Login
Akamai researcher Larry Cashdollar discovered a new piece of the Silex malware that is bricking thousands of
Cashdollar explained that the Silex malware trashes the storage of the infected devices, drops firewall rules and wipe network configurations before halting the system.
It's trashing the storage, dropping the iptables rules, removing the network configuration and then halting the device. pic.twitter.com/Ue661ku0fy
— Larry W. Cashdollar (@_larry0) June 25, 2019
The only way to recover infected devices is to manually reinstall the device’s firmware.
Silex is not the first IoT malware with this behavior, back in 2017 BrickerBot bricked millions of devices worldwide.
According to ZDnet that interviewed the malware’s creator, the attacks are about to intensify in the coming days.
“The malware had bricked around 350 devices when this reporter began investigating its operations, and the number quickly spiked to 2,000 wiped devices by the time we published, an hour later.” reported ZDnet.
“Attacks are still ongoing, and according to an interview with the malware’s creator, they are about to intensify in the coming days.”
The researcher Ankit Anubhav was also able to trace the attacker and confirmed that the bot was developed to brick the infected IoT devices.
Traced the attacker who has claimed responsibility and also claiming to brick 361 devices. Will try to interview him. What we speculated is right, this is a bot to cause bricking ( which the attacker says as PDOS, permanent DOS)
— Ankit Anubhav (@ankit_anubhav) June 25, 2019
There is no financial motive. pic.twitter.com/gUjWCdSIQO
Anubhav believes that the Silex malware was developed by a teenager using the online moniker of Light Leafon. The same guy has also created the ITO IoT botnet,
According to Cashdollar, the Silex malware uses a list of known default credentials for
“I see in the binary it’s calling fdisk -l which will list all disk partitions,” Cashdollar told ZDNet. “It then writes random data from /dev/random to any partitions it discovers.”
The malware also deletes network settings and any other data on the device, then it flushes all iptables entries before halting or rebooting the device.
The IoT malware is targeting any Unix-like system with default login credentials, according to Cashdollar it leverages a Bash shell version to target any architecture running a Unix like OS.
The malware could brick Linux servers having Telnet ports open that use known credentials.
The IP address (185[.]162[.]235[.]56) behind the attacks observed by the experts is hosted on a VPS server owned by novinvps.com, which is operated out of Iran.
According to Ankit Anubha who spoke with the author of the malware, the developer has definitively abandoned the HITO botnet for Silex and plans to implement other destructive features (SSH hijacking capability, add exploits into Silex).
At the time it is not clear the Light’s motivation for these attacks, let’s hope he will use his talent for legal and good projects.
|
|
(
The post Silex malware bricks thousands of IoT devices in a few hours appeared first on Security Affairs.
Researchers at Cybereason uncovered an ongoing long-running espionage campaign, tracked as Operation Soft Cell, that targets telco providers. Tactics, techniques, and procedures, and the type of targets suggest the involvement of a nation-state actor likely linked to Chinese APT10.
Once compromised the networks of telecommunication companies, attackers can access to mobile phone users’ call data records.
“Based on the data available to us, Operation Soft Cell has been active since at least 2012, though some evidence suggests even earlier activity by the threat actor against telecommunications providers. The attack was aiming to obtain CDR records of a large telecommunications provider.” reads the report published by Cybereason.
“The threat actor was attempting to steal all data stored in the active directory, compromising every single username and password in the organization, along with other personally identifiable information, billing data, call detail records, credentials, email servers, geo-location of users, and more.”
According to Amit Serper, head of security research at Cybereason, attackers
Experts explained that
Attack scenario sees hackers planting a malicious web shell on an IIS server, identified as a modified version of the China Chopper web shell, that was used to run reconnaissance commands, steal credentials, and deploy other hacking tools.
Then
Hackers also used a modified version of Nbtscan to determine the availability of NetBIOS name servers locally or over the network. The attackers also used multiple Windows built-in tools (i.e. whoami, net.exe, ipconfig, netstat, portqry) and WMI and PowerShel commands.
The threat actors also used Poison Ivy RAT to maintain long-term access across the compromised network, and a modified version of Mimikatz to dump credentials. WMI and PsExec were used by the hackers for lateral movement, while Winrar was used to compress and password-protect stolen data, and a modified version of hTran was used to exfiltrate the data.
Experts believe that hundreds of millions of mobile phone users around the world have been affected, including foreign intelligence agents, politicians, opposition candidates for espionage.
“Beyond targeting individual users, this attack is also alarming because of the threat posed by the control of a telecommunications provider. Telecommunications has become
“This attack has widespread implications, not just for individuals, but also for organizations and countries alike.”
| |
(SecurityAffairs –
The post Operation Soft Cell – Multiple telco firms hacked by nation-state actor appeared first on Security Affairs.
