RSS Security

❌ About FreshRSS
There are new available articles, click to refresh the page.
Today — July 21st 2019Your RSS feeds

Emsisoft releases a second decryptor in a few days, this time for ZeroFucks ransomware

Security experts at Emsisoft released a second decryptor in a few days, this time announced a free decryptor for the ZeroFucks ransomware.

A few days ago, the experts at Emsisoft released a free decryptor for the Ims00rry ransomware, now the malware team announced the released of a decryptor for the ZeroFucks ransomware.

Victims of the ZeroFucks ransomware don’t have to pay the ransom, they only need to download the decryptor form the link below:

Fucks ransomware

ZeroFucks ransomware encrypts files with AES-256 and replaces the extension in the filename with “.zerofucks” (i.e. “myphoto.jpg” is changed to “ myphoto.zerofucks”.

When the ransomware encrypts files the following GUI is displayed to the victims, crooks demand a €400 ransom worth of Bitcoins.

Fucks ransomware 2

Below the ransom note left on the infected systems by the ransomware:

“All your important files have been encrypted. If you want your files back, you need to pay €400 in Bitcoins. After the payment is received, we will give you access to unlock your files. Click on the Payment button to get more info.” reads ransom note.

“If you don’t pay within 48 hours, the price will be doubled. After another 24 hours, the price will be doubled again. If you don’t pay within 96 hours your files will be destroyed.”

Enjoy it!

Pierluigi Paganini

(SecurityAffairs – ZeroFucks, malware)

The post Emsisoft releases a second decryptor in a few days, this time for ZeroFucks ransomware appeared first on Security Affairs.

Security Affairs newsletter Round 223 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Kindle Edition

Paper Copy

newsletter Digging The Deep Web

Once again thank you!

For nearly a year, Brazilian users have been targeted with router attacks
NCSC report warns of DNS Hijacking Attacks
SAP Patch Day – July 2019 addresses a critical flaw in Diagnostics Agent
A flaw could have allowed hackers to take over any Instagram account in 10 minutes
Apple temporarily blocked Walkie-Talkie App on Apple Watch due to a flaw
Emsisoft released a free decryptor for the Ims00rry ransomware
Flaw in Ad Inserter WordPress plugin allows remote attackers to execute code
La Porte County finally opted to pay $130,000 Ransom
The npm installer for PureScript package has been compromised
A flaw in discontinued Iomega/Lenovo NAS devices exposed millions of files
DoppelPaymer, a fork of BitPaymer Ransomware, appeared in the threat landscape
iOS URL Scheme expose users to App-in-the-Middle attack
Media File Jacking allows manipulating media files users receive via Android WhatsApp and Telegram
Mysterious hackers steal data of over 70% of Bulgarians
Sprint revealed that hackers compromised some customer accounts via Samsung site
Anti-Debugging Techniques from a Complex Visual Basic Packer
Expert was awarded $10,000 for disclosing XSS flaw to Tesla
Turla APT group adds Topinambour Trojan to its arsenal
CVE-2019-6342 flaw allows hackers to fully compromise Drupal 8.7.4 websites
Experts detailed new StrongPity cyberespionage campaigns
Experts spotted a rare Linux Desktop spyware dubbed EvilGnome
Scraping the TOR for rare contents
The Problem With the Small Business Cybersecurity Assistance Act
Dutch police arrested the author of Dryad and Rubella Macro Builders
Israel surveillance firm NSO group can mine data from major social media
Poland and Lithuania fear that data collected via FaceApp could be misused
Slack resetting passwords for roughly 1% of its users
Former NSA contractor sentenced to 9 years for stealing classified data

Pierluigi Paganini

(SecurityAffairs – newsletter)

The post Security Affairs newsletter Round 223 – News of the week appeared first on Security Affairs.

Hackers breach 62 US colleges by allegedly exploiting Ellucian Banner Web flaw

Hackers breached at least 62 college and university networks exploiting a flaw in Ellucian Banner Web Tailor, a module of the Ellucian Banner ERP.

US Department of Education warned that hackers have breached at least 62 college and university networks by exploiting a vulnerability in the Ellucian Banner Web Tailor module of the Ellucian Banner ERP.

The module is used by colleges and universities to customize their web applications.

The vulnerability, tracked as CVE-2019-8978, was discovered by the security expert Joshua Mulliken, it affects the authentication process used by the two modules of the ERP, including the Ellucian Banner Enterprise Identity Services used to manage user accounts.

“An improper authentication vulnerability (CWE-287) was identified in Banner Web Tailor and Banner Enterprise Identity Services. This vulnerability is produced when SSO Manager is used as the authentication mechanism for Web Tailor, where this could lead to information disclosure and loss of data integrity for the impacted user(s).” reads the security advisory published by the expert.

Ellucian Banner Web 2

The vulnerability could be exploited by a remote attacker to hijack users’ accounts.

“A user’s unique identifier, UDCID, is leaked via a cookie and it could lead to account compromise if this identifier is captured or otherwise known, in the case tested the UDCID was known to be the institutional ID printed on ID cards. The UDCID could be used to exploit a race condition that would provide an attacker with unauthorized access.” continues the advisory. “For a student, the attacker could drop them from their courses, reject financial aid, change their personal information, etc. For a professor, this could lead to an inability to manage their courses, allow a malicious student to put in false final grades, etc. For an administrator, an attacker could change users information, place false holds on student accounts, etc.”

Affected versions are Banner Enterprise Identity Services 8.3 and later, Ellucian addressed the vulnerability in May.

