Friday 6 January 2017

Golden Eye Ransomware targets HR departments with fake job applications

Spam Campaign targets those who most often need to open attachments from unknown sources.
Attackers are posing as job applicants as part of a new campaign to infect victims in corporate human resources departments with GoldenEye ransomware -- and they're even providing covering letters in an effort to lull targets into a false sense of security.
A variant of the Petya ransomware, GoldenEye targets human resources departments in an effort to exploit the fact that HR employees must often open emails and attachments from unknown sources.
Cybersecurity researchers at Check Point have been monitoring the campaign, which attempts to deliver ransomware to German targets using emails and attachments claiming to be from job applicants. The initial email contains a short message from the fake applicant, directing the victim to two attachments.
The first is a covering letter within a PDF which doesn't actually contain any malicious software, but is intended to reassure the target that they're dealing with a standard job application. However, the second attachment is an Excel file supposedly containing an application form but which in fact contains the malicious GoldenEye payload.
Upon opening the Excel attachment, the target is presented with a document which claims to be 'Loading' and requires them to enable Macros to view the file. When Macros are enabled, GoldenEye executes a code and begins encrypting the users' files before presenting them with a ransom note using yellow text -- rather than the red or green used by other Petya variants.
The note demands the victim pays a ransom of 1.3 bitcoins - around $1,000 - in order to retrieve their files. Much like other increasingly professional ransomware and cybercriminal campaigns, the perpetrators detail how the victim can acquire bitcoin on the dark web and even offer the option of exchanging messages with a GoldenEye admin if they're having trouble with the payment or decryption process.
It's believed by researchers that the developer behind Petya ransomware is going by the alias Janus -- apparently borrowing the name of a cybercrminal group in the 1995 James Bond film GoldenEye.
The cybercriminal operation behind the GoldenEye campaign has also been known to offer ransomware-as-a-service schemes which allow almost any wannabe hacker to cash-in on cyber extortion.

One way users can avoid falling victim to GoldenEye and other ransomware variants is by never enabling Macros within Microsoft Office documents and being mindful of unexpected or overly generic email messages.

.
Posted by at No comments:

Thursday 5 January 2017

Apple iPhone bug causes iMessage app to freeze, crash

A new bug has been revealed for Apple iMessage that causes the app to freeze. YouTube user vincedes3 posted a video on his channel demonstrating how a vcf attachment sent on iPhone running on iOS 8 to 10.2.1 makes your iMessage vulnerable to the bug. Clicking on the malicious message, which is basically a large vcf file, will cause iMessage app to freeze. You can dismiss iMessage from recently used apps on your iPhone, but reopening will cause it to crash.
“When you click, iOS want to read the text, the text in the file is very complicated for the system and cause a CPU average: the app freeze. You close the app, want to reopen but iOS want to reload the previous message but can’t because it’s the vcf file,” vincedes3 explains on his site.

However, he has provided a ‘magical link’ on the site, which he claims will make the bug go away, restoring iMessage app to normal. However, he has warned the fix (link) doesn’t work for some iPad devices. Users will need to open the given link on Safari browser. The link then starts to fix your app and you receive a message in the end that says, “‘I have just save you’re iPhone bro ;-)”
The exploit is particularly destructive in that restarting the Messages app, or even the iPhone, is ineffective, unless the owner looks to Vincedes3’s blog post for a solution.
Along with access to a copy of the vCard, Vincedes3 has thankfully detailed multiple ways of restoring the iOS device to normal. The exploit works on the premise that Apple’s iOS will always try to open the most recently opened text. By sending yourself a message and then opening it via Siri, the exploit will move down the list of messages and become ineffective. Alternatively, the hacker has supplied a link which can be opened in Safari to restore the iOS device to normal.
This is not the first bug facing iOS devices in recent times. A five-second video was shared by YouTube channel EverythingApplePro, and viewing it on Safari caused iOS to crash. However, the bug wasn’t limited to one iOS build.
In May last year there was a bug which caused iPhones running iOS 8.3 to crash when a message containing a specific string of text was received. Apple had later issued a software fix for the bug. The Cupertino giant is likely to do the same this time around as well.

Posted by at No comments:

Tuesday 20 December 2016

About Me | Sapna Juneja

Sapna Juneja|CEH

 Ethical Hacker | Cyber Forensics Investigator | Information Security Consultant

With a 4 + years of experience in various domains of Information Security, I have been able to solve very complex security problems across many technologies and then teach and enable the clients to do the same. 

