A newly discovered an unprotected MongoDB database contains a large volume of data which belongs to California state voters information that Contains Every Registered Voter Data same as many of voter database leaked incidentshave been reported in last year.
Leaked Database publicly available in online that can be accessed by anyone without any password or log in and this incident received by a Shodan-based breach report.Also, it was open to view, edit and modifying the entire database by anyone.
Data volume contains 95.1GB that was leaked in public on Jan 19th. Later Database has gone offline but we can access the related documents through offline.
The Sacramento Bee digital media department are holding these sample in the database and other attributes that pointed to their own internal system.
A leaked Database contains an information about, Legislation data (bills, committees, voting results etc.), Letters to editor, readers’ opinions, restaurant reviews and info, the SacBee internal systems info (URLs, internal keys, user agents info, admin credentials etc), Data visualization info ,the SacBee API info (incl. subscribers and clients info), State pay info.
In this database contains all the registered votor’s data for the entire state of California 19,501,258 records.
Same attack has been discovered in 2017 with same set of confidentials data but past attack was targetted for ransomware attack and this attack aslo for the same motivation by hackers.
According to Kromtech Security ,The database has been labeled as ‘compromised’ shortly after it become publicly available and now not accessible but according to Shodan report it contained a “Warning” and ‘Readme’ note- which is usually a ransomware note.
Russian Scientists arrested for using All-Russian Research Institute of Experimental Physics supercomputers to mine bitcoins secretly. The institute was located in the city of Sarov, Nizhny Novgorod region.
Now the crypto miners are detained by authorities and a criminal charge was filed against the researchers involved in mining. They were handed over to the authorities and their names are not disclosed in public.
“Indeed, there was an attempt to unauthorized use of office computing capacities for personal purposes, including for so-called mining,” Tatyana Zalesskaya, head of the research institute press service, told to Russian Media Interfax on Friday.
It is one of the oldest facility in Russia and nuclear researchers are carried out here starting from 1946.The facility has more than 20,000 employees and the supercomputer that is capable of performing 1,000 trillion calculations per second.
Similar attempts have recently been registered in a number of large companies with large computing capacities, which will be severely suppressed at our enterprises, this is technically a hopeless and criminal offense,” Zalesskaya noted.
Russia is one of the largest resources of electric power producer and exporters in the world, low-cost energy may make the mining more attractive in Russia.Couple of Aleksey Kolesnik a Russian Bussiness man bought two power plants for mining cryptocurrency.
Bloomberg reported that Young Russians now prefer to give as gifts server farms rather than diamonds, Deputy Finance Minister Alexey Moiseev said earlier this year.
Last week a 17-year-old schoolboy was arrested by Japanese police expecting to be the author of a Malware that steals Cryptocurrency Monacoin wallet Private key passwords.
Burp is one of the most famous tool used by pentesters, which incorporates a full static code investigation engine to discover vulnerabilities. PortSwigger Security released a new Burp Extension Replicator.
The graphical tool is composed in Java and it was Created PortSwigger Security. Burp use to receive frequent updates and it scanning logic is persistently refreshed time to time to ensure it can detect new vulnerabilities.
The BApp Store holds the Burp Suite extensions that developed by the users of Burp suite to extend its capabilities. By having Burp suite you can install the tool directly via the BApp Store feature in the Burp Extender tool.
Also, it is available for offline download from here.
Burp suite extension replicator helps developers to reproduce the issue that detected by the pentesters. The replicator file holds the findings in the report.
It includes the logic or macros or the session rules that associated in finding the vulnerability, the Pentester can send the replicator file along with the report and the developer can load the file in Burp and replicate the issues.
Once the issue fixed the replicator reports the vulnerability is now fixed and also it recommends retest if the vulnerability exists.
Issues can have the following status
Vulnerable – The application is still vulnerable.
Resolved (tentative) – The vulnerability appears to be resolved. The replicator cannot confirm this with certainty; a retest is required for that.
Unable to replicate – It wasn’t possible to determine if the application is vulnerable. This may be because credentials are invalid. Some fixes (e.g. removing the whole page) can cause this.
Developer workflow – Burp Extension Replicator
Load the Replicator file.
If you want to test a different application instance (perhaps a development instance) edit the Hosts section to point to the instance.
Click Test all. All the vulnerabilities should get status Vulnerable. If any do not, you need to investigate why. You can use the Start Trace button to generate a trace file that may help the pen tester diagnose the issue.
Save the file. This is important for confirming fixes later.
