More stories

    Data of BuyUcoin cryptocurrency exchange traders allegedly leaked online

    A data breach at the BuyUcoin cryptocurrency exchange has reportedly led to user information becoming leaked underground.

    Names, email addresses, phone numbers, cryptocurrency transaction records, and bank details of users may have been compromised, according to Inc42. The publication estimates that up to 325,000 users are impacted, whereas Bleeping Computer suggests a figure closer to 161,000. 
    The alleged data leak, flagged by researcher Rajshekhar Rajaharia, was posted on a hacking forum and is thought to be the work of ShinyHunters, previously linked to the sale of stolen company databases. 
    In total, the alleged data dump comprises three separate archives, dated June 1, July 14, and September 5, 2020.
    The Indian cryptocurrency exchange has denied the existence of a data breach, classifying reports as a “rumor.”
    In a statement updated on January 21, BuyUcoin said the organization is “thoroughly investigating each and every aspect” of the report. The Indian cryptocurrency exchange added that “all our user’s portfolio assets are safe and sound within a secure environment” and “95% of user funds are kept in cold storage.”
    BuyUcoin did not confirm or deny that a leak had taken place, but did say that there is a planned “overhaul” of cybersecurity processes throughout 2021.

    However, the organization’s original statement, since removed from BuyUcoin’s main blog, said that a “low impact security incident” occurred last year in which “non-sensitive, dummy data” was leaked. 
    The cryptocurrency exchange said that during a “routine testing exercise” with the data, 200 entries were impacted. Furthermore, BuyUcoin claims that “not even a single customer was affected during the incident.”
    “BuyUcoin rejects alleged information in some media reports that the data of 3.5 lakh customers was compromised,” the firm said. “We would like to reiterate the fact that only dummy data of 200 entries were impacted which was immediately recovered and secured by our automated security systems.”
    However, this appears to contradict Rajaharia, who claims that, as a user himself, his own information was involved in the leak. The researcher has called BuyUcoin’s response “irresponsible,” since even if funds are safe, unaware users may still be susceptible to phishing and social engineering scams built on the alleged leak. 
    Last week, Russian cryptocurrency exchange Livecoin closed its doors following an alleged cyberattack. The organization said that its infrastructure and backend systems were compromised, allowing exchange rates to be tampered with; the alleged cybercriminals made off with substantial profits, causing financial damage the exchange says it cannot recover from.
    ZDNet has reached out to BuyUcoin and will update when we hear back.

    DreamBus botnet targets enterprise apps running on Linux servers

    Chances are that if you deploy a Linux server online these days and you leave even the tiniest weakness exposed, a cybercrime group will ensnare it as part of its botnet.

    The latest of these threats is named DreamBus.
    In a report published last week, security firm Zscaler said this new threat is a variant of an older botnet named SystemdMiner, first seen in early 2019.
    But current DreamBus versions have received several improvements compared to initial SystemdMiner sightings [1, 2, 3].
    Currently, the botnet targets enterprise-level apps that run on Linux systems. Targets include a wide collection of apps, such as PostgreSQL, Redis, Hadoop YARN, Apache Spark, HashiCorp Consul, SaltStack, and the SSH service.
    Some of these apps are targeted with brute-force attacks against their default administrator usernames, others with malicious commands sent to exposed API endpoints, or via exploits for older vulnerabilities.
    The idea is to give the DreamBus gang a foothold on a Linux server where they could later download and install an open-source app that mines the Monero (XMR) cryptocurrency to generate profits for the attackers.

    Furthermore, each of the infected servers is also used as a bot in the DreamBus operation to launch further brute-force attacks against other possible targets.
    Zscaler also said that DreamBus employed quite a few measures to prevent easy detection. One of them was that all systems infected with the malware communicated with the botnet’s command and control (C&C) server via the new DNS-over-HTTPS (DoH) protocol. DoH-capable malware is very rare, as it’s complex to set up.

