Posts Tagged ‘hacking’

Immediately Patch Microsoft 0 day vulnerabilities being used to spread SPYWARE!

Thursday, September 14th, 2017

Windows 0-Day Flaw

Get ready to install a fairly large batch of security patches onto your Windows computers.

As part of its September Patch Tuesday, Microsoft has released a large batch of security updates to patch a total of 81 CVE-listed vulnerabilities, on all supported versions of Windows and other MS products.

The latest security update addresses 27 vulnerabilities rated critical and 54 rated important; 38 of the vulnerabilities affect Windows, and 39 could lead to remote code execution (RCE).

Affected Microsoft products include:

  • Internet Explorer
  • Microsoft Edge
  • Microsoft Windows
  • .NET Framework
  • Skype for Business and Lync
  • Microsoft Exchange Server
  • Microsoft Office, Services and Web Apps
  • Adobe Flash Player

.NET 0-Day Flaw Under Active Attack

According to the company, four of the patched vulnerabilities are publicly known, one of which has already been actively exploited by the attackers in the wild.

Here’s the list of publicly known flaws and their impact:

Windows .NET Framework RCE (CVE-2017-8759): a zero-day flaw, discovered by researchers at cybersecurity firm FireEye and privately reported to Microsoft, that resides in the way the Microsoft .NET Framework processes untrusted input data.

Microsoft says the flaw could allow an attacker to take control of an affected system, install programs, view, change, or delete data by tricking victims into opening a specially crafted document or application sent over an email.

The flaw could even allow an attacker to create new accounts with full user rights. Therefore users with fewer user rights on the system are less impacted than users who operate with admin rights.

According to FireEye, this zero-day flaw has actively been exploited by a well-funded cyber espionage group to deliver FinFisher Spyware (FinSpy) to a Russian-speaking “entity” via malicious Microsoft Office RTF files in July this year.

FinSpy is a highly secret surveillance software that has previously been associated with British company Gamma Group, a company that legally sells surveillance and espionage software to government agencies.

Once installed, FinSpy can perform a large number of covert tasks on the victim’s computer, including secretly monitoring the user by turning on the webcam, recording everything the user types with a keylogger, intercepting Skype calls, copying files, and much more.

“The [new variant of FINSPY]…leverages heavily obfuscated code that employs a built-in virtual machine – among other anti-analysis techniques – to make reversing more difficult,” researchers at FireEye said.

“As likely another unique anti-analysis technique, it parses its own full path and searches for the string representation of its own MD5 hash. Many resources, such as analysis tools and sandboxes, rename files/samples to their MD5 hash in order to ensure unique filenames.”

Three Publicly Disclosed Vulnerabilities

The remaining three publicly known vulnerabilities affecting the Windows 10 platform include:

  • Device Guard Security Feature Bypass Vulnerability (CVE-2017-8746): This flaw could allow an attacker to inject malicious code into a Windows PowerShell session by bypassing the Device Guard Code Integrity policy.
  • Microsoft Edge Security Feature Bypass Vulnerability (CVE-2017-8723): This flaw resides in Edge where the Content Security Policy (CSP) fails to properly validate certain specially crafted documents, allowing attackers to trick users into visiting a website hosting malware.
  • Broadcom BCM43xx Remote Code Execution Vulnerability (CVE-2017-9417): this flaw exists in the Broadcom chipset in HoloLens, which could be exploited by attackers to send a specially crafted WiFi packet, enabling them to install programs, view, change, or delete data, even create new accounts with full admin rights.

BlueBorne Attack: Another Reason to Install Patches Immediately

Also, the recently disclosed Bluetooth vulnerabilities known as “BlueBorne” (which affect more than 5 million Bluetooth-enabled devices, including Windows machines) were silently patched by Microsoft in July, but details of the flaws have only been released now.

BlueBorne is a series of flaws in Bluetooth implementations that could allow attackers to take over Bluetooth-enabled devices, spread malware, or even establish a “man-in-the-middle” connection to gain access to devices’ critical data and networks, all without requiring any victim interaction.

So, users have another important reason to apply September security patches as soon as possible in order to keep hackers and cyber criminals away from taking control over their computers.

Other flaws patched this month include five information disclosure and one denial of service flaws in Windows Hyper-V, two cross-site scripting (XSS) flaws in SharePoint, as well as four memory corruption and two remote code execution vulnerabilities in MS Office.

For installing security updates, simply head on to Settings → Update & security → Windows Update → Check for updates, or you can install the updates manually.

Source:
Mohit Kumar - Hacking News
Entrepreneur, Hacker, Speaker, Founder and CEO — The Hacker News and The Hackers Conference.

Password hash cracking on a Juniper ScreenOS device

Monday, January 4th, 2016

So the Juniper Netscreen/SSG ScreenOS password hash is a bit of a hidden mystery. I had in my hand the config of a Netscreen device and I wanted to perform a reverse of the password hashes to see if they were weak.

In this case here’s the line from the config:

set admin user "admin" password "nAePB0rfAm+Nc4YO3s0JwPHtRXIHdn" privilege "all"

John the Ripper has supported Netscreen passwords since back in 2008, when Samuel Moñux released this patch. Unfortunately John was too slow for my needs as I was up against a deadline, so I looked at the faster approach of using the GPU to perform the cracking. Hashcat is the best tool for the job, but unfortunately Hashcat didn’t support this hashing algorithm. :-(

After looking through the JtR source code I found this Python script which can generate a Netscreen hash; getting warmer. Here’s a shortened version of the code to show just the function we’re interested in:

import hashlib

# The b64 table the script indexes into. The original script's table is not shown
# here; the standard base64 alphabet is assumed, and it reproduces the hash shown
# later in this post. Only the first 16 entries are reachable for p1 (a 4-bit value).
b64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

def makepass(user, password):
    middle = "Administration Tools"
    s = "%s:%s:%s" % (user, middle, password)
    print(s)
    m = hashlib.md5(s.encode()).digest()
    # join each pair of digest bytes into one 16-bit value
    narray = []
    for i in range(8):
        n1 = m[2*i]
        n2 = m[2*i+1]
        narray.append((n1 << 8 & 0xff00) | (n2 & 0xff))

    # split each 16-bit value into 4, 6 and 6 bits and map each part to a b64 character
    res = ""
    for i in narray:
        p1 = i >> 12 & 0xf
        p2 = i >> 6 & 0x3f
        p3 = i & 0x3f
        res += b64[p1] + b64[p2] + b64[p3]

    # scatter the fixed letters n, r, c, s, t, n into the result at fixed positions
    for c, n in zip("nrcstn", [0, 6, 12, 17, 23, 29]):
        res = res[:n] + c + res[n:]
    return res

After looking through the code it is clear that the MD5 input is the username, the fixed string Administration Tools and the password joined with colons (the middle and s lines), so there is a fixed salt of Administration Tools and a second salt of the username.
The code then takes the 16-byte digest two bytes at a time and joins each pair into one 16-bit value (the first loop).
From each 16-bit value it creates 3 characters, splitting the 16 bits into 4, 6 and 6 and indexing the b64 table with each part (the second loop).
And finally it scatters the letters n, r, c, s, t and n onto the hash at the fixed positions 0, 6, 12, 17, 23 and 29 (the last loop).
It’s worth noting that the letters nrcstn are actually NeTSCReeN in reverse without the e’s :-)

Using this code it was possible to write some new code to reverse backwards through the steps in order to go from a Netscreen hash back to the raw MD5 hash. Here’s the function for this:

import binascii

# same b64 table as in makepass (assumed to be the standard base64 alphabet; it
# decodes the example hash below to the MD5 shown in this post)
b64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

def reversetomd5(knownhash):
    # strip out nrcstn fixed characters (positions 0, 6, 12, 17, 23, 29)
    clean = ""
    for i in [1,2,3,4,5,7,8,9,10,11,13,14,15,16,18,19,20,21,22,24,25,26,27,28]:
        clean += knownhash[i]

    # create blocks: every three b64 characters rebuild one 16-bit value (4+6+6 bits)
    block = []
    for i in range(2, 24, 3):
        p1 = b64.index(clean[i-2])
        p2 = b64.index(clean[i-1])
        p3 = b64.index(clean[i])
        block.append(p1 << 12 | p2 << 6 | p3)

    # split each block into its two bytes to rebuild the raw MD5 digest
    md5hash = b""
    for i in block:
        n1 = i >> 8
        n2 = i & 0xff
        md5hash += bytes([n1, n2])
    return binascii.hexlify(md5hash).decode()

Using this function you are able to give it a Netscreen hash and you’ll get back the raw MD5.

Knownhash of:nAePB0rfAm+Nc4YO3s0JwPHtRXIHdn has MD5Hash of: 078f1d1f09bede18edf49c0f745781dd

Now, using the power of GPU cracking and my favourite tool Hashcat, it is possible to crack the hash. We need to put the hash in a format that hashcat can understand, so we create a file called netscreen.txt and put the hash in the following format (note the trailing colon after the fixed salt):

[hash]:[user]:Administration Tools:
078f1d1f09bede18edf49c0f745781dd:admin:Administration Tools:

We then use hashcat’s mode 20 which is md5($salt.$pass) to crack the hash:

C:\cudaHashcat64.exe -m 20 netscreen.txt rockyou.txt
cudaHashcat v1.01 starting…
Hashes: 1 total, 1 unique salts, 1 unique digests
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 80c
Device #1: GeForce GTX 660M, 2048MB, 950Mhz, 2MCU
Device #1: Kernel ./kernels/4318/m0020_a0.sm_30.64.ptx
Device #1: Kernel ./kernels/4318/bzero.64.ptx

Generated dictionary stats for rockyou.txt: 139921541 bytes, 14344395 words, 14343300 keyspace

078f1d1f09bede18edf49c0f745781dd:admin:Administration Tools::MySecretPassword

Session.Name...: cudaHashcat
Status.........: Cracked
Input.Mode.....: File (rockyou.txt)
Hash.Target....: 078f1d1f09bede18edf49c0f745781dd:admin:Administration Tools:
Hash.Type......: md5($salt.$pass)
Time.Started...: Fri Jan 10 15:03:24 2014 (5 secs)
Speed.GPU.#1...:  4886.1 kH/s
Recovered......: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.......: 11109723/14343300 (77.46%)
Rejected.......: 1371/11109723 (0.01%)
HWMon.GPU.#1...:  0% Util, 41c Temp, N/A Fan

Started: Fri Jan 10 15:03:24 2014
Stopped: Fri Jan 10 15:03:32 2014

Bingo, it’s cracked the hash: the password is MySecretPassword.

As this algorithm uses more than just a fixed salt to create the hash, I’ll speak to Atom (the creator of hashcat) to see if he wants to implement it in a future release, but until then this code should help you in cracking Netscreen passwords.

Update: Atom has added this hash type to oclHashcat as of version 1.20 https://hashcat.net/hashcat/ (Feature request here: https://hashcat.net/trac/ticket/235)
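Added here as an example (not code from the original post): a Python 3 module that carries the post’s procedure end to end, from a set admin user config line to the hashcat mode 20 input line, plus a direct check of candidate passwords so an administrator can audit a saved ScreenOS config for default or banned passwords without running a cracker at all. It assumes the standard base64 alphabet for the b64 table (the post does not print the table; that alphabet decodes the post’s example hash to the MD5 the post shows) and the config line format quoted in the post.

```python
import hashlib
import re

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"  # assumed standard alphabet
FIXED_SALT = "Administration Tools"
MARKERS = dict(zip([0, 6, 12, 17, 23, 29], "nrcstn"))  # positions of the scattered letters

# Constructed sample input: the config line quoted in the post.
CONFIG_LINE = 'set admin user "admin" password "nAePB0rfAm+Nc4YO3s0JwPHtRXIHdn" privilege "all"'


def parse_admin_line(line):
    """Return (user, hash) from a 'set admin user ... password ...' config line."""
    m = re.match(r'set admin user "([^"]+)" password "([^"]+)"', line)
    if not m:
        raise ValueError("not a ScreenOS admin password line")
    return m.group(1), m.group(2)


def screenos_to_md5(nshash):
    """Undo the ScreenOS encoding: 30 hash characters -> raw MD5 hex digest (lossless)."""
    if len(nshash) != 30 or any(nshash[i] != c for i, c in MARKERS.items()):
        raise ValueError("not a ScreenOS password hash")
    clean = [c for i, c in enumerate(nshash) if i not in MARKERS]
    digest = bytearray()
    for j in range(0, 24, 3):
        p1, p2, p3 = (B64.index(c) for c in clean[j:j + 3])
        digest += (p1 << 12 | p2 << 6 | p3).to_bytes(2, "big")  # 4+6+6 bits -> 2 bytes
    return digest.hex()


def md5_to_screenos(hexdigest):
    """Inverse of screenos_to_md5: the encoding ScreenOS applies to the MD5 digest."""
    raw = bytes.fromhex(hexdigest)
    out = []
    for j in range(0, 16, 2):
        v = int.from_bytes(raw[j:j + 2], "big")
        out += [B64[v >> 12 & 0xF], B64[v >> 6 & 0x3F], B64[v & 0x3F]]
    for pos in sorted(MARKERS):  # insert in ascending order, as the post's script does
        out.insert(pos, MARKERS[pos])
    return "".join(out)


def screenos_hash(user, password):
    """Compute the stored hash the way the device does: md5('user:Administration Tools:pw')."""
    digest = hashlib.md5(f"{user}:{FIXED_SALT}:{password}".encode()).hexdigest()
    return md5_to_screenos(digest)


def hashcat_line(user, nshash):
    """hashcat -m 20 (md5($salt.$pass)) input line; note the trailing colon."""
    return f"{screenos_to_md5(nshash)}:{user}:{FIXED_SALT}:"


def password_matches(user, nshash, candidate):
    """Check one candidate directly against a stored hash (no cracker needed)."""
    return screenos_hash(user, candidate) == nshash


def audit_config(text, weak_passwords):
    """List (user, password) pairs whose stored hash matches a known-weak password."""
    findings = []
    for line in text.splitlines():
        if line.startswith("set admin user "):
            user, nshash = parse_admin_line(line)
            findings += [(user, pw) for pw in weak_passwords if password_matches(user, nshash, pw)]
    return findings
```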

 

This article’s Original Author:

https://www.phillips321.co.uk/2014/01/10/cracking-a-juniper-netscreen-screenos-password-hash/

Carbanak hacking group steal $1 billion from banks worldwide | ZDNet

Monday, February 16th, 2015

Since 2013, the cybergang have attempted to attack banks, e-payment systems and financial institutions using the Carbanak malware. The criminal operation has struck banks in approximately 30 countries.

What makes this crime unusual is the fact that individual end users were not targeted; rather, banks themselves were the victims.

Sergey Golovanov, Principal Security Researcher at Kaspersky Lab’s Global Research and Analysis Team, told attendees at the Kaspersky Lab Security Analyst Summit that tracking the operation began when he was shown a video of a criminal taking money from an ATM without touching the machine.

A bank then requested help from the security company to tackle the problem, as money had been taken from every ATM in a specific area. Originally, Golovanov and colleagues searched for malware in the ATM network itself but came up short, finding instead “terrible” misconfiguration in the network. This led to the discovery of Carberp and Anunak malware code — open-source malicious code used in Carbanak.

via Carbanak hacking group steal $1 billion from banks worldwide | ZDNet.

Two Million Cars Using Wireless Insurance Dongle Vulnerable to Hacking

Wednesday, January 21st, 2015

 

Two Million Cars Using Wireless Insurance Dongle Vulnerable to Hacking

2015 will be a smarter year than 2014, with smarter mobile devices, smarter home appliances and, yes, smarter automobiles. Nowadays a number of automobile companies offer vehicles that run on a mostly drive-by-wire system, meaning that the majority of the controls, from the instrument cluster to the steering, brakes and accelerator, are electronically controlled.

No doubt these systems make your driving experience better, but at the same time they also increase the risk of being hacked.

According to recent research, an electronic dongle plugged into the on-board diagnostic port of more than two million cars and trucks contains security weaknesses that make it vulnerable to wireless attacks, up to and including taking control of the entire vehicle.

Since 2008, US-based Progressive Insurance has used the SnapShot device in more than two million vehicles. The little device monitors and tracks users’ driving behavior by collecting vehicle location and speed records, in order to help determine if they qualify for lower rates.

However, the security researcher Corey Thuen has revealed that the dongle is insecure and performs no validation or signing of firmware updates. It has no secure boot mechanism, no cellular communications authentication, and uses no secure communications protocols, possibly putting the lives of people inside the vehicle in danger.

“The firmware running on the dongle is minimal and insecure. It does no validation or signing of firmware updates, no secure boot, no cellular authentication, no secure communications or encryption, no data execution prevention or attack mitigation technologies … basically it uses no security technologies whatsoever,” Thuen told Forbes.

SnapShot plugs into the OBDII port of Thuen’s 2013 Toyota Tundra pickup truck. Thuen said that an attack on the adjacent modem, which handles the connection between Progressive’s servers and the dongle, was possible too, which could allow a potentially deadly takeover of the car’s acceleration and braking.

“What happens if Progressive’s servers are compromised? An attacker who controls that dongle has full control of the vehicle,” he added.

“A skilled attacker could almost certainly compromise such dongles to gain remote control of a vehicle, or even an entire fleet of vehicles. Once compromised, the consequences range from privacy data loss to life and limb.”

Mr. Thuen presented the detailed analysis of the research last week at the S4x15 Conference in Miami. The research highlighted the minimal protections included with many widely used car computer systems. While he focused on dongles from Progressive, he also warned that devices from other insurance companies could also be at risk.

Progressive officials have said they were confident SnapShot was secure and that they were not informed about the flaws by Mr. Thuen before he revealed them at a computer security conference. However, the company said it welcomes input on identifying security weaknesses so that it can evaluate them and make any necessary improvements.

via Two Million Cars Using Wireless Insurance Dongle Vulnerable to Hacking – Hacker News.

Victimized Celebs Blamed for Their Indecent Exposure | Hacking | TechNewsWorld

Wednesday, September 3rd, 2014


The iBrute code on GitHub is "a garden-variety brute-force attack," said Andrew Jaquith, CTO of SilverSky.

The "fmipmobile.icloud.com" host that the iBrute code authenticated against is found in 76 other GitHub locations, which means the authentication vector "was clearly well-known to the broader programming community," he explained.

Apple "already has protections against brute force for most of their websites," Bob Doyle, security consultant at Neohapsis, told TechNewsWorld. "Reports now indicate they’ve restricted the number of incorrect guesses you can send to the "Find My iPhone" API, which should make it resistant to automated brute-forcing attacks like these."

Let’s Hear It for Fear and Loathing!

"When Scarlett Johansson’s account got hacked, that should have been a massive red flag for any celebrity who had any kind of compromising photographs in their accounts," KnowBe4’s Sjouwerman said. "If they had nude photos of themselves on the Internet, they should have deleted them."

Johansson’s account was hacked in 2011 and the hacker, Christopher Chaney, was jailed.

"This entire situation underscores the reality that today’s interconnected universe of networks is extremely complex and the potential access methods for criminals are many and varied," Steve Hultquist, chief evangelist at RedSeal Networks, told TechNewsWorld.

Protect Yourself at All Times

"Celebrities have, and always will be, easy targets simply due to the amount of information about their lives which can be gleaned from any gossip site," Evan Keiser, a security analyst at SilverSky, told TechNewsWorld.

via Victimized Celebs Blamed for Their Indecent Exposure | Hacking | TechNewsWorld.

Hacking Gmail App with 92 Percent Success Rate

Wednesday, August 27th, 2014

The team of researchers – Zhiyun Qian, of the University of California, Riverside, and Z. Morley Mao and Qi Alfred Chen from the University of Michigan – will present its paper, “Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks” (PDF), at the USENIX Security Symposium in San Diego on August 23.

The paper details a new type of attack, which they call a UI (user interface) state inference attack, carried out by a malicious app running in the background without the user’s knowledge. You can watch some short videos of the attacks in action below.
via Hacking Gmail App with 92 Percent Success Rate.

‘Kitteh’ finds all the unsecure Wi-Fi with new Cat Collar – Enterprise – | siliconrepublic.com

Monday, August 11th, 2014


A new hi-tech cat collar designed to sniff out unsecure Wi-Fi connections, known as the ‘War Kitteh’, has been showcased at one of the world’s largest hacking events.

Known as Def Con, the convention held in Las Vegas brings some of the world’s brightest and best hackers together and, in many cases, showcases unique and strange security tools.

The War Kitteh collar, while appearing entirely harmless, actually contains a Spark Core Wi-Fi development board which uses the Spark.io operating system to ‘sniff out’ any Wi-Fi broadcasting devices in people’s homes that might be unsecure. The cat’s location, meanwhile, is monitored using GPS and data stored on the device’s SD card, according to The Guardian.

However, the War Kitteh collar’s creators at Tenacity Solutions have emphasised they don’t intend to release an army of fluffy soldiers to harvest homeowners’ Wi-Fi information, but rather to raise awareness amongst them over the vulnerabilities that exist in their systems.

On one of its test runs, the War Kitteh-wearing cat picked up 23 vulnerable premises, four of which had no password protection on them.

Gene Bransfield of Tenacity Solutions told The Guardian the hacking community has spent far too long abusing its position and knowledge, rather than sharing it with the wider public.

“It’s been a failure of the industry and of Def Con-like hackers to appropriately communicate this stuff to people,” he said. “We need to do a better job of communicating this stuff … You don’t want to scare the shit out of them. You want to effectively communicate to them what the issues are.”

via ‘Kitteh’ finds all the unsecure Wi-Fi with new collar – Enterprise – | siliconrepublic.com – Ireland's Technology News Service.

Hacking Cable TV Networks to Broadcast Your Own Video Channel (POC @ HITB)

Monday, May 26th, 2014

I was watching my favourite show on television and it was just half over when I saw something which was definitely not a part of the show I was watching. My television screen went blank for a couple of seconds, and then what I saw was totally unbelievable to my eyes.

It was my friend ‘Rahul Sasi’ on the television, and I was still wondering how he had interrupted a television show, the way it happens in sci-fi movies when someone hijacks a television or computer to deliver some kind of message or warning, or in horror movies where ghostly images interrupt the television and suddenly come out of it. Oh my god!

But nothing like that happened in my case; my friend didn’t come out. Just a few minutes later I was redirected back to the same show I was watching. I missed only a part of it, but never mind, I’ll watch it on YouTube later.

I think you might be thinking I am kidding, but it’s true. My friend Rahul Sasi is a well-known Indian security researcher and founder of the Garage4Hackers Forum. This was a surprise demonstration he gave me last weekend of “Hacking Your Cable TV Networks,” which he is going to present next week at the Hack In The Box (HITB) Security Conference in Amsterdam.

A year back, a similar attack was noticed by television viewers in Great Falls, Montana, when a hacker interrupted a television show with a message warning viewers that “dead bodies are rising from their graves and attacking the living”. But this is going to be the first time someone gives a live demonstration of hacking cable television networks.

For the last eight to nine months, Rahul has been working with a local cable TV network provider, where he discovered insecure implementations and weak architecture in cable TV networks that could be abused by any potential hacker to carry out large-scale attacks.

Unlike the Internet, television is a one-way medium: if someone hijacks a cable TV service provider and displays an emergency alert, or streams a video stating that a riot has started in a nearby city, that is only a hoax perpetrated by as-yet unknown hackers, but it can cause enough panic among the people.

In the presentation, Sasi will demonstrate how a potential attacker can leverage weaknesses in cable TV networks to attack various broadcast transmission standards, including analogue cable TV, DVB-C and IPTV. He will perform a man-in-the-middle (MITM) attack on cable TV networks to capture and modify the channel frequencies.

via Hacking Cable TV Networks to Broadcast Your Own Video Channel.

FBI Keeps Internet Flaws Secret to Defend Against Hackers – Bloomberg

Wednesday, April 30th, 2014

The Obama administration is letting law enforcement keep computer-security flaws secret in order to further U.S. investigations of cyberspies and hackers.

The White House has carved out an exception for the Federal Bureau of Investigation and other agencies to keep information about software vulnerabilities from manufacturers and the public. Until now, most debate has focused on how the National Security Agency stockpiles and uses newfound Internet weaknesses, known as zero-day exploits, for offensive purposes, such as attacking the networks of adversaries.

The law enforcement operations expose a delicate and complicated balancing act when it comes to agencies using serious security flaws in investigations versus disclosing them to protect all Internet users, according to former government officials and privacy advocates.

The FBI also hacks into computers and networks of adversaries using what are known as remote access operations coordinated by a team at the bureau’s facility in Quantico, Virginia, said a former government official. Most of the malware and computer exploits used are available for purchase online and the operations are authorized by warrants specifying devices targeted, the official said in a phone interview.

via FBI Keeps Internet Flaws Secret to Defend Against Hackers – Bloomberg.