Stantinko Bot Targets Russia

Stantinko is an adware and coin-miner botnet targeting Russia, Ukraine, Belarus, and Kazakhstan. The newly found trojan masquerades as httpd, the Apache web server binary commonly found on Linux servers, and is a new version of the malware used by the threat actor tracked as Stantinko.

Stantinko has traditionally been Windows malware; the expansion of its toolset to target Linux did not go unnoticed, although the sample observed so far is only a Linux proxy version.

Upon execution, “httpd” validates a configuration file located at “etc/pd.d/proxy.conf” that is delivered along with the malware, then creates a socket and a listener to accept connections from what the researchers believe are other infected systems.

An HTTP POST request from an infected client is passed on by the proxy to an attacker-controlled server, which responds with an appropriate payload that the proxy forwards back to the client.

If a non-infected client sends an HTTP GET request to the compromised server, it receives an HTTP 301 redirect to a preconfigured URL specified in the configuration file.

The researchers state that this new version of the malware functions only as a proxy. Stantinko thereby joins Doki, IPStorm and RansomEXX among the Linux-server malware families that have managed to fly under the radar.
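The behaviour described above gives a defender two host-level hooks: a process called httpd that is listening but whose binary does not come from the distribution's Apache package, and the proxy's own config file. The script below is an added hunting example written for this article, not Intezer's tooling or the malware's code. It assumes the listener inventory comes from `ss -lntp`, the binary path per PID from `/proc/<pid>/exe`, and a hypothetical baseline of legitimate httpd locations that you would adapt to your distribution; the sample `ss` output, PID-to-path map and file list are constructed for the demonstration.

```python
"""Hunt for a listener masquerading as Apache httpd, as the article describes.

Added example, not Intezer's analysis tooling or the malware's own code.
Assumptions not taken from the article: the listener inventory comes from
`ss -lntp`, the binary path per PID from /proc/<pid>/exe, and the baseline of
legitimate httpd locations is a hypothetical one you would adapt to your distro.
"""
from __future__ import annotations

import os
import re
import subprocess
from dataclasses import dataclass

# Hypothetical baseline: where a packaged Apache binary normally lives.
KNOWN_GOOD_HTTPD = {"/usr/sbin/httpd", "/usr/sbin/apache2"}

# Config path the article attributes to the Linux proxy, matched as a suffix
# because the article prints it without a leading slash.
PROXY_CONF_SUFFIX = "etc/pd.d/proxy.conf"

# Matches each ("name",pid=N,fd=M) entry in the Process column of `ss -lntp`.
SS_PROCESS_RE = re.compile(r'\("(?P<name>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)')


@dataclass(frozen=True)
class Listener:
    name: str
    pid: int
    local: str  # "addr:port" as printed by ss


def parse_ss_listeners(ss_output: str) -> list[Listener]:
    """Turn `ss -lntp` output into one Listener per process entry."""
    listeners: list[Listener] = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header or non-LISTEN row
        local = fields[3]  # columns: State Recv-Q Send-Q Local Peer Process
        for m in SS_PROCESS_RE.finditer(line):
            listeners.append(Listener(m.group("name"), int(m.group("pid")), local))
    return listeners


def find_masquerading_httpd(ss_output: str, exe_by_pid: dict[int, str],
                            existing_files: set[str]) -> list[dict]:
    """Flag 'httpd' listeners whose binary is not in the baseline, and record
    whether the proxy's config file is present on the host."""
    config_present = any(f.endswith(PROXY_CONF_SUFFIX) for f in existing_files)
    findings = []
    for lst in parse_ss_listeners(ss_output):
        if lst.name != "httpd":
            continue
        exe = exe_by_pid.get(lst.pid, "<unreadable>")
        if exe in KNOWN_GOOD_HTTPD:
            continue
        findings.append({
            "pid": lst.pid,
            "listening_on": lst.local,
            "exe": exe,
            "config_present": config_present,
            "reason": "process named httpd but binary outside packaged locations",
        })
    return findings


def collect_live() -> list[dict]:
    """Gather real input on a Linux host (root needed to resolve other users' PIDs)."""
    ss_out = subprocess.run(["ss", "-lntp"], capture_output=True, text=True, check=True).stdout
    exe_by_pid: dict[int, str] = {}
    for lst in parse_ss_listeners(ss_out):
        try:
            exe_by_pid[lst.pid] = os.readlink(f"/proc/{lst.pid}/exe")
        except OSError:
            pass  # process exited or permission denied; reported as <unreadable>
    present = {p for p in ("/" + PROXY_CONF_SUFFIX,) if os.path.exists(p)}
    return find_masquerading_httpd(ss_out, exe_by_pid, present)


# Constructed sample: two httpd listeners, one packaged and one dropped in /tmp.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:80          0.0.0.0:*          users:(("httpd",pid=1337,fd=4))
LISTEN  0       511     0.0.0.0:8080        0.0.0.0:*          users:(("httpd",pid=2001,fd=5))
LISTEN  0       128     127.0.0.1:3306      0.0.0.0:*          users:(("mysqld",pid=900,fd=20))
"""
SAMPLE_EXE = {1337: "/usr/sbin/httpd", 2001: "/tmp/.x/httpd", 900: "/usr/sbin/mysqld"}
SAMPLE_FILES = {"/etc/pd.d/proxy.conf", "/etc/httpd/conf/httpd.conf"}

if __name__ == "__main__":
    for finding in find_masquerading_httpd(SAMPLE_SS, SAMPLE_EXE, SAMPLE_FILES):
        print(finding)
```

Two caveats when running `collect_live()` on a real host: `/proc/<pid>/exe` of a binary that deleted itself after starting resolves to a path ending in ` (deleted)`, which correctly fails the baseline check, and an `<unreadable>` entry usually just means you are not root, so rerun with privileges before treating it as a hit.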

Out-of-Band Update (OOBU) for Kerberos Released by Microsoft

The issue is related to the PerformTicketSignature registry value introduced by the fix for CVE-2020-17049, a security feature bypass bug in the Kerberos Key Distribution Center (KDC) that Microsoft patched on the last Patch Tuesday.

CVE-2020-17049, the company explains, lies in the way the KDC determines whether tickets are eligible for delegation via Kerberos Constrained Delegation (KCD).

“To exploit the vulnerability, a compromised service that is configured to use KCD could tamper with a service ticket that is not valid for delegation to force the KDC to accept it. The update addresses this vulnerability by changing how the KDC validates service tickets used with KCD,” the advisory reads.

Last week, the company identified a series of issues that can occur on writable and read-only domain controllers (DCs) after the fix is installed: tickets not being renewed for non-Windows Kerberos clients and S4UProxy delegation failing when PerformTicketSignature is set to 1 (the default), and services failing for all clients when PerformTicketSignature is set to 0.

“An out-of-band optional update is now available on the Microsoft Update Catalog to address a known issue affecting Kerberos authentication. As part of this issue, ticket renewal and other tasks, such as scheduled tasks and clustering, might fail. This issue only affects Windows Servers, and Windows 10 devices and applications in enterprise environments,” Microsoft said.

The company recommends that only impacted organizations install the out-of-band update on their domain controllers. Microsoft also warns of known issues with the Microsoft Input Method Editor (IME) for Japanese and Chinese that enterprises should be aware of when installing the update.

Microsoft Japan provided the steps that admins should take to address such issues, in addition to deploying the update to all of the DCs and RODCs (Read-Only Domain Controllers) in the environment.

Spotify… Got a Credential Stuffing Problem

Security researchers at vpnMentor have uncovered a likely credential stuffing operation affecting Spotify accounts. The threat actors behind the campaign were using a database of over 380 million records, including login credentials and other data for Spotify accounts, probably amassed from various sources. The researchers estimate that between 300,000 and 350,000 users were affected.

“The origins of the database and how the fraudsters were targeting Spotify are both unknown. The hackers were possibly using login credentials stolen from another platform, app, or website and using them to access Spotify accounts,” vpnMentor's report reads.

“Working with Spotify, we confirmed that the database belonged to a group or individual using it to defraud Spotify and its users. We also helped the company isolate the issue and ensure its customers were safe from attack.”

Credential stuffing attacks use botnets to replay stolen login credentials, usually obtained through phishing attacks and data breaches, against other services. They are effective because many users reuse the same password across multiple services, so a small fraction of the replayed pairs still works.

The database is 72 GB in size and holds over 380 million records containing email addresses and login credentials, along with a flag recording whether each pair successfully logged in to a Spotify account.
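Seen from the login service, the attack described above has a distinctive shape: one source replays many different accounts in a short burst with a low hit rate, and the handful of successes are exactly the accounts that need a forced password reset. The script below is an added example written for this article, not vpnMentor's or Spotify's code. The log format (`<ISO timestamp>Z <source IP> <username> OK|FAIL`), the thresholds, and the sample events are assumptions constructed for the demonstration; it also deliberately leaves single-account brute force to a separate rule.

```python
"""Spot a credential-stuffing burst in authentication logs and list the
accounts whose reused password still worked (the ones to force-reset).

Added example, not vpnMentor's or Spotify's code. The log format
"<ISO timestamp>Z <source IP> <username> OK|FAIL" and the thresholds are
assumptions chosen for the demonstration; tune them to your own login service.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    ip: str
    user: str
    ok: bool


@dataclass(frozen=True)
class Alert:
    ip: str
    attempts: int
    distinct_users: int
    compromised: list[str]  # accounts that logged in successfully from this source


def parse_line(line: str) -> Event:
    """Parse one assumed-format log line: '<ts>Z <ip> <user> OK|FAIL'."""
    ts, ip, user, result = line.split()
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK")


def detect_stuffing(events: list[Event], window: timedelta = timedelta(minutes=5),
                    min_attempts: int = 20, min_distinct_users: int = 10,
                    max_success_rate: float = 0.25) -> list[Alert]:
    """One source trying many *different* accounts with a low hit rate is the
    stuffing signature; a single account hammered from one IP is brute force
    and deliberately not flagged here (different rule, different response)."""
    by_ip: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    alerts: list[Alert] = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:  # slide the window forward
                start += 1
            win = evs[start:end + 1]
            if len(win) < min_attempts:
                continue
            users = {e.user for e in win}
            hit_rate = sum(1 for e in win if e.ok) / len(win)
            if len(users) >= min_distinct_users and hit_rate <= max_success_rate:
                # Report every success from this source, not just those in the window.
                compromised = sorted({e.user for e in evs if e.ok})
                alerts.append(Alert(ip, len(evs), len({e.user for e in evs}), compromised))
                break  # one alert per source is enough
    return alerts


def constructed_events() -> list[Event]:
    """Constructed sample, not real data: one stuffing source replaying 40
    leaked pairs (3 still valid), one single-account brute force, and one
    user who mistypes a password once."""
    base = datetime(2020, 7, 3, 10, 0, 0)

    def stamp(seconds: int) -> str:
        return (base + timedelta(seconds=seconds)).strftime("%Y-%m-%dT%H:%M:%SZ")

    lines = [f"{stamp(i)} 203.0.113.7 user{i:02d}@example.org "
             f"{'OK' if i in (5, 17, 33) else 'FAIL'}" for i in range(40)]
    lines += [f"{stamp(i)} 198.51.100.9 victim@example.org FAIL" for i in range(30)]
    lines += [f"{stamp(1)} 192.0.2.44 alice@example.org FAIL",
              f"{stamp(9)} 192.0.2.44 alice@example.org OK"]
    return [parse_line(line) for line in lines]


if __name__ == "__main__":
    for a in detect_stuffing(constructed_events()):
        print(f"{a.ip}: {a.attempts} attempts on {a.distinct_users} accounts; "
              f"force-reset {a.compromised}")
```

Keying on the source IP is the simplest form of this rule; real campaigns spread attempts across a botnet, so the same logic is usually also run keyed on ASN, user-agent fingerprint or the global ratio of distinct usernames to successes per minute, and the `compromised` list feeds the forced-reset step that Spotify took here.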


The exposed data puts users at risk of identity theft and fraud, scams, phishing and malware attacks, and of course account abuse.

Below is the timeline shared by the researchers:

  • Date discovered: July 3rd, 2020 (reviewed on July 9th)
  • Date Spotify contacted: July 9th, 2020
  • Date of Response: July 9th, 2020
  • Date of Action: Between July 10th and July 21st

Spotify announced that it is forcing a password reset for all impacted users.

Note that Spotify does not support two-factor authentication, which means anyone who had access to the unsecured Elasticsearch database discovered by vpnMentor could have used the working credentials to access the corresponding Spotify accounts.

Tesla Model X Key Fob Hacked via Bluetooth

Tesla uses over-the-air updates to patch vulnerabilities and add features to the keyless entry system of its Model X vehicles. However, according to Lennert Wouters, a researcher at KU Leuven (Belgium), that very update mechanism can be abused to steal a Model X in a matter of minutes.

Wouters found vulnerabilities in both the Model X keyless entry system and the car itself that allowed him to rewrite the key fob's firmware over a Bluetooth connection, extract the unlock code and steal the car. A thief who reads the car's vehicle identification number and gets within about 4.6 m of the victim's key fob can exploit them. The required equipment costs about $300, fits in a backpack and is controlled from a smartphone.

In about 90 seconds, the device Wouters presented can extract the radio code that unlocks the Model X. Once inside the car, the thief can exploit the second vulnerability and start the car in about a minute using his own key fob.

“A combination of the two vulnerabilities allows a hacker to hijack a Model X in minutes. If you combine them, the attack will be much more powerful,” the researcher said.

Wouters notified Tesla of the issues in August of this year, and the company has promised to release fixes for the key fobs soon. According to the manufacturer, it can take up to a month to push updates to all vulnerable Model X vehicles, so owners should install every available update to protect themselves from this attack. For his part, the researcher has promised not to publish any code or details of the vulnerabilities until then, to avoid their exploitation.