PowerShell Cheat Sheet
Mastering PowerShell Scripting: Automate and manage your environment using PowerShell
Infosec books | InfoSec tools | InfoSec services
Jan 02 2023
Windows PowerShell Tutorial and Cheat Sheet
Jan 02 2023
3 important changes in how data will be used and treated
Regula has presented their vision of the developments that will shape the industry’s landscape in 2023. Deepfakes, new cyber-hygiene norms, and demand for mature ID verification platforms are among some of the predictions for the next year.
While more and more industries move their customer experiences to digital, online identity verification is becoming an essential part of our life. It lets people cope with all sorts of mission-critical activities online: opening bank accounts, applying for benefits, getting insurance payouts, and even getting medical advice.
Still, the security of the digital IDV process is the number one concern that is forming the industry’s landscape and driving the majority of significant changes.
Javelin Strategy & Research reports that in 2022, identity fraud and scams cost $52 billion and affected over 42 million people in the US alone. The rising number of identity fraud cases, along with fraudsters’ hunger for personal information collected by service providers, will lead to three important changes in how data will be used and treated:
- Even industries that are not so heavily regulated will invest more in the ID verification process, adding extra security layers. There will be more checks with increased complexity and additional steps in the verification process: biometric checks, verifying IDs, SMSs, and passwords, checking recent transactions, etc.
- This will lead to prioritization of comprehensive liveness checks to make sure that submitted documents are valid and really exist. An ID document contains various security features: holograms, elements printed with optical variable inks, and biometric data, to name a few, and an image of it should be taken using methods so that these elements can be captured and verified.
- Regula experts expect to see a push from users for more data protection rules, and for more transparency from online businesses. In the wake of multiple public disclosures of data leaks, users are gradually losing trust in how their data is treated and becoming more cautious about what they share with third parties and how. Addressing this trend, companies will attempt to bring that trust back via increased investments in customer data protection measures.
When it comes to more complex identity fraud cases related to synthetic media like deepfakes, experts expect to see a rise in amateur scam attempts along with the emergence of next-gen biometric-related fraud.
Both trends are developing in parallel and are powered by the same factor: the growing maturity and availability of machine-learning based technologies that make it possible to fake photos, videos, voices, and other characteristics previously considered unique.
Based on the opinion of Regula experts, all these trends will lead to a market that is developed enough to embrace mature end-to-end IDV solutions that are capable of not only verifying documents, but also biometric characteristics, like face, voice, and fingerprints.
“The good news is that minimal security measures are currently enough to repel 95% of possible attacks. The remaining 5% is where the difficulties lie. Now, most deepfakes are created for free, and they’re of such a quality that there’s no immediate danger. But that’s a matter of how many resources fraudsters will be willing to invest. At the moment, when they’re ready to spend significant amounts of money per deepfake, it’s a problem that requires interactive multi-layered protection. So if we picture the trends above as a scale, where convenience for the customer is on one end and security on the other, the balance is shifting to the latter,” notes Ihar Kliashchou, CTO at Regula.
In relation to this year’s trending topics — digital identity and decentralized identity — the company’s experts have their own take on that:
- In the ideal world, a universal digital identity would help eliminate most of the issues with fake identities. However, in reality, creating and gaining broad acceptance and implementation of a secure single source of truth is going to take a significant amount of time. Still, we’re already seeing more different local and even company-based digital identities trying to become a single source of truth on a local level.
- The idea of decentralized identity is going to be held back for some time. With the benefit of being built on blockchains and allowing users to control their digital identifiers, this system still comes with weaknesses. Since no one controls it centrally, no one will be responsible for it in case of any problems. Additionally, there is the matter of trust. Blockchain is strongly associated in people’s minds with crypto, and the FTX crash that has happened in the last couple of months has undermined people’s trust in it.
Infosec books | InfoSec tools | InfoSec services
Jan 02 2023
Google Home Vulnerability: Eavesdropping on Conversations
Matt Kunze, an ethical hacker, reported wiretapping bugs in Google Home Smart Speakers, for which he received a bug bounty worth $107,500.
Google Assistant is currently more popular among smart homeowners than Amazon Alexa and Apple Siri, given its superior intuitiveness and capability to conduct lengthy conversations. However, according to the latest research, a vulnerability in Google Home Smart speakers could allow attackers to control the smart device and eavesdrop on user conversations indoors
Findings Details
The vulnerability was identified by Matt Kunze, a security researcher using the moniker DownrightNifty Matt. The researchers revealed that if exploited, the vulnerability could allow the installation of backdoors and convert Google Home Smart speakers into wiretapping devices. Moreover, Google fixed the issue in April 2021 following responsible disclosure on 8 January 2021 and developing a Proof-of-Concept for the company.
Possible Dangers
The vulnerability could let an adversary present within the device’s wireless proximity install a backdoor account on the device and start sending remote commands, access the microphone feed, and initiate arbitrary HTTP requests. All of this could be possible if the attacker is within the user’s LAN range because making malicious requests exposes the Wi-Fi password of the device and provides the attacker direct access to all devices connected to the network.
What Caused the Issue?
Matt discovered that the problem was caused by the software architecture used in Google Home devices as it let an adversary add a rogue Google user account to their target’s smart home devices.
A threat actor would trick the individual into installing a malicious Android application to make the attack work. It will detect a Google Home automation device connected to the network and stealthily start issuing HTTP requests to link the threat actor’s account to the victim’s device.
In addition, the attacker could stage a Wi-Fi de-authentication attack to disconnect the Google Home device from the network and force the appliance to initiate a setup mode and create an open Wi-Fi network. Subsequently, the attacker can connect to this network and request additional details such as device name, certificate, and cloud_device_id. They could use the information and connect their account to the victim’s device.
According to Matt’s blog post, the attacker could perform a range of functions, such as turning the speaker’s volume down to zero and making calls to any phone number apart from spying on the victim via the microphone. The victim won’t suspect anything because just the device’s LED turns blue when the exploitation happens, and the user would think the firmware is being updated.
Matt successfully connected an unknown user account to a Google Home speaker. He created a backdoor account on the targeted device and obtained unprecedented privileges that let him send remote commands to the Home mini smart speaker, access its microphone feed, etc. Watch the demo shared by the researcher:
It is worth noting that there’s no evidence this security loophole was misused since its detection in 2021. Being an ethical hacker, the researcher notified Google about the issue, and it was patched. Matt received a bug bounty worth $107,500 for detecting this security flaw.
