Login
RSS Security docker run -it --net host --pid host --userns host --cap-add audit_control \
-e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
-e CSF_CDN='<TO-UPDATE>' \
-v /etc:/etc \
-v /usr/bin/docker-containerd:/usr/bin/docker-containerd \
-v /usr/bin/docker-runc:/usr/bin/docker-runc \
-v /usr/lib/systemd:/usr/lib/systemd \
-v /var/lib:/var/lib \
-v /var/run/docker.sock:/var/run/docker.sock \
--label csf_client \
-d armourbird/csf_clientdocker run -p 80:8000 -d armourbird/csf_servergit clone git@github.com:armourbird/csf.git
cd csf_client
docker build . -t csf_clientgit clone git@github.com:armourbird/csf.git
cd csf_server
docker build . -t csf_server
Atlassian released security updates to address critical vulnerabilities in Jira Service Desk and Jira Service Desk Data Center. One of the flaw can lead to information disclosure, while another critical vulnerability addressed by Atlassian could allow server-side template injection leading to remote code execution. The Jira Service Desk is a help desk request tracker brought to you by Atlassian that allows companies to easily receive, track, manage, and resolve requests from your team’s customers.
The first vulnerability affecting Service Desk and Service Desk Data Center is a URL path traversal.
The flaw, tracked as CVE-2019-14994, could lead to information disclosure, it could be exploited by anyone with access to the portal, including customers. The vulnerability has been discovered by the security researcher Sam Curry.
Should be publishing a PoC explaining a bug I found in Jira Service Desk sometime here soon – it's a really neat find that mirrors some past work from @orange_8361
— Sam Curry (zlz) (@samwcyo) September 18, 2019
“Affected JIRA Service Desk versions in CVE-2019-14994 will allow
“This allows Service Desk Customers who normally don’t have access to tickets that are not their own to view details of tickets contained in the XML generated results in all JIRA Service Desk projects.”
An attacker could exploit the flaw to view all issues within all Jira projects contained in the vulnerable installation, including Service Desk projects, Jira Core projects, and Jira Software projects.
The security researchers Satnam Narang of Tenable reported that tens of thousands of installs are exposed online, the IT ticketing application is widely adopted in several sectors including the healthcare, government, education and manufacturing industry.
“According to the advisory, an attacker with access to the web portal can send a specially crafted request to the Jira Service Desk portal to bypass these restrictions and view protected information. In order to exploit the vulnerability, the Customer Permissions settings for who can raise a request must be set to “Anyone can email the service desk or raise a request in the portal,” which may be a common configuration because the other two options limit who can open requests.” reported Tenable. “In addition to viewing protected information within Jira Service Desk, an attacker could also view protected information from Jira Software and Jira Core if the “Browse Project” permission is set to Group – Anyone.”
The vulnerability
The following versions of Service Desk Server and Service Desk Data Center address the CVE-2019-14994: 3.9.16, 3.16.8, 4.1.3, 4.2.5, 4.3.4, and 4.4.1.
A possible workaround consists of blocking requests to JIRA containing ‘..’ at the reverse proxy or
<rule>
<from>^/[^?]*\.\..*$</from>
<to type="temporary-redirect">/</to>
</rule>The second critical flaw addressed by Atlassian is a Template injection issue in Jira Importers Plugin.
The flaw tracked as CVE-2019-15001 affects version 7.0.10 of
“There was a server-side template injection vulnerability in Jira Server and Data Center, in the Jira Importers Plugin (JIM). An attacker with “JIRA Administrators” access can exploit this issue. Successful exploitation of this issue allows an attacker to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center.” reads the security advisory.
The vulnerability was reported by the researcher Daniil Dimitriev, it affects versions of the product start from 7.0.10 and include the following:
| |
(
The post Critical flaws affect Jira Service Desk and Jira Service Desk Data Center appeared first on Security Affairs.
BITS service having the MiTM listener on 127.0.0.1:6666 and when you have SeImpersonate or SeAssignPrimaryToken privileges. During a Windows build review we found a setup where BITS was intentionally disabled and port 6666 was taken.For the theory, see Rotten Potato - Privilege Escalation from Service Accounts to SYSTEM and follow the chain of links and references.We discovered that, other than
BITS there are a several COM servers we can abuse. They just need to:IMarshal interfaceCreateProcessWithToken (needs SeImpersonate)CreateProcessAsUser (needs SeAssignPrimaryToken)both135...T:\>JuicyPotato.exe
JuicyPotato v0.1
Mandatory args:
-t createprocess call: <t> CreateProcessWithTokenW, <u> CreateProcessAsUser, <*> try both
-p <program>: program to launch
-l <port>: COM server listen port
Optional args:
-m <ip>: COM server listen address (default 127.0.0.1)
-a <argument>: command line argument to pass to program (default NULL)
-k <ip>: RPC server ip address (default 127.0.0.1)
-n <port>: RPC server listen port (default 135)
-c <{clsid}>: CLSID (default BITS:{4991d34b-80a1-4291-83b6-3328366b9097})
-z only test CLSID and print token's userSeImpersonate or SeAssignPrimaryToken privileges then you are SYSTEM.DCOMCNFG but good luck, this is gonna be challenging.* SERVICE accounts. Stopping DCOM would certainly inhibit this exploit but could have a serious impact on the underlying OS.Hi folk, let me inform you that I suspended the newsletter service, anyway I’ll continue to provide you a list of published posts every week through the blog.
Once again thank you!
|
|
(
The post Security Affairs newsletter Round 232 appeared first on Security Affairs.
On January 14, 2020, support for Window 7, Windows Server 2008 and 2008 R2 will end, this means that users will no longer receive security updates.
In order to address security issued in their operating systems, users can install
0Patch platform from ACROS Security announced that it will released
“Once we have a POC and know how the vulnerability was fixed by the people who know the vulnerable code best (i.e., Microsoft developers), we’ll port their fix, functionally speaking, as a series of
The experts at 0Patch will review Microsoft’s security advisories to determine which flaws could affect Windows versions that reached the EOF. Then they will provide
0Patch researchers will provide
Of course, the time to release a
0Patch will
|
|
(SecurityAffairs – patch management, hacking)
The post 0patch will provide micropatches for Windows 7 and Server 2008 after EoS appeared first on Security Affairs.
In April 2018, Facebook revealed that 87 million users have been affected by the Cambridge Analytica case, much more than 50 million users initially thought. The company allowed to access to the personal data of around 87 million Facebook users without their explicit consent.
After the Cambridge Analytica privacy scandal in 2018, the social network giant launched a review of privacy practices. Facebook’s review of all apps on the platform aimed at determining alleged abuse of user data and violation of its privacy rules.
Now Facebook announced that the suspensions of tens of thousands of apps.
According to vice president of partnerships Ime Archibong, the suspensions are “not necessarily an indication that these apps were posing a threat to people.” Archibong also added that some “did not respond to our request for information.”
In July, the United States Federal Trade Commission (FTC) has approved a record $5 billion settlement with Facebook over the Cambridge Analytica scandal.
“Any developer that doesn’t go along with these requirements will be held accountable.” concluded Archibong.
|
|
(SecurityAffairs – social network, privacy)
The post Facebook suspends tens of thousands of apps from hundreds of developers appeared first on Security Affairs.
--debug argument), request a new feature, or send a pull request.$ python scout.py --help$ python scout.py PROVIDER --help$ python scout.py aws --profile PROFILE$ python scout.py aws$ python scout.py azure --cli$ python scout.py gcp --user-accountLast
Western
Immediately after Saudi Arabia oil attacks, experts speculated an escalation of cyber attacks against Iranian oil infrastructure as retaliation.
Today Iran denied that its oil infrastructure had been successfully hit by a cyber attacks.
“Contrary to Western media claims, investigations done today show no successful cyber attack was made on the country’s oil installations and other crucial infrastructure,” reads a statement published by the government’s cyber security office.
Despite the statement, security experts believe that a cyber offensive against Iranian infrastructure is onoing.
According to
Confirmed: Network data show intermittent disruptions to internet connectivity in #Iran from 6:30 PM UTC amid reports of disruptions and outages affecting online industrial and government platforms; limited impact affecting specific providers; root cause not yet established
— NetBlocks.org (@netblocks) September 20, 2019
The cause of the outage affecting online industrial and government platforms is not clear, but it could be consistent with a cyber attack.
“Data are consistent with a cyber attack or unplanned technical incident on affected networks as opposed to a purposeful withdrawal or shutdown incident,” it added.
In June, after
The Iranian telecommunications minister Mohammad Javad Azari Jahromi labeled the activity against its state as “cyber terrorism — such as Stuxnet — and
|
|
(
The post Iran denies successful cyber attacks hit infrastructures of its oil sector appeared first on Security Affairs.
It was after September 2016 when we decided to move our blog and since then I had a lot of fun in learning and experimenting much with “Jekyll” (based on “Poole”) and “BlackDoc”, and I just convert all posts statically into “Markdown” and all syntax highlighter into “Rouge” highlighter with templates coded in “Liquid”, and I was seriously dealing with coding in Ruby on FreeBSD for it. Wasn’t easy, but with help from the team, we did that, and I learned a lot.
Then on posting my research I moved along to try out several platforms, it’s good to actually know that we don’t have to depend only into a platform, and 3 (three) years out there was making us learning a lot about other reliable services in here and there. What me and the mates have learned is, in using any media services, either it’s your own or other’s party ones, they all are having their pro’s and con’s points. And frankly speaking, you won’t know for sure about each one of those con’s unless you go out there and try them yourself.
So, here we are, back to service where we first started to do MalwareMustDie blog. And I found that this environment is nicer than before, thank you Google for doing the hard work in satisfying and securing bloggers. So I just set it up and switched all access to HTTPS and hopefully the dead-links effect are minimum. For those who had problem with broken RSS this effort may be a good news to you. You can still access the MMD (MalwareMustDie) blog under sub-domain of “blog2” with HTTP but I won’t add more posts on those servers and I will minimize its service.
The bad side of all of these adventure is, now I have my research materials scattering around all over the internet during these past three years (smile). Oh yes, the research and its activity is still active as usual, yet now we’re happy that we don’t need to make much voice anymore, the security awareness are blooming..not like we had before in 2012, I am still hanging out with our friends and we’re still on to dissecting malware.. Linux or not.. Intel CPU ones or not, and to be noted: I am still a great fan of radare2 and FreeBSD!
I think some followers may not know what we’ve been doing all of these three years, or maybe they can’t track well our activities on our security research, so I decided to list some links for you to catch up with. Some of those reports are just screenshots with comments (security related pictures really paint thousand words), some are just posts in reddit or others, but all contains important information.
Does this means I am posting analysis blog again? Well, you’re going to find that out too
Here’s the list of what’s been done during these three years, enjoy:
Raccoon stealer infection in the wild
Dissecting on memory post exploitation powershell beacon w/ radare2
Intel POPSS Vulnerability PoC Reversed
“FHAPPI attack” : FreeHosting APT PowerSploit Poison Ivy
Honda Car’s Panel’s Rootkit from China
GoARM.Bot + static strip ARM ELF by ChinaZ
Linux/Mandibule (Process Injector)
So Many Mirai..Mirai on the wall)
Linux/Kaiten (modded ver) in Google clouds
Linux/Qbot or GafGyt ..in Kansas city?
ChinaZ gang is back to shellshock drops Elknot abuses USA networks
Webshell/r57shell, and..
I also posted either in VirusTotal comments, or previously posted some on kernelmode(not anymore), or sometimes making several posts or notes in reddit.
About my presentation of: “Unpacking the non-unpackable” (ELF packers talk) in R2CON2018
I may edit/change my posts to adjust or brush up their contents along with this post on transitioning the services, so there will be addition or changes.
Please stay safe, don’t code/use bad stuff, and enjoy the summary!
#MalwareMustDie!
Original Post: https://blog.malwaremustdie.org/2019/09/mmd-0063-2019-summarize-report-of-three.html
| |
(
The post MMD-0063-2019 – Summarize report of three years MalwareMustDie research (Sept 2016-Sept 2019) appeared first on Security Affairs.
US authorities have indicted two men, Elliot Gunton and Anthony Tyler Nashatka, for hacking the
In December 2017, the popular
According to ZDNet, one of the suspects, the Briton Elliott Gunton(20) aka “Glubz, was also accused of TalkTalk hack.
The other suspect is Anthony Tyler Nashatka, aka “psycho,” from New York city. The duo hacked the EtherDelta systems using employee data (phone number, email address) purchased on the black market.
“The two, over the course of just a week, went from buying an EtherDelta’s employee phone number off the black market to stealing funds from thousands of EtherDelta users.” reported ZDNet.
Court documents obtained by ZDNet in exclusive refer the employee was Z.C., experts believe he is the EtherDelta’s CEO. Clearly the access to the CEO account allowed the hacker to breach the company
The employee’s data wer
Six days later, on December 19, 2017. Gunton tricked a mobile
In this way, any incoming calls were silently forwarded to a Google Voice number operated by the two
On December 20, the two hackers modified DNS settings in the G Suite portal of EtherDelta and redirected Gmail traffic through a server under their control allowing them to reset the password on EtherDelta’s Cloudflare account. Once gained the access the Cloudflare account they were able to lock out any other employee of the company.
At this point, the duo changed EtherDelta’s DNS records associating the EtherDelta domain to a server under their control that was hosting a copy of the legitimate site used to trick victims into providing their credentials.
The DNS redirection was discovered in a few hours, but it was enough for the hackers to steal more than $800,000 from the accounts of the EtherDelta users.
According to ZDNet, the indictment was filed on August 13, in San Francisco, a few days before Gunton was sentenced to 20 months in prison in the UK. He was also ordered to pay back £407,359 and given a three-and-a-half-year community order, which restricts his internet and software use.
|
|
(
The post One of the hackers behind EtherDelta hack also involved in TalkTalk hack appeared first on Security Affairs.
example[.]com to example.com, test[at]example.com to test@example.com, hxxp://example.com to http://example.com, etc.| name | desc. | e.g. |
|---|---|---|
| text | Freetext | any string(s) |
| ip | IPv4 address | 8.8.8.8 |
| domain | Domain name | github.com |
| url | URL | https://github.com |
| Email address | test@test.com | |
| asn | ASN | AS13335 |
| hash | md5 / sha1 / sha256 | 44d88612fea8a8f36de82e1278abb02f |
| cve | CVE number | CVE-2018-11776 |
| btc | BTC address | 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa |
| gaPubID | Google Adsense Publisher ID | pub-9383614236930773 |
| gaTrackID | Google Analytics Tracker ID | UA-67609351-1 |
| name | url | supported types |
|---|---|---|
| AbuseIPDB | https://www.abuseipdb.com | ip |
| archive.org | https://archive.org | url |
| archive.today | http://archive.fo | url |
| BGPView | https://bgpview.io | ip / asn |
| BinaryEdge | https://app.binaryedge.io | ip / domain |
| BitcoinAbuse | https://www.bitcoinabuse.com | btc |
| Blockchain.com | https://www.blockchain.com | btc |
| BlockCypher | https://live.blockcypher.com | btc |
| Censys | https://censys.io | ip / domain / asn / text |
| crt.sh | https://crt.sh | domain |
| DNSlytics | https://dnslytics.com | ip / domain |
| DomainBigData | https://domainbigdata.com | domain |
| DomainTools | https://www.domaintools.com | ip / domain |
| DomainWatch | https://domainwat.ch | domain / email |
| EmailRep | https://emailrep.io | |
| FindSubDomains | https://findsubdomains.com | domain |
| FOFA | https://fofa.so | ip / domain |
| FortiGuard | https://fortiguard.com | ip / url / cve |
| Google Safe Browsing | https://transparencyreport.google.com | domain / url |
| GreyNoise | https://viz.greynoise.io | ip / domain / asn |
| Hashdd | https://hashdd.com | ip / domain / hash |
| HybridAnalysis | https://www.hybrid-analysis.com | ip / domain / hash (sha256 only) |
| Intelligence X | https://intelx.io | ip / domain / url / email / btc |
| IPinfo | https://ipinfo.io | ip / asn |
| IPIP | https://en.ipip.net | ip / asn |
| Joe Sandbox | https://www.joesandbox.com | hash |
| MalShare | https://malshare.com | hash |
| Maltiverse | https://www.maltiverse.com | domain / hash |
| NVD | https://nvd.nist.gov | cve |
| OOCPR | https://data.occrp.org | |
| ONYPHE | https://www.onyphe.io | ip |
| OTX | https://otx.alienvault.com | ip / domain / hash |
| PubDB | http://pub-db.com | gaPubID / gaTrackID |
| PublicWWW | https://publicwww.com | text |
| Pulsedive | https://pulsedive.com | ip / domaion / url / hash |
| RiskIQ | http://community.riskiq.com | ip / domain / email / gaTrackID |
| SecurityTrails | https://securitytrails.com | ip / domain / email |
| Shodan | https://www.shodan.io | ip / domain / asn |
| Sploitus | https://sploitus.com | cve |
| SpyOnWeb | http://spyonweb.com | ip / domain / gaPubID / gaTrackID |
| Talos | https://talosintelligence.com | ip / domain |
| ThreatConnect | https://app.threatconnect.com | ip / domain / email |
| ThreatCrowd | https://www.threatcrowd.org | ip / domain / email |
| ThreatMiner | https://www.threatminer.org | ip / domain / hash |
| TIP | https://threatintelligenceplatform.com | ip / domain |
| Urlscan | https://urlscan.io | ip / domain / asn / url |
| ViewDNS | https://viewdns.info | ip / domain / email |
| VirusTotal | https://www.virustotal.com | ip / domain / url / hash |
| Vulmon | https://vulmon.com | cve |
| VulncodeDB | https://www.vulncode-db.com | cve |
| VxCube | http://vxcube.com | ip / domain / hash |
| WebAnalyzer | https://wa-com.com | domain |
| We Leak Info | https://weleakinfo.com | |
| X-Force Exchange | https://exchange.xforce.ibmcloud.com | ip / domain / hash |
| ZoomEye | https://www.zoomeye.org | ip |
| name | url | supported types |
|---|---|---|
| Urlscan | https://urlscan.io | ip / domain / url |
| VirusTotal | https://www.virustotal.com | url |
Read and change all your data on the websites you visit: Display notifications: src directory, run through the TypeScript compiler, then webpack, and end up in JavaScript files in dist directory.git clone https://github.com/ninoseki/mitaka.git
cd mitaka
npm install
npm run test
npm run buildWhich are 5 Cybersecurity trends in the professional services sector?
Professional services organizations are especially vulnerable due to the high value of the industry and the data they store — like Social Security numbers, personal financial information and classified business communications.
Employees with non-technical backgrounds or low digital literacy often need access to networks that store highly sensitive data. But these same employees are the most vulnerable to cybercriminals.
The cybersecurity landscape is changing, and every industry will need to adapt. But professional services companies should pay the closest attention to these five trends.
1. Employee Training on Phishing and Digital Security
Hackers aren’t only coders — they’re also social engineers. When the network becomes harder to access, unprepared employees are one of the next best vectors of attack. One in 99 emails is a phishing attack, a fraudulent email designed to look legitimate so an employee will click on a malicious link inside or reply with privileged information.
Employees will need training on digital safety: how to spot phishing emails, and also how to spot bad links and downloads that can be a vector for viruses or other attacks.
2. Hackers Target Mobile Devices
Most phishing happens over email. But hackers can target any device that connects to the internet — including your smartphone. And once a hacker has access to your device, it can be trivial to, for example, intercept and store copies of all the emails you receive. Or use your digital credentials to gain access to confidential information.
IT departments will also need to train employees on the security of personal devices, and — if necessary — restrict what sort of devices can access sensitive data.
3. Ransomware Will Cost Businesses More
Ransomware is a term used to describe viruses that encrypt all the files on a user’s computer and hold them hostage for a fee. Ransomware costs small business an estimated $75 billion each year. And the ransoms continue to get higher and higher.
One major virus — the WannaCry ransomware — nearly shut down the British health care system in 2016. The virus is still infecting computers, even though researchers discovered a killswitch in the virus’ code two years ago.
In 2016, the professional services industry in the United States had a value of $1,100 billion. The industry’s presumed high ability to pay makes it a major target for ransomware.
Cybersecurity professionals need to learn how to respond to this specific kind of attack, and employees need training in digital literacy that will help them identify ransomware attacks and refer them to a security professional.
4. Data Privacy and Data Stewardship Are Becoming High Priorities
New data regulations, like the GDPR in Europe, have made data breaches more costly than ever. Companies who hold on to customer data must take the necessary precautions to defend that data by encrypting the data and restricting access to their network. Companies must also inform customers as soon as possible after a breach — sometimes within just a few days.
Companies, seeing the fines paid by major businesses like Equifax and British Airways, will want to beef up their security in a way that complies with U.S. (and possibly GDPR) regulations. These companies will also want to prepare for the worst-case scenario — how will we know if there has been a breach? And how will we respond?
5. Automation and AI Will Come to Cybersecurity
In cybersecurity, a burnout crisis is looming on the horizon. As demand outstrips the number of cybersecurity professionals on the job market, cybersecurity experts are working longer hours, defending against more threats — and shouldering more of the blame in the case of a breach. Cybercrimes are more common than ever, but the number of people entering cybersecurity hasn’t kept up.
Enterprises, wanting to lighten the burden placed on their IT and cybersecurity teams, are looking for any chance to automate processes.
Cybersecurity platforms that use artificial intelligence to beat digital threats are the latest trend in cybersecurity solutions — even if cybersecurity experts are wary of the technology. Be ready to see AI-based cybersecurity tools to become commonplace in the future, but don’t expect they will make your company invulnerable to attack.
What These Changes Mean for Professional Services
The professional services industry will need to adapt to a changing cybersecurity landscape. As data breaches become more common, businesses will need to make sure their employees can spot suspicious emails and links. And even the most secure company should prepare for the possibility of a data breach.
Cybersecurity is constantly advancing, but so are cybercriminals. Professional services industry will need to stay on top of these trends to keep their information safe.
Kayla Matthews is a technology and cybersecurity writer, and the owner of ProductivityBytes.com. To learn more about Kayla and her recent projects, visit her About Me page.
|
|
(
The post 5 Cybersecurity Trends in the Professional Services Sector appeared first on Security Affairs.
Researchers at Wandera discovered two adware selfie filter camera apps on the Google Play that were pushing ads and that can record audio. The bad news is that the two apps were downloaded 1.5M+ times.
The two apps are Sun Pro Beauty Camera (1M+ installs) and Funny Sweet Beauty Selfie Camera (500K installs)
The researchers
The adware pushed by the two malicious app covered the entire display of the Android device. The analysis of the two apps revealed that they required additional permissions such as access to the camera.
The two apps request RECORD_AUDIO permission that
Both apps request the SYSTEM_ALERT_WINDOW permission that allows the app to overlay some information and trick the user into clicking something he did not want or typing sensitive data.
Once the apps are launched, they created a shortcut and then removed
One of the main differences between the two apps is that SunPro Beauty Camera did not even need to be launched to push the ads, while the Funny Sweet Beauty Camera starts displaying the ads only when the app is used to download filtered photos on the device.
The experts reported the apps to Google on September 11 and the tech giant immediately removed them from Google Play.
Below recommendations published by the experts:
| |
(
The post Two selfie Android adware apps with 1.5M+ downloads removed from Play Store appeared first on Security Affairs.
Security experts at Cofense uncovered a phishing campaign that is targeting taxpayers in the United States attempting to infect them with a new piece of malware named Amadey.
The Amadey bot is a quite simple piece of malware that is available for hire for
“The Cofense Phishing Defense CenterTM has detected a new wave of attacks targeting the US taxpayer by delivering Amadey
The phishing messages used in this campaign purport to be from the Internal Revenue Service (IRS), they claim that the recipient is eligible for a tax refund.
In classic social engineering attack, the phishing message presents a “one time username and password” to the victims and urges the user to click the “Login Right Here” button.
The login button is an embedded Hyperlink that points to
Once provided the login credentials, the user will be informed of a pending refund and will be asked to download a document, print and sign it. The signed document has to be sent or uploaded to the portal. Experts discovered that when the user attempts to download the document, he will download a ZIP file that contains
The VBScript drops an executable that downloads and executes another executable. To Amadey malware achieves persistence by setting up a registry entry using the Reg.exe command-line tool.
Once the installation process is concluded, the Amedey bot connects to one of the command and control (C&C) servers via HTTP on port 80 and sends it system diagnostic information, then it waits for further instructions.
The Amedey malware sends back to the server several data, including a unique identifier of the infected system, the malware version, operating system, antivirus software, system name, and username.
The analysis published by Cofense includes the Indicators of Compromise (IoCs).
|
|
(SecurityAffairs – APT, hacking)
The post U.S. taxpayers hit by a phishing campaign delivering the Amadey bot appeared first on Security Affairs.
Nowadays the Malware-As-A-Service is one of the criminal favorite ways to breach
During our monitoring operations we discovered an infection-chain designed to deliver this kind of malware to some Italian companies. The attack has been carried out impersonating personnel from the Liberian division of a global Oil Corporate. The malicious email message were spoofed, but the reference to the employee was realistic and suggests he may have conducted some preliminary OSINT.
| Hash | 72087f6eda897bd3deb31fa85cfbeda8eae4bad0d51a123f3e99ae8fb604a8c0 |
| Threat | Macro Dropper |
| Brief Description | Agent Tesla Doc Macro Dropper |
| Ssdeep | 768:nI5p+fXDk6n/lj9uJUWbnyAik8Y61g187083VCP9V9eakw6L8:8p+fzP/bgfix28ly9VZH6L8 |
Table 1. Static information about the doc macro
The document uses a common phishing schema, it invites the user to enable the macro execution due to compatibility reasons with older Microsoft Office versions. The document contains an obfuscated VBA macro.
Despite the variable names and the altered code flow, the macro simply decodes its hidden payload and then executes it. In fact, after a series of text replacement the document spawns another Powershell script.
Code Snippet 1
The Powershell stage is substantially composed of three parts: the first is the declaration of function “b72f3()”, having the purpose to deobfuscate the second part of the script, contained into the “$k61b35e” variable. It actually is a C# source code snippet, compiled and loaded within the Powershell process at execution time. Once loaded, the third part of the script invokes the “o81f67()” method of the just compiled “p99a3fb” class.
Code snippet 2
Code Snippet 2 is the C# class to be loaded. It has the objective to download the payload from the drop url previosly decoded by the “b72f3()” function: “hxxp://www.handrush[.com/wp-content/plugins/akismet/views/DurGhamPop[.exe”
The payload is stored into “%APPDATA%\Roaming” path and it is immediately executed through the “Process.Start()” function.
| Hash | 51a95607ab767b8b70479bdb86cc0a20b53eda92cd11f3abbe9eda5616a50a97 |
| Threat | Agent Tesla Loader |
| Brief Description | Agent Tesla .NET C# loader |
| Ssdeep | 12288:8OQeYYBAkiEK/jfG3JI0YXvL7VIUMbHdX9WBRktIx4urElCccP:8cYCdiEK/jGXqLhqNQAICurrccP |
Table 2. Static information about the AgentTesla evasive loader
The dropped file payload is a .NET executable embedding some anti-analysis tricks. If it is executed on a virtual environment, the malware kills itself. It also uses some anti-debugging trick to decide if terminate its execution.
According to the MSDN documentation, the method Delegate.CreateDelegate “creates a delegate of the specified type that represents the specified static method of the specified class, with the specified case-sensitivity and the specified behavior on failure to bind“. This way, the control flow is switched to the delegated method which actually points to a DLL containing the anti-analysis logic.
Before passing the control to the “swety.dll” library, which is a sort of helper component with no particular scope except the identification of analysis environments, the first instructions executed here are designed to decode and load a byte array embedded inside the executable, unpacking the obfuscated code.
The Figure above shows how this payload is encoded within the byte array and the routine invoked to retrieve it. This byte array is actually a well-formed dll loaded through the “Thread.GetDomain().Load()” method. At this point, the control finally passes to the “swety.dll” library, the module in charge to detect the analysis environment.
| Hash | a0c9472bc1660be648adce938d5447d38ba6d6f166d18d9e9b4ec4dd74c315c0 |
| Threat | Swety evasion module |
| Brief Description | .NET Swety evasion module |
| Ssdeep | 1536:fKTxXyAZ0ngmxSHOKQZfRWC/BiwGJ/827Lwv9kAdhUkIahRm48GSL/bq0g+9R26:fKpXGxxdZfE37+9pdhjTm2k/bmQ26 |
Table 3. Static information about the “swety” evasive module
This component is always a .NET executable. The name of the classes are self-explicative: for instance, there are clear references to Virtual Machine detection logic.
In Figure 9, the malware retrieves the information about the current hardware and compares it with a defined set of criteria, when it finds a match, it kills itself. Otherwise, the dll continues its execution and loads another PE file hidden inside the initial loader. This last executable file runs as a new thread within the initial loader context.
| Hash | 82213cd55fee5374e407b4b98c45d7b0d291682ec0fd91b3ea47c32752b54ab9 |
| Threat | Agent Tesla |
| Brief Description | Agent Tesla Payload |
| Ssdeep | 6144:Ci+WZ3skyQgBYnQ7oEFjaRJ8d8ZxjD1N/a66Gq3ovDuItbP7:CbGyH5ZjaRedapNT6 |
Table 4. Static information about the AgentTesla payload
The extracted payload is a .NET binary file. AgentTesla and Hawkey have lots of pieces of code in common, and the analysis we made two months ago about the Hawkeye payload is similar to this one.
Also in this case every sensitive information, string or other information is encrypted through Rijndael algorithm and it tries to evade the sandbox to the common user names of the principal sandboxes. The persistence mechanisms is practically the same and the installation path of detected during the analysis is “%APPDATA%/Roaming/SecondLORI/SecondLORI.exe”
After its installation, the malware starts to retrieve all the credential stored within a wide list of web browsers, FTP clients, File Downloaders etc. For instance, it is able to steal accounts from:
The harvested credentials are then sent back to the attacker servers. The malware leverages the .NET API to easily set up a mail client to transmit the loot to a particular mailbox.
The name of the sender, “Lori”, matches the name in the persistence mechanism, “SecondLORI”. This username may belong to a previously compromised email account the attacker uses as a sort of SMTP relay to deliver the loot to the real exfiltration address, a GMail mailbox named “chevyview450@gmail.com”.
As we stated in the previous post about a custom weaponization of the Hawkeye info-stealer, these kinds of malware are well known and highly used by cyber criminals. But despite their popularity event into the info-sec community, these “commodity tools” still result to be quite effective especially when combined within custom multistage infection chains, renewing their dangerousness and effectiveness.
Further technical details, including Indicators of Compromise, are reported in the analysis published by the experts at the Cybaz-Yoroi ZLAB.
| |
(
The post Commodity Malware Reborn: The AgentTesla “Total Oil” themed Campaign appeared first on Security Affairs.
The same threat actor continues to target celebrity Instagram accounts to push scam sites to their wide audience. Recently the Instagram account of the popular actor Robert Downey Jr.
Once the hackers have ta
In this way attackers could generate profits in two
The experts observed the threat actors behind the attacks following a specific scam pattern.
“Each of the Instagram accounts were hijacked over the past couple of weeks and the attackers were in control enough to rotate multiple shortened links leading to webpages with surveys that collect personal information; this is sold for marketing purposes, typically of a darker shade.” reported BleepingComputer.
Once hacked the celebrity Instagram accounts the modify the bio to post messages saying that the celebrity was allegedly giving away 2000 iPhone XS devices and directing followers to his Story page for more offers like this.
The hackers also published a link, created with the URL shortening service, in the account bio that was pointing to a survey page likely set up to collect personal information.
The landing pages used in the attacks are hosted on the same domain,
In the hack of Nicole Scherzinger and Yanet García accounts, the threat actor used a more effective bait, it
The attackers promise to release the sex tape when the app download counter hit 5,000. The hacked account showed a fake nude image in the attempts to lure the visitor.
Security experts are warning users to secure their online accounts, using strong passwords and enabling
|
|
(
The post Crooks hacked other celebrity Instagram accounts to push scams appeared first on Security Affairs.
Researchers discovered a series of incidents involving software credit card skimmer used by Magecart to hit the booking websites of hotel chains.
In early September, the researchers discovered a JavaScript code onto two hotel websites belonging to different hotel chains. The JavaScript code was used to load a remote script on their payment page since August 9.
“When we first checked the script’s link, it downloaded a normal JavaScript code. However, we found that the same link could also download a different script when we requested it from mobile devices like Android or iOS phones.” reads the analysis published by Trend Micro. “The downloaded script for mobile devices is a credit card skimmer which can steal the information entered on the hotel booking page and send it to a remote server.”
Experts noticed that the link would deliver a credit card skimmer script only when users visited the websites using mobile devices, suggesting that the attackers aimed at targeting only mobile users.
Trend Micro noticed that infected websites were developed by
Although the module was only used for two websites of two different hotel chains, the number of potential victims is very high, as one of these brands has 107 hotels in 14 countries, while the other has 73 hotels in 14 countries.
“Despite the seemingly small number of affected sites, we still consider the attack significant given that one of the brands has 107 hotels in 14 countries while the other has 73 hotels in 14 countries. Note that we have reached out to
The code injected in the websites first checks if an HTML element containing the ID “
If the code detects the booking page, it will check if the
The skimmer hooks the JavaScript events that are triggered when customers make a payment or submit a booking. When these events happen, the skimmer checks if the
The skimmer script used in these attacks collects customers’ data, including names, email addresses, telephone numbers, hotel room preferences, and of course, credit card details.
The script encrypts data with RC4 using a
The software skimmer replaces the original credit card form on the booking page, in this way attackers could require customers to submit all credit card data, including the CVC number that is not required in some booking pages. This trick also works to collect all
Trend Micro pointed out the network infrastructure and the scripts used in this attack could not be strongly linked to previous Magecart attacks.
“We were unable to find any strong connections to previous Magecart groups based on the network infrastructure or the malicious code used in this attack. However, it’s possible that the threat actor behind this campaign was also involved in previous campaigns.” concludes Trend Micro.
| |
(
The post Magecart attackers target mobile users of hotel chain booking websites appeared first on Security Affairs.
