Tag Archives: Anonymous

Russian Orthodox Church Hacked

Anonymous continues to target Russian government entities and private businesses. Lastly, it is announced that Russian Orthodox Church’s charitable wing hacked by Anonymous group.

The group leaked 15GB of data however, they offer to share this data only to journalists or researches.

This week, Thozis Corp. was another victim of Anonymous in Russia. Thois Corp. is a Russian investment company and owned by Zakhar Smushkin. The Group have stolen thousands of internal email (about 5500) and shared.

Dozens of Surveillance Cameras in Russia Published by Anonymous

Anonymous announced that dozens of CCTV cameras in Russia had been hacked and they published all these streams in a website.

Some of the them are not reachable now however there are still many broadcast including restaurants, indoor, outdoor, offices and schools. At the beginning, site was including home camera broadcasts too but the hackers then removed these broadcasts from the websites with an explanation:

After some consideration, we’ve decided to take down the house cams out of respect for the privacy of the Russian civilians. We hope you understand.

It is currently unclear how the cameras were accessed by attackers.

Toyota Halts Production due to Cyber Attack

Toyota, Japanese automobile giant halts production at all 28 lines of its 14 plants in Japan starting March 1, after a “system failure” at a supplier caused problems with its just-in-time production control system.

The supplier mentioned here is KOJIMA INDUSTRIES CORPORATION hit by a cyber attack, supplies Toyota several components for both interior and exterior of the vehicle.

The automakers are still determining whether they will be able to return to normal operations after Wednesday. The shutdown will affect production of around 13,000 vehicles, or 4% to 5% of Toyota’s monthly output in Japan” reports https://asia.nikkei.com.

Also, “we apologize to our relevant suppliers and customers for any inconvenience this may cause,” Toyota said.

On Monday, an official close to Kojima Industries told Nikkei: “It is true that we have been hit by some kind of cyberattack. We are still confirming the damage and we are hurrying to respond, with the top priority of resuming Toyota’s production system as soon as possible.

Latest News about Russia & Ukraine Cyber War

Before Russian troops entered Ukraine, both government and companies of Ukraine faced several cyber attacks. While these cyber attacks are expected to spread all over the world, the attacks on Ukraine continue. A few days ago, according to Reuters, Ukraine asks hackers to help defending its cyber structure. “The government of Ukraine is asking for volunteers from the country’s hacker underground to help protect critical infrastructure and conduct cyber spying missions against Russian troops, according two people involved in the project” said Reuters. “Ukrainian cyber community! It’s time to get involved in the cyber defense of our country,” said in the post..

While all this is happening, Anonymous, international hacking collective announced they support Ukraine and has declared war against Russia. After this statement, we saw that several Russian government and company websites faced issues.

As recent progress, Ukraine’s Computer Emergency Response Team (CERT-UA) has warned of Belarusian state-sponsored hackers targeting its military personnel as a phishing campaign. “Mass phishing emails have recently been observed targeting private ‘i.ua’ and ‘meta.ua’ accounts of Ukrainian military personnel and related individuals.. After the account is compromised, the attackers, by the IMAP protocol, get access to all the messages” the CERT-UA said.

Before, in November, Mandiant announced that UNC1151 Assessed with High Confidence to have Links to Belarus government. UNC is a naming of Mandiant for the threat actors that under investigation, but not yet matched to an existing group. and Ukraine now blames UNC1151 group for these attacks.

UNC1151 has targeted a wide variety of governmental and private sector entities, with a focus in Ukraine, Lithuania, Latvia, Poland, and Germany,” Mandiant researchers said in the report. “The targeting also includes Belarusian dissidents, media entities, and journalists.

Another statement on the subject, some threat actors behind Conti ransomware posted a warning Friday that said it was “officially announcing a full support of Russian government.” Previously, Mandiant announced that “at least a portion of actors involved with Conti ransomware are based in Russia“. As in the past, it seems that Russian government is taking advantage of their talents.

What is CONTI?

CONTI is a Windows ransomware family that has been used in recent years. Later, a linux version was also encountered. Until today, many different people using this ransomware were encountered in the Russian forums.

Anonymous vs. Russia

Anonymous, an international hacking collective that has declared war against Russia and conducted cyber attacks against several organizations including government. The “YourAnonNews” Twitter account declared the war on Twitter on Thursday.

Ukrainian organizations were under attack for a while and thus, the cyber warfare has taken a two-sided turn. “We want the Russian people to understand that we know it’s hard for them to speak out against their dictator for fear of reprisals” the decentralized hacking collective said.

After this declaration, same account posted several attack information including RT News (rt.com) and ISPs in Russia.

It is expected that cyber attacks will continue mutually and spread all over the world. This move of Anonymous is one of the most important signs of this situation.

Turning to White

As we red the details in TheRecord.media, an attacker has abused a vulnerability in a cryptocurrency platform and stole crypto-assets worth $322.8 million at the time of stealing. The news is very detailed in the blog so does not want to mention the details here again.

But, the interesting thing is that the cryptocurrency platform – Wormhole – is now offering a proposal to the hacker including $10 million reward and to take the white hat side. Also it may mean that they won’t file any criminal complaint against the attacker.

This is an interesting situation for many reasons. Firstly, does that unilateral contract mean that the attacker can no longer be blamed, as the TheRecord.media mentioned in their post? The cyber attacks should be treated as a public offense and even if the attacker agrees on the proposal, simply it does not mean that they will never do it again to another organization. The cyber world is just like the real world, at least it should be. Even if you forgive a thief who stole your property, the same is true for cyber crime, just as this criminal is punished. This incident should be treated as a public crime.

