Aug 08 2024

STAC6451 Hacker Hijacking Microsoft SQL Servers to Compromise Organizations

Category: data security,Hackingdisc7 @ 1:24 pm

A sophisticated threat activity cluster, STAC6451, has been identified targeting Microsoft SQL servers.

This cluster, primarily observed by Sophos Managed Detection and Response (MDR) teams, has compromised organizations by exploiting SQL server vulnerabilities.

The attackers have been using a combination of brute-force attacks, command execution, and lateral movement techniques to infiltrate and compromise networks.

This article delves into the intricate details of the STAC6451 attacks, the techniques employed, and the implications for organizations worldwide.

For details: STAC6451 Hacker Hijacking Microsoft SQL Servers to Compromise Organizations

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: Microsoft SQL Servers


Jun 27 2024

HACKING MICROSOFT MMC: DISCOVER THE GRIMRESOURCE EXPLOIT

Category: Hackingdisc7 @ 7:04 am

Elastic Security Labs has uncovered a novel technique, GrimResource, that leverages specially crafted Microsoft Management Console (MMC) files for initial access and evasion, posing a significant threat to cybersecurity.

In response to Microsoft’s decision to disable Office macros by default for internet-sourced documents, attackers have been forced to adapt, exploring new infection vectors like JavaScript, MSI files, LNK objects, and ISOs. These traditional methods are now heavily scrutinized by defenders, pushing well-resourced attackers to innovate further. A recent example includes North Korean actors using a novel command execution technique within MMC files.

Elastic researchers have identified GrimResource, a new infection technique that exploits MSC files, allowing attackers to execute arbitrary code in the context of mmc.exe when a user opens a specially crafted MSC file. The first sample leveraging GrimResource was uploaded to VirusTotal on June 6th.

Key Takeaways

  • GrimResource enables attackers to execute arbitrary code in Microsoft Management Console with minimal security warnings, making it ideal for initial access and evasion.
  • Elastic Security Labs provides analysis and detection guidance to help the community defend against this technique.

Detailed Analysis

INITIAL DISCOVERY

The GrimResource method was identified after a sample was uploaded to VirusTotal on June 6th, 2024. This sample demonstrated a novel way to achieve code execution by exploiting the MSC file format, commonly used in administrative tools within Windows.

TECHNICAL BREAKDOWN

Exploitation of apds.dll Vulnerability

The core of the GrimResource technique exploits an old cross-site scripting (XSS) flaw in the apds.dll library. By crafting an MSC file that includes a reference to this vulnerable library in the StringTable section, attackers can execute arbitrary JavaScript in the context of mmc.exe. This approach leverages the following steps:

  1. StringTable Manipulation: The MSC file is modified to include a reference to apds.dll.
  2. JavaScript Execution: The XSS flaw in apds.dll allows JavaScript execution within MMC, enabling further payload delivery.

Combination with DotNetToJScript

To execute arbitrary code, attackers combine the XSS exploit with the DotNetToJScript technique:

  1. Obfuscation Techniques: The initial sample uses the transformNode method for obfuscation, a technique also seen in recent macro-based attacks. This helps evade ActiveX security warnings.
  2. Embedded VBScript: The obfuscated script within the MSC file sets environment variables with the target payload.
  3. DotNetToJScript Execution: The script then uses DotNetToJScript to run an embedded .NET loader, named PASTALOADER, which retrieves the payload from the environment variables and executes it.

PASTALOADER Execution

PASTALOADER is designed to execute the payload in a stealthy manner:

  1. Payload Injection: PASTALOADER injects the payload into a new instance of dllhost.exe, a legitimate system process, to avoid detection.
  2. Stealth Techniques: The injection uses DirtyCLR, function unhooking, and indirect syscalls to minimize detection chances.
https://www.securitynewspaper.com/2023/09/29/send-phishing-emails-with-content-font-size-0px-can-to-hack-into-microsoft-outlook-365-accounts/embed/#?secret=RSwxVMwOix#?secret=Nug7FeGVNf

Final Payload: Cobalt Strike

In the identified sample, the final payload is the Cobalt Strike Beacon, a widely used post-exploitation tool. The injection into dllhost.exe is done carefully to avoid triggering security mechanisms.

DETECTION METHODS

Elastic Security Labs’ Detection Techniques

Elastic Security Labs has developed several detection methods to identify GrimResource activity:

  1. Suspicious Execution via Microsoft Common Console:
    • This detection looks for unusual processes spawned by mmc.exe, indicating potential malicious activity.
  2. .NET COM Object Created in Non-standard Windows Script Interpreter:
    • Detects memory allocations by .NET on behalf of Windows Script Host (WSH) engines, indicative of DotNetToJScript usage.
  3. Script Execution via MMC Console File:
    • Monitors file operations and process behaviors related to MSC file execution, particularly looking for the creation and use of apds.dll references.
  4. Windows Script Execution via MMC Console File:
    • Correlates the creation of temporary HTML files in the INetCache folder, a hallmark of the APDS XSS redirection.

Example EQL Rules

sequence by process.entity_id with maxspan=1m

[process where event.action == “start” and process.executable : “?:\\Windows\\System32\\mmc.exe” and process.args : “*.msc”]

[file where event.action == “open” and file.path : “?:\\Windows\\System32\\apds.dll”]

Detecting Temporary HTML Files:

sequence by process.entity_id with maxspan=1m

[process where event.action == “start” and process.executable : “?:\\Windows\\System32\\mmc.exe” and process.args : “*.msc”]

[file where event.action in (“creation”, “overwrite”) and process.executable : “?:\\Windows\\System32\\mmc.exe” and file.name : “redirect[?]” and file.path : “?:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*\\redirect[?]”]

Forensic Artifacts

The technique leaves several forensic artifacts, including:

  • MSC File Manipulations: Unusual references in StringTable sections.
  • Temporary Files: HTML files in the INetCache directory named “redirect[?]”.
  • Process Anomalies: Unexpected process creation and memory allocations by mmc.exe and dllhost.exe.

Attackers have developed a new technique to execute arbitrary code in Microsoft Management Console using crafted MSC files. Elastic’s defense-in-depth approach has proven effective against this novel threat. Defenders should implement the provided detection guidance to protect themselves and their customers from GrimResource before it proliferates among commodity threat groups.

Windows Security Internals: A Deep Dive into Windows Authentication, Authorization, and Auditing

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: GRIMRESOURCE EXPLOIT, MICROSOFT MMC


Jun 12 2024

20,000 FortiGate appliances compromised by Chinese hackers

Category: Hacking,Security Breachdisc7 @ 7:43 am

How Coathanger persists on FortiGate devices

In February 2024, the Dutch Military Intelligence and Security Service (MIVD) and the General Intelligence and Security Service (AIVD) made it known that Chinese state-sponsored hackers breached the Dutch Ministry of Defense in 2023 by exploiting a known FortiOS pre-auth RCE vulnerability (CVE-2022-42475), and used novel remote access trojan malware to create a persistent backdoor.

The RAT was dubbed Coathanger and found to be capable of surviving reboots and firmware upgrades. It’s also difficult to detect its presence by using FortiGate CLI commands, and to remove it from compromised devices.

The security services shared indicators of compromise and a variety of detection methods in an advisory, and explained that “the only currently identified way of removing [it] from an infected FortiGate device involves formatting the device and reinstalling and reconfiguring the device.”

They also attributed the intrusion and the malware to a Chinese cyber-espionage group.

A widespread campaign

On Monday, the Dutch National Cyber Security Center said that the MIVD continued to investigate the campaign, and found that:

  • The threat actor gained access to at least 20,000 FortiGate systems worldwide within a few months in both 2022 and 2023
  • They exploited the FortiOS vulnerability (CVE-2022-42475) as a zero-day, at least two months before Fortinet announced it

“During this so-called ‘zero-day’ period, the actor alone infected 14,000 devices. Targets include dozens of (Western) governments, international organizations and a large number of companies within the defense industry,” the NCSC said.

The threat actor installed the Coathanger malware at a later time, on devices of relevant targets.

“It is not known how many victims actually have malware installed. The Dutch intelligence services and the NCSC consider it likely that the state actor could potentially expand its access to hundreds of victims worldwide and carry out additional actions such as stealing data,” they said, and added that given the difficult discovery and clean-up process, “it is likely that the state actor still has access to systems of a significant number of victims.”

Another problem is that the Coathanger malware can be used in combination with any present or future vulnerability in FortiGate devices – whether zero- or N-day.

Advice for organizations

“Initial compromise of an IT network is difficult to prevent if the attacker uses a zero-day. It is therefore important that organizations apply the ‘assume breach’ principle,” the NCSC opined.

“This principle states that a successful digital attack has already taken place or will soon take place. Based on this, measures are taken to limit the damage and impact. This includes taking mitigating measures in the areas of segmentation, detection, incident response plans and forensic readiness.”

(In the attack targeting the Dutch MoD, the effects of the intrusion were limited due to effective network segmentation.)

Finally, the NCSC noted that the problem is not specifically Fortinet appliances, but “edge” devices – firewalls, VPN servers, routers, SMTP servers, etc. – in general.

“Recent incidents and identified vulnerabilities within various edge devices show that these products are often not designed according to modern security-by-design principles,” they said. Because almost every organization has one or more edge devices deployed, they added, it pays for threat actors to look for vulnerabilities affecting them.

The NCSC has, therefore, published helpful advice on how organizations should deal with using edge devices.

The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics 

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: Chinese hackers, FortiGate appliances, The Hacker and the State


Jun 11 2024

YOUR AZURE SECURITY AT RISK? HOW HACKERS ARE EXPLOITING AZURE SERVICE TAGS (AND HOW TO STOP THEM)?

Category: Hacking,Risk Assessmentdisc7 @ 8:24 am

A significant security vulnerability has been discovered by Tenable Research that affects Azure customers relying on Service Tags for their firewall rules. This vulnerability allows attackers to bypass Azure firewall rules, posing a substantial risk to organizations using these configurations. Here’s an in-depth look at the vulnerability, how it can be exploited, and crucial defensive measures to mitigate the risk.

Azure Security

INITIAL DISCOVERY IN AZURE APPLICATION INSIGHTS

Tenable Research initially uncovered the vulnerability within Azure Application Insights, a service designed to monitor and analyze web applications’ performance and availability. The Availability Tests feature of Azure Application Insights, intended to check the accessibility and performance of applications, was found to be susceptible to abuse. Users can control server-side requests in these tests, including adding custom headers and changing HTTP methods. This control can be exploited by attackers to forge requests from trusted services, mimicking a server-side request forgery (SSRF) attack.

EXPANSION TO MORE THAN 10 OTHER AZURE SERVICES

Upon further investigation, Tenable Research found that the vulnerability extends beyond Azure Application Insights to more than 10 other Azure services. These include:

  • Azure DevOps
  • Azure Machine Learning
  • Azure Logic Apps
  • Azure Container Registry
  • Azure Load Testing
  • Azure API Management
  • Azure Data Factory
  • Azure Action Group
  • Azure AI Video Indexer
  • Azure Chaos Studio

Each of these services allows users to control server-side requests and has an associated Service Tag, creating potential security risks if not properly mitigated.

HOW ATTACKERS CAN EXPLOIT THE VULNERABILITY

Attackers can exploit the vulnerability in Azure Service Tags by abusing the Availability Tests feature in Azure Application Insights. Below are detailed steps and examples to illustrate how an attacker can exploit this vulnerability:

1. Setting Up the Availability Test:

  • Example Scenario: An attacker identifies an internal web service within a victim’s Azure environment that is protected by a firewall rule allowing traffic only from Azure Application Insights.
  • Action: The attacker sets up an Availability Test in Azure Application Insights, configuring it to target the internal web service.

