- Hacking Techniques -

Last update 09.10.2017 13:52:27

Introduction  List  Kategorie  Subcategory 0  1  2  3  4  5  6  7  8  Hacker techniques



Grey Heron, the new Co in the surveillance industry that promises to spy on Signal and Telegram
27.3.2018 securityaffairs
Hacker techniques

Who is behind the newborn Grey Heron surveillance company? According to an investigation conducted by Motherboard, the firm is linked to the Italian surveillance firm Hacking Team.
The development and sale of surveillance software is a profitable business, many government agencies use spyware for different purposes, in some their involvement is very questionable.

Early this month, the journalist Joseph Cox from Motherboard wrote an interesting post on a mysterious surveillance firm called Grey Heron.

The company was advertising a spyware that is able to spy on Signal and Telegram communications.

The name Grey Heron was unknown also among the security community, but the investigation conducted by Motherboard linked the company to the controversial Italian surveillance firm Hacking Team,

Motherboard obtained a brochure of the company that uses the following statement to describe its mission:

“Grey Heron’s mission is to provide to law enforcement the strong tools to balance the capabilities of those who wish to do harm,”

Grey Heron spyware
Source Motherboard

According to a source familiar with the company, Grey Heron was formed from several players surveillance industry.

In 2015, the company suffered a major data breach, the hacker known as Phineas Fisher exfiltrated more than 400 gigabytes of internal data from company servers.

The hackers stole company’s emails, customer records, and the source code for hacking tools and exploits.

In 2017, the company was bought by an entity linked to the Saudi Government bought.

A new post written by Joseph Cox along with the colleague Lorenzo Franceschi-Bicchierai, cited a former Hacking Team employee, who speaking on condition of anonymity, confirmed the link between Hacking Team and Grey Heron.

“[it would] make sense to use a different name to continue to sell to those clients who weren’t happy after the hack.” said the former employee.
“Except those customers who don’t care because they buy spyware without thinking twice,” “I imagine that there’s a lot of them who don’t see Hacking Team favorably anymore, including the reselling partners, perhaps even more so than the final customers.”

The interesting news is that Grey Heron has confirmed privately that the Italian Government has given it the permission to export its products throughout the European Union.

Grey Heron is looking with great interest at both the European and North American markets.


Avast releases open sources Machine-Code Decompiler (RetDec) to fight malware
16.12.2017 securityaffairs
Hacker techniques

RetDec is the retargetable machine-code decompiler (RetDec) released by the anti-malware firm Avast to boost the fight against malicious codes.
The anti-malware company Avast announced the release of retargetable machine-code decompiler (RetDec) as open source in an effort to boost the fight against malicious codes.

RetDec, short for Retargetable Decompiler, was originally created as a joint project by the Faculty of Information Technology of the Brno University of Technology and AVG Technologies. Avast acquired AVG Technologies in 2016.

RetDec is now available for anyone on GitHub under the MIT license, this means that security experts can modify its source code and redistribute it.

RetDec is a retargetable machine-code decompiler based on LLVM that could be used by the experts to perform platform-independent analysis of executable files.

Avast decided to open-source the Retargetable Decompiler to provide “a generic tool to transform platform-specific code, such as x86/PE executable files, into a higher form of representation, such as C source code.”

The utility includes support for multiple platforms, different architectures, file formats, and compilers.

“The decompiler is not limited to any particular target architecture, operating system, or executable file format:

Supported file formats: ELF, PE, Mach-O, COFF, AR (archive), Intel HEX, and raw machine code.
Supported architectures (32b only): Intel x86, ARM, MIPS, PIC32, and PowerPC.”
The tool currently supports only Windows (7 or later) and Linux, but pre-built packages are available only for Windows.

RetDec

RetDec features are:

Static analysis of executable files with detailed information.
Compiler and packer detection.
Loading and instruction decoding.
Signature-based removal of statically linked library code.
Extraction and utilization of debugging information (DWARF, PDB).
Reconstruction of instruction idioms.
Detection and reconstruction of C++ class hierarchies (RTTI, vtables).
Demangling of symbols from C++ binaries (GCC, MSVC, Borland).
Reconstruction of functions, types, and high-level constructs.
Integrated disassembler.
Output in two high-level languages: C and a Python-like language.
Generation of call graphs, control-flow graphs, and various statistics.
Courtesy of an IDA (Interactive Disassembler) plugin, the utility is able to decompile files directly from the IDA disassembler.

