Russian authorities arrested four alleged members of the international cyber theft ring tracked as ‘Infraud Organization.’

In February 2008, the US authorities dismantled the global cybercrime organization tracked as Infraud Organization, which was involved in stealing and selling credit card and personal identity data.

The Justice Department announced indictments for 36 people charged with being part of a crime ring. The group has been active since 2010 and was created in Ukraine by Svyatoslav Bondarenko. According to th experts, the activities of the gang caused $530 million in losses.

Bondarenko remained at large, but Russian co-founder Sergey Medvedev was arrested by the authorities in 2018.

Most of the members of the gang were arrested in the US (30), the remaining members come from Australia, Britain, France, Italy, Kosovo, and Serbia.

The indicted leaders of the organization included people from the United States, France, Britain, Egypt, Pakistan, Kosovo, Serbia, Bangladesh, Canada and Australia.

The motto of the Infraud Organization was “In Fraud We Trust,” it has a primary role in the criminal ecosystem as a “premier one-stop shop for cybercriminals worldwide,” explained Deputy Assistant Attorney General David Rybicki.

The Infraud Organization used a number of websites to commercialize the data, it implemented a classic and efficient e-commerce for the stolen card and personal data, implementing also a rating and feedback system and an escrow” service for payments in digital currencies like Bitcoin.

Last week, Russian authorities arrested Andrey Sergeevich Novak, an alleged leader of the gang. According to the TASS media agency, other three individuals (Kirill Samokutyaev, Konstantin Vladimirovich Bergman and Mark Avramovich Bergman) are under house arrest.

Russia’s FSB and law enforcement have detained four members of the Infraud Organization hacking group. Its purported founder Andrey Novak is wanted in the US on the accusations of cybercrime. As a source in law enforcement told TASS, Novak was arrested while three other purported hackers are under a house arrest.

“During intelligence-gathering activities, Russian special services with the operational support of the law enforcement and cooperation of the US law enforcement, managed to establish and detain four members of the Infraud Organization hacking group whose main income was the use of stolen credit card data.” reported the TASS,

“The purported founder of the criminal group, Andrey Sergeevich Novak, wanted in the US on the accusations of cybercrime, has been arrested for two months, another three members of the group – Kirill Samokutyaev, Konstantin Vladimirovich Bergman and Mark Avramovich Bergman have been detained under a house arrest,” the source said.

Novak, aka “Unicc,” “Faaxxx,” and “Faxtrod,” will be judged in Russia and will not be extradited to the United States.

“According to an informed source, Russia is not planning to extradite Novak to the US. “Russian legislation prohibits an extradition of its citizens to a foreign state,” the source said. That said, if a foreign citizen wanted abroad is among the arrested, that individual will be extradited following the investigation and court proceedings in Russia, the source added.” continues the press agency.

Recently, the Russian Federal Security Service (FSB) announced to have shut down the REvil ransomware gang, the group that is behind a long string of attacks against large organizations, such as Kaseya and JBS USA. The FSB claims to have identified all members of the REvil gang and monitored their operations.

The police operation was conducted by Russian authorities following a request by the United States that shared info about members of the gang.

The Russian police arrested 14 alleged members of the ransomware gang and raided 25 addresses seizing computer equipment and cryptocurrency wallets.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, cybercrime)

E-commerce websites are much more popular than they used to be, people tend to shop online more and more often. This leads to the growth of an attack called web skimming. Web skimming is a type of attack on e-commerce websites in which an attacker inserts malicious code into a legitimate website. One of the most targeted e-commerce platforms is Magento. The reason why Magento is so popular among attackers is that Magento is known for many vulnerabilities. However, this doesn’t mean that other platforms aren’t being targeted, for example, sites using WooCommerce have also been victims.

In this posting, we go over what web skimming attacks are and how they work. We then analyze a series of web skimming attacks that we found which were active from March 2021 to the present. These attacks abused the Google Tag Manager and mainly targeted sites in Argentina and Saudi Arabia.

Overview of Web Skimming Attacks

The purpose of the malicious web skimming code is to steal the website’s customers’ payment details. This attack can simply be compared to an attack on physical ATMs, where instead of hardware skimmers, malicious code is used to steal payment card information.

Web skimming is dangerous because the customer often has no chance to know that a website has been compromised. Mostly, the attackers go after small e-commerce websites with poor security, but sometimes even a big e-commerce site can become a victim. In 2018, the British Airways website was infected by a web skimming attack. In 2019, forbesmagazine[.]com was infected, payment details were sent to the fontsawesome[.]gq. Later in 2020 a big online retailer selling beauty products, wishtrend[.]com, also became a victim of another web skimming attack. In 2021 another big e-commerce website store.segway[.]com was infected with a skimming attack.