Unfortunately, threat actors started exploiting the CVE-2019-8978 flaw in the wild.

“The Department has identified 62 colleges or universities that have been affected by exploitation of this vulnerability. We have also recently received information that indicates criminal elements have been actively scanning the internet looking for institutions to victimize through this vulnerability and developing lists of institutions for targeting with this exploitation.” reads the alert published on the Federal Student Aid.

The educational institutions that were targeted by the attacks exploiting the vulnerability have reported that threat actors are using scripts in the admissions or enrollment section of the affected Banner system to create multiple student accounts.

Officials reported that attackers created at least 600 fake or fraudulent student accounts within a 24-hour period. The malicious activity is continuing over multiple days resulting in the creation of thousands of fake student accounts. The bad news is that some of the accounts created in the attacks were involved in criminal activity.

Officials warn that for those organizations that have not implemented network segregation attackers could access students’ financial aid data.

Ellucian denies that the creation of fake accounts is related to the vulnerability in its ERP.

“Although it was reported that attackers can leverage the vulnerability discussed above to create accounts, Ellucian believes this is not correct,” read a statement published by the company. “The issue described in the alert is not believed to be related to the previously patched Ellucian Banner System vulnerability and is not exclusive to institutions using Ellucian products.”

“Attackers are utilizing bots to submit fraudulent admissions applications and obtain institution email addresses through admission application portals,”

The company recommends implementing reCAPTCHA capabilities to the admission process.

Pierluigi Paganini

(SecurityAffairs – Ellucian Banner Web, ERP)

The post Hackers breach 62 US colleges by allegedly exploiting Ellucian Banner Web flaw appeared first on Security Affairs.

WizzAir informed customers it forced a password reset on their accounts

The airline company WizzAir informed its customers that it had reset the account passwords due to a technical issue in the system.

The airline company WizzAir had reset the account passwords of its users due to a technical issue in its system.

In an email message sent to the customers, the company explained that it has discovered and suffered “some temporary technical irregularity.”

WizzAir password-reset

The company did not disclose technical details of the incident, for this reason, some users speculate that the root cause of the problem was a hack. In compliance with EU privacy regulation GDPR, the company must provide a full and detailed account of the incident within 72 hours.

Fortunately, it seems that the company was not hacked.

“It appears that these assumptions are nothing to fret about. BleepingComputer has learned from a company representative that personal data belonging to customers was not affected in any way.” reported BleepingComputer.

The company only provided the following comment:

“We can confirm that we have sent an email today to our customers about the detection of a temporary technical irregularity in our system. At no point was any personal data compromised and resetting the passwords on the WIZZ accounts was a precautionary action. Safety remains a priority for Wizz Air, and that includes the security of our passengers’ data.” – reads the statement sent by WizzAir.

Following the notification message, people with a WizzAir account will receive a new email with instructions about how they can regain access to all features of the Wizz account.

Pierluigi Paganini

(SecurityAffairs – WizzAir)

The post WizzAir informed customers it forced a password reset on their accounts appeared first on Security Affairs.

Twitter account of Scotland Yard hacked and posted bizarre messages

The principal Twitter account of Scotland Yard, which has more than 1.2 million followers, was hacked and tweeted a series of bizarre messages on Friday night.

Hackers took over the Scotland Yard’s principal Twitter account and tweeted a dozen bizarre messages on Friday night, some of the tweets referred to the British rapper Digga D.

Digga D, real name Rhys Herbert, was jailed last year aged 17 along with other four members of his gang after they were caught with baseball bats and machetes, the police discovered they were planning to attack another gang.

The messages were expressing anti-police sentiment and calling for the jailed rapper to be released.

“Free Digga D,” states one of the Tweet. 

Below the message posted by the Met police Supt, Roy Smith after the breach:

We are aware that the @metpoliceuk has been subject to unauthorised access and our media team are working hard to delete the messages and ensure the security of the account. Please ignore any Tweets until we verify that it is back under official control. RT

— Supt Roy Smith (@roysmithpolice) July 19, 2019

London’s Metropolitan Police confirmed that hackers also targeted emails and news pages.

Scotland Yard pointed out that its IT infrastructure had not been compromised, the incident only affected the press office’s online provider, MyNewsDesk. The MyNewsDesk service automatically spreads content to the Met’s website and Twitter account once it is published. It also sends emails to subscribers.

“Unauthorised messages appeared on the news section of our website,” states Scotland Yard. “We apologise to our subscribers and followers for the messages they have received.

“We are confident the only security issue relates to access to our MyNewsDesk account. We have begun making changes to our access arrangements to MyNewsDesk,” .

“There has been no ‘hack’ of the Met Police’s own IT infrastructure. We are assessing to establish what criminal offences have been committed.”

US President Donald Trump caught the opportunity to attack the London Mayor Sadiq Khan, he retweeted an image of the hijacked Metropolitan Police account.

With the incompetent Mayor of London, you will never have safe streets!

— Donald J. Trump (@realDonaldTrump) July 20, 2019

UK authorities regained control of its account on Saturday.

Pierluigi Paganini

(SecurityAffairs – Scotland Yard, hacking)

The post Twitter account of Scotland Yard hacked and posted bizarre messages appeared first on Security Affairs.

Yesterday — July 20th 2019Your RSS feeds

GitGot - Semi-automated, Feedback-Driven Tool To Rapidly Search Through Troves Of Public Data On GitHub For Sensitive Secrets

By: Unknown

GitGot is a semi-automated, feedback-driven tool to empower users to rapidly search through troves of public data on GitHub for sensitive secrets.