Dec 31 2022
Windows event log analysis
Dec 31 2022
Triple Extortion Ransomware: How to Protect Your Organization?
Ransomware strikes businesses every 11 seconds. The ransomware attack volume is already at record levels, but we’re hearing it’s only getting worse.
As some victims managed to take precautions and refused to pay the ransom, attackers began to add more layers to their attacks.
Double extortion ransomware became a common tactic in 2021. But in 2022, the attackers presented an innovation in their attacking technique called triple extortion.
What is triple extortion ransomware attack, and how to protect your business? Read on to find out.
What is Double extortion ransomware?
It is becoming increasingly common for attackers to use ransomware to extort money from businesses and individuals. This type of cybercrime is called “double extortion.”
Here the criminals encrypt the victim’s data and threaten to release it publicly if a ransom is not paid.
As soon as the attacker exfiltrates the data they wish to leverage, they launch the encryption attack. Next, the attacker threatens to expose the data, possibly selling personal data about customers.
In most cases, even organizations that have paid the ransom have found their data to be leaked.
In September 2022, SunCrypt ransomware used DDoS as an additional attack layer. Attackers threaten to overwhelm the victim’s server with traffic if the ransom is not paid.
Malicious actors like Avaddon and REvil soon started to follow the same tactic. Adding DDoS extortion attacksis expected to continue, given the increased use of IoT devices and the surge in bitcoins.
What is Triple Extortion Ransomware Attack?
In triple extortion, attackers demand payment from the company that was initially compromised and those whose information was stolen.
The first case of triple extortion was observed when Vastaamo, a Finland-based psychotherapy clinic, was breached. Even after the clinic paid the ransom, attackers threatened the therapy patients with releasing their session notes.
Another instance of triple extortion occurred last year when the attacker targeted Apple after their first victim, hardware supplier Quanta, refused to pay.
In this case, criminals proved they could compromise key suppliers if they gained leverage over the initial victim.
Remember, such an assault can cause irreparable damage to the reputation of any company, regardless of the industry.
Leading Causes of Double and Triple Extortions
The main factors that contribute to the increase in double and triple extortions include:
- The proliferation of ransomware-as-a-service (RaaS) platforms has made it easier for attackers to launch these attacks.
- Using cryptocurrency has made it more difficult for law enforcement to trace and track payments.
- The emergence of new ransomware strains specifically designed for double and triple extortions.
Who is vulnerable to Triple extortion ransomware?
Attackers targets companies with inadequate cybersecurity solutions and less mature security teams. They also prey on companies that can pay the ransom demands.
The most obvious targets for ransomware operations are companies and organizations that store client or customer data.
Whenever a corporation owns or controls important data or is connected to one, they risk triple extortion.
How to prevent triple extortion ransomware attacks?
Many ransomware attacks remain undetected and unreported until they reach the domain controller. A detection-centric approach will only warn businesses of attacks that are already underway. The most effective course of action is prevention.
Here are effective ways to prepare against triple extortion attacks:
Keep your network secure
Double extortion ransomware uses the same methods to access your network as traditional ransomware. To prevent initial access to a network, train employees on security awareness, establish password policies and implement multi-factor authentication.
Run vulnerability assessments and patch known vulnerabilities regularly to avoid compromise.
Back up Data
If an attacker infiltrates your network, an offline backup can protect you from the first part of a ransomware attack: data recovery.
Furthermore, encrypt your data to prevent a double extortion attack. It ensures that, if stolen, the ransomware group cannot read it.
Cyber Threat Intelligence
Threat Intelligence is a key pillar in the cyber security stack. Gathering information related to cyber threats provides insights into threat actors and methodologies that could impact your business.
Stay ahead of the latest threat intelligence to detect and analyze threats. Hunt for signs of compromise that lead to a ransomware attack.
Proper DDoS Protection
The DDoS attack is now on the list of services the RaaS operator offers. You should protect your company’s network and server with a DDoS security solution. It tracks the incoming traffic, identifies the malicious requests, and diverts them away from your network and server.
With sophisticated techniques, attackers are dispersing their DDoS attacks. Indusface offers DDoS protection solutions, enabling you to customize mitigation thresholds to isolate and block attacks.
Conclusion
Cybercriminals continue to evolve their attack techniques; you can’t fall behind and expose your assets.
If you are at risk of a triple extortion attack, paying the ransom is not the way out. Focus on preventing and mitigating attacks as they happen.
The best solution would be to prevent the attack from happening in the first place. A comprehensive ransomware resilience plan is essential for preparation, prevention, and response.
Infosec books | InfoSec tools | InfoSec services
Dec 30 2022
Cybercriminals create new methods to evade legacy DDoS defenses
The number of DDoS attacks we see around the globe is on the rise, and that trend is likely to continue throughout 2023, according to Corero. We expect to see attackers deploy ever higher rate request-based or packets-per-second attacks.
“DDoS attacks have historically focused around sending packets of large sizes with the aim to paralyze and disrupt the internet pipeline by exceeding the available bandwidth. Recent request-based attacks, however, are sending smaller size packets, to target higher transaction processing to overwhelm a target. Those with responsibility for network health and internet service uptime should be taking note of this trend,” explained Corero CTO, Ashley Stephenson.
Legal responsibility
Corero also predicts that 2023 will see more breaches being reported, because of the increasing trend for transparency in data protection regulations. Regulations such as the UK Government’s Telecoms Security Bill will compel organizations to disclose more cyber-incidents publicly.
We are also likely to see the legal responsibility for bad corporate behaviour when dealing with breaches being linked to individual executives. Examples such as Joe Sullivan, the former head of security at Uber, who was recently found guilty of hiding a 2016 breach, could set a precedent for linking data protection decisions to the personal legal accountability of senior executives.
Evading DDoS defenses
Attackers will continue to make their mark in 2023 by trying to develop new ways to evade legacy DDoS defenses. We saw Carpet Bomb attacks rearing their head in 2022 by leveraging the aggregate power of multiple small attacks, designed specifically to circumvent legacy detect-and-redirect DDoS protections or neutralize ‘black hole’ sacrifice-the-victim mitigation tactics. This kind of cunning will be on display as DDoS attackers look for new ways of wreaking havoc across the internet and attempt to outsmart existing thinking around DDoS protection.