RSS Security shard.yml:dependencies:
tourmaline:
github: watzon/tourmaline
version: ~> 0.7.0require "tourmaline/bot"
alias TGBot = Tourmaline::Bot
bot = TGBot::Client.new(ENV["API_KEY"])
bot.command(["start", "help"]) do |message|
text = "Echo bot is a sample bot created with the Tourmaline bot framework."
bot.send_message(message.chat.id, text)
end
bot.command("echo") do |message, params|
text = params.join(" ")
bot.send_message(message.chat.id, text)
end
bot.pollbot.on(:text) do |update|
text = update.message.not_nil!.text.not_nil!
puts "TEXT: #{text}"
endTourmaline::Bot::Middleware class. All middleware classes need to have a call(update : Update) method. The middleware will be called on every update.class MyMiddleware < TGBot::Middleware
# All middlware include a reference to the parent bot.
# @bot : Tourmaline::Bot::Client
def call(update : Update)
if message = update.message
if user = message.from_user
if text = message.text
puts "#{user.first_name}: #{text}"
end
end
end
end
end
bot.use MyMiddleware# bot.poll
bot.set_webhook("https://example.com/bots/my_tg_bot")
bot.serve("0.0.0.0", 3400)
# or with ngrok.cr
require "ngrok"
Ngrok.start({ addr: "127.0.0.1:3400" }) do |ngrok|
bot.set_webhook(ngrok.ngrok_url_https)
bot.serve("127.0.0.1", 3400)
endsend_invoice, answer_shipping_query, and answer_pre_checkout_query methods to send invoices and accept payments.bot.command("buy") do |message, params|
bot.send_invoice(
message.chat.id,
"Sample Invoice",
"This is a test...",
"123344232323",
"YOUR_PROVIDER_TOKEN",
"test1",
"USD",
bot.labeled_prices([{label: "Sample", amount: 299}, {label: "Another", amount: 369}]).to_json
)
endrequire "kemal"
require "tourmaline/kemal/tourmaline_handler"
require "./your_bot"
add_handler Kemal::TourmalineHandler.new(
bot: YourBot.new,
url: "https://something.com",
path: "/bot-webhook/#{ENV["TGBOT_API_KEY"]}"
)
Kemal.runEarlier this month, Google disclosed that a supply chain attack by one of its vendors resulted in malicious software being pre-installed on millions of new budget Android devices. Google didn’t exactly name those responsible, but said it believes the offending vendor uses the nicknames “Yehuo” or “Blazefire.” What follows is a deep dive into the identity of that Chinese vendor, which appears to have a long and storied history of pushing the envelope on mobile malware.
“Yehuo” (野火) is Mandarin for “wildfire,” so one might be forgiven for concluding that Google was perhaps using another dictionary than most Mandarin speakers. But Google was probably just being coy: The vendor in question appears to have used both “blazefire” and “wildfire” in two of many corporate names adopted for the same entity.
An online search for the term “yehuo” reveals an account on the Chinese Software Developer Network which uses that same nickname and references the domain blazefire[.]com. More searching points to a Yehuo user on gamerbbs[.]cn who advertises a mobile game called “Xiaojun Junji,” and says the game is available at blazefire[.]com.
Research on blazefire[.]com via Domaintools.com shows the domain was assigned in 2015 to a company called “Shanghai Blazefire Network Technology Co. Ltd.” just a short time after it was registered by someone using the email address “tosaka1027@gmail.com“.
The Shanghai Blazefire Network is part of a group of similarly-named Chinese entities in the “mobile phone pre-installation business and in marketing for advertisers’ products to install services through mobile phone installed software.”
“At present, pre-installed partners cover the entire mobile phone industry chain, including mobile phone chip manufacturers, mobile phone design companies, mobile phone brand manufacturers, mobile phone agents, mobile terminal stores and major e-commerce platforms,” reads a descriptive blurb about the company.
A historic records search at Domaintools on that tosaka1027@gmail.com address says it was used to register 24 Internet domain names, including at least seven that have been conclusively tied to the spread of powerful Android mobile malware.
Two of those domains registered to tosaka1027@gmail.com — elsyzsmc[.]com and rurimeter[.]com — were implicated in propagating the Triada malware. Triada is the very same malicious software Google said was found pre-installed on many of its devices and being used to install spam apps that display ads.
In July 2017, Russian antivirus vendor Dr.Web published research showing that Triada had been installed by default on at least four low-cost Android models. In 2018, Dr.Web expanded its research when it discovered the Triada malware installed on 40 different models of Android devices.
At least another five of the domains registered to tosaka1027@gmail.com — 99youx[.]com, buydudu[.]com, kelisrim[.]com, opnixi[.]com and sonyba[.]com — were seen as early as 2016 as distribution points for the Hummer Trojan, a potent strain of Android malware often bundled with games that completely compromises the infected device.
