The TeamTNT hacking group has upped its game with a set of tools allowing it to indiscriminately target multiple operating systems. 

On Wednesday, cybersecurity researchers from AT&T Alien Labs published a report on a new campaign, dubbed Chimaera, that is thought to have begun on July 25, 2021 — based on command-and-control (C2) server logs — and one that has revealed an increased reliance on open source tools by the threat group.  TeamTNT was first spotted last year and was connected to the installation of cryptocurrency mining malware on vulnerable Docker containers. Trend Micro has also found that the group attempts to steal AWS credentials to propagate on more servers, and Cado Security contributed the more recent discovery of TeamTNT targeting Kubernetes installations. Now, Alien Labs says the group is targeting Windows, AWS, Docker, Kubernetes, and various Linux installations, including Alpine. Despite the short time period, the latest campaign is responsible for “thousands of infections globally,” the researchers say.TeamTNT’s portfolio of open source tools includes the port scanner Masscan, libprocesshider software for executing the TeamTNT bot from memory, 7z for file decompression, the b374k shell php panel for system control, and Lazagne. Lazagne is an open source project that lists browsers including Chrome and Firefox, as well as Wi-Fi, OpenSSH, and various database programs as supported for password retrieval and credential storage. Palo Alto Networks has also discovered that the group is using Peirates, a cloud penetration testing toolset to target cloud-based apps.

“The use of open-source tools like Lazagne allows TeamTNT to stay below the radar for a while, making it more difficult for antivirus companies to detect,” the company says. While now self-armed with the kit necessary to strike a wide variety of operating systems, TeamTNT still focuses on cryptocurrency mining.  Windows systems, for example, are targeted with the Xmrig miner. A service is created and a batch file is added to the startup folder to maintain persistence — whereas a root payload component is used on vulnerable Kubernetes systems.  Alien Labs says that as of August 30, a number of malware samples still have low detection rates.  Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

Apple’s latest lineup of iPhone has arrived: On Wednesday at an Apple Event in Cupertino, the company unveiled the iPhone 17, iPhone 17 Pro, iPhone 17 Pro Max, and the iPhone 17 Air — a brand new model and the thinnest iPhone ever made. The new phones feature the A19 chipset (and for the iPhone 17 Air, a new N1 chip), and, for the first time, a 120Hz ProMotion display, with a new camera module for the iPhone 17 Pro models. If you’re looking to upgrade, you can preorder the iPhone 17 from Apple More

The Federal Trade Commission’s (FTC’s) latest “data spotlight” release shows $148 million in gift card payment scams have been recorded for the first nine months of 2021. This growing trend exceeds the total number and dollar amount of similar scams logged by the agency throughout the entirety of 2020. This type of scam involves a malicious party convincing the target that they are required to provide some form or payment to settle a debt. The grift usually comes with threats of legal action, wage garnishment, or jail time, should they not comply with the request of the fictitious company or government agency the caller claims to be representing. Also: Log4j zero-day flaw: What you need to know and how to protect yourselfIn reality, these criminal actions are a way for unscrupulous individuals or criminal rings to secure gift card codes they can use illicitly or resell through online black markets for profit. The data spotlight shows more than 40,000 consumers were impacted by these scams during the first three quarters of 2021, with the practice peaking at $51 million and 14,000 reports during Q1 alone. Median losses for each of the incidents rose as well, from $700 in 2018 to $1,000 in 2021. Much larger thefts of $5,000 or more resulting from gift card scams also now represent more than 8% of reports, showing these thieves are becoming more brazen. The most popular gift card to request among scammers, by far, is one for Target stores. These represented $35 million in scam sales between January and September 2021. Google Play was a distant second at $17 million, followed by Apple ($16 million), eBay ($10 million), and Walmart ($6 million). Interestingly, even if the caller was directed to purchase a gift card for another retailer, Target was the most popular store to suggest victims use for their purchase. Walmart, Best Buy, CVS, and Walgreens were all also popular with scammers, the FTC said. 