In 2023, the cyberwarfare that we have witnessed with the conflict in Ukraine will undoubtedly continue. DDoS will continue to be a key weapon in the Ukrainian and other conflicts both to paralyse key services and to drive political propaganda objectives. DDoS attack numbers rose significantly after the Russian invasion in February and DDoS continues to be used as an asymmetric weapon in the ongoing struggle.
Earlier this year, in other incidents related to the conflict, DDoS attackers attempted to disrupt the Eurovision song contest in an attempt to frustrate the victory of the Ukrainian contestants. Similarly, when Elon Musk showed support for Ukraine by providing Starlink satellite broadband services, DDoS attackers tried to take the satellite systems offline and deny Ukraine much needed internet services.
“Throughout 2022 we observed DDoS attacks becoming increasingly sophisticated while at the same time the DDoS attack surface is expanding. With the number of recorded attacks on the rise and significant shifts in attackers’ motives and goals, 2023 will require organizations to ensure they have robust DDoS defense in place,” said Lionel Chmilewsky, CEO at Corero Network Security.
AWS Best Practices for DDoS Resiliency
DDoS Defense Standard Requirements
Infosec books | InfoSec tools | InfoSec services
Dec 30 2022
EarSpy – A New Attack on Android Devices Use Motion Sensors to Steal Sensitive Data
There has been a new eavesdropping attack developed by a team of security experts for Android devices which has been dubbed “EarSpy.” With the help of this attack, attackers can detect the following things:-
- Caller’s gender
- Caller’s identity to various degrees
- Speech content
As part of its exploratory purpose, EarSpy aims to capture motion sensor data readings generated by the reverberations from the ear speaker in mobile devices in order to create new methods of eavesdropping.
Universities Involved in this Project
Cybersecurity researchers from five American universities have undertaken this academic project called EarSpy. These are all the names of the universities that are affiliated with this project:-
- Texas A&M University
- New Jersey Institute of Technology
- Temple University
- University of Dayton
- Rutgers University
Evolution of Smartphone Tech
Smartphone loudspeakers have been explored as a potential target for such attacks. As a result of this, the ear speakers are incapable of generating enough vibration to allow eavesdropping to be executed properly for the side-channel attack.
While the audio quality and vibrations of modern smartphones have improved greatly as a result of more powerful stereo speakers.
Even the tiniest resonance from a speaker can be measured by a modern device because it has more sensitive motion sensors and gyroscopes.
It is remarkable how little data is recorded on the spectrogram from the earphones of a 2016 OnePlus 3T, while a stereo ear speaker on the 2019 OnePlus 7T produces a significant amount of information.
As part of their experiments, the researchers used a OnePlus 7T device as well as a OnePlus 9 device. Both of these devices were used by the researchers to play pre-recorded audio through their ear speakers only using a variety of pre-recorded audio sets.
Although the results of the tests varied according to the dataset and device, they indicated that eavesdropping via ear speakers can be accomplished successfully.
To Check more on Detection Performance & Recommendation:
Infosec books | InfoSec tools | InfoSec services
Dec 29 2022
Active Directory Exploitation Cheat Sheet
https://ethicalhackersacademy.com/blogs/ethical-hackers-academy/active-directory
Active Directory is a Microsoft service run in the Server that predominantly used to manage various permission and resources around the network, also it performs an authenticates and authorizes all users and computers in a Windows domain type networks.
Recent cyber-attacks are frequently targeting the vulnerable active directory services used in enterprise networks where the organization handling the 1000’s of computers in the single point of control called “Domain controller” which is one of the main targeted services by the APT Hackers.
Though exploiting Active directory is a challenging task, It is certain to activate directory exploitation Cheat Sheet which contains common enumeration and attack methods which including the several following phases to make it simple.
- Recon
- Domain Enum
- Local Privilege Escalation
- User Hunting
- Domain Admin Privileges
- Database Hunting
- Data Exfiltration
- Active Directory Exploitation Tools
Reconnaissance
Recon Phase contains various modules, including Port scan that performs the following operations.
PORT SCAN
Import-Module Invoke-Portscan.ps1 <# Invoke-Portscan -Hosts "websrv.domain.local,wsus.domain.local,apps.domain.local" -TopPorts 50 echo websrv.domain.local | Invoke-Portscan -oG test.gnmap -f -ports "80,443,8080" Invoke-Portscan -Hosts 172.16.0.0/24 -T 4 -TopPorts 25 -oA localnet #>
AD MODULE WITHOUT RSAT
The secret to being able to run AD enumeration commands from the AD Powershell module on a system without RSAT installed, is the DLL located in C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.ActiveDirectory.Management on a system that has the RSAT installed.
Set up your AD VM, install RSAT, extract the dll and drop it to the target system used to enumerate the active directory.
Import-Module .\Microsoft.ActiveDirectory.Management.dll Get-Command get-adcom*
Domain Enumeration
DOMAIN
- Get current domain
Get-NetDomain (PowerView) Get-ADDomain (ActiveDirectory Module)
- Get object of another domain
Get-NetDomain -Domain domain.local Get-ADDomain -Identity domain.local
- Get domain SID for the current domain
Get-DomainSID (Get-ADDomain).DomainSID
- Get domain policy for the current domain
Get-DomainPolicy (Get-DomainPolicy)."system access"
- Get domain policy for another domain
(Get-DomainPolicy -domain domain.local)."system access"
- Get domain controllers for the current domain
Get-NetDomainController Get-ADDomainController
- Get domain controllers for another domain
Get-NetDomainController -Domain domain.local Get-ADDomainController -DomainName domain.local -Discover NETUSER More on: To Get a list of users in the current domain Infosec books | InfoSec tools | InfoSec services
Dec 29 2022
INDUSTRIAL CYBERSECURITY USB THREAT REPORT 2022
OT, ICS & SCADA Security
Infosec books | InfoSec tools | InfoSec services
Dec 29 2022
GuLoader Malware Uses Advanced Anti-Analysis Techniques to Evade Detection
An advanced malware downloader named GuLoader has recently been exposed by cybersecurity researchers at CrowdStrike. This advanced downloader has the capability to evade the detection of security software by adopting a variety of techniques.
While analyzing the shellcode of GuLoader, a brand-new anti-analysis technique was discovered by CrowdStrike through which researchers would be able to identify if the malware is operating in an adversarial environment or not. While this is done by examining the whole process memory for any VM-related strings.