2. Customizing the Request:

  • Manipulating Headers: The attacker customizes the HTTP request headers to include authorization tokens or other headers that may be expected by the target service.
  • Changing HTTP Methods: The attacker can change the HTTP method (e.g., from GET to POST) to perform actions such as submitting data or invoking actions on the target service.
  • Example Customization: The attacker configures the test to send a POST request with a custom header “Authorization: Bearer <malicious-token>”.

3. Sending the Malicious Request:

  • Firewall Bypass: The crafted request is sent through the Availability Test. Since it originates from a trusted Azure service (Application Insights), it bypasses the firewall rules based on Service Tags.
  • Example Attack: The Availability Test sends the POST request with the custom header to the internal web service, which processes the request as if it were from a legitimate source.

4. Accessing Internal Resources:

  • Unauthorized Access: The attacker now has access to internal APIs, databases, or other services that were protected by the firewall.
  • Exfiltration and Manipulation: The attacker can exfiltrate sensitive data, manipulate internal resources, or use the access to launch further attacks.
  • Example Impact: The attacker retrieves confidential data from an internal API or modifies configuration settings in an internal service.

DETAILED EXAMPLE OF EXPLOIT

Scenario: An organization uses Azure Application Insights to monitor an internal financial service. The service is protected by a firewall rule that allows access only from the ApplicationInsightsAvailability Service Tag.

  1. Deploying an Internal Azure App Service:
    • The organization has a financial application hosted on an Azure App Service with firewall rules configured to accept traffic only from the ApplicationInsightsAvailability Service Tag.
  2. Attempted Access by the Attacker:
    • The attacker discovers the endpoint of the internal financial application and attempts to access it directly. The firewall blocks this attempt, returning a forbidden response.
  3. Exploiting the Vulnerability:
    • Setting Up the Test: The attacker sets up an Availability Test in Azure Application Insights targeting the internal financial application.
    • Customizing the Request: The attacker customizes the test to send a POST request with a payload that triggers a financial transaction, adding a custom header “Authorization: Bearer <malicious-token>”.
    • Sending the Request: The Availability Test sends the POST request to the internal financial application, bypassing the firewall.
  4. Gaining Unauthorized Access:
    • The financial application processes the POST request, believing it to be from a legitimate source. The attacker successfully triggers the financial transaction.
    • Exfiltration: The attacker sets up another Availability Test to send GET requests with custom headers to extract financial records from the application.

ADVANCED EXPLOITATION TECHNIQUES

1. Chain Attacks:

  • Attackers can chain multiple vulnerabilities or services together to escalate their privileges and impact. For example, using the initial access gained from the Availability Test to find other internal services or to escalate privileges within the Azure environment.

2. Lateral Movement:

  • Once inside the network, attackers can move laterally to compromise other services or extract further data. They might use other Azure services like Azure DevOps or Azure Logic Apps to find additional entry points or sensitive data.

3. Persistent Access:

  • Attackers can set up long-term Availability Tests that periodically execute, ensuring continuous access to the internal services. They might use these persistent tests to maintain a foothold within the environment, continuously exfiltrating data or executing malicious activities.

DEFENSIVE MEASURES

To mitigate the risks associated with this vulnerability, Azure customers should implement several defensive measures:

1. Analyze and Update Network Rules:

  • Conduct a thorough review of network security rules.
  • Identify and analyze any use of Service Tags in firewall rules.
  • Assume services protected only by Service Tags may be vulnerable.

2. Implement Strong Authentication and Authorization:

  • Add robust authentication and authorization mechanisms.
  • Use Azure Active Directory (Azure AD) for managing access.
  • Enforce multi-factor authentication and least privilege principles.

3. Enhance Network Isolation:

  • Use network security groups (NSGs) and application security groups (ASGs) for granular isolation.
  • Deploy Azure Private Link to keep traffic within the Azure network.

4. Monitor and Audit Network Traffic:

  • Enable logging and monitoring of network traffic.
  • Use Azure Monitor and Azure Security Center to set up alerts for unusual activities.
  • Regularly review logs and audit trails.

5. Regularly Update and Patch Services:

  • Keep all Azure services and applications up to date with security patches.
  • Monitor security advisories from Microsoft and other sources.
  • Apply updates promptly to minimize risk.

6. Use Azure Policy to Enforce Security Configurations:

  • Deploy Azure Policy to enforce security best practices.
  • Create policies that require strong authentication and proper network configurations.
  • Use Azure Policy initiatives for consistent application across resources.

7. Conduct Security Assessments and Penetration Testing:

  • Perform regular security assessments and penetration testing.
  • Engage with security experts or third-party services for thorough reviews.
  • Use tools like Azure Security Benchmark and Azure Defender.

8. Educate and Train Staff:

  • Provide training on risks and best practices related to Azure Service Tags and network security.
  • Ensure staff understand the importance of multi-layered security.
  • Equip teams to implement and manage security measures effectively.

https://www.securitynewspaper.com/2024/05/16/how-to-implement-principle-of-least-privilegecloud-security-in-aws-azure-and-gcp-cloud/embed/#?secret=4TeHUyw59w#?secret=RHf1cNP2eR

The vulnerability discovered by Tenable Research highlights significant risks associated with relying solely on Azure Service Tags for firewall rules. By understanding the nature of the vulnerability and implementing the recommended defensive measures, Azure customers can better protect their environments and mitigate potential threats. Regular reviews, updates, and a multi-layered security approach are essential to maintaining a secure Azure environment.

Azure Security

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: Azure Security


May 02 2024

VNC Is The Hacker’s New Remote Desktop Tool For Cyber Attacks

Category: Hacking,Security Toolsdisc7 @ 7:26 am

While facilitating remote work, remote desktop software presents security challenges for IT teams due to the use of various tools and ports.

The multitude of ports makes it difficult to monitor for malicious traffic. 

Weak credentials and software vulnerabilities are exploited to gain access to user systems.

Hackers may also use technical support scams to trick users into granting access.  

The Most Targeted Remote Desktop Tools In The Last 12 Months

Researchers identified VNC, a platform-independent remote desktop tool using RFB protocol, as the most targeted remote desktop application (98% of traffic).

The attacks leveraged weak passwords and a critical vulnerability (CVE-2006-2369) in RealVNC 4.1.1, allowing authentication bypass. 

Over 99% of attacks targeted unsecured HTTP ports rather than TCP ports used for application data exchange, which suggests attackers exploit the inherent lack of authentication on HTTP for unauthorized access.

The security of VNCs varies depending on the specific software, while some offer weak password limitations, others leverage SSH or VPN tunnelling for encryption.

VNC uses a base port (5800 for TCP, 5900 for HTTP) with an additive display number, making it difficult to secure with firewalls compared to single-port remote desktop solutions. 

Additionally, pinpointing the origin of VNC attacks is challenging due to attackers using proxies and VPNs, but a significant portion seems to originate from China. 

Attackers target RDP, a remote desktop protocol, for credential-based attacks and exploit vulnerabilities to execute malicious code, as RDP is more likely to be involved in large attacks compared to VNC. 

Flaws Exploited

In one study, 15% of RDP attacks leveraged obsolete cookies, possibly to target older, more vulnerable RDP software,  and RDP vulnerabilities like CVE-2018-0886 (targeting credential security), CVE-2019-0708 (with worm potential), and CVE-2019-0887 (hypervisor access) have been reported by Barracuda

Attackers exploit vulnerabilities in RDP to gain access to systems. Brute-force attacks are common, targeting password hashes for privileged accounts. RDP can also be used to launch denial-of-service attacks. 

In social engineering scams, attackers convince users to grant RDP access to fix fake technical problems, and vulnerable RDP instances are sold on the black market for further attacks.

North America is a leading source of RDP attacks, but location tracking is difficult due to anonymizing techniques. 

TeamViewer, a remote desktop tool, rarely encounters attacks (0.1% of traffic). Recent versions target enterprises and integrate with business applications, offering security features like fingerprinting, strong password enforcement, and multi-factor authentication. 

Encrypted communication channels further enhance security. However, phished credentials and technical support scams can still compromise TeamViewer sessions and may use ports beyond the primary port 5938, making malicious traffic detection more challenging for security teams. 

Citrix created ICA as an alternative to RDP. It uses ports 1494 and 2598, while older ICA clients and the ICA Proxy have had RCE vulnerabilities. 

AnyDesk, another RDP solution, uses port 6568 and has been abused in tech support scams and malware, while Splashtop Remote, using port 6783, has been involved in support scams and can be compromised through weak credentials.

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot


Apr 24 2024

HACKERS HIJACKED THE ESCAN ANTIVIRUS UPDATE MECHANISM IN MALWARE CAMPAIGN

Category: Antivirus,Hacking,Malwaredisc7 @ 9:04 am

A malware campaign has been exploiting the updating mechanism of the eScan antivirus to distribute backdoors and cryptocurrency miners.

Avast researchers discovered and analyzed a malware campaign that exploited the update mechanism of the eScan antivirus to distribute backdoors and crypto miners.

Threat actors employed two different types of backdoors and targeted large corporate networks

The researchers believe the campaign could be attributed to North Korea-linked AP Kimsuky. The final payload distributed by GuptiMiner was also XMRig.

“GuptiMiner is a highly sophisticated threat that uses an interesting infection chain along with a couple of techniques that include performing DNS requests to the attacker’s DNS servers, performing sideloading, extracting payloads from innocent-looking images, signing its payloads with a custom trusted root anchor certification authority, among others.” reads the analysis published by Avast. â€œThe main objective of GuptiMiner is to distribute backdoors within big corporate networks.”

The threat actors behind this campaign exploited a vulnerability in the update mechanism of the Indian antivirus provider eScan that allowed them to carry out a man-in-the-middle attack to distribute the malware. Avast already reported the issue to eScan and the India CERT. eScan acknowledged the flaw and addressed it on July 31, 2023. The issue in the update mechanism was present for at least five years.

The infection process begins when eScan requests an update from the update server. However, the attackers carry out a MitM attack and replace the legitimate update package with a malicious one. Subsequently, eScan unpacks and installs the package, which results in the sideloading of a DLL by eScan’s clean binaries. This DLL facilitates the continuation of the process, leading to the execution of multiple shellcodes and intermediary PE loaders.

eScan antivirus

The researchers noticed that the downloaded package file is replaced with a malware-laced one on the wire because the process doesn’t use an HTTPS connection. 

Below the infection chain described by Avast:

  1. The eScan updater triggers the update 
  2. The downloaded package file is replaced with a malicious one on the wire because of a missing HTTPS encryption (MitM is performed) 
  3. A malicious package updll62.dlz is downloaded and unpacked by eScan updater 
  4. The contents of the package contain a malicious DLL (usually called version.dll) that is sideloaded by eScan. Because of the sideloading, the DLL runs with the same privileges as the source process – eScan – and it is loaded next time eScan runs, usually after a system restart 
  5. If a mutex is not present in the system (depends on the version, e.g. Mutex_ONLY_ME_V1), the malware searches for services.exe process and injects its next stage into the first one it can find 
  6. Cleanup is performed, removing the update package 

GuptiMiner operates its own DNS servers to provide legitimate destination domain addresses of C2 servers through DNS TXT responses.

GuptiMiner connects directly to malicious DNS servers, bypassing the DNS network entirely. This use of the DNS protocol resembles telnet and is not considered DNS spoofing, which typically occurs within the DNS network. Although the servers requested by GuptiMiner exist, it’s likely an evasion tactic.

