Feed aggregator

Infocon: green

SANS Internet Storm Center, InfoCON: green - Fri, 2017/06/23 - 23:47
Fake DDoS Extortions Continue. Please Forward Us Any Threats You Have Received.
Categories: Security Posts

Obama reportedly ordered implants to be deployed in key Russian networks

ArsTechnica: Security Content - Fri, 2017/06/23 - 22:51
(Image credit: Wikimedia Commons/Maria Joner) In his final days as the 44th president of the United States, Barack Obama authorized a covert hacking operation to implant attack code in sensitive Russian networks. The revelation came in an 8,000-word article The Washington Post published Friday that recounted a secret struggle to punish the Kremlin for tampering with the 2016 election. According to Friday's article, the move came some four months after a top-secret Central Intelligence Agency report detailed Russian President Vladimir Putin's direct involvement in a hacking campaign aimed at disrupting or discrediting the presidential race. Friday's report also said that intelligence captured Putin's specific objective that the operation defeat or at least damage Democratic candidate Hillary Clinton and help her Republican rival Donald Trump. The Washington Post said its reports were based on accounts provided by more than three dozen current and former US officials in senior positions in government, most of whom spoke on the condition of anonymity. In the months that followed the August CIA report, 17 intelligence agencies confirmed with high confidence the Russian interference. After months of discussions with various advisors, Obama enacted a series of responses, including shutting down two Russian compounds, sanctioning nine Russian entities and individuals, and expelling 35 Russian diplomats from the US. All of those measures have been known for months. The Post, citing unnamed US officials, said Obama also authorized a covert hacking program that involved the National Security Agency, the CIA, and the US Cyber Command. According to Friday's report:
Categories: Security Posts

TheFatRat – Massive Exploitation Tool

Darknet - The Darkside - Fri, 2017/06/23 - 22:32
TheFatRat is an easy-to-use exploitation tool that can help you generate backdoors and post-exploitation attacks such as browser-attack DLL files. This tool compiles malware with popular payloads, and the compiled malware can then be executed on Windows, Linux, Mac OS X and Android. The malware that is created with this tool also has […] The...

Read the full post at darknet.org.uk
Categories: Security Posts

Room362.com - Fri, 2017/06/23 - 21:48
Mubix “Rob” Fuller Rob has over 11 years of experience covering all facets of information security. He has been behind the lines helping to design, build, and defend the US Marine Corps, US Senate, and Pentagon networks - as well as performing penetration tests and Red Team assessments against those same networks. More recently, Rob has performed numerous successful Red Team assessments against commercial Fortune 50 companies representing some of the best defensive teams in the industry.
Categories: Security Posts

Reset AD user password with Linux

Room362.com - Fri, 2017/06/23 - 14:35
[Image: how to allow users to reset user passwords] Disclaimer: If you are here because you are a helpdesk person, this is a pentest blog, so it's coming from the mindset of a pentester, but this could just as easily be used for legitimate purposes. There are a great many things you can do with rpcclient; for examples outside of this blog post, see these posts by Chris Gates:
Categories: Security Posts

Check Point says Fireball malware hit 250 million; Microsoft says no

ArsTechnica: Security Content - Fri, 2017/06/23 - 14:00
(Image credit: Corinne Kuhlmann) Microsoft sparked a curious squabble over malware discovery and infection rates. At the start of the month security firm Check Point reported on a browser hijacker and malware downloader called Fireball. The firm claimed that it had recently discovered the Chinese malware and that it had infected some 250 million systems. Today, Microsoft said no. Redmond claimed that, far from being a recent discovery, it had been tracking Fireball since 2015 and that the number of infected systems was far lower (though still substantial) at perhaps 40 million. The two companies do agree on some details. They say that the Fireball hijacker/downloader is spread by being bundled with programs that users are installing deliberately. Microsoft further adds that these installations are often media and apps of "dubious origin" such as pirated software and keygens. Check Point says that the software was developed by a Chinese digital marketing firm named Rafotech and fingers similar installation vectors; it piggybacks on (legitimate) Rafotech software and may also be spread through spam, other malware, and other (non-Rafotech) freeware.
Categories: Security Posts

