The scariest piece of malware since Stuxnet (Podcast)

Back in April, cybersecurity officials discovered the notorious “Industroyer” malware in the Ukrainian electrical grid. It might have been the scariest infrastructure hack since malware destroyed centrifuges at an Iranian uranium enrichment plant in 2010 – were it not for a TGIF miracle. Plus, a visit with the IT Army of Ukraine and a different kind of information operation.

https://podcasts.apple.com/us/podcast/30-the-scariest-piece-of-malware-since-stuxnet/id1225077306

#industroyer #podcast
🎙@cRyPtHoN_INFOSEC_IT
🎙@cRyPtHoN_INFOSEC_FR
🎙@cRyPtHoN_INFOSEC_EN
🎙@cRyPtHoN_INFOSEC_DE
🎙@BlackBox_Archiv

Samsung recently discovered a cybersecurity incident

At Samsung, security is a top priority. We are reaching out to inform you that Samsung recently discovered a cybersecurity incident that affected some of your information.

In late July 2022, an unauthorized third party acquired information from some of Samsung's U.S. systems. On or around August 4, 2022, we determined through our ongoing investigation that personal information of certain customers was affected.

We have taken actions to secure the affected systems, and have engaged a leading outside cybersecurity firm and are coordinating with law enforcement. We want to assure our customers that the issue did not impact Social Security numbers or credit and debit card numbers, but in some cases, may have affected information such as name, contact and demographic information, date of birth, and product registration information. The information affected for each relevant customer may vary.

At Samsung, we value the trust our customers place in our products and services ‑ trust that we have built up over many years. By working with industry ‑ leading experts, we will further enhance the security of our systems ‑ and your personal information ‑ and work to maintain the trust you have put into the Samsung brand for more than 40 years.

We regret any inconvenience this may cause you and appreciate your trust in us. We have set up an FAQ page on our website for additional questions and answers along with recommended actions.

If you'd like to check your credit report, you are entitled under U.S. law to one free credit report annually from each of the three major nationwide credit reporting agencies. More information can be found below.

If you have any questions regarding this issue, please visit our website at www.samsung.com/us/support/securityresponsecenter.

#samsung #breach
📡@cRyPtHoN_INFOSEC_IT
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

Wi-Fi Hacking: Using wifite for Multiple Attack Strategies against Wi-Fi AP's

Often, when doing a pentest, we have multiple Wi-Fi access points to test for security. Rather than testing each one individually with tools such as aircrack-ng, Reaver, pyrit, and hcxdumptool, and others, we can automate that testing with a single tool such as wifite. Wifite enables us to test all of the Wi-Fi AP's with a single tool automatically using multiple strategies against different security protocols.

‼️ only for educational purposes ‼️

https://www.hackers-arise.com/post/wi-fi-hacking-using-wifite-for-multiple-attack-strategies-against-wi-fi-ap-s

#wifi #hacking
📡@cRyPtHoN_INFOSEC_IT
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

James Webb JPEG With Malware

Tools: jpegdump.py, base64dump.py, pecheck.py, headtail.py

ISC diary entry: James Webb JPEG With Malware

Sample: 3bdf6d9f0f35be75d8345d897ec838ae231ba01ae898f6d0c8f920ff4061fc22, MalwareBazaar

Video: https://youtu.be/_JHYGpYAuAQ

#jameswebb #jpeg #malware
📡@cRyPtHoN_INFOSEC_IT
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

Malware dev open-sources CodeRAT after being exposed

The source code of a remote access trojan (RAT) dubbed 'CodeRAT' has been leaked on GitHub after malware analysts confronted the developer about attacks that used the tool.

The malicious operation, which appears to originate from Iran, targeted Farsi-speaking software developers with a Word document that included a Microsoft Dynamic Data Exchange (DDE) exploit.

The exploit downloads and executes CodeRAT from the threat actor's GitHub repository, giving the remote operator a broad range of post-infection capabilities.

