Security Weekly 16

Security Weekly 16: Well-Wishers Donate Money for Marcus Hutchins, 500 Thousand Pacemakers Recalled, 711 Million E-mails Found in a Spam Bot

The tragic but instructive story of the young British security specialist Marcus Hutchins, who was arrested in the US a month ago, has begun to slide into outright farce. It must be said that the States treated Marcus relatively gently: he was released on $30 thousand bail and awaits trial at liberty, with an ankle bracelet. His access to computers was not even restricted.

  • Meanwhile, many colleagues have spoken out in Hutchins' defense. After all, Marcus acquitted himself well in the WannaCry story, and posing as a Trojan author could also have been done for research purposes. So well-wishers organized a fundraiser for him; with money, a legal defense always proceeds somewhat more eagerly. The fundraiser was run by New York lawyer Tor Ekeland, who specializes in such cases. In a couple of weeks, friends and sympathizers raised as much as $150 thousand.

However, some of Marcus's friends turned out to be rather suspicious. The payment processor handling the transactions determined that only $4,900 of the donations were legitimate; the rest of the money came from stolen bank cards. Tor was upset by the news and announced that all honest donors would receive a refund.

  • Meanwhile, details of the evidence behind the charges in Marcus's main case have emerged. Besides samples of the Kronos banking Trojan, which he allegedly wrote, the investigation has 150 pages of Hutchins' Jabber chats with an unknown party, 350 pages from a forum, and interrogation records. Nothing has been heard so far about actual witnesses in the case. However the story ends, it will be another reminder not to talk too much on the Internet: an online chatterbox is a gift to the investigator.

FDA Recalls Half a Million Pacemakers Due to Vulnerabilities

There is an influential government agency in the USA, the FDA, the Food and Drug Administration: a formidable force when it comes to protecting citizens from harmful drugs and dangerous food. For about a year, the FDA investigated vulnerabilities in devices from the medical technology company St. Jude Medical and decided to recall the pacemaker models that stood out most: 465 thousand units in total.

  • But back to 2016, when this story was just beginning. MedSec published a description of the vulnerabilities in St. Jude Medical's equipment. The researchers explained their decision to “disclose the holes” like this: you cannot get these sluggards to patch the vulnerabilities, so the dirty laundry has to be aired in public. St. Jude responded with a lawsuit, accusing MedSec of self-serving lies. According to the plaintiff, the whole story was invented in order to short St. Jude's shares and profit from their fall when the news about the vulnerabilities was published.

MedSec replied that yes, they did short the shares, but only to recoup the costs of finding the vulnerabilities: the company is young, it has no customers and no money, so it gets by as best it can. Be that as it may, the stock exchange is one thing, but the vulnerabilities turned out to be real, and something had to be done. First, the FDA tried to persuade the device makers to “somehow fix” them. But in the end it took a radical decision: to recall the pacemakers. Straight from the chest.

In fact, physically removing the devices will not be necessary. Patients will have to visit a cardiologist, under whose supervision the pacemaker's firmware will be updated. The procedure is not risk-free: as with a firmware update of any other device, there is always a risk of “bricking” it, which in this case could be fatal. And yet it has to be done, given how dangerous the vulnerabilities are:

  1. CVE-2017-12712 allows a pacemaker to be controlled over a wireless channel without authentication;
  2. CVE-2017-12714, when used “properly”, can quickly drain the device's battery;
  3. CVE-2017-12716 can be used to leak monitoring data.

It is not known for certain whether hackers took an interest in these holes over the past year, but not long ago Reuters reported that two people in Europe died due to premature depletion of the batteries in St. Jude pacemakers.

40 GB of Stolen Credentials Extracted from a Botnet

Many Trojans are created solely to steal various valuable data from people, for example logins and passwords. And if that fails, even a plain e-mail address will do: it can be sold to spammers. That does not sound very scary, but the scale of such data harvesting is truly horrifying.

  • The Onliner botnet, which researchers learned about in 2016, specializes in sending spam, including malware such as the Ursnif banking Trojan. To operate, Onliner needs other people's e-mail credentials so that it can send its spam on behalf of legitimate users; that way it gets through spam filters much more easily.

Benkow from Benkowlab got into the Onliner command-and-control server and found a massive trove of data there, genuine big data: 40 GB of files with e-mail addresses, e-mail logins and passwords, SMTP server configurations and so on. He then contacted Troy Hunt, who runs the well-known Have I Been Pwned project and who dug through the find properly.

As a result, 711 million records were added to the Have I Been Pwned database. That is a staggering figure, as if the entire population of Europe, children included, had been hacked. In reality, of course, there are fewer victims, and not all of the e-mail addresses come with credentials, but the find is still, to put it mildly, unpleasant. You can check yourself against this database on HIBP.