Showing results for tags 'hacking'.

Found 90 results

  1. The accounts of Eamonn Holmes and Louis Theroux were among those hacked

     An online hacking security agency has “hijacked” multiple Twitter accounts in an effort to make a point regarding online security issues. On Thursday, the message “This account has been temporarily hijacked by Insinia Security” appeared on the Twitter accounts of a “number of celebrities” including Eamonn Holmes and Louis Theroux. The tweet also appeared on the Twitter feed of The Independent's travel correspondent Simon Calder.

     According to a post on Medium by Insinia Security, which explains the hijacking, it was done to highlight the security dangers of having a phone number associated with a Twitter account. Mike Godfrey, the CEO of Insinia Security, confirmed to The Independent the reason behind the hacking, explaining: “Insinia have warned for years that using text messaging for authentication, interaction or security is totally unacceptable and leaves people vulnerable to attack.

     “This issue was highlighted to Twitter in 2007, again in 2009, again in 2011 and almost every year since. Quite simply, Twitter doesn’t listen. The campaign today was to highlight these vulnerabilities, how serious they can be and how someone with a relatively low skill set and a range of tools can control social media that people use to control their brands, career, image and much more. People have a right to know the truth about the state of insecurity that huge companies like Twitter leave innocent users in.”

     And, according to Godfrey, hijacking the accounts was easy: “In this case, it was a simple task of ‘spoofing’ the Twitter user's MSISDN (mobile phone number) and sending texts that appeared to be from their phone to Twitter, which will automatically accept commands provided it believes that the text has come from the user's phone number, which it did,” he told us.

     While Godfrey would not disclose “how these numbers were obtained,” he did say the entire attack “took less than 10 minutes to carry out and complete.”

     On Medium, the depth of the hijacking was further explained, along with the dangers this lack of security poses. “We used this method to successfully control the target's Twitter account, allowing us to send DMs, retweet and like tweets, follow and unfollow people and much more,” the post reads. According to Insinia Security, this flaw in security could lead to potential risks such as the spread of offensive or extremist material and the spread of fake news.

     To protect oneself, Godfrey told us the best way is to use a “separate number for TFA (two-factor authentication) on Twitter.” “People must understand that even someone having your phone number puts you at risk,” he continued. “We shouldn’t be so relaxed with who we give our numbers to and Twitter certainly shouldn’t be allowing people to tweet and control accounts by sending texts with no authentication.”

     Source
  2. When a government body creates a self-service payment system for paying for everything from utility bills to permits and fines, you would expect convenience to be tied to adequate security for financial data. Not necessarily so in the case of Click2Gov, a payment portal system used by many US cities, both small and large.

     Click2Gov was developed by Central Square, formerly known as Superion. It was rumored last year that the local government portal service may have been subject to a data breach. In September this year, cybersecurity firm FireEye confirmed that a security incident had taken place, in which threat actors had planted never-before-seen malware to scrape payment card details from US citizens. It was suggested that the new malware strains, Firealarm and Spotlight, were able to parse logs for payment card data and extract payment details.

     Security research firm Gemini Advisory has now released a report examining the after-effects of the attack, in which it is believed 294,929 payment records have been compromised across at least 46 cities in the US, as well as one in Canada. The findings suggest that less than 50 percent of cities which have lost customer data either know of or have publicly disclosed data breaches occurring at their sites. On Tuesday, the company said that by selling this information on the Dark Web, the threat actors have earned themselves at least $1.7 million.

     In the meantime, Central Square is still trying to work out how the attacks took place -- and potentially portals are still at risk. The company did deploy a patch in June to resolve the original vulnerabilities the hackers used to infiltrate Click2Gov, but told Gemini Advisory that "the system remains vulnerable for an unknown reason." However, the firm added that the affected systems were all locally hosted, while the cloud-based Click2Gov software was not affected. It seems, then, that local systems have security issues which are yet to be addressed.

     Saint Petersburg, Florida, Bakersfield, California, and Ames, Iowa, have all reported utility payment portal data breaches in the last three months. Payment data from these portals have been found for sale in the web's underbelly. "In our analysis of all 20 reported instances of the Click2Gov breaches, we have definitively confirmed that, in total, at least 111,860 payment cards were compromised," Gemini Advisory says. "Also, in each instance, the stolen payment cards were uploaded for sale either during the breach or immediately after the breach was identified and reported, with the average price of $10 per card."

     Two hackers have been tracked through their wares, and the cybersecurity firm believes both are likely part of the criminal ring which conducted the widespread attacks. Gemini Advisory's Director of Research, Stas Alforov, told Fortune that Click2Gov is working with local authorities to resolve the security issues which still exist, and that the data theft is due in part to "a lack of sophistication on the part of municipal IT workers."

     Source
  3. An Australian teenager has pled guilty to hacking Apple’s system multiple times in a span of several months, but will not be going to jail. He said he did it because he’s just a huge Apple fanboy.

     Melbourne news outlet the Age reported that Apple had alerted the FBI after the company detected a breach. Then authorities notified the Australian Federal Police, which raided the teen’s home. There, agents found 90Gb of sensitive files in a folder titled “hacky hack hack.” A magistrate told the court that the teen (not named for legal reasons) exploited a VPN intended for remote connection, according to Bloomberg. Apple reportedly blocked his access in November 2016, but he regained access last year.

     Apple did not immediately respond to a Gizmodo request for comment, but in a statement to Bloomberg Apple said that customers’ personal data was not compromised.

     The teen’s lawyer said at the boy’s appearance at Children’s Court in August that he hacked Apple “because he was such a fan” of the company, according to the Age. Bloomberg reports the teen told police that he breached Apple’s systems, in part, because he enjoyed “just being in the corporation pretending you were employees,” and the activity was apparently addictive.

     According to Bloomberg, the magistrate told the court that the teenager had shown remorse and had cooperated with law enforcement, and would only be given an eight-month probation instead of jail time. “Your offending is serious,” the magistrate said to the teen, according to Bloomberg. “It was sustained, sophisticated, and a successful attack on the security of a major multinational corporation.”

     The teen was 16 when he first accessed Apple’s system. According to the Age, he is now 19 and has been accepted at a university where he plans on studying criminology and cyber security.

     Source
  4. A Romanian woman, Eveline Cismaru, 28, pled guilty to federal charges for illegally gaining access to more than 126 computers that connected to surveillance cameras installed and used by the Metropolitan Police Department (MPD) and infecting them with ransomware.

     She pled guilty before the Honorable Dabney L. Friedrich to one count of conspiracy to commit wire fraud and one count of conspiracy to commit computer fraud, which carry statutory maximums of 20 years and five years in prison. Cismaru agreed to cooperate fully in the investigation and is to be sentenced on Dec. 3, 2018.

     Investigators arrested Cismaru and a co-defendant, Mihai Alexandru Isvanca, 25, in Romania. Cismaru was extradited to the United States on July 26, 2018, and Isvanca is pending extradition to the United States.

     “According to the government’s evidence, beginning in early January 2017, and continuing through Jan. 12, 2017, a computer hacking attack on the MPD computer network disabled two-thirds of the outdoor surveillance cameras operated by MPD in the District of Columbia, just days before the 2017 Presidential Inauguration,” reads the Department of Justice press release.

     Investigators also spotted that the conspirators were in the process of attacking as many as 179,616 other computers using stolen e-mails, e-mail passwords, and banking credentials.

     The ransomware attack took place in 2017 just before the day of the Presidential Inauguration, and due to the rapid response by investigators and MPD’s Chief Technology Office, the overall security of the 2017 Inauguration was not impacted by this event.

     Source
  5. The internet and technology have become a way of life for us all. From cars to homes, we depend on technology. While it serves as a relief to us, there are always drawbacks to it. In the case of the internet, the risks involve hacking. In the past few months, we have seen cryptocurrency hacks, data hacks, bank hacks, phone hacks, social media hacks and whatnot. Keeping that in mind, researchers have invented a black box chip that makes it difficult for hackers to hack into a system. There was a need to come up with a working solution to prevent hacking, and this black box seems to be the answer to it.

     What Is The Black Box Chip?

     It’s a memory chip that makes the entire system complex so that hackers can’t clone the system. A circuit that is made up of black box chips (memory resistors) makes it hard to predict the voltage outputs of a system. This makes it nearly impossible to clone a system or create nodes in a network to attack it. Hence, this chip can help prevent hacking.

     Who Invented It?

     An electrical and computer engineering professor at the University of California, Dmitri Strukov, is working on this technology and it will soon be available commercially to prevent hacking.

     The Bottom Line

     While the technology is still in its testing stage, there finally looks to be hope to prevent hacking in the future.

     < Here >
  6. Is it allowed under the site terms and conditions to talk about learning and preventing hacking?
  7. ATM makers warn of 'jackpotting' hacks on U.S. machines

     (Reuters) - Diebold Nixdorf Inc and NCR Corp, two of the world’s largest ATM makers, have warned that cyber criminals are targeting U.S. cash machines with tools that force them to spit out cash in hacking schemes known as “jackpotting.”

     The two ATM makers did not identify any victims or say how much money had been lost. Jackpotting has been rising worldwide in recent years, though it is unclear how much cash has been stolen because victims and police often do not disclose details.

     The attacks were reported earlier on Saturday by the security news website Krebs on Security, which said they had begun last year in Mexico. The companies confirmed to Reuters on Saturday they had sent out the alerts to clients.

     NCR said in a Friday alert that the cases were the first confirmed “jackpotting” losses in the United States. It said its equipment had not been targeted in the recent attacks, but that it was still a concern for the entire ATM industry. “This should be treated by all ATM deployers as a call to action to take appropriate steps to protect their ATMs against these forms of attack,” the alert said.

     Diebold Nixdorf said in a separate Friday alert that U.S. authorities had warned the company that hackers were targeting one of its ATM models, known as Opteva, which went out of production several years ago.

     A confidential U.S. Secret Service alert sent to banks said the hackers targeted stand-alone ATMs typically located in pharmacies, big box retailers and drive-thru ATMs, Krebs on Security reported.

     Diebold Nixdorf’s alert described steps that criminals had used to compromise ATMs. They include gaining physical access, replacing the hard drive and using an industrial endoscope to depress an internal button required to reset the device.

     Reuters was unable to obtain a copy of the Secret Service report and an agency representative declined comment. Officials with the Federal Bureau of Investigation could not immediately be reached.

     Russian cyber security firm Group IB has reported that cyber criminals remotely attacked cash machines in more than a dozen countries across Europe in 2016. Similar attacks were also reported that year in Thailand and Taiwan.

     Source
  8. JenX Botnet Has Grand Theft Auto Hook

     Researchers at Radware have discovered a new botnet that uses vulnerabilities linked with the Satori botnet and is leveraging the Grand Theft Auto videogame community to infect IoT devices. Satori is a derivative of Mirai, the notorious botnet that in 2016 infamously managed to take down Dyn, a DNS hosting provider that supports some of the world’s largest websites. The vulnerabilities in question are CVE-2014-8361 and CVE-2017-17215, which affect certain Huawei and Realtek routers, Radware researcher Pascal Geenens said in a blog post.

     Radware’s inquiry into the botnet led it to a command-and-control server hosted at the site San Calvicie, which offers not only multiplayer mod support for Grand Theft Auto: San Andreas, but also DDoS attacks for a fee. Enthusiasts of the venerable videogame series, which places players in an immersive 3-D world of violence and vicarious thrills, have created an extensive universe of add-on features and tweaks, or “mods,” in the name of enriching and extending their experience. Sites such as San Calvicie cater to GTA gamers who want to host their own custom versions of GTA for multiplayer action.

     “The Corriente Divina (‘divine stream’) option is described as ‘God’s wrath will be employed against the IP that you provide us,’” Geenens wrote of the site’s DDoS offering. “It provides a DDoS service with a guaranteed bandwidth of 90-100 Gbps and attack vectors including Valve Source Engine Query and 32 bytes floods, TS3 scripts and a ‘Down OVH’ option which most probably refers to attacks targeting the hosting service of OVH, a cloud hosting provider that also was a victim of the original Mirai attacks back in September 2016. OVH is well known for hosting multi-player gaming servers such as Minecraft, which was the target of the Mirai attacks at the time.”

     Shortly after Geenens made his initial discovery, he returned to the site and found that the terms of engagement had changed. Now the listing included a reference to “bots,” and offered a DDoS volume of between 290 and 300 Gbps, for the same low price of $20 a pop.

     While derived from established code, the San Calvicie-hosted botnet, which Geenens has dubbed “JenX”, is deployed in a different manner than its predecessors. “Untypical for IoT botnets we have witnessed in the past year, this botnet uses servers to perform the scanning and the exploits,” he wrote. “Nearly all botnets, including Mirai, Hajime, Persirai, Reaper, Satori and Masuta perform distributed scanning and exploiting. That is, each victim that is infected with the malware will perform its own search for new victims. This distributed scanning provides for an exponential growth of the botnet, but comes at the price of flexibility and sophistication of the malware itself.” The centralized approach employed by JenX trades slower growth for lower detection, he added.

     The danger from JenX should be mostly confined to GTA San Andreas users, Geenens said, but with a stern caveat. “[T]here is nothing that stops one from using the cheap $20 per target service to perform 290 Gbps attacks on business targets and even government related targets,” he wrote. “I cannot believe the San Calvicie group would oppose it.”

     Radware filed abuse notifications related to JenX, resulting in a partial takedown of the botnet’s server footprint, but it remains active. JenX’s implementation makes taking it down a tricky task. “As they opted for a central scan and exploit paradigm, the hackers can easily move their exploit operations to bulletproof hosting providers who provide anonymous VPS and dedicated servers from offshore zones,” he wrote. “These providers do not care about abuse. Some are even providing hosting services from the Darknet. If the exploit servers were moved to the Darknet, it would make it much more difficult to track down the servers’ location and take them down.”

     SOURCE
  9. When you think of a standard hacker toolkit, software vulnerabilities and malware come to mind. But a pair of researchers are testing a different type of instrument: a physical tool that can break into devices with a wave of your hand.

     At the recent REcon computer security conference, Red Balloon Security founder Ang Cui and research scientist Rick Housley presented a new approach to hacking a processor that uses electromagnetic pulses to produce specific glitches in hardware. By disrupting normal activity at precise intervals, the technique can defeat the Secure Boot protection that keeps processors from running untrusted code.

     Researchers have experimented with “fault injection attacks”—hacks that cause a strategic glitch, which in turn triggers abnormal, exploitable computer behavior—for decades. Those attacks, though, typically require physical access to a target's components. “The advantage of this technique is that it’s physically noninvasive. You don’t have to touch the device, and you don’t leave any physical marks behind,” Cui says. “There’s no exchange of data at the electromagnetic pulse stage, so this would never be caught by a firewall.”

     Insecure Boot

     Red Balloon specializes in internet-of-things intrusion defense; think of it as antivirus software for IoT. But the company has run into problems putting its security tool on IoT devices guarded by Secure Boot. Red Balloon's products don't undermine this safeguard; the company works with vendors to make its software compatible. But the dilemma got Cui and Housley interested in the theoretical question of whether a fault-injection attack could circumvent Secure Boot on locked-down IoT devices. They started experimenting with the Cisco 8861 VoIP phone model that they had tried and failed to equip with their security product. (Cui also has a history of hacking Cisco phones.)

     The two found that if they poked the phone’s flash memory with a charged wire at the right moment while it booted up, they could cause a glitch that stopped the boot process. Instead, the phone surfaced access to a command-line interface that Cisco normally uses for debugging. Consumers are never supposed to see it. Cui and Housley also found vulnerabilities in the TrustZone security scheme of the phone's processor that allowed them to write code on processor memory that was supposed to be protected. (They disclosed these bugs to Cisco in April 2016.) Once they had access to the troubleshooting portal during boot, the researchers could load and execute their own code in a secure part of the processor to override Secure Boot.

     Invisible Touch

     All of which makes for a complicated hack, and one that requires cracking a phone open when you have a charged wire handy. But Cui and Housley wanted to take the attack a step farther, and realized that a well-timed EMP blast could trigger the same fault. They could execute the whole hack without needing to tamper with the components of the phone. Lab-grade EM pulsing equipment costs hundreds of thousands of dollars, so instead the researchers built their own system for about $350 using a 3-D printer and readily available components. They plan to release open source schematics of the setup so other researchers can use it too.

     Eventually, Cui and Housley worked out that delivering a 300 volt pulse to the phone's RAM 4.62 seconds into startup reliably created the glitch they wanted. With access to the debugging portal, they could use the phone’s console port—an auxiliary port on the back of the phone—to load in and run their Secure Boot override protocol within five seconds. "The attack’s principle is clever," says Jean-Max Dutertre, a hardware security researcher at École Nationale Supérieure des Mines de Saint-Étienne in France. "Finding a way to bypass timing and spatial resolution issues is always highly effective."

     The system can currently deliver the pulse from 3 millimeters away from the phone, so while the hack doesn't require physical contact, it does need proximity. Still, an attacker could cause the crucial fault by, say, waving their hand over the device while holding a tiny electromagnetic pulse generator—a subtler action than opening up the phone and sticking a wire into it. “With any hardware attack you need to be physically present, so that’s already a huge barrier,” says Jasper van Woudenberg, the chief technology officer of Riscure North America, a firm that tests hardware and software security. “But this is a nice proof of concept to show that if you don’t take care of these attacks, they could actually happen.”

     Who's Down With EMP

     What makes the attack so challenging is, in part, the Broadcom multicore 1GHz ARM processor it targets. Modern processors pack transistors in densely and have high clock speeds, making it difficult to discharge EM pulses quickly and accurately enough to impact one specific process on a chip without collateral damage. But by thinking of the interconnected components in a device (like the processor, flash memory, and RAM) as a network of computers in and of themselves, researchers can create fault injection strategies that are more like network hacking—attacking a system's weakest point to compromise the real target, in this case the powerful processor. “We wanted to look at the second-order effects of an electromagnetic pulse, as it affects not just a single machine but a complex network of interdependent components,” Cui says. “So that allows us to sidestep the traditional electromagnetic fault injection limitations, and use electromagnetic pulses to predictably change the way computers compute.”

     As electromagnetic fault injection hacking becomes more robust, it will in turn become more important to protect components from physical, noninvasive hacks. Some ultrasecure devices already include such defenses, because further refinement would put not only IoT devices at risk but also full-service computers. "This kind of attack could be devastating because it is relatively easy to perform," Dutertre says. And while Cui and Housley's research exists strictly as a proof of concept, they caution that other groups may have capabilities that far exceed academia's. “We don’t think we’re the farthest along in this research,” Cui says. “We’ve been doing this on our off time as a side project. If somebody wanted to put significant resource into this, they would certainly be ahead of us."

     < Here >
  10. Even if a vape pen seems like it's simply charging, it could actually be compromising your computer, security researchers warn.

      Security researchers have demonstrated how e-cigarettes can easily be modified into tools to hack computers. With only minor modifications, the vape pen can be used by attackers to compromise the computers they are connected to - even if it seems just like they are charging.

      Giving a presentation at BSides London, Ross Bevington showed how an e-cigarette could be used to attack a computer by fooling the computer into believing it was a keyboard or by tampering with its network traffic. While Mr Bevington's particular form of attack required the victim's machine to be unlocked, that was not the case for all attacks. "PoisonTap is a very similar style of attack that will even work on locked machines," Mr Bevington told Sky News.

      Another hacker and researcher known as Fouroctets published a proof-of-concept video which showed arbitrary commands being entered into his unlocked laptop just after plugging in a vape pen to charge. Speaking to Sky News, Fouroctets said he had modified the vape pen by simply adding a hardware chip which allowed the device to communicate with the laptop as if it were a keyboard or mouse. A pre-written script that was saved on the vape made Windows open up the Notepad application and typed "Do you even vape bro!!!!" The script could have been modified to do something much more malicious, however. Fouroctets showed Sky News how, using less than 20 lines of code, the computer could be made to download an arbitrary and potentially dangerous file and run it.

      While e-cigarettes could be used to deliver malicious payloads to machines, there is usually very little space available on them to host this code. "This puts limitations on how elaborate a real attack could be made," said Mr Bevington. "The WannaCry malware for instance was 4-5MB, hundreds of times larger than the space on an e-cigarette. That being said, using something like an e-cigarette to download something larger from the Internet would be possible."

      The best way to protect against these kinds of attacks is to ensure that your machine has updated its security patches, said Mr Bevington, and to "have a good password and lock your machine when you leave it". "If you run a business you should invest in some kind of monitoring solution that can alert your security team when something like this attack occurs," he said. "In all cases, be wary if someone wants to plug something into your machine."

      < Here >
  11. Researchers have detected a new worm that is spreading via SMB, but unlike the worm component of the WannaCry ransomware, this one is using seven NSA tools instead of two.

      The worm's existence first came to light on Wednesday, after it infected the SMB honeypot of Miroslav Stampar, member of the Croatian Government CERT, and creator of the sqlmap tool used for detecting and exploiting SQL injection flaws.

      EternalRocks uses seven NSA tools

      The worm, which Stampar named EternalRocks based on worm executable properties found in one sample, works by using six SMB-centric NSA tools to infect a computer with SMB ports exposed online. These are ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY, which are SMB exploits used to compromise vulnerable computers, while SMBTOUCH and ARCHITOUCH are two NSA tools used for SMB reconnaissance operations. Once the worm has obtained this initial foothold, it then uses another NSA tool, DOUBLEPULSAR, to propagate to new vulnerable machines.

      Origin of the EternalRocks name

      The WannaCry ransomware outbreak, which affected over 240,000 victims, also used an SMB worm to infect computers and spread to new victims. Unlike EternalRocks, WannaCry's SMB worm used only ETERNALBLUE for the initial compromise, and DOUBLEPULSAR to propagate to new machines.

      EternalRocks is more complex but less dangerous

      As a worm, EternalRocks is far less dangerous than WannaCry's worm component, as it currently does not deliver any malicious content. This, however, does not mean that EternalRocks is less complex. According to Stampar, it's actually the opposite. For starters, EternalRocks is far sneakier than WannaCry's SMB worm component. Once it infects a victim, the worm uses a two-stage installation process, with a delayed second stage. During the first stage, EternalRocks gains a foothold on an infected host, downloads the Tor client, and beacons its C&C server, located on a .onion domain on the Dark Web. Only after a predefined period of time — currently 24 hours — does the C&C server respond. The role of this long delay is most probably to bypass sandbox security testing environments and security researchers analyzing the worm, as very few will wait a full day for a response from the C&C server.

      No kill switch domain

      Additionally, EternalRocks also uses files with identical names to the ones used by WannaCry's SMB worm, in another attempt to fool security researchers into misclassifying it. But unlike WannaCry, EternalRocks does not include a kill switch domain, the Achilles' heel that security researchers used to stop the WannaCry outbreak. After the initial dormancy period expires and the C&C server responds, EternalRocks goes into the second stage of its installation process and downloads a second stage malware component in the form of an archive named shadowbrokers.zip. The name of this file is pretty self-explanatory, as it contains NSA SMB-centric exploits leaked by the Shadow Brokers group in April 2017. The worm then starts a rapid IP scanning process and attempts to connect to random IP addresses.

      [Image: The configuration files for NSA tools found in the shadowbrokers.zip archive]

      EternalRocks could be weaponized in an instant

      Because of its broader exploit arsenal, the lack of a kill switch domain, and because of its initial dormancy, EternalRocks could pose a serious threat to computers with vulnerable SMB ports exposed to the Internet, if its author were ever to decide to weaponize the worm with ransomware, a banking trojan, RATs, or anything else. At first glance, the worm seems to be an experiment, or a malware author performing tests and fine-tuning a future threat. This, however, does not mean EternalRocks is harmless. Computers infected with this worm are controllable via C&C server commands and the worm's owner could leverage this hidden communications channel to send new malware to the computers previously infected by EternalRocks. Furthermore, DOUBLEPULSAR, an NSA implant with backdoor features, remains running on PCs infected with EternalRocks. Unfortunately, the worm's author has not taken any measures to protect the DOUBLEPULSAR implant, which runs in a default unprotected state, meaning other threat actors could use it as a backdoor to machines infected by EternalRocks, by sending their own malware to those PCs. IOCs and more info on the worm's infection process are available in a GitHub repo Stampar set up a few days ago.

      An SMB free-for-all

      Currently, there are multiple actors scanning for computers running older and unpatched versions of the SMB services. System administrators have already taken notice and started patching vulnerable PCs or disabling the old SMBv1 protocol, slowly reducing the number of vulnerable machines that EternalRocks can infect. Furthermore, malware such as Adylkuzz also shuts down SMB ports, preventing further exploitation from other threats, also contributing to reducing the number of potential targets for EternalRocks and other SMB-hunting malware. Reports from Forcepoint, Cyphort, and Secdo detail other threats currently targeting computers with SMB ports. Nonetheless, the faster system administrators patch their systems the better. "The worm is racing with administrators to infect machines before they patch," Stampar told Bleeping Computer in a private conversation. "Once infected, he can weaponize any time he wants, no matter the late patch."

      Article source
12. Hackers managed to inject the NFTC website with malicious code in a watering hole attack

Nation-state-level hackers based out of China have targeted directors at some of the world's largest firms by compromising the website of a global trade lobby group.

The sophisticated nature of the campaign against the Washington-based National Foreign Trade Council (NFTC) has led cybersecurity researchers at Fidelis to conclude that the attacks were carried out by the Chinese APT10 hacking group.

It's the second time in a week that an APT10 campaign has come to light, with PwC also detailing how the group has been targeting managed IT services providers across the globe in order to steal sensitive data.

The latest campaign, dubbed Operation Tradesecret, has been detailed in a new report and has come to light just ahead of US President Donald Trump's meeting with Chinese President Xi Jinping. The two leaders are expected to discuss cyber warfare and cybersecurity. The number of cyberattacks emerging from China has declined recently, although the incidents that are taking place are more sophisticated and targeted.

Fidelis security researchers say specific pages of NFTC's website were injected with a watering hole attack link, designed to run malware to compromise a very precise set of targets: those registering for specific meetings at the NFTC, such as a board of directors meeting in Washington DC.

The targeted individuals hold key roles in some of the largest corporations in the world, and gaining access to their personal data and sensitive corporate information would be a boon for hackers looking for ways to steal company secrets.

This particular campaign took place between February 27 and March 1, with malicious links on the NFTC website serving Scanbox malware, a well-known web reconnaissance tool that has been used in cyberespionage campaigns dating back to at least 2014. It has also been associated with campaigns linked to the Chinese government.
Cyberespionage capabilities of Scanbox -- which was also used in attacks against the US Office of Personnel Management and Anthem Healthcare -- include monitoring which websites were viewed by the victim as well as their operating system, screen size, and location, along with keylog monitoring. The latter potentially enables attackers to make off with login details and passwords for internal networks and even to compromise others using phishing attacks.

Indeed, Fidelis notes that the watering hole attack against the National Foreign Trade Council is likely to be a precursor to an upcoming sustained campaign against targets, and those affected should be mindful.

"The reconnaissance tool is typically used to enable future targeting campaigns; it should be assumed that such personnel will be subject to further targeted attempts to compromise them -- for example, through spearphishing campaigns," the report warns.

The malicious link itself was removed from the NFTC website on March 2, and Fidelis briefed the organisation about the incident shortly after it was discovered.

The APT10 hacking collective has been focusing on espionage since 2009 and has evolved from targeting US defence firms, as well as the technology and telecommunications sectors, to organisations in multiple industries across the globe. The group was behind the Poison Ivy malware family, and today uses custom tools capable of compromising organisations and their customers, as well as stealing large amounts of data.

Source
13. VMware has released critical security patches for vulnerabilities demonstrated during the recent Pwn2Own hacking contest that could be exploited to escape from the isolation of virtual machines.

The patches fix four vulnerabilities that affect VMware ESXi, VMware Workstation Pro and Player, and VMware Fusion.

Two of the vulnerabilities, tracked as CVE-2017-4902 and CVE-2017-4903 in the Common Vulnerabilities and Exposures database, were exploited by a team from Chinese internet security firm Qihoo 360 as part of an attack demonstrated two weeks ago at Pwn2Own. The team's exploit chain started with a compromise of Microsoft Edge, moved to the Windows kernel, and then exploited the two flaws to escape from a virtual machine and execute code on the host operating system. The researchers were awarded $105,000 for their feat.

Pwn2Own is an annual hacking contest organized by Trend Micro's Zero Day Initiative (ZDI) program that runs during the CanSecWest conference in Vancouver, British Columbia. Researchers receive cash prizes for demonstrating zero-day -- previously unknown -- exploits against browsers, operating systems and other popular enterprise software programs.

This year, the contest organizers added prizes for exploits in hypervisors like VMware Workstation and Microsoft Hyper-V, and two teams stepped up to the challenge. The second team, made up of researchers from the Keen Lab and PC Manager divisions of internet services provider Tencent, exploited the two other flaws patched by VMware this week: CVE-2017-4904 and CVE-2017-4905. The latter is a memory information leak vulnerability that is rated only as moderate, but which could help hackers pull off a more serious attack.

Users are advised to update VMware Workstation to version 12.5.5 on all platforms and VMware Fusion to version 8.5.6 on macOS (OS X). Individual patches are also available for ESXi 6.5, 6.0 U3, 6.0 U2, 6.0 U1 and 5.5, where applicable.
Virtual machines are often used to create throw-away environments that pose no threat to the main operating system in case of compromise. For example, malware researchers execute malicious code and visit suspicious URLs inside virtual machines to observe their behavior. Companies also run many applications inside virtual machines to limit the potential impact if they're compromised.

One of the main goals of hypervisors like VMware Workstation is to create a barrier between the guest operating system that runs inside the virtual machine and the host OS where the hypervisor runs. That's why VM escape exploits are highly prized among hackers.

Source
14. FBI Director James Comey (left) testifies in front of the House Intelligence Committee on Monday regarding Russian hacking during the 2016 election.

The agency's director, James Comey, confirms the FBI is looking into any possible ties between the president's campaign and the Russian government.

In a rare move, the FBI confirmed that it is investigating whether Russian hackers had any links to President Trump's election team.

Citing "unusual circumstances," FBI Director James Comey said that the bureau is looking into whether Trump's campaign worked with Russian officials during the 2016 election.

"I have been authorized by the Department of Justice to confirm that the FBI, as part of our counterintelligence mission, is investigating the Russian government's efforts to interfere in the 2016 presidential election," Comey testified at a House committee hearing on Monday. "That includes investigating the nature of any links between individuals associated with the Trump campaign and the Russian government, and whether there was any coordination with the campaign and Russia's efforts."

These are unusual circumstances indeed. Worries about Russian hacks plagued the US presidential election and its aftermath, with US intelligence agencies accusing Russia of meddling in the race for the White House. The House Intelligence Committee is investigating how the cyberattacks happened and how to protect the nation's democratic processes from interference in the future. The breaches included hacking emails from the Democratic National Committee, Democratic candidate Hillary Clinton and her campaign manager, John Podesta.

Comey had earlier testified before the House Intelligence Committee concerning Russian hacks during the election, revealing there were no attacks against the Trump campaign or the Republican National Committee. During the campaign, Donald Trump publicly urged Russia to help turn up Clinton's emails.
Members of the Trump administration, including attorney general Jeff Sessions, former national security adviser Michael Flynn and Secretary of State Rex Tillerson, have also faced controversy for ties to Russian officials.

The Obama administration in late December retaliated against Russia, imposing sanctions over the cyberattacks, even as Russian officials continue to deny any involvement in the hacks. Russia's relationship with the US has been on shaky ground since.

Comey revealed that the FBI has been investigating Russian influence on the 2016 election since last July, when hackers apparently first infiltrated the DNC. It remains unclear when the investigation will end.

During the hearing, Comey also rebutted President Trump's tweets that the Obama administration ordered a wiretap on Trump Tower during the campaign. That echoed House Intelligence Committee chairman Devin Nunes and the Justice Department's findings.

"I have no information that supports those tweets, and we have looked carefully inside the FBI," Comey said. National Security Agency director Michael Rogers also denied Trump's claims during the hearing.

Source
15. Your Apple iCloud account may be open to attacks. Worried about hackers destroying your iCloud music, pictures, and documents? Here are three things you should do right now.

Maybe the London-based hacker group -- which goes by the name "Turkish Crime Family" -- doesn't have access to 250 million Apple iCloud account names and passwords. But they do have access to some indeterminate number of accounts, and that's more than enough reason to exercise caution: Protect your iCloud password and data today or risk losing it tomorrow. Here's how to do it.

Back up vulnerable data

First, you need to back up your iCloud data. Yes, I know Apple's idea was that you could use iCloud to back up your Apple device data, and that's fine, but it's iCloud itself we're worried about today.

For your iPhone, iPad, or iPod, the easiest way to do this is to back up your device's files to your Mac or PC with an iTunes backup.

1. Plug your device into your Mac or PC with iTunes on.
2. In iTunes' top left-hand corner, under the play controls, there's a tiny phone icon. Click it and it will take you to your device's menu.
3. Click on Summary in the left-hand column. You will be presented with three boxes. Choose Select Backups.
4. Choose to automatically or manually back up your device. If you choose automatic, every time you plug your gadget in, iTunes will start to back it up.

Backing up your Apple device locally, and not just to iCloud, is a good idea

The only problem here is that iTunes doesn't back everything up. For example, it won't back up your Apple Pay information and settings, photos already on iCloud, or purchased iTunes and App Store content. So, to be safe, you really must change and secure your password.

Change your passwords

Apple could help here -- and not just by paying off the Turkish Crime Family. Other major sites -- like Amazon, Netflix, and LinkedIn -- buy cracked password lists and use one-way hash matching to check for existing passwords.
They then reset vulnerable passwords and ask users to switch passwords. Apple hasn't done that, but it should consider doing it, given just how large the threat appears to be.

Since Apple isn't doing this, it's up to you. One thing that has always annoyed me is that Apple talks as if your Apple ID and iCloud ID are different. They're not. They're the same, and they use the same password.

To change your Apple ID password, sign in to your Apple ID account page with any web browser and follow the instructions to reset your password. I changed mine using Google Chrome from a Mint Linux system.

Your new Apple ID password must contain at least eight characters, a number, an uppercase letter, and a lowercase letter. You also can't use spaces, the same character three times in a row, your Apple ID, or a password you've used in the last year.

Whatever you do, do NOT use dumb passwords such as "abcdefgh," "qwerty," or "password." The easiest way to create a secure password that won't try your memory is to use passphrases instead of passwords. Instead of working your nerves into a frenzy trying to memorize what the cat wrote when he jumped on the keyboard (e.g. "sdf9usdf"), use an easy-to-remember but nonsensical phrase instead. For example, "Plump/Trotting Pups:" or "UNC?Win!Duke?Lose!" or "AC!DC!Tesla!Edison?" These are easy to recall and hard for crackers to break.

Once you've changed your password, you'll need to change it on all your Apple devices. Then, you're going to want to add another layer of protection: two-factor authentication (2FA).

2FA

Apple's 2FA is clunky, but it still does a great job of protecting your account.

For additional protection, turn on Apple's two-factor authentication. When you activate 2FA, you can access your account only from trusted devices such as your iPhone, iPad, or Mac. When you want to sign in to a new device for the first time, you'll need to provide two pieces of information.
These are your Apple ID password and the six-digit verification code that's automatically displayed on your trusted devices. To use Apple 2FA, you'll also need a trusted phone number so you can receive verification codes.

To add a trusted phone number, take the following steps:

1. Go to your Apple ID account page.
2. Sign in with your Apple ID.
3. Go to the Security section and click Edit.
4. Click Add a Trusted Phone Number and enter the phone number.

Now, you're ready for 2FA. For a trusted device, you need an iPhone, iPad, or iPod touch with iOS 9 or later, or you need a Mac running OS X El Capitan or later that you've already signed into with 2FA.

To turn on Apple 2FA, take the following steps.

On your iPhone, iPad, or iPod touch with iOS 9 or later:

1. Go to Settings > iCloud > tap your Apple ID.
2. Tap Password & Security.
3. Tap Turn on Two-Factor Authentication.

On your Mac with OS X El Capitan or later:

1. Go to Apple menu > System Preferences > iCloud > Account Details.
2. Click Security.
3. Click Turn on Two-Factor Authentication.

Yes, this can be a lot of work. On the other hand, how much work would it take you to replace your important photos, music, books, or documents if your Apple iCloud account goes up in smoke? Take the time, do it now. You'll be glad you did.

Source
16. Apple has received a ransom threat from a hacking group claiming to have access to data for up to 800 million iCloud accounts.

The hackers, said to be a London-based group called the "Turkish Crime Family," have threatened to reset passwords and remotely wipe the iPhones of millions of iCloud users if Apple fails to hand over a total of US$700,000. They have given the company an ultimatum to respond by April 7.

Apple reportedly has denied that the group succeeded in hacking its systems, maintaining that it obtained the email addresses and passwords from previously compromised third-party services. Apple is working with law enforcement on the threats.

The data set in the iCloud hack matches the data found in the 2012 hack of 117 million accounts on LinkedIn, according to some published reports. However, the Turkish Crime Family strongly denied that in a message to TechNewsWorld on Friday.

Correcting the Message

The initial reports of a ransom demand of just $75,000 were incorrect, the group said in response to our email query. It actually demanded $100,000 for each of its seven members, plus "extra stuff from Apple that are worth more to us than money," which it promised Apple it would keep secret.

The group also told TechNewsWorld that the only member based in London is Kerem Albayrek, who is facing charges related to listing a hacked Yahoo database for sale. It claimed that its iCloud ransom demands were in part to spread awareness of Albayrek, as well as of Karim Baratov, a Canadian resident charged earlier this month, along with a second hacker and two Russian FSB agents, in the 2014 breach of 500 million Yahoo account holders.

The group told TechNewsWorld that it showed Apple scan logs that contain 800 million iCloud accounts, and that Apple claimed the data had come from outside sources.

The group said it planned to launch a website that would list iCloud user names, last names, dates of birth and a captcha of their current location from an iCloud app.
The site will not disclose passwords initially, the group said, but it would do so "most probably in the future."

Shaking Down Apple

The Turkish Crime Family threat should be taken seriously, said Pierluigi Paganini, a cybersecurity analyst and member of the Cyber Group G7 2017 Summit in Italy.

"I consider the threat is credible, even if it is quite impossible to know the exact number of iCloud credentials in the hands of hackers," he told TechNewsWorld.

The group is known in the hacking underground for the sale of stolen databases, Paganini said. The group reportedly has approached several media outlets directly; it told TechNewsWorld that it had been in contact with five.

However, it is unlikely that the group's efforts to stir public pressure against Apple will be effective, noted Mark Nunnikhoven, vice president for cloud research at Trend Micro, in an online post. Apple is too large and has too many resources to give in to public pressure, he pointed out.

The group's demands are similar to a shakedown in the physical world, in which criminals demand monthly payments to "protect" a business, Nunnikhoven noted.

"In the digital world, the pressures that make victims pay (e.g. keeping your store in one piece) don't apply," Nunnikhoven wrote. "With iCloud accounts, Apple has the ultimate safety valve ... they control the infrastructure behind the accounts," he added. "Which removes most of the pressure points criminals could use."

There is no evidence of state involvement in this cyberthreat, Nunnikhoven told TechNewsWorld. However, there is "mounting evidence that this is a group whose eyes are bigger than their stomachs," he suggested. "Selling credentials on the underground is rather commonplace. Attempting to extort one of the biggest companies on the planet with poor quality data is quite another."

Credible Threat

A report in ZDNet appeared to lend credence to some of the hacking group's claims, however.
The group provided 54 credentials to the publication, which were verified as authentic based on a check of the password reset function. Most of the accounts were outdated, but 10 people did confirm to the publication that the obtained passwords were legitimate and that they had since changed them. Those 10 people were living in the UK and had UK mobile numbers.

Trend Micro is urging iCloud users to protect their accounts by using two-factor authentication, and also to use a password manager. A password manager helps users create unique passwords for every account and stores them remotely so that hackers cannot access one or two accounts and thereby gain access to many more.

The FBI declined to comment for this story. Apple officials did not respond to our request to comment, and a Yahoo spokesperson was not immediately available.

Source
17. Most Android phones don't have the latest security patch -- despite efforts by Google to distribute software fixes monthly via phone carriers -- researchers at Skycure found.

A cybersecurity company found that 71 percent of Android users on major US carriers are easy targets for hackers.

Chances are, your Android phone would be easy pickings for hackers. That's according to research released Thursday by cybersecurity company Skycure, which found that 71 percent of Android phones on the five major US carriers haven't been patched with the latest security updates. That could be because users haven't installed updates, or because they haven't received them from carriers.

The report highlights the risks posed by not updating smartphones, and the challenges Google faces in delivering security updates to Android users.

Why should Android users be worried about staying up to date on their security updates? In the hacking world, security updates show bad guys all the ways that phones, computers or other devices can be compromised. For example, an Android security update in December patched a flaw nicknamed "Dirty Cow" that could have let hackers get root privileges -- essentially the keys to the kingdom -- on an Android phone. So if you don't (or can't) update, hackers can build tools to break into your phone. Patching makes these hacking tools useless.

"Malware, network attacks and advanced exploitation campaigns many times depend on unpatched vulnerabilities to be successful," Yair Amit, co-founder and chief technical officer at Skycure, said in a statement.

The carriers in the Skycure study are T-Mobile, MetroPCS, AT&T, Verizon and Sprint. T-Mobile (which merged with MetroPCS in 2013) didn't immediately provide a comment. Sprint, Verizon and AT&T didn't immediately respond to requests for comment.
Google declined to respond to the Skycure report, but a spokesman pointed to its report published Wednesday on Android security, which gave details on the company's efforts to distribute monthly Android security updates. These updates have to go first to carriers like those listed in the Skycure report before they can be sent to users' phones.

"We released monthly Android security updates throughout [2016] for devices running Android 4.4.4 and up -- that accounts for 86.3 percent of all active Android devices worldwide," members of the Android security team wrote in a blog post about the report on Wednesday.

The report also said the company improved its ability to stop dangerous apps from getting onto the Google Play store and then to users' phones. But Android acknowledged there was "a lot of room for improvement" in its security update process.

"About half of devices in use at the end of 2016 had not received a platform security update in the previous year," members of the Android security team wrote in their blog post.

Source
18. Police officers push back demonstrators as they protest against US President Donald Trump in Washington, DC, on January 20, 2017.

Court papers say data is being extracted from 100 locked phones seized during arrests at anti-Trump protests.

Prosecutors are trying to pull data from 100 locked phones seized during arrests made in Washington, DC on Inauguration Day, according to court papers filed Wednesday.

Prosecutors said they have search warrants to extract data from the phones, which were seized by law enforcement officers on January 20 from 214 individuals arrested on felony rioting charges related to demonstrations protesting the inauguration of Donald Trump, according to a BuzzFeed report.

The filing suggests that even though the phones are locked, prosecutors have successfully copied data from them, although it doesn't describe their methods. Prosecutors said in the filing they expect to "produce all of the data from the searched [phones] in the next several weeks."

Wednesday's filing comes amid a mounting war of words between tech companies and policy makers, who contend that terrorist groups are benefiting from encryption, the technology that jumbles communications and files so that only the intended recipient can read them. Tech companies have become increasingly diligent about including encryption in products and services in the wake of revelations about US government surveillance programs from documents leaked by former NSA contractor Edward Snowden.

Apple's iPhone was at the center of a legal back-and-forth between the government and Apple last year after the December 2015 attack that left 14 people dead. The government wanted Apple to write new software that would unlock the phone and make its data readable, but Apple refused, saying that weakening the encryption would potentially leave other iPhone users at risk.
In a surprise revelation in March 2016, the Department of Justice said an unnamed outside party helped agents break into an iPhone 5C that was used by shooter Syed Farook. However, the agency wouldn't disclose exactly how the hacker got into the phone.

The data extracted from protesters' phones includes personal information irrelevant to the charges, so prosecutors are seeking a court order that would prohibit defense lawyers from copying or reproducing information unless it's relevant to the defense of their client.

Representatives for the US Attorney's Office for the District of Columbia, which filed the papers Wednesday in the DC Superior Court, did not immediately respond to a request for comment.

Source
19. Hacking the Western Digital MyCloud NAS

Sometimes at Exploitee.rs, we look for fun devices to hack, and sometimes the devices find us. Today we're going to talk about a recent time when we found ourselves in the latter situation, and our experience with the Western Digital series of Network Attached Storage devices.

In the middle of last year I (Zenofex) began looking for a NAS that provided hardware decoding through my currently preferred media player, Plex. After a bit of research I ordered a Western Digital "MyCloud" PR4100. This device met all the requirements I was looking for and came highly recommended by a friend. After adding the NAS to my network and visiting the device's admin page for the first time, I grew wary of adding a new device to my network without giving it a proper audit. So, I logged in, enabled SSH access, and looked at how the web server functionality of the device worked.

Login Bypass

I quickly found the first bug, which shocked me: it was in code that performed a user login check, but did so using either cookies or PHP session variables. Using cookies for authentication isn't necessarily a bad thing, but the way that the Western Digital MyCloud interface uses them is the problem. Examine the code below.

/lib/login_checker.php

    function login_check()
    {
        $ret = 0;

        if (isset($_SESSION['username']))
        {
            if (isset($_SESSION['username']) && $_SESSION['username'] != "")
                $ret = 2; //login, normal user

            if ($_SESSION['isAdmin'] == 1)
                $ret = 1; //login, admin
        }
        else if (isset($_COOKIE['username']))
        {
            if (isset($_COOKIE['username']) && $_COOKIE['username'] != "")
                $ret = 2; //login, normal user

            if ($_COOKIE['isAdmin'] == 1)
                $ret = 1; //login, admin
        }

        return $ret;
    }

The above code contains a function called "login_check"; this function is used by all of the backend PHP scripts to verify pre-authenticated users.
The above code has two paths: one checks the session values for "username" and "isAdmin", and the other (if the prior fails) attempts the same process with cookies. Because cookies are supplied by the user, the requirements that the scripts are looking for can be met by the attacker. The process for both sessions and cookies is summed up as follows.

• "username" variable is set and is not empty: the user is logged in as a normal privileged user.
• "isAdmin" variable is set to 1: the user is logged in as an administrator.

This means that any time there is a login check within the PHP scripts, an attacker is able to bypass the check by supplying two specially crafted cookie values.

During the process of writing up my findings a new firmware was rolled out patching the above bug. However, this patch introduced a new vulnerability which had the same consequences as the original (prior to the update). Below is the current version including the fixed code.

/var/www/web/lib/login_checker.php

    20 function login_check()
    21 {
    22     $ret = 0;
    23
    24     if (isset($_SESSION['username']))
    25     {
    26         if (isset($_SESSION['username']) && $_SESSION['username'] != "")
    27             $ret = 2; //login, normal user
    28
    29         if ($_SESSION['isAdmin'] == 1)
    30             $ret = 1; //login, admin
    31     }
    32     else if (isset($_COOKIE['username']))
    33     {
    34         if (isset($_COOKIE['username']) && $_COOKIE['username'] != "")
    35             $ret = 2; //login, normal user
    36
    37         if ($_COOKIE['isAdmin'] == 1)
    38             $ret = 1; //login, admin
    39
    40         if (wto_check($_COOKIE['username']) === 0) //wto check fail
    41             $ret = 0;
    42     }
    43
    44     return $ret;
    45 }
    46 ?>

In the updated version of the code, a call to the new method "wto_check()" is made (line 40). This function runs a binary on the device with the client-supplied username as an argument, along with the user's IP address. If the user is currently logged in and hasn't timed out, the value 1 is returned; otherwise 0 is returned (indicating the user isn't logged in).
The code for the "wto_check()" method can be found below.

/var/www/web/lib/login_checker.php

     3 /*
     4 return value: 1: Login, 0: No login
     5 */
     6 function wto_check($username)
     7 {
     8     if (empty($username))
     9         return 0;
    10
    11     exec(sprintf("wto -n \"%s\" -i '%s' -c", escapeshellcmd($username), $_SERVER["REMOTE_ADDR"]), $login_status);
    12     if ($login_status[0] === "WTO CHECK OK")
    13         return 1;
    14     else
    15         return 0;
    16 }
    17
    18 /* ret: 0: no login, 1: login, admin, 2: login, normal user */
    19

In the above you can see that on line 11 the command is formatted to include the username and IP address as arguments to the "wto" binary. The problem is the incorrect use of the PHP function "escapeshellcmd()", which in its intended usage handles an entire command string, not just an argument. Because "escapeshellcmd()" does not escape quotes, an attacker is able to break out of the encapsulating quotes (in our case those around the "-n" argument), allowing new arguments to be supplied to the binary. Because of this, instead of the code actually checking whether the user is logged in, we can add new arguments and log the user in ourselves. We also do not believe that simply verifying that the user is already logged in, by checking an IP address and a login timeout, is sufficient.

The programmer who wrote this code should have used "escapeshellarg()", which is intended to filter a single argument and which does filter out quotes. Using "escapeshellarg()" instead of "escapeshellcmd()" would at least have prevented this attack from working.

Command Injection Bugs

A majority of the functionality of the WDCloud web interface is actually handled by CGI scripts on the device. Most of them follow the same pattern: they obtain POST/GET/cookie values from the request and then use those values within PHP calls to execute shell commands.
In most cases, these commands use the user-supplied data with little or no sanitization. For example, consider the following code from the device.

php/users.php

    $username = $_COOKIE['username'];
    exec("wto -n \"$username\" -g", $ret);

The code above assigns a value from the COOKIE superglobal, which contains array indexes for the cookies submitted with the request, to the local variable "$username". This value is then immediately used in a PHP "exec()" call as an argument to the local "wto" binary. Since there is no sanitization, using a username value like

    username=$(touch /tmp/1)

turns the existing exec command into

    wto -n "$(touch /tmp/1)" -g

and executes the user-supplied command within it. Because the argument is encapsulated in double quotes and we use the "$(COMMANDHERE)" syntax, the command "touch /tmp/1" is executed prior to the execution of the "wto" binary, and its output is substituted as the "-n" argument.

This basic pattern, resulting in a command injection vulnerability, is used multiple times within the many scripts used by the web interface. While some of these may normally have been prevented by authentication being required, that restriction is overcome by the authentication bypass mentioned above. Also, it is important to note that all commands executed through the web interface run as the user the web server is running as, which in this case is root.
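The two fixes the writeup calls for, shown together as an added example (this is not Western Digital's firmware code or Exploitee.rs' code): login_check consults only server-side session state and never the client-controlled cookies, and the wto command is built with escapeshellarg() so each value stays a single argument. It assumes PHP 7+ and a hypothetical wto binary whose -n/-i/-c flags and "WTO CHECK OK" output behave as described above.

```php
<?php
// Added example, not code from the MyCloud firmware or from Exploitee.rs.
// Assumes PHP 7+ and that the "wto" binary (-n user, -i addr, -c check)
// prints "WTO CHECK OK" for a live login, as the writeup describes.

/* return value: 1: login, 0: no login */
function wto_check_hardened(string $username): int
{
    if ($username === '') {
        return 0;
    }
    // Allow-list the account name first (character set assumed here;
    // adjust to the device's real username policy). This rejects quotes,
    // $(...), backticks and whitespace before the shell ever sees them.
    if (!preg_match('/^[A-Za-z0-9._-]{1,32}$/', $username)) {
        return 0;
    }
    $remote = $_SERVER['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return 0;
    }
    // escapeshellarg() wraps each value in single quotes and escapes any
    // single quote inside it, so a value can never become an extra
    // argument. Note that the format string no longer quotes %s itself;
    // the original wrapped escapeshellcmd() output in double quotes,
    // which escapeshellcmd() does not protect.
    $cmd = sprintf('wto -n %s -i %s -c',
                   escapeshellarg($username), escapeshellarg($remote));
    exec($cmd, $output, $status);
    return ($status === 0 && ($output[0] ?? '') === 'WTO CHECK OK') ? 1 : 0;
}

/* ret: 0: no login, 1: login, admin, 2: login, normal user */
function login_check_hardened(): int
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Only server-side session state decides the result. The cookie
    // branch of the original (reading $_COOKIE['username'] and
    // $_COOKIE['isAdmin']) is gone: those values are chosen by the client.
    $username = $_SESSION['username'] ?? '';
    if (!is_string($username) || $username === '') {
        return 0;
    }
    // Keep the device's own login tracker in the loop, but feed it the
    // session username, not a cookie.
    if (wto_check_hardened($username) === 0) {
        return 0;
    }
    return ((int) ($_SESSION['isAdmin'] ?? 0) === 1) ? 1 : 2;
}

// The same idea applied to the users.php pattern: the username comes
// from the session and goes through escapeshellarg(), never interpolated
// inside a double-quoted string, and the handler refuses unauthenticated
// callers instead of relying on a commented-out check.
function run_wto_get_hardened(): array
{
    if (login_check_hardened() === 0) {
        http_response_code(401);
        return [];
    }
    $cmd = 'wto -n ' . escapeshellarg($_SESSION['username']) . ' -g';
    exec($cmd, $ret);
    return $ret;
}
```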
Other Errata

While you may think that the above bugs are severe, there are a number of other errors within the web interface, some being as simple as the normal authentication being commented out:

addons/ftp_download.php

    //include ("../lib/login_checker.php");
    //
    ///* login_check() return 0: no login, 1: login, admin, 2: login, normal user */
    //if (login_check() == 0)
    //{
    //    echo json_encode($r);
    //    exit;
    //}

And others being more functionality-specific, like the following example of a bug allowing a non-authenticated user to upload files onto the MyCloud device.

addons/upload.php

    //if(!isset($_REQUEST['name'])) throw new Exception('Name required');
    //if(!preg_match('/^[-a-z0-9_][-a-z0-9_.]*$/i', $_REQUEST['name'])) throw new Exception('Name error');
    //
    //if(!isset($_REQUEST['index'])) throw new Exception('Index required');
    //if(!preg_match('/^[0-9]+$/', $_REQUEST['index'])) throw new Exception('Index error');
    //
    //if(!isset($_FILES['file'])) throw new Exception('Upload required');
    //if($_FILES['file']['error'] != 0) throw new Exception('Upload error');

    $path = str_replace('//','/',$_REQUEST['folder']);
    $filename = str_replace('\\','',$_REQUEST['name']);
    $target = $path . $filename . '-' . $_REQUEST['index'];

    //$target = $_REQUEST['folder'] . $_REQUEST['name'] . '-' . $_REQUEST['index'];

    move_uploaded_file($_FILES['file']['tmp_name'], $target);

    //$handle = fopen("/tmp/debug.txt", "w+");
    //fwrite($handle, $_FILES['file']['tmp_name']);
    //fwrite($handle, "\n");
    //fwrite($handle, $target);
    //fclose($handle);

    // Might execute too quickly.
    sleep(1);

The above code contains no checks for authentication and, when called, will simply retrieve the uploaded file contents and use the user-supplied path to determine where to place the new file. Beyond the bugs listed in this blog post, our wiki is full of bugs we've found within the MyCloud web interface.
Our general goal at Exploitee.rs is to get bugs fixed as quickly as possible. However, the large number of severe findings means that we may need to re-evaluate the product after the vendor has properly fixed the released vulnerabilities.

Responsible Disclosure

At Exploitee.rs, we normally attempt to work with vendors to ensure that vulnerabilities are properly released. However, after visiting the Pwnie Awards at the last BlackHat Vegas, we learned of the vendor's reputation within the community. In particular, this vendor won a "Pwnie for Lamest Vendor Response" in a situation where the vendor ignored the severity of a set of bugs reported to them. Ignoring these bugs would leave the vulnerable devices online for longer periods while responsible disclosure is worked out. Instead we're attempting to alert the community of the flaws and hoping that users remove their devices from any public facing portions of their networks, limiting access wherever possible. Through this process, we're fully disclosing all of our research and hoping that this expedites the patches to users' devices.

Bugs Found Statistics

1 x Login Bypass
1 x Arbitrary File Write
13 x Unauthenticated Remote Command Execution Bugs
70 x Authentication Required Command Execution Bugs*

*"Authentication Required" bugs can be reached with the login bypass bug.

Scope

Most, if not all, of the research can be applied to the entire series of Western Digital MyCloud products. This includes the following devices:

My Cloud
My Cloud Gen 2
My Cloud Mirror
My Cloud PR2100
My Cloud PR4100
My Cloud EX2 Ultra
My Cloud EX2
My Cloud EX4
My Cloud EX2100
My Cloud EX4100
My Cloud DL2100
My Cloud DL4100

Video Demo

Source
20. Mozilla Fixes Critical Vulnerability in Firefox 22 Hours After Discovery

White hats were rewarded $30,000 for the effort

The new Firefox version 52.0.1, which was released late on Friday, contains the patch for the flaw discovered by hackers in the competition. The fix was confirmed via Twitter by Asa Dotzler, Mozilla participation director for Firefox OS, as well as Daniel Veditz, security team member at Mozilla. The bug was discovered by the Chaitin Security Research Lab from China. The hackers managed to escalate privileges in an exploit during the hacking competition by combining the bug with an uninitialized buffer in the Windows kernel. The bug bounty for this particular vulnerability was $30,000, indicating that it was a serious matter. In a security advisory published by Mozilla, the company marks the integer overflow in createImageBitmap() as "critical." They say that the bug was fixed in the newest version by disabling experimental extensions to the createImageBitmap API. Mozilla also notes that since the function runs in the content sandbox, it would have required a second vulnerability to compromise a user's computer. Chaitin used, in this instance, the Windows kernel.

Largest awards so far

Many vulnerabilities were discovered during the hacking competition. So far, few have been fixed, and definitely not many as fast as the one Mozilla patched up in Firefox. Microsoft and Apple are two of the companies people are waiting to hear from in this regard. In total, contestants were awarded $833,000 for the discovered vulnerabilities this year, nearly double what was awarded last year. In 2016, the awards reached $460,000 and the previous year $577,000. In the end, it all depends on how good a day the hackers have to find something critical to exploit.

Source
21. The attackers patch Petya on the fly to use their own encryption key, bypassing the malware's original creators in the process

In a case of no honor among thieves, a group of attackers has found a way to hijack the Petya ransomware and use it in targeted attacks against companies without the program creators' knowledge. A computer Trojan dubbed PetrWrap, being used in attacks against enterprise networks, installs Petya on computers and then patches it on the fly to suit its needs, according to security researchers from antivirus vendor Kaspersky Lab. The Trojan uses programmatic methods to trick Petya into using a different encryption key than the one its original creators embedded inside its code. This ensures that only the PetrWrap attackers can restore the affected computers to their previous state. The Trojan also removes all mentions of Petya from the ransom message, as well as its signature red skull drawn in ASCII. Petya first appeared a year ago and immediately stood out from other ransomware programs. Instead of encrypting files directly, it replaces the hard drive's master boot record (MBR) code, which normally starts the operating system, with malicious code that encrypts the drive's master file table (MFT). The MFT is a special file on NTFS volumes that contains information about all other files: their name, size, and mapping to hard disk sectors. The actual contents of the user's files are not encrypted, but without the MFT, the OS no longer knows where those files are located on disk. Unlike other ransomware infections that only lock access to certain files by encrypting them, Petya locks access to the entire computer. With a corrupted MBR and MFT, the operating system will no longer start, and users will only be greeted by a ransom message on the screen when they turn on their computer. The decision to hijack and use Petya without its authors' consent is clever because it solves several problems for the PetrWrap attackers.
First of all, they don't have to write their own ransomware program, which is hard to get right, and they don't have to pay someone else for a ready-made solution either. Second, because it has been around for a while, Petya has had time to mature into a well-developed piece of malware. The PetrWrap attackers use Petya version 3, the latest variant of the program, which, unlike previous versions, has no known flaws. That's because its creators have perfected their encryption implementation over time. Creating something like Petya from scratch would not only be prone to errors but would also require knowledge of writing low-level bootloader code for the MBR. Once inside a network, the PetrWrap attackers look for and steal administrative credentials. They then use the PsExec tool to deploy the malware to all endpoint computers and servers they can access. There is no tool to decrypt the MFT of hard disk volumes affected by Petya, but because this malware doesn't actually encrypt the file contents, some data recovery tools might be able to reconstruct the files from hard disk raw data.
  22. Julian Assange said WikiLeaks will work with tech companies to resolve the CIA's exploits. Julian Assange, the founder of WikiLeaks, wants big players like Apple and Samsung to disarm the CIA's exploits before he releases them to the world. WikiLeaks wants to join forces with tech giants against the CIA. The leak-focused site on Tuesday released thousands of alleged CIA documents, accusing the intelligence agency of amassing tools that can break into iPhones, Android devices, smart TVs and cars. WikiLeaks' "Vault 7" release also indicated that the CIA hoarded vulnerabilities in iOS and Android and kept them secret so it could continue using them to gain access to devices. CNET is unable to verify whether the documents are real or have been altered. On Thursday, WikiLeaks founder Julian Assange said that his organization will work with tech giants like Apple, Google and Samsung to plug those holes before it releases more details on the CIA's hacking program. "We have quite a lot of exploits ... that we want to disarm before we think about publishing it," Assange said at a press conference streamed on Periscope. "We're going to work with some of these manufacturers to try and get these antidotes out there." His press conference was the latest turn in a drama that has potentially blown open how the CIA could use our own devices to spy on us. The documents show how the agency has allegedly been able to break into even encrypted devices such as phones and computers by taking control of their operating systems. Assange said he's been keeping WikiLeaks' findings under wraps while the CIA's exploits can still be used because he doesn't want them falling into the wrong hands. He said the CIA has already "lost control of its entire cyberweapons arsenal," which he criticized for being poorly secured. He said WikiLeaks has much more information on the CIA's cyberweapons program that it's waiting to reveal. 
"This is an historic act of devastating incompetence," Assange said, "to have created such an arsenal and stored it all in one place and not secured it." The CIA has not confirmed or denied the authenticity of WikiLeaks' release but did say that it is the CIA's job to "be innovative" and "cutting edge" with its technology. The intelligence agency said it will continue to spy on foreign countries to "protect America from terrorists, hostile nation states and other adversaries." The agency also sought to cast suspicion on the messenger. "As we've said previously, Julian Assange is not exactly a bastion of truth and integrity," CIA spokesman Jonathan Liu said Thursday in a statement.

Challenges for Android and others

For some of the smaller exploits, it will take companies two or three days to patch up the vulnerabilities, Assange said. For exploits on so-called internet of things devices like smart baby monitors or refrigerators, it could take much longer. Samsung said it is "urgently looking" into the CIA's alleged exploits after WikiLeaks named a program that could secretly turn its TVs into listening devices. Apple said it had already patched up most of the vulnerabilities with its latest version of iOS. Microsoft said that it's aware of the CIA's alleged tools and that it's "looking into it." Google said in a statement that it had already patched up most of the holes. However, the various makers of Android devices add their own custom software, which may still be vulnerable. Android users will also have the most difficulty in getting fixes for some of the CIA's exploits because the operating system is used by multiple manufacturers with different rollout schedules for updates. "For some systems, like Android with many manufacturers, there is no automatic update to the system. That means that only people who are aware of it can fix it," Assange said. "Android is significantly more insecure than iOS, but both of them have significant problems."
WikiLeaks is still sorting through thousands of documents for future releases. The organization redacted more than 78,000 IP addresses, more than a quarter of which came from the US. The CIA said it does not spy on US citizens, but WikiLeaks is still investigating how many of the 22,000 IP addresses in the US are from the CIA's hacking unit and how many are malware victims. Assange said the CIA's hacking programs cannot be properly regulated by its design. "The technology is designed to be unaccountable. It's designed to be untraceable," he said. Source
23. But only to a certain extent…

A United States representative has proposed a bill that would allow hacking victims to hack back their attackers. On 3 March, Representative Tom Graves (R-Georgia) proposed a discussion draft of what he's calling "ACDC". No, the bill has nothing to do with the "Thunderstruck" Australian rock band. ACDC in this case stands for "Active Cyber Defense Certainty." It's a term that empowers hacking victims to use "limited defensive measures that exceed the boundaries of one's network" to stop and/or identify digital attackers. Essentially, ACDC empowers companies that have experienced digital intrusions to hack back their attackers. But it's important to note there are some limitations. Indeed, the bill limits victims' defensive measures to gathering data about their attackers and sharing that information with law enforcement. It does not allow other activities such as destroying information, causing physical injury to another person, or creating a threat to public safety and/or health. That's all well and good. I commend Representative Graves for including those provisions in the bill. However, even "gathering information" can be a slippery slope when it comes to digital attackers that use compromised machines to carry out their dirty work. A hacking victim might endeavor to identify to whom an infected computer belongs, for example. In so doing, there's a strong possibility they could violate the computer owner's privacy. Worse, they might discover the machine belongs to a company that stores the personal and/or financial information of customers. By viewing that information without authorization, the victim would inadvertently compromise the confidentiality of that company's data. Representative Graves recognizes there are concerns his bill doesn't address. But it's a start. As he explains on his website, at this time interested parties have a chance to provide feedback and make recommendations for the bill.
Once they have done so, Representative Graves can move forward and formally introduce the bill to the U.S. House of Representatives. By David Bisson https://www.grahamcluley.com/draft-bill-would-allow-hacking-victims-to-hack-back/
24. UK-based activist group Privacy International has highlighted the international ramifications of mass hacking operations.

In February 2015, the FBI embarked on the largest known law enforcement hacking operation to date, targeting over 8,000 computers in 120 countries. Lawyers in the US have challenged the legality of the underlying warrant, arguing that the judge had no authority to greenlight searches outside of her district. Now, activist and legal group Privacy International has filed a brief in a related case, pushing back against the global nature of the FBI's operation. As Privacy International notes, 83 percent of the computer infections were outside of the United States. "Well-established international law prohibits the government from undertaking law enforcement functions in other countries, without those countries' consent, which the government did not seek here," the amicus brief signed by Privacy International's General Counsel Caroline Wilson Palow reads. Specifically, this case concerns the FBI's investigation into a dark web child pornography site called Playpen. When the FBI seized the site in 2015, instead of shutting it down the agency kept Playpen running for 13 days. During this time, the FBI deployed a network investigative technique (NIT), a piece of malware, in an attempt to identify visitors to the site. This NIT relied on a "non-public" vulnerability in the Tor Browser, and grabbed a target's IP address, MAC address, and other basic system information. The FBI ended up hacking over 8,000 computers across the world, including over 1,000 in the US. Although much attention has been paid to affected cases in the US, there has been relatively little focus on the international legal ramifications. (Motherboard reported the FBI hacked computers in Australia, Austria, Chile, Colombia, Denmark, Greece, and likely the UK, Turkey and Norway too.)
In its brief, Privacy International argues that many of the same concerns around affected cases in the US extend to those outside of the country: at the time of the Playpen operation, Rule 41, which governs when judges can authorize searches, did not allow for searches outside of the judge's own district. The group adds that these sorts of international hacking operations, in which computers are targeted without the host country's permission, pose foreign relations risks. Such a move could lead to diplomatic conflict, or the possibility of breaking local laws. The brief points to a 2002 case, in which Russia's Federal Security Service (FSB) filed criminal charges against an FBI agent for remotely accessing and copying data from a Russian server. (Ahmed Ghappour, visiting assistant professor at UC Hastings College of Law, has made related arguments in a recent paper.) "How will other countries react to the FBI hacking in their jurisdictions without prior consent? Would the U.S. welcome hacking operations on a similar scale carried out on U.S. residents by other countries? Is the FBI violating the laws of foreign jurisdictions by hacking devices located in them?" Scarlet Kim, legal officer at Privacy International, wrote in a statement. However, things have shifted since the Playpen investigation. In December 2016, changes around remote searches came into effect. Today, US magistrate judges can sign global hacking warrants.

By Joseph Cox

https://motherboard.vice.com/en_us/article/activists-push-back-against-fbis-worldwide-hacking-operation
25. Try These Cool Android Smartphone Hacks And Get The Best Out Of Your Mobile

Here are some of the best Android smartphone hacking Apps

Android is undoubtedly the world's most popular mobile operating system. With over 1.5 billion users, Android is way ahead of iOS. Similarly, in the Apps space, Android hacking apps are also increasing. Many of these hacking Apps are meant for pros, but some can be useful to you as well. With such hacking Apps, you can remove unnecessary bloatware that takes up most of the internal storage. Other times, such a hacking App may help you remove irritating ads or allow you to access blocked system Apps. We bring you such hacking Apps which let you get the best out of your Android smartphone. Remember that most of these Apps require a rooted smartphone.

INCREASE RAM
Root your phone.
Download ROEHSOFT RAM EXPANDER from Google Play Store.
Convert the desired amount of SD card space into system swap RAM. This will make apps perform better when you have a lot of storage space on your SD card.

Wi-Fi WPS/WPA TESTER
Download the WIFI WPS/WPA Tester App from Google Play Store.
It lets you analyze your WiFi security and that of others in the vicinity and attempts to hack their password. It only hacks WPS-enabled WiFi networks.

REMOVE UNWANTED SYSTEM APPS OR BLOATWARE
Root your Android phone and download System app remover (ROOT) from Google Play Store.
Remove the many unwanted inbuilt Apps which you don't think are necessary from the internal storage of your Android phone.

HACKING HUB
Download the app Linux Deploy from Google Play Store. This installs a Linux operating system on your Android phone.
Then use Aircrack and other hacking Apps on your phone to hack WiFi and website passwords.

FREE STUFF
Root your phone.
Download and install the BusyBox App from Google Play Store.
Install the modded Play Store from Lucky Patcher.
With the Lucky Patcher App you hack in-App purchases and get free stuff or game coins.

ACCESS BLOCKED CONTENT
Download the CyberGhost App from Google Play Store.
Use it to connect to a VPN in a country of your choice. Now you can download apps from Google Play Store which are blocked in your country and also use websites, like torrent websites, that are blocked in your country.

BATTERY LIFE
Root your phone.
Download the Greenify App from Google Play Store.
Hibernate many user and system apps. Greenify allows you to hibernate apps so that they won't use battery and memory in the background. So, you can save battery life and RAM.

BUILD PROP EDITING
Most Android smartphones out there promise you 8MP images but in fact deliver only 6MP picture quality on an 8MP camera. If you are facing a similar issue, you can solve it using this hack. This also requires a rooted smartphone.
Download the BuildProp Editor App from Google Play Store.
Go to "add entry" and add Ro.ril.max.jpeg.quality, setting its value to 100 so it looks like Ro.ril.max.jpeg.quality = 100.
Once done, your 8MP smartphone camera will deliver 8MP images.

TUBEMOTE
Download Tubemote from Google Play Store.
Now you can download any and all online videos, not just from YouTube but from any website, in your desired resolution and quality at high speeds. You can also download just the mp3 or m4a sound files from videos.

ANDROID ID CHANGER
Root your phone.
Download the Android Device ID Changer App from Google Play Store.
Change your Android ID, which apps use to identify you, and restart the phone. Your Android smartphone now has a new Android ID.

DRIVEDROID
Download the Drivedroid App from Google Play Store.
Once installed, open the App and download a LINUX.iso file from the dropdown menu.
Burn this image on your phone and use it as a CD or USB drive to boot your PC.

KABOOM THE SELF DESTRUCTING APP
Download and install the Kaboom App from Google Play Store.
This App lets you control the photos and messages you post online. You can use this App to make the images and posts disappear at a set time.

FAKE LOCATION
Download the Fake Location GPS App from Google Play Store.
Go to Settings and tap on Build Number 7 times to unlock Developer Options.
Enable Mock Locations.
Open the Fake Location GPS app and set your location to any place in the world you wish.

Source