More specifically, CodeRAT supports about 50 commands and comes with extensive monitoring capabilities targeting webmail, Microsoft Office documents, databases, social network platforms, integrated development environment (IDEs) for Windows Android, and even individual websites like PayPal.

https://www.bleepingcomputer.com/news/security/malware-dev-open-sources-coderat-after-being-exposed/

#CodeRAT
📡@cRyPtHoN_INFOSEC_IT
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

I ran the worlds largest DDoS-for-Hire empire and CloudFlare helped

Today CloudFlare is in the spotlight for their decision to revoke access to a website behind their network, the timing comes just 3 days after they published a blog post discussing their abuse policies and making the following statement:

"Some argue that we should terminate these services to content we find reprehensible so that others can launch attacks to knock it offline. That is the equivalent argument in the physical world that the fire department shouldn't respond to fires in the homes of people who do not possess sufficient moral character"

I agree with CloudFlare's analogy, the fire department should respond to a fire at any home regardless of who lives in it. However this real world example is not an accurate representation of the situation CloudFlare is presenting. As the operator of the largest DDoS-for-Hire empire in the history of the internet, I have a unique perspective on the situation CloudFlare finds themselves in.

https://rasbora.dev/blog/I-ran-the-worlds-largest-ddos-for-hire-empire-and-cloudflare-helped

#cloudflare #ddos
📡@cRyPtHoN_INFOSEC_IT
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

After self-hosting my email for twenty-three years I have thrown in the towel.

The oligopoly has won.

Many companies have been trying to disrupt email by making it proprietary.

Many companies have been trying to disrupt email by making it proprietary. So far, they have failed. Email keeps being an open protocol. Hurray?

No hurray. Email is not distributed anymore. You just cannot create another first-class node of this network.

Email is now an oligopoly, a service gatekept by a few big companies which does not follow the principles of net neutrality.

I have been self-hosting my email since I got my first broadband connection at home in 1999. I absolutely loved having a personal web+email server at home, paid extra for a static IP and a real router so people could connect from the outside. I felt like a first-class citizen of the Internet and I learned so much.

Over time I realized that residential IP blocks were banned on most servers. I moved my email server to a VPS. No luck. I quickly understood that self-hosting email was a lost cause. Nevertheless, I have been fighting back out of pure spite, obstinacy, and activism. In other words, because it was the right thing to do.

But my emails are just not delivered anymore. I might as well not have an email server.

https://cfenollosa.com/blog/after-self-hosting-my-email-for-twenty-three-years-i-have-thrown-in-the-towel-the-oligopoly-has-won.html

#email
📡@cRyPtHoN_INFOSEC_IT
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

E-Mail Done My Way, Part 0 - The journey

Warning. This whole series is not a simple HOWTO. This series is about how I run my mail server. I go through the configuration, line by line and explain. It’s not going to be a simple Copy/Paste to run your own mail server. You have been warned.

This will be at least a three part series. Maybe more. We will see.

E-Mail, while being one of the oldest services on the internet, is a complex beast to tame. You have to be careful at every step of setting it up. Failure can cost you dearly. Open relays, blacklists, Denial of Service. There be dragons. These are the building blocks I use and will explain:

https://jan.wildeboer.net/2022/08/Email-0-The-Journey-2022/

💡 Read as well:
After self-hosting my email for twenty-three years I have thrown in the towel
https://t.iss.one/BlackBox_Archiv/3017

#email
📡@cRyPtHoN_INFOSEC_IT
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

The entire Irish healthcare system was impacted by ransomware, restoration took months even with decryption key, required the army being called in (!)...

...and they put the entire major incident report public, all 157 pages:
https://www.hse.ie/eng/services/publications/conti-cyber-attack-on-the-hse-full-report.pdf

#irland #ransomware #pdf
📡@cRyPtHoN_INFOSEC_IT
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

TikTok Data Breach

This is your forewarning. #TikTok has reportedly suffered a #data #breach, and if true there may be fallout from it in the coming days. We recommend you change your TikTok #password and enable Two-Factor Authentication, if you have not done so already.

https://nitter.pussthecat.org/BeeHiveCyberSec/status/1566340883959746562

https://gist.github.com/troyhunt/d238ded80353cce53bea4545545ed172

💡read as well (German)
https://tarnkappe.info/artikel/hacking/bluehornet-sicherheitsforscher-hackt-tiktok-255255.html

#TikTok #breach
📡@cRyPtHoN_INFOSEC_IT
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

NHS 111 software outage confirmed as cyber-attack

The problems are reported to have impacted referrals from the NHS 111 helpline to out-of-hours GPs.

A software outage affecting the NHS 111 service was caused by a cyber-attack, it has been confirmed.

Advanced, a firm providing digital services for NHS 111, said the attack was spotted at 07:00 BST on Thursday.

The attack targeted the system used to refer patients for care, including ambulances being dispatched, out-of-hours appointment bookings and emergency prescriptions.

