NASA Hacked, Ransomware LooCipher, & Steam Phishing Website

June 23, 2019 by Exploit Leave a Comment

Hey, Guys welcome back for another episode of Exploit Brokers Hacking News!

I’m your host Lauro, let's log in!


NASA’s Raspberry Pi and Hacker Problems

So I would say it’s safe to assume most of my listeners are aware of the space agency NASA. What many of you may not be aware of is that NASA’s Jet Propulsion Laboratory, or the JPL, was the target of a year-long attack back in 2018.

According to a ZDNet.com article, “NASA hacked because of unauthorized Raspberry Pi connected to its network”, hackers were able to compromise the JPL’s network by planting a compromised Raspberry Pi on the JPL’s internal network.

The lack of segmentation of the JPL’s network meant the attackers could pivot throughout the entire network without issue. For my listeners who may not be aware of the practice: it is good security practice to segment, that is, to create smaller network segments within the larger network, using devices like a switch, router, or some other network device. The purpose of segmenting a network is that you can prevent devices in one smaller network from connecting to a device in another network. If NASA’s JPL had segmented its network, it would have been harder for the hacker to move around.
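The two controls this segment calls for, an asset inventory that would have flagged the unauthorized board and a segmentation policy that would have stopped the pivot, are small enough to show in code. The following is an added example written for these show notes, not code from the podcast, ZDNet or the OIG report: it reads constructed dnsmasq-style DHCP lease lines, flags any MAC that is not in a hypothetical asset inventory (annotating it when the OUI is one I assume belongs to Raspberry Pi boards), and then checks constructed flow records against a hypothetical allow-list of which network segments may talk to which. All hostnames, addresses and subnets are made up.

```python
"""Rogue-device and segmentation checks over constructed sample data."""
import ipaddress
from dataclasses import dataclass

# Hypothetical asset inventory: MAC -> (hostname, owner). Constructed values.
INVENTORY = {
    "00:1a:2b:3c:4d:01": ("jpl-ws-01", "engineering"),
    "00:1a:2b:3c:4d:02": ("jpl-ws-02", "engineering"),
    "00:1a:2b:3c:4d:10": ("jpl-fileserver", "it"),
}

# OUI prefixes (first three octets) I assume are registered to Raspberry Pi boards.
RASPBERRY_PI_OUIS = {"b8:27:eb", "dc:a6:32", "e4:5f:01"}

# Constructed lease lines in dnsmasq leases format:
# "<expiry-epoch> <mac> <ip> <hostname> <client-id>"
SAMPLE_LEASES = """\
1561300000 00:1a:2b:3c:4d:01 10.10.1.21 jpl-ws-01 *
1561300010 00:1a:2b:3c:4d:02 10.10.1.22 jpl-ws-02 *
1561300020 b8:27:eb:aa:bb:cc 10.10.1.77 raspberrypi *
1561300030 00:1a:2b:3c:4d:10 10.10.2.5 jpl-fileserver *
"""


@dataclass
class Finding:
    ip: str
    mac: str
    hostname: str
    reason: str


def parse_leases(text):
    """Turn lease lines into dicts; skip anything that is not a full lease record."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        rows.append({"mac": parts[1].lower(), "ip": parts[2], "hostname": parts[3]})
    return rows


def find_rogue_devices(lease_text, inventory=INVENTORY):
    """Every leased MAC that is missing from the inventory is a finding."""
    findings = []
    for row in parse_leases(lease_text):
        if row["mac"] in inventory:
            continue
        reason = "MAC not in asset inventory"
        if row["mac"][:8] in RASPBERRY_PI_OUIS:
            reason += " (Raspberry Pi OUI)"
        findings.append(Finding(row["ip"], row["mac"], row["hostname"], reason))
    return findings


# Hypothetical segments and the inter-segment pairs the policy permits.
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.1.0/24"),
    "servers": ipaddress.ip_network("10.10.2.0/24"),
    "mission-ops": ipaddress.ip_network("10.10.9.0/24"),
}
ALLOWED = {("workstations", "servers"), ("mission-ops", "servers")}


def segment_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


# Constructed flow records: (src_ip, dst_ip, dst_port)
SAMPLE_FLOWS = [
    ("10.10.1.21", "10.10.2.5", 445),   # workstation -> file server: allowed
    ("10.10.1.77", "10.10.2.5", 445),   # rogue Pi -> file server: allowed by segment policy
    ("10.10.1.77", "10.10.9.4", 22),    # rogue Pi -> mission ops: cross-segment pivot
]


def find_policy_violations(flows):
    """Flows that cross segments without an ALLOWED entry; intra-segment traffic is permitted."""
    violations = []
    for src, dst, port in flows:
        src_seg, dst_seg = segment_of(src), segment_of(dst)
        if src_seg != dst_seg and (src_seg, dst_seg) not in ALLOWED:
            violations.append((src, dst, port, src_seg, dst_seg))
    return violations


if __name__ == "__main__":
    for f in find_rogue_devices(SAMPLE_LEASES):
        print(f"ROGUE  {f.ip} {f.mac} {f.hostname}: {f.reason}")
    for v in find_policy_violations(SAMPLE_FLOWS):
        print(f"PIVOT  {v[0]} -> {v[1]}:{v[2]} ({v[3]} -> {v[4]} not allowed)")
```

On real infrastructure the lease and flow inputs would come from the DHCP server, a NAC system or NetFlow export rather than constants; the point is that the inventory comparison catches the board the moment it takes a lease, and the segment policy turns the later pivot into an alert instead of a silent success.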

This information comes from the NASA Office of Inspector General’s report. There was some information stolen.

About 500 Megabytes of data was stolen, some of which contained regulated information under ITAR or the International Traffic in Arms Regulations. The fact that ITAR related information was stolen is a major security concern. ITAR regulation was created to ensure that government and military defense tech does not fall into malicious hands.

Now the data in question belonged to NASA’s Mars Science Lab, which is known for its Curiosity rover. There is a bit of concern because the hacker or hackers appear to have accessed NASA’s Deep Space Network of satellites, which communicates with and controls equipment and spacecraft. The report appears to point to JPL’s upkeep of the security systems and protocols in place as the main factor behind this attack.

So some of you may be wondering, do they know who hacked the JPL? Well, the article goes on to point out that it could be the Chinese elite hacking group APT10. This is in connection to two Chinese nationals being charged by the US Department of Justice for hacking cloud providers, the US Navy, and NASA back in 2018. The two Chinese nationals are believed to be APT10 hackers.

[Image: NASA Hacked by Raspberry Pi]

src: https://www.zdnet.com/article/nasa-hacked-because-of-unauthorized-raspberry-pi-connected-to-its-network/

WeTransfer just to the wrong people

So if you use WeTransfer then unfortunately private wasn’t private for 2 days. According to bleepingcomputer.com’s article, “WeTransfer Security Incident Sent Files to the Wrong People”, there was a period from June 16th to June 17th where files sent to a designated person or group were also received by other people.

WeTransfer did send an email to users warning about the incident but has not said why the accidental distribution happened. They did take proactive measures by logging out some accounts, resetting passwords, and blocking transfer links for those accounts involved in the incident.

I do agree with bleepingcomputer’s statement at the end of the article. They question the incident being a simple bug in the code. Now from a software developer’s perspective, I don’t think this is a simple bug if they also went to the hassle of resetting accounts. If this was a bug then blocking the links is understandable, but logging out and resetting passwords sounds suspicious, like something else they are not telling users.

Only time, another email or another security release will tell.

src: https://www.bleepingcomputer.com/news/security/wetransfer-security-incident-sent-files-to-the-wrong-people/

Ransomware Alert: LooCipher on the loose

So guys, ransomware has now become a prominent part of the cybersecurity threats out in the wild. This new ransomware is another addition. According to bleepingcomputer’s article, “New LooCipher Ransomware Spreads Its Evil Through Spam”, the ransomware LooCiper, I may have butchered the name, uses a malicious Word document with macros to spread.

The order of infection appears to be similar to the following:

  1. The victim comes across and opens a Word document called Info_BSV_2019.docm
  2. Once it is open, Word prompts to enable macros
  3. Once the victim clicks Enable Editing and allows the macros, the macro connects to a Tor server
  4. The macro downloads a malicious executable from http[:]//hcwyo5rfapkytajg[.]onion[.]pet/3agpke31mk[.]exe
  5. Once downloaded, the executable is renamed to LooCipher.exe
  6. At this point LooCipher.exe is auto-executed


Once the ransomware begins executing it appears to follow similar patterns to other ransomware. The encryption appears to follow a particular order.

  1. A file called c2056.ini is created on the Windows Desktop
    1. This file contains a unique ID, time limit, and bitcoin wallet address to pay the ransom
  2. The encryption process then begins, creating encrypted files with the .lcphr extension appended
  3. Once all files are encrypted, the executable creates the @Please_Read_Me.txt file that gives the ransom amount and instructions on how to pay the ransom
  4. The wallpaper is then changed to a message similar to the @Please_Read_Me.txt
  5. Lastly, LooCipher’s decryptor window shows a countdown with a payment verification button
    1. There is an unverified process to decrypt once payment has been made

As a security precaution, it is important to keep offline backups in case any ransomware hits your system and always take precautions when opening files that are not from trusted sources.

The article notes that the LooCipher ransomware is using spam techniques to spread and it is not known yet how many have been infected with the ransomware.
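The two lists above give a defender concrete artefacts to look for: the lure document name, the dropped executable, the c2056.ini file on the Desktop, the .lcphr extension and the @Please_Read_Me.txt note. The following is an added example for these show notes, not code from the podcast or the BleepingComputer article: it runs over constructed file and process event lines (the "timestamp EVENT path" format is my assumption, the events themselves are made up) and reports both the named LooCipher indicators and the generic ransomware signal of many .lcphr files being created within a few seconds, which fires even if a later variant renames its files.

```python
"""Flag LooCipher indicators in constructed file/process event lines."""
import re
from collections import deque
from datetime import datetime, timedelta

# Indicators taken from the infection and encryption order summarised above.
RANSOM_EXT = ".lcphr"
INDICATOR_FILES = {
    "info_bsv_2019.docm": "malicious Word document (initial lure)",
    "loocipher.exe": "LooCipher payload",
    "c2056.ini": "LooCipher ID / time limit / wallet file on the Desktop",
    "@please_read_me.txt": "LooCipher ransom note",
}

# Constructed event lines; format "<ISO timestamp> <EVENT> <path>" is an assumption.
SAMPLE_EVENTS = r"""
2019-06-20T09:59:50Z OPEN C:\Users\alice\Downloads\Info_BSV_2019.docm
2019-06-20T10:00:05Z CREATE C:\Users\alice\AppData\Local\Temp\LooCipher.exe
2019-06-20T10:00:06Z EXEC C:\Users\alice\AppData\Local\Temp\LooCipher.exe
2019-06-20T10:00:07Z CREATE C:\Users\alice\Desktop\c2056.ini
2019-06-20T10:00:08Z CREATE C:\Users\alice\Documents\report.docx.lcphr
2019-06-20T10:00:08Z CREATE C:\Users\alice\Documents\budget.xlsx.lcphr
2019-06-20T10:00:09Z CREATE C:\Users\alice\Pictures\img1.jpg.lcphr
2019-06-20T10:00:09Z CREATE C:\Users\alice\Pictures\img2.jpg.lcphr
2019-06-20T10:00:10Z CREATE C:\Users\alice\Pictures\img3.jpg.lcphr
2019-06-20T10:00:15Z CREATE C:\Users\alice\Desktop\@Please_Read_Me.txt
2019-06-20T10:30:00Z CREATE C:\Users\alice\Documents\notes.txt
"""

EVENT_RE = re.compile(r"^(\S+)\s+(\w+)\s+(.*)$")


def parse_events(text):
    """Return (timestamp, event, path) tuples; malformed lines are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3)))
    return events


def basename(path):
    # Accept both Windows and POSIX separators so the check is not path-style dependent.
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def match_indicators(events):
    """Every event whose file name is a known LooCipher artefact (case-insensitive)."""
    hits = []
    for ts, ev, path in events:
        name = basename(path)
        desc = INDICATOR_FILES.get(name.lower())
        if desc:
            hits.append((ts.isoformat(), ev, name, desc))
    return hits


def detect_encryption_burst(events, threshold=5, window=timedelta(seconds=10)):
    """Timestamp at which `threshold` .lcphr files were created within `window`, else None."""
    recent = deque()
    for ts, ev, path in events:
        if ev != "CREATE" or not path.lower().endswith(RANSOM_EXT):
            continue
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            return ts.isoformat()
    return None


def assess(text):
    """Combine both signals into a single verdict for the event stream."""
    events = parse_events(text)
    hits = match_indicators(events)
    burst_at = detect_encryption_burst(events)
    if burst_at or len(hits) >= 2:
        verdict = "likely LooCipher infection"
    elif hits:
        verdict = "suspicious: isolated indicator"
    else:
        verdict = "no LooCipher indicators"
    return {"indicators": hits, "burst_at": burst_at, "verdict": verdict}


if __name__ == "__main__":
    result = assess(SAMPLE_EVENTS)
    for hit in result["indicators"]:
        print("INDICATOR", *hit)
    print("encryption burst at:", result["burst_at"])
    print("verdict:", result["verdict"])
```

The named-file matches are the high-confidence part, and the burst counter is what buys time: on the constructed stream it trips at the fifth .lcphr file, seconds before the ransom note appears, which is early enough for an EDR response to isolate the host.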

[Image: Ransomware Alert! LooCipher]

src: https://www.bleepingcomputer.com/news/security/new-loocipher-ransomware-spreads-its-evil-through-spam/

Steam Phishing Website

A message to my avid gamer audience who like to hack: I have a warning and news for you. Beware those bearing gifts. A new Malwarebytes Labs report, “Fresh ‘video games’ site welcomes new users with Steam phish”, discusses a recent phishing campaign aimed at gamers.

There have been several accounts, which appear to be compromised, sending out a message gifting 1 free game. The URL does some redirection to get to the real phishing page.

  1. There is a Twitter-shortened t.co link
  2. This takes the user to steamredirect[.]fun, which redirects to the true phishing page

The phishing page masks itself as a place where you can win games. The site goes by the name “Gift4Keys” and has a roulette-style game where you can “win”, and I say win sarcastically, a free game. To play, all you have to do is press the play button in the middle of the site.

Once you “win”, again sarcastically, you are prompted with a timer that gives you 30 minutes to log in to Steam and redeem the won game. Once you click login you are given a Steam login page that shows gift4keys as a third-party affiliate.

Normal third-party affiliates use the sign-in at steamcommunity.com, but the phishing site’s URL address bar is simply blank.

If you have supplied credentials then your account has been hacked and it’s important to try to recover it and change your password as soon as possible. If you haven’t had your credentials hijacked then remember this story to help make sure you stay that way.

src: https://blog.malwarebytes.com/social-engineering/2019/06/fresh-video-games-site-welcomes-new-users-with-steam-phish/


Conclusion

So guys, to conclude this episode, a quick review. We have data being stolen from NASA by way of a malicious Raspberry Pi. We also have a new ransomware attack by the name LooCipher that is using spam techniques to spread. If you have a Steam account then beware those bearing gifts and never click suspicious links. If it is too good to be true then it may not be true.

That wraps up another episode of Exploit Brokers Hacking News. The show notes can be found at exploitbrokers.com/podcasts/hn05. This has been your host Lauro, signing off until next time.

Filed Under: Podcasts