RetDec is a powerful utility that allows optimizing reconstruction of original source code “by using a large set of supported architectures and file formats, as well as in-house heuristics and algorithms to decode and reconstruct applications.”

Avast also provides web service for decompilation in browser, an IDA plugin and REST API that allows the creation of apps that can interact with RetDec through HTTP requests.

The decompiler can be used via the API through retdec-python.


DitM Dog In The Middle – New Hacking Technique to Eavesdropping
16.8.2017 securityaffairs
Hacker techniques

During Defcon 25 hacking conference held in Las Vegas on July, a new eavesdropping attack technique was introduced, it was dubbed DitM (Dog In The Middle).
During Defcon 25 one of the biggest information security event that took place in Las Vegas on July 27-30 this year, a new eavesdropping attack technique was introduced.

At the BioHacking Village’s Pisa Room, the Brazilian information security researcher and senior security consultant at CIPHER, Rafael Fontes Souza presented a proof-of-concept demonstrating a new exploitation technique that can be used to hack user credentials and to intercept sensitive data.

The ‘Dog in the Middle’ technique, aka DitM, used man’s best friend as an attack tool. Rafael adapted a chest collar to carry a mobile phone and wireless network adapter.

DitM

The most noticeable feature of this technique is that the attack vectors are triggered automatically without any human interaction and include near field attacks such as fake access point, cellular base stations or local user attacks on a network.

A comprehensive set of exploitations can be implemented using DitM, like DNS hijacking, packet injection, evil twin, rogue router or ISP, among others.

How that’s done?

The targeted device will connect to a rogue wi-fi access point generated by the dog collar and clever DHCP configurations can push rules to allow IP allocation by the fake AP and traffic forwarding to fake and/or malicious websites.

“Information and user data can be easily stored and malicious files can also be injected remotely to control the compromised device”, explain Rafael.

DitM

The video demonstrating how the chest collar was assembled can be seen at Vimeo through the following link https://vimeo.com/227596613

and Rafael’s presentation can also be accessed through Slideshare here https://pt.slideshare.net/rafa_el_souza/my-dog-is-a-hacker-and-will-still-your-data.

This technique is as very good example of how rather conventional technology can be used to social engineering to compromise users. Who’d think man’s best friend could be used as an attack tool?

Article by Pedro Silveira (Marketing Director at Cipher)


Rapid7 warns of Remote Desktop Protocol (RDP) exposure for millions of endpoints
15.8.2017 securityaffairs
Hacker techniques

According to a new research conducted by experts at Rapid7, there are 4.1 million Windows endpoints exposed online via Remote Desktop Protocol (RDP).
The researchers discovered that there are 11 million open 3389/TCP endpoints, and that 4.1 million of them are RDP.

“We analyzed the responses, tallying any that appeared to be from RDP speaking endpoints, counting both error messages indicating possible client or server-side configuration issues as well as success messages.” states the analysis from Rapid7.

“11 million open 3389/TCP endpoints, and 4.1 million responded in such a way that they were RDP speaking of some manner or another. This number is shockingly high when you remember that this protocol is effectively a way to expose keyboard, mouse and ultimately a Windows desktop over the network.”

In May, Rapid7 published another study that revealed millions of devices exposed to cyber attacks via SMB, Telnet, RDP, and other types of improper configurations.

The study reported 10.8 million supposedly open RDP endpoints in early 2016, and 7.2 million such endpoints in the first quarter of this year.

The researchers pointed out that even if RDP is disabled by default on Windows, it is commonly exposed in internal networks for administration and maintenance purposes. The protocol poses serious risks, Microsoft addressed dozens of vulnerabilities in the Remote Desktop Protocol over the past fifteen years.

“The default RDP configuration on older versions of Windows left it vulnerable to several attacks when enabled; however, newer versions have upped the game considerably by requiring Network Level Authentication (NLA) by default. If you are interested in reading more about securing RDP, UC Berkeley has put together a helpful guide, and Tom Sellers, prior to joining Rapid7, wrote about specific risks related to RDP and how to address them.”

“RDP’s history from a security perspective is varied. Since at least 2002 there have been 20 Microsoft security updates specifically related to RDP and at least 24 separate CVEs”

ShadowBrokers revealed the existence of an NSA exploit, dubbed EsteemAudit exploit that targets Remote Desktop Protocol service (port 3389) on machines running no longer supported Microsoft Windows Server 2003 / Windows XP.

