Wednesday, May 21, 2025
Home Blog Page 933

Telegram Zero day Flaw Abused by Attackers in Wild to Install Malware and Cryptominers

Telegram Zero day Flaw Abused by Attackers in Wild to Install Malware and Cryptominers

Security researchers from Kaspersky revealed a Zero-day vulnerability in Telegram Windows client that abused by attackers in wild for installing malware and cryptocurrency miners. This Telegram Zero day vulnerability was notified to telegram and the vulnerability no longer occurs in Telegram’s products.

What is the Vulnerability?

The vulnerability resides in with how the windows telegram client handles the RLO Unicode character that used to manage with the languages written from left to right “Right to left override”.

With this vulnerability, attackers can send as js file and make the recipient sees an incoming PNG image file instead of a JS file.

According to Alexey Firsh Attackers can sent malware in a message, the JS file renamed as evil.js -> photo_high_re*U+202E*gnp.js and the *U+202E* is the RLO character.

While the file rendered in the extension remains same as .js but rendered in a screen as photo_high_resj.png.

Telegram Zero day Vulnerability Exploitation to install Malware and Miners

Attackers use this vulnerability in wide to take control of the victim’s system, they push downloader and uses the Telegram API as command protocol to control systems.

Researchers said loader may be designed to download another piece of malware, possibly a logger that would spy on the victim user.

Now the cryptomining attacks are in the boom, attackers using it to make money from their victims and all they need to do is running a mining client on victim computer.

Cryptomining attacks and the Cryptocurrency exchange attacks are at it’s peak, in the recent massive attack, the hijacked 4275 websites to inject Coinhive Monero miner including the websites of government authorities(ico.org.uk), NHS Foundation (nhs.uk), and uscourts.gov.

Researchers concluded saying it appears that only Russian cybercriminals were aware of this vulnerability, with all the exploitation cases that we detected occurring in Russia.

We don’t have exact information about how long and which versions of the Telegram products were affected by the vulnerability. What we do know is that its exploitation in Windows clients began in March 2017

IoC

MD5

First stage
650DDDE919F9E5B854F8C375D3251C21
C384E62E483896799B38437E53CD9749
FA391BEAAF8B087A332833E618ABC358
52F7B21CCD7B1159908BCAA143E27945
B1760E8581F6745CBFCBE76FBD0ACBFA
A662D942F0E43474984766197288845B

Payloads

B9EEC74CA8B14F899837A6BEB7094F65
46B36F8FF2369E883300F472694BBD4D
10B1301EAB4B4A00E7654ECFA6454B20
CD5C5423EC3D19E864B2AE1C1A9DDBBC
7A3D9C0E2EA27F1B96AEFED2BF8971A4
E89FDDB32D7EC98B3B68AB7681FACCFC
27DDD96A87FBA2C15B5C971BA6EB80C6
844825B1336405DDE728B993C6B52A83
C6A795C27DEC3F5559FD65884457F6F3
89E42CB485D65F71F62BC1B64C6BEC95
0492C336E869A14071B1B0EF613D9899
2CC9ECD5566C921D3876330DFC66FC02
1CE28167436919BD0A8C1F47AB1182C4

BitGrail Cryptocurrency Exchange Hacked & Stolen $170 Million in Nano

BitGrail Cryptocurrency Exchange Hacked & Stolen 0 Million in Nano

BitGrail – A Popular cryptocurrency exchange Hacked and hackers stolen 17 million Nano which costs around $170 Million by unauthorized transactions.

Italian baed  BitGrail exchange was one of the largest trading hubs for the RaiBlocks cryptocurrency, which has since rebranded to “Nano.”.

According to Coinmarketcap, Nano currently boasts a market capitalization of $1,287,013,24, the 24th largest of any cryptocurrency.

A stolen amount is a part of the vault which is handled by the BitGrail and to proceed the further investigation, all activities will be temporarily suspended.

Also Read: California Voter Database Leaked – 19 Million Voters Records Under Risk

In this case, other currencies deposited have not been affected by this unauthorized withdrawals.

Later that statement was released, Nano price quickly dropped from the $18 dollar range to a low of $12.89 before a quick recovery.