How it Works
During search sessions, users will provide feedback to GitGot about search results to ignore, and GitGot prunes the set of results. Users can blacklist files by filename, repository name, username, or a fuzzy match of the file contents.
Blacklists generated from previous sessions can be saved and reused against similar queries (e.g., v.s. v.s. Example Org). Sessions can also be paused and resumed at any time.
Read more about the semi-automated, human-in-the-loop design here:

Install Instructions
[1] Install the ssdeep dependency for fuzzy hashing.
Ubuntu/Debian (or equivalent for your distro):
apt-get install libfuzzy-dev ssdeep
or, for Mac OSX:
brew install ssdeep
For Windows or *nix distributions without the ssdeep package, please see the ssdeep installation instructions.
[2] After installing ssdeep, install the Python dependencies using pip:
pip3 install -r requirements.txt

GitHub requires a token for rate-limiting purposes. Create a GitHub API token with no permissions/no scope. This will be equivalent to public GitHub access, but it will allow access to use the GitHub Search API. Set this token at the top of as shown below:
After adding the token, you are ready to go:
# Query for the string "" using the default RegEx list and logfile location (/logs/<query>.log)
./ -q

# Using GitHub advanced search syntax
./ -q "org:github cats"

# Custom RegEx List and custom log files location
./ -q -f checks/default.list -o example1.log

# Recovery from existing session
./ -q -r

# Using an existing session (w/blacklists) for a new query
./ -q "Example Org" -r

Query Syntax
GitGot queries are fed directly into the GitHub code search API, so check out GitHub's documentation for more advanced query syntax.

UI Commands
  • Ignore similar [c]ontent: Blacklists a fuzzy hash of the file contents to ignore future results that are similar to the selected file
  • Ignore [r]epo/[u]ser/[f]ilename: Ignores future results by blacklisting selected strings
  • Search [/(mykeyword)]: Provides a custom regex expression with a capture group to searches on-the-fly (e.g., /(secretToken))
  • [a]dd to Log: Add RegEx matches to log file, including all on-the-fly search results from search command
  • Next[<Enter>], [b]ack: Advances through search results, or returns to previous results
  • [s]ave state: Saves the blacklists and progress in the search results from the session
  • [q]uit: Quit

Git-Hound - Find Exposed Keys Across GitHub Using Code Search Keywords

By: Unknown

A pattern-matching, batch-catching secret snatcher. This project is intended to be used for educational purposes.

Git Hound makes it easy to find exposed API keys on GitHub using pattern matching, targetted querying, and a scoring system.

echo "" | python or python --subdomain-file subdomains.txt We also offer a number of flags to target specific patterns (known service API keys), file names (.htpasswd, .env), and languages (python, javascript).

  • --subdomain-file - The file with the subdomains
  • --output - The output file (default is stdout)
  • --output-type - The output type (requires output flag to be set; default is flatfile)
  • --all - Print all URLs, including ones with no pattern match. Otherwise, the scoring system will do the work.
  • --regex-file - Supply a custom regex file
  • --api-keys - Enable generic API key searching. This uses common API key patterns and Shannon entropy to find potential exposed API keys.
  • --language-file - Supply a custom file with languages to search.
  • --config-file - Custom config file (default is config.yml)
  • --pages - Max pages to search (default is 100, the page maximum)
  • --silent - Don't print results to stdout (most reasonably used with --output).
  • --no-antikeywords - Don't attempt to filter out known mass scans
  • --only-filtered - Only search filtered queries (languages, file extensions)

  1. Clone this repo
  2. Use a Python 3 environment (recommended: virtulenv or Conda)
  3. pip install -r requirements.txt (or pip3)
  4. Set up a config.yml file with GitHub credentials. See config.example.yml for an example. Accounts with 2FA are not currently supported.
  5. echo "" | python

0v1ru$ hackers breach FSB contractor SyTech and expose Russian intel projects

SyTech, a contractor for the Federal Security Service of the Russian Federation (FSB) has been hacked, attackers stole data about internal projects.

Attackers have hacked SyTech, a contractor for the Federal Security Service of the Russian Federation (FSB), and exfiltrated data about internal projects.

According to the Russian media, SyTech has been working with FSB since 2009, in particular, they contributed to several projects for FSB unit 71330 and for fellow contractor Quantum. The company earned 40 million rubles ($635,000) from public contracts in 2018. The latest project is the development of Nalog-3 for the Main Scientific Innovation Implementation Center.

“According to the data received, the majority of non-public projects of Sytech were commissioned by military unit No. 71330, which allegedly is part of the 16th directorate of the FSB of Russia.” states the website CrimeRussia.”This unit is engaged in electronic intelligence, experts form the International Center for Defense and Security in Tallinn believe.”

Some of the research projects accessed by the hackers were for Russia’s intelligence service, including one for deanonymizing Tor traffic.

On July 13, a hacker group named 0v1ru$ hacked into SyTech’s Active Directory server then compromised the entire infrastructure of the company, including JIRA instance.

The hackers exfiltrated 7.5TB of data and defaced the website of the company by publishing “yoba face.”

The hackers published images of the company’s servers on Twitter and also shared the data with another hacker crew known as Digital Revolution, that in 2018 breached the FSB contractor Quantum.

