Security-Portal.cz is an internet portal focused on computer security, hacking, anonymity, computer networks, programming, encryption, exploits, Linux and BSD systems. It runs a number of interesting services and supports enthusiasts in interesting projects.


SELinux blocks loading kernel modules

LinuxSecurity.com - 10 October, 2017 - 14:41
LinuxSecurity.com: The kernel has a feature where it will load certain kernel modules for a process when certain syscalls are made. For example, loading a kernel module when a process attempts to create a different kind of network socket.
Category: Hacking & Security

Busted! Founder sells $51m website, hacks it, tries to sell site its own data

Sophos Naked Security - 10 October, 2017 - 13:28
What's worse than Dracula sucking your blood? Dracula sucking your blood and then trying to sell it back to you

Warning: Millions Of P0rnHub Users Hit With Malvertising Attack

The Hacker News - 10 October, 2017 - 12:30
Researchers from cybersecurity firm Proofpoint have recently discovered a large-scale malvertising campaign that exposed millions of Internet users in the United States, Canada, the UK, and Australia to malware infections. Active for more than a year and still ongoing, the malware campaign is being conducted by a hacking group called KovCoreG, which is well known for distributing Kovter ad
Category: Hacking & Security

ATMii: a small but effective ATM robber

Kaspersky Securelist - 10 October, 2017 - 11:00

While some criminals blow up ATMs to steal cash, others use less destructive methods, such as infecting the ATM with malware and then stealing the money. We have written about this phenomenon extensively in the past and today we can add another family of malware to the list – Backdoor.Win32.ATMii.

ATMii was first brought to our attention in April 2017, when a partner from the financial industry shared some samples with us. The malware turned out to be fairly straightforward, consisting of only two modules: an injector module (exe.exe, 3fddbf20b41e335b6b1615536b8e1292) and the module to be injected (dll.dll, dc42ed8e1de55185c9240f33863a6aa4). To use this malware, criminals need direct access to the target ATM, either over the network or physically (e.g. over USB). ATMii, if it is successful, allows criminals to dispense all the cash from the ATM.

exe.exe – an injector and control module

The injector is an unprotected command line application, written in Visual C with a compilation timestamp of Fri Nov 01 14:33:23 2013 UTC. Since this compilation timestamp is from 4 years ago – and we do not think this threat could have gone unnoticed for 4 years – we believe it is a fake timestamp. What's also interesting is which OS the malware supports: one more recent than Windows XP. We can see this in the image below, where the first argument for the OpenProcess() function is 0x1FFFFu.


OpenProcess call with the PROCESS_ALL_ACCESS constant

It is the PROCESS_ALL_ACCESS constant, but this constant value differs in older Windows versions such as Windows XP (see the picture below). This is interesting because most ATMs still run on Windows XP, which is thus not supported by the malware.


A list of PROCESS_ALL_ACCESS values per Windows version

The injector, which targets the atmapp.exe process (proprietary ATM software), is fairly poorly written: it depends on several parameters, and if none are given the application catches an exception. The parameters are pretty self-explanatory:

param    short description
/load    Tries to inject dll.dll into the atmapp.exe process
/cmd     Creates/updates the C:\ATM\c.ini file to pass commands and params to the infected library
/unload  Tries to unload the injected library from the atmapp.exe process, while restoring its state

/load param

<exe.exe> /load

The application searches for a process with the name atmapp.exe and injects code into it that loads the "dll.dll" library (which has to be in the same folder as the exe.exe file). After the library has been loaded, its DllMain function is called.

/unload param

<exe.exe> /unload

As the name already suggests, it is the opposite of the /load parameter; it unloads the injected module and restores the process to its original state.

/cmd param

<exe.exe> /cmd [cmd] [params]

The application creates/updates C:\ATM\c.ini which is used by the injected DLL to read commands. The file is updated each time the .exe is run with the /cmd param.


Contents of c.ini after execution of “exe.exe /cmd info”

The executable understands the following set of commands:

command  description
scan     Scans for the CASH_UNIT XFS service
disp     Stands for "dispense". The injected module should dispense "amount" cash of "currency" (amount and currency are used as parameters)
info     Gets info about ATM cash cassettes; all the returned data goes to the log file
die      Injected module removes the C:\ATM\c.ini file

dll.dll – the injected module

After injection and execution of the DllMain function, the dll.dll library loads msxfs.dll and replaces the WFSGetInfo function with a special wrap function, named mWFSGetInfo.

At the time of the first call to the fake WFSGetInfo function, C:\ATM\c.ini is ignored and the library tries to find the ATM’s CASH_UNIT service id and stores the result, basically in the same way as the scan command does. If the CASH_UNIT service is not found, dll.dll won’t function. However, if successful, all further calls go to the mWFSGetInfo function, which performs the additional logic (reading, parsing and executing the commands from the C:\ATM\c.ini file).


Contents of C:\ATM\c.ini after execution of “exe.exe /cmd disp RUB 6000”

Below is an output of the strings program uncovering some interesting log messages and the function names to be imported. The proprietary MSXFS.DLL library and its functions used in the ATMii malware are marked with red boxes.

“scan” command

Because of the architecture of XFS, which is divided into services, the injected library first needs to find the dispense service. This command must be successfully called, because the disp and info commands depend on the service id retrieved by scan. Scan is automatically called after the dll has been injected into atmapp.exe.

After collecting the WFS_INF_CDM_STATUS data, additional data gets added to the tlogs.log. An example can be found below:


(387):cmd_scan() Searching valid service
(358):FindValidService() Checking device index=0
(70):CheckServiceForValid() ————————————————
(72):CheckServiceForValid() Waiting for lock
(76):CheckServiceForValid() Device was locked
(86):CheckServiceForValid() WFSGetInfo Success 0
(182):CheckServiceForValid() Done-> szDevice: WFS_CDM_DEVONLINE, szDispenser: WFS_CDM_DISPOK, szIntermediateStacker: WFS_CDM_ISEMPTY, szSafeDoor: WFS_CDM_DOORCLOSED
(195):CheckServiceForValid() Unlocking device
(390):cmd_scan() Service found 0

Part of a possible tlogs.log after a successfully executed "scan" command

“info” command

Before the criminals can dispense cash, they first need to know the exact contents of the different cassettes. For this, they use the info command which provides exhaustive information on all cassettes and their contents. The list of used XFS API functions is the same as with the scan command, but this time WFSGetInfo is called with the WFS_INF_CDM_CASH_UNIT_INFO (303) constant passed as a param.

Below is an example of the data written to the log file by the info command.


(502):ExecuteCmd() Executing cmd
(506):ExecuteCmd() CMD = info
(402):cmd_info() ! hFoundGlobalService = 0
(213):GetDeviceInformation() ————————————————
(220):GetDeviceInformation() Device locked 0
(337):GetDeviceInformation() Module: C:\program files\dtatmw\bin\atmapp\atmapp.exe
Cash Unit # 1, name=SOMENAME
Type: 3
Status: HIGH
Currency ID: 0x52-0x55-0x42
Note Value: 5000
Notes Count: 3000
Notes Initial Count: 3000
Notes Minimum Count: 10
Notes Maximum Count: 0

Part of a possible tlogs.log after a successfully executed "info" command

“disp” command

The dispense command is followed by two additional params in the command file: currency and amount. Currency must contain one of the three-letter currency codes of notes kept in the CASH_UNIT_INFO structure (currency codes are described in ISO 4217, e.g. RUB, EUR). The amount field holds the amount of cash to dispense, and this value must be a multiple of ten.

“die” command

Does nothing except deleting C:\ATM\c.ini command file.

Conclusion

ATMii is yet another example of how criminals can use legitimate proprietary libraries and a small piece of code to dispense money from an ATM. Some appropriate countermeasures against such attacks are default-deny policies and device control. The first measure prevents criminals from running their own code on the ATM’s internal PC, while the second measure will prevent them from connecting new devices, such as USB sticks.
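As an added example that is not part of the Securelist write-up, the following Python parser turns tlogs.log lines of the shape shown in the "scan" and "info" excerpts above into records and flags the ATMii-specific function names and executed commands, so a defender can triage such a log. The indicator set and the sample lines are constructed from the excerpts above and are assumptions of this example, not a vendor signature.

```python
import re
from dataclasses import dataclass

# Function names taken from the tlogs.log excerpts in the write-up above. Treating
# them as an indicator set is an assumption of this example, not a vendor signature.
ATMII_FUNCS = {"cmd_scan", "FindValidService", "CheckServiceForValid",
               "ExecuteCmd", "cmd_info", "GetDeviceInformation"}

# Each tlogs.log entry has the shape "(<source line>):<function>() <message>".
LOG_RE = re.compile(r"^\((\d+)\):(\w+)\(\)\s*(.*)$")
CMD_RE = re.compile(r"^CMD = (\w+)")


@dataclass
class LogEntry:
    srcline: int   # source line number the malware logged
    func: str      # logging function, e.g. cmd_scan
    msg: str       # free-text remainder of the line


def parse_tlog(text: str) -> list:
    """Parse tlogs.log text into LogEntry records; lines that do not match the
    entry shape (e.g. the cassette dump after GetDeviceInformation) are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            entries.append(LogEntry(int(m.group(1)), m.group(2), m.group(3)))
    return entries


def atmii_findings(text: str) -> dict:
    """Summarise ATMii indicators: matched function names, commands executed via
    C:\\ATM\\c.ini, and whether cmd_scan reported a CASH_UNIT service."""
    entries = parse_tlog(text)
    funcs = {e.func for e in entries} & ATMII_FUNCS
    commands = [m.group(1) for e in entries
                for m in [CMD_RE.match(e.msg)] if m]
    service_found = any(e.func == "cmd_scan" and "Service found" in e.msg
                        for e in entries)
    return {"matched_funcs": sorted(funcs), "commands": commands,
            "service_found": service_found, "suspicious": bool(funcs)}


# Constructed sample assembled from the "scan" and "info" excerpts above.
SAMPLE_LOG = """\
(387):cmd_scan() Searching valid service
(358):FindValidService() Checking device index=0
(390):cmd_scan() Service found 0
(502):ExecuteCmd() Executing cmd
(506):ExecuteCmd() CMD = info
(402):cmd_info() ! hFoundGlobalService = 0
"""
```

On a real ATM the same check belongs next to file-creation monitoring for C:\ATM\c.ini, since the injected module reads its commands from that file.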

5 security mistakes your IT team wish you wouldn’t make

Sophos Naked Security - 9 October, 2017 - 19:32
Your IT team will thank you for reading it!

Exploiting Protostar: Net0 – Final0

InfoSec Institute Resources - 9 October, 2017 - 19:00

In this article, we will be solving all networking challenges and one remote buffer overflow challenge of Protostar. Introduction These levels introduce us to the fundamental concept of sending and receiving data over a network in a different format, and the hurdles of debugging and developing an exploit for remote stack overflows. We will have […]

The post Exploiting Protostar: Net0 – Final0 appeared first on InfoSec Resources.
Category: Hacking & Security

How to do cybersecurity at work

Sophos Naked Security - 9 October, 2017 - 17:58
This week in National Cybersecurity Awareness Month is about how to do cybersecurity at work - and we mean all of us, not just IT!

FormBook Malware Targets US Defense Contractors, Aerospace and Manufacturing Sectors

Threatpost - 9 October, 2017 - 17:00
FormBook info-stealing malware has been part of two recent distribution campaigns and is being sold on the Dark Web for as little as $29 a week.
Category: Hacking & Security

VPN logs helped unmask alleged 'net stalker, say feds

LinuxSecurity.com - 9 October, 2017 - 15:05
LinuxSecurity.com: Virtual private network provider PureVPN helped the FBI track down an Internet stalker, by combing its logs to reveal his IP address.
Category: Hacking & Security

Mozilla pilots Cliqz engine in Firefox to slurp user browsing data

LinuxSecurity.com - 9 October, 2017 - 15:04
LinuxSecurity.com: Mozilla has launched a pilot program using Cliqz technology to pull user browsing data in Firefox.
Category: Hacking & Security

Cyber security as big a challenge as counter-terrorism, says spy chief

LinuxSecurity.com - 9 October, 2017 - 15:02
LinuxSecurity.com: Defending against cyber-attacks is as big a challenge for the UK as protecting against terrorism, according to the director of GCHQ.
Category: Hacking & Security

NFL Players, Agents Targeted in Database Extortion Attempt

Threatpost - 9 October, 2017 - 15:00
Researchers uncover a misconfigured Elasticsearch database, exposing data tied to NFL players and their agents.
Category: Hacking & Security

Is Russian Intelligence Using Tainted Software to Access Corporate and Government Networks?

InfoSec Institute Resources - 9 October, 2017 - 15:00

Documents leaked by the famous whistleblower Edward Snowden shed light on the surveillance machine used by the NSA to spy on allies and foreign governments. Many documents described the ability of US cyberspies to compromise legitimate software and hardware with implants, in some cases with the help of hardware manufacturers and software vendors. Recent […]

The post Is Russian Intelligence Using Tainted Software to Access Corporate and Government Networks? appeared first on InfoSec Resources.
Category: Hacking & Security

Exploiting Protostar – Heap Unlink Exploitation

InfoSec Institute Resources - 9 October, 2017 - 15:00

In this article, we will be solving the 4th challenge from the Heap Levels of Protostar. Introduction This level introduces us to a very old heap unlink vulnerability where one can exploit malloc's way of unlinking free heap chunks and gain code execution by overwriting arbitrary memory locations on the heap. If you have no […]

The post Exploiting Protostar – Heap Unlink Exploitation appeared first on InfoSec Resources.
Category: Hacking & Security

Hackers broke into corporate cloud accounts on Amazon and mined bitcoins

Zive.cz - security - 9 October, 2017 - 13:10
Mining cryptocurrencies is still a lucrative business in which a lot of money can be made, especially if you have low electricity costs. Best of all, though, is when you have no costs at all. That is the strategy used by hackers who broke into several large corporate accounts on Amazon's cloud (AWS) and secretly ...
Category: Hacking & Security

Postřehy z bezpečnosti (Security Observations)

CSIRT.cz - 9 October, 2017 - 10:59

In the past week, the Postřehy z bezpečnosti series looked at a security analysis of the DNS package, an attack on the Rainbow Six Siege game service, the outcome of Windows Defender's clash with the Samba vulnerability, signs of HSTS times ahead, and an analysis of how the risks associated with DNS attacks are underestimated.

Category: Hacking & Security

Monday review – the hot 24 stories of the week

Sophos Naked Security - 9 October, 2017 - 10:34
From how forgetting to renew a domain name cost $3m and Google's all-seeing tracking feature to Chrome tightening up on encryption, and more

FBI Arrests A Cyberstalker After Shady "No-Logs" VPN Provider Shared User Logs

The Hacker News - 9 October, 2017 - 10:21
FBI recently arrested a psycho cyber stalker with the help of a popular VPN service and this case apparently exposed the company's lies about the "no logs" policy. Taking down cyber stalkers and criminals is definitely a good thing, and the FBI has truly done a great job, but the VPN company whose first line of the privacy policy is—"We Do Not monitor user activity nor do we keep any logs"—
Category: Hacking & Security

Czechia is among the safest countries, say computer experts

Novinky.cz - security - 9 October, 2017 - 10:07
According to the most sober estimates, millions of computer viruses circulate on the internet every day. Yet domestic users apparently need not worry too much. According to statistics from security experts, our homeland is among the safest countries. This follows from data from the antivirus company Check Point.
Category: Hacking & Security

iPhone’s new “off” switch that leaves Bluetooth and Wi-Fi turned on

Sophos Naked Security - 9 October, 2017 - 01:20
Apple's new definition of "off" means "will turn itself on again soon" - at 5am, or next time you move.