Security-Portal.cz is an internet portal focused on computer security, hacking, anonymity, computer networks, programming, encryption, exploits, Linux and BSD systems. It runs a number of interesting services and supports enthusiasts in interesting projects.

Categories

OnePlus 6 Flaw Allows to Boot Any Image Even With Locked Bootloader

The Hacker News - 13 June 2018 - 22:46
Have you recently bought a OnePlus 6? Don't leave your phone unattended. A serious vulnerability has been discovered in the OnePlus 6 bootloader that makes it possible for someone to boot arbitrary or modified images to take full admin control of your phone—even if the bootloader is locked. A bootloader is part of the phone's built-in firmware and locking it down stops users from replacing
Category: Hacking & Security

The Viral Threat Doctors Don’t Learn About in Med School

InfoSec Institute Resources - 13 June 2018 - 21:55

In 2017, the three largest most publicized ransomware outbreaks were all reported within the healthcare industry. With ransomware still dominating the world of cybercrime, healthcare continues to be a particularly attractive target for hackers. The valuable data housed on these networks are ripe for financial gain on the dark web. The resulting breaches of protected […]

The post The Viral Threat Doctors Don’t Learn About in Med School appeared first on InfoSec Resources.

The Viral Threat Doctors Don’t Learn About in Med School was first posted on June 13, 2018 at 2:55 pm.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com
Category: Hacking & Security

How InfoSec Institute Alum Val Vask Stays Current on Pentesting & SCADA Standards

InfoSec Institute Resources - 13 June 2018 - 19:57

Val Vask is the Commercial Technical Lead at Bridges Consulting, a Maryland-based cybersecurity firm specializing in national security and commercial vulnerability challenges. Before starting work at Bridges, Val spent 20 years in the private sector working with federal and government agencies. He recently enrolled in four InfoSec Institute training courses to refresh his incident response […]

Category: Hacking & Security

Banco de Chile Wiper Attack Just a Cover for $10M SWIFT Heist

Threatpost - 13 June 2018 - 18:19
The wiper malware affecting 9,000 workstations and 500 servers inside Chile’s largest financial institution turns out to have been a distraction.
Category: Hacking & Security

Mobile app spies on football fans and reports where match broadcasts are being streamed illegally

Zive.cz - security - 13 June 2018 - 18:00
When installing an Android app, and often also on its first launch, users have to approve the permissions it requests. The problem is that most people don't read these requests and confirm them without thinking. How dangerous this approach can be has now been learned first-hand by Spanish football ...
Category: Hacking & Security

Special Price Drop—Get Secure VPN Service For Lifetime

The Hacker News - 13 June 2018 - 16:58
PRIVACY – a bit of an Internet buzzword nowadays, because the business model of the Internet has now shifted towards data collection. Today, most users surf the web unaware of the fact that websites and online services collect their personal information, including search histories, location, and buying habits and make millions by sharing your data with advertisers and marketers. If this is
Category: Hacking & Security

Microsoft June 2018 Patch Tuesday Pushes 11 Critical Security Updates

The Hacker News - 13 June 2018 - 16:44
It's time to gear up for the latest June 2018 Microsoft security patch updates. Microsoft today released security patch updates for more than 50 vulnerabilities, affecting Windows, Internet Explorer, Edge, MS Office, MS Office Exchange Server, ChakraCore, and Adobe Flash Player—11 of which are rated critical and 39 as important in severity. Only one of these vulnerabilities, a remote code
Category: Hacking & Security

Cortana Software Could Help Anyone Unlock Your Windows 10 Computer

The Hacker News - 13 June 2018 - 16:40
Cortana, an artificial intelligence-based smart assistant that Microsoft has built into every version of Windows 10, could help attackers unlock your system password. With its latest patch Tuesday release, Microsoft has pushed an important update to address an easily exploitable vulnerability in Cortana that could allow hackers to break into a locked Windows 10 system and execute malicious
Category: Hacking & Security

Tech pioneers: new copyright law a step towards an internet of surveillance and control

Sophos Naked Security - 13 June 2018 - 16:16
European copyright directive would be a step towards making the internet "a tool for the automated surveillance and control of its users"

After Google: How Program Manager Bill Poplawski Earned His CISM, Launched Consulting Firm After Retiring

InfoSec Institute Resources - 13 June 2018 - 16:05

Bill Poplawski is a seasoned security professional with decades of industry experience. After leaving Google in October 2017 to retire, Bill launched OBOTIS Group, a consulting firm offering information confidentiality, integrity and availability solutions to their clients. A certified Project Management Professional (PMP) and Scrum Master, Bill enrolled in InfoSec Institute’s Certified Information Security Manager […]

Category: Hacking & Security

FBI arrests 74 in global Business Email Compromise takedown

Sophos Naked Security - 13 June 2018 - 15:46
After years of laughing in the face of victims, BEC scammers have taken one on the chin.

Dixons Carphone Cyberattack Targets 5.9M Bank Cards

Threatpost - 13 June 2018 - 15:30
Dixons Carphone said it discovered a massive cyberattack on its processing systems that targeted millions of payment cards and personal data records.
Category: Hacking & Security

MP gets 600 rape threats in a night, wants an end to online anonymity

Sophos Naked Security - 13 June 2018 - 15:06
As a female MP, Jess Phillips faces threats of violence and aggression every day.

PowerShell For Pentesters Part 1: Introduction to PowerShell and Cmdlets

InfoSec Institute Resources - 13 June 2018 - 15:00

Introduction PowerShell represents one of the most interesting and powerful languages for a pentesting purpose. So, we will try to focus on this context with this suite of articles. This article represents the first one of the lab series about PowerShell for pentesters when we will begin by discovering the basics that we need to […]

Category: Hacking & Security

Serious Security: How three minor bugs make one major exploit

Sophos Naked Security - 13 June 2018 - 14:15
In this story, three webcam bugs that weren't critical on their own could be combined into an exploit giving total device takeover.

New patches from VMware

CSIRT.cz - 13 June 2018 - 13:57
Category: Hacking & Security

6 million cards compromised in Dixons Carphone breach – act now!

Sophos Naked Security - 13 June 2018 - 13:51
Dixons Carphone has revealed what it's calling an "attempt to compromise 5.9 million [payment] cards".

LuckyMouse hits national data center to organize country-level waterholing campaign

Kaspersky Securelist - 13 June 2018 - 12:00

What happened?

In March 2018 we detected an ongoing campaign targeting a national data center in Central Asia that we believe has been active since autumn 2017. The choice of target made this campaign especially significant: it meant the attackers gained access to a wide range of government resources in one fell swoop. We believe this access was abused, for example, by inserting malicious scripts into the country's official websites in order to conduct watering hole attacks.

The operators used the HyperBro Trojan as their last-stage in-memory remote administration tool (RAT). The timestamps for these modules are from December 2017 until January 2018. The anti-detection launcher and decompressor make extensive use of Metasploit’s shikata_ga_nai encoder as well as LZNT1 compression.

Kaspersky Lab products detect the different artifacts used in this campaign with the following verdicts: Trojan.Win32.Generic, Trojan-Downloader.Win32.Upatre and Backdoor.Win32.HyperBro. A full technical report, IoCs and YARA rules are available from our intelligence reporting service (contact us intelligence@kaspersky.com).

Who’s behind it?

Based on the tools and tactics in use, we attribute the campaign to the Chinese-speaking actor LuckyMouse (also known as EmissaryPanda and APT27). The C2 domain update.iaacstudio[.]com was also previously used in their campaigns. The tools found in this campaign, such as the HyperBro Trojan, are regularly used by a variety of Chinese-speaking actors. As for Metasploit's shikata_ga_nai encoder: although it is available to everyone and cannot be the basis for attribution, we know this encoder has been used by LuckyMouse previously.

Government entities, including Central Asian ones, have been a target for this actor before. Given LuckyMouse's ongoing waterholing of government websites and the corresponding dates, we suspect that one of the aims of this campaign is to access web pages via the data center and inject JavaScript into them.

How did the malware spread?

The initial infection vector used in the attack against the data center is unclear. Although we observed LuckyMouse using weaponized documents exploiting CVE-2017-11882 (Microsoft Office Equation Editor, widely used by Chinese-speaking actors since December 2017), we can't prove they were related to this particular attack. It's possible the actor used a waterhole to infect data center employees.

The main C2 used in this campaign is bbs.sonypsps[.]com, which resolved to an IP address belonging to a Ukrainian ISP network and held by a Mikrotik router running firmware version 6.34.4 (from March 2016) with SMBv1 on board. We suspect this router was hacked as part of the campaign in order to process the malware's HTTP requests. The sonypsps[.]com domain was last updated via GoDaddy on 2017-05-05, with registration through 2019-03-13.

Mikrotik router with two-year-old firmware and SMBv1 on board, used in this campaign

In March 2017, Wikileaks published details about an exploit affecting Mikrotik called ChimayRed. According to the documentation, however, it doesn’t work for firmware versions higher than 6.30. This router uses version 6.34.

There were traces of HyperBro in the infected data center from mid-November 2017. Shortly after that, different users in the country started being redirected to the malicious domain update.iaacstudio[.]com as a result of the waterholing of government websites. These events suggest that the data center infected with HyperBro and the waterholing campaign are connected.

What did the malware do in the data center?

Anti-detection stages. Different colors show the three dropped modules: legit app (blue), launcher (green), and decompressor with the Trojan embedded (red)

The initial module drops three files that are typical for Chinese-speaking actors: a legitimate Symantec pcAnywhere binary (IntgStat.exe) used for DLL side-loading, a .dll launcher (pcalocalresloader.dll) and the last-stage decompressor (thumb.db). As a result of all these steps, the last-stage Trojan is injected into svchost.exe's process memory.

The launcher module, obfuscated with the notorious Metasploit shikata_ga_nai encoder, is the same for all the droppers. The deobfuscated code performs typical side-loading: it patches pcAnywhere's image in memory at its entry point. The patched code jumps back to the decryptor's second shikata_ga_nai iteration, but this time as part of the whitelisted application.

This Metasploit encoder obfuscates the last part of the launcher's code, which in turn resolves the necessary API functions and maps thumb.db into the same process's (pcAnywhere) memory. The first instructions in the mapped thumb.db start a new shikata_ga_nai iteration. The decrypted code resolves the necessary API functions, decompresses the embedded PE file with RtlCompressBuffer() using LZNT1 and maps it into memory.

What does the resulting watering hole look like?

The websites were compromised to redirect visitors to instances of both ScanBox and BeEF. These redirects were implemented by adding two malicious scripts obfuscated by a tool similar to the Dean Edwards packer.

Resulting script on the compromised government websites

Users were redirected to https://google-updata[.]tk:443/hook.js, a BeEF instance, and https://windows-updata[.]tk:443/scanv1.8/i/?1, an empty ScanBox instance that answered with a small piece of JavaScript code.
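A defender auditing a site for the kind of injection described above needs to pull the script tags out of each page and check them against the report's domain IoCs. The following is an added example written for this page, not Kaspersky's code: it parses a constructed HTML sample, refangs the `[.]` notation from the IoC list, flags external and inline script URLs that point at those domains, and as a heuristic also flags the `eval(function(p,a,c,k,e,...)` prologue characteristic of Dean Edwards packer output.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Defanged domains from the report's IoC list; "[.]" is refanged before matching.
IOC_DOMAINS = {d.replace("[.]", ".") for d in (
    "bbs.sonypsps[.]com", "update.iaacstudio[.]com", "wh0am1.itbaydns[.]com",
    "google-updata[.]tk", "windows-updata[.]tk")}
# Heuristic only: Dean Edwards packer output opens with this eval(function(p,a,c,k,e,...) prologue.
PACKER_RE = re.compile(r"eval\(function\(p,a,c,k,e,[dr]\)")
URL_RE = re.compile(r"https?://[^\s'\"<>()]+")

def _host(url):
    return (urlparse(url).hostname or "").lower()

class _Scripts(HTMLParser):
    # Collects external <script src> URLs and inline <script> bodies.
    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in = True
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
    def handle_endtag(self, tag):
        if tag == "script":
            self._in = False
    def handle_data(self, data):
        if self._in and data.strip():
            self.inline.append(data)

def find_waterhole_indicators(html):
    """Return sorted findings: ('ioc-src', host), ('ioc-inline', host) or ('packer', None)."""
    p = _Scripts()
    p.feed(html)
    hits = {("ioc-src", _host(s)) for s in p.srcs if _host(s) in IOC_DOMAINS}
    for body in p.inline:
        if PACKER_RE.search(body):
            hits.add(("packer", None))
        hits |= {("ioc-inline", _host(u)) for u in URL_RE.findall(body)
                 if _host(u) in IOC_DOMAINS}
    return sorted(hits, key=str)

# Constructed sample page imitating the injected redirect scripts (not a real capture).
SAMPLE_HTML = """<html><body><h1>Ministry portal</h1>
<script src="https://google-updata.tk:443/hook.js"></script>
<script>eval(function(p,a,c,k,e,d){return "location='https://windows-updata.tk:443/scanv1.8/i/?1'"}())</script>
</body></html>"""
```

Run `find_waterhole_indicators()` over each saved page of a site; a `packer` hit alone is only a lead, since the packer is also used legitimately, while an `ioc-*` hit is a direct match against the report's indicators.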

Conclusions

LuckyMouse appears to have been very active recently. The TTPs for this campaign are typical of Chinese-speaking actors, who usually provide new solid wrappers (here a launcher and decompressor protected with shikata_ga_nai) around their RATs (HyperBro).

The most unusual and interesting point here is the target. A national data center is a valuable source of data that can also be abused to compromise official websites. Another interesting point is the Mikrotik router, which we believe was hacked specifically for the campaign. The reasons for this are not very clear: typically, Chinese-speaking actors don’t bother disguising their campaigns. Maybe these are the first steps in a new stealthier approach.

Some indicators of compromise

Droppers

22CBE2B0F1EF3F2B18B4C5AED6D7BB79
0D0320878946A73749111E6C94BF1525

Launcher
ac337bd5f6f18b8fe009e45d65a2b09b

HyperBro in-memory Trojan
04dece2662f648f619d9c0377a7ba7c0

Domains and IPs
bbs.sonypsps[.]com
update.iaacstudio[.]com
wh0am1.itbaydns[.]com
google-updata[.]tk
windows-updata[.]tk

Modern Cybersecurity Demands a Different Corporate Mindset

LinuxSecurity.com - 13 June 2018 - 11:19
LinuxSecurity.com: Today, all organizations are digital by default. However, it has never been more difficult for organizations to map the digital environment in which they operate, or their interactions with it.
Category: Hacking & Security