I have worked and gained expertise in various technical and business domains - Malware Analysis, Ethical Hacking, Social Engineering, Phishing, ISO Auditing Reverse Engineering, Infrastructure Configuration Security audit, Malware analysis , Cyber Crime Investigation, Spam Analysis .

I hold the Following Certifications : 

Certified Ethical Hacker by EC Council (CEH)
Cyber Forensics
Certified Spam Fighter
Posted by at No comments:

Friday 16 December 2016

Ubuntu App Crash Reporter Bug Allows Remote Code Execution


A security researcher has discovered a vulnerability in Ubuntu’s crash reporter that would allow remote code execution, making it possible for an attacker to compromise a system using just a malicious file.
Donncha O'Cearbhaill writes that the security bug resides in the Apport crash reporting tool on Ubuntu, which can be tricked into opening a malicious crash file that includes Python code executed on launch.
“The vulnerable code was introduce on 2012-08-22 in Apport revision 2464. This code was first included in release 2.6.1. All Ubuntu Desktop versions 12.10 (Quantal) and later include this vulnerable code by default,” the researcher notes.
A proof-of-concept shows that it’s possible to compromise a system using this vulnerability with the help of a malicious file, which allows for arbitrary code execution when clicked. In the demo, the researcher launched Gnome calculator with a simple crash report file, explaining that the code can be saved with the .crash extension or any other extension that is not registered on Ubuntu.
“Apport typically reads a subset of the fields in the crash file in order to prepare the GUI which prompts the user to submit a bug report. The CrashDB field is not parsed and executed until after the user agrees to submit the bug report. However when ProblemType: Bug is set in the crash file, Apport-GTK will switch to the streamlined Bug GUI which causes the CrashDB field to be parsed and executed without any further user interaction,” he explains.

Flaw already patched

The good thing is that the flaw has already been patched in Ubuntu on December 14, and the CrashDB code injection issue is listed as CVE-2016-9949 and the path traversal bug is CVE-2016-9950.
O'Cearbhaill ends his research note with an advice for security researchers to audit free and open-source software because vulnerabilities like this can still exist, allowing attackers to take control of unpatched systems.

He notes that researchers are often approached to sell the vulnerabilities they find, and only in this case, he was offered $10,000 to provide all the details of the crash reporting app bug. O'Cearbhaill emphasizes that companies need to offer bigger incentives to researchers for their work, explaining that Google and Microsoft are going in the right direction with their bug bounty programs.

Donncha O'Cearbhaill Said

I would encourage all security researchers to audit free and open source software if they have time on their hands. Projects such as Tor, Tails, Debian and Ubuntu all need more eyes for audits which can improve the safety of the internet for everyone. There are lots of bugs out there which don’t need hardcore memory corruption exploitation skills. Logic bugs can be much more reliable than any ROP chain.


Follow Link to watch the video Demonstration :

https://vimeo.com/194867494


Posted by at No comments:

Wednesday 14 December 2016

Facebook Messenger Hijacked(Originnull Vulnerability)

Critical Issue found in Private Chats of Facebook which allowed attackers to read all your Private Conversations.

A Security Researcher has discovered this Vulnerability which is affecting the privacy of around 1.8 billion messenger users.
How Attackers targeting us?

All they are doing is redirecting us to a malicious website. Once we have clicked on the link. All private conversations either from Facebook messenger or a web browser, would be accessible to attacker including photos and video's as well.

 Dubbed Origin-null Vulnerability as Facebook hats are linked to another servers {number}-edge-chat.facebook.com which is not on actual Facebook domain.

 This Issue was discovered and reported to Facebook by Security Researcher Ysrael Gurt(Facebook has since fix this flaw.)
The Vulnerability discovered is a cross-origin bypass attack which allows the hacker to use an external website to access and read a use's private Facebook messages. Normally the Browser protects Messenger users from such occurrences by only allowing Facebook pages to access this information. However, Facebook opens a "bridge", in order to enable "subsites" of Facebook.com to access Messenger Information. A Vulnerability in the manner in which Facebook manages the identity of these subsites makes it possible for a malicious website to access private Messenger Chats.


"Communication between the JavaScript and the server is done by XML HTTP Request (XHR). In order to access the data that arrives from 5-edge-chat.facebook.com in JavaScript, Facebook must add the "Access-Control-Allow-Origin" header with the caller’s origin, and the "Access-Control-Allow-Credentials" header with "true" value, so that the data is accessible even when the cookies are sent," Gurt explained"

The root of this issue was misconfigured cross-origin header implementation on Facebook's chat server domain, which allowed an attacker to bypass origin checks and access Facebook messages from an external website.

