Over the past few weeks, three of the longest running and most venerated Russian-language online forums serving thousands of experienced cybercriminals have been hacked. In two of the intrusions, the attackers made off with the forums’ user databases, including email and Internet addresses and hashed passwords. Members of all three forums are worried the incidents could serve as a virtual Rosetta Stone for connecting the real-life identities of the same users across multiple crime forums.
On Tuesday, someone dumped thousands of usernames, email addresses and obfuscated passwords on the dark web apparently pilfered from Mazafaka (a.k.a. “Maza,” “MFclub“), an exclusive crime forum that has for more than a decade played host to some of the most experienced and infamous Russian cyberthieves.
At the top of a 35-page PDF leaked online is a private encryption key allegedly used by Maza administrators. The database also includes ICQ numbers for many users. ICQ, also known as “I seek you,” was an instant message platform trusted by countless early denizens of these older crime forums before its use fell out of fashion in favor of more private networks, such as Jabber and Telegram.
This is notable because ICQ numbers tied to specific accounts often are a reliable data point that security researchers can use to connect multiple accounts to the same user across many forums and different nicknames over time.
Cyber intelligence firm Intel 471 assesses that the leaked Maza database is legitimate.
“The file comprised more than 3,000 rows, containing usernames, partially obfuscated password hashes, email addresses and other contact details,” Intel 471 found, noting that Maza forum visitors are now redirected to a breach announcement page. “Initial analysis of the leaked data pointed to its probable authenticity, as at least a portion of the leaked user records correlated with our own data holdings.”
The attack on Maza comes just weeks after another major Russian crime forum got plundered. On Jan. 20, a longtime administrator of the Russian language forum Verified disclosed that the community’s domain registrar had been hacked, and that the site’s domain was redirected to an Internet server the attackers controlled.
“Our [bitcoin] wallet has been cracked. Luckily, we did not keep large amounts in it, but this is an unpleasant incident anyway. Once the circumstances became clear, the admin assumed that THEORETICALLY, all the forum’s accounts could have been compromised (the probability is low, but it is there). In our business, it’s better to play safe. So, we’ve decided to reset everyone’s codes. This is not a big deal. Simply write them down and use them from now on.”
A short time later, the administrator updated his post, saying:
“We are getting messages that the forum’s databases were filched after all when the forum was hacked. Everyone’s account passwords were forcibly reset. Pass this information to people you know. The forum was hacked through the domain registrar. The registrar was hacked first, then domain name servers were changed, and traffic was sniffed.”
On Feb. 15, the administrator posted a message purportedly sent on behalf of the intruders, who claimed they hacked Verified’s domain registrar between Jan. 16 and 20.
“It should be clear by now that the forum administration did not do an acceptable job with the security of this whole thing,” the attacker explained. “Most likely just out of laziness or incompetence, they gave up the whole thing. But the main surprise for us was that they saved all the user data, including cookies, referrers, ip addresses of the first registrations, login analytics, and everything else.”
Other sources indicate tens of thousands of private messages between Verified users were stolen, including information about bitcoin deposits and withdrawals and private Jabber contacts.
The compromise of Maza and Verified — and possibly a third major forum — has many community members concerned that their real-life identities could be exposed. Exploit — perhaps the next-largest and most popular Russian forum after Verified, also experienced an apparent compromise this week.
According to Intel 471, on March 1, 2021, the administrator of the Exploit cybercrime forum claimed that a proxy server the forum used for protection from distributed denial-of-service (DDoS) attacks might have been compromised by an unknown party. The administrator stated that on Feb. 27, 2021, a monitoring system detected unauthorized secure shell access to the server and an attempt to dump network traffic.
Some forum lurkers have speculated that these recent compromises feel like the work of some government spy agency.
“Only intelligence services or people who know where the servers are located can pull off things like that,” mused one mainstay of Exploit. “Three forums in one month is just weird. I don’t think those were regular hackers. Someone is purposefully ruining forums.”
Others are wondering aloud which forum will fall next, and bemoaning the loss of trust among users that could be bad for business.
“Perhaps they work according to the following logic,” wrote one Exploit user. “There will be no forums, there will be no trust between everyone, less cooperation, more difficult to find partners – fewer attacks.”
