers, cyber criminals and state-sponsored groups.

It has now been revealed that Microsoft has taken a different approach to disrupt a large number of cyber espionage campaigns conducted by "Fancy Bear" hacking group by using the lawsuit as a tool — the tech company cleverly hijacked some of its servers with the help of law.

Microsoft used its legal team last year to sue Fancy Bear in a federal court outside Washington DC, accusing the hacking group of computer intrusion, cybersquatting, and reserving several domain names that violate Microsoft's trademarks, according to a detailed report published by the Daily Beast.

Fancy Bear — also known as APT28, Sofacy, Sednit, and Pawn Storm — is a sophisticated hacking group that has been in operation since at least 2007 and has also been accused of hacking the Democratic National Committee (DNC) and Clinton Campaign in an attempt to influence the U.S. presidential election.

The hacking group is believed to be associated with the GRU (General Staff Main Intelligence Directorate), Russian secret military intelligence agency, though Microsoft has not mentioned any connection between Fancy Bear and the Russian government in its lawsuit.

Instead of registering generic domains for its cyber espionage operations, Fancy Bear often picked domain names that look-alike Microsoft products and services, such as livemicrosoft[.]net and rsshotmail[.]com, in order to carry out its hacking and cyber espionage campaigns.

This inadvertently gave Microsoft an opportunity to drag the hacking group with "unknown members" into the court of justice.

Microsoft Sinkholed Fancy Bear Domains

The purpose of the lawsuit was not to bring the criminal group to the court; instead, Microsoft appealed to the court to gain the ownership of Fancy Bear domains — many of which act as command-and-control servers for various malware distributed by the group.

"These servers can be thought of as the spymasters in Russia's cyber espionage, waiting patiently for contact from their malware agents in the field, then issuing encrypted instructions and accepting stolen documents," the report reads.

Although Microsoft did not get the full-ownership of those domains yet, the judge last year issued a then-sealed order to domain name registrars "compelling them to alter" the DNS of at least 70 Fancy Bear domains and pointing them to Microsoft-controlled servers.

Eventually, Microsoft used the lawsuit as a tool to create sinkhole domains, allowing the company's Digital Crimes Unit to actively monitor the malware infrastructures and identify potential victims.

"By analyzing the traffic coming to its sinkhole, the company’s security experts have identified 122 new cyber espionage victims, whom it’s been alerting through Internet service providers," the report reads.

Microsoft has appealed and is still waiting for a final default judgment against Fancy Bear, for which the hearing has been scheduled on Friday in Virginia court.

How to become a Professional Hacker? This is one of the most frequently asked queries we came across on a daily basis. Do you also want to learn real-world hacking techniques but don’t know where [...]

With the growing number of cyber attacks and breaches, a significant number of companies and organisations have started Bug Bounty programs for encouraging hackers, bug hunters and researchers to find and responsibly report bugs in their services and get rewarded.

Following major companies and organisations, the non-profit group behind Tor Project – the largest online anonymity network that allows people to hide their real identity online – has finally launched a "Bug Bounty Program."

The Tor Project announced on Thursday that it joined hands with HackerOne to start a public bug bounty program to encourage hackers and security researchers to find and privately report vulnerabilities that could compromise the anonymity network.

HackerOne is a bug bounty startup that operates bug bounty programs for companies including Yahoo, Twitter, Slack, Dropbox, Uber, General Motors – and even the United States Department of Defense for Hack the Pentagon initiative.

Bug bounty programs are cash rewards gave by companies or organisations to white hat hackers and researchers who hunt for serious security vulnerabilities in their website or products and then responsibly disclose them.

The Tor Project announced its intention to launch a public bug bounty program in late December 2015 during a talk by the Tor Project at Chaos Communication Congress (CCC) held in Hamburg, Germany. However, it launched the invite-only bounty program last year.

The highest payout for the flaws has been kept $4,000 — bug hunters can earn between $2,000 and $4,000 for High severity vulnerabilities, between $500 and $2,000 for Medium severity vulnerabilities, and a minimum of $100 for Low severity bugs.

Moreover, less severe issues will be rewarded with a t-shirt, stickers and a mention in Tor's hall of fame.

"Tor users around the globe, including human rights defenders, activists, lawyers, and researchers, rely on the safety and security of our software to be anonymous online," Tor browser developer Georg Koppen said in a blog post. "Help us protect them and keep them safe from surveillance, tracking, and attacks."

The Tor Project is a non-profit organisation behind the Tor anonymizing network that allows any online user to browse the Internet without the fear of being tracked.

The Project first announced its plan to launch the bug bounty program weeks after it accused the FBI of paying the researchers of Carnegie Mellon University (CMU) at least $1 Million to help them Unmask Tor users and reveal their IP addresses, though FBI denies the claims.

