Monthly Archives: February 2018

Ransomware: Get ready for the next wave of destructive cyberattacks

It might look to be out of the limelight compared to 2017, but it would be foolish to write ransomware off yet, as more attacks using the file-encrypting malware are ahead.

High profile incidents like WannaCry, NotPetya and Bad Rabbit made ransomware infamous last year. WannaCry and NotPetya have since both been attributed to nation-states – the former to North Korea and the latter to Russia – changing the perception of ransomware from something used by cybercriminals attempting to make a quick buck to a tool of cyberwarfare.

That’s especially the case for NotPetya, which took down the networks of businesses around the world and caused billions of dollars in damages and lost income.

So while some cybercriminal operations have pivoted towards cryptocurrency mining as means of making money, don’t expect ransomware to be any less effective – or destructive.

The company’s newly released 2018 Global Threat Report suggests that rather than fading into the background, ransomware could become an even more prominent tool of cyberwarfare – especially as the likes of WannaCry have demonstrated the large amounts of damage which can be done.

Next Generation Firewall or NGFW

Next Generation Firewall or NGFW is an integrated network platform that combines a traditional firewall with other security system functionalities like an application firewall, Intrusion Prevention System or IPS, SSL/SSH interception, QoS/bandwidth management, malware inspection etc. An NGFW includes the typical functionalities of a traditional firewall, yet it is much more powerful than a traditional firewall in detecting and preventing attacks and enforcing security.

Traditional Firewall and how it works

A traditional firewall monitors incoming and outgoing network packets of a system and prevents unauthorized access depending on some pre-configured rules.
A traditional firewall filters traffic based on mainly the following parameters :
  • Source IP address and destination IP address of the network packets.
  • Source port and destination port of the inbound and outbound traffic.
  • Current stage of connection.
  • Per-process filtering rules.
  • Protocols used.
  • Routing features.
So, though a traditional firewall is good at ensuring security, it is not sufficient. One has to rely on other security solutions like IPS, anti-malware products, content filtering packages etc. to ensure proper security.
The disadvantage of using different network security technologies separately is that it increases administrative cost and degrades network performance. An NGFW combines multiple network security technologies to provide a better security mechanism while taking care of most of the disadvantages of using separate security solutions at the same time.

Next Generation Firewalls

An NGFW typically includes :
  • Intrusion Prevention System
  • Malware protection
  • Filtering traffic per application basis.
  • QoS or Quality of Service to guarantee network throughput
  • VPN
  • SSL/SSH interception
An NGFW uses Deep Packet Inspection (DPI), which lets it examine the data part of network packets and search for protocol non-compliance, viruses, spam, intrusions and other statistical information, so it can filter traffic and enforce security more effectively.
An NGFW can monitor and filter traffic on a per-application basis instead of a per-port basis, which makes troubleshooting network problems easier. It can also associate network traffic with a specific user or group of users, which helps in enforcing better acceptable-use policies.
An NGFW can intercept encrypted SSL and SSH traffic to look for malicious traffic concealed in it, which enables it to detect advanced threats and attacks.
And, as an NGFW integrates multiple security technologies in an efficient manner, it improves network performance over using different security technologies separately.
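To make the difference between port-based filtering and application-aware filtering concrete, here is an added illustration; it is not code from this page's author or from any NGFW product. It assumes a constructed packet sample, three made-up protocol signatures (TLS ClientHello, SSH banner, HTTP method), and a constructed user-to-group map with a per-group application policy, so that the three NGFW checks described above (protocol compliance via DPI, per-application filtering, per-user policy) can be seen next to the plain port rule.

```python
"""Port-based filtering next to application-aware (DPI) filtering.

Added example for the NGFW discussion above; it is not code from any firewall
product. Packets, application signatures, the user-to-group map and the
group policy are all constructed for the example.
"""
from dataclasses import dataclass
from typing import Tuple


@dataclass
class Packet:
    src_ip: str
    dst_port: int
    payload: bytes   # first bytes of the application data
    user: str        # identity the NGFW has mapped to src_ip (assumed)


# Traditional rule set: a plain allow-list of destination ports.
OPEN_PORTS = {80, 443, 22}

# What a compliant payload on each open port should look like.
EXPECTED_APP = {80: "http", 443: "tls", 22: "ssh"}

# Constructed identity data: which group a user belongs to, and which
# applications each group may use.
USER_GROUP = {"alice": "marketing", "bob": "default"}
GROUP_POLICY = {
    "marketing": {"http", "tls", "ssh"},
    "default": {"http", "tls"},
}


def traditional_allow(pkt: Packet) -> bool:
    """Port-based decision only: payload and user are never looked at."""
    return pkt.dst_port in OPEN_PORTS


def identify_app(payload: bytes) -> str:
    """Minimal DPI: classify the payload by protocol signature, not by port."""
    # TLS handshake record (type 0x16, major version 3) carrying a ClientHello (0x01)
    if payload[:2] == b"\x16\x03" and len(payload) > 5 and payload[5] == 0x01:
        return "tls"
    if payload.startswith(b"SSH-2.0-"):
        return "ssh"
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD"):
        return "http"
    return "unknown"


def ngfw_decision(pkt: Packet) -> Tuple[str, str]:
    """Port rule, then protocol compliance, then per-user application policy."""
    if not traditional_allow(pkt):
        return "deny", "port not allowed"
    app = identify_app(pkt.payload)
    if app != EXPECTED_APP[pkt.dst_port]:
        return "deny", f"protocol non-compliance: {app} on port {pkt.dst_port}"
    group = USER_GROUP.get(pkt.user, "default")
    if app not in GROUP_POLICY[group]:
        return "deny", f"{app} not permitted for group {group}"
    return "allow", f"{app} permitted for group {group}"


# Constructed traffic sample.
SAMPLE = [
    Packet("10.0.0.5", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4", "alice"),
    Packet("10.0.0.6", 443, b"\x00\x00BEACON\x01", "bob"),        # not TLS at all
    Packet("10.0.0.6", 22, b"SSH-2.0-OpenSSH_7.4\r\n", "bob"),    # SSH, wrong group
    Packet("10.0.0.7", 3389, b"\x03\x00\x00\x13", "alice"),      # closed port
]


def compare(packets):
    """Return (traditional verdict, NGFW verdict, reason) per packet."""
    return [("allow" if traditional_allow(p) else "deny", *ngfw_decision(p))
            for p in packets]


if __name__ == "__main__":
    for p, row in zip(SAMPLE, compare(SAMPLE)):
        print(f"{p.src_ip:>9} -> :{p.dst_port:<5} traditional={row[0]:5} "
              f"ngfw={row[1]:5} ({row[2]})")
```

The second packet is the case the text is making: a port rule passes anything addressed to 443, whereas inspecting the payload shows it is not TLS at all and the NGFW rejects it as protocol non-compliance. The third packet passes both the port rule and DPI but is stopped by the per-user policy.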

Advantages of Next Generation Firewalls

An NGFW has a number of advantages over traditional firewalls. Some of the most important ones are listed below :

Lower Administrative Cost

In an NGFW, all the above mentioned security technologies are installed and configured as a unit. As a result, it reduces administrative cost significantly.

Easier to identify threats

An NGFW monitors the network traffic and reports all the events through a single reporting system, which is much more convenient than using different security technologies separately.

Inspection of SSL/SSH traffic

Malware can be concealed in an encrypted SSL/SSH communication. For example, botnets and Advanced Persistent Threats often create SSL tunnels and exchange communication with the attackers. But, traditional firewalls cannot decrypt SSL/SSH traffic. As a result, the attackers can take advantage of that to make attacks.
An NGFW can decrypt and inspect SSL/SSH traffic using Deep Packet Inspection and filter network traffic based upon that.

Filtering based on application

Traditional firewalls can filter traffic based on port, but that may prove to be inconvenient at times.
NGFW can associate traffic based on application, which enables it to block or monitor network traffic per application and troubleshoot problems based on that.

Identifying network traffic by users

Traditional firewalls cannot associate network traffic to users easily. One has to laboriously look at the log files for that purpose.
But, as an NGFW can easily associate network traffic with specific users, it helps in enforcing better acceptable-use policies.
For example, in a company the marketing and Human Resources groups may need to access some social networking sites, but others need not. Using an NGFW one can easily set a proper acceptable-use policy for that purpose.
Similarly, a company may allow its employees to access some social networking sites to make posts or comments, but may not allow them to play games. Using an NGFW the company can set the required policies easily.

Improved Network Performance

Using different network security technologies separately often causes degradation of network performance. Administrators often need to respond to that by disabling monitoring of certain ports, disabling some firewall rules or limiting Deep Packet Inspection, which compromises network security.
But, as an NGFW integrates multiple network technologies together efficiently, it improves network throughput without having to trade off security for performance.
So, be informed about various security technologies so that you can protect your systems in a better way. And, stay safe, stay protected.

BootStomp – Find Android Bootloader Vulnerabilities

BootStomp is a Python-based tool, with Docker support that helps you find two different classes of Android bootloader vulnerabilities and bugs. It looks for memory corruption and state storage vulnerabilities.

Note that BootStomp works with boot-loaders compiled for ARM architectures (32 and 64 bits both) and that results might slightly vary depending on angr and Z3’s versions. This is because of the time angr takes to analyze basic blocks and to Z3’s expression concretization results.

How does BootStomp find Android Bootloader Vulnerabilities?

BootStomp implements a multi-tag taint analysis resulting from a novel combination of static analyses and dynamic symbolic execution, designed to locate problematic areas where input from an attacker in control of the OS can compromise the bootloader’s execution or its security features.

Using the tool the team found six previously-unknown vulnerabilities (of which five have been confirmed by the respective vendors), as well as rediscovered one that had been previously reported. Some of these vulnerabilities would allow an attacker to execute arbitrary code as part of the bootloader (thus compromising the entire chain of trust), or to perform permanent denial-of-service attacks.

The vulnerabilities impact the Trusted Boot or Verified Boot mechanisms implemented by vendors to establish a Chain of Trust (CoT). The team using BootStomp discovered vulnerabilities in the bootloaders used by Huawei, Qualcomm, MediaTek, and NVIDIA.

The team analyzed bootloader implementations in many platforms, including Huawei P8 ALE-L23 (Huawei / HiSilicon chipset), Sony Xperia XA (MediaTek chipset), Nexus 9 (NVIDIA Tegra chipset), and two versions of the LK-based bootloader (Qualcomm).

How to use BootStomp

The easiest way to use BootStomp is to run it in a Docker container. The folder docker contains an appropriate Dockerfile; these are the commands to use it:

You can download BootStomp here:

BootStomp-master.zip

Mr.SIP – SIP Attack And Audit Tool

Mr.SIP was developed in Python as a SIP Attack and audit tool which can emulate SIP-based attacks. Originally it was developed to be used in academic work to help developing novel SIP-based DDoS attacks and defence approaches and then as an idea to convert it to a fully functional SIP-based penetration testing tool, it has been redeveloped into the current version.

Mr.SIP – SIP Attack Features

Mr.SIP currently comprises four sub-modules named SIP-NES, SIP-ENUM, SIP-DAS and SIP-ASP. Since it provides a modular structure to developers, more modules will continue to be added by the authors and it is open to contributions from the open-source developer community.

  • SIP-NES takes an IP range or IP subnet as input. It sends a SIP OPTIONS message to each IP address in the subnet and, according to the responses, outputs the potential SIP clients and servers on that subnet.
  • SIP-ENUM outputs which SIP users in that network are valid, according to the responses to the REGISTER messages it sends to each client IP address in the output of SIP-NES.
  • SIP-DAS (DoS Attack Simulator) is a module developed to simulate SIP-based DoS attacks. It comprises four components: spoofed IP address generator, SIP message generator, message sender and scenario player. It needs outputs of SIP-NES (Network Scanner) and SIP-ENUM (Enumerator) along with some pre-defined files.
  • SIP-DAS basically generates legitimate SIP INVITE message and sends it to the target SIP component via TCP or UDP. It has three different options for spoofed IP address generation, i.e., manual, random and by selecting spoofed IP address from subnet. IP addresses could be specified manually or generated randomly. Furthermore, in order to bypass URPF filtering, which is used to block IP addresses that do not belong to the subnet from passing onto the Internet, we designed a spoofed IP address generation module. Spoofed IP generation module calculated the subnet used and randomly generated spoofed IP addresses that appeared to come from within the subnet.

You can download Mr.SIP here:

Mr.SIP-master.zip

Or read more here.

Hackers are selling legitimate code-signing certificates to evade malware detection

Security researchers have found that hackers are using code-signing certificates more to make it easier to bypass security appliances and infect their victims.

New research by Recorded Future’s Insikt Group found that hackers and malicious actors are obtaining legitimate certificates from issuing authorities in order to sign malicious code.

That’s contrary to the view that in most cases certificates are stolen from companies and developers and repurposed by hackers to make malware look more legitimate.

Code-signing certificates are designed to give your desktop or mobile app a level of assurance by making apps look authentic. Whenever you open a code-signed app, it tells you who the developer is and provides a high level of integrity to the app that it hasn’t been tampered with in some way. Most modern operating systems, including Macs, only run code-signed apps by default.

But not only does code-signing have an effect on users who inadvertently install malware; code-signed apps are also harder for network security appliances to detect. The research said that hardware that uses deep packet inspection to scan network traffic “become less effective when legitimate certificate traffic is initiated by a malicious implant.”

That’s been picked up by some hackers, who are selling code-signing certificates for as little as $299. Extended validation certificates which are meant to go through a rigorous vetting process can be sold for $1,599.

The certificates, the researchers say, were obtained from reputable certificate issuing authorities, like Comodo, and Symantec and Thawte — both of which are now owned by DigiCert.

Apple certificates were also available.

“In Apple’s world, you cannot execute a program which is not code-signed — there are plenty of ways around it though,” said Amit Serper, principal security researcher at Cybereason, and a specialist in Mac malware. “In order to get a program signed, you need to set up a developer account, pay Apple $99 and give them a reason to issue you a certificate. Since Apple’s goal is to make money and have more developers joining their developer program and generate revenue, getting a certificate is incredibly easy.”

“Many malware and adware for macs out there are signed with legitimate code signing certificates provided by Apple,” he said.

“We are confident that no help from insiders at these companies is being used,” he said.

According to the research, the hacker sold over 60 certificates in six months. But sales declined after malware writers opted for obfuscation techniques other than expensive code-signing certificates.

Hack whatsapp messages without access to phone

WhatsApp Tracker allows Hackers to Intercept and Read Your Encrypted Messages

This method is perhaps the most appealing of them all. In essence, it uses a “backdoor” flaw.

Some say it is a severe mistake, while others claim it is an additional feature.

Anyway, it allows you to hack Whatsapp and to read messages by intercepting them between users. The backdoor is used by Whatsapp, Telegram, and a few more apps.

First of all, we should explain the end-to-end encryption. It means that you, as a user will send an encrypted message to another person.

Only after it is received, it will be decrypted and readable. Whatsapp introduced this feature in 2012 and then became the most secure app of them all. Sadly, it looks like it isn’t so secure.

Whatsapp is owned by Facebook, and if we know that this giant allows to the central intelligence agencies to spy on their users, we can deduce that Whatsapp shares the same flaw.

That’s why the backdoor feature exists. Originally, it has been developed for central intelligence agencies, but at the same time, it is something that hackers can use.

Furthermore, Whatsapp end-to-end encryption works on “trust”. The company uses a secure server to process the messages, but according to the user agreement, they can change any of the rules at any given moment.

Basically, Whatsapp can choose to share your messages with others and you won’t know about it!

How does this actually work?

The vulnerability relies on the way WhatsApp behaves when an end user’s encryption key changes.

Basically, we have a scenario between users A and a person B.

When a person A sends a few messages to the person B, the Whatsapp on that device will decrypt the messages and allow for the user to read them.

But, when a user B replaces the device, he will also be able to get and read those messages.

This is possible due to the fact Whatsapp choose to update and modify the private keys, needed for decryption at any given moment, without informing the user.

Now, you as a hacker will be user C. You will modify the private key of a user B and insert your own.

By doing so, you will directly be able to read messages of user A. Whatsapp spy app that can do it for you isn’t so complicated to use, after all.

Here we have another advantage of this method. Facebook, which owns Whatsapp didn’t solve this issue since 2016. It is obvious that it will stay available in the future as well.

All of this means that you, as a hacker will be able to exploit this method in the near future. Using Whatsapp tracker online and using this method will give impressive results.

Some believe that backdoor feature is used as a feature to eliminate the need for constant privacy key verification, which is annoying. Instead, Whatsapp will do it instead of you.

But, Signal private messenger, which uses the same technology is immune to this issue, simply due to the fact it requires physical verification.

If you are a decent hacker, you will be able to exploit this method or better said this drawback of the Whatsapp.

After all, it is introduced to allow for agencies to spy on users, which means that hackers, including yourself, can use it for the same reason.

Hack Whatsapp messages and read them whenever you want.

Perhaps all of this sounds complicated, but the real procedure is more than simple. In essence, you will have to:

  • Step 2: Install it on targeted device
  • Step 3: Login to your control panel on a PC. Done

As you can see, the entire process takes no more than 5 minutes of your time.

It is specifically developed to be simple enough for average users and those who don’t even fully understand smartphones and how they work.

The bottom line is yes, you will be able to use it without a problem.

Here it should be mentioned that there is no risk of being detected!

The app works by connecting to the operating system and literally becoming part of it.

As such, the app has all the access to the OS on your phone, obviously.

The app cannot be detected by antivirus or anti-malware software, or in any other way.

A hard reset of the device won’t delete the app either. In the end, we can add that Copy9 is the safest app to use.

The hack Whatsapp online feature

Besides the hack Whatsapp online feature, Copy9 offers plenty of additional features!

  • Besides the fact you will be able to read Whatsapp messages, the app allows you to read messages and monitor calls performed via other apps. All messenger apps are supported.

  • Tracking the GPS location is possible as well. The app will determine the exact location of a smartphone within a matter of seconds.

  • Monitoring internet activities is just another feature. Although Whatsapp tracker option is associated with the internet, the feature here is a bit different.

  • Basically, it allows for the user to block access to the web, limit it or check out what has been visited via the targeted device.

The full list of features is significantly long. In general, you will be able to hack Whatsapp chat history, monitor call, all messages, internet activity, GPS, detecting when a SIM card is changed and many other features.

Customer support is guaranteed and also more than just decent, which isn’t a case with apps of this kind!

The best part, you get a free trial, without a need to enter your credit card. If you don’t like it, after 48 hours simply delete the app and you are done.

However, most users who tried the free trial, have been using Copy9 ever since.

Ransomware: New free decryption key can save files locked with Cryakl

Victims of Cryakl ransomware are now able to get their files back without paying a ransom to cybercriminals, after the decryption key was released for free as part of the No More Ransom initiative.

Launched by Europol in 2016, the scheme brings law enforcement and private industry together in the fight against cybercrime and has helped thousands of ransomware victims retrieve their encrypted files without lining the pockets of crooks.

Cryakl has been active since September 2015 and, like other forms of ransomware, it searches an infected system for files, encrypts them, then demands payment for providing the key needed to retrieve the files. It also threatens to delete the encrypted files if payment isn’t received within a week.

Unlike more recent forms of ransomware which ask for payments to be made into a cryptocurrency wallet, victims of Cryakl are asked to contact the attackers by email.

The ransomware is most prolific in Russia, but Cryakl has claimed victims across Europe. Kaspersky Lab told ZDNet there have been over 2,000 infections in Italy, over 2,000 in Germany, over 1,000 in Spain and hundreds across the UK, Belgium, France, Poland, and Austria.

Decryption tools for Cryakl ransomware have been added to the No More Ransom portal following work by the Belgian National Police and Kaspersky Lab as part of an ongoing investigation.

“Free decryption keys for Cryakl ransomware can be considered as proof of this policy, and yet another reminder that there is always a chance of winning in the fight with criminals.”

The addition of keys for Cryakl brings the total number of ransomware decryption tools available on the No More Ransom portal to 52. They can be used to decrypt 84 forms of ransomware including MarsJoke, Teslacrypt, LamdaLocker, Wildfire, and CryptXXX.

According to Europol, over 35,000 people have used No More Ransom to decrypt their files for free, preventing cyber criminals from obtaining ransoms worth over €10m.

Initially launched by Europol, the Dutch National Police, McAfee, and Kaspersky Lab, the number of partners working on No More Ransom has now risen to over 120, including 75 cybersecurity companies.

The Belgian National Police’s role in helping to decrypt Cryakl has seen it promoted to become an associate partner in the scheme — the second law enforcement body to do so after founding member the Dutch National Police.

Europol has also announced new partners for No More Ransom: the Cypriot and Estonian police are the most recent law enforcement agencies to join, while KPN, Telenor, and the College of Professionals in Information and Computing (CPIC) have joined as new private sector partners.

Learn how to bypass MAC filtering on wireless networks

In this tutorial we will be looking at how to bypass MAC filtering on a wireless network. MAC filtering, or MAC white- or blacklisting, is often used as a security measure to prevent non-whitelisted or blacklisted MAC addresses from connecting to the wireless network.

MAC address stands for media access control address and is a unique identifier assigned to your network interface. With MAC filtering you can specify which MAC addresses are allowed or not allowed to connect to the network. On many occasions MAC filtering can be sufficient as a security measure, but in others it is certainly not.

MAC filtering is totally useless to protect company networks and data or to prevent networks from being hacked over WiFi because it is so easy to bypass. When MAC filtering is in place you can easily determine whitelisted MAC addresses by scanning for connected clients using a tool like airodump-ng.

In this case we can assume that every connected MAC address is part of the whitelist or not on the black list.

In this tutorial we will bypass MAC filtering on a TP-Link WR-841N router by spoofing the MAC address of a connected client. The connected client’s MAC address is whitelisted, otherwise it would not have been able to connect to the wireless network. We will put our WiFi adapter in monitoring mode and retrieve the MAC address of connected clients with Airodump-NG on Kali Linux.

Then we will be using the Macchanger tool to spoof our MAC address, bypass MAC filtering and connect to the wireless network. Hacking the WiFi network password is outside the scope of this tutorial. You can have a look at the following WiFi hacking tutorials and tools to learn how to retrieve the password (and prevent this from happening):

MAC filtering settings

First we will be configuring the MAC filtering functionality in the router settings. We will be adding one client to the whitelist which will be our connected client:

We’ve added one MAC address to the whitelist.

Let’s try to connect from another client in Kali Linux 2.0:

Unable to connect from a non whitelisted MAC Address

Even if we use the right password it does not allow us to connect to the wireless network. We end up in an endless loop without authentication. This tells us the MAC filtering is active and working like a charm.

Bypass MAC Filtering

First we will have to put our WiFi adapter in monitoring mode using Airmon-ng and kill all the processes Kali Linux is complaining about:

airmon-ng start wlan0

kill [pid]

Then we launch Airodump-ng to locate the wireless network and the connected client(s) using the following command:

airodump-ng -c [channel] --bssid [target router MAC Address] wlan0mon

Airodump-ng now shows us a list of all connected clients at the bottom of the terminal. The second column lists the MAC Addresses of the connected client which we will be spoofing in order to authenticate with the wireless network.

One connected client with a whitelisted MAC Address.

Spoofing the MAC Address with Macchanger

Now that we know a MAC address that is whitelisted in the TP-Link router settings we can use it to spoof our own MAC address in order to authenticate with the network. Let’s spoof the MAC address of our wireless adapter, but first we need to take down the monitoring interface wlan0mon and the wlan0 interface in order to change the MAC address. We can do this with the following command:

airmon-ng stop wlan0mon

Now we take down the wireless interface whose MAC address we want to spoof with the following command:

ifconfig wlan0 down

Now we can use Macchanger to change the MAC address:

macchanger -m [New MAC Address] wlan0

And bring it up again:

ifconfig wlan0 up

Now that we have changed the MAC address of our wireless adapter to a whitelisted MAC address in the router we can try to authenticate with the network and see if we’re able to connect:

Connected!

As you can see we have managed to connect to the wireless network using a spoofed MAC address of a connected client. This tutorial shows us that it was extremely easy to bypass MAC filtering on a wireless network and that MAC filtering is generally useless to protect your network from hackers.
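For the defender's side of the conclusion above, here is an added detection heuristic; it is not part of the original tutorial or of any tool it mentions. It rests on the fact that every 802.11 station keeps its own 12-bit frame sequence counter, so a single source MAC whose frames interleave two independent counters is a sign that two radios are using that address, which is exactly what a spoofed whitelisted client produces. The monitor-mode capture, the MAC addresses and the tolerance for one genuine counter reset are constructed assumptions.

```python
"""Spotting a duplicated (spoofed) client MAC from 802.11 sequence numbers.

Added, defender-side example for the tutorial above; it is not part of the
original post or of any tool it mentions. Each station keeps its own 12-bit
frame sequence counter, so frames carrying one source MAC but interleaving
two independent counters suggest two radios using that address. The frames,
MACs and tolerance below are constructed assumptions.
"""
from collections import defaultdict

SEQ_MODULUS = 4096  # the 802.11 sequence number field is 12 bits

# Constructed monitor-mode capture: (capture order, source MAC, sequence number).
FRAMES = [
    (1, "aa:bb:cc:00:00:01", 10),
    (2, "aa:bb:cc:00:00:02", 1000),
    (3, "aa:bb:cc:00:00:01", 11),
    (4, "aa:bb:cc:00:00:02", 1001),
    (5, "aa:bb:cc:00:00:02", 1500),   # second radio with the same MAC appears
    (6, "aa:bb:cc:00:00:01", 12),
    (7, "aa:bb:cc:00:00:01", 12),     # retransmission: same seq, not a jump
    (8, "aa:bb:cc:00:00:02", 1002),
    (9, "aa:bb:cc:00:00:02", 1501),
    (10, "aa:bb:cc:00:00:03", 300),
    (11, "aa:bb:cc:00:00:03", 301),
    (12, "aa:bb:cc:00:00:03", 0),     # single reset (e.g. a reboot): tolerated
    (13, "aa:bb:cc:00:00:03", 1),
    (14, "aa:bb:cc:00:00:02", 1003),
    (15, "aa:bb:cc:00:00:02", 1502),
    (16, "aa:bb:cc:00:00:01", 13),
]


def backward_jumps(seqs, modulus=SEQ_MODULUS):
    """Count consecutive transitions that move backwards in modular terms.

    A healthy counter only moves forward (wrapping at `modulus`), so a gap
    larger than modulus/2 is treated as a step back.
    """
    count = 0
    for prev, cur in zip(seqs, seqs[1:]):
        if (cur - prev) % modulus > modulus // 2:
            count += 1
    return count


def suspected_duplicates(frames, max_backward=1):
    """Return {mac: backward jumps} for MACs exceeding the tolerance.

    One backward jump is allowed for a genuine counter reset (assumed tolerance).
    """
    by_mac = defaultdict(list)
    for _, mac, seq in sorted(frames):
        by_mac[mac].append(seq)
    return {mac: backward_jumps(seqs) for mac, seqs in by_mac.items()
            if backward_jumps(seqs) > max_backward}


if __name__ == "__main__":
    for mac, jumps in suspected_duplicates(FRAMES).items():
        print(f"{mac}: {jumps} backward sequence jumps, possible duplicate station")
```

In the constructed capture only the whitelisted MAC that is in use from two stations trips the check; the retransmission on the first MAC and the one-off counter reset on the third do not. The heuristic is evidence for an investigation, not proof, and it complements rather than replaces a real access control such as WPA2 with a strong passphrase or 802.1X.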

ADB.Miner worm is rapidly spreading across Android devices

A fresh threat to Android devices has managed to infect thousands of devices in days, researchers warn.

The malware has similar capabilities to worms and uses the ADB debug interface, on port 5555, to spread.

It is usually the case that port 5555 is kept closed; however, the ADB debug tool used to conduct diagnostic tests sometimes may open this port — potentially by accident.

Once a device is infected, it will continue to scan the 5555 port to propagate further and find other devices with the same port open, such as Android-based smartphones, tablets, or television sets.
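The propagation pattern just described (an infected device repeatedly connecting out to tcp/5555 on other hosts) is something a network defender can look for in flow logs. Here is an added detection example; it is not code from the researchers' report or from any vendor. The flow-log format, the sample records and the thresholds (distinct targets per time window) are constructed assumptions to be tuned per network.

```python
"""Flag internal hosts whose outbound tcp/5555 traffic looks like worm scanning.

Added example for the propagation behaviour described above; it is not code
from any vendor report. The flow records are constructed, and the thresholds
(distinct targets per window) are assumptions to be tuned per network.
"""
import re
from collections import defaultdict

# Constructed flow-log excerpt: "<epoch> <src>:<sport> -> <dst>:<dport> <proto>".
SAMPLE_FLOWS = """\
1517443200 10.0.0.12:40001 -> 10.0.0.1:53 udp
1517443201 10.0.0.25:51000 -> 10.0.0.2:5555 tcp
1517443201 10.0.0.25:51001 -> 10.0.0.3:5555 tcp
1517443202 10.0.0.25:51002 -> 10.0.0.4:5555 tcp
1517443202 10.0.0.25:51003 -> 10.0.0.5:5555 tcp
1517443203 10.0.0.25:51004 -> 10.0.0.6:5555 tcp
1517443203 10.0.0.25:51005 -> 10.0.0.7:5555 tcp
1517443204 10.0.0.25:51006 -> 10.0.0.8:5555 tcp
1517443204 10.0.0.25:51007 -> 10.0.0.9:5555 tcp
1517443205 10.0.0.25:51008 -> 10.0.0.9:5555 tcp
1517443210 10.0.0.40:52000 -> 10.0.0.25:5555 tcp
1517443300 10.0.0.31:53001 -> 10.0.0.50:5555 tcp
1517443400 10.0.0.31:53002 -> 10.0.0.51:5555 tcp
1517443500 10.0.0.31:53003 -> 10.0.0.52:5555 tcp
"""

LINE_RE = re.compile(r"^(\d+) (\S+):(\d+) -> (\S+):(\d+) (tcp|udp)$")


def parse_flows(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, sport, dst, dport, proto = m.groups()
        flows.append({"ts": int(ts), "src": src, "sport": int(sport),
                      "dst": dst, "dport": int(dport), "proto": proto})
    return flows


def find_adb_scanners(flows, port=5555, min_targets=5, window=60):
    """Return {src: distinct targets} for sources that contacted at least
    `min_targets` distinct hosts on `port` within any `window`-second span.

    Repeated connections to the same host are counted once, so a single
    legitimate ADB session does not look like scanning.
    """
    by_src = defaultdict(list)
    for f in flows:
        if f["proto"] == "tcp" and f["dport"] == port:
            by_src[f["src"]].append((f["ts"], f["dst"]))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        best = 0
        for i, (t0, _) in enumerate(events):
            targets = {dst for ts, dst in events[i:] if ts - t0 <= window}
            best = max(best, len(targets))
        if best >= min_targets:
            hits[src] = best
    return hits


def scan_report(text, **kwargs):
    """Convenience wrapper: raw log text in, {src: distinct targets} out."""
    return find_adb_scanners(parse_flows(text), **kwargs)


if __name__ == "__main__":
    for src, n in scan_report(SAMPLE_FLOWS).items():
        print(f"{src}: {n} distinct hosts contacted on tcp/5555 within 60 s, "
              "investigate for ADB.Miner-style propagation")
```

With the default thresholds only 10.0.0.25 is reported: it reached eight distinct hosts on tcp/5555 within a few seconds. The single inbound connection it receives from 10.0.0.40 and the three slow, spread-out connections from 10.0.0.31 stay below the threshold; loosening the window and target count (as the second assertion in the usage below does) is how you would trade false positives for sensitivity.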

According to the Chinese security firm, smartphones and smart TV set-top boxes make up most of the devices currently infected, but the company has not disclosed which models or vendors.

While the earliest time of infection has been traced back to 31 January, in only 24 hours, the researchers estimate ADB.Miner has been able to spread to upwards of 5,000 devices, mainly in China and South Korea.

“Overall, we believe malicious code based on the Android system ADB debug interface is now actively spreading in worms and infected over 5,000 devices in 24 hours,” the team says. “Affected devices are actively trying to deliver malicious code.”

The malware contains mining software which specifically focuses on Monero (XMR). ADB.Miner connects to two different mining pools which both share the same wallet address but is yet to deposit proceeds from the fraudulent mining operations.

Cybercriminals are exploring ways to utilize cryptocurrency miners, in themselves not malicious, for fraudulent purposes. A recent report from Cisco Talos has suggested that cyberattackers are turning away from ransomware in favor of this silent, and harder to detect, kind of scheme.

Malware based on the Mirai botnet, dubbed Satori, has been recently spotted targeting Ethereum mining rigs. A tailored version of Satori, called Satori.Coin.Robber, scans for devices through port 3333.

If old versions of Claymore Miner software which have not been patched against the malware are detected, the malicious code replaces user wallet addresses with others controlled by the malware operators.