In the second-stage the shellcode from the PNG file extracts and executes the Gzip loader. This loader is a simple PE that decompresses another shellcode using Gzip and executes it in a separate thread that kiads the Stage 3 malware Puppeteer.

Puppeteer orchestrates the core functionality of the malware, including the cryptocurrency mining as well as the backdoor deployment.

Surprisingly, the ultimate payload disseminated by GuptiMiner can be also XMRig, which was somewhat unexpected given the level of sophistication of this campaign.

The researchers speculate that using the miner could be a diversionary tactic.

“During our research, we’ve also found an information stealer which holds a rather similar PDB path as was used across the whole GuptiMiner campaign.” concludes the report. “What is truly interesting, however, is that this information stealer might come from Kimsuky operations.”

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: ESCAN ANTIVIRUS


Apr 15 2024

THE PATH TO A PENTESTING CAREER (A BLUEPRINT FOR ASPIRING WHITE HATS)

Category: Hacking,Pen Test,Security Toolsdisc7 @ 7:22 am

Security analysis of web applications is, first of all, a search and investigation of cases of incorrect functioning of program code and vulnerabilities. Those who choose a penetration tester’s profession should keep in mind that it requires continuous learning and the ability to use a library of resources for self-education. A common situation is that while you are studying vulnerabilities in one framework, a dozen new reports are published. To quickly understand the potential vulnerabilities associated with previously unknown technologies, you need to be well-versed in the sources of information. When working in a team on an actual pentest project, there is usually no time for a thoughtful search. So, if your skills are combined with a strong foundational education, you are looking at promising career opportunities.

Your initial understanding of the subject can be developed through cybersecurity analysis courses at the university. These courses can also help you decide if this career path is right for you. It is good to receive foundational training in software development and networking, including web applications, while you are at university. Afterward, you can gain hands-on experience by practicing infrastructure penetration testing.

Usually, your initial attempts to secure a job as a web penetration tester might reveal gaps in your knowledge. Seeking employment at companies like VentureDive, where the work could help fill these educational gaps and offer valuable experience, is a smart approach. For instance, you could start as a technical support specialist in information security at a large company. After about two to four months, you might go for your first interview for a security analyst position, during which you could identify any weak points you might still have. With a few more months of work under the guidance of a mentor and diving into training materials, you could successfully land a position as a penetration tester.

Choosing where to work in the future is not as straightforward as it may appear. In a large, well-known company, you will be surrounded by a high level of expertise and likely assigned a mentor. However, the opportunity to find truly interesting vulnerabilities in real projects might be limited. This is because such organizations often have costly services, and their clients are usually not willing to skimp on development and security. Consequently, you will be working with quality products that have undergone thorough security testing, reducing the likelihood of encountering situations that provide valuable experience.

In a small company, you should not expect to find a mentor, a high level of expertise, or an impressive salary. However, these companies often get orders to pentest applications with many vulnerabilities, providing invaluable experience for those new to the profession. With this experience under your belt, you could eventually transition to a larger company.

Mastering Interview Techniques

Given that we cannot cover everything, let’s go over the essential knowledge and skills you need to analyze vulnerabilities in web applications.

  • A pentester needs to understand how applications function on the network level, which includes knowing about TCP handshakes, domain names, IPs, proxies, etc. It is also important to grasp the basics of how HTTP and HTTPS protocols work. Being prepared to answer questions like “What is the difference between HTTP methods?” “When should PATCH be used as opposed to POST?” and “How do HTTP 0.9/1.1 differ from HTTP/2?” is a part of this foundational knowledge.
  • Vulnerabilities are not always tucked away in a web application’s code; sometimes, they are embedded in its architecture, like within the web server itself. Often, a pentester might not have a direct view of the application’s architecture but can infer how it functions. Therefore, having knowledge in this area is incredibly useful.
  • As vulnerabilities become more complex, it is important to grasp the basics. This foundational understanding allows you to tackle more complex issues as they arise.
  • Developing the ability to search for answers to your questions using open sources is vital, even if you have someone to ask. Always start by seeking out information and attempting to solve problems on your own before seeking help.
  • Being able to write and read code in various languages, including PHP, Python, JavaScript, Java, and C#, is essential. When it comes to analyzing web applications, you will encounter different approaches, such as white box, gray box, and black box testing. For example, if you are doing white box testing and have access to the application’s source code, having development experience is a big plus. Additionally, the ability to write automation scripts and tailor third-party tools to fit your needs is a valuable skill.
  • Pentest projects frequently require examining the application from the outside in. You need the ability to scan the network and identify vulnerable services to ensure no obvious security flaws are overlooked.
  • In your work, you will often need to theoretically explain the nature of a vulnerability. This requires understanding basic concepts, such as how databases operate, the properties of information, and what constitutes vulnerability and exploitation. Essential skills also include system administration for both Windows and Linux.

Simply studying a vast number of vulnerabilities will turn you into a top-tier professional because it does not cultivate the skill of discovering them. During actual pentest projects, the toughest part is often identifying vulnerabilities. It is advised to search for vulnerable applications and analyze them without peeking at the technology stack or hints about the vulnerabilities. This practice offers foundational experience and insights into how things operate in an actual project.

For those lacking a basic education in security analysis, paid penetration testing courses are an option to consider. Unfortunately, the better courses tend to be expensive, and it is difficult to recommend any budget-friendly options that are truly effective. It is crucial to realize that these courses will not turn you into an expert overnight, as some might claim, but they will provide you with a solid understanding of the profession.

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: ASPIRING WHITE HATS


Apr 10 2024

New SharePoint Technique Lets Hackers Bypass Security Measures

Category: Hacking,Security controlsdisc7 @ 9:36 am

Two new techniques uncovered in SharePoint enable malicious actors to bypass traditional security measures and exfiltrate sensitive data without triggering standard detection mechanisms.

Illicit file downloads can be disguised as harmless activities, making it difficult for cybersecurity defenses to detect them. To accomplish this, the system’s features are manipulated in various ways.

Security researchers from Varonis Threat Labs discovered two SharePoint techniques.

Open-In-App Method

The first technique dubbed the “Open in App Method,” takes advantage of the SharePoint feature, which allows users to open documents directly in their associated applications.

While this feature is designed for user convenience, it has inadvertently created a loophole for data breaches.

Attackers can use this feature’s underlying code to access and download files, leaving behind only an access event in the file’s audit log.

This subtle footprint can easily be overlooked, as it does not resemble a typical download event.

The exploitation of this method can be carried out manually or automated through a PowerShell script.

When automated, the script can rapidly exfiltrate many files, significantly amplifying the potential damage.

The script leverages the SharePoint client object model (CSOM) to fetch files from the cloud and save them to a local computer, avoiding creating a download log entry.

SkyDriveSync User-Agent

The second technique involves the manipulation of the User-Agent string for Microsoft SkyDriveSync, now known as OneDrive, Varonis said.

By masquerading as the sync client, attackers can download files or even entire SharePoint sites.

These downloads are mislabeled as file synchronization events rather than actual downloads, thus slipping past security measures that are designed to detect and log file downloads.

This method is particularly insidious because it can be used to exfiltrate data on a massive scale, and the sync disguise makes it even harder for security tools to distinguish between legitimate and malicious activities.

The use of this technique suggests a sophisticated understanding of SharePoint and OneDrive’s synchronization mechanisms, which could be exploited to systematically drain data from an organization without raising alarms.

Microsoft’s Response And Security Patch Backlog

Upon discovery, Varonis researchers promptly reported these vulnerabilities to Microsoft in November 2023. Microsoft has acknowledged the issue and categorized these vulnerabilities as “moderate” security risks.

They have been added to Microsoft’s patch backlog program, indicating that a fix is in the pipeline but may not be immediately available.

The discovery of these techniques underscores the risks associated with SharePoint and OneDrive, especially when permissions are misconfigured or overly permissive.

Organizations relying on these services for file sharing and collaboration must be vigilant and proactive in managing access rights to minimize the risk of unauthorized data access.

To combat these vulnerabilities, organizations are advised to implement additional detection strategies.

Monitoring for unusual patterns of access events, especially those that could indicate the use of the “Open in App Method,” is crucial.

Similarly, keeping an eye on sync activities and verifying that they match expected user behavior can help identify misuse of the SkyDriveSync User-Agent technique.

Furthermore, organizations should prioritize the review and tightening of permissions across their SharePoint and OneDrive environments.

Regular audits and updates to security policies can help prevent threat actors from exploiting such vulnerabilities in the first place.

Permissions Management in SharePoint Online – A Practical Guide

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: SharePoint


Apr 05 2024

Hackers Hijack Facebook Pages To Mimic AI Brands & Inject Malware

Category: AI,Hacking,Malwaredisc7 @ 8:08 am

Hackers have been found hijacking Facebook pages to impersonate popular AI brands, thereby injecting malware into the devices of unsuspecting users.

This revelation comes from a detailed investigation by Bitdefender Labs, which has been closely monitoring these malicious campaigns since June 2023.

Recent analyses of malvertising campaigns have revealed a disturbing trend.

Ads are distributing an assortment of malicious software, which poses severe risks to consumers’ devices, data, and identity.

Unwitting interactions with these malware-serving ads could lead to downloading and deploying harmful files, including Rilide Stealer, Vidar Stealer, IceRAT, and Nova Stealer, onto users’ devices.

Rilide Stealer V4: A Closer Look

Bitdefender Labs has spotlighted an updated version of the Rilide Stealer (V4) lurking within sponsored ad campaigns that impersonate popular AI-based software and photo editors such as Sora, CapCut, Gemini AI, Photo Effects Pro, and CapCut Pro.

This malicious extension, targeting Chromium-based browsers, is designed to monitor browsing history, capture login credentials, and even facilitate the withdrawal of crypto funds by bypassing two-factor authentication through script injections.

Sora Ad campaign
Gemini Ad Campaign

Key Updates in Rilide V4:

  • Targeting of Facebook cookies
  • Masquerading as a Google Translate Extension
  • Enhanced obfuscation techniques to conceal the software’s true intent

Indicators Of Compromise

Malicious hashes

  • 2d6829e8a2f48fff5348244ce0eaa35bcd4b26eac0f36063b9ff888e664310db â€“ OpenAI Sora official version setup.msi – Sora
  • a7c07d2c8893c30d766f383be0dd78bc6a5fd578efaea4afc3229cd0610ab0cf â€“ OpenAI Sora Setup.zip – Sora
  • e394f4192c2a3e01e6c1165ed1a483603b411fd12d417bfb0dc72bd6e18e9e9d â€“ Setup.msi – Sora
  • 021657f82c94511e97771739e550d63600c4d76cef79a686aa44cdca668814e0 â€“ Setup.msi – Sora
  • 92751fd15f4d0b495e2b83d14461d22d6b74beaf51d73d9ae2b86e2232894d7b â€“ Setup.msi – Sora
  • 32a097b510ae830626209206c815bbbed1c36c0d2df7a9d8252909c604a9c1f1 â€“ Setup.msi – Sora
  • c665ff2206c9d4e50861f493f8e7beca8353b37671d633fe4b6e084c62e58ed9 â€“ Setup.msi – Sora
  • 0ed3b92fda104ac62cc3dc0a5ed0f400c6958d7034e3855cad5474fca253125e â€“ Capcut Pro For PC.setup.msi – Capcut
  • 757855fcd47f843739b9a330f1ecb28d339be41eed4ae25220dc888e57f2ec51 â€“ OpenAI ChatGPT-4.5 Version Free.msi – ChatGPT
  • 3686204361bf6bf8db68fd81e08c91abcbf215844f0119a458c319e92a396ecf â€“ Google Gemini AI Ultra Version Updata.msi – Gemini AI
  • d60ea266c4e0f0e8d56d98472a91dd5c37e8eeeca13bf53e0381f0affc68e78a â€“ Photo Effects Pro v3.1.3 Setup.msi – Photo Effects
  • bb7c3b78f2784a7ac3c090331326279476c748087188aeb69f431bbd70ac6407 â€“ Photo Effects Pro v3.1.3 Setup.msi – Photo Effects
  • 0ed3b92fda104ac62cc3dc0a5ed0f400c6958d7034e3855cad5474fca253125e â€“ AISora.setup.msi – Sora

Vidar Stealer: Evolving Threats

Vidar Stealer, another prolific info stealer, is marketed through the same MaaS model via dark web ads, forums, and Telegram groups.