Evolution of GuLoader Malware
On infected machines, GuLoader (aka CloudEyE) distributes remote access trojans like AgentTesla, FormBook, Nanocore, NETWIRE, Remcos, and the Parallax RAT using the VBS downloader.
GuLoader has been active since at least 2019 and has undergone several changes in its functionality and delivery methods. Over time, the malware has become more sophisticated, using various methods to evade detection and avoid being removed from infected systems.
It has also been distributed through other channels, such as exploit kits and hacked websites. While it has evolved over time and has been used in various campaigns to deliver a range of malware, including ransomware, banking Trojans, and other types of malware.
A strong anti-analysis technique was also deployed by GuLoader in order to avoid detection in order to remain undetected.
GuLoader exhibits a three-stage process, the VBScript script will first inject the shellcode embedded within it into the memory, then the next stage of the process will execute anti-analysis checks that will protect the code from being analyzed.
Furthermore, the shellcode also incorporates the same anti-analysis methods in order to avoid detection by third parties. It is through this shellcode that an attacker is able to download a final payload of their choice and execute it with the same anti-analysis methods as the original shellcode on the host that is compromised.
Detecting breakpoints used for code analysis is done with anti-debugging and anti-disassembling checks in the malware.
There is also a redundant code injection mechanism that can be used to avoid the use of a NTDLL.dll hook that is commonly used by antivirus programs and EDRs.
In order to detect and flag processes on Windows that may be suspicious, anti-malware engines use NTDLL.dll API hooking.
Anti-Analysis Techniques
Here below we have mentioned the anti-analysis techniques used:-
- Anti-Debugging
- Anti-Virtual Machine
- Process Hollowing
It was pointed out by experts that GuLoader remains a treacherous threat that is constantly evolving as it continues to develop. Furthermore, experts also provided indicators of compromise for the latest version of the downloader, as well as other key information.
Malware Analysis
Infosec books | InfoSec tools | InfoSec services
Dec 28 2022
CISO roles continue to expand beyond technical expertise
The research shows the CISO seat to be relatively industry-agnostic—with 84% of CISOs having a career history of working across multiple sectors—with today’s CISOs expected to bring more breadth of leadership to their role as they move away from being technical experts.
“Today’s CISOs are taking up the mantle of responsibilities that have traditionally fallen solely to the CIO, which is to act as the primary gateway from the tech department into the wider business and the outside marketplace,” said James Larkin, Managing Partner at Marlin Hawk.
“This widening scope requires CISOs to be adept communicators to the board, the broader business, and the marketplace of shareholders and customers. By thriving in the ‘softer’ skill sets of communication, leadership, and strategy, CISOs are now setting the new industry standards of today and, I predict, will be progressing into the board directors of tomorrow.”
Key findings from the report include:
- CISO profiles have changed dramatically—36% of CISOs analyzed with a graduate degree received a higher degree in business administration or management. This is down 10% from last year (46% in 2021). Conversely, there has been an increase to 61% of CISOs receiving a higher degree in STEM subjects (up from 46% in 2021).
- More CISOs are being hired internally—Approximately 62% of global CISOs were hired from another company, indicating a slight increase in the number of CISOs hired internally (38% hired internally compared to 36% in 2021), but a large gap remains in appropriate successors.
- CISO turnover rates have declined—but still remain high with 45% of global CISOs having been in their current role for two years or less, down from 53% in 2021, with 18% turnover year-over-year.
CISO roles continue to become more complex
“I would say that you shouldn’t have the CISO title if you’re not actively defending your organization; you have to be in the trenches,” said Yonesy Núñez, CISO, Jack Henry Associates. “I also feel that over the last eight to 10 years, the CISO role has become a CISO plus role: CISO plus engineering, CISO plus physical security, CISO plus operational resiliency, or CISO plus product security. As a result, we’ve seen multiple CISOs that have done a great job with cybersecurity, fusion centers, SOC, and leadership. This has paved the way for the CISO office to become a business enabler and also a transformational technology function.”
Kevin Brown, a seasoned cybersecurity executive, added, “We have over 100 countries at this point with their own data privacy legislation that makes doing global business in a compliant manner trickier than it used to be. As a result, in most organizations we’re seeing a tighter connection and collaborative spirit between data officers, CISOs, legal teams and marketing. CISOs have to be in the know on all priorities for these different sectors of the business so they can take them into account when writing policies—it’s a more complex job than it ever used to be.”
More organizations are appointing CISOs from within
The research shows a decrease in the percentage of CISOs hired externally (62%) in the last year, compared to 2021 (64%), indicating a potential shift towards an organization’s next CISO already operating inside the business.
Larkin went on to say, “As the importance of information security has grown, boards of directors, regulators, and shareholders have demanded greater controls, better risk management as well as more people and departments focusing on defending a company and its assets. Fortunately, this has had the positive side effect of creating more internal succession for the CISO position—organizations can look for risk and control focused talent in more places than just the office of the CISO.”
“Now candidates are being internally promoted to the role of CISO from IT Risk, Operational Risk Management, IT Audit, Technology Risk & Controls, among others,” Larkin added. “Not only does this give regulators more comfort that there are multiple sets of eyes on this at the leadership level, but it has also vastly increased the size of the succession talent pool and is helping to future-proof the information security industry as a whole.”
CISO turnover rates are still high for several reasons
“The not-so-secret secret is that no CISO can accomplish much in one or two years. Most CISOs change roles because of one of three reasons,” shares Shamoun Siddiqui, CISO at Neiman Marcus Group.
“First, their skillset is not up to par, and they get quietly pushed out by the company. Due to the extremely high demand for security leaders, often individual contributors get elevated to the role of CISO, and they get overwhelmed within months. Second, they have an insurmountable task with unrealistic expectations, and there is a lack of support from their peers and from the leadership of the company. The company may be paying lip service to cybersecurity but may not be forward-thinking enough to make it a priority. Third, they just get enticed by a better offer from somewhere else. There is such a shortage of security professionals and security leaders that companies keep offering increasingly high salaries and benefits to CISOs.”
Another factor leading to high turnover is poor hiring decisions that are a result of a lack of scrutiny and due diligence in the recruiting process. While the immediate need may outweigh a more thorough vetting, fast tracking a CISO hire can have adverse effects if there are other, more suitable candidates out there.