Все мы, журналисты, студенты и даже пенсионеры, находимся под навлюдением ФСБ. Присоединяйтесь к нам, как и 0V1ru$, защищая наше будущее! Они не заглушат наши голоса! @tjournal @Dobrokhotov @bbcrussian @unkn0wnerror

— DigitalRevolution (@D1G1R3V) July 18, 2019
FSB contractor hacked

The hackers provided the stolen data to BBC Russia, who verified the presence of other older projects for compromising other network protocols, including Jabber, ED2K, and OpenFT.

“Among the projects of Sytech there is the work on de-anonymization of users of the Tor-network, collection of information about Facebook, MySpace and LinkedIn users, hidden collection of information on the Web, a system for substituting Internet traffic, through which certain users could be redirected to special sites when requested portals from the “black list.” continues CrimeRussia.

“Sytech was also supposed to explore the possibilities of developing a complex of penetration and covert use of resources of peer-to-peer and hybrid networks, network protocols Jabber, OpenFT and ED2K, which were used by darknet users and hackers.

The list of projects shared by BBCRussia includes:

  • Nautilus – a project for tracking the activity of users on the principal social media platforms (such as Facebook, MySpace, and LinkedIn).
  • Nautilus-S – a project for deanonymizing Tor traffic, it leverages on a network of rogue Tor nodes. In January 2014, researchers from Karlstad University in Sweden, presented the results of a four-month study conducted to test Tor network exit nodes for sneaky behavior. They discovered that a not specified Russian entity was eavesdropping nodes at the edge of the Tor network.
  • Reward – a project to covertly penetrate P2P networks.
  • Mentor – a project to spy on email communications managed by Russian companies.
  • Hope/Nadezhda  – a project to analyzed the overall Russian internet and its connections to the global WWW.
  • Tax-3 – a project to allow you to manually remove from the information system of the FTS data of persons under state protection.

Researchers identified 25 malicious servers, 18 of which were located in Russia, and running Tor version, the same one detailed in the leaked files.

SyTech took down its website after the hack.

“Website “Siteka” is not available – neither in its previous form, nor in the version with “Yob-face”. When you call the company on the answering machine, the standard message is turned on, in which you are invited to wait for the secretary’s response, but short beeps follow.” concludes BBC Russia.

Pierluigi Paganini

(SecurityAffairs – SyTech, data breach)

The post 0v1ru$ hackers breach FSB contractor SyTech and expose Russian intel projects appeared first on Security Affairs.

Parrot Security 4.7 - Security GNU/Linux Distribution Designed with Cloud Pentesting and IoT Security in Mind

By: Zion3R

Parrot is a GNU/Linux distribution based on Debian Testing and designed with Security, Development and Privacy in mind.

It includes a full portable laboratory for security and digital forensics experts, but it also includes all you need to develop your own software or protect your privacy while surfing the net.


User Guide

Infrastructure Zone

Developer zone

Side projects


Former NSA contractor sentenced to 9 years for stealing classified data

The former NSA contractor who pled guilty to stealing over 50TB of data from the Agency, was sentenced to nine years in prison

The former National Security Agency contractor Harold Thomas Martin III, who was accused and subsequently pled guilty to stealing over 50TB of classified NSA data, was sentenced to nine years in prison.

The man was arrested by the FBI in October 2016, the US DoJ charged Harold Thomas Martin with theft of secret documents and highly classified government material. According to a court complaint, the stolen data include source codes developed by the NSA to its hacking campaigns against foreign governments.

According to the Politico website, sources informed of the events reported that Kaspersky learned about Martin after he sent strange Twitter messages to two researchers of the firm in 2016, minutes before The Shadow Brokers began leaking the NSA dump online.

“The timing was remarkable — the two messages arrived just 30 minutes before an anonymous group known as Shadow Brokers began dumping classified NSA tools online and announced an auction to sell more of the agency’s stolen code for the price of $1 million Bitcoin. ” reported the Politico website.

“The case unfolded after someone who U.S. prosecutors believe was Martin used an anonymous Twitter account with the name ‘HAL999999999’ to send five cryptic, private messages to two researchers at the Moscow-based security firm,” Politico reports.

nsa contractor

A first message sent on Aug. 13, 2016, asked one of the researchers to arrange a conversation with Kaspersky Lab CEO Eugene Kaspersky.

Kaspersky reported the events to the NSA that identified Martin and the FBI arrested him later.

The DoJ’s chief national security prosecutor John Carlin revealed that Martin was employed by Booz Allen Hamilton.  Booz Allen Hamilton is the same defense contractor that employed the notorious Edward Snowden at the time the whistleblower when he disclosed the mass surveillance program conducted by the NSA on a global scale.

The theft was the largest heist of classified government material in the history of the US.

Harold Thomas Martin III, a 54-year-old Navy veteran from Glen Burnie, he abused his top-secret security clearances to stole at least 50 terabytes of classified national defense data from government computers over two decades while working for a number of NSA departments between 1996 and 2016.

In March 2019, the man signed a guilty plea, even if the connection with the Shadow Brokers was ever proven.

At the time, federal prosecutors decided to drop the remaining 19 charges against Martin and recommended a 9-year prison sentence and three years of supervised release.

Now the judge sentenced Martin to nine years in prison, including time served, and three years of supervised release.

“Harold Martin apologized to the federal judge who sentenced him for a theft that prosecutors have called “breathtaking” in scope.” reported the AP agency.

“My methods were wrong, illegal and highly questionable,” Martin told U.S. District Judge Richard Bennett.