If we look at the situation from the side of the attacker, it is not easy living without a trace, especially as long as she continues her similar actions. Considering the possibility that he stole a large amount of money and that she will now retire, with a good plan both during and after the attack, it is meaningless to accept the proposal of the victim. Even if she accepts, as we mentioned above, it does not mean that she will not be punished because of this crime. Putting aside the huge amount of money she stole, accepting the $10 million and with very likely facing a punishment.

Whichever way you look at it, this offer doesn’t make any sense. But still worth a try. We eagerly await the attacker’s response to this offer. We are also curious about your comments on this subject.

TOR As A SOCKS Proxy

Almost all applications and web sites are trying to learn who we are and what we are looking for on the internet. These informations are being used for many different reasons like advertisements and to detect malicious attempts. Again, for many reasons, it is very important to surf internet anonymously. Tor is used for anonymous surfing all over the world. It is free to install and use in both Windows, Linux and OS X operating systems. 

It is very easy to install Tor and use as a browser in operating systems, however it will not be enough to use it as a browser only especially you want to use some other applications anonymously. For using other applications and command line tools anonymously, Tor SOCKS proxy needs to be installed. 

For installation, we need to add related software repositories, so we edit the sources.list file;

        # vim /etc/apt/sources.list

Then, we are adding the line below, to the bottom of the sources.list file. 

        deb http://deb.torproject.org/torproject.org wheezy main

We need to introduce the software repository’s key (gpg key) to the system;
# gpg –keyserver keys.gnupg.net –recv 886DDD89        # gpg –export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add –

Now, start Tor and check the service if it is running;
 # /etc/init.d/tor start        # service tor status

If the Tor service is running successfully, you need to see output as above. We need to enter one more command to start Tor service automatically after rebooting the machine. 
 # update-rc.d tor enable

After you enter this command, you can test it with rebooting the system. After reboot, check the status of the service;
 # service tor status

Now, this means we can use Tor for all applications that are supporting SOCKS proxy. For test, you can use Firefox. Change the proxy settings as localhost:9050 and check your IP address. Tor is using 9050 as default. 

Third Party Connections’ Security

Do you want your partners trust you directly? Well, do you trust your third party partners directly? When adversaries  are in, they always check different ways to reach more places. So, if one of your trusted third party connection got hacked, it means that there is just a short time they find your connection, and get inside if you did not make your connection secure.

Since 2018, we saw that attacks against third party connections increased. Most of them happened because of the small organizations that are giving support in any subject to larger organizations. Because of these small organizations’ low security budget, it is very difficult to secure the network and PCs for them. Most of these organizations do not have a domain structure, security devices for networks and even endpoint protection tools. What I saw while I am working with them that these type of organizations’ users are local admin in their laptops, and only using an antivirus agent to secure the rarely patched laptop. These laptops are being used to connect to other organizations, and sometimes to keep some sensitive data about of these organizations. They are very close to get hacked, but you must not get this risk while working with them.

Third Party Connection Management in Organizations

Especially in large organizations, since policies not working properly; and maybe since there is no any policy for third party connections, circulation of staff and sudden and fast developing projets, teams can create third party connections how it is easy at that time for them. This creates an unmanaged third party connections structure and so, it becomes worse day by day.

I remember we spent at least four months to fix the third party connections in a large organization. Dozens of leased lines reaching directly to different networks inside, hundereds of S2S VPNs established years ego, has certificates with low key sizes, and etc. Lack of a basic policy like third party connections policy causes a huge waste of time and effort to fix it.

What to Do?

Whoever you are connecting, or connecting to you, you should minimize threats. Because, all organizations are the target for hackers and they all can be hacked. You should not trust anybody else about security. You should understand what security controls they apply in the organization. If they have some weaknesses to determine the attacks made to themselves, it will put you at risk.

Create a 3rd party DMZ network. This is important because these 3rd party PCs should not connect to your network directly from any zone in your firewall. These PCs are something you cannot trust directly. So, at least, a 3rd party DMZ should be created to connect and control these type of connections. If there is no any 3rd party zone and policy, in a long period of time, with some of the activities explained at the beginning, you can see many different 3rd party organizations are connecting to your network from many different zones. And it will be something unmanagable day by day. For the beginning, I suggest to create a different zone for leased line connections to the internet facing firewall, and control these connections policies there. Also, a different firewall should be implemented for S2S VPN connections. It is important to receive these connections in a different firewall and control their connections.

You should use a vendor management program. It helps you to reduce the risk, by collecting more and more information about your third party connection and should be sure they comply with standards and regulations.

You should know what security controls, endpoint security (antivirus, EDR, encryption, etc.) and data leakage prevention methods do your third party connection imply to its users. Mostly, if you do not give a laptop to users that will connect to your network, third party organiztions’ staff uses their own or that company’s PCs. That means, these computer will be connected to your network most of the time, and these PCs will contain your some sensitive information. So, it is important to know whether they are protecting these PCs while working with you.

Screen recording is also a very useful tool. It is impossible to watch directly every consultant’s actions on your network. Most of the time they work on your test servers on test zones, and unfortunately, sometimes they can work directly on production zone or can reach to production zone because of the lack of controls. A screen recording tool will be an important deterrent action for you.

MFA is must. Multi-factor authentication should be used to connect your network. Mostly I suggest time based MFA tools to use. Any time a security incident occurs in 3rd party’s network, MFA will be important to secure you.