Fake DDoS Extortions Continue. Please Forward Us Any Threats You Have Received., (Fri, Jun 23rd)

SANS Internet Storm Center, InfoCON: green - Fri, 2017/06/23 - 13:24
We do continue to receive reports about DDoS extortion e-mail. These e-mails are essentially spammed to the owners of domains based on whois records. They claim to originate from well-known hacker groups like Anonymous who have been known to launch DDoS attacks in the past. These e-mails essentially use the notoriety of the group's name to make the threat sound more plausible. But there is no evidence that these threats originate from these groups, and so far we have not seen a single case of a DDoS being launched after a victim received these e-mails. So no reason to pay :) Here is an example of an e-mail (I anonymized some of the details like the bitcoin address and the domain name):

We are Anonymous hackers group.
Your site [domain name] will be DDoS-ed starting in 24 hours if you dont pay only 0.05 Bitcoins @ [bit coin address]
Users will not be able to access sites host with you at all.
If you dont pay in next 24 hours, attack will start, your service going down permanently. Price to stop will increase to 1 BTC and will go up 1 BTC for every day of attack.
If you report this to media and try to get some free publicity by using our name, instead of paying, attack will start permanently and will last for a long time.
This is not a joke.
Our attacks are extremely powerful - over 1 Tbps per second. No cheap protection will help.
Prevent it all with just 0.05 BTC @ [bitcoin address]
Do not reply, we will not read. Pay and we will know its you. AND YOU WILL NEVER AGAIN HEAR FROM US!
Bitcoin is anonymous, nobody will ever know you cooperated.

This particular e-mail was rather cheap. Other e-mails asked for up to 10 BTC. There is absolutely no reason to pay any of these ransoms. But if you receive an e-mail like this, there are a couple of things you can do:
  • Verify your DDoS plan: Do you have an agreement with an anti-DDoS provider? A contact at your ISP? Make sure everything is set up and working right.
  • We have seen these threats being issued against domains that are not in use. If this is the case, it may be best to remove DNS for the domain, so your network will not be affected.
  • Attackers often run short tests before launching a DDoS attack. Can you see any evidence of that? A brief, unexplained traffic spike? If so, take a closer look; detecting an actual test makes the threat more serious. The purpose of the test is often to assess the firepower needed to DDoS your network.
And please forward any e-mails like this to us. It would be nice to get a few more samples to look for any patterns. Like I said above, this isn't new, but people appear to still pay up to these fake threats.
---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security Posts

Brutal Kangaroo and USB infection of isolated machines

Un informático en el lado del mal - Fri, 2017/06/23 - 09:14
Techniques for infecting machines and distributing malware using USB drives are nothing new. They were known before, but they made headlines worldwide with the Stuxnet cyberweapon - popularly attributed to the NSA - which, in a few words, was malware specifically created to spread via USB drives until it reached some very specific machines at a uranium enrichment plant in Iran.
Figure 1: Brutal Kangaroo and USB infection of isolated machines
Since then, exploits and payloads for infecting a machine from a USB drive and, conversely, infecting a USB drive from a machine have kept appearing over time: from payloads that copy all the data on a connected USB drive and send it to the cloud, to exploits that execute arbitrary code on the server by means of 0-days that have been discovered along the way.
Figure 2: USB Dumping for OS X
This is a topic I personally like a lot, since USB drives draw a Hidden Network inside an organization that can be used to exfiltrate data or to infect machines through a pollination-like process. If you have the map of the Hidden Network created by USB drives in your organization, you can probably find out which drives are responsible for the latest security alerts in your anti-malware systems, or where a piece of malicious software entered your organization.
Figure 3: Bug CVE-2017-8484 in .LNK files
As I said before, since Stuxnet everyone has paid close attention to these infection techniques, and the 0-days and payloads have been developed over time. Above all because, on so-called Air-Gapped machines, that is, machines completely disconnected from any network, there are always two jobs to do. First, reach the machine and infect it in order to run malicious code and get to the data or the control system that server protects; and second, get the information out or connect remotely to a remote control panel.
Vault7's Brutal Kangaroo

