"Criminal hackers have been known to hack each other, but is that what is happening here?"
After years of researching computer security and cybercrime I think this is most likely the case with this one.
"KrebsOnSecurity reports that the intruder subsequently dumped the stolen data on the dark web."
If law enforcement people were after them, they wouldn't do this; they would simply seize the website and put a notification on the website's front page, so it seems like a rival group hacked them, or simply whitehat hackers.
Some of these cybercrime forums have been running for more than a decade, so no wonder they have attention and problems from the law and cyber criminals alike.
Brain drain, infosec edition. Pandemic struck, and suddenly relocation is all the rage. I know a few infosec guys moving from Russia to various places outside of reach of local law enforcement (and "law enforcement") agencies. Next steps are usually easy to guess - infosec guys are doing what they were doing before, but for new management, and with new targets (ex-allies) in sight.
Just a wild guess, of course.
The problem with infosec, even during good times, is that it's a low-paid job. I don't mean it's $10/h or something; however, taking into consideration what's at risk and usually the knowledge required, the majority get paid peanuts. No surprise more lucrative deals of a questionable sort pop up and attract the more talented ones.
I just love the arrogance of these fuckers. “No one but state level law enforcement could take us down!” What a crock of shit. More likely just an ex member with an axe to grind.
Yep, everyone always says they were the victim of a sophisticated hack by advanced state-sponsored level hackers, whereas maybe their password was <company name>123.
Yeah, today's hackers lack class. The Cyberpunk codebase hack would be pretty funny if someone awk'd the subtitle files to say "Can I haz cheeseburger?", but I guess today's crowd is more interested in editing HTML and CSS.
> spurring fears among criminals that their identities might be exposed
I imagine there is very little to gain from the leaked credentials. I mean we are talking about cyber-criminals, who always like to mess with their real IP with Tor or VPNs. And who would be stupid enough to use their legal name on a darkweb carding forum?
You'd be surprised, after 10+ years worth of accounts and online presence it's easy to trip up - reuse an account name from years earlier, use their real email to register for a domain, etc. Krebsonsecurity.com has a few articles where he tracks down an attacker's real identity - e.g. https://krebsonsecurity.com/2020/07/twitter-hacking-for-prof...
People have lost hundreds of thousands because they reused their forum logins on jabber... Lots (most?) of the people on these forums aren’t hackers, but banking experts moving tens of millions of stolen money around the world.
Everyone's excuse is "state actors" now and maybe they're right;
“Only intelligence services or people who know where the servers are located can pull off things like that,” mused one mainstay of Exploit. “Three forums in one month is just weird. I don’t think those were regular hackers. Someone is purposefully ruining forums.”
The thing with the state actor stuff is: once a state actor creates some tooling and methodologies, what could possibly prevent this from getting into private hands? (I mean, serious question.) States have huge computing power for cracking passwords or whatever, states have "patience", but still, computing power can be stolen (via botnets or however), any process can be automated, etc.
Is it just me, or has the number of large hacks on “things you’d expect to be at least somewhat secure” picked up since the pandemic started? It seems like every week now there’s a source-code leak for some high-profile project.
My own assumption so far is that credentials that were previously being passed along through (essentially) in-person key-exchange parties, have now been forced to be passed along over channels like email/Slack/etc., making the ability to spin “mail/chat server admin creds” into “general system-level elevated creds” a lot more frequent.
It wouldn't surprise me if the pandemic had an influence on some of these hacks. E.g. at our company there are some PCs still running Windows 7. For that reason they had no direct internet access, only to the internal network. But since about half the workforce, or at times more, had to work from home, and the licenses of our ERP software are bound to hardware, IT had to connect those PCs to the internet again, so the office workers could access them from home.
Of course the whole situation was less than ideal to begin with, but now it's even worse.
I think the pandemic has a role to play in this for sure. I imagine many were required to use computers/tech as they've not done before. Oftentimes those who are uneducated have to be accounted for, so concessions are made.
For example, Sam needs to use a corporate network, doesn't really understand "apps" or what a "TOTP" is, so they optimize (weaken security) to allow them in.
Sort of: since 2017 the number of CVEs has basically gone up a steady 8% per year [1], but the fact that you only noticed it this year also suggests that this alone is not why you noticed.
The more likely reason you're noticing is that thanks to covid, and the accelerated death of real news services, combined with the echo chamber effect where we're all reminding each other of how bad things are, you're getting more exposure to sensationalism, because that echoes the best. And hacks certainly qualify as sensational, especially on slow news days, where news services desperately need clicks, and "X got hacked" gets those (even if it's a report on a hack that isn't actually one, like when someone walked into a data container with tens of servers, one of which happened to be rented by a password manager).
The pandemic has nothing to do with the frequency of cyber security incidents, at least not on a large scale. Every time something global is happening, spammers jump on the bandwagon and try to lure people into opening their spam email and buying something or downloading attachments filled with malware.
This global situation is specific because a lot of people are working remotely, so they are easier to target and compromise than before.
In the last decade or so a lot of businesses moved their presence and other ops online, and lots of them practice poor cyber security; that's why you see a lot of hacks happening.
Speaking of big companies, they are always targets of state-sponsored attacks and industrial espionage.
Generally the only people I've seen transfer credentials securely are IT and software engineers. You can count on every other department to send passwords over plaintext channels.
>things you’d expect to be at least somewhat secure
I feel like with a lot of security or cyber-crime stuff there's a "physician who smokes" dynamic to it where the people who you expect to have great security actually often don't take a lot of precautions. How many hackers end up being exposed because of fairly trivial or random accidents is actually surprising.
Getting the SSH pubkeys of other developers is easy. Grab them from GitHub or from a shared server, or ask them once. Then use age/rage to asymmetrically encrypt the secret you want to share. No password has to travel in cleartext anywhere.
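As an added example, not from this commenter: before a public key pulled from GitHub goes into an age recipients file, it is worth confirming its SHA256 fingerprint with the owner out of band. This Python parses an OpenSSH ed25519 public key line, checks that the key type inside the wire-format blob matches the text prefix, and produces the fingerprint in the form `ssh-keygen -l` shows; the key line and its 32 key bytes are constructed, and no age invocation is shown.

```python
import base64
import hashlib
import struct

# Constructed sample: an OpenSSH ed25519 public key line as it would be
# fetched from https://github.com/<user>.keys (key material is made up).
SAMPLE_KEY_BYTES = bytes(range(32))
SAMPLE_BLOB = (struct.pack(">I", 11) + b"ssh-ed25519"
               + struct.pack(">I", 32) + SAMPLE_KEY_BYTES)
SAMPLE_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " alice@laptop"


def _read_string(buf, off):
    """Read one SSH wire-format string: uint32 big-endian length + bytes."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string")
    return buf[off:off + n], off + n


def parse_pubkey_line(line):
    """Parse 'type base64blob [comment]' into (type, raw_key, comment).

    The key type encoded inside the blob must match the text prefix, and an
    ed25519 key must carry exactly 32 bytes with nothing trailing."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not a public key line")
    ktype, blob = parts[0], base64.b64decode(parts[1], validate=True)
    comment = " ".join(parts[2:])
    inner_type, off = _read_string(blob, 0)
    if inner_type.decode() != ktype:
        raise ValueError("key type mismatch: %s vs %r" % (ktype, inner_type))
    if ktype == "ssh-ed25519":
        key, off = _read_string(blob, off)
        if len(key) != 32 or off != len(blob):
            raise ValueError("malformed ed25519 key")
        return ktype, key, comment
    raise ValueError("unsupported key type: " + ktype)


def fingerprint(line):
    """SHA256 fingerprint of the key blob, unpadded base64, as ssh-keygen -l prints."""
    blob = base64.b64decode(line.split()[1], validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


if __name__ == "__main__":
    ktype, key, comment = parse_pubkey_line(SAMPLE_LINE)
    print(ktype, comment, fingerprint(SAMPLE_LINE))
```

Compare the printed fingerprint with what the key's owner reads back from `ssh-keygen -lf` on their side; only a matching line belongs in the recipients file.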
And one in which many countries i.e. Russia, Israel, China, Saudi Arabia, North Korea did not want Biden to win and who have a record of state-sponsored hacking.
Solarwinds and the Microsoft compromises for example are clearly at a scale beyond your regular criminal hacker.
None of these hacks were related to the forum software. Maza and VF run ancient vb, but nobody has found vulns in that for ages. Exploit's frontend proxy was compromised by someone, most likely the hoster. The forum software doesn’t run on the frontend proxy.
VF was hacked with a MITM attack that intercepted admin credentials, you can check CT logs to verify this.
I'll bet money this is a private corporation that sells 0days taking out their competition.
State-sponsored entities and research groups don't take down forums, for the same reason you don't arrest all the low-level perps on the street. You need to watch them to trail them to the bigger crimes. And blackhats don't take out forums of other blackhats.
It would be out of character for a government agency to act like that.
Shutdown and a threatening message? Maybe. Dumping the data on darknet? I'm not even sure if they can legally do that. Besides, which agency wouldn't use that to gain even more possibly useful information?
What do the elders of HN recommend if you find a serious bug in a security company's system?
They don't have a security.txt or bug bounty. First time I've had to go through data I've obtained and email multiple times to get the thing patched. They were ass about it.
p.s. The company is affiliated with three-letter agencies and basically offers them device decryption.
Personally I would expect to see more of this than we have. After all, with crypto cash exploding in value it seems like there are assets to be seized. But the cynic in me suspects that it's really just an escalation of the worldwide cyber war that has been going on for years now and is getting more resources as it hits more sensitive spots.
I'm surprised there was no mention of Joker's Stash; it seems reasonable to me that after it shut down it left a power vacuum of sorts, with several actors looking for new places to ply their trade. Not to mention the real possibility that some "peepls" have an axe to grind because they got burned when J$ closed up shop.
The data that was harvested was leaked to other “dark web” locations. The gangster move to take out your hacker competitors is to “out” these hackers on something more social like a github dump or to pastebin.
A LOT of antisocial people seem to act badly, thinking no one is going to even look at what logs exist due to existing policy, let alone illegal sources of info that are used in parallel construction.
mrkramer | 5 years ago
bmsleight_ | 5 years ago
1cvmask | 5 years ago
https://news.ycombinator.com/item?id=26362141
YarickR2 | 5 years ago
cosmodisk | 5 years ago
goatinaboat | 5 years ago
mannykannot | 5 years ago
sunstone | 5 years ago
majkinetor | 5 years ago
hnick | 5 years ago
1f60c | 5 years ago
smoldesu | 5 years ago
cyberlab | 5 years ago
alksjdalkj | 5 years ago
ryanlol | 5 years ago
tgsovlerkhgsel | 5 years ago
joe_the_user | 5 years ago
derefr | 5 years ago
dEnigma | 5 years ago
aboringusername | 5 years ago
TheRealPomax | 5 years ago
The real wtf is what happened in 2017, though.
[1]: https://nvd.nist.gov/vuln/search/statistics?form_type=Basic&...
kilroy123 | 5 years ago
mrkramer | 5 years ago
cloudking | 5 years ago
lefstathiou | 5 years ago
Barrin92 | 5 years ago
the8472 | 5 years ago
threeseed | 5 years ago
unknown | 5 years ago
[deleted]
tyingq | 5 years ago
ryanlol | 5 years ago
wyxuan | 5 years ago
imwillofficial | 5 years ago
beny23 | 5 years ago
0xbadcafebee | 5 years ago
praptak | 5 years ago
libraryatnight | 5 years ago
cosmodisk | 5 years ago
juanani | 5 years ago
temp485850 | 5 years ago
osipov | 5 years ago
[deleted]
thrownaway69 | 5 years ago
ChuckMcM | 5 years ago
sigmaprimus | 5 years ago
gigatexal | 5 years ago
zelon88 | 5 years ago
ivrrimum | 5 years ago
[deleted]
killjoywashere | 5 years ago
Strongylodon | 5 years ago
https://www.npr.org/2021/03/04/973696073/a-former-police-chi...
marshmallow_12 | 5 years ago