Update, March 4, 6:58 p.m. ET: Intel 471 says there was a fourth crime forum that got hit recently. From the blog post they just published on these events: “In February, the administrator of another popular cybercrime forum, Crdclub, announced the forum sustained an attack that resulted in the compromise of the administrator’s account. By doing so, the actor behind the attack was able to lure forum customers to use a money transfer service that was allegedly vouched for by the forum’s admins. That was a lie, and resulted in an unknown amount of money being diverted from the forum. The forum’s admins promised to reimburse those who were defrauded. No other information looked to be compromised in the attack.”
In what’s a case of hackers getting hacked, a prominent underground online criminal forum by the name of Maza has been compromised by unknown attackers, making it the fourth forum to have been breached since the start of the year. The intrusion is said to have occurred on March 3, with information about the forum members — including usernames, email addresses, and hashed passwords — publicly
The Hacker News
At least 30,000 organizations across the United States — including a significant number of small businesses, towns, cities and local governments — have over the past few days been hacked by an unusually aggressive Chinese cyber espionage unit that’s focused on stealing email from victim organizations, multiple sources tell KrebsOnSecurity. The espionage group is exploiting four newly-discovered flaws in Microsoft Exchange Server email software, and has seeded hundreds of thousands of victim organizations worldwide with tools that give the attackers total, remote control over affected systems.
On March 2, Microsoft released emergency security updates to plug four security holes in Exchange Server versions 2013 through 2019 that hackers were actively using to siphon email communications from Internet-facing systems running Exchange.
In the three days since then, security experts say the same Chinese cyber espionage group has dramatically stepped up attacks on any vulnerable, unpatched Exchange servers worldwide.
In each incident, the intruders have left behind a “web shell,” an easy-to-use, password-protected hacking tool that can be accessed over the Internet from any browser. The web shell gives the attackers administrative access to the victim’s computer servers.
Speaking on condition of anonymity, two cybersecurity experts who’ve briefed U.S. national security advisors on the attack told KrebsOnSecurity the Chinese hacking group thought to be responsible has seized control over “hundreds of thousands” of Microsoft Exchange Servers worldwide — with each victim system representing approximately one organization that uses Exchange to process email.
Microsoft said the Exchange flaws are being targeted by a previously unidentified Chinese hacking crew it dubbed “Hafnium,” and said the group had been conducting targeted attacks on email systems used by a range of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.
Microsoft’s initial advisory about the Exchange flaws credited Reston, Va. based Volexity for reporting the vulnerabilities. Volexity President Steven Adair said the company first saw attackers quietly exploiting the Exchange bugs on Jan. 6, 2021, a day when most of the world was glued to television coverage of the riot at the U.S. Capitol.
But Adair said that over the past few days the hacking group has shifted into high gear, moving quickly to scan the Internet for Exchange servers that weren’t yet protected by the security updates Microsoft released Tuesday.
“We’ve worked on dozens of cases so far where web shells were put on the victim system back on Feb. 28 [before Microsoft announced its patches], all the way up to today,” Adair said. “Even if you patched the same day Microsoft published its patches, there’s still a high chance there is a web shell on your server. The truth is, if you’re running Exchange and you haven’t patched this yet, there’s a very high chance that your organization is already compromised.”
Reached for comment, Microsoft said it is working closely with the U.S. Cybersecurity & Infrastructure Security Agency (CISA), other government agencies, and security companies, to ensure it is providing the best possible guidance and mitigation for its customers.
“The best protection is to apply updates as soon as possible across all impacted systems,” a Microsoft spokesperson said in a written statement. “We continue to help customers by providing additional investigation and mitigation guidance. Impacted customers should contact our support teams for additional help and resources.”
Meanwhile, CISA has issued an emergency directive ordering all federal civilian departments and agencies running vulnerable Microsoft Exchange servers to either update the software or disconnect the products from their networks.
Adair said he’s fielded dozens of calls today from state and local government agencies that have identified the backdoors in their Exchange servers and are pleading for help. The trouble is, patching the flaws only blocks the four different ways the hackers are using to get in. But it does nothing to undo the damage that may already have been done.