A records search at Domaintools for “Shanghai Blazefire Network Technology Co” returns 11 domains, including blazefire[.]net, which is registered to a yehuo@blazefire.net. For the remainder of this post, we’ll focus on the bolded domain names below:
Domain Name Create Date Registrar
2333youxi[.]com 2016-02-18 ALIBABA CLOUD COMPUTING (BEIJING) CO., LTD
52gzone[.]com 2012-11-26 ALIBABA CLOUD COMPUTING (BEIJING) CO., LTD
91gzonep[.]com 2012-11-26 ALIBABA CLOUD COMPUTING (BEIJING) CO., LTD
blazefire[.]com 2000-08-24 ALIBABA CLOUD COMPUTING (BEIJING) CO., LTD
blazefire[.]net 2010-11-22 ALIBABA CLOUD COMPUTING (BEIJING) CO., LTD
hsuheng[.]com 2015-03-09 GODADDY.COM, LLC
jyhxz.net 2013-07-02 —
longmen[.]com 1998-06-19 GODADDY.COM, LLC
longmenbiaoju[.]com 2012-12-09 ALIBABA CLOUD COMPUTING (BEIJING) CO., LTD
oppayment[.]com 2013-10-09 ALIBABA CLOUD COMPUTING (BEIJING) CO., LTD
tongjue[.]net 2014-01-20 ALIBABA CLOUD COMPUTING (BEIJING) CO., LTD
Following the breadcrumbs from some of the above domains we can see that “Blazefire” is a sprawling entity with multiple business units and names. For example, 2333youxi[.]com is the domain name for Shanghai Qianyou Network Technology Co., Ltd., a firm that says it is “dedicated to the development and operation of Internet mobile games.”
Like the domain blazefire[.]com, 2333youxi[.]com also was initially registered to tosaka1027@gmail.com and soon changed to Shanghai Blazefire as the owner.
The offices of Shanghai Quianyou Network — at Room 344, 6th Floor, Building 10, No. 196, Ouyang Rd, Shanghai, China — are just down the hall from Shanghai Wildfire Network Technology Co., Ltd., reportedly at Room 35, 6th Floor, Building 10, No. 196, Ouyang Rd, Shanghai.
The domain tongjue[.]net is the Web site for Shanghai Bronze Network Technology Co., Ltd., which appears to be either another name for or a sister company to Shanghai Tongjue Network Technology Co., Ltd. According to its marketing literature, Shanghai Tongjue is situated one door down from the above-mentioned Shanghai Quianyou Network — at Room 36, 6th Floor, Building 10, No. 196, Ouyang Road.
“It has developed into a large domestic wireless Internet network application,” reads a help wanted ad published by Tongjue in 2016. “The company is mainly engaged in mobile phone pre-installation business.”
That particular help wanted ad was for a “client software development” role at Tongjue. The ad said the ideal candidate for the position would have experience with “Windows Trojan, Virus or Game Plug-ins.” Among the responsibilities for this position were:
-Crack the restrictions imposed by the manufacturer on the mobile phone.
-Research and master the android [operating] system
-Reverse the root software to study the root of the android mobile phone
-Research the anti-brushing and provide anti-reverse brushing scheme
Many of the domains mentioned above have somewhere in their registration history the name “Hsu Heng” and the email address yehuo@blazefire.net. Based on an analysis via cyber intelligence firm 4iq.com of passwords and email addresses exposed in multiple data breaches in years past, the head of Blazefire goes by the nickname “Hagen” or “Haagen” and uses the email “chuda@blazefire.net“.
Searching on the phrase “chuda” in Mandarin turns up a 2016 story at the Chinese gaming industry news site Youxiguancha.com that features numerous photos of Blazefire employees and their offices. That story also refers to the co-founder and CEO of Blazefire variously as “Chuda” and “Chu da”.
“Wildfire CEO Chuda is a tear-resistant boss with both sports (Barcelona hardcore fans) and literary genre (playing a good guitar),” the story gushes. “With the performance of leading the wildfire team and the wildfire product line in 2015, Chu has won the top ten new CEO awards from the first Black Rock Award of the Hardcore Alliance.”
Interestingly, the registrant name “Chu Da” shows up in the historical domain name records for longmen[.]com, perhaps Shanghai Wildfire’s oldest and most successful mobile game ever. That record, from April 2015, lists Chu Da’s email address as yehuo@blazefire.com.
The CEO of Wildfire/Blazefire, referred to only as “Chuda” or “Hagen.”
It’s not clear if Chuda is all or part of the CEO’s real name, or just a nickname; the vice president of the company lists their name simply as “Hua Wei,” which could be a real name or a pseudonymous nod to the embattled Chinese telecom giant by the same name.
According to this cached document from Chinese business lookup service TianYanCha.com, Chuda also is a senior executive at six other companies.
Google declined to elaborate on its blog post. Shanghai Wildfire did not respond to multiple requests for comment.
It’s perhaps worth noting that while Google may be wise to what’s cooking over at Shanghai Blazefire/Wildfire Network Technology Co., Apple still has several of the company’s apps available for download from the iTunes store, as well as others from Shanghai Qianyou Network Technology.
Article tags
Earlier this month, Google disclosed that a supply chain attack by one of its vendors resulted in malicious software being pre-installed on millions of new budget Android devices. Google didn’t exactly name those responsible, but said it believes the offending vendor uses the nicknames “Yehuo” or “Blazefire.” What follows is a deep dive into the identity of that Chinese vendor, which appears to have a long and storied history of pushing the envelope on mobile malware.