It has been estimated that over 24,000 systems remain vulnerable to the EsteemAudit exploit, for this reason, Microsoft released security updates for Windows XP to address ShadowBrokers vulnerabilities, including CVE-2017-0176 exploited by EsteemAudit.

Remote Desktop Protocol attacks are a privileged attack vector for malware distribution, especially ransomware.

There are many malware in the wild that already infects systems using as attack vector the Remote Desktop Protocol, (CrySiS, Dharma, and SamSam), the EsteemAudit exploit can potentially make these threats very aggressive and dangerous.

According to the Rapid7 report, most of the exposed Remote Desktop Protocol endpoints (28.8%, or over 1.1 million) are in the United States. China is at the second place for exposed RDP endpoints (17.7%, or around 730,000), followed by Germany (4.3%, ~ 177,000), Brazil (3.3%, ~ 137,000), and Korea (3.0%, ~ 123,000).

Rapid7 RDP Exposure

Giving a look at the organizations that own the IP addresses associated with exposed Remote Desktop Protocol endpoints the experts noticed that most of them belong to Amazon (7.73% of exposed endpoints), Alibaba (6.8%), Microsoft (4.96%), China Telecom (4.32%), and Comcast (2.07%).

Rapid7 reported that more than 83% of the Remote Desktop Protocol endpoints identified were willing to proceed with CredSSP as the security protocol, meaning that the RDP session was highly secured. Over 15% of the exposed endpoints indicated that they didn’t support SSL/TLS.

“Amazingly, over 83% of the RDP endpoints we identified indicated that they were willing to proceed with CredSSP as the security protocol, implying that the endpoint is willing to use one of the most secure protocols to authenticate and protect the RDP session. A small handful in the few thousand range selected SSL/TLS. Just over 15% indicated that they didn’t support SSL/TLS (despite our also proposing CredSSP…) or that they only supported the legacy “Standard RDP Security”, which is susceptible to man-in-the-middle attacks. Over 80% of exposed endpoints supporting common means for securing RDP sessions is rather impressive. ” Rapid7 points out.


Millions of Endpoints Exposed via RDP: Report

14.8.2017 securityweek Hacker techniques
There are 4.1 million Windows endpoints online that would accept communication via the Remote Desktop Protocol (RDP) in one way or another, a recent Rapid7 report reveals.

As part of a study focused on the overall RDP exposure of Windows endpoints, the security firm discovered that there are 11 million open 3389/TCP endpoints, and that 4.1 million of them are “RDP speaking of some manner or another.”

The research follows previous reports from the company, which revealed 10.8 million supposedly open RDP endpoints in early 2016, and 7.2 million such endpoints in the first quarter of this year. According to Rapid7, however, the actual risk doesn’t come from exposing the endpoint, but from exposing the protocol.

While RDP is disabled by default on Windows, it is commonly exposed in internal networks to enable easy access for administration and support. From a security perspective, however, the protocol poses great many risks, especially with Microsoft addressing two dozen vulnerabilities in it over the past fifteen years.

“The default RDP configuration on older versions of Windows left it vulnerable to several attacks when enabled; however, newer versions have upped the game considerably by requiring Network Level Authentication (NLA) by default,” Rapid7 notes.

Earlier this year, the EsteemAudit exploit that the ShadowBrokers made public after supposedly stealing it from the National Security Agency-related Equation Group was targeting RDP on Windows 2003 and XP systems. Microsoft released security updates for Windows XP to address ShadowBrokers vulnerabilities, including CVE-2017-0176, the bug EsteemAudit was exploiting.

In March this year, a security report revealed that RDP had surpassed email for ransomware distribution. After RDP was associated with the delivery of various ransomware variants, researchers concluded that attackers were increasingly relying on brute-forcing RDP credentials for the deployment of this type of malware.

“RDP finds itself exposed on the public internet more often than you might think. Depending on how RDP is configured, exposing it on the public internet ranges from suicidal on the weak end to not-too-unreasonable on the other. […] There are all manner of ways that RDP could end up exposed on the public internet, deliberately or otherwise,” Rapid7 notes.

According to their report, most of the exposed RDP endpoints (28.8%, or over 1.1 million) are located in the United States. China has a great deal of exposed RDP endpoints as well (17.7%, or around 730,000), followed by Germany (4.3%, ~ 177,000), Brazil (3.3%, ~ 137,000), and Korea (3.0%, ~ 123,000).

