A hacker is selling stolen credentials that purportedly give
access to servers of the US Navy, Centers for Disease Control, US
Postal Service, and other US government sites.
Listings for the accounts were found recently by Tech Insider on
a dark web marketplace called The Real Deal, a popular
site many cyber criminals use for buying and selling everything
from illegal drugs to zero-day software exploits. It’s unclear
when the postings were made, since the site offers no dates for
when sellers create their listings.
In all, the seller “popopret” was offering file
transfer protocol (FTP) access to servers of noaa.gov (National
Oceanic and Atmospheric Administration), usps.gov (The US Postal
Service), cdc.gov (Centers for Disease Control), jpl.nasa.gov
(NASA Jet Propulsion Laboratory), and navy.mil (US Navy).
Prices range from .5 Bitcoin ($329) for the CDC to 3.5
Bitcoin for the Navy, or about $2,300 at current market
Popopret told Tech Insider the credentials were
acquired by “sniffing a botnet,” which suggests the hacker had
hijacked a large number of computers (a botnet) and was
actively keeping an eye on them (sniffing) for
interesting traffic being passed through, such as usernames,
passwords, and documents.
Neither this claim nor whether the seller’s
credentials are legitimate could be independently verified by TI.
However, it’s worth noting that The Real Deal is often the source
of major data breaches and hacker exploits. And the site
allows payments to be placed into escrow, so a buyer can confirm
what they are buying is as described before their money is
transferred to the seller.
What the purported credentials can actually be used
for also remains unclear.
Since the seller is offering accounts for either FTP (file
transfer protocol) or SFTP (secure file transfer protocol), it’s
likely these give access to the backend of public-facing
websites. Web developers typically upload changes to websites via
FTP, so a hacker with that same level of access could deface a
website by replacing a file with one of their own.
For instance, a hacker could potentially connect to the CDC
server and upload a new homepage with a hoax warning of a
dangerous Ebola outbreak in the US, or to the Jet Propulsion
Laboratory with a faked message claiming that a
devastating asteroid was headed toward Earth. While such
defacements would likely be corrected quickly, they have the
potential to be market-moving events.
Still, a hacker could move on to other things if the user
accounts being sold are at a higher level.
“If you had root access, you should be able to … do whatever
you wanted,” a hacker told Tech Insider on condition of
anonymity, since he is a “grey
hat” who wants to maintain personal security. “I would
personally save the server to attack another site from a .mil,”
he added, meaning that he could potentially hack into some other
network that would likely trace the intrusion back to the US
Tech Insider reached out to all of the government agencies with
purported credentials being sold. The Centers for Disease
Control, Jet Propulsion Laboratory, and US Navy declined to
The US Postal Service told Tech Insider its corporate information
security office would conduct “criminal investigations into these
The National Oceanic and Atmospheric Administration provided
the following statement:
“NOAA takes all cyber threats seriously,” Ciaran Clayton, a
spokesperson for NOAA, told Tech Insider. “Our Cyber Security
Division reviewed the purported NOAA File Transfer Protocol sites
found for sale online in the Dark Web. NOAA has concluded that
these are not valid sites, and the agency is under no risk for
any cyber vulnerability.”
from SAI http://ift.tt/2aux0yR