This was a critical issue, not only due to high number of affected users, but also because if any victim sent their messages using another computer or mobile, they were still completely Vulnerable"


 Access-Control-Allow-Origin: null

Gurt has also release a proof-of concept video demonstration of Originnull vulnerability, which shows the cross-origin-bypass-attack in action.


The Researcher disclosed this critical Vulnerability to Facebook through Bug Bounty Program.

Facebook team has acknowledged the issue and patched the Vulnerable Component.

Posted by at No comments:

Tuesday 13 December 2016

More Firmware Backdoor Found in 26 Low-Cost Android Devices(Android is no more Safe)

Android is no more Safe.

Here's is some bad news about Android User's.

Security Researcher comes up with new malware(Backdoor) hidden in the firmware of Several low end Android Smartphones and tablets, which displays advertisements on the top of running applications and install unwanted applications on the devices of unsuspected users.

Security Researchers from Russian antivirus vendor Dr.Web explained that this malware appears to be added by  "dishonest outsources who took part in creation of Android system images decided to make money on users"


 According to a report, the following 26 Android device models are affected:

  •     MegaFon Login 4 LTE
  •     Irbis TZ85
  •     Irbis TX97
  •     Irbis TZ43
  •     Bravis NB85
  •     Bravis NB105
  •     SUPRA M72KG
  •     SUPRA M729G
  •     SUPRA V2N10
  •     Pixus Touch 7.85 3G
  •     Itell K3300
  •     General Satellite GS700
  •     Digma Plane 9.7 3G
  •     Nomi C07000
  •     Prestigio MultiPad Wize 3021 3G
  •     Prestigio MultiPad PMT5001 3G
  •     Optima 10.1 3G TT1040MG
  •     Marshal ME-711
  •     7 MID
  •     Explay Imperium 8
  •     Perfeo 9032_3G
  •     Ritmix RMD-1121
  •     Oysters T72HM 3G
  •     Irbis tz70
  •     Irbis tz56
  •     Jeka JK103

These all are low cost devices, mostly marketed in Russia, and which run on MediaTek platform.

Malware Pushes to add Unwanted Applications


The Trojans, detected as Android.DownLoader.473.origin and Android.Sprovider.7, are capable of collecting data about the infected devices, contacting their command-and-control servers, automatically updating themselves, covertly downloading and installing other apps based on the instructions it receives from their server, and running each time the device is restarted or turned on.
Currently, this malware is forcibly downloading and installing the H5GameCenter app. This application is a Play Store-like app catalog that allows users to install other apps. The app is considered extremely intrusive because it shows its icon (an open blue box) floating above other apps non-stop, such as in the image below, and without an option to disable this behavior.
If users remove the H5GameCenter app, the firmware malware will reinstall it at a later point.

How to Identify


  • if you will see any unwanted application notification on current Running application and asking again and again to install apps identifies your android device is infected .

How to Prevent

  • Don't install any unwanted applicaions.
  • Don't Change Default settings of your Android  Device.
  • Read ever Terms and Conditions before installing any applicaion


Posted by at No comments:

Thursday 8 December 2016

Critical Yahoo Flaw Allowed Hackers to Read User Email's

YAHOO! has recently fixed its severe vulnerability in its email system which were allowing Hackers to read Emails of all users.

It was  a DOM Based persistent XSS ( Cross Side Scripting ) attack which was allowing attacker to read all victim emails and as well as allows attacker to send emails Embedded with malicious Scripts.

Researcher Juko Pynnonen has exposed this Flaw through HackerOne Bounty Programme.



He also explained that this is a flaw similar to last's years Email Bug, which also lets attacker to compromise a user's account.  Yahoo Filters HTML messages and ensures that malicious code won't infect or come through user's browser, but the researcher found the flaw that its not catching all the attributes.

He also demonstrated how victim is redirected to external site and created a virus and attached itself to all outgoing emails by secretly adding a malicious script to message signatures and as soon as the victim's open that malicious email and its hidden script it immediately submit victim's inbox content to an external website controlled by the attacker.

"Pynnonen says he found the vulnerability by force-feeding all Known HTML tags and attributes in order to filter Yahoo uses to weed out Malicious HTML, but certain malicious HTML code manage ed to pass through "


"Juko Pynnonen also awarded $10,000 for privately disclosing it through HackerOne Bounty Programme.
Posted by at No comments:
Subscribe to: Posts (Atom)