It's finally confirmed — In a coordinated International operation, Europol along with FBI, DEA (Drug Enforcement Agency) and Dutch National Police have seized and taken down AlphaBay, one of the largest criminal marketplaces on the Dark Web.

But not just AlphaBay, the law enforcement agencies have also seized another illegal dark web market called HANSA, Europol confirmed in a press release today.

According to Europol, both underground criminal markets are "responsible for the trading of over 350,000 illicit commodities including drugs, firearms and cybercrime malware."

On July 4th, AlphaBay suddenly went down without any explanation from its administrators, which left its customers in panic. Some of them even suspected that the website's admins had pulled an exit scam and stole user funds.

However, last week it was reported that the mysterious shut down of the dark web marketplace was due to a series of raids conducted by the international authorities.

The raid also resulted in the arrest of Alexandre Cazes, a 26-year-old Canadian citizen who was one of the alleged AlphaBay's operators and was awaiting extradition to the US when a guard found him hanged in his jail cell the next day.

Now, Europol just announced that two of the largest criminal Dark Web markets—AlphaBay and Hansa— have shut down by the authorities, as the infrastructure "responsible for the trading of over 350 000 illicit commodities including drugs, firearms and cybercrime malware."

"This is an outstanding success by authorities in Europe and the US. The capability of drug traffickers and other serious criminals around the world has taken a serious hit today after a highly sophisticated joint action in multiple countries," Rob Wainwright, Europol Executive Director said. 

"By acting together on a global basis the law enforcement community has sent a clear message that we have the means to identify criminality and strike back, even in areas of the Dark Web. There are more of these operations to come."

Feds Covertly Monitored Activities of Criminals Hansa Market 

This is what made the operation more interesting.

The federal authorities revealed that they secretly took control over the Hansa market on 20th June 2017 and kept it running for at least a month in an effort to monitor the activities of vendors and buyers without their knowledge.

And here's the Icing on the cake — During the same period federal authorities purposely only took down AlphaBay, forcing their users to join the Hansa market for illegal trading and purchasing.

"We could identify and disrupt the regular criminal activity that was happening on Hansa market but also sweep up all of those new users that were displaced from AlphaBay and looking for a new trading platform for their ciminal activities," Rod Jay Rosenstein, the Deputy Attorney General for the DoJ, said today in a live press conference in Washington DC.

How One Simple Mistake Revealed AlphaBay Operator’s Identity

Cazes made the same mistake that most cyber criminals do which revealed his real identity and led to his arrest. He was using his personal email (Pimp_Alex_91@hotmail.com) to send out welcome & support emails to all members of his AlphaBay websites.


The feds learned that the email address belonged to a Canadian man named Alexandre Cazes with the birth date October 19, 1991, and was working as president of a software company called EBX Technologies.

Cazes has been charged with a total of 16 counts, including:

• 1 count of conspiracy to engage in racketeering
• 1 count of conspiracy to distribute narcotics
• 6 counts of distribution of narcotics
• 1 count of conspiracy to commit identity theft
• 4 counts of unlawful transfer of false identification documents
• 1 count of conspiracy to commit access device fraud
• 1 count of trafficking in device making equipment
• 1 count of money laundering conspiracy

"Law enforcement authorities in the United States worked with numerous foreign partners to freeze and preserve millions of dollars’ worth of cryptocurrencies that were the subject of forfeiture counts in the indictment, and that represent the proceeds of the AlphaBay organization’s illegal activities," the DoJ says.

After the disappearance of Silk Road, AlphaBay emerged in 2014 and became a leader among dark web marketplaces for selling illicit goods from drugs to stolen credit card numbers, exploits, and malware.

Prior to its takedown, AlphaBay Market reached more than 200,000 customers and 40,000 vendors, with over 250,000 listings for illegal drugs and over 100,000 stolen and fraudulent identification documents and access devices, malware and other computer hacking tools.

Authorities believed that the dark websites like AlphaBay and Hansa were responsible for lost of many lives in America.

"Today, some of the most prolific drug suppliers use what is called the dark web, which is a collection of hidden websites that you can only access if you mask your identity and your location," Rosenstein said.

"One victim was just 18 years old when in February she overdosed on a powerful synthetic opioid which she had bought on AlphaBay. Grant Siever, only 13 years of age, a student at Treasure Mountain Junior High School, Utah, Park City. When he passed away, after overdosing on a synthetic opioid that had been purchased by a classmate on AlphaBay."

Like AlphaBay, Silk Road, the largest Dark Web market at that time, was also shut down after the law enforcement raided its servers in 2013 and arrested its founder Ross William Ulbricht, who has been sentenced to life in prison.

