Channel: BOT24

KdExploitMe

A kernel driver to practice writing exploits against, as well as some example exploits using public techniques.

more here........https://github.com/clymb3r/KdExploitMe

China ELF botnet malware infection & distribution scheme unleashed

There is so much ELF malware infecting systems, with multiple types of backdoors and DDoS'ers originating from China.

more here........http://blog.malwaremustdie.org/2014/11/china-elf-botnet-malware-infection.html

Gov.uk quietly disrupts the problem of online identity login

The government’s own expert digital design team have spent three years building a new, safe system for verifying users’ identities - now in action on gov.uk.

more here..........http://www.theguardian.com/technology/2014/nov/06/govuk-quietly-disrupts-the-problem-of-online-identity-login

Paper: Cross-Tenant Side-Channel Attacks in PaaS Clouds

We present a new attack framework for conducting cache-based side-channel attacks and demonstrate this framework in attacks between tenants on commercial Platform-as-a-Service (PaaS) clouds. Our framework uses the Flush-Reload attack of Gullasch et al. as a primitive, and extends this work by leveraging it within an automaton-driven strategy for tracing a victim’s execution. We leverage our framework first to confirm co-location of tenants and then to extract secrets across tenant boundaries. We specifically demonstrate attacks to collect potentially sensitive application data (e.g., the number of items in a shopping cart), to hijack user accounts, and to break SAML single sign-on. To the best of our knowledge, our attacks are the first granular, cross-tenant, side-channel attacks successfully demonstrated on state-of-the-art commercial clouds, PaaS or otherwise.

more here...........http://www.cs.unc.edu/~reiter/papers/2014/CCS1.pdf

What Do Attackers Do After Bypassing Defenses?

Vectra Networks, a vendor of real-time detection of in-progress cyber-attacks, has released the first edition of its Post Breach Industry Report, a study using real-world data from enterprise networks to show what attackers do inside a network once they get past perimeter defenses. The report found that every sampled organization had its internal network breached by a cyber-attack, and that 75 percent of hosts with multiple attack detections showed botnet activity.

more here.........http://ist323infosec.wordpress.com/2014/11/09/what-do-attackers-do-after-bypassing-defenses/

Google Calendar XSS

The journey of this report started with the Google Bug Bounty in August 2014 and will focus on Google Apps for domains, which is admin.google.com.
In the admin console there's a component called Google Apps which contains Google services such as Docs, Calendar, etc.
I thought to focus on Calendar and went to check the documents to see if there's a difference between the regular Calendar and Calendar for business.


more here...........http://sasi2103.blogspot.co.il/2014/11/google-me-and-xss.html

[ SUPER FUNDAY MINI SERIES : LINE FORENSIC ARTIFACTS - ANDROID EDITION ]

This is the 2nd article in the “Super Funday Mini Series” about recovering forensics artifacts from mobile applications for your digital forensics investigations.

more here........http://www.vxsecurity.sg/2014/11/09/super-funday-mini-series-line-forensic-artifacts-android-edition/

The Dangers of Hosted Scripts – Hacked jQuery Timers

Google blacklisted a client’s website claiming that malicious content was being displayed from forogozoropoto.2waky.com.

A scan didn’t reveal anything suspicious. The next step was to check all third-party scripts on the website. Soon we found the offending script. It was hxxp://jquery.offput.ca/js/jquery.timers.js – a jQuery Timers plugin that was moderately popular 5-6 years ago.
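
The check a site owner would want after reading this, written as an added example for this digest rather than taken from the Sucuri article: list every script a page loads from a third-party host, compare those hosts against an allow-list (the list here is an assumption you replace with your own), and pin a reviewed copy of any script you keep with a Subresource Integrity hash so the hosted file cannot be swapped underneath you. The HTML is constructed; the jquery.offput.ca URL is the one named in the post.

```python
"""Audit the third-party <script src> tags on a page and pin the ones you keep.

Added example for this digest, not code from the Sucuri post. SAMPLE_HTML is
constructed and APPROVED_HOSTS is an assumption; replace both with your own.
"""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in document order."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value.strip())


def external_scripts(html, page_host):
    """Return script URLs served from a host other than page_host.

    Inline scripts and relative paths live on the page's own origin and are
    skipped; the post's problem is code pulled from someone else's server.
    Scheme-relative "//host/x.js" URLs count as external too.
    """
    parser = _ScriptCollector()
    parser.feed(html)
    external = []
    for src in parser.srcs:
        host = urlparse(src).netloc.lower()
        if host and host != page_host.lower():
            external.append(src)
    return external


def unapproved_hosts(script_urls, allowed_hosts):
    """Flag external scripts whose host is not on the allow-list.

    jquery.offput.ca in the post was a hobby host that went stale and was
    later compromised; a short list of hosts you consciously trust is the
    control that surfaces such a dependency before Google's blacklist does.
    """
    allowed = {h.lower() for h in allowed_hosts}
    return [u for u in script_urls if urlparse(u).netloc.lower() not in allowed]


def sri_integrity(script_bytes, algorithm="sha384"):
    """Build a Subresource Integrity value for a script you have reviewed.

    Use it as <script src="..." integrity="<value>" crossorigin="anonymous">;
    a browser that supports SRI refuses to run the file if its bytes no
    longer match, so a hosted copy cannot be silently replaced.
    """
    if algorithm not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI allows sha256, sha384 or sha512 only")
    digest = hashlib.new(algorithm, script_bytes).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


# Constructed page: one script from an approved CDN, one from a stale
# third-party host like the one in the post, the site's own script, and an
# inline block.
SAMPLE_HTML = """
<html><head>
<script src="https://code.jquery.com/jquery-1.7.2.min.js"></script>
<script src="http://jquery.offput.ca/js/jquery.timers.js"></script>
<script src="/js/app.js"></script>
<script>var inline = 1;</script>
</head><body></body></html>
"""

APPROVED_HOSTS = {"code.jquery.com"}  # assumption: your own vetted host list


def audit(html=SAMPLE_HTML, page_host="www.example.org", allowed=APPROVED_HOSTS):
    """Return the external script URLs that are not on the allow-list."""
    return unapproved_hosts(external_scripts(html, page_host), allowed)


if __name__ == "__main__":
    for url in audit():
        print("review or remove:", url)
    print(sri_integrity(b"/* reviewed copy of jquery.timers.js */\n"))
```

The allow-list catches the host; the integrity attribute catches the case the post describes, where a host you did trust starts serving different bytes. Pinning only works for a copy you have read, so generate the hash from a file you reviewed, not by fetching whatever the host currently returns.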

more here..........http://blog.sucuri.net/2014/11/the-dangers-of-hosted-scripts-hacked-jquery-timers.html

China suspected of breaching U.S. Postal Service computer networks

Chinese government hackers are suspected of breaching the computer networks of the United States Postal Service, compromising the data of more than 800,000 employees.

more here.........http://www.washingtonpost.com/blogs/federal-eye/wp/2014/11/10/china-suspected-of-breaching-u-s-postal-service-computer-networks/

BrowserStack: “We did get hacked.”

BrowserStack, the cross-browser testing tool website, has not had a very good weekend. There was a compromise and a rather odd email was sent to customers.

more here........https://blog.malwarebytes.org/hacking-2/2014/11/browserstack-we-did-get-hacked/

Hacking SQL Server Stored Procedures – Part 1: (un)Trustworthy Databases

SQL Server allows DBAs to set databases as “trustworthy”.  In a nutshell that means the trusted databases can access external resources like network shares, email functions, and objects in other databases.  This isn’t always bad, but when sysadmins create trusted databases and don’t change the owner to a lower privileged user the risks start to become noticeable.  In this blog I’ll show how database users commonly created for web applications can be used to escalate privileges in SQL Server when database ownership is poorly configured. This should be interesting to penetration testers, application developers, and DevOps. Most DBAs already know this stuff.
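
The misconfiguration described above, checked from the catalog views. This is an added example for this digest, not code from the NetSPI post: the two T-SQL queries are the ones you would run on the instance, and the result rows below are constructed so the audit logic can run offline. The remediation it prints is the two-statement fix the post's wording implies (turn TRUSTWORTHY off, give the database a non-sysadmin owner); the placeholder login in the second statement is yours to fill in.

```python
"""Audit SQL Server for the (un)trustworthy-database escalation path.

Added example for this digest; not NetSPI's code. The two T-SQL queries are
real catalog queries; DATABASES and DB_OWNERS are constructed stand-ins for
their result sets so audit_trustworthy() can be exercised offline.
"""

# Run once on the instance: every database, its owner login, and whether that
# login is sysadmin. IS_SRVROLEMEMBER returns NULL for an orphaned owner.
DATABASES_QUERY = """
SELECT d.name,
       SUSER_SNAME(d.owner_sid) AS owner_login,
       d.is_trustworthy_on,
       IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(d.owner_sid)) AS owner_is_sysadmin
FROM sys.databases AS d;
"""

# Run inside each database (USE <db>): which logins hold db_owner there.
DB_OWNERS_QUERY = """
SELECT DB_NAME() AS db_name, dp.name AS user_name, sp.name AS login_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r  ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS dp ON dp.principal_id = rm.member_principal_id
LEFT JOIN sys.server_principals AS sp ON sp.sid = dp.sid
WHERE r.name = 'db_owner';
"""


def remediation(db_name):
    """T-SQL that closes the path: drop TRUSTWORTHY, then hand the database to a
    non-sysadmin owner so EXECUTE AS OWNER confers nothing at server level.
    The login in the second statement is a placeholder you fill in."""
    return [
        f"ALTER DATABASE [{db_name}] SET TRUSTWORTHY OFF;",
        f"ALTER AUTHORIZATION ON DATABASE::[{db_name}] TO [<low-privileged login>];",
    ]


def audit_trustworthy(databases, db_owners, sysadmin_logins):
    """Return one finding per database where a db_owner can reach sysadmin.

    All three conditions from the post must hold: TRUSTWORTHY is ON, the
    database owner is a sysadmin, and a login that is *not* sysadmin holds
    db_owner. Such a db_owner can create a procedure WITH EXECUTE AS OWNER;
    because the database is trusted, the procedure runs with the owner's
    server-level rights, enough to add the caller's login to sysadmin.
    Databases with an orphaned owner (owner_is_sysadmin NULL) are skipped.
    """
    owners_by_db = {}
    for row in db_owners:
        owners_by_db.setdefault(row["db_name"], []).append(row)

    findings = []
    for db in databases:
        if db["is_trustworthy_on"] != 1 or db["owner_is_sysadmin"] != 1:
            continue
        risky = sorted(
            {r["login_name"] for r in owners_by_db.get(db["name"], [])
             if r["login_name"] and r["login_name"] not in sysadmin_logins}
        )
        if not risky:
            continue  # trusted and sysadmin-owned, but no low-privileged db_owner yet
        findings.append({
            "database": db["name"],
            "owner_login": db["owner_login"],
            "db_owner_logins": risky,
            "remediation": remediation(db["name"]),
        })
    return findings


# Constructed result rows. msdb really does ship TRUSTWORTHY ON and owned by
# sa, which is why the check also needs the db_owner list: it is only a
# problem once someone below sysadmin is db_owner there. WebApp is the case
# from the post: created by a sysadmin, set trusted so the application can
# reach another database, and the web application's login made db_owner.
DATABASES = [
    {"name": "master",  "owner_login": "sa",          "is_trustworthy_on": 0, "owner_is_sysadmin": 1},
    {"name": "msdb",    "owner_login": "sa",          "is_trustworthy_on": 1, "owner_is_sysadmin": 1},
    {"name": "WebApp",  "owner_login": "sa",          "is_trustworthy_on": 1, "owner_is_sysadmin": 1},
    {"name": "Reports", "owner_login": "svc_reports", "is_trustworthy_on": 1, "owner_is_sysadmin": 0},
    {"name": "Archive", "owner_login": "sa",          "is_trustworthy_on": 0, "owner_is_sysadmin": 1},
]
DB_OWNERS = [
    {"db_name": "msdb",    "user_name": "dbo",       "login_name": "sa"},
    {"db_name": "WebApp",  "user_name": "dbo",       "login_name": "sa"},
    {"db_name": "WebApp",  "user_name": "webapp",    "login_name": "webapp_login"},
    {"db_name": "Reports", "user_name": "reporter",  "login_name": "reporter_login"},
    {"db_name": "Archive", "user_name": "archivist", "login_name": "archivist_login"},
]
SYSADMIN_LOGINS = {"sa"}  # constructed; in practice from sys.server_role_members

if __name__ == "__main__":
    for f in audit_trustworthy(DATABASES, DB_OWNERS, SYSADMIN_LOGINS):
        print(f["database"], "owned by", f["owner_login"], "abusable by", f["db_owner_logins"])
        print("\n".join(f["remediation"]))
```

Reports is not flagged because its owner is not sysadmin, so EXECUTE AS OWNER there gains nothing beyond that owner's rights; Archive is not flagged because it is not trusted. Turning TRUSTWORTHY off is the decisive fix, but keep the owner change too: a trusted flag is easy to switch back on by anyone who later gets db_owner on a sysadmin-owned database.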

more here.........https://blog.netspi.com/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/

Playing with MS14-060 and MS14-058 [CVE-2014-4113 CVE-2014-4114] : Attacks and Defenses

Recently two 0-day exploits were revealed. The first, CVE-2014-4114, was given the name Sandworm, although as we will see the “worm” part of that name is misleading. The second, CVE-2014-4113, is a local privilege escalation exploit for Windows.

more here..........http://labs.jumpsec.com/2014/11/10/playing-ms14-060-ms14-058-cve-2014-4113-cve-2014-4114-attacks-defenses/

(I) Malware Management takes care of variants like Backoff.C!tr.spy

We all knew variants of Backoff would appear and that infections would spread to other retailers and PoS machines.

By practising the process of Malware Management you can keep up with malware variants as they are discovered and as reports or blogs are written about them, and then tweak your scripts and tools to detect the variants.

more here........http://hackerhurricane.blogspot.com/2014/11/i-malware-management-takes-care-of.html

ProcDOT, a new way of visual malware analysis

There are plenty of tools for behavioral malware analysis. The de facto standard ones, though, are Sysinternals’ Process Monitor (also known as Procmon) and PCAP-generating network sniffers like Windump, Tcpdump, Wireshark and the like. These “two” tools cover almost everything a malware analyst might be interested in when doing behavioral malware analysis. But there is a major problem with them: each works in isolation, knowing nothing of the other, so it is hard to bring the activities they recorded together into one picture. That is where ProcDOT enters the stage: it fills this gap by merging those records together.
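
The merge that the paragraph describes, reduced to its core. This is an added example for this digest and not ProcDOT's own code: it parses a Procmon CSV export, attributes each captured packet to the process whose socket it belongs to by matching the endpoints Procmon records on its TCP/UDP events, and emits one time-ordered list. The Procmon rows are constructed in the layout of Procmon's CSV export, and the packet list is a constructed stand-in for what you would pull out of the PCAP with tshark or scapy; IPv6 endpoints are not handled.

```python
"""Stitch Procmon's process view and a packet capture into one timeline.

Added example for this digest; not ProcDOT's code. PROCMON_CSV and PACKETS
are constructed so the merge runs offline. Procmon's network operations put
"local:port -> remote:port" in the Path column, which is the join key to the
packets; the clocks of the two recorders rarely agree exactly, so matching
uses a time window rather than equality.
"""
import csv
import io
import re

_ENDPOINTS = re.compile(r"^(?P<lhost>[^:]+):(?P<lport>\d+) -> (?P<rhost>[^:]+):(?P<rport>\d+)$")
NETWORK_OPS = {"TCP Connect", "TCP Send", "TCP Receive", "TCP Disconnect",
               "UDP Send", "UDP Receive"}


def time_of_day_seconds(text):
    """Turn Procmon's 'H:MM:SS.fffffff AM' (or 24-hour) stamp into seconds since midnight."""
    parts = text.strip().split()
    h, m, s = parts[0].split(":")
    h = int(h)
    meridiem = parts[1].upper() if len(parts) > 1 else None
    if meridiem == "PM" and h != 12:
        h += 12
    elif meridiem == "AM" and h == 12:
        h = 0
    return h * 3600 + int(m) * 60 + float(s)


def parse_procmon_csv(text):
    """Parse a Procmon CSV export; network rows additionally get lport/rhost/rport."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        ev = {"t": time_of_day_seconds(row["Time of Day"]), "process": row["Process Name"],
              "pid": int(row["PID"]), "op": row["Operation"], "path": row["Path"],
              "detail": row["Detail"]}
        if ev["op"] in NETWORK_OPS:
            m = _ENDPOINTS.match(ev["path"])
            if m:  # IPv4/hostname endpoints only; an IPv6 path simply stays unjoined
                ev["lport"], ev["rhost"], ev["rport"] = int(m["lport"]), m["rhost"], int(m["rport"])
        events.append(ev)
    return events


def attribute_packets(packets, procmon_events, window=2.0):
    """Pair each packet with the nearest Procmon network event on the same socket.

    A packet matches when (local port, remote host, remote port) agree and the
    event lies within `window` seconds; the closest such event wins. Returns
    (packet, event_or_None) pairs, None meaning no process claimed the socket.
    """
    net_events = [e for e in procmon_events if "lport" in e]
    pairs = []
    for pkt in packets:
        best = None
        for ev in net_events:
            if (ev["lport"], ev["rhost"], ev["rport"]) != (pkt["sport"], pkt["dst"], pkt["dport"]):
                continue
            gap = abs(ev["t"] - pkt["t"])
            if gap <= window and (best is None or gap < abs(best["t"] - pkt["t"])):
                best = ev
        pairs.append((pkt, best))
    return pairs


def build_timeline(procmon_text, packets, window=2.0):
    """Merge host events and attributed packets into one ordered (t, pid, process, what) list."""
    events = parse_procmon_csv(procmon_text)
    timeline = [(e["t"], e["pid"], e["process"], f'{e["op"]} {e["path"]}') for e in events]
    for pkt, ev in attribute_packets(packets, events, window):
        pid = ev["pid"] if ev else None
        proc = ev["process"] if ev else "<unattributed>"
        timeline.append((pkt["t"], pid, proc, f'packet {pkt["bytes"]}B -> {pkt["dst"]}:{pkt["dport"]}'))
    timeline.sort(key=lambda item: item[0])
    return timeline


# Constructed Procmon export: a dropper writes a file, then beacons out; an
# unrelated svchost connection runs alongside it.
PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:15:01.0000000 AM","dropper.exe","1234","Process Create","C:\Users\lab\dropper.exe","SUCCESS",""
"10:15:01.2500000 AM","dropper.exe","1234","WriteFile","C:\Users\lab\AppData\Roaming\svc.exe","SUCCESS","Length: 4096"
"10:15:02.0000000 AM","dropper.exe","1234","TCP Connect","lab-pc:49152 -> 203.0.113.5:443","SUCCESS",""
"10:15:02.5000000 AM","dropper.exe","1234","TCP Send","lab-pc:49152 -> 203.0.113.5:443","SUCCESS","Length: 512"
"10:15:03.0000000 AM","svchost.exe","800","TCP Connect","lab-pc:49153 -> 198.51.100.7:80","SUCCESS",""
'''

# Constructed packet summaries (seconds since midnight, as from the PCAP);
# the last one has no Procmon counterpart, e.g. traffic from a kernel driver.
PACKETS = [
    {"t": 36902.6, "sport": 49152, "dst": "203.0.113.5", "dport": 443, "bytes": 512},
    {"t": 36903.1, "sport": 49153, "dst": "198.51.100.7", "dport": 80, "bytes": 74},
    {"t": 36910.0, "sport": 50000, "dst": "192.0.2.9", "dport": 53, "bytes": 60},
]

if __name__ == "__main__":
    for t, pid, proc, what in build_timeline(PROCMON_CSV, PACKETS):
        print(f"{t:10.3f}  {str(pid):>6}  {proc:<16} {what}")
```

The unattributed bucket is worth keeping rather than dropping: traffic that no user-mode process claims is exactly what a rootkit or a second host on the sniffer's segment looks like in a merged view.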

more here..........http://www.procdot.com/index.htm

Exploitation modelling matters more than we think

Our own Krzysztof Kotowicz put together a pretty neat site called the Bughunter University. The first part of the site deals with some of the most common non-qualifying issues that are reported to our Vulnerability Reward Program. The entries range from mildly humorous to ones that still attract some debate; it's a pretty good read, even if just for the funny bits.

more here........http://lcamtuf.blogspot.com/2014/11/exploitation-scenarios-matter-more-than.html

Thoughts on Absolute Computrace

Not too long ago my friend and colleague from Sweden, Jimmy, contacted me in regards to a strange issue. In the firewall, he saw tons of outgoing connections to a certain server.

more here.......http://bartblaze.blogspot.com/2014/11/thoughts-on-absolute-computrace.html

The Darkhotel APT: A Story of Unusual Hospitality

The Darkhotel APT is a threat actor possessing a seemingly inconsistent and contradictory set of characteristics, some advanced and some fairly rudimentary. Inhospitably operating for almost a decade, the threat actor is currently active. The actor’s offensive activity can be tied to specific hotel and business center Wi‑Fi and physical connections, some of it is also tied to p2p/file sharing networks, and they have been known to spear-phish targets as well.

more here.........https://securelist.com/files/2014/11/darkhotel_kl_07.11.pdf

The Uroburos case: new sophisticated RAT identified. Agent.BTZ’s successor, ComRAT, shows that the campaign is still active

In February 2014, the experts of the G DATA SecurityLabs published an analysis of Uroburos, the rootkit with Russian roots. We explained that a link exists between Uroburos and the Agent.BTZ malware, which was responsible for "the most significant breach of U.S. military computers ever." [1] Nine months later, after the buzz around Uroburos, aka Snake or Turla, we have now identified a new generation of Agent.BTZ. We dubbed it ComRAT and have by now analyzed two versions of the threat (v3.25 and v3.26).

more here........https://blog.gdatasoftware.com/blog/article/the-uroburos-case-new-sophisticated-rat-identified.html

Financial attacks analysis: Tyupkin sample technical analysis and restore the attack process

Some time ago, Kaspersky discovered and reported a new malicious program, Tyupkin, which targets bank ATMs. It attacks the financial services control MSXFS.dll, which Microsoft provides to give direct control of the ATM hardware, and can make the machine dispense cash at will.

Although some time has passed since the incident and interest in it has faded, an in-depth analysis of how the financial sector is being attacked is still very necessary.

more here.........https://translate.google.com/translate?sl=zh-CN&tl=en&js=y&prev=_t&hl=en&ie=UTF-8&u=http://blog.vulnhunt.com/index.php/2014/11/11/tyupkin_analysi/&edit-text=

Abusing Samsung KNOX to remotely install a malicious application: story of a half patched vulnerability

We explain a vulnerability found when the Samsung Galaxy S5 was released and patched recently by Samsung. It allows a remote attacker to install an arbitrary application by using an insecure update mechanism implemented in the UniversalMDMClient application, part of the Samsung KNOX security solution. The vulnerability has been patched on the Samsung Galaxy S5, Note 4 and Alpha, yet the Samsung Galaxy S4, Note 3 and Ace 4 (and possibly others) are still vulnerable.

more here.........http://blog.quarkslab.com/abusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerability.html