Pierluigi Paganini

(SecurityAffairs – NSA contractor, data breach)

The post Former NSA contractor sentenced to 9 years for stealing classified data appeared first on Security Affairs.

Before yesterdayYour RSS feeds

Israel surveillance firm NSO group can mine data from major social media

The Israeli surveillance firm NSO Group informed its clients that it is able to scoop user data by mining from major social media.

The Financial Times reported that the Israeli surveillance firm NSO Group informed its clients that it is able to mine user data from major social media. NSO is based in Herzliya, near Tel Aviv, and employs 600 people worldwide. The private equity firm Novalpina Capital has the majority of the shares in NSO Group.

“[NSO Group] told buyers its technology can surreptitiously scrape all of an individual’s data from the servers of Apple, Google, Facebook, Amazon and Microsoft, according to people familiar with its sales pitch” reported the FT.

According to the AFP, an NSO spokesperson denied the allegation.

“There is a fundamental misunderstanding of NSO, its services and technology,” the spokesman said

“NSO’s products do not provide the type of collection capabilities and access to cloud applications, services, or infrastructure as listed and suggested in today’s FT article.”

The FT report cites documents it had viewed and descriptions of a product demonstration. According to the report, the surveillance capabilities of the company had “evolved to capture the much greater trove of information stored beyond the phone in the cloud, such as a full history of a target’s location data, archived messages or photos”.

NSO pointed out that it does not operate its solutions, including the Pegasus spyware, instead, it only licenses them law enforcement and government agencies “for the sole purpose of preventing or investigating serious crime including terrorism”.

NSO Group Pegasus spyware

Pegasus is a perfect tool for surveillance, it is able to steal any kind of data from smartphones and use them to spy on the surrounding environment through their camera and microphone.

The NSO Group operated in the dark for several years, until the researchers from the Citizenlab organization and the Lookout firm spotted its software in targeted attacks against UAE human rights defender, Ahmed Mansoor.

The researchers also spotted other attacks against a Mexican journalist who reported to the public a story of the corruption in the Mexican government.

NSO replied that its surveillance solution was “intended to be used exclusively for the investigation and prevention of crime and terrorism.” 

Pierluigi Paganini

(SecurityAffairs – NSO Group, surveillance)

The post Israel surveillance firm NSO group can mine data from major social media appeared first on Security Affairs.

Kali NetHunter App Store - The New Android Store Dedicated to Free Security Apps

By: Zion3R

The Kali NetHunter App Store is a one-stop-shop for security relevant Android applications. It is the ultimate alternative to the Google Play store for any Android device, whether rooted or not, NetHunter or stock. If you are after any security application for your Android device, the NetHunter Store will be the place to get it.

The NetHunter store is powered by a slightly modified version of F-Droid, thanks to the hard work of the F-Droid community, in particular Peter Serwylo whose help was invaluable. Whilst F-Droid installs its clients with telemetry disabled and asks for consent before submitting crash reports, we went a step further and removed the entire code – just to make sure that our privacy cannot be compromised by accident. We also widened the inclusion policy to allow proprietary applications into the store.

Dutch police arrested the author of Dryad and Rubella Macro Builders

Dutch authorities announced the arrest of a 20-year old man for allegedly developing Dryad and Rubella Macro Builders.

Dutch authorities announced have arrested a 20-year old man that is accused to be the author of Dryad and Rubella Macro Builders.

The man lives in Utrecht, it created and distributed Rubella, Cetan and Dryad toolkits.

“Recently the high tech crime team (THTC) of the Dutch National Police Unit arrested a 20 year old resident of the Dutch city of Utrecht. He is suspected of large-scale production and selling of malware.” reads the announcement. “The young man offered programs with names like Rubella, Cetan and Dryad, enabling the buyer to include secret code or malware in amongst others  Word or Excel files.”

Both macro builders allow crooks to easily create malicious Office documents that are usually involved in hacking campaigns as a first-stage loader for other malware.

The Rubella Macro Builder crimeware kit appeared in the threat landscape on April 2018 and rapidly gained popularity in the cybercriminal underground. It allows crooks to generate a malicious payload for social-engineering spam campaigns, the author was offering it as a service for a three-month license of $120.

According to Flashpoint, Rubella is not particularly sophisticated, the builder is used to create Microsoft Word or Excel weaponized documents to use in spam email.

The macro might also purposely attempt to bypass endpoint security defenses. 

The Rubella Macro Builder is cheap, fast and easy to use, the malware it generated can evade antivirus detection.

Rubella Macro Builder

According to Flashpoint experts, some popular criminal gangs used Rubella malware in their campaign, including the criminal crews behind the Panda and Gootkit banking malware.

The Dutch man was identified by law enforcement with the support of McAfee and another private company.

According to McAfee, Dryad and Rubella are very similar, and a conversation with the suspect revealed that the individual was behind both of them. 

Announced today, the Dutch National High-Tech Crime Unit (NHTCU) arrested an individual suspected of building and selling such a criminal toolkit named the Rubella Macro Builder.” reads a post published by McAfee. “McAfee Advanced Threat Research spotted the Rubella toolkit in the wild some time ago and was able to provide NHTCU with insights that proved crucial in its investigation.”

The man was also promoting a variety of different products and services, ranging from stolen credit card data, a malware to steal funds from crypto wallets and a malicious loader software to a newly pitched product called Tantalus ransomware-as-a-service.

The Dutch authorities also revealed that the man had in possession access credentials for thousands of websites. 