But the NHS said disruption was minimal.

The National Crime Agency said it was "aware of a cyber incident" and was working with Advanced.

"A security issue was identified yesterday, which resulted in loss of service," said Advanced boss Simon Short.

"We can confirm that the incident is related to a cyber-attack and as a precaution, we immediately isolated all our health and care environments."

He said the issue had been contained "to a small number of servers".

Advanced has indicated the issue might not be fully resolved until next week.

https://www.bbc.co.uk/news/uk-wales-62442127

#cyberattack #advanced #nhs #uk
📡@cRyPtHoN_INFOSEC_IT
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

Check out what online companies know about you

https://clario.co/blog/which-company-uses-most-data/

#bigdata #DeleteFacebook #DeleteMeta
📡@cRyPtHoN_INFOSEC_IT
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

Legitimate SaaS Platforms Being Used to Host Phishing Attacks

Executive Summary

Instead of creating phishing pages from scratch, more and more cybercriminals are now abusing legitimate software-as-a-service (SaaS) platforms, including various website builders or form builders, to host their phishing pages. Since these URLs are hosted on legitimate domains, they can be especially difficult for many phishing detection engines to detect. Furthermore, these platforms typically require little to no coding experience, significantly lowering the barrier to entry for creating and launching phishing attacks.

From the beginning of 2020 to June 2022, Palo Alto Networks analyzed the URLs detected by our Advanced URL Filtering service, and discovered that the number of phishing URLs hosted on legitimate SaaS platforms has continued to increase at an alarming rate. In fact, from June 2021-June 2022, the rate of newly detected phishing URLs hosted on legitimate SaaS platforms has increased over 1100%.

The Palo Alto Networks Advanced URL Filtering uses deep learning to analyze the content of each webpage at the URL level instead of the domain level. Customers with an Advanced URL Filtering subscription therefore receive protections from these platform-abuse phishing attacks.

Table of Contents

- Introduction to Platform-Abuse Phishing Attacks
- Methodology
- Results: Platform-Abuse Phishing Is on the Rise
- Platform-Abuse Phishing Case Studies
- Conclusion
- Acknowledgements

https://unit42.paloaltonetworks.com/platform-abuse-phishing/

#phishing
📡@cRyPtHoN_INFOSEC_IT
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

In wake of EPIC data breach - Samsung forcing users to accept T&Cs or risk their data

Users attempting to take sensible precautions after a recent spate of data breaches at Korean techmonger, Samsung, are being forced to accept updated terms and conditions in order to do so.

Samsung has fallen prey to two data breaches in 2022 to date. The first orchestrated by the notorious Lapsus$ group, saw 190GB of data exfiltrated from the company, and included algorithms for all biometric unlocking operations, source code for the bootloader for newer Samsung products, and all the source code behind the process of authorizing and authenticating Samsung accounts.

The second affected users directly and saw Samsung wait a month before notifying customers that a huge trove of personally identifying information was now in the hands of criminals.

While the understated press release from Samsung reassured customers that there was no need for panic, prudent users - perhaps alarmed at Samsung’s lack of alarm - immediately logged into their Samsung account to change their password.

Many users create a Samsung account when they buy their phones and then immediately forget about it. Some read the terms and conditions, and some don’t. You should always read the terms and conditions.

And if you created your account before September 2021, Samsung is under no obligation to notify you when those terms change - unless you attempt to log into your online account, that is.

Samsung’s terms and conditions were last updated on 30 September 2021, in a change that went largely unnoticed by everyone.

While it’s technically possible to request a password reset without logging in and accepting the updated terms and conditions, you do need to accept them in order to access other security features of your Samsung account.

https://thecrow.uk/in-wake-of-epic-data-breach-samsung-forcing-users-to-accept-new-terms-or-risk-their-data/

#samsung #breach
📡@cRyPtHoN_INFOSEC_IT
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

Kiwi Farms all but finished after bill comes due for years of trolling and harassment

There’s an old saying, “You play with the bull, you get the horns.” One of the most noxious corners of the tubes learned that the hard way this weekend. Kiwi Farms, a message board notorious for vicious and criminal harassment of vulnerable people—especially trans people—was essentially driven out of existence over the weekend. In the wake of heightened scrutiny over Kiwi Farms’ tactics, multiple companies cut ties with the site, rendering it all but inaccessible.