“Yehuo” (野火) is Mandarin for “wildfire,” so one might be forgiven for concluding that Google was perhaps using another dictionary than most Mandarin speakers. But Google was probably just being coy: The vendor in question appears to have used both “blazefire” and “wildfire” in two of many corporate names adopted for the same entity.
An online search for the term “yehuo” reveals an account on the Chinese Software Developer Network which uses that same nickname and references the domain blazefire[.]com. More searching points to a Yehuo user on gamerbbs[.]cn who advertises a mobile game called “Xiaojun Junji,” and says the game is available at blazefire[.]com.
Research on blazefire[.]com via Domaintools.com shows the domain was assigned in 2015 to a company called “Shanghai Blazefire Network Technology Co. Ltd.” just a short time after it was registered by someone using the email address “tosaka1027@gmail.com“.
The Shanghai Blazefire Network is part of a group of similarly-named Chinese entities in the “mobile phone pre-installation business and in marketing for advertisers’ products to install services through mobile phone installed software.”
“At present, pre-installed partners cover the entire mobile phone industry chain, including mobile phone chip manufacturers, mobile phone design companies, mobile phone brand manufacturers, mobile phone agents, mobile terminal stores and major e-commerce platforms,” reads a descriptive blurb about the company.
A historic records search at Domaintools on that tosaka1027@gmail.com address says it was used to register 24 Internet domain names, including at least seven that have been conclusively tied to the spread of powerful Android mobile malware.
Two of those domains registered to tosaka1027@gmail.com — elsyzsmc[.]com and rurimeter[.]com — were implicated in propagating the Triada malware. Triada is the very same malicious software Google said was found pre-installed on many of its devices and being used to install spam apps that display ads.
In July 2017, Russian antivirus vendor Dr.Web published research showing that Triada had been installed by default on at least four low-cost Android models. In 2018, Dr.Web expanded its research when it discovered the Triada malware installed on 40 different models of Android devices.
At least another five of the domains registered to tosaka1027@gmail.com — 99youx[.]com, buydudu[.]com, kelisrim[.]com, opnixi[.]com and sonyba[.]com — were seen as early as 2016 as distribution points for the Hummer Trojan, a potent strain of Android malware often bundled with games that completely compromises the infected device.
A records search at Domaintools for “Shanghai Blazefire Network Technology Co” returns 11 domains, including blazefire[.]net, which is registered to a yehuo@blazefire.net. For the remainder of this post, we’ll focus on the bolded domain names below:
Domain Name Create Date Registrar
2333youxi[.]com 2016-02-18 ALIBABA CLOUD COMPUTING (BEIJING) CO., LTD
52gzone[.]com 2012-11-26 ALIBABA CLOUD COMPUTING (BEIJING) CO., LTD
91gzonep[.]com 2012-11-26 ALIBABA CLOUD COMPUTING (BEIJING) CO., LTD
blazefire[.]com 2000-08-24 ALIBABA CLOUD COMPUTING (BEIJING) CO., LTD
blazefire[.]net 2010-11-22 ALIBABA CLOUD COMPUTING (BEIJING) CO., LTD
hsuheng[.]com 2015-03-09 GODADDY.COM, LLC
jyhxz.net 2013-07-02 —
longmen[.]com 1998-06-19 GODADDY.COM, LLC
longmenbiaoju[.]com 2012-12-09 ALIBABA CLOUD COMPUTING (BEIJING) CO., LTD
oppayment[.]com 2013-10-09 ALIBABA CLOUD COMPUTING (BEIJING) CO., LTD
tongjue[.]net 2014-01-20 ALIBABA CLOUD COMPUTING (BEIJING) CO., LTD
Following the breadcrumbs from some of the above domains we can see that “Blazefire” is a sprawling entity with multiple business units and names. For example, 2333youxi[.]com is the domain name for Shanghai Qianyou Network Technology Co., Ltd., a firm that says it is “dedicated to the development and operation of Internet mobile games.”
Like the domain blazefire[.]com, 2333youxi[.]com also was initially registered to tosaka1027@gmail.com and soon changed to Shanghai Blazefire as the owner.
The offices of Shanghai Quianyou Network — at Room 344, 6th Floor, Building 10, No. 196, Ouyang Rd, Shanghai, China — are just down the hall from Shanghai Wildfire Network Technology Co., Ltd., reportedly at Room 35, 6th Floor, Building 10, No. 196, Ouyang Rd, Shanghai.
The domain tongjue[.]net is the Web site for Shanghai Bronze Network Technology Co., Ltd., which appears to be either another name for or a sister company to Shanghai Tongjue Network Technology Co., Ltd. According to its marketing literature, Shanghai Tongjue is situated one door down from the above-mentioned Shanghai Quianyou Network — at Room 36, 6th Floor, Building 10, No. 196, Ouyang Road.
“It has developed into a large domestic wireless Internet network application,” reads a help wanted ad published by Tongjue in 2016. “The company is mainly engaged in mobile phone pre-installation business.”
That particular help wanted ad was for a “client software development” role at Tongjue. The ad said the ideal candidate for the position would have experience with “Windows Trojan, Virus or Game Plug-ins.” Among the responsibilities for this position were:
-Crack the restrictions imposed by the manufacturer on the mobile phone.