For the second job, studies have been appearing in recent times, and everything from radio-frequency systems to the temperature of nearby machines has been used to achieve that communication between malware installed on an Air-Gapped (isolated) server and the attacker's control panel. However, using the USB channel itself also seems a very fast channel, and that is what the CIA appears to have been using.
Figure 4: Brutal Kangaroo leaks

The tool published by Wikileaks as part of the Vault7 leaks is called Brutal Kangaroo, and it is, as can be seen, a program that allows software to be implanted on an isolated server in order to infect any USB drive connected to it. Brutal Kangaroo is not designed to infect the isolated server, but to stay resident on it and infect every USB drive that gets connected. Of course, the capabilities of this malicious software could also be installed by means of a USB drive.

Figure 5: Brutal Kangaroo Configuration Tool
Once the isolated server is infected - the documentation calls it "Emotional Simian" - several Windows 0-days, which today are closed by Microsoft in all its supported versions (note the word: supported), are used to infect the USB drives. The list of exploits is not very long, but it included the .LNK file 0-day that Microsoft revisited again two days ago, and EzCheese, which has support for different versions. In the image you can see how the creator of the instance can choose its target correctly.
Figure 6: EZsurvey for configuring EzCheese payloads
It is more than 150 pages of documentation which, for researchers, will open up a good few hours of analysis to better understand how the cyberespionage tools that take advantage of the 0-days and payloads being discovered actually work.
Saludos Malignos!
Categories: Security Posts

ISC Stormcast For Friday, June 23rd 2017 https://isc.sans.edu/podcastdetail.html?id=5556, (Fri, Jun 23rd)

SANS Internet Storm Center, InfoCON: green - Fri, 2017/06/23 - 03:35
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security Posts

How the CIA infects air-gapped networks

ArsTechnica: Security Content - Fri, 2017/06/23 - 01:55
[Image: A configuration screen found in the Drifting Deadline exploit (credit: WikiLeaks)] Documents published Thursday purport to show how the Central Intelligence Agency has used USB drives to infiltrate computers so sensitive they are severed from the Internet to prevent them from being infected. More than 150 pages of materials published by WikiLeaks describe a platform code-named Brutal Kangaroo that includes a sprawling collection of components to target computers and networks that aren't connected to the Internet. Drifting Deadline was a tool that was installed on computers of interest. It, in turn, would infect any USB drive that was connected. When the drive was later plugged into air-gapped machines, the drive would infect them with one or more pieces of malware suited to the mission at hand. A Microsoft representative said none of the exploits described work on supported versions of Windows. The infected USB drives were at least sometimes able to infect computers even when users didn't open any files. The so-called EZCheese exploit, which was neutralized by a patch Microsoft appears to have released in 2015, worked any time a malicious file icon was displayed by the Windows explorer. A later exploit known as Lachesis used the Windows autorun feature to infect computers running Windows 7. Lachesis didn't require Explorer to display any icons, but the drive letter the thumbdrive was mounted on had to be included in a malicious link. The RiverJack exploit, meanwhile, used the Windows library-ms function to infect computers running Windows 7, 8, and 8.1. RiverJack worked only when a library junction was viewed in Explorer.
Categories: Security Posts

News about the x64 edition

Hex blog - Wed, 2017/06/14 - 17:04
Sorry for the long silence since IDA v6.95; we were all incredibly busy with the transition to the 64-bit version. We are happy to say now that we are close to the finish line and will announce the beta test soon. The transition to x64 itself was not that hard. We have been compiling IDA in …
Categories: Security Posts

Join Fortinet at HPE Discover 2017!