Capable of exfiltrating personal information and crypto from compromised devices, Vidar’s distribution has evolved from spam campaigns and cracked software to malicious Google Search ads and social media platforms, mainly through sponsored ads on Meta’s platform.

Indicators Of Compromise

Malicious hashes

  • 6396ac7b1524bb9759f434fe956a15f5364284a04acd5fc0ef4b625de35d766b- g2m.dll – MidJourney
  • 76ed62a335ac225a2b7e6dade4235a83668630a9c1e727cf4ddb0167ab2202f6- Midjourney.7z – MidJourney

IceRAT: More Than Just A Trojan

Despite its name, IceRAT functions more as a backdoor on compromised devices. It acts as a gateway for secondary infections, such as crypto miners and information stealers that target login credentials and other sensitive data.

Indicators Of Compromise

Malicious hashes

  • aab585b75e868fb542e6dfcd643f97d1c5ee410ca5c4c5ffe1112b49c4851f47- Midjourneyv6.exe – MidJourney
  • b5f740c0c1ac60fa008a1a7bd6ea77e0fc1d5aa55e6856d8edcb71487368c37c- Midjourneyv6ai.exe – MidJourney
  • cc15e96ec1e27c01bd81d2347f4ded173dfc93df673c4300faac5a932180caeb- Mid_Setup.exe – MidJourney
  • d2f12dec801000fbd5ccc8c0e8ed4cf8cc27a37e1dca9e25afc0bcb2287fbb9a- Midjourney_v6.exe – MidJourney
  • f2fc27b96a4a487f39afad47c17d948282145894652485f9b6483bec64932614-Midjourneyv6.1_ins.exe – MidJourney
  • f99aa62ee34877b1cd02cfd7e8406b664ae30c5843f49c7e89d2a4db56262c2e â€“ Midjourneys_Setup.exe – MidJourney
  • 54a992a4c1c25a923463865c43ecafe0466da5c1735096ba0c3c3996da25ffb7 â€“ Mid_Setup.exe – MidJourney
  • 4a71a8c0488687e0bb60a2d0199b34362021adc300541dd106486e326d1ea09b- Mid_Setup.exe – MidJourney

Nova Stealer: The New Kid On The Block

Nova Stealer emerges as a highly proficient info stealer with capabilities including password exfiltration, screen recordings, discord injections, and crypto wallet hijacking.

Nova Stealer, offered as MaaS by the threat actor known as Sordeal, represents a significant threat to digital security.

Indicators Of Compromise

Malicious hashes

  • fb3fbee5372e5050c17f72dbe0eb7b3afd3a57bd034b6c2ac931ad93b695d2d9- Instructions_for_using_today_s_AI.pdf.rar – AI and Life
  • 6a36f1f1821de7f80cc9f8da66e6ce5916ac1c2607df3402b8dd56da8ebcc5e2- Instructions_for_using_today_s_AI.xlsx_rar.rar – AI and Life
  • fe7e6b41766d91fbc23d31573c75989a2b0f0111c351bed9e2096cc6d747794b- Instructions for using today’s AI.pdf.exe – AI and Life
  • ce0e41e907cab657cc7ad460a5f459c27973e9346b5adc8e64272f47026d333d- Instructions for using today’s AI.xlsx.exe – AI and Life
  • a214bc2025584af8c38df36b08eb964e561a016722cd383f8877b684bff9e83d- 20 digital marketing tips for 2024.xlsx.exe – Google Digital Marketing
  • 53714612af006b06ca51cc47abf0522f7762ecb1300e5538485662b1c64d6f55 â€“ Premium advertising course registration form from Oxford.exe – Google Digital Marketing
  • 728953a3ebb0c25bcde85fd1a83903c7b4b814f91b39d181f0fc610b243c98d4- New Microsoft Excel Worksheet.exe – Google Digital Marketing

The Midjourney Saga: AI’s Dark Side

The addition of AI tools on the internet, from free offerings and trials to subscription-based services, has not gone unnoticed by cybercriminals.

Midjourney, a leading generative AI tool with a user base exceeding 16 million as of November 2023, has become a favored tool among cyber gangs over the past year, highlighting the intersection of cutting-edge technology and cybercrime.

Midjourney has been a fan-favorite among cybercriminal gangs as well over the past year.
Midjourney has been a fan-favorite among cybercriminal gangs as well over the past year.

Indicators Of Compromise

  • 159.89.120.191
  • 159.89.98.241

As the digital landscape continues to evolve, so does the nature of the threats it maintains.

The rise of Malware-as-a-Service represents a significant shift in the cyber threat paradigm that requires vigilant and proactive measures to combat.

Key Updates in Rilide V4:

  • Targeting of Facebook cookies
  • Masquerading as a Google Translate Extension
  • Enhanced obfuscation techniques to conceal the software’s true intent

Indicators Of Compromise

Malicious hashes

  • 2d6829e8a2f48fff5348244ce0eaa35bcd4b26eac0f36063b9ff888e664310db â€“ OpenAI Sora official version setup.msi – Sora
  • a7c07d2c8893c30d766f383be0dd78bc6a5fd578efaea4afc3229cd0610ab0cf â€“ OpenAI Sora Setup.zip – Sora
  • e394f4192c2a3e01e6c1165ed1a483603b411fd12d417bfb0dc72bd6e18e9e9d â€“ Setup.msi – Sora
  • 021657f82c94511e97771739e550d63600c4d76cef79a686aa44cdca668814e0 â€“ Setup.msi – Sora
  • 92751fd15f4d0b495e2b83d14461d22d6b74beaf51d73d9ae2b86e2232894d7b â€“ Setup.msi – Sora
  • 32a097b510ae830626209206c815bbbed1c36c0d2df7a9d8252909c604a9c1f1 â€“ Setup.msi – Sora
  • c665ff2206c9d4e50861f493f8e7beca8353b37671d633fe4b6e084c62e58ed9 â€“ Setup.msi – Sora
  • 0ed3b92fda104ac62cc3dc0a5ed0f400c6958d7034e3855cad5474fca253125e â€“ Capcut Pro For PC.setup.msi – Capcut
  • 757855fcd47f843739b9a330f1ecb28d339be41eed4ae25220dc888e57f2ec51 â€“ OpenAI ChatGPT-4.5 Version Free.msi – ChatGPT
  • 3686204361bf6bf8db68fd81e08c91abcbf215844f0119a458c319e92a396ecf â€“ Google Gemini AI Ultra Version Updata.msi – Gemini AI
  • d60ea266c4e0f0e8d56d98472a91dd5c37e8eeeca13bf53e0381f0affc68e78a â€“ Photo Effects Pro v3.1.3 Setup.msi – Photo Effects
  • bb7c3b78f2784a7ac3c090331326279476c748087188aeb69f431bbd70ac6407 â€“ Photo Effects Pro v3.1.3 Setup.msi – Photo Effects
  • 0ed3b92fda104ac62cc3dc0a5ed0f400c6958d7034e3855cad5474fca253125e â€“ AISora.setup.msi – Sora

Vidar Stealer: Evolving Threats

Vidar Stealer, another prolific info stealer, is marketed through the same MaaS model via dark web ads, forums, and Telegram groups.

Capable of exfiltrating personal information and crypto from compromised devices, Vidar’s distribution has evolved from spam campaigns and cracked software to malicious Google Search ads and social media platforms, mainly through sponsored ads on Meta’s platform.

Indicators Of Compromise

Malicious hashes

  • 6396ac7b1524bb9759f434fe956a15f5364284a04acd5fc0ef4b625de35d766b- g2m.dll – MidJourney
  • 76ed62a335ac225a2b7e6dade4235a83668630a9c1e727cf4ddb0167ab2202f6- Midjourney.7z – MidJourney

IceRAT: More Than Just A Trojan

Despite its name, IceRAT functions more as a backdoor on compromised devices. It acts as a gateway for secondary infections, such as crypto miners and information stealers that target login credentials and other sensitive data.

Indicators Of Compromise

Malicious hashes

  • aab585b75e868fb542e6dfcd643f97d1c5ee410ca5c4c5ffe1112b49c4851f47- Midjourneyv6.exe – MidJourney
  • b5f740c0c1ac60fa008a1a7bd6ea77e0fc1d5aa55e6856d8edcb71487368c37c- Midjourneyv6ai.exe – MidJourney
  • cc15e96ec1e27c01bd81d2347f4ded173dfc93df673c4300faac5a932180caeb- Mid_Setup.exe – MidJourney
  • d2f12dec801000fbd5ccc8c0e8ed4cf8cc27a37e1dca9e25afc0bcb2287fbb9a- Midjourney_v6.exe – MidJourney
  • f2fc27b96a4a487f39afad47c17d948282145894652485f9b6483bec64932614-Midjourneyv6.1_ins.exe – MidJourney
  • f99aa62ee34877b1cd02cfd7e8406b664ae30c5843f49c7e89d2a4db56262c2e â€“ Midjourneys_Setup.exe – MidJourney
  • 54a992a4c1c25a923463865c43ecafe0466da5c1735096ba0c3c3996da25ffb7 â€“ Mid_Setup.exe – MidJourney
  • 4a71a8c0488687e0bb60a2d0199b34362021adc300541dd106486e326d1ea09b- Mid_Setup.exe – MidJourney

Nova Stealer: The New Kid On The Block

Nova Stealer emerges as a highly proficient info stealer with capabilities including password exfiltration, screen recordings, discord injections, and crypto wallet hijacking.

Nova Stealer, offered as MaaS by the threat actor known as Sordeal, represents a significant threat to digital security.

Indicators Of Compromise

Malicious hashes

  • fb3fbee5372e5050c17f72dbe0eb7b3afd3a57bd034b6c2ac931ad93b695d2d9- Instructions_for_using_today_s_AI.pdf.rar – AI and Life
  • 6a36f1f1821de7f80cc9f8da66e6ce5916ac1c2607df3402b8dd56da8ebcc5e2- Instructions_for_using_today_s_AI.xlsx_rar.rar – AI and Life
  • fe7e6b41766d91fbc23d31573c75989a2b0f0111c351bed9e2096cc6d747794b- Instructions for using today’s AI.pdf.exe – AI and Life
  • ce0e41e907cab657cc7ad460a5f459c27973e9346b5adc8e64272f47026d333d- Instructions for using today’s AI.xlsx.exe – AI and Life
  • a214bc2025584af8c38df36b08eb964e561a016722cd383f8877b684bff9e83d- 20 digital marketing tips for 2024.xlsx.exe – Google Digital Marketing
  • 53714612af006b06ca51cc47abf0522f7762ecb1300e5538485662b1c64d6f55 â€“ Premium advertising course registration form from Oxford.exe – Google Digital Marketing
  • 728953a3ebb0c25bcde85fd1a83903c7b4b814f91b39d181f0fc610b243c98d4- New Microsoft Excel Worksheet.exe – Google Digital Marketing

The Midjourney Saga: AI’s Dark Side

The addition of AI tools on the internet, from free offerings and trials to subscription-based services, has not gone unnoticed by cybercriminals.

