Tuesday, 24 October 2017

Silent minergate miner reverse – Backdoored



I found some "free" software on the internet backdoored with that Silent Minergate miner, so this time I downloaded the Minergate itself to play with.
What did I find?
Surprise, surprise … I have a backdoored one!!!
svchost.exe – 66.176.134.167:2404
cykaa.duckdns.org / NS1.DUCKDNS.ORG
getcamsi’N|mc$A{n
startcam1Fd
OpenCamera
Dhrefox StoredLogins
\key3.db
\logins./Q}d
[Firefox StoredLogi;Z5fj;
[Firefox Cookie0
tehwCzgokds & stored logins!]
pwgrab
autopswd$Rs
Downloading file: …. and more.
So.. why does this Minergate try to steal from me and control my computer?!?
Have fun & Stay safe!!!

Fake bitcoin wallet stealer – Silent miner backdoor – Reverse

I found another backdoored piece of software. This one was made for those who want to become hackers… or to make some easy money.
Found on Youtube.com with a search for "Bitcoin stealer".
How to use it… the uploader helps you (the uploader's instructions, translated from Portuguese):

  • Password: Techup
  • Disable Antivirus (Of course, this is a hack)
  • Key
  • Connection Server
  • Add your wallet
  • Use Proxy
  • Accept the terms
  • Make sure the program is up to date

All you have to do is download it, run it and you become a rich guy…
We will not double-click the .exe file… (it looks like a .exe).. or better said, this SFX rar archive?!?
Let's see something about the archive with right click and Properties!
I don't like this SILENT=1. LOL If we don't run the ".exe", the backdoor will not run in the background, so let's extract it … and surprise.. there is more than one file, including the backdoor files.
winhlp32.exe
Isass.exe

After reversing the backdoor files I found this:
C:/Users/user/Documents/projects/minergate.app/sources/cudaminer/src/cuda_cryptonight_core.cu
… so what about this minergate?!?
With this lovely usage:
Usage:
minergate-cli [-version] -user <email> [-proxy <url>] -<currency> <threads> [<gpu intensity>] [-<currency> <threads> [<gpu intensity>] …] [-o <pool> -u <login> [-t <threads>] [-i <gpu intensity>]]
And so many options:
Options:
-user account email from minergate.com
proxy server URL. Supports only socks protocols (for example: socks://192.168.0.1:1080
possible values: bcn xmr qcn xdn fcn mcn aeon dsh inf8 <mm_cc>+bcn <mm_cc>+xmr <mm_cc>+qcn <mm_cc>+xdn <mm_cc>+aeon <mm_cc>+dsh. Where <mm_cc> is fcn or mcn
threads count for specified currency
GPU mining intensity (NVidia only) (values range: 1..4. Recommended: 2)
mining pool URL
mining pool login
CPU threads count
GPU mining intensity
Conecting to: h**ps://minergate.com
It seems that we have a nicely backdoored piece of software.
After you run it.. in the background a silent miner is installed on your computer, and in front of you a nice error like this appears:
Blockchain Wallet Stealer 2017\message.vbs
x=msgbox("Hardware is not compatible, try on another PC or restart and run with disabled antivirus.", 0+16, "Error")
If you don't understand: you download this software, after the first run an error message appears and it does not work, but in the background a virus has already been installed.
This time the virus is a Silent Miner, which will use your computer to work for some hacker and help him make some bitcoins.
The YouTube channel Teck up has more videos like this one.. and all of them come with this backdoor.

Have fun & Stay safe!!!

Sunday, 22 October 2017

The secret spy agency is releasing a malware-fighting tool for free

Canada’s electronic spy agency says it is taking the “unprecedented step” of releasing one of its own cyber defence tools to the public, in a bid to help companies and organizations better defend their computers and networks against malicious threats.
The Communications Security Establishment (CSE) rarely goes into detail about its activities — both offensive and defensive — and much of what is known about the agency’s activities have come from leaked documents obtained by U.S. National Security Agency whistleblower Edward Snowden and published in recent years.
But as of late, CSE has acknowledged it needs to do a better job of explaining to Canadians exactly what it does. Today, it is pulling back the curtain on an open-source malware analysis tool called Assemblyline that CSE says is used to protect the Canadian government’s sprawling infrastructure each day.
“It’s a tool that helps our analysts know what to look at, because it’s overwhelming for the number of people we have to be able to protect things,” Scott Jones, who heads the agency’s IT security efforts, said in an interview with CBC News.

‘Super secret spy’ reputation

On the one hand, open sourcing Assemblyline’s code is a savvy act of public relations, and Jones readily admits the agency is trying to shed its “super secret spy agency” reputation in the interest of greater transparency.
But on the other, the agency is acknowledging that, given the widening range of digital threats affecting Canadians and Canadian businesses, it believes it has a more public role to play in cyber defence than it has in the past.
“This is something new for CSE,” he says. It’s a fact not lost on longtime agency observers.
“They’re pushing the envelope in a way they haven’t quite before,” said Bill Robinson, an independent researcher who has studied CSE’s activities for more than two decades, and recently joined the University of Toronto’s Citizen Lab as a fellow. “It’s a big change, a sea change for them in that way.”
The step may be unprecedented for CSE, but not for its partners in the Five Eyes — an intelligence-sharing alliance involving Australia, Canada, New Zealand, the United Kingdom and the United States.
Both the NSA and the U.K.’s Government Communications Headquarters (GCHQ) have maintained active projects on the code sharing repository GitHub in recent years.

‘A gift’ for companies

Assemblyline is described by CSE as akin to a conveyor belt: files go in, and a handful of small helper applications automatically comb through each one in search of malicious clues. On the way out, every file is given a score, which lets analysts sort old, familiar threats from the new and novel attacks that typically require a closer, more manual approach to analysis.
“There’s only so many ways you can hide malware within a Word document,” said John O’Brien, who leads the development of the tool, which first started in 2010. “So by looking for the hallmark of that type of an attack, that can give us an indication that there’s something in here that’s just off.”
Cybersecurity researcher Olivier Bilodeau says although there is overlap between Assemblyline and existing tools, CSE’s contribution is that it has cobbled together many of the tools that malware researchers already use into one platform, like a Swiss Army Knife for malware analysis that anyone can modify and improve. And it has demonstrated that Assemblyline can scale to handle networks as large as the government’s.
Bilodeau — who leads cybersecurity research at the Montreal security company GoSecure, and has developed a malware research toolbox of his own — says those attributes could make it easier for large organizations such as banks to do more of the kind of specialized work that his company does.
“They usually spend a lot of time fighting the malware, but not a lot of time investing in malware fighting infrastructure,” he said. “So this is definitely a gift for them.”

Spying on spies

The possibility that CSE’s own tool could be used to detect spy software of its own design, or that of its partners, is not lost upon the agency.
“Whatever it detects, whether it be cybercrime or [nation] states, or anybody else that are doing things — well that’s a good thing, because it’s made the community smarter in terms of defence,” said Jones.
Nor does he believe that releasing Assemblyline to the public will make it easier for adversaries to harm the government, or understand how CSE hunts for threats — quite the opposite, in fact.
“We believe that the benefits far outweigh any risks and that we can still use this to be ahead of the threat that’s out there.”


Source

Saturday, 21 October 2017

A New IoT Botnet Storm is Coming

  • A massive Botnet is forming to create a cyber-storm that could take down the internet.
  • An estimated million organizations have already been infected.
  • The Botnet is recruiting IoT devices such as IP Wireless Cameras to carry out the attack.
New cyber-storm clouds are gathering. Check Point researchers have discovered a brand new Botnet evolving and recruiting IoT devices at a far greater pace and with more potential damage than the Mirai botnet of 2016.
IoT Botnets are Internet connected smart devices which have been infected by the same malware and are controlled by a threat actor from a remote location. They have been behind some of the most damaging cyberattacks against organizations worldwide, including hospitals, national transport links, communication companies and political movements.
While some technical aspects lead us to suspect a possible connection to Mirai, this is an entirely new and far more sophisticated campaign that is rapidly spreading worldwide. It is too early to guess the intentions of the threat actors behind it, but with previous Botnet DDoS attacks essentially taking down the Internet, it is vital that organizations make proper preparations and defense mechanisms are put in place before an attack strikes.
Ominous signs were first picked up via Check Point’s Intrusion Prevention System (IPS) in the last few days of September. An increasing number of attempts were being made by hackers to exploit a combination of vulnerabilities found in various IoT devices.
With each passing day the malware was evolving to exploit an increasing number of vulnerabilities in Wireless IP Camera devices such as GoAhead, D-Link, TP-Link, AVTECH, NETGEAR, MikroTik, Linksys, Synology and others. It soon became apparent that the attempted attacks were coming from many different sources and a variety of IoT devices, meaning the attack was being spread by the IoT devices themselves.

So far we estimate over a million organizations have already been affected worldwide, including the US, Australia and everywhere in between, and the number is only increasing.
Our research suggests we are now experiencing the calm before an even more powerful storm. The next cyber hurricane is about to come.
For deeper analysis on the rise of this new IoT Botnet, please see the full research publication on our Research Blog.

Source

Thursday, 19 October 2017

The KRACK attack – An Earthquake for Wi-Fi Security

A group of security researchers has discovered several serious key management vulnerabilities in the core of the Wi-Fi Protected Access II (WPA2) protocol that could be exploited by an attacker to break into a Wi-Fi network and eavesdrop on its Internet connections. The attacks can steal sensitive information such as credit card numbers, passwords, chat messages, emails, and pictures.
The flaws were found by the Belgian researcher Mathy Vanhoef of imec-DistriNet, KU Leuven, who published a detailed paper (titled “Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2”) that described an attack method dubbed KRACK attack (Key Reinstallation Attack).

The hacking technique devised by the researchers works against almost any WPA2 Wi-Fi network, because the issues reside in the WPA2 standard itself and not in the various implementations, meaning that WPA2 as a whole has been compromised.
The impact could be serious for both companies and home users: any working implementation of WPA2 is likely affected. The only limitation is that an attacker needs to be within range of a victim to exploit the weaknesses.
“We discovered serious weaknesses in WPA2, a protocol that secures all modern protected Wi-Fi networks. An attacker within range of a victim can exploit these weaknesses using key reinstallation attacks (KRACKs),” states a post published by Vanhoef. “Concretely, attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted. This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-Fi networks.”
The KRACK attack allows attackers to decrypt Wi-Fi users’ traffic without cracking or knowing the password; the experts highlighted that, depending on the network configuration, it is also possible to inject and manipulate data. An attacker can carry out a KRACK attack to inject malware such as ransomware or other malicious code into websites.
The researchers explained the KRACK attack works against:
  • Both WPA1 and WPA2,
  • Personal and enterprise networks,
  • Ciphers WPA-TKIP, AES-CCMP, and GCMP
When the researchers started their tests on the hacking technique, they discovered that the vulnerabilities affect various operating systems, computers and devices such as Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys.
CERT/CC published a detailed list of the devices affected by some variant of the attacks.
The KRACK attack works by exploiting a 4-way handshake of the WPA2 protocol that’s used to establish a key for encrypting traffic.
This handshake is executed every time a client joins a protected Wi-Fi network; it is a mechanism used to confirm that both the client and access point possess the correct credentials (e.g., the pre-shared password of the network). The 4-way handshake is also used to negotiate a fresh encryption key that will be used to encrypt all subsequent traffic.
“When the victim reinstalls the key, associated parameters such as the incremental transmit packet number (i.e., nonce) and receive packet number (i.e., replay counter) are reset to their initial value,” explained Vanhoef. “Essentially, to guarantee security, a key should only be installed and used once. Unfortunately, we found the WPA2 protocol does not guarantee this. By manipulating cryptographic handshakes, we can abuse this weakness in practice.”

The KRACK attack relies on the attacker's ability to trick victims into reinstalling an already-in-use key, which is achieved by manipulating and replaying cryptographic handshake messages.
The experts demonstrated how to execute the key reinstallation attack against an Android smartphone to decrypt a transmission over a protected WiFi.
The researchers explained that the KRACK attack is exceptionally effective against Linux and Android 6.0 or higher because it is quite easy for attackers to reinstall an already-in-use key.
“For an attacker, this is easy to accomplish because our key reinstallation attack is exceptionally devastating against Linux and Android 6.0 or higher. This is because Android and Linux can be tricked into (re)installing an all-zero encryption key (see below for more info). When attacking other devices, it is harder to decrypt all packets, although a large number of packets can nevertheless be decrypted. In any case, the following demonstration highlights the type of information that an attacker can obtain when performing key reinstallation attacks against protected Wi-Fi networks.” explained the expert.
“Although websites or apps may use HTTPS as an additional layer of protection, we warn that this extra protection can (still) be bypassed in a worrying number of situations.”

Below is the video PoC of the KRACK attack shared by the researchers:
“Adversaries can use this attack to decrypt packets sent by clients, allowing them to intercept sensitive information such as passwords or cookies.” the researcher said.
“Decryption of packets is possible because a key reinstallation attack causes the transmit nonces (sometimes also called packet numbers or initialization vectors) to be reset to zero. As a result, the same encryption key is used with nonce values that have already been used in the past.”
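The quoted explanation is the whole mechanism: the transmit nonce is a counter that is reset when a key is (re)installed, so a replayed handshake message makes the client encrypt new frames with (key, nonce) pairs it has already used. The following Python model is an added illustration, not code from the article or from Vanhoef's research; it tracks only the supplicant state the article describes (installed key, transmit nonce) and counts reused (key, nonce) pairs. The `reject_reinstall` flag is a simplified stand-in for the fix idea (do not reinstall a key that is already in use), and `clears_key_after_install` is a simplified model of the all-zero key behaviour the article attributes to Android and Linux; both flags, the class and the frame payloads are constructed for this example.

```python
import secrets

ZERO_KEY = bytes(16)  # what a wiped key buffer looks like when it is "reinstalled"


class SupplicantModel:
    """Toy model (constructed for illustration) of the client-side state that a key
    reinstallation abuses: the installed pairwise key and the transmit nonce counter."""

    def __init__(self, reject_reinstall=False, clears_key_after_install=False):
        self.reject_reinstall = reject_reinstall                  # patched behaviour
        self.clears_key_after_install = clears_key_after_install  # Android/Linux quirk (simplified)
        self.installed_key = None
        self.pending_key = None   # key derived during the handshake, kept until installed
        self.tx_nonce = 0
        self.used_pairs = []      # every (key, nonce) pair handed to the cipher

    def on_msg3(self, ptk):
        """Handle message 3 of the 4-way handshake, which may be a retransmitted copy."""
        if self.pending_key is None:
            self.pending_key = ptk
        if self.reject_reinstall and self.installed_key is not None:
            return "ignored"      # key already in use: acknowledge, but keep the counters
        self.installed_key = self.pending_key
        self.tx_nonce = 0         # the counter reset that causes nonce reuse
        if self.clears_key_after_install:
            self.pending_key = ZERO_KEY  # buffer wiped, so a later reinstall yields all zeros
        return "installed"

    def send_frame(self, payload):
        """Encrypt-and-send stand-in: records which (key, nonce) pair protects the frame."""
        self.tx_nonce += 1
        self.used_pairs.append((self.installed_key, self.tx_nonce))
        return self.installed_key, self.tx_nonce, payload


def reused_pairs(model):
    """Number of frames protected by a (key, nonce) pair that was already used."""
    return len(model.used_pairs) - len(set(model.used_pairs))


def simulate(**flags):
    """Run one handshake, two frames, a replayed message 3, and two more frames."""
    model = SupplicantModel(**flags)
    ptk = secrets.token_bytes(16)  # constructed session key
    model.on_msg3(ptk)
    model.send_frame(b"frame 1")
    model.send_frame(b"frame 2")
    model.on_msg3(ptk)             # retransmitted message 3, as in a key reinstallation
    model.send_frame(b"frame 3")
    model.send_frame(b"frame 4")
    return {"reused_pairs": reused_pairs(model),
            "zero_key": model.installed_key == ZERO_KEY}


if __name__ == "__main__":
    print("unpatched:", simulate())
    print("unpatched, key wiped after install:", simulate(clears_key_after_install=True))
    print("patched:", simulate(reject_reinstall=True))
```

The unpatched model reuses two (key, nonce) pairs after the replayed message; the key-wiping variant reuses none but ends up encrypting with an all-zero key, which is why the article singles out Linux and Android; the patched model keeps its counters and uses four distinct nonces under one key.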
As perfectly summarized by Sean Gallagher on Ars Technica, depending on the type of handshake mechanism used between the devices and the Access Point the KRACK attack can do varying levels of damage:
  • For connections using AES and the Counter with CBC-MAC Protocol ((AES)-CCMP), an attacker can exploit the vulnerabilities to decrypt the traffic and inject content into TCP packet streams. In this attack scenario, the attacker cannot break the key or forge it, he cannot join the network, but he should use a “cloned” access point with the same MAC address as the access point of the targeted network, on a different Wi-Fi channel.
  • For WPA2 systems using the Temporal Key Integrity Protocol (TKIP), the Message Integrity Code key can be recovered by the attacker. The attacker can replay captured packets to the network, forge and transmit new packets to the targeted client posing as the access point.
  • For devices that use the Galois/Counter Mode Protocol (GCMP), the attack is the worst: “It is possible to replay and decrypt packets,” Vanhoef and Piessens wrote. “Additionally, it is possible to recover the authentication key, which in GCMP is used to protect both communication directions [as client or access point]… therefore, unlike with TKIP, an adversary can forge packets in both directions.” That means that the attacker can essentially join the network and pretend to be a client or the access point, depending on the type of access they want. “Given that GCMP is expected to be adopted at a high rate in the next few years under the WiGig name, this is a worrying situation,” the researchers noted.
Below is the full list of vulnerabilities discovered in the WPA2 protocol.
  • CVE-2017-13077: Reinstallation of the pairwise encryption key (PTK-TK) in the 4-way handshake.
  • CVE-2017-13078: Reinstallation of the group key (GTK) in the 4-way handshake.
  • CVE-2017-13079: Reinstallation of the integrity group key (IGTK) in the 4-way handshake.
  • CVE-2017-13080: Reinstallation of the group key (GTK) in the group key handshake.
  • CVE-2017-13081: Reinstallation of the integrity group key (IGTK) in the group key handshake.
  • CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT) Reassociation Request and reinstalling the pairwise encryption key (PTK-TK) while processing it.
  • CVE-2017-13084: Reinstallation of the STK key in the PeerKey handshake.
  • CVE-2017-13086: reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake.
  • CVE-2017-13087: reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
  • CVE-2017-13088: reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
The researchers discovered the vulnerabilities last year and reported them to the affected vendors on July 14; the US-CERT also issued an alert to hundreds of vendors on 28 August 2017.
“US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected. The CERT/CC and the reporting researcher KU Leuven will be publicly disclosing these vulnerabilities on 16 October 2017.” the US-CERT warned.
How to protect affected devices?
Users have to wait for firmware updates from their device vendors; security patches for Linux’s hostapd (Host access point daemon) and WPA Supplicant have already been released.
The use of VPN and other anonymizing techniques can offer a supplementary level of protection to communications.
“This sounds bad. However, a significant amount of the risk would be mitigated for services that use strong encryption at the transport or application layer (such as TLS, HTTPS, SSH, PGP) as well as applications secured by encrypted VPN protocols,” the crypto expert Arnold KL Yau told El Reg.
“Despite this, however, the ability to decrypt Wi-Fi traffic could still reveal unique device identifiers (MAC addresses) and massive amounts of metadata (websites visited, traffic timing, patterns, amount of data exchanged, etc.) which may well violate the privacy of the users on the network and provide valuable intelligence to whoever’s sitting in the black van.”

The research team plans to release a tool that will allow users to verify if their Wi-Fi network is vulnerable to the KRACK attack.
“We have made scripts to detect whether an implementation of the 4-way handshake, group key handshake, or Fast BSS Transition (FT) handshake is vulnerable to key reinstallation attacks. These scripts will be released once we had the time to clean up their usage instructions,” concluded the expert.
“We also made a proof-of-concept script that exploits the all-zero key (re)installation present in certain Android and Linux devices. This script is the one that we used in the demonstration video. It will be released once everyone had a reasonable chance to update their devices (and we have had a chance to prepare the code repository for release).”

The experts will present their findings at the Computer and Communications Security (CCS) conference and the Black Hat Europe conference.

References

http://securityaffairs.co/wordpress/64373/breaking-news/wpa-krack-attack.html
https://www.krackattacks.com/
https://papers.mathyvanhoef.com/ccs2017.pdf
https://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=228519&SearchOrder=4
https://www.theregister.co.uk/2017/10/16/wpa2_krack_attack_security_wifi_wireless/
https://arstechnica.com/information-technology/2017/10/how-the-krack-attack-destroys-nearly-all-wi-fi-security/



Source: infosecinstitute

The Pirate Bay Caught Secretly Running Cryptocurrency Miner Again


In September 2017, we reported that The Pirate Bay (TPB) was running a cryptocurrency miner provided by CoinHive. The code used visitor’s CPU bandwidth to generate Monero digital coins without informing them or allowing them to Opt-In or Opt-Out.
In reply, TPB claimed, “the miner is being tested for a short period (~24 hours) as a new way to generate revenue.”

Another one

But now, another researcher has revealed that TPB is using yet another cryptocurrency miner to generate Monero digital coins without alerting users or providing them options to allow the site to use their CPU bandwidth or not.
According to Nic Carter, a financial and digital currency specialist, The Pirate Bay is mining Monero using crypto-loot, a new software that offers similar services as CoinHive. “The Pirate Bay is mining Monero in user’s browsers again, this time using crypto-loot (12% rake) rather than coinhive (30% rake),” tweeted Carter.

CloudFlare is booting off such sites

Remember, last week CloudFlare booted off a torrent website, ProxyBunker, for secretly using a cryptocurrency miner. In their reply to ProxyBunker, CloudFlare stated that it was running “Coinhive mining code without notifying users. … We consider this to be malware, and as such, the account was suspended, and all domains removed from CloudFlare.”
However, since The Pirate Bay also uses CloudFlare’s DDoS protection, it could be a matter of time before the firm decides to boot off the site for mining digital currency without informing users.
“They’re doing it without informing users, a violation of CloudFlare’s TOS. Could see this escalated into a serious wrangle with CloudFlare,” Carter further explained.

Who else was caught doing it?

Currently, the trend of using cryptocurrency miners is increasing; therefore, a number of websites are signing up for the code. However, two domains owned by CBS Corporation’s premium cable network Showtime were also caught mining cryptocoins without notifying users.
Although a rare practice, if adopted widely on a long-term basis it might replace ads for good as advertisements can be malicious and annoying at times. However, the fact that it hijacks computers for crypto mining is deeply concerning for users, therefore, website owners should allow users to choose whether they want the site to use their CPU for mining or not.
Here is an example screenshot HackRead was able to grab showing what it looks like when a site decides to inform users about mining cryptocurrency:
If you know a site secretly using a cryptocurrency miner, share it with us in the comment section.



Source: hackread

MS Office Built-in Feature Allows Malware Execution Without Macros Enabled


Since new forms of cybercrime are on the rise, traditional techniques seem to be shifting towards more clandestine ones that involve the exploitation of standard system tools and protocols, which are not always monitored. Security researchers at Cisco’s Talos threat research group have discovered one such attack campaign spreading malware-equipped Microsoft Word documents that perform code execution on the targeted device without requiring macros to be enabled or any memory corruption.
This macro-less code execution technique in MS Word, described in detail on Monday by a pair of security researchers from Sensepost, Etienne Stalmans and Saif El-Sherei, leverages a built-in feature of MS Office called Dynamic Data Exchange (DDE) to perform code execution.
The Dynamic Data Exchange (DDE) protocol is one of several methods Microsoft provides for two running applications to share the same data. The protocol can be used by applications for one-time data transfers and for continuous exchanges in which apps send updates to one another as new data becomes available.
Thousands of applications use the DDE protocol, including Microsoft’s Excel, MS Word, Quattro Pro, and Visual Basic. The exploitation technique that the researchers described displays no “security” warnings to victims, except asking them whether they want to execute the application specified in the command; however, this popup alert could also be eliminated “with proper syntax modification,” the researchers say.
The duo has also provided a proof-of-concept video demonstrating the technique.

MS Word DDE Attack Being Actively Exploited In the Wild

As described by Cisco researchers, this technique was found actively being exploited in the wild by hackers to target several organisations using spear phishing emails, which were spoofed to make them look as if they’re sent by the Securities and Exchange Commission (SEC) and convince users into opening them.
“The emails themselves contained a malicious attachment [MS Word] that when opened would initiate a sophisticated multi-stage infection process leading to infection with DNSMessenger malware,” reads a blog post published by Talos researchers.
Earlier, in March, Talos researchers found attackers distributing DNSMessenger—a completely fileless remote access trojan (RAT) that uses DNS queries to conduct malicious PowerShell commands on compromised computers.
Once the document is opened, victims are prompted with a message informing them that it contains links to external files, asking them to allow or deny the content to be retrieved and displayed. If allowed, the malicious document communicates with attacker-hosted content in order to retrieve code that is executed to initiate the DNSMessenger malware infection.
“Interestingly, the DDEAUTO field used by this malicious document retrieved code that the attacker had initially hosted on a Louisiana state government website, which was seemingly compromised and used for this purpose,” the researchers say.

How to Protect Yourself And Detect MS Word DDE Attacks

What’s more worrying? Microsoft doesn’t consider this a security issue; rather, according to the company, the DDE protocol is a feature that cannot be removed but could be improved with better warning alerts for users in the future.
Although there’s no direct way to disable DDE code execution, users can proactively monitor system event logs to check for possible exploitation.
Besides this, the researchers at NVISO Labs have also shared two YARA rules to detect the DDE vector in Office Open XML files.
The best way to protect yourself from such malware attacks is always to be suspicious of any uninvited document sent via an email and never click on links inside those documents unless properly verifying the source.
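The YARA rules and event-log monitoring mentioned above are the defensive checks the article offers. As an added example (not part of the article, and not NVISO's rules), here is a small Python scanner that does the same job on Office Open XML: it opens a .docx as a zip, parses every XML part under word/, and reports DDE or DDEAUTO field codes. Word stores a field code either in a single w:fldSimple attribute or as one or more w:instrText runs, so the scanner joins the runs of each paragraph before matching; a field code split across runs is therefore still caught. The two .docx fixtures are constructed in memory and deliberately minimal, and "placeholder.exe" is a placeholder, not a real command.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS
# DDE or DDEAUTO as a whole word, case-insensitive (Word treats field keywords case-insensitively)
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)


def find_dde_fields(docx_bytes):
    """Return a list of (part_name, field_code) for every DDE/DDEAUTO field in the document.

    Every XML part under word/ is scanned (document body, headers, footers, footnotes, ...),
    because a field can live in any of them.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # a malformed part is not a DDE finding; report it elsewhere
            # Complex fields: the code is spread over w:instrText runs, possibly split up
            for para in root.iter(W + "p"):
                code = "".join(t.text or "" for t in para.iter(W + "instrText"))
                if DDE_RE.search(code):
                    findings.append((name, " ".join(code.split())))
            # Simple fields: the whole code sits in the w:instr attribute
            for fld in root.iter(W + "fldSimple"):
                instr = fld.get(W + "instr", "")
                if DDE_RE.search(instr):
                    findings.append((name, " ".join(instr.split())))
    return findings


def build_docx(body_xml):
    """Build a minimal .docx around the given body XML (constructed test fixture)."""
    doc = ('<?xml version="1.0" encoding="UTF-8"?>'
           '<w:document xmlns:w="%s"><w:body>%s</w:body></w:document>' % (W_NS, body_xml))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")  # placeholder part, enough for the scanner
        zf.writestr("word/document.xml", doc)
    return buf.getvalue()


# Constructed fixtures: a harmless document, a split-run DDEAUTO field, and a fldSimple DDE field
CLEAN_DOCX = build_docx('<w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p>')
SPLIT_FIELD_DOCX = build_docx(
    '<w:p>'
    '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> DDE</w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve">AUTO "placeholder.exe" "args" </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
    '</w:p>')
SIMPLE_FIELD_DOCX = build_docx(
    '<w:p><w:fldSimple w:instr=" DDE placeholder-topic item ">'
    '<w:r><w:t>x</w:t></w:r></w:fldSimple></w:p>')


if __name__ == "__main__":
    for label, data in [("clean", CLEAN_DOCX), ("split field", SPLIT_FIELD_DOCX),
                        ("simple field", SIMPLE_FIELD_DOCX)]:
        print(label, "->", find_dde_fields(data))
```

To scan a real file, pass `open(path, "rb").read()` to `find_dde_fields`; a non-empty result is a reason to quarantine the document and look for the external-content prompt in the user's session, not proof of execution by itself.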



Source: thehackernews

Wednesday, 11 October 2017

Hacking the Election: Security Flaws Need Fixing, Researchers Say

Hackers could have easily infiltrated US voting machines in 2016 and are likely to try again in light of vulnerabilities in electronic polling systems, a group of researchers said Tuesday.

A report with detailed findings from a July hacker conference which demonstrated how voting machines could be manipulated concluded that numerous vulnerabilities exist, posing a national security threat.
The researchers analyzed the results of the “voting village” hacking contest at the DefCon gathering of hackers in Las Vegas this year, which showed how ballot machines could be compromised within minutes.
“These machines were pretty easy to hack,” said Jeff Moss, the DefCon founder who presented the report at the Atlantic Council in Washington. “The problem is not going away. It’s only going to accelerate.”
The report said the DefCon hack was just the tip of the iceberg — with potential weaknesses in voter databases, tabulating software and other parts of the system.
The researchers said most voting machines examined included at least some foreign-manufactured parts, raising the possibility that malware could be introduced even before the devices are delivered.
“This discovery means that a hacker’s point-of-entry into an entire make or model of voting machine could happen well before that voting machine rolls off the production line,” the report said.
“With an ability to infiltrate voting infrastructure at any point in the supply chain process, then the ability to synchronize and inflict large-scale damage becomes a real possibility.”
– No certainty on 2016 –
Harri Hursti, a researcher with Nordic Innovation Labs and a co-author of the report, said it’s impossible to say with certainty if votes were tampered with in 2016 because many systems “don’t have the capacity” to be audited.
The report said five US states operate entirely on paperless systems which have no paper trail to be reviewed and another nine states are partially paperless.
“The only way to know is if the hacker tells you,” he said, adding that “it can be done without leaving tracks.”
Douglas Lute, former US ambassador to NATO who presented the report, said in a foreword to the report that the findings highlight “a serious national security issue that strikes at the core of our democracy.”
Although some researchers in the past have shown individual machines could be breached, this report suggests a range of vulnerabilities across a range of hardware, software and databases.
“What the report shows is that if relative rookies can hack a voting system so quickly, it is difficult to deny that a nefarious actor — like Russia — with unlimited time and resources, could not do much greater damage,” said University of Chicago cybersecurity instructor Jake Braun, another co-author.
The threat becomes all the more grave “when you consider they could hack an entire line of voting machines, remotely and all at once via the supply chain,” he added.
In presenting the findings, the researchers said members of the DefCon hacker community would work with academics and security researchers in a new coalition aimed at improving election security.


Source: securityweek

Tuesday, 10 October 2017

Hackers are compromising websites to mine cryptocoins via user’s CPU


For the last couple of weeks, the trend of inserting code into websites that generates cryptocurrency has been growing like never before. What might worry some is that it uses visitors' computers to do the work.
Recently, Trend Micro, a cybersecurity firm, discovered that hackers are compromising charity, school, and file sharing websites with a particular code that lets the site use visitors' CPUs to generate cryptocurrency.
By doing so, the code turns the visitor's computer into a miner. The more computers that run it, the faster the digital currency is generated and, in return, the more money is made. In the end, the victim pays the price in a higher electricity bill.

[Animation: Hackers are compromising websites to mine cryptocoins via user CPU. Gif credit: Bitminer]
According to Rik Ferguson, vice-president of security research at Trend Micro, “This is absolutely a numbers game. There’s a huge attraction of being able to use other people’s devices in a massively distributed fashion because you then effectively take advantage of a huge amount of computing resources.”
The security firm discovered that hundreds of famous websites are using the code. Some are using “Coin Hive” code, some are using JSE Coin script while some have no idea how the code got onto their websites.
To get rid of it, some site owners have simply removed the code while some have updated their security policies and issued patches. There are those who are still investigating the issue emphasizing on how their site was compromised and how the code ended up on it without triggering any warning.
BBC reported that developers of Coin Hive are also taking action against those misusing their code for malicious purposes. “We had a few early users that implemented the script on sites they previously hacked, without the site owner’s knowledge. We have banned several of these accounts and will continue to do so when we learn about such cases,” Coin Hive told BBC.
In a tweet, FiveM, a modification framework for GTA V said that they had issued a security update just to stop users from adding miners to their code.
CloudFlare, a content delivery network and Internet security service, also booted off a torrent website for secretly running a cryptocurrency miner. The company said it found “mining code without notifying users. … We consider this to be malware.”
Last month, The Pirate Bay website was caught “testing” cryptocurrency miner while two domains owned by CBS Corporation’s premium cable network Showtime’s sites were also found to be mining cryptocoins without informing their visitors.
In another report, Trend Micro said that hackers are also using smart home devices to generate cryptocurrency. “Trend Micro data shows that more and more home devices are being compromised—we blocked over 90% more home network attacks in September compared to July, and most of the attacks are attempting to mine cryptocurrency,” said Trend Micro.
Although it is a rare practice, if adopted on a long-term basis it might replace ads for good, as advertisements can be malicious and annoying at times. However, the fact that it hijacks computers for crypto mining deeply concerns users; therefore, website owners should let users choose whether they want the site to use their CPU for mining or not.
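The injected code the article talks about is an ordinary script tag, so a site owner can check their own pages for it. The following is an added example (not code from the article or from Trend Micro); the Coin Hive and JSEcoin host names and the CoinHive.Anonymous() call are taken from the public mining libraries of the time, the sample page is constructed, and the indicator lists are a starting point rather than a complete one:

```python
"""Added example: scan a page's HTML for injected in-browser miner scripts."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators for the two mining services named in the article (assumed lists).
MINER_HOSTS = ("coinhive.com", "coin-hive.com", "jsecoin.com")
MINER_INLINE_MARKERS = ("CoinHive.Anonymous", "CoinHive.User", "new CoinHive")

# Constructed sample page: one external miner script, one inline start call,
# and one ordinary first-party script that must not be flagged.
SAMPLE_PAGE = """<html><head>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER');
  miner.start();
</script>
<script src="/js/app.js"></script>
</head><body><h1>Charity site</h1></body></html>"""


def _host_of(src):
    """Host of an absolute or protocol-relative script URL, '' for local paths."""
    parsed = urlparse(src)
    if parsed.netloc:
        return (parsed.hostname or "").lower()
    return ""


def _is_miner_host(host):
    # exact match or subdomain of a listed host
    return any(host == h or host.endswith("." + h) for h in MINER_HOSTS)


class MinerScriptFinder(HTMLParser):
    """Collect <script> tags whose src host or inline body matches an indicator."""

    def __init__(self):
        super().__init__()
        self.findings = []      # list of (kind, detail) tuples
        self._in_script = False
        self._chunks = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        self._in_script = True
        self._chunks = []
        src = dict(attrs).get("src") or ""
        if _is_miner_host(_host_of(src)):
            self.findings.append(("external", src))

    def handle_data(self, data):
        # script bodies arrive here, possibly in several chunks
        if self._in_script:
            self._chunks.append(data)

    def handle_endtag(self, tag):
        if tag != "script":
            return
        body = "".join(self._chunks)
        if any(marker in body for marker in MINER_INLINE_MARKERS):
            # report only the first non-empty line, not the whole script
            first_line = next((ln.strip() for ln in body.splitlines() if ln.strip()), "")
            self.findings.append(("inline", first_line))
        self._in_script = False
        self._chunks = []


def find_miner_scripts(html):
    """Return [(kind, detail), ...] for every script that matched an indicator."""
    finder = MinerScriptFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for kind, detail in find_miner_scripts(SAMPLE_PAGE):
        print(f"{kind:8s} {detail}")
```

Run it against the HTML your own server actually sends (not the files on disk), because the cases in the article are ones where the code reached the page without the owner noticing; a miner that is fetched from a host not on the list will only be caught by the inline markers or by watching CPU usage in the browser.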


Source : hackread

Monday, 9 October 2017

Credit agency Experian is using scare tactics to sell a service for tracking traded user data on the dark web

On the dark web, it is quite easy to find the identities of many unaware individuals, along with other data that could expose companies to fraud.
One of the world’s biggest consumer credit reporting agencies, Experian, is trying to sell an identity theft protection product by leveraging consumers' fear of the darknet.
At the beginning of September, Experian launched the IdentityWorks Premium program, saying it can protect customers from the exposure of personal information on the dark web. “Is your personal information already being traded on the dark web,” states one of Experian’s advertisements.
“Because of its hidden nature and the use of special applications to maintain anonymity, it’s not surprising that the dark Web can be a haven for all kinds of illicit activity,” Experian says on its own website. “This means if you’ve ever been a victim of a data breach, it’s a place where your sensitive information might live,” reads the alarming message from the company.
The company is offering a first “Dark Web Email Scan” for free, to let customers search for their email address on darknet sources.
By providing an e-mail address to the scanning service, a user grants Experian permission to “track and collect certain consumer information specific to” the user.
By using the “Free Dark Web Email Scan” a user will receive advertisements for Experian products at the e-mail address that is being scanned. The user agreement includes a clause which states that not only will Experian send you advertisements, but “offers for available credit cards, loan options, financial products or services, or credit-related products or services and other offers to customers.”
Experian collects and tracks various data for the users, including credit scores, loan and credit card payments, interest rates.
“I clicked on Experian’s terms of service and found a densely written, nearly 17,600-word document — a contract the length of a novella.
Not surprisingly, this is where you’ll find an arbitration clause preventing you from suing the company — an increasingly common aspect of consumer contracts nowadays. That’s the least of your worries, though.” reported a post published by the Los Angeles Times.
“The terms reveal that Experian “receives compensation for the marketing of credit opportunities or other products or services available through third parties,” which is exactly what it sounds like. You’re giving permission for the company to sell you out.
And if you make it to the very bottom of the contract — no small feat, I assure you — you’ll find this little cow chip: Even if you cancel any Experian service, your acceptance of the arbitration clause “shall survive.”
Disturbing! What do you think about it?
Without going into the details of the implementation of the Experian scanning service, it is indisputable that the company is using scare tactics to get new customers for its service.



Source : securityaffairs

AWSBucketDump – Security Tool to Look For Interesting Files in S3 Buckets


AWSBucketDump is a tool to quickly enumerate AWS S3 buckets to look for loot. It’s similar to a subdomain bruteforcer but is made specifically for S3 buckets and also has some extra features that allow you to grep for delicious files as well as download interesting files if you’re not afraid to quickly fill up your hard drive.
Pre-Requisites
Non-Standard Python Libraries:
xmltodict
requests
argparse
Created with Python 3.6
General
This is a tool that enumerates Amazon S3 buckets and looks for interesting files.
I have example wordlists but I haven’t put much time into refining them.
https://github.com/danielmiessler/SecLists will have all the word lists you need. If you are targeting a specific company, you will likely want to use jhaddix’s enumall tool which leverages recon-ng and Alt-DNS.
As far as word lists for grepping interesting files, that is completely up to you. The one I provided has some basics and yes, those word lists are based on files that I personally have found with this tool.
Using the download feature might fill your hard drive up; you can provide a max file size for each download at the command line when you run the tool. Keep in mind that it is in bytes.
I honestly don’t know if Amazon rate limits this; I am guessing they do to some extent, but I haven’t gotten around to figuring out what that limit is. By default there are two threads for checking buckets and two for downloading.
After building this tool, I did find an interesting article from Rapid7 regarding this research: https://community.rapid7.com/community/infosec/blog/2013/03/27/1951-open-s3-buckets
Usage:
usage: AWSBucketDump.py [-h] [-D] [-t THREADS] -l HOSTLIST [-g GREPWORDS] [-m MAXSIZE]
optional arguments:
  -h, --help    show this help message and exit
  -D            Download files. This requires significant diskspace
  -d            If set to 1 or True, create directories for each host w/ results
  -t THREADS    number of threads
  -l HOSTLIST
  -g GREPWORDS  Provide a wordlist to grep for
  -m MAXSIZE    Maximum file size to download.
python AWSBucketDump.py -l BucketNames.txt -g interesting_Keywords.txt -D -m 500000 -d 1
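The two filters the tool applies, a keyword grep over object keys and a maximum size per download, are easy to reproduce for auditing your own bucket listings. The following is an added example, not AWSBucketDump's own code: it parses a listing in the ListBucketResult XML format that S3 returns for a GET on a bucket, using the standard library instead of xmltodict; the sample listing and the grep list are constructed for the example.

```python
"""Added example: audit an S3 bucket listing for sensitive-looking keys."""
import xml.etree.ElementTree as ET

# Namespace used by S3's ListBucketResult responses.
S3_NS = {"s3": "http://s3.amazonaws.com/doc/2006-03-01/"}

# Constructed sample listing (four keys; a real response carries more fields
# per object, such as LastModified and ETag).
SAMPLE_LISTING = """<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>example-bucket</Name>
  <IsTruncated>false</IsTruncated>
  <Contents><Key>images/logo.png</Key><Size>4096</Size></Contents>
  <Contents><Key>backup/db-backup.sql.gz</Key><Size>734003200</Size></Contents>
  <Contents><Key>config/.env</Key><Size>312</Size></Contents>
  <Contents><Key>docs/readme.txt</Key><Size>2048</Size></Contents>
</ListBucketResult>"""

# Constructed grep list in the spirit of the tool's interesting_Keywords.txt.
GREPWORDS = ["backup", "password", ".sql", "id_rsa", ".env", ".pem"]


def parse_listing(xml_text):
    """Return (bucket_name, is_truncated, [{'key': ..., 'size': ...}, ...]).

    is_truncated is True when S3 stopped at its page limit (1000 keys by
    default); a real audit must then continue the listing from the last key.
    """
    root = ET.fromstring(xml_text)
    name = root.findtext("s3:Name", default="", namespaces=S3_NS)
    truncated = root.findtext("s3:IsTruncated", default="false", namespaces=S3_NS) == "true"
    objects = []
    for entry in root.findall("s3:Contents", S3_NS):
        objects.append({
            "key": entry.findtext("s3:Key", default="", namespaces=S3_NS),
            "size": int(entry.findtext("s3:Size", default="0", namespaces=S3_NS)),
        })
    return name, truncated, objects


def select_interesting(objects, grepwords, max_size=None):
    """Keys matching any grep word (case-insensitive).

    Each hit is (key, size, within_limit); within_limit mirrors the tool's
    -m MAXSIZE check, in bytes, so oversized objects are reported but not
    marked for download.
    """
    hits = []
    for obj in objects:
        key = obj["key"].lower()
        if not any(word.lower() in key for word in grepwords):
            continue
        within_limit = max_size is None or obj["size"] <= max_size
        hits.append((obj["key"], obj["size"], within_limit))
    return hits


if __name__ == "__main__":
    bucket, truncated, objs = parse_listing(SAMPLE_LISTING)
    print(f"bucket={bucket} truncated={truncated} objects={len(objs)}")
    for key, size, ok in select_interesting(objs, GREPWORDS, max_size=500000):
        print(f"{'DL ' if ok else 'BIG'} {size:>12} {key}")
```

The point of the IsTruncated flag is the caveat the README does not mention: a listing that stops at the page limit looks complete, so a scan that ignores it silently misses every key after the first thousand.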
Source : kitploit

Sunday, 8 October 2017

WebBreaker – Dynamic Application Security Test Orchestration (DASTO)


Build functional security testing into your software development and release cycles! WebBreaker provides the capabilities to automate and centrally manage Dynamic Application Security Testing (DAST) as part of your DevOps pipeline.
WebBreaker gives all members of the Software Security Development Life-Cycle (SDLC) access to security testing, with greater test coverage and increased visibility, by providing Dynamic Application Security Test Orchestration (DASTO). Current support is limited to the world’s most popular commercial DAST product, WebInspect.
Supported Features
  • Command-line (CLI) scan administration of WebInspect with Fortify SSC products.
  • Jenkins Environmental Variable & String Parameter support (i.e. $BUILD_TAG)
  • Docker container v17.x support
  • Custom email alerting or notifications for scan launch and completion.
  • Extensible event logging for scan administration and results.
  • WebInspect REST API support for v9.30 and later.
  • Fortify Software Security Center (SSC) REST API support for v16.10 and later.
  • WebInspect scan cluster support between two (2) or greater WebInspect servers/sensors.
  • Capabilities for extensible scan telemetry with ELK and Splunk.
  • GIT support for centrally managing WebInspect scan configurations.
  • Replaces most functionality of Fortify’s fortifyclient
  • Python compatibility with versions 2.x or 3.x
  • Provides AES 128-bit key management for all secrets from the Fernet encryption Python library.
Quick Local Installation and Configurations
Installing WebBreaker from source:
  1. git clone https://github.com/target/webbreaker
  2. pip install -r requirements.txt
  3. python setup.py install
Configuring WebBreaker:
  1. Point WebBreaker to your WebInspect API server(s) by editing: webbreaker/etc/webinspect.ini
  2. Point WebBreaker to your Fortify SSC URL by editing: webbreaker/etc/fortify.ini
  3. SMTP settings on email notifications and a message template can be edited in webbreaker/etc/email.ini
  4. Users are encouraged to persist WebInspect settings, policies, and webmacros in their own (mutually exclusive) remote GIT repos. Simply add the GIT URL and the respective directories to webinspect.ini.
NOTES:
  • Required: As with any Python application that contains library dependencies, pip is required for installation.
  • Optional: Include your Python site-packages, if they are not already in your $PATH with export PATH=$PATH:$PYTHONPATH.
Usage
WebBreaker is a command-line interface (CLI) client. See our complete WebBreaker Documentation for further configuration, usage, and installation.
The CLI supports upper-level and lower-level commands with respective options to enable interaction with Dynamic Application Security Test (DAST) products. Currently, the two products supported are WebInspect and Fortify (more to come in the future!!)
Below is a Cheatsheet of supported commands to get you started.
List all WebInspect scans:
webbreaker webinspect list --server webinspect-1.example.com:8083

Query WebInspect scans:
webbreaker webinspect list --server webinspect-1.example.com:8083 --scan_name important_site

List with http:
webbreaker webinspect list --server webinspect-1.example.com:8083 --protocol http

Download WebInspect scan from server or sensor:
webbreaker webinspect download --server webinspect-2.example.com:8083 --scan_name important_site_auth

Download WebInspect scan as XML:
webbreaker webinspect download --server webinspect-2.example.com:8083 --scan_name important_site_auth -x xml

Download WebInspect scan with http (no SSL):
webbreaker webinspect download --server webinspect-2.example.com:8083 --scan_name important_site_auth --protocol http

Basic WebInspect scan:
webbreaker webinspect scan --settings important_site_auth

Advanced WebInspect Scan with Scan overrides:
webbreaker webinspect scan --settings important_site_auth --allowed_hosts example.com --allowed_hosts m.example.com

Scan with local WebInspect settings:
webbreaker webinspect scan --settings /Users/Matt/Documents/important_site_auth

Initial Fortify SSC listing with authentication (the SSC token is kept for one day):
webbreaker fortify list --fortify_user matt --fortify_password abc123

Interactive Listing of all Fortify SSC application versions:
webbreaker fortify list

List Fortify SSC versions by application (case sensitive):
webbreaker fortify list --application WEBINSPECT

Upload to Fortify SSC with command-line authentication:
webbreaker fortify upload --fortify_user $FORT_USER --fortify_password $FORT_PASS --version important_site_auth

Upload to Fortify SSC with interactive authentication & application version configured with fortify.ini:
webbreaker fortify upload --version important_site_auth --scan_name auth_scan

Upload to Fortify SSC with application/project & version name:
webbreaker fortify upload --application my_other_app --version important_site_auth --scan_name auth_scan
WebBreaker Console Output
webbreaker webinspect scan --settings MyCustomWebInspectSetting --scan_policy Application --scan_name some_scan_name
 _       __     __    ____                  __            
| |     / /__  / /_  / __ )________  ____ _/ /_____  _____
| | /| / / _ \/ __ \/ __  / ___/ _ \/ __ `/ //_/ _ \/ ___/
| |/ |/ /  __/ /_/ / /_/ / /  /  __/ /_/ / ,< /  __/ /    
|__/|__/\___/_.___/_____/_/   \___/\__,_/_/|_|\___/_/     

Version 1.2.0

JIT Scheduler has selected endpoint https://some.webinspect.server.com:8083.
WebInspect scan launched on https://some.webinspect.server.com:8083 your scan id: ec72be39-a8fa-46b2-ba79-10adb52f8adb !!

Scan results file is available: some_scan_name.fpr
Scan has finished.
Webbreaker complete.
Source : kitploit

Friday, 6 October 2017

Imperva Incapsula’s Q2 Global DDoS Threat Landscape Report: The key findings


DDoS attacks still have the ability to strike fear into the hearts of security professionals and web server administrators everywhere. The flooding of a targeted system can be a logistical nightmare for organizations of all kinds, affecting normal business function massively.
This week Imperva Incapsula released their Q2 Global DDoS Threat Landscape Report, which gives the cybersecurity industry an opportunity to take stock and view the threat landscape in relation to DDoS: how it has changed, what types of attacks we’re seeing, and what types have slowed. Imperva analysed over 15,000 network and application layer DDoS attacks which their Imperva Incapsula services were able to mitigate. This gives them virtually unparalleled insight into the nature of DDoS in Q2 of 2017, and beyond.
The findings indicate that, for the fifth quarter in a row, the number of network layer assaults dropped, to 196 per week from 296 in the quarter before. There was also a recorded dip in application layer attacks, which fell to 973 per week from an all-time high of 1,099!
They also managed to spot the emergence of the ‘pulse wave attack’, which allows malicious actors to pin down multiple targets using alternating high-volume bursts; Incapsula referred to this as ‘the DDoS equivalent of hitting two birds with one stone’.
Of the trends observed in Q2 of this year, the persistence of application layer assaults has continued into its fifth quarter. 75.9% of targets had fallen victim to multiple attacks, the highest percentage of any quarter that Incapsula has recorded. Of these repeat DDoS victims, the US was the worst affected area geographically, with 37% of websites hit more than six times and 23% hit a staggering ten times or more.
Another point of geographical interest is the perceived rise in botnet activity out of Turkey, Ukraine and India. Over 3,000 attacking devices were recorded in Turkey, as well as 4,300 emerging from India and Ukraine, a 75% increase.
So the takeaway from this Q2 report is to remember that DDoS attacks are fluid, and the ways in which they happen are changing, but they are going nowhere.

Wednesday, 4 October 2017

New bitcoin transaction scam!


Payments made by mistake on your account are already known as scams.
In this case I received an email saying that someone sent me bitcoins to my address and should check my account.

0.54798743 BTC = 1.830 EUR ... well... I do not think it bothers such a mistake..

Let's start:
1.What does transmitel.com have to do with bitcoin transactions?
Transmite.com- Security systems - Barcelona Owned by TRANSMITEL S.L. 
2. Email was sent to 6 addresses, so 6 wrong transactions?

All the hyperlinks have a hidden secret.

See it? Blockchain.com has become Blockchlain.info!
So.. when you try to go to the blockchain page to log in.... you will do it on a different page.
Do not worry, the website is already closed!

The consequences are understandable.
If you log in, someone will be in possession of your data and possibly your account.


Have fun & Stay safe! 

MyEtherWallet Notification - Email scam


A new scam.
This time, the hacker tries to steal login data for the Ethereum wallet.
A site identical to the original was created with the intention of misleading users.


The email comes from an address that is unrelated to the website: markus.reichenau@t-online.de. It could just as well have appeared to come directly from myetherwallet.com.

Here you see the differences between the original and the fake websites.


And beyond that, the address difference is very clear!!! 

myetherwallet.com vs myethlerwallet.com


Have fun & Stay safe!!! 
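Both mails above share the same two tells: the link text shows the real domain while the href points somewhere else, and the real target is the genuine domain with one letter changed (blockchlain.info, myethlerwallet.com). The following is an added example, not code from this blog, that checks an HTML mail body for exactly those two things; the list of protected domains and the sample mail are constructed for the example, and the "registrable domain" helper is a deliberate simplification (last two labels) that a real filter would replace with a public-suffix list:

```python
"""Added example: flag lookalike domains and link text that hides its target."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains treated as legitimate (assumption for the example).
PROTECTED_DOMAINS = ["blockchain.info", "myetherwallet.com", "paypal.com"]

# Constructed phishing mail body modelled on the two posts: each link's visible
# text shows the real domain while the href points at a one-letter variant.
SAMPLE_MAIL = """<p>A payment of 0.54798743 BTC is waiting in your wallet.</p>
<a href="https://blockchlain.info/wallet/login">https://blockchain.info/wallet/login</a>
<a href="https://myethlerwallet.com/">myetherwallet.com</a>
<a href="https://support.example.net/help">Contact support</a>"""


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Naive eTLD+1: the last two labels. Wrong for co.uk-style suffixes."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def host_in(text):
    """Host named by a link's visible text, if that text looks like a URL or domain."""
    text = text.strip()
    if " " in text or "." not in text:
        return None
    parsed = urlparse(text if "//" in text else "//" + text)
    return parsed.hostname


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None


def analyse_links(html, protected=PROTECTED_DOMAINS, max_distance=2):
    """Return ('mismatch', shown_domain, real_domain) and
    ('lookalike', real_domain, protected_domain, distance) findings."""
    extractor = LinkExtractor()
    extractor.feed(html)
    extractor.close()
    findings = []
    for href, text in extractor.links:
        real = registrable(urlparse(href).hostname or "")
        shown = host_in(text)
        # tell 1: the text names one domain, the href goes to another
        if shown and registrable(shown) != real:
            findings.append(("mismatch", registrable(shown), real))
        # tell 2: the real domain is a near miss of one we protect
        for good in protected:
            distance = levenshtein(real, good)
            if 0 < distance <= max_distance:
                findings.append(("lookalike", real, good, distance))
    return findings


if __name__ == "__main__":
    for finding in analyse_links(SAMPLE_MAIL):
        print(finding)
```

A distance of 1 or 2 against a protected domain is the cheap check; the mismatch between what the link shows and where it goes is the one that catches mails whose fake domain is not a near miss at all.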

Fake Paypal – Scam

Here we have the old story…. an email that says you got some money from someone… you click the link and the scam starts!!!
Email: secure@@help-report.net
Host: h–ps://www.check-your-account.systems/
All the logs are going to pyplresult@@gmail.com


So… open your eyes and do not be a scam victim!!!

Source : Cyber security news & tools

Hunting Paypal Scammer – Busted 100%

Here’s a new piece of software that promises to increase your revenue.
The point is you do not have to believe in miracles.
Everything looks good, but if you try to log in to your Paypal account, the data will be sent without you realizing it.
The data is sent to the email of the person who posted it, and you have every chance of losing even the little money you have in your account.

Today I will try to find the ”hacker” for you!
[Screenshots: Paypal doubler scam]
To have time for account changes, it will ask you to wait 72 hours for the payment.
Once you’ve added your data, the software logs in to a google account and sends the data.
Because of Google’s security, I cannot log in, because Google does not recognize my device.
I have to admit that I have pressed several times to call and send a message to the number attached to the account.
I hope I’ve stressed him a little!

If we want to catch the hacker, we just need to send an email identical to the one that comes from Google, where we can attach what we already have:

  • Email  – ***sans@gmail.com
  • Phone number – (…) …_.. 02
  • Password – Nofreewifihere2468
Search on Google and you will find something like this:
***hacker911@gmail.com:Nofreewifihere2468::Pandora
Somewhere I’ve found that his name is Saif.. ok.
Look who gives a nice comment on the YouTube video:

  • Studied at Dr. Phillips High School
  • Lives in Ocoee, Florida

Mission completed!

Have Fun & Stay Safe!