Infosec books | InfoSec tools | InfoSec services
Dec 28 2022
400 Million Twitter Users’ Scraped Info Goes on Sale!
The sample data seen by Hackread.com shows that the sold information also includes records on top celebrities and political figures, such as Democratic Rep. Alexandria Ocasio-Cortez and Bollywood’s Salman Khan.
On December 23, 2022, a threat actor going by the handle “Ryushi” claimed to sell more than 400 million Twitter users’ personal details on BreachedForums, a cybercrime and hacking forum that surfaced as an alternative to the now-seized Raidforums.
As seen by Hackread.com, the sample data attached to the post contains private email addresses, usernames, follower counts, creation dates, and, in certain cases, the user’s phone numbers.
The sample data also contains a variety of well-known user accounts including New York Democratic Rep. Alexandria Ocasio Cortez, Ethereum cryptocurrency founder Buterin, Indian actor Salman Khan and cybersecurity reporter Brian Krebs.
It is worth mentioning that the latest data leak came just one month after a hacker leaked the contact and personal details of over 5.3 million Twitter users online. Both the earlier and latest incidents are now being investigated by Irish authorities.
The threat actor stated in the post that the data had been “scraped via a vulnerability” but did not specify any further details.
Further, they openly advised the CEO of the social media giant, Elon Musk, that he should buy this data directly from the hacker instead of “paying $276 million USD in GDPR breach fines like Facebook did” but does not specify a price at which the data is being sold.
Offering to conduct the “deal” through a middleman, the threat actor states, “After that, I will remove this thread and will not sell this info again. And data won’t be sold to anyone else, which will stop a lot of celebrities and politicians from Phishing, Crypto scams, Sim swapping, Doxxing, and other things that will make your users lose trust in you as a company and thus stunt the current growth and hype.”
Researchers who have seen the sample data believe that this alleged data leak is the result of an API flaw which allowed the threat actor to search any email addresses or phone numbers and return a Twitter profile.
This attack followed only months after Twitter entered into a consent order with the US Federal Trade Commission binding it to maintain a privacy and information security program for the next two decades.
The agreement ended a federal investigation into Twitter’s use of phone numbers and email addresses for advertising purposes when they were collected to be used for multi-factor authentication. Twitter also paid a $150 million civil penalty.
Therefore, if this data breach is verified, the impact on Twitter would be drastic both financially and socially. At the time of writing, the data was still up for grabs.
Dec 27 2022
Critical “10-out-of-10” Linux kernel SMB hole – should you worry?
Just before the Christmas weekend – in fact, at about the same time that beleaguered password management service LastPass was admitting that, yes, your password vaults were stolen by criminals after all – we noticed a serious-sounding Linux kernel vulnerability that hit the news.
The alerts came from Trend Micro’s Zero Day Initiative (ZDI), probably best known for buying up zero-day security bugs via the popular Pwn2Own competitions, where bug-bounty hunting teams compete live on stage for potentially large cash prizes.
In return for sponsoring the prize money, the vendors of products ranging from operating systems and browsers to networked printers and internet routers hope to buy up brand new security flaws, so they can fix the holes responsibly. (To collect their prizes, participants have to provide a proper write-up, and agree not to share any information about the flaw until the vendor has had a fair chance to fix it.)
But ZDI doesn’t just deal in competitive bug hunting in its twice-a-year contests, so it also regularly puts out vulnerability notices for zero-days that were disclosed in more conventional ways, like this one, entitled Linux Kernel ksmbd Use-After-Free Remote Code Execution Vulnerability.
Serving Windows computers via Linux
SMB is short for server message block, and it’s the protocol that underpins Windows networking, so almost any Linux server that provides network services to Windows computers will be running software to support SMB.
As you can therefore imagine, SMB-related security bugs, especially ones that can be exploited over the network without the attacker needing to logon first, as is the case here, are potentially serious issues for most large corporate networks.
SMB support is also generally needed in home and small-business NAS (network attached storage) devices, which generally run Linux internally, and provide easy-to-use, plug-it-in-and-go file server features for small networks.
No need to learn Linux yourself, or to set up a full-blown server, or to learn how to configure Linux networking – just plug-and-play with the NAS device, which has SMB support built-in and ready to go for you.
Why the holiday timing?
In this case, the bug wasn’t deliberately disclosed on the night before the night before the night before Christmas in a not-so-ho-ho-ho bid to spoil your festive season by freaking you out.
And it wasn’t reported just before the weekend in a bid to bury bad PR by hoping you’d be vacation-minded enough either to miss the story completely or to shrug it off until the New Year.
The good news is that, as usually happens under the umbrella of responsible disclosure, the date for ZDI’s report was agreeed in advance, presumably when the flaw was disclosed, thus giving the Linux kernel team sufficient time to fix the problem properly, while nevertheless not allowing them to put the issue off indefinitely.
In this case, the bug report is listed as having happened on 2022-07-26, and what ZDI refers to as the “co-ordinated public release of [the] advisory” was set for 2022-12-22, which turns out to be exactly 150 days, if you count old-school style and include the full day at each end.
So, even though this bug has had some dramatic coverage over the holiday weekend, given that it was a remote code execution (RCE) hole in the Linux kernel itself, and came with a so-called CVSS score of 10/10, considered Critical…
…it was patched in the Linux source code within just two days of disclosure, and the fix was accepted and packaged into the official Linux kernel source code in time for the release of Linux 5.15.61, back on 2022-08-17, just 23 days after the report first came in.
In other words, if you’ve updated your Linux kernel any time since then, you’re already safe, no matter what kernel compilation settings you or your distro used. (This includes 24 subsequent updates to the kernel 5.15 series, now at 5.15.85, along with any versions of kernel 6.0, kernel 6.1 and the still-in-candidate-stage kernel 6.2, all of which had their first releases after August 2022.)
Probably not the SMB software you suspect
Also, although it sounds at first glance as though this bug will inevitably affect any Linux server or device supporting Windows networking, that’s not true either.
Most sysadmins, and in our experience most NAS programmers, provide Windows SMB supprt via a long-running and well-respected open source toolkit called Samba, where the name Samba is simply the closest pronounceable word that the original developer, open-source luminary Andrew “Tridge” Tridgell OAM, could find to represent the abbreviation SMB.
Anyone who has used Samba will know that the software runs as a regular application, in what’s known as user space, in other words, without needing its own code running inside the kernel, where even modest bugs could have dangerous repercussions.
Indeed, the main Samba program file is called smbd, where the trailing -D is a typical Unixism standing for daemon, or background process – what Windows admins would call a service.