White House press secretary Jen Psaki told reporters today the vulnerabilities found in Microsoft’s widely used Exchange servers were “significant,” and “could have far-reaching impacts.”
“We’re concerned that there are a large number of victims,” Psaki said.
By all accounts, rooting out these intruders is going to require an unprecedented and urgent nationwide clean-up effort. Adair and others say they’re worried that the longer it takes for victims to remove the backdoors, the more likely it is that the intruders will follow up by installing additional backdoors, and perhaps broadening the attack to include other portions of the victim’s network infrastructure.
Security researchers have published several tools for detecting vulnerable servers. One of those tools, a script from Microsoft’s Kevin Beaumont, is available from Github.
KrebsOnSecurity has seen portions of a victim list compiled by running such a tool, and it is not a pretty picture. The backdoor web shell is verifiably present on the networks of thousands of U.S. organizations, including banks, credit unions, non-profits, telecommunications providers, public utilities and police, fire and rescue units.
“It’s police departments, hospitals, tons of city and state governments and credit unions,” said one source who’s working closely with federal officials on the matter. “Just about everyone who’s running self-hosted Outlook Web Access and wasn’t patched as of a few days ago got hit with a zero-day attack.”
Another government cybersecurity expert who participated in a recent call with multiple stakeholders impacted by this hacking spree worries the cleanup effort required is going to be Herculean.
“On the call, many questions were from school districts or local governments that all need help,” the source said, speaking on condition they were not identified by name. “If these numbers are in the tens of thousands, how does incident response get done? There are just not enough incident response teams out there to do that quickly.”
When it released patches for the four Exchange Server flaws on Tuesday, Microsoft emphasized that the vulnerability did not affect customers running its Exchange Online service (Microsoft’s cloud-hosted email for businesses). But sources say the vast majority of the organizations victimized so far are running some form of Internet-facing Microsoft Outlook Web Access (OWA) email systems in tandem with Exchange servers internally.
“It’s a question worth asking, what’s Microsoft’s recommendation going to be?,” the government cybersecurity expert said. “They’ll say ‘Patch, but it’s better to go to the cloud.’ But how are they securing their non-cloud products? Letting them wither on the vine.”
The government cybersecurity expert said this most recent round of attacks is uncharacteristic of the kinds of nation-state level hacking typically attributed to China, which tends to be fairly focused on compromising specific strategic targets.
“Its reckless,” the source said. “It seems out of character for Chinese state actors to be this indiscriminate.”
Microsoft has said the incursions by Hafnium on vulnerable Exchange servers are in no way connected to the separate SolarWinds-related attacks, in which a suspected Russian intelligence group installed backdoors in network management software used by more than 18,000 organizations.
“We continue to see no evidence that the actor behind SolarWinds discovered or exploited any vulnerability in Microsoft products and services,” the company said.
Nevertheless, the events of the past few days may well end up far eclipsing the damage done by the SolarWinds intruders.
This is a fast-moving story, and likely will be updated multiple times throughout the day. Stay tuned.
Update, 8:27 p.m. ET: Wired cybersecurity reporter Andy Greenberg has confirmed hearing the same number of victim numbers cited in this report: “It’s massive. Absolutely massive,” one former national security official with knowledge of the investigation told WIRED. “We’re talking thousands of servers compromised per hour, globally.” Read Greenberg’s account here.
Also, the first and former director of CISA, Chris Krebs (no relation) seems to be suggesting on Twitter that the victim numbers cited here are conservative (or just outdated already):
Update 8:49 p.m.: Included a link to one of the more recommended tools for finding systems vulnerable to this attack.
Update, 10:17 p.m.: Added mention from Reuters story, which said White House officials are concerned about “a large number of victims.”
For most small businesses, the chances of falling prey to a long-term covert surveillance operation by well-resourced, likely state-backed actors are slim. To recap, that is what the evidence suggests happened in the SolarWinds compromise discovered last December. Many believe the company’s Orion update was used to conduct cyber espionage for months prior to being discovered.
