D4TA-HUNTER is a tool created in order to automate the collection of information about the employees of a company that is going to be audited for ethical hacking.
git clone https://github.com/micro-joan/D4TA-HUNTER
chmod +x run.sh
When the application launcher runs, it checks the required components one by one; for any component that is not installed, it shows you the command you must enter to install it:
First you must have a free or paid API key from BreachDirectory.org; if you run a search without one, D4TA-HUNTER shows you a guide on how to get one.
Once you have the API key you can search for emails; D4TA-HUNTER also lists all the password hashes it finds, ready to copy and paste into one of the online password-cracking resources it provides, 100% free.
You can also enter a company's domain, and D4TA-HUNTER will search for employee emails, subdomains of interest, and the IP addresses of the machines it finds:
APIs and tools
| BreachDirectory.org | Email, phone or nick leaks |
| TheHarvester | Domains and emails of the company |
Video Demo: https://darkhacking.es/d4ta-hunter-framework-osint-para-kali-linux
My website: https://microjoan.com
My blog: https://darkhacking.es/
Buy me a coffee: https://www.buymeacoffee.com/microjoan
This toolkit contains materials that can be potentially damaging or dangerous for social media. Refer to the laws in your province/country before accessing, using, or in any other way utilizing this in a wrong way.
This Tool is made for educational purposes only. Do not attempt to violate the law with anything contained here. If this is your intention, then Get the hell out of here!
The post Should you learn to code before you learn to hack? appeared first on Detectify Labs.
Threat actors are exploiting interest in a popular TikTok challenge, dubbed Invisible Challenge, to trick users into downloading info-stealing malware.
Threat actors are exploiting the popularity of a TikTok challenge, called Invisible Challenge, to trick users into downloading information-stealing malware, Checkmarx researchers warn.
People participating in the Invisible Challenge have to apply a filter called Invisible Body that removes the character’s body from a video, in which they pose naked, making a blurred contour image of it.
The experts spotted threat actors sharing TikTok videos with links to a fake software called “unfilter” that claims to remove TikTok filters on videos revealing the naked body of the actor.
TikTok videos posted by the threat actors behind this campaign have already reached over a million views in just a couple of days. The TikTok videos were posted by the TikTok users @learncyber and @kodibtc on November 11, 2022.
“Instructions to get the “unfilter” software deploy WASP stealer malware hiding inside malicious Python packages. TikTok videos posted by the attacker reached over a million views in just a couple of days.” reads the report published by CheckMarx.
“GitHub repo hosting the attacker’s code listed GitHub’s daily trending projects. Over 30,000 members have joined the Discord server created by the attackers so far and this number continues to increase as this attack is ongoing.”
In mid-November, Checkmarx uncovered an ongoing supply chain attack targeting Python developers, conducted by a threat actor they track as WASP and employing the W4SP Stealer.
The malicious code is able to steal the victim’s Discord accounts, passwords, crypto wallets, credit cards, and other sensitive data on the victim’s PC. Stolen data is sent back to the attacker through a hard-coded Discord webhook address.
The threat actor is offering the WASP stealer for $20 claiming it is undetectable and is heavily “protected by some awesome obfuscation.” The supply chain attacks seem to be financially motivated.
The video includes an invite link to a Discord server (“Unfilter Space”) under the control of the attackers; the experts reported that 32,000 members had joined the server before it was deleted.
Once they joined the server, the victims received a link to a GitHub repository hosting the info-stealing malware. The README file of the project also contains a link to a now-removed YouTube tutorial instructing users on how to run the installation script.
After the “Unfilter Space” Discord server was deleted, the attacker renamed the GitHub repository to 42World69/Nitro-generator, deleted the old files in the repo, and uploaded files to fit the Nitro-generator theme.
The campaign is linked to other malicious Python packages; the info-stealing malware has been embedded in packages such as “tiktok-filter-api,” “pyshftuler,” “pyiopcs,” and “pydesings.”
“The high number of users tempted to join this Discord server and potentially install this malware is concerning.” concludes the report. “The level of manipulation used by software supply chain attackers is increasing as attackers become increasingly clever. It seems this attack is ongoing, and whenever the security team at Python deletes his packages, he quickly improvises and creates a new identity or simply uses a different name.”
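To turn the report's details into a check a defender can run, here is an added example (not Checkmarx's tooling) that audits a requirements file for the package names listed above and scans package sources for the hard-coded Discord webhook URL the stealer uses for exfiltration. The requirements text and module sources are constructed, and the webhook URL in them is a placeholder.

```python
"""Audit a Python project's dependency list and package sources for the two
traits Checkmarx attributed to the WASP campaign: package names reported as
carrying the stealer, and a hard-coded Discord webhook used to exfiltrate
stolen data.

Added example, not Checkmarx's tooling. The package names come from the
report quoted above; the sample requirements text and module source below are
constructed, and the webhook URL in them is a placeholder.
"""
import re
from typing import Dict, List

# Package names the report says carried the info-stealer.
REPORTED_PACKAGES = {"tiktok-filter-api", "pyshftuler", "pyiopcs", "pydesings"}

# Discord webhook URLs have a fixed shape: /api/webhooks/<id>/<token>.
_WEBHOOK_RE = re.compile(
    r"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+"
)
# Leading project name of a requirement line (before ==, >=, [extras], ...).
_REQ_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize_name(name: str) -> str:
    """PEP 503 normalisation: case-fold and collapse runs of -, _ and . to -."""
    return re.sub(r"[-_.]+", "-", name).lower()


_REPORTED_NORMALIZED = {normalize_name(p) for p in REPORTED_PACKAGES}


def flag_requirements(requirements_text: str) -> List[str]:
    """Return requirement lines that name a package from the report."""
    flagged = []
    for line in requirements_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith("-"):  # skip pip options such as -r
            continue
        m = _REQ_NAME_RE.match(line)
        if m and normalize_name(m.group(1)) in _REPORTED_NORMALIZED:
            flagged.append(line)
    return flagged


def find_webhooks(sources: Dict[str, str]) -> List[Dict[str, object]]:
    """Scan {filename: source} for hard-coded Discord webhook URLs.

    Reports file, line number and URL with the token part masked, so a real
    token is never copied into a report.
    """
    hits: List[Dict[str, object]] = []
    for filename, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for m in _WEBHOOK_RE.finditer(line):
                masked = m.group(0).rsplit("/", 1)[0] + "/<token>"
                hits.append({"file": filename, "line": lineno, "url": masked})
    return hits


# Constructed sample input: a requirements file that pulls in one of the
# reported package names (with different casing and separators).
SAMPLE_REQUIREMENTS = """\
requests==2.28.1
# pulled in by a tutorial install script
TikTok_Filter_API>=0.1
numpy
"""

# Constructed package sources; the webhook URL is a placeholder, not a real one.
SAMPLE_SOURCES = {
    "tiktok_filter_api/__init__.py": (
        "import requests\n"
        "# constructed stand-in for a hard-coded exfiltration endpoint\n"
        "WEBHOOK = 'https://discord.com/api/webhooks/000000000000000000/PLACEHOLDER_TOKEN'\n"
    ),
    "tiktok_filter_api/filters.py": "def unfilter(video):\n    return video\n",
}

if __name__ == "__main__":
    print("flagged requirements:", flag_requirements(SAMPLE_REQUIREMENTS))
    print("hard-coded webhooks:", find_webhooks(SAMPLE_SOURCES))
```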
(SecurityAffairs – hacking, TikTok)
The post Attackers abused the popular TikTok Invisible Challenge to spread info-stealer appeared first on Security Affairs.
- Security Affairs
- China-linked UNC4191 APT relies on USB Devices in attacks against entities in the Philippines
An alleged China-linked cyberespionage group, tracked as UNC4191, used USB devices in attacks aimed at Philippines entities.
Mandiant researchers spotted an alleged China-linked cyberespionage group, tracked as UNC4191, leveraging USB devices as attack vectors in campaigns aimed at Philippines entities.
This campaign has been active since at least September 2021 and has targeted public and private sector entities primarily in Southeast Asia, along with organizations in the U.S., Europe, and APJ.
“UNC4191 operations have affected a range of public and private sector entities primarily in Southeast Asia and extending to the U.S., Europe, and APJ; however, even when targeted organizations were based in other locations, the specific systems targeted by UNC4191 were also found to be physically located in the Philippines.” reads the analysis published by Mandiant.
The attackers leveraged legitimately signed binaries to side-load malware; experts observed the use of three new families, tracked by Mandiant as MISTCLOAK, DARKDEW, and BLUEHAZE. Details of these malware families are reported below:
| MISTCLOAK | A launcher written in C++ that executes an encrypted executable payload stored in a file on disk. |
| BLUEHAZE | A launcher written in C/C++ that launches a copy of NCAT to create a reverse shell to a hardcoded command and control (C2). |
| DARKDEW | A dropper written in C++ that is capable of infecting removable drives. |
| NCAT | A command-line networking utility written for the Nmap Project to perform a wide variety of security and administration tasks. While NCAT may be used for legitimate purposes, threat actors may also use it to upload or download files, create backdoors or reverse shells, and tunnel traffic to evade network controls. |
“The infection chain begins when a user plugs in a compromised removable device and manually executes a renamed signed binary from the root directory of the storage volume (T1091). The initial binaries—named Removable Drive.exe or USB Drive.exe—are versions of a legitimately signed application called USB Network Gate, developed by the company Electronic Team, Inc.” continues the report. “These are used to side-load the MISTCLOAK malware that impersonates a legitimate DLL.”
Once the target system has been compromised, UNC4191 deploys a renamed NCAT binary and executes a reverse shell to maintain a foothold in the infected system.
The malicious code shows wormable capabilities and replicates by infecting new removable drives that are plugged into a compromised system. This means that the malicious payloads propagate to additional systems and potentially compromise air-gapped systems.
Mandiant researchers observed threat actors enumerating domain trusts and querying domain and local group permissions in a time span of several minutes.
“We believe this activity showcases Chinese operations to gain and maintain access to public and private entities for the purposes of intelligence collection related to China’s political and commercial interests. Our observations suggest that entities in the Philippines are the main target of this operation based on the number of affected systems located in this country that were identified by Mandiant.” Mandiant concludes.
(SecurityAffairs – hacking, UNC4191)
The post China-linked UNC4191 APT relies on USB Devices in attacks against entities in the Philippines appeared first on Security Affairs.
- Security Affairs
- ENC Security, the encryption provider for Sony and Lexar, leaked sensitive data for over a year
CyberNews experts discovered that ENC Security, a Netherlands software company, had been leaking critical business data since May 2021.
Original post at https://cybernews.com/security/encsecurity-leaked-sensitive-data/
When you buy a Sony, Lexar, or Sandisk USB key or any other storage device, it comes with an encryption solution to keep your data safe. The software is developed by a third-party vendor – ENC Security.
The Netherlands-based company, with 12 million users worldwide, provides “military-grade data protection” solutions with its popular DataVault encryption software.
As it turns out, ENC Security had been leaking its configuration and certificate files for more than a year, the Cybernews research team discovered.
“The data that was leaking for over a year is nothing less than a goldmine for threat actors,” Cybernews researcher Martynas Vareikis said.
The company said a misconfiguration by a third-party supplier caused the issue and fixed it immediately upon notification.
The data inside the leaky server included Simple Mail Transfer Protocol (SMTP) credentials for sales channels, the single payment platform’s Adyen keys, email marketing company’s Mailchimp API keys, licensing payment API keys, HMAC message authentication codes, and public and private keys stored in .pem format.
The data was accessible from 27 May 2021 up until 9 November 2022. The server was closed after Cybernews disclosed the vulnerability to ENC Security.
According to Vareikis, the discovery is worrying since bad actors could exploit the aforementioned data for a variety of cyberattacks – from phishing to ransomware.
For example, sales communication channels could be used to phish clients by sending them fake invoices or spreading malware via trusted email addresses.
“Mailchimp API keys add even more value for the malicious actors interested in phishing campaigns, as it allows them to send massive marketing campaigns and view/collect leads. Having a client list and the ability to use real email for phishing campaigns is nothing less than a goldmine for threat actors,” Vareikis explained.
Ransomware operators exploit .pem files – the keys left inside could result in unauthorized access or even a server takeover.
The repercussions of such a takeover could be devastating. Threat actors might switch the download file with an infected one.
“Having clients such as SanDisk, Sony, Lexar, and more promoting (TrustPilot reviewers complain being forced into using this software when purchasing thumb drives) your infected files would produce one of the biggest ransomware campaigns yet,” Vareikis explained.
ENC Security says its solution is downloaded over 2,000 times monthly.
Payment API keys could expose sensitive client information to the public.
ENC Security said it had taken swift action after analyzing the issue discovered by the Cybernews research team. The vulnerability concerned a misconfiguration by a third-party supplier, ENC Security told Cybernews. The issue is now resolved.
“At ENC Security we take the security and protection of our data seriously. Every finding is thoroughly researched and remediated with appropriate measures. Relevant measures are taken when required, amongst which security measures, informing customers and further enhancing security,” the company’s spokesperson said.
Vareikis believes the Cybernews discovery is no less worrying than researcher Sylvain Pelissier’s discovery in December 2021.
If you want to read more about Pelissier’s discovery read the post published by CyberNews.
About the author: Jurgita Lapienytė, Chief Editor at CyberNews
(SecurityAffairs – hacking, ENC Security)
The post ENC Security, the encryption provider for Sony and Lexar, leaked sensitive data for over a year appeared first on Security Affairs.
- Security Affairs
- Threat actors are offering access to corporate networks via unauthorized Fortinet VPN access
Cyble observed Initial Access Brokers (IABs) offering access to enterprise networks compromised via a critical flaw in Fortinet products.
Researchers at Cyble have observed initial access brokers (IABs) selling access to enterprise networks likely compromised via a recently patched critical flaw, tracked as CVE-2022-40684, in Fortinet products.
In early October, Fortinet addressed the critical authentication bypass flaw, tracked as CVE-2022-40684, that impacted FortiGate firewalls and FortiProxy web proxies.
The company explained that an attacker can exploit the vulnerability to log into vulnerable devices.
“An authentication bypass using an alternate path or channel [CWE-88] in FortiOS and FortiProxy may allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests,” reads the customer support bulletin issued by the company.
The company urged customers to address this critical vulnerability immediately due to the risk of remote exploitation of the flaw.
The vulnerability impacts FortiOS versions from 7.0.0 to 7.0.6 and from 7.2.0 to 7.2.1, and FortiProxy versions from 7.0.0 to 7.0.6 and 7.2.0.
The cybersecurity firm addressed the flaw with the release of FortiOS/FortiProxy versions 7.0.7 and 7.2.2.
The company also provides a workaround for those who can’t immediately deploy security updates.
Customers that are not able to upgrade their systems should restrict access to their devices to a specific set of IP addresses.
On October 18, Fortinet confirmed the critical authentication bypass vulnerability is being exploited in the wild.
“Fortinet is aware of an instance where this vulnerability was exploited, and recommends immediately validating your systems against the following indicator of compromise in the device’s logs: user="Local_Process_Access",” continues the advisory.
Proof-of-concept (PoC) exploit code for the CVE-2022-40684 flaw has been released online. Its public availability can fuel a wave of attacks targeting Fortinet devices.
In October, the Shadowserver Foundation reported that more than 17K Fortinet devices exposed online were vulnerable to attacks exploiting the CVE-2022-40684 flaw, most of them in Germany and in the US.
Cyble researchers now report more than 100,000 FortiGate firewalls accessible from the internet that may be targeted by threat actors if not yet patched.
Threat actors might exploit the vulnerability to perform malicious activities such as:
- Modify the admin users’ SSH keys to enable the attacker to log in to the compromised system.
- Add new local users.
- Update networking configurations to reroute traffic.
- Download the system configuration.
- Initiate packet captures to capture other sensitive system information.
- The sensitive system information, system configurations, and network details might be further distributed over the dark web.
“While during routine monitoring, researchers at Cyble observed a Threat Actor (TA) distributing multiple unauthorized Fortinet VPN access over one of the Russian cybercrime forums,” reads the analysis published by Cyble.
“While analyzing the access, it was found that the attacker was attempting to add their own public key to the admin user’s account. As per intelligence gathered from sources, the victim organizations were using outdated FortiOS. Hence, with high confidence, we conclude that the Threat Actor behind this sale exploited CVE-2022-40684.”
Cyble researchers observed that threat actors have been targeting Fortinet instances since October 17, 2022.
“The authentication bypass vulnerability in Fortinet products allows an unauthenticated attacker to perform operations on the administrative interface. With large numbers of exposed assets that belong to private-public entities exposed over the internet, the vulnerability falls under the critical category.” concludes the post. “Publicly distributed Proof of Concepts (POCs) and automation tools have made it more convenient for attackers to target victim organizations within a few days of the announcement of the new CVE.”
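The advisory's log indicator and the restrict-by-IP workaround above can both be checked mechanically. The following is an added example, not Fortinet's or Cyble's code: it parses FortiGate-style key=value event log lines, flags entries attributed to user="Local_Process_Access", and flags admin events whose client address lies outside an allowlist. The sample log lines are constructed, and every field name other than user= is an assumption about FortiGate's log layout.

```python
"""Check FortiGate / FortiProxy event logs for the CVE-2022-40684 indicator of
compromise quoted from Fortinet's advisory (user="Local_Process_Access") and
for admin-interface access from outside an IP allowlist, the workaround
Fortinet suggests for customers that cannot upgrade.

Added example, not Fortinet's or Cyble's code. The log lines below are
constructed. Only the value user="Local_Process_Access" is taken from the
advisory; the other fields (type, subtype, ui, action, cfgpath, msg, ...)
follow FortiGate's general key=value log style but are assumed here.
"""
import ipaddress
import re
from typing import Dict, Iterable, List

IOC_USER = "Local_Process_Access"

# One key=value pair: the value is a double-quoted string (may contain spaces
# and escaped quotes) or a bare token with no whitespace.
_KV_RE = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')
# The ui field of admin events is assumed to look like https(203.0.113.10).
_UI_IP_RE = re.compile(r"\(([0-9a-fA-F.:]+)\)")


def parse_fortigate_line(line: str) -> Dict[str, str]:
    """Turn one space-separated key=value log line into a dict."""
    fields: Dict[str, str] = {}
    for m in _KV_RE.finditer(line):
        quoted, bare = m.group(2), m.group(3)
        fields[m.group(1)] = quoted if quoted is not None else bare
    return fields


def source_ip(fields: Dict[str, str]) -> str:
    """Extract the client IP from a ui value such as https(203.0.113.10)."""
    m = _UI_IP_RE.search(fields.get("ui", ""))
    return m.group(1) if m else ""


def scan_log(lines: Iterable[str],
             admin_allowlist: Iterable[str] = ()) -> List[Dict[str, str]]:
    """Return one finding per suspicious line.

    reason "ioc_local_process_access": the advisory's indicator of compromise.
    reason "admin_access_outside_allowlist": a system event whose client IP is
    not inside any allowlisted network (only checked when an allowlist is given).
    """
    networks = [ipaddress.ip_network(n, strict=False) for n in admin_allowlist]
    findings = []
    for line in lines:
        f = parse_fortigate_line(line)
        reason = None
        if f.get("user") == IOC_USER:
            reason = "ioc_local_process_access"
        elif networks and f.get("type") == "event" and f.get("subtype") == "system":
            ip = source_ip(f)
            if ip and not any(ipaddress.ip_address(ip) in n for n in networks):
                reason = "admin_access_outside_allowlist"
        if reason:
            findings.append({
                "reason": reason,
                "time": f"{f.get('date', '')} {f.get('time', '')}",
                "user": f.get("user", ""),
                "ui": f.get("ui", ""),
                "msg": f.get("msg", ""),
            })
    return findings


# Constructed sample log (documentation IP ranges, assumed field layout).
SAMPLE_LOG = [
    # Benign: administrator logs in from an allowlisted management host.
    'date=2022-10-20 time=09:12:01 type="event" subtype="system" level="information" '
    'vd="root" user="admin" ui="https(203.0.113.10)" action="login" status="success" '
    'msg="Administrator admin logged in successfully from https(203.0.113.10)"',
    # IoC: a configuration change attributed to Local_Process_Access, here editing
    # an admin account's SSH key, the behaviour Cyble described in the sold access.
    'date=2022-10-20 time=09:13:44 type="event" subtype="system" level="information" '
    'vd="root" user="Local_Process_Access" ui="jsconsole" action="Edit" '
    'cfgpath="system.admin" cfgobj="admin" cfgattr="ssh-public-key1[*]" '
    'msg="Edit system.admin admin"',
    # Admin login from an address outside the allowlist: worth a look even
    # without the IoC string.
    'date=2022-10-20 time=09:20:05 type="event" subtype="system" level="information" '
    'vd="root" user="admin" ui="https(198.51.100.77)" action="login" status="success" '
    'msg="Administrator admin logged in successfully from https(198.51.100.77)"',
    # Unrelated traffic log line, ignored by both checks.
    'date=2022-10-20 time=09:21:00 type="traffic" subtype="forward" srcip=10.0.0.5 '
    'dstip=203.0.113.50 action="accept" msg="forwarded"',
]

ALLOWLIST = ["203.0.113.0/24"]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG, ALLOWLIST):
        print(finding)
```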
(SecurityAffairs – hacking, Fortinet)
The post Threat actors are offering access to corporate networks via unauthorized Fortinet VPN access appeared first on Security Affairs.
- Security Affairs
- CISA adds Oracle Fusion Middleware flaw to its Known Exploited Vulnerabilities Catalog
CISA added a critical flaw impacting Oracle Fusion Middleware, tracked as CVE-2021-35587, to its Known Exploited Vulnerabilities Catalog.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a critical vulnerability impacting Oracle Fusion Middleware, tracked as CVE-2021-35587 (CVSS 3.1 Base Score 9.8), to its Known Exploited Vulnerabilities Catalog.
An unauthenticated attacker with network access via HTTP can exploit the vulnerability to compromise Oracle Access Manager.
“Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. Successful attacks of this vulnerability can result in takeover of Oracle Access Manager. CVSS 3.1 Base Score 9.8,” states the NIST advisory.
The flaw was reported in March and affects versions 18.104.22.168.0, 22.214.171.124.0 and 126.96.36.199.0. The IT giant fixed the issue in January with the release of the Critical Patch Update.
“This vulnerability was discovered by accident by me and Peterjson while we were analyzing and building PoC for another mega-0day (which is still not fixed by now),” reads the post published by security researcher Nguyen Jang (Janggggg), who reported the flaw alongside peterjson. “It’s quite easy to access the entrypoint and exploit the vulnerability, so it’s recommended to apply the patch now! It may give the attacker access to OAM server, to create any user with any privileges, or just get code execution in the victim’s server.”
Below is the video PoC published by Nguyen Jang.
CISA orders federal agencies to fix these vulnerabilities by December 19, 2022.
(SecurityAffairs – hacking, CISA)
The post CISA adds Oracle Fusion Middleware flaw to its Known Exploited Vulnerabilities Catalog appeared first on Security Affairs.
- KitPloit - PenTest & Hacking Tools
- Pycrypt - Python Based Crypter That Can Bypass Any Kinds Of Antivirus Products
How To Use:
- Find Any Python Based Backdoor/RAT on github.
- Crypt its payload with pycrypt
- Now Convert crypted payload to exe using pyinstaller
- Don't upload any payloads to VirusTotal.com, because this tool will not work over time.
- VirusTotal shares signatures with AV companies.
- Again Don't be an Idiot!
KleenScan Scanner Result:-
- Generated stub.py Result:- https://kleenscan.com/scan_result/39e61c692ee91dd6cd48aca77a8bb220ef27fcc40df75807d4a1f96b4db8df69
- Crypter Code Result:- https://kleenscan.com/scan_result/24487da561419105e29cabd5fc66c503ee767719029fae2f9a041b04d6a75d4b
*:- For Windows: https://www.python.org/ftp/python/3.10.7/python-3.10.7-amd64.exe
*:- For Linux:
- sudo apt-get install python3
- sudo apt-get install python3-pip
- Make Sure Python3 And Pip Installed
- pip install termcolor
- pip install requests
How To Run:-
*:- For Windows:-
- Make sure python3 and pip are installed and the requirements are also installed
- python pycrypt.py
- Then give the path of your payload file and enjoy
*:- For Linux:-
- Make sure all requirements are installed.
- python3 pycrypt.py
- Then enter the path of your payload file and enjoy
- Linux Based Os
How To Install:
- git clone https://github.com/pycrypt
- cd pycrypt
- python3 pycrypt.py
- FUD Ratio 0/40
- Bypass Any EDR's Solutions
- Lightweight Crypter
- Very Small And Simple Crypter
Use this tool only for educational purposes; I will not be responsible for your cruel acts.
In today’s technological world, educating people about cybersecurity awareness is an absolute necessity.
According to one report, 82% of data breaches involved the human element, from social attacks to misuse of technologies. These errors are not always entirely preventable, as some level of human error is inevitable, but proper training in cybersecurity awareness can greatly decrease the likelihood of human mistakes leading to data breaches. Due to the increasing use of digital tools for business operations and reliance on employee conduct to ensure security, new solutions are required.
While cybersecurity awareness training can take many forms, most training programs are computer-based. It is important when developing and implementing these programs to be aware of what methods of education work best. This training must reach users who may not have any background or knowledge in cybersecurity, and it must be effective enough to ensure that security is “not only top of mind, but a fluent language.”
In service of that end, gamification is a highly effective tactic. There are many benefits to gamifying your approach to cybersecurity awareness training, all of which contribute to the goal of educating employees and decreasing risk. Gamification incentivizes and motivates employees to be more engaged, participate more actively, retain information, and implement behavioral changes moving forward.
Below are five tips to gamify your cybersecurity awareness training program.
1. Visual Aids
One of the most basic elements of gamification is the use of visual aids. Visual aids such as graphs, charts, pictures, or videos are a quick and efficient way to convey information that might be harder to understand in text format. Statistics and numerical data are easily transferable into a visual format, and other information can also be translated into this context. These visual aids can help to keep employees engaged with the content by breaking up what could otherwise be a monotonous block of text. They are also often more easily remembered.
2. Rewards
Offering rewards for completion or performance is an incredible motivator. Whether the rewards are simply in-game points or real-life prizes like gift cards, the possibility of receiving something back for their hard work is a good incentive for employees to not only do the training, but pay attention and perform well. While there have previously been policies in place to administer consequences to employees who do not adhere to security measures, the implementation of positive repercussions is just as important in ensuring maximum retention and compliance.
3. Quizzes
Multiple results can be achieved with one simple tool in the form of quizzes. Quizzing employees on their training necessitates them paying attention to the training and retaining information that is vital for cybersecurity. It also presents them with a situation where their performance determines their score, and performing well on a quiz might earn them a reward. If quizzes are leveraged for healthy competition, employees can be even more motivated to do well.
4. Simulations
There are many different ways to deploy simulations in cybersecurity awareness training. Putting employees in a situation that mirrors a real-life attack, whether it be phishing emails or data breaches, gives them an opportunity to practice how they would respond should the real thing occur. This is similar to the idea behind fire drills: it is one thing to be told how to respond in case of an unfortunate event, and another thing entirely to actually go through the process of responding to it. Additionally, simulated security events are helpful for impressing upon employees that their training is not merely theoretical and that they will be expected to know what to do in a real-life attack.
5. Team Exercises
Adding social elements to your cybersecurity awareness training is a good practice because it allows employees to work together just as they would have to in the event of an attack. Employees who feel isolated during their training may not trust their colleagues to be reliable in this area, whereas employees who have worked together in training are more likely to be able to work together in practice. Cooperation is key, not just for security breaches, but for all aspects of a business. Employees who understand their role in a team and know how to work together to solve problems are not just better prepared in terms of cybersecurity awareness, but also better prepared to carry out their normal operations.
The digital landscape is constantly changing, and cyber threats are evolving as well. This, combined with the human tendency to forget information or push it to the back of our minds after a while, means that ongoing training is vital. Refreshing information that employees have previously learned and providing new information that has emerged in the intervening time will help employees to understand that their cybersecurity awareness training is always relevant and present, rather than a distant concern. Depending on the frequency of training and the methods used, this can also allow you to track employees’ progress over time and potentially bestow rewards for consistently good performance or improvement.
As with many things in life, cybersecurity awareness training is often considered a necessary evil. While it is necessary, it does not have to be an evil at all. Gamification is a highly effective tactic to make sure that employees understand and internalize important information, and possibly even look forward to their training sessions. By leveraging simple concepts of rewards, teamwork, simulations, quizzes, and visual aids, you can give your employees an experience that is more engaging, more entertaining, and more effective than traditional methods.
About the Author: PJ Bradley is a writer on a wide variety of topics, passionate about learning and helping people above all else. Holding a bachelor’s degree from Oakland University, PJ enjoys using a lifelong desire to understand how things work to write about subjects that inspire interest. Most of PJ’s free time is spent reading and writing. PJ is also a regular writer at Bora.
(SecurityAffairs – hacking, cyberSecurity)
The post Tips for Gamifying Your Cybersecurity Awareness Training Program appeared first on Security Affairs.
Irish data protection commission (DPC) fined Meta for not protecting Facebook’s users’ data from scraping.
Meta has been fined €265 million ($275.5 million) by the Irish data protection commission (DPC) for the data leak suffered by Facebook in 2021 that exposed the data belonging to millions of Facebook users.
The Data Protection Commission is also imposing a range of corrective measures on Meta.
“The Data Protection Commission (DPC) has today announced the conclusion to an inquiry into Meta Platforms Ireland Limited (MPIL), data controller of the “Facebook” social media network, imposing a fine of €265 million and a range of corrective measures.” reads the DPC’s press release.
On April 3rd, 2021, a user leaked the phone numbers and personal data of 533 million Facebook users in a hacking forum for free online.
The availability of the data was first reported by Alon Gal, CTO of cyber intelligence firm Hudson Rock.
The data of Facebook users from 106 countries was available for free, with over 32 million records belonging to users from the US, 11 million from the UK, and 6 million from India. Leaked data included users’ phone numbers, Facebook IDs, full names, locations, birthdates, bios, and for some accounts the associated email addresses.
Immediately after the disclosure of the data leak, the Irish DPC launched an investigation into potential GDPR violations by Meta. The data was amassed by threat actors exploiting a vulnerability, fixed in 2019, that allowed data scraping from the social network.
“The company, at the time known as Facebook, said the data had been gathered by what it said were malicious actors who misused a Facebook tool called “Contact Importer” to upload a large volume of phone numbers to see which ones matched the service’s users.” reported the WSJ. “On Monday, the company reiterated that it had removed the ability to use phone numbers to scrape its services in this way in 2019.”
The DPC has now concluded the investigation and found that Meta violated the GDPR by not implementing appropriate technical and organizational measures and not adopting the safeguards required by the European regulation.
“The decision, which was adopted on Friday, 25 November 2022, records findings of infringement of Articles 25(1) and 25(2) GDPR. The decision imposed a reprimand and an order requiring MPIL to bring its processing into compliance by taking a range of specified remedial actions within a particular timeframe.” continues the press release.
Meta declared that it has made multiple changes to better safeguard users’ data since the incident took place. The Irish privacy regulator revealed it has several dozen more ongoing cases involving multiple tech giants.
(SecurityAffairs – hacking, Meta)
The post Irish data protection commission fines Meta over 2021 data-scraping leak appeared first on Security Affairs.
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2022-11-14 to 2022-11-28.
- A Confused Deputy Vulnerability in AWS AppSync. The cloud is just someone else's computer. And sometimes it has vulnerabilities too. This one is particularly bad; case insensitivity led to the ability to access resources in other AWS accounts - aka the worst thing possible in a cloud provider. There is a reason some workloads should stay on prem - but only if your on prem security is better than AWS's ability to prevent cross account access (unlikely).
- Stable Diffusion 2.0 Release. AI is shaping up to be a major disruptor. Play with it locally with DiffusionBee. Want to be more awed by the power of AI? Read this.
- Researchers Quietly Cracked Zeppelin Ransomware Keys. Score one for the good guys.
- CVE-2022-41622 and CVE-2022-41800 (FIXED): F5 BIG-IP and iControl REST Vulnerabilities and Exposures. Another border device manufacturer with RCE...
Techniques and Write-ups
- Nighthawk: An Up-and-Coming Pentest Tool Likely to Gain Threat Actor Notice. This post digs into some of the technical details of the Nighthawk commercial C2 agent. MDSec claims the same was collected as part of legitimate red team activity and posted their own rebuttal: Nighthawk: With Great Power Comes Great Responsibility.
- Mind the Gap. TLDR: The patch gap is real, take advantage of it.
- A dive into Microsoft Defender for Identity. Some good ideas for detecting MDI after you land a phish or start an internal assessment with low privileges.
- Microsoft Defender for Identity Encrypted Password. More MDI fun, along with a tool release: Microsoft-Defender-for-Identity-Encrypted-Password.
- An End to KASLR Bypasses? The new THREATINT_PROCESS_SYSCALL_USAGE ETW event coming to Windows 11 23H2 might make API-based kernel address leaks, VM detection, and hardware persistence more difficult to get away with undetected.
- CVE-2022-40300: SQL Injection in ManageEngine Privileged Access Management. "A remote authenticated attacker can exploit the vulnerability by sending a crafted request to the target server. Successful exploitation could lead to arbitrary SQL code execution in the security context of the database service, which runs with SYSTEM privileges."
- Chrome Browser Exploitation, Part 2: Introduction to Ignition, Sparkplug and JIT Compilation via TurboFan. Another meaty post on Chrome internals and exploitation - the best browser exploit series since Connor McGarr's posts on Edge exploitation.
- Analysing Misconfigured Firebase Apps: A Tale of Unearthing Data Breaches (Wave 10). Back in the day I worked on an app with a firebase backend and the permission model was non-trivial. Not surprised this research showed that 20% of tested firebase instances exposed data. Want to try your hand at it? Check out firebaseExploiter.
- Tips and Tricks: Debugging .NET Malware in a Multi-Stage Malware Deployment. .NET may be easy to decompile but it can still be tricky to trace a multi-stage dropper all the way back.
- The Art of Bypassing Kerberoast Detections with Orpheus. Kerberoasting becomes fully customizable with the orpheus tool. Beware of honeySPNs, but otherwise, targeted-roast away!
- macOS Sandbox Escape vulnerability via Terminal. One ENV variable could be set to escape the sandbox on macOS!
- Yet Another Azure VM Persistence Using Bastion Shareable Links. Convenient.
Tools and Exploits
- Sapling: A Scalable, User-Friendly Source Control System. Meta open sourced their in house version control system. Don't worry, it's written in Rust.
- BrokenFlow A simple PoC to invoke an encrypted shellcode by using a hidden call.
- nanorobeus COFF file (BOF) for managing Kerberos tickets.
- GCTI CobaltStrike rules. 165 yara rules for CobaltStrike. More info here.
- ReverseSock5Proxy A tiny reverse SOCKS5 proxy written in C.
- psmsi Create MSIs using PowerShell.
- MemoryEvasion A Cobalt Strike memory evasion loader for redteamers.
- geacon_pro A cross-platform Cobalt Strike Beacon written in Go, supports 4.1+.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- nuvola is a tool to dump and perform automatic and manual security analysis on AWS environment configurations and services using predefined, extensible and custom rules written in a simple YAML syntax.
- ofrak is a binary analysis and modification platform that combines the ability to unpack, analyze, modify, and repack binaries.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.
A recent scoop by Reuters revealed that mobile apps for the U.S. Army and the Centers for Disease Control and Prevention (CDC) were integrating software that sends visitor data to a Russian company called Pushwoosh, which claims to be based in the United States. But that story omitted an important historical detail about Pushwoosh: In 2013, one of its developers admitted to authoring the Pincer Trojan, malware designed to surreptitiously intercept and forward text messages from Android mobile devices.
Pushwoosh says it is a U.S. based company that provides code for software developers to profile smartphone app users based on their online activity, allowing them to send tailor-made notifications. But a recent investigation by Reuters raised questions about the company’s real location and truthfulness.
The Army told Reuters it removed an app containing Pushwoosh in March, citing “security concerns.” The Army app was used by soldiers at one of the nation’s main combat training bases.
Reuters said the CDC likewise recently removed Pushwoosh code from its app over security concerns, after reporters informed the agency Pushwoosh was not based in the Washington D.C. area — as the company had represented — but was instead operated from Novosibirsk, Russia.
Pushwoosh’s software also was found in apps for “a wide array of international companies, influential nonprofits and government agencies from global consumer goods company Unilever and the Union of European Football Associations (UEFA) to the politically powerful U.S. gun lobby, the National Rifle Association (NRA), and Britain’s Labour Party.”
The company’s founder Max Konev told Reuters Pushwoosh “has no connection with the Russian government of any kind” and that it stores its data in the United States and Germany.
But Reuters found that while Pushwoosh’s social media and U.S. regulatory filings present it as a U.S. company based variously in California, Maryland and Washington, D.C., the company’s employees are located in Novosibirsk, Russia.
Reuters also learned that the company’s address in California does not exist, and that two LinkedIn accounts for Pushwoosh employees in Washington, D.C. were fake.
“Pushwoosh never mentioned it was Russian-based in eight annual filings in the U.S. state of Delaware, where it is registered, an omission which could violate state law,” Reuters reported.
Pushwoosh admitted the LinkedIn profiles were fake, but said they were created by a marketing firm to drum up business for the company — not misrepresent its location.
Pushwoosh told Reuters it used addresses in the Washington, D.C. area to “receive business correspondence” during the coronavirus pandemic. A review of the Pushwoosh founder’s online presence via Constella Intelligence shows his Pushwoosh email address was tied to a phone number in Washington, D.C. that was also connected to email addresses and account profiles for over a dozen other Pushwoosh employees.
Pushwoosh was incorporated in Novosibirsk, Russia in 2016.
THE PINCER TROJAN CONNECTION
The dust-up over Pushwoosh came in part from data gathered by Zach Edwards, a security researcher who until recently worked for the Internet Safety Labs, a nonprofit organization that funds research into online threats.
Edwards said Pushwoosh began as Arello-Mobile, and for several years the two co-branded — appearing side by side at various technology expos. Around 2016, he said, the two companies both started using the Pushwoosh name.
A search on Pushwoosh’s code base shows that one of the company’s longtime developers is a 41-year-old from Novosibirsk named Yuri Shmakov. In 2013, KrebsOnSecurity interviewed Shmakov for the story, “Who Wrote the Pincer Android Trojan?” wherein Shmakov acknowledged writing the malware as a freelance project.
Shmakov told me that, based on the client’s specifications, he suspected it might ultimately be put to nefarious uses. Even so, he completed the job and signed his work by including his nickname in the app’s code.
“I was working on this app for some months, and I was hoping that it would be really helpful,” Shmakov wrote. “[The] idea of this app is that you can set it up as a spam filter…block some calls and SMS remotely, from a Web service. I hoped that this will be [some kind of] blacklist, with logging about blocked [messages/calls]. But of course, I understood that client [did] not really want this.”
Shmakov did not respond to requests for comment. His LinkedIn profile says he stopped working for Arello Mobile in 2016, and that he currently is employed full-time as the Android team leader at an online betting company.
In a blog post responding to the Reuters story, Pushwoosh said it is a privately held company incorporated under the state laws of Delaware, USA, and that Pushwoosh Inc. was never owned by any company registered in the Russian Federation.
“Pushwoosh Inc. used to outsource development parts of the product to the Russian company in Novosibirsk, mentioned in the article,” the company said. “However, in February 2022, Pushwoosh Inc. terminated the contract.”
However, Edwards noted that dozens of developer subdomains on Pushwoosh’s main domain still point to JSC Avantel, an Internet provider based in Novosibirsk, Russia.
Edwards said the U.S. Army’s app had a custom Pushwoosh configuration that did not appear on any other customer implementation.
An Army Times article published the day after the Reuters story ran said at least 1,000 people downloaded the app, which “delivered updates for troops at the National Training Center on Fort Irwin, Calif., a critical waypoint for deploying units to test their battlefield prowess before heading overseas.”
In April 2022, roughly 4,500 Army personnel converged on the National Training Center for a war games exercise on how to use lessons learned from Russia’s war against Ukraine to prepare for future fights against a major adversary such as Russia or China.
Edwards said despite Pushwoosh’s many prevarications, the company’s software doesn’t appear to have done anything untoward to its customers or users.
“Nothing they did has been seen to be malicious,” he said. “Other than completely lying about where they are, where their data is being hosted, and where they have infrastructure.”
Edwards also found Pushwoosh’s technology embedded in nearly two dozen mobile apps that were sold to cities and towns across Illinois as a way to help citizens access general information about their local communities and officials.
The Illinois apps that bundled Pushwoosh’s technology were produced by a company called Government 311, which is owned by Bill McCarty, the current director of the Springfield Office of Budget and Management. A 2014 story in The State Journal-Register said Gov 311’s pricing was based on population, and that the app would cost around $2,500 per year for a city with approximately 25,000 people.
McCarty told KrebsOnSecurity that his company stopped using Pushwoosh “years ago,” and that it now relies on its own technology to provide push notifications through its 311 apps.
But Edwards found some of the 311 apps still try to phone home to Pushwoosh, such as the 311 app for Riverton, Ill.
“Riverton ceased being a client several years ago, which [is] probably why their app was never updated to change out Pushwoosh,” McCarty explained. “We are in the process of updating all client apps and a website refresh. As part of that, old unused apps like Riverton 311 will be deleted.”
FOREIGN ADTECH THREAT?
Edwards said it’s far from clear how many other state and local government apps and Web sites rely on technology that sends user data to U.S. adversaries overseas. In July, Congress introduced an amended version of the Intelligence Authorization Act for 2023, which included a new section focusing on data drawn from online ad auctions that could be used to geolocate individuals or gain other information about them.
Business Insider reports that if this section makes it into the final version — which the Senate also has to pass — the Office for the Director of National Intelligence (ODNI) will have 60 days after the Act becomes law to produce a risk assessment. The assessment will look into “the counterintelligence risks of, and the exposure of intelligence community personnel to, tracking by foreign adversaries through advertising technology data,” the Act states.
Edwards says he’s hoping those changes pass, because what he found with Pushwoosh is likely just a drop in a bucket.
“I’m hoping that Congress acts on that,” he said. “If they were to put a requirement that there’s an annual audit of risks from foreign ad tech, that would at least force people to identify and document those connections.”
ESET announced the discovery of a vulnerability impacting Acer laptops that can allow an attacker to deactivate UEFI Secure Boot.
ESET researchers announced in a series of tweets the discovery of a vulnerability impacting Acer laptops; the issue can allow an attacker to deactivate UEFI Secure Boot.
As in Lenovo’s case, an attacker can trigger the issue to deactivate UEFI Secure Boot by creating an NVRAM variable directly from the OS.
Secure Boot is a security feature of the latest Unified Extensible Firmware Interface (UEFI) 2.3.1 specification, designed to detect tampering with boot loaders, key operating system files, and unauthorized option ROMs by validating their digital signatures. “Detections are blocked from running before they can attack or infect the system.”
An attacker that is able to bypass Secure Boot could bypass any security measure running on the machine and achieve persistence even if the OS is reinstalled.
CVE-2022-4020 impacts certain versions of the Acer Aspire A315-22; the vulnerability resides in the HQSwSmiDxe DXE driver on these consumer Acer notebook devices. Similar to the Lenovo issues, an attacker with elevated privileges can exploit the bug to modify UEFI Secure Boot settings by modifying an NVRAM variable. The DXE driver BootOrderDxe simply disables UEFI Secure Boot if the NVRAM variable “BootOrderSecureBootDisable” exists.
ESET explained that the flaw affects only 5 devices: Aspire A315-22/22G, A115-21 and Extensa EX215-21/21G. According to Acer, an update should be distributed as a critical Windows update. Alternatively, the updated BIOS version can be downloaded here.
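A defender-side check for the indicator the article names, written as an added example rather than ESET's or the article's code: it reads the Linux efivarfs view of NVRAM, reports the firmware's SecureBoot value, and flags any variable named BootOrderSecureBootDisable. It assumes the efivarfs mount at /sys/firmware/efi/efivars on a real host; the vendor GUID used in the constructed snapshot is a placeholder, since the article does not publish one.

```python
import struct
import tempfile
from pathlib import Path

# EFI_GLOBAL_VARIABLE vendor GUID, which qualifies the standard SecureBoot variable.
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
# Variable name from the ESET advisory; its vendor GUID is not published, so match by name.
KILL_SWITCH_NAME = "BootOrderSecureBootDisable"

def read_efivar(path):
    """Split an efivarfs file into (attribute mask, payload): 4-byte LE attrs, then data."""
    raw = Path(path).read_bytes()
    if len(raw) < 4:
        raise ValueError(f"{path}: too short for an efivarfs entry")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]

def secure_boot_enabled(efivars):
    """True if firmware reports SecureBoot=1, False otherwise, None if the variable is absent."""
    p = Path(efivars) / f"SecureBoot-{EFI_GLOBAL_VARIABLE}"
    if not p.exists():
        return None
    return read_efivar(p)[1][:1] == b"\x01"

def find_disable_variables(efivars):
    """Names of NVRAM variables called BootOrderSecureBootDisable under any vendor GUID."""
    return sorted(e.name for e in Path(efivars).iterdir()
                  if e.name.startswith(KILL_SWITCH_NAME + "-"))

def assess(efivars="/sys/firmware/efi/efivars"):
    """Flag the host as suspect when the kill-switch variable exists, whatever SecureBoot reports."""
    hits = find_disable_variables(efivars)
    return {"secure_boot": secure_boot_enabled(efivars), "disable_vars": hits, "suspect": bool(hits)}

def write_snapshot(root, secure_boot, disable_present):
    """Constructed efivarfs snapshot for offline testing; not captured from real firmware."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    (root / f"SecureBoot-{EFI_GLOBAL_VARIABLE}").write_bytes(
        struct.pack("<I", 0x6) + bytes([1 if secure_boot else 0]))  # BS | RT attrs, 1 data byte
    if disable_present:  # all-zero vendor GUID is a placeholder, not the real one
        (root / f"{KILL_SWITCH_NAME}-00000000-0000-0000-0000-000000000000").write_bytes(
            struct.pack("<I", 0x7) + b"\x01")  # NON_VOLATILE | BS | RT
    return root

def demo():
    """Run the check against a clean snapshot and one carrying the disable variable."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = assess(write_snapshot(Path(tmp) / "clean", True, False))
        tampered = assess(write_snapshot(Path(tmp) / "tampered", False, True))
    return clean, tampered
```

On a patched or unaffected machine the variable's presence is still worth an alert, since it shows someone with elevated privileges wrote to NVRAM.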
The post A flaw in some Acer laptops can be used to bypass security features appeared first on Security Affairs.