This bug, as you can see from the ZDI report, is in a kernel module called ksmbd, where the -D denotes a background service, the -SMB- denotes Windows networking support, and the K- means runs in kernel space, i.e. right inside the kernel itself.
At this point, you’re probably asking yourself, “Why bury the complexity of supporting SMB right into the kernel, given that we’ve already got a reliable and well-respected user-space product in the form of Samba, and given that the risks are much greater?”
Why, indeed?
As so often, there seem to be two main reasons: [A] because we can! and [B] because performance.
By pushing what are typically high-level software features down into the kernel, you can often improve performance, though you almost always pay the price of a corresponding, and possibly considerable, decrease in safety and security.
What to do?
- Check if you have a Linux kernel based on any release on or after 5.15.61 (dated 2022-08-17). If so, this bug is fixed in the source code. No matter what kernel compilation options you (or your distro maker) choose, the bug can’t and won’t exist on your system.
- Check if your Linux kernel build even includes
ksmbd. Most popular distros neither compile it in, nor build it as a module, so you can’t load it or activate it, even by mistake. - Check with your vendor if you are using an applicance such as a NAS box or other device that supports connections from Windows computers. Chances are that your NAS device won’t be using
ksmbd, even if it still has a kernel version that is vulnerable in theory. - If you’re using ksmbd out of choice, consider re-evaluating your risk. Make sure you measure the true increase in performance you’ve achieved, and decide whether the payoff is really worth it.
COMMANDS YOU CAN USE TO CHECK YOUR EXPOSURE
Any Linux from 5.15.61 on, or any 6.x, is already patched. To check your Linux version: $ uname -o -r 6.1.1 GNU/Linux
To see if this kernel feature is compiled in, you can dump the compile-time configuration of the running kernel: $ zcat /proc/config.gz | grep SMB_SERVER # CONFIG_SMB_SERVER is not set If this compile-time configuration setting is unset, or set to "n" for no, the feature wasn't built at all. If it says "y" for yes, then the kernel SMB server is compiled right into your kernel, so ensure you have a patched version. If it says "m" for module, then the kernel build probably includes a run-time module that can be loaded on demand.
To see if your kernel has a loadable module available: $ /sbin/modprobe --show ksmbd modprobe: FATAL: Module ksmbd not found in directory /lib/modules/6.1.1 Note that "--show" means "do not actually do it, just show if loading it would actually work or not".
To see if your system has the ksmbd module already active: $ lsmod | grep ksmbd
If you see no output, the module wasn’t matched in the list.
To stop the module loading in case it ever shows up, add a file with a name such as ksmbd.conf to the directory /lib/modules.d or /etc/modules.d with this line in it: blacklist ksmbd
Infosec books | InfoSec tools | InfoSec services
Dec 27 2022
Hackers Deploy New Information Stealer Malware onto Python Developers’ Machines
Researchers at Phylum recently discovered that hackers had been injecting information stealer malware into Python developers’ machines in order to steal their information.
As they dug deeper, they discovered a new stealer variant with many different names. While apart from this, the source code of the program reveals that it is a straightforward copy of the old Stealer, W4SP.
Attack Chain to Deploy Malware
A stealer in this case dropped directly into the main.py file rather than obfuscating the code or being obvious about the attempts to escape detection.
Only one instance has been found in which multiple stages were used in order to obfuscate and obscure the attacker’s intentions. In this case, the attacker used a package called chazz to pull obfuscated code from the klgrth.io website, using a simple first stage to get it.
There is a great deal of similarity between the first stage of the stealer code and the injector code. While this has been obfuscated with BlankOBF, it’s an obfuscation program. As soon as it is de-obfuscated, it reveals the Leaf $tealer.
Malicious Packages
Listed below are packages that feature similar IOC and apart from this, what we can expect is this list will grow over the coming months and years:-
- modulesecurity – “Celestial Stealer”
- informmodule – “Leaf $tealer”
- chazz – first stage that pull from https://www.klgrth.io/paste/j2yvv/raw which contains the obfuscated code shown above
- randomtime – “ANGEL stealer”
- proxygeneratorbil – “@skid STEALER”
- easycordey – “@skid Stealer”
- easycordeyy – “@skid Stealer”
- tomproxies – “@skid STEALER”
- sys-ej – “Hyperion Obfuscated code”
- infosys – “@734 Stealer”
- sysuptoer – “BulkFA Stealer”
- nowsys – “ANGEL Stealer”
- upamonkws – “PURE Stealer”
- captchaboy – “@skid STEALER”
- proxybooster – “Fade Stealer”
W4SP Copies
W4SP’s original publication in loTus’s repository has been disabled by GitHub staff due to the violation of the T&C of GitHub, and as a result, it will be not found anymore.
It has been Phylum’s mission for some time to monitor the actions of these threat actors in an attempt to finally bring down their infrastructure, due to their persistent, pervasive, and egregious nature.
It was discovered that several copies of W4SP-Stealer started flashing under different names as soon as the repo for W4SP-Stealer was removed. This new stealer is even being distributed through PyPI by threat actors already, which is a sign that it is becoming a real threat.
It has been discovered that W4SP has been hosted in two GitHub repositories under two different aliases, each with its own purpose.
- Satan Stealer
- angel-stealer
There is a copy of the original source here, as well as the earlier versions of W4SP, hosted in an account titled aceeontop.
W4SP Stealer will likely remain part of the scene for quite some time to come, as will their imitations and other variants.
There will be a constant increase in their number of attempts, their persistence, and their sophistication as time passes. However, Phylum ensured that it would mitigate and block supply chain attacks since its platform is capable enough in doing so.
Dec 26 2022
Cybersecurity in 2022: It’s Not Getting Easier
Cybersecurity in 2022: It’s Not Getting Easier
As we wrap up the year, it always makes sense to take a look back and see what worked and what didn’t; what we can do better and what we have to accept. When 2021 ended, it was pretty bad. We were still trying to navigate COVID-19 and plan for a return to in-person work. But the markets were decent, the investment dollars kept flowing and while effective cybersecurity was hard, there was some optimism that it would get better.
Well, it didn’t. In hindsight, it should have been obvious that a recession was coming. Companies of all shapes and sizes tightened their belts, expecting security to do more with less. Yeah, you’ve heard that story before. Of course, you probably couldn’t have projected Russia’s attack on Ukraine nor planned for the cybergyrations necessary to determine if you were within the blast radius of the attack(s).