Fortinet FortiGuard Blog - Mon, 2017/06/05 - 17:22
Fortinet is a Gold sponsor at Discover 2017, and will showcase several important security innovations to help you stay ahead of cyber threats. Join Fortinet at booth 231 while you’re at Discover 2017 to see a demo of the Fortinet Security Fabric in action! We’ll also have technical experts on hand to discuss any security needs you ma A key focus area for many attendees will be cybersecurity, given the challenges they face from today’s sophisticated and rapidly evolving threats. The isolated, proprietary security devices most organizations...
Categories: Security Posts

Governmental Entities Bringing Financial Cybersecurity to Center Stage

Fortinet FortiGuard Blog - Mon, 2017/06/05 - 17:20
By now, it’s no secret that cybercriminals have targeted, and continue to target, the financial services industry with advanced attacks that are designed to steal or otherwise jeopardize valuable data. As a result, many organizations have taken at least some initial steps to better secure their networks and the information that lives within them. In fact, according to Duff & Phelps’ “Global Regulatory Outlook,” 86 percent of professionals in the financial services industry say their companies have plans to put more...
Categories: Security Posts

An Inside Look at CVE-2017-0199 – HTA and Scriptlet File Handler Vulnerability

Fortinet FortiGuard Blog - Mon, 2017/06/05 - 03:52
FortiGuard Labs recently came across a new strain of samples exploiting the CVE-2017-0199 vulnerability. This vulnerability was fixed by Microsoft, and the patch was released in April 2017. Due to its simplicity, it can be easily exploited by attackers. It has also been found in the wild by other vendors. We have also blogged about some samples recently found in a spear phishing attack. While there are plenty of articles discussing this vulnerability, most of them are intended for technical readers and primarily focus on how to create proof-of-concept...
Categories: Security Posts

Support my videos on Patreon!

Niels Provos - Sun, 2017/05/28 - 01:18

Add your support on Patreon to help me create more videos. Your support will help with materials, rent as well as other equipment, e.g. cameras, lights, software, etc. It is not required but appreciated. Due to time constraints I can make no promises on how often I will be able to publish new videos but my plan is to continue producing videos as long as people find them interesting.
Categories: Security Posts

LaCon2k16 Call For Pulpos

48Bits Blog - Fri, 2016/07/15 - 10:54
We are proud to present the call for papers for LaCon 2016! Get your papers in now. We are accepting short talks of 30 min and long talks of ~1 h. [when] the conf will be held from the 23rd to the 25th of Sept 2016 [where] undisclosed location [who] a bunch of crazy bastards [topics] topics include:
  • h/p/v/c/e …
  • satellites, antennas and radioactive crap
  • cryptocurrencies
  • human powered vehicles
  • knitting
  • radare2
  • cats
  • cyborgs
  • 8===========D
[submit] submit your talk proposals to lacon2k16.org@lists.48bits.com [gpgkey] gpg --keyserver pgp.mit.edu --recv-key 0BC0E27E
Categories: Security Posts

A Scheme to Encrypt the Entire Web Is Actually Working

Wired: Threat Level - Thu, 2016/04/14 - 13:00
The non-profit certificate authority Let's Encrypt is enabling a sea change toward HTTPS encryption online.

Categories: Security Posts

Matthew Keys Sentenced to Two Years for Aiding Anonymous

Wired: Threat Level - Wed, 2016/04/13 - 23:30
The former Tribune Company employee was convicted of giving Anonymous information that helped hackers access an LA Times server and alter a headline.

Categories: Security Posts

Hacker Lexicon: What Are White Hat, Gray Hat, and Black Hat Hackers?

Wired: Threat Level - Wed, 2016/04/13 - 23:03
Here's how to distinguish the colors of the hacker rainbow.

Categories: Security Posts