-Research and master the android [operating] system
-Reverse the root software to study the root of the android mobile phone
-Research the anti-brushing and provide anti-reverse brushing scheme
Many of the domains mentioned above have somewhere in their registration history the name “Hsu Heng” and the email address yehuo@blazefire.net. Based on an analysis via cyber intelligence firm 4iq.com of passwords and email addresses exposed in multiple data breaches in years past, the head of Blazefire goes by the nickname “Hagen” or “Haagen” and uses the email “chuda@blazefire.net“.
Searching on the phrase “chuda” in Mandarin turns up a 2016 story at the Chinese gaming industry news site Youxiguancha.com that features numerous photos of Blazefire employees and their offices. That story also refers to the co-founder and CEO of Blazefire variously as “Chuda” and “Chu da”.
“Wildfire CEO Chuda is a tear-resistant boss with both sports (Barcelona hardcore fans) and literary genre (playing a good guitar),” the story gushes. “With the performance of leading the wildfire team and the wildfire product line in 2015, Chu has won the top ten new CEO awards from the first Black Rock Award of the Hardcore Alliance.”
Interestingly, the registrant name “Chu Da” shows up in the historical domain name records for longmen[.]com, perhaps Shanghai Wildfire’s oldest and most successful mobile game ever. That record, from April 2015, lists Chu Da’s email address as yehuo@blazefire.com.
The CEO of Wildfire/Blazefire, referred to only as “Chuda” or “Hagen.”
It’s not clear if Chuda is all or part of the CEO’s real name, or just a nickname; the vice president of the company lists their name simply as “Hua Wei,” which could be a real name or a pseudonymous nod to the embattled Chinese telecom giant by the same name.
According to this cached document from Chinese business lookup service TianYanCha.com, Chuda also is a senior executive at six other companies.
Google declined to elaborate on its blog post. Shanghai Wildfire did not respond to multiple requests for comment.
It’s perhaps worth noting that while Google may be wise to what’s cooking over at Shanghai Blazefire/Wildfire Network Technology Co., Apple still has several of the company’s apps available for download from the iTunes store, as well as others from Shanghai Qianyou Network Technology.
Article tags
Experts at Mac security software firm Intego discovered a new piece of Mac malware dubbed OSX/Linker that exploits a recently disclosed macOS Gatekeeper bypass vulnerability.
The Apple Gatekeeper is designed to protect OS X users by performing a number of checks before allowing an App to run. In fact, you will not be able to execute code that wasn’t signed by an Apple developer, you will not be able to run apps that weren’t downloaded from Apple’s store if the device is not jailbreaked of course.
Researchers speculate the Linker malware has the same authors of the OSX/Surfbuyer adware.
In late May, the Italian security researcher Filippo Cavallarin demonstrated how to bypass
Cavallarin demonstrated how to bypass Gatekeeper and execute untrusted code without user explicit permission and any warning to the victims.
Gatekeeper considers both external drives and network shares as safe locations, this means that any application in these locations could run without asking for the user’s consent.
In late May, security researcher Filippo Cavallarin disclosed a bug in Gatekeeper that would allow a malicious binary downloaded from the Internet to bypass the Gatekeeper scanning process.
The attacker would need to leverage two legitimate features implemented in macOS, the automount (aka autofs) and the lack of specific checks.
The autofs feature allows a user to automatically mount a network share by accessing a “special” path, in this specific case any path beginning with “/net/” (i.e. /net/evil-attacker.com/sharedfolder/).
The second feature that was exploited to include within ZIP archives symbolic links pointing to arbitrary locations, in this case, automount endpoints.
Cavallarin discovered that the software responsible for decompressing the ZIP archives does not perform any check on the symlinks.
An attacker can create a ZIP file containing a symbolic link to an automount endpoint under their control and send it to the victim. The attack scenario sees the victim downloading the archive and follows the symlink, they are redirected to the location controlled by the attacker that is also trusted by Gatekeeper.
Below a video
The Gatekeeper bypass flaw affects all macOS versions, including the latest one (ver. 10.14.5), and Apple has yet to release an update to address the issue.
Cavallarin reported the vulnerability to Apple on February 22, but Apple missed a 90-days deadline and is no longer responding to the emails of the expert.
Unfortunately, vxers are already working on the includes the exploit code in their malware. Intego experts already analyzed some malware samples that appear as a sort of test for the exploiting of the Gatekeeper bypass.
The disk image files were either an ISO 9660 image with a .dmg file name, or an actual Apple Disk Image format .dmg file.
“Intego observed four samples that were uploaded to VirusTotal on June 6, seemingly within hours of the creation of each disk image, that all linked to one particular application on an Internet-accessible NFS server.” reads the analysis published by Intego.
“Each of the four files were uploaded anonymously, meaning the user was not signed into a VirusTotal account.”
All the OSX/Linker malware samples analyzed by the experts were disguised as Adobe Flash Player installers, a circumstance that suggests they were actual malware payload testing.