Data and workloads continued to move to the cloud unabated, putting pressure on data governance policies and visibility efforts to track the data. Many organizations now expect to run their environments (both development and infrastructure) using CI/CD pipelines, and they haven’t been proactive in understanding how to protect them.
So, yeah, things got harder for security professionals in 2022. But it wasn’t all bad. Security analytics continued to advance, improving detection. Organizations started making progress on deploying zero-trust architectures for both their perimeters and identity environments. Security budgets weren’t impacted until late in the year, as security tends to be one of the last expenditures to be impacted in a slowdown. Ultimately a couple of realities set in this year and for 2023 to improve, we’re going to have to address them.
- No juice: I was involved in a number of cloud and container security projects with enterprises this year. In each one, the security team had difficulty getting the dev teams and business influencers to care. To be clear, they said they cared, but their actions spoke louder. They don’t care about security until something bad happens. Then, they are happy to throw security under the bus. The mandate for change will need to come from the executive suite. That’s the only way to align the incentives toward protecting data.
- Identities run amok: As workloads and data move to the cloud, implementing an effective, enterprise-wide identity and access management (IAM) strategy is the critical arbiter of success. It’s also hard to retrofit an effective tenancy and IAM structure once workloads are deployed, so there isn’t a lot of time to waste to get your arms around IAM.
- AppSec still lags: As exciting as it is to think about having developers build secure code, they are neither trained nor incentivized to do so. Thus, they don’t. Yes, you can (and must) build security tests into the pipelines. You should push (hard!) to break builds that have critical security errors. But developers have been (and will continue to) push back on being responsible for application security, so we’ll need to find a middle ground.
- Skills upgrade: Sadly, with many companies reducing headcount, thousands of qualified security folks are looking for work. Yes, many of them get snapped up quickly, but not all. Now would be a great time to invest in your security skills, but too many organizations responded to the slowdown by freezing hiring and don’t use downturns as an opportunity to upgrade their personnel. The savviest managers buy when everyone else is selling; many organizations were selling in 2022 (and will continue to do so in 2023). If you can, add hard-to-find skills (like cloud security and AppSec) now.
- Regulatory uncertainty: Between the ongoing privacy litigation in Europe and the new software bill of materials (SBOM) mandate in the U.S., it remains hard to know what “compliance” really means and what it will take to pass assessments. Of course, an effective security program should address most compliance requirements, but there will continue to be uncertainty, so expect some unplanned work as we get clarity on the expectations.
I could go on, but that’s a pretty good overview. I alluded a bit to what’s coming in 2023, but we’ll dig into that in greater depth during our Predict 2023 virtual conference on January 12, 2023. You can register here. Have a happy and safe holiday season, and we’ll see you at Predict in a few weeks.
Cybersecurity Labor Shortage Grows Worse in U.S. And Worldwide: Report
Global Cyber Security Labor Shortage and International Business Risk
Infosec books | InfoSec tools | InfoSec services
Dec 26 2022
GuLoader implements new evasion techniques
Cybersecurity researchers exposed new evasion techniques adopted by an advanced malware downloader called GuLoader.
CrowdStrike researchers d a detailed multiple evasion techniques implemented by an advanced malware downloader called GuLoader (aka CloudEyE).
GuLoader uses a polymorphic shellcode loader to avoid traditional security solutions, the experts mapped all embedded DJB2 hash values for every API used by the malicious code.
The malware uses an anti-analysis technique to avoid execution in virtualized environments.
“In dissecting GuLoader’s shellcode, CrowdStrike revealed a new anti-analysis technique meant to detect if the malware is running in a hostile environment by scanning the entire process memory for any Virtual Machine (VM)-related strings.” reads the analysis published by CrowdStrike.
“New redundant code injection mechanism means to ensure code execution by using inline assembly to bypass user mode hooks from security solutions.”
GuLoader first appeared on the threat landscape in 2019, it was used by threat actors to download multiple remote access trojans (RATs) such as AgentTesla, FormBook, Nanocore, NETWIRE and the Parallax RAT.
Early versions of GuLoader were distributed via spam messages using attachments containing the malicious executable. Recent variants were delivered via a Visual Basic Script (VBS) file.
“GuLoader also started employing advanced anti-analysis techniques to evade detection, such as anti-debug, anti-sandbox, anti-VM and anti-detection to make analysis difficult.” reads the analysis.
A recent GuLoader variant analyzed by the experts exhibits a multistage deployment:
- The first stage uses a VBS dropper file to drop a second-stage packed payload into a registry key. It then uses a PowerShell script to execute and unpack the second stage payload from the registry key within memory.
- The second stage payload performs all anti-analysis routines (described below), creates a Windows process (e.g., an ieinstal.exe) and injects the same shellcode into the new process.
- The third stage reimplements all the anti-analysis techniques, downloads the final payload from a remote server and executes it on the victim’s machine.
The malware implements anti-debugging and anti-disassembling checks to detect the presence of breakpoints used for the analysis of code.
The researchers also noticed the use of a redundant code injection mechanism to avoid NTDLL.dll hooks used by antivirus and EDR solutions to detect malicious activities.
“It then maps that section via NtMapViewofSection on the suspended process.” continues the analysis. “If this injection technique fails, it uses the following redundancy method:
a. NtAllocateVirtualMemory by invoking the inline assembly instructions (without calling ntdll.dll, to bypass AV/EDR User Mode hooks) of that function, using the following assembly stub:
mov eax,18
mov edx,ntdll.77178850
call edx
ret 18 It uses NtWriteProcessMemory to copy the same shellcode onto that virtually allocated address. It uses NtWriteProcessMemory to copy the same shellcode onto that virtually allocated address.”
Experts pointed out that GuLoader remains a dangerous threat that constantly evolves, they also shared Indicators of Compromise for the latest variant of the downloader.
Infosec books | InfoSec tools | InfoSec services
Dec 26 2022
Cybersecurity Awareness Training in Companies: Why You Can’t Do Without It
Cybersecurity awareness is no longer a “nice to have”; in fact, it has become a fundamental part of your corporate training process across all levels and aspects of your business.
Would you leave your business unlocked and open to all comers? Of course not – but if you don’t have solid cybersecurity in place, that’s effectively what you’re doing! As the business world becomes a digital space, security has also become a digital matter.
