Security-Portal.cz is an internet portal focused on computer security, hacking, anonymity, computer networks, programming, encryption, exploits, Linux and BSD systems. It runs a number of interesting services and supports its community in interesting projects.

Category

Serious Exchange Flaw Still Plagues 350K Servers

Threatpost - 7 April, 2020 - 23:19
The Microsoft Exchange vulnerability was patched in February and has been targeted by several threat groups.
Category: Hacking & Security

xHelper: The Russian Nesting Doll of Android Malware

Threatpost - 7 April, 2020 - 19:06
Ultimately delivering the Triada payload, xHelper goes to great lengths to become virtually indestructible once installed on a smartphone.
Category: Hacking & Security

FIN6 and TrickBot Combine Forces in ‘Anchor’ Attacks

Threatpost - 7 April, 2020 - 18:57
FIN6 fingerprints were spotted in recent cyberattacks that initially infected victims with the TrickBot trojan, and then eventually downloaded the Anchor backdoor malware.
Category: Hacking & Security

These hackers have been quietly targeting Linux servers for years

LinuxSecurity.com - 7 April, 2020 - 17:50
Have you heard about the newly uncovered hacking campaign which has been operating successfully against unpatched Linux servers for almost a decade?
Category: Hacking & Security

Malicious Trojan horse attacks via SMS messages

Novinky.cz - bezpečnost - 7 April, 2020 - 16:17
One of the most widespread Trojan horses of recent months is Emotet. Recently, however, attackers have improved it: it can now spread via SMS messages as well, and in doing so it targets smartphones. Cybersecurity company Check Point drew attention to this.
Category: Hacking & Security

Official Government COVID-19 Apps Hide a Raft of Threats

Threatpost - 7 April, 2020 - 15:55
Android apps launched for citizens in Iran, Colombia and Italy offer cyberattackers new attack vectors.
Category: Hacking & Security

Unveiled: How xHelper Android Malware Re-Installs Even After Factory Reset

The Hacker News - 7 April, 2020 - 15:48
Remember xHelper? A mysterious piece of Android malware that re-installs itself on infected devices even after users delete it or factory reset their devices, making it nearly impossible to remove. xHelper reportedly infected over 45,000 devices last year, and since then, cybersecurity researchers have been trying to unfold how the malware survives factory reset and how it infected so many
Category: Hacking & Security

Web server protection: Web application firewalls for web server protection

InfoSec Institute Resources - 7 April, 2020 - 15:02

Introduction Firewalls are an integral part of the tools necessary in securing web servers. In this article, we will discuss all relevant aspects of web application firewalls. We’ll explore a few concepts that touch on these firewalls, both from a compliance and technical point of view, as well as examine a few examples of how […]

Category: Hacking & Security

Network traffic analysis for IR: Data exfiltration

InfoSec Institute Resources - 7 April, 2020 - 15:00

Introduction Understanding network behavior is a prerequisite for developing effective incident detection and response capabilities. ESG research has found that 87 percent of companies use Network Traffic Analysis (NTA) tools for threat detection and response capabilities, and 43 percent say that NTA is their first line of defense for that purpose. Network communication is one […]

Category: Hacking & Security

Twitter warns users – Firefox might hold on to private messages

Sophos Naked Security - 7 April, 2020 - 14:11
Whose fault was it - Twitter or Firefox? (It's fixed now, to be clear.)

Two schoolkids sue Google for collecting biometrics

Sophos Naked Security - 7 April, 2020 - 13:24
The suit is about biometrics and children's privacy in Google's education apps, which are suddenly, wildly popular now due to COVID-19.

Thousands of Android apps contain undocumented backdoors, study finds

Sophos Naked Security - 7 April, 2020 - 12:21
A study has found that thousands of legitimate Android apps take liberties or ship with capabilities that users wouldn't expect to exist.

Unkillable xHelper and a Trojan matryoshka

Kaspersky Securelist - 7 April, 2020 - 11:00

It was the middle of last year that we detected the start of mass attacks by the xHelper Trojan on Android smartphones, but even now the malware remains as active as ever. The main feature of xHelper is entrenchment — once it gets into the phone, it somehow remains there even after the user deletes it and restores the factory settings. We conducted a thorough study to determine how xHelper’s creators furnished it with such survivability.


[Chart] Share of Kaspersky users attacked by the xHelper Trojan in the total number of attacks, 2019-2020

How does xHelper work?

Let’s analyze the family’s logic based on the currently active sample Trojan-Dropper.AndroidOS.Helper.h. The malware disguises itself as a popular cleaner and speed-up app for smartphones, but in reality there is nothing useful about it: after installation, the “cleaner” simply disappears and is nowhere to be seen either on the main screen or in the program menu. You can see it only by inspecting the list of installed apps in the system settings.

The Trojan’s payload is encrypted in the file /assets/firehelper.jar (since its encryption is practically unchanged from earlier versions, it was not difficult to decrypt). Its main task is to send information about the victim’s phone (android_id, manufacturer, model, firmware version, etc.) to https://lp.cooktracking[.]com/v1/ls/get…

Decrypting the URL for sending device information

…and downloading the next malicious module — Trojan-Dropper.AndroidOS.Agent.of.

This malware in turn decrypts and launches its payload using a bundled native library; this approach makes it difficult to analyze the module. At this stage, the next dropper, Trojan-Dropper.AndroidOS.Helper.b, is decrypted and launched. This in turn runs the malware Trojan-Downloader.AndroidOS.Leech.p, which further infects the device.

Leech.p is tasked with downloading our old friend HEUR:Trojan.AndroidOS.Triada.dd with a set of exploits for obtaining root privileges on the victim’s device.

Decoding the URL of the Leech.p C&C

Downloading the Triada Trojan

Malicious files are stored sequentially in the app’s data folder, which other programs do not have access to. This matryoshka-style scheme allows the malware authors to obscure the trail and use malicious modules that are known to security solutions. The malware can gain root access mainly on devices running Android versions 6 and 7 from Chinese manufacturers (including ODMs). After obtaining privileges, xHelper can install malicious files directly in the system partition.

Note here that the system partition is mounted at system startup in read-only mode. Armed with root rights, the Trojan remounts it in write mode and proceeds to the main job of starting the tellingly named script forever.sh. Triada employs its best-known tricks, including remounting the system partition to install its programs there. In our case, the package com.diag.patches.vm8u is installed, which we detect as Trojan-Dropper.AndroidOS.Tiny.d.

And several executable files get copied to the /system/bin folder:

  • patches_mu8v_oemlogo — Trojan.AndroidOS.Triada.dd
  • debuggerd_hulu — Trojan.AndroidOS.Triada.dy
  • kcol_ysy — HEUR:Trojan.AndroidOS.Triada.dx
  • /.luser/bkdiag_vm8u_date — HEUR:Trojan.AndroidOS.Agent.rt

A few more files are copied to the /system/xbin folder:

  • diag_vm8u_date
  • patches_mu8v_oemlogo

A call to files from the xbin folder is added to the file install-recovery.sh, which allows Triada to run at system startup. All files in the target folders are assigned the immutable attribute, which makes it difficult to delete the malware, because the system does not allow even superusers to delete files with this attribute. However, this self-defense mechanism employed by the Trojan can be countered by deleting this attribute using the chattr command.

The question arises: if the malware is able to remount the system partition in write mode in order to copy itself there, can the user adopt the same strategy to delete it? Triada’s creators also contemplated this question, and duly applied another protection technique that involved modifying the system library /system/lib/libc.so. This library contains common code used by almost all executable files on the device. Triada substitutes its own code for the mount function (used to mount file systems) in libc, thereby preventing the user from mounting the /system partition in write mode.

On top of that, the Trojan downloads and installs several more malicious programs (for example, HEUR:Trojan-Dropper.AndroidOS.Necro.z), and deletes root access control applications, such as Superuser.

How to get rid of xHelper?

As follows from the above, simply removing xHelper does not entirely disinfect the system. The program com.diag.patches.vm8u, installed in the system partition, reinstalls xHelper and other malware at the first opportunity.

Installing programs without user participation

But if you have Recovery mode set up on your Android smartphone, you can try to extract the libc.so file from the original firmware and replace the infected one with it, before removing all malware from the system partition. However, it’s simpler and more reliable to completely reflash the phone.

Bear in mind too that the firmware of smartphones attacked by xHelper sometimes contains preinstalled malware that independently downloads and installs programs (including xHelper). In this case, reflashing is pointless, so it would be worth considering alternative firmwares for your device. If you do use a different firmware, remember that some of the device’s components might not operate properly.

In any event, using a smartphone infected with xHelper is extremely dangerous. The malware installs a backdoor with the ability to execute commands as a superuser. It provides the attackers with full access to all app data and can be used by other malware too, for example, CookieThief.

C&C

lp.cooktracking[.]com/v1/ls/get
www.koapkmobi[.]com:8081
45.79.110.191
45.33.9.178
23.239.4.169
172.104.215.170
172.104.208.241
172.104.212.184
45.33.117.188
172.104.216.43
172.104.218.166
104.200.16.77
198.58.123.253
172.104.211.160
172.104.210.184
162.216.18.240
172.104.212.4
172.104.214.199
172.104.212.202
172.104.209.55
172.104.219.210
172.104.218.146
45.79.177.230
45.33.0.123
45.79.77.161
45.33.120.75
45.79.171.160
172.104.210.193
45.33.0.176
45.79.146.48
ddl.okyesmobi[.]com
www.ddl.okyesmobi[.]com
45.79.151.241
172.104.213.65
172.104.211.117
www.ddl.okgoodmobi[.]com
ddl.okgoodmobi[.]com

IOCs

Trojan-Dropper.AndroidOS.Helper.h — 59acb21b05a16c08ade1ec50571ba5d4
Trojan-Dropper.AndroidOS.Agent.of — 57cb18969dfccfd3e22e33ed5c8c66ce
Trojan-Dropper.AndroidOS.Helper.b — b5ccbfd13078a341ee3d5f6e35a54b0a
Trojan-Downloader.AndroidOS.Leech.p — 5fdfb02b94055d035e38a994e1f420ae
Trojan.AndroidOS.Triada.dd — 617f5508dd3066de7ec647bdd1497118
Trojan-Dropper.AndroidOS.Tiny.d — 21ae93aa54156d0c6913243cb45700ec
Trojan.AndroidOS.Triada.dd — 105265b01bac8e224e34a700662ffc4c8
Trojan.AndroidOS.Agent.rt — 95e2817a37c317b17de42e565475f40f
Trojan.AndroidOS.Triada.dy — cfe7d8c9c1e43ca02a4b1852cb34d5a5
Trojan.AndroidOS.Triada.dx — e778d4cc1a7901689b59e9abebc925e1
Trojan-Dropper.AndroidOS.Necro.z — 2887ab410356ea06d99286327e2bc36b
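The dropped-file list in the analysis above and the C&C and IOC sections are what an incident responder turns into a check. The following Python script is an added example and not part of the Securelist article: it refangs the indicators exactly as printed here and runs them over constructed sample input, a few made-up proxy/DNS log lines and an lsattr-style listing of the system partition, flagging the immutable attribute that the article says has to be cleared before a file can be removed. The hosts, addresses and paths are taken from the article; the log lines, the listing, and every function name are assumptions of this example.

```python
"""Defender-side triage for the xHelper / Triada indicators this article lists.

Added example (not Kaspersky's code). The C&C hosts, IP addresses and dropped
file paths are copied from the article; the log lines and the lsattr-style
listing at the bottom are constructed sample input for the demonstration.
"""
import re
from typing import Iterable, List, Tuple

# Defanged C&C hosts exactly as printed in the article ("[.]" instead of ".").
CNC_HOSTS_DEFANGED = [
    "lp.cooktracking[.]com",
    "www.koapkmobi[.]com",
    "ddl.okyesmobi[.]com",
    "www.ddl.okyesmobi[.]com",
    "ddl.okgoodmobi[.]com",
    "www.ddl.okgoodmobi[.]com",
]
# A subset of the C&C addresses from the article (the full list is longer).
CNC_IPS = ["45.79.110.191", "45.33.9.178", "23.239.4.169", "172.104.215.170"]
# Files the article says Triada copies into the system partition.
DROPPED_FILES = [
    "/system/bin/patches_mu8v_oemlogo",
    "/system/bin/debuggerd_hulu",
    "/system/bin/kcol_ysy",
    "/system/bin/.luser/bkdiag_vm8u_date",
    "/system/xbin/diag_vm8u_date",
    "/system/xbin/patches_mu8v_oemlogo",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("a[.]b", "hxxp://") back into a matchable string."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def cnc_pattern() -> "re.Pattern":
    """Compile one regex for all C&C indicators.

    The lookarounds stop 45.33.9.178 from matching inside 145.33.9.178 or
    45.33.9.1780, and stop a bare host from matching inside a longer label.
    """
    hosts = [refang(h) for h in CNC_HOSTS_DEFANGED] + CNC_IPS
    alts = "|".join(re.escape(h) for h in hosts)
    return re.compile(r"(?<![\w.-])(" + alts + r")(?![\w.-])")


def scan_network_log(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line_number, indicator) for every log line that touches a C&C."""
    pat = cnc_pattern()
    hits = []
    for n, line in enumerate(lines, 1):
        m = pat.search(line)
        if m:
            hits.append((n, m.group(1)))
    return hits


def scan_file_listing(listing: Iterable[str]) -> List[Tuple[str, bool]]:
    """Look for the dropped files in lsattr-style lines ("<flags> <path>").

    Returns (path, immutable) pairs; an 'i' in the flags is the immutable
    attribute the article describes, which has to be cleared (chattr -i)
    before even root can delete the file.
    """
    wanted = set(DROPPED_FILES)
    found = []
    for line in listing:
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        flags, path = parts
        path = path.strip()
        if path in wanted:
            found.append((path, "i" in flags))
    return found


# Constructed sample input (not real captures).
SAMPLE_LOG = [
    "2020-04-07T10:00:01 dns query updates.example.net",
    "2020-04-07T10:00:02 http GET https://lp.cooktracking.com/v1/ls/get ua=Dalvik/2.1",
    "2020-04-07T10:00:03 dns query www.example.org",
    "2020-04-07T10:00:04 tcp connect 45.33.9.178:8081",
    "2020-04-07T10:00:05 tcp connect 145.33.9.178:443",  # decoy: must not match
]
SAMPLE_LSATTR = [
    "--------------e---- /system/bin/sh",
    "----i---------e---- /system/bin/patches_mu8v_oemlogo",
    "----i---------e---- /system/xbin/diag_vm8u_date",
    "--------------e---- /system/xbin/busybox",
]

if __name__ == "__main__":
    for n, ioc in scan_network_log(SAMPLE_LOG):
        print(f"log line {n}: C&C indicator {ioc}")
    for path, immutable in scan_file_listing(SAMPLE_LSATTR):
        print(f"{path}: dropped file present, immutable={immutable}")
```

Run against real data, `SAMPLE_LOG` would be replaced by the proxy or DNS log of the device's network and `SAMPLE_LSATTR` by the output of `lsattr` over `/system/bin` and `/system/xbin` from a recovery shell; the immutable flag in the result is the cue that `chattr -i` is needed before removal, as the article notes.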

Safari was leaky. By clicking a link, an attacker could get at the camera feed on iPhones and MacBooks

Zive.cz - bezpečnost - 7 April, 2020 - 11:00
In December, researcher Ryan Pickren discovered bugs that allowed attackers to obtain the camera feed, or even what was happening on the screen, through Safari. Some of the vulnerabilities had been in the browser for several years, but Apple has now released patches. A bug affecting Safari on macOS and iOS allowed an attacker to obtain ...
Category: Hacking & Security

Secure Remote Working During COVID-19 — Checklist for CISOs

The Hacker News - 7 April, 2020 - 10:49
The coronavirus crisis places a heavy burden on CISOs: the collective impact of a mass transition to remote work, coupled with a surge of cyberattacks that strive to monetize the general chaos. Security vendors unintentionally add to this burden by relentlessly generating noise in the form of attack reports, best practices, tips, and threat landscape analysis. Here we
Category: Hacking & Security

The Supreme Public Prosecutor's Office and Masaryk University will jointly focus on cybercrime

Novinky.cz - bezpečnost - 7 April, 2020 - 09:16
Experts from the Supreme Public Prosecutor's Office (NSZ) and Brno's Masaryk University (MU) will join forces in areas where criminal law meets developments in information technology, such as crime in cyberspace. Supreme Public Prosecutor Pavel Zeman and Masaryk University rector Martin Bareš signed a cooperation agreement between the two institutions. This was announced by prosecutor's office spokesman Petr Malý and university spokeswoman Tereza Fojtová.
Category: Hacking & Security

New Zoom Hack Lets Hackers Compromise Windows and Its Login Password

The Hacker News - 7 April, 2020 - 09:09
Zoom has been around for nine years, but the sudden need for an easy-to-use video conferencing app during the coronavirus pandemic overnight made it one of the most popular communication tools for millions of people around the globe. No doubt, Zoom is an efficient online video meeting solution that's helping people stay socially connected during these unprecedented times, but it's
Category: Hacking & Security

Zoom Caught in Cybersecurity Debate — Here's Everything You Need To Know

The Hacker News - 7 April, 2020 - 09:08
Over the past few weeks, the use of Zoom video conferencing software has exploded ever since it emerged as the platform of choice to host everything from cabinet meetings to yoga classes amidst the ongoing coronavirus outbreak, and working from home became the new normal. The app has skyrocketed to 200 million daily users from an average of 10 million in December, along with a 535 percent increase
Category: Hacking & Security

A Brisk Private Trade in Zero-Days Widens Their Use

Threatpost - 6 April, 2020 - 23:05
More zero-day exploits coming up for sale by NSO Group and others is democratizing the attack vector and placing them within reach of less sophisticated attackers.
Category: Hacking & Security