Apr 15 2024

THE PATH TO A PENTESTING CAREER (A BLUEPRINT FOR ASPIRING WHITE HATS)

Category: Hacking,Pen Test,Security Toolsdisc7 @ 7:22 am

Security analysis of web applications is, first of all, a search and investigation of cases of incorrect functioning of program code and vulnerabilities. Those who choose a penetration tester’s profession should keep in mind that it requires continuous learning and the ability to use a library of resources for self-education. A common situation is that while you are studying vulnerabilities in one framework, a dozen new reports are published. To quickly understand the potential vulnerabilities associated with previously unknown technologies, you need to be well-versed in the sources of information. When working in a team on an actual pentest project, there is usually no time for a thoughtful search. So, if your skills are combined with a strong foundational education, you are looking at promising career opportunities.

Your initial understanding of the subject can be developed through cybersecurity analysis courses at the university. These courses can also help you decide if this career path is right for you. It is good to receive foundational training in software development and networking, including web applications, while you are at university. Afterward, you can gain hands-on experience by practicing infrastructure penetration testing.

Usually, your initial attempts to secure a job as a web penetration tester might reveal gaps in your knowledge. Seeking employment at companies like VentureDive, where the work could help fill these educational gaps and offer valuable experience, is a smart approach. For instance, you could start as a technical support specialist in information security at a large company. After about two to four months, you might go for your first interview for a security analyst position, during which you could identify any weak points you might still have. With a few more months of work under the guidance of a mentor and diving into training materials, you could successfully land a position as a penetration tester.

Choosing where to work in the future is not as straightforward as it may appear. In a large, well-known company, you will be surrounded by a high level of expertise and likely assigned a mentor. However, the opportunity to find truly interesting vulnerabilities in real projects might be limited. This is because such organizations often have costly services, and their clients are usually not willing to skimp on development and security. Consequently, you will be working with quality products that have undergone thorough security testing, reducing the likelihood of encountering situations that provide valuable experience.

In a small company, you should not expect to find a mentor, a high level of expertise, or an impressive salary. However, these companies often get orders to pentest applications with many vulnerabilities, providing invaluable experience for those new to the profession. With this experience under your belt, you could eventually transition to a larger company.

Mastering Interview Techniques

Given that we cannot cover everything, let’s go over the essential knowledge and skills you need to analyze vulnerabilities in web applications.

  • A pentester needs to understand how applications function on the network level, which includes knowing about TCP handshakes, domain names, IPs, proxies, etc. It is also important to grasp the basics of how HTTP and HTTPS protocols work. Being prepared to answer questions like “What is the difference between HTTP methods?” “When should PATCH be used as opposed to POST?” and “How do HTTP 0.9/1.1 differ from HTTP/2?” is a part of this foundational knowledge.
  • Vulnerabilities are not always tucked away in a web application’s code; sometimes, they are embedded in its architecture, like within the web server itself. Often, a pentester might not have a direct view of the application’s architecture but can infer how it functions. Therefore, having knowledge in this area is incredibly useful.
  • As vulnerabilities become more complex, it is important to grasp the basics. This foundational understanding allows you to tackle more complex issues as they arise.
  • Developing the ability to search for answers to your questions using open sources is vital, even if you have someone to ask. Always start by seeking out information and attempting to solve problems on your own before seeking help.
  • Being able to write and read code in various languages, including PHP, Python, JavaScript, Java, and C#, is essential. When it comes to analyzing web applications, you will encounter different approaches, such as white box, gray box, and black box testing. For example, if you are doing white box testing and have access to the application’s source code, having development experience is a big plus. Additionally, the ability to write automation scripts and tailor third-party tools to fit your needs is a valuable skill.
  • Pentest projects frequently require examining the application from the outside in. You need the ability to scan the network and identify vulnerable services to ensure no obvious security flaws are overlooked.
  • In your work, you will often need to theoretically explain the nature of a vulnerability. This requires understanding basic concepts, such as how databases operate, the properties of information, and what constitutes vulnerability and exploitation. Essential skills also include system administration for both Windows and Linux.

Simply studying a vast number of vulnerabilities will turn you into a top-tier professional because it does not cultivate the skill of discovering them. During actual pentest projects, the toughest part is often identifying vulnerabilities. It is advised to search for vulnerable applications and analyze them without peeking at the technology stack or hints about the vulnerabilities. This practice offers foundational experience and insights into how things operate in an actual project.

For those lacking a basic education in security analysis, paid penetration testing courses are an option to consider. Unfortunately, the better courses tend to be expensive, and it is difficult to recommend any budget-friendly options that are truly effective. It is crucial to realize that these courses will not turn you into an expert overnight, as some might claim, but they will provide you with a solid understanding of the profession.

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: ASPIRING WHITE HATS


Apr 10 2024

New SharePoint Technique Lets Hackers Bypass Security Measures

Category: Hacking,Security controlsdisc7 @ 9:36 am

Two new techniques uncovered in SharePoint enable malicious actors to bypass traditional security measures and exfiltrate sensitive data without triggering standard detection mechanisms.

Illicit file downloads can be disguised as harmless activities, making it difficult for cybersecurity defenses to detect them. To accomplish this, the system’s features are manipulated in various ways.

Security researchers from Varonis Threat Labs discovered two SharePoint techniques.

Open-In-App Method

The first technique dubbed the “Open in App Method,” takes advantage of the SharePoint feature, which allows users to open documents directly in their associated applications.

While this feature is designed for user convenience, it has inadvertently created a loophole for data breaches.

Attackers can use this feature’s underlying code to access and download files, leaving behind only an access event in the file’s audit log.

This subtle footprint can easily be overlooked, as it does not resemble a typical download event.

The exploitation of this method can be carried out manually or automated through a PowerShell script.

When automated, the script can rapidly exfiltrate many files, significantly amplifying the potential damage.

The script leverages the SharePoint client object model (CSOM) to fetch files from the cloud and save them to a local computer, avoiding creating a download log entry.

SkyDriveSync User-Agent

The second technique involves the manipulation of the User-Agent string for Microsoft SkyDriveSync, now known as OneDrive, Varonis said.

By masquerading as the sync client, attackers can download files or even entire SharePoint sites.

These downloads are mislabeled as file synchronization events rather than actual downloads, thus slipping past security measures that are designed to detect and log file downloads.

This method is particularly insidious because it can be used to exfiltrate data on a massive scale, and the sync disguise makes it even harder for security tools to distinguish between legitimate and malicious activities.

The use of this technique suggests a sophisticated understanding of SharePoint and OneDrive’s synchronization mechanisms, which could be exploited to systematically drain data from an organization without raising alarms.

Microsoft’s Response And Security Patch Backlog

Upon discovery, Varonis researchers promptly reported these vulnerabilities to Microsoft in November 2023. Microsoft has acknowledged the issue and categorized these vulnerabilities as “moderate” security risks.

They have been added to Microsoft’s patch backlog program, indicating that a fix is in the pipeline but may not be immediately available.

The discovery of these techniques underscores the risks associated with SharePoint and OneDrive, especially when permissions are misconfigured or overly permissive.

Organizations relying on these services for file sharing and collaboration must be vigilant and proactive in managing access rights to minimize the risk of unauthorized data access.

To combat these vulnerabilities, organizations are advised to implement additional detection strategies.

Monitoring for unusual patterns of access events, especially those that could indicate the use of the “Open in App Method,” is crucial.

Similarly, keeping an eye on sync activities and verifying that they match expected user behavior can help identify misuse of the SkyDriveSync User-Agent technique.

Furthermore, organizations should prioritize the review and tightening of permissions across their SharePoint and OneDrive environments.

Regular audits and updates to security policies can help prevent threat actors from exploiting such vulnerabilities in the first place.

Permissions Management in SharePoint Online – A Practical Guide

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: SharePoint


Apr 05 2024

Hackers Hijack Facebook Pages To Mimic AI Brands & Inject Malware

Category: AI,Hacking,Malwaredisc7 @ 8:08 am

Hackers have been found hijacking Facebook pages to impersonate popular AI brands, thereby injecting malware into the devices of unsuspecting users.

This revelation comes from a detailed investigation by Bitdefender Labs, which has been closely monitoring these malicious campaigns since June 2023.

Recent analyses of malvertising campaigns have revealed a disturbing trend.

Ads are distributing an assortment of malicious software, which poses severe risks to consumers’ devices, data, and identity.

Unwitting interactions with these malware-serving ads could lead to downloading and deploying harmful files, including Rilide Stealer, Vidar Stealer, IceRAT, and Nova Stealer, onto users’ devices.

Rilide Stealer V4: A Closer Look

Bitdefender Labs has spotlighted an updated version of the Rilide Stealer (V4) lurking within sponsored ad campaigns that impersonate popular AI-based software and photo editors such as Sora, CapCut, Gemini AI, Photo Effects Pro, and CapCut Pro.

This malicious extension, targeting Chromium-based browsers, is designed to monitor browsing history, capture login credentials, and even facilitate the withdrawal of crypto funds by bypassing two-factor authentication through script injections.

Sora Ad campaign
Gemini Ad Campaign

Key Updates in Rilide V4:

  • Targeting of Facebook cookies
  • Masquerading as a Google Translate Extension
  • Enhanced obfuscation techniques to conceal the software’s true intent

Indicators Of Compromise

Malicious hashes

  • 2d6829e8a2f48fff5348244ce0eaa35bcd4b26eac0f36063b9ff888e664310db – OpenAI Sora official version setup.msi – Sora
  • a7c07d2c8893c30d766f383be0dd78bc6a5fd578efaea4afc3229cd0610ab0cf – OpenAI Sora Setup.zip – Sora
  • e394f4192c2a3e01e6c1165ed1a483603b411fd12d417bfb0dc72bd6e18e9e9d – Setup.msi – Sora
  • 021657f82c94511e97771739e550d63600c4d76cef79a686aa44cdca668814e0 – Setup.msi – Sora
  • 92751fd15f4d0b495e2b83d14461d22d6b74beaf51d73d9ae2b86e2232894d7b – Setup.msi – Sora
  • 32a097b510ae830626209206c815bbbed1c36c0d2df7a9d8252909c604a9c1f1 – Setup.msi – Sora
  • c665ff2206c9d4e50861f493f8e7beca8353b37671d633fe4b6e084c62e58ed9 – Setup.msi – Sora
  • 0ed3b92fda104ac62cc3dc0a5ed0f400c6958d7034e3855cad5474fca253125e – Capcut Pro For PC.setup.msi – Capcut
  • 757855fcd47f843739b9a330f1ecb28d339be41eed4ae25220dc888e57f2ec51 – OpenAI ChatGPT-4.5 Version Free.msi – ChatGPT
  • 3686204361bf6bf8db68fd81e08c91abcbf215844f0119a458c319e92a396ecf – Google Gemini AI Ultra Version Updata.msi – Gemini AI
  • d60ea266c4e0f0e8d56d98472a91dd5c37e8eeeca13bf53e0381f0affc68e78a – Photo Effects Pro v3.1.3 Setup.msi – Photo Effects
  • bb7c3b78f2784a7ac3c090331326279476c748087188aeb69f431bbd70ac6407 – Photo Effects Pro v3.1.3 Setup.msi – Photo Effects
  • 0ed3b92fda104ac62cc3dc0a5ed0f400c6958d7034e3855cad5474fca253125e – AISora.setup.msi – Sora

Vidar Stealer: Evolving Threats

Vidar Stealer, another prolific info stealer, is marketed through the same MaaS model via dark web ads, forums, and Telegram groups.