The security researchers also had a look at the organizations that own the IPs with exposed RDP endpoints: Amazon (7.73% of exposed endpoints), Alibaba (6.8%), Microsoft (4.96%), China Telecom (4.32%), and Comcast (2.07%).

This also revealed why some countries had significantly more exposed endpoints than others: most of the providers are known for their cloud, virtual, or physical hosting services, “where remote access to a Windows machine is a frequent necessity,” Rapid7 notes.

The security researchers also discovered that over 83% of the RDP endpoints identified were willing to proceed with CredSSP as the security protocol, meaning that the RDP session was highly secured. However, while some selected SSL/TLS, over 15% of the exposed endpoints indicated that they didn’t support SSL/TLS.

“While 83% of the RDP speaking endpoints support CredSSP, this does not mean that they don’t also support less secure options; it just means that if a client is willing, they can take the more secure route,” Rapid7 points out. However, the company also underlines that it’s highly impressive that over 80% of exposed endpoints include support for common means for securing RDP sessions.


A fresh massive AdGholas Malvertising campaign infects millions
4.7.2017 securityaffairs
Hacker techniques

Researchers at Proofpoint discovered a massive AdGholas Malvertising Campaign infecting as many as 1 million computers per day with several banking trojans.
A new massive AdGholas malvertising network discovered by experts at Proofpoint has been infecting as many as 1 million computers per day with several banking trojans.

AdGholas operators have been active since 2015, the threat actors behind the AdGholas malvertising campaign was notable for its use of steganography and careful targeting of the massive volume of malicious ads and impressions and its ability to avoid detection of researchers.

“Proofpoint researchers have discovered and analyzed a massive malvertising network operating since 2015. Run by a threat actor we designated as AdGholas and pulling in as many as 1 million client machines per day” states the analysis from Proofpoint.

According to Proofpoint researchers “This campaign represents the first documented use of steganography in a drive-by malware campaign, and attacks employed ‘informational disclosure’ bugs perceived to be low-risk in order to stay below the radar of vendors and researchers.”

The campaign was receiving high-quality traffic from a variety of high-rank referrers, from more than twenty different AdAgency/AdExchange platforms. According to the experts, the AdGholas was clocking one to five million hits every day, unfortunately, roughly 10-20% of the hits were redirected to domains hosting exploit kits.

Cyber criminals were using domains that appear as clones of legitimate websites belonging to Hotel Merovinjo in Paris, Ec-centre and Mamaniaca.

The experts at Proofpoint observed that hackers served different malware depending on user and geography.

adgholas malvertising campaign

“Our analysis with colleagues from Trend Micro found that AdGholas campaigns do not all work the same way, but all do have the same multi-layered filtering and obfuscation,” continues the analysis. “For instance, the redirect tag is being sent in several ways. We saw the xhr-sid sent as response header to a POST to GIF, but it is sometimes hidden at the end of an ‘addStat hash in the initial landing.”

AdGholas gang went silent for two weeks after the Angler exploit kit disappearance from the threat landscape, it then returned using the same domains at the end of June in campaign leveraging the Neutrino EK.

Malware researchers observed the gang delivering geo-focused banking Trojans, such as Gozi ISFB in Canada, Terdot.A (aka DELoader) in Australia, Godzilla loaded Terdot.A in Great Britain, and Gootkit in Spain. The experts observed four different Neutrino threads, as Neutrino is not including an internal TDS while Blackhole, Angler and Nuclear were.

Recently the AdGholas gang or close distribution partners was operating reverse proxies serving the involved instance of exploit kit at the end of April.

AdGholas demonstrates that malvertising campaigns are becoming increasingly sophisticated to remain stealthy and effective.

Below key findings from Proofpoint analysis:

Massive scale: The AdGholas network drew traffic of 1-5 million high quality client hits per day.
Stealthy innovation: This campaign represents the first documented use of steganography in a drive-by malware campaign, and attacks employed “informational disclosure” bugs perceived to be low-risk in order to stay below the radar of vendors and researchers.
Sophisticated filtering: AdGholas employs ‘smart,’ multi-step filtering techniques to more precisely target client systems, including avoiding non-OEM and non-Nvidia/ATI-powered systems.
Convincing: Redirected sites avoid suspicion and improve effectiveness by closely mimicking the appearance of the legitimate site expected by the ad agencies.