As indicated by a Medium post from the Nano group, Firano offered a questionable answer for his $170 million issues. “An option suggested by Firano was to modify the ledger in order to cover his losses — which is not possible, nor is it a direction we would ever pursue,” the Nano dev team writes.

According to BitGrail, To carry out further checks on what happened, as a precautionary measure and to protect users, all the functionalities of the site, including withdrawals and deposits, will be temporarily suspended.

A statement from the Nano Core team reveals that the issue didn’t exist on the protocol layer, but rather was focused directly on the BitGrail exchange.

Nano prices dipped as BitGrail informed users of the hack, but the coin appears to have perked up over the weekend.

Before KuCoin and Binance added Nano to their stages, Bitgrail was by a wide margin the most well known trade for XRB exchanging. XRB was exchanging at well underneath $1 for the dominant part of 2017 preceding detonating to a $34.97 unequaled high in December.

Beware!! 230 Million Necurs Botnet Sending as Valentine’s Day Dating Spam Messages With Malware

Beware!! 230 Million Necurs Botnet Sending as Valentine’s Day Dating Spam Messages With Malware

Necurs bot which is one of the biggest bot and well know for distributing Ransomware, spam emails and bank bots. In the past, it is responsible for spreading various ransomware like JAFF Ransomware, banking trojan. In the current campaign, it sends Valentine’s Day Spam Messages.

With its current campaign Necurs sents more than 230 million dating spam messages and it started in the mid of January 2018 and ended on Feb. 3.

Security researchers from IBM X-Force tracked the spam campaign, it sents more than 30 million emails a day, the current campaign delivers short email blurbs from supposed Russian women living in the U.S. While typical spam email is notorious for bad spelling and grammar, these samples are rather well-worded.

The first campaign started on Jan. 16 and ran up to Jan. 18, next wave from Jan. 27 and died on Feb 3.

Also read Necurs Spam Botnet Back in Business Spreading Scarab Ransomware

Researchers said the campaign targetting the users of Facebook or Badoo, based on the messages indicated. The bot uses more than 950,000 IP’s to deliver Valentine’s Day Spam messages.

Valentine's Day Spam

Spam emails contain only the basic text, which may not convince many people. The top spam-sending IP is hosted via a Pakistani-based ISP and it sents more than 655 times.

Valentine's Day Spam

More than 55% of IPs that involved in sending spam messages hosted in India and Vietnam. Attackers continuously changing IP address to avoid blacklists and blocking.

Botnets always keep on changing the methods they spread and always keep finding new ways by varying file types and email policies.

How to stay safe – Valentine’s Day Spam

1. Have a unique Email address.
2. Do not open any attachments without proper validation.
3. Don’t open emails voluntary emails.
4. Use Spam filters & Antispam gateways.
5. Never respond to any spam emails.

How Much a Data Breach Could Cost for Enterprises and what are the Risks Involved

How Much a Data Breach Could Cost for Enterprises and what are the Risks Involved

In the modern digital world data is a crucial component of an organization, data leaks pose a serious threat to company reputation, loss of critical information and temporary loss of ability to trade.

There is a drastic increase in the number of attacks and 2017 is the year for some worst data breaches, many of the 2017 data breach due to security misconfiguration, insecure data storage and overall inadequate solutions to protect data.

According to Breach Level Index (BLI), the average total loss of data records through the year 2017 is 5,076,479 and the global data breach cost is $3.62 million according to ponemon case study.

The data leaks classified as intentional leaks and accidental leaks. Intentional data leaks caused by Hackers and malicious insiders, whereas accidental leaks happen due to misconfigurations, lack of encryption or sharing information accidentally.

In the past, leading enterprises like Target, Sony, and Yahoo became the victim of data breach. In the year 2013, Target admitted that 40 million cards were likely skimmed in security breaches. In the year 2014, half a billion accounts were compromised at Yahoo.

Also Read Advantages of Bug Bounty Program Over Traditional Penetration Testing

2017 is a year for the data breach, some top giants like Equifax, Deloitte, Uber, Forever 21 suffered from data breaches.

Identity Theft Resource Center (ITRC) has been identifying data breaches based on industry sectors, around 45.2 percent was the health sector according to 2016 report.

data leaks

Also, ITRC tracking categories of data breach incidents based on hacking, skimming, phishing, Employee error, Insider attack.

data leaks

Web Applications Security becomes essential as more and more data gets stored in web applications and web application penetration service provides only a limited talent pool which they are heavily dependent upon.