    [1/2] 🆕 Network admins beware, #SystemdMiner is now using DNS over HTTPs to connect to its .onion C2. We uploaded IoCs to VT: Modified UPX -> d5b98358d261730a9a81b480bd94cbc8, Unpacked -> 61d36807f333e9dd01737d74b2724ab9 pic.twitter.com/6wYrQ8a8dZ
    — Intezer (@IntezerLabs) August 3, 2020

    Furthermore, to prevent the C&C server from being taken down, the DreamBus gang hosted it on the Tor network, via a .onion address.
    But despite all these protective measures, Zscaler’s Brett Stone-Gross believes we’re seeing yet another botnet birthed and operated out of Russia, or Eastern Europe.
    “Updates and new commands are issued that typically start around 6:00 a.m. UTC or 9:00 a.m. Moscow Standard Time (MSK) and end approximately at 3:00 p.m. UTC or 6:00 p.m. MSK,” the researcher said.
    But Stone-Gross also warned companies not to take this botnet lightly. The botnet delivers a cryptocurrency miner right now, but the Zscaler researcher believes the operators could easily pivot to more dangerous payloads, such as ransomware, at any time they wanted.

    Tesla sues ex-employee over alleged 'brazen' theft of confidential code, files

    Tesla is suing a former member of staff for allegedly stealing confidential information and attempting to cover his tracks in the aftermath. 

    The lawsuit, filed in the US District Court for the Northern District of California, names Alex Khatilov, a Quality Assurance software engineer, as the alleged perpetrator. 
    According to Tesla’s complaint, only three days after being hired on December 28, 2020, Khatilov “brazenly stole” thousands of files from the automaker’s WARP Drive backend system, as reported by CNBC. 
    The software engineer allegedly stole “scripts” of proprietary software code, related to areas including vehicle development and manufacturing, before transferring them to a personal Dropbox account. 
    “Only a select few Tesla employees even have access to these files; and as a member of that group, Defendant took advantage of that access to downloaded files unrelated to his job,” the complaint reads. 
    The complaint says that the apparent theft was detected on January 6, 2021. Tesla investigators then interviewed Khatilov, who allegedly said that only a “couple [of] personal administrative documents” had been transferred. 
    “After being prompted, he gave Tesla investigators access to view his Dropbox account, where they discovered Defendant’s claims were outright lies,” Tesla alleges. “[…] Defendant then claimed he somehow “forgot” about the thousands of other files he stole (almost certainly another lie).”

    Tesla has also accused the engineer of attempting to cover his tracks by “hurriedly deleting the Dropbox client and other files during the beginning of the interview,” leaving the company to wonder whether or not other confidential data may have been stolen, noting that Tesla has “no way to know” if any further leaks or transfers to third-parties have occurred. 
    A jury trial has been requested. Tesla is claiming breach of contract and the theft of trade secrets. 
    “Access to the scripts would enable engineers at other companies to reverse engineer Tesla’s automated processes to create a similar automated system in a fraction of the time and with a fraction of the expense it took Tesla to build it,” Tesla says. “The scripts also would inform competitors of which systems Tesla believes are important and valuable to automate and how to automate them — providing a roadmap to copy Tesla’s innovation.”
    Speaking to the New York Post, Khatilov claims the issue is a misunderstanding, with files “unintentionally” moved into Dropbox. Khatilov added that he was unaware of the lawsuit until contacted by the publication.
    In 2018, Tesla sued process technician Martin Tripp for leaking “gigabytes” of data to outsiders, including “dozens of confidential photographs and a video of Tesla’s manufacturing systems.” For the past two years, Tripp and Tesla were locked in a legal dispute that ended only when a settlement was recently agreed upon, under which the former employee will pay Tesla $400,000.
    Last year, Tesla launched a lawsuit against a former employee for allegedly sabotaging operations at the company’s Fremont, California plant. 
    In other news concerning Tesla’s CEO Elon Musk this month, the entrepreneur said last week that he intends to contribute $100 million to a prize fund for viable carbon capture projects to combat global warming. 

    Hacker leaks data of 2.28 million dating site users

    A well-known hacker has this week leaked the details of more than 2.28 million users registered on MeetMindful.com, a dating website founded in 2014, ZDNet has learned from a security researcher.

    The dating site’s data has been shared as a free download on a publicly accessible hacking forum known for its trade in hacked databases.
    The leaked data, a 1.2 GB file, appears to be a dump of the site’s users database.
    The content of this file includes a wealth of information that users provided when they set up profiles on the MeetMindful site and mobile apps.
    Some of the most sensitive data points included in the file include:
    Real names
    Email addresses
    City, state, and ZIP details
    Body details
    Dating preferences
    Marital status
    Birth dates
    Latitude and longitude
    IP addresses
    Bcrypt-hashed account passwords
    Facebook user IDs
    Facebook authentication tokens

    Messages exchanged by users were not included in the leaked file; however, this does not make the entire incident less sensitive.
    While not all leaked accounts have full details included, for many MeetMindful users, the provided data can be used to trace their dating profiles back to their real-world identities.