At the time of writing, OSX/Linker malware samples haven’t been observed in the wild yet.
Intego notified Apple of the OSX/Surfbuyer adware gang abusing an Apple Developer ID to sign their malicious OSX/Linker samples in order to allow the tech giant to revoke the abused certificate.
|
|
(
The post OSX/Linker, a new piece of Mac malware that exploits Gatekeeper bypass appeared first on Security Affairs.
Introduction Resumes are the window that organizations use to see what candidates have to offer and are used to filter all who interview for job positions. You can also think of resumes as the face of your career up to this point: it should show an organization what you can do for them from just […]
The post Penetration tester resume tips appeared first on Infosec Resources.
Introduction For some, aiming for one of the most glamorous or cool jobs is their cup of tea, and for many in information security their equivalent role is penetration tester. Much like an action movie in the vein of “Mission Impossible,” you’ll get to hack into computer systems for a legitimate purpose. The question then […]
The post Penetration tester salary appeared first on Infosec Resources.
Introduction Are you interested in a career as penetration tester? If you have “a thorough understanding of pentesting methodologies and vulnerability assessments, as well as the ability to exploit systems and effectively communicate findings,” then this might be the right field for you. How does an IT professional become a penetration tester? There is no […]
The post Penetration tester career path appeared first on Infosec Resources.
| One-liner function | What this function refers to |
|---|---|
| Reverse Shell | Various methods and commands to give you a reverse shell. |
| PrivEsc | Many commands to help in Enumeration and Privilege Escalation |
| Bind Shell | Various methods and commands to give you a bind shell. |
| Dropper | Many ways to download and execute various payload types with various methods. |
seach becomes search and so on, even if you typed any random word similar to an command in this framework.use capabilities and clicked tab, it would be replaced with use linux/bash/list_all_capabilities and so on. I can see your smile, You are welcome!set command, auto-complete for liners after use and info commands and finally it converts all uppercase to lowercase automatically just-in-case you switched cases by mistake while typing.copy <liner> instead of using use <liner> and then copying it which saves a lot of time, of course, if you merged it with the following features.makerc command like in Metasploit but this time it only saves the correct important commands.history and resource commands so you don't need to exit the framework.Note: The liners database is not too big but it will get bigger with updates and contributions.
usage: one-lin3r [-h] [-r R] [-x X] [-q]
optional arguments:
-h, --help show this help message and exit
-r Execute a resource file (history file).
-x Execute a specific command (use ; for multiples).
-q Quiet mode (no banner).Command Description
-------- -------------
help/? Show this help menu.
list/show List all one-liners in the database.
search [Keywords..] Search database for a specific liner by its name, author name or description.
use <liner> Use an available one-liner.
copy <liner> Use an available one-liner and copy it to clipboard automatically.
info <liner> Get information about an available liner.
set <variable> <value> Sets a context-specific variable to a value to use while using one-liners.
variables Prints all previously specified variables.
banner Display banner.
reload/refresh Reload the liners database.
check Prints the core version and checks if you are up-to-date.
history Display command-line most important history from t he beginning.
makerc Save command-line history to a file.
resource <file> Run the commands stored in a file
os <command> Execute a system command without closing the framework
exit/quit Exit the frameworkpip install one-lin3r
one-lin3r -hpython -m pip install ./One-Lin3r-master
one-lin3r -hgit clone https://github.com/D4Vinci/One-Lin3r.git
apt install libncurses5-dev
pip3 install ./One-Lin3r
one-lin3r -hpip install one-lin3r --upgradecd One-Lin3r && git pull && cd ..
pip3 install ./One-Lin3r --upgradeNote: As the liners are written as python modules, it considered as a part of the framework. So every new liner added to the framework, its version will get updated.
The Anonymous member is a 35-year-old man from Roeselare, Belgium, was arrested after throwing a Molotov cocktail at the Crelan Bank office in Rumbeke, back in 2014.
According to ZDnet, the hacker has been exposed after dropping USB drive on the ground while throwing the Molotov cocktail.
The analysis of the content of the USB drive allowed the authorities to identify the man. Court documents refer to the hacktivist as a Brecht S., the police raided his house and investigated into his computer and electronic devices revealing a long cybercrime activity.
The member of Anonymous was also involved in DDoS attacks against online banking system of the Crelan Bank that shut down the portal on numerous occasions.
Brecht explained that he attacked the bank because its officials refused to meet with him following the disappearance of €300,000 from his mother’s bank account following the divorce from his father. The attack was a revenge for what has happened to his mother.
The man also stated that he was experiencing a difficult period at the time and was involved in drugs.
According to the prosecutors, the man is an active member of Anonymous Belgium and Cyber Crew hacking groups, he was involved in numerous operations of the collectives of hackers, including one aimed at FIFA, the international soccer/football federation.
Brecht also blackmailed some organizations threatening them of DDoS attacks, in one case the victim was a restaurant. The hacker shut down the website of the restaurants several times with DDoS attacks and asked for a ransom payment to halt the attacks.