It is important to have a Bug Bounty program as it employs crowdsource security researchers will diverse skill set covering a wide of vulnerability scenarios and advanced threats.

Safehats a bug bounty platform that Connects security conscious Enterprises, Financial Institutions and Governments with the whitehat hacker to have their products check against serious of vulnerabilities.

To avoid data breaches security testing through multiple attack vectors, such email, web browsing, lateral movement, social engineering, data exfiltration, WAF and more.

It is a genuine fact that the marketers and salespeople of your company must be using email tracking solutions to improve sales and get better engagement. Right? But, cybercriminals target the date and time when emails are opened, when they are forwarded, and much more.

The Insiders attack can directly cause the public and customers to lose the interest in business, lose the confidence in technology.These kinds of threats can happen knowingly or unknowingly, intentionally or unintentionally, but the result of this attack is catastrophic.

Winter Olympics Website Hacked & Downed About 12 Hours by Cyber Attack

Winter Olympics Website Hacked & Downed About 12 Hours by Cyber Attack

Pyeongchang 2018 Winter Olympics Website Hacked and the site was downed about 12 hours during the opening ceremony.

Paralympic Games confirming that they experienced a cyber attack that caused a malfunction of the internet protocol televisions (IPTVs) at the Main Press Centre.

Due to attack, Website cause customers who bought tickets were unable to print their reservations.There were also problems with wi-fi and televisions in the media centre.

Paralympic Games officials confirm that its servers had been hit during the even and Russian hackers may have been striking as revenge for bans.

Also Read: California Voter Database Leaked – 19 Million Voters Records Under Risk

Paralympic Games forced to shut down the system around 7.15 pm to stop the further attack and it took more than 12 hours to revert the normal state.

An Olympics spokesman admitted: “There were some issues that impacted some of our non-critical systems last night for a few hours.“We apologise for the inconvenience caused to all those affected.”

Also, officials said “All competitions are running as planned and the systems are working at the expected level. Our technology partners and our experienced team of ICT experts are working to maintain the systems”

A spokesman for the Russian ministry denied the country had anything to do with any attacks.

Notice by Paralympic Games for system outage 

Since the Attack motivation and source is unknown, McAfee senior analyst Ryan Sherstobitoff said, his teams found a new variant of the malicious documents targeting the Winter Games a few days prior to the opening ceremony.

“It is clear attacks are ongoing and are likely to continue throughout the duration of the games. What is yet to be determined is if actors are working simply to gain disruption, or if their motives are greater.”

Also, Security experts have warned that major international events such as the Olympics are major targets for hackers.

Attackers Hijacked 4275 Websites Including U.S. & UK Govt Sites to Run Cryptocurrency Mining Script

Attackers Hijacked 4275 Websites Including U.S. & UK Govt Sites to Run Cryptocurrency Mining Script

Attackers hijacked 4275 websites to inject Coinhive Monero miner including the websites of government authorities(ico.org.uk), NHS Foundation (nhs.uk), and uscourts.gov. Crypto-Mining Attacks are one of the biggest emerging threats for enterprises. And the recent trend is more mainstream and is done directly via web pages.

One thing in common for all the infected websites is Browsealoud plugin provided by texthelp that adds speech, reading, and translation to the website has been compromised and it’s host scripts was modified.

The mining script was first noticed by Information Security Consultant Scott HelmeIf you want to load a crypto miner on 1,000+ websites you don’t attack 1,000+ websites, you attack the 1 website that they all load content from“Helme said.

Crypto-Mining Attacks

Attackers altered the ba.js file and include document.write call that adds Coinhive crypto miner to any number of the page that loaded in to.

What’s Coinhive?

Coinhive offers a JavaScript miner for the Monero Blockchain that can be embedded into other Web sites. The users run the miner directly in their Browser and mine XMR for the site owner in turn for an ad-free experience, in-game currency or whatever incentives they are availing to their users/visitors.

With further investigation, Helme identified a number of sites have been injected including the government websites of numerous countries.Here is the affected websites list.

Texthelp the plugin provider confirmed it was hacked on 11.14am on Sunday and the hack lasts for four hours. Now the plugin was temporarily taken down by Texthelp.

Texthelp data security officer Mr. McKay said: “Texthelp has in place continuously automated security tests for Browsealoud, and these detected the modified file and as a result, the product was taken offline”.

At GBHackers last November we identified a very popular torrent sharing fake site www.1337x.io added coinhive mining script.

Preventive Measures – Crypto-Mining Attacks

Helme suggested adding SRI Integrity attribute to the website which forces the browser to check the integrity, which allows it to reject the file. He has written an article explaining how to add SRI Integrity Attribute.

If you are a normal user, install AdGuard’s extension on your browser and you will be good to go.

If you are a geek, you would already probably know the trick. Hint: Use script blockers like uBlock Origin.

we suggest our users to be extra cautious while visiting sites on the internet from now on. And if you like some website or a blog and want to support them, you may allow them to mine crypto-currency using your computer’s energy.

California Voter Database Leaked – 19 Million Voters Records Under Risk

California Voter Database Leaked – 19 Million Voters  Records Under Risk

A newly discovered an unprotected MongoDB database contains a large volume of data which belongs to California state voters information that Contains Every Registered Voter Data same as many of voter database leaked incidents have been reported in last year.

Leaked Database publicly available in online that can be accessed by anyone without any password or log in and this incident received by a Shodan-based breach report.Also, it was open to view, edit and modifying the entire database by anyone.

Data volume contains 95.1GB that was leaked in public on Jan 19th. Later Database has gone offline but we can access the related documents through offline.

The Sacramento Bee digital media department are holding these sample in the database and other attributes that pointed to their own internal system.

A leaked Database contains an information about, Legislation data (bills, committees, voting results etc.), Letters to editor, readers’ opinions, restaurant reviews and info, the SacBee internal systems info (URLs, internal keys, user agents info, admin credentials etc), Data visualization info ,the SacBee API info (incl. subscribers and clients info), State pay info.

In this database contains all the registered votor’s data for the entire state of California  19,501,258 records.

Voter Database Leaked
Voter Database Leaked

Same attack has been discovered in 2017 with same set of confidentials data but past attack was targetted for ransomware attack and this attack aslo for the same motivation by hackers.

According to Kromtech Security ,The database has been labeled as ‘compromised’ shortly after it become publicly available and now not accessible but according to Shodan report it contained a “Warning” and ‘Readme’ note-  which is usually a ransomware note.

Russian Scientists arrested for using Secret Nuclear Weapons Lab Supercomputer to Mine Bitcoin

Russian Scientists arrested for using Secret Nuclear Weapons Lab Supercomputer to Mine Bitcoin

Russian Scientists arrested for using All-Russian Research Institute of Experimental Physics supercomputers to mine bitcoins secretly. The institute was located in the city of Sarov, Nizhny Novgorod region.

Now the crypto miners are detained by authorities and a criminal charge was filed against the researchers involved in mining. They were handed over to the authorities and their names are not disclosed in public.

“Indeed, there was an attempt to unauthorized use of office computing capacities for personal purposes, including for so-called mining,” Tatyana Zalesskaya, head of the research institute press service, told to Russian Media Interfax on Friday.

It is one of the oldest facility in Russia and nuclear researchers are carried out here starting from 1946.The facility has more than 20,000 employees and the supercomputer that is capable of performing 1,000 trillion calculations per second.

Similar attempts have recently been registered in a number of large companies with large computing capacities, which will be severely suppressed at our enterprises, this is technically a hopeless and criminal offense,” Zalesskaya noted.

Russia is one of the largest resources of electric power producer and exporters in the world, low-cost energy may make the mining more attractive in Russia.Couple of Aleksey Kolesnik a Russian Bussiness man bought two power plants for mining cryptocurrency.

Bloomberg reported that Young Russians now prefer to give as gifts server farms rather than diamonds, Deputy Finance Minister Alexey Moiseev said earlier this year.

Last week a 17-year-old schoolboy was arrested by Japanese police expecting to be the author of a Malware that steals Cryptocurrency Monacoin wallet Private key passwords.

New Valuable Burp Extension that helps Developers to Reproduce Issues Detected by Pentesters

New Valuable Burp Extension that helps Developers to Reproduce Issues Detected by Pentesters

Burp is one of the most famous tool used by pentesters, which incorporates a full static code investigation engine to discover vulnerabilities. PortSwigger Security released a new Burp Extension Replicator.

