Hacking Incident response Malware

Too many Websites hacked, ransom demanded

Today is a very sunny day, but cloudy online: the website of the Ukrainian Ministry of Energy has been hacked, as shown in figure 1 below.

Figure 1 showed this ransomware message at first, but the site has since been taken down and now displays only the default page of an Apache HTTP server on CentOS, as in figure 2 below, meaning the administrator took it offline.

Figure 2

As an investigator, I decided to run a secure search with the terms "ooops, your website have been encrypted" using DuckDuckGo as a search engine, and all the hacked sites were indexed, as shown in figure 3 below.

Figure 3

Too many websites are victims of this ransomware attack as of today. All those live websites display the same message, and this time the attackers even included music. A clock shows the time left to pay the ransom. The currency demanded is Bitcoin, which makes it much harder to identify who receives the money.

The only way to prevent this is to make sure that the vulnerabilities exploited in the web server software and its third-party applications have been patched, and to keep offline backups so that a defaced or encrypted site can be restored rather than ransomed.

Stay Secured.


Advanced Persistent Threat Hacking Malware

Bitcoin Phishing Ring CoinHoarder

Cisco's Talos Group has published its findings on a Bitcoin theft campaign it has been tracking in Ukraine. By purchasing Google AdWords, the attackers were able to target specific search terms such as "blockchain" or "bitcoin wallet". Potential victims searching for these terms would see the cybercriminals' links in the search results as a featured ad. Clicking on the fake ad sent the victim's browser to a landing page in their native language that attempted to harvest credentials. Except for the URL, these phishing pages looked very similar to the real site. Using results from DNS queries and WHOIS data, Talos was not only able to track where the victims resided (Nigeria, Ghana, Estonia and others), but was also able to identify other potentially malicious sites. While Talos was watching this campaign, it noticed the campaign evolving: the phishing pages began to look more like the real ones, and the attackers moved to HTTPS sites, using certificates issued by Cloudflare and Let's Encrypt. Another tactic observed was the use of internationalized domain names, referred to as homograph attacks: a character from another script (Cyrillic, for example) closely resembles a Latin letter, so a casual viewer can mistake the lookalike for the real URL.
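The homograph trick described above can be caught mechanically. The following is an added example, not code from the Talos report or from any product it names: it converts a hostname between the Unicode form a browser displays and the "xn--" form that goes over the wire, flags labels that mix scripts, and folds a small, constructed table of lookalike characters to a "skeleton" that is compared against a hypothetical list of protected brand domains (`PROTECTED`). The confusables table is deliberately partial; a real deployment would load the full Unicode confusables data.

```python
import unicodedata

# Constructed, deliberately small table of Cyrillic/Greek/other letters that
# render like Latin ones.  Production code would load the full Unicode
# confusables.txt; this subset is enough to show the technique.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04bb": "h", "\u03b1": "a", "\u03bf": "o", "\u03c1": "p", "\u0261": "g",
}

# Hypothetical allow-list of the brands a wallet user cares about.
PROTECTED = ("blockchain.info", "coinbase.com")


def to_ascii(hostname):
    """Unicode host -> ACE form (xn--...), the form that goes over the wire."""
    return hostname.lower().encode("idna").decode("ascii")


def to_unicode(hostname):
    """ACE form -> Unicode, the form the browser shows in the address bar."""
    return hostname.encode("ascii").decode("idna")


def scripts_in(label):
    """Unicode scripts used by the letters of one DNS label, e.g. {'LATIN', 'CYRILLIC'}."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            # unicodedata.name() starts with the script: "CYRILLIC SMALL LETTER A"
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def skeleton(label):
    """Fold confusable characters to their Latin lookalikes (a crude 'skeleton')."""
    folded = unicodedata.normalize("NFKC", label).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def analyze(hostname):
    """Classify a hostname (Unicode or xn-- form) as a possible homograph."""
    host = hostname.lower()
    if "xn--" in host:
        host = to_unicode(host)
    labels = host.split(".")
    mixed = any(len(scripts_in(label)) > 1 for label in labels)
    non_latin = any(s not in ("LATIN", "UNKNOWN")
                    for label in labels for s in scripts_in(label))
    skel = ".".join(skeleton(label) for label in labels)
    return {
        "display": host,
        "wire": to_ascii(host),
        "is_idn": host != to_ascii(host),
        "mixed_script": mixed,
        "non_latin": non_latin,
        "lookalike_of": skel if skel in PROTECTED and skel != host else None,
    }


if __name__ == "__main__":
    # Constructed samples: a Cyrillic-"a" lookalike of blockchain.info, its
    # wire form, and the genuine domain.
    fake = "blockch\u0430in.info"
    for h in (fake, to_ascii(fake), "blockchain.info"):
        print(analyze(h))
```

Mixed-script detection alone is not enough: a label written entirely in Cyrillic can still spell a Latin brand, which is why the skeleton comparison is the check that matters; the `non_latin` flag is there so a policy can also warn on any non-Latin label for a brand that only registers Latin names.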


Talos' indicators of compromise for the campaign: BTC_IOCs.pdf

Hacking Malware

5000 websites hacked to serve cryptomining malware

Five thousand websites in the US, UK and Australia have been hacked to serve cryptomining malware. Cryptomining malware hijacks your computer to do the calculations needed to mine a cryptocurrency such as Bitcoin, Monero or Ethereum: the crooks use your electricity and processing power and keep the coins for themselves. The infection came through a third-party site that serves JavaScript to your website to read the page aloud for blind visitors; government sites in particular use it to help visitors who struggle with written English. That server was hacked, and obfuscated JavaScript was added that downloads the mining code from another server and starts mining in every visitor's browser.

Closing the browser tab stops the mining on your machine, but that is not a fix: the script runs again on the next visit to any affected site. The real fix is on the site owner's side, by pinning each third-party script with Subresource Integrity so that the browser refuses to run a copy whose hash no longer matches.
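Subresource Integrity is the control that would have stopped the modified accessibility script from running. The block below is an added example and not code from the page or from any vendor it describes; the script bodies are constructed stand-ins, and the `cdn.example.invalid` URL is a placeholder. It computes the `integrity` value a site owner should publish and then mimics the browser's decision for the vendor copy and for a tampered copy, including two spec details that bite in practice: only the strongest hash family listed is compared, and unknown algorithms are ignored rather than rejected.

```python
import base64
import hashlib
import hmac

# Constructed stand-ins for the third-party script as shipped by its vendor...
GOOD_SCRIPT = b"(function(){window.readAloud=function(text){/* speak text */};})();\n"
# ...and the same file after an attacker appended an obfuscated miner loader.
TAMPERED_SCRIPT = GOOD_SCRIPT + b"new Function(unescape('%76%61%72%20%6d'))();\n"

# Hash families SRI allows, ordered by strength; browsers compare only the
# strongest family present in the integrity attribute.
ALGO_STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_hash(body, algo="sha384"):
    """'sha384-<base64 digest>' for a script body (what goes in integrity=)."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src, body):
    """The tag a site owner should publish for a third-party script."""
    return (f'<script src="{src}" integrity="{sri_hash(body)}" '
            'crossorigin="anonymous"></script>')


def browser_check(integrity, served_body):
    """Mimic the browser's SRI decision: True = execute, False = refuse."""
    tokens = []
    for token in integrity.split():
        algo = token.partition("-")[0]
        if algo in ALGO_STRENGTH:      # unknown algorithms are silently ignored
            tokens.append((ALGO_STRENGTH[algo], algo, token.split("?")[0]))
    if not tokens:
        return True                    # no usable metadata: loads unconditionally
    strongest = max(t[0] for t in tokens)
    return any(hmac.compare_digest(sri_hash(served_body, algo), token)
               for strength, algo, token in tokens if strength == strongest)


if __name__ == "__main__":
    tag = script_tag("https://cdn.example.invalid/readaloud.js", GOOD_SCRIPT)
    print(tag)
    pinned = sri_hash(GOOD_SCRIPT)
    print("vendor copy loads:", browser_check(pinned, GOOD_SCRIPT))
    print("tampered copy loads:", browser_check(pinned, TAMPERED_SCRIPT))
```

The trade-off is operational: every legitimate update of the third-party script changes its hash, so the tag must be regenerated from a copy you have reviewed, which is exactly the point. A vendor that cannot commit to stable releases should be self-hosted instead.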




Hacking Malware

Ordinypt, the ransomware targeting German human resources departments

Ordinypt is a new piece of ransomware spreading in Germany. It presents itself as ransomware but actually destroys data. It seems to target only people in Germany, because the email delivering it is written only in German. The email arrives as a job application and carries two attachments:

- a JPG image of the woman supposedly submitting the application,
- a ZIP file supposedly containing her cover letter and curriculum vitae.


The ZIP archive actually contains two EXE files made to look like PDFs so that the user does not realise they are executable. Double-clicking either launches the Ordinypt wiper. The malware does not encrypt files; it overwrites them with random data, so nothing can be recovered even if the ransom is paid.

In every folder where it destroys files it drops a ransom note named Wo_sind_meine_Dateien.html, which translates as where_are_my_files.


The only ways to prevent this are:

  • Ensure anti-virus software and its signature libraries are up to date
  • Ensure attachments do not carry hidden or double extensions (such as a .pdf.exe file shown as a PDF) before opening them
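The second bullet can be automated at the mail gateway or in a triage script. The following is an added example and not code from the page or from any product it mentions: it opens an attachment archive, reports name-level tricks (double extensions, right-to-left override characters, padding spaces) and, independently of the name, sniffs the leading bytes of each member so that an executable renamed to .pdf is still caught. The archive is constructed in memory to mimic the fake job application described above; the file names are invented, not the real sample's.

```python
import io
import zipfile

EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "lnk", "msi"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "jpg", "jpeg", "png", "txt", "rtf"}
MAGIC = {b"MZ": "pe-executable", b"%PDF": "pdf", b"\xff\xd8\xff": "jpeg",
         b"\x89PNG": "png", b"PK\x03\x04": "zip"}
EXPECTED_KIND = {"pdf": "pdf", "jpg": "jpeg", "jpeg": "jpeg", "png": "png", "zip": "zip"}
RLO = "\u202e"   # RIGHT-TO-LEFT OVERRIDE: makes "x\u202efdp.exe" display as "xexe.pdf"


def sniff(head):
    """Identify content by its leading bytes, ignoring the file name."""
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return "unknown"


def name_findings(filename):
    """Tricks visible in the name alone: double/hidden extensions, RLO, padding."""
    base = filename.rsplit("/", 1)[-1]
    exts = base.lower().split(".")[1:]
    findings = []
    if exts and exts[-1] in EXECUTABLE_EXTS:
        findings.append(f"real extension is .{exts[-1]}")
    if len(exts) > 1 and exts[-2] in DOCUMENT_EXTS:
        findings.append(f"double extension posing as .{exts[-2]}")
    if RLO in base:
        findings.append("right-to-left override hides the extension")
    if "  " in base:
        findings.append("padding spaces push the extension out of view")
    return findings


def triage(zip_bytes):
    """Inspect every member of an attachment archive and return verdicts."""
    report = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                kind = sniff(fh.read(8))
            findings = name_findings(info.filename)
            claimed = info.filename.lower().rsplit(".", 1)[-1]
            if kind == "pe-executable":
                findings.append("content starts with an MZ header (Windows executable)")
            elif claimed in EXPECTED_KIND and kind not in ("unknown", EXPECTED_KIND[claimed]):
                findings.append(f"content is {kind}, not the .{claimed} the name claims")
            report.append({"name": info.filename, "content": kind,
                           "findings": findings,
                           "verdict": "block" if findings else "allow"})
    return report


def build_sample():
    """Constructed archive mimicking a fake job application (not a real sample)."""
    pe_stub = b"MZ" + b"\x00" * 62 + b"PE\x00\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Lebenslauf.pdf.exe", pe_stub)               # double extension
        zf.writestr("Anschreiben" + RLO + "fdp.exe", pe_stub)   # shows as Anschreibenexe.pdf
        zf.writestr("Zeugnis.pdf", pe_stub)                     # right name, wrong content
        zf.writestr("Bewerbungsfoto.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)  # JPEG header
    return buf.getvalue()


if __name__ == "__main__":
    for entry in triage(build_sample()):
        print(entry["verdict"].upper(), repr(entry["name"]), entry["findings"])
```

The content sniff is what makes the check worth running: Windows hides known extensions by default, so a user sees "Lebenslauf.pdf" either way, and a name-only filter is defeated by simply renaming the executable. Any member whose bytes start with MZ is blocked regardless of what the name claims.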

CNET Hacked, Remote Servers accessed

CNET, one of the most popular technology review websites, has been hacked. A Twitter user going by the name Worm, with the handle @rev-priv8, posted a screenshot showing remote access to a CNET server. The exploit went through a vulnerability in the content management system, probably WordPress or Joomla. CNET is not saying much about the attack but claims that usernames and passwords were not accessed. According to Forbes, Worm has even sold a database at a price of one Bitcoin.

1 million users affected by hack

Hacking Malware

French manufacturer LaCie admits data breach

LaCie is a French manufacturer of hard drives. It was the victim of a security breach and has sent notifications to customers about the incident. The breach was detected by the FBI, which raised the alarm on March 19, 2014. Malware was used to gain access to customer transactions made between March 27, 2013 and March 10, 2014. Names, addresses, email addresses, payment card numbers and card expiration dates belonging to customers were accessed by the unauthorized party. LaCie urged everyone to change their password, believing that customers' usernames and passwords on LaCie's website could also have been accessed.

Hacking Malware

Ukraine, target of the Snake or Uroburos malware


A dangerous cyber weapon has infected many computers in Ukraine in 2014. It is spyware designed to steal sensitive secret information from high-value networks. Experts believe that this rootkit went undetected for more than three years. Given the complexity and the estimated high cost of this malware, the German security company G Data believes a state-sponsored actor is behind this attack, possibly linked to Russia, since the developers of the malicious program are Russian speakers.

Uroburos works autonomously and in peer-to-peer mode: infected computers that have no direct internet access collect documents and relay them to an infected peer that is connected to the internet, which exfiltrates them. It supports both 32-bit and 64-bit Windows.


Hackers targeted Finland for years


Finland has been the target of cyber espionage for years. The minister of foreign affairs, Erkki Tuomioja, has admitted: "I can confirm there has been a severe and large hacking in the ministry's data network." The intrusion was not discovered by the Finns themselves but by a foreign agency that reported it to CERT-FI. The malicious code used by the intruders is similar to the Red October malware source code. The malware was implanted in the Finnish Ministry of Foreign Affairs network for years during the spying campaign. The actor behind this crime is unknown, but the Finnish television channel MTV3 suspects Russia or China.


Avira Antivirus Site hacked…

The German software company is dealing with an intrusion. Its web page has been defaced by Palestinian hackers calling themselves KDMS, as seen in the picture below. The two messages left by the attackers are still up: the first reads "Long live Palestine" and the second "There is no full security". Let us see how Avira recovers; the page is still pwned.



Adobe Breach

Adobe has been hacked again, and customer information and source code have been stolen.

How did they get in? It appears that this time they used a vulnerability in ColdFusion as the attack vector to breach an Adobe site used for payment processing.

What can I do as a ColdFusion user? Patch.

Do I need to reset my password? No, Adobe is taking care of that; affected customers will get email notifications.