Capable of exfiltrating personal information and crypto from compromised devices, Vidar’s distribution has evolved from spam campaigns and cracked software to malicious Google Search ads and social media platforms, mainly through sponsored ads on Meta’s platform.

Indicators Of Compromise

Malicious hashes

  • 6396ac7b1524bb9759f434fe956a15f5364284a04acd5fc0ef4b625de35d766b- g2m.dll – MidJourney
  • 76ed62a335ac225a2b7e6dade4235a83668630a9c1e727cf4ddb0167ab2202f6- Midjourney.7z – MidJourney

IceRAT: More Than Just A Trojan

Despite its name, IceRAT functions more as a backdoor on compromised devices. It acts as a gateway for secondary infections, such as crypto miners and information stealers that target login credentials and other sensitive data.

Indicators Of Compromise

Malicious hashes

  • aab585b75e868fb542e6dfcd643f97d1c5ee410ca5c4c5ffe1112b49c4851f47- Midjourneyv6.exe – MidJourney
  • b5f740c0c1ac60fa008a1a7bd6ea77e0fc1d5aa55e6856d8edcb71487368c37c- Midjourneyv6ai.exe – MidJourney
  • cc15e96ec1e27c01bd81d2347f4ded173dfc93df673c4300faac5a932180caeb- Mid_Setup.exe – MidJourney
  • d2f12dec801000fbd5ccc8c0e8ed4cf8cc27a37e1dca9e25afc0bcb2287fbb9a- Midjourney_v6.exe – MidJourney
  • f2fc27b96a4a487f39afad47c17d948282145894652485f9b6483bec64932614-Midjourneyv6.1_ins.exe – MidJourney
  • f99aa62ee34877b1cd02cfd7e8406b664ae30c5843f49c7e89d2a4db56262c2e – Midjourneys_Setup.exe – MidJourney
  • 54a992a4c1c25a923463865c43ecafe0466da5c1735096ba0c3c3996da25ffb7 – Mid_Setup.exe – MidJourney
  • 4a71a8c0488687e0bb60a2d0199b34362021adc300541dd106486e326d1ea09b- Mid_Setup.exe – MidJourney

Nova Stealer: The New Kid On The Block

Nova Stealer emerges as a highly proficient info stealer with capabilities including password exfiltration, screen recordings, discord injections, and crypto wallet hijacking.

Nova Stealer, offered as MaaS by the threat actor known as Sordeal, represents a significant threat to digital security.

Indicators Of Compromise

Malicious hashes

  • fb3fbee5372e5050c17f72dbe0eb7b3afd3a57bd034b6c2ac931ad93b695d2d9- Instructions_for_using_today_s_AI.pdf.rar – AI and Life
  • 6a36f1f1821de7f80cc9f8da66e6ce5916ac1c2607df3402b8dd56da8ebcc5e2- Instructions_for_using_today_s_AI.xlsx_rar.rar – AI and Life
  • fe7e6b41766d91fbc23d31573c75989a2b0f0111c351bed9e2096cc6d747794b- Instructions for using today’s AI.pdf.exe – AI and Life
  • ce0e41e907cab657cc7ad460a5f459c27973e9346b5adc8e64272f47026d333d- Instructions for using today’s AI.xlsx.exe – AI and Life
  • a214bc2025584af8c38df36b08eb964e561a016722cd383f8877b684bff9e83d- 20 digital marketing tips for 2024.xlsx.exe – Google Digital Marketing
  • 53714612af006b06ca51cc47abf0522f7762ecb1300e5538485662b1c64d6f55 – Premium advertising course registration form from Oxford.exe – Google Digital Marketing
  • 728953a3ebb0c25bcde85fd1a83903c7b4b814f91b39d181f0fc610b243c98d4- New Microsoft Excel Worksheet.exe – Google Digital Marketing

The Midjourney Saga: AI’s Dark Side

The addition of AI tools on the internet, from free offerings and trials to subscription-based services, has not gone unnoticed by cybercriminals.

Midjourney, a leading generative AI tool with a user base exceeding 16 million as of November 2023, has become a favored tool among cyber gangs over the past year, highlighting the intersection of cutting-edge technology and cybercrime.

Midjourney has been a fan-favorite among cybercriminal gangs as well over the past year.
Midjourney has been a fan-favorite among cybercriminal gangs as well over the past year.

Indicators Of Compromise

  • 159.89.120.191
  • 159.89.98.241

As the digital landscape continues to evolve, so does the nature of the threats it maintains.

The rise of Malware-as-a-Service represents a significant shift in the cyber threat paradigm that requires vigilant and proactive measures to combat.

Key Updates in Rilide V4:

  • Targeting of Facebook cookies
  • Masquerading as a Google Translate Extension
  • Enhanced obfuscation techniques to conceal the software’s true intent

Indicators Of Compromise

Malicious hashes

  • 2d6829e8a2f48fff5348244ce0eaa35bcd4b26eac0f36063b9ff888e664310db – OpenAI Sora official version setup.msi – Sora
  • a7c07d2c8893c30d766f383be0dd78bc6a5fd578efaea4afc3229cd0610ab0cf – OpenAI Sora Setup.zip – Sora
  • e394f4192c2a3e01e6c1165ed1a483603b411fd12d417bfb0dc72bd6e18e9e9d – Setup.msi – Sora
  • 021657f82c94511e97771739e550d63600c4d76cef79a686aa44cdca668814e0 – Setup.msi – Sora
  • 92751fd15f4d0b495e2b83d14461d22d6b74beaf51d73d9ae2b86e2232894d7b – Setup.msi – Sora
  • 32a097b510ae830626209206c815bbbed1c36c0d2df7a9d8252909c604a9c1f1 – Setup.msi – Sora
  • c665ff2206c9d4e50861f493f8e7beca8353b37671d633fe4b6e084c62e58ed9 – Setup.msi – Sora
  • 0ed3b92fda104ac62cc3dc0a5ed0f400c6958d7034e3855cad5474fca253125e – Capcut Pro For PC.setup.msi – Capcut
  • 757855fcd47f843739b9a330f1ecb28d339be41eed4ae25220dc888e57f2ec51 – OpenAI ChatGPT-4.5 Version Free.msi – ChatGPT
  • 3686204361bf6bf8db68fd81e08c91abcbf215844f0119a458c319e92a396ecf – Google Gemini AI Ultra Version Updata.msi – Gemini AI
  • d60ea266c4e0f0e8d56d98472a91dd5c37e8eeeca13bf53e0381f0affc68e78a – Photo Effects Pro v3.1.3 Setup.msi – Photo Effects
  • bb7c3b78f2784a7ac3c090331326279476c748087188aeb69f431bbd70ac6407 – Photo Effects Pro v3.1.3 Setup.msi – Photo Effects
  • 0ed3b92fda104ac62cc3dc0a5ed0f400c6958d7034e3855cad5474fca253125e – AISora.setup.msi – Sora

Vidar Stealer: Evolving Threats

Vidar Stealer, another prolific info stealer, is marketed through the same MaaS model via dark web ads, forums, and Telegram groups.

Capable of exfiltrating personal information and crypto from compromised devices, Vidar’s distribution has evolved from spam campaigns and cracked software to malicious Google Search ads and social media platforms, mainly through sponsored ads on Meta’s platform.

Indicators Of Compromise

Malicious hashes

  • 6396ac7b1524bb9759f434fe956a15f5364284a04acd5fc0ef4b625de35d766b- g2m.dll – MidJourney
  • 76ed62a335ac225a2b7e6dade4235a83668630a9c1e727cf4ddb0167ab2202f6- Midjourney.7z – MidJourney

IceRAT: More Than Just A Trojan

Despite its name, IceRAT functions more as a backdoor on compromised devices. It acts as a gateway for secondary infections, such as crypto miners and information stealers that target login credentials and other sensitive data.

Indicators Of Compromise

Malicious hashes

  • aab585b75e868fb542e6dfcd643f97d1c5ee410ca5c4c5ffe1112b49c4851f47- Midjourneyv6.exe – MidJourney
  • b5f740c0c1ac60fa008a1a7bd6ea77e0fc1d5aa55e6856d8edcb71487368c37c- Midjourneyv6ai.exe – MidJourney
  • cc15e96ec1e27c01bd81d2347f4ded173dfc93df673c4300faac5a932180caeb- Mid_Setup.exe – MidJourney
  • d2f12dec801000fbd5ccc8c0e8ed4cf8cc27a37e1dca9e25afc0bcb2287fbb9a- Midjourney_v6.exe – MidJourney
  • f2fc27b96a4a487f39afad47c17d948282145894652485f9b6483bec64932614-Midjourneyv6.1_ins.exe – MidJourney
  • f99aa62ee34877b1cd02cfd7e8406b664ae30c5843f49c7e89d2a4db56262c2e – Midjourneys_Setup.exe – MidJourney
  • 54a992a4c1c25a923463865c43ecafe0466da5c1735096ba0c3c3996da25ffb7 – Mid_Setup.exe – MidJourney
  • 4a71a8c0488687e0bb60a2d0199b34362021adc300541dd106486e326d1ea09b- Mid_Setup.exe – MidJourney

Nova Stealer: The New Kid On The Block

Nova Stealer emerges as a highly proficient info stealer with capabilities including password exfiltration, screen recordings, discord injections, and crypto wallet hijacking.

Nova Stealer, offered as MaaS by the threat actor known as Sordeal, represents a significant threat to digital security.

