A newly discovered unprotected MongoDB database contained a large volume of California state voter information, reportedly covering every registered voter, much like the many voter database leaks reported this year.
The leaked database, named ‘cool_db’, was publicly available online and could be accessed by anyone with a simple internet connection.
It was also open to viewing, editing and modification by anyone. It contained two collections: one holding a set of voter registration data and the other holding the entire California state voter list of 19,264,123 records, all open to public access.
Unknown cyber criminals had already found this database, demanded a ransom in bitcoin and later deleted it.
According to the LA Times, California had 18.2 million registered voters in 2016, so this would logically be a complete list of their records.
According to Kromtech Security: “We were able to analyze the stats data we saw in our report (metadata on the total number of records, uptime, names of the collections etc.), as well as a 20-record sample extracted from the database shortly before it was wiped out and the ransom note appeared.”
The cyber criminals used this database to demand a ransom of around 0.2 bitcoin ($2,325.01 at the time of discovery).
The leak contained 4 GB of data, including the following sensitive information.
The 4 GB collection contained records structured with the following fields of the voter database:
City:
Zip:
StreetType:
LastName:
HouseFractionNumber
RegistrationMethodCode
State: CA
Phone4Exchng:
MailingState: CA
Email:
Phone3Area:
Phone3NumPart:
Status: A
Phone4Area:
StreetName:
FirstName:
StreetDirSuffix:
RegistrantId:
Phone1NumPart:
UnitType:
Phone2NumPart:
VoterStatusReasonCodeDesc: Voter Requested
Precinct:
PrecinctNumber:
PlaceOfBirth:
Phone1Exchng:
AddressNumberSuffix:
ExtractDate: 2017-05-31
Language: ENG
Dob:
Gender:
MailingCountry:
AssistanceRequestFlag
MailingCity:
MiddleName:
AddressNumber:
StreetDirPrefix:
RegistrationDate:
PartyCode:
Phone1Area:
Suffix:
NonStandardAddress:
Phone4NumPart:
CountyCode:
MailingAdd3:
MailingAdd2:
MailingAdd1:
UnitNumber:
Phone2Exchng:
NamePrefix:
_id: ObjectId
MailingZip5:
Phone2Area:
The extracted data appears to have been created on May 31st, 2017, and the second database contained a massive 409,449,416 records in total.
In this case, the data was not only publicly exposed online; cybercriminals also offered this database information for sale on the dark web market and held it for ransom.
It is unclear who exactly compiled the database in question or who owns it, but researchers believe it could have been a political action committee or a specific campaign, based on the unofficial title of the repository (“cool_db”); this is only a suspicion. The database has been taken down since the initial discovery, Kromtech said.
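The two settings that turn a MongoDB instance into a ‘cool_db’-style exposure are a listen address open to the world and no access control. The following audit script is an added example (not code from the article, Kromtech or MongoDB): it parses the small YAML subset that mongod.conf uses without third-party libraries and reports both conditions. The two sample configurations are constructed; the weak one is shown beside the corrected one.

```python
"""Audit a mongod.conf for the two settings behind a public, writable MongoDB.

Added example. Assumptions: mongod.conf uses only nested "key: value" mappings
(no YAML lists), and MongoDB 3.6+ defaults net.bindIp to localhost while
older releases listened on all interfaces when it was unset.
"""


def parse_simple_yaml(text):
    """Parse an indentation-nested 'key: value' document into nested dicts.

    Supports the subset mongod.conf normally uses: scalar values, nested
    mappings, '#' comments and blank lines.  Lists are not supported.
    """
    root = {}
    stack = [(-1, root)]  # (indent, mapping) pairs, root has indent -1
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("\"'")
        while stack[-1][0] >= indent:  # climb back to the enclosing mapping
            stack.pop()
        parent = stack[-1][1]
        if value == "":
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def audit(config):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    net = config.get("net", {})
    if str(net.get("bindIpAll", "false")).lower() == "true":
        findings.append("net.bindIpAll is true: mongod listens on every interface")
    elif "bindIp" not in net:
        findings.append("net.bindIp not set: releases before 3.6 listen on all interfaces")
    else:
        addrs = {a.strip() for a in net["bindIp"].split(",")}
        if addrs & {"0.0.0.0", "::", "*"}:
            findings.append(f"net.bindIp {sorted(addrs)} includes a wildcard address")
    authz = config.get("security", {}).get("authorization", "disabled")
    if authz != "enabled":
        findings.append("security.authorization is not 'enabled': anyone who can "
                        "connect can read, edit and drop every collection")
    return findings


def audit_file(path):
    with open(path, encoding="utf-8") as fh:
        return audit(parse_simple_yaml(fh.read()))


# Constructed sample: the weak configuration that reproduces the exposure.
EXPOSED_CONF = """\
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 0.0.0.0   # reachable from the whole internet
"""

# Constructed sample: same server, listening only where needed and with auth on.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(parse_simple_yaml(conf)) or ["no findings"])
```

`audit_file("/etc/mongod.conf")` runs the same check on a real host; the exposed sample yields two findings and the hardened one none.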
A dangerous malware family called “TRITON” is being distributed to attack industrial control systems and can trigger an emergency shutdown of industrial processes.
Researchers believe this malware is capable of causing physical damage and of inadvertently shutting down operations.
A Distributed Control System (DCS) provides human operators with the ability to remotely monitor and control an industrial process. It is a computerized control system consisting of computers, software applications and controllers.
Further investigation revealed that this malware is designed to interact with Triconex Safety Instrumented System (SIS) controllers.
The malware mainly consists of two modules, trilog.exe and library.zip. trilog.exe is the main executable; it leverages library.zip, a custom communication library for interaction with Triconex controllers.
The targeting of critical infrastructure to disrupt, degrade, or destroy systems is consistent with numerous attack and reconnaissance activities carried out globally by Russian, Iranian, North Korean, U.S., and Israeli nation-state actors.
Initially, the attacker gained remote access to the SIS engineering workstation and later deployed the TRITON malware to reprogram the SIS controllers.
During this incident, the SIS controllers entered a failed-safe state, which automatically shut down the process.
Later investigation revealed that the SIS controllers initiated a safe shutdown when application code between redundant processing units failed a validation check.
ICS Reference Architecture
According to FireEye, researchers believe the following reasons point to an intent to cause physical damage:
Modifying the SIS so that it no longer functions correctly means failures can occur at any time, and such failures can lead to physical damage.
The validation check failed because TRITON was able to modify application memory on the SIS controllers in the environment.
The failure occurred during the time period when TRITON was used.
It is not likely that existing or external conditions, in isolation, caused a fault during the time of the incident.
In this case, the attacker used a specific pre-built and tested tool, which requires access to hardware and software that is not widely available.
TRITON uses the TriStation protocol for its high-level communication with the controllers, a protocol that is not publicly documented.
“The TRITON attack tool was built with a number of features, including the ability to read and write programs, read and write individual functions and query the state of the SIS controller,” FireEye said.
Fox-IT, a world-leading IT security firm, was hit by a man-in-the-middle (MitM) attack in which an attacker accessed the DNS records for fox-it.com at its third-party domain registrar.
The attack allowed spying on a small amount of customer activity; the total effective MitM time was 10 hours and 24 minutes.
A man-in-the-middle attack is a form of eavesdropping in which an attacker intercepts and relays messages between two parties who are communicating directly with each other.
In this case, the attacker modified the Fox-IT DNS record to point to their own server, then intercepted the traffic and forwarded it to the original Fox-IT server.
The attacker’s specific target was the Fox-IT client portal, which Fox-IT uses to exchange files with customers, suppliers and other organizations.
The first unusual activity was detected on Sept 16, 2017: reconnaissance against Fox-IT infrastructure, including port scans, vulnerability scans, and other scanning activities.
Later the attacker gained access and modified the DNS records of the fox-it.com domain.
Fox-IT believes that at this stage the client portal record still pointed to the legitimate Fox-IT client portal server, but the attacker temporarily rerouted and intercepted Fox-IT email for the specific purpose of proving that they owned the Fox-IT domain, in the process of fraudulently registering an SSL certificate for ClientPortal.
On Sept 19, 2017, Fox-IT experts realized that the real MitM attack against their server had started. By this time the fraudulent SSL certificate for ClientPortal was in place and the DNS A record for clientportal.fox-it.com had been changed to point to a VPS provider abroad.
According to Fox-IT’s investigation, the name servers for the fox-it.com domain had been redirected, and this change was not authorized. “We changed the DNS settings back to our own name servers and changed the password to the account at our domain registrar,” Fox-IT said.
Fox-IT then disabled two-factor authentication for its client portal, preventing users of ClientPortal from successfully logging in.
Fox-IT also kept the portal accessible to the attacker, taking care not to reveal the discovery to the attacker in order to gain time to investigate further.
“During Sept 19 – Sept 20, 2017, a full investigation into the incident was undertaken, along with notification of all clients that had files intercepted and the relevant authorities, including the Dutch Data Protection Authority,” Fox-IT said.
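The three things that changed in this incident (the domain’s NS delegation, the portal’s A record, and the certificate the portal serves) can all be pinned and watched. The monitor below is an added example, not Fox-IT’s code: it compares a fresh observation against an out-of-band baseline and raises an alert for each drift. The hostnames, addresses and fingerprints are constructed; `observe_portal` fetches the two values the standard library can obtain live (resolved addresses and the served leaf certificate), while NS records need a DNS library such as dnspython (an assumption) and are passed in by the caller.

```python
"""Baseline drift monitor for registrar/DNS hijacks of a customer portal.

Added example. A fraudulently issued certificate for a hijacked name validates
perfectly against the public CA store, so this check pins the certificate's
SHA-256 fingerprint instead of relying on chain validation alone.
"""
import hashlib
import socket
import ssl
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    domain: str              # e.g. the apex domain whose NS set is pinned
    nameservers: frozenset   # authoritative NS names recorded at onboarding
    portal_host: str         # the host customers upload files to
    portal_ips: frozenset    # addresses it is allowed to resolve to
    cert_sha256: str         # hex SHA-256 of the DER leaf certificate


@dataclass(frozen=True)
class Observation:
    nameservers: frozenset
    portal_ips: frozenset
    cert_sha256: str


def compare(base: Baseline, obs: Observation) -> list:
    """Return one alert string per drift from the baseline (empty list = clean)."""
    alerts = []
    if obs.nameservers != base.nameservers:
        added = sorted(obs.nameservers - base.nameservers)
        removed = sorted(base.nameservers - obs.nameservers)
        alerts.append(f"NS delegation for {base.domain} changed: added {added}, removed {removed}")
    rogue = sorted(obs.portal_ips - base.portal_ips)
    if rogue:
        alerts.append(f"{base.portal_host} resolves to unexpected address(es) {rogue}")
    if obs.cert_sha256.lower() != base.cert_sha256.lower():
        alerts.append(f"{base.portal_host} served certificate {obs.cert_sha256[:16]}..., "
                      f"not the pinned {base.cert_sha256[:16]}...")
    return alerts


def observe_portal(host: str, port: int = 443, timeout: float = 5.0):
    """Live fetch of resolved addresses and the served certificate's SHA-256."""
    ips = frozenset(info[4][0] for info in
                    socket.getaddrinfo(host, port, type=socket.SOCK_STREAM))
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return ips, hashlib.sha256(der).hexdigest()


# Constructed sample values (hypothetical domain, RFC 5737 addresses, fake fingerprints).
GOOD_FP = hashlib.sha256(b"constructed legitimate certificate").hexdigest()
ROGUE_FP = hashlib.sha256(b"constructed fraudulently issued certificate").hexdigest()

BASELINE = Baseline(
    domain="example.net",
    nameservers=frozenset({"ns1.example.net.", "ns2.example.net."}),
    portal_host="portal.example.net",
    portal_ips=frozenset({"192.0.2.10"}),
    cert_sha256=GOOD_FP,
)
OBS_CLEAN = Observation(BASELINE.nameservers, BASELINE.portal_ips, GOOD_FP)
# What the Sept 19 state would look like: delegation moved, A record moved abroad,
# and a valid-but-unpinned certificate being served.
OBS_HIJACKED = Observation(
    nameservers=frozenset({"ns1.attacker-registrar.example.", "ns2.attacker-registrar.example."}),
    portal_ips=frozenset({"198.51.100.77"}),
    cert_sha256=ROGUE_FP,
)

if __name__ == "__main__":
    for name, obs in (("clean", OBS_CLEAN), ("hijacked", OBS_HIJACKED)):
        print(name, compare(BASELINE, obs) or ["no drift"])
```

Run this from a cron job on a host outside the monitored infrastructure, so that a hijacked resolver path does not also hide the alert; re-pin `cert_sha256` only through the same out-of-band process used to create the baseline.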
A vulnerability discovered in the APNs server allowed an attacker in a privileged network position to track a user; the issue was identified in the use of client certificates and was addressed through a revised protocol.
A team (FURIOUSMAC) from the United States Naval Academy reported this vulnerability to Apple, and CVE-2017-13864 has been assigned.
Another critical vulnerability was also discovered in which processing maliciously crafted web content may lead to arbitrary code execution.
These vulnerabilities have been patched and added to the common vulnerability database.
Hackers have pleaded guilty to creating and operating the dangerous Mirai botnet, which took down some popular websites and colleges.
Mirai is malware which turns computer systems running Linux into remotely controlled “bots” that can be used as part of a botnet in large-scale network attacks.
The Mirai botnet has been used in some of the largest and most disruptive distributed denial of service (DDoS) attacks. Paras Jha, 21, Josiah White, 20, and Dalton Norman, 21, pleaded guilty in the District Court of Alaska to computer fraud in operating the Mirai botnet.
When the Mirai botnet was created
In the summer of 2016, White, Jha, and Norman created this powerful botnet by installing malicious backdoors on victims’ devices.
Mirai primarily targeted IoT devices such as wireless cameras, routers, and digital video recorders, and the botnet consisted of hundreds of thousands of compromised devices.
“The defendants used the botnet to conduct a number of powerful distributed denial-of-service, or ‘DDoS’ attacks, which occur when multiple computers, acting in unison, flood the Internet connection of a targeted computer or computers,” reads a statement.
On Dec. 8, Paras Jha and Dalton Norman also pleaded guilty to criminal informations in the District of Alaska charging each with conspiracy to violate the Computer Fraud and Abuse Act.
From December 2016 to February 2017, the defendants successfully infected more than 100,000 primarily U.S.-based computing devices, such as home Internet routers, with malicious software.
According to KrebsOnSecurity, that malware caused the hijacked home Internet routers and other devices to form a powerful botnet. On Dec. 13, Paras Jha pleaded guilty in the District of New Jersey to violating the Computer Fraud and Abuse Act.
Between November 2014 and September 2016, Jha executed a series of attacks on the networks of Rutgers University. Jha’s attacks effectively shut down Rutgers University’s central authentication server, which maintained, among other things, the gateway through which staff, faculty, and students delivered assignments and assessments.
“Our world has become increasingly digital, and increasingly complex,” said U.S. Attorney Schroder.
“These cases illustrate how the FBI works tirelessly against the actions of criminals who use malicious code to cause widespread damage and disruptions to the general population,” said FBI Assistant Director Smith.
“Paras Jha has conceded his obligation regarding different hacks of the Rutgers University PC framework,” said Acting U.S. Attorney Fitzpatrick.
“These PC assaults close down the server utilized for all correspondences among faculty, staff and students, including assignment of course work to students, and students’ accommodation of their work to professors to be reviewed.
The respondent’s activities viably incapacitated the framework for quite a long time at any given moment and noxiously upset the instructive procedure for a huge number of Rutgers’ students.
Today, the respondent has conceded his part in this criminal offense and will confront the legitimate results for it.”
For the click fraud conspiracy charges, Jha, White and Norman each face up to five years in prison and a $250,000 fine. For the conspiracy charges related to their creation and use of Mirai, Jha and White also face up to five years in prison, a $250,000 fine, and three years of supervised release.
Popular Attacks Conducted with Mirai
Mirai botnet attacks in South American and North African countries were detected by a huge increase in traffic on ports 2323 and 23. A Mirai variant launched a 54-hour DDoS attack against a US college, generating 2.8 billion requests.
Related: One Million Organisations hit in under a Month with a Massive IoT botnet
Related: Millions of IoT Devices Infected with “Devil’s Ivy” Remote Code Execution Vulnerability Including Internet-Connected Cameras
Related: IoT Botnet is Spreading over HTTP Port 81 and Exploit the Vulnerability in Security Cameras
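The “increase in traffic on ports 2323 and 23” that revealed Mirai is detectable in ordinary flow or firewall logs: an infected device sweeps many distinct hosts on the telnet ports within minutes, while a legitimate administrator talks to one or two. The detector below is an added example (not from the article or KrebsOnSecurity) that runs over constructed flow records in a simple `key=value` format; the log format, the five-minute window and the five-target threshold are assumptions to adjust to the real log source.

```python
"""Flag telnet-sweep sources (Mirai-style) in flow logs.

Added example. Input line format is a constructed assumption:
    <ISO-8601 UTC timestamp> src=<ip> dst=<ip> dport=<port> proto=tcp
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

TELNET_PORTS = {23, 2323}
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=tcp$"
)


def parse_flow(line):
    """Return (timestamp, src, dst, dport) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["src"], m["dst"], int(m["dport"])


def port_volume(lines):
    """Connection attempts per destination port: the coarse signal the article mentions."""
    counts = Counter()
    for line in lines:
        rec = parse_flow(line)
        if rec:
            counts[rec[3]] += 1
    return counts


def find_telnet_scanners(lines, window=timedelta(minutes=5), min_targets=5):
    """Sources that contacted >= min_targets distinct hosts on 23/2323 inside any
    span of length `window`. Returns {src: max distinct targets in a window}."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_flow(line)
        if rec and rec[3] in TELNET_PORTS:
            ts, src, dst, _ = rec
            events[src].append((ts, dst))
    scanners = {}
    for src, evs in events.items():
        evs.sort()
        best, lo = 0, 0
        for hi in range(len(evs)):
            while evs[hi][0] - evs[lo][0] > window:  # slide the window start forward
                lo += 1
            best = max(best, len({d for _, d in evs[lo:hi + 1]}))
        if best >= min_targets:
            scanners[src] = best
    return scanners


# Constructed sample: 203.0.113.5 sweeps six hosts on 23/2323 in nine seconds,
# 192.0.2.10 is an admin repeatedly reaching one device plus some web traffic.
SAMPLE_FLOWS = """\
2017-12-01T10:00:01Z src=203.0.113.5 dst=198.51.100.1 dport=23 proto=tcp
2017-12-01T10:00:02Z src=203.0.113.5 dst=198.51.100.2 dport=2323 proto=tcp
2017-12-01T10:00:02Z src=192.0.2.10 dst=198.51.100.7 dport=23 proto=tcp
2017-12-01T10:00:03Z src=203.0.113.5 dst=198.51.100.3 dport=23 proto=tcp
2017-12-01T10:00:04Z src=203.0.113.5 dst=198.51.100.4 dport=23 proto=tcp
2017-12-01T10:00:05Z src=192.0.2.10 dst=198.51.100.7 dport=23 proto=tcp
2017-12-01T10:00:06Z src=203.0.113.5 dst=198.51.100.5 dport=2323 proto=tcp
2017-12-01T10:00:07Z src=203.0.113.5 dst=198.51.100.6 dport=23 proto=tcp
2017-12-01T10:00:08Z src=192.0.2.10 dst=198.51.100.9 dport=80 proto=tcp
2017-12-01T10:00:09Z src=203.0.113.5 dst=198.51.100.6 dport=23 proto=tcp
""".splitlines()

if __name__ == "__main__":
    print("per-port volume:", dict(port_volume(SAMPLE_FLOWS)))
    print("telnet scanners:", find_telnet_scanners(SAMPLE_FLOWS))
```

An internal source showing up in `find_telnet_scanners` is a strong sign that device is already infected and recruiting; the same logic applied to inbound flows shows the external sweep volume the article describes.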
A newly discovered Spider ransomware is spreading widely around the world, delivered through decoy Office documents distributed via malspam campaigns.
Spider ransomware uses email as its medium to reach victims’ machines; the email attachment is a bogus Office document that actually carries a VB Script agent.
This year, some very large ransomware attacks such as WannaCry, Petya and Locky infected systems around the world and had a very bad impact on many organizations and individuals.
In this case, Spider ransomware is spreading in the Bosnian language, which indicates that the threat actor’s initial infections started in the Bosnia and Herzegovina region.
It was detected as “VB:Trojan.VBA.Agent.QP”, and it later downloads payloads detected as “Trojan.GenericKD.12668779” and “Trojan.GenericKD.6290916”.
Initially, victims receive an email containing an attached document carrying the malicious VB Script agent, presented as a legitimate bill or invoice.
The malicious decoy Office document contains obfuscated macro code that uses PowerShell to download the actual Spider ransomware payload.
These payloads are Base64 encoded and hosted on the yourjavascript.com website, which is used to establish the communication.
To decode them, it applies an XOR operation with the key ‘AlberTI’ to the final-stage payload.
Once decoded, the payload is saved as .exe files copied into the ‘%APPDATA%/Spider’ directory under the names ‘dec.exe’ and ‘enc.exe’.
These two files perform different operations: enc.exe acts as the Spider ransomware encrypter, and dec.exe displays the user interface with the warning message and decrypts the files using a decryption key.
“Spider ransomware also copies two text files, ‘files.txt’ and ‘id.txt’, inside the ‘%APPDATA%/Spider’ directory.”
According to Netskope, PowerShell launches the ransomware decryptor dec.exe with the ‘spider’ argument and enc.exe with the ‘spider ktn 100’ arguments. The Spider ransomware decryptor monitors system processes and prevents the opening of Windows utility tools such as taskmgr, procexp, msconfig, regedit, cmd, outlook, winword, excel, and msaccess.
The enc.exe payload then encrypts the user’s files, appends the ‘.spider’ extension and keeps a list of the encrypted files in files.txt.
Once it has completed its operation, a warning message is displayed giving the victim complete information, including the decryption procedure.
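For an analyst, the useful detail above is the unpacking chain: the downloaded stage is Base64, and the result is XORed with ‘AlberTI’ before being written to disk. The script below is an added example (not Netskope’s or the article’s code) that reverses that chain on a captured blob, checks that the output is a Windows executable, and pulls printable strings for triage. It assumes the XOR key repeats across the whole buffer, which the article does not state; the sample blob is constructed from a fake PE stub, not a real payload.

```python
"""Unpack a Base64 + repeating-key XOR stage and sanity-check the result.

Added example for incident responders. Assumptions: the key 'AlberTI' is
applied as a repeating-key XOR over the Base64-decoded bytes, and the
output should be a PE file ('MZ' stub, 'PE\\0\\0' at e_lfanew).
"""
import base64

KEY = b"AlberTI"  # key named in the article


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so the same call packs and unpacks."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_stage(blob: str, key: bytes = KEY) -> bytes:
    """Base64-decode the downloaded text, then strip the XOR layer."""
    return xor_with_key(base64.b64decode(blob), key)


def looks_like_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' stub and a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Printable-ASCII runs, the quickest triage after unpacking (file names,
    command-line arguments such as 'spider ktn 100', process names)."""
    out, cur = [], bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                out.append(cur.decode("ascii"))
            cur = bytearray()
    if len(cur) >= min_len:
        out.append(cur.decode("ascii"))
    return out


def build_fake_pe() -> bytes:
    """Constructed stand-in for enc.exe: a DOS header whose e_lfanew points at a
    'PE\\0\\0' signature at offset 0x80, followed by a marker string. No code."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)           # 0x40-byte DOS header
    hdr[0x3C:0x40] = (0x80).to_bytes(4, "little")    # e_lfanew = 0x80
    padding = b"\0" * (0x80 - len(hdr))
    return bytes(hdr) + padding + b"PE\0\0" + b"constructed payload body"


# Constructed sample of what the hosted, Base64-encoded stage would look like.
SAMPLE_BLOB = base64.b64encode(xor_with_key(build_fake_pe(), KEY)).decode("ascii")

if __name__ == "__main__":
    unpacked = decode_stage(SAMPLE_BLOB)
    print("PE after unpack:", looks_like_pe(unpacked))
    print("PE before XOR  :", looks_like_pe(base64.b64decode(SAMPLE_BLOB)))
    print("strings        :", extract_strings(unpacked))
```

With a real capture, feed the text of the hosted blob to `decode_stage`; if `looks_like_pe` is false, the key layout assumption (or the key itself) is wrong for that sample and the XOR should be revisited before the strings are trusted.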
Fileless malware is a type of malicious code used in cyber attacks that does not rely on files on disk to launch the attack and carry on the infection on the affected device or network.
The infection runs in the device’s RAM, so traditional antivirus and anti-malware solutions cannot detect it at all.
Attackers use fileless malware to achieve stealth, escalate privileges, gather sensitive information and establish persistence in the system, so the infection can continue its effect for a longer period of time.
Creating Obstacles To Forensics
Malware researchers published a proof-of-concept (PoC) research paper in eForensics Magazine. The infection attack is very simple: the requests made by the victim’s machine go through a channel containing an attacker’s proxy, which captures the requests made by the target machine. For example, assume the victim visits a website that contains n1n3 (here disguised as an image for the WhatsApp application).
The attack scenario
How does it work?
Once downloaded, n1n3 runs on the target machine, opening the machine’s doors for data capture. Once its role on the victim machine is completed, n1n3 self-destructs. The attack is of the drive-by-download type and the lure is the availability of images for the messaging application.
Attacks of this nature are common and are carried out daily in search of an unsuspecting user. The victim views a website with an image and downloads it (the image is the n1n3 container). n1n3 runs and connects to the proxy, and the attacker exploits the victim machine.
In our scenario, the proxy server was set up as the intermediary between the victim and the attacker.
The proxy scenario simulates an attacker’s server already configured on the victim machine; from that moment all traffic from the victim passes through the attacker’s server, which makes it easy to collect the most relevant information (bank passwords, email and social network credentials) and also to make connections and hijack the victim machine for more complex attacks.
The attacker’s proxy is configured with packet capture tools (sniffers), so all the diverted traffic can be captured.
Proxy simulation
n1n3.exe is a small malicious binary of 182 KB. Once running on the victim machine, its size grows to a little more than 184 KB.
We can clearly see in the figure below that n1n3 is presented with a WhatsApp icon, making for attractive social engineering against the careless user.
1. Structure of n1n3.exe
The image below shows that the script has instructions for variants that directly affect the Windows 10 registry, disabling vital system functions such as the firewall, changing the connection port and Windows Defender’s protection properties, and changing important key features of the system.
2. The structure of n1n3.exe
The features of the n1n3 script are shown below: access to important libraries like USER32.dll and to LoadLibraryA/GetProcAddress is evidence that the malware needs these libraries to work.
“Another important function of n1n3 is to operate at the level of Kernel32, calling procedures for freeing memory (VirtualFree) and allocation (VirtualAlloc), respectively at the addresses 0x00410F50 and 0x00410F4C, both at the operating level of the kernel.”
3. The library’s requisition of n1n3.exe
Up to this point in the research, we can identify the address where n1n3.exe begins execution on the victim machine: 0x0040F390.
4. Start pointer address of n1n3.exe
Sysinternals can detect the process n1n3.exe; in this case, the PID is 3320. But then the process disappears as if it had finished. Initially, PID 3320 appears in green, then it is marked in red.
The researchers said: “This is the forensic challenge of our research. The processes marked in a green color are processes that start on the machine. When it is marked in a red color this means that the process (jobs and handles) has finished, but n1n3 is still in an operating state.”
5. The “Narnia realm” of n1n3 malware
Evidence of malicious artifacts
Like archaeologists looking for evidence of malicious artifacts on the victim machine, using Sysinternals as an ally in this quest, we chose dynamic analysis and ran n1n3 a second time, now with PID 2688.
What did we find?
First of all, the distribution of n1n3’s memory requests shows that the area reserved for its own heap is 1488K, with a stack of 3072K, against a page table of only 336K. This shows us that n1n3 has interesting fragmentation.
6. In the depths of HD
Despite the process being identified as finished, the file’s timeline shows that it is possible to identify the mapped n1n3.exe files, highly fragmented and distributed in various ways across the Windows 10 system.
7. Mapped file of n1n3.exe
The offsets of the ntdll.dll libraries point to the addresses 0x5008d and 0x72e50 (Figure 13). All other offsets point to the location of the file on the C drive in the “Users” folder where the careless user installed n1n3.
This Sysinternals feature, called Call Tree, is extremely important when we are looking for evidence that the malicious artifact is still running in the background and was not finished. An inattentive user could interpret this signal as if the file were inactive in the system.
8. Offsets and ntdll.dll libraries
Other evidence that n1n3 is still in the system and making requests, even with low use of the machine’s memory, can be observed in the figures below.
The malicious file is still requesting rpcrt4.dll services at address 0x4036a1, with the clear intention of causing a collateral system fault (a known vulnerability, disclosed for part of the Windows systems [6]).
n1n3’s implementation listed in the heap area is addressed at 0x405ef7, but its location is 0x5ef7 and 0x4036a1.
9. Heap Allocations for ntdll.dll
The researchers said: “Finally, considering that we still have ongoing research, our next goal will be to explore n1n3 by adding more code elements to the script, making it more evasive to the point of fragmentation, so that the name ‘fileless malware’ can apply.”
Disclaimer
The malicious code was created in the laboratory solely for research purposes. The last stage of the research will be the proposal of defenses, based on the Windows platform.
Original Author & Credits:
PEREIRA, Paulo Henrique – Researcher at the University Nove de Julho
Microsoft released security updates for December patching 34 security issues across different software categories, some of which are rated critical.
The fixes cover different Microsoft products; most of the fixed bugs belong to server products and Windows 8 and 10 systems.
Many of the Office fixes are categorized as defense-in-depth measures, and the update disables the Dynamic Data Exchange (DDE) protocol in all supported editions of Microsoft Word.
Microsoft Edge and Internet Explorer 11 receive many bug fixes along with these security updates.
The Windows 10 bugs are fixed by this security release, and in addition to the security changes for the vulnerabilities, the updates include defense-in-depth updates to help improve security-related features.
Microsoft released security updates for the following categories:
– Internet Explorer
– Microsoft Edge
– Microsoft Windows
– Microsoft Office and Microsoft Office Services and Web Apps
– Microsoft Exchange Server
– ChakraCore
– Microsoft Malware Protection Engine
A highly critical information disclosure vulnerability exists when the Windows its:// protocol handler unnecessarily sends traffic to a remote site in order to determine the zone of a provided URL.
According to Microsoft, this could potentially result in the disclosure of sensitive information to a malicious site.
To exploit the vulnerability, an attacker would have to trick a user into browsing to a malicious website or to an SMB or UNC path destination. An attacker who successfully tricked a user into disclosing the user’s NTLM hash could attempt a brute-force attack to recover the corresponding password.
The controversy has gone on for months, and on Tuesday President Trump finally signed the law that bans Kaspersky products from federal use.
Last September, the Department of Homeland Security (DHS) issued an immediate order for federal executive branch departments and agencies to take action on the use or presence of information security products, solutions, and services supplied directly or indirectly by AO Kaspersky Lab or related entities.
The ban was imposed because of the extensive controversy over spying activity involving Kaspersky products, which were in use by US government agencies including the NSA.
The incident reported by The Wall Street Journal says Russian government hackers used Kaspersky software to steal advanced NSA cyber weapons, such as secret spying tools, from the personal home computer of an NSA contractor who was running the Russian-based Kaspersky security products.
Kaspersky continues to deny that it has ties to any government and says it would not help a government with cyber espionage. The company also said it could open its source code for review.
On Tuesday, Christopher Krebs, a senior cybersecurity official at the Department of Homeland Security, said that nearly all government agencies had fully removed Kaspersky products from their networks in compliance with the September order, Reuters reported.
The ban is imposed under SEC. 1634. According to the ban, no department, agency, organization, or other element of the Federal Government may use, whether directly or through work with or on behalf of another department, agency, organization, or element of the Federal Government, any hardware, software, or services developed or provided, in whole or in part, by:
(1) Kaspersky Lab (or any successor entity);
(2) any entity that controls, is controlled by, or is under common control with Kaspersky Lab; or
(3) any entity of which Kaspersky Lab has majority ownership.
“The case against Kaspersky is well-documented and deeply concerning. This law is long overdue, and I appreciate the urgency of my bipartisan colleagues on the Senate Armed Services Committee to remove this threat from government systems,” Shaheen wrote in a press release.
Burp Suite is a graphical tool for testing web application security. The tool is written in Java and developed by PortSwigger Security.
Burp Scanner is developed by industry-leading penetration testers. Burp Scanner incorporates a full static code analysis engine for the discovery of security vulnerabilities.
Burp’s scanning logic is continuously updated with improvements to ensure it can find the latest vulnerabilities.
With Burp Suite version 1.7.30, they added granular configuration that allows selecting scan types or individual issues, and for individual issues you can even select the detection methods, which makes the job easier and saves time.
Burp Suite 1.7.30 released, with new granular control of scan issues. https://t.co/bWZIYL0YZr
For example, for scan type there was previously only the option “server-side code injection”, and now we can select individually (“PHP code injection”, “Perl code injection”, etc.).
Also with the new update, issues are subdivided into light, medium, and intrusive based on the nature of the vulnerability.
If you select individual issues, you have options to choose the detection methods, which gives complete control and customization.
Minor Enhancements
1. Cancel button for long-running scans.
2. New option for SSL/TLS negotiation to disable SSL session resume.
3. “Copy as curl command” function no longer ignores any request headers.
4. A bug that caused automatically added SSL pass-through entries not to appear in the UI config has been fixed.