The police also seized around 20,000 Euro (around $22,000) in cryptocurrency such as Bitcoins. 

Toolkits that build weaponized Office documents, like Dryad and Rubella, cater to the increasing cybercriminal demand of this type of infection vector. With the arrest of the suspect comes an end to the era of Dryad and Rubella Macro Builder. “concludes McAfee. “Based on his activity, the suspect looked like quite the cybercriminal entrepreneur, but given his young age this is also a worrisome thought. If only he would have used his skills for good. The lure of quick cash was apparently more enticing than building a solid long-term career. We at McAfee never like to see young talented individuals heading down a dark path.”

Pierluigi Paganini

(SecurityAffairs – Macro builder, GDPR)

The post Dutch police arrested the author of Dryad and Rubella Macro Builders appeared first on Security Affairs.

QuickBooks Cloud Hosting Firm iNSYNQ Hit in Ransomware Attack

Cloud hosting provider iNSYNQ says it is trying to recover from a ransomware attack that shut down its network and has left customers unable to access their accounting data for the past three days. Unfortunately for iNSYNQ, the company appears to be turning a deaf ear to the increasingly anxious cries from its users for more information about the incident.

A message from iNSYNQ to customers.

Gig Harbor, Wash.-based iNSYNQ specializes in providing cloud-based QuickBooks accounting software and services. In a statement posted to its status page, iNSYNQ said it experienced a ransomware attack on July 16, and took its network offline in a bid to contain the spread of the malware.

“The attack impacted data belonging to certain iNSYNQ clients, rendering such data inaccessible,” the company said. “As soon as iNSYNQ discovered the attack, iNSYNQ took steps to contain it. This included turning off some servers in the iNSYNQ environment.”

iNSYNQ said it has engaged outside cybersecurity assistance and to determine whether any customer data was accessed without authorization, but that so far it has no estimate for when those files might be available again to customers.

Meanwhile, iNSYNQ’s customers — many of them accountants who manage financial data for a number of their own clients — have taken to Twitter to vent their frustration over a lack of updates since that initial message to users.

In response, the company appears to have simply deleted or deactivated its Twitter account (a cached copy from June 2019 is available here). Several customers venting about the outage on Twitter also accused the company of unpublishing negative comments about the incident from its Facebook page.

Some of those customers also said iNSYNQ initially blamed the outage on an alleged problem with U.S.-based nationwide cable ISP giant Comcast. Meanwhile, competing cloud hosting providers have been piling on to the tweetstorms about the iNSYNQ outage by marketing their own services, claiming they would never subject their customers to a three-day outage.

iNSYNQ has not yet responded to requests for comment.

Update, 4:35 p.m. ET: I just heard from iNSYNQ’s CEO Elliot Luchansky, who shared the following:

While we have continually updated our website and have emailed customers once if not twice daily during this malware attack, I acknowledge we’ve had to keep the detail fairly minimal.

Unfortunately, and as I’m sure you’re familiar with, the lack of detailed information we’ve shared has been purposeful and in an effort to protect our customers and their data- we’re in a behind the scenes trench warfare doing everything we possibly can to secure and restore our system and customer data and backups. I understand why our customers are frustrated, and we want more than anything to share every piece of information that we have.

Our customers and their businesses are our number one priority right now. Our team is working around the clock to secure and restore access to all impacted data, and we believe we have an end in sight in the near future.

You know as well as we that no one is 100% impervious to this – businesses large and small, governments and individuals are susceptible. iNSYNQ and our customers were the victims of a malware attack that’s a totally new variant that hadn’t been detected before, confirmed by the experienced and knowledgeable cybersecurity team we’ve employed.

Original story: There is no question that a ransomware infestation at any business — let alone a cloud data provider — can quickly turn into an all-hands-on-deck, hair-on-fire emergency that diverts all attention to fixing the problem as soon as possible.

But that is no excuse for leaving customers in the dark, and for not providing frequent and transparent updates about what the victim organization is doing to remediate the matter. Particularly when the cloud provider in question posts constantly to its blog about how companies can minimize their risk from such incidents by trusting it with their data.

Ransomware victims perhaps in the toughest spot include those providing cloud data hosting and software-as-service offerings, as these businesses are completely unable to serve their customers while a ransomware infestation is active.

The FBI and multiple security firms have advised victims not to pay any ransom demands, as doing so just encourages the attackers and in any case may not result in actually regaining access to encrypted files.

In practice, however, many cybersecurity consulting firms are quietly urging their customers that paying up is the fastest route back to business-as-usual. It’s not hard to see why: Having customer data ransomed or stolen can send many customers scrambling to find new providers. As a result, the temptation to simply pay up may become stronger with each passing day.

That’s exactly what happened in February, when cloud payroll data provider Apex Human Capital Management was knocked offline for three days following a ransomware infestation.

On Christmas Eve 2018, cloud hosting provider took its systems offline in response to a ransomware outbreak on its internal networks. The company was adamant that it would not pay the ransom demand, but it ended up taking several weeks for customers to fully regain access to their data.

KrebsOnSecurity will endeavor to update this story as more details become available. Any iNSYNQ affected by the outage is welcome to contact this author via Twitter (my direct messages are open to all) or at krebsonsecurity @

Poland and Lithuania fear that data collected via FaceApp could be misused

Poland and Lithuania are probing the potential privacy and security risks of using a Russian-made app FaceApp.

Millions of people recently downloaded the FaceApp app and are taking part in the “#FaceApp Challenge” to show friends how they can look like when they will be old and grey. Many security experts are warning of the risks of using the popular app, threat actors could be potentially interested in data collected by FaceApp.