Indicators Of Compromise

Malicious hashes

  • fb3fbee5372e5050c17f72dbe0eb7b3afd3a57bd034b6c2ac931ad93b695d2d9- Instructions_for_using_today_s_AI.pdf.rar – AI and Life
  • 6a36f1f1821de7f80cc9f8da66e6ce5916ac1c2607df3402b8dd56da8ebcc5e2- Instructions_for_using_today_s_AI.xlsx_rar.rar – AI and Life
  • fe7e6b41766d91fbc23d31573c75989a2b0f0111c351bed9e2096cc6d747794b- Instructions for using today’s AI.pdf.exe – AI and Life
  • ce0e41e907cab657cc7ad460a5f459c27973e9346b5adc8e64272f47026d333d- Instructions for using today’s AI.xlsx.exe – AI and Life
  • a214bc2025584af8c38df36b08eb964e561a016722cd383f8877b684bff9e83d- 20 digital marketing tips for 2024.xlsx.exe – Google Digital Marketing
  • 53714612af006b06ca51cc47abf0522f7762ecb1300e5538485662b1c64d6f55 – Premium advertising course registration form from Oxford.exe – Google Digital Marketing
  • 728953a3ebb0c25bcde85fd1a83903c7b4b814f91b39d181f0fc610b243c98d4- New Microsoft Excel Worksheet.exe – Google Digital Marketing

The Midjourney Saga: AI’s Dark Side

The addition of AI tools on the internet, from free offerings and trials to subscription-based services, has not gone unnoticed by cybercriminals.

Midjourney, a leading generative AI tool with a user base exceeding 16 million as of November 2023, has become a favored tool among cyber gangs over the past year, highlighting the intersection of cutting-edge technology and cybercrime.

Midjourney has been a fan-favorite among cybercriminal gangs as well over the past year.
Midjourney has been a fan-favorite among cybercriminal gangs as well over the past year.

Indicators Of Compromise

  • 159.89.120.191
  • 159.89.98.241

As the digital landscape continues to evolve, so does the nature of the threats it maintains.

The rise of Malware-as-a-Service represents a significant shift in the cyber threat paradigm that requires vigilant and proactive measures to combat.

The Complete Guide to Software as a Service: Everything you need to know about SaaS

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: Hijack Facebook Pages


Mar 25 2024

170K+ Python Developers GitHub Accounts Hacked In Supply Chain Attack

Category: Cyber Attack,Hacking,Pythondisc7 @ 8:38 am

Over 170,000 users have fallen victim to a meticulously orchestrated scheme exploiting the Python software supply chain.

The Checkmarx Research team has uncovered a multi-faceted attack campaign that leverages fake Python infrastructure to distribute malware, compromising the security of countless developers and organizations.

This article delves into the attack campaign, its impact on victims, the tactics, techniques, and procedures (TTPs) employed by the threat actors, and the critical findings from Checkmarx’s investigation.

Attack Campaign Description

The core of this malicious campaign revolves around an attacker’s ability to combine several TTPs to launch a silent attack on the software supply chain, specifically targeting the Python ecosystem.

By creating multiple malicious open-source tools with enticing descriptions, the attackers lured victims into their trap, primarily through search engines.

Python mirror -files.pythonhosted.org

The campaign’s sophistication is evident in distributing a malicious dependency hosted on a fake Python infrastructure, which was then linked to popular projects on GitHub and legitimate Python packages.

A chilling account from Mohammed Dief, a Python developer and one of the campaign’s victims, highlights the stealth and impact of the attack.

Dief encountered a suspicious error message while working on his laptop, the first sign of the compromise, leading to the realization that his system had been hacked.

Victims And Impact

Among the notable victims of this campaign is the Top.gg GitHub organization, a community boasting over 170,000 members.

The attackers managed to hijack GitHub accounts with high reputations, including that of “editor-syntax,” a maintainer with write permissions to Top.gg’s repositories.

The Top.gg community (which boasts over 170K members) was also a victim of  this attack
The Top.gg community (which boasts over 170K members) was also a victim of  this attack

This allowed them to commit malicious acts and increase the visibility and credibility of their malicious repositories.

The attack’s impact is far-reaching, affecting individual developers and larger communities alike.

Social engineering schemes, account takeovers, and malicious packages published on the PyPi registry have underscored the software supply chain’s vulnerability to such sophisticated attacks.

The Checkmarx Research team has uncovered an attack campaign aimed at the software supply chain.

The campaign appears to have successfully exploited multiple victims.

Threat Actors And TTPs

The threat actors behind this campaign demonstrated high sophistication and planning.

They employed a range of TTPs, including:

  • Account Takeover via Stolen Cookies: The attackers gained access to high-reputation GitHub accounts by stealing session cookies, bypassing the need for passwords.
  • Publishing Malicious Packages: By setting up a custom Python mirror and publishing malicious packages to the PyPi registry, they could distribute malware under the guise of legitimate software.
  • Social Engineering: The attackers used social engineering to trick users into downloading malicious dependencies, further spreading the malware.

By deploying a fake Python package mirror and utilizing typosquatting techniques, the attackers could deceive users and systems into downloading poisoned versions of popular packages like “Colorama.

“The malicious payload delivered through these packages is designed to harvest sensitive information, including passwords, credentials, and data from various software applications.

Malicious Package

The malware targets web browsers, Discord, cryptocurrency wallets, and Telegram, and even includes a keylogging component to capture victims’ keystrokes.

The final stage of the malware reveals its data-stealing capabilities, targeting not only personal and financial information but also attempting to gain unauthorized access to victims’ social media and communication platforms.

This attack campaign highlights the critical vulnerabilities within the software supply chain, particularly in open-source ecosystems like Python’s.

The sophistication and success of the attackers in exploiting these vulnerabilities underscore the need for heightened vigilance and robust security practices among developers and organizations.

Through continuous monitoring, collaboration, and information sharing, the cybersecurity community can mitigate risks and protect the integrity of open-source software.

Python for Cybersecurity: Using Python for Cyber Offense and Defense 

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: supply chain attack


Feb 26 2024

HackerGPT – A ChatGPT-Powered AI Tool for Ethical Hackers & Cyber Security Community

Category: ChatGPT,Hackingdisc7 @ 8:20 am

HackerGPT is a cutting-edge AI tool designed explicitly for the cybersecurity sector, particularly beneficial for individuals involved in ethical hacking, such as bug bounty hunters.

This advanced assistant is at the cutting edge of cyber intelligence, offering a vast repository of hacking methods, tools, and tactics. More than a mere repository of information, HackerGPT actively engages with users, aiding them through the complexities of cybersecurity.

There are several ChatGPT-powered tools, such as OSINVGPTPentestGPTWormGPTand BurpGPT, that have already been developed for the cyber security community, and HackerGPT is writing a new chapter for the same.

What is the Purpose of HackerGPT:

It leverages the capabilities of ChatGPT, enhanced with specialized training data, to assist in various cybersecurity tasks, including network and mobile hacking, and understand different hacking tactics without resorting to unethical practices like jailbreaking.

HackerGPT generates responses to user queries in real-time, adhering to ethical guidelines. It supports both GPT-3 and GPT-4 models, providing users with access to a wide range of hacking techniques and methodologies.

The tool is available for use via a web browser, with plans to develop an app version in the future. It offers a 14-day trial with unlimited messages and faster response times.

HackerGPT aims to streamline the hacking process, making it significantly easier for cybersecurity professionals to generate payloads, understand attack vectors, and communicate complex technical results effectively.

This AI-powered assistant is seen as a valuable resource for enhancing security evaluations and facilitating the understanding of potential risks and countermeasures among both technical and non-technical stakeholders

Recently, HackerGPT released 2.0, and the beta is now available here.

Upon posing a query to HackerGPT, the process begins with authentication of the user and management of query allowances, which differ for free and premium users.

The system then probes its extensive database to find the most relevant information to the query. For non-English inquiries, translation is employed to ensure the database search is effective.

If a suitable match is discovered, it is integrated into the AI’s response mechanism. The query is securely transmitted to OpenAI or OpenRouter for processing, ensuring no personal data is included. The response you receive depends on the module in use:

  • HackerGPT Module: A customized version of Mixtral 8x7B with semantic search capabilities tailored to our database.
  • GPT-4 Turbo: The most recent innovation from OpenAI, enhanced with our specialized prompts.

Guidelines for Issues:
The “Issues” section is strictly for problems directly related to the codebase. We’ve noticed an influx of non-codebase-related issues, such as feature requests or cloud provider problems. Please consult the “Help” section under the “Discussions” tab for setup-related queries. Issues not pertinent to the codebase are typically closed promptly.

Engagement in Discussions:
We strongly encourage active participation in the “Discussions” tab! It’s an excellent platform for asking questions, exchanging ideas, and seeking assistance. Chances are, others might have the same question if you have a question.

Updating Process:
To update your local Chatbot UI repository, navigate to the root directory in your terminal and execute:

npm run update

For hosted instances, you’ll also need to run:

npm run db-push

This will apply the latest migrations to your live database.

Setting Up Locally:
To set up your own instance of Chatbot UI locally, follow these steps:

  1. Clone the Repository:
git clone https://github.com/mckaywrigley/chatbot-ui.git
  1. Install Dependencies:

Navigate to the root directory of your local Chatbot UI repository and run:

npm install
  1. Install Supabase & Run Locally:

Supabase is chosen for its ease of use, open-source nature, and free tier for hosted instances. It replaces local browser storage, addressing security concerns, storage limitations, and enabling multi-modal use cases.

  • Install Docker: Necessary for running Supabase locally. Download it for free from the official site.
  • Install Supabase CLI: Use Homebrew for macOS/Linux or Scoop for Windows.
  • Start Supabase: Execute supabase start in your terminal at the root of the Chatbot UI repository.
  • Fill in Secrets: Copy the .env.local.example file to .env.local and populate it with values obtained from supabase status.
  1. Optional Local Model Installation:

For local models, follow the instructions provided for Ollama installation.

  1. Run the App Locally:

Finally, run npm run chat in your terminal. Your local instance should now be accessible at http://localhost:3000.

Setting Up a Hosted Instance:

To deploy your Chatbot UI instance in the cloud, follow the local setup steps here . Then, create a separate repository for your hosted instance and push your code to GitHub.

Set up the backend with Supabase by creating a new project and configuring authentication. Connect to the hosted database and configure the frontend with Vercel, adding necessary environment variables. Deploy, and your hosted Chatbot UI instance should be live and accessible through the Vercel-provided URL. You can read the complete GitHub repository here.

ChatGPT para Hackers y Programadores: Domina el arte del Prompt Engineering y aumenta tu productividad

Mastering Cybersecurity with ChatGPT: Harnessing AI to Empower Your Cyber CareerTable of Contents

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: HackerGPT


Feb 20 2024

Israeli Aircraft Survive “Cyber-Hijacking” Attempts

Category: Hackingdisc7 @ 8:29 am
https://www.infosecurity-magazine.com/news/israeli-aircraft-survive/

wo flights bound for Israel over the past week have suffered attempts to hijack their communications and divert the aircraft, according to local reports.

The El Al flights were both travelling from Thailand to Israel’s Ben Gurion international airport and apparently encountered “hostile elements” while flying over the Middle East.

Citing a report from national broadcaster Kan Reshet B, The Jerusalem Post claimed that hackers attempted to hijack the planes’ communications networks in order to divert them from their pre-programmed route.