Identify an issue to work on. Consult the pen test report for a full description.
When the application has been updated, click Test to see if it’s still vulnerable.
You can find the Tested Workflow and download the extension from bappstore.The extension was developed by Paul Johnston and PortSwigger.
Lenovo published a security advisory for Critical Arbitrary code execution vulnerability that affects Lenovo Thinkpad Series Laptop.
The two code execution vulnerabilities (CVE-2017-11120, CVE-2017-11121) resides with Broadcom WiFi controllers that used in ThinkPad products.
The critical buffer overflow flaws resides with the adapter used by Broadcom’s wireless LAN driver and it can be remotely exploited by an attacker. Both the vulnerabilities have Exploitability Subscore of 10.
By installing the backdoor attacker can gain R/W access to the firmware and no user interaction is needed.
CVE-2017-11120 – On Broadcom BCM4355C0 Wi-Fi chips 9.44.78.27.0.1.56 and other chips, an attacker can craft a malformed RRM neighbor report frame to trigger an internal buffer overflow in the Wi-Fi firmware, aka B-V2017061204.
Upon successful execution of the exploit, a backdoor is inserted into the firmware, allowing remote read/write commands to be issued to the firmware via crafted action frames (thus allowing easy remote control over the Wi-Fi chip).Beniamini added.
CVE-2017-11121 also discovered by Beniamini – On Broadcom BCM4355C0 Wi-Fi chips 9.44.78.27.0.1.56 and other chips, properly crafted malicious over-the-air Fast Transition frames can potentially trigger internal Wi-Fi firmware heap and/or stack overflows, leading to a denial of service or other effects, aka B-V2017061205.
A new unique PoS malware disguised as a LogMeIn service pack steals magnetic tape payment card data from a wide variety of companies starting from retailers to hotel groups.
Security researchers from Forcepoint spotted an unusual heavy use of UDP-based DNS traffic requests generated by LogMeIn service pack leads to the discovery of UDPoS malware that designed to steal magnetic stripe payment card data. Forcepoint researchers reached out to LogMeIn.
LogMeIn published an advisory states that file or executable is not provided by LogMeIn and updates for LogMeIn products, including patches, updates, etc., will always be delivered securely in-product. You will never be contacted by us with a request to update your software that also includes either an attachment or a link to a new version or update.
Researchers said, “it’s unclear whether the malware is currently being used in campaigns in the wild, although the coordinated use of LogMeIn-themed filenames and C2 URLs, coupled with evidence of an earlier Intel-themed variant, suggest that it may well be”.
Inflection Flow – PoS malware
The malware named as logmeinumon.exe and once it installed it communicates with C&C server and downloads the dropper archive which contains the dropper file update.exe, LogmeinServicePack_5.115.22.001.exe and logmeinumon.exe.
Upon executing update.exe it extracts and sits in temp folder LogmeinServicePack_5.115.22.001.exe which is responsible for placing malware files is automatically triggered.
Once the malware set up is completed it passes over the execution to the monitoring component by launching logmeinumon.exe which is compiled in Visual Studio build and uses string encoding technique.
The monitoring component is a multi-threaded application and the code is mainly code is mainly responsible for decrypting and decoding the malware’s internal strings.
Once installation completed it obtains the external IP of the infected machine by using an HTTP request. Once malware executed it generates a batch file called infobat.bat, uses a number of standard Windows commands to create a comprehensive fingerprint of the infected machine Forcepoint published a complete analysis report.
Researchers said “The coding style and techniques seen within the malware can hardly be described as outstanding. Beyond the faulty evasion code noted above, using data files written to disk instead of working predominantly in memory – besides leaving unnecessary trails – is rarely the trademark of bleeding edge malware and, equally, there are more advanced ways of fingerprinting a PC and generating a report.”
A Patched remote code execution Microsoft Office Vulnerability ( CVE-2017-11882) abusing again and using it for spreading a variety of Malware such as FAREIT, Ursnif and a Keylogger Loki info stealer that is used for stealing Crypto wallet password.
In this case, some of the uncommon methods has been reused by helping of Windows Installer service Windows.
Previous Exploitation did using the Windows executable mshta.exe to run a Powershell script. but this attack using uses msiexec.exe Exploit this Vulnerability.
Various other methods such as Wscript, Powershell, Mshta.exe, Winword.exe is very common methods and security software are easily monitoring these methods if other malware is abusing these function.
But use of msiexec.exe to download malware is not something regular way to abuse the victims.