One cybercriminal can wreak havoc if unchecked, and our potential flashpoints for vulnerabilities are growing daily. Nor is this something you can achieve alone – a great IT security team is one thing, but if one of your other workers leaves the metaphorical door unlocked, you’ll still be in trouble.
With top-down training boosted with the power of video, however, security can become a simple matter.
A Growing Risk
The average cost-per-company of a data breach is over $4 million. Cybercrime currently costs companies globally $8.4 trillion a year- and that is expected to soar to $23 trillion (or more) by 2027. Fortunately, there’s a lot you can do to mitigate your risk and keep your company out of those stats.
Humans are and will remain, the weakest link in any business’s digital security. Just as a thoughtless individual can leave a door unlocked and bypass your multi-million dollar security system in a heartbeat, one wrong move from an employee and even the best cybersecurity comes tumbling down.
It’s critical that all people in your organization are aware of cybersecurity risks, know the best practices for data and network security, and understand the consequences of laziness leading to cybersecurity failures.
Cybersecurity Awareness Training
It’s a simple idea – using a technical approach to proactively educate employees, ensuring awareness of data privacy, identity, and digital assets permeates every level of your organization. This will immensely reduce your risk of cybersecurity breaches. In turn, that means fewer financial losses from this type of crime, making it a solid return on investment.
And being cybersecurity-aware will have knock-on positives in your reputation with consumers, making you seem more trustworthy and desirable. Prevention of security issues means no loss of brand reputation, too.
The Learning Gap
Of course, your training is only as good as its retention rate. Cybersecurity training for employees can’t be some dull, dusty lecture or 500-page word document that’s unengaging, boring, and packed with jargon, or you may as well not waste your time. It’s critical that staff feel both empowered with their new skills, and that it comes over as simple to understand and easy to implement.
We all know that video is one of the most powerful storytelling formats out there. From the power of video shorts and reels for marketing to the way a great TV program can unite us, it’s a format that delivers punchy messages in an engaging way.
Unlike text, where aspects like reading level can play a role, everyone can engage with video. Plus you have the benefit of being able to condense a lot of information into short, pithy, and easy-to-retain factoids. You can power that up further with the power of AI, making videos simple to create, engaging, and easy to update and adapt without a huge financial outlay.
Using a simple text-to-speech format, you can create compelling, entertaining, and educational content that will help keep every member of your organization aware of cybersecurity risks and qualified to prevent them from occurring.
Cybersecurity awareness is no longer a ‘nice to have’. It’s an absolutely essential part of your corporate training process, across all levels and aspects of your business. With the power of simple-to-use AI video on your side, creating engaging learning programs to keep staff informed and ahead of cyber criminals is a simple matter, so don’t delay in addressing this critical aspect of business security today.
Cybersecurity Fundamentals
Learn cybersecurity fundamentals, including how to detect threats, protect systems and networks, and anticipate potential cyber attacks.
Cybersecurity for Remote Workers Staff Awareness E-learning Course
Security Awareness Program Builder
Infosec books | InfoSec tools | InfoSec services
Dec 23 2022
WEB APPLICATION PENTESTING CHECKLIST
Web Pentesting Checklist Cyber Security News
PenTesting Titles
Pentesting Training
Penetration Testing – Exploitation
Penetration Testing – Post Exploitation
Infosec books | InfoSec tools | InfoSec services
Dec 23 2022
Cloud Security Best Practices
Cloud Security Titles
Cloud Security Training
MicroMasters® Program in Cloud Computing
Full Stack Cloud Application Development
AWS – Getting Started with Cloud Security
Infosec books | InfoSec tools | InfoSec services
Dec 23 2022
KmsdBot Botnet Leverages SSH to Compromise Systems and to Launch DDoS Attacks
KmsdBot Botnet Leverages SSH to Compromise Systems and to Launch DDoS Attacks
Researchers from Akamai have continued to study the cryptomining botnet KmsdBot and have looked at its attack flow. It is believed that KmsdBot is a distributed denial of service (DDoS) for hire due to the wide range of companies and regions that were attacked.
“We have continued to analyze and play around with KmsdBot, including modifying the binary and pointing it at our own command and control (C2), which led to us watching the threat actor crash the botnet”, Akamai researchers
Among the major targets were luxury brands and security companies, as well as the game modifications Grand Theft Auto V and Red Dead Redemption 2 and FiveM and RedM.
Asia, North America, and Europe represent the majority of the victims, according to observed IPs and domains.
Launch DDoS Attacks
While analyzing the attack traffic, the first noteworthy attack is referred to as “bigdata” and makes 1 Mb POST requests to the designated port. The payload looks to be garbage even though the Content-Type header says it is URL-encoded.
Researchers say this attack attempts to increase the amount of bandwidth needed to process each request by sending a lot of data in the body of each request. Hence, this is one of the most often used functionalities for this botnet and is a fairly basic feature that almost all DDoS campaigns use.
Also, the TCP protocol’s three-way handshake can be abused by the attacker by utilizing an SYN flood to create half-open connections on several ports.
This makes it difficult for the target server to handle the volume of traffic and makes it much more difficult for it to discriminate between malicious and legitimate connection requests.
Instead of concentrating on the overall effect of the size of the single packet, there were also some standard HTTP(s) POST and traffic instructions that blend in with standard traffic by closely resembling a normal packet in both size and format.
Here the basic goal of HTTP-based attacks is to send out a lot of packets, which makes it difficult to identify them from legitimate traffic and block them while defending against an attack.
“After observing this traffic for some time, we can see that after hitting a certain specified packet size, it will start back at a smaller size and grow again, repeating this process over and over”, explains researchers.
Targets Gaming, Luxury Brands, and Even Security Companies
The platforms FiveM and RedM, which are used to host modified “Grand Theft Auto V” and “Red Dead Redemption 2” servers, let server owners make new rules and add new elements to the server that wasn’t in the standalone game.
“A large concentration of targets was located in Asia, North America, and Europe based on the observed IPs and domains”, Akamai
KmsdBot, was intriguing for a few notable reasons: It was written in Go, it had cryptomining functionality, and it had seemingly erratic targets.
Akamai researchers noticed that KmsdBot follows some of the general tendencies, especially in terms of the language used. Malicious code is rapidly being created in a variety of languages, including Go and even compiled Python.
Infosec books | InfoSec tools | InfoSec services
« Previous Page — Next Page »