No group has claimed responsibility. Although the aircraft were flying over an area in which Iranian-backed Houthis are active, sources have claimed it could be the work of a group operating from Somaliland – an unrecognized state in the Horn of Africa.

Read more on in-flight hacking: FBI Claims Hacker Made Plane Fly Sideways

Fortunately, the pilots reportedly became suspicious about the sudden change in instructions and ignored them, switching to another communications channel and double-checking their route with air traffic controllers.  

An El Al source revealed that pilots are trained to spot and mitigate such threats whilst in the air.

“The disturbances are not aimed at El Al planes and this is not a security incident,” a statement from the airline noted.

“The disruption did not affect the normal course of the flight thanks to the professionalism of the pilots who used the alternative means of communication and allowed the flight to continue on the planned route.”

The EU’s aviation safety agency EASA recently revamped its cybersecurity regulations for the sector with the release of the first Easy Access Rules (EAR) for Information Security (Part IS).

They’re designed to enforce best practice security across the industry, covering an exhaustive range of suppliers as well as airlines, airports, communication infrastructure providers and air towers.

Next Level Cybersecurity: Detect the Signals, Stop the Hack

Tags: Cyber-Hijacking


Feb 13 2024

New Azure Hacking Campaign Steals Senior Executive Accounts

Category: Hacking,Information Securitydisc7 @ 7:25 am

An ongoing campaign of cloud account takeover has affected hundreds of user accounts, including those of senior executives, and impacted dozens of Microsoft Azure environments.

Threat actors attack users with customized phishing lures inside shared documents as part of this ongoing effort.

Some documents that have been weaponized have embedded links to “View document,” which, when clicked, take users to a malicious phishing webpage to steal sensitive information and commit financial fraud.

Attackers Targeting Wide Range Of Individuals

Threat actors appear to target a broad spectrum of people with varying titles from various organizations, affecting hundreds of users worldwide.

“The affected user base encompasses a wide spectrum of positions, with frequent targets including Sales Directors, Account Managers, and Finance Managers,” Proofpoint researchers shared with Cyber Security News.

“Individuals holding executive positions such as “Vice President, Operations,” “Chief Financial Officer & Treasurer” and “President & CEO” were also among those targeted.”

Threat actors have a realistic approach, as seen by the variety of positions they have targeted, intending to compromise accounts that have varying degrees of access to important resources and responsibilities across organizational activities. 

In this campaign, researchers observed the usage of a particular Linux user agent that attackers employed during the attack chain’s access phase.

Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 

The ‘OfficeHome’ sign-in application is primarily accessed by attackers using this user-agent, along with other native Microsoft365 apps, like:

  • ‘Office365 Shell WCSS-Client’ (indicative of browser access to Office365 applications) 
  • ‘Office 365 Exchange Online’ (indicative of post-compromise mailbox abuse, data exfiltration, and email threats proliferation) 
  • ‘My Signins’ (used by attackers for MFA manipulation; for more info about this technique, see our recent Cybersecurity Stop of the Month blog) 
  • ‘My Apps’ 
  • ‘My Profile’

Attackers use their own MFA techniques to keep accessing systems permanently. Attackers choose various authentication techniques, such as registering additional phone numbers to authenticate via SMS or phone calls.

MFA manipulation events executed by attackers in a compromised cloud tenant
MFA manipulation events executed by attackers in a compromised cloud tenant

Criminals get access to and download confidential data such as user credentials, internal security protocols, and financial assets.

Mailbox access is also used to target individual user accounts with phishing threats and migrate laterally across compromised organizations.

Internal emails are sent to the impacted companies’ finance and human resources departments to commit financial fraud.

Attackers design specialized obfuscation rules to hide their activities and erase any proof of malicious activity from the inboxes of their victims.

Obfuscation mailbox rules created by attackers following successful account takeover
Obfuscation mailbox rules created by attackers following successful account takeover

“Attackers were observed employing proxy services to align the apparent geographical origin of unauthorized activities with that of targeted victims, evading geo-fencing policies,” researchers said.

Thus, in your cloud environment, be aware of account takeover (ATO) and possible illegal access to key resources. Security solutions must offer precise and prompt identification of both initial account compromise and post-compromise actions, together with insight into services and applications that have been misused.

Hacking Executive Leadership

A Leader’s Guide to Cybersecurity: Why Boards Need to Lead–and How to Do It

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Azure Hacking


Feb 03 2024

HACKING DEBIAN, UBUNTU, REDHAT& FEDORA SERVERS USING A SINGLE VULNERABILITY IN 2024

Category: Hacking,Linux Security,Security vulnerabilitiesdisc7 @ 11:47 am

The recent discovery of a significant flaw in the GNU C Library (glibc), a fundamental component of major Linux distributions, has raised serious security concerns. This flaw grants attackers root access, posing a critical threat to the security of Linux systems.

  • Vulnerability in GNU C Library (glibc): The GNU C Library, commonly known as glibc, is an essential part of Linux distributions. It provides the core libraries for the system, including those used for file handling, mathematical computations, and system calls.
  • Root Access Granted: The flaw discovered in glibc allows attackers to gain full root access to Linux machines. Root access means having complete control over the system, enabling an attacker to perform any action, including installing software, accessing all files, and modifying system configurations.

CVE ID: CVE-2023-6246

  • Description: This vulnerability is related to a dynamic memory buffer overflow and is classified as a Local Privilege Escalation (LPE) issue. It was found in glibc’s __vsyslog_internal() function, which is called by the widely-used syslog and vsyslog functions.
  • Impact: The flaw allows unprivileged attackers to gain root access on various major Linux distributions in their default configurations. This level of access can enable attackers to take complete control over the affected system.
  • Severity: Given its potential for granting root access, this vulnerability is considered highly severe.

HOW THE FLAW WORKS

  • Local Privilege Escalation: The vulnerability is a local privilege escalation (LPE) issue. This means that an attacker who already has access to the system (even with limited privileges) can exploit this flaw to gain root-level access.
  • Exploitation Requirements: To exploit this flaw, attackers need a Set-User-ID (SUID) binary. SUID is a special type of file permission that allows users to execute a program with the permissions of the file owner, which in many cases is the root user.

IMPACT AND SEVERITY

  • Widespread Impact: Given the ubiquitous use of glibc in Linux distributions, the impact of this vulnerability is widespread, affecting a vast number of systems and applications.
  • High Severity: The flaw is considered high severity due to its potential to grant attackers complete control over the affected systems.

MITIGATION AND RESPONSE

  • Disabling SUID Binaries: One suggested mitigation is to disable SUID binaries using “no new privileges” mode, which can be implemented with tools like systemd or bwrap.
  • Patch and Update: Users and administrators are urged to apply patches and updates provided by their Linux distribution as soon as they become available. Staying updated is crucial in preventing the exploitation of this vulnerability.

The discovery of the glibc flaw that grants root access to major Linux distributions is a stark reminder of the importance of system security and the need for constant vigilance. Users and administrators must take immediate action to mitigate the risk by applying patches and employing security best practices. As Linux continues to be a backbone for many systems and networks, ensuring its security is paramount for the integrity of countless applications and services.

Linux Basics for Hackers: Getting Started with Networking, Scripting, and Security in Kali

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: HACKING DEBIAN, REDHAT& FEDORA, UBUNTU


Feb 01 2024

7 hacking tools that look harmless but can do real damage

Category: Hacking,Security Toolsdisc7 @ 8:52 am

https://www.zdnet.com/article/7-hacking-tools-that-look-harmless-but-can-do-real-damage/

One of the best ways to stay safe and secure when using your computers and other electronic devices is to be aware of the risks. For the past decade, that’s precisely what I’ve been doing.

Most risks are obvious: use strong passwords, don’t download and install software from untrustworthy websites, or hand your unlocked device to a third party.

However, there are less obvious — yet equally dangerous — risks that can result in device or network intrusion, or even device destruction.

Watch out: Some of the most effective and dangerous hacking tools are hard to tell apart from benign devices. They can even be cute.

1. Flipper Zero

2. O.MG cables

3. USBKill

4. USB Nugget

5. Wi-Fi Pineapple

6. USB Rubber Ducky

7. LAN Turtle

for more details:

https://www.zdnet.com/article/7-hacking-tools-that-look-harmless-but-can-do-real-damage/

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: hacking tools


Jan 24 2024

SYSTEM HACKING, SCRIPTING, AND OTHER CONTRONYMS IN CYBERSECURITY

Category: cyber security,Hackingdisc7 @ 8:49 am

The cybersecurity field continuously generates new terms and concepts as it evolves with time. It also repurposes words to describe new concepts. There’s a never-ending flow of jargon that some refer to as an alphabet soup of complexity. From  NGAV to XDR, it appears unlikely for cybersecurity to run out of new acronyms and terminologies.

Meanwhile, some popular terms used in cybersecurity can have contradicting meanings. These are the so-called contronyms, which may add some spice to the insipidity of tech terms. Here’s a list of some famous cybersecurity words or phrases many would probably think they are already familiar with but are likely to be surprised to learn about their other meanings. 

HACKING

Most people tend to equate hacking to cybercrime, an attempt to illegally access, damage, or take over a computer system. This is not surprising given that most news articles that mention hacking use the term in its negative connotation, referring to cyber attacks aimed at bypassing access controls or security measures to prevent the unauthorized use of IT resources.

However, hacking can mean something positive or useful. In cybersecurity, system hacking can refer to an authorized effort to break existing security measures to test their effectiveness and spot weaknesses. The term often used for this action is “ethical hacking,” but hacking by itself is neither good nor bad. It’s how it is used that spells the difference.

Hacking in both its malicious and ethical instances follows the same stages. Also, they use similar techniques, from password cracking to phishing, the deployment of rootkits and trojans, exploitation of buffer overflows, privilege escalation, and the use of keyloggers. These steps and techniques are observed in attempts to exploit vulnerabilities and detect security weaknesses so that they can be plugged or resolved.

PATCHING 

In contrast to hacking, patching is often perceived as a positive term. It is mostly known as the application of a software patch to address a vulnerability or add new functions. Software publishers regularly release patches for their software in response to developments in the cyber threat landscape and to provide improvements in their software products.

Negatively, patching refers to the unauthorized modification of a software or system by taking advantage of system vulnerabilities. Cybercriminals can infiltrate or corrupt software pipelines, allowing them to send out malicious software patches to unsuspecting users. This works because many tend to excessively trust their automated software pipelines or they carelessly obtain their software updates from unofficial sources.

SNIFFING 

Among those involved in network administration, sniffing is a legitimate process that entails the tracking and analysis of network traffic. This is done to undertake a troubleshooting task, monitor network performance, or facilitate network security-related actions. It is one of the vital actions in Intrusion Detection Systems (IDS).

