Yesterday at #FIRSTCON19 our Patrick Ventuzelo held his presentation "Analyze & Detect #WebAssembly #Cryptominer". His slides are available here: https://www.first.org/resources/papers/conf2019/FIRST2019_wasm_cryptominer_full_Patrick-Ventuzelo.pdf
Many thanks for your talk and representing #QuoScient , Pat!
Israeli forensics firm and well-known law enforcement contractor Cellebrite released a public statement that it can unlock any iOS and high-end Android device for law enforcement agencies.
Cellebrite Mobile Synchronization is an Israeli company that manufactures data extraction, transfer and analysis devices for cellular phones and mobile devices.
Last year Cellebrite claimed that its engineers have the ability to unlock any iPhone, including the much-anticipated iPhone X, in 2018.
The Universal Forensic Extraction Device (UFED) is Cellebrite's flagship product. Cellebrite claims that, as of June 2012, the UFED could extract data from nearly 8,200 devices, including smartphones, PDAs, cell phones, GPS devices and tablet computers. The UFED can extract, decrypt, parse and analyze phonebook contacts, all types of multimedia content, SMS and MMS messages, call logs and electronic serial numbers (ESN). UFED Premium, a new premium product Cellebrite has released, can unlock and extract data from iOS and Android devices.
Shockingly, they claim to unlock iPhones running iOS 12.3, released just a month ago, and the exploit they use to break into the phone is completely unknown.
Cellebrite announced the product on Twitter: “Cellebrite is proud to introduce #UFED Premium! An exclusive solution for law enforcement to unlock and extract data from all iOS and high-end Android devices.” The description of the premium tool on Cellebrite's website says, “Bypass or determine locks and perform a full file system extraction on any iOS device, or a physical extraction or full file system (File-Based Encryption) extraction on many high-end Android devices, to get much more data than what is possible through logical extractions and other conventional means.” The new premium tool lets law enforcement agencies gain access to third-party app data, chat conversations, downloaded emails and email attachments, deleted content, and more.
Free Open Source Penetration Testing Distro BackBox Linux 6 Released with new Hacking Tools
BackBox Linux is a free, open source penetration testing and security assessment oriented Linux distribution providing a network and systems analysis toolkit.
It has been developed to perform penetration tests and security assessments, and is designed to be fast, easy to use and to provide a minimal yet complete desktop environment.
BackBox Linux includes some of the most commonly known and used security and analysis tools, covering a wide range of goals, from web application analysis to network analysis, stress tests, sniffing, vulnerability assessment, computer forensic analysis, automotive and exploitation.
It is built on the Ubuntu core system yet fully customized, and is designed to be one of the best penetration testing and security distributions.
As usual, this major release includes many updates: a new kernel, updated tools and some structural changes, with a focus on maintaining stability and compatibility with Ubuntu 18.04 LTS.
What’s new in BackBox Linux 6:
Updated Linux kernel 4.18
Updated desktop environment
Updated hacking tools
Updated ISO Hybrid with UEFI support
Minimum system requirements:
32-bit or 64-bit processor
1024 MB of system memory (RAM)
10 GB of disk space for installation
Graphics card capable of 800×600 resolution
DVD-ROM drive or USB port (3 GB)
The ISO images for both 32-bit and 64-bit can be downloaded from the download section of the official website.
BackBox Linux is now available on the Amazon Web Services cloud platform. Within a few clicks, you can now have access to the official BackBox AMI.
The campaign targets all regions; the most heavily targeted countries are China and India. It targets a wide range of industries, including education, communication and media, banking, manufacturing, and technology.
Bypassing and Disabling SSL Pinning on Android to Perform Man-in-the-Middle Attack
Certificate pinning is an extra layer of security that protects against man-in-the-middle attacks. It ensures that only specified Certificate Authorities (CAs) can sign certificates for your domain, rather than any CA in the device's trust store.
Application developers implement certificate pinning to avoid reverse engineering: it allows developers to specify which certificate the application is allowed to trust, instead of relying on the certificate store.
POST: PRET - Printer Exploitation Toolkit.
PRET is available on GitHub.
Academic researchers Andrew Kwong and Daniel Genkin from the University of Michigan, Daniel Gruss from Graz University and Yuval Yarom from the University of Adelaide and Data61 disclosed the attack method.
The FIN8 hacker group is back with a new, highly sophisticated variant of the ShellTea malware and has carried out attacks against the hotel and entertainment industry. This would be the first attack by FIN8 in 2019, and it is believed that the malware was deployed as a result of a phishing attack.
Researchers from Morphisec Labs observed a new campaign between March and May 2019 that “attempted to infiltrate several machines within the network of a customer in the hotel-entertainment industry.”
Messaging Service Telegram Hit by a Powerful DDoS Attack
The secure messaging app Telegram was hit by a powerful DDoS attack, and users in the United States and other countries may experience connection issues with Telegram.
Telegram is a free instant messaging app like WhatsApp, well known for its encryption, privacy and self-destructing private messages. With Telegram, you can access your messages across multiple devices.
Telegram explained the attack on Twitter: “A DDoS is a “Distributed Denial of Service attack”: your servers get GADZILLIONS of garbage requests which stop them from processing legitimate requests. Imagine that an army of lemmings just jumped the queue at McDonald’s in front of you – and each is ordering a whopper.” “The server is busy telling the whopper lemmings they came to the wrong place – but there are so many of them that the server can’t even see you to try and take your order.” “To generate these garbage requests, bad guys use “botnets” made up of computers of unsuspecting users which were infected with malware at some point in the past. This makes a DDoS similar to the zombie apocalypse: one of the whopper lemmings just might be your grandpa.”
Telegram confirmed that user data is safe: “There’s a bright side: All of these lemmings are there just to overload the servers with extra work – they can’t take away your BigMac and coke. Your data is safe.” A DDoS is a type of attack in which attackers use multiple compromised systems, often infected with a Trojan, to target a single system, producing a denial of service (DoS).
Later Telegram confirmed that the situation had stabilized: “for the moment, things seem to have stabilized.”
Microsoft Security Updates Fix 88 Vulnerabilities Including 4 SandboxEscaper Leaked Zero-days
Microsoft released its June 2016 security update under Patch Tuesday, fixing 88 vulnerabilities that affected different Microsoft products.
In this June update, Microsoft fixed vulnerabilities affecting the following software:
⚪Microsoft Windows
⚪Microsoft Office and Microsoft Office Services and Web Apps
⚪Skype for Business and Microsoft Lync
⚪Microsoft Exchange Server
Microsoft also fixed 4 previously unknown zero-day vulnerabilities that were leaked by SandboxEscaper; none of them is known to be under active exploitation or incorporated into malware.
CVE-2019-0973 – Windows Installer Elevation of Privilege Vulnerability
CVE-2019-1053 – Windows Shell Elevation of Privilege Vulnerability
CVE-2019-1064 – Windows Elevation of Privilege Vulnerability
CVE-2019-1069 – Task Scheduler Elevation of Privilege Vulnerability
SandboxEscaper posted the vulnerability details with PoC exploits on her GitHub over a month ago; at this point, four of the five zero-day bugs are fixed and the remaining one is not yet patched, since it was leaked very recently.
Of the 88 vulnerabilities patched by Microsoft this month, 21 are rated critical, 66 important and one moderate.
Microsoft also released an advisory for third-party fixes, including Adobe Flash Player, Microsoft Devices and Servicing Stack Updates.
The advisory includes the Bluetooth Low Energy vulnerability that was disclosed in May. “Due to a misconfiguration in the Bluetooth pairing protocols, it is possible for an attacker who is physically close to a user at the moment he/she uses the security key to communicate with the security key.” Google and Feitian have issued advisories for customers of these keys, and Google assigned CVE-2019-2102 to this vulnerability.
Two moderate vulnerabilities, CVE-2019-1040 and CVE-2019-1019, were also patched by Microsoft; they allowed attackers to remotely execute malicious code on any Windows machine or to authenticate to any web server.
Adobe Security Update fixes Critical Vulnerabilities in Flash Player, Campaign and ColdFusion
Adobe released security updates that fix code execution vulnerabilities in Flash Player, Campaign and ColdFusion. The security updates cover Windows, macOS, Linux and Chrome OS.
Adobe Flash Player
The security update addresses a critical vulnerability in Adobe Flash Player that allows an attacker to execute arbitrary code on the vulnerable machine in the context of the current user. The Flash Player update is for Windows, macOS, Linux and Chrome OS.
The vulnerability is tracked as CVE-2019-7845.
Affected versions:
Adobe Flash Player Desktop Runtime 126.96.36.199 and earlier
Adobe Flash Player for Google Chrome 188.8.131.52 and earlier
Adobe Flash Player for Microsoft Edge and Internet Explorer 11 184.108.40.206 and earlier
Updated versions:
Adobe Flash Player Desktop Runtime 220.127.116.11
Adobe Flash Player for Google Chrome 18.104.22.168
Adobe Flash Player for Microsoft Edge and Internet Explorer 11 22.214.171.124
Adobe Flash Player Desktop Runtime 126.96.36.199
Adobe Campaign Classic
Adobe addressed seven vulnerabilities in Campaign Classic; successful exploitation results in arbitrary code execution.
While phishing and spear phishing attacks are similar, there are many key differences to be aware of. A phishing campaign is very broad and automated; think 'spray and pray'. It doesn't take a lot of skill to execute a massive phishing campaign. Most phishing attempts are after things like credit card data, usernames and passwords, and are usually a one-and-done attack.
On the other hand, spear phishing is highly targeted, going after a specific employee, company, or individuals within that company. This approach requires advanced hacking techniques and a great amount of research on the targets. Spear phishers are after more valuable data such as confidential information, business secrets, and things of that nature. That is why a more targeted approach is required: they find out who has the information they seek and go after that particular person. A spear phishing email is really just the beginning of the attack, as the bad guys attempt to get access to the larger network.
Protect Yourself from Phishing attempts, Malware & ads Trackers Using Surfshark VPN’s CleanWeb
Nowadays all our activities depend heavily on the Internet, including shopping, financial services, communication, entertainment and a number of other services. The Internet enables many things; on the other hand, it poses certain dangers.
According to recent reports, there is a massive increase in the variety of threats and in the sophistication of the methods attackers follow. Anyone can fall victim to cyber attacks, from tech giants to individuals.
Using a VPN can enhance your overall Internet security by creating a private connection between your device and the VPN server; from the server, the traffic is routed onward anonymously.
Before choosing a VPN, several factors should be considered, including speed, security, server location and cost. Premium VPN services such as Surfshark provide the CleanWeb feature, which blocks phishing attempts, malware, ads and trackers that bother you.
By using a VPN, all your file transfers from your computer or mobile phone are encrypted using the AES-256-GCM algorithm, and your IP address is hidden, which makes it difficult for trackers to determine your location or identity.
CleanWeb is available for all popular platforms, including Windows, macOS, iOS and Android, and for the Firefox and Chrome browsers.
Using public WiFi is not recommended; if you have to use public WiFi, the best way is with the VPN, which gives you a stable connection and secures your data from prying eyes. You can also switch between VPN servers as many times as you want.
How CleanWeb Protects You from Cybersecurity Threats
Scammers use various stealth methods to deliver phishing emails that appear to come from a bank, a tax return service, or other sources. With these methods, hackers can loot a barrage of personal and financial data, which results in high-impact attacks.
India’s Biggest Star Amitabh Bachchan’s Twitter Account Hacked
Indian Bollywood megastar Amitabh Bachchan’s Twitter account was compromised by a pro-Pakistan Turkish hacker group called Ayyildiz Tim.
The cybercriminals posted multiple tweets against India and replaced Amitabh Bachchan's profile image with a photo of Pakistan Prime Minister Imran Khan.
The hackers posted a statement: “This is an important call to the whole world! We do condemn the irrespective behaviors of Iceland republic towards Turkish footballers. We speak softly but carry a big stick and inform you about the big Cyber attack here. As Ayyıldız Tim Turkish Cyber Army +++”
In a second post: “The Indian State, who mercilessly attacks the Muslims fasting in the month of Ramadan, is attacking the Ummah Muhammad in this age! Indian Muslims are entrusted to us by Abdulhamid.” The hackers also changed the cover image of Amitabh Bachchan's Twitter account to the Ayyildiz Tim logo.
The Maharashtra Cyber Crime unit was informed after the matter was brought to notice. “We have informed our cyber unit and Maharashtra Cyber about the hacked Twitter account of Mr. Bachchan. They are investigating the matter. Further updates awaited,” Mumbai Police spokesperson DCP Manjunath Singe said. The same group previously hacked the Twitter accounts of actors Shahid Kapoor and Anupam Kher, among others.
The Twitter account seems to have been restored within half an hour.
Hackers Exploit Critical Oracle WebLogic Server Vulnerability by Hiding Malware in Certificate Files(.cer)
Hackers are abusing the Oracle WebLogic Server vulnerability CVE-2019-2725 to deliver a Monero miner. The vulnerability is easily exploitable: any unauthenticated attacker with HTTP access to the server can exploit it.
Trend Micro observed new cryptocurrency-mining activity involving the vulnerability, in which certificate files were used to hide the malicious code.
The malware exploits CVE-2019-2725 to execute a PowerShell command that downloads the malicious code obfuscated in a .cer file; the PowerShell script fetches the encoded certificate file from the attacker’s server.
CertUtil, a command-line program installed along with Certificate Services, is used to decode the certificate file.
The extracted file, update.ps1, is executed with a PowerShell command, and the downloaded certificate is deleted afterwards using a separate command. “When we downloaded the certificate file, we noticed that it looked like a normal Privacy-Enhanced Mail (PEM) format certificate. However, upon decoding the base64 content, we found that, instead of the commonly used X.509 TLS file format, it comes in the form of the PS command,” reads the Trend Micro report.
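A defender can catch this trick by checking whether the base64 body of a PEM-wrapped "certificate" actually decodes to a DER structure rather than to script text. The following is an added example, not code from Trend Micro or the post; the two PEM samples are constructed inline and the PowerShell line in the first one is a harmless placeholder, not the real payload.

```python
import base64
import binascii
import re

# Strings a defender would look for in the decoded body; they reflect the
# technique described above (a PowerShell command smuggled inside a .cer file).
SCRIPT_MARKERS = ("powershell", "invoke-", "iex", "certutil",
                  "-encodedcommand", "downloadstring")

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def _der_sequence_spans_buffer(data: bytes) -> bool:
    """True if data starts with an ASN.1 SEQUENCE (tag 0x30) whose DER length
    field accounts for exactly the whole buffer, as a real X.509 certificate does."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short-form length (one byte)
        header, length = 2, first
    else:                                 # long-form: 0x8N followed by N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        header = 2 + n
        length = int.from_bytes(data[2:header], "big")
    return header + length == len(data)


def classify_pem(text: str) -> dict:
    """Classify a PEM-looking file: genuine DER body, script hidden in base64, or neither."""
    m = PEM_RE.search(text)
    if not m:
        return {"verdict": "not-pem"}
    label, body = m.group(1), "".join(m.group(2).split())
    try:
        raw = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return {"verdict": "bad-base64", "label": label}
    # Share of printable bytes: DER is mostly binary, a script is almost all text.
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in raw) / max(len(raw), 1)
    lowered = raw.decode("latin-1").lower()
    markers = [k for k in SCRIPT_MARKERS if k in lowered]
    if _der_sequence_spans_buffer(raw):
        verdict = "der"
    elif printable > 0.9 or markers:
        verdict = "script-in-pem"
    else:
        verdict = "opaque-non-der"
    return {"verdict": verdict, "label": label,
            "printable_ratio": round(printable, 2), "markers": markers}


# Constructed sample 1: PEM wrapper around a harmless PowerShell line, the
# shape Trend Micro describes (the actual payload is deliberately not reproduced).
SCRIPT_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(b"powershell -nop -c \"Write-Output 'constructed sample'\"").decode()
              + "-----END CERTIFICATE-----\n")

# Constructed sample 2: a minimal well-formed DER SEQUENCE (not a full
# certificate) so the structural check has something genuine to accept.
_DER = b"\x30\x03\x02\x01\x01"
DER_PEM = ("-----BEGIN CERTIFICATE-----\n"
           + base64.b64encode(_DER).decode()
           + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for name, pem in (("script", SCRIPT_PEM), ("der", DER_PEM)):
        print(name, classify_pem(pem))
```

Running the check over every file that CertUtil is asked to decode, or over .cer files written by a web server process, flags the PEM-with-script pattern without needing a signature for the specific payload.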
Last month another campaign leveraged the same vulnerability to download Sodinokibi ransomware and encrypt customers’ systems.
It is recommended to patch CVE-2019-2725; the security alert published by Oracle and the patch availability can be found here: https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html
📌Back by popular demand! We are reopening our Cyber Security & Advanced Programming track.
An intensive 10-month training course and paid internship for excellent STEM graduates. Gain expertise in three core areas of computer science: R&D, network security and endpoint security.
In the final stage, gain hands-on experience working full time in a paid internship in the cyber field.
Apply online now at www.itc.tech. "I never thought I'd be interested in Cyber Security, but ITC opened my eyes to this exciting world. I received at ITC thorough training in various fields - malware analysis, penetration testing, reverse engineering, etc. - which helps me tackle my daily challenges at work a year later" - Ophir Harpaz, Security Researcher at Guardicore
RCE Vulnerability in Millions of Exim Email Servers Lets Hackers Execute Arbitrary Commands & Control the Server Remotely
A critical remote command execution vulnerability affecting Exim mail server versions 4.87 to 4.91 lets a local attacker, or a remote attacker (within certain limits), execute arbitrary commands and take over the server.
Exim is a mail transfer agent used on Unix-like operating systems for sending, receiving and routing email messages. It is free software distributed under the terms of the GNU General Public License.
Both local and remote attackers can exploit this vulnerability, but for a remote attacker there are restrictions that depend on certain non-default configurations before arbitrary commands can be executed.
RCE here means remote command execution, not remote code execution: an attacker can execute arbitrary commands with execv(), as root; no memory corruption or ROP (return-oriented programming) is involved in this flaw.
To exploit this vulnerability remotely in the default configuration, an attacker must keep a connection to the vulnerable server open for 7 days, which can be done by transmitting one byte every few minutes.
But because of the complexity of the Exim code, the researchers cannot guarantee that: the exploit takes a long time, but alternative, faster methods may exist.
Exim servers are vulnerable by default since version 4.87 (released on April 6, 2016), and the vulnerability was fixed in version 4.92 in Feb 2019.
According to Qualys, the fix was not identified as a security fix, and most operating systems are therefore affected; for example, the advisory exploits an up-to-date Debian distribution (9.9). “We believe that it makes no sense to delay this any longer than that: this vulnerability is trivially exploitable in the local and non-default cases (attackers will have working exploits before that, public or not); and in the default case, a remote attack takes a long time to succeed,” Openwall reported.
This vulnerability, referred to as “The Return of the WIZard”, is a reference to Sendmail’s ancient WIZ and DEBUG vulnerabilities.
VLC 3.0.7 Released With the fix for 43 Security Vulnerabilities & Other Functions
VLC released security updates that address more security issues than any other release of the VLC player. VLC 3.0.7 fixes 43 security issues: 2 high-severity, 21 medium-severity and 20 low-severity issues.
The two high-severity issues are an out-of-bounds write and a stack buffer overflow. The out-of-bounds write resides in the faad2 library, a dependency of VLC, and the stack buffer overflow in the new RIST module.
The medium-severity issues are mostly out-of-bounds reads, heap overflows, NULL dereferences and use-after-free bugs. Those issues should not be exploitable with ASLR, but are important anyway because they can crash VLC.
The low-severity issues are mostly integer overflows, division by zero and other out-of-bounds reads with no actual impact; those issues are not exploitable, reads Jean-Baptiste Kempf's blog post.
This large number of fixes comes as the European Commission included VLC among the open source tools audited under the EU-Free and Open Source Software Auditing (EU-FOSSA) project to improve the security of free software.
Q1 2019 Top-Clicked Phishing Email Subjects from KnowBe4 [INFOGRAPHIC]
Every quarter, KnowBe4 reports on the top-clicked phishing emails by subject line in three categories: Social, General, and 'In the Wild'. The results for the latter category come from the millions of users who click on KnowBe4's Phish Alert Button to report real phishing emails, allowing its team to analyze the results.
Full report: https://blog.knowbe4.com/q1-2019-top-clicked-phishing-email-subjects-from-knowbe4-infographic
Hacker on Underground Forum Claims to have an RDP and Network Access of Anti Virus Giants Comodo & Symantec
A threat actor going by the name “Achilles” is selling internal access to multinational corporate networks on various underground hacking forums. His primary targets include private companies and government organizations.
His recent posts show that he has access to the corporate networks of well-known organizations such as UNICEF and Transat, and to cybersecurity companies including Comodo Group and Symantec.
Achilles uses living-off-the-land tactics to operate within an organization’s network: he compromises Remote Desktop Protocol (RDP) or uses stolen credentials to connect to the victim network over VPN.
The threat actor gains access to the network through brute-force attacks against remote services and external portals, and later tries to elevate privileges.
Threat Actor Activities Targeting Corporate Networks
According to AdvIntel, on May 4, 2019, Achilles claimed to have access to the UNICEF network and two other private-sector companies. The UNICEF data was priced at $4,000, and the price was later dropped to $2,000. “The majority of Achilles offers are related to breaches into multinational corporate networks via external VPN and compromised RDPs. Targets include private companies and government organizations, primarily in the British Commonwealth.” Achilles has been active on underground forums for the last seven months and has attempted to sell access to several multinational companies.
In April 2019, he posted another set of records, including 600 GB of data from UK companies and RDP and network access.
On May 15, 2019, Achilles posted that he had access to the following organizations, but did not provide any evidence proving access to these networks.
High-profile security companies:
🔹Transat (Transat[.]com)
The threat actor gained a high reputation within the underground community by offering highly sensitive data together with evidence.
Cisco Security Updates – RCE Flaw in Cisco Industrial Network Director Let Hackers Gain Admin Level Access
Cisco released security updates addressing multiple vulnerabilities in Cisco products, including a remote code execution flaw affecting Cisco Industrial Network Director.
This Cisco security release fixes 9 vulnerabilities, two of which are rated high severity; the remaining 7 are categorized as medium severity.
The remote code execution flaw resides in the software update feature of Cisco Industrial Network Director and lets a remote attacker who can authenticate to the system execute arbitrary code and take full control of the vulnerable system. “The vulnerability (CVE-2019-1861) is due to improper validation of files uploaded to the affected application. An attacker could exploit this vulnerability by authenticating to the affected system.”
Cisco fixed this vulnerability in software release 1.6.0 of Cisco Industrial Network Director.
Another high-severity vulnerability (CVE-2019-1845), affecting the Cisco Unified Communications Manager IM&P Service, Cisco TelePresence VCS and Cisco Expressway, lets attackers cause a denial of service.
According to Cisco, this vulnerability affects the following Cisco products if they are running a vulnerable release:
🔹Expressway Series configured for Mobile and Remote Access with IM&P Service (Releases X8.1 to X12.5.2)
🔹TelePresence VCS configured for Mobile and Remote Access with IM&P Service (Releases X8.1 to X12.5.2)
🔹Unified Communications Manager IM&P Service (multiple releases)
Cisco advised affected users to apply these patches immediately to keep their networks safe and secure.
macOS Zero-Day Vulnerability Allows Hackers to Bypass Security Protections With Synthetic Clicks
A new zero-day vulnerability in macOS lets attackers bypass the system's security warnings and easily compromise the system with synthetic clicks. Security researcher Patrick Wardle revealed the vulnerability at his conference, Objective by the Sea, this weekend.
Last year he showed that it was possible to create synthetic clicks with automation scripts in macOS High Sierra; later, in macOS Mojave, the privacy protections were extended.
Now he has found another way to bypass the security protections to perform synthetic clicks and access the user’s data without the user’s consent.
The vulnerability lies in Apple’s code, which checks only for the existence of the certificate but not the integrity of the trusted apps. An attacker can tamper with an application from the list of trusted apps to generate synthetic clicks, which the operating system normally allows for those apps.
Wardle demonstrated the attack with the VLC media player, delivering a malicious plugin that generates a synthetic click on prompts without user consent. “For VLC, I just dropped in a new plugin, VLC loads it, and because VLC loads plugins, my malicious plugin can generate a synthetic click — which is fully allowed because the system sees it's VLC but doesn’t validate the bundle to make sure it hasn’t been tampered with,” he explained to TechCrunch.
To carry out the attack, the attacker needs physical access to the laptop, but does not need elevated privileges.
Wardle reported the vulnerability to Apple a week ago, and the company confirmed the report, but it is unclear when it is scheduled to address the vulnerability.