The graphical tool is composed in Java and it was Created PortSwigger Security. Burp use to receive frequent updates and it scanning logic is persistently refreshed time to time to ensure it can detect new vulnerabilities.

Also Read Web Application Penetration Testing Checklist – A Detailed Cheat Sheet

BApp Store

The BApp Store holds the Burp Suite extensions that developed by the users of Burp suite to extend its capabilities. By having Burp suite you can install the tool directly via the BApp Store feature in the Burp Extender tool.

Also, it is available for offline download from here.

New Burp Extension Replicator

Burp suite extension replicator helps developers to reproduce the issue that detected by the pentesters. The replicator file holds the findings in the report.

It includes the logic or macros or the session rules that associated in finding the vulnerability, the Pentester can send the replicator file along with the report and the developer can load the file in Burp and replicate the issues.

Once the issue fixed the replicator reports the vulnerability is now fixed and also it recommends retest if the vulnerability exists.

Issues can have the following status

  • Vulnerable – The application is still vulnerable.
  • Resolved (tentative) – The vulnerability appears to be resolved. The replicator cannot confirm this with certainty; a retest is required for that.
  • Unable to replicate – It wasn’t possible to determine if the application is vulnerable. This may be because credentials are invalid. Some fixes (e.g. removing the whole page) can cause this.

Developer workflow – Burp Extension Replicator

  1. Load the Replicator file.
  2. If you want to test a different application instance (perhaps a development instance) edit the Hosts section to point to the instance.
  3. Click Test all. All the vulnerabilities should get status Vulnerable. If any do not, you need to investigate why. You can use the Start Trace button to generate a trace file that may help the pen tester diagnose the issue.
  4. Save the file. This is important for confirming fixes later.
  5. Identify an issue to work on. Consult the pen test report for a full description.
  6. When the application has been updated, click Test to see if it’s still vulnerable.

You can find the Tested Workflow and download the extension from bappstore.The extension was developed by Paul Johnston and PortSwigger.

Critical WiFi Buffer Overflow Vulnerability Impacts Lenovo Thinkpad Series Laptops

Critical WiFi Buffer Overflow Vulnerability Impacts Lenovo Thinkpad Series Laptops

Lenovo published a security advisory for Critical Arbitrary code execution vulnerability that affects Lenovo Thinkpad Series Laptop.

The two code execution vulnerabilities (CVE-2017-11120, CVE-2017-11121) resides with Broadcom WiFi controllers that used in ThinkPad products.

The critical buffer overflow flaws resides with the adapter used by Broadcom’s wireless LAN driver and it can be remotely exploited by an attacker. Both the vulnerabilities have Exploitability Subscore of 10.

By installing the backdoor attacker can gain R/W access to the firmware and no user interaction is needed.

Also Read Most Important Network Security & Penetration Testing Tools for Hackers and Security Professionals

CVE-2017-11120 – On Broadcom BCM4355C0 Wi-Fi chips 9.44.78.27.0.1.56 and other chips, an attacker can craft a malformed RRM neighbor report frame to trigger an internal buffer overflow in the Wi-Fi firmware, aka B-V2017061204.

Upon successful execution of the exploit, a backdoor is inserted into the firmware, allowing remote read/write commands to be issued to the firmware via crafted action frames (thus allowing easy remote control over the Wi-Fi chip).Beniamini added.

CVE-2017-11121 also discovered by Beniamini – On Broadcom BCM4355C0 Wi-Fi chips 9.44.78.27.0.1.56 and other chips, properly crafted malicious over-the-air Fast Transition frames can potentially trigger internal Wi-Fi firmware heap and/or stack overflows, leading to a denial of service or other effects, aka B-V2017061205.

Lenovo Thinkpad vulnerabilities – Products Impacted

Following are the products impacted and Lenovo strongly recommends to update Wi-Fi driver’s in the affected versions.

ThinkPad 10, ThinkPad L460, ThinkPad P50s, ThinkPad T460, ThinkPad T460p, ThinkPad T460s, ThinkPad T560, ThinkPad X260 and ThinkPad Yoga 260.