However, sniffing can also refer to malicious packet sniffing, wherein an attacker intercepts the packets transmitted through a network. Sniffing allows bad actors to steal login credentials and other sensitive information. It can help them gain access to online accounts or steal crucial data. Sniffing is often used as a form of cyber attack on devices that connect to the internet through public WiFi networks. 

Sniffing in the negative context is not new. It has been used as an attack for decades. Cybersecurity advocates pointed out the threat of sniffing more than a decade ago amid the proliferation of businesses that offer free public WiFi connection without strong security. 

SCRIPTING 

Scripting refers to the writing and deployment of scripts for the automation of repetitive tasks. It is used to automate routine actions, which enables the efficient management of systems. Scripting is also employed in penetration testing to simulate cyber attacks on a system. Similarly, it is used in log analysis and monitoring, day-to-day security operations, forensics and incident response, and cross-platform compatibility testing.

However, scripting can also be malicious, as used by threat actors. Cybercriminals can turn to malicious scripting to automate the execution of files that have been successfully introduced into a system. Successfully deceiving a computer user into downloading a file is not enough for the malicious file to inflict damage. Scripts are necessary to unleash the effects of malicious files and detect security vulnerabilities.

BACKDOOR 

The term backdoor is usually known for its negative implication. Most news and articles refer to backdoors in an unfavorable context. This should not come as a surprise since backdoors are often used by cybercriminals. They serve as a way to bypass normal authentication for any computer-related system, facilitating unauthorized access or the introduction of malicious files to a computer or network.

However, backdoors can be a feature intentionally added to the software. They can be deliberately put in an app to provide an optional means of access in cases when conventional access methods are unavailable. This “necessary” version of a backdoor was in the spotlight some years ago when the US FBI asked Apple to purposely build a backdoor on their iPhones. 

KILL CHAIN

The cyber kill chain is a framework developed by Lockheed Martin as part of its patented Intelligence Driven Defense model for cyber attack identification and prevention. It consists of a series of steps that represent the different stages of a cyber attack, from early reconnaissance to command and control and “actions on objectives.” This model helps organizations visualize and comprehend the different stages of an attack, focusing on critical points in the attack, developing strategies to mitigate threats, and boosting incident response capabilities.

Essentially, the kill chain is a process that is supposed to help organizations prepare for cyber attacks, successfully fend off an assault, and mitigate problems that emerge in the wake of a cyber attack. However, the phrase kill chain, in colloquial use, may refer to a successful cyber attack.

AN EXERCISE IN CYBERSECURITY JARGON COMPLEXITY

It may sound confusing, but contronyms exist everywhere. Interestingly, these words still make sense despite the auto-contradiction. In cybersecurity, contronyms reflect the complexity and flexibility of language, showing how words can change in meaning depending on their context and usage.

Isn’t it counterintuitive for cybersecurity terms to bear contradicting meanings? Possibly. However, what is ultimately important is the understanding that cybersecurity terms are far from straightforward. It is a must to properly get acquainted with them to understand what they really mean, especially with the rise of a plethora of acronyms and jargon introduced by security solution providers. Many of which tend to be marketing-speak or misnomers.

The Language of Cybersecurity

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: CONTRONYMS, The Language of Cybersecurity


Jan 23 2024

North Korean Weaponize Fake Research

Category: Backdoor,Hackingdisc7 @ 8:26 am

North Korean Hackers Weaponize Fake Research to Deliver RokRAT Backdoor

Media organizations and high-profile experts in North Korean affairs have been at the receiving end of a new campaign orchestrated by a threat actor known as ScarCruft in December 2023.

“ScarCruft has been experimenting with new infection chains, including the use of a technical threat research report as a decoy, likely targeting consumers of threat intelligence like cybersecurity professionals,” SentinelOne researchers Aleksandar Milenkoski and Tom Hegel said in a report shared with The Hacker News.

The North Korea-linked adversary, also known by the name APT37, InkySquid, RedEyes, Ricochet Chollima, and Ruby Sleet, is assessed to be part of the Ministry of State Security (MSS), placing it apart from Lazarus Group and Kimsuky, which are elements within the Reconnaissance General Bureau (RGB).

Earlier this week, North Korean state media reported that the country had carried out a test of its “underwater nuclear weapons system” in response to drills by the U.S., South Korea, and Japan, describing the exercises as a threat to its national security.

The latest attack chain observed by SentinelOne targeted an expert in North Korean affairs by posing as a member of the North Korea Research Institute, urging the recipient to open a ZIP archive file containing presentation materials.

While seven of the nine files in the archive are benign, two of them are malicious Windows shortcut (LNK) files, mirroring a multi-stage infection sequence previously disclosed by Check Point in May 2023 to distribute the RokRAT backdoor.

There is evidence to suggest that some of the individuals who were targeted around December 13, 2023, were also previously singled out a month prior on November 16, 2023.

SentinelOne said its investigation also uncovered malware – two LNK files (“inteligence.lnk” and “news.lnk”) as well as shellcode variants delivering RokRAT – that’s said to be part of the threat actor’s planning and testing processes.

While the former shortcut file just opens the legitimate Notepad application, the shellcode executed via news.lnk paves the way for the deployment of RokRAT, although this infection procedure is yet to be observed in the wild, indicating its likely use for future campaigns.

Both LNK files have been observed deploying the same decoy document, a legitimate threat intelligence report about the Kimsuky threat group published by South Korean cybersecurity company Genians in late October 2023, in a move that implies an attempt to expand its target list.

This has raised the possibility that the adversary could be looking to gather information that could help it refine its operational playbook and also target or mimic cybersecurity professionals to infiltrate specific targets via brand impersonation techniques.

The development is a sign that the nation-state hacking crew is actively tweaking its modus operandi in an apparent effort to circumvent detection in response to public disclosure about its tactics and techniques.

“ScarCruft remains committed to acquiring strategic intelligence and possibly intends to gain insights into non-public cyber threat intelligence and defense strategies,” the researchers said.

“This enables the adversary to gain a better understanding of how the international community perceives developments in North Korea, thereby contributing to North Korea’s decision-making processes.”

source: https://thehackernews.com/2024/01/north-korean-hackers-weaponize-fake.html

The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: RokRAT Backdoor, The Hacker and the State


Jan 08 2024

11 WAYS OF HACKING INTO CHATGPT LIKE GENERATIVE AI SYSTEMS

Category: ChatGPT,Hackingdisc7 @ 9:41 pm

In the rapidly evolving landscape of artificial intelligence, generative AI systems have become a cornerstone of innovation, driving advancements in fields ranging from language processing to creative content generation. However, a recent report by the National Institute of Standards and Technology (NIST) sheds light on the increasing vulnerability of these systems to a range of sophisticated cyber attacks. The report, provides a comprehensive taxonomy of attacks targeting Generative AI (GenAI) systems, revealing the intricate ways in which these technologies can be exploited. The findings are particularly relevant as AI continues to integrate deeper into various sectors, raising concerns about the integrity and privacy implications of these systems.

INTEGRITY ATTACKS: A THREAT TO AI’S CORE

Integrity attacks affecting Generative AI systems are a type of security threat where the goal is to manipulate or corrupt the functioning of the AI system. These attacks can have significant implications, especially as Generative AI systems are increasingly used in various fields. Here are some key aspects of integrity attacks on Generative AI systems:

  1. Data Poisoning:
    • Detail: This attack targets the training phase of an AI model. Attackers inject false or misleading data into the training set, which can subtly or significantly alter the model’s learning. This can result in a model that generates biased or incorrect outputs.
    • Example: Consider a facial recognition system being trained with a dataset that has been poisoned with subtly altered images. These images might contain small, imperceptible changes that cause the system to incorrectly recognize certain faces or objects.
  2. Model Tampering:
    • Detail: In this attack, the internal parameters or architecture of the AI model are altered. This could be done by an insider with access to the model or by exploiting a vulnerability in the system.
    • Example: An attacker could alter the weightings in a sentiment analysis model, causing it to interpret negative sentiments as positive, which could be particularly damaging in contexts like customer feedback analysis.
  3. Output Manipulation:
    • Detail: This occurs post-processing, where the AI’s output is intercepted and altered before it reaches the end-user. This can be done without directly tampering with the AI model itself.
    • Example: If a Generative AI system is used to generate financial reports, an attacker could intercept and manipulate the output to show incorrect financial health, affecting stock prices or investor decisions.
  4. Adversarial Attacks:
    • Detail: These attacks use inputs that are specifically designed to confuse the AI model. These inputs are often indistinguishable from normal inputs to the human eye but cause the AI to make errors.
    • Example: A stop sign with subtle stickers or graffiti might be recognized as a speed limit sign by an autonomous vehicle’s AI system, leading to potential traffic violations or accidents.
  5. Backdoor Attacks:
    • Detail: A backdoor is embedded into the AI model during its training. This backdoor is activated by certain inputs, causing the model to behave unexpectedly or maliciously.
    • Example: A language translation model could have a backdoor that, when triggered by a specific phrase, starts inserting or altering words in a translation, potentially changing the message’s meaning.
  6. Exploitation of Biases:
    • Detail: This attack leverages existing biases within the AI model. AI systems can inherit biases from their training data, and these biases can be exploited to produce skewed or harmful outputs.
    • Example: If an AI model used for resume screening has an inherent gender bias, attackers can submit resumes that are tailored to exploit this bias, increasing the likelihood of certain candidates being selected or rejected unfairly.
  7. Evasion Attacks:
    • Detail: In this scenario, the input data is manipulated in such a way that the AI system fails to recognize it as something it is trained to detect or categorize correctly.
    • Example: Malware could be designed to evade detection by an AI-powered security system by altering its code signature slightly, making it appear benign to the system while still carrying out malicious functions.