Midjourney, a leading generative AI tool with a user base exceeding 16 million as of November 2023, has become a favored tool among cyber gangs over the past year, highlighting the intersection of cutting-edge technology and cybercrime.

Midjourney has been a fan-favorite among cybercriminal gangs as well over the past year.
Midjourney has been a fan-favorite among cybercriminal gangs as well over the past year.

Indicators Of Compromise

  • 159.89.120.191
  • 159.89.98.241

As the digital landscape continues to evolve, so does the nature of the threats it maintains.

The rise of Malware-as-a-Service represents a significant shift in the cyber threat paradigm that requires vigilant and proactive measures to combat.

The Complete Guide to Software as a Service: Everything you need to know about SaaS

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: Hijack Facebook Pages


Mar 25 2024

170K+ Python Developers GitHub Accounts Hacked In Supply Chain Attack

Category: Cyber Attack,Hacking,Pythondisc7 @ 8:38 am

Over 170,000 users have fallen victim to a meticulously orchestrated scheme exploiting the Python software supply chain.

The Checkmarx Research team has uncovered a multi-faceted attack campaign that leverages fake Python infrastructure to distribute malware, compromising the security of countless developers and organizations.

This article delves into the attack campaign, its impact on victims, the tactics, techniques, and procedures (TTPs) employed by the threat actors, and the critical findings from Checkmarx’s investigation.

Attack Campaign Description

The core of this malicious campaign revolves around an attacker’s ability to combine several TTPs to launch a silent attack on the software supply chain, specifically targeting the Python ecosystem.

By creating multiple malicious open-source tools with enticing descriptions, the attackers lured victims into their trap, primarily through search engines.

Python mirror -files.pythonhosted.org

The campaign’s sophistication is evident in distributing a malicious dependency hosted on a fake Python infrastructure, which was then linked to popular projects on GitHub and legitimate Python packages.

A chilling account from Mohammed Dief, a Python developer and one of the campaign’s victims, highlights the stealth and impact of the attack.

Dief encountered a suspicious error message while working on his laptop, the first sign of the compromise, leading to the realization that his system had been hacked.

Victims And Impact

Among the notable victims of this campaign is the Top.gg GitHub organization, a community boasting over 170,000 members.

The attackers managed to hijack GitHub accounts with high reputations, including that of “editor-syntax,” a maintainer with write permissions to Top.gg’s repositories.

The Top.gg community (which boasts over 170K members) was also a victim of  this attack
The Top.gg community (which boasts over 170K members) was also a victim of  this attack

This allowed them to commit malicious acts and increase the visibility and credibility of their malicious repositories.

The attack’s impact is far-reaching, affecting individual developers and larger communities alike.

Social engineering schemes, account takeovers, and malicious packages published on the PyPi registry have underscored the software supply chain’s vulnerability to such sophisticated attacks.

The Checkmarx Research team has uncovered an attack campaign aimed at the software supply chain.

The campaign appears to have successfully exploited multiple victims.

Threat Actors And TTPs

The threat actors behind this campaign demonstrated high sophistication and planning.

They employed a range of TTPs, including:

  • Account Takeover via Stolen Cookies: The attackers gained access to high-reputation GitHub accounts by stealing session cookies, bypassing the need for passwords.
  • Publishing Malicious Packages: By setting up a custom Python mirror and publishing malicious packages to the PyPi registry, they could distribute malware under the guise of legitimate software.
  • Social Engineering: The attackers used social engineering to trick users into downloading malicious dependencies, further spreading the malware.

By deploying a fake Python package mirror and utilizing typosquatting techniques, the attackers could deceive users and systems into downloading poisoned versions of popular packages like “Colorama.

“The malicious payload delivered through these packages is designed to harvest sensitive information, including passwords, credentials, and data from various software applications.

Malicious Package

The malware targets web browsers, Discord, cryptocurrency wallets, and Telegram, and even includes a keylogging component to capture victims’ keystrokes.

The final stage of the malware reveals its data-stealing capabilities, targeting not only personal and financial information but also attempting to gain unauthorized access to victims’ social media and communication platforms.

This attack campaign highlights the critical vulnerabilities within the software supply chain, particularly in open-source ecosystems like Python’s.

The sophistication and success of the attackers in exploiting these vulnerabilities underscore the need for heightened vigilance and robust security practices among developers and organizations.

Through continuous monitoring, collaboration, and information sharing, the cybersecurity community can mitigate risks and protect the integrity of open-source software.

Python for Cybersecurity: Using Python for Cyber Offense and Defense 

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: supply chain attack


Feb 26 2024

HackerGPT – A ChatGPT-Powered AI Tool for Ethical Hackers & Cyber Security Community

Category: ChatGPT,Hackingdisc7 @ 8:20 am

HackerGPT is a cutting-edge AI tool designed explicitly for the cybersecurity sector, particularly beneficial for individuals involved in ethical hacking, such as bug bounty hunters.

This advanced assistant is at the cutting edge of cyber intelligence, offering a vast repository of hacking methods, tools, and tactics. More than a mere repository of information, HackerGPT actively engages with users, aiding them through the complexities of cybersecurity.

There are several ChatGPT-powered tools, such as OSINVGPT, PentestGPT, WormGPT, and BurpGPT, that have already been developed for the cyber security community, and HackerGPT is writing a new chapter for the same.

What is the Purpose of HackerGPT:

It leverages the capabilities of ChatGPT, enhanced with specialized training data, to assist in various cybersecurity tasks, including network and mobile hacking, and understand different hacking tactics without resorting to unethical practices like jailbreaking.

HackerGPT generates responses to user queries in real-time, adhering to ethical guidelines. It supports both GPT-3 and GPT-4 models, providing users with access to a wide range of hacking techniques and methodologies.

The tool is available for use via a web browser, with plans to develop an app version in the future. It offers a 14-day trial with unlimited messages and faster response times.

HackerGPT aims to streamline the hacking process, making it significantly easier for cybersecurity professionals to generate payloads, understand attack vectors, and communicate complex technical results effectively.

This AI-powered assistant is seen as a valuable resource for enhancing security evaluations and facilitating the understanding of potential risks and countermeasures among both technical and non-technical stakeholders

Recently, HackerGPT released 2.0, and the beta is now available here.

Upon posing a query to HackerGPT, the process begins with authentication of the user and management of query allowances, which differ for free and premium users.

The system then probes its extensive database to find the most relevant information to the query. For non-English inquiries, translation is employed to ensure the database search is effective.

If a suitable match is discovered, it is integrated into the AI’s response mechanism. The query is securely transmitted to OpenAI or OpenRouter for processing, ensuring no personal data is included. The response you receive depends on the module in use:

  • HackerGPT Module: A customized version of Mixtral 8x7B with semantic search capabilities tailored to our database.
  • GPT-4 Turbo: The most recent innovation from OpenAI, enhanced with our specialized prompts.

Guidelines for Issues:
The “Issues” section is strictly for problems directly related to the codebase. We’ve noticed an influx of non-codebase-related issues, such as feature requests or cloud provider problems. Please consult the “Help” section under the “Discussions” tab for setup-related queries. Issues not pertinent to the codebase are typically closed promptly.

Engagement in Discussions:
We strongly encourage active participation in the “Discussions” tab! It’s an excellent platform for asking questions, exchanging ideas, and seeking assistance. Chances are, others might have the same question if you have a question.

Updating Process:
To update your local Chatbot UI repository, navigate to the root directory in your terminal and execute:

npm run update

For hosted instances, you’ll also need to run:

npm run db-push

This will apply the latest migrations to your live database.

Setting Up Locally:
To set up your own instance of Chatbot UI locally, follow these steps:

  1. Clone the Repository:
git clone https://github.com/mckaywrigley/chatbot-ui.git
  1. Install Dependencies:

Navigate to the root directory of your local Chatbot UI repository and run:

npm install
  1. Install Supabase & Run Locally:

Supabase is chosen for its ease of use, open-source nature, and free tier for hosted instances. It replaces local browser storage, addressing security concerns, storage limitations, and enabling multi-modal use cases.

  • Install Docker: Necessary for running Supabase locally. Download it for free from the official site.
  • Install Supabase CLI: Use Homebrew for macOS/Linux or Scoop for Windows.
  • Start Supabase: Execute supabase start in your terminal at the root of the Chatbot UI repository.
  • Fill in Secrets: Copy the .env.local.example file to .env.local and populate it with values obtained from supabase status.
  1. Optional Local Model Installation:

For local models, follow the instructions provided for Ollama installation.

  1. Run the App Locally:

Finally, run npm run chat in your terminal. Your local instance should now be accessible at http://localhost:3000.

Setting Up a Hosted Instance:

To deploy your Chatbot UI instance in the cloud, follow the local setup steps here . Then, create a separate repository for your hosted instance and push your code to GitHub.

Set up the backend with Supabase by creating a new project and configuring authentication. Connect to the hosted database and configure the frontend with Vercel, adding necessary environment variables. Deploy, and your hosted Chatbot UI instance should be live and accessible through the Vercel-provided URL. You can read the complete GitHub repository here.

ChatGPT para Hackers y Programadores: Domina el arte del Prompt Engineering y aumenta tu productividad

Mastering Cybersecurity with ChatGPT: Harnessing AI to Empower Your Cyber CareerTable of Contents

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: HackerGPT


Feb 20 2024

Israeli Aircraft Survive “Cyber-Hijacking” Attempts

Category: Hackingdisc7 @ 8:29 am
https://www.infosecurity-magazine.com/news/israeli-aircraft-survive/

wo flights bound for Israel over the past week have suffered attempts to hijack their communications and divert the aircraft, according to local reports.

The El Al flights were both travelling from Thailand to Israel’s Ben Gurion international airport and apparently encountered “hostile elements” while flying over the Middle East.

Citing a report from national broadcaster Kan Reshet B, The Jerusalem Post claimed that hackers attempted to hijack the planes’ communications networks in order to divert them from their pre-programmed route.

No group has claimed responsibility. Although the aircraft were flying over an area in which Iranian-backed Houthis are active, sources have claimed it could be the work of a group operating from Somaliland – an unrecognized state in the Horn of Africa.

Read more on in-flight hacking: FBI Claims Hacker Made Plane Fly Sideways

Fortunately, the pilots reportedly became suspicious about the sudden change in instructions and ignored them, switching to another communications channel and double-checking their route with air traffic controllers.  

An El Al source revealed that pilots are trained to spot and mitigate such threats whilst in the air.

“The disturbances are not aimed at El Al planes and this is not a security incident,” a statement from the airline noted.

“The disruption did not affect the normal course of the flight thanks to the professionalism of the pilots who used the alternative means of communication and allowed the flight to continue on the planned route.”

The EU’s aviation safety agency EASA recently revamped its cybersecurity regulations for the sector with the release of the first Easy Access Rules (EAR) for Information Security (Part IS).

They’re designed to enforce best practice security across the industry, covering an exhaustive range of suppliers as well as airlines, airports, communication infrastructure providers and air towers.

Next Level Cybersecurity: Detect the Signals, Stop the Hack

Tags: Cyber-Hijacking


Feb 13 2024

New Azure Hacking Campaign Steals Senior Executive Accounts

Category: Hacking,Information Securitydisc7 @ 7:25 am

An ongoing campaign of cloud account takeover has affected hundreds of user accounts, including those of senior executives, and impacted dozens of Microsoft Azure environments.

Threat actors attack users with customized phishing lures inside shared documents as part of this ongoing effort.

Some documents that have been weaponized have embedded links to “View document,” which, when clicked, take users to a malicious phishing webpage to steal sensitive information and commit financial fraud.

Attackers Targeting Wide Range Of Individuals

Threat actors appear to target a broad spectrum of people with varying titles from various organizations, affecting hundreds of users worldwide.

“The affected user base encompasses a wide spectrum of positions, with frequent targets including Sales Directors, Account Managers, and Finance Managers,” Proofpoint researchers shared with Cyber Security News.

“Individuals holding executive positions such as “Vice President, Operations,” “Chief Financial Officer & Treasurer” and “President & CEO” were also among those targeted.”

Threat actors have a realistic approach, as seen by the variety of positions they have targeted, intending to compromise accounts that have varying degrees of access to important resources and responsibilities across organizational activities. 

In this campaign, researchers observed the usage of a particular Linux user agent that attackers employed during the attack chain’s access phase.

Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 

The ‘OfficeHome’ sign-in application is primarily accessed by attackers using this user-agent, along with other native Microsoft365 apps, like:

  • ‘Office365 Shell WCSS-Client’ (indicative of browser access to Office365 applications) 
  • ‘Office 365 Exchange Online’ (indicative of post-compromise mailbox abuse, data exfiltration, and email threats proliferation) 
  • ‘My Signins’ (used by attackers for MFA manipulation; for more info about this technique, see our recent Cybersecurity Stop of the Month blog) 
  • ‘My Apps’ 
  • ‘My Profile’

Attackers use their own MFA techniques to keep accessing systems permanently. Attackers choose various authentication techniques, such as registering additional phone numbers to authenticate via SMS or phone calls.

MFA manipulation events executed by attackers in a compromised cloud tenant
MFA manipulation events executed by attackers in a compromised cloud tenant

Criminals get access to and download confidential data such as user credentials, internal security protocols, and financial assets.

Mailbox access is also used to target individual user accounts with phishing threats and migrate laterally across compromised organizations.

Internal emails are sent to the impacted companies’ finance and human resources departments to commit financial fraud.

Attackers design specialized obfuscation rules to hide their activities and erase any proof of malicious activity from the inboxes of their victims.

Obfuscation mailbox rules created by attackers following successful account takeover
Obfuscation mailbox rules created by attackers following successful account takeover

“Attackers were observed employing proxy services to align the apparent geographical origin of unauthorized activities with that of targeted victims, evading geo-fencing policies,” researchers said.

Thus, in your cloud environment, be aware of account takeover (ATO) and possible illegal access to key resources. Security solutions must offer precise and prompt identification of both initial account compromise and post-compromise actions, together with insight into services and applications that have been misused.

Hacking Executive Leadership

A Leader’s Guide to Cybersecurity: Why Boards Need to Lead–and How to Do It

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Azure Hacking


Feb 03 2024

HACKING DEBIAN, UBUNTU, REDHAT& FEDORA SERVERS USING A SINGLE VULNERABILITY IN 2024

Category: Hacking,Linux Security,Security vulnerabilitiesdisc7 @ 11:47 am

The recent discovery of a significant flaw in the GNU C Library (glibc), a fundamental component of major Linux distributions, has raised serious security concerns. This flaw grants attackers root access, posing a critical threat to the security of Linux systems.

  • Vulnerability in GNU C Library (glibc): The GNU C Library, commonly known as glibc, is an essential part of Linux distributions. It provides the core libraries for the system, including those used for file handling, mathematical computations, and system calls.
  • Root Access Granted: The flaw discovered in glibc allows attackers to gain full root access to Linux machines. Root access means having complete control over the system, enabling an attacker to perform any action, including installing software, accessing all files, and modifying system configurations.

CVE ID: CVE-2023-6246

  • Description: This vulnerability is related to a dynamic memory buffer overflow and is classified as a Local Privilege Escalation (LPE) issue. It was found in glibc’s __vsyslog_internal() function, which is called by the widely-used syslog and vsyslog functions.
  • Impact: The flaw allows unprivileged attackers to gain root access on various major Linux distributions in their default configurations. This level of access can enable attackers to take complete control over the affected system.
  • Severity: Given its potential for granting root access, this vulnerability is considered highly severe.

HOW THE FLAW WORKS

  • Local Privilege Escalation: The vulnerability is a local privilege escalation (LPE) issue. This means that an attacker who already has access to the system (even with limited privileges) can exploit this flaw to gain root-level access.
  • Exploitation Requirements: To exploit this flaw, attackers need a Set-User-ID (SUID) binary. SUID is a special type of file permission that allows users to execute a program with the permissions of the file owner, which in many cases is the root user.

IMPACT AND SEVERITY

  • Widespread Impact: Given the ubiquitous use of glibc in Linux distributions, the impact of this vulnerability is widespread, affecting a vast number of systems and applications.
  • High Severity: The flaw is considered high severity due to its potential to grant attackers complete control over the affected systems.

MITIGATION AND RESPONSE

  • Disabling SUID Binaries: One suggested mitigation is to disable SUID binaries using “no new privileges” mode, which can be implemented with tools like systemd or bwrap.
  • Patch and Update: Users and administrators are urged to apply patches and updates provided by their Linux distribution as soon as they become available. Staying updated is crucial in preventing the exploitation of this vulnerability.

The discovery of the glibc flaw that grants root access to major Linux distributions is a stark reminder of the importance of system security and the need for constant vigilance. Users and administrators must take immediate action to mitigate the risk by applying patches and employing security best practices. As Linux continues to be a backbone for many systems and networks, ensuring its security is paramount for the integrity of countless applications and services.

Linux Basics for Hackers: Getting Started with Networking, Scripting, and Security in Kali

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: HACKING DEBIAN, REDHAT& FEDORA, UBUNTU


Feb 01 2024

7 hacking tools that look harmless but can do real damage

Category: Hacking,Security Toolsdisc7 @ 8:52 am

https://www.zdnet.com/article/7-hacking-tools-that-look-harmless-but-can-do-real-damage/

One of the best ways to stay safe and secure when using your computers and other electronic devices is to be aware of the risks. For the past decade, that’s precisely what I’ve been doing.

Most risks are obvious: use strong passwords, don’t download and install software from untrustworthy websites, or hand your unlocked device to a third party.

However, there are less obvious — yet equally dangerous — risks that can result in device or network intrusion, or even device destruction.

Watch out: Some of the most effective and dangerous hacking tools are hard to tell apart from benign devices. They can even be cute.

1. Flipper Zero

2. O.MG cables

3. USBKill

4. USB Nugget

5. Wi-Fi Pineapple

6. USB Rubber Ducky

7. LAN Turtle

for more details:

https://www.zdnet.com/article/7-hacking-tools-that-look-harmless-but-can-do-real-damage/

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: hacking tools


Jan 24 2024

SYSTEM HACKING, SCRIPTING, AND OTHER CONTRONYMS IN CYBERSECURITY

Category: cyber security,Hackingdisc7 @ 8:49 am

The cybersecurity field continuously generates new terms and concepts as it evolves with time. It also repurposes words to describe new concepts. There’s a never-ending flow of jargon that some refer to as an alphabet soup of complexity. From  NGAV to XDR, it appears unlikely for cybersecurity to run out of new acronyms and terminologies.

Meanwhile, some popular terms used in cybersecurity can have contradicting meanings. These are the so-called contronyms, which may add some spice to the insipidity of tech terms. Here’s a list of some famous cybersecurity words or phrases many would probably think they are already familiar with but are likely to be surprised to learn about their other meanings. 

HACKING

Most people tend to equate hacking to cybercrime, an attempt to illegally access, damage, or take over a computer system. This is not surprising given that most news articles that mention hacking use the term in its negative connotation, referring to cyber attacks aimed at bypassing access controls or security measures to prevent the unauthorized use of IT resources.

However, hacking can mean something positive or useful. In cybersecurity, system hacking can refer to an authorized effort to break existing security measures to test their effectiveness and spot weaknesses. The term often used for this action is “ethical hacking,” but hacking by itself is neither good nor bad. It’s how it is used that spells the difference.

Hacking in both its malicious and ethical instances follows the same stages. Also, they use similar techniques, from password cracking to phishing, the deployment of rootkits and trojans, exploitation of buffer overflows, privilege escalation, and the use of keyloggers. These steps and techniques are observed in attempts to exploit vulnerabilities and detect security weaknesses so that they can be plugged or resolved.

PATCHING 

In contrast to hacking, patching is often perceived as a positive term. It is mostly known as the application of a software patch to address a vulnerability or add new functions. Software publishers regularly release patches for their software in response to developments in the cyber threat landscape and to provide improvements in their software products.

Negatively, patching refers to the unauthorized modification of a software or system by taking advantage of system vulnerabilities. Cybercriminals can infiltrate or corrupt software pipelines, allowing them to send out malicious software patches to unsuspecting users. This works because many tend to excessively trust their automated software pipelines or they carelessly obtain their software updates from unofficial sources.

SNIFFING 

Among those involved in network administration, sniffing is a legitimate process that entails the tracking and analysis of network traffic. This is done to undertake a troubleshooting task, monitor network performance, or facilitate network security-related actions. It is one of the vital actions in Intrusion Detection Systems (IDS).

However, sniffing can also refer to malicious packet sniffing, wherein an attacker intercepts the packets transmitted through a network. Sniffing allows bad actors to steal login credentials and other sensitive information. It can help them gain access to online accounts or steal crucial data. Sniffing is often used as a form of cyber attack on devices that connect to the internet through public WiFi networks. 

Sniffing in the negative context is not new. It has been used as an attack for decades. Cybersecurity advocates pointed out the threat of sniffing more than a decade ago amid the proliferation of businesses that offer free public WiFi connection without strong security. 

SCRIPTING 

Scripting refers to the writing and deployment of scripts for the automation of repetitive tasks. It is used to automate routine actions, which enables the efficient management of systems. Scripting is also employed in penetration testing to simulate cyber attacks on a system. Similarly, it is used in log analysis and monitoring, day-to-day security operations, forensics and incident response, and cross-platform compatibility testing.

However, scripting can also be malicious, as used by threat actors. Cybercriminals can turn to malicious scripting to automate the execution of files that have been successfully introduced into a system. Successfully deceiving a computer user into downloading a file is not enough for the malicious file to inflict damage. Scripts are necessary to unleash the effects of malicious files and detect security vulnerabilities.

BACKDOOR 

The term backdoor is usually known for its negative implication. Most news and articles refer to backdoors in an unfavorable context. This should not come as a surprise since backdoors are often used by cybercriminals. They serve as a way to bypass normal authentication for any computer-related system, facilitating unauthorized access or the introduction of malicious files to a computer or network.

However, backdoors can be a feature intentionally added to the software. They can be deliberately put in an app to provide an optional means of access in cases when conventional access methods are unavailable. This “necessary” version of a backdoor was in the spotlight some years ago when the US FBI asked Apple to purposely build a backdoor on their iPhones. 

KILL CHAIN

The cyber kill chain is a framework developed by Lockheed Martin as part of its patented Intelligence Driven Defense model for cyber attack identification and prevention. It consists of a series of steps that represent the different stages of a cyber attack, from early reconnaissance to command and control and “actions on objectives.” This model helps organizations visualize and comprehend the different stages of an attack, focusing on critical points in the attack, developing strategies to mitigate threats, and boosting incident response capabilities.

Essentially, the kill chain is a process that is supposed to help organizations prepare for cyber attacks, successfully fend off an assault, and mitigate problems that emerge in the wake of a cyber attack. However, the phrase kill chain, in colloquial use, may refer to a successful cyber attack.

AN EXERCISE IN CYBERSECURITY JARGON COMPLEXITY

It may sound confusing, but contronyms exist everywhere. Interestingly, these words still make sense despite the auto-contradiction. In cybersecurity, contronyms reflect the complexity and flexibility of language, showing how words can change in meaning depending on their context and usage.

Isn’t it counterintuitive for cybersecurity terms to bear contradicting meanings? Possibly. However, what is ultimately important is the understanding that cybersecurity terms are far from straightforward. It is a must to properly get acquainted with them to understand what they really mean, especially with the rise of a plethora of acronyms and jargon introduced by security solution providers. Many of which tend to be marketing-speak or misnomers.

The Language of Cybersecurity

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: CONTRONYMS, The Language of Cybersecurity


Jan 23 2024

North Korean Weaponize Fake Research

Category: Backdoor,Hackingdisc7 @ 8:26 am

North Korean Hackers Weaponize Fake Research to Deliver RokRAT Backdoor

Media organizations and high-profile experts in North Korean affairs have been at the receiving end of a new campaign orchestrated by a threat actor known as ScarCruft in December 2023.

“ScarCruft has been experimenting with new infection chains, including the use of a technical threat research report as a decoy, likely targeting consumers of threat intelligence like cybersecurity professionals,” SentinelOne researchers Aleksandar Milenkoski and Tom Hegel said in a report shared with The Hacker News.

The North Korea-linked adversary, also known by the name APT37, InkySquid, RedEyes, Ricochet Chollima, and Ruby Sleet, is assessed to be part of the Ministry of State Security (MSS), placing it apart from Lazarus Group and Kimsuky, which are elements within the Reconnaissance General Bureau (RGB).

Earlier this week, North Korean state media reported that the country had carried out a test of its “underwater nuclear weapons system” in response to drills by the U.S., South Korea, and Japan, describing the exercises as a threat to its national security.

The latest attack chain observed by SentinelOne targeted an expert in North Korean affairs by posing as a member of the North Korea Research Institute, urging the recipient to open a ZIP archive file containing presentation materials.

While seven of the nine files in the archive are benign, two of them are malicious Windows shortcut (LNK) files, mirroring a multi-stage infection sequence previously disclosed by Check Point in May 2023 to distribute the RokRAT backdoor.

There is evidence to suggest that some of the individuals who were targeted around December 13, 2023, were also previously singled out a month prior on November 16, 2023.

SentinelOne said its investigation also uncovered malware – two LNK files (“inteligence.lnk” and “news.lnk”) as well as shellcode variants delivering RokRAT – that’s said to be part of the threat actor’s planning and testing processes.

While the former shortcut file just opens the legitimate Notepad application, the shellcode executed via news.lnk paves the way for the deployment of RokRAT, although this infection procedure is yet to be observed in the wild, indicating its likely use for future campaigns.

Both LNK files have been observed deploying the same decoy document, a legitimate threat intelligence report about the Kimsuky threat group published by South Korean cybersecurity company Genians in late October 2023, in a move that implies an attempt to expand its target list.

This has raised the possibility that the adversary could be looking to gather information that could help it refine its operational playbook and also target or mimic cybersecurity professionals to infiltrate specific targets via brand impersonation techniques.

The development is a sign that the nation-state hacking crew is actively tweaking its modus operandi in an apparent effort to circumvent detection in response to public disclosure about its tactics and techniques.

“ScarCruft remains committed to acquiring strategic intelligence and possibly intends to gain insights into non-public cyber threat intelligence and defense strategies,” the researchers said.

“This enables the adversary to gain a better understanding of how the international community perceives developments in North Korea, thereby contributing to North Korea’s decision-making processes.”

source: https://thehackernews.com/2024/01/north-korean-hackers-weaponize-fake.html

The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: RokRAT Backdoor, The Hacker and the State


Jan 08 2024

11 WAYS OF HACKING INTO CHATGPT LIKE GENERATIVE AI SYSTEMS

Category: ChatGPT,Hackingdisc7 @ 9:41 pm

In the rapidly evolving landscape of artificial intelligence, generative AI systems have become a cornerstone of innovation, driving advancements in fields ranging from language processing to creative content generation. However, a recent report by the National Institute of Standards and Technology (NIST) sheds light on the increasing vulnerability of these systems to a range of sophisticated cyber attacks. The report, provides a comprehensive taxonomy of attacks targeting Generative AI (GenAI) systems, revealing the intricate ways in which these technologies can be exploited. The findings are particularly relevant as AI continues to integrate deeper into various sectors, raising concerns about the integrity and privacy implications of these systems.

INTEGRITY ATTACKS: A THREAT TO AI’S CORE

Integrity attacks affecting Generative AI systems are a type of security threat where the goal is to manipulate or corrupt the functioning of the AI system. These attacks can have significant implications, especially as Generative AI systems are increasingly used in various fields. Here are some key aspects of integrity attacks on Generative AI systems:

  1. Data Poisoning:
    • Detail: This attack targets the training phase of an AI model. Attackers inject false or misleading data into the training set, which can subtly or significantly alter the model’s learning. This can result in a model that generates biased or incorrect outputs.
    • Example: Consider a facial recognition system being trained with a dataset that has been poisoned with subtly altered images. These images might contain small, imperceptible changes that cause the system to incorrectly recognize certain faces or objects.
  2. Model Tampering:
    • Detail: In this attack, the internal parameters or architecture of the AI model are altered. This could be done by an insider with access to the model or by exploiting a vulnerability in the system.
    • Example: An attacker could alter the weightings in a sentiment analysis model, causing it to interpret negative sentiments as positive, which could be particularly damaging in contexts like customer feedback analysis.
  3. Output Manipulation:
    • Detail: This occurs post-processing, where the AI’s output is intercepted and altered before it reaches the end-user. This can be done without directly tampering with the AI model itself.
    • Example: If a Generative AI system is used to generate financial reports, an attacker could intercept and manipulate the output to show incorrect financial health, affecting stock prices or investor decisions.
  4. Adversarial Attacks:
    • Detail: These attacks use inputs that are specifically designed to confuse the AI model. These inputs are often indistinguishable from normal inputs to the human eye but cause the AI to make errors.
    • Example: A stop sign with subtle stickers or graffiti might be recognized as a speed limit sign by an autonomous vehicle’s AI system, leading to potential traffic violations or accidents.
  5. Backdoor Attacks:
    • Detail: A backdoor is embedded into the AI model during its training. This backdoor is activated by certain inputs, causing the model to behave unexpectedly or maliciously.
    • Example: A language translation model could have a backdoor that, when triggered by a specific phrase, starts inserting or altering words in a translation, potentially changing the message’s meaning.
  6. Exploitation of Biases:
    • Detail: This attack leverages existing biases within the AI model. AI systems can inherit biases from their training data, and these biases can be exploited to produce skewed or harmful outputs.
    • Example: If an AI model used for resume screening has an inherent gender bias, attackers can submit resumes that are tailored to exploit this bias, increasing the likelihood of certain candidates being selected or rejected unfairly.
  7. Evasion Attacks:
    • Detail: In this scenario, the input data is manipulated in such a way that the AI system fails to recognize it as something it is trained to detect or categorize correctly.
    • Example: Malware could be designed to evade detection by an AI-powered security system by altering its code signature slightly, making it appear benign to the system while still carrying out malicious functions.


PRIVACY ATTACKS ON GENERATIVE AI

Privacy attacks on Generative AI systems are a serious concern, especially given the increasing use of these systems in handling sensitive data. These attacks aim to compromise the confidentiality and privacy of the data used by or generated from these systems. Here are some common types of privacy attacks, explained in detail with examples:

  1. Model Inversion Attacks:
    • Detail: In this type of attack, the attacker tries to reconstruct the input data from the model’s output. This is particularly concerning if the AI model outputs something that indirectly reveals sensitive information about the input data.
    • Example: Consider a facial recognition system that outputs the likelihood of certain attributes (like age or ethnicity). An attacker could use this output information to reconstruct the faces of individuals in the training data, thereby invading their privacy.
  2. Membership Inference Attacks:
    • Detail: These attacks aim to determine whether a particular data record was used in the training dataset of a machine learning model. This can be a privacy concern if the training data contains sensitive information.
    • Example: An attacker might test an AI health diagnostic tool with specific patient data. If the model’s predictions are unusually accurate or certain, it might indicate that the patient’s data was part of the training set, potentially revealing sensitive health information.
  3. Training Data Extraction:
    • Detail: Here, the attacker aims to extract actual data points from the training dataset of the AI model. This can be achieved by analyzing the model’s responses to various inputs.
    • Example: An attacker could interact with a language model trained on confidential documents and, through carefully crafted queries, could cause the model to regurgitate snippets of these confidential texts.
  4. Reconstruction Attacks:
    • Detail: Similar to model inversion, this attack focuses on reconstructing the input data, often in a detailed and high-fidelity manner. This is particularly feasible in models that retain a lot of information about their training data.
    • Example: In a generative model trained to produce images based on descriptions, an attacker might find a way to input specific prompts that cause the model to generate images closely resembling those in the training set, potentially revealing private or sensitive imagery.
  5. Property Inference Attacks:
    • Detail: These attacks aim to infer properties or characteristics of the training data that the model was not intended to reveal. This could expose sensitive attributes or trends in the data.
    • Example: An attacker might analyze the output of a model used for employee performance evaluations to infer unprotected characteristics of the employees (like gender or race), which could be used for discriminatory purposes.
  6. Model Stealing or Extraction:
    • Detail: In this case, the attacker aims to replicate the functionality of a proprietary AI model. By querying the model extensively and observing its outputs, the attacker can create a similar model without access to the original training data.
    • Example: A competitor could use the public API of a machine learning model to systematically query it and use the responses to train a new model that mimics the original, effectively stealing the intellectual property.

SEGMENTING ATTACKS

Attacks on AI systems, including ChatGPT and other generative AI models, can be further categorized based on the stage of the learning process they target (training or inference) and the attacker’s knowledge and access level (white-box or black-box). Here’s a breakdown:

BY LEARNING STAGE:

  1. Attacks during Training Phase:
    • Data Poisoning: Injecting malicious data into the training set to compromise the model’s learning process.
    • Backdoor Attacks: Embedding hidden functionalities in the model during training that can be activated by specific inputs.
  2. Attacks during Inference Phase:
    • Adversarial Attacks: Presenting misleading inputs to trick the model into making errors during its operation.
    • Model Inversion and Reconstruction Attacks: Attempting to infer or reconstruct input data from the model’s outputs.
    • Membership Inference Attacks: Determining whether specific data was used in the training set by observing the model’s behavior.
    • Property Inference Attacks: Inferring properties of the training data not intended to be disclosed.
    • Output Manipulation: Altering the model’s output after it has been generated but before it reaches the intended recipient.

BY ATTACKER’S KNOWLEDGE AND ACCESS:

  1. White-Box Attacks (Attacker has full knowledge and access):
    • Model Tampering: Directly altering the model’s parameters or structure.
    • Backdoor Attacks: Implanting a backdoor during the model’s development, which the attacker can later exploit.
    • These attacks require deep knowledge of the model’s architecture, parameters, and potentially access to the training process.
  2. Black-Box Attacks (Attacker has limited or no knowledge and access):
    • Adversarial Attacks: Creating input samples designed to be misclassified or misinterpreted by the model.
    • Model Inversion and Reconstruction Attacks: These do not require knowledge of the model’s internal workings.
    • Membership and Property Inference Attacks: Based on the model’s output to certain inputs, without knowledge of its internal structure.
    • Training Data Extraction: Extracting information about the training data through extensive interaction with the model.
    • Model Stealing or Extraction: Replicating the model’s functionality by observing its inputs and outputs.

