
Security Week 12: card games, manual malware and a healthy approach to leaks
News
Banks and law enforcement agencies have to work hard: well-known dealers of stolen credit card data JokerStash put up for sale the details of the wealthy customers of the elite stores Saks Fifth Avenue and Lord & Taylor Stores - that is, Americans and guests of the United States, for whom the norm is to be spent on a large scale. And withdraw money abroad, of course. It is not so easy to isolate among all these operations the dark deeds of fraudsters.
In addition, dealers from JokerStash, as is customary with them, spread the goods in small portions so that they do not block everything at once. So, the hype on the leak will cease, and they will not sell half as well. For comparison: in December, they stole the data of 7 million cards, and so far have only posted a quarter. So far, 125 thousand credit cards have been sold from the new batch, and a total of 5 million have been stolen.
News
Security researchers have discovered a new malware for Linux systems. Apparently, the name GoScanSSH was invented by akyn, according to the principle of “what I see - that I sing about”: the malware is written in Go, scans the network, infects devices through the SSH port. If he did something, then “spy” or “wiper” would be written there, but the fact is that he ... does not do anything else so far. For what purposes the attackers intend to use the network collected with its help, it is still unclear, but one thing is certain: they should not occupy meticulousness and hard work.
To begin with, when scanning a network, the malware carefully checks to see if it has stumbled upon servers belonging to a military or government organization. If there is even the slightest doubt, the attack immediately stops. Then he spends brute force, sorting out over 7000 commonly used combinations of usernames and passwords. If it is possible to pick it up, it penetrates the system and sends information about its parameters to the command server.
After that, the hackers behind the attack manually configure the new version of their brainchild, each time based on the characteristics of the server or device found, and manually download it. So far, experts have found 70 variations, and this is clearly not the limit.
Why such thorough preparation is needed is not yet clear. It is unlikely for mining: the specifics of brute force make it clear that the new malware is designed not only for servers, but also for IoT devices from which it is impossible to mine cryptocurrency. Maybe for DDoS attacks? In general, the intrigue is growing. Obviously, you will have to find out on your own skin.
News
Other craftsmen attacked the followers of healthy lifestyle. 150 million accounts leaked from MyFitnessPal’s free calorie counter. True, according to the assurances of the owner of the application - the company Under Armor, the attackers didn’t touch the credit cards, they only stole usernames and passwords.
A leak with credential encryption led to the leak. Along with the more robust Bcrypt algorithm, the company still used an old, weak SHA-1 for some records.
To the credit of Under Armor, they promptly responded to the leak: four days after it was discovered, the customers were already notified, and for reliability, both through the application and through the email. So no matter what the attackers want, they will no longer force other people's calories to work for themselves.
Devil-941

Resident very dangerous virus. It is standardly striking. COM files: in the current directory (upon activation) and upon their launch (from its TSR copy). Periodically changes the color of some characters on the screen. Depending on its counters, it decrypts and displays the text: “Have you ever danced with the devil under the weak light of the moon? Pray for your disk! ” Contains the lines: "Drk", "* .com". It hooks int 9, 21h.
Disclaimer: This column reflects only the private opinion of its author. It may coincide with the position of Kaspersky Lab, or it may not coincide. That's how lucky.

In addition, dealers from JokerStash, as is customary with them, spread the goods in small portions so that they do not block everything at once. So, the hype on the leak will cease, and they will not sell half as well. For comparison: in December, they stole the data of 7 million cards, and so far have only posted a quarter. So far, 125 thousand credit cards have been sold from the new batch, and a total of 5 million have been stolen.
Handmade
News
Security researchers have discovered a new malware for Linux systems. Apparently, the name GoScanSSH was invented by akyn, according to the principle of “what I see - that I sing about”: the malware is written in Go, scans the network, infects devices through the SSH port. If he did something, then “spy” or “wiper” would be written there, but the fact is that he ... does not do anything else so far. For what purposes the attackers intend to use the network collected with its help, it is still unclear, but one thing is certain: they should not occupy meticulousness and hard work.
To begin with, when scanning a network, the malware carefully checks to see if it has stumbled upon servers belonging to a military or government organization. If there is even the slightest doubt, the attack immediately stops. Then he spends brute force, sorting out over 7000 commonly used combinations of usernames and passwords. If it is possible to pick it up, it penetrates the system and sends information about its parameters to the command server.
After that, the hackers behind the attack manually configure the new version of their brainchild, each time based on the characteristics of the server or device found, and manually download it. So far, experts have found 70 variations, and this is clearly not the limit.
Why such thorough preparation is needed is not yet clear. It is unlikely for mining: the specifics of brute force make it clear that the new malware is designed not only for servers, but also for IoT devices from which it is impossible to mine cryptocurrency. Maybe for DDoS attacks? In general, the intrigue is growing. Obviously, you will have to find out on your own skin.
MyFitnessPal - Not Only Calories Lost
News
Other craftsmen attacked the followers of healthy lifestyle. 150 million accounts leaked from MyFitnessPal’s free calorie counter. True, according to the assurances of the owner of the application - the company Under Armor, the attackers didn’t touch the credit cards, they only stole usernames and passwords.
A leak with credential encryption led to the leak. Along with the more robust Bcrypt algorithm, the company still used an old, weak SHA-1 for some records.
To the credit of Under Armor, they promptly responded to the leak: four days after it was discovered, the customers were already notified, and for reliability, both through the application and through the email. So no matter what the attackers want, they will no longer force other people's calories to work for themselves.
Antiquities
Devil-941

Resident very dangerous virus. It is standardly striking. COM files: in the current directory (upon activation) and upon their launch (from its TSR copy). Periodically changes the color of some characters on the screen. Depending on its counters, it decrypts and displays the text: “Have you ever danced with the devil under the weak light of the moon? Pray for your disk! ” Contains the lines: "Drk", "* .com". It hooks int 9, 21h.
Disclaimer: This column reflects only the private opinion of its author. It may coincide with the position of Kaspersky Lab, or it may not coincide. That's how lucky.