The beginning of the end came when Cloudflare, which protected Kiwi Farms from DDoS attacks, dropped Kiwi Farms (diaried here) after increasingly threatening posts led Cloudflare to reverse its initial decision to continue working with the site. In the last 24 hours, multiple companies, including its replacement DDoS protector, cut ties with the site as well. It as been offline since late Sunday night/early Monday morning, and the site’s founder and administrator suggests it may be awhile before it comes back—if it does come back.

https://www.dailykos.com/stories/2022/9/5/2120881/-Kiwi-Farms-all-but-finished-after-bill-comes-due-for-years-of-trolling-and-harassment

#kiwifarms
📡@cRyPtHoN_INFOSEC_IT
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

CSharp PoC for transacted hollowing

https://github.com/daem0nc0re/TangledWinExec/commit/f898bf157ad993f900985d78b8d8fdc22df0163c

#CSharp #poc #hollowing
📡@cRyPtHoN_INFOSEC_IT
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

Uninvited Guests: Analyzing the Identity and Behavior of Certificate Transparency Bots

https://www.securitee.org/files/ctpot_usec2022.pdf

#pdf #bots
📡@cRyPtHoN_INFOSEC_IT
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

We won. Kiwi Farms is dead

https://nitter.pussthecat.org/keffals/status/1566921249036681217

via Twitter

#DropKiwifarms
📡@cRyPtHoN_INFOSEC_IT
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

Inside the Windows Cache Manager

The cache is an integral part of the operating system and its hybrid kernel. Roughly speaking, it's just a virtual memory region in the kernel address space, on which the Cache Manager maps file data to provide quick access to them in the future. This access is frequently used by the File System Driver (FSD) or the Windows Memory Manager (VMM). Instead of reading file data from disk every time a user or system needs to access to it, the OS kernel calls the Cache Manager in an attempt to get this data from memory. In turn, the Cache Manager is a set of function in the kernel executable file ntoskrnl.exe, which starts with a prefix Cc. These functions are private, so to get to their names, you need to configure the symbol server settings in WinDbg or IDA.

Learning the Windows Cache Manager is quite a difficult task for beginners. This Windows kernel subsystem is closely related to the VMM, so if you don't have enough knowledge in it, try to understand the basic concepts without going into complicated technical aspects. In addition, you should have some knowledge in the field of file system drivers (FSD), because they are the most frequent clients of the Cache Manager. It's worth to note that the cache concept exists only at the level of file system, lower drivers on the device stack like the volume manager, partition manager, disk driver, and disk port driver don't use it.

https://www.linkedin.com/pulse/inside-windows-cache-manager-artem-baranov

#windows #cachemanager
📡@cRyPtHoN_INFOSEC_IT
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

Encrypted app Signal just hired one of Big Tech’s sharpest critics

Meredith Whittaker, the former Google manager, is Signal’s first president. She is out to convince users to pay for the free app.

Signal has hired Meredith Whittaker, a former Google manager who has been outspoken about the harms of Big Tech, as its first president, adding to the roster of tech critics leading the encrypted messaging app.

In the crowded market for messaging apps, Signal stands apart. It’s committed to encryption in an industry built on collecting personal data. It’s run by a nonprofit but competes against WhatsApp and iMessage, backed by some of the richest companies in the world, Facebook parent Meta and Apple.

As president, Whittaker will help guide strategy, communications and policy. In an interview, she said she plans to focus on sustaining Signal, which hopes to support itself with small donations from millions of users. Signal announced her new role Monday at an event in Berlin.

...(...)
"An alternative to data collection only exists if the community of people who rely on it “kick in a little bit." (Meredith Whittaker)

https://www.washingtonpost.com/technology/2022/09/06/signal-meredith-whittaker/

#signal #messenger
📡@cRyPtHoN_INFOSEC_IT
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv

New EU law amplifies risks of state over-reach and mass surveillance

The EDRi network published its position paper on the proposed Regulation on automated data exchange for police cooperation (“Prüm II”). The European Commission’s Prüm II proposal fails to put in place vital safeguards designed to protect all of us from state overreach and authoritarian mass surveillance practices. In the worst case scenario, we may no longer be able to walk freely on our streets as the new law would treat large parts of the population as a criminal before proven otherwise.

https://edri.org/our-work/new-eu-law-amplifies-risks-of-state-over-reach-and-mass-surveillance/

#surveillance #edri
📡@cRyPtHoN_INFOSEC_IT
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv