An SQL database containing the personal data of 1.3 million Clubhouse users was leaked online for free, a few days after LinkedIn and Facebook suffered similar leaks.

Researchers from Cyber News have discovered that the personal data of 1.3 million Clubhouse users was leaked online days after LinkedIn and Facebook also suffered data leaks.

The experts found an ad on a hacker forum offering for free a SQL database containing 1.3 million scraped Clubhouse user records.

“Days after scraped data from more than a billion Facebook and LinkedIn profiles, collectively speaking, was put for sale online, it looks like now it’s Clubhouse’s turn. The upstart platform seems to have experienced the same fate, with an SQL database containing 1.3 million scraped Clubhouse user records leaked for free on a popular hacker forum.” reported CyberNews.

The leaked records include Clubhouse user IDs, names, usernames, Twitter handles, Instagram handles, number of followers, number of people followed by the users, accounts’ creation date, and invited by user profile names. Financial data was not included in the data leak.,photo URLs

The experts reported their findings to the company, but at the time of this writing, Clubhouse has yet to confirm the authenticity of the exposed data.

Leak data could be abused by threat actors to carry out malicious activities, such as phishing/spear-phishing attacks, identity theft, and scams.

“The leaked SQL database only contains Clubhouse profile information – we did not find any deeply sensitive data like credit card details or legal documents in the archive posted by the threat actor. With that said, even a profile name, with connections to the user’s other social media profiles identified and established, can be enough for a competent cybercriminal to cause real damage.” continues the experts.

In February, an attacker demonstrated that Clubhouse chats are not secure, he was able to siphon audio feeds from “multiple rooms” into its own website.

Clubhouse is an invite-only social media app launched in March 2020 that allows its users to participate in audio conversations, or “rooms,” talking about various topics. The app is becoming even more popular, analysts evaluated the value of the company at some billions.

Clubhouse users should follow these simple recommendations:

• Watch out for suspicious Clubhouse messages and connection requests from strangers.
• Enable two-factor authentication (2FA) on all your online accounts.
• Using a strong and unique password for each web service, a password manager could help you.
• Be vigilant on potential phishing messages that ask you to provide information.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Clubhouse)

The post Personal data of 1.3 million Clubhouse users leaked online appeared first on Security Affairs.

AzureC2Relay is an Azure Function that validates and relays Cobalt Strike beacon traffic by verifying the incoming requests based on a Cobalt Strike Malleable C2 profile. Any incoming requests that do not share the profiles user-agent, URI paths, headers, and query parameters, will be redirected to a configurable decoy website. The validated C2 traffic is relayed to a team server within the same virtual network that is further restricted by a network security group. Allowing the VM to only expose SSH.

Deploy

AzureC2Relay is deployed via terraform azure modules as well as some local az cli commands

Make sure you have terraform , az cli and the dotnet core 3.1 runtime installed

Windows (Powershell)

&([scriptblock]::Create((Invoke-WebRequest -UseBasicParsing 'https://dot.net/v1/dotnet-install.ps1'))) -runtime dotnet -version 3.1.0
Invoke-WebRequest 'https://releases.hashicorp.com/terraform/0.14.6/terraform_0.14.6_windows_amd64.zip'  -OutFile 'terraform.zip'
Expand-Archive -Path terraform.zip -DestinationPath "$([Environment]::GetFolderPath('ApplicationData'))\TerraForm\"
setx PATH "%PATH%;$([Environment]::GetFolderPath('ApplicationData'))\TerraForm\"
Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I AzureCLI.msi /quiet'; rm .\AzureCLI.msi

Mac

curl -L https://dot.net/v1/dotnet-install.sh | bash -s --  --runtime dotnet --version 3.1.0
brew update 
brew tap hashicorp/tap
brew install hashicorp/tap/terraform
brew install azure-cli

Ubuntu , Debian

curl -L https://dot.net/v1/dotnet-install.sh | bash -s --  --runtime dotnet --version 3.1.0
wget https://releases.hashicorp.com/terraform/0.14.5/terraform_0.14.5_linux_amd64.zip
unzip terraform_0.14.5_linux_amd64.zip
sudo cp terraform /usr/local/bin/terraform
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash

Kali

curl -L https://dot.net/v1/dotnet-install.sh | bash -s --  --runtime dotnet --version 3.1.0
wget https://releases.hashicorp.com/terraform/0.14.5/terraform_0.14.5_linux_amd64.zip
unzip terraform_0.14.5_linux_amd64.zip
sudo cp terraform /usr/local/bin/terraform
echo "deb [arch=amd64] https://packages.microsoft.com/repos/azure-cli/ stretch main" | sudo tee /etc/apt/sources.list.d/azure-cli.list
curl -L https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add -
sudo apt-get update && sudo apt-get install apt-transport-https azure-cli

1. Modify the first variables defined in config.tf to suit your needs
2. Replace the dummy "cobaltstrike-dist.tgz" with an actual cobaltstrike download
3. Edit/Replace the Malleable profile inside the Ressources folder (Make sure the profile filename matches the variables you set in step 1)
4. login with azure az login
5. run terraform init
6. run terraform apply -auto-approve to deploy the infra
7. Wait for the CDN to become active and enjoy!

Once terraform completes it will provide you with the needed ssh command, the CobaltStrike teamserver will be running inside an tmux session on the deployed VM

When your done using the infra, you can remove it with terraform destroy -auto-approve

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs free for you in your email box.

Clop Ransomware operators plunder US universities

Malware attack on Applus blocked vehicle inspections in some US states

2,5M+ users can check whether their data were exposed in Facebook data leak

33.4% of ICS computers hit by a cyber attack in H2 2020

Firmware attacks, a grey area in cybersecurity of organizations

Chinese Cycldek APT targets Vietnamese Military and Government in sophisticated attacks

Experts discovered a privilege escalation issue in popular Umbraco CMS

Experts found critical flaws in Rockwell FactoryTalk AssetCentre

SAP systems are targeted within 72 hours after updates are released

This service allows checking if your mobile is included in the Facebook leak

Crooks use Telegram bots and Google Forms to automate phishing

European Commission and other institutions were hit by a major cyber-attack

Gigaset Android smartphones infected with malware after supply chain attack

New Cring ransomware deployed targeting unpatched Fortinet VPN devices

Pwn2Own 2021 Day 1 – participants earned more than $500k

Cisco fixed multiple flaws in SD-WAN vManage Software, including a critical RCE

Man arrested after hired a hitman on the dark web

Moodle flaw exposed users to account takeover

Pwn2Own 2021 Day 2 – experts earned $200K for a zero-interaction Zoom exploit

Scraped data of 500 million LinkedIn users being sold online, 2 million records leaked as proof

Swarmshop – What goes around comes around: hackers leak other hackers data online

User database was also hacked in the recent hack of PHP ‘s Git Server

330K stolen payment cards and 895K stolen gift cards sold on dark web

CISA releases post-compromise tool Aviary to review Microsoft 365

Cisco will not release updates to fix critical RCE flaw in EoF Business Routers

Pwn2Own 2021: participants earned $1,2M of the $1.5M prize pool

Zerodium will pay $300K for WordPress RCE exploits

Crooks abuse website contact forms to deliver IcedID malware

Hackers compromised APKPure client to distribute infected Apps

This man was planning to kill 70% of Internet in a bomb attack against AWS

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)

The post Security Affairs newsletter Round 309 appeared first on Security Affairs.

More than 500,000 Huawei users have been infected with the Joker malware after downloading apps from the company’s official Android store.

More than 500,000 Huawei users were infected with the Joker malware after they have downloaded tainted apps from the company’s official Android store.

The fight to the Joker malware (aka Bread) begun in September 2019 when security experts at Google removed from the official Play Store 24 apps because they were infected with a new spyware tracked as “the Joker.”

The Joker malware is a malicious code camouflaged as a system app and allows attackers to perform a broad range of malicious operations, including disable the Google Play Protect service, install malicious apps, generate fake reviews, and show ads.

The spyware is able to steal SMS messages, contact lists, and device information and to sign victims up for premium service subscriptions.

Experts from antivirus firm Doctor Web discovered ten apps in AppGallery that were containing the malicious code.

“Doctor Web’s virus analysts have uncovered the first malware on AppGallery―the official app store from the Huawei Android device manufacturer.” reads the post published by Dr. Web. “They turned out to be dangerous Android.Joker trojans that function primarily to subscribe users to premium mobile services. In total, our specialists discovered that 10 modifications of these trojans have found their way onto AppGallery, with more than 538,000 users having installed them.”

Upon downloading and executing the apparently harmless apps, they worked as users would have expected to avoid raising suspicion.

The malicious apps were camouflaged as virtual keyboards, a camera app, a launcher, an online messenger, a sticker collection, coloring programs, and a game. 8 of these apps were developed by Shanxi kuailaipai network technology co., ltd, the remaining 2 by the developer 何斌.

Below the list of apps and packages discovered by the researchers:

Detection name	SHA-1	Application name	Package name	Configuration
Android.Joker.531	2349b2c0238dcc52e072500ea402128de0a216cf	Super Keyboard	com.nova.superkeyboard	hxxps://superkeyboard.oss-ap-southeast-1.aliyuncs.com/
Android.Joker.531	0cfb4dd79fcfda7ecfcab7fd238f9f73ab8543d8	Happy Colour	com.colour.syuhgbvcff	hxxps://happycolor.oss-ap-northeast-1.aliyuncs.com/
Android.Joker.531	443c73e1ee2cc7c9301ac4dfe14411762689baf5	Fun Color	com.funcolor.toucheffects	hxxps://funcolortoucheffects.oss-ap-southeast-2.aliyuncs.com/
Android.Joker.531	ddebecf001fd0c7ce03bf4a3eb7b6abe779f0d2d	New 2021 Keyboard	com.newyear.onekeyboard	hxxps://new2021keyboard.oss-ap-south-1.aliyuncs.com/
Android.Joker.594	f1b49a444f554bb942fd8f5a9ff2a212d8db6247	Camera MX – Photo Video Camera	com.sdkfj.uhbnji.dsfeff	hxxps://cameramx-photovideocamera.oss-cn-wulanchabu.aliyuncs.com/
Android.Joker.594	9dcc00513144612fdfcdb57278b2a54654b996ec	BeautyPlus Camera	com.beautyplus.excetwa.camera	hxxps://beautypluscamera.oss-ap-northeast-1.aliyuncs.com/
Android.Joker.658	3950c89eb27c973dce8c1c0ea3ae30baa0f7544e	Color RollingIcon	com.hwcolor.jinbao.rollingicon	hxxps://colorrollingicon.oss-cn-huhehaote.aliyuncs.com/
Android.Joker.659	9d2337047ca59d1375c898cf7d0361fe56c3576c	Funney Meme Emoji	com.meme.rouijhhkl	hxxp://funneymemeemoji.oss-ap-southeast-5.aliyuncs.com/
Android.Joker.660	57148c6e040fb15723e5ca040740ae8901fd2dae	Happy Tapping	com.tap.tap.duedd	hxxp://happytapping.oss-cn-qingdao.aliyuncs.com/
Android.Joker.662	fb184efe017debc57eba118ab7aee17fd946e1ec	All-in-One Messenger	com.messenger.sjdoifo	hxxps://allinonemessenger.oss-cn-shenzhen.aliyuncs.com/

Once the malware is executed it connects to the C&C server to receive the necessary configuration and download and launch one of the additional components. The component automatically subscribed the Android device users to premium mobile services. The apps request access to notifications to intercept incoming SMS from premium services with subscription confirmation codes.

The same apps set the limit on the number of successfully activated premium services for each user. By default, the limit is set to 5, but it can be increased or decreased upon receiving the configuration from the C&C server.

“The downloaded component is responsible for automatically subscribing Android device users to premium mobile services. In addition, the decoy apps request access to notifications that they will later need to intercept incoming SMS from premium services with subscription confirmation codes.” continues the report. “The same apps set the limit on the number of successfully activated premium services for each user. By default, the limit is set to 5, but it can be increased or decreased upon receiving the configuration from the C&C server.”

Doctor Web reported to Huawei its findings, which quickly removed them from AppGallery. Huawei users who have already installed the malicious apps have to manually remove them.

The experts shared a list of indicators of compromise for the above malicious apps.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Huawei apps)

The post Joker malware infected 538,000 Huawei Android devices appeared first on Security Affairs.

Ich freue mich sehr am 07.04.2021 bei der Webkonferenz für IT-Sicherheitsmanagement in Versicherungen einen Vortrag halten zu dürfen.

Der Teilnehmerkreis besteht aus namenhaften Versicherungen und ich bin auf anregende Disskussionen gespannt.

Wie üblich werde ich diesen Beitrag anschließend mit meinen Slides ergänzen 😉

An open-source Go project to test different web application firewalls (WAF) for detection logic and bypasses.

How it works

It is a 3-steps requests generation process that multiply amount of payloads to encoders and placeholders. Let's say you defined 2 payloads, 3 encoders (Base64, JSON, and URLencode) and 1 placeholder (HTTP GET variable). In this case, the tool will send 2x3x1 = 6 requests in a testcase.

Payload

The payload string you wanna send. Like <script>alert(111)</script> or something more sophisticated. There is no macroses like so far, but it's in our TODO list. Since it's a YAML string, use binary encoding if you wanna to https://yaml.org/type/binary.html

Encoder

Data encoder the tool should apply to the payload. Base64, JSON unicode (\u0027 instead of '), etc.

Placeholder

A place inside HTTP request where encoded payload should be. Like URL parameter, URI, POST form parameter, or JSON POST body.

Quick start

Dockerhub

The latest gotestwaf always available via the dockerhub repository: https://hub.docker.com/r/wallarm/gotestwaf
It can be easily pulled via the following command:

docker pull wallarm/gotestwaf

Local Docker build

docker build . --force-rm -t gotestwaf
docker run -v ${PWD}/reports:/go/src/gotestwaf/reports gotestwaf --url=https://the-waf-you-wanna-test/

Find the report file waf-test-report-<date>.pdf in the reports folder that you mapped to /go/src/gotestwaf/reports inside the container.

Build

Gotestwaf supports all the popular platforms (Linux, Windows, macOS), and can be built natively if Go is installed in the system.

go build -mod vendor

Examples

Testing on OWASP ModSecurity Core Rule Set

Build & run ModSecurity CRS docker image

You can pull, build and run ModSecurity CRS docker image automatically:

make modsec

Or manually with your configuration flags to test:

docker pull owasp/modsecurity-crs
docker run -p 8080:80 -d -e PARANOIA=1 --rm owasp/modsecurity-crs

You may choose the PARANOIA level to increase the level of security.
Learn more https://coreruleset.org/faq/

Run gotestwaf

If you want to test the functionality on the running ModSecurity CRS docker container, you can use the following commands:

make scan_local               (to run natively)
make scan_local_from_docker   (to run from docker)

Or manually from docker:

docker run -v ${PWD}/reports:/go/src/gotestwaf/reports --network="host" gotestwaf --url=http://127.0.0.1:8080/ --verbose

And manually with go run (natively):

go run ./cmd --url=http://127.0.0.1:8080/ --verbose

Run gotestwaf with WebSocket check

You can additionally set the WebSocket URL to check via the wsURL flag and verbose flag to include more information about the checking process:

docker run -v ${PWD}/reports:/go/src/gotestwaf/reports gotestwaf --url=http://172.17.0.1:8080/ --wsURL=ws://172.17.0.1:8080/api/ws --verbose

Check results

GOTESTWAF : 2021/03/03 15:15:48.072331 main.go:61: Test cases loading started
GOTESTWAF : 2021/03/03 15:15:48.077093 main.go:68: Test cases loading finished
GOTESTWAF : 2021/03/03 15:15:48.077123 main.go:74: Scanned URL: http://127.0.0.1:8080/
GOTESTWAF : 2021/03/03 15:15:48.083134 main.go:85: WAF pre-check: OK. Blocking status code: 403
GOTESTWAF : 2021/03/03 15:15:48.083179 main.go:97: WebSocket pre-check. URL to check: ws://127.0.0.1:8080/
GOTESTWAF : 2021/03/03 15:15:48.251824 main.go:101: WebSocket pre-check: connection is not available, reason: websocket: bad handshake
GOTESTWAF : 2021/03/03 15:15:48.252047 main.go:129: Scanning http://127.0.0.1:8080/
GOTESTWAF : 2021/03/03 15:15:48.252076 scanner.go:124: Scanning started
GOTESTWAF : 2021/03/03 15:15:51.210216 scanner.go:129: Scanning Time:  2.958076338s
GOTESTWAF : 2021/03/03 15:15:51.210235 scanner.go:160: Scanning finished

Negative Tests:
+-----------------------+--   ---------------------+-----------------------+-----------------------+-----------------------+-----------------------+
|       TEST SET        |       TEST CASE       |     PERCENTAGE, %     |        BLOCKED        |       BYPASSED        |      UNRESOLVED       |
+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+
| community             | community-lfi         |                 66.67 |                     4 |                     2 |                     0 |
| community             | community-rce         |                 14.29 |                     6 |                    36 |                     0 |
| community             | community-sqli        |                 70.83 |                    34 |                    14 |                     0 |
| community             | community-xss         |                 91.78 |                   279 |                    25 |                        0 |
| community             | community-xxe         |                100.00 |                     4 |                     0 |                     0 |
| owasp                 | ldap-injection        |                  0.00 |                     0 |                     8 |                     0 |
| owasp                 | mail-injection        |                  0.00 |                     0 |                     6 |                     6 |
| owasp                 | nosql-injection       |                  0.00 |                     0 |                    12 |                     6 |
| owasp                 | path-traversal        |                 38.89 |                     7 |                    11 |                     6 |
| owasp                 | shell-injection       |                 37.50 |                     3 |                     5 |                     0 |
| owasp                 | sql-injection         |                 33.33    |                     8 |                    16 |                     8 |
| owasp                 | ss-include            |                 50.00 |                     5 |                     5 |                    10 |
| owasp                 | sst-injection         |                 45.45 |                     5 |                     6 |                     9 |
| owasp                 | xml-injection         |                100.00 |                    12 |                     0 |                     0 |
| owasp                 | xss-scripting         |                 56.25 |                     9 |                     7 |                    12 |
| owasp-api             | graphql               |                100.00 |                     1 |                     0 |                     0 |
| owasp-api             | rest                  |                100.00 |                     2 |                     0 |                     0 |
| owasp-api                | soap                  |                100.00 |                     2 |                     0 |                     0 |
+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+
|         DATE:         |       WAF NAME:       |  WAF AVERAGE SCORE:   |  BLOCKED (RESOLVED):  | BYPASSED (RESOLVED):  |      UNRESOLVED:      |
|      2021-03-03       |        GENERIC        |        55.83%         |   381/534 (71.35%)    |   153/534 (28.65%)    |    57/591 (9.64%)     |
+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+

Positive Tests:
+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+
|       TEST SET        |       TEST CASE       |     PERCENTAGE, %     |        BLOCKED           |       BYPASSED        |      UNRESOLVED       |
+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+
| false-pos             | texts                 |                 50.00 |                     1 |                     1 |                     6 |
+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+
|         DATE:         |       WAF NAME:       |  WAF POSITIVE SCORE:  | FALSE POSITIVE (RES): | TRUE POSITIVE (RES):  |      UNRESOLVED:      |
|      2021-03-03       |        GENERIC        |        50.00%         |     1/2 (50.00%)      |     1/2 (50.00%)      |     6/8 (75.00%)      |
+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+-----------------------+

PDF report is ready: reports/waf   -evaluation-report-generic-2021-March-03-15-15-51.pdf

---

Configuration options

Usage of /go/src/gotestwaf/gotestwaf:
      --blockRegex string      Regex to detect a blocking page with the same HTTP response status code as a not blocked request
      --blockStatusCode int    HTTP status code that WAF uses while blocking requests (default 403)
      --configPath string      Path to the config file (default "config.yaml")
      --followCookies          If true, use cookies sent by the server. May work only with --maxIdleConns=1
      --idleConnTimeout int    The maximum amount of time a keep-alive connection will live (default 2)
      --maxIdleConns int       The maximum number of keep-alive connections (default 2)
      --maxRedirects int       The maximum number of handling redirects (default 50)
      --nonBlockedAsPassed     If true, count requests that weren't blocked as passed. If false, requests that don't satisfy to PassStatuscode/PassRegExp as blocked
      --passRegex string       Regex to a detect normal    (not blocked) web page with the same HTTP status code as a blocked request
      --passStatusCode int     HTTP response status code that WAF uses while passing requests (default 200)
      --proxy string           Proxy URL to use
      --randomDelay int        Random delay in ms in addition to the delay between requests (default 400)
      --reportPath string      A directory to store reports (default "reports")
      --sendDelay int          Delay in ms between requests (default 400)
      --testCase string        If set then only this test case will be run
      --testCasesPath string   Path to a folder with test cases (default "testcases")
      --testSet string         If set then only this test set's cases will be run
      --tlsVerify              If true, the received TLS certificate will be verified
      --url string             URL to check (default "http://localhost/")
      --verbose                If true, enable verbose logg   ing (default true)
      --wafName string         Name of the WAF product (default "generic")
      --workers int            The number of workers to scan (default 200)
      --wsURL string           WebSocket URL to check

APKPure, one of the largest alternative app stores, was the victim of a supply chain attack, threat actors compromised client version 3.17.18 to deliver malware.

Multiple security experts discovered threat actors tampered with the APKPure client version 3.17.18 of the popular alternative third-party Android app store.

APKPure is available only on devices that use Google Mobile Services (GMS) and are firmly tied to Google’s infrastructure.

The tainted client downloads and installs various apps, including other malicious payloads.

“Doctor Web specialists have discovered a malicious functionality in APKPure—an official client application of popular third-party Android app store. The trojan built into it downloads and installs various apps, including other malware, without users’ permission.” reads a post published by Doctor Web.

The analysis of the code of the client revealed that attacker modified it by injecting the Android.Triada malware.

Triada was designed with the specific intent to implement financial frauds, typically hijacking financial SMS transactions. The most interesting characteristic of the Triada Trojan apart is its modular architecture, which gives it theoretically a wide range of abilities.

The Triada Trojan is able to infiltrate all process running on the mobile devices gaining persistence, it allows threat actors to download, install/uninstall payloads without users’ permission.

Researchers from Kaspersky pointed out that attackers compromised the APKPure version 3.17.18 with a tainted advertisement SDK.

“Which Trojan gets downloaded (in addition to APKPure’s built-in one) depends on the Android version, as well as on how regularly the smartphone vendor released — and the user installed — security updates.” states Kaspersky.

“If the user has a relatively recent version of the operating system, meaning Android 8 or higher, which doesn’t hand out root permissions willy-nilly, then it loads additional modules for the Triada Trojan. These modules, among other things, can buy premium subscriptions and download other malware. If the device is older, running Android 6 or 7, and without security updates installed (or in some cases not even released by the vendor), and thus more easily rootable, it could be the xHelper Trojan.”

APKPure has solved the problem with the release of the version 3.17.19, on April 9.

“Fixed a potential security problem, making APKPure safer to use,” reads the release note of the new version.

This week another supply chain attack made the headlines, the German device maker Gigaset announced that threat actors compromised at least one server of the company to deliver malware.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, supply chain attack)

The post Hackers compromised APKPure client to distribute infected Apps appeared first on Security Affairs.

Microsoft researchers spotted a malware campaign abusing contact forms on legitimate websites to deliver the IcedID malware.

Security experts from Microsoft have uncovered a malware campaign abusing contact forms on legitimate websites to deliver the IcedID malware.

Threat actors behind the operation are using contact forms published on websites to deliver malicious links to enterprises using emails with fake legal threats. The emails attempt to trick recipients into clicking a link to review supposed evidence behind their allegations, but instead, they start the IcedID malware infection.

IcedID banking trojan first appeared in the threat landscape in 2017, it has capabilities similar to other financial threats like Gozi, Zeus, and Dridex. Experts at IBM X-Force that first analyzed it noticed that the threat does not borrow code from other banking malware, but it implements comparable capabilities, including launching man-in-the-browser attacks, and intercepting and stealing financial information from victims.

“Attackers are abusing legitimate infrastructure, such as websites’ contact forms, to bypass protections, making this threat highly evasive. In addition, attackers use legitimate URLs, in this case Google URLs that require targets to sign in with their Google credentials.” reads the analysis published by Microsoft. “The emails are being used to deliver the IcedID malware, which can be used for reconnaissance and data exfiltration, and can lead to additional malware payloads, including ransomware.”

The malicious emails tracked by the experts arrive in the recipient’s inbox from the contact form query appearing trustworthy as it was sent from trusted email marketing systems. The messages are originating from the recipient’s own contact form on their website, this means that appear as sent by an actual customer interaction or inquiry.

“As attackers fill out and submit the web-based form, an email message is generated to the associated contact form recipient or targeted enterprise, containing the attacker-generated message. The message uses strong and urgent language (“Download it right now and check this out for yourself”), and pressures the recipient to act immediately, ultimately compelling recipients to click the links to avoid supposed legal action.” continues Microsoft.

The messages composed by attackers include a link to a sites.google.com page to view the alleged stolen photos for the recipient to view.

Upon clicking the link, the recipient is redirected to a Google page that requires them to authenticate using their Google credentials, this trick allows to avoid detection.

Once the recipient will sign in, the sites.google.com page automatically downloads a malicious ZIP file, which contains a heavily obfuscated .js file which is executed via WScript to create a shell object for launching PowerShell to download the IcedID payload (a .dat file). The payload is decrypted by using a dropped DLL loader, as well as a Cobalt Strike beacon in the form of a stageless DLL, in this way threat actors could remotely control the infected device.

Attackers also implemented a secondary attack chain, in case the sites.google.com page was not available users are redirected to a .top domain, while inadvertently accessing a Google User Content page, which downloads the malicious .ZIP file.

“This campaign is not only successful because it takes advantage of legitimate contact form emails, but the message content also passes as something that recipients would expect to receive. This creates a high risk of attackers successfully delivering email to inboxes, thereby allowing for “safe” emails that would otherwise be filtered out into spam folders.” concludes the report.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, IcedID malware)

The post Crooks abuse website contact forms to deliver IcedID malware appeared first on Security Affairs.

SNOWCRASH creates a script that can be launched on both Linux and Windows machines. Payload selected by the user (in this case combined Bash and Powershell code) is embedded into a single polyglot template, which is platform-agnostic.