The police also identified a co-conspirator, a 44-year-old man from Bruges. The hacker was also a member of a cyber criminal gang and had exchanged hacking tools with Brecht.
Brecht S. was already sentenced to three years in prison for throwing the molotov cocktail, along with the other defendant he was also fined for 1,200 euro.
“A 35-year-old man from Roeselare has been sentenced to eighteen months in prison because he hacked the website of Crelan and took it offline for hours.” reported the Belgian news site Het Laatste Nieuws. “
HLN reported that Brecht received an 18 months prison sentence for cybercrimes he committed and was ordered to pay €3,000 to Crelan Bank as compensation for damages caused by the DDoS attacks.
Brecht’s co-conspirator has not been sentenced to prison.
|
|
(
The post Anonymous Belgium hacker identified after dropping USB drive while throwing Molotov cocktail appeared first on Security Affairs.
Last week, media reported that the United States has launched a series of cyber attacks on Iran after the Iranian military has downed an American surveillance drone.
US President Donald Trump first approved military strikes against Iran in retaliation for downing a surveillance drone, but pulled back from launching them on Thursday night after a day of escalating tensions.
The tensions between Iran and the US is increasing after President Trump blamed Iran for the attacks on the oil tankers traveling through the Strait of Hormuz. Iran has immediately denied that accusation. Trump decided to temporary suspend the attacks to attempt negotiation and urge new sanctions against Iran, but at the same time, he secretly authorized US Cyber Command to carry out a retaliatory cyber attack on Iran.
Now Teheran replied to the news reported by the media and revealed that cyber attack against its infrastructure has ever succeeded.
“The media are asking about the veracity of the alleged cyber attack against Iran. No successful attack has been carried out by them, although they are making a lot of effort,” ICT Minister of Iran Mohammad Javad Azari Jahromi said on Twitter.
The Iranian telecommunications minister labeled the activity against its state as “cyber terrorism — such as Stuxnet — and unilateralism — such as sanctions”.
"The media are asking about the veracity of the alleged cyber attack against Iran. No successful attack has been carried out by them…" – telecommunications minister Mohammad Javad Azari Jahromi. https://t.co/fzEEap8OfR
— Al Jazeera News (@AJENews) June 24, 2019
US media on Saturday said Washington launched cyber attacks against Iranian missile control systems and a spy network this week after Tehran downed an American surveillance drone.
“President Trump approved an offensive cyberstrike that disabled Iranian computer systems used to control rocket and missile launches, even as he backed away from a conventional military attack in response to its downing Thursday of an unmanned U.S. surveillance drone, according to people familiar with the matter.”reported The Washington Post.
“The cyberstrikes, launched Thursday night by personnel with U.S. Cyber Command, were in the works for weeks if not months, according to two of these people, who said the Pentagon proposed launching them after Iran’s alleged attacks on two oil tankers in the Gulf of Oman earlier this month.”
The cyber attacks carried out by the US Cyber Command aimed at destroying computers systems that control rocket and missile launches.
According to Yahoo, two former intelligence officials confirmed that cyber attacks also hit spying group responsible for tracking ships in the strategic Strait of Hormuz.
This isn’t the first time that the US opted out for a cyber attack to hit Iran, the Stuxnet virus first uncovered in 2010, was used to shut down nuclear facilities in Iran at least since 2005.
Since the Stuxnet attack, Iran-linked APT groups have increased their cyber capabilities and have intensified their activities against entities worldwide.
“We foiled last year not one attack but 33 million attacks with Dejpha shield,” declared Azari Jahromi referring to a cyber defence system.
|
|
(
The post Iran denies attack against its infrastructure has ever succeeded appeared first on Security Affairs.
SocialEngineered.net, the forum dedicated to social engineering topics, announced it has suffered a data breach two weeks ago.
Hackers accessed data from tens of thousands of members and leaked them online on a hacker forum.
The hackers exploited a vulnerability in the MyBB forum to access forum data.
“Mybb had a
Owner of the SocialEngineered forum decided to move to the XenForo forum platform after the incident. The administrator urges members of changing their login passwords.
In June, experts at RIPS Tech discovered security flaws (a stored cross-site scripting (XSS) and file write issue) in MyBB prior to version 1.8.21 that could allow attackers to take over any board hosted by sending a malicious private message to an administrator or by creating a malicious post.
MyBB has already released a patched version, but evidently, administrators are slow in updating their websites.
On June 13, the attacker leaked data on a hacker forum claiming that he had “uploaded the full database and root directory of this website.”
The dump includes data of 55,121 forum users, compromised info includes usernames, passwords stored as salted MD5 hashes, email addresses, IP addresses, and private messages.
A post published on a rival forum also revealed that the dump includes the source code of the website, along with data and logs.
The HaveIBeenPwned websites added the leaked data to its system, data set includes 89,000 unique email addresses from 55,000 forum users.
“In June 2019, the “Art of Human Hacking” site Social Engineered suffered a data breach. The breach of the XenForo forum was published on a rival hacking forum and included 89k unique email addresses spread across 55k forum users and other tables in the database. The exposed data also included
“Breach date: 13 June 2019
Date added to HIBP: 23 June 2019
Compromised accounts: 89,392
Compromised data: Email addresses, IP addresses, Passwords, Private messages, Usernames”
| |
(
The post SocialEngineered forum hacked and data leaked online appeared first on Security Affairs.