PRIVACY ATTACKS ON GENERATIVE AI

Privacy attacks on Generative AI systems are a serious concern, especially given the increasing use of these systems in handling sensitive data. These attacks aim to compromise the confidentiality and privacy of the data used by or generated from these systems. Here are some common types of privacy attacks, explained in detail with examples:

  1. Model Inversion Attacks:
    • Detail: In this type of attack, the attacker tries to reconstruct the input data from the model’s output. This is particularly concerning if the AI model outputs something that indirectly reveals sensitive information about the input data.
    • Example: Consider a facial recognition system that outputs the likelihood of certain attributes (like age or ethnicity). An attacker could use this output information to reconstruct the faces of individuals in the training data, thereby invading their privacy.
  2. Membership Inference Attacks:
    • Detail: These attacks aim to determine whether a particular data record was used in the training dataset of a machine learning model. This can be a privacy concern if the training data contains sensitive information.
    • Example: An attacker might test an AI health diagnostic tool with specific patient data. If the model’s predictions are unusually accurate or certain, it might indicate that the patient’s data was part of the training set, potentially revealing sensitive health information.
  3. Training Data Extraction:
    • Detail: Here, the attacker aims to extract actual data points from the training dataset of the AI model. This can be achieved by analyzing the model’s responses to various inputs.
    • Example: An attacker could interact with a language model trained on confidential documents and, through carefully crafted queries, could cause the model to regurgitate snippets of these confidential texts.
  4. Reconstruction Attacks:
    • Detail: Similar to model inversion, this attack focuses on reconstructing the input data, often in a detailed and high-fidelity manner. This is particularly feasible in models that retain a lot of information about their training data.
    • Example: In a generative model trained to produce images based on descriptions, an attacker might find a way to input specific prompts that cause the model to generate images closely resembling those in the training set, potentially revealing private or sensitive imagery.
  5. Property Inference Attacks:
    • Detail: These attacks aim to infer properties or characteristics of the training data that the model was not intended to reveal. This could expose sensitive attributes or trends in the data.
    • Example: An attacker might analyze the output of a model used for employee performance evaluations to infer unprotected characteristics of the employees (like gender or race), which could be used for discriminatory purposes.
  6. Model Stealing or Extraction:
    • Detail: In this case, the attacker aims to replicate the functionality of a proprietary AI model. By querying the model extensively and observing its outputs, the attacker can create a similar model without access to the original training data.
    • Example: A competitor could use the public API of a machine learning model to systematically query it and use the responses to train a new model that mimics the original, effectively stealing the intellectual property.

SEGMENTING ATTACKS

Attacks on AI systems, including ChatGPT and other generative AI models, can be further categorized based on the stage of the learning process they target (training or inference) and the attacker’s knowledge and access level (white-box or black-box). Here’s a breakdown:

BY LEARNING STAGE:

  1. Attacks during Training Phase:
    • Data Poisoning: Injecting malicious data into the training set to compromise the model’s learning process.
    • Backdoor Attacks: Embedding hidden functionalities in the model during training that can be activated by specific inputs.
  2. Attacks during Inference Phase:
    • Adversarial Attacks: Presenting misleading inputs to trick the model into making errors during its operation.
    • Model Inversion and Reconstruction Attacks: Attempting to infer or reconstruct input data from the model’s outputs.
    • Membership Inference Attacks: Determining whether specific data was used in the training set by observing the model’s behavior.
    • Property Inference Attacks: Inferring properties of the training data not intended to be disclosed.
    • Output Manipulation: Altering the model’s output after it has been generated but before it reaches the intended recipient.

BY ATTACKER’S KNOWLEDGE AND ACCESS:

  1. White-Box Attacks (Attacker has full knowledge and access):
    • Model Tampering: Directly altering the model’s parameters or structure.
    • Backdoor Attacks: Implanting a backdoor during the model’s development, which the attacker can later exploit.
    • These attacks require deep knowledge of the model’s architecture, parameters, and potentially access to the training process.
  2. Black-Box Attacks (Attacker has limited or no knowledge and access):
    • Adversarial Attacks: Creating input samples designed to be misclassified or misinterpreted by the model.
    • Model Inversion and Reconstruction Attacks: These do not require knowledge of the model’s internal workings.
    • Membership and Property Inference Attacks: Based on the model’s output to certain inputs, without knowledge of its internal structure.
    • Training Data Extraction: Extracting information about the training data through extensive interaction with the model.
    • Model Stealing or Extraction: Replicating the model’s functionality by observing its inputs and outputs.

IMPLICATIONS:

  • Training Phase Attacks often require insider access or a significant breach in the data pipeline, making them less common but potentially more devastating.
  • Inference Phase Attacks are more accessible to external attackers as they can often be executed with minimal access to the model.
  • White-Box Attacks are typically more sophisticated and require a higher level of access and knowledge, often limited to insiders or through major security breaches.
  • Black-Box Attacks are more common in real-world scenarios, as they can be executed with limited knowledge about the model and without direct access to its internals.

Understanding these categories helps in devising targeted defense strategies for each type of attack, depending on the specific vulnerabilities and operational stages of the AI system.

HACKING CHATGPT

The ChatGPT AI model, like any advanced machine learning system, is potentially vulnerable to various attacks, including privacy and integrity attacks. Let’s explore how these attacks could be or have been used against ChatGPT, focusing on the privacy attacks mentioned earlier:

  1. Model Inversion Attacks:
    • Potential Use Against ChatGPT: An attacker might attempt to use ChatGPT’s responses to infer details about the data it was trained on. For example, if ChatGPT consistently provides detailed and accurate information about a specific, less-known topic, it could indicate the presence of substantial training data on that topic, potentially revealing the nature of the data sources used.
  2. Membership Inference Attacks:
    • Potential Use Against ChatGPT: This type of attack could try to determine if a particular text or type of text was part of ChatGPT’s training data. By analyzing the model’s responses to specific queries, an attacker might guess whether certain data was included in the training set, which could be a concern if the training data included sensitive or private information.
  3. Training Data Extraction:
    • Potential Use Against ChatGPT: Since ChatGPT generates text based on patterns learned from its training data, there’s a theoretical risk that an attacker could manipulate the model to output segments of text that closely resemble or replicate parts of its training data. This is particularly sensitive if the training data contained confidential or proprietary information.
  4. Reconstruction Attacks:
    • Potential Use Against ChatGPT: Similar to model inversion, attackers might try to reconstruct input data (like specific text examples) that the model was trained on, based on the information the model provides in its outputs. However, given the vast and diverse dataset ChatGPT is trained on, reconstructing specific training data can be challenging.
  5. Property Inference Attacks:
    • Potential Use Against ChatGPT: Attackers could analyze responses from ChatGPT to infer properties about its training data that aren’t explicitly modeled. For instance, if the model shows biases or tendencies in certain responses, it might reveal unintended information about the composition or nature of the training data.
  6. Model Stealing or Extraction:
    • Potential Use Against ChatGPT: This involves querying ChatGPT extensively to understand its underlying mechanisms and then using this information to create a similar model. Such an attack would be an attempt to replicate ChatGPT’s capabilities without access to the original model or training data.


Integrity attacks on AI models like ChatGPT aim to compromise the accuracy and reliability of the model’s outputs. Let’s examine how these attacks could be or have been used against the ChatGPT model, categorized by the learning stage and attacker’s knowledge:

ATTACKS DURING TRAINING PHASE (WHITE-BOX):

  • Data Poisoning: If an attacker gains access to the training pipeline, they could introduce malicious data into ChatGPT’s training set. This could skew the model’s understanding and responses, leading it to generate biased, incorrect, or harmful content.
  • Backdoor Attacks: An insider or someone with access to the training process could implant a backdoor into ChatGPT. This backdoor might trigger specific responses when certain inputs are detected, which could be used to spread misinformation or other harmful content.

ATTACKS DURING INFERENCE PHASE (BLACK-BOX):

  • Adversarial Attacks: These involve presenting ChatGPT with specially crafted inputs that cause it to produce erroneous outputs. For instance, an attacker could find a way to phrase questions or prompts that consistently mislead the model into giving incorrect or nonsensical answers.
  • Output Manipulation: This would involve intercepting and altering ChatGPT’s responses after they are generated but before they reach the user. While this is more of an attack on the communication channel rather than the model itself, it can still undermine the integrity of ChatGPT’s outputs.

IMPLICATIONS AND DEFENSE STRATEGIES:

  • During Training: Ensuring the security and integrity of the training data and process is crucial. Regular audits, anomaly detection, and secure data handling practices are essential to mitigate these risks.
  • During Inference: Robust model design to resist adversarial inputs, continuous monitoring of responses, and secure deployment architectures can help in defending against these attacks.

REAL-WORLD EXAMPLES AND CONCERNS:

  • To date, there haven’t been publicly disclosed instances of successful integrity attacks specifically against ChatGPT. However, the potential for such attacks exists, as demonstrated in academic and industry research on AI vulnerabilities.
  • OpenAI, the creator of ChatGPT, employs various countermeasures like input sanitization, monitoring model outputs, and continuously updating the model to address new threats and vulnerabilities.

In conclusion, while integrity attacks pose a significant threat to AI models like ChatGPT, a combination of proactive defense strategies and ongoing vigilance is key to mitigating these risks.

While these attack types broadly apply to all generative AI systems, the report notes that some vulnerabilities are particularly pertinent to specific AI architectures, like Large Language Models (LLMs) and Retrieval Augmented Generation (RAG) systems. These models, which are at the forefront of natural language processing, are susceptible to unique threats due to their complex data processing and generation capabilities.

The implications of these vulnerabilities are vast and varied, affecting industries from healthcare to finance, and even national security. As AI systems become more integrated into critical infrastructure and everyday applications, the need for robust cybersecurity measures becomes increasingly urgent.

The NIST report serves as a clarion call for the AI industry, cybersecurity professionals, and policymakers to prioritize the development of stronger defense mechanisms against these emerging threats. This includes not only technological solutions but also regulatory frameworks and ethical guidelines to govern the use of AI.

In conclusion, the report is a timely reminder of the double-edged nature of AI technology. While it offers immense potential for progress and innovation, it also brings with it new challenges and threats that must be addressed with vigilance and foresight. As we continue to push the boundaries of what AI can achieve, ensuring the security and integrity of these systems remains a paramount concern for a future where technology and humanity can coexist in harmony.

ChatGPT FOR CYBERSECUITY: The Ultimate Weapon Against Hackers


Jan 02 2024

Hackers Attack UK’s Nuclear Waste Services Through LinkedIn

Category: Cyber Attack,Hackingdisc7 @ 10:48 am

Fortunately for Radioactive Waste Management (RWM), the first-of-its-kind hacker attack on the project was unsuccessful.

The United Kingdom’s Radioactive Waste Management (RWM) company overseeing the nation’s radioactive waste has revealed a recent cyberattack attempt through LinkedIn. While the attack was reportedly unsuccessful, it has raised eyebrows in the nuclear sector, sparking concerns about the security of critical nuclear infrastructure.

As reported by The Guardian, the hackers directed their attack at the company through LinkedIn. However, whether it was a phishing attack or an attempt to trick employees into installing malware on the system, the modus operandi remains unknown.

Typically, LinkedIn is exploited for phishing scams targeting employees of specific companies. An example from last year involves ESET researchers reporting a cyberespionage campaign by North Korean government-backed hackers from the Lazarus group. The campaign specifically targeted employees at a Spanish aerospace firm.

The RWM is spearheading the £50bn Geological Disposal Facility (GDF) project, aimed at constructing a substantial underground nuclear waste repository in Britain. As a government-owned entity, RWM facilitated the merger of three nuclear bodies—the GDF project, the Low-Level Waste Repository, and another waste management entity—to establish Nuclear Waste Services (NWS).

“NWS has seen, like many other UK businesses, that LinkedIn has been used as a source to identify the people who work within our business. These attempts were detected and denied through our multi-layered defences,” stated an NWS spokesperson.

However, the incident raises concerns, as experts warn that social media platforms such as LinkedIn are becoming preferred playgrounds for hackers. These platforms provide multiple avenues for infiltration, including the creation of fake accounts, phishing messages, and direct credential theft.

The FBI’s special agent in charge of the San Francisco and Sacramento field offices, Sean Ragan, has emphasized the ‘significant threat’ of fraudsters exploiting LinkedIn to lure users into cryptocurrency investment schemes, citing numerous potential victims and past and current cases.

In October 2023, email security firm Cofense discovered a phishing campaign abusing Smart Links, part of the LinkedIn Sales Navigator and Enterprise service, to send authentic-looking emails, steal payment data, and bypass email protection mechanisms.

In November 2023, a LinkedIn database containing over 35 million users’ personal information was leaked by a hacker named USDoD, who previously breached the FBI’s InfraGard platform. The database was obtained through web scraping, an automated process to extract data from websites.

Social engineering attacks, such as deceptive emails and malicious links, offer hackers a gateway to sensitive information. LinkedIn has taken steps to warn users about potential scams and provide resources for staying safe online. Still, concerns about digital security remain prevalent in the nuclear industry, especially after the Guardian exposé of cybersecurity vulnerabilities at the Sellafield plant. 

In 2023, the Sellafield nuclear site in Cumbria experienced cybersecurity issues, indicating a need for improved safeguards and tighter regulations. The RWM incident highlights the growing interest of cybercrime syndicates to target nuclear sites.

The NWS acknowledges the need for continuous improvement to strengthen cybersecurity measures, highlighting that emergency response plans must match evolving business needs.

Cyber Threats and Nuclear Weapons

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Cyber Threats and Nuclear Weapons, UK’s Nuclear Waste Services


Dec 18 2023

8220 Hacker Group Attacking Windows & Linux Web Servers

Category: Cyber Attack,Hacking,Linux Security,Windows Securitydisc7 @ 1:40 pm

The 8220 hacker group, which was first identified in 2017 by Cisco Talos, is exploiting both Windows and Linux web servers with crypto-jacking malware. One of their recent activities involved the exploitation of Oracle WebLogic vulnerability (CVE-2017-3506) and Log4Shell (CVE-2021-44228).

However, the history of this threat group had several exploited vulnerabilities such as Confluence, Log4j, Drupal, Hadoop YARN, and Apache Struts2 applications. Their TTPs are evolved with different publicly released exploits.

8220 Hacker Group

In addition to this, the group was also discovered to be exploiting (CVE-2020-14883), a Remote code execution vulnerability in Oracle WebLogic Server. This exploitation chain is combined with another authentication bypass vulnerability (CVE-2020-14882) in the Oracle WebLogic server.

The exploitation methods of these two vulnerabilities are publicly available, making it relatively easy for the threat actor to modify and exploit them for malicious purposes. 

Two different exploit chains were discovered, and one of them enables the loading of an XML file used for further phases of execution of commands on the OS, whereas the other one executes Java code without the use of an XML file.

Infection Chains

The first infection chain uses different XML files that depend on the target OS. In the case of Linux, the downloading of other files is performed via cURL, wget, lwp-download, and python urllib along with a custom bash function that encodes it to base64.

Custom bash function (Source: Imperva)

The method injects a Java code which also initially evaluates the OS and executes the same command strings executed in the first method. Once the download and execution process takes place, the compromised hosts are infected with AgentTesla, rhajk, and nasqa malware variants.

complete report has been published, which provides detailed information about the exploitation, command used, encoding, and other information.

Indicators Of Compromise

URL

URL

Source IPs

Source IPs
Malicious File Hashes

Common Windows, Linux and Web Server Systems Hacking Techniques

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Windows & Linux Web Servers


Dec 14 2023

BYPASSING PFSENSE FIREWALL AND HACKING INTO APPLICATION SERVER AND FIREWALL ITSELF

Category: Firewall,Hackingdisc7 @ 9:22 am

New findings in cybersecurity research have brought to light a severe vulnerability affecting more than 1,450 pfSense servers. This flaw puts them at risk of potential remote code execution (RCE) attacks, resulting from a combination of command injection and cross-site scripting weaknesses. This poses a substantial threat to the security of these extensively utilized network appliances.

Key Findings and Concerns:

  1. Vulnerabilities in pfSense CE: The vulnerabilities were identified in pfSense CE (Community Edition) version 2.7.0. Researchers discovered two critical flaws that, when exploited in tandem, could lead to remote code execution attacks, allowing attackers to gain control over the affected systems.
    • Dual Vulnerabilities Identified(CVE-2023-42325) (CVE-2023-42327)The research uncovered two distinct but related vulnerabilities in pfSense CE 2.7.0. These include a command injection flaw and a cross-site scripting (XSS) vulnerability. When exploited in combination, these vulnerabilities can lead to remote code execution (RCE) attacks.
    • Command Injection Flaw(CVE-2023-42326):: The command injection vulnerability allows an attacker to execute arbitrary commands on the system. This type of vulnerability is particularly dangerous as it can give attackers the same level of access to the system as the user running the vulnerable service.
    • Cross-Site Scripting (XSS) Vulnerability: The XSS vulnerability in pfSense CE can be exploited to run malicious scripts in the context of the user’s browser session. This can lead to a variety of malicious activities, including stealing session cookies, which can compromise the user’s session.
    • Remote Code Execution (RCE) Risk: The combination of these vulnerabilities creates a pathway for remote code execution. This means an attacker could potentially take full control of the pfSense device, leading to severe security breaches, including data theft, unauthorized network access, and disruption of services.
    • Exploitation Potential: The ease of exploitation of these vulnerabilities adds to the severity of the issue. Attackers with knowledge of these vulnerabilities can exploit them without needing sophisticated skills, making it a pressing concern for all pfSense CE users.
    • Patch Availability: Netgate, the company behind pfSense, has released patches to address these vulnerabilities. It is crucial for users and administrators to apply these updates as soon as possible to mitigate the risks associated with these security flaws.
    • Widespread Impact: Given the popularity of pfSense as a firewall and router solution, especially among small to medium-sized enterprises, the impact of these vulnerabilities is potentially widespread, affecting a large number of users and networks.
  2. Exposure of pfSense Instances: Investigations have revealed that around 1,450 pfSense instances, accessible online, are vulnerable to the identified security flaws. This number indicates a substantial portion of the pfSense user base that could be at risk. The fact that these pfSense instances are exposed online exacerbates the risk. Being accessible over the internet makes them potential targets for remote attackers who can exploit the vulnerabilities without needing physical access to the network. The combination of command injection and cross-site scripting vulnerabilities in these instances creates a potential for remote code execution (RCE). This means that an attacker could remotely execute arbitrary code on the affected pfSense device, leading to complete system compromise.
  3. Nature of the Security Flaws: The vulnerabilities involve dangerous command injection and cross-site scripting (XSS) flaws. These types of vulnerabilities are particularly alarming because they can be exploited to run malicious scripts or commands, leading to a full compromise of the server.
  4. Patch Management Lag: Despite the availability of patches released by Netgate, the company behind pfSense, a significant number of instances remain unpatched and vulnerable. This delay in applying critical updates leaves these systems exposed to potential cyber attacks.
  5. The Criticality of Timely Updates: This situation highlights the crucial importance of regular system updates and patch management in the realm of cybersecurity. Systems running outdated or unpatched software are often prime targets for cybercriminals looking to exploit known vulnerabilities.
  6. Potential Impact of Exploitation: If these vulnerabilities are exploited, the consequences could be severe. They range from unauthorized access to sensitive data and disruption of network services to the potential for widespread malware infection.
  7. Urgent Call to Action: Administrators and users of pfSense servers are strongly advised to update their systems to the latest version immediately. This action is necessary to mitigate these vulnerabilities and protect against potential exploitation by malicious actors.

The revelation of these vulnerabilities in pfSense servers serves as a stark reminder of the ever-present and evolving nature of cybersecurity threats. It underscores the need for constant vigilance, regular system updates, and robust security protocols to safeguard digital infrastructures.

Hacking: Hacking Firewalls & Bypassing Honeypots

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Hacking Firewalls, PFSENSE FIREWALL


Dec 08 2023

TA422 Hackers Attack Organizations Using Outlook & WinRAR Vulnerabilities

Category: Hacking,Security vulnerabilitiesdisc7 @ 11:18 am

Hackers exploit Outlook and WinRAR vulnerabilities because these widely used software programs are lucrative targets. 

Outlook vulnerabilities offer:-

  • Access to sensitive emails 
  • Access to sensitive information

WinRAR vulnerabilities provide an entry point to manipulate compressed files, potentially executing malicious code on a victim’s system.

Cybersecurity researchers at Proofpoint recently discovered that the TA422 APT Group is actively exploiting the Outlook and WinRAR vulnerabilities to attack organizations.

Exploiting Of Patched Vulnerabilities

Since March 2023, Proofpoint found Russian APT TA422 using patched vulnerabilities to target Europe and North America. The TA422 APT group is linked to the following groups and tied to the Russian GRU by the US Intelligence Community:-

While engaging in typical targeted actions, TA422 showed an unexpected surge in emails exploiting CVE-2023-23397, a Microsoft Outlook vulnerability, sending over 10,000 emails to diverse sectors. 

Besides this, the operators of the TA422 APT group also exploited a WinRAR vulnerability, CVE-2023-38831, in their campaigns.

TA422 launched massive campaigns in March 2023, exploiting CVE-2023-23397 against targets in:-

  • Europe
  • North America

Earlier, they targeted Ukrainian entities in April 2022 using the same exploit. Proofpoint noticed a significant surge in activity, with over 10,000 attempts to exploit a Microsoft Outlook vulnerability during late summer 2023. 

It’s unclear if this was a mistake or a deliberate effort to gather target credentials. TA422 re-targeted higher education and manufacturing users, suggesting these entities are priority targets. 

In the late summer campaign, TA422 used an appointment attachment with a fake file extension, leading to an SMB listener on a compromised Ubiquiti router. 

This router acted as an NTLM listener, recording inbound credential hashes without extensive network engagement when Outlook processed the attachment.

Late summer 2023 sample of TA422 phishing email. (Source – Proofpoint)

Proofpoint’s tracking of Portugalmail addresses revealed more TA422 activity. In September 2023, TA422 exploited WinRAR vulnerability CVE-2023-32231 in two campaigns, using different Portugalmail addresses and spoofing geopolitical entities. 

Emails with BRICS Summit and European Parliament meeting subjects contained RAR attachments dropping a .cmd file. 

The file modified proxy settings downloaded a lure document, and connected to an IP-literal Responder server. The server, likely a compromised Fortigate FortiOS Firewall, initiated the NTLM credential exchange.

Lure document from the September 1, 2023 campaign. (Source – Proofpoint)

Between September and November 2023, Proofpoint tracked TA422 campaigns using Portugalmail and Mockbin for redirection.