The initial level of infection spreading via spam email Campaign that contains a malicious attachment file that claimed as a payment copy with order confirmation body content.
Body content is Written in Korean language and given fake warning as,” please check if your PC may be infected by a virus or malicious codes”.
An attacked Document file which claimed as payment copy is an actual exploit of CVE-2017-11882.
Later it uses the command that will instruct to Exploit this vulnerability and it leads to download and install the malicious MSI package labeled zus.msi through Windows Installer.
According to Trend Micro, Later MSIL or Delphi binary will be installed by Windows Installer (msiexec.exe) and some time based on the MSI package it may contain either a heavily obfuscated Microsoft Intermediate Language (MSIL) or Delphi binary file, which then acts as a loader for the actual payload.
Moreover, it using obfuscation to evade the antivirus scanners and being detected by an anti-malware scanner is more difficult since its using heavily obfuscated MSIL or Delphi binary.
In this analyse it usually download and install the LokiBot Keylogger variant but it capable to download and execute other malware as well.
Mitigation
— Always keep your OS and software updated — Train staff never open attachments or click on a URL in unsolicited e-mails — Use Anti Spam Gateway such as Comodo Anti spam Gateway for defense against spam, phishing emails, and virus-infected attachments — Turn on Your Firewall — Limit the user Privilege — Use caution when clicking on links to web pages
Security Firm FireEye Released a new Phishing tool called ReelPhish to simplifies the real-time Phishing attack that is designed to be run on the attacker’s system and control it by navigating the Attacker web browser.
A phishing attack is one of the dangerous social engineering attacks that leads to capture a victim’s username and password that will be store it to an attacker machine and reuse it later.
So We can Minimize the attack possibility by using Two-Factor Authentication and multi-factor authentication.
In terms of Two Factor authentication, users can get the one time password that has been generated by a secondary device, such as a hard token that can be used for 30 to 60 seconds which can’t be reused again.
This can eliminate the risk from traditional Phishing Attack and this scenario will Protect only when attacker trying to capture the username and password combinations.
In this case, Two Factor Authentication can be compromised by Real-time Phishing Attacks by an interaction between the attacker and victims in real time.
According to FireEye, a phishing website that prompts a user for their one-time password in addition to their username and password. Once a user completes authentication on the phishing website, they are presented with a generic “Login Successful” page and the one-time password remains unused but captured.
Later Attacker will reuse the victim’s credentials before expiration that leads to compromise the Victim.
ReelPhish Phishing Phishing Tool Tool
To perform the social engineering Mitigation, FireEye developed a new tool called ReelPhish – that clarifying the real-time phishing technique. The primary component of the phishing tool is designed to be run on the attacker’s system.
The secondary component is the code embedded on the Phishing site will send the victims credentials to the phishing tool running on the attacker’s machine.
once it received an information then it launches an original website (Legitimate site of a phishing site that developed by attacker) and authenticates with the credentials and all the communication over an encrypted SSH tunnel.
Also Performing Social Engineering Attack, FireEye makes a copy of the real VPN portal’s HTML, JavaScript, and CSS and they use this code to create a phishing site that appears to function like the original.
Later Phishing site will be communicating with the tool that is running on the attacker machine and researchers embedded a server-side code into the phishing site for testing purpose along with SSL Tunnel.
According to FireEye, We have seen numerous variations of two-factor authentication on VPN portals. In some instances, a token is passed in a “secondary password” field of the authentication form itself. In other cases, the user must respond to a push request on a mobile phone. A user is likely to accept an incoming push request after submitting credentials if the phishing site behaved identically to the real site.
Also FireEye Testing this scenario with more advanced phishing sites that can handle multiple authentication pages and also pass information back and forth between the phishing web server and the tool running on the attacking machine.
“Configure all services protected by 2FA to minimize attacker impact if the attacker successfully bypasses the 2FA protections. it is not a perfect solution, but it does add a layer of security. 2FA is a security mechanism that may fail like any other, and organizations must be prepared to mitigate the impact of such a failure. FireEye Said.”
You can Download this Tool from FireEye GitHub Repository Here.
Intel issued security patches for infamous security bugs that issued by Google Project Zero and the update is only for Skylake processors to address Spectre vulnerability.
Intel initially released patches for Spectre and Meltdown on Jan 15 which covers 90% of the modern CPUs, but it results in higher system reboots after applying firmware updates.
