For sale: 70k hacked government and corporate servers—for as little as $6 apiece

Newly revealed bazaar is a hacker’s dream and makes attacks cheaper and faster.

Underscoring the flourishing world of for-profit hacking, researchers have uncovered a thriving marketplace that sells access to more than 70,000 previously compromised servers, in some cases for as little as $6 apiece.

As of last month, the xDedic trading platform catalogued 70,624 servers, many belonging to government agencies or corporations from 173 countries, according to a report published Wednesday by researchers from antivirus provider Kaspersky Lab. That number was up from 55,000 servers in March, a sign that the marketplace operators carefully maintain and update the listed inventory.

"From government networks to corporations, from Web servers to databases, xDedic provides a marketplace for buyers to find anything," Kaspersky researchers wrote in a separate blog post. "And the best thing about it—it's cheap! Purchasing access to a server located in a European Union country government network can cost as little as $6." The post continued:


Critical Adobe Flash bug under active attack currently has no patch

Exploit works against the most recent version; Adobe plans update later this week.


Attackers are exploiting a critical vulnerability in Adobe's widely used Flash Player, and Adobe says it won't have a patch ready until later this week.

The active zero-day exploit works against the most recent Flash version 21.0.0.242 and was detected earlier this month by researchers from antivirus provider Kaspersky Lab, according to a blog post published Tuesday by Costin Raiu, the director of the company's global research and analysis team. It's being carried out by "ScarCruft," the name Kaspersky has given to a relatively new hacking group engaged in "advanced persistent threat" campaigns that target companies and organizations for high-value information and data. Raiu wrote:

ScarCruft is a relatively new APT group; victims have been observed in several countries, including Russia, Nepal, South Korea, China, India, Kuwait and Romania. The group has several ongoing operations utilizing multiple exploits—two for Adobe Flash and one for Microsoft Internet Explorer.

Currently, the group is engaged in two major operations: Operation Daybreak and Operation Erebus. The first of them, Operation Daybreak, appears to have been launched by ScarCruft in March 2016 and employs a previously unknown (0-day) Adobe Flash Player exploit, focusing on high profile victims. The other one, “Operation Erebus,” employs an older exploit, for CVE-2016-4117, and leverages watering holes. It is also possible that the group deployed another zero-day exploit, CVE-2016-0147, which was patched in April.

We will publish more details about the attack once Adobe patches the vulnerability, which should be on June 16. Until then, we confirm that Microsoft EMET is effective at mitigating the attacks. Additionally, our products detect and block the exploit, as well as the malware used by the ScarCruft APT threat actor.

The currently unfixed vulnerability is indexed as CVE-2016-4171. Adobe's bare-bones advisory is here.


Hackers invade Dems’ servers, steal entire Trump opposition file

Intrusion was so thorough it exposed almost a year’s worth of e-mail and chats.


A hack on the Democratic National Committee has given attackers access to a massive trove of data, including all opposition research into presidential candidate Donald Trump and almost a year's worth of private e-mail and chat messages, according to a published report.

In an article published Wednesday, The Washington Post reported that researchers with CrowdStrike, the security firm DNC officials hired to investigate and contain the breach, determined the intrusions were carried out by two separate hacker groups that both worked for the Russian government. One, dubbed Cozy Bear, gained access last summer and has been monitoring committee members' e-mail and chat communications. The other is known as Fancy Bear and is believed to have broken into the network in late April. It was the latter intrusion that obtained the entire database of Trump opposition research and later tipped off IT team members that the network may have been breached.

The DNC intrusion is just one of several targeting US political organizations, the WaPo said, with the networks of Trump, rival presidential candidate Hillary Clinton, and some Republican political action committees also being targeted by Russian spies. Details about those campaigns weren't available. The hackers who penetrated the DNC network were expelled last weekend. No financial or donor information appears to have been taken, leading analysts to suspect the attack was a case of traditional espionage and not the work of criminal hackers. According to Wednesday's report:


How a college student tricked 17k coders into running his sketchy script

Infecting military and government software engineers is easier than you may think.


A German university student has demonstrated an effective way to get code of his choosing to run on the computers of software developers, at least some of whom work for US governmental and military organizations.

The eye-opening (if ethically questionable) research was conducted by University of Hamburg student Nikolai Philipp Tschacher as part of his bachelor's thesis. Using a variation of a decade-old attack known as typosquatting, he uploaded his code to three popular developer package repositories and gave it names similar to those of widely used packages already submitted by other users. Over a span of several months, his imposter code was executed more than 45,000 times on more than 17,000 separate domains, and more than half the time his code was given all-powerful administrative rights. Two of the affected domains ended in .mil, an indication that people inside the US military had run his script.

"There were also 23 .gov domains from governmental institutions of the United States," Tschacher wrote in his thesis. "This number is highly alarming, because taking over hosts in US research laboratories and governmental institutions may have potentially disastrous consequences for them."
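The attack described above works because a package name one typo away from a popular one is accepted by the installer without question. As an added defender-side check, not code from the article or from Tschacher's thesis, the following Python script scans a requirements list and flags any name that is within a couple of edits of a well-known package without actually being that package. The list of "popular" packages, the sample requirements file and the distance threshold are constructed assumptions for the demonstration; the name normalization rule (case-fold, collapse runs of `-`, `_` and `.` to `-`) is the one PyPI itself applies.

```python
"""Flag dependency names that look like typos of well-known packages.

Added example, not from the article or the thesis it describes. The popular
package list, the sample requirements text and the distance threshold are
constructed for the demonstration.
"""
from __future__ import annotations

import re

# Constructed sample: a handful of widely used PyPI names to compare against.
# A real deployment would load the registry's top-N download list instead.
POPULAR_PACKAGES = {"requests", "urllib3", "numpy", "setuptools", "cryptography", "boto3"}


def normalize(name: str) -> str:
    """PEP 503 name normalization: lower-case and collapse -, _ and . runs to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insert, delete, substitute, or swap
    two adjacent characters, each costing 1.  Swaps matter because the
    commonest typo ('reqeusts' for 'requests') is a transposition."""
    prev2: list[int] | None = None
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # adjacent transposition
        prev2, prev = prev, cur
    return prev[len(b)]


def parse_requirements(text: str) -> list[str]:
    """Pull bare project names out of requirements.txt-style lines, ignoring
    comments, blank lines, option lines (-r, -e, ...) and version specifiers."""
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:
            names.append(m.group(0))
    return names


def find_lookalikes(names, known=POPULAR_PACKAGES, max_distance=2):
    """Return (requested_name, popular_name) pairs for every requested name
    that is NOT a known package but sits within max_distance edits of one.
    Exact matches after normalization are the genuine package and are skipped."""
    known_norm = {normalize(k) for k in known}
    hits = []
    for name in names:
        n = normalize(name)
        if n in known_norm:
            continue
        for k in sorted(known_norm):
            if edit_distance(n, k) <= max_distance:
                hits.append((name, k))
                break
    return hits


# Constructed sample requirements file mixing genuine and look-alike names.
SAMPLE_REQUIREMENTS = """\
# constructed sample, not a real project's dependency list
requests==2.31.0
reqeusts          # transposition of 'requests'
urlib3>=1.26      # dropped letter from 'urllib3'
numpy
setuptool         # dropped letter from 'setuptools'
Cryptography      # only case differs: normalizes to the real package
flask             # unrelated name, should not be flagged
"""

if __name__ == "__main__":
    for requested, real in find_lookalikes(parse_requirements(SAMPLE_REQUIREMENTS)):
        print(f"WARNING: '{requested}' is not on the allow-list but resembles '{real}'")
```

The threshold is the tuning knob: distance 2 catches most typos but will also flag unrelated short names, so in practice teams scale it with name length (distance 1 for names of six characters or fewer) and compare against a much longer popularity list than the six names used here. The same logic applies unchanged to npm or RubyGems names once the normalization rule is swapped for that registry's.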


Why it’s doubtful that 32 million Twitter passwords are really circulating online

It’s doubtful that all of them are usable against active Twitter accounts.


The jury is still out, but at this early stage, there's good reason to doubt the legitimacy of claims that more than 32 million Twitter passwords are circulating online.

The purported dump went live on Wednesday night on LeakedSource, a site that bills itself as a breach notification service. The post claimed that the 32.88 million Twitter credentials contain plaintext passwords and that of the 15 records LeakedSource members checked, all 15 were found to be valid. Twitter Trust and Info Security Officer Michael Coates has said his team investigated the list, and he remains "confident that our systems have not been breached."

Lending credibility to Coates's claim, Twitter has long used the bcrypt function to hash stored passwords. Bcrypt hashes are so slow and computationally costly to crack that recovering the underlying plaintext for tens of millions of accounts would have required an infeasible amount of time and effort. As of press time, there were no reports of a mass reset of Twitter users' passwords, either.


University pays almost $16,000 to recover crucial data held hostage

“The last thing we want to do is lose someone’s life’s work,” official says.

Canada's University of Calgary paid almost $16,000 ($20,000 Canadian) to recover crucial data that had been held hostage for more than a week by crypto ransomware attackers.

The ransom was disclosed on Wednesday morning in a statement issued by University of Calgary officials. It said university IT personnel had made progress in isolating the unnamed ransomware infection and restoring affected parts of the university network. It went on to warn that there's no guarantee paying the controversial ransom will lead to the lost data being recovered.

"Ransomware attacks and the payment of ransoms are becoming increasingly common around the world," Wednesday's statement read. "The university is now in the process of assessing and evaluating the decryption keys. The actual process of decryption is time-consuming and must be performed with care. It is important to note that decryption keys do not automatically restore all systems or guarantee the recovery of all data. A great deal of work is still required by IT to ensure all affected systems are operational again, and this process will take time."


Miscreants breach NFL’s Twitter account, reveal its weak password

Takeover comes a few days after hijacking of Mark Zuckerberg’s Twitter account.

Online miscreants took over the National Football League's Twitter account and used it to falsely report the death of league commissioner Roger Goodell.

During the brief span that @NFL was taken over, it followed exactly one new Twitter account—specifically, @IDissEverything, which has now been suspended. Before the account was suspended, it claimed the password protecting the NFL Twitter feed was "olsen3culvercam88." The Daily Dot said someone connected to the IDissEverything account claimed the password was revealed after "someone managed to get into the email of a social media staffer at the NFL, where we found the credentials in a message." It's still not clear how the group got access to the e-mail account.

Tuesday's breach was only the latest one to affect a high-profile Twitter user. Facebook founder and CEO Mark Zuckerberg recently saw his dormant Twitter account taken over by someone who discovered its password—"dadada"—was the same one that protected his LinkedIn account. Zuckerberg's LinkedIn account, in turn, had been compromised in a 2012 breach of the career networking site. Other celebrities, including Katy Perry, Lana Del Rey, and Kylie Jenner, have also reportedly had their Twitter accounts taken over in recent days.


FTC’s chief technologist gets her mobile phone number hijacked by ID thief

If it can happen to her, chances are it can happen to lots of people.


In a scenario that's growing increasingly common, the chief technologist of the US Federal Trade Commission recently lost control of her smartphone after someone posing as her walked into a mobile phone store and hijacked her number.

Details of the incident were provided by the FTC's Lorrie Cranor in a blog post published Tuesday morning with the headline "Your mobile phone account could be hijacked by an identity thief." In it, Cranor wrote:

A few weeks ago an unknown person walked into a mobile phone store, claimed to be me, asked to upgrade my mobile phones, and walked out with two brand new iPhones assigned to my telephone numbers. My phones immediately stopped receiving calls, and I was left with a large bill and the anxiety and fear of financial injury that spring from identity theft. This post describes my experiences as a victim of ID theft, explains the growing problem of phone account hijacking, and suggests ways consumers and mobile phone carriers can help combat these scams.

My Experiences as a Victim of ID Theft

One evening my mobile phone stopped working mid call. After discovering that another phone on my account also had no signal, I called my mobile carrier on a landline phone. The customer service representative explained that my account had been updated to include new iPhones, and in the process the SIM cards in my Android phones had been deactivated. She assumed it was a mistake, and told me to take my phones to one of my mobile carrier’s retail stores.

The store replaced my SIM cards and got my phones working again. A store employee explained that a thief claiming to be me had gone into a phone store and “upgraded” my two phones to the most expensive iPhone models available and transferred my phone numbers to the new iPhones.

I called my mobile carrier’s fraud department and reported what happened. The representative agreed to remove the charges, but blamed the theft on me. When I asked how the store authenticated the thief, he told me that employees of stores owned by the mobile carrier would have asked for the account holder’s photo ID and the last four digits of their social security number, but if the theft occurred at another retailer, that might not have happened.

I logged in to my online account, changed the password, and added an extra security PIN recommended by the fraud department. I then logged on to the Federal Trade Commission’s identitytheft.gov website to report the theft and learn how to protect myself. Identitytheft.gov is a one-stop resource for identity theft victims. It includes step-by-step instructions and sample letters to guide victims through the recovery process. Following the Identitytheft.gov checklist, I placed a fraud alert and obtained a free credit report. I also prepared an identity theft complaint affidavit, which I later printed and took with me to my local police station when I filed a police report.

The FTC chief technologist went on to invoke federal law to force the unnamed carrier to provide the paperwork filed by the identity thief who hijacked her account. Cranor discovered that the thief used a fake ID that showed Cranor's name and the thief's photo. The thief acquired the iPhones at a retail store in Ohio hundreds of miles from Cranor's home and charged them to Cranor's account on an installment plan.


Protecting your PC from ransomware gets harder with EMET-evading exploit

Bad guys score a victory in their never-ending arms race with defenders.

Drive-by attacks that install the once-feared TeslaCrypt crypto ransomware are now able to bypass EMET, a Microsoft-provided tool designed to block entire classes of Windows-based exploits.

The EMET-evading attacks are included in Angler, a toolkit for sale online that provides ready-to-use exploits that can be stitched into compromised websites. Short for Enhanced Mitigation Experience Toolkit, EMET has come to be regarded as one of the most effective ways of hardening Windows-based computers against attacks that exploit security vulnerabilities in both the operating system and installed applications. According to a blog post published Monday by researchers from security firm FireEye, the new Angler attacks are significant because they're the first exploits found in the wild that successfully pierce the mitigations.

"The level of sophistication in exploit kits has increased significantly throughout the years," FireEye researchers wrote. "Where obfuscation and new zero days were once the only additions in the development cycle, evasive code has now been observed being embedded into the framework and shellcode."


TeamViewer says there’s no evidence of 2FA bypass in mass account hack

Investigation continues to show external password breaches are cause, spokesman says.

It was a tough week for TeamViewer, a service that allows computer professionals and consumers to log into their computers from remote locations. For a little more than a month, a growing number of users have reported that their accounts were accessed by criminals who used their highly privileged position to drain PayPal and bank accounts. Critics have speculated that TeamViewer itself has fallen victim to a breach that's making the mass hacks possible.

On Sunday, TeamViewer spokesman Axel Schmidt acknowledged to Ars that the number of takeovers was "significant," but the company continued to maintain that the compromises are the result of user passwords that were exposed in a cluster of recently disclosed megabreaches involving more than 642 million passwords belonging to users of LinkedIn, MySpace, and other services.

Ars spoke with Schmidt to get the latest. What follows is a lightly edited transcript of the conversation:
