Dec 05 2023

Hackers Use Weaponized Documents To Attack U.S. Aerospace Industry

Category: Cyberweapon, Cyberweapons, Hacking | disc7 @ 12:33 pm

An American aerospace company has been the target of a cyberespionage campaign dubbed AeroBlade, which appears to be aimed at both competitive and commercial espionage.

The threat actor used spear-phishing as its distribution mechanism.

According to the BlackBerry Threat Research and Intelligence team, the weaponized document delivered as an email attachment reportedly carries embedded malicious VBA macro code together with a remote template injection mechanism that fetches the next stage of the payload.

AeroBlade Execution Chain

The network infrastructure and weaponization of the attacker appear to have gone active around September 2022, based on the evidence. 

Researchers estimate that the attack’s offensive phase took place in July 2023 with medium to high confidence. The network infrastructure stayed the same during that period, but the attacker’s toolset increased, making it stealthier.

There were two campaigns found, and there were a few similarities between them, such as:

  • Both lure documents were named “[redacted].docx.”
  • The final payload is a reverse shell.
  • The command-and-control (C2) server IP address is the same.

There were a few differences between the two campaigns, such as:

  • The final payload of the attack is stealthier and uses more obfuscation and anti-analysis techniques.
  • The campaign’s final payload includes an option to list directories from infected victims.

https://blogs.blackberry.com/content/dam/blogs-blackberry-com/images/blogs/2023/11/aeroblade-fig01.png
AeroBlade execution chain

A targeted email containing a malicious document attachment with the filename [redacted].docx is the first sign of an infection.

When the document is opened, it shows text in a purposefully jumbled font and a “lure” message requesting that the potential victim click on it to activate the content in Microsoft Office.

https://blogs.blackberry.com/content/dam/blogs-blackberry-com/images/blogs/2023/11/aeroblade-fig02.png
Malicious document displays text in a scrambled font

The next-stage information is saved in an XML (eXtensible Markup Language) file inside a .dotm file. A .dotm file is a Microsoft Word document template that contains the default layout, settings, and macros for a document.

When the victim manually clicks the “Enable Content” lure message and opens the file, the [redacted].dotm document drops a new file to the system and opens it.

“The newly downloaded document is readable, leading the victim to believe that the file initially received by email is legitimate. In fact, it’s a classic cyber bait-and-switch, performed invisibly right under the victim’s nose”, researchers said.

An executable run on the system via the macro is the final stage of execution. The final payload is a DLL that connects to a hard-coded C2 server and functions as a reverse shell. With a reverse shell, the victim machine opens the connection out to the attacker, so the attacker does not depend on an open inbound port and gains control of the target machine.
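The two document-level indicators this post describes, an external (remote) attached template and an embedded VBA project, can both be found statically by reading the OOXML container, without opening the file in Word. The script below is an added example written for this page, not BlackBerry's tooling; the documents it inspects are constructed in memory, and the template URL `http://template.invalid/remote.dotm` is a placeholder, not an AeroBlade indicator.

```python
"""Static triage of an Office Open XML file for two indicators: a remote
(external) attached template and an embedded VBA project.  Added example for
this page, not BlackBerry's tooling; the sample documents are constructed in
memory and are not real lure files."""
import io
import re
import zipfile
from typing import Optional

# Relationship type Word uses for the attached template (a public OOXML URI).
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
REL_RE = re.compile(r"<Relationship\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


def inspect_ooxml(data: bytes) -> dict:
    """Return the indicators found in an OOXML (.docx/.dotm) byte string."""
    findings = {"remote_templates": [], "has_vba_project": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # A vbaProject.bin part means macros are embedded, whatever the extension claims.
        findings["has_vba_project"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        # Remote template injection is declared in a relationships (.rels) part,
        # normally word/_rels/settings.xml.rels, as an attachedTemplate whose
        # TargetMode is "External" (the target is fetched over the network).
        for name in names:
            if not name.lower().endswith(".rels"):
                continue
            xml = zf.read(name).decode("utf-8", errors="replace")
            for rel in REL_RE.findall(xml):
                attrs = dict(ATTR_RE.findall(rel))
                if (attrs.get("Type") == ATTACHED_TEMPLATE
                        and attrs.get("TargetMode", "").lower() == "external"):
                    findings["remote_templates"].append(attrs.get("Target", ""))
    return findings


def verdict(findings: dict) -> str:
    """Anything that reaches out for a template or carries macros deserves analysis."""
    if findings["remote_templates"] or findings["has_vba_project"]:
        return "suspicious"
    return "clean"


def build_sample_docx(remote_target: Optional[str], with_macro: bool) -> bytes:
    """Constructed minimal document for the demo (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        rels = ['<?xml version="1.0"?><Relationships>']
        if remote_target:
            rels.append(f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                        f'Target="{remote_target}" TargetMode="External"/>')
        rels.append("</Relationships>")
        zf.writestr("word/_rels/settings.xml.rels", "".join(rels))
        if with_macro:
            # Placeholder bytes standing in for an OLE-packaged VBA project.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed placeholder URL; a real lure would point at the attacker's .dotm.
    lure = build_sample_docx("http://template.invalid/remote.dotm", with_macro=False)
    benign = build_sample_docx(None, with_macro=False)
    for label, doc in (("lure", lure), ("benign", benign)):
        found = inspect_ooxml(doc)
        print(label, verdict(found), found)
```

Run on mail-gateway quarantine or on attachments pulled during an investigation; an external `attachedTemplate` in a `.docx` that arrived by email is worth a block on its own, since ordinary documents carry their template locally.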

https://blogs.blackberry.com/content/dam/blogs-blackberry-com/images/blogs/2023/11/aeroblade-fig14.png
Example of information collected from infected system

Based on the content of the lure message, an American aerospace organization was the target of both campaigns. The goal was probably to gain insight into the target’s internal resources in order to assess its vulnerability to a potential ransom demand.

The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Cyber weapon


Nov 10 2023


Russian Hackers Hijacked Power Station Circuit Breakers Using LotL Technique

Category: Hacking, Information Security | disc7 @ 11:10 am

In a recent and alarming development, the notorious Russia-linked threat actor Sandworm executed a sophisticated cyber-physical attack targeting a critical infrastructure organization in Ukraine. 

The incident, responded to by cybersecurity firm Mandiant, unfolded as a multi-event assault, showcasing a novel technique to impact Industrial control systems (ICS) and operational technology (OT).

Unraveling Russia’s Cyber-Physical Capabilities

The attack, spanning from June to October 2022, demonstrated a significant evolution in Russia’s cyber-physical attack capabilities, notably visible since the invasion of Ukraine. 

Sandworm, known for its allegiance to Russia’s Main Intelligence Directorate (GRU), has historically focused on disruptive and destructive campaigns, particularly in Ukraine.

The unique aspect of this attack involved Sandworm’s utilization of living-off-the-land (LotL) techniques at the OT level, initially causing an unplanned power outage in conjunction with missile strikes across Ukraine. 

The threat actor further demonstrated its adaptability by deploying a new variant of the CADDYWIPER malware in the victim’s IT environment.

Mandiant’s analysis revealed the complexity of the attack, highlighting Sandworm’s ability to recognize novel OT threat vectors, develop new capabilities, and exploit various OT infrastructures. 

The threat actor’s deployment of LotL techniques indicated a streamlined approach, reducing the time and resources required for the cyber-physical assault.

Concerns Over Sandworm’s Adaptive Capabilities

Despite being unable to pinpoint the initial intrusion point, Mandiant suggested that the OT component of the attack may have been developed in as little as two months. 

This raises concerns about Sandworm’s capability to rapidly adapt and deploy similar attacks against diverse OT systems worldwide.

Sandworm’s global threat activity, coupled with its novel OT capabilities, prompted a call to action for OT asset owners worldwide. 

Mandiant provided detailed guidance, including detection methods, hunting strategies, and recommendations for hardening systems against such threats.

The attack’s timing, coinciding with Russian kinetic operations, suggested a strategic synchronization, indicating that the threat actor may have been waiting for a specific moment to deploy its capabilities. 

As observed in this incident, the evolution of Sandworm’s tactics offers insights into Russia’s ongoing investment in OT-oriented offensive cyber capabilities.

In conclusion, this Sandworm attack serves as a stark reminder of the escalating cyber threats faced by critical infrastructure globally. 

The continuous evolution of cyber adversaries necessitates a proactive approach from governments, organizations, and asset owners to secure and safeguard vital systems against such sophisticated attacks.

Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers


Tags: Power station, Sandworm


Nov 01 2023

Hackers Deliver Malicious DLL Files Chained With Legitimate EXE Files

Category: Hacking, Information Security | disc7 @ 9:31 am

Hackers opt for DLL hijacking as a technique to exploit vulnerable applications because it allows them to load malicious code by tricking a legitimate application into loading a malicious DLL.

This can give them unauthorized access and control over a system or application, enabling various types of attacks like:- 

  • Privilege escalation
  • Data theft
  • System compromise

An active threat involves an Infostealer distributing a legitimate EXE file alongside a hidden malicious DLL in the same directory.

The legitimate EXE runs the malicious DLL, a technique known as DLL hijacking, commonly used for malware distribution.

Malicious DLL With Legitimate EXE Files

Malware posing as software cracks is growing at a rapid pace and is getting distributed by the threat actors using DLL hijacking.

Users searching for cracked software are led to malicious sites, and the downloads are password-protected, encrypted RAR files.

Running the EXE infects the system; because these EXEs often carry valid signatures, users should always be cautious with cracked software, reads the ASEC report.

Distribution of the malware via webpages (Source - ASEC)

The malicious DLLs are legitimate DLLs with a small portion modified so that they decrypt and run data from a nearby file. Hiding the payload this way avoids altering the DLL’s appearance, reducing the risk of detection.

For malware to work, the following elements are required to be placed in the same folder:-

  • Data
  • EXE
  • Modified DLL

Unzipping the password-protected file with the code “2023” gives you the following files:-

Contents of compressed file (Source - ASEC)

The following two files are genuine VLC files with valid signatures:-

  • Setup.exe
  • libvlc.dll

The “libvlccore.dll” is altered and lacks a matching signature, and the extra directories such as demux and lua serve to mask its malicious nature.

Running ‘Setup.exe’ loads ‘libvlccore.dll,’ triggering a modified function that reads and decrypts ‘ironwork.tiff’ in the same folder. This file holds the payload code, disguised as a PNG image.

It loads “pla.dll” from SysWow64 and injects code into its memory in a way that differs from typical malware: the method uses NTDLL relocation, and for “cmd.exe” it loads “pla.dll” and injects the malware into it.

A data file is written to %TEMP%. cmd.exe inherits it and has its EntryPoint changed to “pla.dll” code. This code decrypts a file, generates LummaC2 malware, and runs “explorer.exe,” injecting and executing the binary.

Process tree of malware execution (Source - ASEC)

LummaC2 downloads and installs additional malware from its C2 server and steals various kinds of sensitive data, driven by JSON-formatted responses from the C2.

Because the malware is loaded by legitimate EXE files and its DLLs look like the originals, it poses a low detection risk.
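A first triage of a dropped folder like the one described above (a genuine signed EXE, a DLL beside it, and a data file disguised as an image) can be done with three cheap checks: does each file’s leading bytes match its extension, is its content high-entropy (encrypted or packed), and is it a DLL sitting next to an EXE. The script below is an added example written for this page, not ASEC’s tooling; the folder contents are constructed placeholders (`Setup.exe`, `libvlc.dll`, `libvlccore.dll`, `ironwork.tiff` are only the file names from the post, not the real samples), and signature verification is deliberately left to platform tools such as `signtool` or `Get-AuthenticodeSignature`.

```python
"""Triage of a dropped folder for the pattern described above: a legitimate
EXE, DLLs beside it that may have been modified, and a data file whose
extension does not match its contents.  Added example for this page (not
ASEC's tooling); the folder contents are constructed, not the real samples."""
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

# Leading bytes a file should start with, keyed by extension.
MAGIC = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".tiff": [b"II*\x00", b"MM\x00*"],
    ".tif": [b"II*\x00", b"MM\x00*"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
    ".exe": [b"MZ"],
    ".dll": [b"MZ"],
}
ARCHIVES = {".zip", ".rar", ".7z", ".gz"}   # legitimately high entropy, so not flagged
HIGH_ENTROPY = 7.2                           # bits per byte; encrypted/packed data sits near 8


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0 for empty input, at most 8)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_bytes(name: str, data: bytes, beside_exe: bool = False) -> dict:
    """Flag one file by extension/content mismatch, entropy, and placement."""
    ext = Path(name).suffix.lower()
    flags = []
    if ext in MAGIC and not any(data.startswith(m) for m in MAGIC[ext]):
        flags.append("magic-mismatch")
    entropy = shannon_entropy(data)
    if entropy >= HIGH_ENTROPY and ext not in ARCHIVES:
        flags.append("high-entropy")
    # A DLL next to an EXE is a hijack candidate: its Authenticode signature
    # should be checked with platform tooling, which this script does not do.
    if ext == ".dll" and beside_exe:
        flags.append("verify-signature")
    return {"name": name, "entropy": round(entropy, 2), "flags": flags}


def triage_dir(folder) -> dict:
    """Return {filename: flags} for every regular file in the folder."""
    folder = Path(folder)
    files = [p for p in folder.iterdir() if p.is_file()]
    beside_exe = any(p.suffix.lower() == ".exe" for p in files)
    return {p.name: classify_bytes(p.name, p.read_bytes(), beside_exe)["flags"]
            for p in sorted(files)}


def demo() -> dict:
    """Build a constructed folder shaped like the VLC-based dropper and triage it."""
    rng = random.Random(2023)                                        # deterministic "encrypted" blob
    pe_stub = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 512   # placeholder PE header, not real code
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "Setup.exe").write_bytes(pe_stub)
        (d / "libvlc.dll").write_bytes(pe_stub)
        (d / "libvlccore.dll").write_bytes(pe_stub)
        # The "image" is random bytes: no TIFF magic and near-8-bit entropy.
        (d / "ironwork.tiff").write_bytes(bytes(rng.getrandbits(8) for _ in range(4096)))
        return triage_dir(d)


if __name__ == "__main__":
    for name, flags in demo().items():
        print(f"{name:16} {flags or 'ok'}")
```

The entropy threshold is a heuristic: a legitimately compressed image can also score high, which is why the magic-byte mismatch is the stronger signal here, and why the DLL check only says "verify", since a modified `libvlccore.dll` is indistinguishable from the original by these tests until its signature is checked.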

IOCs

IOCs (Source - ASEC)


Tags: Malicious DLL


Oct 26 2023

PWN2OWN TORONTO 2023 DAY 1 – ORGANIZERS AWARDED $438,750 IN PRIZES

Category: Hacking | DISC @ 7:13 am

On Day 1 of the Pwn2Own Toronto 2023 hacking contest, the organizers awarded a total of $438,750 in prizes.

Team Orca of Sea Security received the largest reward of the day: the researchers chained two issues, an OOB Read and a UAF, against the Sonos Era 100. They earned $60,000 and 6 Master of Pwn points.

Researchers from Pentest Limited demonstrated an Improper Input Validation against the Samsung Galaxy S23. They earned $50,000 and 5 Master of Pwn points.

The team STAR Labs SG exploited a permissive list of allowed inputs against the Samsung Galaxy S23 and earned $25,000 and 5 Master of Pwn points.

Pentest Limited also earned $40,000 and 4 Master of Pwn points by executing a 2-bug chain against the My Cloud Pro Series PR4100 using a DoS and server-side request forgery (SSRF).

Team Viettel demonstrated a single-bug attack against the Xiaomi 13 Pro and earned $40,000 and 4 Master of Pwn points.

Team ECQ also earned $40,000 and 4 Master of Pwn points by executing a 3-bug chain using an SSRF and two injection vulnerabilities against the QNAP TS-464.

Binary Factory and Synacktiv demonstrated working attacks against the Synology BC500 and earned $30,000 and 3 Master of Pwn points and $15,000 and 3 Master of Pwn points respectively.

Compass Security also executed a stack overflow attack against the Synology BC500, but the exploit they used was previously known. They still earned $3,750 and 0.75 Master of Pwn points.

Other successful attacks were demonstrated against Canon imageCLASS MF753Cdw and Lexmark CX331adwe.

Below is the leaderboard after Pwn2Own Toronto 2023 Day 1.

https://x.com/thezdi/status/1717319411688747052?s=20

Tags: pwn2own


Oct 23 2023

10 Best Hacker-Friendly Search Engines Of 2023

Category: Hacking, Information Security, Web Search Engine | disc7 @ 8:33 am

Search engines let users find content across the world wide web; they are web-based tools for discovering or locating data easily.

Hackers and security researchers also rely on a number of specialised search engines available online, and this article describes the top ones.

10 Best Hackers Search Engines

Best Hackers Search Engines and their key features:

  • Shodan: very useful and easy to use; freely available
  • GreyNoise Visualizer: targeted scan and attack traffic
  • WiGLE: wireless network mapping; has web applications
  • Censys: enhances general security; helps to find open ports
  • Hunter: the most dynamic; also accessible through its API
  • Pipl: the world’s largest people search engine
  • PublicWWW: has an API for developer integration; shows millions of results for any search request
  • ZoomEye: very useful for investigators; used as wayfinding in cyberspace
  • HIBP: one of the most powerful tools
  • OSINT Framework: open source intelligence framework; easy to use


Tags: Hacker-Friendly Search Engines


Oct 20 2023

Hackers Using Secure USB Drives To Attack Government Entities

Category: Cyber Attack, Hacking, Information Security | disc7 @ 9:36 am

An ongoing attack on government agencies in the APAC region has reportedly compromised a secure USB device that uses hardware encryption.

The nation’s government agencies use these secure USB devices to store data and transfer it between computer systems.

The attacks had a very small number of victims and were highly targeted. The attacks are believed to have been conducted by a highly experienced and resourceful threat actor interested in conducting espionage operations in secure and private government networks.

Cyber Espionage Via Secure USBs

According to the Kaspersky APT trends report for Q3 2023, this long-running campaign comprises several malicious modules that may execute commands, gather data from infected workstations, and transfer it to further machines using the same or different secure USB drives. 

On the infected computers, the attackers can also execute additional malicious files.

The attack uses sophisticated tools and methods, such as virtualization-based software obfuscation for malware components, self-replication through connected secure USB drives to spread to other air-gapped systems, and code injection into a legitimate access management program on the USB drive that serves as a loader for the malware on a new machine.

BlindEagle, a financially motivated threat group, has targeted both people and governmental organizations in South America. Although espionage is the threat actor’s main objective, it has demonstrated interest in obtaining financial data.

BlindEagle is characterized by its capacity to cycle through different open-source remote access Trojans (RATs), including AsyncRAT, Lime-RAT, and BitRAT, and utilize them as the ultimate payload to accomplish its goals.

The gang sends spear-phishing emails with Microsoft Office documents attached to its victims. This starts a multi-level infection strategy that results in installing a new Trojan that is primarily made to steal data from the victim’s computer and take over by executing arbitrary commands.

APT campaigns are still widely spread geographically. Attackers have targeted Europe, South America, the Middle East, and other regions of Asia this quarter.

Government, military, defense, gaming, software, entertainment, utilities, banking, and manufacturing are just a few of the industries being attacked.

Cyber espionage continues to be a top priority of APT campaigns, and geopolitics continues to be a major factor in APT development.

“It is therefore very important to build a deep understanding of the TTPs of this threat actor and to watch out for future attacks,” reads the report.

https://gbhackers.com/hackers-using-secure-usb-attack-government-entities/



Tags: encrypted usb drive, USB Drives To Attack


Oct 14 2023

HackerGPT: A ChatGPT Empowered Penetration Testing Tool

Category: ChatGPT, Hacking | disc7 @ 4:59 pm

HackerGPT is a ChatGPT-enabled penetration testing tool that can help with network hacking, mobile hacking, different hacking tactics, and other specific tasks.

The main foundation of HackerGPT is the training data that has been offered. It does not use a jailbreak technique. Particularly, it generates replies using ChatGPT with a specified request while conforming to ethical rules.

A 14-day trial is available. With this trial, you get access to GPT-4, an unlimited number of messages for HackerGPT, quicker answers, and other advantages.

“No logs, no cost, anonymous login. Trained on a ton of hacking reports”, the company said.

“HackerGPT is only available in your web browser. Making it into an app will take some time, but with your feedback, we can make progress faster”.

Responses of HackerGPT

For instance, what if we asked HackerGPT to provide a step-by-step tutorial on conducting ARP spoofing? 

Threat Sentry Security, the Cyber Security Analyst, said, “Hacker-GPT. This is a pentester dream, my job just became 100 times easier. I told it to create an XSS payload & it did it without hesitation”.

https://twitter.com/thehackergpt/status/1710744412932698151?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1710744412932698151%7Ctwgr%5E8bcab3fa288fb6ab273c757b4583ff1d7199dda5%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fcybersecuritynews.com%2Fhackergpt%2F

According to users, HackerGPT is provided with numerous bug bounty reports and might be helpful to you in your job. A big-time saver.

It utilizes GPT-3 and GPT-4 and is aware of most attack routes and methodologies.

As of this writing, the company provides the users with the following:

  • Plus, the subscription is now at HALF the price!
  • Free users: 1.5x more messages with HackerGPT.
  • Plus users: 2.5x more messages with GPT4.
  • Plus bonus: Unlimited messages with HackerGPT.

Ethical hacking may use this tool to improve security evaluation and mitigation elements. The difficulty of communicating complicated technological results to both technical and non-technical audiences is a problem ethical hackers frequently face. 

ChatGPT’s capacity to produce logical and understandable explanations may make the communication of vulnerabilities simpler, hence facilitating organizations’ comprehension of possible risks and the adoption of the necessary countermeasures.

A Hacker’s Mind: How the Powerful Bend Society’s Rules, and How to Bend them Back


Tags: A Hacker's Mind, HackerGPT


Sep 27 2023

The Rise of Automotive Hacking: How to Secure Your Vehicles Against Hacking

Category: Hacking | disc7 @ 9:16 am

Though we can’t see it, the world brims with more technology than ever. These days, devices with internet connectivity live within the ever-growing Internet of Things (IoT)—a worldwide “web” where wireless communication and information technology work together. Since the early 2000s, smart cars have appeared within the IoT, sporting more comfortable, efficient, and safer rides. Despite their advancements, they remain constant targets for cyberattacks and hacking.

What is Automotive Hacking?

Functionally, automotive hacking is like traditional cyberattacks; the actor breaks into the system, gaining abilities to change files, open doors to other networks, or harvest unused resources. Automotive hacking occurs similarly, but the target is a car rather than a home computer or business database.

The target is the car’s electronic control unit (ECU), which connects to many communication channels and networks. The ECU is also intimately related to the car itself; hackers can do anything with this access, from changing the radio to steering takeovers. Some may outright steal the vehicle.

What are the Risks of Automotive Hacking?

A stolen car is a problem, but hackers aren’t typically interested in committing glaring crime sprees. They’re more concerned with insidious results. For example, a hacker could break into a car’s ECU to jump to another network. Then, they could access databases or servers as they please. Before jumping to a better vantage point, they could unleash a long list of problems for the car owner:

  • Broken or destroyed cybersecurity functions: making the car even more vulnerable.
  • Programmed behaviors: some may remove alarms and notifications from activation.
  • Data and personal information theft: opening owners to financial issues and fraud.
  • Forced temperature conditions: causing cars to shut down in high-temp states.

How Hackers Can Gain Access to Vehicles?

A smart car is under threat from many angles. Depending on the end goal of the assailant, the attack may take various forms, from over the internet to physical interaction with the car. Those wanting to access the ECU to jump away are less likely to come in contact with the vehicle. The hacker’s available technology limits their access gateways:

Forced Access

Hackers can break into an ECU by plugging an infected USB device into the car’s data port. Like other computers, cars can suffer from malware and viruses, but the consequences may be more deadly. For this reason, owners of modern cars must be vigilant about what, and who, is plugging things into their cars.

Extended Key Fob Range

Although fobs are a common feature of many cars, they are also a significant system weakness in smart cars. The more utility the car fob has, the more access the hacker could gain by breaking into it. A hacker’s access lets them start or stop the car, open the windows and doors, and even trigger alarms.

Smartphone Access

Hackers can get smartphone access in many ways; regarding vehicles, hackers can attack from the internet, over applications, or through a network. A corrupt smartphone exposes more than personal and financial information; it also opens any connected devices and networks to the threat. Connected automotive applications are another common access point for skilled hackers.

Telematics

Another weakness is the technology used to gather and analyze data from fleet vehicles. Telematic tech allows for seamless information interaction from any location but is readily exploitable for hackers. Those with a successful attack have network access, organization data, and personal client or consumer information.

How to Prevent Automotive Hacking?

Smart cars, despite being giant, rolling targets, have come a long way since their inception. Car manufacturers invest in more cybersecurity every year. The manufacturers and application developers are only part of the solution, however. Car owners must take proactive steps to help defend their property and network.

Manufacturer-Endorsed Software Only

One can rarely trust third-party applications. Devices that connect to them (or accept their Terms and Conditions) can quickly become infected with problems. Only use reputable applications; Google and Apple Maps are good examples, though cautious consumers may want to read their policies before agreeing.

Smart cars and internet connectivity will further entwine in the coming decades. As fast as cybersecurity tech advances, the faster hackers evolve their attacks. Smart cars and everything they interact with are at risk of falling victim to cyber threats. Taking necessary precautions on time can protect against identity theft and prevent becoming a victim of cyberattacks.

Up-to-Date Software

Gone are the days when consumers could ignore their system updates for weeks (or years). These days, software updates are the most significant protection individuals have against cyber threats. Car owners should check their systems regularly for compliance.

Password Protect

Like cellphones, many smart cars have “About” information that may provide access to the ECU. The only way to prevent its use is by routinely monitoring the accounts and properly configuring access. Administration passwords are not permanent solutions.

Internet Access via VPN

Virtual private networks (VPNs) mask a device’s IP address with an alternative. It allows consumers to have another layer of protection between themselves and the internet. VPNs are crucial to securing vehicle gadgets, engines, and internal components.

Strictly Need-Basis GPS

The Global Positioning System (GPS) of a modern car is one of the car’s most significant weaknesses. GPS opens the system to transmissions, which can lead to direct attacks. Hackers could also target their internal connections if the GPS works through a third party.

Install a Firewall

Removing the connectivity from a modern car is impossible. Consumers must protect the connection to prevent successful cyberattacks. Installing the proper firewall will do more than alert the owner to threats; it will also restrict communications from all unauthorized parties. Firewalls are considered a necessary line of defense.


Tags: Automotive Hacking


Sep 18 2023

FBI HACKER USDOD LEAKS HIGHLY SENSITIVE TRANSUNION DATA

Category: Data Breach, data security, Hacking | disc7 @ 11:36 am

Researchers from vx-underground reported that FBI hacker ‘USDoD’ leaked sensitive data from consumer credit reporting agency TransUnion.

TransUnion is an American consumer credit reporting agency. TransUnion collects and aggregates information on over one billion individual consumers in over thirty countries, including “200 million files profiling nearly every credit-active consumer in the United States”.

A threat actor who goes by the moniker “USDoD” announced the leak of highly sensitive data allegedly stolen from the credit reporting agency. The leaked database, over 3GB in size, contains sensitive PII of about 58,505 people from all across the globe, including the Americas and Europe.

According to the vx-underground researchers who reported the leak, the archive contains data dating back to March 2nd, 2022, which could be the date of the data breach.

The leaked database holds information on individuals from all across the globe, including the Americas (North and South) as well as Europe.

vx-underground states that the leaked data includes each individual’s first name, last name, internal TransUnion identifiers, sex, passport information, place of birth, date of birth, civil status, age, current employer, information on their employer, a summary of financial transactions, credit score, loans in their name, remaining balances on the loans, where they got the loan from, and when TransUnion first began monitoring their information.

The name USDoD is well known in the cyber security sector; it was also listed in the indictment of Pompompurin, the notorious owner of the BreachForums cybercrime forum. vx-underground pointed out that USDoD is believed to be behind many other high-profile security breaches.

Recently, The multinational aerospace corporation Airbus announced that it is investigating a data leak after cybersecurity firm Hudson Rock reported that a hacker posted information on thousands of the company’s vendors to the dark web.

“USDoD” announced he had gained access to an Airbus web portal by compromising the account of a Turkish airline employee.

The hacker claimed to have details on thousands of Airbus vendors. The threat actor obtained the personal information of 3,200 individuals associated with Airbus vendors; the exposed data includes names, job titles, addresses, email addresses, and phone numbers.

In December 2022, the FBI’s InfraGard US Critical Infrastructure Intelligence portal was hacked and a database containing the contact details of more than 80,000 high-profile private sector individuals was offered for sale by USDoD on the Breached cybercrime forum.

After the law enforcement shutdown of “Breached” forum, its members, including “USDoD,” moved to other platforms such as “BreachForums.”

“USDoD” posted two threads on this new forum, one to announce they had joined the notorious ransomware group Ransomed. In the second thread, the hacker exposed the personal information of 3,200 Airbus vendor contacts. USDoD also warned that Lockheed Martin and Raytheon might be the next targets.

“Threat actors typically refrain from revealing their intrusion techniques, however in this exceptionally rare leak, “USDoD” revealed they gained access to Airbus’s data by exploiting “employee access from a Turkish Airline”.” reported Hudson Rock. “Using this information, Hudson Rock researchers succeeded to trace the mentioned employee access — a Turkish computer infected with an info-stealing malware in August 2023.”

According to the researchers, the computer of the victim was likely infected with the RedLine stealer after he attempted to download a pirated version of the Microsoft .NET framework.

A Business Guide for Protecting Sensitive Information


Tags: SENSITIVE TRANSUNION DATA


Aug 31 2023

THIS CODE ALLOWS HACKING INTO JUNIPER SRX FIREWALLS AND EX SWITCHES

Category: Hacking | disc7 @ 8:04 am

Juniper Networks, a company that manufactures widely used networking equipment as well as security solutions, has issued a warning about vulnerabilities that are present in the operating systems of many of its devices.

The business has acknowledged in not one but two distinct security alerts that were either released or revised this week that the Junos OS and the Junos OS Evolved operating systems may be susceptible to attacks. Additionally, the corporation issued an updated warning about vulnerabilities that are present in the SRX firewalls and EX switches used by the company.

In a fresh warning, it said that earlier versions of the operating systems might stall when processing malformed messages in their implementation of the Border Gateway Protocol (BGP), the protocol that routes traffic between networks on the internet.

To be more specific, a “UPDATE” message that is formatted in a particular manner “will eventually create a sustained Denial of Service (DoS) condition for impacted devices,” which would prevent such devices from carrying out their duties.

A security advisory that had been issued in June and was connected to BGP was also updated by the business on Wednesday. This issue also addressed the possibility of attacks that denied service to users.

In both instances, the corporation was providing workarounds as a means of resolving the problems “out of cycle” from its typical operating system update releases.

A third warning, issued on August 17 and most recently updated on Wednesday, refers to vulnerabilities in J-Web, the web interface for the firm’s SRX firewalls and EX switches, which security researchers at watchTowr Labs investigated.

In such a scenario, “an unauthenticated, network-based attacker” has the ability to link together the exploitation of the vulnerabilities “to remotely execute code on the devices.”

In addition, the Cybersecurity and Infrastructure Security Agency (CISA) released a brief advisory on Wednesday about the vulnerabilities in the operating system.

The researchers also carried out an extensive study whose results give a comprehensive understanding of how this weakness is exploited and of the vulnerabilities associated with it.

In the course of their investigation, the researchers focused on two Juniper vulnerabilities (CVE-2023-36846 and CVE-2023-36845), both described in the company's security advisory. The two, Missing Authentication for Key Functions and PHP External Variable Modification, have something in common: both lie in PHP code.

Further investigation showed that J-Web is written entirely in PHP and that authentication is handled by a user class. A PHP file called webauth_operation.php was also found.

In addition, some 150 distinct functions were found to be in use, serving purposes ranging from basic helpers to IP address formatting and ranging in complexity from simple to complicated. Every one of them required interaction with the appliance's command line interface (CLI).

Researchers from watchTowr have produced a comprehensive analysis, available on their website, with in-depth information on these vulnerabilities and the techniques used to exploit them.

A GitHub repository containing a proof-of-concept for this vulnerability has been made available. Security professionals can use it to test their own environments for the flaw and to verify that remediation worked.


InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: JUNIPER SRX FIREWALLS


Aug 24 2023

HACKING TP-LINK SMART BULBS TO CONTROL SMART HOME AND YOUR LIFE

Category: Cyber Attack, Hacking | disc7 @ 10:19 am

The Internet of Things (IoT) is currently at its peak, with capabilities expanding rapidly: everyday items such as light bulbs and plugs are being turned into smart devices controlled from smartphones. The number of IoT devices exceeded 13.8 billion in 2021 and is expected to quadruple by 2025, but this growth also introduces security risks that cybercriminals exploit. Researchers have discovered that even smart light bulbs, such as the TP-Link Tapo Smart Wi-Fi Multicolor Light Bulb, can be hacked to gather Wi-Fi credentials. They employed PETIoT, an IoT-focused kill chain, to assess vulnerabilities in these bulbs. The situation highlights the challenges cybersecurity experts face as threats in the IoT landscape grow.

The Tapo L530E is a cloud-enabled multicolor smart bulb that can be operated with the Tapo app on an Android or iOS device without a hub; it connects directly to the home Wi-Fi network. According to the researchers' findings, this bulb is susceptible to the following four vulnerabilities:

  • Lack of authentication of the smart bulb with the Tapo app (CVSS score 8.8, high severity)
  • Hard-coded, short shared secret (CVSS score 7.6, high severity)
  • Lack of randomness during symmetric encryption (CVSS score 4.6, medium severity)
  • Insufficient message freshness (CVSS score 5.7, medium severity)

The examination and testing carried out by the security experts covered proximity-based attacks on the target smart bulb. The attack scenario that causes the greatest concern is one in which an attacker impersonates a bulb and, by exploiting the vulnerabilities, retrieves information about a Tapo user account.

After that, the attacker may extract the victim’s WiFi SSID and password by using the Tapo app, allowing them to obtain access to any and all other devices that are connected to the victim’s network.

For the attack to succeed, the device must first be in setup mode. The attacker can, however, deauthenticate the bulb, forcing the user to reconfigure it to get the light working again. The researchers also investigated a man-in-the-middle (MITM) attack against an already configured Tapo L530E. This attack exploits a vulnerability to intercept and control the connection between the app and the bulb and to capture the RSA encryption keys used for subsequent data transmission.

MITM attacks are also possible against unconfigured Tapo devices: the attacker again leverages a vulnerability by connecting to the Wi-Fi during setup, bridging two networks and relaying discovery messages. This eventually lets the attacker retrieve Tapo passwords, SSIDs and Wi-Fi passwords in easily decoded base64 form. Finally, a further flaw enables replay attacks, in which previously sniffed messages are re-sent to bring about functional changes in the device.
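The four weaknesses above (short hard-coded secret, no randomness in the symmetric encryption, no message freshness, and the resulting replayability) can be modelled side by side with their fixes. The following is an added illustration, not TP-Link's or the researchers' code: the cipher is a toy HMAC-based keystream rather than the bulb's real one, and the command string and secret are constructed placeholders.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Optional


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256(key, nonce || block_counter), truncated to `length`.
    Illustrative construction only; the real device uses a different cipher."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class WeakChannel:
    """Models the reported weaknesses: a short hard-coded shared secret, a fixed nonce
    (no per-message randomness, so identical commands encrypt identically), no integrity
    tag and no freshness check."""
    SECRET = b"tapo"            # constructed placeholder, not the real secret
    FIXED_NONCE = b"\x00" * 16  # no randomness: every message uses the same keystream

    def seal(self, msg: bytes) -> bytes:
        return _xor(msg, _keystream(self.SECRET, self.FIXED_NONCE, len(msg)))

    def open(self, blob: bytes) -> bytes:
        # No tag and no sequence number: a captured blob replays as a fresh command.
        return _xor(blob, _keystream(self.SECRET, self.FIXED_NONCE, len(blob)))


class HardenedChannel:
    """Per-session random key, random 16-byte nonce per message, HMAC tag over header and
    ciphertext, and a strictly increasing sequence number enforced by the receiver."""
    NONCE_LEN, SEQ_LEN, TAG_LEN = 16, 8, 32

    def __init__(self, session_key: bytes):
        self.key = session_key
        self.send_seq = 0
        self.last_seen_seq = 0

    def seal(self, msg: bytes) -> bytes:
        self.send_seq += 1
        header = secrets.token_bytes(self.NONCE_LEN) + struct.pack(">Q", self.send_seq)
        ct = _xor(msg, _keystream(self.key, header, len(msg)))
        tag = hmac.new(self.key, header + ct, hashlib.sha256).digest()
        return header + ct + tag

    def open(self, blob: bytes) -> Optional[bytes]:
        hdr_len = self.NONCE_LEN + self.SEQ_LEN
        if len(blob) < hdr_len + self.TAG_LEN:
            return None
        header, ct, tag = blob[:hdr_len], blob[hdr_len:-self.TAG_LEN], blob[-self.TAG_LEN:]
        expected = hmac.new(self.key, header + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                      # forged or tampered message
        seq = struct.unpack(">Q", header[self.NONCE_LEN:])[0]
        if seq <= self.last_seen_seq:
            return None                      # replayed (or out-of-order) message: reject
        self.last_seen_seq = seq
        return _xor(ct, _keystream(self.key, header, len(ct)))


def demo() -> dict:
    """Send a 'turn on' command over both channels, then replay the captured bytes."""
    cmd = b'{"method":"set_device_info","params":{"device_on":true}}'  # constructed command
    weak = WeakChannel()
    weak_blob = weak.seal(cmd)
    key = secrets.token_bytes(32)            # would come from an authenticated key exchange
    app, bulb = HardenedChannel(key), HardenedChannel(key)
    blob1 = app.seal(cmd)
    first = bulb.open(blob1)
    replay = bulb.open(blob1)                # same bytes captured and re-sent
    return {
        "weak_deterministic": weak.seal(cmd) == weak_blob,   # identical ciphertext each time
        "weak_replay_accepted": weak.open(weak_blob) == cmd, # replay decrypts as a valid command
        "hardened_randomized": app.seal(cmd) != blob1,       # fresh nonce and sequence number
        "hardened_first_ok": first == cmd,
        "hardened_replay_rejected": replay is None,
    }
```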

In response, TP-Link gave the researchers their assurance that the issues that were found in their software as well as the firmware of the bulb will be fixed.


Tags: Smart home, TP-Link Smart Bulb


Aug 15 2023

Hacking ATMs by exploiting flaws in ScrutisWeb ATM fleet software

Category: Hacking | disc7 @ 1:08 pm

Researchers found several flaws in the ScrutisWeb ATM fleet monitoring software that can expose ATMs to attack.

Researchers from the Synack Red Team found multiple flaws (CVE-2023-33871, CVE-2023-38257, CVE-2023-35763 and CVE-2023-35189) in the ScrutisWeb ATM fleet monitoring software that can be exploited to remotely hack ATMs.

ScrutisWeb, developed by Lagona, allows ATM fleets to be managed remotely. Operators can use the software to send files to and receive files from a device, modify data, reboot a device or shut down a terminal.

The researchers discovered multiple vulnerabilities, including Absolute Path Traversal and Authorization Bypass Through User-Controlled Key issues, Hardcoded Cryptographic Key, and Unrestricted Upload of File with Dangerous Type.

Lagona addressed the vulnerabilities in July 2023 with the release of ScrutisWeb version 2.1.38. 

CVE-2023-33871 is an Absolute Path Traversal that can allow configurations, logs and databases to be downloaded from the server.

CVE-2023-35189 is a Remote Code Execution flaw that could be chained with the other issues to gain user access to the ATM controller.

CVE-2023-38257 is an Insecure Direct Object Reference that can be exploited to retrieve information about all users on the system, including administrators.

CVE-2023-35763 is a hardcoded encryption key that can allow plaintext administrator credentials to be retrieved.
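The absolute path traversal class named above (CVE-2023-33871) comes down to a file-download handler that trusts the requested name. As an added example that is not ScrutisWeb's code, here is the vulnerable join pattern beside a hardened handler that rejects absolute paths, canonicalises the target and refuses anything that resolves outside the export directory (including symlink escapes); the directory layout is constructed for the demo.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional


def unsafe_download(base_dir: str, requested: str) -> bytes:
    """Vulnerable pattern (illustrative): joins the user-supplied name onto the export
    directory. os.path.join drops base_dir entirely when `requested` is absolute, and
    '../' segments walk out of it, so any file the service can read is downloadable."""
    return Path(os.path.join(base_dir, requested)).read_bytes()


def safe_download(base_dir: str, requested: str) -> Optional[bytes]:
    """Hardened handler: reject absolute or empty names, canonicalise (resolving '..'
    and symlinks) and serve only regular files that still sit inside base_dir."""
    base = Path(base_dir).resolve()
    if not requested or os.path.isabs(requested):
        return None                          # absolute path traversal attempt
    target = (base / requested).resolve()
    if target != base and base not in target.parents:
        return None                          # escaped the export directory
    if not target.is_file():
        return None
    return target.read_bytes()


def build_fixture() -> str:
    """Constructed layout: an export directory the handler may serve from, plus a sibling
    application directory holding a config file that must stay unreachable."""
    root = Path(tempfile.mkdtemp())
    exports = root / "exports"
    exports.mkdir()
    (exports / "daily_report.csv").write_bytes(b"atm_id,status\nATM-0001,online\n")
    app_dir = root / "app"
    app_dir.mkdir()
    (app_dir / "config.xml").write_bytes(b"<config><dbpass>constructed</dbpass></config>")
    try:
        (exports / "link").symlink_to(app_dir)   # symlink inside exports pointing outside
    except OSError:
        pass                                     # platforms without symlink support
    return str(exports)
```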

The US Cybersecurity and Infrastructure Security Agency (CISA) recently published an advisory for these vulnerabilities; the agency also provides the following recommendations:

  • Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

Tags: ATM


Aug 12 2023

THIS CODE LETS HACKERS REMOTELY PLAY MUSIC ON LEXMARK PRINTERS AND SPY ON USERS

Category: Cyber Spy, Hacking, Printer security | disc7 @ 2:52 pm

Researchers at Horizon3 have made public proof-of-concept (PoC) code for a major privilege escalation vulnerability (CVE-2023-26067) in Lexmark printers. On an unpatched device, this vulnerability, which has a CVSS score of 8.0, could enable an attacker to gain elevated access.

The vulnerability stems from incorrect validation of user-supplied input. An attacker could exploit it by sending a specially crafted request to the printer. Once exploited, it could give the attacker escalated rights on the device, potentially allowing them to execute arbitrary code, dump credentials or obtain a reverse shell.

Configurations prone to vulnerability
The very first time a Lexmark printer is turned on, an initial Setup Wizard is shown on its display. This wizard walks the user through configuring several system settings, such as the language, and offers the opportunity to set up an administrative user.
If the user selects “Set Up Later,” the printer gives “Guest” users access to all of the features and pages available through its web interface. If the user selects “Set Up Now,” the printer blocks access to a significant portion of that functionality until the user has authenticated.

Even if the user chooses “Set Up Later,” they can still configure credentials later through the web interface. A credential set up this way, however, does not by default impose any limits on the “Guest” account, which means that several critical functions, including the vulnerable endpoint /cgi-bin/fax_change_faxtrace_settings, remain publicly accessible.

To determine which configuration is most common in the real world, Horizon3 looked at devices listed on Shodan as well as those in its own client base. Searching for “Lexmark 3224” on Shodan lists the printers whose web interface is reachable online; the vast majority of them were configured in a way that made them susceptible to attack. The same pattern was seen with each of the customers that integrate Lexmark printers into their corporate networks.

Horizon3 has researched this vulnerability extensively and found many ways it can be chained by capable adversaries. An article published on Horizon3's blog on Friday gives insight into the layered complexity of this vulnerability. The following gives an idea of what prospective attackers could do:

  • Credential dumping: by exploiting this weakness, attackers can obtain sensitive credentials, a first step that can lead to more extensive and destructive breaches.
  • Reverse shell access: once they control a device, attackers can establish a reverse shell, extending their control and access inside a network.
  • Surprisingly, the vulnerability even lets attackers play music on affected devices. This may seem minor, but it highlights the degree of control that can be achieved by exploiting the flaw.

Horizon3 has gone a step further by posting proof-of-concept (PoC) code on its website that illustrates how CVE-2023-26067 can be exploited. Releasing the PoC is a double-edged sword, although no attempts to exploit the flaw in the wild have been publicly reported.

Lexmark has released firmware upgrades to fix this issue. If you own a Lexmark printer, check its firmware version and update it to the most recent release as soon as you can; the latest firmware for your printer is available on the Lexmark website. This issue poses a significant risk to Lexmark printers, and it is quite possible that resourceful, motivated threat actors will move fast to exploit it. Keeping printer firmware up to date as quickly as possible is essential to keeping the devices safe.



Tags: LEXMARK PRINTERS


Aug 02 2023

HOW TO EASILY HACK TP-LINK ARCHER AX21 WI-FI ROUTER

Category: Hacking, Wi-Fi Security | disc7 @ 7:21 am

TP-Link has released a fix for a severe vulnerability in its Archer AX21 router. This vulnerability might have allowed attackers to take control of the device and carry out arbitrary operations.

This vulnerability, assigned the identifier CVE-2023-31710, is a heap-based buffer overflow in the TP-Link Archer AX21 router's /usr/lib/libtmpv2.so component. Xiaobye, a security researcher, discovered the weakness and disclosed it in full, which allowed TP-Link to quickly devise a fix. At the heart of the problem is the lack of input sanitization of the content_length variable, which describes the length of the data carried in a TMP packet. An adversary could alter this variable and, by submitting a carefully crafted request to the router, cause it to execute commands. Archer routers only allow ‘admin’ users, who have full root access, which exacerbates the severity of the problem: a threat actor who achieves command execution would take control of the router with administrative capabilities.

This security flaw affects particular router versions, including Archer AX21(US)_V3_1.1.4 Build 20230219 and Archer AX21(US)_V3.6_1.1.4 Build 20230219, among others. Nevertheless, TP-Link has released patches for these versions, which may be found under the names Archer AX21(US)_V3.6_230621 and Archer AX21(US)_V3_230621, respectively. It is recommended that consumers who are affected get their routers up to date as soon as they can.

Xiaobye has continued his commendable efforts to shed light on the matter by publishing a video demonstration of exploiting CVE-2023-31710 on his GitHub repository.

In order to strengthen the safety of your router, you should take additional precautions in addition to updating the firmware on it.



Tags: TP-LINK ARCHER AX21


Jul 29 2023

My Adventures as the World’s Most Wanted Hacker 

Category: Hacking | disc7 @ 4:12 pm

“Ghost in the Wires” is an autobiography written by Kevin Mitnick, co-authored by William L. Simon, published in 2011. The book details the life and adventures of Kevin Mitnick, one of the most famous and notorious hackers in computer history. Mitnick’s story is not only a thrilling tale of hacking, intrigue, and escapes but also provides valuable insights into the world of cybersecurity, privacy, and the vulnerabilities of information systems.

The book showcases Mitnick’s skills as a hacker, which allowed him to gain unauthorized access to computer networks and systems of major companies during the 1980s and 1990s. He used various techniques to exploit security weaknesses and evade detection by law enforcement agencies. Mitnick’s activities led to a high-profile chase by the FBI and other authorities as they tried to capture him.

The “Ghost in the Wires” title alludes to Mitnick’s ability to remain elusive and undetected, much like a ghost haunting the digital realm. The book delves into the tactics he used to cloak his identity, manipulate phone switches, and navigate through complex computer and cellular networks, staying one step ahead of the authorities.

Throughout the story, Mitnick shares the mindset and strategies he employed, giving readers an insight into the mind of a hacker and how cybersecurity measures were inadequate in that era. It also highlights the need for companies to reevaluate their security protocols and protect their sensitive information from cyber threats.

As a hacker turned cybersecurity consultant, Mitnick ultimately uses his experiences to shed light on the importance of improved security practices, awareness, and the dangers of social engineering. The book serves as a cautionary tale for individuals and organizations alike, emphasizing the need to stay vigilant and proactive in the face of evolving cyber threats.

Overall, “Ghost in the Wires” is not only an enthralling tale of a skilled hacker’s escapades but also a valuable resource for understanding cybersecurity and the significance of protecting digital information in the age of Big Data and pervasive surveillance.

“Mitnick manages to make breaking computer code sound as action-packed as robbing a bank.” — NPR

Tags: Kevin Mitnick, World's Most Wanted Hacker


Jul 29 2023

NEW ATTACK TECHNIQUE TO HACK APACHE TOMCAT SERVERS

Category: Cyber Attack, Hacking, Web Security | disc7 @ 11:56 am

The article discusses a new cyberattack targeting Apache Tomcat servers, a popular open-source web server environment written in Java. Apache Tomcat supports various technologies and is widely used by developers.

The attack is orchestrated by the Mirai botnet and bitcoin miners, specifically targeting improperly configured Apache Tomcat servers lacking sufficient security measures. The research, conducted by Aqua, involved setting up Tomcat server honeypots to monitor the attacks over a two-year period.

During the research, more than 800 attacks were recorded, with an overwhelming 96% of them linked to the Mirai botnet. Out of these attempts, 20% (152 attacks) utilized a web shell script named “neww,” originating from 24 different IP addresses. Interestingly, 68% of these attacks were attributed to a single IP address, 104.248.157[.]218. Fortunately, the attacks using the “neww” web shell script were unsuccessful in compromising the targeted servers.

A brute force attack was carried out by the threat actor against the scanned Tomcat servers in order to acquire access to the web application management using a variety of different credential combinations.

After gaining access, the threat actors deploy a WAR file containing a web shell called ‘cmd.jsp’ on the compromised Tomcat server, enabling remote command execution.

Downloading and running the “neww” shell script is an integral part of the attack chain. Once it has executed, the script is removed with the “rm -rf” command. The malware then retrieves 12 binary files tailored to the architecture of the targeted system.

All of these components work together to quickly deploy the web application on compromised Tomcat servers.

The last step of the malware is a variation of the Mirai botnet that uses infected systems for the purpose of coordinating distributed denial-of-service (DDoS) assaults.

The threat actor infiltrates the web application manager using legitimate credentials, uploads a disguised web shell in a WAR file, remotely executes commands and starts the attack. The statistics shed light on the profitable expansion of cryptocurrency mining, which is projected to see a 399% increase and 332 million cryptojacking attacks worldwide in H1 2023.
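The chain just described (credential brute force against the manager app, a successful login, a WAR deployment, then requests to the dropped web shell) leaves a recognisable sequence in the Tomcat access log. The detector below is an added example, not Aqua's tooling; the log lines are constructed, the threshold of five failures and the deployment paths are assumptions, and the addresses are documentation ranges.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed Tomcat access-log lines in the common log format (not real traffic):
# a burst of failed manager logins, a success, a WAR upload through the manager app and a
# request to the dropped web shell, plus one benign administrator from another address.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Jul/2023:10:01:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.5 - - [28/Jul/2023:10:01:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.5 - - [28/Jul/2023:10:01:04 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.5 - - [28/Jul/2023:10:01:05 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.5 - - [28/Jul/2023:10:01:06 +0000] "GET /manager/html HTTP/1.1" 401 2473
198.51.100.7 - ops [28/Jul/2023:10:01:10 +0000] "GET /manager/html HTTP/1.1" 200 15234
203.0.113.5 - tomcat [28/Jul/2023:10:01:30 +0000] "GET /manager/html HTTP/1.1" 200 15234
203.0.113.5 - tomcat [28/Jul/2023:10:01:45 +0000] "POST /manager/html/upload HTTP/1.1" 302 -
203.0.113.5 - - [28/Jul/2023:10:02:01 +0000] "GET /uploads/cmd.jsp HTTP/1.1" 200 120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

MANAGER_PREFIX = "/manager/"
# Manager-app endpoints that deploy a WAR (HTML form upload and the text deploy API).
DEPLOY_PREFIXES = ("/manager/html/upload", "/manager/text/deploy")
KNOWN_WEBSHELL_NAMES = {"cmd.jsp"}   # web shell name reported in this campaign
FAIL_THRESHOLD = 5                   # 401s from one address before it counts as brute force


def detect(log_text: str) -> Dict[str, List[str]]:
    """Return, per source address, the ordered list of attack-chain stages observed."""
    alerts: Dict[str, List[str]] = defaultdict(list)
    failures: Dict[str, int] = defaultdict(int)
    deployers = set()                # addresses that deployed something via the manager
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                 # not in the expected format; skip
        ip, method, path = m["ip"], m["method"], m["path"]
        status = int(m["status"])
        if path.startswith(MANAGER_PREFIX):
            if status == 401:
                failures[ip] += 1
                if failures[ip] == FAIL_THRESHOLD:
                    alerts[ip].append("manager_brute_force")
            elif status in (200, 302):
                # A success after a burst of failures is the password-guessing payoff.
                if failures[ip] >= FAIL_THRESHOLD and "manager_login_after_failures" not in alerts[ip]:
                    alerts[ip].append("manager_login_after_failures")
                if method in ("POST", "PUT") and path.startswith(DEPLOY_PREFIXES):
                    alerts[ip].append("war_deploy")
                    deployers.add(ip)
        # A JSP request from an address that just deployed, or with a known shell name.
        name = path.rsplit("?", 1)[0].rsplit("/", 1)[-1].lower()
        if name.endswith(".jsp") and (name in KNOWN_WEBSHELL_NAMES or ip in deployers):
            alerts[ip].append("webshell_request")
    return dict(alerts)
```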

Recommendation
To protect against attacks of this kind, cybersecurity specialists suggested the following measures:

  • Make sure that each of your environments has the appropriate configuration.
  • Scan your servers regularly for threats.
  • Make cloud-native tools that scan for vulnerabilities and misconfigurations available to your development, DevOps and security teams so they can do their jobs better.
  • Use runtime detection and response technologies.



Tags: APACHE TOMCAT SERVERS, web security


Jul 28 2023

VERSIONS OF UBUNTU PRIOR TO 23.04 CAN BE HACKED THANKS TO THESE 2 SEVERE SECURITY FLAWS

Category: Hacking, Linux Security | disc7 @ 9:43 am

Researchers have found two vulnerabilities in the Ubuntu Linux operating system, both of which can give attackers elevated privileges. The privilege escalation flaws have been identified in the OverlayFS module of Ubuntu operating systems.

A Linux filesystem known as OverlayFS has seen significant adoption in the container industry. OverlayFS makes it possible to deploy dynamic filesystems while maintaining compatibility with pre-built images.

CVE-2023-23629

This vulnerability arises because, on Ubuntu kernels, the ovl_copy_up_meta_inode_data routine can bypass permission checks when it invokes the ovl_do_setxattr function. It has been assigned a CVSS score of 7.8, which is considered High.

CVE-2023-2640

This vulnerability stems from an Ubuntu-specific kernel patch titled “SAUCE: overlayfs: bypass permission checks for trusted.overlayfs.* xattrs”.

This vulnerability may be exploited by an attacker who does not have rights by establishing privileged extended attributes on the mounted files and then setting them on the other files without necessary checks being performed. This vulnerability has been assigned a CVSS score of 7.8, which is considered to be High.

The Ubuntu Patch from 2018 is in Conflict with the Linux Kernel Project from 2019 and 2022.

Since the OverlayFS module may be used by non-privileged users via user namespaces, it is a perfect candidate for local privilege escalation. In 2018, Ubuntu released patches that addressed these security flaws.

Despite this, researchers at Wiz discovered that the Linux Kernel Project released many new versions in 2019 and 2022.

There was a problem between the older patches and the most recent version as a direct consequence of the changes that were made to the OverlayFS module.

These exploits are already accessible to the public in their exploitable forms. It is strongly advised that anyone using Ubuntu versions earlier than 23.04 update to the most recent release in order to prevent these vulnerabilities from being exploited. On the other hand, the majority of cloud security providers (CSPs) have been using insecure versions of the Ubuntu Operating System as their default system.

Researchers believe that around forty percent of computers running Ubuntu might have been affected by the issue, making the anticipated scope a large one. According to Canonical, the business that is responsible for Ubuntu and also operates for profit, the desktop version of the software was installed more than 20 million times in 2017. Ubuntu has issued a security alert that addresses many vulnerabilities and gives credit to the researchers who discovered them.



Tags: Mastering Linux Security and Hardening, UBUNTU


Jul 21 2023

12 open-source penetration testing tools you might not know about

Category: Hacking, Pen Test, Security Tools | disc7 @ 12:19 pm

Red Siege has developed and made available many open-source tools to help with your penetration testing work.

The company plans to continue to support the tools listed below, whether in the form of bug fixes or new features. Give them a try, they’re all available on GitHub for free.

“I find joy in writing code, turning it into a logic puzzle to create powerful software tools. The satisfaction of seeing my creations in action, like EyeWitness, brings a sense of pride and saves valuable time. Motivated by the possibility of filling a software gap, I open source my creations, hoping they’ll benefit others as they did for me,” Chris Truncer, Senior Security Consultant & Director of Training, Red Siege, told Help Net Security.

AutoFunkt

AutoFunkt is a Python script for automating the creation of serverless cloud redirectors from Cobalt Strike malleable C2 profiles.

C2concealer

C2concealer is a command line tool that generates randomized C2 malleable profiles for use in Cobalt Strike.

DigDug

Dig Dug works by appending words from a dictionary to an executable. This dictionary is appended repeatedly until the final desired size of the executable is reached. Some AV & EDR engines may measure entropy to determine if an executable is trustworthy for execution. Other vendors inspect executables for signs of null byte padding.

dumpCake

dumpCake dumps password authentication attempts made to the SSH daemon. Every SSHD child process is attached to, and on completion of the process the attempted passwords and connection logs are dumped by the script.

EyeWitness

EyeWitness takes screenshots of websites, collects server header info, and identifies default credentials if possible. Saves a lot of time triaging web sites on large tests. This tool is very commonly used by penetration testers looking to sift through a long list of websites.

EDD – Enumerate Domain Data

Enumerate Domain Data is designed to be similar to PowerView but in .NET. PowerView is essentially the ultimate domain enumeration tool. This tool was largely put together by viewing implementations of different functionality across a wide range of existing projects and combining them into EDD.

GPPDeception

This script generates a groups.xml file that mimics a real GPP to create a new user on domain-joined computers. Blue teams can use this file as a honeyfile: by monitoring for access to it, they can detect pen testers or malicious actors scanning for GPP files containing usernames and cpasswords for lateral movement.

Just-Metadata

Just-Metadata is a tool that gathers and analyzes metadata about IP addresses. It attempts to find relationships between systems within a large dataset. It is used to gather intelligence information passively about a large number of IP addresses, and attempt to extrapolate relationships that might not otherwise be seen.

ProxmarkWrapper

ProxmarkWrapper is a wrapper around the Proxmark3 client that will send a text alert (and/or email if warranted) if a RFID card is captured.

Wappybird

Wappybird is a multithreaded Wappalyzer CLI tool to find web technologies, with optional CSV output. You can also provide a directory and all scraped data will be saved with a subfolder per host.

WMImplant

WMImplant is a PowerShell-based tool that leverages WMI both to perform actions against targeted machines and as the C2 channel for issuing commands and receiving results. WMImplant requires local administrator permissions on the targeted machine.

WMIOps

WMIOps is a powershell script that uses WMI to perform a variety of actions on hosts, local or remote, within a Windows environment. It’s designed primarily for use on penetration tests or red team engagements.



Tags: Open source, Penetration Testing tools


Jun 29 2023

HEAD OF NETWORK SECURITY OF A BIG CYBER SECURITY COMPANY ARRESTED FOR HACKING INTO A COMPANY

Category: Cyber crime, Hacking, Network security | disc7 @ 12:23 pm

A Russian cybersecurity specialist sought by the United States has been arrested by officials in Kazakhstan, his employer announced on Wednesday. At the same time, authorities in Moscow said that they will also pursue his extradition.

According to a statement released by the company, Nikita Kislitsin, an employee of the Russian cybersecurity firm F.A.C.C.T., was arrested on June 22. The Kazakh authorities are now reviewing an extradition request from the United States of America. Kislitsin was arrested in 2012 and accused of selling the usernames and passwords of American clients of the social networking firm Formspring. The details of the arrest and the motivation for it are not clear; nonetheless, the case against Kislitsin was filed. After Group-IB left Russia earlier this year, the spinoff business established there under the F.A.C.C.T. brand had Kislitsin as head of network security for both companies.

According to a statement released by Group-IB on Telegram, Kislitsin's arrest is not connected to his employment there in any way. F.A.C.C.T. said that the allegations against Kislitsin originated from his time “as a journalist and independent researcher,” but could not disclose any other information. At one point in his career, Kislitsin served as editor-in-chief of the Russian publication “Hacker,” which focuses on information security and hacking.

In a separate proceeding that took place on Wednesday, a Moscow court issued a warrant for Kislitsin’s arrest on allegations that are associated with the unlawful access of confidential computer information. Russia has indicated that it would demand his extradition from Kazakhstan as well.



Jun 14 2023

HACKING WOOCOMMERCE WEBSITES TO GET ORDER DETAILS AND CUSTOMER PERSONAL INFORMATION

Category: Hacking, Web Security | disc7 @ 1:50 am

The ever-changing topography of cyberspace continually introduces new security flaws and vulnerabilities. A major vulnerability, now tracked as CVE-2023-34000 with a CVSS score of 7.5, has been discovered in the WooCommerce Stripe Gateway Plugin, prompting an urgent call to action for site administrators and security specialists alike. This plugin, built by WooCommerce and currently used in over 900,000 active installs, is well known for taking payments directly on online and mobile stores: customers can finish their purchases without ever leaving the online shop, eliminating the need for an externally hosted checkout page.

Nevertheless, an Unauthenticated Insecure Direct Object Reference (IDOR) vulnerability lies behind the plugin’s surface functionality. This vulnerability, in its unpatched condition, gives an unauthenticated user the potential to obtain extremely sensitive Personally Identifiable Information (PII) that is associated with any WooCommerce order. This data may contain sensitive information such as a user’s complete name, email address, and residence address in its exposed form.

Following the breadcrumb trail of this security hole leads to the ‘javascript_params’ function inside the plugin. The code in this method uses the ‘order_id’ variable, taken from the query parameters, to fetch an order object, and then gathers specific information from it, such as complete user details and addresses. There is a noticeable lack of order ownership checks within this method, which substantially increases the risk and allows the ‘order’ object to be returned. Experts found that the ‘payment_scripts’ function can trigger ‘javascript_params’, which then returns a JavaScript object to the front-end via the ‘wp_localize_script’ function. When a user visits the website's homepage, this chain causes the order's personally identifiable information to be disclosed and mirrored into the page source.

On further examination, a second occurrence of the vulnerability was found inside the ‘payment_fields’ method. Like the one in ‘javascript_params’, it stems from the absence of any order ownership verification. The result is the same: the front-end gets access to both the user's billing email address and their complete name.
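The missing check in both ‘javascript_params’ and ‘payment_fields’ is an ownership test on the order fetched from ‘order_id’. Below is an added model in Python, not the plugin's PHP or WooCommerce's actual patch: the order store is constructed, and the hardened version assumes the fix is to return details only to the authenticated user whose id matches the order's customer_id.

```python
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class Order:
    order_id: int
    customer_id: int        # 0 models a guest checkout with no owning account
    billing_name: str
    billing_email: str
    billing_address: str


# Constructed orders standing in for the WooCommerce order store.
ORDERS: Dict[int, Order] = {
    1001: Order(1001, 42, "Ada Lovelace", "ada@example.com", "1 Analytical Way"),
    1002: Order(1002, 0, "Guest Buyer", "guest@example.com", "2 Anonymous Rd"),
}


def _pii(order: Order) -> dict:
    """The fields the page reports being exposed: full name, email and address."""
    return {
        "billing_name": order.billing_name,
        "billing_email": order.billing_email,
        "billing_address": order.billing_address,
    }


def _lookup(query: dict):
    """Fetch the order purely from the order_id query parameter, as the plugin did."""
    try:
        return ORDERS.get(int(query.get("order_id", "")))
    except ValueError:
        return None


def javascript_params_vulnerable(query: dict, current_user_id: int) -> dict:
    """Models the reported flaw: whatever order_id the visitor supplies is resolved and its
    details are returned for wp_localize_script to write into the page source, with no
    check that the requester owns the order or is even logged in (current_user_id unused)."""
    order = _lookup(query)
    return _pii(order) if order else {}


def javascript_params_hardened(query: dict, current_user_id: int) -> dict:
    """Same lookup with an ownership check (assumed hardening): only an authenticated user
    whose id matches the order's customer_id gets the details; anonymous visitors, other
    users and guest orders all get an empty object."""
    order = _lookup(query)
    if order is None or current_user_id == 0 or order.customer_id != current_user_id:
        return {}
    return _pii(order)
```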



Tags: web app security, WOOCOMMERCE WEBSITE