Most affected ones are the systems running Intel Broadwell and Haswell CPUs for both client and data center. Later Intel said now they have identified the root cause of the reboot issue that affected Broadwell and Haswell CPUs and they are preparing a solution to address the issue and asks to hold off applying patches for Spectre and Meltdown.
Spectre Patches
Now after a week, Intel released microcode updates to Skylake chips, and these updates are made available via OEM firmware updates.Intel said we expect to do the same for more platforms in the coming days.
Intel fixed the vulnerability only with Skylake, leaving Kaby Lake, Sandy Bridge, Ivy Bridge, Broadwell H, Haswell, Haswell Perf, Coffee Lake.
Crooks started trying to take advantage of the infamous bug Meltdown and Spectre which affects almost all the modern processors and pushes Smoke Loader malware as a patch.
On Wednesday US Department of Justice announced charges on 36 suspects who associated with the cybercriminal organization engaged in Identity theft, Financial frauds, carding and in other cybercrime activities.
The Infraud organization was set up in October 2010 and their primary focus of the Infraud organization is carding and they have built a dashboard for carding for stealing the stolen identity information, banking details, for selling debit and credit cards. By March 2017 the dashboard had 10,901 accounts. Reads Criminal incident.
Carding refers to the activity of purchasing retail products by using counterfeit or stolen credit cards, there are some well-known carding methods have also included ‘trashing’ for financial data, raiding mailboxes and working with insiders.
Infraud organization Hierarchy
The Infraud organization maintains a hierarchy of its operations as like the deep web market placed such as Hansa or Alpha. Administrators “4DMini57r470rz” are governing council of the Infraud Organization, Super Moderators “Super MODER470R5” subject-matter expert in specific areas.
Moderators “M0d3r470r2” have limited permissions, vendors sell the products of Infraud Organizations. Also, they have categorized their customers as premium and standard members.
Members of the enterprise utilize an online discussion forum called ”In-fraud,” with the slogan of “In Fraud We Trust,” controlled by Infraud Organization Administrators, to discuss, meet, and conduct criminal activities. Reads Criminal incident.
Such activities include the sale and purchase of stolen social security numbers, dates of birth, ad14 dresses, passwords, and· other personally identifying information and property, ad15 advertising services to facilitate such activity, and disseminating malware.
Members of the Infraud organization use reputed websites to advertise their websites and the transaction are handled through Bitcoin, Perfect Money, WebMoney, and other digital currencies.
The cybercrime investigation is a joint operation between Department of Homeland Security’s criminal investigations unit and the Justice Department’s criminal division with the help of officials in several other countries. The case is being prosecuted by U.S. attorneys in Nevada.
Prosecutors said the Infraud organization stole more than $530 million and could have taken as many as $2.2 billion if it had not been terminated.
CSS is a stylesheet language which provides a presentation for documents, all our modern websites heavily depend on the CSS. A new CSS vulnerability dubbed CSS Exfil can be used by attackers to steal data from the webpages using CSS.
With the vulnerability, attackers can steal sensitive data’s including usernames, passwords, and sensitive data such as date of birth, social security numbers, and credit card numbers. Also, this method can de-anonymize Tor users.
Gualtieri says “By crafting targeted CSS selectors and injecting them into a web page, an attacker can trick the page into sending pieces of data to a remote server (e.g. usernames, passwords, and sensitive data such as date of birth, social security numbers, and credit card numbers).”
Attackers can inject CSS, take full control over the look and feel of the website and even steal the data. Also, the exfiltration is easy as they use only CSS.
Attack Methods
Attackers can launch various attack scenarios to leverage the CSS Exfil vulnerability
Reflected or stored code injection flaws.
Malicious third-party components.
Hijacked browser extensions.
DOM elements that added accidentally.
Researchers published PoC explaining CSS Exfil attack to leak page data, stealing password stealing username and date of birth.
A test page was published by the researcher to check your browser against the vulnerability and the test page attempts to load four remote images using CSS selectors which parse a hidden text field. If it is able to load any of those four images your browser is vulnerable to the CSS Exfil attack.
Also, another researcher detailed stealing CSRF token in 10 seconds with CSS injection, once the attacker has stolen the victim CSRF token, he can complete CSRF attack against the user.
Defense Suggested – CSS Exfil
Researchers suggested website owners to use Content Security Policy to limit the ability of an attacker to use the remote URL’s. Fixing code injection flaws and using a Web Application Firewall would help.
The best defense for the users is to disable the execution of that CSS in the browser, researchers submitted plugins for Chrome and Firefox to defend against the CSS Exfil attacks.
