Showing posts with label Cyber Scam. Show all posts

UK Teenager, Aged 18, Charged With Running DDoS-For-Hire Service

A teenage student has been charged with running a service that supplied malware used to launch distributed denial of service (DDoS) attacks against the websites of some of the world's leading businesses.

Jack Chappell, an 18-year-old from Stockport, is accused of helping cyber criminals use his DDoS booter service (a DDoS-for-hire service) to flood millions of websites around the world with massive amounts of traffic, eventually bringing them down and making them unavailable to their users.

Among the victims allegedly attacked with Chappell's malware are the National Crime Agency (NCA), T-Mobile, O2, Virgin Media, the BBC, Amazon, Vodafone, BT, Netflix, and NatWest, whose online banking systems were taken down in a 2015 cyber attack.

Chappell is charged following an investigation led by the West Midlands Regional Cyber Crime Unit and assisted by Israeli Police, the Federal Bureau of Investigation (FBI) and Europol’s European Cybercrime Centre (EC3).

According to authorities, the teenager rented his DDoS-for-hire service to criminals and also ran an online helpdesk for would-be hackers as part of his operation.

"He has been charged with impairing the operation of computers under the Computer Misuse Act, plus encouraging or assisting an offense and money laundering crime proceeds together with an American national," West Midlands Police said in a statement.

Chappell is due to appear at Manchester Magistrates' Court on July 4, Tuesday.

Late last year, another 19-year-old student, from Hertford (a town in the UK), pleaded guilty to running the Titanium Stresser DDoS-for-hire service, one of the most popular DDoS booter tools, which was used to launch over 1.7 million DDoS attacks worldwide and earned him more than US$385,000.

Critical Skype Bug Lets Hackers Remotely Execute Malicious Code

A critical vulnerability has been discovered in Skype, the Microsoft-owned and hugely popular free web messaging and voice calling service, that could allow hackers to remotely execute malicious code and crash systems.

Skype is a free online service that allows users to communicate with peers by voice, video, and instant messaging over the Internet. The service was acquired by Microsoft Corporation in May 2011 for US$8.5 Billion due to its worldwide popularity.

Security researcher Benjamin Kunz-Mejri from Germany-based security firm Vulnerability Lab discovered the previously unknown stack buffer overflow vulnerability, which is documented in CVE-2017-9948, in Skype Web's messaging and call service during a team conference call.


The vulnerability is considered high risk, with a CVSS score of 7.2, and affects Skype versions 7.2, 7.35, and 7.36 on Windows XP, Windows 7 and Windows 8, Mejri said in a public security disclosure published on Monday.
"The issue can be exploited remotely via session or by local interaction. The problem is located in the print clipboard format & cache transmit via remote session on Windows XP, Windows 7, Windows 8 and Windows 10. In Skype v7.37 the vulnerability is patched," the security firm wrote.

No User Interaction Needed


What's worse? The stack buffer overflow vulnerability doesn't require any user interaction, and requires only a low-privilege Skype user account.

So, an attacker can remotely crash the application "with an unexpected exception error, to overwrite the active process registers," or even execute malicious code on a target system running the vulnerable Skype version.

The issue resides in the way Skype uses the 'MSFTEDIT.DLL' file when handling a copy request on local systems.

Here's How Attackers can Exploit this Flaw


According to the vulnerability report, attackers can craft a malicious image file and then copy and paste it from a clipboard of a computer system into a conversation window in the Skype application.


Once this image is held on the clipboard of both the remote and the local systems, Skype experiences a stack buffer overflow, causing errors and crashing the application, which leaves the door open for further exploitation.
"The limitation of the transmitted size and count for images via print of the remote session clipboard has no secure limitations or restrictions. Attackers [can] crash the software with one request to overwrite the EIP register of the active software process," researchers from Vulnerability Lab say.
"Thus allows local or remote attackers to execute own codes on the affected and connected computer systems via the Skype software," they added.

Proof-of-Concept Code Released


The security firm has also provided proof-of-concept (PoC) exploit code that you can use to test the flaw.

Vulnerability Lab reported the flaw to Microsoft on May 16, and Microsoft fixed the issue and rolled out a patch on June 8 in Skype version 7.37.178.

If you are a Skype user, make sure you are running the latest version of the application on your system in order to protect yourself from attacks based on this vulnerability.

'Shadow Brokers' Threatens to Unmask A Hacker Who Worked With NSA

The Shadow Brokers, a notorious hacking group that leaked US cyberweapons — which were also abused by the recent ransomware disasters WannaCry and Petya or NotPetya — has now threatened to unmask the identity of a former hacker who worked for the NSA.

Besides this, the Shadow Brokers group has also doubled the price of its monthly subscription for NSA-built hacking tools and zero-day exploits from 100 ZEC (Zcash) to 200 ZEC, which is around US$64,400.

Moreover, the hacking group has also announced a VIP service for people whose questions about the leaked hacking tools and exploits the group will answer.

To subscribe to the VIP service, one has to make a one-time payment of 400 ZEC (around US$128,800).

Last month, the Shadow Brokers announced that it would release more zero-day exploits and hacking tools developed by the US spy agency every month starting in June 2017, but only to private members who subscribe for exclusive access to the future leaks.

The Shadow Brokers' June data dump costs 100 ZEC, but after looking at successful growth in the number of subscribers for this month, the group said it is raising the price for the next month's subscription.

Threatens to Unmask Equation Group Hacker


In typically broken English, the mysterious hacking group threatened to unmask a former member of the NSA's elite hacking group called Equation Group, who developed several hacking tools to break into Chinese organizations.

The Shadow Brokers did not reveal much about the former Equation Group member, except that the person is living in Hawaii and currently a "co-founder of a new security company and is having much venture capital."


The group, which refers to the NSA Equation Group member as "doctor," issued the threat because of his or her "ugly tweets" targeting the Shadow Brokers.
"TheShadowBrokers is having special invitation message for 'doctor' person theshadowbrokers is meeting on Twitter. 'Doctor' person is writing ugly tweets to theshadowbrokers," the group said. "Then doctor person is deleting ugly tweets, maybe too much drinking and tweeting?" 
"TheShadowBrokers is hoping 'doctor' person is deciding to subscribe to dump service in July. If theshadowbrokers is not seeing subscription payment with corporate email address of doctor@newsecuritycompany.com then theshadowbrokers might be taking tweets personally and dumping data of 'doctor' persons hacks of China with real id and security company name."
Well, that's enough of a threat.

With June coming to an end, it seems the Shadow Brokers subscribers who paid in June will start receiving zero-day exploits and hacking tools in the first week of July.

Although what the June dump would contain is not clear at the moment, the group's last announcement claimed that the upcoming data dump would include:

  • Compromised data from banks and Swift providers.
  • Exploits for operating systems, including Windows 10.
  • Exploits for web browsers, routers, and smartphones.
  • Stolen network information from Russian, Chinese, Iranian, and North Korean nuclear missile programs.

Petya Ransomware Spreading Rapidly Worldwide, Just Like WannaCry

Watch out, readers! It is ransomware, another WannaCry, another wide-spread attack.

The WannaCry ransomware is not dead yet, and another large-scale ransomware attack is causing chaos worldwide, shutting down computers at corporations, power suppliers, and banks across Russia, Ukraine, Spain, France, the UK, India, and the rest of Europe, and demanding $300 in bitcoins.

According to multiple sources, a new variant of the Petya ransomware, also known as Petwrap, is spreading rapidly with the help of the same Windows SMBv1 vulnerability that the WannaCry ransomware abused to infect 300,000 systems and servers worldwide in just 72 hours last month.
Apart from this, many victims have also reported that Petya ransomware has infected their fully patched systems.

"Petya uses the NSA Eternalblue exploit but also spreads in internal networks with WMIC and PSEXEC. That's why patched systems can get hit," confirms Mikko Hypponen, Chief Research Officer at F-Secure.

Petya is a nasty piece of ransomware and works very differently from other ransomware. Unlike traditional ransomware, Petya does not encrypt files on a targeted system one by one.

Instead, Petya reboots victims' computers and encrypts the hard drive's master file table (MFT) and renders the master boot record (MBR) inoperable, restricting access to the full system by seizing the information about file names, sizes, and locations on the physical disk.

Petya ransomware replaces the computer's MBR with its own malicious code that displays the ransom note and leaves computers unable to boot.

Don't Pay Ransom, You Wouldn’t Get Your Files Back 

Infected users are advised not to pay the ransom, because the hackers behind the Petya ransomware can no longer receive your emails.

Posteo, the German email provider, has suspended the email address wowsmith123456@posteo.net, which the criminals were using to communicate with victims and send decryption keys after receiving the ransom.

At the time of writing, 23 victims have paid in Bitcoin to '1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX' address for decrypting their files infected by Petya, which total roughly $6775.

Petya! Petya! Another Worldwide Ransomware Attack


Screenshots of the latest Petya infection, shared on Twitter, show that the ransomware displays a text demanding $300 worth of Bitcoins. Here's what the text reads:
"If you see this text, then your files are no longer accessible, because they are encrypted. Perhaps you are busy looking for a way to recover your files, but don't waste your time. Nobody can recover your files without our decryption service."
According to a recent VirusTotal scan, currently, only 16 out of 61 anti-virus services are successfully detecting the Petya ransomware malware.

Petya Ransomware Hits Banks, Telecom, Businesses & Power Companies

Supermarket in Kharkiv, East Ukraine
In the past few hours, Petya ransomware has already infected the Russian state-owned oil giant Rosneft and the Ukrainian state electricity suppliers Kyivenergo and Ukrenergo.
"We were attacked. Two hours ago, we had to turn off all our computers. We are waiting for permission from Ukraine's Security Service (SBU) to switch them back on," Kyivenergo's press service said.
There are reports from several banks, including National Bank of Ukraine (NBU) and Oschadbank, as well as other companies confirming they have been hit by the Petya ransomware attacks.

Maersk, an international logistics company, has also confirmed on Twitter that the latest Petya ransomware attacks have shut down its IT systems at multiple locations and business units.
"We can confirm that Maersk IT systems are down across multiple sites and business units. We are currently asserting the situation. The safety of our employees, our operations and customers' business is our top priority. We will update when we have more information," the company said.
The ransomware has also hit multiple workstations at the Ukrainian branch of the mining company Evraz.

The most severe damages reported by Ukrainian businesses also include compromised systems at Ukraine's local metro and Kiev's Boryspil Airport.

Three Ukrainian telecommunication operators, Kyivstar, LifeCell, Ukrtelecom, are also affected in the latest Petya attack.

How Is Petya Ransomware Spreading So Fast?


Symantec, the cyber security company, has also confirmed that Petya ransomware is using the EternalBlue SMBv1 exploit, just like WannaCry, and taking advantage of unpatched Windows machines.

"Petya ransomware successful in spreading because it combines both a client-side attack (CVE-2017-0199) and a network based threat (MS17-010)," tweeted the security researcher known by the Twitter handle HackerFantastic.

EternalBlue is a Windows SMB exploit leaked by the infamous hacking group Shadow Brokers in its April data dump; the group claimed to have stolen it, along with other Windows exploits, from the US intelligence agency NSA.

Microsoft has since patched the vulnerability for all versions of Windows operating systems, but many users remain vulnerable, and a string of malware variants are exploiting the flaw to deliver ransomware and mine cryptocurrency.

Just three days ago, we reported about the latest WannaCry attack that hit Honda Motor Company and around 55 speed and traffic light cameras in Japan and Australia, respectively.

Well, it is quite surprising that even after knowing about the WannaCry issue for a decent amount of time, big corporations and companies have not yet implemented proper security measures to defend against such threats.

How to Protect Yourself from Ransomware Attacks

What to do immediately? Go and apply those goddamn patches against EternalBlue (MS17-010) and disable the unsecured, 30-year-old SMBv1 file-sharing protocol on your Windows systems and servers.

Since Petya Ransomware is also taking advantage of WMIC and PSEXEC tools to infect fully-patched Windows computers, you are also advised to disable WMIC (Windows Management Instrumentation Command-line).
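Because Petya reaches fully patched machines through WMIC and PsExec, patching MS17-010 alone is not enough; you also want to notice when those two tools are used to start processes on other hosts. The following detection logic is an added example written for this post, not code from any vendor or researcher quoted here. It runs over a handful of constructed process-creation events (Sysmon/4688-style fields flattened to one line each; the field names and every host, user and IP are made up) and flags only the invocations that target a remote machine, leaving ordinary local use of wmic and psexec alone.

```python
import re

# Constructed sample process-creation events; not telemetry from any real incident.
# Format (assumed for this example): space-separated key=value pairs, raw command line last.
SAMPLE_EVENTS = [
    'host=WS01 user=CORP\\alice parent=explorer.exe image=C:\\Windows\\System32\\notepad.exe '
    'cmd=notepad.exe report.txt',
    # local WMIC query: benign, must not be flagged
    'host=WS01 user=CORP\\alice parent=cmd.exe image=C:\\Windows\\System32\\wbem\\WMIC.exe '
    'cmd=wmic os get caption',
    # WMIC asked to start a process on ANOTHER host (/node:) -> lateral movement
    'host=WS01 user=CORP\\svc_app parent=cmd.exe image=C:\\Windows\\System32\\wbem\\WMIC.exe '
    'cmd=wmic /node:"10.0.0.7" process call create "C:\\Windows\\example_payload.dat"',
    # local PsExec use (no \\target): not flagged by this rule
    'host=WS02 user=CORP\\bob parent=cmd.exe image=C:\\Tools\\PsExec.exe '
    'cmd=psexec.exe -s cmd.exe',
    # PsExec against a remote host as SYSTEM -> lateral movement
    'host=WS02 user=CORP\\svc_app parent=cmd.exe image=C:\\Tools\\PsExec.exe '
    'cmd=psexec.exe \\\\10.0.0.9 -accepteula -s -d C:\\Windows\\example_payload.dat',
]

# /node:<target> ... process call create  => WMIC remote process creation
WMIC_REMOTE_CREATE = re.compile(r'/node:"?([^"\s]+)"?.*\bprocess\s+call\s+create\b', re.IGNORECASE)
# a \\<target> argument to PsExec means execution on that remote host
PSEXEC_REMOTE = re.compile(r'\\\\([^\s\\]+)')


def parse_event(line: str) -> dict:
    """Split the key=value fields; everything after ' cmd=' is the raw command line."""
    head, _, cmd = line.partition(" cmd=")
    fields = dict(re.findall(r"(\w+)=(\S+)", head))
    fields["cmd"] = cmd
    return fields


def detect_lateral_movement(lines) -> list:
    """Return one finding per event that launches a process on another host via WMIC or PsExec."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        image = ev.get("image", "").rsplit("\\", 1)[-1].lower()  # basename of the executable
        cmd = ev.get("cmd", "")
        technique = target = None
        if image == "wmic.exe":
            m = WMIC_REMOTE_CREATE.search(cmd)
            if m:
                technique, target = "wmic_remote_process_create", m.group(1)
        elif image.startswith("psexec"):
            m = PSEXEC_REMOTE.search(cmd)
            if m:
                technique, target = "psexec_remote_exec", m.group(1)
        if technique:
            findings.append({
                "host": ev.get("host"), "user": ev.get("user"), "parent": ev.get("parent"),
                "technique": technique, "target": target, "cmd": cmd,
            })
    return findings


if __name__ == "__main__":
    for f in detect_lateral_movement(SAMPLE_EVENTS):
        print(f"{f['host']} {f['user']} -> {f['target']} [{f['technique']}]: {f['cmd']}")
```

The two findings are the `/node:` WMIC call and the `\\10.0.0.9` PsExec call; a single workstation suddenly emitting several of these toward different hosts, as a worm would, is the signal to isolate it. Disabling WMIC as the post suggests removes the first path, but PsExec-style service installs still need this kind of monitoring.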

Prevent Infection & Petya Kill-Switch

Researchers have found that Petya ransomware encrypts the system only after the computer reboots. So if your system is infected with Petya ransomware and it tries to restart, do not power it back on.
"If machine reboots and you see this message, power off immediately! This is the encryption process. If you do not power on, files are fine," HackerFantastic tweeted. "Use a LiveCD or external machine to recover files."
PT Security, a UK-based cyber security company, and Amit Serper from Cybereason have discovered a kill-switch for the Petya ransomware. According to a tweet, the company has advised users to create a file, "C:\Windows\perfc", to prevent ransomware infection.

To safeguard against any ransomware infection, you should always be suspicious of unwanted files and documents sent over an email and should never click on links inside them unless verifying the source.

To always keep a tight grip on your valuable data, keep a good backup routine in place that copies it to an external storage device that isn't always connected to your PC.

Moreover, make sure that you run a good and effective anti-virus security suite on your system, and keep it up-to-date. Most importantly, always browse the Internet safely.

WordPress Plugin Used by 300,000+ Sites Found Vulnerable to SQL Injection Attack


A SQL Injection vulnerability has been discovered in one of the most popular WordPress plugins, installed on over 300,000 websites, which could be exploited by hackers to steal databases and possibly hijack the affected sites remotely.

The flaw has been discovered in the highly popular WP Statistics plugin, which allows site administrators to get detailed information related to the number of users online on their sites, the number of visits and visitors, and page statistics.

Discovered by Sucuri team, WordPress plugin WP Statistics is vulnerable to SQL Injection flaw that allows a remote attacker, with at least a subscriber account, to steal sensitive information from the website's database and possibly gain unauthorized access to websites.

SQL Injection is a web application bug that allows hackers to inject malicious Structured Query Language (SQL) code to web inputs in order to determine the structure and location of key databases, which eventually allows stealing of the database.
The SQL injection vulnerability in WP Statistics plugin resides in multiple functions, including wp_statistics_searchengine_query().
"This vulnerability is caused by the lack of sanitization in user-provided data," researchers said. "Some attributes of the shortcode wpstatistics are being passed as parameters for important functions and this should not be a problem if those parameters were sanitized." 
"One of the vulnerable functions wp_statistics_searchengine_query() in the file 'includes/functions/functions.php' is accessible through WordPress' AJAX functionality thanks to the core function wp_ajax_parse_media_shortcode()."

This function does not check for additional privileges, which allows website subscribers to execute this shortcode and inject malicious code into its attributes.
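The two defects Sucuri describes, an unsanitized shortcode attribute reaching a query and an AJAX path with no privilege check, are easiest to see side by side. The following is an added example written for this post, not the plugin's own code: it uses a constructed in-memory SQLite table (the real WP Statistics schema is not shown here), a deliberately vulnerable query builder in the style of the unpatched function, and a hardened version that allow-lists the attribute, binds it as a parameter, and gates the hypothetical AJAX handler on the WordPress `manage_options` capability (a choice assumed here, not the plugin's actual fix).

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed stand-in for a search-engine statistics table (sample rows only)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE stats_search (engine TEXT, visitor_ip TEXT, hits INTEGER)")
    con.executemany(
        "INSERT INTO stats_search VALUES (?, ?, ?)",
        [("google", "203.0.113.5", 12), ("bing", "198.51.100.9", 3), ("yahoo", "192.0.2.44", 1)],
    )
    return con


def searchengine_query_unsafe(con: sqlite3.Connection, engine: str) -> list:
    # VULNERABLE (illustrative): the shortcode attribute is concatenated straight into SQL,
    # so a crafted attribute rewrites the WHERE clause and returns every visitor's row.
    sql = f"SELECT engine, visitor_ip, hits FROM stats_search WHERE engine = '{engine}'"
    return con.execute(sql).fetchall()


ALLOWED_ENGINES = {"google", "bing", "yahoo"}  # assumed allow-list for this example


def searchengine_query_safe(con: sqlite3.Connection, engine: str) -> list:
    # HARDENED: reject anything outside the allow-list, then bind the value as a parameter
    # so the database never interprets it as SQL.
    if engine not in ALLOWED_ENGINES:
        raise ValueError(f"unknown search engine attribute: {engine!r}")
    return con.execute(
        "SELECT engine, visitor_ip, hits FROM stats_search WHERE engine = ?", (engine,)
    ).fetchall()


def handle_ajax_shortcode(con: sqlite3.Connection, user_caps: set, attrs: dict) -> list:
    """Hypothetical AJAX entry point: the unpatched path let any subscriber reach the query,
    so require an administrative capability before shortcode attributes are touched."""
    if "manage_options" not in user_caps:
        raise PermissionError("insufficient privileges to run this shortcode")
    return searchengine_query_safe(con, attrs.get("engine", ""))


if __name__ == "__main__":
    con = setup_db()
    print("unsafe, normal attribute :", searchengine_query_unsafe(con, "google"))
    print("unsafe, crafted attribute:", searchengine_query_unsafe(con, "' OR '1'='1"))
    print("safe, normal attribute   :", handle_ajax_shortcode(con, {"manage_options"}, {"engine": "google"}))
```

The tautology `' OR '1'='1` is the classic textbook payload; against the unsafe builder it returns all three rows, including other visitors' IP addresses, while the hardened path refuses it before any SQL runs. Parameter binding is what actually closes the hole; the allow-list and capability check are defence in depth for the "no additional privileges" problem the researchers point out.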

The researchers at Sucuri privately disclosed the flaw to the WP Statistics team, which has patched the vulnerability in its latest release, WP Statistics version 12.0.8.

So, if you have a vulnerable version of the plugin installed and your website allows user registration, you are definitely at risk, and you should install the latest version as soon as possible.

Your Linux Machine Can Be Hacked Remotely With Just A Malicious DNS Response

A critical vulnerability has been discovered in Systemd, the popular init system and service manager for Linux operating systems, that could allow remote attackers to potentially trigger a buffer overflow to execute malicious code on the targeted machines via a DNS response.

The vulnerability, designated as CVE-2017-9445, actually resides in the 'dns_packet_new' function of 'systemd-resolved,' a DNS response handler component that provides network name resolution to local applications.
According to an advisory published Tuesday, a specially crafted malicious DNS response can remotely crash the 'systemd-resolved' program when the system tries to look up a hostname on an attacker-controlled DNS service.

A sufficiently large DNS response then overflows the buffer, allowing an attacker to overwrite memory, which leads to remote code execution.

This means the attackers can remotely run any malware on the targeted system or server via their evil DNS service.
"In systemd through 233, certain sizes passed to dns_packet_new in systemd-resolved can cause it to allocate a buffer that's too small," explains Chris Coulson, Ubuntu developer at Canonical. 
"A malicious DNS server can exploit this by responding with a specially crafted TCP payload to trick systemd-resolved into allocating a buffer that's too small, and subsequently write arbitrary data beyond the end of it."

This vulnerability has been present since Systemd version 223, introduced in June 2015, and affects all versions up to and including Systemd version 233, released in March this year.
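The failure mode Coulson describes is a size taken from the wire being used to allocate a buffer that is then written past its end. The following is an added example for this post, written in Python rather than systemd's C and not derived from systemd-resolved's code: a small DNS-over-TCP frame reader that treats the 2-byte length prefix as untrusted, refuses frames whose declared size disagrees with the bytes actually received, and only then copies the message into a buffer sized from that length. The sample response and the two hostile frames are constructed inline for the example.

```python
import struct

DNS_HEADER_LEN = 12       # fixed-size DNS header (RFC 1035 section 4.1.1)
DNS_TCP_MAX_LEN = 0xFFFF  # the 2-byte prefix caps a TCP DNS message at 65535 bytes


class DnsFrameError(ValueError):
    """Raised whenever a frame's declared size and its actual bytes disagree."""


def build_tcp_frame(message: bytes) -> bytes:
    """Prefix a DNS message with its big-endian 2-byte length, as DNS-over-TCP requires."""
    if len(message) > DNS_TCP_MAX_LEN:
        raise DnsFrameError("message too long for a TCP length prefix")
    return struct.pack("!H", len(message)) + message


def read_tcp_frame(stream: bytes) -> tuple:
    """Split one length-prefixed message off the front of `stream`; return (message, rest).

    Every size decision is validated against what was really received before any copy,
    which is exactly the check a buffer sized from an attacker-chosen length must make."""
    if len(stream) < 2:
        raise DnsFrameError("need a 2-byte length prefix")
    (declared,) = struct.unpack("!H", stream[:2])
    if declared < DNS_HEADER_LEN:
        raise DnsFrameError(f"declared length {declared} is smaller than a DNS header")
    available = len(stream) - 2
    if available < declared:
        raise DnsFrameError(f"truncated frame: declared {declared}, received {available}")
    body = stream[2:2 + declared]          # buffer sized from `declared`, filled with exactly that many bytes
    return body, stream[2 + declared:]


def parse_header(message: bytes) -> dict:
    """Decode the six 16-bit header fields, refusing anything shorter than a header."""
    if len(message) < DNS_HEADER_LEN:
        raise DnsFrameError("message shorter than DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", message[:DNS_HEADER_LEN])
    return {"id": ident, "flags": flags, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def parse_question_name(message: bytes, offset: int = DNS_HEADER_LEN) -> tuple:
    """Read an uncompressed QNAME with bounds checks; return (name, offset after the name)."""
    labels = []
    while True:
        if offset >= len(message):
            raise DnsFrameError("name runs past end of message")
        length = message[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise DnsFrameError("compression pointers are not allowed in QNAME")
        if offset + length > len(message):
            raise DnsFrameError("label runs past end of message")
        labels.append(message[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split(".")) + b"\x00"


# Constructed sample: a response to an A query for example.com (not captured traffic).
SAMPLE_RESPONSE = (
    struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)                    # header: 1 question, 1 answer
    + encode_name("example.com") + struct.pack("!HH", 1, 1)            # question: A, IN
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])  # answer: 192.0.2.1
)

# Constructed hostile frames whose length prefix lies about the payload that follows.
UNDERSIZED_FRAME = struct.pack("!H", 4) + SAMPLE_RESPONSE    # claims 4 bytes, sends far more
TRUNCATED_FRAME = struct.pack("!H", 600) + SAMPLE_RESPONSE   # claims 600 bytes, sends fewer


def decode_sample() -> tuple:
    body, rest = read_tcp_frame(build_tcp_frame(SAMPLE_RESPONSE))
    name, _ = parse_question_name(body)
    return parse_header(body), name, rest


if __name__ == "__main__":
    header, name, _ = decode_sample()
    print(f"id=0x{header['id']:04x} qdcount={header['qdcount']} ancount={header['ancount']} qname={name}")
    for label, frame in (("undersized", UNDERSIZED_FRAME), ("truncated", TRUNCATED_FRAME)):
        try:
            read_tcp_frame(frame)
        except DnsFrameError as err:
            print(f"{label} frame rejected: {err}")
```

The point is not the parsing itself but where the checks sit: the declared length is compared with both the minimum a valid message needs and the bytes actually present before a single byte is copied, so a malicious server cannot steer the allocation to something smaller than what it then sends.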

Of course, systemd-resolved must be running on your system for it to be vulnerable.

The bug is present in Ubuntu versions 17.04 and version 16.10; Debian versions Stretch (aka Debian 9), Buster (aka 10) and Sid (aka Unstable); and various other Linux distributions that use Systemd.

Security patches have been rolled out to address the issue, so users and system administrators are strongly recommended to install them and update their Linux distros as soon as possible.
