The Sunday Telegraph

Hackers may be already cashing in on tech flaws

‘Dark web’ site offers sale of passwords and personal data as a billion devices prove vulnerable to attack

- By Margi Murphy

CRIMINALS may already be cashing in on a recently discovered microchip flaw that has left billions of computers and other electronic devices across the globe vulnerable to hacking.

Advertisements claiming to belong to notorious hacking group the Shadow Brokers have appeared on a hacking-for-sale site, offering to retrieve passwords and personal information from victims’ smartphones or computers in return for $8,900 (£6,550) – or the equivalent in Bitcoin.

The microchip bugs, which affect almost every computer processor in the world, were disclosed earlier this week despite technology giants knowing about them for a year.

Apple on Friday warned that more than a billion iPhones, iPads and Mac computers remain vulnerable thanks to a microchip flaw. Computers running Microsoft Windows and Android smartphones are also at risk.

Since the announcement of the bug, it was feared that criminals would seize the opportunity to exploit it to steal passwords for online services, or personal and confidential files.

The authenticity of the advert has yet to be confirmed but it is likely to be the first of many claimed sales across the dark web, as thieves look to profit from the flaws.

“The advert is enough to show that attackers are trying to exploit and monetise on it. If not from the Shadow Brokers, then other practical exploits will likely surface soon,” said Michael Hickey, security consultant and co-founder of My Hacker House.

As software giants work around-the-clock to send out updates that could protect customers’ devices, criminal gangs are likely to be tapping the keyboard full speed to profit.

“I’m sure there are people attempting to exploit these vulnerabilities for real, right now,” said Michael Marriott, a research analyst at Digital Shadows, which monitors the dark web.

Mr Marriott said hackers have taken to the dark web and notorious hacking forums to find ways to target the public and businesses. Some may just be an attempt at defrauding people. “Criminals like to scam other criminals, so in the next couple of months we should see more of this,” he said.

In June 2017, security researchers warned Intel, AMD and ARM that a flaw in their chips could leak sensitive information stored on the devices that use them. This included passwords, web history and encryption keys. The issue was not disclosed to the public until Tuesday, reportedly to give companies time to find a fix. Apple on Friday admitted that all of its devices except for the Watch were affected, and that it had already put some fixes in place but that customers should still be wary of untrustworthy apps or websites and wait for further updates.

Google said it is working on an update to its Chrome browser and Android phones, and Microsoft will be sending out patches for its operating system Windows 10.

The vulnerabilities allow attackers to extract information from a computer that was previously believed to be inaccessible. This includes passwords and encryption keys for any service running on a machine.

The WannaCry “hero” facing trial in the US accused of creating a separate malware was coerced into an alleged confession while intoxicated and sleep-deprived, say lawyers. Marcus Hutchins, 23, was arrested at a Las Vegas airport as he prepared to fly home to the UK after a hacking convention. Prosecutors say the cybersecurity researcher admitted during interrogation that he created and sold the Kronos malware, which harvests bank details.