We observed a webpage (wishtrend[.]com with more than 1M followers on Facebook) that was infected with web skimming in 2020. Later in 2021, the same website was infected with a phishing attack that imitates a Dropbox login.

How Web Skimming Attacks Work Under the Hood

A website can be breached and compromised both on the client side and on the server side. From the AV perspective, as we protect the end customers (client) and have no visibility on the server side, we focus on the client side. There can either be a single piece of malicious code hidden in infected websites, or more often, the attack can be split into two or more stages. First stage is a simple loader inserted in an infected website’s HTML or in an already existing javascript file. It can look like in the image below.

This code loads additional malicious code from an attacker’s domain, sometimes obfuscated, sometimes not. For the second stage, attackers usually use typosquatting domains to hide and act as a legitimate service. The malicious code gets the data from all (or in some cases specific) input forms and sends this data to the attacker’s server. 

To get the payment details, the attackers use one of the following techniques:

• Stealing payment details directly from the original payment form
• Inserting malicious payment form (used in cases when no form exists)
• Redirecting to a malicious form on another website (can be placed on infected website or also on attacker’s website) 

The image below shows an example of a fake payment form in the red box. It is almost impossible to recognize that something is wrong, because on some e-commerce websites the payment form looks exactly the same and is valid. But in this case a little help is in the yellow box that says: “You will be redirected to the Realex website when you place an order. “ It means that if the website states that you will be redirected, then the payment form should not be directly on the e-commerce website and the user should expect to be redirected to the payment gateway (different website) with the form to enter payment details.

There is more than one way the second stage (the part which is responsible for stealing and sending stolen payment details to the attacker) of a web skimming attack can look. In the code snippet below, there is an example. Here the attackers use a POST request to exfiltrate payment details, but they can also use GET requests and WebSockets. 

Stolen payment details are usually sold on the dark web. These datasets of credit cards that come from web skimming attacks are usually fresh and therefore they are better and can be sold for a higher price than for example data stolen from databases, which can be old in many cases. More information about selling stolen cards can be found in Yonathan Klijnsma’s

VB2019 paper: : Inside Magecart: the history behind the covert card-skimming assault on the e-Commerce industry.

Web Skimming using Google Tag Manager

In Q3 2021 we discovered a web skimming attack that uses Google Tag Manager (GTM) as a first stage. First, the infected webpage loads a script from googletagmanager[.]com/gtm.js?id=gtm-<code> via script injected in the HTML file shown on the image below.

There is nothing unusual in this behaviour, many websites use Google Tag Manager and it looks exactly the same (it can be suspicious that the website loads more than one GTM script though). But if we look closer in the gtm.js file, we can find suspicious code in it. In the image below there is a comparison between malicious and clean GTM script. In the malicious file, there is added custom code that loads another javascript file from ganalitis[.]com. This is the feature of GTM, it is possible to add a custom script (which is then loaded from googletagmanager.com domain). 

We were able to connect (based on our common signature and IP) ganalitis[.]com with similar domains from the same attacker (data from RiskIQ).

The second stage (downloaded from the malicious domain) is a file named favicon (later renamed to refresh) that contains about 400 lines of obfuscated javascript code. We found that this code was being changed over time to avoid detection. The deobfuscated code is shown below, almost everything out of the 400 lines of code was just obfuscation. This file hides malicious code responsible for downloading the final stage through WebSockets.

The final stage of malware is downloaded through WebSockets. First, the web page sends its hostname, and then according to that information the corresponding malicious javascript is received. This communication is shown in the image below.

Malicious javascript code is about 1k lines long (formatted) and as the previous stage is also obfuscated. This code is responsible for stealing the payment details. At the end of the obfuscated javascript code (shown in the image below) is configuration which is different for every infected eshop. The red box at the bottom shows the configuration where the fake payment form will be inserted into an HTML file on the infected website.

The code from the yellow box is decoded in the white box. It is a dictionary, the key E528330211747l contains the form field names that match the input form field names on the infected webpage. The last key contains an exfiltration URL that is encoded in base64. In the image below is a code from an infected website, we can see that the id of the email field (customer-email) is in the mentioned code.

The missing field names (from fake payment form) are in the variable a0_0x11ac38. Which is an array and contains the following fields:

The fake payment form embedded on the infected website is shown in the image below. Above is the infected webpage, while below is how the webpage looks normally.

The stolen payment details (including details such as name and address) are sent to the attacker encoded in base64 through WebSockets.

Affected users

In the map below are shown countries with the most affected users. The top is Argentina, because of prune[.]com[.]ar. Site was infected with the new malicious domain gstatlcs[.]com.

The second one is Saudi Arabia e-commerce website souqtime[.]com. From RiskIQ data we can see that this e-commerce website was infected over time with at least seven different web skimming domains.

Currently Avast detects the malicious domain gstatuslink[.]com on souqtime[.]com.

Conclusion

Overall, we can say that the attacker uses Google Tag Manager to avoid detection. At the same time they were able to change the domains from which the malicious code was loaded over time, he also changed the malicious code itself to hide from detection by antivirus.

Some websites were infected for several months (for example souqtime[.]com). It can be difficult for users to spot that the site is infected. For example, it is suspicious if the user fills in the payment form on the website itself and is then redirected to another payment form on the payment gateway webpage. But in cases where the payment form is normally present directly on the e-commerce website and the attacker steals payment details from this legitimate form, it is really hard to notice that the website is infected. Therefore we recommend using a second factor (e.g. mobile app or SMS code) to confirm internet payments if the bank supports it.

Website owners should keep software updated, monitor logs for any suspicious activity, use strong passwords and also use Web Application Firewall.

IOC malicious domains:

• pixstatics[.]com
• ganalitics[.]com
• bingfindapi[.]com
• webfaset[.]com
• ganalitis[.]com
• gstatsc[.]com
• gstatlcs[.]com
• gstatuslink[.]com
• gtagmagr[.]com

The post Web Skimming Attacks Using Google Tag Manager appeared first on Avast Threat Labs.

Experts warn Emotet malware campaign using “unconventional” IP address formats in an attempt to evade detection.

Threat actors behind a recent Emotet malware campaign have been observed using using “unconventional” IP address formats to evade detection. Trend Micro researchers reported that threat actors are using hexadecimal and octal representations of the IP address.

“We observed Emotet spam campaigns using hexadecimal and octal representations of IP addresses, likely to evade detection via pattern matching. Both routines use social engineering techniques to trick users into enabling document macros and automate malware execution. Upon receiving these standards, operating systems (OS) automatically convert the values to the dotted decimal quad representation to initiate the request from the remote servers.” reported Trend Micro.

The attack chain is the same used in previous campaigns, treat actors distribute the malware through weaponized Excel documents using Excel 4.0 Macros, a dated feature used to automate repetitive tasks in the popular Office software.

Once tricked recipient in enabling document macros, the malicious code will contact a URL that’s obfuscated with carets (“h^tt^p^:/^/0xc12a24f5/cc.html”), with the host incorporating a hexadecimal representation of the IP address to execute an HTML application (HTA) code from a remote host under the control of the attackers:

Experts pointed out that once executed, the macro also invokes cmd.exe > mshta.exe with the URL as an argument to download and execute an HTA code from the remote host. This specific behavior could be used to detect the ongoing attack.

The researchers also spotted another variant of this malspam campaign that obfuscated the URL with carets but the IP contains an octal representation. Decoding the string “h^tt^p^:/^/0056.0151.0121.0114/c.html” into a dotted quad format we obtain 46[.]105[.]81[.]76.

“Moreover, the unconventional use of hexadecimal and octal IP addresses may result in evading current solutions reliant on pattern matching. But in the same vein, the unusual technique in the command lines can be used as a detection opportunity, with security teams using filters as leverage that can be enabled to treat such IP addresses as suspicious and associate them with malware.” concludes the report that also includes indicators of compromise for these attacks.

The Emotet banking trojan has been active at least since 2014, the botnet is operated by a threat actor tracked as TA542. The infamous banking trojan was also used to deliver other malicious code, such as Trickbot and QBot trojans, or ransomware such as Conti, ProLock, Ryuk, and Egregor.

In mid-November researchers from multiple cybersecurity firms ([Cryptolaemus], [GData], and [Advanced Intel]) reported that threat actors are using the TrickBot malware to drop an Emoted loader on infected devices. The experts tracked the campaign aimed at rebuilding the Emotet botnet using TrickBot’s infrastructure as Operation Reacharound.

In December, the Emotet malware was observed directly installing Cobalt Strike beacons to give the attackers access to the target network.

Researchers from AdvIntel believe that the return will have a significant impact on the ransomware operations in the threat landscape, likely “the largest threat ecosystem shift in 2021” and beyond due to three reasons:

1. Emotet’s unmatched continuous loader capabilities
2. The correlation between these capabilities and the demanded of the contemporary cybercrime market
3. The return of the TrickBot-Emotet-Ransomware triad resulted from the first two points.

The Emotet botnet was resurrected by its former operator, who was convinced by the Conti ransomware gang. The shutdown of the Emotet operation resulted in the lack of high-quality initial access brokers.

Qbot and TrickBot used Emotet’s service to deploy multiple ransomware strains, including Conti, DoppelPaymer, Egregor, ProLock, Ryuk, and others).

The vacuum left by Emotet shutdown urged its resurgence, for this reason, its return will have a major impact on the threat landscape.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Emotet)

The post Emotet spam uses unconventional IP address formats to evade detection appeared first on Security Affairs.

VulnLab

A web vulnerability lab project developed by Yavuzlar.

Vulnerabilities

• SQL Injection
• Cross Site Scripting (XSS)
• Command Injection
• Insecure Direct Object References (IDOR)
• Cross Site Request Forgery (CSRF)
• XML External Entity (XXE)
• Insecure Deserialization
• File Upload
• File Inclusion
• Broken Authentication

Installation

Install with DockerHub

1. If you want to install on DockerHub, just type this command.

    docker run --name vulnlab -d -p 1337:80 yavuzlar/vulnlab:latest

2. Go to http://localhost:1337

Manuel Installation

1. Clone the repo

    git clone https://github.com/Yavuzlar/VulnLab

2. Build docker image

    docker build -t yavuzlar/vulnlab .

3. Run container

    docker run -d -p 1337:80 yavuzlar/vulnlab

4. Go to http://localhost:1337

Google Cloud

Contact

Website
Linkedln
Twitter
Instagram

Are you great with details? Do you like juggling multiple projects at once? Is your organization system the topic of awed discussion between your co-workers? Or are you just interested in getting into cybersecurity from a different angle? If so, you might already be a top-notch project manager and not even know it!

Join a panel of past Cyber Work Podcast guests as they discuss their tips to become a project management all-star:
– Jackie Olshack, Senior Program Manager, Dell Technologies
– Ginny Morton, Advisory Manager, Identity Access Management, Deloitte Risk & Financial Advisory

If you’re interested in project management as a long-term career, Jackie and Ginny will discuss their career histories and tips for breaking into the field. If you plan to use project management as a way to learn more about other cybersecurity career paths, we’ll also cover how to leverage those skills to transition into roles.

This episode was recorded live on December 15, 2021. Want to join the next Cyber Work Live and get your career questions answered? See upcoming events here: https://www.infosecinstitute.com/events/

Want to earn your PMP certification? Learn more here: https://www.infosecinstitute.com/courses/pmp-boot-camp-training/

The topics covered include:
0:00 - Intro
0:51 - Meet the panel
3:12 - Why we're talking project management
6:27 - Agenda for this discussion
6:55 - Part 1: Break into cybersecurity project management
7:45 - Resume recommendations for project managers
12:35 - Interview mistakes for project managers
19:22 - Creating your elevator pitch
23:10 - Importance of your LinkedIn page
25:05 - What certifications should I get?
30:38 - Do I need to be technical to be successful?
34:20 - How to build cybersecurity project management skills
38:28 - Part 2: Doing the work of project management
40:47 - Getting team members to lead themselves
44:50 - Dealing with customer ambiguity
47:30 - Part 3: Pivoting out of project management
47:48 - How do I change roles in an organization
51:50 - What's the next step after cybersecurity project manager?
53:43 - How to move from PMing security teams into leading them?
59:05 - Outro

About Infosec
Infosec believes knowledge is power when fighting cybercrime. We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and privacy training to stay cyber-safe at work and home. It’s our mission to equip all organizations and individuals with the know-how and confidence to outsmart cybercrime. Learn more at infosecinstitute.com.

The FBI warns that cybercriminals are using malicious QR codes to steal their credentials and financial info.

The Federal Bureau of Investigation (FBI) published a public service announcement (PSA) to warn that cybercriminals are using QR codes to steal their credentials and financial info.

QR codes are widely adopted by businesses to facilitate payment. In a classic use case, a business provides customers with a QR code directing them to a site where they can make a payment.

Crooks can replace the QR code with a tampered one and hijack the sender’s payment.

Unaware people that scan the QR codes are redirected to malicious websites that are crafted to steal login and financial information.

“cybercriminals are taking advantage of this technology by directing QR code scans to malicious sites to steal victim data, embedding malware to gain access to the victim’s device, and redirecting payment for cybercriminal use.” reads the FBI’s PSA. “Cybercriminals tamper with both digital and physical QR codes to replace legitimate codes with malicious codes. A victim scans what they think to be a legitimate code but the tampered code directs victims to a malicious site, which prompts them to enter login and financial information.”

Malicious websites could also deliver malware on the victims’ devices or hijack their payments to accounts under their control.

“While QR codes are not malicious in nature, it is important to practice caution when entering financial information as well as providing payment through a site navigated to through a QR code,” the FBI states. 

The FBI announcement includes tips to protect people from such kind of attacks; feds recommend checking the URL obtained by scanning a QR code to make sure it is the intended site and looks authentic. Threat actors could use a malicious domain name that is similar to the intended URL but with typos or a misplaced letter.

Double-check any site navigated to from a QR code before providing login, personal, or financial information.

If scanning a physical QR code, ensure the code has not been tampered with, such as with a sticker placed on top of the original code.

Never download an app from a QR code, avoid making any payment requested through unsolicited email that uses social engineering techniques to trick recipients into scanning the embedded QR code.

Do not download a QR code scanner app from unofficial stores to avoid being infected with tainted apps, most phones today have a built-in scanner through the camera app.

If users will receive a QR code from someone they know, they can reach them via an alternative channel to verify that the code is from them.

Never make payments through a site navigated to from a QR code, it is recommended to manually enter a known and trusted URL to complete the payment.

In November, the FBI Internet Crime Complaint Center (IC3) published an alert to warn the public of fraudulent schemes leveraging cryptocurrency ATMs and Quick Response (QR) codes to complete payment transactions.ⓘThis payment option makes it quite impossible to recover the money stolen with fraudulent schemes.

QR codes can be used at cryptocurrency ATMs to transfer money to an intended recipient and crooks started using them to receive payments from victims.

Fraudulent schemes include online impersonation in which scammer poses as a familiar entity (i.e. The government, law enforcement, a legal office, or a utility company), romance scams, and lottery schemes (scammer attempt to convince victims that they have won an award).

In all the fraudulent schemes, scammers provide a QR code associated with the scammer’s cryptocurrency wallet that the victim has to use during the transaction. The victims are instructed to make the transition at a physical cryptocurrency ATM where inserting money that can purchase cryptocurrency before transferring them using the provided QR code.

In these schemes, the scammers are in constant online communication with the victims and provide step-by-step instructions to make the payment.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, QR codes)

Cybersecurity provider F5 released security patches to address 25 vulnerabilities affecting its BIG-IP, BIG-IQ, and NGINX products.

Cybersecurity firm F5 announced security patches for 25 vulnerabilities affecting its BIG-IP, BIG-IQ, and NGINX products. Most of the vulnerabilities (23) addressed by the company affect the BIG-IP application delivery controller (ADC), 13 of them have been rated as high-severity issues (CVSS score 7.5).

The issues received CVEs between CVE-2022-23010 to CVE-2022-23032.

The vulnerabilities can cause the termination of the Traffic Management Microkernel (TMM), can lead to an increase in memory resource utilization, freezing virtual servers, or executing JavaScript code.

F5 addressed the flaws with the release of versions 14.x, 15.x, and 16.x.

The security provider also addressed two high-severity vulnerabilities in BIG-IQ centralized management and NGINX controller API management tracked as CVE-2022-23009 and CVE-2022-23008 respectively.

Regarding the CVE-2022-23008 flaw, an authenticated attacker with access to the ‘user’ or ‘admin’ role can use undisclosed API endpoints on NGINX Controller API Management to inject JavaScript code that is executed on managed NGINX data plane instances.

All the medium-severity vulnerabilities affect BIG-IP, but the CVE-2022-23023 issue also impacts BIG-IQ as well.

The company has also addressed a low-severity vulnerability, tracked as CVE-2022-23032, that can lead to a DNS rebinding attack.

The United States Cybersecurity and Infrastructure Security Agency (CISA) published a security advisory to encourage administrators to review the F5 security advisory.

“F5 has released its January 2022 Quarterly Security Notification addressing vulnerabilities affecting multiple versions of BIG-IP, BIG-IQ, and NGINX Controller API Management. A remote attacker could exploit these vulnerabilities to either deny service to, or take control of, an affected system.” reads the advisory published by CISA.

“CISA encourages users and administrators to review the F5 security advisory and install updated software or apply the necessary mitigations as soon as possible.”

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, REvil ransomware)

Whatfiles is a Linux utility that logs what files another program reads/writes/creates/deletes on your system. It traces any new processes and threads that are created by the targeted process as well.

Rationale:

I've long been frustrated at the lack of a simple utility to see which files a process touches from main() to exit. Whether you don't trust a software vendor or are concerned about malware, it's important to be able to know what a program or installer does to your system. lsof only observes a moment in time and strace is large and somewhat complicated.

Sample output:

mode:  read, file: /home/theron/.gimp-2.8/tool-options/gimp-clone-tool, syscall: openat(), PID: 8566, process: gimp
mode:  read, file: /home/theron/.gimp-2.8/tool-options/gimp-heal-tool, syscall: openat(), PID: 8566, process: gimp
mode:  read, file: /home/theron/.gimp-2.8/tool-options/gimp-perspective-clone-tool, syscall: openat(), PID: 8566, process: gimp
mode:  read, file: /home/theron/.gimp-2.8/tool-options/gimp-convolve-tool, syscall: openat(), PID: 8566, process: gimp
mode:  read, file: /home/theron/.gimp-2.8/tool-options/gimp-smudge-tool, syscall: openat(), PID: 8566, process: gimp
mode:  read, file: /home/theron/.gimp-2.8/tool-options/gimp-dodge-burn-tool, syscall: openat(), PID: 8566, process: gimp
mode:  read, file: /home/theron/.gimp-2.8/tool-options/gimp-desaturate-tool, syscall: openat(), PID: 8566, process: gim   p
mode:  read, file: /home/theron/.gimp-2.8/plug-ins, syscall: openat(), PID: 8566, process: gimp
mode:  read, file: /usr/lib/gimp/2.0/plug-ins, syscall: openat(), PID: 8566, process: gimp
mode:  read, file: /home/theron/.gimp-2.8/pluginrc, syscall: openat(), PID: 8566, process: gimp
mode:  read, file: /usr/share/locale/en_US/LC_MESSAGES/gimp20-std-plug-ins.mo, syscall: openat(), PID: 8566, process: gimp
mode:  read, file: /usr/lib/gimp/2.0/plug-ins/script-fu, syscall: openat(), PID: 8566, process: gimp
mode:  read, file: /etc/ld.so.cache, syscall: openat(), PID: 8574, process: /usr/lib/gimp/2.0/plug-ins/script-fu
mode:  read, file: /etc/ld.so.cache, syscall: openat(), PID: 8574, process: /usr/lib/gimp/2.0/plug-ins/script-fu
mode:  read, file: /usr/lib/libgimpui-2.0.so.0, syscall: openat(), PID: 8574, process: /usr/lib/gimp/2.0/plug-ins/script-fu
mode:  read, file: /usr/lib/libgimpwidgets-2.0.so.0, syscall: openat(), PID: 8574, process: /usr/lib/g   imp/2.0/plug-ins/script-fu
mode:  read, file: /usr/lib/libgimpwidgets-2.0.so.0, syscall: openat(), PID: 8574, process: /usr/lib/gimp/2.0/plug-ins/script-fu
mode:  read, file: /usr/lib/libgimp-2.0.so.0, syscall: openat(), PID: 8574, process: /usr/lib/gimp/2.0/plug-ins/script-fu
mode:  read, file: /usr/lib/libgimpcolor-2.0.so.0, syscall: openat(), PID: 8574, process: /usr/lib/gimp/2.0/plug-ins/script-fu

Use:

• basic use, launches ls and writes output to a log file in the current directory:

  $ whatfiles ls -lah ~/Documents

• specify output file location with -o:

  $ whatfiles -o MyLogFile cd ..

• include debug output, print to stdout rather than log file:

  $ whatfiles -d -s apt install zoom

• attach to currently running process (requires root privileges):

  $ sudo whatfiles -p 1234

Distribution

Ready-to-use binaries are on the releases page! Someone also kindly added it to the Arch repository, and letompouce set up a GitLab pipeline as well.

Compilation (requires gcc and make):

$ cd whatfiles
$ make
$ sudo make install

Supports x86, x86_64, ARM32, and ARM64 architectures.

Questions that could be asked at some point:

• Isn't this just a reimplementation of strace -fe trace=creat,open,openat,unlink,unlinkat ./program?

  Yes. Though it aims to be simpler and more user friendly.

• Are there Mac and Windows versions?

  No. Tracing syscalls on Mac requires task_for_pid(), which requires code signing, which I can't get to work, and anyway I have no interest in paying Apple $100/year to write free software. dtruss on Mac can be used to follow a single process and its children, though the -t flag seems to only accept a single syscall to filter on. fs_usage does something similar though I'm not sure if it follows child processes/threads. Process Monitor for Windows is pretty great.

Known issues:

• Tabs crash when whatfiles is used to launch Firefox. (Attaching with -p [PID] once it's running works fine, as does using whatfiles to launch a second Firefox window if one's already open.)

Planned features:

• None currently, open to requests and PRs.

Thank you for your interest, and please also check out Cloaker, Nestur, and Flying Carpet!

OpenSubtitles has suffered a data breach, the maintainers confirmed that the incident impacted 7 Million subscribers.

OpenSubtitles is a popular subtitles websites, it suffered a data breach that affected 6,783,158 subscribers. Exposed data include email and IP addresses, usernames, the country of the user and passwords stored as unsalted MD5 hashes.

The administrator of the website become aware of the hack after a hacker notified them via Telegram in August 2021 demanding the payment of a ransom. The attacker also offered his support to OpenSubtitles to address the security flaws he has found on the website. Administrators of the website agreed to pay the ransom due to the low amount, but after receiving the ransom, the attackers never helped them to secure the website and on 11 January 2022 they leaked the data online.

The hack is the result of poor cyber security since its launch in 2006, administrator OSS said. It seems that the threat actor exploited a SQL injection to access the database of the website.

“In August 2021 we received message on Telegram from a hacker, who showed us proof that he could gain access to the user table of opensubtitles.org, and downloaded a SQL dump from it.” reads a data breach notification published on the website. “He asked for a BTC ransom to not disclose this to public and promise to delete the data.

“We hardly agreed, because it was not low amount of money. He explained us how he could gain access, and helped us fix the error. On the technical side, he was able to hack the low security password of a SuperAdmin, and gained access to an unsecured script, which was available only for SuperAdmins. This script allowed him to perform SQL injections and extract the data.”

The financial data of the subscribers haven’t been compromised by the attacker.

Subscribers are recommended to change opensubtitles.org and opensubtitles.com and forum password. Subscribers that shared opensubtitles.org password somewhere else are recommended to change it as well.

Administrators announced the improvement of the security of the website, including the introduction of new password policy.

“The site SHOULD be more secure now, we improved the way users are connecting to the site, the accounts will be locked after some successful logins, we introduced new password policy, we removed session info from table, IP should not be spoofable anymore, Captchas on login, register, password-reset, CSRF on forms, requests will be cancelled if admins change their IP during session, user passwords are saved in safe form using hash_hmac and sha256 algo with salt and pepper, all md5() passwords are deleted. For IT geeks – yes, we are using password_hash(), with peppered sha256 password, BCRYPT and for verification password_verify()” concludes the notification. “Note that our new site, opensubtitles.com was built with stronger security concerns, and already included all the points described above.”

Subscribers can check if their data have been exposed by querying the data breach notification website Have I Been Pwned that received the list of compromised users.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, OpenSubtitles)

The post OpenSubtitles data breach impacted 7 million subscribers appeared first on Security Affairs.

US CISA added seventeen new actively exploited vulnerabilities to the ‘Known Exploited Vulnerabilities Catalog’.

The ‘Known Exploited Vulnerabilities Catalog‘ is a list of known vulnerabilities that threat actors have abused in attacks and that are required to be addressed by Federal Civilian Executive Branch (FCEB) agencies.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts recommend also private organizations review the Known Exploited Vulnerabilities Catalog and address the vulnerabilities in their infrastructure.

The Cybersecurity and Infrastructure Security Agency (CISA) this week added seventeen actively exploited vulnerabilities to the Catalog.

The total number of vulnerabilities included in the catalog reached this week 341 vulnerabilities.

CISA is requiring 10 of 17 vulnerabilities added this week to be addressed within February 1st, 2022.

One of the issues added this week is a vulnerability in the October CMS, tracked as CVE-2021-32648, which was recently exploited in attacks against websites of the Ukrainian government.

CISA also added a vulnerability, tracked as CVE-2021-35247, recently addressed by SolarWinds in Serv-U products that threat actors are actively exploited in the wild. The company pointed out that all the attack attempts failed.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Known Exploited Vulnerabilities Catalog)

CFRipper is a Python-based Library and CLI security analyzer that functions as an AWS CloudFormation security scanning and audit tool, it aims to prevent vulnerabilities from getting to production infrastructure through vulnerable CloudFormation scripts.

You can use CFRipper to prevent deploying insecure AWS resources into your Cloud environment. You can write your own compliance checks by adding new custom plugins.

CFRipper should be part of your CI/CD pipeline. It runs just before a CloudFormation stack is deployed or updated and if the CloudFormation script fails to pass the security check it fails the deployment and notifies the team that owns the stack.

Read the rest of CFRipper – CloudFormation Security Scanning & Audit Tool now! Only available at Darknet.

Cyberespionage group Molerats has been observed abusing legitimate cloud services, like Google Drive and Dropbox as attack infrastructure.

Zscaler ThreatLabz analyzed an active espionage campaign carried out by Molerats cyberespionage group (aka TA402, Gaza Hackers Team, Gaza Cybergang, and Extreme Jackal) that abuses legitimate cloud services like Google Drive and Dropbox as attack infrastructure. Public cloud services are used to host malicious payloads or for command-and-control infrastructure in attacks aimed at targets across the Middle East.

In December 2021, ThreatLabz researchers identified several macro-based MS office files that were used in attacks against entities in the Middle East. The bait files were employed in cyber espionage attacks, they contain decoy themes related to geo-political conflicts between Israel and Palestine. Similar bait files were also used in previous cyberespionage campaigns attributed to the Molerats APT group.

MoleRATs is an Arabic-speaking, politically motivated group of hackers that has been active since 2012, 

The researchers discovered that the current campaign has been active since July 2021, the threat actors switched the distribution method in December 2021 and applied minor changes in the .NET backdoor.

“The targets in this campaign were chosen specifically by the threat actor and they included critical members of banking sector in Palestine, people related to Palestinian political parties, as well as human rights activists and journalists in Turkey.” reads the analysis published by Zscaler.

The macro code embedded in the weaponized decoy document simply executes a command using cmd.exe which in turn executes a PowerShell command to download and drop the stage-2 payload from the URL (“http://45.63.49[.]202/document.html”) to the path “C:\ProgramData\document.htm”. Executes servicehost.exe

Then it renames document.htm to servicehost.exe and executes ‘servicehost.exe.’

The .NET-based malware masquerades itself as a WinRAR application by using the icon and other resources and is obfuscated using the ConfuserEx packer.

The backdoor performs the following operations:

1. Collects the machine manufacture and machine model information using WMI which is used for execution environment checks and is later exfiltrated to C2 server.
2. Checks if it should execute in the current execution environment.
3. Creates a mutex with the name of executing binary.
4. Checks if the mutex is created successfully.
5. Determines if it is executed for the first time using the registry key value “HKCU/Software/{name_of_executing_binary}/{name_of_executing_binary}”. 
6. If the registry key doesn’t exist, the code flow goes via a mouse check function which executes the code further only if it detects a change in either of the mouse cursor coordinates. In the end, the mouse check function also creates the same registry key.

The backdoor supports multiple capabilities, such as taking snapshots, listing and uploading files, and running arbitrary commands on the compromised system.

“The major difference between the new attack chain and the old attack chain is seen in the backdoor delivery. Although we are not sure how these RAR/ZIP files were delivered but considering the past attacks they were likely delivered using Phishing PDFs. Additionally, we found a minor variation in the way the backdoor extracted the primary Dropbox account token.” Zscaler ThreatLabz researchers conclude.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Molerats APT)

The post Molerats cyberespionage group uses public cloud services as attack infrastructure appeared first on Security Affairs.

Scans web applications for second-order subdomain takeover by crawling the app, and collecting URLs (and other data) that match certain rules, or respond in a certain way.

Installation

From binary

Download a prebuilt binary from the releases page and unzip it.

From source

Go version 1.17 is recommended.

go install -v github.com/mhmdiaa/[email protected]

Docker

docker pull mhmdiaa/second-order

Command line options

  -target string
        Target URL
  -config string
        Configuration file (default "config.json")
  -depth int
        Depth to crawl (default 1)
  -header value
    	Header name and value separated by a colon 'Name: Value' (can be used more than once)
  -insecure
        Accept untrusted SSL/TLS certificates
  -output string
        Directory to save results in (default "output")
  -threads int
        Number of threads (default 10)

Configuration File

Example configuration files are in config

• LogQueries: A map of tag-attribute queries that will be searched for in crawled pages. For example, "a": "href" means log every href attribute of every a tag.
• LogNon200Queries: A map of tag-attribute queries that will be searched for in crawled pages, and logged only if they contain a valid URL that doesn't return a 200 status code.
• LogInline: A list of tags whose inline content (between the opening and closing tags) will be logged, like title and script

Output

All results are saved in JSON files that specify what and where data was found

• The results of LogQueries are saved in attributes.json

{
    "https://example.com/": {
        "input[name]": [
            "user",
            "id",
            "debug"
        ]
    }
}

• The results of LogNon200Queries are saved in non-200-url-attributes.json

{
    "https://example.com/": {
        "script[src]": [
            "https://cdn.old_abandoned_domain.com/app.js",
        ]
    }
}

• The results of LogInline are saved in inline.json

{
    "https://example.com/": {
        "title": [
            "Example - Home"
        ]
    },
      "https://example.com/login": {
        "title": [
            "Example - login"
        ]
    }
}

Usage Ideas

This is a list of tips and ideas (not necessarily related to second-order subdomain takeover) on what to use Second Order for.

• Check for second-order subdomain takeover: takeover.json. (Duh!)
• Collect inline and imported JS code: javascript.json.
• Find where a target hosts static files cdn.json. (S3 buckets, anyone?)
• Collect <input> names to build a tailored parameter bruteforcing wordlist: parameters.json.
• Feel free to contribute more ideas!

References

https://shubs.io/high-frequency-security-bug-hunting-120-days-120-bugs/#secondorder

https://edoverflow.com/2017/broken-link-hijacking/

A new round of the weekly Security Affairs newsletter arrived! Every week the best security articles from Security Affairs free for you in your email box.

If you want to also receive for free the newsletter with the international press subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)