Reportedly, over a million accounts on the Supercell community forum have been compromised after a data breach occurred in 2016.

Supercell, the company behind the well-known “Clash of Clans” mobile game, admitted that accounts on the Supercell community forum have been hacked. Supercell is also the creator of popular games such as Hay Day, Clash Royale, and Boom Beach.

According to an official statement issued by the company, hackers compromised more than 1 million accounts in a data breach that occurred in September 2016.

LeakBase confirmed that the number of affected user accounts is 1 million.

Supercell said in an official statement that the breach happened in September 2016 and that the site’s forums were affected. According to the company, hackers exploited a vulnerability in the vBulletin forum software used by Supercell for its forums.

The company confirmed that game accounts weren’t affected by the data breach.

“As we’ve said before, to provide our forum service we use software from We’re currently looking into report that a vulnerability allowed third-party hackers to gain illegal access to some forum user information, including a number of emails and encrypted passwords.” reads the official statement from the company. “Our preliminary investigation suggests that the breach happened in September 2016 and it has since been fixed. ” 


Supercell urges users to change the password they are using on the affected forum as soon as possible.

Users can reset their password here:

As usual, I suggest that users also change the password on any other web service where they use the same login credentials. As a general guideline, the same credentials should not be reused across multiple sites.

“We take any such breaches very seriously and we follow very strict policies when it comes to security. Please note that this breach only affects our Forum service. Game accounts have not been affected.” the company added.


Pierluigi Paganini

(Security Affairs – Clash of Clans, Data breach)

The post Supercell, Clash of Clans authors, hacked. 1 Million accounts compromised appeared first on Security Affairs.

Source: securityaffairs

The popular investigator Brian Krebs published the details of his investigation on the identity of the Mirai author Anna-Senpai.

In recent months the Mirai bot has monopolized the attention of the media: it was used to power the massive DDoS attack against the Dyn DNS service that caused an extended Internet outage.

A large portion of Internet users was not able to reach major web services; many websites, including Twitter, GitHub, PayPal, Amazon, Reddit, Netflix, and Spotify, were down for users in the US.

The same IoT botnet was used to launch a massive Distributed Denial of Service (DDoS) attack against the website of the popular cyber security investigator Brian Krebs, who decided to investigate the author of the dangerous malware.

In October a hacker released the source code of the Mirai malware; a reference to the malicious code was spotted by Brian Krebs on the popular criminal hacking forum Hackforums. The Hackforums user with the moniker “Anna-senpai” shared the link to the source code of the malware “Mirai.”

“The leak of the source code was announced Friday on the English-language hacking community Hackforums. The malware, dubbed ‘Mirai’ spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords.” reported Krebs.


The Mirai malware was specifically designed to infect Internet of Things (IoT) devices that still use their factory default credentials, a circumstance that is quite common in the wild.

Brian Krebs believes he has discovered the real identity of the mysterious Anna-senpai: Paras Jha, the owner of the distributed denial-of-service (DDoS) attack mitigation company ProTraf Solutions.

“After months of gathering information about the apparent authors of Mirai, I heard from Ammar Zuberi, once a co-worker of ProTraf President Paras Jha.

Zuberi told KrebsOnSecurity that Jha admitted he was responsible for both Mirai and the Rutgers DDoS attacks. Zuberi said when he visited Jha at his Rutgers University dorm in October 2015, Paras bragged to him about launching the DDoS attacks against Rutgers.” wrote Krebs.

“He was laughing and bragging about how he was going to get a security guy at the school fired, and how they raised school fees because of him,” Zuberi recalled. “He didn’t really say why he did it, but I think he was just sort of experimenting with how far he could go with these attacks.”

The man allegedly created the Mirai botnet and spread it to recruit the largest possible number of IoT devices.

Krebs reported that in 2014 an earlier variant of the Mirai botnet was used to launch DDoS attacks against Minecraft servers, which can generate up to US$50,000 a month.

Krebs discovered that Jha, along with other players, developed the Mirai bot and used it to power attacks against Minecraft servers in order to lure disgruntled customers. The providers that ignored Jha’s requests were hit by massive DDoS attacks.

Krebs explained that Jha contacted upstream providers to request the shutdown of rival IoT firms, and then developed the Mirai bot to attack rival Qbot botnets.

Krebs cited a webinar presented on December 16 by the experts at the firm Digital Shadows that exposed the findings of their investigation into the Mirai author’s real-life identity. According to Digital Shadows, the person behind the Anna-Senpai moniker also used the nickname “Ogmemes123123” and the email address He also discovered that the Mirai author has used another nickname, “OG_Richard_Stallman,” a clear reference to the founder of the Free Software Foundation. The account was also used to register a Facebook account in the name of OG_Richard Stallman.

That Facebook account reports that OG_Richard_Stallman began studying computer engineering at New Brunswick, NJ-based Rutgers University in 2015, the same university attended by Paras Jha. Rutgers University has suffered a series of DDoS attacks on its systems since 2015, and the attacker suggested the school purchase a DDoS mitigation service.

Krebs also highlighted that the skills listed on Jha’s LinkedIn page are the same as those listed by the Mirai author Anna-senpai on HackForums.

Krebs’s analysis is very intriguing and full of details … enjoy it!


Pierluigi Paganini

(Security Affairs – Anna-senpai, Mirai Author)

The post Which is the real identity of the Mirai Author Anna-Senpai? appeared first on Security Affairs.

Source: securityaffairs

The independent malware researcher @Xylit0l discovered the Satan ransomware, a malware belonging to the Gen:Trojan.Heur2.FU family.

Yesterday the independent malware researcher @Xylit0l discovered the Satan ransomware, a malware belonging to the Gen:Trojan.Heur2.FU family. Satan is provided as a RaaS (Ransomware-as-a-Service).

The Satan ransomware uses RSA-2048 and AES-256 cryptography and appends the “.stn” extension to the names of encrypted files.


“As mentioned above, Satan’s developers provide a service allowing prospective cyber criminals to make money by distributing this ransomware. In exchange, developers receive 30% of revenues generated by users.” reads the analysis published on

“The Satan platform has a user-friendly interface, it is really simple to use to create your own ransomware. Users just need to have a Bitcoin wallet to use for ransom payment. Wannabe criminals must specify the ransom amount in Bitcoin and furthermore they can decide to increase the amount of money to pay after a specific deadline.”

“Now, the most important part: the bitcoin paid by the victim will be credited to your account. We will keep a 30% fee of the income, so, if you specified a 1 BTC ransom, you will get 0.7 BTC and we will get 0.3 BTC. The fee will become lower depending on the number of infections and payments you have.” reads the advertisement for the Satan platform.

The Satan platform implements multiple services, including a dropper builder that is able to obfuscate malware code to avoid detection by virus scanners.


The RaaS solution also allows users to choose a language other than English or Portuguese. The platform also allows crooks to update their ransomware.


While encrypting, Satan changes the file extension to .stn; for example, myfile.txt becomes myfile.txt.stn.

Once it has encrypted the files, Satan creates an HTML file (HELP_DECRYPT_FILES.html) on the desktop containing the ransom note and the payment instructions.

Crooks encourage victims to pay the ransom to receive the private key needed to decrypt their files. But never pay any ransom or attempt to contact these cyber criminals, because there is no guarantee that your files will be decrypted!

Satan uses several evasion and anti-debugging techniques; for example, it doesn’t run on a virtual machine, making it difficult to analyze.

In a couple of days, the crooks have already released two versions of the Satan platform.

Written by: @GranetMan

Granet is a young and junior IT Security Researcher; he is passionate about Linux, Arduino, Digital Forensics, Cyber Security, Free software and Malware Analysis.




Pierluigi Paganini

(Security Affairs – Satan ransomware, RaaS)

The post Satan, the ransomware-as-a-service surfaced in the dark web appeared first on Security Affairs.

Source: securityaffairs

Researchers at Malwarebytes have discovered the first Mac malware of 2017, dubbed Quimitchin, that was used against biomedical research institutions.

Security experts have spotted the first Mac malware of 2017, dubbed Quimitchin; it is not considered particularly sophisticated and includes some antiquated code.

According to the researchers from Malwarebytes, the code has been in the wild for several years and was used in targeted attacks against biomedical research institutions.

The Quimitchin spyware was discovered by an IT admin who noticed anomalous traffic from a certain Mac on his network.

The malicious code is composed of only two files:

  • A .plist file that simply keeps the .client running at all times.
  • A .client file containing the malicious payload, a minified and obfuscated Perl script.

The main features implemented by the payload are screen capture and webcam access.

“The script also includes some code for taking screen captures via shell commands. Interestingly, it has code to do this both using the Mac “screencapture” command and the Linux “xwd” command. It also has code to get the system’s uptime, using the Mac “uptime” command or the Linux “cat /proc/uptime” command.” reads the analysis published by MalwareBytes.
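A defender-side triage check, added here as an example and not part of the Malwarebytes analysis: it parses a constructed LaunchAgent plist of the kind described above (one whose only job is to keep a hidden .client program running) and scores the referenced script for the Mac and Linux commands the quote lists. The plist label, the path and the sample script body are assumptions.

```python
import plistlib
import re

# Constructed sample LaunchAgent plist modelled on the description above
# (a .plist whose only job is to keep the .client program running).
# The label and the path are assumptions, not values from the analysis.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.client</string>
  <key>ProgramArguments</key>
  <array><string>/Users/victim/.client</string></array>
  <key>KeepAlive</key><true/>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

# Constructed stand-in for the minified Perl payload; only the indicators matter.
SAMPLE_SCRIPT = (
    "#!/usr/bin/perl\n"
    "$c=`screencapture -x /tmp/s.jpg`;$x=`xwd -root -silent`;"
    "$u=`uptime`;$l=`cat /proc/uptime`;"
)

# Indicator patterns taken from the quoted analysis: the Mac and Linux
# variants of the same screen-capture and uptime capabilities.
INDICATORS = [
    (r"\bscreencapture\b", "mac screen capture"),
    (r"\bxwd\b", "linux screen capture"),
    (r"(?<!/proc/)\buptime\b", "mac uptime"),
    (r"/proc/uptime", "linux uptime"),
]

def inspect_launch_agent(plist_bytes):
    """Return (program_path, reasons) for one LaunchAgent plist.

    The entry is worth a look when it keeps its program alive and that
    program is a hidden dotfile inside a user's home directory.
    """
    data = plistlib.loads(plist_bytes)
    args = data.get("ProgramArguments") or []
    program = args[0] if args else data.get("Program", "")
    reasons = []
    if data.get("KeepAlive"):
        reasons.append("KeepAlive keeps the program running at all times")
    if data.get("RunAtLoad"):
        reasons.append("RunAtLoad starts it at login")
    if re.search(r"^/Users/[^/]+/\.[^/]+$", program):
        reasons.append("program is a hidden dotfile in a home directory")
    return program, reasons

def score_script(text):
    """Return the sorted indicator labels found in a script body."""
    found = [label for pattern, label in INDICATORS if re.search(pattern, text)]
    first_line = text.splitlines()[0] if text else ""
    if first_line.startswith("#!") and "perl" in first_line:
        found.append("perl payload")
    return sorted(found)

def triage(plist_bytes, script_text):
    """Combine both checks; suspicious when persistence looks wrong and the
    kept-alive script carries both a screen-capture and an uptime indicator."""
    program, reasons = inspect_launch_agent(plist_bytes)
    hits = score_script(script_text)
    has_capture = any("screen capture" in h for h in hits)
    has_uptime = any("uptime" in h for h in hits)
    return {
        "program": program,
        "reasons": reasons,
        "hits": hits,
        "suspicious": len(reasons) >= 2 and has_capture and has_uptime,
    }

if __name__ == "__main__":
    print(triage(SAMPLE_PLIST, SAMPLE_SCRIPT))
```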

The ability of the malware to exfiltrate data from anything it can access, and the nature of the targets, biomedical facilities, suggest that threat actors behind the attacks were conducting a cyber espionage campaign.


Quimitchin uses antique system calls, and the analysis of its code revealed the use of the open source libjpeg code, which was last updated in 1998.

“These are some truly ancient functions, as far as the tech world is concerned, dating back to pre-OS X days. In addition, the binary also includes the open source libjpeg code, which was last updated in 1998.” continues the analysis.

“The Java class appears to be capable of receiving commands to do various tasks, which include yet another method of capturing the screen, getting the screen size and mouse cursor position, changing the mouse position, simulating mouse clicks, and simulating key presses. This component appears to be intended to provide a kind of rudimentary remote control functionality.”

Experts from Malwarebytes suspect that there is also a specific Linux variant in the wild because they have found Linux shell commands in the code of the scripts.

The security firm also found two Windows executable files that communicated with the same C&C server; in one case the Windows code used the same libjpeg library.

Although Quimitchin is not complex, it has kept working while avoiding detection, much like the EyePyramid code.

Why wasn’t code like Quimitchin detected for such a long time?

Experts believe it was used in a limited number of targeted attacks, so it was not spotted before.


Pierluigi Paganini

(Security Affairs – Quimitchin spyware, cyber espionage)

The post Quimitchin, a Mac backdoor that includes antiquated code appeared first on Security Affairs.

Source: securityaffairs

A new ransomware campaign has targeted the not-for-profit cancer services organisation “Little Red Door” requesting a US$44,000 ransom.

A new ransomware campaign has targeted a not-for-profit cancer services organisation, the Little Red Door. The organization provides a number of cancer support services, including diagnostics and treatment.

The system at the agency was infected by a ransomware last Wednesday, January 11, 2017, at around 10:00 PM.

According to the Associated Press, the ransomware infected its server and demanded a 50 bitcoin ransom (roughly US$44,000) to decrypt the files.


“A ransomware group has infected the computers of an Indiana-based cancer agency and have asked for a large payment of 50 Bitcoin ($44,800).” reported

“The victim is Cancer Services of East Central Indiana-Little Red Door, an organization that helps “reduce the financial and emotional burdens of those dealing with a cancer diagnosis.“”

The Little Red Door Executive director, Aimee Fant, confirmed that data of the organization was stored in unspecified cloud storage.

The singular aspect of this specific ransomware attack is the fact that the crooks demanded the ransom directly from the cancer agency’s staff via phone and email.

“First, they sent text messages to the agency’s Executive Director, President, and Vice President phones, and then they sent a standardized “form letter” via email. The emails contained detailed payment instructions, but also several threats.” added

According to the cancer agency’s Executive Director Aimee Fant, the group threatened to contact family members of living and deceased cancer clients, donors and community partners.

The organization, of course, will not pay the ransom because its money has to be used to provide the necessary services to cancer patients and their families.

“The agency will not raise money to pay the criminals’ ransom,” Fant said.

This is really a sad story: the organization has no choice but to replace the infected server and store the old one in the hope that a security firm or law enforcement will recover the decryption keys during their operations.

The agency plans to replace the server with a “secure cloud-based” platform and hopes to restore operations within the week.

The attack was reported by the organization to the FBI.


Pierluigi Paganini

(Security Affairs – ransomware, cybercrime)

The post US cancer agency targeted by a singular ransomware attack appeared first on Security Affairs.

Source: securityaffairs

The infamous Carbanak cybercrime gang is back and is leveraging Google services for command-and-control of its malicious codes.

The dreaded Carbanak cybercrime gang is back and is adopting a new tactic for its attacks, it is leveraging Google services for command-and-control of its malware.

The criminal organization is known as the Carbanak cybergang after the name of the malware it used to compromise computers at banks and other financial institutions; experts estimate that the hackers swiped over $1 billion from their victims.

The majority of the financial institutions hit by the gang are located in Russia, but many other attacks have been detected in other countries, including Japan, Europe, and the United States.


Figure 1 – Map of Infections, 2015 Attacks against financial Institutions (Kaspersky Lab)

The investigators discovered that the “Carbanak cybergang” hit more than 100 financial institutions in 30 countries; it has been active at least since 2013, and there are strong indications that it may still be ongoing.

Now researchers from Forcepoint Security Labs have spotted a new campaign conducted by the Carbanak gang that exploits Google’s Apps Script, Sheets, and Forms cloud-based services to control their malicious code.

The attack vector is a trojanized RTF document with an encoded Visual Basic script that is spread via email.

“Forcepoint Security Labs™ recently investigated a trojanized RTF document which we tied to the Carbanak criminal gang. The document contains an encoded Visual Basic Script (VBScript) typical of previous Carbanak malware. Recent samples of the malware have now included the ability to use Google services for command-and-control (C&C) communication. We have notified Google of the abuse and are working with them to share additional information.” reads the analysis published by Forcepoint.

“For each infected user a unique Google Sheets spreadsheet is dynamically created in order to manage each victim. The use of a legitimate third party service like this one gives the attacker the ability to hide in plain sight,” Forcepoint wrote in a blog post today.




The crooks use the “ggldr” script to send and receive commands to and from the Google Apps Script, Google Sheets, and Google Forms services.

The hackers create a unique Google Sheets spreadsheet for each infected user; in this way they attempt to avoid detection.

“The use of a legitimate third party service like this one gives the attacker the ability to hide in plain sight. It is unlikely that these hosted Google services are blocked by default in an organization, so it is more likely that the attacker will establish a C&C channel successfully.” states the report.

The following diagram describes the way the Carbanak cybercrime gang exploited the Google Services as C&C.


Once the victim’s machine is infected, the malware first attempts to contact the hard-coded Google Apps Script URL with the user’s unique infection ID. Because no spreadsheet exists yet for this victim, the malware then sends two requests to another hard-coded Google Forms URL, which results in the creation of a unique Google Sheets spreadsheet and Google Form ID for the victim.

The second time the malicious code requests the Google Apps Script, the C&C returns the unique Google Sheet and Google Form ID values.

“The “entry” value is also a unique ID which is sent with each subsequent Google Forms C&C request.” 
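A detection heuristic over constructed proxy log lines, added here as an example and not taken from the Forcepoint report: it looks, per client, for the registration sequence described above (an Apps Script request, at least two Google Forms submissions, then an Apps Script request again) inside a short time window. The log format, the URL paths, the placeholder IDs and the window length are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log lines (not taken from the Forcepoint report).
# Assumed format: "<ISO timestamp> <client ip> <method> <url>".
# The hostnames are Google's real ones; the path IDs are placeholders.
SAMPLE_LOG = """\
2017-01-17T10:00:01 10.0.0.5 GET https://script.google.com/macros/s/APPS_SCRIPT_ID/exec?id=7f3a9c1e
2017-01-17T10:00:02 10.0.0.5 POST https://docs.google.com/forms/d/e/FORM_ID/formResponse
2017-01-17T10:00:03 10.0.0.5 POST https://docs.google.com/forms/d/e/FORM_ID/formResponse
2017-01-17T10:00:05 10.0.0.5 GET https://script.google.com/macros/s/APPS_SCRIPT_ID/exec?id=7f3a9c1e
2017-01-17T10:01:00 10.0.0.5 POST https://docs.google.com/forms/d/e/FORM_ID/formResponse
2017-01-17T10:02:00 10.0.0.9 GET https://docs.google.com/spreadsheets/d/SHEET_ID/edit
2017-01-17T10:03:00 10.0.0.9 POST https://docs.google.com/forms/d/e/FORM_ID/formResponse
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+)$")
URL_RE = re.compile(r"^https?://([^/]+)(/[^?]*)(?:\?(.*))?$")
WINDOW = timedelta(minutes=10)  # how close together the registration steps must be

def classify(url):
    """Map a URL to ('script', query) or ('form', query); anything else is (None, None)."""
    m = URL_RE.match(url)
    if not m:
        return None, None
    host, path, query = m.groups()
    if host == "script.google.com" and path.startswith("/macros/"):
        return "script", query or ""
    if host == "docs.google.com" and path.startswith("/forms/"):
        return "form", query or ""
    return None, None

def parse_log(text):
    """Group the relevant requests per client as (time, kind, method, query) tuples."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, method, url = m.groups()
        kind, query = classify(url)
        if kind:
            events[client].append((datetime.fromisoformat(ts), kind, method, query))
    return events

def find_registrations(text, window=WINDOW):
    """Return [(client, start_time, first_query)] for every client whose requests
    follow the registration sequence: Apps Script, then at least two Forms POSTs,
    then Apps Script again, all inside the window. Legitimate Apps Script web
    apps can produce the same shape, so treat a hit as a lead, not a verdict."""
    hits = []
    for client, evs in parse_log(text).items():
        evs.sort()
        for i, (t0, kind, _method, query) in enumerate(evs):
            if kind != "script":
                continue
            forms = 0
            for t, k, m, _q in evs[i + 1:]:
                if t - t0 > window:
                    break
                if k == "form" and m == "POST":
                    forms += 1
                elif k == "script" and forms >= 2:
                    hits.append((client, t0, query))
                    break
    return hits

if __name__ == "__main__":
    for client, start, query in find_registrations(SAMPLE_LOG):
        print(f"{client}: registration sequence starting {start} ({query})")
```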

I suggest reading the report, which also includes the IoCs for this specific threat.


Pierluigi Paganini

(Security Affairs – bank hacking, Carbanak cybergang)

The post The Carbanak gang is with a new modus operandi, Google services as C&C appeared first on Security Affairs.

Source: securityaffairs

Malware researchers from the MalwareHunterTeam have discovered a new strain of ransomware dubbed Popcorn Time on the Dark Web.

Malware researchers from MalwareHunterTeam have spotted a new ransomware, dubbed Popcorn Time, that appears to be still under development.

The researchers at MalwareHunterTeam found the Popcorn Time ransomware code on the Dark Web.

This ransomware comes with a singular feature: it allows victims either to pay up or to opt to infect two others using a referral link. If the two other victims pay the ransom, the original target receives a free key to unlock his encrypted files.

“Time that intends to give victims a very unusual, and criminal, way of getting a free decryption key for their files. With Popcorn Time, not only can a victim pay a ransom to get their files back, but they can also try to infect two other people and have them pay the ransom in order to get a free key.” wrote Lawrence Abrams from

The researchers noticed that the ransom note offers two options, pay up the ransom or spread the infections.

“We are sorry to say that your computer and your files have been encrypted, but wait, don’t worry. There is a way you can restore your computer and all of your files… Send the link below to other people, if two or more people will install the file and pay, we will decrypt your files for free.” states the ransom note.


Lawrence explained that it is the first ransomware ever seen with this characteristic.

Abrams, who analyzed the code of the ransomware, said it is incomplete: some of the command and control servers are not working and many features still have to be developed.

The ransom note demands 1 bitcoin; victims have a limited number of attempts to enter a decryption key.

“To make matters worse, there is unfinished code in the ransomware that may indicate that if a user enters the wrong decryption key 4 times, the ransomware will start deleting files.” added Abrams.

The Popcorn Time ransomware is able to encrypt more than 500 file types using AES-256 encryption. The malware appends the .filock extension to the encrypted files.

The ransom note reveals that the Popcorn Time ransomware developers claim to be “a group of computer science students from Syria.”

Another interesting aspect of this ransomware is the content of the note, which promises that the ransomware proceeds will go to food, medicine, and shelter for the victims of the civil war in Syria.

“We are extremely sorry that we are forcing you to pay,” states the note.

More info on the threat are available on


Pierluigi Paganini

(Security Affairs – Popcorn Time ransomware, cybercrime)

The post Popcorn Time ransomware, pay up the ransom or spread it to decrypt the files appeared first on Security Affairs.

Source: securityaffairs

A Turkish hacker is advertising in the hacking underground a new DDoS platform, dubbed Surface Defense (translated to English).

According to the security firm Forcepoint, the hacker started promoting the DDoS platform in Turkey. He offers a tool known as Balyoz, the Turkish word for Sledgehammer, that can be used by participants to launch powerful DDoS attacks against a select number of websites.

The hacker rewards his customers with a point for every ten minutes they hit a website. These prizes include a more powerful DDoS attacking tool, access to bots designed to generate revenue from

The hacker is offering interesting prizes to the users of his Sledgehammer platform: they include a more powerful DDoS attacking tool, malicious code that can be used to scare victims with sounds and images, and access to a click-fraud botnet that could allow them to earn money.

The researchers discovered that the DDoS platform has been advertised on Turkish hacking forums, but Forcepoint has no idea how many participants have been recruited with this gamification of DDoS attacks.

The list of websites targeted by the tool is composed of 24 political websites that hold a specific position with regard to Turkey.

“Most, if not all, of the targets identified on the target list were chosen because of their political position with regards to Turkey. Kurdistan was prominent, with organizations such as the Kurdistan Workers Party (PKK) and its military wing the People’s Defense Force (HPG) being targeted. But the German Christian Democratic Party (CDU) was also among the targets, as was the Armenian Genocide archive run by the Armenian National Institute in Washington DC” continues the report.


Users can also suggest new websites to include in the list of targets, and the platform displays a live scoreboard for the participants in the attacks.

The author of the DDoS platform has implemented a series of rules to regulate the use of and access to Surface Defense; for example, participants can run the tool only on a single machine, a measure meant to ensure fairness during the competition.

But Forcepoint noticed that the DDoS attack tool given to the participants also contains a backdoor that will secretly install a Trojan on the computer.

The backdoor Forcepoint found in the software run by participants in the DDoS platform is triggered if a participant has been banned from the competition.

“When we began to reverse engineer the software, taking it apart in order to analyze what it did, we discovered a backdoor. Whoever wrote this software gave themselves the opportunity to compromise the computers of those participating in the “game”.” continues the report. “What we know about the author is that they have already produced a number of “malicious” tools written in C#/.NET, which they describe on a YouTube channel. However, the evidence in the author’s videos combined with other data points collated during the investigation, led us to hypothesize that it is a realistic possibility this author may work for a Turkish defense contractor which supplies, amongst other things, signals intelligence (SIGINT) systems”

Who is the hacker behind the Surface Defense platform?

Experts believe he is a hacker using the online moniker “Mehmet,” based in the city of Eskisehir (Turkey).

Enjoy the Surface Defense!


Pierluigi Paganini

(Security Affairs – Surface Defense, DDoS platform)

The post Surface Defense DDoS platform – Gamification of attacks appeared first on Security Affairs.

Source: securityaffairs

Alleged Asian hackers have targeted the German heavy industry giant ThyssenKrupp to steal company secrets.

Hackers from Southeast Asia targeted the German heavy industry giant ThyssenKrupp in an attempt to obtain “technological know-how and research results.”

The news was announced on Thursday by a company spokesman, who confirmed a report in the Wirtschaftswoche weekly and added that the company has successfully repelled the attack.

The cyber attack was discovered by the IT security office, which spotted the hacking activities while they were ongoing and blocked them.

“The attack is over and had been repelled,” said the company spokesman.

The investigators speculate that the attack was carried out by a group of professional hackers from Southeast Asia interested in the technological know-how and research activities of the company.

At the time of writing there are no further details on the cyber attack, nor on the exact nature of the attackers (i.e. nation-state actors or cybercriminals).

The hackers launched a “massive cyber attack” against the divisions dealing with order planning for industrial plants, the conglomerate’s Industrial Solutions and Steel Europe business divisions.

Critical IT systems at ThyssenKrupp, such as the Marine Systems business unit and the blast furnaces and power plants in Duisburg, were not affected.

ThyssenKrupp Marine Systems would be a privileged target for hackers because it is the division that builds warships, including submarines for the German and Israeli navies.

The company excluded any sabotage or manipulation of data or applications, but it was unable to estimate if a limited portion of data, “data fragments,” had been stolen by the hackers.

“Experts say that in the complex IT landscapes of large companies, it is currently virtually impossible to provide viable protection against organized, highly professional hacking attacks,” the company added.

Stay tuned.


Pierluigi Paganini

(Security Affairs – ThyssenKrupp, hacking)

The post Hackers targeted the heavy industry ThyssenKrupp and stole industrial secrets appeared first on Security Affairs.

Source: securityaffairs

Kapustkiy, one of the most prolific hackers at the moment, announced a new data breach; the victim is the India Regional Council.

Last week I was contacted by a young hacker who breached Indian embassies across the world; he goes online with the moniker Kapustkiy.

Kapustkiy is a seventeen-year-old pentester who is targeting organizations and embassies across the world. Recently he breached the ‘Dipartimento della Funzione Pubblica’ office of the Italian Government and the Paraguay Embassy of Taiwan, and a few days ago he and his friend Kasimierz (@Kasimierz_) hacked the Indian Embassies in Switzerland, Mali, Romania, Italy, Malawi, and Libya.

He also targeted universities, including two subdomains of Virginia University and a subdomain of the University of Wisconsin, and another embassy, the Indian Embassy in New York.

The Indian authorities have issued a public statement to thank the young hacker for exposing the vulnerabilities in their websites.

“Thank you for your advice,” said Sanjay Kumar Verma, Joint Secretary, eGovernance and Information Technology. “We are fixing codes one by one. Your help in probing websites of various Indian embassies is a great help.”

This time the young hacker breached the database of the Eastern India Regional Council and leaked online a small portion of the archive, which holds 17,000 users. Kapustkiy leaked an Excel file containing more than 2,000 user records as proof of the breach.



The records in the database of Eastern India Regional Council contain many attributes, including membership numbers, usernames, passwords, email addresses, registration numbers.

Kapustkiy used web scanners to find several vulnerabilities in the target website and a simple SQL injection tool to exploit the flaw he discovered. The hacker tried to contact the organization, but they seem to be ignoring his emails.

Once again Kapustkiy is inviting website administrators to pay attention to the security of their infrastructure.


Pierluigi Paganini

(Security Affairs – Kapustkiy, India Regional Council)

The post Eastern India Regional Council hacked by Kapustkiy appeared first on Security Affairs.

Source: securityaffairs