Saturday, 4 November 2017

Websites mining using users' CPU power – Cyber security research

Many of us are trying to make money online from home. One option is the websites that offer some software and tell you that if you keep it running you can earn money.

I do not care whether it works, but I want to show you something, so I will try it!
In my way!
I always use "Extract here" for a RAR archive… never double-click it!


As you can see, I now have a RAR archive and an application in my folder. I am still suspicious, so with a right-click on the application I will look at its properties… or more than that.



So my application is more than a simple .exe file: as you can see, there is another "Extract here" in the menu. That means the "application" is a 7-Zip SFX archive with 117 files in total.



Look at that… a lot of files, and somewhere among them is the real installer, EarnMoney.exe.
It is not OK, but let's install it!

It starts with some issues. I see it among the running applications in Process Hacker; it seems OK, but I have some problems during the installation process…

After some errors… I have it installed!



Let's start collecting some information!



The application is closed… but it still runs in the background, connected to:




TCP connections on port 443:
94.130.129.235
144.76.114.98

Is this strange? Wait…
Remember… the software is closed!!!
In the first minutes:
Total CPU usage: 4.30%
Application CPU: 0.00%
Private bytes: 28.32 MB



I reduce the CPU usage by closing some applications, and then…
Total CPU usage: 44.26%
Application CPU: 40.93%
Private bytes: 158.06 MB



Like every silent miner, it works better when you are not doing anything on your computer…
I wait to see changes… and here they are:
Total CPU usage: 44.93%
Application CPU: 41.43%
Private bytes: 234.56 MB



So here we are, at the end of this crazy money-making process.
Now you know… learn the basics to stay safe online!
Have fun & Stay safe!!!

Wednesday, 1 November 2017

Backdoored silent miner – Malware reversing

Today I found a new backdoored hacking tool to play with.
A new silent miner, made to infect some would-be "hackers" with a remote access tool.
The exe is bound together with some files so that it can work in the background.




taskhost.exe
  original filename: canhost.exe
  registry: HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY, value DISABLESECURITYSETTINGSCHECK
  command: netsh firewall add allowedprogram "%APPDATA%\taskhost.exe"
  domain: http://120988.myq-see.com
  address: 178.137.146.32 – Ukraine
  address: 41.226.243.30:1337
Temp1.exe
  PDB path: C:\Users\mourad\Documents\Visual Studio 2012\Projects\canhost\canhost\obj\Debug\canhost.pdb
  registry: HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY, value DISABLESECURITYSETTINGSCHECK
  command: netsh firewall add allowedprogram "%APPDATA%\taskhost.exe"
  domain: http://120988.myq-see.com
  address: 178.137.146.32 – Ukraine
  address: 41.226.243.30:1337
Temp2.exe
  original filename: BcnSilentminerBytcoin.exe
  mining pool: stratum+tcp://mine.p2pool.com:9327
  domain: http://www.bitcoin-adder.com
  PDB path: \visual studio 2012\Projects\Bcn Silent miner Bytcoin\Bcn Silent miner Bytcoin\obj\Debug\Bcn Silent miner Bytcoin.pdb
The antivirus engines… hmmm… 31/68 detections?!?

The Payload Security team was there too, and reported it in the forum where I found it!

Have fun & Stay safe!!!
Prodefence Team

Tuesday, 24 October 2017

Silent MinerGate miner reversed – Backdoored



I found some "free" software on the internet backdoored with that silent MinerGate miner, so this time I downloaded MinerGate itself to play with.
What did I find?
Surprise, surprise… I have a backdoored one!!!
svchost.exe – 66.176.134.167:2404
cykaa.duckdns.org / NS1.DUCKDNS.ORG
Strings pulled from the sample, partly garbled as extracted:
getcamsi’N|mc$A{n
startcam1Fd
OpenCamera
Dhrefox StoredLogins
\key3.db
\logins./Q}d
[Firefox StoredLogi;Z5fj;
[Firefox Cookie0
tehwCzgokds & stored logins!]
pwgrab
autopswd$Rs
Downloading file: … and more.
So… why does this MinerGate try to steal from me and control my computer?!?
Have fun & Stay safe!!!

Fake bitcoin wallet stealer – Silent miner backdoor – Reverse

I found another piece of backdoored software. This one was made for those who want to become hackers… or to make some easy money.
Found on Youtube.com with the search "Bitcoin stealer".
How to use it… the uploader helps you:

  • Password: Techup
  • Disable antivirus (of course, it is a hack)
  • Key
  • Connection server
  • Add your wallet
  • Use proxy
  • Accept the terms
  • Check that the program is up to date

All you have to do is download it, run it, and you become a rich guy…
We will not double-click the .exe file (it looks like a .exe)… or, better said, this SFX RAR archive?!?
Let's look at the archive with a right-click and Properties!
I do not like this SILENT=1. LOL. If we do not run the ".exe", the backdoor will not run in the background, so let's extract it… and surprise… there is more than one file, including the backdoor files:
winhlp32.exe
Isass.exe
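Both this post and the "Websites mining" post above came down to the same check: the thing that looks like an .exe is an SFX stub with an archive glued on behind the PE sections, and the SFX script decides what runs after extraction. As an added example (not the blog's own tooling), here is a Python triage script that locates the PE overlay, looks for a RAR or 7-Zip signature there and pulls out the script directives (Setup=, Silent=, RunProgram= and friends). The sample it runs on is constructed in build_sample(): a minimal PE stub with a RAR4 signature and an SFX script appended; the directive names are WinRAR's and 7-Zip's, while the file names in the sample are assumptions.

```python
import re
import struct
from typing import Dict, Optional

# Magic numbers of the archive formats the common Windows SFX stubs wrap.
ARCHIVE_SIGNATURES = {
    b"Rar!\x1a\x07\x01\x00": "RAR5",
    b"Rar!\x1a\x07\x00": "RAR4",
    b"7z\xbc\xaf\x27\x1c": "7-Zip",
}

# Directives of a WinRAR SFX script (Setup=, Silent=, ...) and of a 7-Zip SFX
# config block (RunProgram=, ExecuteFile=, ...). A value runs to end of line.
SFX_DIRECTIVE = re.compile(
    rb"(?<![A-Za-z])(Setup|Silent|Path|Overwrite|TempMode|Title|Update|"
    rb"RunProgram|ExecuteFile|InstallPath)=([^\r\n\x00]*)"
)


def pe_overlay_offset(data: bytes) -> Optional[int]:
    """Offset of the first byte after the last PE section (the 'overlay').
    An SFX stub keeps its archive there. Returns None if data is not a PE."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_opt            # section table follows the optional header
    end = 0
    for i in range(num_sections):
        entry = table + i * 40                   # IMAGE_SECTION_HEADER is 40 bytes
        if entry + 40 > len(data):
            return None
        raw_size, raw_ptr = struct.unpack_from("<II", data, entry + 16)  # SizeOfRawData, PointerToRawData
        end = max(end, raw_ptr + raw_size)
    return end


def triage(data: bytes) -> Dict[str, object]:
    """Report whether a PE carries an appended archive and what its SFX script would do."""
    report: Dict[str, object] = {
        "is_pe": False, "overlay_offset": None, "archive": None,
        "sfx_script": {}, "runs_program": False, "silent": False,
    }
    overlay = pe_overlay_offset(data)
    if overlay is None:
        return report
    report["is_pe"] = True
    report["overlay_offset"] = overlay
    tail = data[overlay:]
    for magic, name in ARCHIVE_SIGNATURES.items():
        pos = tail.find(magic)
        if pos != -1:
            report["archive"] = name
            report["archive_offset"] = overlay + pos
            break
    # The script is plain text inside the overlay (WinRAR stores it as the archive comment).
    script = {key.decode(): value.strip().strip(b'"').decode(errors="replace")
              for key, value in SFX_DIRECTIVE.findall(tail)}
    report["sfx_script"] = script
    report["runs_program"] = any(k in script for k in ("Setup", "RunProgram", "ExecuteFile"))
    report["silent"] = script.get("Silent") == "1"
    return report


def build_sample() -> bytes:
    """Constructed stand-in for the SFX seen in this post: a minimal PE stub with one
    padding-only .text section, then a RAR4 signature and an SFX script appended."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                               # e_lfanew
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    optional = bytes(0xE0)                                                 # zeroed optional header
    section = b".text\x00\x00\x00" + struct.pack(
        "<IIIIIIHHI", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + coff + optional + section).ljust(0x200, b"\x00")
    stub = headers + b"\xcc" * 0x200                                       # section body: padding, not code
    script = b"Path=%TEMP%\r\nSetup=winhlp32.exe\r\nSilent=1\r\nOverwrite=1\r\n"  # assumed directives
    return stub + b"Rar!\x1a\x07\x00" + bytes(32) + script


if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(f"{key}: {value}")
```

On a real file, pass its bytes to triage(). Two caveats: many legitimate installers are also SFX archives, so Setup= alone is not a verdict, only Silent=1 together with a program to run is the pattern the post complains about; and signed executables carry an Authenticode overlay that is not an archive, which is why the report distinguishes "has an overlay" from "has an archive signature".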

After reversing the backdoor files I found this:
C:/Users/user/Documents/projects/minergate.app/sources/cudaminer/src/cuda_cryptonight_core.cu
… so what about this MinerGate?!?
With this lovely usage:
Usage:
minergate-cli [-version] -user <email> [-proxy <url>] -<currency> <threads> [<gpu intensity>] [-<currency> <threads> [<gpu intensity>] …] [-o <pool> -u <login> [-t <threads>] [-i <gpu intensity>]]
And so many options:
Options:
-user <email>        account email from minergate.com
-proxy <url>         proxy server URL. Supports only socks protocols (for example: socks://192.168.0.1:1080)
-<currency>          possible values: bcn xmr qcn xdn fcn mcn aeon dsh inf8 <mm_cc>+bcn <mm_cc>+xmr <mm_cc>+qcn <mm_cc>+xdn <mm_cc>+aeon <mm_cc>+dsh. Where <mm_cc> is fcn or mcn
<threads>            threads count for specified currency
<gpu intensity>      GPU mining intensity (NVidia only) (values range: 1..4. Recommended: 2)
-o <pool>            mining pool URL
-u <login>           mining pool login
-t <threads>         CPU threads count
-i <gpu intensity>   GPU mining intensity
Connecting to: h**ps://minergate.com
It seems that we have a nicely backdoored piece of software.
After you run it, a silent miner is installed in the background, and in front of you a nice error like this appears:
Blockchain Wallet Stealer 2017\message.vbs
x=msgbox("Hardware is not compatible, try on another PC or restart and run with disabled antivirus.", 0+16, "Error")
If you do not understand: you download this software, after the first run an error message appears and it does not work, but in the background a virus has already been installed.
This time the virus is a silent miner that will make your computer work for some hacker, helping him make some bitcoins.
The YouTube channel Teck up has more videos like this one… and all of them carry this backdoor.

Have fun & Stay safe!!!

Sunday, 22 October 2017

The secret spy agency is releasing a malware-fighting tool for free

Canada’s electronic spy agency says it is taking the “unprecedented step” of releasing one of its own cyber defence tools to the public, in a bid to help companies and organizations better defend their computers and networks against malicious threats.
The Communications Security Establishment (CSE) rarely goes into detail about its activities — both offensive and defensive — and much of what is known about the agency’s activities has come from leaked documents obtained by U.S. National Security Agency whistleblower Edward Snowden and published in recent years.
But as of late, CSE has acknowledged it needs to do a better job of explaining to Canadians exactly what it does. Today, it is pulling back the curtain on an open-source malware analysis tool called Assemblyline that CSE says is used to protect the Canadian government’s sprawling infrastructure each day.
“It’s a tool that helps our analysts know what to look at, because it’s overwhelming for the number of people we have to be able to protect things,” Scott Jones, who heads the agency’s IT security efforts, said in an interview with CBC News.

‘Super secret spy’ reputation

On the one hand, open sourcing Assemblyline’s code is a savvy act of public relations, and Jones readily admits the agency is trying to shed its “super secret spy agency” reputation in the interest of greater transparency.
But on the other, the agency is acknowledging that, given the widening range of digital threats affecting Canadians and Canadian businesses, it believes it has a more public role to play in cyber defence than it has in the past.
“This is something new for CSE,” he says. It’s a fact not lost on longtime agency observers.
“They’re pushing the envelope in a way they haven’t quite before,” said Bill Robinson, an independent researcher who has studied CSE’s activities for more than two decades, and recently joined the University of Toronto’s Citizen Lab as a fellow. “It’s a big change, a sea change for them in that way.”
The step may be unprecedented for CSE, but not for its partners in the Five Eyes — an intelligence-sharing alliance involving Australia, Canada, New Zealand, the United Kingdom and the United States.
Both the NSA and the U.K.’s Government Communications Headquarters (GCHQ) have maintained active projects on the code sharing repository GitHub in recent years.

‘A gift’ for companies

Assemblyline is described by CSE as akin to a conveyor belt: files go in, and a handful of small helper applications automatically comb through each one in search of malicious clues. On the way out, every file is given a score, which lets analysts sort old, familiar threats from the new and novel attacks that typically require a closer, more manual approach to analysis.
“There’s only so many ways you can hide malware within a Word document,” said John O’Brien, who leads the development of the tool, which first started in 2010. “So by looking for the hallmark of that type of an attack, that can give us an indication that there’s something in here that’s just off.”
Cybersecurity researcher Olivier Bilodeau says although there is overlap between Assemblyline and existing tools, CSE’s contribution is that it has cobbled together many of the tools that malware researchers already use into one platform, like a Swiss Army Knife for malware analysis that anyone can modify and improve. And it has demonstrated that Assemblyline can scale to handle networks as large as the government’s.
Bilodeau — who leads cybersecurity research at the Montreal security company GoSecure, and has developed a malware research toolbox of his own — says those attributes could make it easier for large organizations such as banks to do more of the kind of specialized work that his company does.
“They usually spend a lot of time fighting the malware, but not a lot of time investing in malware fighting infrastructure,” he said. “So this is definitely a gift for them.”

Spying on spies

The possibility that CSE’s own tool could be used to detect spy software of its own design, or that of its partners, is not lost on the agency.
“Whatever it detects, whether it be cybercrime or [nation] states, or anybody else that are doing things — well that’s a good thing, because it’s made the community smarter in terms of defence,” said Jones.
Nor does he believe that releasing Assemblyline to the public will make it easier for adversaries to harm the government, or understand how CSE hunts for threats — quite the opposite, in fact.
“We believe that the benefits far outweigh any risks and that we can still use this to be ahead of the threat that’s out there.”


Source

Saturday, 21 October 2017

A New IoT Botnet Storm is Coming

  • A massive Botnet is forming to create a cyber-storm that could take down the internet.
  • An estimated million organizations have already been infected.
  • The Botnet is recruiting IoT devices such as IP Wireless Cameras to carry out the attack.
New cyber-storm clouds are gathering. Check Point researchers have discovered a brand new botnet that is evolving and recruiting IoT devices at a far greater pace, and with more potential for damage, than the Mirai botnet of 2016.
IoT Botnets are Internet connected smart devices which have been infected by the same malware and are controlled by a threat actor from a remote location. They have been behind some of the most damaging cyberattacks against organizations worldwide, including hospitals, national transport links, communication companies and political movements.
While some technical aspects lead us to suspect a possible connection to Mirai, this is an entirely new and far more sophisticated campaign that is rapidly spreading worldwide. It is too early to guess the intentions of the threat actors behind it, but with previous Botnet DDoS attacks essentially taking down the Internet, it is vital that organizations make proper preparations and defense mechanisms are put in place before an attack strikes.
Ominous signs were first picked up via Check Point’s Intrusion Prevention System (IPS) in the last few days of September. An increasing number of attempts were being made by hackers to exploit a combination of vulnerabilities found in various IoT devices.
With each passing day the malware was evolving to exploit an increasing number of vulnerabilities in wireless IP camera devices from vendors such as GoAhead, D-Link, TP-Link, AVTECH, NETGEAR, MikroTik, Linksys, Synology and others. It soon became apparent that the attempted attacks were coming from many different sources and a variety of IoT devices, meaning the attack was being spread by the IoT devices themselves.

So far we estimate over a million organizations have already been affected worldwide, including the US, Australia and everywhere in between, and the number is only increasing.
Our research suggests we are now experiencing the calm before an even more powerful storm. The next cyber hurricane is about to come.
For deeper analysis on the rise of this new IoT Botnet, please see the full research publication on our Research Blog.

Source

Thursday, 19 October 2017

The KRACK attack – An Earthquake for Wi-Fi Security

A group of security researchers has discovered several serious key management vulnerabilities in the core of the Wi-Fi Protected Access II (WPA2) protocol that could be exploited by an attacker to break into Wi-Fi networks and eavesdrop on Internet connections. The attacks can steal sensitive information such as credit card numbers, passwords, chat messages, emails, and pictures.
The flaws were found by the Belgian researcher Mathy Vanhoef of imec-DistriNet, KU Leuven, who published a detailed paper (titled “Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2”) that described an attack method dubbed KRACK attack (Key Reinstallation Attack).

The hacking technique devised by the researchers works against almost any WPA2 Wi-Fi network, because the issues reside in the WPA2 standard itself and not in the various implementations, meaning that WPA2 itself has been compromised.
The impact could be serious for both companies and home users: any working implementation of WPA2 is likely affected. The only limitation is that an attacker needs to be within range of a victim to exploit the weaknesses.
“We discovered serious weaknesses in WPA2, a protocol that secures all modern protected Wi-Fi networks. An attacker within range of a victim can exploit these weaknesses using key reinstallation attacks (KRACKs),” states a post published by Vanhoef. “Concretely, attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted. This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-Fi networks.”
The KRACK attack allows attackers to decrypt Wi-Fi users’ traffic without cracking or knowing the password; the experts highlighted that, depending on the network configuration, it is also possible to inject and manipulate data. An attacker can carry out a KRACK attack to inject malware such as ransomware or other malicious code into websites.
The researchers explained the KRACK attack works against:
  • Both WPA1 and WPA2,
  • Personal and enterprise networks,
  • Ciphers WPA-TKIP, AES-CCMP, and GCMP
When the researchers started their tests on the hacking technique, they discovered that the vulnerabilities affect various operating systems, computers and devices such as Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys.
CERT/CC published a detailed list of the devices affected by some variant of the attacks.
The KRACK attack works by exploiting the 4-way handshake of the WPA2 protocol, which is used to establish a key for encrypting traffic.
This handshake is executed every time a client joins a protected Wi-Fi network; it is the mechanism used to confirm that both the client and the access point possess the correct credentials (e.g., the pre-shared password of the network). The 4-way handshake is also used to negotiate a fresh encryption key that will be used to encrypt all subsequent traffic.
“When the victim reinstalls the key, associated parameters such as the incremental transmit packet number (i.e., nonce) and receive packet number (i.e., replay counter) are reset to their initial value,” explained Vanhoef. “Essentially, to guarantee security, a key should only be installed and used once. Unfortunately, we found the WPA2 protocol does not guarantee this. By manipulating cryptographic handshakes, we can abuse this weakness in practice.”

The KRACK attack relies on the attacker’s ability to trick victims into reinstalling an already-in-use key, which is achieved by manipulating and replaying cryptographic handshake messages.
The experts demonstrated how to execute the key reinstallation attack against an Android smartphone to decrypt a transmission over a protected WiFi.
The researchers explained that the KRACK attack is exceptionally effective against Linux and Android 6.0 or higher, because these can be tricked into installing an all-zero encryption key, which makes decrypting all of the client’s traffic trivial.
“For an attacker, this is easy to accomplish because our key reinstallation attack is exceptionally devastating against Linux and Android 6.0 or higher. This is because Android and Linux can be tricked into (re)installing an all-zero encryption key (see below for more info). When attacking other devices, it is harder to decrypt all packets, although a large number of packets can nevertheless be decrypted. In any case, the following demonstration highlights the type of information that an attacker can obtain when performing key reinstallation attacks against protected Wi-Fi networks.” explained the expert.
“Although websites or apps may use HTTPS as an additional layer of protection, we warn that this extra protection can (still) be bypassed in a worrying number of situations.”

Below is the video PoC of the KRACK attack shared by the researchers:
“Adversaries can use this attack to decrypt packets sent by clients, allowing them to intercept sensitive information such as passwords or cookies.” the researcher said.
“Decryption of packets is possible because a key reinstallation attack causes the transmit nonces (sometimes also called packet numbers or initialization vectors) to be reset to zero. As a result, the same encryption key is used with nonce values that have already been used in the past.”
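To make the nonce-reuse argument concrete, here is an added Python model (not the researchers' script and not wpa_supplicant code) of the client side of the handshake reduced to what KRACK abuses: installing the PTK resets the transmit packet number, and a replayed message 3 makes a vulnerable client install it again, while a patched client refuses to reinstall a key it already has. AES-CTR as used inside CCMP is replaced by an HMAC-SHA256 counter keystream so the example runs with the standard library only; the property demonstrated, that the same key and packet number give the same keystream, is the same. The two HTTP requests are constructed, and the `zero_key_bug` flag models the all-zero-key behaviour the article attributes to Linux and Android 6.0+.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Constructed frames for the demonstration (not captured traffic).
SECRET_REQUEST = b"GET /account HTTP/1.1\r\nCookie: session=c0ffee-secret-42\r\n"
KNOWN_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n\r\n"


def keystream(key: bytes, packet_number: int, length: int) -> bytes:
    """Counter-mode keystream derived from (key, packet number), block by block.
    Stand-in for AES-CTR inside CCMP: HMAC-SHA256 so only the standard library
    is needed. Same key + same packet number -> identical keystream."""
    out = b""
    block = 0
    while len(out) < length:
        nonce = packet_number.to_bytes(6, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, nonce, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Client:
    """Supplicant state reduced to what KRACK abuses."""

    def __init__(self, patched: bool, zero_key_bug: bool = False):
        self.patched = patched
        self.zero_key_bug = zero_key_bug
        self.ptk: Optional[bytes] = None
        self.tx_pn = 0  # transmit packet number: the CCMP nonce

    def on_msg3(self, ptk: bytes) -> None:
        """Message 3 of the 4-way handshake. The AP retransmits it when it does
        not see message 4, and an attacker can replay that retransmission."""
        if self.ptk is not None:
            if self.patched:
                return  # key already installed: acknowledge, but do not reinstall
            if self.zero_key_bug:
                ptk = bytes(len(ptk))  # the all-zero-key case described for Linux/Android
        self.ptk = ptk
        self.tx_pn = 0  # (re)installation resets the packet number

    def send(self, plaintext: bytes) -> Tuple[int, bytes]:
        assert self.ptk is not None, "no key installed"
        self.tx_pn += 1
        return self.tx_pn, xor(plaintext, keystream(self.ptk, self.tx_pn, len(plaintext)))


def recover_with_known_plaintext(c1: bytes, c2: bytes, known_p2: bytes) -> bytes:
    """If both frames used the same keystream, c1 XOR c2 == p1 XOR p2."""
    n = min(len(c1), len(c2), len(known_p2))
    return xor(xor(c1[:n], c2[:n]), known_p2[:n])


def krack_demo(patched: bool, zero_key_bug: bool = False) -> Dict[str, object]:
    ptk = hashlib.sha256(b"constructed PTK for the demo").digest()[:16]
    client = Client(patched, zero_key_bug)
    client.on_msg3(ptk)                  # handshake completes normally
    pn1, c1 = client.send(SECRET_REQUEST)
    client.on_msg3(ptk)                  # attacker replays message 3
    pn2, c2 = client.send(KNOWN_REQUEST)
    recovered = recover_with_known_plaintext(c1, c2, KNOWN_REQUEST)
    result: Dict[str, object] = {
        "packet_numbers": (pn1, pn2),
        "packet_number_reset": pn1 == pn2,
        "recovered": recovered,
        "leaked": recovered == SECRET_REQUEST[: len(recovered)],
    }
    if zero_key_bug:
        # No known plaintext needed: every frame after the replay is under a zero key.
        result["zero_key_plaintext"] = xor(c2, keystream(bytes(16), pn2, len(c2)))
    return result


if __name__ == "__main__":
    for label, patched, zero in (("vulnerable", False, False),
                                 ("patched", True, False),
                                 ("all-zero key", False, True)):
        r = krack_demo(patched, zero)
        print(f"{label:13} packet numbers {r['packet_numbers']}: "
              + ("secret recovered" if r["leaked"] else "secret not recovered"))
```

The vulnerable run shows why the group and FT handshakes in the CVE list below matter just as much as the 4-way one: any path that calls the key-install routine a second time brings the packet number back to zero, and the attacker does not need the key, only two frames under the same (key, nonce) pair and one of their plaintexts. The patched behaviour is simply "an installed key is never installed again", which is what the hostapd/wpa_supplicant fixes mentioned later implement.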
As perfectly summarized by Sean Gallagher on Ars Technica, depending on the type of handshake mechanism used between the devices and the Access Point the KRACK attack can do varying levels of damage:
  • For connections using AES and the Counter with CBC-MAC Protocol (AES-CCMP), an attacker can exploit the vulnerabilities to decrypt the traffic and inject content into TCP packet streams. In this attack scenario the attacker cannot break or forge the key and cannot join the network, but must use a “cloned” access point with the same MAC address as the access point of the targeted network, on a different Wi-Fi channel.
  • For WPA2 systems using the Temporal Key Integrity Protocol (TKIP), the Message Integrity Code key can be recovered by the attacker. The attacker can replay captured packets to the network, forge and transmit new packets to the targeted client posing as the access point.
  • For devices that use the Galois/Counter Mode Protocol (GCMP), the attack is the worst: “It is possible to replay and decrypt packets,” Vanhoef and Piessens wrote. “Additionally, it is possible to recover the authentication key, which in GCMP is used to protect both communication directions [as client or access point]… therefore, unlike with TKIP, an adversary can forge packets in both directions.” That means that the attacker can essentially join the network and pretend to be a client or the access point, depending on the type of access they want. “Given that GCMP is expected to be adopted at a high rate in the next few years under the WiGig name, this is a worrying situation,” the researchers noted.
Below is the full list of vulnerabilities discovered in the WPA2 protocol.
  • CVE-2017-13077: Reinstallation of the pairwise encryption key (PTK-TK) in the 4-way handshake.
  • CVE-2017-13078: Reinstallation of the group key (GTK) in the 4-way handshake.
  • CVE-2017-13079: Reinstallation of the integrity group key (IGTK) in the 4-way handshake.
  • CVE-2017-13080: Reinstallation of the group key (GTK) in the group key handshake.
  • CVE-2017-13081: Reinstallation of the integrity group key (IGTK) in the group key handshake.
  • CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT) Reassociation Request and reinstalling the pairwise encryption key (PTK-TK) while processing it.
  • CVE-2017-13084: Reinstallation of the STK key in the PeerKey handshake.
  • CVE-2017-13086: Reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake.
  • CVE-2017-13087: Reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
  • CVE-2017-13088: Reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
The researchers discovered the vulnerabilities last year and reported them to the affected vendors on July 14; the US-CERT also issued an alert to hundreds of vendors on 28 August 2017.
“US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others. Note that as protocol-level issues, most or all correct implementations of the standard will be affected. The CERT/CC and the reporting researcher KU Leuven will be publicly disclosing these vulnerabilities on 16 October 2017.” the US-CERT warned.
How to protect affected devices?
Users have to wait for firmware updates from their device vendors; security patches for Linux’s hostapd (host access point daemon) and wpa_supplicant have already been released.
The use of a VPN and other anonymizing techniques can offer a supplementary level of protection to communications.
“This sounds bad. However, a significant amount of the risk would be mitigated for services that use strong encryption at the transport or application layer (such as TLS, HTTPS, SSH, PGP) as well as applications secured by encrypted VPN protocols,” the crypto expert Arnold KL Yau told El Reg.
“Despite this, however, the ability to decrypt Wi-Fi traffic could still reveal unique device identifiers (MAC addresses) and massive amounts of metadata (websites visited, traffic timing, patterns, amount of data exchanged, etc.) which may well violate the privacy of the users on the network and provide valuable intelligence to whoever’s sitting in the black van.”

The research team plans to release a tool that will allow users to verify if their Wi-Fi network is vulnerable to the KRACK attack.
“We have made scripts to detect whether an implementation of the 4-way handshake, group key handshake, or Fast BSS Transition (FT) handshake is vulnerable to key reinstallation attacks. These scripts will be released once we had the time to clean up their usage instructions,” concluded the expert.
“We also made a proof-of-concept script that exploits the all-zero key (re)installation present in certain Android and Linux devices. This script is the one that we used in the demonstration video. It will be released once everyone had a reasonable chance to update their devices (and we have had a chance to prepare the code repository for release).”

The experts will present their findings at the Computer and Communications Security (CCS) conference and the Black Hat Europe conference.

References

http://securityaffairs.co/wordpress/64373/breaking-news/wpa-krack-attack.html
https://www.krackattacks.com/
https://papers.mathyvanhoef.com/ccs2017.pdf
https://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=228519&SearchOrder=4
https://www.theregister.co.uk/2017/10/16/wpa2_krack_attack_security_wifi_wireless/
https://arstechnica.com/information-technology/2017/10/how-the-krack-attack-destroys-nearly-all-wi-fi-security/



Source: infosecinstitute

The Pirate Bay Caught Secretly Running Cryptocurrency Miner Again


In September 2017, we reported that The Pirate Bay (TPB) was running a cryptocurrency miner provided by CoinHive. The code used visitors’ CPU time to generate Monero digital coins without informing them or allowing them to opt in or opt out.
In reply, TPB claimed, “the miner is being tested for a short period (~24 hours) as a new way to generate revenue.”

Another one

But now, another researcher has revealed that TPB is using yet another cryptocurrency miner to generate Monero digital coins without alerting users or giving them the option of allowing the site to use their CPU or not.
According to Nic Carter, a financial and digital currency specialist, The Pirate Bay is mining Monero using crypto-loot, a new software that offers similar services as CoinHive. “The Pirate Bay is mining Monero in user’s browsers again, this time using crypto-loot (12% rake) rather than coinhive (30% rake),” tweeted Carter.

CloudFlare is booting off such sites

Remember, last week CloudFlare booted off the torrent website ProxyBunker for secretly running a cryptocurrency miner. In its reply to ProxyBunker, CloudFlare stated that the site ran “Coinhive mining code without notifying users. … We consider this to be malware, and as such, the account was suspended, and all domains removed from CloudFlare.”
However, since The Pirate Bay also uses CloudFlare’s DDoS protection, it could be only a matter of time before the firm decides to boot the site off for mining digital currency without informing users.
“They’re doing it without informing users, a violation of CloudFlare’s TOS. Could see this escalated into a serious wrangle with CloudFlare,” Carter further explained.

Who else was caught doing it?

Currently, the trend of using cryptocurrency miners is increasing, so a number of websites are signing up for the code. Two domains owned by CBS Corporation’s premium cable network Showtime were also caught mining cryptocoins without notifying users.
Although still a rare practice, if adopted widely on a long-term basis it might replace ads for good, as advertisements can be malicious and annoying at times. However, the fact that it hijacks computers for crypto mining is deeply concerning for users; website owners should therefore let users choose whether they want the site to use their CPU for mining or not.
Here is an example screenshot HackRead was able to grab showing what it looks like when a site decides to inform users about mining cryptocurrency:
If you know of a site secretly running a cryptocurrency miner, share it with us in the comments section.



Source: hackread

MS Office Built-in Feature Allows Malware Execution Without Macros Enabled


Since new forms of cybercrime are on the rise, traditional techniques seem to be shifting towards more clandestine ones that involve the exploitation of standard system tools and protocols, which are not always monitored. Security researchers at Cisco’s Talos threat research group have discovered one such attack campaign spreading malware-equipped Microsoft Word documents that perform code execution on the targeted device without requiring macros to be enabled or any memory corruption.
This macro-less code execution technique in MS Word, described in detail on Monday by two security researchers from SensePost, Etienne Stalmans and Saif El-Sherei, leverages a built-in feature of MS Office called Dynamic Data Exchange (DDE) to perform code execution.
Dynamic Data Exchange (DDE) is one of several methods Microsoft provides for two running applications to share data. The protocol can be used by applications for one-time data transfers and for continuous exchanges in which apps send updates to one another as new data becomes available.
Thousands of applications use the DDE protocol, including Microsoft Excel, MS Word, Quattro Pro, and Visual Basic. The exploitation technique the researchers describe displays no “security” warnings to victims, except asking them whether they want to execute the application specified in the command; this popup alert could also be eliminated “with proper syntax modification,” the researchers say.
The duo has also provided a proof-of-concept video demonstrating the technique.

MS Word DDE Attack Being Actively Exploited In the Wild

As described by Cisco researchers, this technique was found actively being exploited in the wild by hackers to target several organisations using spear phishing emails, which were spoofed to make them look as if they’re sent by the Securities and Exchange Commission (SEC) and convince users into opening them.
“The emails themselves contained a malicious attachment [MS Word] that when opened would initiate a sophisticated multi-stage infection process leading to infection with DNSMessenger malware,” reads a blog post published by Talos researchers.
Earlier, in March, Talos researchers found attackers distributing DNSMessenger, a completely fileless remote access trojan (RAT) that uses DNS queries to run malicious PowerShell commands on compromised computers.
Once opened, victims are prompted with a message informing them that the document contains links to external files, asking them to allow or deny the content to be retrieved and displayed. If allowed, the malicious document communicates with attacker-hosted content to retrieve code that is executed to initiate the DNSMessenger infection.
“Interestingly, the DDEAUTO field used by this malicious document retrieved code that the attacker had initially hosted on a Louisiana state government website, which was seemingly compromised and used for this purpose,” the researchers say.

How to Protect Yourself And Detect MS Word DDE Attacks

What’s more worrying? Microsoft does not consider this a security issue; according to the company, the DDE protocol is a feature that cannot be removed, but the warning alerts shown to users could be improved in the future.
Although there is no direct way to disable DDE code execution, users can proactively monitor system event logs to check for possible exploitation.
Besides this, the researchers at NVISO Labs have also shared two YARA rules to detect the DDE vector in Office Open XML files.
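As an added example (not the NVISO YARA rules or the Talos sample the article refers to), here is a Python check for the DDE vector in Office Open XML: it opens the .docx container, collects the field codes from the document, header, footer, footnote, endnote and comment parts, joins the instrText runs that Word is free to split across several `<w:r>` elements (which is also where obfuscated samples hide the keyword), and flags any field whose code contains DDE or DDEAUTO. Both documents it scans are constructed inside the block, and the `cmd.exe /k calc.exe` field in the malicious one is a harmless stand-in payload, an assumption of the example.

```python
import io
import re
import zipfile
from html import unescape
from typing import Dict, List

# A field code that starts a DDE link, however the run is split or padded.
DDE_FIELD = re.compile(r"\bDDE(?:AUTO)?\b", re.I)
# WordprocessingML parts that can carry fields.
PARTS_TO_SCAN = re.compile(r"^word/(?:document|header\d*|footer\d*|footnotes|endnotes|comments)\.xml$")


def field_codes(xml: str) -> List[str]:
    """Return every field code in one part: fldSimple instr attributes, plus the
    joined instrText runs of each complex field (fldChar begin ... end)."""
    codes = [unescape(m) for m in re.findall(r'<w:fldSimple\b[^>]*\bw:instr="([^"]*)"', xml)]
    complex_fields = re.findall(
        r'<w:fldChar\b[^>]*w:fldCharType="begin"[^>]*>(.*?)<w:fldChar\b[^>]*w:fldCharType="end"',
        xml, re.S)
    for body in complex_fields:
        runs = re.findall(r"<w:instrText\b[^>]*>(.*?)</w:instrText>", body, re.S)
        if runs:
            codes.append(unescape("".join(runs)))   # runs may split "DDE" from "AUTO" or the command
    return codes


def scan_docx(docx_bytes: bytes) -> Dict[str, List[str]]:
    """Map part name -> list of DDE field codes found in it (empty dict when clean)."""
    hits: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as archive:
        for name in archive.namelist():
            if not PARTS_TO_SCAN.match(name):
                continue
            xml = archive.read(name).decode("utf-8", errors="replace")
            dde = [code.strip() for code in field_codes(xml) if DDE_FIELD.search(code)]
            if dde:
                hits[name] = dde
    return hits


def build_docx(document_xml: str) -> bytes:
    """Constructed minimal .docx container holding one document part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", document_xml)
    return buf.getvalue()


W_NS = 'xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'

# Constructed: the DDEAUTO field split over three instrText runs, with a decoy
# result text, the shape of the documents the article describes.
MALICIOUS_DOCUMENT_XML = (
    f'<w:document {W_NS}><w:body><w:p>'
    '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> DDEAUTO </w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve">c:\\\\windows\\\\system32\\\\cmd.exe </w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve">&quot;/k calc.exe&quot; </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    '<w:r><w:t>Hardware is not compatible</w:t></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
    '</w:p></w:body></w:document>'
)

# Constructed: an ordinary document with a page-number field only.
BENIGN_DOCUMENT_XML = (
    f'<w:document {W_NS}><w:body><w:p>'
    '<w:fldSimple w:instr=" PAGE \\* MERGEFORMAT "><w:r><w:t>1</w:t></w:r></w:fldSimple>'
    '<w:r><w:t>Quarterly report</w:t></w:r>'
    '</w:p></w:body></w:document>'
)


if __name__ == "__main__":
    for label, xml in (("malicious", MALICIOUS_DOCUMENT_XML), ("benign", BENIGN_DOCUMENT_XML)):
        print(label, scan_docx(build_docx(xml)) or "clean")
```

Limitations worth knowing before relying on it: binary .doc files are not a zip container and are not covered, nested fields (a field inside another field's result) stop at the first end marker, and variants that assemble the command out of other field types at render time need a real field parser, so treat this as one signal next to the event-log monitoring the article mentions rather than a complete filter.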
The best way to protect yourself from such malware attacks is always to be suspicious of any uninvited document sent via an email and never click on links inside those documents unless properly verifying the source.



Source: thehackernews

Wednesday, 11 October 2017

Hacking the Election: Security Flaws Need Fixing, Researchers Say

Hackers could have easily infiltrated US voting machines in 2016 and are likely to try again in light of vulnerabilities in electronic polling systems, a group of researchers said Tuesday.

A report with detailed findings from a July hacker conference, which demonstrated how voting machines could be manipulated, concluded that numerous vulnerabilities exist, posing a national security threat.
The researchers analyzed the results of the “voting village” hacking contest at the DefCon gathering of hackers in Las Vegas this year, which showed how ballot machines could be compromised within minutes.
“These machines were pretty easy to hack,” said Jeff Moss, the DefCon founder who presented the report at the Atlantic Council in Washington. “The problem is not going away. It’s only going to accelerate.”
The report said the DefCon hack was just the tip of the iceberg — with potential weaknesses in voter databases, tabulating software and other parts of the system.
The researchers said most voting machines examined included at least some foreign-manufactured parts, raising the possibility that malware could be introduced even before the devices are delivered.
“This discovery means that a hacker’s point-of-entry into an entire make or model of voting machine could happen well before that voting machine rolls off the production line,” the report said.
“With an ability to infiltrate voting infrastructure at any point in the supply chain process, then the ability to synchronize and inflict large-scale damage becomes a real possibility.”
– No certainty on 2016 –
Harri Hursti, a researcher with Nordic Innovation Labs and a co-author of the report, said it’s impossible to say with certainty if votes were tampered with in 2016 because many systems “don’t have the capacity” to be audited.
The report said five US states operate entirely on paperless systems which have no paper trail to be reviewed and another nine states are partially paperless.
“The only way to know is if the hacker tells you,” he said, adding that “it can be done without leaving tracks.”
Douglas Lute, former US ambassador to NATO who presented the report, wrote in a foreword to the report that the findings highlight “a serious national security issue that strikes at the core of our democracy.”
Although some researchers in the past have shown individual machines could be breached, this report suggests a range of vulnerabilities across a range of hardware, software and databases.
“What the report shows is that if relative rookies can hack a voting system so quickly, it is difficult to deny that a nefarious actor — like Russia — with unlimited time and resources, could not do much greater damage,” said University of Chicago cybersecurity instructor Jake Braun, another co-author.
The threat becomes all the more grave “when you consider they could hack an entire line of voting machines, remotely and all at once via the supply chain,” he added.
In presenting the findings, the researchers said members of the DefCon hacker community would work with academics and security researchers in a new coalition aimed at improving election security.


Source: securityweek

Tuesday, 10 October 2017

Hackers are compromising websites to mine cryptocoins via user’s CPU


For the last couple of weeks, the practice of inserting cryptocurrency-mining code into websites has been growing like never before. What should worry visitors is that the code uses their computers to do the mining.
Recently Trend Micro, a cybersecurity firm, discovered that hackers are compromising charity, school and file-sharing websites with code that lets the site use visitors' CPUs to generate cryptocurrency.
The code turns each visitor's computer into a miner: the more computers, the faster the digital currency is generated and the more money the attacker makes. The visitor is left with a slower machine and a higher electricity bill.

Gif credit: Bitminer
According to Rik Ferguson, vice-president of security research at Trend Micro, “This is absolutely a numbers game. There’s a huge attraction of being able to use other people’s devices in a massively distributed fashion because you then effectively take advantage of a huge amount of computing resources.”
The security firm found that hundreds of well-known websites are running such code. Some use the Coin Hive script, some the JSE Coin script, and some have no idea how the code got onto their sites.
To get rid of it, some site owners simply removed the code, while others updated their security policies and issued patches. Others are still investigating how their sites were compromised and how the code ended up there without triggering any warning.
The BBC reported that the developers of Coin Hive are also taking action against those misusing their code. “We had a few early users that implemented the script on sites they previously hacked, without the site owner’s knowledge. We have banned several of these accounts and will continue to do so when we learn about such cases,” Coin Hive told the BBC.
In a tweet, FiveM, a modification framework for GTA V, said it had issued a security update specifically to stop users from adding miners to their code.
Cloudflare, a content delivery network and Internet security service, also kicked a torrent website off its platform for secretly running a cryptocurrency miner. The company said the site was running “mining code without notifying users. … We consider this to be malware.”
Last month, The Pirate Bay was caught “testing” a cryptocurrency miner, while two domains belonging to Showtime, CBS Corporation’s premium cable network, were also found to be mining cryptocoins without informing their visitors.
In another report, Trend Micro said that hackers are also using smart home devices to generate cryptocurrency. “Trend Micro data shows that more and more home devices are being compromised—we blocked over 90% more home network attacks in September compared to July, and most of the attacks are attempting to mine cryptocurrency,” said Trend Micro.
Although it is still a rare practice, if adopted long-term it could replace ads for good, since advertisements can be malicious and annoying. The fact that it hijacks computers for crypto mining deeply concerns users, however, so website owners should let visitors choose whether the site may use their CPU for mining.
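Before a site owner can decide whether to let visitors opt in, they need to know whether miner code is present on their pages at all, which is exactly what the compromised charity, school and file-sharing sites above did not know. The following is an added example, not code from the article, from Trend Micro or from the miner services. It triages a page for the two things an injected miner shows: an external `<script src>` loaded from a known miner service's domain, and an inline script that instantiates the miner object. The host names (coinhive.com, jsecoin.com) and the `CoinHive.Anonymous` / `CoinHive.User` constructor names are assumptions about those services' public loaders, not something the article states; the sample pages are constructed inline.

```python
"""Triage an HTML page for injected browser-miner loaders.

Added example, not code from the article, Trend Micro or the miner services.
MINER_HOSTS and MINER_API_RE are assumptions about the Coin Hive and JSE Coin
public loaders; extend both lists from your own telemetry.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

MINER_HOSTS = {"coinhive.com", "jsecoin.com"}                      # assumption
MINER_API_RE = re.compile(r"\bCoinHive\.(?:Anonymous|User)\s*\(")  # assumption


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of <script src=...>
        self.inline = []        # bodies of <script>...</script>
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser treats <script> content as CDATA and hands it to handle_data.
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_inline:
            self.inline.append("".join(self._buf))
            self._in_inline = False


def script_host(src):
    """Host of a script URL; None for relative paths. Handles //host/path."""
    if src.startswith("//"):
        src = "https:" + src          # protocol-relative, common in injected loaders
    host = urlparse(src).hostname
    return host.lower() if host else None


def is_miner_host(host):
    """True for a listed miner domain or any subdomain of one."""
    return any(host == h or host.endswith("." + h) for h in MINER_HOSTS)


def miner_indicators(page):
    """Return a list of ('external', url) / ('inline', snippet) findings."""
    p = ScriptCollector()
    p.feed(page)
    p.close()
    hits = []
    for src in p.external:
        host = script_host(src)
        if host and is_miner_host(host):
            hits.append(("external", src))
    for body in p.inline:
        m = MINER_API_RE.search(body)
        if m:
            hits.append(("inline", m.group(0)))
    return hits


# Constructed sample pages: one with an injected loader plus miner start, one clean.
INJECTED_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script src="//coinhive.com/lib/coinhive.min.js"></script>
</head><body>
<p>Welcome</p>
<script>
  var miner = new CoinHive.Anonymous('SITE-KEY-PLACEHOLDER', {throttle: 0.3});
  miner.start();
</script>
</body></html>"""

CLEAN_PAGE = """<html><head>
<script src="https://cdn.example.com/js/jquery.min.js"></script>
</head><body>
<script>console.log("no miner here");</script>
</body></html>"""


if __name__ == "__main__":
    print(miner_indicators(INJECTED_PAGE))
    print(miner_indicators(CLEAN_PAGE))
```

This is a triage tool, not a complete detector: an attacker can copy the loader to a domain of their own and obfuscate the inline call, so a negative result only says the page does not reference the known services. A sustained jump in visitors' CPU usage while the page is open remains the symptom that reveals the rest.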


Source: hackread

Monday, 9 October 2017

Credit agency Experian is using scare tactics to sell a service for tracking traded user data on the dark web

On the dark web it is easy to find the identities of unsuspecting individuals and other data that could expose companies to fraud.
Experian, one of the world’s biggest consumer credit reporting agencies, is trying to sell an identity theft protection product by leveraging consumers’ fear of the darknet.
At the beginning of September, Experian launched the IdentityWorks Premium program, saying it can protect customers from the exposure of personal information on the dark web. “Is your personal information already being traded on the dark web?” asks one of Experian’s advertisements.
“Because of its hidden nature and the use of special applications to maintain anonymity, it’s not surprising that the dark Web can be a haven for all kinds of illicit activity,” Experian says on its own website. “This means if you’ve ever been a victim of a data breach, it’s a place where your sensitive information might live,” continues the alarming message from the company.
The company offers a free initial “Dark Web Email Scan” that lets customers search for their email address on the darknets.
By providing an e-mail address to the scanning service, a user grants Experian permission to “track and collect certain consumer information specific to” the user.
By using the “Free Dark Web Email Scan”, a user will receive advertisements for Experian products at the e-mail address being scanned. The user agreement includes a clause stating that Experian will send not only advertisements but also “offers for available credit cards, loan options, financial products or services, or credit-related products or services and other offers to customers.”
Experian collects and tracks various data about users, including credit scores, loan and credit card payments and interest rates.
“I clicked on Experian’s terms of service and found a densely written, nearly 17,600-word document — a contract the length of a novella. Not surprisingly, this is where you’ll find an arbitration clause preventing you from suing the company — an increasingly common aspect of consumer contracts nowadays. That’s the least of your worries, though,” reported a post published by the Los Angeles Times.
“The terms reveal that Experian ‘receives compensation for the marketing of credit opportunities or other products or services available through third parties,’ which is exactly what it sounds like. You’re giving permission for the company to sell you out.
And if you make it to the very bottom of the contract — no small feat, I assure you — you’ll find this little cow chip: Even if you cancel any Experian service, your acceptance of the arbitration clause ‘shall survive.’”
Disturbing! What do you think about it?
Without going into the details of how the Experian scanning service is implemented, it is indisputable that the company is using scare tactics to win new customers for its service.



Source: securityaffairs