FaceApp was developed in 2017 by Wireless Lab, when it was downloaded 80 million times, but now thanks to the challenge it is becoming viral. Wireless Lab is a Russian firm based in the Skolkovo hub that is located near Moscow and is considered Russia’s Silicon Valley created by the Kremlin.

The app leverages neural networks to simulate people aging, it adds wrinkles, it turns teeth yellow and colors the hair with gray.

Source AGI

Poland’s digital affairs ministry is investigating into the app and it is evaluating the security risks posed by FaceApp to the personal data of its users.

“For several days in Poland and the world over, social media have been flooded by a wave of modified photos of ‘ageing’ users,” states Poland’s digital affairs ministry.

“Various experts point to possible risks related to inadequate protection of users’ privacy,”

Another EU country Lithuania is also investigating the potential risks posed by the use of the app on a large-scale.

According to deputy defense minister Edvinas Kerza the FaceApp authors had cooperated with other Russian internet companies which may not comply with European privacy and security regulations.

In the US, Senate Minority Leader Chuck Schumer called the FBI and the Federal Trade Commission to “look into the national security & privacy risks” associated with the use of FaceApp. 

FaceApp CEO Yaroslav Goncharov attempted to reassure privacy advocates by explaining that Russian authorities did not have access to any user data.

He pointed out that most of the photos collected by the users are deleted from its servers within 48 hours and that is not used for other purposes.

Pierluigi Paganini

(SecurityAffairs – FaceApp, cybersecurity)

The post Poland and Lithuania fear that data collected via FaceApp could be misused appeared first on Security Affairs.

Userrecon v1.1.0 - Recognition Usernames In 187 Social Networks

By: Zion3R

Find usernames in 187 social networks.

  1. Install dependencies (Debian/Ubuntu):
sudo apt install python3 python3-pip
  1. Install with pip3:
sudo -H pip3 install git+
userrecon-py --help

Building from Source
Clone this repository, and:
git clone ; cd userrecon-py
sudo -H pip3 install -r requirements.txt
python3 build
sudo python3 install

To update this tool to the latest version, run:
sudo -H pip3 install git+ --upgrade
userrecon-py --version

Start by printing the available actions by running userrecon-py --help. Then you can perform the following tests:
userrecon-py --target decoxviii -o test_one
Watch this demo video

This program is possible thanks to:


Kazakhstan Begins Intercepting HTTPS Internet Traffic Of All Citizens Forcefully

If you are in Kazakhstan and unable to access the Internet service without installing a certificate, you're not alone. The Kazakhstan government has once again issued an advisory to all major local Internet Service Providers (ISPs) asking them to make it mandatory for all their customers to install government-issued root certificates on their devices in order to regain access to the Internet

Slack resetting passwords for roughly 1% of its users

Slack is resetting passwords for accounts belonging to users that have not secured them after the data breach suffered by the company in 2015.

Slack announced it is resetting passwords for accounts belonging to users that have not secured them after the data breach suffered by the company in 2015.

Slack Enterprise Key Management

“In response to new information about our 2015 security incident (explained here at the time), we are resetting passwords for approximately 1% of Slack accounts.” reads the announcement published by the company.

“This announcement affects you only if you

  • created your account before March 2015,
  • AND have not changed your password since,
  • AND your account does not require logging in via a single-sign-on (SSO) provider.

In March 2015, Slack detected unauthorized access to a database containing details of users’ accounts, including usernames, email addresses, hashed passwords, phone numbers and Skype IDs.

The hackers also injected malicious code in the systems of the company to steal plaintext passwords as they were entered by Slack users. No financial or payment information was accessed or compromised in this attack.

Immediately after the discovery of the data breach, Slack reset the passwords for a limited number of users impacted by the incident. The company also recommended remaining users to change the password and enable 2FA.

Recently Slack discovered through its bug bounty program that credentials of other users might have been compromised. According to the company, attackers could have obtained them via malware or a third-party hack.

“We were recently contacted through our bug bounty program with information about potentially compromised Slack credentials. These types of reports are fairly routine and usually the result of malware or password re-use between services, which we believed to be the case here.” continues the announcement. “We immediately confirmed that a portion of the email addresses and password combinations were valid, reset those passwords, and explained our actions to the affected users.”

Slack has reset the passwords of these users and sent them notifications.

“We were recently notified that your sign-in credentials (email address and password) for your xxxxx account on were discovered as being in the possession of an unauthorized individual.” reads the notification. “This may be the result of malware installed on a computer you’ve used to sign in to Slack or your credentials being reused from a previous breach of a third party, such as those listed on sites like”

Slack is still investigating the latest incident and will share more information after it will be completed.

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)

The post Slack resetting passwords for roughly 1% of its users appeared first on Security Affairs.

The Problem With the Small Business Cybersecurity Assistance Act

The Small Business Cybersecurity Assistance Act may provide business owners with access to government-level tools to secure small business against attacks.

Perhaps the best approach to rampant malware, ransomware and cybercrime is stronger cooperation between the public and private sectors.

The American Congress took a stab at that kind of ecumenical solution to the looming $6 trillion problem of cybersecurity in the form of the Small Business Cybersecurity Assistance Act (SBCAA). It’s as bipartisan a bill as the U.S. can hope for at present and an encouraging sign that the problem is on the government’s radar.

