A misconfigured database that stored the personal information of more than 198 million American voters has been exposed, which is considered the majority of all US citizens' personal information.
All of the data containing voter personal information was exposed on the Internet, and a Republican National Committee (RNC) contractor is responsible for this data breach.
The data server was owned by the Republican data firm Deep Root Analytics, which stored all of the voter data on a publicly accessible cloud server containing 1.1 terabytes of entirely unsecured personal information.
The leaked data belongs to voters from all political parties in America and covers approximately 61 percent of the US population.
The exposed data contains home addresses, birth dates and phone numbers; the records also include advanced sentiment analyses used by political groups on topics such as gun ownership, stem cell research and the right to abortion, as well as suspected religious affiliation and ethnicity.
According to UpGuard, “The RNC data repository would ultimately acquire roughly 9.5 billion data points regarding three out of every five Americans, scoring 198 million potential US voters on their likely political preferences using advanced algorithmic modeling across forty-eight different categories.”
This open access meant that anyone with an internet connection could have accessed the Republican data operation used to power Donald Trump’s presidential victory, simply by navigating to a six-character Amazon subdomain: “dra-dw”, UpGuard said.
The Deep Root Analytics data warehouse stored almost 500 hours of video within the 1.1 terabytes, much of it of clear political importance.
UpGuard found a folder called “data_trust” in the dra-dw directory that stored two massive stores of personal information, collectively representing up to 198 million potential voters.
A spreadsheet forecasting specific voters on a 0-1 scale – UpGuard
According to UpGuard, “The spreadsheet is an impressive deployment of analytical might. However, while each potential voter is signified by their 32-character RNC internal ID, it is a one-step process to determine the real name associated with the modeled policy preferences, as the aforementioned “Contact File” also exposed in the database links the RNC ID to the potential voter’s actual identity.”
A previous electoral data breach occurred in Mexico, where the data of almost 100 million voters was revealed in public.
In the past we have covered a number of phishing campaigns in which attackers used a valid TLD itself for phishing, as well as the Punycode attack demonstrated by Xudong Zheng.
Now hackers have found an innovative new method to create believable URLs, targeting mobile users and specifically Facebook users. Security experts from PhishLabs came across this new campaign targeting mobile users.
Security expert Crane Hassold says, “Instead of attempting to make genuine looking URLs, threat actors have begun including genuine, legitimate domains within a longer URL, and padding it with hyphens to hide the real target”.
The URL starts with m.facebook.com, but the real destination here is rickytaylk.com, not m.facebook.com.
Source: PhishLabs
In the screenshot you can see only m.facebook.com followed by an endless stream of hyphens that hides the original target address. The addition of the Facebook favicon in the address bar makes the site look exceptionally genuine.
Lack of attention
Inattentive mobile users easily fall into the trap and give away their valuable credentials to the attackers. Generally, these phishing URLs are delivered through SMS, chats and emails.
Crane Hassold says, “it’s highly likely that this tactic is being distributed via SMS phishing or through the social messenger, rather than email”.
One can easily identify a phishing URL sent through email just by hovering over the link, but that is not possible if the URL is delivered through SMS.
Security researchers said they have spotted more than 50 attacks of this type, with rapid growth since last March.
Hackers are not using this method for credential harvesting alone; they also use it to send more phishing URLs via status updates or private messages.
Common defences against phishing
Logically, we know that organizations like Facebook will not send a login URL through SMS. Think about that before opening one.
Always make sure you enter login credentials and card details only on an HTTPS page.
Don’t open attachments you are not expecting.
Hover over the URL to check its integrity.
It is always better to type the URL directly into the address bar.
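The padding trick above works because hyphens are legal hostname characters, so the whole "m.facebook.com-----...-step1.rickytaylk.com" string is one hostname owned by rickytaylk.com. The following Python snippet is an added example (not code from PhishLabs or the original article) that shows how a URL parser sees such a link: it extracts the host the browser will really connect to and flags URLs that embed a known brand name next to a long run of hyphens. The sample URLs are constructed, the "validate"/"step1" labels and example.test host are placeholders, and the two-label "registrable domain" heuristic is a simplification (a public-suffix list would be used in production).

```python
from urllib.parse import urlparse

# Constructed sample URLs shaped like the campaign described above; the path
# segments and the "validate"/"step1" labels are placeholders, not campaign data.
SAMPLE_URLS = [
    "http://m.facebook.com----------------validate----step1.rickytaylk.com/sign_in.html",
    "https://m.facebook.com/login",
    "http://example.test/m.facebook.com------------------login",
]

# Brand hostnames we want to recognise; anything else claiming to be them is suspect.
BRAND_DOMAINS = ("facebook.com",)


def real_host(url):
    """Return the host the browser will actually connect to, lower-cased.

    Hyphens are legal in hostnames, so the padded prefix is part of the host,
    not a separate domain; the parser does not stop at 'm.facebook.com'."""
    return (urlparse(url).hostname or "").lower()


def registrable_domain(host):
    """Naive 'last two labels' approximation of the owning domain.

    Assumption: good enough for .com-style TLDs; use a public-suffix list for
    multi-label suffixes such as co.uk."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_brand_host(host, brand):
    """True only when the host is the brand domain or a real subdomain of it."""
    return host == brand or host.endswith("." + brand)


def check_url(url, min_hyphen_run=4):
    """Classify a URL as 'brand', 'padded' or 'other' and report the true owner."""
    host = real_host(url)
    owner = registrable_domain(host)
    for brand in BRAND_DOMAINS:
        if is_brand_host(host, brand):
            return {"verdict": "brand", "host": host, "owner": owner}
        # The brand name appears somewhere in the URL but the host is not the
        # brand: a long run of hyphens alongside it is the padding trick.
        if brand in url.lower() and "-" * min_hyphen_run in url:
            return {"verdict": "padded", "host": host, "owner": owner}
    return {"verdict": "other", "host": host, "owner": owner}


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(check_url(u))
```

Running the block prints a verdict for each sample: the first and third are flagged as padded with their true owners (rickytaylk.com and example.test), while the genuine m.facebook.com login URL is recognised as the brand. The same `real_host` logic is what the "hover over the URL" advice relies on; on a phone, where hovering is impossible, pasting the link into a checker like this gives the same answer.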
Buckle, Inc., one of the biggest retailers in the US, operating 465 stores in 44 U.S. states, has suffered a cyber attack on its payment card data systems in which hackers injected malware to steal customers’ credit card data.
The malicious software was identified on the point-of-sale (POS) systems at Buckle retail store locations. According to the forensic report, the malware silently recorded customers’ credit card information, including the account number, account holder’s name and expiration date.
The malware was installed on cash registers at Buckle retail store points of sale; purchases made on its online store were not affected.
Buckle believes that certain payment cards used in its stores between October 28, 2016 and April 14, 2017 may have been affected.
The malware was active only during certain periods of the day at the point of sale, and it did not collect data from all transactions or all POS systems.
All stores have been equipped with EMV-capable card terminals, so point-of-sale machines are accessed with secure chip-based credit and debit cards.
Once a card was inserted, the malware copied the information from the magnetic stripe, which lets hackers clone the card with the stolen information.
According to Buckle, there is no indication that other guest information was collected and no indication that any information submitted through Buckle.com was affected.
After the malicious code and the external IP addresses were found, the malware was removed from the Buckle, Inc. network, potentially compromised systems were isolated, and malware-related files residing on Buckle’s systems were eradicated, Buckle said.
Buckle advised its customers to closely monitor their payment card account statements and, if any unauthorized activity is found in their bank accounts, to contact the bank immediately to make sure they are safe.
A fileless ransomware called “SOREBRECT” has been discovered that has the capability to inject malicious code into a target process and encrypt the victim’s data. It abuses the PsExec utility, which lets you execute processes on other systems.
SOREBRECT was developed with stealth and a self-destruct routine that make it fileless malware. Before terminating the main binary, it executes its encryption routine by injecting code into the legitimate process svchost.exe.
Its evasion technique avoids detection and makes it difficult to remove from affected systems: it deletes event logs and other tracking artifacts that would provide forensic information, such as which files were executed on the system and their timestamps.
These stealth functions help keep SOREBRECT’s activities from being tracked.
PsExec is a Windows command-line utility that lets an administrator execute commands or run executable files on a remote system; SOREBRECT’s attack chain abuses this legitimate tool.
SOREBRECT’s attack chain {Credit: Trend Micro}
Once PsExec is used to execute the code on the victim’s machine, it indicates that the administrator account has already been compromised or that the remote target’s credentials were brute-forced.
According to the Trend Micro report, SOREBRECT is not the first threat family that misuses PsExec to inject and execute code. Before this ransomware, the SAMSAM and Petya ransomware families already misused this function.
“Once the deployed ransomware binary finishes execution and self-termination, the injected svchost.exe—a legitimate Windows service hosting system process—resumes the execution of the payload (file encryption).”
Its self-terminating capability helps make this ransomware fileless after the code has been injected into memory.
RDP vs PsExec Performance
The attacker uses both the Remote Desktop Protocol (RDP) and PsExec to inject SOREBRECT into the affected target.
Compared to RDP, PsExec is simpler and can take advantage of SOREBRECT’s fileless and code injection capabilities.
The attack is more evasive because of its code injection capability.
“PsExec can enable attackers to run remotely executed commands, instead of providing and using an entire interactive log-in session, or manually transferring the malware into a remote machine, like in RDPs.”
Finally, SOREBRECT encrypts the files on the local machine and on network shares by injecting into the svchost.exe process and executing the payload, using TOR to communicate anonymously with the command and control (C&C) server.
According to the Trend Micro investigation, SOREBRECT has been distributed across Middle Eastern countries such as Kuwait and Lebanon, as well as Canada, China, Croatia, Italy, Japan, Mexico, Russia, Taiwan and the U.S.
Affected industries include manufacturing, technology and telecommunications.
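Because SOREBRECT leaves little on disk and wipes event logs on the victim, the most reliable place to spot its PsExec stage is in logs that have already been forwarded to a central collector. The Python snippet below is an added example (not from Trend Micro or the original article) of the kind of detection logic a defender would run over such records: PsExec works by installing a temporary service, conventionally named PSEXESVC, on the remote machine, so a service-installation event (Windows System log event 7045) naming that service, and any process whose parent is PSEXESVC.exe, are strong indicators of PsExec use that deserves review. The log lines are constructed for the demo and flattened to a simple key=value format; the hostnames, times and the CORP\admin account are placeholders.

```python
import re
from collections import defaultdict

# Constructed Windows-style log records flattened to key=value pairs for the demo.
# Event 7045 = "a service was installed"; 4688 = "a new process was created".
# Hostnames, timestamps and the CORP\admin account are placeholders.
SAMPLE_EVENTS = [
    'time=2017-06-14T09:12:03 host=FS01 event_id=7045 service_name=PSEXESVC image_path="%SystemRoot%\\PSEXESVC.exe" user=CORP\\admin',
    'time=2017-06-14T09:12:05 host=FS01 event_id=4688 new_process="C:\\Windows\\PSEXESVC.exe" parent="services.exe" user=SYSTEM',
    'time=2017-06-14T09:12:06 host=FS01 event_id=4688 new_process="C:\\Windows\\System32\\svchost.exe" parent="C:\\Windows\\PSEXESVC.exe" user=SYSTEM',
    'time=2017-06-14T09:30:00 host=WS07 event_id=7045 service_name=Spooler image_path="C:\\Windows\\System32\\spoolsv.exe" user=SYSTEM',
    'time=2017-06-14T09:40:00 host=WS07 event_id=4688 new_process="C:\\Windows\\System32\\svchost.exe" parent="services.exe" user=SYSTEM',
]

# key=value where the value is either a double-quoted string or a run of non-spaces
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line):
    """Turn one key=value line into a dict; quoted values may contain spaces."""
    return {key: (quoted or bare) for key, quoted, bare in FIELD_RE.findall(line)}


def basename(path):
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def psexec_findings(lines):
    """Return (time, host, rule, detail) tuples for PsExec-related artifacts."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        event_id = rec.get("event_id")
        if event_id == "7045" and "psexesvc" in rec.get("service_name", "").lower():
            # The PsExec service being installed on the target machine.
            findings.append((rec["time"], rec["host"], "psexec_service_installed", rec.get("image_path", "")))
        elif event_id == "4688" and basename(rec.get("new_process", "")) == "psexesvc.exe":
            # The service binary itself starting (parent is normally services.exe).
            findings.append((rec["time"], rec["host"], "psexec_service_process", rec.get("new_process", "")))
        elif event_id == "4688" and basename(rec.get("parent", "")) == "psexesvc.exe":
            # Whatever PsExec was asked to run: this is the remotely launched payload.
            findings.append((rec["time"], rec["host"], "process_launched_by_psexec", rec.get("new_process", "")))
    return findings


def hosts_by_rule(findings):
    """Group the affected hosts under each rule name for a quick triage summary."""
    grouped = defaultdict(set)
    for _, host, rule, _ in findings:
        grouped[rule].add(host)
    return dict(grouped)


if __name__ == "__main__":
    found = psexec_findings(SAMPLE_EVENTS)
    for item in found:
        print(*item)
    print(hosts_by_rule(found))
```

On the sample data all three rules fire for FS01 and none for WS07, whose Spooler service install and services.exe-spawned svchost.exe are normal. In a real environment PsExec is also used legitimately by administrators, so the value of this check is in correlating the findings with who ran it, from where, and whether an unfamiliar executable was launched, rather than in treating every hit as an incident.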
English computer hacker Sean Caffrey, who admitted stealing several online records from a US military communications system, pleaded guilty on Thursday at Birmingham Crown Court.
25-year-old Sean Caffrey from Sutton Coldfield (UK) managed to steal the usernames and email addresses of more than 800 users of a satellite communications system, and additionally of around 30,000 satellite telephones, says the NCA.
Caffrey was arrested in March 2015, according to the NCA. At the time, the NCA said a hacker stole data from “an international satellite message dissemination system”. UK National Crime Agency officers found the stolen information on his hard drives after forensic examinations of his seized PCs.
The NCA said the hacker also posted proof of the hack on the Pastebin website under the name LizardSquad (a blackhat group well known for DDoS attacks).
“We smite the Lizards, LizardSquad your time is near. We’re in your bases, we control your satellites. The missiles shall rein upon thy who claim alliance, watch your heads, ** T-47:59:59 until lift off. We're one, we're many, we lurk in the dark, EMSS: we're everywhere and anywhere. Live Free Die Hard! DoD,EMSS: Enhanced Mobile Satellite Services is not all, Department of Defense has no Defenses.”
Message posted by Caffrey
NCA officers additionally found that an online messaging account connected to the attack had been opened and operated under an alias from Caffrey’s PCs.
The DoD said it cost roughly $628,000 to repair the damage caused by the hacker’s intrusion.
“After strong partnership working between the NCA, the FBI and the DoD’s Defense Criminal Investigative Service there was very clear, very compelling evidence against Sean Caffrey,” said Janey Young, investigations manager at the NCA.
She also said, “No one should think that cyber crime is victimless or that they can get away with it. The NCA has people with skills like Caffrey’s, but they’re doing the opposite to him in detecting cyber criminals and bringing them to justice. We’re working to keep the internet a safe space for people who use it legitimately.”
WikiLeaks has revealed another CIA cyber weapon called “CherryBlossom”, specially developed to compromise wireless network devices, including wireless routers and access points (APs), with the help of the Stanford Research Institute (SRI International).
The hacking tool released earlier in WikiLeaks’ Vault 7 leaks was Pandemic, which has the ability to replace target files when remote users download them over SMB.
“CherryBlossom” is capable of exploiting software and monitoring the Internet activity of targeted victims through commonly used WiFi devices in private and public places, including small and medium-sized companies as well as enterprise offices.
The tool compromises wireless devices and uses a man-in-the-middle attack to monitor, control and manipulate the Internet traffic of connected users.
Once a device has been successfully infected, the tool can inject malicious content into the traffic stream to exploit vulnerabilities in the target.
It doesn’t require any physical access to compromise the target, since it works by implanting customized CherryBlossom firmware in the wireless device itself, and some devices allow upgrading their firmware over a wireless link.
According to the secret CIA document revealed by WikiLeaks, the released document is for CBlossom version 5.0. CBlossom version 5.0 will include new releases of the CBlossom Flytrap and Cherry Tree products, each being referred to as version 5.0.
Once a target has been compromised by CherryBlossom, the router or access point is called a Flytrap.
Flytrap – a wireless access point (AP), router, or other device that has been implanted with Cherry Blossom firmware.
A Flytrap communicates over the Internet with a command and control server referred to as the CherryTree.
According to the secret CIA document, the key element of the Cherry Blossom system is the Flytrap:
“In typical operation, a wireless device of interest is implanted with Cherry Blossom firmware, either using the Claymore tool or via a supply chain operation. After implanting has occurred, the wireless device is known as a Flytrap.”
CherryBlossom Architecture
In this architecture diagram, the red boxes are Cherry Blossom components.
Flytrap – a wireless access point (AP), router, or other device that has been implanted with Cherry Blossom firmware. Flytraps execute Missions to detect and exploit Targets.
Command post (Cherry Tree) – handling and storage of Flytrap Missions, status, and distribution of Flytrap Alerts.
Remote Terminal (CherryWeb or CW) – browser-based interface that allows Sponsor users to view system status, configure the system, view target activity, and plan/assign Missions.
CherryBlossom Architecture
User – a person with access to the Cherry Web Remote Terminal.
Point of Presence (PoP) or Listening Post (LP) – relay that forwards communication between a Flytrap and the Cherry Tree.
Main Tasks of CherryBlossom
The main tasks include monitoring the target, performing actions/exploits on a Target, and carrying out instructions regarding communication and stealing the victim’s data.
Based on the WikiLeaks document, it has the ability to scan for email addresses, chat user names, MAC addresses and VoIP numbers in passing network traffic to trigger additional actions, to copy the full network traffic of a Target, and to redirect a Target’s browser.
CherryBlossom exploits vulnerabilities in devices from many wireless router vendors, including Hsing Tech, Orinoco, Apple Airport Express, Allied Telesyn, LANET Technology, RPT Int, Senao, D-Link, Linksys, and others.
Firefox has between 9% and 16% of worldwide desktop browser usage and is the second most popular web browser in the world. The latest version, Firefox 54.0, has been released with 32 patched critical and high-severity vulnerabilities, some of which could crash the browser.
These vulnerabilities were reported by many individual security researchers, and some were discovered by Mozilla developers and the community.
Firefox 54.0
Mozilla is calling Firefox 54.0 “the best Firefox ever”, since the new version ships with multiple content processes, a UI process, and a GPU acceleration process.
The multiple content processes in this new version will improve stability and performance (one bad tab won’t slow down the rest of your computer).
New features added include a simplified download button and download status panel, and support for multiple content processes.
Other changes: the mobile bookmarks folder has been moved to the main bookmarks menu for easier access.
To run even complex sites faster, Mozilla changed how the browser is split across operating system processes.
The old Firefox used a single process to run all the tabs in a browser. Modern browsers split the load into several independent processes.
Resulting in a browser crash
These vulnerabilities can crash the entire browser.
CVE-2017-5472:
A frame loader vulnerability leads to a browser crash while regenerating CSS layout when a non-existent tree node is accessed.
CVE-2017-7749:
A use-after-free vulnerability when using an incorrect URL during the reloading of a docshell. This results in a potentially exploitable crash.
CVE-2017-7750:
This vulnerability also leads to a crash: during video control operations, an old window referenced by a <track> element is used after that window has been replaced in the Document Object Model.
CVE-2017-7751
A use-after-free vulnerability with content viewer-listeners that results in a potentially exploitable crash.
CVE-2017-7756
A vulnerability when logging errors from headers for XML HTTP Requests (XHR). This could result in a potentially exploitable crash.
CVE-2017-7757
A vulnerability in IndexedDB when one of its objects is destroyed in memory while a method on it is still being executed.
The following are critical privilege escalation vulnerabilities that have been fixed by Mozilla.
CVE-2017-7760
This vulnerability allows manipulation of files in the installation directory and privilege escalation by manipulating the Mozilla Maintenance Service. It affects only Windows, since it requires local privileges to exploit.
CVE-2017-7761:
This high-severity vulnerability leads to deletion of files and privilege escalation through helper.exe of the Mozilla Maintenance Service.
CVE-2017-7766:
An attack using manipulation of updater.ini contents, used by the Mozilla Windows Updater, and privilege escalation through the Mozilla Maintenance Service to allow for arbitrary file execution.
CVE-2017-7767
Arbitrary files can be overwritten with junk data using the Mozilla Windows Updater, invoked through the Maintenance Service by an unprivileged user; this affects Windows users only.
CVE-2017-7768
The Maintenance Service executes with privileged access, bypassing system protections against unprivileged users, allowing a user to read 32 bytes of any arbitrary file on the local system by convincing the service that it is reading a status file provided by the Mozilla Windows Updater.
BlackArch Linux is based on Arch Linux. It is a lightweight penetration testing distro designed for professional and elite hackers who can work with Linux like a pro.
It uses Fluxbox and OpenBox as desktop environments, along with other DEs. It has a huge number of tools: more than 1500 hacking tools are included in the distro and repo.
The first release was in 2013, and on 2017.06.13 a new version was released which now includes more than 1800 tools.
New ISOs (2017.06.13) released! Over 1800 tools, newest kernel, … and more! Get it while it's hot: https://t.co/gCWhQ9rBJR #blackarch
– add more than 100 new tools
– update blackarch installer to version 0.5.1 (bugfixes + features)
– fix several tools (dependencies, installs)
– include linux kernel 4.11.3
– updated all blackarch tools
– updated all system packages
– update all window manager menus (awesome, fluxbox, openbox)
– Support for i686, x86_64, armv6h, armv7h and aarch64 architectures
– Over 1800 tools (constantly increasing)
– Modular package groups
– A live ISO with multiple window managers, including dwm, fluxbox, openbox, awesome, wmii, i3 and spectrwm.
– A 64bit OVA image ready to use with Virtualbox and VMware
– An optional installer with the ability to build from source.
How to update to the latest version
It is really simple: just run the command pacman -Syyu --needed --force blackarch. You need to be logged in as root to do this.
The BlackArch team said they will release a new version of the ISOs in a few hours with a fix for the perl issues and with kernel 4.11.4. To download BlackArch click here.
We will release another version of the new ISOs in a few hours, which will fix the perl issues (rebuilt libraries) and includes kernel 4.11.4
In December 2016 a power outage in Ukraine’s capital Kiev was caused by a cyber attack, and this malware can do the same. Security specialists say it is highly feasible that Industroyer was used in the December 2016 attack on the Ukrainian power system.
This dangerous malware, recognized by ESET security specialists and Dragos Inc. and named Win32/Industroyer, can do enormous damage to electric power systems and is furthermore capable of targeting other critical infrastructure.
Industroyer is capable of controlling power substation switches and circuit breakers directly. By having control over the switches, attackers can launch a range of attacks, from turning off power distribution to causing serious damage.
Credits: ESET
Industroyer does not use any vulnerabilities or zero-day exploits to carry out these malicious activities. Its danger lies in the way it uses industrial protocols exactly as they were intended to be used.
The issue is that these protocols were designed decades ago, and their communication protocols were not designed with security as a primary concern.
What’s special about Industroyer compared to other infrastructure malware
It consists of a backdoor used by attackers to communicate with command and control servers and to manage the attack.
Security experts say “Industroyer installs four payloads to get direct control of switches and circuit breakers. Each of these components targets particular communication protocols specified in the following standards: IEC 60870-5-101, IEC 60870-5-104, IEC 61850, and OLE for Process Control Data Access (OPC DA)”.
Module overview Credits: ESET
The objective of these payloads is to map the network and then attack specific industrial control devices. This shows the in-depth knowledge of the payload developer.
You can refer to the whitepaper published by ESET for a technical analysis.
This malware is suspected to have further advanced features, and experts suspect that what happened was a trial run before a major attack.
The most notable feature of this backdoor is that attackers can define a particular hour of the day when the backdoor will be active.
All the C&C servers used by this backdoor are running Tor software to guarantee their anonymity. This makes network analysis more complex.
Shodan founder John Matherly says more than 100,000 industrial control systems are connected to the Internet at the moment.
More than 100,000 industrial control systems are connected to the Internet at the moment – most of them in the US: https://t.co/V1UBZDGTeq
A new Android Trojan ad library called “Xavier” has infected more than 800 Android apps, estimated at more than a million downloads in Google Play, and has been distributed to a large number of people around the globe.
The Xavier malware, detected as “ANDROIDOS_XAVIER.AXM”, silently infects devices, steals user information and leaks personal information.
This malicious ad library uses a remote server to download code containing the embedded malicious behavior, which is loaded into the infected apps on the Android phone.
Embedded Xavier ad library in Google Play Store {Image Credit: Trend Micro}
It is more evasive against traditional detection methods, using string encryption, Internet data encryption, and emulator detection.
The maximum number of downloads has been observed in Asian countries such as Vietnam, the Philippines and Indonesia, with fewer downloads from the United States and Europe.
Stealing and leaking capabilities
According to Trend Micro research, the malware hides in apps that handle user data, ranging from photo manipulators to wallpaper and ringtone changers.
Xavier’s sophisticated self-protection mechanism helps it avoid detection by both static and dynamic analysis.
“Xavier also has the capability to download and execute other malicious codes, which might be an even more dangerous aspect of the malware. Xavier’s behavior depends on the downloaded codes and the URL of codes, which are configured by the remote server.”
A Xavier malware variant was initially identified in early 2015; it infected millions of devices through 2,000 apps with similar behavior on Google Play.
Evolution of Xavier {Image Credit: Trend Micro}
The first version of the Xavier malware ad library, called joymobile, had remote code execution functionality and was discovered in 2015.
This ad library is capable of installing other APKs, and it can do this silently if the device is rooted.
The malware authors use a command and control (C&C) server for further communication to steal information; this communication is used without any encryption, but constant strings in the code were encrypted.