However, data shows the time to detect a data breach for businesses averages 280 days, according to research conducted by IBM and the Ponemon Institute; a significant gap between the time a network is compromised and its discovery. This shows that stealthily surveilling a network is not a tactic exclusive to highly sophisticated threat actors targeting enterprise businesses.
What would reducing the time to discovery mean for small businesses? Likely it would mean less of their data on the dark web, fewer important pieces of intellectual property leaked, ransomware attacks thwarted or less reputational damage to companies.
Here are some ideas IT admins can use to detect a network compromise sooner, potentially limiting the damage of an adverse cyber event.
Consider booby trapping your network
As swashbuckling as it sounds, adopting an “offensive defensive” posture against cyberattacks can help your organization level the playing field against attackers. Because so much of cybersecurity relies on passive forms of protection (think firewalls, antivirus solutions, password protection, etc.), hackers have an asymmetrical advantage when probing defenses. Passive protection is good and necessary, to be sure, but network “booby traps,” sometimes called canary tokens, can help reduce the advantage held by hackers.
These measures may include setting up a domain administrator account that is bound to look like a juicy target to a network intruder. It may be configured according to default settings or with a particularly weak password – some way that makes it easy for a determined hacker to access. Once inside, though, the intruder’s presence triggers alarms alerting IT staff that an attack is underway and even locking out the suspicious user.
Researchers have laid out several ways booby trapping could work, but all rely on the principal of an action being taken by an attacker that would typically not occur otherwise. While they may not reveal who is behind the attack or their motivations, booby traps trigger a response alerting admins and allowing time to react.
Configure and pay close attention to failed login attempts
Allowing attackers unlimited tries at cracking passwords is never wise, but sometimes the configurations for preventing this are overlooked. This is especially dangerous when remote desktop protocol (RDP) is enabled. RDP-enabled machines can often be located using search engines like Shodan.io, making them sitting ducks for attackers armed with brute-force tools.
When configured properly, however, RDP and other password protected tools should lock users out after a given number of incorrect attempts and alert an admin. This would force a user, legitimate or otherwise, to wait some predetermined time before attempting to login again. Reaching out to the locked-out user could then help determine if the credentials have been stolen or if it is a genuine case of “fat fingers.”
If credentials have been compromised, it is a good idea to force password resets and keep an eye out for further failed login attempts. If there is no limit to the number of times a password can be tried without being timed out, an organization may never know it is in an attacker’s crosshairs.
Monitor anomalous web traffic
Skilled threat actors like those involved in the SolarWinds attack take steps to conceal their true locations when attempting to compromise a network. This can prevent alarm bells from ringing when, suddenly, an IP address from Eastern Europe is trying to connect to a network housed in Silicon Valley. Other times, malicious hackers do not have the skills or resources to cover their tracks. Their attack may also be so broadly aimed they simply do not care to.
That is why the difference between looking for malware and looking for “weird stuff” matters. It takes time to gather the data to truly know what constitutes “anomalous activity,” but once it is there it can automatically alert admins when it occurs. This could include communication with previously unknown IP addresses or uncommon application traffic patterns. In other words, a platform that has never talked to a domain in China but now does so often should be cause for alarm.
Monitoring access lists, including who is logged into what and whether anything is out of the ordinary, is another good option for spotting potential breaches early on. These so-called “spot-checks” can be too resource intensive for small businesses without dedicated IT positions, and too expensive to farm out to MSPs, but they are good to consider for businesses with dedicated IT resources.
Staying on guard against attacks
The best strategies for ensuring cyberattacks are not successful – and do not go unnoticed if they do – involve a mix of active and passive defenses. But poor configurations can undermine both. While small businesses are unlikely to become targets of highly skilled state-sponsored attackers, there are steps they can still take to make sure defenses are not undermined by the same common tactics.
Here are a few quick tips:
- Do not rely on the default configuration for RDP. Enforce 2FA and passwords time outs.
- Disable powerful tools like PowerShell, Office macros and WMI where not needed.
- Limit access rights on your internal network so that only those who need access have it.
- Strictly control access to the dev and QA processes if these take place within your organization.
The post Reducing the Time to Discovery: How to Determine if You Have Been Hacked appeared first on Webroot Blog.