IMPLICATIONS:

  • Training Phase Attacks often require insider access or a significant breach in the data pipeline, making them less common but potentially more devastating.
  • Inference Phase Attacks are more accessible to external attackers as they can often be executed with minimal access to the model.
  • White-Box Attacks are typically more sophisticated and require a higher level of access and knowledge, often limited to insiders or through major security breaches.
  • Black-Box Attacks are more common in real-world scenarios, as they can be executed with limited knowledge about the model and without direct access to its internals.

Understanding these categories helps in devising targeted defense strategies for each type of attack, depending on the specific vulnerabilities and operational stages of the AI system.

HACKING CHATGPT

The ChatGPT AI model, like any advanced machine learning system, is potentially vulnerable to various attacks, including privacy and integrity attacks. Let’s explore how these attacks could be or have been used against ChatGPT, focusing on the privacy attacks mentioned earlier:

  1. Model Inversion Attacks:
    • Potential Use Against ChatGPT: An attacker might attempt to use ChatGPT’s responses to infer details about the data it was trained on. For example, if ChatGPT consistently provides detailed and accurate information about a specific, less-known topic, it could indicate the presence of substantial training data on that topic, potentially revealing the nature of the data sources used.
  2. Membership Inference Attacks:
    • Potential Use Against ChatGPT: This type of attack could try to determine if a particular text or type of text was part of ChatGPT’s training data. By analyzing the model’s responses to specific queries, an attacker might guess whether certain data was included in the training set, which could be a concern if the training data included sensitive or private information.
  3. Training Data Extraction:
    • Potential Use Against ChatGPT: Since ChatGPT generates text based on patterns learned from its training data, there’s a theoretical risk that an attacker could manipulate the model to output segments of text that closely resemble or replicate parts of its training data. This is particularly sensitive if the training data contained confidential or proprietary information.
  4. Reconstruction Attacks:
    • Potential Use Against ChatGPT: Similar to model inversion, attackers might try to reconstruct input data (like specific text examples) that the model was trained on, based on the information the model provides in its outputs. However, given the vast and diverse dataset ChatGPT is trained on, reconstructing specific training data can be challenging.
  5. Property Inference Attacks:
    • Potential Use Against ChatGPT: Attackers could analyze responses from ChatGPT to infer properties about its training data that aren’t explicitly modeled. For instance, if the model shows biases or tendencies in certain responses, it might reveal unintended information about the composition or nature of the training data.
  6. Model Stealing or Extraction:
    • Potential Use Against ChatGPT: This involves querying ChatGPT extensively to understand its underlying mechanisms and then using this information to create a similar model. Such an attack would be an attempt to replicate ChatGPT’s capabilities without access to the original model or training data.


Integrity attacks on AI models like ChatGPT aim to compromise the accuracy and reliability of the model’s outputs. Let’s examine how these attacks could be or have been used against the ChatGPT model, categorized by the learning stage and attacker’s knowledge:

ATTACKS DURING TRAINING PHASE (WHITE-BOX):

  • Data Poisoning: If an attacker gains access to the training pipeline, they could introduce malicious data into ChatGPT’s training set. This could skew the model’s understanding and responses, leading it to generate biased, incorrect, or harmful content.
  • Backdoor Attacks: An insider or someone with access to the training process could implant a backdoor into ChatGPT. This backdoor might trigger specific responses when certain inputs are detected, which could be used to spread misinformation or other harmful content.

ATTACKS DURING INFERENCE PHASE (BLACK-BOX):

  • Adversarial Attacks: These involve presenting ChatGPT with specially crafted inputs that cause it to produce erroneous outputs. For instance, an attacker could find a way to phrase questions or prompts that consistently mislead the model into giving incorrect or nonsensical answers.
  • Output Manipulation: This would involve intercepting and altering ChatGPT’s responses after they are generated but before they reach the user. While this is more of an attack on the communication channel rather than the model itself, it can still undermine the integrity of ChatGPT’s outputs.

IMPLICATIONS AND DEFENSE STRATEGIES:

  • During Training: Ensuring the security and integrity of the training data and process is crucial. Regular audits, anomaly detection, and secure data handling practices are essential to mitigate these risks.
  • During Inference: Robust model design to resist adversarial inputs, continuous monitoring of responses, and secure deployment architectures can help in defending against these attacks.

REAL-WORLD EXAMPLES AND CONCERNS:

  • To date, there haven’t been publicly disclosed instances of successful integrity attacks specifically against ChatGPT. However, the potential for such attacks exists, as demonstrated in academic and industry research on AI vulnerabilities.
  • OpenAI, the creator of ChatGPT, employs various countermeasures like input sanitization, monitoring model outputs, and continuously updating the model to address new threats and vulnerabilities.

In conclusion, while integrity attacks pose a significant threat to AI models like ChatGPT, a combination of proactive defense strategies and ongoing vigilance is key to mitigating these risks.

While these attack types broadly apply to all generative AI systems, the report notes that some vulnerabilities are particularly pertinent to specific AI architectures, like Large Language Models (LLMs) and Retrieval Augmented Generation (RAG) systems. These models, which are at the forefront of natural language processing, are susceptible to unique threats due to their complex data processing and generation capabilities.

The implications of these vulnerabilities are vast and varied, affecting industries from healthcare to finance, and even national security. As AI systems become more integrated into critical infrastructure and everyday applications, the need for robust cybersecurity measures becomes increasingly urgent.

The NIST report serves as a clarion call for the AI industry, cybersecurity professionals, and policymakers to prioritize the development of stronger defense mechanisms against these emerging threats. This includes not only technological solutions but also regulatory frameworks and ethical guidelines to govern the use of AI.

In conclusion, the report is a timely reminder of the double-edged nature of AI technology. While it offers immense potential for progress and innovation, it also brings with it new challenges and threats that must be addressed with vigilance and foresight. As we continue to push the boundaries of what AI can achieve, ensuring the security and integrity of these systems remains a paramount concern for a future where technology and humanity can coexist in harmony.

ChatGPT FOR CYBERSECUITY: The Ultimate Weapon Against Hackers


Jan 02 2024

Hackers Attack UK’s Nuclear Waste Services Through LinkedIn

Category: Cyber Attack,Hackingdisc7 @ 10:48 am

Fortunately for Radioactive Waste Management (RWM), the first-of-its-kind hacker attack on the project was unsuccessful.

The United Kingdom’s Radioactive Waste Management (RWM) company overseeing the nation’s radioactive waste has revealed a recent cyberattack attempt through LinkedIn. While the attack was reportedly unsuccessful, it has raised eyebrows in the nuclear sector, sparking concerns about the security of critical nuclear infrastructure.

As reported by The Guardian, the hackers directed their attack at the company through LinkedIn. However, whether it was a phishing attack or an attempt to trick employees into installing malware on the system, the modus operandi remains unknown.

Typically, LinkedIn is exploited for phishing scams targeting employees of specific companies. An example from last year involves ESET researchers reporting a cyberespionage campaign by North Korean government-backed hackers from the Lazarus group. The campaign specifically targeted employees at a Spanish aerospace firm.

The RWM is spearheading the £50bn Geological Disposal Facility (GDF) project, aimed at constructing a substantial underground nuclear waste repository in Britain. As a government-owned entity, RWM facilitated the merger of three nuclear bodies—the GDF project, the Low-Level Waste Repository, and another waste management entity—to establish Nuclear Waste Services (NWS).

“NWS has seen, like many other UK businesses, that LinkedIn has been used as a source to identify the people who work within our business. These attempts were detected and denied through our multi-layered defences,” stated an NWS spokesperson.

However, the incident raises concerns, as experts warn that social media platforms such as LinkedIn are becoming preferred playgrounds for hackers. These platforms provide multiple avenues for infiltration, including the creation of fake accounts, phishing messages, and direct credential theft.

The FBI’s special agent in charge of the San Francisco and Sacramento field offices, Sean Ragan, has emphasized the ‘significant threat’ of fraudsters exploiting LinkedIn to lure users into cryptocurrency investment schemes, citing numerous potential victims and past and current cases.

In October 2023, email security firm Cofense discovered a phishing campaign abusing Smart Links, part of the LinkedIn Sales Navigator and Enterprise service, to send authentic-looking emails, steal payment data, and bypass email protection mechanisms.

In November 2023, a LinkedIn database containing over 35 million users’ personal information was leaked by a hacker named USDoD, who previously breached the FBI’s InfraGard platform. The database was obtained through web scraping, an automated process to extract data from websites.

Social engineering attacks, such as deceptive emails and malicious links, offer hackers a gateway to sensitive information. LinkedIn has taken steps to warn users about potential scams and provide resources for staying safe online. Still, concerns about digital security remain prevalent in the nuclear industry, especially after the Guardian exposĂ© of cybersecurity vulnerabilities at the Sellafield plant. 

In 2023, the Sellafield nuclear site in Cumbria experienced cybersecurity issues, indicating a need for improved safeguards and tighter regulations. The RWM incident highlights the growing interest of cybercrime syndicates to target nuclear sites.

The NWS acknowledges the need for continuous improvement to strengthen cybersecurity measures, highlighting that emergency response plans must match evolving business needs.

Cyber Threats and Nuclear Weapons

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Cyber Threats and Nuclear Weapons, UK’s Nuclear Waste Services


Dec 18 2023

8220 Hacker Group Attacking Windows & Linux Web Servers

Category: Cyber Attack,Hacking,Linux Security,Windows Securitydisc7 @ 1:40 pm

The 8220 hacker group, which was first identified in 2017 by Cisco Talos, is exploiting both Windows and Linux web servers with crypto-jacking malware. One of their recent activities involved the exploitation of Oracle WebLogic vulnerability (CVE-2017-3506) and Log4Shell (CVE-2021-44228).

However, the history of this threat group had several exploited vulnerabilities such as Confluence, Log4j, Drupal, Hadoop YARN, and Apache Struts2 applications. Their TTPs are evolved with different publicly released exploits.

8220 Hacker Group

In addition to this, the group was also discovered to be exploiting (CVE-2020-14883), a Remote code execution vulnerability in Oracle WebLogic Server. This exploitation chain is combined with another authentication bypass vulnerability (CVE-2020-14882) in the Oracle WebLogic server.

The exploitation methods of these two vulnerabilities are publicly available, making it relatively easy for the threat actor to modify and exploit them for malicious purposes. 

Two different exploit chains were discovered, and one of them enables the loading of an XML file used for further phases of execution of commands on the OS, whereas the other one executes Java code without the use of an XML file.

Infection Chains

The first infection chain uses different XML files that depend on the target OS. In the case of Linux, the downloading of other files is performed via cURL, wget, lwp-download, and python urllib along with a custom bash function that encodes it to base64.

Custom bash function (Source: Imperva)

The method injects a Java code which also initially evaluates the OS and executes the same command strings executed in the first method. Once the download and execution process takes place, the compromised hosts are infected with AgentTesla, rhajk, and nasqa malware variants.

complete report has been published, which provides detailed information about the exploitation, command used, encoding, and other information.

Indicators Of Compromise

URL

URL

Source IPs

Source IPs
Malicious File Hashes

Common Windows, Linux and Web Server Systems Hacking Techniques

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Windows & Linux Web Servers


Next Page »