Security-Portal.cz is an internet portal focused on computer security, hacking, anonymity, computer networks, programming, encryption, exploits, Linux and BSD systems. It runs a number of interesting services and supports its community in interesting projects.

Categories

COVID-19 forces browser makers to continue supporting TLS 1.0

LinuxSecurity.com - 2 April 2020 - 16:39
COVID-19 is forcing browser makers including Google and Mozilla to continue supporting the TLS 1.0 and TLS 1.1 protocols.
Category: Hacking & Security

44M Digital Wallet Items Exposed in Key Ring Cloud Misconfig

Threatpost - 2 April 2020 - 16:00
Millions of IDs, charge cards, loyalty cards, gift cards, medical marijuana ID cards and personal records were left exposed to the open internet.
Category: Hacking & Security

Emerging MakeFrame Skimmer from Magecart Sets Sights on SMBs

Threatpost - 2 April 2020 - 15:10
Attacks using brand-new card-harvesting code are targeting small- to medium-sized businesses, claiming 19 sites so far.
Category: Hacking & Security

Hack the Box (HTB) machines walkthrough series — JSON

InfoSec Institute Resources - 2 April 2020 - 15:01

Today we will be continuing with our exploration of Hack the Box (HTB) machines, as seen in previous articles. This walkthrough is of an HTB machine named JSON. HTB is an excellent platform that hosts machines belonging to multiple OSes. It also has some other challenges as well. Individuals have to solve the puzzle (simple […]

The post Hack the Box (HTB) machines walkthrough series — JSON appeared first on Infosec Resources.

Hack the Box (HTB) machines walkthrough series — JSON was first posted on April 2, 2020 at 8:01 am.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com
Category: Hacking & Security

The state of threats to electric entities: 4 key findings from the 2020 Dragos report

InfoSec Institute Resources - 2 April 2020 - 15:00

Introduction In January 2020, industrial cybersecurity firm Dragos released the North American Electric Cyber Threat Perspective, referred to as the Dragos report. This report summarized findings regarding threats and adversaries that focus on critical infrastructure and is intended to be a snapshot of the threat landscape in January 2020 and which is expected to evolve […]

The post The state of threats to electric entities: 4 key findings from the 2020 Dragos report appeared first on Infosec Resources.

The state of threats to electric entities: 4 key findings from the 2020 Dragos report was first posted on April 2, 2020 at 8:00 am.
Category: Hacking & Security

Phone carriers must authenticate calls to fight robocalls, says FCC

Sophos Naked Security - 2 April 2020 - 13:44
The FCC has given voice carriers until June 2021 to implement technology it says will stop the robocall plague that's driving us all insane.

New Zoom Hack Lets Hackers Compromise Windows and Its Login Password

The Hacker News - 2 April 2020 - 12:08
Zoom has been around for nine years, but the sudden need for an easy-to-use video conferencing app during the coronavirus pandemic made it, overnight, one of the most popular communication tools for millions of people around the globe. No doubt, Zoom is an efficient online video meeting solution that's helping people stay socially connected during these unprecedented times, but it's
Category: Hacking & Security

Loncom packer: from backdoors to Cobalt Strike

Kaspersky Securelist - 2 April 2020 - 12:00

The previous story described an unusual way of distributing malware disguised as an update for an expired security certificate. After the story went out, we conducted a detailed analysis of the samples we had obtained, with some interesting findings. All of the malware we examined from the campaign was packed with the same packer, which we named Trojan-Dropper.NSIS.Loncom. The packer uses the legitimate NSIS installer software to pack and load shellcode, and the Microsoft Crypto API to decrypt the final payload. Like the earlier find, this one was not without its surprises, as one of the packaged samples contained software used by APT groups.

Primary analysis

Loncom uses NSIS to run shellcode contained in a file whose name consists only of digits. In our example, the file is named 485101134:

Overview of the NSIS archive contents

Once the shellcode is unpacked to disk and loaded into memory, the NSIS script calculates the starting position and proceeds to the next stage.

What the shellcode does

Before proceeding to decrypt the payload, the shellcode decrypts itself piece by piece, using the following algorithm:

  • Find the position of the next 0xDEADBEEF dword.
  • Read a dword: the size of the data to decrypt.
  • Read a dword: the first part of the key.
  • Read a dword: the second part of the key.
  • Find a suitable key: check the numbers consecutively, starting at 0, while xor(i, second part of key) != first part of key. This loop exists to delay execution and hinder AV detection. After simplification, key = i = xor(first part, second part).
  • Decrypt the next part of the shellcode (xor) and move on to it.
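The self-decryption walk above, as an added Python example that is not part of the Securelist article: it builds a constructed buffer in the same marker/size/key-pair layout, walks and decrypts the chain, and shows the brute-force key search and its simplification agreeing. The dword-wide XOR and the little-endian fields are assumptions.

```python
import struct

MARKER = struct.pack('<I', 0xDEADBEEF)  # assumption: fields are little-endian

def slow_key(first, second):
    """Literal form of the shellcode's delay loop: count i up from 0 until
    i ^ second == first. Only for small values; it exists to show the equivalence."""
    i = 0
    while (i ^ second) != first:
        i += 1
    return i

def fast_key(first, second):
    """The simplification from the analysis: the loop must stop at first ^ second."""
    return first ^ second

def xor_dwords(data, key):
    # Assumption: the XOR is applied dword by dword with the 32-bit key;
    # a trailing partial dword is XORed with the key's low bytes.
    ks = struct.pack('<I', key) * (len(data) // 4 + 1)
    return bytes(d ^ k for d, k in zip(data, ks))

def decrypt_chain(buf):
    """Walk marker -> size -> key1 -> key2 -> block, decrypting each block so the
    next marker can be located inside it. Returns (decrypted buffer, block list)."""
    buf = bytearray(buf)
    blocks = []
    pos = 0
    while True:
        pos = buf.find(MARKER, pos)
        if pos < 0 or pos + 16 > len(buf):
            break
        size, first, second = struct.unpack_from('<III', buf, pos + 4)
        key = fast_key(first, second)
        start = pos + 16
        buf[start:start + size] = xor_dwords(buf[start:start + size], key)
        blocks.append((start, size, key))
        pos = start  # continue the search inside the block just decrypted
    return bytes(buf), blocks

def build_sample(stages, key_pairs):
    """Constructed test data, not a real Loncom sample: a clear-text stub followed
    by one header and one XORed block per stage, in the layout described above."""
    out = bytearray(b'STUB')
    for plain, (first, second) in zip(stages, key_pairs):
        out += MARKER + struct.pack('<III', len(plain), first, second)
        out += xor_dwords(plain, first ^ second)
    return bytes(out)
```

A real unpacker should bound the search by the size field rather than scanning the whole buffer, since an encrypted block can contain the marker bytes by chance.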

Decrypting the next part of the shellcode

Here’s the code that performs the algorithm described above:

After several such iterations of block decryption, the shellcode switches to active steps, loading libraries and retrieving the addresses of required functions with the help of the API hashing technique. This avoids naming the requested functions directly; their hashes are provided instead. When searching for a function by hash, a hash is calculated for each entry in the library's export table until it matches the target.

Then Loncom decrypts the payload, which is contained in the same file as the shellcode, and proceeds to run it. The payload is encrypted with the AES-256 block cipher. The decryption key is hard-coded in the shellcode, and the payload offset and size are passed in from the NSIS script.

The main part of the shellcode: decrypting the payload

Unpacking

For automated Loncom unpacking, we need to find out how data is stored in the packed NSIS installers, obtain the payload offset and size from the NSIS script, and pull the key from the shellcode.

Unpacking the NSIS

After a brief analysis, we found that the NSIS installers have the following structure:

  • an MZ/PE NSIS interpreter whose overlay holds the data to be processed: the flag, the signatures, the size of the unpacked header and the total size of the data, followed by the containers, i.e. the compressed data itself;
  • containers in the format dword (data size):zlib_deflate(data). Container 0 holds the header, container 1 holds our file with the shellcode and the payload, and container 2 holds the DLL with the NSIS plugin;
  • the header contains a table of operation codes for the NSIS interpreter, a string table and a language table.

Having obtained the encrypted file, all we now need is the payload offset and size; then we can decrypt the payload and the shellcode.

NSIS data structure

Because all arguments to NSIS operation codes that use plugins are passed as strings, we retrieve from the header string table every string that looks like a number within the logical limits: from 0 to (file size – shellcode size).
NSIS unpacking code:

To simplify determining the payload offset and size, recall the structure of the file with the shellcode: the encrypted blocks are decrypted from the smallest address to the largest, top to bottom, and the payload is located above the shellcode. Thus we can determine the position of the 0xDEADBEEF marker and treat it as the end of the encrypted data (aligning as required, because AES is a block cipher).
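The container layout and the numeric-string filter from the two passages above, as an added Python example that is not from the article: it packs and walks dword(size):deflate(data) containers and pulls number-like strings from a string table. Raw deflate without a zlib header (wbits=-15), NUL-terminated strings and little-endian sizes are assumptions.

```python
import struct
import zlib

def pack_containers(blobs):
    """Constructed test data, not a real installer: one container per blob in the
    layout dword(size) followed by the deflated data.
    Assumption: raw deflate with no zlib header (wbits=-15)."""
    out = bytearray()
    for data in blobs:
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)
        body = comp.compress(data) + comp.flush()
        out += struct.pack('<I', len(body)) + body
    return bytes(out)

def walk_containers(overlay):
    """Inflate every container in order; per the analysis, index 0 is the header,
    1 the file with shellcode and payload, 2 the NSIS plugin DLL."""
    pos, parts = 0, []
    while pos + 4 <= len(overlay):
        (size,) = struct.unpack_from('<I', overlay, pos)
        pos += 4
        if pos + size > len(overlay):
            raise ValueError(f'container at offset {pos - 4} runs past the end of data')
        parts.append(zlib.decompress(overlay[pos:pos + size], -15))
        pos += size
    return parts

def numeric_strings(string_table, lo, hi):
    """Candidate payload offsets/sizes: every NUL-terminated string in the header
    string table that is a number within [lo, hi] (0 .. file size - shellcode size)."""
    return [int(s) for s in string_table.split(b'\x00')
            if s.isdigit() and lo <= int(s) <= hi]
```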

Decrypting the shellcode

To decrypt the payload, we need to:

  • decrypt the shellcode blocks;
  • determine where the AES key is;
  • retrieve the key;
  • try to decrypt the payload for offsets received from the NSIS;
  • stop after obtaining the first two bytes = ‘MZ’.

Step one can be performed by slightly modifying the code that performs the decryption algorithm in IDA Pro. The key can be located with the help of a simple regular expression: ‘\xC7\x45.(....)\xC7\x45.(....)\xC7\x45.(....)\xC7\x45.(....)\xE8’ — “mov dword ptr” 4 times, then “call” (see the pseudocode in the main part of the shellcode).
The other steps do not require a detailed explanation. We will now describe the actual malware that was packed with Loncom.

What’s inside

Besides Mokes and Buerak, which we mentioned in the previous article, we noticed packed specimens of the Backdoor.Win32.DarkVNC and Trojan-Ransom.Win32.Sodin families, the latter also known as REvil and Sodinokibi. The first is a backdoor used to control an infected machine via the VNC protocol. The second is ransomware that encrypts the victim’s data and threatens to publish it.
However, the most exciting find was the Cobalt Strike utility, used both by legitimate pentesters and by various APT groups. The command center of the sample that contained Cobalt Strike had previously been seen distributing CactusTorch, a utility for running shellcode present in Cobalt Strike modules, and the same Cobalt Strike packed with a different packer.

We continue monitoring Trojan-Dropper.NSIS.Loncom and hope to share new findings soon.

IOC

BB00BA9726F922E07CF243D3CCFC2B6E (Backdoor.Win32.DarkVNC)
EBE191BF77044961684DF51B88CA8D05 (Backdoor.Win32.DarkVNC)
4B4C98AC8F04680F7C529956CFE8519B (Trojan-Ransom.Win32.Sodin)
AEF8FBB5C64734093E78EB13E6FA7849 (Cobalt Strike)

COVID-19 forces browser makers to continue supporting TLS 1.0

Sophos Naked Security - 2 April 2020 - 11:52
In one of the strangest stories of the year, the COVID-19 virus has halted plans by major browsers to drop support for the aging and insecure Transport Layer Security (TLS) 1.0 and 1.1 protocols.

Attackers are trying to exploit Zoom's sudden popularity. Beware of Microsoft Teams and Google Classroom too

Zive.cz - security - 2 April 2020 - 10:52
As most of the nation has switched to working from home, the Zoom video conferencing service has caught many people's attention. Most company meetings currently take place through it. The service now has so many users that attackers have noticed and are trying to exploit its success. They register fake ...
Category: Hacking & Security

Hackers attacked the portal of the Italian social security administration

Novinky.cz - security - 2 April 2020 - 09:01
Unknown hackers attacked the web portal of the Italian National Social Security Institute (INPS) and temporarily interrupted its operation on Wednesday. INPS chief Pasquale Tridico announced this, according to the Reuters agency. The attack came at a time when citizens were beginning to apply on the website for the special social benefits announced in connection with the coronavirus pandemic. It is not yet clear who is behind the incident.
Category: Hacking & Security

Wiper Malware Called “Coronavirus” Spreads Among Windows Victims

Threatpost - 1 April 2020 - 23:07
Like NotPetya, it overwrites the master boot record to render computers "trashed."
Category: Hacking & Security

Coronavirus ‘Financial Relief’ Phishing Attacks Spike

Threatpost - 1 April 2020 - 21:48
A spate of phishing attacks has promised financial relief due to the coronavirus pandemic - but in reality swiped victims' credentials, payment card data and more.
Category: Hacking & Security

Critical WordPress Plugin Bug Can Lock Admins Out of Websites

Threatpost - 1 April 2020 - 20:03
A second vulnerability could be used to prevent access to almost all of a site’s existing content, simply by redirecting visitors.
Category: Hacking & Security

Two Zoom Zero-Day Flaws Uncovered

Threatpost - 1 April 2020 - 18:00
The zero-day Zoom flaws could give local, unprivileged attackers root privileges, and allow them to access victims’ microphone and camera.
Category: Hacking & Security

CZ.NIC unveils Turris Omnia 2020 and donates 150 MOX kits to hospitals with security holes

Zive.cz - security - 1 April 2020 - 17:23
A few days ago CZ.NIC announced the successful certification of its Turris Omnia router for the US market (FCC). The most visible novelty is the silver finish, which clearly distinguishes the new version from its predecessors, but above all it is the software: the Turris OS 4.0 operating system (an improved OpenWrt) and a new system ...
Category: Hacking & Security

Cyber Work podcast: Cryptography careers and IoT vulnerabilities with Ted Shorter

InfoSec Institute Resources - 1 April 2020 - 16:17

Introduction In this episode of Infosec’s Cyber Work podcast series, host Chris Sienko speaks with Ted Shorter. Ted is co-founder and CTO of Keyfactor, a computer security firm. He has worked in security for over 20 years, with a focus on cryptography, application security, authentication and authorization services, and software vulnerability analysis. His past experience […]

The post Cyber Work podcast: Cryptography careers and IoT vulnerabilities with Ted Shorter appeared first on Infosec Resources.

Cyber Work podcast: Cryptography careers and IoT vulnerabilities with Ted Shorter was first posted on April 1, 2020 at 9:17 am.
Category: Hacking & Security

Hackers have targeted video calls, security experts warn

Novinky.cz - security - 1 April 2020 - 15:30
Almost the entire world is now fighting the coronavirus pandemic. But it is not only doctors and the integrated rescue services that are on alert; hackers are too. In recent days they have focused mainly on video communication over the internet, warned security experts from the Check Point Research team.
Category: Hacking & Security

Top Email Protections Fail in Latest COVID-19 Phishing Campaign

Threatpost - 1 April 2020 - 15:27
An effective spoofing campaign promises users important information about new coronavirus cases in their local area, scooting past Proofpoint and Microsoft Office 365 ATPs.
Category: Hacking & Security

Europol and NÚKIB warn what not to do at home on the internet during quarantine

Zive.cz - security - 1 April 2020 - 15:27
Czechs have been shut in at home with their children for several weeks now, are starting to get bored and, with the shops boarded up, have started shopping online. The risk of catching the coronavirus has thus declined, but the probability of catching some malware has shot up. Households across the entire ... are now finding themselves in the same situation
Category: Hacking & Security
Syndicate content