Experts at Microsoft uncovered a malicious campaign that delivers the FlawedAmmyy RAT directly in memory.
The FlawedAMMYY backdoor borrows the code of the
FlawedAmmyy Remote Access Trojan was involved in attacks carried out by the threat actors tracked as TA505.
Microsoft observed weaponized spam messages using .xls attachments with content in Korean. The macro included in the documents executes the legitimate msiexec.exe tool that downloads an MSI archive.
The MSI archive includes a digitally signed executable that decrypts and execute another executable in memory once it is opened.
Anomaly detection helped us uncover a new campaign that employs a complex infection chain to download and run the notorious FlawedAmmyy RAT directly in memory. The attack starts with an email and .xls attachment with content in the Korean language. pic.twitter.com/PQ2g7rvDQm
— Microsoft Security Intelligence (@MsftSecIntel) June 21, 2019
This executable then downloads and decrypts another file, wsus.exe, which was also digitally signed on June 19. wsus.exe decrypts and runs the final payload directly in memory. The final payload is the remote access Trojan FlawedAmmyy.
— Microsoft Security Intelligence (@MsftSecIntel) June 21, 2019
“This
One of the samples involved in this campaign, detected on June 22, was digitally signed using a certificate issued by Thawte for Dream Body Limited.
2019-06-22:
— Vitali Kremez (@VK_Intel) June 22, 2019
Digital Cert
C2: 169.239.128. 185
h/t @malwrhunterteam
Seems every day they leverage new malware signing
MD5: fb5a09e073324e99b979831a98b120b0 pic.twitter.com/oYT96blamA
In May, experts at Yoroi-Cybaze Z-Lab observed a spike in the number of attacks against the banking sector and spotted a new email stealer used by the TA505 hacker group.
Earlier June, researchers at Trend Micro observed the TA505 group carrying out attacks, involving the FlawedAmmyy RAT and other RATs, against users in Latin America and Asia.
|
|
(
The post Microsoft warns of attacks delivering FlawedAmmyy RAT directly in memory appeared first on Security Affairs.
BloodHound is for hacking active directory trust relationships and it uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment.
Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use it to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory environment.
Researchers from Netlab, discovered that Free-Socks.in proxy service is leveraging a huge botnet of hacked WordPress sites.
According to the experts, traffic managed by the proxy service is routed through a network of hacked WordPress sites.
Threat actors compromised the WordPress sites with highly obscured web shells and the Linux
The variant analyzed by the researchers is a Linux porting of the Win32.Ngioweb malware that was first detected in the wild in August 2018 by experts at Check Point.
“We determined that this is a Proxy Botnet, and it is a Linux version variant of the Win32.Ngioweb malware. We named it Linux.Ngioweb. It shares a lot of code with Win32.Ngioweb, except that it has DGA features.” reads the analysis of Netlab.
“In addition, we have observed that Linux.Ngioweb malware has been implanted into a large number of WordPress Web servers.”
The experts registered one of the DGA C2 domain names (
The Linux.Ngioweb Bot sample implements Back-Connect Proxy on the victim’s machine.
“The attacker builds multiple Bots into a Proxies Pool and controls it through a two-tier C2 protocol, then provides a Rotating Proxy Service.” continues the analysis.
The first stage (Stage-1) manages all the infected sites, while the second one (Stage-2) set the C&C servers. At the Stage 2, the bot establishes communication with the C2 of Stage-2 and enables the Back-Connect Proxy function. Command and Control servers of the stage-2 is specified by the CONNECT command.
Sinkholing the C2 domain experts observed connections from 2,692 WordPress compromised sites, most of which are located in the US.
Netlab plans to share the list of infected servers with other security firms and law enforcement agencies.
Relevant security and law enforcement agencies are welcomed to contact netlab[at]360.cn for a list of infected IP addresses.
“Readers are always welcomed to reach us on twitter, WeChat 360Netlab or email to netlab at 360 dot cn.” concludes the report.
|
|
(
The post Free proxy service runs on top of Linux Ngioweb Botnet appeared first on Security Affairs.
Introduction In this article, we’ll discuss the Volatility framework and how to perform analysis on ransomware using it. We’ll discuss various capabilities of the tool that can allow us to perform forensic analysis. For this article, we’ll be analyzing two notorious forms of malware, WannaCry and Jigsaw. The malware handled in this article will be […]
The post Ransomware analysis with Volatility appeared first on Infosec Resources.
Introduction Cybersecurity managers are advanced-level IT professionals who have worked their way up through the ranks to take on responsibilities in leadership and management. Typically, they have boots-on-the-ground experience with security risk assessment and remediation, computer forensics, incident response and network security; with all this experience and more, they’ve reached a point in their career […]
The post CyberSeek Cybersecurity Career Pathway: Cybersecurity manager/admin appeared first on Infosec Resources.
