Leaked source codes for researchers to perform tests here.....http://www.malwaretech.com/p/sources.html
Leaked sources of malware and exploit toolkits
Yet another ransomware variant
The blog post of today is a bit different than usual, as you can read the full post on the Panda Security blog.
In this post I'm simply adding some additional information and repeating the most important points.
So, there's yet another ransomware variant on the loose. You may call this one Chuingam (chewing gum?) ransomware or Xwin ransomware.
more here.........http://bartblaze.blogspot.com/2015/02/yet-another-ransomware-variant.html
Notorious Hacking Groups
Knowing your "enemies" is always a good exercise before developing any protection. Different attackers have different techniques and belong to different groups. Each group holds strict beliefs and attacks in a well-known way. In this post I want to examine some of the most notorious hacking groups in history up to now (February 2015) in order to show how attackers "attack" and how they live in community.
more here..........http://marcoramilli.blogspot.com/2015/02/notorious-hacking-groups.html
Practically Exploiting MS15-014/MS15-011 (Microsoft Group Policy Engine) & Demo
If you’re reading this then you’ve probably seen all the media coverage over the last couple of days surrounding MS15-011 and MS15-014. These bulletins resolve issues in Microsoft’s group policy engine that allow remote code execution at SYSTEM level if an attacker can intercept network traffic from a domain-joined system. This blog post covers some information about what we reported to Microsoft on the issues, including a video demo of both being exploited in practice.
more here..........https://labs.mwrinfosecurity.com/blog/2015/02/13/practically-exploiting-ms15-014-and-ms15-011/
KRBTGT Account Password Reset Scripts now available for customers
One way to help mitigate the risk of a bad actor using a compromised krbtgt key to forge user tickets is by periodically resetting the krbtgt account password. Resetting this password on a regular basis reduces the useful lifetime of krbtgt keys, in case one or more of them is compromised.
more here..........http://blogs.microsoft.com/cybertrust/2015/02/11/krbtgt-account-password-reset-scripts-now-available-for-customers/
How a simple box might end our need for antivirus software forever
I still remember the day my dad installed the first antivirus program I’d ever seen on my old Pentium II. Adorned in its signature colors of black and gold, I quickly came to learn all the ins and outs of my Norton Antivirus suite, from queuing up its scanning schedule to understanding what settings I needed to fix to ensure my favorite games of the time (Diablo and Starcraft), wouldn’t be flagged when I played with friends.
Over the years I would form a special kind of love-hate relationship with the many security products that would grace my machines, from McAfee to Kaspersky, AVG and Avast. Their incessant notifications would rarely fail to stress that my subscription was about to run out, and served as a constant reminder of how I was paying good money for the privilege of staying safe.
It seems those days will soon be over.
Read more: http://www.digitaltrends.com/computing/decrypt-one-box-rule/#ixzz3ResqAxB0
HumHub .htaccess file upload vulnerability and remote code execution
[+] HumHub .htaccess file upload vulnerability and remote code execution
[+] Discovered by: Jos Wetzels
[+] Vendor: HumHub
[+] Product: HumHub
[+] Versions affected: 0.10.0 and earlier.
[+] Advisory URL: https://www.leakfree.nl/advisories/leakfree_2015_003.html
HumHub [1] versions 0.10.0 and prior suffer from a file upload
sanitisation vulnerability which allows an attacker to upload arbitrary
.htaccess files with varying consequences [2]. On default
installations this allows an attacker to achieve remote code execution,
while on a minority of installations it allows an attacker to execute
an XSS or CSRF attack.
Direct access to the uploads/file/ directory is denied by HumHub
through the usage of .htaccess but an attacker can upload a .htaccess
file starting with:
<Files ~ "^\.ht">
# Uncomment line below for Apache >= 2.4
# Require all granted
Order allow,deny
Allow from all
</Files>
to allow direct access to the uploaded .htaccess file (and override
general .htaccess settings within the directory). Depending on the
enabled Apache modules an attacker can execute various types of
attacks, ranging from information disclosure (when mod_info and
mod_status are enabled), e.g.:
SetHandler server-info
to remote code execution, eg.:
AddType application/x-httpd-php .htaccess
# <?php phpinfo(); ?>
HumHub comes with a .htaccess.dist [3] file in the HumHub root
directory which, if enabled by the user, prevents direct access to
dotfiles (such as .htaccess, .svn, .git, etc.) using mod_rewrite.
Since mod_rewrite is unaffected by the override (and using the
RewriteEngine Off directive does not affect the .htaccess file itself),
this prevents the above scenario from being exploitable. Regardless,
it is still possible for an attacker to execute an unrestricted XSS or
CSRF attack by abusing the ErrorDocument directive, e.g.:
ErrorDocument 403 <htmlpayload>
Since the included .htaccess.dist is not enabled by default, however,
an attacker can exploit this vulnerability to its full extent on an
out-of-the-box HumHub installation.
[*] References:
1. http://humhub.org
2. https://github.com/wireghoul/htshells
3. https://github.com/humhub/humhub/blob/master/.htaccess.dist
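A server-side upload-name check of the kind that would have refused the .htaccess upload this advisory describes. This is an added example, not HumHub's own code; the extension allowlist is an assumption chosen for illustration.

```python
import os
import re
import unicodedata
from typing import Optional

# Assumed allowlist for illustration; derive it from what the app really needs.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}

# First character must be alphanumeric, so no dotfiles; then a conservative
# character set with a length bound.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,200}$")


def sanitize_upload_name(raw_name: str) -> Optional[str]:
    """Return a safe basename to store the upload under, or None to reject.

    Rejected: path components or traversal, any dotfile (covers .htaccess,
    .htpasswd, .git, .svn), unusual characters, and any extension part that
    is not on the allowlist (so "shell.php.jpg" is refused, not just
    "shell.php"; "report.2015.pdf" is refused too, which is the safe side).
    """
    name = unicodedata.normalize("NFKC", raw_name).strip()
    # Keep only the final path component; clients can send "../x" or "a\\b".
    name = os.path.basename(name.replace("\\", "/"))
    if not name or name.startswith("."):
        return None
    if not _SAFE_NAME.match(name):
        return None
    parts = name.lower().split(".")
    if len(parts) < 2 or any(p not in ALLOWED_EXTENSIONS for p in parts[1:]):
        return None
    return name
```

The server-side counterpart is to set AllowOverride None for the uploads directory in the Apache virtual host, so Apache never reads per-directory .htaccess files there at all.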
Nullsecuritynet Tools- security and hacking tools, exploits, proof of concepts, shellcodes, scripts
This section offers a selection of Null's fully featured security and hacking tools. It also provides some exploits, proof-of-concept code, shellcodes and snippets. This means some tools are not tested and may not have the full feature set.
more here.........https://github.com/nullsecuritynet/tools
Bypass GPO (Group Policy Object) path restrictions for Runas.exe
function Invoke-RunAs {
<#
.DESCRIPTION
    Runas knockoff. Will bypass GPO path restrictions.
.PARAMETER UserName
    Provide a user
.PARAMETER Password
    Provide a password
.PARAMETER Domain
    Provide optional domain
.PARAMETER Cmd
    Path of the executable to start
.EXAMPLE
    Invoke-RunAs -username administrator -password 'P@$$word!' -domain CORPA
#>
    [CmdletBinding()]
    Param (
        [Parameter(ValueFromPipeline=$True, Mandatory=$True)]
        [String]$username,
        [Parameter(ValueFromPipeline=$True, Mandatory=$True)]
        [String]$password,
        [Parameter(ValueFromPipeline=$True, Mandatory=$False)]
        [String]$domain,
        [Parameter(ValueFromPipeline=$True, Mandatory=$False)]
        [String]$cmd
    )
    PROCESS {
        # ProcessStartInfo expects the password as a SecureString
        $sec_password = ConvertTo-SecureString $password -AsPlainText -Force
        $startinfo = New-Object System.Diagnostics.ProcessStartInfo
        $startinfo.UserName = $username
        $startinfo.Password = $sec_password
        $startinfo.Domain = $domain
        $startinfo.FileName = $cmd
        # UseShellExecute must be $false whenever credentials are supplied,
        # otherwise Process.Start throws an InvalidOperationException
        $startinfo.UseShellExecute = $false
        [System.Diagnostics.Process]::Start($startinfo)
    }
}
Authored by rvrsh3ll
Reference link: https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/master/RunAs.ps1
Bank Hackers Steal Millions via Malware
In late 2013, an A.T.M. in Kiev started dispensing cash at seemingly random times of day. No one had put in a card or touched a button. Cameras showed that the piles of money had been swept up by customers who appeared lucky to be there at the right moment.
But when a Russian cybersecurity firm, Kaspersky Lab, was called to Ukraine to investigate, it discovered that the errant machine was the least of the bank’s problems.
more here............http://mobile.nytimes.com/2015/02/15/world/bank-hackers-steal-millions-via-malware.html?_r=0
and remember this https://www.fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf
7170 Bitcoins ($1,727,409.6509 USD) Were Stolen, Claims BTER.com Exchange
When you try to connect to BTER.COM you get the following message:
MandingoSandbox
Steps required to properly install and run in your system the "Mandingo's Sandbox" for analyzing malware samples here...........https://code.google.com/p/mandingo/wiki/MandingoSandbox
How is apicrypt working
Apicrypt is a cryptography solution that allows health professionals in France to exchange sensitive medical information by email. The official website of apicrypt claims that it uses a one-time pad encryption technique, but it does not say much more about the algorithm it uses.
Thankfully, there are some command-line Linux executable files available online that can be used to encrypt or decrypt text messages for apicrypt. Let's have a look at the file here....http://renaud.schleck.free.fr/apicrypt.php
SQL Permissions Tool
SqlPermissions is a tool used to calculate the precise minimal permissions necessary for an application using a database. It works in an online fashion by monitoring active connections, or offline by using a SQL trace; in both cases each trace event is used to determine a permission grant for every monitored statement. It is currently targeted to work against SQL Server 2012 and 2014, though it should be backward compatible with most older SQL Server products after 2005. It does not work with other DBMSs. Though the approach is sound, a different implementation would be required to work with other database platforms.
more here...........https://github.com/iSECPartners/sqlperms
Pawn Storm Malware Fact Check Due to Inaccuracies
Fortinet recently published a blog entry analyzing the Pawn Storm malware for iOS. There were some significant inaccuracies, however, and since Fortinet seems to be censoring website comments, I thought I’d post my critique here......http://www.zdziarski.com/blog/?p=4805
PowerShell: Better phishing for all!
A year ago I was watching a presentation by Dave Kennedy (ReL1k) and Josh Kelly called "PowerShell…omfg". The presentation shows multiple techniques that are very, very useful during a pentest. After viewing the video I realized I could make a small addition to a phishing attack.
more here...........http://d.uijn.nl/?p=116
Technical Report on the activities of criminal groups engaged in targeted attacks - Anunak
In the second half of 2014 we repeatedly mentioned targeted attacks on major financial institutions as a new level of fraud, because now the money is not being taken from "small legal entities" but from large financial companies, where security would seem to be at the highest level, and the complexity of committing the offence is approaching "Hell". However, taking into account the unabated flow of such crimes, as well as their special urgency against the backdrop of the country's current financial condition, we decided to update the post and add new details about the Anunak group, which uses the trojan of the same name, also known as Carbanak. The name Carbanak is derived from the fusion of two words: Anunak + Carberp.
more here...........https://translate.google.com/translate?sl=ru&tl=en&js=y&prev=_t&hl=ru&ie=UTF-8&u=http%3A%2F%2Fhabrahabr.ru%2Fcompany%2Fgroup-ib%2Fblog%2F250627%2F&edit-text=&act=url
Paper a Must Read: OPERATION ARID VIPER - reveals the campaign's technical details and its targets, as well as details on a number of individuals who appear to be tied to the campaign.
Trend Micro researchers discovered an ongoing malware campaign that targets Israeli victims and leverages network infrastructure in Germany. The campaign has strong attribution ties to Arab parties located in the Gaza Strip and elsewhere.
more here...........http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf
Downloaders and Decoys
Recently, we have been receiving samples that use “decoys” to imitate what is to be expected from running a normal file. In this blog post, we will analyze one such sample that Fortinet detects as W32/Kryptik.CWXI!tr.
more here.....http://blog.fortinet.com/post/downloaders-and-decoys
Life in a post-database world: using crypto to avoid DB writes
Possibly one of the biggest hurdles that stands in the way of fostering innovation and discovering newer and better techniques of doing old things is the ease with which developers and designers today can quickly research and find so-called “best practices.” While a quick Google search for “user table structure” or “best way to design password reset” can reduce (but never extinguish!) outlandish practices and horrific mistakes, it does nothing to encourage developers to think outside the box, and results in the perpetuation of less-than-optimal approaches.
To that end, there’s one thing in particular that virtually all documented approaches get wrong, and that’s writing to the database when you should be using modern cryptography instead.
more here........https://neosmart.net/blog/2015/using-hmac-signatures-to-avoid-database-writes/
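A stateless, HMAC-signed password-reset token of the kind the linked post argues for: issuing the link writes nothing to the database, and verification needs only the one read of the user's stored password hash. This is an added example, not the post's code; the key, the payload layout and the one-hour TTL are assumptions.

```python
import base64
import hashlib
import hmac
import time
from typing import Callable, Optional

# Constructed server secret; load it from a secret store in a real deployment.
SERVER_KEY = b"constructed-demo-key-do-not-use-in-production"
TOKEN_TTL = 3600  # seconds a reset link stays valid (assumed policy)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(payload: bytes, password_hash: str) -> bytes:
    # Mixing the current password hash into the MAC input makes the token die
    # with the old password, so "single use" needs no stored state at all.
    return hmac.new(SERVER_KEY, payload + b"|" + password_hash.encode(),
                    hashlib.sha256).digest()


def issue_reset_token(user_id: int, password_hash: str,
                      now: Optional[int] = None) -> str:
    """Build "<payload>.<mac>" with no database write; the password hash is
    only an HMAC input and never leaves the server."""
    now = int(time.time()) if now is None else now
    payload = f"{user_id}:{now + TOKEN_TTL}".encode()
    return _b64(payload) + "." + _b64(_mac(payload, password_hash))


def verify_reset_token(token: str,
                       lookup_password_hash: Callable[[int], Optional[str]],
                       now: Optional[int] = None) -> Optional[int]:
    """Return the user_id the token authorises, or None if it is malformed,
    expired, tampered with, or issued before the last password change.
    lookup_password_hash(user_id) is the single read the flow still needs."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload, mac = _unb64(payload_b64), _unb64(mac_b64)
        user_id, expires = (int(x) for x in payload.decode().split(":"))
    except (ValueError, UnicodeDecodeError):
        return None
    if now >= expires:
        return None
    current_hash = lookup_password_hash(user_id)
    if current_hash is None:
        return None
    # Constant-time comparison so the MAC cannot be guessed byte by byte.
    if not hmac.compare_digest(_mac(payload, current_hash), mac):
        return None
    return user_id
```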