Regrettably, the Small Business Cybersecurity Assistance Act has already gathered criticism and detractors, with some saying it falls short of the mark. Let’s look at why this might be the case and what the Act actually contains that might, or might not, be of value to worried business owners.

What Does the SBCAA Seek to Accomplish?

The two main co-sponsors of the Act — Senators Gary Peters and Marco Rubio — frame the SBCAA’s mission as primarily an educational effort to bring small business owners up to speed on cybercrime-related issues such as:

  • The variety of cyber threats in the world today
  • The potential risk that small business owners face
  • The tools available to help them protect themselves

The small business community must understand that they represent a larger — not a smaller — portion of the threat surface where cybercrime is concerned. Small business owners are less likely to have taken adequate measures to protect their digital systems and are consequently at an even higher risk of sustaining a data breach or a ransomware attack than a major corporation.

Under the Small Business Cybersecurity Assistance Act, business owners could visit U.S. Small Business Development Center (SBDC) locations to secure educational materials, enroll in programs, and work with representatives from the Department of Homeland Security to better understand and confront cyber threats and risks. Clearly, the intentions and the desired outcome are heading in the right direction.

The question is: What on earth is a Small Business Development Center?

A Good Idea With Limited Infrastructure Behind It

Like many public services in the United States, Small Business Development Centers are wonderful in theory but consistently go underfunded — despite their value — and remain mostly unknown to the communities most in need of their assistance. Among other things, SBDCs provide services like business counseling and information on local, state and federal government compliance and assistance programs.

But because this service goes underfunded and unheralded, the U.S. has only 63 such centers — barely one for every U.S. state and territory. In contrast, the U.S. had almost 140,000 Starbucks locations in 2018, despite the company employing under 200,000 people that year.

The SBDC’s 63 locations, meanwhile, are meant to support the entire American small business community. In 2016, companies with fewer than 100 employees made up 33.4% of the U.S. workforce, and companies with 500 or fewer made up nearly half.

Many of the criticisms leveled against the SBCAA have latched onto this lack of infrastructure and public awareness. Earmarking additional funding could possibly help raise the SBDC’s public profile and make more people aware of their existence. But this isn’t certain, and it doesn’t look like the SBCAA has addressed the existing funding shortfall.

The Act reportedly permits Small Business Development Centers to use their current funding to make cybersecurity resources available after they’re prepared by other government agencies. But the key phrase is “current funding.” SBDCs, like the one at Wharton School, already face shuttering their doors because of a lack of funding. Adding to the demands placed on their staff without a commensurate rise in funding could be fruitless.

The other problem, apart from a lack of funding and awareness, is that significant numbers of small business owners do business in the cloud. As a result, they outsource most of their IT and digital systems architecture work, including data hosting services, to third parties.

It could be fairly useful to educate small business owners on the security best practices these third parties should follow in their operations — either by law or according to common sense. What’s not useful is doing all of this without backing it up with appropriately harsh fines for the larger companies which mishandle or misplace client data, either by mistake or because they have nefarious intent.

The European Union is off to a slow start levying fines for abusing data privacy and security, but the now-year-old General Data Protection Regulation gives the government the power to do so. Until the U.S. implements a similar measure, U.S. states are left on their own to fine companies which don’t take cybersecurity or client privacy seriously. Any measure undertaken to educate the small business community about cybersecurity won’t do much good if the U.S. government doesn’t stand ready to have their backs.

Another potentially fruitful avenue to explore is providing grants or subsidies to help small business owners purchase cyber liability insurance. Not all small business owners know such products exist, but these services can go a long way toward keeping small businesses in operation after they fall victim to a cybercrime.

Safety on the Internet Isn’t a Luxury

Some seem content to let cybersecurity remain a competitive advantage or a luxury commodity. Others believe the buy-in should be the same for both small entrepreneurships and major corporations when it comes to keeping digital properties safe. Everybody has a right to stay safe online — it shouldn’t be something that only moneyed interests get to enjoy.

The SBCAA is a well-intentioned measure styled after the American tradition of empowering people to pull themselves up by their own bootstraps and know-how.

 But without a more robust support system in place, it risks confirming what many people already believe — that the government throws money at problems instead of solving them. It’s best to think of the SBCAA as a first step toward something better.

A better, second draft would back up its proposals for DHS-SBDC collaboration with additional funding as well as adequate punitive measures for data handlers that get cybersecurity wrong.

About the author

Kayla Matthews is a technology and cybersecurity writer, and the owner of To learn more about Kayla and her recent projects, visit her About Me page.

Pierluigi Paganini

(Security Affairs – Small Business Cybersecurity Assistance Act)

The post The Problem With the Small Business Cybersecurity Assistance Act appeared first on Security Affairs.

Brute_Force - BruteForce Gmail, Hotmail, Twitter, Facebook & Netflix

By: Zion3R

Install :
pip install proxylist

pip install mechanize


BruteForce Gmail Attack
python3 -g -l File_list

python3 -g -p Password_Single

BruteForce Hotmail Attack
python3 -t -l File_list

python3 -t -p Password_Single

BruteForce Twitter Attack
python3 -T Account_Twitter -l File_list
python3 -T Account_Twitter -l File_list -X proxy-list.txt

BruteForce Facebook Attack
python3 -f Account_facebook -l File_list
python3 -f Account_facebook -l File_list -X proxy-list.txt

BruteForce Netflix Attack
يفضل تشغيل VPN
python3 -n Account_Netflix -l File_list
python3 -n Account_Netflix -l File_list -X proxy-list.txt