    When we reached out to MeetMindful for comment on Thursday via Twitter, a MeetMindful spokesperson redirected our request to an email address from which we have not heard back in three days.
    In the meantime, the forum thread where the MeetMindful data was leaked has been viewed more than 1,500 times, and the data has most likely been downloaded many times over.
    The data is still available for download on the public file-hosting site where it was initially uploaded.
    The site’s data was released by a threat actor who goes online as ShinyHunters, who earlier this week also leaked the details of millions of users registered on Teespring, a web portal that lets users create and sell custom-printed apparel.
    A request for comment sent to an email address previously used by ShinyHunters was not answered.
    The leak of this highly sensitive data represents a looming issue for the site’s users and the main reason why MeetMindful needs to notify account holders.
    Over the past few years, many cybercrime groups have engaged in a practice called sextortion, where they take data leaked from dating sites and contact site users, threatening to expose their dating profiles and history to family or work colleagues unless a ransom is paid.

    Rogue CCTV technician spied on hundreds of customers during intimate moments

    A Texas-based CCTV technician pleaded guilty this week to illegally accessing the security cameras of hundreds of families to watch people in their homes get naked and engage in sexual activities.
    According to a criminal complaint [PDF], Telesforo Aviles, a 35-year-old, committed his crimes between November 2015 and March 2020 while working as a support technician for ADT, a provider of home security services.
    Aviles’s job involved installing home video surveillance cameras at customer premises and configuring the devices to work with the company’s proprietary ADT Pulse app.
    But prosecutors said that Aviles strayed from company policy and started adding his personal email address to customers’ ADT Pulse app accounts during the installation and testing process.
    Investigators said the technician usually targeted attractive women, and he used the backdoor account to access the camera’s real-time video feed and spy on customers in intimate moments in their homes and with their partners.
    The technician’s scheme was discovered in January and February 2020 when several customers discovered Aviles’ email address in their app’s configuration panel and reported the incidents to ADT, which later referred the case to authorities.

    Aviles was charged in April 2020 and pleaded guilty [PDF] on Thursday this week.
    Prosecutors said Aviles accessed more than 200 customer CCTV systems on more than 9,600 occasions.
    The former ADT technician now faces a sentence of up to five years in prison and a fine of up to $250,000, according to court documents. He was conditionally released earlier this week [PDF].
    ADT notified its customers of the incident in April 2020. The New York Post reported at the time that the company tried to convince customers to sign a confidentiality agreement in exchange for a monetary payment so Aviles’ actions wouldn’t leak online.
    Those efforts didn’t work, and the company is currently facing three class-action lawsuits [1, 2, 3] as a result of its former employee’s actions.

    SonicWall says it was hacked using zero-days in its own products

    Networking device maker SonicWall said on Friday night that it is investigating a security breach of its internal network after detecting what it described as a “coordinated attack.”
    In a short statement posted on its knowledgebase portal, the company said that “highly sophisticated threat actors” targeted its internal systems by “exploiting probable zero-day vulnerabilities on certain SonicWall secure remote access products.”
    The company listed NetExtender VPN clients and the Secure Mobile Access (SMA) gateways as impacted:
    NetExtender VPN client version 10.x (released in 2020) utilized to connect to SMA 100 series appliances and SonicWall firewalls.
    Secure Mobile Access (SMA) version 10.x running on SMA 200, SMA 210, SMA 400, SMA 410 physical appliances, and the SMA 500v virtual appliance.
    SonicWall said that the newer SMA 1000 series is not impacted, as that product series uses a different VPN client than NetExtender.
    Patches for the zero-day vulnerabilities are not available at the time of writing.
    To help keep its own customers’ networks safe, the vendor has included a series of mitigations in its knowledgebase article, such as deploying a firewall to limit who can interact with SMA devices or disabling access via the NetExtender VPN client to its firewalls.
    SonicWall also urged companies to enable two-factor authentication options in its products for admin accounts.

