Researchers discovered two such apps on Google Play. When launched, they load malicious websites through Chrome, which then perform several redirects to pages of various affiliate programs.
Each of the visited pages prompts the user to allow notifications and tells the user this is for verification purposes; in this way, the attackers increase the number of successful subscriptions.
Israeli forensics firm and well-known law enforcement contractor Cellebrite released a public statement that it can hack any iOS and high-end Android device for law enforcement agencies.
Cellebrite Mobile Synchronization is an Israeli company that manufactures data extraction, transfer and analysis devices for cellular phones and mobile devices.
Last year Cellebrite claimed that its engineers had the ability to unlock any iPhone, including the much-anticipated iPhone X, in 2018.
The Universal Forensic Extraction Device (UFED) Premium, a new premium product Cellebrite has released to the market, can unlock and extract data from iOS and Android devices. Cellebrite claims the UFED could extract data from nearly 8,200 device models as of June 2012, including smartphones, PDA devices, cell phones, GPS devices, and tablet computers. The UFED can extract, decrypt, parse and analyze phonebook contacts, all types of multimedia content, SMS and MMS messages, call logs, and electronic serial numbers (ESN).
Shockingly, they claim to unlock iPhones including those running iOS 12.3, released just a month ago, and the exploit they use to break into the phone is completely unknown.
Cellebrite made a public statement on Twitter saying, “Cellebrite is proud to introduce #UFED Premium! An exclusive solution for law enforcement to unlock and extract data from all iOS and high-end Android devices.” The description of the premium tool on Cellebrite's website says, “Bypass or determine locks and perform a full file system extraction on any iOS device, or a physical extraction or full file system (File-Based Encryption) extraction on many high-end Android devices, to get much more data than what is possible through logical extractions and other conventional means.” The new premium tool lets law enforcement agencies gain access to third-party app data, chat conversations, downloaded emails and email attachments, deleted content, and more.
The campaign targets all regions; the most heavily targeted countries are China and India. It targets a wide range of industries, including education, communication and media, banking, manufacturing, and technology.
Bypassing and Disabling SSL Pinning on Android to Perform Man-in-the-Middle Attack
Certificate pinning is an extra layer of security that protects against man-in-the-middle attacks. It ensures that only designated Certificate Authorities (CAs) can sign certificates for your domain, rather than any CA in the browser's trust store.
Application developers implement certificate pinning to hinder reverse engineering; it lets developers specify which certificate the application is allowed to trust, instead of relying on the device's certificate store.
Academic researchers Andrew Kwong and Daniel Genkin from the University of Michigan, Daniel Gruss from Graz University and Yuval Yarom from the University of Adelaide and Data61 disclosed the attack method.
PenTest+ training in action, in my lab environment. Exploited an SMB vulnerability with MS17_010_eternalblue on a WinSrv 2008 R2 and executed a NET USER /add command to create the user UGotHacked with the password BananasIsGood! Captured the traffic in Wireshark for a deep-dive analysis. 👨💻
13 June, 2019
The FIN8 hacker group is back with a new, highly sophisticated variant of the ShellTea malware and has carried out attacks against the hotel and entertainment industry. This would be the first attack by the FIN8 group in 2019, and it is believed that the malware was deployed as a result of a phishing attack.
Researchers from Morphisec Labs observed a new campaign between March and May 2019 that “attempted to infiltrate several machines within the network of a customer in the hotel-entertainment industry.”
Messaging Service Telegram Hit by a Powerful DDoS Attack
The secure messaging app Telegram was hit by a powerful DDoS attack, and users in the United States and other countries may experience connection issues with Telegram.
Telegram is a free instant messaging app like WhatsApp, well known for its encryption, privacy, and self-destructing private messages. With Telegram, you can access your messages across multiple devices. “A DDoS is a ‘Distributed Denial of Service attack’: your servers get GADZILLIONS of garbage requests which stop them from processing legitimate requests. Imagine that an army of lemmings just jumped the queue at McDonald’s in front of you – and each is ordering a whopper.” “The server is busy telling the whopper lemmings they came to the wrong place – but there are so many of them that the server can’t even see you to try and take your order,” Telegram tweeted. “To generate these garbage requests, bad guys use ‘botnets’ made up of computers of unsuspecting users which were infected with malware at some point in the past. This makes a DDoS similar to the zombie apocalypse: one of the whopper lemmings just might be your grandpa.”
Telegram confirms that user data is safe: “There’s a bright side: All of these lemmings are there just to overload the servers with extra work – they can’t take away your BigMac and coke. Your data is safe.” A DDoS is a type of attack in which hackers use multiple compromised systems, often infected with a Trojan, to target a single system, producing a denial of service (DoS).
Later, Telegram confirmed that everything had stabilized: “for the moment, things seem to have stabilized.”
#Careers at Porsche Informatik: Peter Klinger has headed the ICP Security & Network Services department since 2013. 🔒🌐 With his teams he looks after all network connections of Porsche Holding, including the link to the Volkswagen world. IT security is his top priority, not only in Austria but internationally. 🌍 Peter started at Porsche Austria in 2000. There he worked for 4 years as IT coordinator for Eastern Europe, setting up and expanding new importer sites in new countries. 📈 In 2004 he moved to Porsche Informatik (initially in the server area) to have more time for his family. 👨👩👧👦 “There is simply no better employer than Porsche Informatik,” Peter enthuses. 😊 In future, his department will be the company's central security hub. So if security vulnerabilities show up anywhere in the Porsche world, Peter's teams will fix them. 🚓 🚒 Police and fire brigade in one, so to speak! 😄
Microsoft Security Updates Fix 88 Vulnerabilities Including 4 SandboxEscaper-Leaked Zero-days
Microsoft released a new security update for June 2016 under Patch Tuesday that fixes 88 vulnerabilities affecting different Microsoft products.
In this June update, Microsoft fixed vulnerabilities that affected the following software:
⚪Microsoft Windows
⚪Microsoft Office and Microsoft Office Services and Web Apps
⚪Skype for Business and Microsoft Lync
⚪Microsoft Exchange Server
Microsoft also fixed 4 previously unknown zero-day vulnerabilities that were leaked by SandboxEscaper, but none of them has active exploits or has been incorporated into malware.
CVE-2019-0973 – Windows Installer Elevation of Privilege Vulnerability
CVE-2019-1053 – Windows Shell Elevation of Privilege Vulnerability
CVE-2019-1064 – Windows Elevation of Privilege Vulnerability
CVE-2019-1069 – Task Scheduler Elevation of Privilege Vulnerability
SandboxEscaper posted all the vulnerability details with PoC exploits on her GitHub over a month ago; at this moment, four of the five zero-day bugs are fixed and the remaining one isn't ready yet since it was leaked very recently.
Of the total of 88 vulnerabilities patched by Microsoft this month, 21 are rated critical, 66 important and one moderate.
Microsoft also released an advisory for third-party vulnerability fixes, including Adobe Flash Player, Microsoft Devices and Servicing Stack Updates.
The advisory includes the Bluetooth Low Energy vulnerability that was disclosed in May. “Due to a misconfiguration in the Bluetooth pairing protocols, it is possible for an attacker who is physically close to a user at the moment he/she uses the security key to communicate with the security key.” Google and Feitian have issued advisories for customers of these keys, and Google assigned CVE-2019-2102 to this vulnerability.
Two moderate vulnerabilities, CVE-2019-1040 and CVE-2019-1019, were patched by Microsoft; they allowed attackers to remotely execute malicious code on any Windows machine or authenticate to any web server.
12 June, 2019
Adobe Security Update fixes Critical Vulnerabilities in Flash Player, Campaign and ColdFusion
Adobe released security updates that fix code execution vulnerabilities in Flash Player, Campaign and ColdFusion. The security updates are for Windows, macOS, Linux, and Chrome OS.
Adobe Flash Player
The security update addresses a critical vulnerability in Adobe Flash Player that allows an attacker to execute arbitrary code on the vulnerable machine in the context of the current user. The Flash Player update is for Windows, macOS, Linux and Chrome OS.
The vulnerability is tracked as CVE-2019-7845.
Affected versions:
Adobe Flash Player Desktop Runtime 22.214.171.124 and earlier
Adobe Flash Player for Google Chrome 126.96.36.199 and earlier
Adobe Flash Player for Microsoft Edge and Internet Explorer 11 188.8.131.52 and earlier
Updated versions:
Adobe Flash Player Desktop Runtime 184.108.40.206
Adobe Flash Player for Google Chrome 220.127.116.11
Adobe Flash Player for Microsoft Edge and Internet Explorer 11 18.104.22.168
Adobe Flash Player Desktop Runtime 22.214.171.124
Adobe Campaign Classic
Adobe addressed seven vulnerabilities in Campaign Classic; successful exploitation results in arbitrary code execution.
While phishing and spear phishing attacks are similar, there are key differences to be aware of. A phishing campaign is very broad and automated; think 'spray and pray'. It doesn't take a lot of skill to execute a massive phishing campaign. Most phishing attempts are after things like credit card data, usernames and passwords, and are usually one-and-done attacks.
On the other hand, spear phishing is highly targeted, going after a specific employee, company, or individuals within that company. This approach requires advanced hacking techniques and a great amount of research on the targets. Spear phishers are after more valuable data like confidential information, business secrets, and the like. That is why a more targeted approach is required: they find out who has the information they seek and go after that particular person. A spear phishing email is really just the beginning of the attack, as the bad guys attempt to gain access to the larger network.
Protect Yourself from Phishing attempts, Malware & ads Trackers Using Surfshark VPN’s CleanWeb
Nowadays all our activities depend heavily on the Internet, including shopping, financial services, communication, entertainment and a number of other services. The Internet enables many capabilities; on the other hand, it poses certain dangers.
According to recent reports, there is a massive increase in various threats and in the sophistication of the methods used by attackers. Anyone can fall victim to cyber attacks, from tech giants to individuals.
Using a VPN can enhance your overall Internet security by creating a private connection between your device and the VPN server; from the server, the traffic is routed anonymously.
Before choosing a VPN, several factors should be considered, including speed, security, server location, and cost. Premium VPN services such as Surfshark provide the CleanWeb feature, which blocks the phishing attempts, malware, ads and trackers that bother you.
By using a VPN, all file transfers from your computer or mobile phone are encrypted using the AES-256-GCM algorithm, and it also hides your IP address, which makes it difficult for trackers to extract your location or identity.
CleanWeb is available for all popular platforms that include Windows, macOS, iOS, Android, and for browsers Firefox and Chrome.
Using public WiFi is not recommended; if you have to use public WiFi, the best way is with a VPN, which gives you a stable connection and secures your data from prying eyes. Also, you can switch between VPN servers as many times as you want.
How CleanWeb Protects You from Cybersecurity Threats
Scammers use various stealthy methods to deliver phishing emails that appear to come from a bank, a tax authority, or in other forms. With these methods, hackers can loot a barrage of personal and financial data, resulting in high-impact attacks.
India’s Biggest Star Amitabh Bachchan’s Twitter Account Hacked
Indian Bollywood megastar Amitabh Bachchan's Twitter account was compromised by a pro-Pakistan Turkish hacker group called Ayyildiz Tim.
The cybercriminals posted multiple tweets against India and replaced Amitabh Bachchan's images with a photo of Pakistan's Prime Minister Imran Khan.
The hackers posted a statement: “This is an important call to the whole world! We do condemn the irrespective behaviors of Iceland republic towards Turkish footballers. We speak softly but carry a big stick and inform you about the big Cyber attack here. As Ayyıldız Tim Turkish Cyber Army +++”.
In the second post: “The Indian State, who mercilessly attacks the Muslims fasting in the month of Ramadan, is attacking the Ummah Muhammad in this age! Indian Muslims are entrusted to us by Abdulhamid.” The hackers also changed the cover image of Amitabh Bachchan's Twitter account to the Ayyildiz Tim group's logo.
The Maharashtra Cyber Crime unit was informed after the matter was brought to their notice. “We have informed our cyber unit and Maharashtra Cyber about the hacked Twitter account of Mr. Bachchan. They are investigating the matter. Further updates awaited,” Mumbai Police spokesperson DCP Manjunath Singe said. The same group previously hacked the Twitter accounts of actors Shahid Kapoor and Anupam Kher, among others.
The Twitter account appeared to have been restored within half an hour.
Hackers Exploit Critical Oracle WebLogic Server Vulnerability by Hiding Malware in Certificate Files (.cer)
Hackers abuse the Oracle WebLogic Server vulnerability CVE-2019-2725 to deliver a Monero miner. The vulnerability is easily exploitable: any attacker with HTTP access to the server can attack it without authentication.
Trend Micro observed a new cryptocurrency-mining campaign involving the vulnerability in which the attackers used certificate files to hide the malicious code.
The malware exploits CVE-2019-2725 to execute a PowerShell command that downloads the malicious code obfuscated in a .cer file. The PowerShell script downloads the encoded certificate file from the attacker's server.
CertUtil is used to decode the certificate file; CertUtil is a command-line program installed along with Certificate Services.
The extracted file update.ps1 is then executed via a PowerShell command, and the downloaded certificate is deleted. “When we downloaded the certificate file, we noticed that it looked like a normal Privacy-Enhanced Mail (PEM) format certificate. However, upon decoding the base64 content, we found that, instead of the commonly used X.509 TLS file format, it comes in the form of the PS command,” reads the Trend Micro report.
Last month, another campaign leveraged the vulnerability to download the Sodinokibi ransomware and encrypt customers' systems.
It is recommended to patch CVE-2019-2725; the security alert published by Oracle and the patch availability information can be found here: https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html
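A defender-side check for the disguise Trend Micro describes, as an added example (not Trend Micro's code, nor anything from the campaign): it decodes every PEM block in a file and tests whether the base64 content has the outer DER shape of a real X.509 certificate or is merely text, such as a script, wrapped in certificate armour. The sample blocks are constructed; a minimal DER SEQUENCE stands in for a genuine certificate and a harmless Write-Host line stands in for the hidden script.

```python
import base64
import re

# One PEM block: the label plus the base64 body between the BEGIN/END armour.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def looks_like_der_certificate(data: bytes) -> bool:
    """True if data is one complete DER SEQUENCE whose first element is
    itself a SEQUENCE, i.e. the outer shape of an X.509 Certificate
    (Certificate ::= SEQUENCE { tbsCertificate SEQUENCE {...}, ... })."""
    if len(data) < 4 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short-form length
        body_len, hdr = first, 2
    else:                                 # long form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        body_len = int.from_bytes(data[2:2 + n], "big")
        hdr = 2 + n
    if body_len < 1 or hdr + body_len != len(data):
        return False
    return data[hdr] == 0x30


def classify_pem_blocks(text: str):
    """Decode every PEM block in text and report what the base64 really holds."""
    results = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), "".join(m.group(2).split())
        try:
            raw = base64.b64decode(body, validate=True)
        except ValueError:                # binascii.Error is a ValueError
            results.append({"label": label, "verdict": "undecodable", "preview": ""})
            continue
        if looks_like_der_certificate(raw):
            verdict, preview = "der-certificate", raw[:8].hex()
        else:
            try:
                preview = raw.decode("utf-8")
                verdict = "text-payload"      # readable text, e.g. a script
            except UnicodeDecodeError:
                verdict, preview = "binary-not-der", raw[:8].hex()
        results.append({"label": label, "verdict": verdict, "preview": preview[:60]})
    return results


def suspicious_blocks(text: str):
    """Everything that wears certificate armour but is not a DER certificate."""
    return [r for r in classify_pem_blocks(text) if r["verdict"] != "der-certificate"]


def _pem(label: str, raw: bytes) -> str:
    b64 = base64.b64encode(raw).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed samples: SEQUENCE{SEQUENCE{INTEGER 1}} as a stand-in for a real
# certificate, a script hidden behind certificate armour, and a corrupt block.
SAMPLE_TEXT = (
    _pem("CERTIFICATE", bytes.fromhex("30053003020101"))
    + _pem("CERTIFICATE", b"Write-Host 'this is a script, not a certificate'\r\n")
    + "-----BEGIN CERTIFICATE-----\nnot*base64!\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    for r in suspicious_blocks(SAMPLE_TEXT):
        print(r)
```

The same structural check applies to any file a certificate-handling tool is asked to decode: a block whose payload is readable text deserves a closer look before anything executes it.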
RCE Vulnerability in Millions of Exim Email Servers Lets Hackers Execute Arbitrary Commands & Control the Server Remotely
A critical remote command execution vulnerability affecting Exim mail server versions 4.87 to 4.91 lets a local attacker, or a remote attacker (within certain limits), execute arbitrary commands and compromise the server.
Exim is a mail transfer agent used on Unix-like operating systems for sending, receiving and routing email messages. It is free software distributed under the terms of the GNU General Public License.
Both local and remote attackers could exploit this vulnerability, but restrictions apply to a remote attacker executing arbitrary commands unless certain non-default configurations are in place.
Here RCE means Remote Command Execution, not Remote Code Execution: an attacker can execute arbitrary commands with execv(), as root, and no memory corruption or ROP (Return-Oriented Programming) is involved in this flaw.
To exploit this vulnerability remotely in the default configuration, an attacker must keep a connection to the vulnerable server open for 7 days, which is possible by transmitting one byte every few minutes.
But because of the complexity of the Exim code, the researchers do not guarantee that exploitation takes that long; faster alternative methods may exist.
Exim servers have been vulnerable by default since version 4.87 (released on April 6, 2016), and the vulnerability was fixed in version 4.92 in February 2019.
According to Qualys' research, it was not identified as a security vulnerability at the time, and most operating systems are therefore affected: “For example, we exploit an up-to-date Debian distribution (9.9) in this advisory.” “We believe that it makes no sense to delay this any longer than that: this vulnerability is trivially exploitable in the local and non-default cases (attackers will have working exploits before that, public or not); and in the default case, a remote attack takes a long time to succeed,” Openwall reported.
This vulnerability, referred to as “The Return of the WIZard”, is a reference to Sendmail's ancient WIZ and DEBUG vulnerabilities.
10 June, 2019
VLC 3.0.7 Released With Fixes for 43 Security Vulnerabilities & Other Changes
VLC released security updates that address more security issues than any other release of the VLC player. VLC 3.0.7 fixes 43 security issues, including 2 high-severity issues, 21 medium-severity issues, and 20 low-severity issues.
The two high-severity issues are an out-of-bounds write and a stack buffer overflow. The out-of-bounds write resides in the faad2 library, a dependency of VLC, and the stack buffer overflow in the new RIST module.
The medium-severity issues are mostly out-of-bounds reads, heap overflows, NULL dereferences, and use-after-free issues. Those issues should not be exploitable with ASLR, but are important anyway because they can crash VLC.
The low-severity issues are mostly integer overflows, division by zero, and other out-of-bounds reads with no actual impact. Those issues are not exploitable, reads Jean-Baptiste Kempf's blog post.
The high number of fixed vulnerabilities results from the European Commission including open source tools in its EU-Free and Open Source Software Auditing (EU-FOSSA) project to improve the security of free software.
Q1 2019 Top-Clicked Phishing Email Subjects from KnowBe4 [INFOGRAPHIC]
Every quarter, KnowBe4 reports on the top-clicked phishing emails by subject lines in three categories: Social, General, and 'In the Wild'. The latter category results come from the millions of users that click on our Phish Alert Button to report real phishing emails and allow our team to analyze the results.
Full Report: https://blog.knowbe4.com/q1-2019-top-clicked-phishing-email-subjects-from-knowbe4-infographic
GoldBrute Botnet Trying to Hack More Than 1.5 Million RDP Servers Exposed to the Internet
A new botnet dubbed GoldBrute is attacking more than 1.5 million RDP servers that are exposed to the Internet. The botnet scans random IP addresses to detect Windows machines with RDP exposed.
Unlike other botnets, GoldBrute is not using weak passwords or reusing passwords from data breaches; instead, it uses its own list of usernames and passwords to launch brute-force attacks.
Security researchers from Morphus Labs detected the ongoing malicious campaign, which is controlled from a single C&C server; the communication exchanged with the bots is encrypted with the symmetric algorithm AES over port 8333.
GoldBrute Botnet Attack
The bot starts by scanning the Internet to find Windows hosts with Remote Desktop Protocol services exposed. Once it finds a host, it reports it to the C&C server; once the bot has reported 80 victims, the C&C server assigns it a set of targets for the brute-force attack.
It is worth noting that each bot will try only one username and password against a target, to avoid detection. “This is possibly a strategy to fly under the radar of security tools as each authentication attempt comes from different addresses,” reads the blog post.
Once the attack succeeds, it downloads a zip archive containing the GoldBrute Java code to the targeted RDP server, along with the Java runtime. It uncompresses the archive and then runs a jar file called “bitcoin.dll”.
Then the new bot starts scanning the Internet for open RDP servers. If it finds a new IP, it reports it to the C&C server.
Once it reaches 80 brutable RDP servers, the C&C server assigns a set of targets to the new bot.
In the brute-force phase, the bot continuously receives username and password combinations from the C&C server.
Researchers tested the bot in a lab environment: “after 6 hours; we received 2.1 million IP addresses from the C2 server from which 1,596,571 are unique. Of course, we didn’t execute the brute-force phase.” The heatmap reveals that GoldBrute targets exposed RDP machines around the globe.
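The one-attempt-per-bot pattern described above defeats the usual "N failures from one IP" rule, so a detection has to count distinct sources per target instead. The following is an added example (not Morphus Labs' code) that runs both rules over constructed, flattened Windows event 4625 records; the hostnames, RFC 5737 addresses and field layout are all assumptions made for the sample.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def _build_sample_lines():
    """Constructed failed-logon records: one line per event 4625, reduced to
    time, target host, logon type (10 = RemoteInteractive/RDP), user, source."""
    base = datetime(2019, 6, 6, 10, 0, 0)
    lines = []
    # rdp-gw1: 30 different sources, one attempt each, inside one hour
    # (the GoldBrute style: one username/password per bot per target)
    for i in range(30):
        t = base + timedelta(minutes=i * 1.5)
        lines.append(f"{t.isoformat()} host=rdp-gw1 logon_type=10 "
                     f"user=administrator src=203.0.113.{i + 1}")
    # rdp-gw2: a classic single-source brute force, 15 attempts from one IP
    for i in range(15):
        t = base + timedelta(seconds=i * 20)
        lines.append(f"{t.isoformat()} host=rdp-gw2 logon_type=10 "
                     f"user=admin src=198.51.100.7")
    # rdp-gw3: three users mistyping a password once each; benign noise
    for i in range(3):
        t = base + timedelta(minutes=i * 10)
        lines.append(f"{t.isoformat()} host=rdp-gw3 logon_type=10 "
                     f"user=user{i} src=192.0.2.{i + 1}")
    # a failed network (SMB) logon, type 3, which the RDP rule must ignore
    lines.append(f"{base.isoformat()} host=rdp-gw1 logon_type=3 "
                 f"user=svc src=198.51.100.9")
    return lines


SAMPLE_LINES = _build_sample_lines()


def parse_event(line: str) -> dict:
    """'<iso time> key=value ...' -> dict with parsed time and logon_type."""
    ts, *kv = line.split()
    ev = dict(item.split("=", 1) for item in kv)
    ev["time"] = datetime.fromisoformat(ts)
    ev["logon_type"] = int(ev["logon_type"])
    return ev


def detect_rdp_bruteforce(lines, window=timedelta(hours=1), min_sources=20,
                          max_per_source=2, single_source_threshold=10):
    """Return alerts for two RDP failed-logon patterns per host and window.

    'distributed'   : at least min_sources distinct IPs, each with no more
                      than max_per_source failures (many bots, one try each).
    'single-source' : one IP with at least single_source_threshold failures.
    """
    buckets = defaultdict(Counter)          # (host, window index) -> Counter(src)
    for line in lines:
        ev = parse_event(line)
        if ev["logon_type"] != 10:          # only RDP logons
            continue
        idx = (ev["time"] - datetime.min) // window   # timezone-independent
        buckets[(ev["host"], idx)][ev["src"]] += 1

    alerts = []
    for (host, _idx), srcs in sorted(buckets.items()):
        low = [s for s, n in srcs.items() if n <= max_per_source]
        if len(low) >= min_sources:
            alerts.append({"kind": "distributed", "host": host,
                           "sources": len(low), "attempts": sum(srcs.values())})
        for s, n in sorted(srcs.items()):
            if n >= single_source_threshold:
                alerts.append({"kind": "single-source", "host": host,
                               "src": s, "attempts": n})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LINES):
        print(alert)
```

Tune min_sources to the normal number of distinct client addresses a gateway sees per hour; a gateway that legitimately serves thousands of roaming users needs a higher bar than one that serves a fixed office.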
Hacker Leaks New Windows 10 Zero-day Exploit Online to Bypass Already Patched Bug
SandboxEscaper, an anonymous hacker, came back and leaked another Windows zero-day PoC that exploits the already patched local privilege escalation vulnerability (CVE-2019-0841) in Windows 10.
This is a second zero-day that bypasses CVE-2019-0841, an elevation of privilege vulnerability that exists when the Windows AppX Deployment Service improperly handles hard links; the vulnerability was already patched by Microsoft in April.
SandboxEscaper is the pseudonym of a widely known anonymous hacker who has actively leaked Windows zero-day exploits online since August 2018 (1, 2, 3, 4, 5, 6); this is the ninth zero-day leak since August 2018.
An attacker who successfully exploits this vulnerability (CVE-2019-0841) could run processes in an elevated context; as a result, the threat actor could install malicious programs and view, change or delete data.
Exploiting the 0-day with Edge
SandboxEscaper explains (the GitHub repository has since been removed) that the vulnerability can be triggered by deleting all files and subfolders within the Edge browser location she pointed to: "c:\users\%username%\appdata\local\packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\" First, the deletion has to be performed as a local user account. When the user then launches Edge, the browser crashes. When the local user launches it a second time, it writes the Discretionary Access Control List (DACL) while impersonating “SYSTEM”. Arbitrary DACL writes allow a low-privileged user to change system permissions and eventually gain complete control with admin access.
SandboxEscaper explains the following process via her GitHub repository.
The trick here is to launch Edge by clicking it on the taskbar or desktop; using “start microsoft-edge:” seems to result in correct impersonation.
You can still do this completely programmatically.. since Edge will always be in the same position in the taskbar.. *cough* sendinput *cough*. There are probably other ways too. Another note: this bug is most definitely not restricted to Edge.
Hacker on Underground Forum Claims to Have RDP and Network Access to Anti-Virus Giants Comodo & Symantec
A threat actor who goes by the name “Achilles” is selling internal accounts and data of multinational corporate networks on various underground hacking forums. His primary targets include private companies and government organizations.
His recent posts show that he has access to the corporate networks of organizations such as UNICEF and Transat, and to cybersecurity companies including Comodo Group and Symantec.
Achilles uses living-off-the-land tactics to gain access within an organization's network: compromising Remote Desktop Protocol (RDP), or using stolen credentials to connect to the victim network via VPN.
The threat actor gains access to the network through brute-force attacks targeting remote services and external portals; later, the actor tries to elevate privileges.
Threat Actor Activities Targeting Corporate Networks
According to AdvIntel, on May 4, 2019 Achilles claimed to have access to the UNICEF network and two other private-sector companies. The UNICEF data was priced at $4,000, and later the price was dropped to $2,000. “The majority of Achilles offers are related to breaches into multinational corporate networks via external VPN and compromised RDPs. Targets include private companies and government organizations, primarily in the British Commonwealth.” Achilles has been active on underground forums for the last seven months and has attempted to sell access to several multinational companies.
In April 2019, he posted another set of offers that included 600 GB of data from UK companies, plus RDP and network access.
On May 15, 2019, Achilles posted that he had access to the following organizations, but did not provide any evidence that he had access to these networks.
High-profile security companies:
🔹Transat (Transat[.]com)
The threat actor has gained a high reputation within the underground community by offering highly sensitive data along with evidence.
7 June, 2019
Iranian MuddyWater APT Hackers Add New Exploits to Their Hacking Arsenal to Attack Government Networks
Threat actors from the MuddyWater APT group have added a new set of exploits to their hacking arsenal, along with new tactics, techniques and procedures (TTPs), to target government entities and the telecommunications sector.
The Iran-sponsored MuddyWater group is operated by advanced persistent threat actors; it was first spotted in 2017, mainly targeting victims in the Middle East and Asia using a variety of malicious components.
More recently, researchers from ClearSky observed the group actively targeting a wide range of victims including governmental, military, telecommunication, and academic organizations.
One of the detected malicious documents has an embedded macro that drops the payload once the victim opens the file; it then exploits CVE-2017-0199, a remote code execution vulnerability in Windows Object Linking and Embedding (OLE). Iran's Ministry of Intelligence and Security split its hackers into two teams with different roles:
1. The first team specializes in hacking the target systems.
2. The other team performs social engineering operations using spear-phishing methods.
MuddyWater APT Attack vectors
Based on observation of the recent campaign, the threat actors attached a malicious file to a spear-phishing email posing as an official document of a UN development plan in Tajikistan.
The second stage of this malware is downloaded from the IP address 185.244.149[.]218; it then communicates with several malicious files and drops one of them onto the victim's device.
After the victim clicks the file, an error message appears which the victim is required to approve; then another error message lets the victim recover the content of the document.
Cisco Security Updates: RCE Flaw in Cisco Industrial Network Director Lets Hackers Gain Admin-Level Access
Cisco released security updates addressing multiple vulnerabilities in Cisco products, including a remote code execution flaw affecting Cisco Industrial Network Director.
This Cisco security update includes fixes for 9 vulnerabilities, two of which are marked high severity while the remaining 7 are categorized as medium severity.
The remote code execution flaw resides in the software update feature of Cisco Industrial Network Director and lets an authenticated remote attacker execute arbitrary code and take full control of the vulnerable system. “The vulnerability (CVE-2019-1861) is due to improper validation of files uploaded to the affected application. An attacker could exploit this vulnerability by authenticating to the affected system”
Cisco fixed this vulnerability in the new software release 1.6.0 of Cisco Industrial Network Director.
Another high-severity vulnerability (CVE-2019-1845), affecting Cisco Unified Communications Manager IM&P Service, Cisco TelePresence VCS, and Cisco Expressway, lets attackers cause a denial of service.
According to Cisco, this vulnerability affects the following Cisco products if users are running a vulnerable release:
🔹Expressway Series configured for Mobile and Remote Access with IM&P Service (Releases X8.1 to X12.5.2)
🔹TelePresence VCS configured for Mobile and Remote Access with IM&P Service (Releases X8.1 to X12.5.2)
🔹Unified Communications Manager IM&P Service (multiple releases)
Cisco advised affected users to apply these patches immediately to keep their networks safe and secure.
BlackSquid Malware Uses Eight Exploits to Attack Web Servers, Network Drives, and Removable Drives
A new malware dubbed BlackSquid bundles eight notorious exploits to drop the XMRig Monero cryptocurrency miner, targeting web servers, network drives, and removable drives.
The malware employs several anti-virtualization, anti-debugging, and anti-sandboxing methods to avoid detection. If it detects a sandbox, it immediately cancels the infection process.
Trend Micro observed that BlackSquid targets Thailand and the U.S. Based on the samples observed by the researchers, it currently downloads and installs an XMRig Monero cryptocurrency miner, but it could be used with other payloads in future.
The malware enters the system through three different initial entry points: infected web pages, compromised servers, or removable or network drives.
If the malware does not detect any of those conditions, it drops the XMRig Monero miner and runs its malicious cryptocurrency-mining routines. It also uses the EternalBlue-DoublePulsar exploits for further network propagation.
The malware is also executed by exploiting the critical vulnerability CVE-2017-8464, which allows remote attackers to execute arbitrary code on the target machine as a local user.
BlackSquid also uses the Apache Tomcat exploit for CVE-2017-12615, which “enables any code to be executed by the server by uploading a JavaServer Pages (JSP) file via a specially crafted HTTP PUT request.” It also targets Rejetto HTTP File Server using CVE-2014-6287 “to run mshta.exe via a %00 sequence in a search action. Once abused, this allows attackers to execute arbitrary programs remotely.” “Among the vulnerabilities abused are three ThinkPHP exploits to support multiple versions of the said framework, using mshta.exe to download and execute the main component of the payload,” reads the Trend Micro report.
Google Released Chrome 75 for Windows, Mac, Linux and Android with Several Security Fixes
Google released Chrome 75 for Android and the stable channel update for Windows, Mac, and Linux with fixes for 42 security vulnerabilities that affected earlier versions of Chrome.
Chrome 75 for Android brings stability and performance improvements, along with Chrome’s built-in password manager generating strong, unique passwords.
Alongside the security fixes, including two high-severity vulnerabilities, Google added the following new features in Chrome 75.0.3770.80.
1. There’s a new way to reduce latency on canvas elements.
2. Web apps can now share files to other installed apps using the system level share sheet.
3. Numeric literals now allow underscores as separators to make them more readable.
4. Google I/O 2019 is a wrap and all of the talks are on our YouTube channel.
In Chrome 75, the Web Share API can plug into the system share service provided by Android, making it easy to share files, including audio files, images, videos, and text documents, with other apps installed on the user’s device.
Developers can read about all the new features in this Chrome 75 release at https://developers.google.com/web/updates/2019/06/nic75.
Google has already started rolling out the update, which will reach all desktop platforms (Windows, Mac, and Linux) and Android over the coming days and weeks.
Chrome 75 for Android will become available on Google Play over the next few weeks; desktop users can check for the update now by going to Settings -> Help -> About Google Chrome in the browser, which triggers the auto-update check.
Of the 42 security fixes, two (CVE-2019-5828 and CVE-2019-5829) are rated high severity; they were reported by Lucas Pinheiro of Microsoft Browser Vulnerability Research and Andrew Krasichkov of the Yandex Security Team. “Chrome 75.0.3770.80 contains a number of fixes and improvements — a list of changes is available in the log. Watch out for upcoming Chrome and Chromium blog posts about new features and big efforts delivered in 75,” Google said.
Quest Diagnostics Says Nearly 12 Million Patients Records Exposed in Data Breach
Quest Diagnostics has confirmed a data breach that exposed the records of 11.9 million patients, including financial data, Social Security numbers, and medical information.
Quest Diagnostics is a clinical laboratory company providing diagnostic testing, information, and services that patients and doctors use to make healthcare decisions.
The breach happened through a contractor of a contractor: Quest outsources billing services to Optum360, which in turn uses the American Medical Collection Agency (AMCA) to handle collections.
⏺ “AMCA has informed Quest Diagnostics that an unauthorized user had access to AMCA’s system containing personal information AMCA received from various entities, including from Quest.”
According to Quest, the attacker had unauthorized access to AMCA’s billing systems from August 1, 2018, to May 31, 2019. Quest said it has not received any further information about the incident from AMCA.
⏺ “AMCA first notified Quest and Optum360 on May 14, 2019, of potential unauthorized activity on AMCA’s web payment page.”
The exposed data includes medical and other personal information; Quest confirms that lab results were not exposed, as they are not provided to AMCA.
⏺ “Quest is taking this matter very seriously and is committed to the privacy and security of our patients’ personal information. Since learning of the AMCA data security incident, we have suspended sending collection requests to AMCA.”
⏺ “Quest will be working with Optum360 to ensure that Quest patients are appropriately notified consistent with the law.”
Quest said it is working with AMCA and Optum360, as well as external forensic investigators, to determine the potential impact.
macOS Zero-Day Vulnerability Allows Hackers to Bypass Security Protections With Synthetic Clicks
A new zero-day vulnerability in macOS lets attackers bypass the system’s security prompts with synthetic clicks and thereby access protected data. Security researcher Patrick Wardle disclosed the vulnerability at his Objective by the Sea conference this weekend.
Last year he showed that synthetic clicks could be generated with automation scripts on macOS High Sierra; Apple subsequently extended the privacy protections in macOS Mojave to block that.
Now he has found another way to bypass those protections, generate synthetic clicks, and access the user’s data without consent.
The vulnerability lies in Apple’s code for the allow-list of applications permitted to generate synthetic clicks: it checks only that the application carries a code-signing certificate, not the integrity of the application bundle. An attacker can therefore tamper with one of the trusted applications, and the synthetic clicks it generates are still allowed by the operating system.
Wardle demonstrated the attack with the VLC media player, dropping in a malicious plugin that generates a synthetic click on a prompt without user consent. “For VLC, I just dropped in a new plugin, VLC loads it, and because VLC loads plugins, my malicious plugin can generate a synthetic click — which is fully allowed because the system sees it’s VLC but doesn’t validate the bundle to make sure it hasn’t been tampered with,” he told TechCrunch.
To carry out the attack, the attacker needs physical access to the machine, but does not need elevated privileges.
Wardle reported the vulnerability to Apple a week before the talk, and the company confirmed the report, but it is unclear when a fix is scheduled.
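The root cause described above, a check for the presence of a certificate rather than for the integrity of the signed bundle, can be reproduced with codesign(1). The following Python is an added illustration, not Apple’s or Wardle’s code: it wraps two codesign invocations and shows that a tampered bundle passes the weak check and fails the strong one. The bundle path is hypothetical, and `scripted_runner` stands in for codesign so the logic can be exercised off a Mac.

```python
import subprocess
import sys
from dataclasses import dataclass

# Hypothetical bundle used for illustration; any signed .app works on a real Mac.
DEFAULT_BUNDLE = "/Applications/VLC.app"


@dataclass
class CmdResult:
    returncode: int
    stdout: str = ""
    stderr: str = ""


def run_codesign(args):
    """Run the real codesign(1) tool (macOS only)."""
    p = subprocess.run(["codesign", *args], capture_output=True, text=True)
    return CmdResult(p.returncode, p.stdout, p.stderr)


def has_signing_certificate(bundle, run=run_codesign):
    """Weak check, comparable to what the page says Apple's code did: is there *a* certificate
    chain attached to the bundle? `codesign -dvv` prints the chain as 'Authority=' lines on
    stderr. This says nothing about whether the bundle's contents still match the signature."""
    res = run(["-dvv", bundle])
    return res.returncode == 0 and "Authority=" in res.stderr


def signature_is_intact(bundle, run=run_codesign):
    """Strong check: re-verify every sealed file (--deep walks nested code, --strict rejects
    resources the seal does not cover). Exit status 0 means the seal is intact."""
    res = run(["--verify", "--deep", "--strict", bundle])
    return res.returncode == 0


def trust_decision(bundle, run=run_codesign):
    """Return both answers so the gap between them is visible."""
    cert = has_signing_certificate(bundle, run)
    intact = signature_is_intact(bundle, run)
    return {"bundle": bundle, "has_certificate": cert, "intact": intact,
            "trusted": cert and intact}


def scripted_runner(cert_present, intact):
    """Stand-in for codesign so the logic runs off a Mac (demo/test helper, not a real tool)."""
    def run(args):
        if args[0] == "-dvv":
            if cert_present:
                return CmdResult(0, "", "Authority=Developer ID Application: Example Corp\n")
            return CmdResult(1, "", f"{args[-1]}: code object is not signed at all\n")
        if intact:
            return CmdResult(0, "", f"{args[-1]}: valid on disk\n")
        return CmdResult(1, "", f"{args[-1]}: a sealed resource is missing or invalid\n")
    return run


if __name__ == "__main__":
    runner = run_codesign if sys.platform == "darwin" else scripted_runner(cert_present=True, intact=False)
    print(trust_decision(DEFAULT_BUNDLE, runner))
```

A deep, strict verification only covers what the bundle’s seal covers: a plugin dropped into a sealed bundle shows up as an unsealed or modified resource, while code loaded from outside the bundle is not checked by this call at all.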
Top 5 ATM Malware Families Used By Hackers to Dispense Money from Targeted ATMs
ATM-focused cyber attacks continue to evolve with more advanced methods, and attackers employ a growing number of sophisticated malware families to trick ATMs into dispensing cash.
The first ATM malware, designed to skim card data from the machine, was spotted 10 years ago. Since then it has evolved into several distinct families with different actors behind them.
ATM malware can cause significant damage to end users, financial institutions, and the targeted banks. “Over the past 10 years, we have seen a steady increase in the number of ATM malware samples discovered. Still, the number of discovered samples is minimal compared to almost any other malware category,” Talos reported.
Based on their function, ATM malware families fall into two classes: virtual skimmers, which steal card data, transaction details, and PINs, and cash dispensers, which attackers use to make the ATM pay out cash.
ATM software is generally built on the CEN/XFS framework, a vendor-neutral API that lets developers compile and run the same code regardless of ATM model or manufacturer; ATM malware drives the cash dispenser through that same API.
ATMs are not directly reachable over the internet and communicate with the bank through dedicated channels; however, they are connected to internal networks for administration and maintenance, and some malware takes advantage of that by compromising the internal network first.
Top 5 ATM Malware Families
Ploutus is used by several criminal groups to empty ATMs and is controlled through an external keyboard attached to the machine or via SMS messages.
This variant has been observed since November 2016; it is a standard cash-dispensing malware that attackers use to empty the ATM without a card.
Alice, first detected in November 2016, simply empties the ATM’s safe. Alice connects directly to the CurrencyDispenser1 peripheral; after the correct PIN is entered, it opens an operator panel that shows which cassettes are loaded with money.
3 June, 2019
Hackers Abusing Microsoft Azure to Deploy Malware and C2 Servers Using Evasion Technique
Microsoft Azure has become a sweet spot for attackers, who host powerful malware on it and also operate command-and-control servers for those malicious files from it.
Microsoft Azure is a cloud computing service created by Microsoft for building, testing, deploying, and managing applications and services through Microsoft-managed data centers.
This malicious operation was initially uncovered and reported by @JayTHL and @malwrhunterteam on Twitter, where they provided evidence that malicious software was being hosted on Microsoft Azure.
The researchers reported the operation to Microsoft; however, the original malware (plus additional samples uploaded since) still resided on the Azure site as of May 29, 2019, 17 days later, AppRiver reported.
This shows that Azure failed to detect malware residing on Microsoft’s own servers, even though Windows Defender detects the files if a user attempts to download them from the hosting server.
Windows Defender detects the malware as Trojan:Win32/Occamy.C. The first sample (searchfile.exe) was initially uploaded to VirusTotal on April 26, 2019, and another sample (printer/prenter.exe) was first submitted on April 30, but both remained on the Azure servers.
According to AppRiver, it does not appear that the service is currently scanning Azure sites; otherwise, one could surmise, these files would have been detected by now.
Analysis of the printer.exe file shows that the attackers delivered the malware as an uncompiled C# .NET portable executable.
Using an uncompiled file is an attempt to evade gateway and endpoint security products that thoroughly examine downloaded binaries. “Once running, this malicious agent generates XML SOAP requests every 2 minutes to check-in and receive commands from the malicious actors Azure command and control site at: systemservicex[.]azurewebsites[.]net/data[.]asmx”.
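The check-in behaviour AppRiver describes, a SOAP request to the same Azure-hosted endpoint every two minutes, is the kind of regularity a proxy-log search can find. The following Python is an added example, not AppRiver’s tooling or the malware’s code: it groups SOAP POSTs by client, host and path over a constructed proxy-log excerpt and flags series whose inter-request gap is close to 120 seconds with little jitter. The log lines, client addresses and timestamps are made up; only the C2 host name pattern comes from the report.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed proxy-log excerpt: time, client, method, host, path, content type, status.
# Not real traffic; only the C2 host name pattern is taken from the report.
PROXY_LOG = """\
2019-05-29T10:00:00 10.1.1.20 POST systemservicex.azurewebsites.net /data.asmx text/xml 200
2019-05-29T10:00:41 10.1.1.21 GET  login.microsoftonline.com /common/oauth2/authorize text/html 200
2019-05-29T10:01:10 10.1.1.20 GET  www.bing.com /search text/html 200
2019-05-29T10:02:01 10.1.1.20 POST systemservicex.azurewebsites.net /data.asmx text/xml 200
2019-05-29T10:03:59 10.1.1.20 POST systemservicex.azurewebsites.net /data.asmx text/xml 200
2019-05-29T10:05:33 10.1.1.20 GET  www.bing.com /images text/html 200
2019-05-29T10:06:00 10.1.1.20 POST systemservicex.azurewebsites.net /data.asmx text/xml 200
2019-05-29T10:07:12 10.1.1.21 POST graph.microsoft.com /v1.0/me application/json 200
2019-05-29T10:08:02 10.1.1.20 POST systemservicex.azurewebsites.net /data.asmx text/xml 200
2019-05-29T10:10:00 10.1.1.20 POST systemservicex.azurewebsites.net /data.asmx text/xml 200
"""


def parse_proxy_log(text):
    """Turn the whitespace-separated excerpt into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        ts, client, method, host, path, ctype, status = parts
        events.append({"time": datetime.fromisoformat(ts), "client": client, "method": method,
                       "host": host, "path": path, "ctype": ctype, "status": int(status)})
    return events


def find_soap_beacons(events, min_hits=5, expected_interval=120.0, tolerance=15.0, max_jitter=10.0):
    """Flag (client, host, path) series of SOAP POSTs whose gaps are regular.

    expected_interval is the 2-minute check-in AppRiver described; tolerance is how far the
    median gap may drift from it; max_jitter bounds the spread between the shortest and
    longest gap, which is what separates a timer-driven beacon from a human clicking around."""
    series = defaultdict(list)
    for e in events:
        if e["method"] == "POST" and e["ctype"].startswith("text/xml"):
            series[(e["client"], e["host"], e["path"])].append(e["time"])
    alerts = []
    for (client, host, path), times in series.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        jitter = max(gaps) - min(gaps)
        if abs(med - expected_interval) <= tolerance and jitter <= max_jitter:
            alerts.append({"client": client, "host": host, "path": path, "count": len(times),
                           "median_gap_s": med, "jitter_s": jitter})
    return alerts


if __name__ == "__main__":
    for a in find_soap_beacons(parse_proxy_log(PROXY_LOG)):
        print(f"{a['client']} -> {a['host']}{a['path']}: {a['count']} SOAP POSTs, "
              f"median gap {a['median_gap_s']:.0f}s, jitter {a['jitter_s']:.0f}s")
```

Keying on host and path rather than on the resolved IP matters here because azurewebsites.net is shared infrastructure with a large legitimate user base. For beacons whose period is unknown, drop the `expected_interval` filter and rank series by jitter instead.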
Dangerous GandCrab Ransomware Shutting Down its Operations after Earning $2 Billion in Ransom Payments
GandCrab ransomware was first spotted in January 2018 and is among the most sophisticated and rapidly changing ransomware families; its operators released five major versions in a little over a year.
The ransomware was distributed through multiple vectors, including malicious spam emails, exploit kits, social engineering, and other malware campaigns.
According to researchers Damian and David Montenegro, the GandCrab operators have posted that they are shutting down their operation.
Based on the screenshot shared by the researchers, the operators claim to have earned more than $2 billion in ransom payments, an average of $2.5 million per week.
The threat actors behind the ransomware claim to have personally earned more than $150 million per year and to have cashed out through legitimate sources.
The announcement says they have stopped promoting the ransomware and asks affiliates to stop distributing it within 20 days.
They also urge victims to pay the ransom, otherwise the keys will be deleted. It is still unclear whether the operators will release the keys after they shut down the operation.
GandCrab Ransomware Versions
GandCrab v1 – Discovered in January 2018, distributed via exploit kits such as RIG EK and GrandSoft EK. Ransom payments were collected in the DASH cryptocurrency. Encrypts files and appends the .gdcb extension.
GandCrab v2 – Distributed through spam emails; appends the .CRAB extension to encrypted files.
GandCrab v3 – Adds the ability to change the desktop wallpaper to show the ransom note. This version also appends the .CRAB extension to encrypted files.
GandCrab v4 – Appends the .KRAB extension instead of .CRAB and uses the Tiny Encryption Algorithm to avoid detection. It was distributed through fake software crack sites.
GandCrab v5 – Appends a random 5-character extension to encrypted files and, after encryption, creates an HTML ransom note stating that files, documents, and photos are encrypted.
2 June, 2019
TA505 Hackers Group Modifies Remote Admin Tool as a Weaponized Hacking Tool To Attack Victims in the U.S, APAC, Europe
Threat actors from the TA505 hacking group are conducting a new wave of attacks in which they modify a legitimate remote admin tool into a weaponized hacking tool, targeting retailers in the U.S. and financial institutions in Europe, APAC, and LATAM.
The TA505 group is believed to be based in Russia, and its members have been involved in various high-profile campaigns, including the infamous Dridex banking trojan, Locky ransomware, ServHelper malware, and FlawedAmmyy, all delivered through malicious email campaigns.
This organized cybercrime group is financially motivated: it gains access to victims’ systems in order to perform fraudulent financial transactions.
To achieve this, the threat actors abuse Remote Manipulator System (RMS), a legitimate Russian remote admin tool that is available in a commercial version and a free version for non-commercial use.
RMS Tool in Underground Market
Cracked versions of the RMS tool are sold on underground forums; TA505 obtains them and uses features including remote control with multi-monitor support, a task manager, file transfer, a command-line interface, network mapping, and webcam and microphone access, all of which are common traits of a well-developed Remote Access Trojan.
Most Remote Access Trojans communicate with their operator through a command and control server. Similarly, RMS includes an “Internet-ID” feature that relays the connection through the developer’s server and sends a notification via email; this mode is used by less sophisticated threat actors.
Attackers combine these features with the ability to install and operate the tool silently, which makes it a convenient solution for both sophisticated and unsophisticated threat actors.
But it particularly favors highly sophisticated actors like TA505 through its “self-hosting option,” which lets them configure their own Remote Utilities (RU) server rather than depend on the developer’s infrastructure.
Two Miners Purportedly Execute 51% Attack on Bitcoin Cash(BCH) Blockchain
In a recent 51% attack on the Bitcoin Cash network, coordinated by the BTC.com and BTC.top mining pools, the two pools reorganized the chain; since then the price of Bitcoin Cash has appreciated against both USD and BTC.
A 51% attack happens when a single party controls the majority of the mining (hash) power on a proof-of-work blockchain. A majority block producer can prevent other participants from mining and can reverse transactions by mining a competing branch that accumulates more work than the one containing them.
While most people assume a 51% attack is carried out with malicious intent, in this case the two pools acted to stop an unknown party from taking coins that, because of a code update, were effectively “available for anyone” to spend.
How the attack unfolded
According to Cryptoconomy Podcast host Swann, the two pools, holding majority control of the network’s hash rate, carried out the attack to prevent an unknown miner from taking coins that had been sent to an “anyone can spend” address following the original Bitcoin Cash hard fork in 2017.
The identity of the party the pools were reacting to is unknown. When one code change was removed during Bitcoin Cash’s May 15 hard fork, these coins suddenly became spendable, “essentially giving the coins to miners,” he added. The unknown attacker did his best to take the coins; that is when BTC.top and BTC.com swooped in to reverse those transactions.
51% attacks have generally been viewed as an undesirable and unprofitable way to steal funds, since they require a massive amount of computing power, and once a network is considered compromised, users would presumably flee.
Hash rate distribution
According to statistics on Coin.Dance, BTC.top and BTC.com control 43% of the Bitcoin Cash mining hash rate.
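To make the mechanism concrete, here is an added simulation, not code from Bitcoin Cash or from any of the pools involved, of how a majority of hash power reverses a confirmed transaction: nodes follow the branch with the most cumulative work, so a heavier branch mined from an earlier block replaces the one that confirmed the transaction. The blocks, work values and transaction ids are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Block:
    id: str
    parent: Optional[str]     # None for the genesis block
    work: int                 # proof-of-work contributed by this block (abstract units)
    txs: Tuple[str, ...]      # transaction ids this block confirms


class Chain:
    """Minimal block tree with heaviest-chain (most cumulative work) selection."""

    def __init__(self, genesis: Block):
        self.blocks: Dict[str, Block] = {genesis.id: genesis}

    def add(self, block: Block) -> None:
        if block.parent not in self.blocks:
            raise ValueError(f"unknown parent {block.parent}")
        self.blocks[block.id] = block

    def cumulative_work(self, tip: str) -> int:
        total, cur = 0, tip
        while cur is not None:
            total += self.blocks[cur].work
            cur = self.blocks[cur].parent
        return total

    def tips(self) -> List[str]:
        parents = {b.parent for b in self.blocks.values()}
        return [bid for bid in self.blocks if bid not in parents]

    def best_tip(self) -> str:
        # Ties resolve to the first-seen tip, as nodes do for equal-work forks.
        return max(self.tips(), key=self.cumulative_work)

    def active_chain(self) -> List[str]:
        path, cur = [], self.best_tip()
        while cur is not None:
            path.append(cur)
            cur = self.blocks[cur].parent
        return list(reversed(path))

    def confirmed_txs(self) -> Set[str]:
        return {tx for bid in self.active_chain() for tx in self.blocks[bid].txs}


def simulate_majority_reorg():
    """Constructed scenario modelled on the page's description: a transaction sweeping the
    'anyone can spend' coins is confirmed by minority miners; pools with majority hash rate
    mine a competing branch from the same parent that omits it and, having more work, win."""
    chain = Chain(Block("G", None, 0, ()))
    chain.add(Block("A1", "G", 10, ("tx_normal_1",)))
    chain.add(Block("A2", "A1", 10, ("tx_sweep_anyone_can_spend",)))   # minority branch confirms the sweep
    sweep = "tx_sweep_anyone_can_spend"
    before = {"tip": chain.best_tip(), "sweep_confirmed": sweep in chain.confirmed_txs()}

    # Majority pools mine faster, so their branch from A1 accrues more work in the same time.
    chain.add(Block("B2", "A1", 12, ("tx_normal_2",)))
    chain.add(Block("B3", "B2", 12, ("tx_pool_reclaim",)))
    after = {"tip": chain.best_tip(), "sweep_confirmed": sweep in chain.confirmed_txs(),
             "chain": chain.active_chain(),
             "orphaned": [t for t in chain.tips() if t != chain.best_tip()]}
    return before, after


if __name__ == "__main__":
    before, after = simulate_majority_reorg()
    print("before:", before)
    print("after: ", after)
```

The model ignores difficulty adjustment and block propagation delay; what it keeps is the one rule that matters for the page’s point, that a confirmed transaction is only as final as the work piled on top of it relative to what a majority can produce.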
Unpatched Code Execution Zero-day Vulnerability Found in Notepad – Google Security Researcher
Well-known Google security researcher Tavis Ormandy revealed that he discovered a critical code execution zero-day vulnerability in Notepad.
Notepad is the simple text editor bundled with Microsoft Windows, a basic text-editing program that lets users create documents. It was first released as a mouse-based MS-DOS program in 1983.
Tavis has already reported the vulnerability to Microsoft and given them 90 days to fix it, in line with Google Project Zero’s strict vulnerability disclosure deadline policy, under which the disclosure process is openly documented in a publicly visible bug tracker if the vendor fails to patch within the deadline.
He announced the bug on his Twitter feed, saying “this is a real bug,” adding that “it’s a real memory corruption exploit” and not a case of “clearly, an attacker cannot right click dialogs, so that is not a security bug.” In the screenshot he posted, the exploit spawns a Windows command prompt from within the Notepad process.
Since the bug is under the 90-day disclosure policy, Tavis declined to share further details, but confirmed that he has developed a working exploit for this code execution vulnerability in Notepad.
Chaouki Bekrar, founder of Zerodium, said Tavis is not the first person to find this flaw, but he is the first to report it to Microsoft.
Asked about the details of the vulnerability, Tavis said he plans to write a blog post about the discovery along with the exploitation.
Details can be expected after Microsoft releases a security patch; we will update this post with complete information once he publishes it.
Tavis has found many other vulnerabilities in various software and services, including Ghostscript, Cloudflare, BitTorrent, Keeper, and more.
Chinese Hackers Infect Over 50,000 Windows MS-SQL and phpMyAdmin Servers Worldwide with 20 Different Payloads
A new China-based campaign dubbed Nansh0u targets Windows MS-SQL and phpMyAdmin servers worldwide, primarily servers belonging to the healthcare, telecommunications, media, and IT sectors.
Guardicore Labs detected the campaign at the beginning of April, but the attacks date back to February 26. Throughout the campaign the threat actors used 20 different payloads, creating at least one new payload a week and deploying it immediately. “Hackers used a combined set of five attack servers, and six connect-back servers suggests an established process of continuous development which was well thought of by the attackers.” More than 50,000 servers were breached in this campaign; once compromised, each server was infected with a malicious payload that in turn drops a crypto-miner mining TurtleCoin and a sophisticated kernel-mode rootkit.
Nansh0u is not just a crypto-mining campaign: the attackers used advanced techniques usually associated with APT groups, such as fake certificates and privilege escalation exploits.
Attack on MS-SQL and phpMyAdmin servers
The attack starts with a series of login attempts against MS-SQL servers to gain administrator privileges. The attackers’ infrastructure combines the following modules to attack MS-SQL servers:
Port scanner – Detects MS-SQL servers by IP and determines the status of the MS-SQL ports.
MS-SQL brute-force tool – Attempts to log in to the MS-SQL server using thousands of common credentials.
Remote Code Executor – If the port scan and brute force succeed, the next step is to breach the server and run the payload.
A privilege escalation vulnerability, CVE-2014-4113 in the Windows kernel-mode driver win32k.sys, was exploited to run the programs with SYSTEM privileges.
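The brute-force stage above is visible on the server side: SQL Server writes every failed login (error 18456) to its ERRORLOG with the offending client address. The following Python is an added example, not Guardicore’s tooling or the attackers’ code, that parses a constructed ERRORLOG excerpt and flags clients with a burst of failures inside a sliding window; the log lines and addresses are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SQL Server ERRORLOG excerpt in the shape of 'Login failed' (error 18456) entries.
# Not a real log; the client addresses are documentation ranges.
ERRORLOG = """\
2019-04-01 12:00:01.23 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.50]
2019-04-01 12:00:01.41 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.50]
2019-04-01 12:00:01.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.50]
2019-04-01 12:00:02.05 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.50]
2019-04-01 12:00:02.30 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.50]
2019-04-01 12:00:02.58 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.50]
2019-04-01 12:00:02.91 Logon       Login failed for user 'sql'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.50]
2019-04-01 12:00:03.14 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.50]
2019-04-01 12:15:40.02 Logon       Login failed for user 'reportsvc'. Reason: Password did not match that for the login provided. [CLIENT: 10.1.1.5]
2019-04-01 12:16:05.88 Logon       Login failed for user 'reportsvc'. Reason: Password did not match that for the login provided. [CLIENT: 10.1.1.5]
"""

FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+Login failed for user '(?P<user>[^']*)'\."
    r".*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failed_logins(text):
    """Return (timestamp, client, user) for each failed-login line."""
    events = []
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            events.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"), m["client"], m["user"]))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Flag clients that produce at least `threshold` failures inside any `window`-long span.

    The two-pointer sweep keeps the check linear in the number of events per client."""
    by_client = defaultdict(list)
    for ts, client, user in events:
        by_client[client].append((ts, user))
    alerts = []
    for client, items in by_client.items():
        items.sort()
        start, best = 0, 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append({"client": client, "max_failures_in_window": best,
                           "users_tried": sorted({u for _, u in items}),
                           "first": items[0][0].isoformat(sep=" "),
                           "last": items[-1][0].isoformat(sep=" ")})
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(parse_failed_logins(ERRORLOG)):
        print(f"{a['client']}: {a['max_failures_in_window']} failures within 60s, "
              f"users {a['users_tried']}, {a['first']} .. {a['last']}")
```

A burst of failures followed by a successful login from the same client is the event worth paging on. Also confirm that the instance’s login auditing is not set to none, that port 1433 is not reachable from the internet, and that `sa` is disabled or renamed; the campaign’s foothold was a guessable password, not a software bug.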
Guardicore analyzed the 20 payload samples collected from the attackers’ servers and its Global Sensor Network; each payload is a wrapper with several functions:
1. Execute the crypto-currency miner;
2. Create persistence by writing registry Run keys;
30 May, 2019
Chinese Military Preparing to Build a New Operating System to Replace Windows OS – Fear of U.S Hacking
The Chinese military is reportedly preparing to build a new, independent operating system to replace Windows for its military operations.
By having a custom operating system, China believes it can prevent U.S. hacking attempts against its military networks and protect its secrets.
According to a report published by the Canada-based military magazine Kanwa Asian Defence, this massive task has been assigned to an “Internet Security Information Leadership Group,” but there has been no official release from either the Chinese military or any Chinese government media outlet.
The Chinese military would not choose Linux; instead it would prefer a custom operating system relying on “security through obscurity,” the approach of using secrecy of the design or implementation as the primary means of securing a system. Security engineers generally consider that approach inadequate on its own, since the protection evaporates as soon as the design leaks or is reverse engineered.
China believes that developing a custom operating system will strongly prevent foreign threats, especially hacking attempts from the United States of America.
Major leaks of the past decade, such as WikiLeaks’ Vault 7, the Edward Snowden disclosures, and the Shadow Brokers leak of NSA cyber weapons, exposed U.S. capabilities and suggested that the U.S. can compromise almost any device running Windows, macOS, or Linux.
The group does not trust UNIX, the multi-user, multitasking operating system used on some servers within the People’s Liberation Army (PLA), either, Kanwa reported.
According to The Epoch Times, which first reported this plan, “The group also believes that the German-developed programmable logic controller (PLC), used in 70 percent of China’s industrial control system today, poses huge risks to China’s national security. In its opinion, China is not a ‘network superpower,’ but merely a ‘network giant.’”
The internet information leadership group assigned to develop the operating system will report directly to the Central Committee of the Chinese Communist Party (CCP), the report said.
30 May, 2019
Internet scans found Nearly One Million Systems being Vulnerable to Wormable BlueKeep Remote Desktop Protocol RCE Vulnerability.
Nearly one million computers on the public internet are still vulnerable to the wormable BlueKeep RDP flaw. Even though Microsoft fixed the vulnerability on May 14, about 950,000 unpatched devices running older Windows versions remain exposed.
We reported on the BlueKeep vulnerability earlier this week. Successful exploitation allows an unauthenticated attacker to execute arbitrary code on the Windows machine and install programs with elevated privileges.
The vulnerability is tracked as CVE-2019-0708 and affects multiple Windows versions, both supported and end-of-life ones.
Robert Graham scanned the internet for port 3389, used by Remote Desktop, to find potentially vulnerable machines and found 923,671 still vulnerable to the BlueKeep bug.
For the scan, Graham used rdpscan, a tool built on his masscan port scanner, which sweeps the entire internet and then checks each responding host for the BlueKeep vulnerability.
The result indicates that even after the patch was released, organizations and individuals are not actively patching. “When the worm hits, it’ll likely compromise those million devices. This will likely lead to an event as damaging as WannaCry and notPetya from 2017 — potentially worse,” said Graham.
Bad Packets observed scanning activity associated with the BlueKeep vulnerability originating from Russia, the Netherlands, and China.
GreyNoise Intelligence observed a threat actor actively scanning for BlueKeep via Tor exit nodes.
McAfee, Kaspersky, Check Point, and MalwareTech have each created a proof-of-concept (PoC) for CVE-2019-0708 that achieves remote code execution on the victim’s machine.
Mitigations
⏺ Block Remote Desktop Services if they are not in use.
⏺ Block TCP port 3389 at the enterprise perimeter firewall.
⏺ Apply the patch to vulnerable machines that have RDP enabled.
⏺ Enable Network Level Authentication (NLA), which Microsoft lists as a partial mitigation because it requires authentication before the vulnerable code path is reached.
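Graham’s scan starts the way any RDP client does, with an X.224 Connection Request carrying an RDP negotiation request. The following Python is an added example (not rdpscan or masscan code) that builds that request, parses the server’s Connection Confirm and classifies the answer for a triage list; the byte layout follows MS-RDPBCGR. It does not test for CVE-2019-0708 itself: it only tells you that RDP is reachable and whether the server insists on Network Level Authentication, which Microsoft lists as a partial mitigation. The sample replies are constructed byte strings.

```python
import socket
import struct

# requestedProtocols flags in RDP_NEG_REQ (MS-RDPBCGR 2.2.1.1.1).
PROTOCOL_RDP = 0x00000000      # legacy RDP security
PROTOCOL_SSL = 0x00000001      # TLS
PROTOCOL_HYBRID = 0x00000002   # CredSSP, i.e. Network Level Authentication

# failureCode values in RDP_NEG_FAILURE (MS-RDPBCGR 2.2.1.2.2).
NEG_FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols=PROTOCOL_RDP):
    """TPKT + X.224 Connection Request + RDP_NEG_REQ. Asking for legacy RDP security only
    is what exposes whether the server will talk pre-authentication RDP at all."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)   # type, flags, length, protocols (LE)
    # X.224 CR: length indicator, code 0xE0, dst-ref, src-ref, class 0 (all big-endian)
    x224 = struct.pack(">BBHHB", 1 + 2 + 2 + 1 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224                # TPKT v3, reserved, total length


def parse_connection_confirm(data):
    """Parse the server's X.224 Connection Confirm into what was negotiated (or why it failed)."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT packet")
    if struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("TPKT length does not match data")
    li, code = data[4], data[5]
    if code & 0xF0 != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    result = {"negotiation": "none", "selected_protocol": None, "failure": None}
    if li >= 6 + 8 and len(data) >= 19:          # an RDP_NEG_RSP / RDP_NEG_FAILURE follows the header
        ntype, _flags, _length, value = struct.unpack("<BBHI", data[11:19])
        if ntype == 0x02:
            result["negotiation"] = "response"
            result["selected_protocol"] = value
        elif ntype == 0x03:
            result["negotiation"] = "failure"
            result["failure"] = NEG_FAILURE_CODES.get(value, f"unknown({value})")
    return result


def classify(result):
    """Map a parsed confirm to an exposure statement for a BlueKeep-era triage list."""
    if result["negotiation"] == "failure":
        if result["failure"] == "HYBRID_REQUIRED_BY_SERVER":
            return "RDP reachable, NLA enforced (partial mitigation only; still patch)"
        return f"RDP reachable, negotiation failed: {result['failure']} (re-probe requesting TLS)"
    return "RDP reachable and accepts a pre-authentication session: treat as exposed until patched"


def probe(host, port=3389, timeout=3.0):
    """Live exchange: send one request, classify the reply. Not exercised offline."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connection_request())
        data = s.recv(1024)
    return classify(parse_connection_confirm(data))


if __name__ == "__main__":
    print(build_connection_request().hex())
    # Constructed replies: an NLA-enforcing server, a server accepting legacy RDP, and an old
    # server that answers with a bare Connection Confirm (no negotiation bytes at all).
    for reply in ("030000130ed000001234000300080005000000",
                  "030000130ed000001234000200080000000000",
                  "0300000b06d00000123400"):
        print(classify(parse_connection_confirm(bytes.fromhex(reply))))
```

Requesting only legacy RDP security is deliberate: a server that enforces NLA answers with RDP_NEG_FAILURE code 5 (HYBRID_REQUIRED_BY_SERVER), while one that accepts a pre-authentication session answers with a negotiation response or, for old servers, a bare Connection Confirm. Only `probe()` touches the network; everything else runs offline.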
World’s Most Dangerous Laptop With 6 Popular Malware Sold at $1.3 million
A laptop loaded with six of the most dangerous pieces of malware of all time was sold at auction. The malware on it is blamed for financial damages totaling $95 billion.
It is arguably the most dangerous machine in the world right now, and it runs the Windows XP operating system, for which Microsoft ended support on April 8, 2014.
Artist Guo O Dong created the piece, dubbed “The Persistence of Chaos,” with some of the deadliest malware in the world. The laptop is a regular 10.2-inch Samsung NC10-14GB running Windows XP (SP3). Guo O Dong told The Verge that the “intention behind the laptop was to make physical the abstract threats posed by the digital world.” Cybersecurity firm Deep Instinct commissioned the project.
A live stream of the laptop is available; the piece is isolated and air-gapped to prevent the malware from spreading.
In 2000, ILOVEYOU, also known as the “Love Bug,” exploited human nature by disguising itself as a love letter and tricking recipients into opening it. Within hours, computer systems across the world were tied up by this virus.
SoBig ($37.1 Billion)
In August 2003, SoBig appeared, infecting millions of computers across the world. SoBig evolved several times, making it hard to catch.
The MyDoom (or Novarg) virus is another worm that creates a backdoor in the victim computer’s operating system. The original MyDoom virus — there have been several variants — had two triggers. One trigger caused the virus to begin a denial of service (DoS) attack starting Feb. 1, 2004.
The WannaCry ransomware outbreak hit many countries around the world; Russia, Ukraine, India, and Taiwan were among those hit hardest.
BlackEnergy uses injection techniques, robust encryption, and a modular architecture known as a “dropper.” It was used in cyber attacks targeting Ukraine.
Catfishing: a deceptive tactic where a fake identity on a social network account targets a specific victim for deception. The catfisher develops a quick romance online, never shows their face, is always in need of financial assistance, and their elaborate story has tugged on your heartstrings. They seem so helpless...
Last tactic of this series: Helplessness
People are willing to help when approached:
🙋🏼♀️ I’m lost, can you help me find this location?
🙋🏾♂️ It’s my kid’s birthday and I need this to go through right away. .
🙍🏻♀️ My wife will kill me if I don’t get this done, is there a way to expedite this?.
🧔🏻 Starting a new venture/business but I can’t move forward w/o you. You’re my only hope. Please 🙏🏽.
💁🏽♀️ These boxes are so heavy, could you give me a hand?
True story: “I’m coming into a big contract. But I need your help in managing the business. It’s too much. I’m not in the business of having people work for me for free... so let me ask you: how much are you worth? Once we get the details of the business going, I can officially hire you at your pay.” (You’d be working for free, mind you, until the contract gets signed. Hint: it never existed.)
It’s a tactic I heard all the time in the cases I worked on.
This is a child support scam that we found. This person was building a business that was a front for another scam in the background, funneling so-called income through a “legit” business and turning around to fund the illegitimate business. Unfortunately, the children suffer the most in this type of scam.
When I was working for the government, I dealt with all types of con artists: major frauds against the most vulnerable people, immigrants and senior citizens. Mortgage fraud, HUD fraud, IRS tax fraud, and refinancing fraud are among the most common here in the USA 🇺🇸
How you can protect yourself and loved ones:
📵 never return their call
🏧 if it is too good to be true, IT IS!
📳 a legitimate agency will never call and threaten you
✅ verify who you’re doing business with and never put forward money you aren’t ready to lose.
🤭 if the conman tells you not to tell anyone, share it with everyone
Have you ever rooted a server but didn't have any luck cracking the hashes in /etc/shadow?
What if I told you that you could read clear-text passwords from inbound SSH logons... using fewer than 40 lines of Bash?
I wrote this little PoC named "leech", which sets a trap for system admins by attaching to the sshd process (and its subprocesses) and logging the relevant syscalls. When someone attempts to log in, their username and password are logged in clear text.
Going to add features for logging SMB and FTP/SFTP credentials too, then I just need to add an elegant exfil feature so this can run unattended.
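The defensive counterpart to the trap described in the post above: on Linux, any process that has been ptrace-attached reports its tracer in the `TracerPid` field of `/proc/<pid>/status`, so a periodic check of sshd processes catches this class of credential sniffer. The following Python is an added example, not the poster’s `leech` tool; the `/proc` status excerpts are constructed.

```python
import os

# Constructed /proc/<pid>/status excerpts (only the fields this check reads). Not from a real host.
SAMPLE_STATUS = [
    (812,  "Name:\tsshd\nState:\tS (sleeping)\nPid:\t812\nPPid:\t1\nTracerPid:\t0\n"),
    (4402, "Name:\tbash\nState:\tS (sleeping)\nPid:\t4402\nPPid:\t4390\nTracerPid:\t0\n"),
    (4410, "Name:\tsshd\nState:\tt (tracing stop)\nPid:\t4410\nPPid:\t812\nTracerPid:\t4402\n"),
    (4411, "Name:\tsshd\nState:\tS (sleeping)\nPid:\t4411\nPPid:\t4410\nTracerPid:\t4402\n"),
]


def parse_status(text):
    """Parse the 'Key:\\tvalue' lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def traced_processes(statuses, name="sshd"):
    """Return every process called `name` whose TracerPid is non-zero,
    i.e. something has ptrace-attached to it (strace, gdb, or a sniffer like the one above)."""
    hits = []
    for pid, text in statuses:
        f = parse_status(text)
        if f.get("Name") != name:
            continue
        tracer = int(f.get("TracerPid", "0"))
        if tracer:
            hits.append({"pid": pid, "ppid": int(f.get("PPid", "0")),
                         "tracer_pid": tracer, "state": f.get("State", "")})
    return hits


def read_proc_statuses():
    """Live reader for Linux: yields (pid, status text) for every process you are allowed to read."""
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/status", encoding="utf-8") as fh:
                yield int(entry), fh.read()
        except OSError:
            continue          # process exited or not readable; skip


def ptrace_scope():
    """Yama setting: 0 = same-uid attach allowed, 1 = descendants only, 2 = CAP_SYS_PTRACE only,
    3 = no attach at all (locked until reboot). None if Yama is not available."""
    try:
        with open("/proc/sys/kernel/yama/ptrace_scope", encoding="utf-8") as fh:
            return int(fh.read().strip())
    except OSError:
        return None


if __name__ == "__main__":
    for h in traced_processes(read_proc_statuses()):
        print(f"sshd pid {h['pid']} (ppid {h['ppid']}, {h['state']}) is traced by pid {h['tracer_pid']}")
    print("kernel.yama.ptrace_scope =", ptrace_scope())
```

Because the post assumes root, a `ptrace_scope` of 1 does not help (CAP_SYS_PTRACE overrides it); only `kernel.yama.ptrace_scope=3`, which disables attaching entirely until reboot, removes the technique, at the cost of breaking debuggers and strace on that host. Until then, a non-zero TracerPid on sshd is the signal to act on.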
My job wants me to "automate our SOC", so I've been developing a "virtual analyst" that will integrate with our SIEM and automatically analyze the alert data it receives. Among other things, the virtual analyst uses IBM's X-Force API and VirusTotal's API to collect and compile analysis data (just like a real analyst would). Anyway, here is a peek at the interactive PoC for the VirusTotal API.
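For the VirusTotal part of the virtual analyst described above, the following Python is an added example (not the poster’s code) of a file-hash lookup against the VirusTotal API v3 and a triage rule over the `last_analysis_stats` counts. The response object is constructed to match the v3 shape; the verdict thresholds are assumptions to tune per environment, and a real `x-apikey` is needed for the live call.

```python
import json
import urllib.error
import urllib.request

VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{}"

# Constructed response in the shape of a VirusTotal API v3 file object (only the fields used
# here). The counts and label are made up; this is not a real report.
SAMPLE_REPORT = {
    "data": {
        "id": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
        "type": "file",
        "attributes": {
            "last_analysis_stats": {"malicious": 41, "suspicious": 2, "undetected": 27,
                                    "harmless": 0, "timeout": 0, "type-unsupported": 3, "failure": 0},
            "popular_threat_classification": {"suggested_threat_label": "trojan.agent/generic"},
        },
    }
}


def fetch_file_report(sha256, api_key, timeout=15):
    """GET /files/{hash}. Returns the parsed JSON, or None when VirusTotal has never seen the hash."""
    req = urllib.request.Request(VT_FILE_URL.format(sha256), headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


def triage(report, malicious_min=5, ratio_min=0.25):
    """Turn a report into the verdict an analyst would record.

    Both thresholds are assumptions: a handful of generic hits on a widely distributed file
    is a common false positive, so the rule wants both an absolute count and a share of engines."""
    if report is None:
        return {"verdict": "unknown", "reason": "hash not in VirusTotal; sandbox it or submit it"}
    attrs = report["data"]["attributes"]
    stats = attrs["last_analysis_stats"]
    malicious = stats.get("malicious", 0)
    suspicious = stats.get("suspicious", 0)
    scanned = malicious + suspicious + stats.get("undetected", 0) + stats.get("harmless", 0)
    ratio = (malicious / scanned) if scanned else 0.0
    label = attrs.get("popular_threat_classification", {}).get("suggested_threat_label")
    if malicious >= malicious_min and ratio >= ratio_min:
        verdict = "malicious"
    elif malicious or suspicious:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "malicious": malicious, "suspicious": suspicious,
            "scanned": scanned, "ratio": round(ratio, 3), "label": label}


if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
    print(triage(None))
```

Treat the verdict as one input among several: a low ratio on a widely distributed file is usually a generic heuristic, a hash VirusTotal has never seen is not evidence of cleanliness, and the public API is rate-limited, so cache results by hash before wiring this into an alert pipeline.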