The Hacker News — Cyber Security, Hacking, Technology News

The cyber criminals behind the global WannaCry ransomware attack that caused chaos worldwide have finally cashed out their ransom payments.

Nearly three months ago, the WannaCry ransomware shut down hospitals, telecom providers, and many businesses worldwide, infecting hundreds of thousands of computers in more than 150 countries, encrypting files and then charging victims $300-$600 for the keys.

WannaCry was really bad, as the nasty ransomware forced the British NHS (National Health Service) to shut down hospitals and doctor's surgeries, and infected a Spanish telecommunications company and Russian mobile operator, among much more.

Even a month after the outbreak, the WannaCry ransomware was found infecting systems at Honda Motor Company, forcing the factory to shut down its production, and 55 speed and traffic light cameras in Victoria, Australia.

Overall, the hackers behind WannaCry made $140,000 in Bitcoins from the victims who paid for the decryption keys—but for almost three months, they did not touch three of their wallets where victims were instructed to send ransom payments.

However, the WannaCry hackers started cashing out their cryptocurrencies on Wednesday night.

According to a Twitter bot tracking WannaCry ransom payments, only 338 victims paid the $300 in Bitcoin that totalled $140,000.

On Wednesday night, this money was withdrawn in 7 different payments within 15 minutes, although it is not clear where the money is being sent, or how the attacker will use it.

If you are unaware, we recently reported about Google's research on how cyber criminals and ransomware hackers cash out their stolen or looted cryptocurrencies via cryptocurrency exchanges that are involved in money laundering.

Last week, even German authorities arrested an alleged operator of the popular BTC-e Bitcoin exchange on charges of laundering over $4 billion in Bitcoin for culprits involved in hacking attacks, tax fraud and drug trafficking without identifying them.

The identity behind the WannaCry ransomware is still unknown, though some researchers traced back WannaCry to a state-sponsored hacking group called Lazarus in North Korea, while other believed the perpetrators might be Chinese.

The WannaCry epidemic was using self-spreading capabilities by leveraging leaked NSA's SMBv1 exploit, called EternalBlue, to infect vulnerable Windows computers, particularly those using older versions of the operating system.

While most of the affected organisations have now returned to normal, law enforcement agencies across the world are still on the hunt.

WikiLeaks published hundreds of more files from the Vault 7 series today which, it claims, show how CIA can mask its hacking attacks to make it look like it came from other countries, including Russia, China, North Korea and Iran.

Dubbed "Marble," the part 3 of CIA files contains 676 source code files of a secret anti-forensic Marble Framework, which is basically an obfuscator or a packer used to hide the true source of CIA malware.

The CIA's Marble Framework tool includes a variety of different algorithm with foreign language text intentionally inserted into the malware source code to fool security analysts and falsely attribute attacks to the wrong nation.

The leaked files indicate that the Marble's source code includes Chinese, Russian, Korean, Arabic and Farsi languages, as well as English, which shows that the CIA has engaged in clever hacking games.

"Marble is used to hamper[ing] forensic investigators and anti-virus companies from attributing viruses, trojans and hacking attacks to the CIA," says the whistleblowing site.

"...for example by pretending that the spoken language of the malware creator was not American English, but Chinese, but then showing attempts to conceal the use of Chinese, drawing forensic investigators even more strongly to the wrong conclusion," WikiLeaks explains.

The released source code archive also contains a deobfuscator to reverse CIA text obfuscation.
Since the Marble framework has now been made public, forensic investigators and anti-virus firms would be able to connect patterns and missing dots in order to reveal wrongly attributed previous cyber attacks and viruses.

So far, Wikileaks has revealed the "Year Zero" batch which uncovered CIA hacking exploits for and security bugs in popular hardware and software, and the "Dark Matter" batch which focused on exploits and hacking techniques the agency designed to target iPhones and Macs.

While WikiLeaks suggests that Marble was in use as recently as 2016, the organization does not provide any evidence to back this claim. Experts are still analyzing the Marble release, so there's no need to get too excited at this moment.

The White House has condemned the revelations made by Wikileaks, saying that those responsible for leaking classified information from the agency should be held accountable by the law.

The company that sells digital forensics and mobile hacking tools to others has itself been hacked.

Israeli firm Cellebrite, the popular company that provides digital forensics tools and software to help law enforcement access mobile phones in investigations, has had 900 GB of its data stolen by an unknown hacker.

But the hacker has not yet publicly released anything from the stolen data archive, which includes its customer information, user databases, and a massive amount of technical data regarding its hacking tools and products.

Instead, attackers are looking for possible opportunities to sell the access to Cellebrite system and data on a few selected IRC chat rooms, the hacker told Joseph Cox, contributor at Motherboard, who was contacted by the hacker and received a copy of the stolen data.

Meanwhile, Cellebrite also admitted that it recently experienced "unauthorized access to an external web server," and said that it is "conducting an investigation to determine the extent of the breach. The impacted server included a legacy database backup of my.Cellebrite, the company's end user license management system."

The 900 GB of stolen archive also includes login data (usernames and passwords) of Cellebrite customers, which suggests that it has been taken from the web servers related to Cellebrite's site.

The dump also contains "evidence files from seized mobile phones, and logs from Cellebrite devices," as well as it appears that company has sold phone hacking tools to repressive regimes, such as Turkey, the United Arab Emirates, and Russia.

On the other hand, the hacker did not clearly state the actual extent of what he/she had done to Cellebrite's systems.

"I can't say too much about what has been done," the hacker told Motherboard. "It's one thing to slap them, it's a very different thing to take pictures of [their] balls hanging out."

Cellebrite is known for its powerful hacking tool Universal Forensic Extraction Device (UFED) that help investigators bypass the security mechanisms of mobile phones, especially iPhones, and extract all data, including SMS messages, emails, call logs and passwords from them.

Just a few months back, Cellebrite's most sensitive in-house capabilities were made public by one of its products' resellers, who distributed copies of Cellebrite's firmware and software for anyone to download.

It's a Fact! No matter how smart the criminals are, they always leave some trace behind.

Two Harvard students have unmasked around 229 drug and weapon dealers with the help of pictures taken by criminals and used in advertisements placed on dark web markets.

Do you know each image contains a range of additional hidden data stored within it that can be a treasure to the investigators fighting criminals?

Yeah it's true — "A picture is worth a thousand words."

Digital images come with basic metadata, as well as EXIF data that contains information about the device with which it was taken.

EXIF, stands for "Exchangeable Image File Format," may contain image dimensions, date and time (when it was originally taken and modified), the model of camera and its settings, information about the software used for editing, it’s creator and copyright information, as well as GPS co-ordinates of the location where the photo was taken.

If a criminal, let’s say a kidnapper, has taken a photo or video of their captive from a GPS enabled phone or camera and send it as proof of life to victim’s family for ransom, the police would be able to trace back the kidnapper to the exact location where photo was taken.
This is exactly what happened in the latest case when Harvard students, Paul Lisker and Michael Rose, collected more than 223,471 unique images from the underground illegal markets and found 229 images with geolocation data.

"In our investigation, we searched for the presence of these geotags in the images of items for sale on darknet market sites," the pair say in a blog post. "Using Python and bash scripts, we checked each image's EXIF data for longitude [and] latitude data, saving the coordinates for each geotagged photo and its file path to a text file."

The duo found 229 images that contained unique GPS coordinates which, unless spoofed, can be used by investigators to locate the places where the photos were taken within the range of two kilometers.

Remember, an anonymous hacker who was arrested by the FBI in 2012 after he posted a picture of his girlfriend's breasts online?

Higinio O. Ochoa III, a.k.a Anonw0rmer, an alleged member of Anonymous-linked CabinCr3w hacking team, who was responsible for hacking into the United States law enforcement agencies and releasing the personal information including phone numbers and home addresses of police officers.

He took picture of his girlfriend's boobs using his iPhone and posted it on Twitter without realizing the picture contained GPS data pointing directly to his house in Melbourne, Australia.

While the majority of metadata in photos is harmless, but removing EXIF data, especially geo-coordinates, is a smart idea, if you are privacy-conscious.

THN Deals Store this week brings you the Cybersecurity Certification Mega Bundle, which will walk you through the skills and concepts you need to master three elite cybersecurity certification exams: CISA, CISM, and CISSP [...]

FBI to Apple: We'll Unlock iPhone by Our Own

"On Sunday, March 20, 2016, an outside party demonstrated to the FBI a possible method for unlocking Farook's iPhone," the motion reads.
"Testing is required to determine whether it is a [feasible] method that'll not compromise data on Farook's iPhone. If the method is viable, it should eliminate the need for the assistance from Apple set forth in the All Writs Act Order in this case."

FBI Wants Encryption Backdoor to Unlock More iPhones

1. If you copy the hard drive, all the data from the iPhone will remain scrambled, which will be of no use.
2. If you enter 10 wrong passwords, the whole iPhone will be wiped off, which means if your method fails, you'll never recover the data from the shooter's iPhone.