A Single Click Caused the Massive Yahoo Data Breach

A single click was all it took to launch one of the biggest data breaches ever.

One mistaken click. That’s all it took for a criminal hacker working for two rogue Russian FSB officers to gain access to Yahoo’s network, and potentially to the email messages and private information of as many as 1.5 billion people. To be fair, most ransomware and data breaches start with a single click.

The FBI had been investigating the intrusion for two years, but it was only in late 2016 that the full scale of the hack became apparent. On Wednesday the U.S. Justice Department unsealed indictments against four people for the attack, two of whom are rogue Russian FSB officers in the very division that is supposed to cooperate with the FBI on cybercrime investigations. (The FSB is the successor of the KGB.)

Kremlin Intelligence Services Overlap With Russian Cybercrime Underworld

One of these two rogues, Dmitry Dokuchaev, was himself recently arrested on what the Moscow press calls “treason” charges for passing information to the CIA. In reality, Dokuchaev started out as a criminal hacker, moved to the FSB, and never stopped his old tricks. He was just one of many criminals working inside Russia’s intelligence bureaucracy, and for personal profit he sold information to intermediaries that ultimately found its way to the CIA.

The investigation exposed rivalries inside the Kremlin intelligence establishment as well as inside the Russian cybercrime underworld with which it overlaps. Dokuchaev was part of the Shaltai-Boltai, a hacker group that exploits stolen data to embarrass and blackmail Russian politicians and business officials.


The hack began with a spear phishing email sent in early 2014 to a Yahoo company employee. It’s unclear how many employees were targeted and how many emails were sent, but it only takes one person to click on a link, and it happened.

Unimaginable that Yahoo did not sufficiently step employees through new-school security awareness training to prevent disasters like this.

How did the hackers do it?


Once that click gave him a foothold, Aleksey Belan, a Latvian hacker hired by the Russian agents, started poking around the network. Belan had two main objectives: Yahoo’s user database (UDB) and the Account Management Tool (AMT), the internal application used to edit that database. Being the clever little fellow he is, it didn’t take him long to find both.

He then installed a backdoor on a Yahoo server that gave him remote access whenever he needed it. With that access in place, he stole a backup copy of Yahoo’s user database in December of that year and downloaded it to his own computer.

The database contained names, phone numbers, password challenge questions and answers and, crucially, password recovery email addresses and a cryptographic value (a per-account nonce) unique to each account.

It’s those last two items that did the real damage. The recovery addresses let the Russian agents, Dmitry Dokuchaev and Igor Sushchin, pick out the accounts of the people they were interested in and identify those victims’ mailboxes at other providers, which is what Karim Baratov was paid to break into. The per-account nonce was worse: combined with what Belan had learned about Yahoo’s internal tools, it let him forge valid login cookies for a chosen account (“cookie minting”) and read its mail without ever knowing or resetting the password.
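To make the cookie-minting point concrete, here is a small constructed model (added here, not Yahoo’s real cookie format, which is not public). It contrasts a design in which the login cookie is derived only from data stored in the user database, so a stolen copy of the database is enough to forge cookies, with one that keys the cookie under a server-side secret held outside the database, and shows how rotating the per-account nonce invalidates outstanding sessions after a breach. The user records, the `TTL`, and the cookie layout are all assumptions for the example.

```python
"""Toy model of per-account login-cookie minting.

Constructed example, not Yahoo's real cookie format (which is not public).
It shows why a per-account "cryptographic value" that lives in the user
database lets whoever copies the database mint valid login cookies, and how
keying the cookie with a secret held outside the database changes that.
"""
import copy
import hashlib
import hmac
import secrets
import time

TTL = 3600  # cookie lifetime in seconds (assumed value for the example)

# Constructed stand-in for the user database the intruders copied: each row
# carries the recovery e-mail and the per-account nonce the article describes.
USER_DB = {
    "alice": {"recovery_email": "alice@example.net", "nonce": secrets.token_hex(16)},
    "bob":   {"recovery_email": "bob@example.org",   "nonce": secrets.token_hex(16)},
}


def _now(now):
    return int(time.time() if now is None else now)


def _split(cookie):
    user, expires, tag = cookie.split("|")
    return user, int(expires), tag


# --- Weak design: the tag is derived only from data stored in the database ---

def _weak_tag(nonce, payload):
    return hashlib.sha256(f"{nonce}|{payload}".encode()).hexdigest()


def mint_cookie_weak(db, user, now=None):
    payload = f"{user}|{_now(now) + TTL}"
    return f"{payload}|{_weak_tag(db[user]['nonce'], payload)}"


def verify_cookie_weak(db, cookie, now=None):
    user, expires, tag = _split(cookie)
    if user not in db or expires < _now(now):
        return None
    ok = hmac.compare_digest(tag, _weak_tag(db[user]["nonce"], f"{user}|{expires}"))
    return user if ok else None


# --- Hardened design: HMAC under a server-side key that is never in the DB ---

def _strong_tag(server_key, nonce, payload):
    return hmac.new(server_key, f"{nonce}|{payload}".encode(), hashlib.sha256).hexdigest()


def mint_cookie_strong(db, server_key, user, now=None):
    payload = f"{user}|{_now(now) + TTL}"
    return f"{payload}|{_strong_tag(server_key, db[user]['nonce'], payload)}"


def verify_cookie_strong(db, server_key, cookie, now=None):
    user, expires, tag = _split(cookie)
    if user not in db or expires < _now(now):
        return None
    ok = hmac.compare_digest(tag, _strong_tag(server_key, db[user]["nonce"], f"{user}|{expires}"))
    return user if ok else None


def rotate_nonce(db, user):
    """Post-breach response: a fresh nonce invalidates every outstanding cookie."""
    db[user]["nonce"] = secrets.token_hex(16)


def demo(now=1_500_000_000):
    """Play the intruder: a copy of the database plus knowledge of the algorithm."""
    server_key = secrets.token_bytes(32)   # would live in a KMS/HSM, never in the DB
    stolen_db = copy.deepcopy(USER_DB)     # what walked out the door
    results = {}
    forged = mint_cookie_weak(stolen_db, "alice", now)
    results["weak_forgery_accepted"] = verify_cookie_weak(USER_DB, forged, now) == "alice"
    forged = mint_cookie_strong(stolen_db, b"", "alice", now)   # attacker lacks the key
    results["strong_forgery_accepted"] = verify_cookie_strong(USER_DB, server_key, forged, now) == "alice"
    legit = mint_cookie_strong(USER_DB, server_key, "alice", now)
    results["legit_accepted"] = verify_cookie_strong(USER_DB, server_key, legit, now) == "alice"
    results["expired_rejected"] = verify_cookie_strong(USER_DB, server_key, legit, now + TTL + 1) is None
    rotate_nonce(USER_DB, "alice")
    results["legit_after_rotation"] = verify_cookie_strong(USER_DB, server_key, legit, now) == "alice"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The lesson for anyone running a large identity store is the second design: whatever secret binds a session to an account must not be recoverable from a database dump alone, and the per-account value should be something you can rotate in bulk the day you learn the database is gone.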

Karim Baratov is shown in a photo from his Instagram account. Baratov, a Canadian man accused in a massive hack of Yahoo emails, posed an "extremely high flight risk" in part due to his alleged ties to Russian intelligence agents, law enforcement officials allege in documents filed with an Ontario court. (HO - Instagram/THE CANADIAN PRESS)


Read more here:

http://www.csoonline.com/article/3180762/data-breach/inside-the-russian-hack-of-yahoo-how-they-did-it.html

Petya MFT Ransomware Returns, Wrapped in Extra Nastiness

Kaspersky researchers discovered a new variant of last year’s Petya Master File Table (MFT) ransomware, with “new and improved” crypto and a new business model. Remember, MFT ransomware does not encrypt the files themselves; it encrypts the NTFS Master File Table, the index that records every file’s name, location and metadata, so the whole volume becomes unreadable at once. It’s a very effective way to lock a machine and demand ransom in a few seconds.

Kaspersky’s Ivanov and Sinitsyn called the new version “PetrWrap” (because it wraps Petya). PetrWrap uses the PsExec tool to install the ransomware on every workstation and server it can access.
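PsExec is an ordinary admin tool, so the useful signal is not that it ran but that one source pushed it to many hosts in minutes. The following detection sketch is an added example, not code from the Kaspersky write-up: it scans constructed Windows event records for the two artifacts PsExec leaves on a target (a Security event 5145 writing PSEXESVC.exe to the ADMIN$ share and a System event 7045 installing the PSEXESVC service) and alerts on fan-out from a single source. The JSON field names, sample hosts and addresses are assumptions for the example.

```python
"""Flag PsExec-style mass deployment in Windows event logs.

Constructed example, not code from the Kaspersky write-up. PsExec leaves two
artifacts on each target: a Security event 5145 showing PSEXESVC.exe written
to the ADMIN$ share, and a System event 7045 recording the PSEXESVC service
install. A single admin session produces them on one host; a worm-style
rollout produces them on many hosts from one source within minutes.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

PSEXEC_SERVICE = "PSEXESVC"

# Constructed sample records in a JSON-per-line shape similar to what a log
# forwarder emits; the field names are assumptions, not a vendor schema.
SAMPLE_EVENTS = [
    r'{"ts":"2017-03-14T09:00:02","host":"WS01","event_id":5145,"share_name":"\\\\*\\ADMIN$","relative_target":"PSEXESVC.exe","ip_address":"10.0.0.5"}',
    r'{"ts":"2017-03-14T09:00:03","host":"WS01","event_id":7045,"service_name":"PSEXESVC","image_path":"%SystemRoot%\\PSEXESVC.exe"}',
    r'{"ts":"2017-03-14T09:00:41","host":"WS02","event_id":5145,"share_name":"\\\\*\\ADMIN$","relative_target":"PSEXESVC.exe","ip_address":"10.0.0.5"}',
    r'{"ts":"2017-03-14T09:00:42","host":"WS02","event_id":7045,"service_name":"PSEXESVC","image_path":"%SystemRoot%\\PSEXESVC.exe"}',
    r'{"ts":"2017-03-14T09:01:15","host":"SRV01","event_id":5145,"share_name":"\\\\*\\ADMIN$","relative_target":"PSEXESVC.exe","ip_address":"10.0.0.5"}',
    r'{"ts":"2017-03-14T09:01:16","host":"SRV01","event_id":7045,"service_name":"PSEXESVC","image_path":"%SystemRoot%\\PSEXESVC.exe"}',
    # benign service install, should not match
    r'{"ts":"2017-03-14T09:05:00","host":"SRV02","event_id":7045,"service_name":"Spooler","image_path":"%SystemRoot%\\System32\\spoolsv.exe"}',
    # one admin using PsExec on a single host: an indicator, but no fan-out alert
    r'{"ts":"2017-03-14T11:30:00","host":"WS07","event_id":5145,"share_name":"\\\\*\\ADMIN$","relative_target":"PSEXESVC.exe","ip_address":"10.0.0.9"}',
    r'{"ts":"2017-03-14T11:30:01","host":"WS07","event_id":7045,"service_name":"PSEXESVC","image_path":"%SystemRoot%\\PSEXESVC.exe"}',
]


def parse_events(lines):
    """Decode JSON lines; timestamps become datetimes so windows can be computed."""
    events = []
    for line in lines:
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def psexec_indicators(events):
    """Per-host indicators: ADMIN$ drop of PSEXESVC.exe (5145) and service install (7045)."""
    hits = []
    for ev in events:
        eid = ev.get("event_id")
        if eid == 7045 and ev.get("service_name", "").upper() == PSEXEC_SERVICE:
            hits.append({"ts": ev["ts"], "host": ev["host"], "src": None, "kind": "service_install"})
        elif (eid == 5145
              and ev.get("share_name", "").upper().endswith("ADMIN$")
              and ev.get("relative_target", "").upper() == PSEXEC_SERVICE + ".EXE"):
            hits.append({"ts": ev["ts"], "host": ev["host"], "src": ev.get("ip_address"), "kind": "admin_share_drop"})
    return hits


def fanout_alerts(hits, min_hosts=3, window=timedelta(minutes=10)):
    """Alert when one source drops PsExec on at least min_hosts distinct hosts inside the window."""
    by_src = defaultdict(list)
    for h in hits:
        if h["src"]:
            by_src[h["src"]].append(h)
    alerts = []
    for src, drops in by_src.items():
        drops.sort(key=lambda h: h["ts"])
        for i, first in enumerate(drops):
            hosts = {h["host"] for h in drops[i:] if h["ts"] - first["ts"] <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"src": src, "hosts": sorted(hosts), "start": first["ts"].isoformat()})
                break
    return alerts


def run_detection(lines=SAMPLE_EVENTS):
    hits = psexec_indicators(parse_events(lines))
    return hits, fanout_alerts(hits)


if __name__ == "__main__":
    hits, alerts = run_detection()
    print(f"{len(hits)} PsExec indicators")
    for a in alerts:
        print(f"ALERT: {a['src']} pushed PsExec to {a['hosts']} starting {a['start']}")
```

PsExec’s -r switch renames the service, so the name check alone can be sidestepped; the more robust pairing is any executable written to ADMIN$ followed within seconds by a 7045 install on the same host, with the same fan-out logic applied on top.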

Instead of shipping the original Petya code, whose key generation was cracked last April, “the group behind PetrWrap created a special module that patches the original Petya ransomware ‘on the fly’,” the Kaspersky post states. The on-the-fly patching hides the fact that Petya is doing the actual infection, and PetrWrap substitutes its own crypto routines and key material for Petya’s.

Had the PetrWrap coders simply signed up to Petya’s ransomware-as-a-service model, decryption of their victims’ data would have depended on a private key held by the Petya authors; by swapping in their own keys, they cut the original authors out of the loop entirely.

Once a workstation or server is infected, the victim ends up with the file system’s master file table encrypted under a stronger scheme than the old Petya used. The PetrWrap coders reused Petya’s tried-and-true, debugged low-level bootloader, giving them “production-quality” criminal software and a high chance that each infection would succeed.

Scam of the Week: New FBI and IRS Alerts Against W-2 Phishing

Read more about this scam here:
https://blog.knowbe4.com/scam-of-the-week-new-fbi-and-irs-alerts-against-w-2-phishing