If all of these facts weren’t unsettling enough, the agency noted that some scammers even groom their victims to avoid detection. The FTC has evidence of criminals instructing victims to visit multiple stores to avoid suspicion by making several smaller purchases, with some even providing coaching on what to tell cashiers that ask questions about their orders. The FTC once again urged consumers to immediately hang up on any caller that claims to be attempting to collect a debt via gift card. Just in case it needs to be said again, no government agency or commercial entity of any kind will actually attempt to collect a debt from you via gift card, ever. The Federal Trade Commission suggests that anyone that believes they may have been targeted by a scammer visit its informational site on gift card scams while also reporting the incident to its fraud division.  More

Getty Images/iStockphoto

A hacker claims to have breached the backend servers belonging to a US cyber-security firm and stolen information from the company’s “data leak detection” service.
The hacker says the stolen data includes more than 8,200 databases containing the information of billions of users that leaked from other companies during past security breaches.
The databases have been collected inside DataViper, a data leak monitoring service managed by Vinny Troia, the security researcher behind Night Lion Security, a US-based cyber-security firm.
A data leak monitoring service is a common type of service offered by cyber-security firms. Security companies scan the dark web, hacking forums, paste sites, and other locations to collect information about companies that had their data leaked online.
They compile “hacked databases” inside private backends to allow customers to search the data and monitor when employee credentials leak online, when the companies, themselves, suffer a security breach.
The DataViper hack

Earlier today, a hacker going by the name of NightLion (the name of Troia’s company), emailed tens of cyber-security reporters a link to a dark web portal where they published information about the hack.

Image: ZDNet
The site contains an e-zine (electronic magazine) detailing the intrusion into DataViper’s backend servers. The hacker claims to have spent three months inside DataViper servers while exfiltrating databases that Troia had indexed for the DataViper data leak monitoring service.
The hacker also posted the full list of 8,225 databases that Troia managed to index inside the DataViper service, a list of 482 downloadable JSON files containing samples from the data they claim to have stoled from the DataViper servers, and proof that they had access to DataViper’s backend.
Furthermore, the hacker also posted ads on the Empire dark web marketplace where they put up for sale 50 of the biggest databases that they found inside DataViper’s backend.

Image: ZDNet
Most of the 8,200+ databases listed by the hacker were for “old breaches” that originated from intrusions that took place years before, and which had been known and leaked online already, in several locations.
However, there were also some new databases that ZDNet was not able to link to publicly disclosed security breaches. ZDNet will not be detailing these companies and their breaches, as we have requested additional details from the hacker, and are still in the process of verifying their claims.
Troia: Hacker breached a test server
In a phone call today with ZDNet, Troia admitted that the hacker gained access to one of the DataViper servers; however, the Night Lion Security founder said the server was merely a test instance.
Troia told ZDNet that he believes the hacker is actually selling their own databases, rather than any information they stole from his server.
The security researcher said this data had been public for many years, or, in some cases, Troia obtained it from the same communities of hackers in which the leaker is also part of.
Troia told ZDNet that he believes the leaker is associated with several hacking groups such as TheDarkOverlord, ShinyHunters, and GnosticPlayers.
All the groups have a prolific hacking history, are responsible for hundreds of breaches, some of which Troia indexed in his DataViper database.
Furthermore, Troia also documented the activities of some of these groups in a book he published this spring. The DataViper founder says today’s leak was timed to damage his reputation before a talk he’s scheduled to give on Wednesday at the SecureWorld security conference about some of the very same hackers, and their supposed real-world identities.
Troia’s full statement is below:

“When people think they are above the law, they get sloppy. So much so they forget to look at their own historical mistakes. I literally detailed an entire scenario in my book where I allowed them to gain access to my web server in order to get their IPs. They haven’t learned. All they had access to was a dev environment. Much like the grey Microsoft hack which they recently took credit for, all they had was some source code that turned out to be nothing special, but they hyped it anyway hoping to get people’s attention. These are the actions of scared little boys pushed up against a wall facing the loss of their freedom.”

Additional reporting will follow throughout the week as ZDNet goes through the leaked data. More

Microsoft has outlined several mitigations to protect against attacks on multi-factor authentication that will unfortunately make life more difficult for your remote workers.  Three years ago, attacks on multi-factor authentication (MFA) were so rare that Microsoft didn’t have decent statistics on them, largely because few organisations had enabled MFA.    But with MFA use rising […] More