There are few payloads available, including command execution, reverse shell establishment, binary execution and some more :>

Basic usage

1. Install dependencies: ./install.sh

2. List available payloads: ./snowcrash --list

3. Generate chosen payload: ./snowcrash --payload memexec --out polyglot_script

4. Change extension of the polyglot script: mv polyglot_script polyglot_script.ps1

5. Execute polyglot script on the target machine

Additional notes

Delay before script run and payload execution can be specified as an interval (using --sleep flag) in the form:

x[s|m|h]

where

x = Amount of interval to spend in idle state
s = Seconds
m = Sinutes
h = Hours

After generation, the extension of generated script containing the payload can be set either to .sh or .ps1 (depending on the platform we want to target).

Generated payload can be written directly to STDOUT (instead of writing to a file) using --stdout flag.

Screenshots

The FBI arrested a man for allegedly planning a bomb attack against Amazon Web Services (AWS) to kill about 70% of the internet.

The FBI arrested Seth Aaron Pendley (28), from Texas, for allegedly planning to launch a bomb attack against Amazon Web Services (AWS) data center on Smith Switch Road in Ashburn, Virginia.

The man was attempting to buy C-4 plastic explosives from an undercover FBI employee, the explosive would have been used to destroy the data center and kill about 70% of the internet.

“Seth Aaron Pendley, 28, was arrested on Thursday after allegedly attempting to obtain an explosive device from an undercover FBI employee in Fort Worth. He was charged via criminal complaint and made his initial appearance in federal court before U.S. Magistrate Judge Jeffrey Cureton Friday morning.” reads the press release published by DoJ.

The plot of the man was uncovered by law enforcement in January when he revealed its plan on the MyMilitia forum using the moniker ‘Dionysus.’

“Dionysus” stated he was planning to “conduct a little experiment,” that he said would “draw a lot of heat” and could be “dangerous,” he was planning to cause “death” and disruption.

In late January, Mr. Pendley started communicating via Signal with another confidential source, who told the FBI that Mr. Pendley was planning to use C-4 plastic explosives to attack the data centers of a prominent tech company. In March the confidential source introduced Pendley to an undercover FBI agent posing as an explosives supplier.

“In late January, Mr. Pendley began using Signal, an encrypted messaging app, to communicate with another confidential source. The source told the FBI that Mr. Pendley allegedly stated he planned to use C-4 plastic explosives to attack prominent tech company’s data centers in an attempt to “kill of about 70% of the internet.”” continues DoJ.

In February, Pendley shared with the confidential source a hand-made map of Amazon’s Virginia-based AWS data center revealing the bomb attack.

“On March 31, the confidential source introduced Mr. Pendley to an individual who he claimed was his explosives supplier. In actuality, the man was an undercover FBI employee.”

Mr. Pendley has chosen that data center because he believes that the web servers it is hosting provide services to the FBI, CIA, and other federal agencies. He was planning to kill “the oligarchy” currently in power in the United States.

On April 8, Mr. Pendley met with the undercover FBI employee to get the explosive devices, which were inert devices.

The agent showed Mr. Pendley how to arm and detonate the devices, but when the defendant loaded them into his car was arrested by FBI agents who were monitoring the delivery of the inert devices.

If the man is found guilty faces up to 20 years in federal prison.

“We are indebted to the concerned citizen who came forward to report the defendant’s alarming online rhetoric. In flagging his posts to the FBI, this individual may have saved the lives of a number of tech workers,” said Acting U.S. Attorney Prerak Shah. “We are also incredibly proud of our FBI partners, who ensured that the defendant was apprehended with an inert explosive device before he could inflict real harm. The Justice Department is determined to apprehend domestic extremists who intend to commit violence, no matter what political sentiment drives them to do so.”

Below the statement shared by Amazon with online media.

“We would like to thank the FBI for their work in this investigation. We take the safety and security of our staff and customer data incredibly seriously, and constantly review various vectors for any potential threats. We will continue to retain this vigilance about our employees and customers.”

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, AWS)

The post This man was planning to kill 70% of Internet in a bomb attack against AWS appeared first on Security Affairs.