Mockbin campaign lure documents. (Source – Proofpoint)

Targeting government and defense sectors, TA422 employed Mockbin to lead victims to InfinityFree domains. After browser fingerprinting, victims were directed to InfinityFree, initiating a chain of activity.

Despite the exploitation of disclosed vulnerabilities like CVE-2023-23397 and CVE-2023-38831, TA422 persists, likely relying on unpatched systems for continued success.

IOCs

IOCs (Source – Proofpoint)

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Outlook Vulnerabilities, WinRAR Vulnerabilities


Dec 05 2023

Hackers Use Weaponized Documents To Attack U.S. Aerospace Industry

Category: Cyberweapon,Cyberweapons,Hackingdisc7 @ 12:33 pm

An American aerospace company has been the target of a commercial cyberespionage campaign dubbed AeroBlade, which appears to be aimed at carrying out both competitive and commercial cyberespionage.

The threat actor employed spear-phishing as the means of distribution mechanism.

A weaponized document that was delivered as an email attachment reportedly has a malicious VBA macro code embedded in it as well as a remote template injection mechanism to provide the next stage of the payload execution, according to the BlackBerry Threat Research and Intelligence team.

AeroBlade Execution Chain

The network infrastructure and weaponization of the attacker appear to have gone active around September 2022, based on the evidence. 

Researchers estimate that the attack’s offensive phase took place in July 2023 with medium to high confidence. The network infrastructure stayed the same during that period, but the attacker’s toolset increased, making it stealthier.

There were two campaigns found, and there were a few similarities between them, such as:

  • Both lure documents were named “[redacted].docx.”
  • The final payload is a reverse shell.
  • The command-and-control (C2) server IP address is the same.

There were a few differences between the two campaigns, such as:

  • The final payload of the attack is stealthier and uses more obfuscation and anti-analysis techniques.
  • The campaign’s final payload includes an option to list directories from infected victims.
https://blogs.blackberry.com/content/dam/blogs-blackberry-com/images/blogs/2023/11/aeroblade-fig01.png
AeroBlade execution chain

A targeted email containing a malicious document attachment with the filename [redacted].docx is the first sign of an infection.

When the document is opened, it shows text in a purposefully jumbled font and a “lure” message requesting that the potential victim click on it to activate the content in Microsoft Office.

https://blogs.blackberry.com/content/dam/blogs-blackberry-com/images/blogs/2023/11/aeroblade-fig02.png
Malicious document displays text in a scrambled font

The next-stage information is saved in an XML (eXtensible Markup Language) file inside a .dotm file. A.dotm file is a Microsoft Word document template that contains the default layout, settings, and macros for a document.

When the victim manually clicks the “Enable Content” lure message and opens the file, the [redacted].dotm document drops a new file to the system and opens it.

“The newly downloaded document is readable, leading the victim to believe that the file initially received by email is legitimate. In fact, it’s a classic cyber bait-and-switch, performed invisibly right under the victim’s nose”, researchers said.

An executable file that is run on the system via the macro will be the final stage of execution. The final payload is a DLL that connects to a hard-coded C2 server and functions as a reverse shell.  With the use of reverse shells, attackers can force communication and gain total control of the target machine by open ports.

https://blogs.blackberry.com/content/dam/blogs-blackberry-com/images/blogs/2023/11/aeroblade-fig14.png
Example of information collected from infected system

An American aerospace organization was the targeted target of both campaigns, based on the content of the lure message. Its goal was probably to obtain insight into its target’s internal resources to assess its vulnerability to a potential ransom demand.

The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Cyber weapon


Nov 10 2023


Russian Hackers Hijacked Power Station Circuit Breakers Using LotL Technique

Category: Hacking,Information Securitydisc7 @ 11:10 am

In a recent and alarming development, the notorious Russia-linked threat actor Sandworm executed a sophisticated cyber-physical attack targeting a critical infrastructure organization in Ukraine. 

The incident, responded to by cybersecurity firm Mandiant, unfolded as a multi-event assault, showcasing a novel technique to impact Industrial control systems (ICS) and operational technology (OT).

Unraveling Russia’s Cyber-Physical Capabilities

The attack, spanning from June to October 2022, demonstrated a significant evolution in Russia’s cyber-physical attack capabilities, notably visible since the invasion of Ukraine. 

Sandworm, known for its allegiance to Russia’s Main Intelligence Directorate (GRU), has historically focused on disruptive and destructive campaigns, particularly in Ukraine.

The unique aspect of this attack involved Sandworm’s utilization of living-off-the-land (LotL) techniques at the OT level, initially causing an unplanned power outage in conjunction with missile strikes across Ukraine. 

The threat actor further demonstrated its adaptability by deploying a new variant of the CADDYWIPER malware in the victim’s IT environment.

Mandiant’s analysis revealed the complexity of the attack, highlighting Sandworm’s ability to recognize novel OT threat vectors, develop new capabilities, and exploit various OT infrastructures. 

The threat actor’s deployment of LotL techniques indicated a streamlined approach, reducing the time and resources required for the cyber-physical assault.

Concerns Over Sandworm’s Adaptive Capabilities

Despite being unable to pinpoint the initial intrusion point, Mandiant suggested that the OT component of the attack may have been developed in as little as two months. 

This raises concerns about Sandworm’s capability to rapidly adapt and deploy similar attacks against diverse OT systems worldwide.

Sandworm’s global threat activity, coupled with its novel OT capabilities, prompted a call to action for OT asset owners worldwide. 

Mandiant provided detailed guidance, including detection methods, hunting strategies, and recommendations for hardening systems against such threats.

The attack’s timing, coinciding with Russian kinetic operations, suggested a strategic synchronization, indicating that the threat actor may have been waiting for a specific moment to deploy its capabilities. 

As observed in this incident, the evolution of Sandworm’s tactics offers insights into Russia’s ongoing investment in OT-oriented offensive cyber capabilities.

In conclusion, this Sandworm attack serves as a stark reminder of the escalating cyber threats faced by critical infrastructure globally. 

The continuous evolution of cyber adversaries necessitates a proactive approach from governments, organizations, and asset owners to secure and safeguard vital systems against such sophisticated attacks.

Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Power station, Sandworm


Nov 01 2023

Hackers Deliver Malicious DLL Files Chained With Legitimate EXE Files

Category: Hacking,Information Securitydisc7 @ 9:31 am

Hackers opt for DLL hijacking as a technique to exploit vulnerable applications because it allows them to load malicious code by tricking a legitimate application into loading a malicious DLL.

This can give them unauthorized access and control over a system or application, enabling various types of attacks like:- 

  • Privilege escalation
  • Data theft
  • System compromise

An active threat involves an Infostealer distributing a legitimate EXE file alongside a hidden malicious DLL in the same directory.

The legitimate EXE runs the malicious DLL, a technique known as DLL hijacking, commonly used for malware distribution.

Malicious DLL With Legitimate EXE Files

Malware posing as software cracks is growing at a rapid pace and is getting distributed by the threat actors using DLL hijacking.

Users searching for cracked software leads to malicious sites, and the downloads are encrypted RAR files with passwords.

Running EXE infects the system, and they often have valid signatures, so always be cautious with cracked software, reads the ASEC report.

Distribution of the malware via webpages (Source - ASEC)
Distribution of the malware via webpages (Source – ASEC)

Malicious DLLs tweak part of legitimate DLLs as they decrypt and run data from a nearby file. Hiding data this way avoids altering DLL appearance, reducing detection risk.

For malware to work, the following elements are required to be placed in the same folder:-

  • Data
  • EXE
  • Modified DLL

Unzipping the password-protected file with the code “2023” gives you the following files:-

Contents of compressed file (Source - ASEC)
Contents of compressed file (Source – ASEC)

The following two files are genuine VLC files with valid signatures:-

  • Setup.exe
  • libvlc.dll

The “libvlccore.dll” is altered and lacks a matching signature, due to which the extra directories like demux and lua serve to mask its malicious nature.

Running ‘Setup.exe’ activates ‘libvlccore.dll,’ triggering a modified function that reads and decrypts ‘ironwork.tiff’ in the same folder. This file holds code info. disguised as a PNG.

It loads “pla.dll” from SysWow64 and injects code into its memory differently than typical malware. This method uses NTDLL relocation, and for “cmd.exe,” it loads “pla.dll” and injects the malware into it. 

A data file is written to %TEMP%. cmd.exe inherits it and has its EntryPoint changed to “pla.dll” code. This code decrypts a file, generates LummaC2 malware, and runs “explorer.exe,” injecting and executing the binary.

Process tree of malware execution (Source - ASEC)

LummaC2 targets victims and installs malware from its C2 server, and it steals various sensitive data using JSON-formatted responses from C2. 

The malware infects via legitimate EXE files, looking like original DLLs, posing a low detection risk.

IOCs

IOCs (Source - ASEC)
IOCs (Source – ASEC)

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Malicious DLL


Oct 26 2023

PWN2OWN TORONTO 2023 DAY 1 – ORGANIZERS AWARDED $438,750 IN PRIZES

Category: HackingDISC @ 7:13 am

During the Day 1 of the Pwn2Own Toronto 2023 hacking contest, the organization has awarded a total of $438,750 in prizes!

Team Orca of Sea Security received the greatest rewards of the day, the researchers chained two issues using an OOB Read and UAF against the Sonos Era 100. They earned $60,000 and 6 Master of Pwn points.

Researchers from Pentest Limited demonstrated an Improper Input Validation against the Samsung Galaxy S23. They earned $50,000 and 5 Master of Pwn points.

The team STAR Labs SG exploited a permissive list of allowed inputs against the Samsung Galaxy S23 and earned $25,000 and 5 Master of Pwn points.

Pentest Limited also earned $40,000 and 4 Master of Pwn points by executing a 2-bug chain against the My Cloud Pro Series PR4100 using a DoS and server-side request forgery (SSRF).

Team Viettel demonstrated a single-bug attack against the Xiaomi 13 Pro and earned $40,000 and 4 Master of Pwn points.

Team ECQ also earned $40,000 and 4 Master of Pwn points by executing a 3-bug chain using an SSRF and two injection vulnerabilities against the QNAP TS-464.

Binary Factory and Synacktiv demonstrated working attacks against the Synology BC500 and earned $30,000 and 3 Master of Pwn points and $15,000 and 3 Master of Pwn points respectively.

Compass Security also executed a stack overflow attack against the Synology BC500, but the exploit they used was previously known. They still earn $3,750 and 0.75 Master of Pwn points.

Other successful attacks were demonstrated against Canon imageCLASS MF753Cdw and Lexmark CX331adwe.

Below is the leaderboard after Pwn2Own Toronto 2023 Day 1.

https://x.com/thezdi/status/1717319411688747052?s=20

Tags: pwn2own


Next Page »