    The networking device maker, whose products are often used to secure access to corporate networks, now becomes the fourth security vendor to disclose a security breach over the past two months after FireEye, Microsoft, and Malwarebytes.
    All three previous companies were breached during the SolarWinds supply chain attack. CrowdStrike said it was targeted in the SolarWinds hack as well, but the attack did not succeed.
    Cisco, another major vendor of networking and security devices, was also targeted by the SolarWinds hackers. The company said last month it was investigating if attackers escalated their initial access from the SolarWinds products to other parts of its network.
    Multiple sources in the threat intel community told ZDNet after the publication of this article that SonicWall might have fallen victim to a ransomware attack.

    FSB warns of US cyberattacks after Biden administration comments

    The Russian government has issued a security alert on Thursday evening warning Russian businesses of potential cyberattacks launched by the United States in response to the SolarWinds incident.
    The Russian government’s response comes after comments made by the new Biden administration earlier in the day.
    Answering questions about their plans on the SolarWinds hack, new White House officials said they reserved the right to respond at a time and manner of their choosing to any cyberattack.

    At first White House press briefing @PressSec says on SolarWinds breach: “we’ve spoken about this previously…of course we reserve the right to respond at a time and manner of our choosing to any cyberattack”
    — Shannon Vavra (@shanvav) January 21, 2021

    Moscow’s response to this comment came hours later in the form of a security bulletin published by the National Coordination Center for Computer Incidents (NKTSKI), a security agency founded by the Russian Federal Security Service (FSB), Russia’s internal security and intelligence agency.
    The short statement cited the Biden administration’s comments, interpreted as threats, and provided a list of 15 security best practices that businesses should adhere to in order to remain safe online.

    The best practices included in the alert are run-of-the-mill security advice, nothing that companies, or even the least experienced security practitioner, would not already know.

    The security alert was published more as a response to the Biden administration’s aggressive statements earlier in the day.
    The White House’s comments follow a tone set two weeks ago when US officials from the FBI, CISA, ODNI, and NSA formally blamed Russia for orchestrating the wide-reaching SolarWinds supply chain attack.
    Kremlin officials have repeatedly denied having had any hand in the SolarWinds incident.
    During yesterday’s press conference, the Biden administration also promised to commit $9 billion towards cybersecurity in the aftermath of the SolarWinds hack.


    As Bitcoin price surges, DDoS extortion gangs return in force

    Extortion groups that send emails threatening companies with DDoS attacks unless paid a certain fee are making a comeback, security firm Radware warned today.
    In a security alert sent to its customers and shared with ZDNet this week, Radware said that during the last week of 2020 and the first week of 2021, its customers received a new wave of DDoS extortion emails.
    Extortionists threatened companies with crippling DDoS attacks unless they got paid between 5 and 10 bitcoins ($150,000 to $300,000).
    Radware said that some of the emails it had seen were sent by a group that was active over the summer of 2020, when the extortionists targeted many financial organizations across the world.
    Companies that received this group’s emails last summer also received new threats over the winter, Radware said.
    The security firm believes that the rise in the Bitcoin-to-USD price has led to some groups returning to or re-prioritizing DDoS extortion schemes.
    But Radware said that the Bitcoin price surge was so sudden and unexpected that it caught even some of the groups by surprise. Extortionists had to adapt and reduce their demands over time, going from 10 BTC to 5 BTC, because with the Bitcoin price having tripled since August 2020, the original fee would in some cases have been too large for companies to pay.

    And just like in the summer of 2020, Radware said that these DDoS extortion groups had the firepower to deliver on their threats.
    Radware said it saw some organizations being targeted with DDoS attacks after receiving the extortion emails. Attacks typically lasted around nine hours and ranged around 200 Gbps, with one attack peaking at 237 Gbps.

    But this resurgence in DDoS extortion tactics was also documented by Lumen’s Black Lotus Labs, which reported on their comeback last week.
    The former CenturyLink division, now part of Lumen, said these schemes never actually stopped, although the frequency of these email threats died down over the fall, compared to their prevalence over the summer.
    Just like before, the DDoS extortion gangs also kept using the names of more famous hacking groups to send their threats, hoping to intimidate victims. Attackers used names such as Fancy Bear, Cozy Bear, Lazarus Group, and Armada Collective.
    But towards the end of the year, Black Lotus Labs reported that some of these extortion emails were also signed using the name of Kadyrovtsy, the name of an elite Chechen military group that has also been associated with DDoS gangs and extortionists in the early 2010s.
    Both Black Lotus Labs and Radware recommended that companies not pay the ransom, as this merely invites more extortion attempts in the future. Instead, companies are advised to request additional protection against any potential attacks from their security providers.