Nbc Mac Hack

The latest high-profile organisation to fall victim to cybercriminals is the National Broadcasting Company (NBC), one of the so-called Big Three television networks in the USA.

NBC’s website was “owned” and used as a go-between in a campaign to infect online visitors automatically.

Fortunately, the malevolent content on the site was up only briefly, limiting the harm that was done.

But researchers at Dutch security company SurfRight managed to grab samples of some of the malware on offer during this time.

→ The samples acquired during the NBC infection aren’t necessarily a complete manifest of the malware that was disseminated. The crooks can vary what is served up by their attack sites based on many factors, such as browser type, operating system, your location, the time of day and more.

NBC’s home page and others were affected, including the pages of late night talk show hosts Jay Leno and Jimmy Fallon.

Here’s roughly how the attack played out, and how NBC got sucked into the equation:

  • NBC’s hacked pages were altered to add some malicious JavaScript that ran in your browser.
  • The JavaScript injected an additional HTML component known as an IFRAME (inline frame) into the web page.
  • The IFRAME sucked in further malicious content from websites infected with an exploit kit known as RedKit.
  • The exploit kit delivered one of two exploit files to try to take control over your browser via a Java vulnerability or a PDF bug.
  • If the exploit worked on your computer, financially-related crimeware from the Citadel or ZeroAccess families was installed.

This, of course, is an example of a dreaded drive-by download, where the crooks use a cascade of tricks to download, install and execute software without going through any of the warnings or confirmation dialogs you might expect.

This, in turn, means that even if you are a careful and well-informed user, you may end up in trouble, since there are no obvious signs that you are doing anything risky, or even unexpected.

Obviously, it’s a big deal for anyone to redirect traffic from a high-profile site such as NBC.

However, fame is fleeting and NBC quickly took the affected pages offline, neutralising the part they played in the danger.

(NBC can’t do much about the sites hosting the other parts of this attack, such as the exploit kit files and the final malware. Nevertheless, if everyone does their bit in disrupting one or more parts of the chain, we all win.)

Make no mistake, this was not a prank or defacement.

The Citadel and ZeroAccess malware families are outright crimeware, meaning that they are malware that is written by cybercriminals, for cybercriminals, to steal items of digital value from unsuspecting users.

→ SophosLabs has published a series of technical papers on these and other phenomena in the crimeware underground. These make fascinating and highly-recommended reading, covering the evolution of malware such as Zeus, also known as Zbot, Citadel and ZeroAccess.

Crimeware is typically available to buy or to rent, so that crooks without the necessary technical skills themselves aren’t excluded from the lucrative business of stealing money, and more besides, online.

Simply put, NBC was unknowingly co-opted into a criminal operation.

If you run a web server, watch out lest you end up in similar straits yourself.

It’s not a comfortable position to be in.
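
As an added example (not part of the original article, and not Sophos code), here is a small audit a site owner could run over the HTML their own server returns. It looks for the first links in the chain described above: inline script that builds an IFRAME, and frames or scripts loaded from hosts outside an allowlist. The allowlist, the sample page and the `.invalid` host name are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the only hosts this site legitimately loads frames and scripts from.
ALLOWED_HOSTS = {"www.example.com", "static.example.com"}
# Heuristics, not exhaustive: script text that creates a frame, and hiding styles.
IFRAME_BUILDER = re.compile(r"createElement\(\s*['\"]iframe['\"]|<iframe", re.I)
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

class PageAudit(HTMLParser):
    """Collects (tag, reason, detail) findings for one HTML document."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script = True
        if tag in ("iframe", "script") and a.get("src"):
            host = urlparse(a["src"]).hostname  # None for relative (same-site) URLs
            if host and host not in ALLOWED_HOSTS:
                self.findings.append((tag, "off-allowlist source", a["src"]))
        if tag == "iframe":
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            if tiny or HIDDEN_STYLE.search(a.get("style", "")):
                self.findings.append((tag, "hidden frame", a.get("src", "")))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and IFRAME_BUILDER.search(data):
            self.findings.append(("script", "inline code builds an iframe", data.strip()[:60]))

def audit(html):
    parser = PageAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page: two legitimate scripts, then an injected script and frame.
SAMPLE = """<html><body>
<script src="/js/site.js"></script>
<script src="https://static.example.com/player.js"></script>
<script>var f = document.createElement('iframe'); f.src = 'http://kit.invalid/in.php';</script>
<iframe src="http://kit.invalid/in.php" width="1" height="1"></iframe>
</body></html>"""
```

Running `audit()` on a schedule against pages fetched from the live site, and diffing the findings against a known-good baseline, catches changes that a check of the files on disk alone would miss.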

PS. If you would like to learn more about beefing up your web security, take a look at our Securing Websites technical paper. It’s a free download (no registration required).

NB. Components seen by SophosLabs from various stages of this attack are detected as follows:

* Mal/ExpJS-AN and Troj/ExpJS-GW: exploit kit JavaScript code that pushes out the exploit components themselves (see below).

* Troj/JavaDI-UB: the Java-based exploit component.

* Troj/PDFEx-HZ: the PDF-based exploit component.

* Mal/Katusha-N: the Citadel-family malware.

* Troj/Mdrop-EVW: the ZeroAccess-family malware.