The feds also seized Bitcoins (worth $33.6 million, at that time) from the dark web site. Those Bitcoins were later sold in a series of auctions by the United States Marshals Service (USMS).

A security researcher has discovered a code injection vulnerability in the thumbnail handler component of GNOME Files file manager that could allow hackers to execute malicious code on targeted Linux machines.

Dubbed Bad Taste, the vulnerability (CVE-2017-11421) was discovered by German researcher Nils Dagsson Moskopp, who also released proof-of-concept code on his blog to demonstrate the vulnerability.

The code injection vulnerability resides in "gnome-exe-thumbnailer" — a tool to generate thumbnails from Windows executable files (.exe/.msi/.dll/.lnk) for GNOME, which requires users to have Wine application installed on their systems to open it.

Those who are unaware, Wine is a free and open-source software that allows Windows applications to run on the Linux operating system.

Moskopp discovered that while navigating to a directory containing the .msi file, GNOME Files takes the filename as an executable input and run it in order to create an image thumbnail.

For successful exploitation of the vulnerability, an attacker can send a crafted Windows installer (MSI) file with malicious VBScript code in its filename, which if downloaded on a vulnerable system would compromise the machine without further user interaction.

"Instead of parsing an MSI file to get its version number, this code creates a script containing the filename for which a thumbnail should be shown and executes that using Wine," Moskopp explains while demonstrating his PoC. 

"The script is constructed using a template, which makes it possible to embed VBScript in a filename and trigger its execution."

The flaw can be exploited by potential hackers using other attack vectors as well, for example, by directly inserting a USB-drive with a malicious file stored on it, or delivering the malicious file via drive-by-downloads.

How to Protect Yourself from Bad Taste

Moskopp reported the vulnerability to the GNOME Project and the Debian Project. Both of them patched the vulnerability in the gnome-exe-thumbnailer file.

The vulnerability affects gnome-exe-thumbnailer before 0.9.5 version. So, if you run a Linux OS with the GNOME desktop, check for updates immediately before you become affected by this critical vulnerability.

Meanwhile, Moskopp also advised users to:

• Delete all files in /usr/share/thumbnailers.
• Do not use GNOME Files.
• Uninstall any software that facilitates automatically execution of filenames as code.

Moskopp also advised developers to not use "bug-ridden ad-hoc parsers" to parse files, to "fully recognise inputs before processing them," and to use unparsers, instead of templates.

Good news for you is that this week's THN Deals brings Ethical Hacking A to Z Bundle that let you get started regardless of your experience level.

An unknown hacker has just stolen nearly $32 million worth of Ethereum – one of the most popular and increasingly valuable cryptocurrencies – from Ethereum wallet accounts linked to at least three companies that seem to have been hacked.

This is the third Ethereum cryptocurrency heist that came out two days after an alleged hacker stole $7.4 million worth of Ether from trading platform CoinDash, and two weeks after an unknown attacker hacked into South Korean cryptocurrency exchange Bithumb and stole more than $1 Million in Ether and Bitcoins from user accounts.

On Wednesday, Smart contract coding company Parity issued a security alert, warning of a critical vulnerability in Parity's Ethereum Wallet software, which is described as "the fastest and most secure way of interacting with the Ethereum network."

Exploiting the vulnerability allowed attackers to compromise at least three accounts and steal nearly 153,000 units of Ether worth just almost US$32 million at the current price.
The attack started late Tuesday and continued on Wednesday, resulting in a total of three transactions, which can be seen on Etherscan.io. The three victims of the attack identified are:

• Swarm City
• æternity blockchain
• Edgeless Casino

Parity says the vulnerability affected the contract used to create multi-signature Ethereum wallets in Parity version 1.5 or later, warning its users to move their Ether from their in-browser wallets to more secure accounts immediately.

White Hat Hackers Group Holds $75 Million Worth of Ethereum

Yes, 377,000 more Ether worth over $75 Million were also drained by white hat hackers.

As the attack began, a group of white hat hackers used the same exploit to drain approximately 377,000 Ether from other vulnerable wallets into holding accounts in order to protect them from black hat hackers, Coindesk reports.

The Whitehats are currently holding the rescued funds and has promised to return the funds to their owners once this security threat passed.

"The White Hat Group were made aware of a vulnerability in a specific version of a commonly used multisig contract. This vulnerability was trivial to execute, so they took the necessary action to drain every vulnerable multisig they could find as quickly as possible," White Hats wrote on Reddit. 

"We will be creating another multisig for you that has the same settings as your old multisig but with the vulnerability removed and we will return your funds to you there."

The company has just released an updated version of the Parity software fixing the vulnerability.