Global Moderators

Forum wide moderators

  • Panic Button: a program that urgently erases all your data

    The CyberYozh security group team announced the release of the Panic Button, the first program for the emergency destruction of digital data on Windows computers. Any penetration into the computer, whether it is secretly gaining access by a colleague or extracting information by law enforcement officials, triggers the immediate and irreversible destruction of data.

    This program is intended for everyone who wants to protect confidential information from unauthorized access or forensic analysis. This category includes journalists, entrepreneurs, officials and politicians, as well as ordinary users who fear cybercriminal attacks.

    Importantly, the Panic Button can be activated both by user action (clicking a shortcut or pressing a predefined key combination) and automatically, in logic-bomb mode. The user sets a specific action in the program settings, and failure to perform that action leads to the destruction of the confidential data. Thus the logic bomb fires if access to the computer is obtained covertly or by force.

    Panic Button can urgently destroy data on user activity in the operating system: information about the last viewed documents, images and running programs. It also destroys data on network activity - browser history and cache, cookies, bookmarks and saved passwords. The program works with all popular browsers: Chrome, Mozilla, Opera, Edge and Yandex.Browser.

    In addition, when activated, the Panic Button destroys any files specified in the program settings. If desired, the user can configure the sending of email notifications about the operation of the program.

    As a result, the Panic Button can perform the following actions:

    Urgently destroy all information about user activity in the system and on the network;

    Urgently destroy any files specified in the program settings;

    Trigger automatically on unauthorized access to a computer;

    Activate on covert attempts to penetrate the computer.

    posted in Announcements
  • A rare language, an atypical encryptor.

    Intezer experts and the IBM X-Force IRIS team have published an analysis of the new PureLocker ransomware, which has a number of features unusual for programs of this kind. The ransomware primarily attacks corporate servers running Windows and Linux.

    Noteworthy is the programming language it is written in: PureBasic. This is not the most common language; on the other hand, it is, firstly, cross-platform, and secondly, strangely enough, many antiviruses struggle with programs written in it.

    “An unusual choice provides attackers with a number of benefits,” the researchers write. “Antivirus vendors struggle to generate reliable signatures for PureBasic binaries. In addition, PureBasic code can easily be ported to Windows, Linux and OS X, which simplifies attacks on various platforms.”

    PureBasic even supports AmigaOS.
    Researchers also counted its anti-detection mechanisms among the encryptor's atypical features.

    For example, the malware tries to avoid hooking of NTDLL API functions by loading a second copy of ntdll.dll and resolving API addresses from it. API hooking lets antivirus systems see exactly what each function the program calls does, when, and with what parameters.

    The researchers noted that this is a common detection-evasion technique, but encryptors use it very rarely.

    In addition, the malware calls the Windows utility regsvr32.exe to silently install the PureLocker library component; no dialog boxes are shown to the user.

    Later, the ransomware checks that it was actually launched by regsvr32.exe and that its file extension is .dll or .ocx; in addition, it checks whether the year on the machine is 2019 and whether the victim has administrative rights. If at least one condition is not met, the malware deactivates and takes no action.
    Level 120 Stealth

    According to the experts, this behavior is not typical of encryptors, which usually show no particular selectivity; on the contrary, they seek to infect as many machines as possible.

    If the encryptor is “happy with everything,” it starts encrypting the files on the victim’s machine using a combination of AES and RSA, with an RSA key embedded in it. All encrypted files receive the extension .CR1, and the original files are destroyed. After leaving a ransom note, the encryptor file self-destructs.

    Here is another surprise: the ransom note does not name an amount. Each victim is invited to write to a unique address on the ProtonMail secure mail service to negotiate.

    Experts believe that PureLocker is just one step in a complex infection chain.

    While analyzing the code, the researchers found in PureLocker borrowings from the more_eggs backdoor, which is offered on the darknet in MaaS (malware-as-a-service) format. It is actively used by the financial cybercrime groups Cobalt Group and FIN6.

    The borrowed code that points to a connection with the Cobalt Group belongs to a specific component that Cobalt uses in its multi-stage attacks: the DLL dropper used to protect against detection and analysis. The experts believe the more_eggs developer has added a new malware kit to the arsenal offered to other cybercriminal groups, giving the former backdoor encryptor functionality.

    “This solution is not without a certain elegance,” said Anastasia Melnikova, an information security expert at SEC Consult Services. “It’s easier to add an ‘unexpected’ function to an existing kit and make the malware even more dangerous than to write from scratch a highly targeted encryptor that can resist detection and analysis. For potential victims, however, this ‘elegance’ only bodes even more trouble than before. The ransomware function, apparently, is literally designed to finish off a victim whom the attackers have already managed to rob using their other programs.”

    posted in Announcements
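Detection logic for the regsvr32 behaviour described in the post above, as an added example (this is not code from the Intezer/IBM X-Force report and does not come from PureLocker). It scores Sysmon-style process-creation events: a .dll/.ocx registered with the silent `/s` switch from outside the usual program directories is worth an alert. The events, the `/s` switch and the trusted-directory list are my assumptions, not details taken from the report.

```python
"""Flag regsvr32 silently registering a .dll/.ocx from a user-writable location.
Added example; the events below are constructed, not real telemetry."""
import re
from dataclasses import dataclass

# Directories where legitimately installed COM servers usually live (assumption).
TRUSTED_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


@dataclass
class ProcEvent:
    image: str          # full path of the created process
    command_line: str   # its command line
    parent_image: str   # full path of the parent process


def base_name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def registered_module(cmdline: str):
    """Return the .dll/.ocx argument passed to regsvr32 (quoted or bare), or None."""
    for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', cmdline):
        tok = quoted or bare
        if tok.lower().endswith((".dll", ".ocx")):
            return tok
    return None


def assess(ev: ProcEvent):
    """Return (score, reasons). A score of 2 means both suspicious signals fired."""
    reasons = []
    if base_name(ev.image) != "regsvr32.exe":
        return 0, reasons
    module = registered_module(ev.command_line)
    if module is None:
        return 0, reasons
    # /s suppresses the success/failure dialog: the "silent install" from the post.
    if re.search(r"(^|\s)/s(\s|$)", ev.command_line, re.IGNORECASE):
        reasons.append("silent /s switch")
    if not module.lower().startswith(TRUSTED_PREFIXES):
        reasons.append("module outside trusted directories: " + module)
    return len(reasons), reasons


def alerts(events):
    """Events that deserve an analyst's attention."""
    return [ev for ev in events if assess(ev)[0] >= 2]


# Constructed sample telemetry: an installer registering a vendor DLL (benign),
# a downloaded executable registering an OCX from %TEMP% (suspicious), and noise.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32.exe /s "C:\Program Files\Vendor\vendorctl.dll"',
              r"C:\Windows\System32\msiexec.exe"),
    ProcEvent(r"C:\Windows\SysWOW64\regsvr32.exe",
              r'regsvr32 /s "C:\Users\alice\AppData\Local\Temp\upd.ocx"',
              r"C:\Users\alice\Downloads\invoice.exe"),
    ProcEvent(r"C:\Windows\System32\svchost.exe",
              "svchost.exe -k netsvcs",
              r"C:\Windows\System32\services.exe"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        score, reasons = assess(ev)
        print(score, ev.command_line, reasons)
```

The two signals are deliberately independent: silent registration from a vendor directory is routine installer behaviour and scores only 1, while the same switch applied to a module under a user profile scores 2.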
  • Vulnerability allows attackers to listen and intercept VPN connections

    Researchers from the University of New Mexico have discovered a vulnerability affecting Ubuntu, Fedora, Debian, FreeBSD, OpenBSD, macOS, iOS, Android and other Unix-based operating systems. The problem makes it possible to eavesdrop on, intercept and interfere with VPN connections.

    The bug received the identifier CVE-2019-14899. The root of the problem lies in the network stacks of a number of Unix-based operating systems, more precisely in how these OSs respond to unexpected network packets. An attacker can use the vulnerability to “probe” the device and learn various details about the state of the user's VPN connection.

    Attacks can be carried out from a malicious access point or router, or by an attacker on the same network, to determine whether another user is connected to a VPN, find out the virtual IP address assigned by the server, and determine whether the victim is connected to a specific site. Even worse, the bug makes it possible to determine the exact sequence numbers of packets in certain VPN connections, which can be used to inject data into the TCP stream and compromise the connection.

    Researchers report that they have successfully exploited the vulnerability in the following operating systems, and also write that the problem extends to Android, iOS and macOS:

    Ubuntu 19.10 (systemd)

    Fedora (systemd)

    Debian 10.2 (systemd)

    Arch 2019.05 (systemd)

    Manjaro 18.1.1 (systemd)

    Devuan (sysV init)

    MX Linux 19 (Mepis + antiX)

    Void Linux (runit)

    Slackware 14.2 (rc.d)

    Deepin (rc.d)

    FreeBSD (rc.d)

    OpenBSD (rc.d)

    It is emphasized that the attack works against OpenVPN, WireGuard, IKEv2/IPsec and others, since the VPN technology itself does not matter, nor does the use of IPv4 or IPv6.

    posted in General Discussion
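An added example, not from the University of New Mexico researchers: an audit of Linux reverse-path filtering, the host-side setting that the original disclosure listed among the mitigations for CVE-2019-14899 (several distributions had moved its default from strict to loose). The code assumes the standard sysctl layout `/proc/sys/net/ipv4/conf/<iface>/rp_filter` with 0 = off, 1 = strict, 2 = loose, and the kernel rule that the higher of `conf/all` and `conf/<iface>` applies; the interface tables used in the checks are constructed.

```python
"""Audit reverse-path filtering on Linux (CVE-2019-14899 mitigation check).
Added example; assumes the /proc/sys/net/ipv4/conf/<iface>/rp_filter layout."""
from pathlib import Path

OFF, STRICT, LOOSE = 0, 1, 2
NAMES = {OFF: "off", STRICT: "strict", LOOSE: "loose"}
SYSCTL_ROOT = Path("/proc/sys/net/ipv4/conf")


def effective_rp_filter(all_value: int, iface_value: int) -> int:
    """The kernel uses max(conf/all, conf/<iface>) when validating the source
    address of a packet arriving on <iface>, so all=2 silently downgrades an
    interface that is individually set to strict."""
    return max(all_value, iface_value)


def audit(settings: dict) -> dict:
    """settings: {'all': int, 'default': int, '<iface>': int, ...}
    Returns {iface: (effective_value, name)} for every real interface."""
    all_value = settings.get("all", OFF)
    result = {}
    for iface, value in settings.items():
        if iface in ("all", "default"):
            continue
        eff = effective_rp_filter(all_value, value)
        result[iface] = (eff, NAMES.get(eff, str(eff)))
    return result


def weak_interfaces(settings: dict, ignore=("lo",)) -> list:
    """Interfaces not in strict mode, sorted. The physical interface matters
    most: the probing described above sends packets to the tunnel's virtual
    address via the LAN interface, which strict filtering rejects."""
    return sorted(iface for iface, (eff, _) in audit(settings).items()
                  if eff != STRICT and iface not in ignore)


def read_live_settings(root: Path = SYSCTL_ROOT) -> dict:
    """Read the current values from /proc (Linux only)."""
    settings = {}
    for entry in root.iterdir():
        rp = entry / "rp_filter"
        if rp.is_file():
            settings[entry.name] = int(rp.read_text().strip())
    return settings


# Constructed examples of what a laptop might look like.
LAPTOP_STRICT_ALL_OFF = {"all": 0, "default": 1, "lo": 0,
                         "eth0": 1, "wlan0": 2, "tun0": 0}
LAPTOP_LOOSE_GLOBAL = {"all": 2, "default": 2, "eth0": 1, "tun0": 1}

if __name__ == "__main__":
    live = read_live_settings()
    for iface, (eff, name) in sorted(audit(live).items()):
        print(f"{iface:10} rp_filter effective={eff} ({name})")
    weak = weak_interfaces(live)
    print("weak:", ", ".join(weak) if weak else "none")
```

The second constructed table is the trap to look for: every interface is set to strict, yet `all=2` makes each of them loose. Fixing it means setting both `net.ipv4.conf.all.rp_filter` and the per-interface value to 1.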
  • The main differences between social engineering and social programming.

    We define social engineering as the manipulation of a person or a group of people with the aim of breaking into security systems and stealing important information.

    Social programming can be used independently of any hacking, and for anything: for example, to calm an aggressive crowd or to secure a candidate's victory in the next election, or, conversely, to smear a candidate and make a peaceful crowd aggressive. Importantly, here there is no longer any talk of a specific computer.

    Thus, we will use the term social engineering when it comes to an attack on a person who is part of a computer system.
    Note

    Sometimes, in addition to the term social engineering, the term reverse social engineering is also used. The essence is that with reverse social engineering you do not directly force a person to do anything, but create conditions in which he turns to you himself.

    For example, if you need to enter an organization under the guise of a telephone technician, you can simply come and start checking the phone boxes. In this terminology, that is social engineering.

    But you can do it differently. You create a situation in which you become known as the telephone technician at a particular organization. After that, you wait for something to happen to the phones, or do something to them yourself, and calmly wait for someone to call and ask you to come. This is reverse social engineering.

    Thus, you do not show up out of nowhere for no reason; you are asked to come. Of course, the second case is much preferable, because it removes all suspicion from you.

    Social programming can be called a science that studies methods of targeted influence on a person or group of people in order to change or maintain their behavior in the desired direction. Thus, in essence, the social programmer aims to master the art of managing people.

    The basic premise of social programming is that many human actions and reactions to a particular external influence are in many cases predictable. This, generally speaking, is a very interesting matter. But for the most part it is true. The general scheme of the methods used by social programmers is shown in the picture.
    In social programming, the development of an influence scheme proceeds from the end, i.e., from the desired outcome.

    I will give you one very simple and very bad example. Suppose there is someone, say a deputy, who is very much bothered by his boss. Suppose this deputy knows that his boss has a bad heart and weak blood vessels, and that this heart-sick man likes to hit the bottle. His relatives, of course, follow him around and take the glass away, and it even works. And our deputy, one way or another, begins to purposefully ply his heart-sick boss with drink. In the end the vessels give out. Hemorrhagic stroke. The deputy became the boss. At the funeral he sobbed the loudest, and afterwards remained the closest friend of the family. Despite the fact that he actually killed the head of that family.

    Why are the methods of social programming wonderful for criminals? Because either no one will ever learn of them, as in the example above, or, even if someone learns something, it is very difficult to bring such an agent to justice. After all, there is no article “Driving someone to a stroke” in the criminal code. And if there were, go and prove that it was so, because the “driven” man did everything entirely voluntarily, being of sound mind; no one hypnotized him or irradiated him with electromagnetic rays...

    We have considered this rather classical and very simple scheme of the negative application of social programming. In different variations this scheme has been in use since ancient times, if we recall history.

    In this case, the desired result is the physical elimination of the opponent. So, the goal is formulated. Next the psychophysical characteristics are worked out, as a result of which the tendency to drink and the presence of chronic cardiovascular disease are identified. Then a means of influence is developed (excessive alcohol consumption), which, if applied correctly, gives the intended result.

    It is very important that the behavior be natural for the person himself. This is the interesting part. For this, the calculation of psychophysical characteristics is performed.

    Because otherwise it would not be social programming. After all, when a serial killer, for example, has already chosen a victim and intends to kill her, he also knows something about the victim’s future that she does not yet know about herself (that she will soon leave this world). But, you must admit, the victim’s behavior in this case can hardly be called natural: it is hard to imagine that meeting maniacs is her natural pastime. Thus, social programming is when you artificially model a situation for a specific person, in which you know how that person will act, based on knowledge of his psychotype. The same applies to a group of people.

    ...

    Social programming, in contrast to social engineering, has a broader scope, because it works with all categories of people, regardless of which part of the system they are. Social engineering, however, always works only with a person who is part of a computer system, although similar methods are used in both cases.

    Another important difference is that social engineering is almost always a negative field of application, while social programming, like any field of knowledge, has both positive and negative applications. One example of the negative application of social programming is precisely social engineering.

    To conclude the conversation on social programming, here is a well-known example of how skillfully people can be manipulated.

    Once, a grandmaster received a letter in which an unknown person, introducing himself as a young beginning chess player, offered to play a game of chess by correspondence, the moves being sent by mail. The grandmaster was promised a very large sum of money for a win; in case of a draw or, God forbid, a loss, the grandmaster would pay, though only half the amount he would receive if the young chess player lost. The grandmaster agreed without hesitation. They made the bet and began to play.

    From the very first moves the famous grandmaster realized that he would not earn the money “for free,” because the opening moves already revealed a promising master. In the middle of the match the grandmaster lost peace and sleep, constantly calculating the next moves of an opponent who turned out to be not just a promising master but a very strong one.

    In the end, after considerable time, the grandmaster barely managed to hold the game to a draw, after which he showered the young man with compliments and offered him not money but his patronage, saying that with such talent he would make him world champion.

    But the young chess player said that he did not need world fame and asked only that the conditions of the bet be fulfilled, that is, that the money he had won be sent. Which the grandmaster did, reluctantly.

    And where is the manipulation?

    posted in Blogs
  • Provider defeats Roskomnadzor in court over plans to install SORM

    The court sided with a provider in a dispute with Roskomnadzor over plans to install a system of operational-search measures (SORM). The Roskomnadzor office for the Chelyabinsk Region tried to hold Kvantum JSC administratively liable for violating the rules of interaction with the FSB in developing plans for the introduction and modernization of equipment, and to that end applied to the Arbitration Court of St. Petersburg and the Leningrad Region.

    However, the court dismissed the claim, and the court of appeal upheld the decision.

    According to the case file, the Chelyabinsk Region office of Roskomnadzor received materials from the regional FSB directorate according to which Kvantum JSC had allegedly violated the requirements of Russian communications legislation.

    In particular, it was stated that at the end of April 2019 the FSB directorate for the Chelyabinsk Region informed Kvantum JSC that, in order to modernize SORM on the operator's networks, a new plan for the introduction of SORM technical means had to be developed and agreed with the directorate by the end of June 2019. By the appointed time, Kvantum JSC had not fulfilled the requirement.

    In July, an administrative offense report was drawn up against Kvantum, and the case materials were then transferred to the court.

    However, the court found that the deadlines set in the letter for approval of the new plan had been determined unilaterally by the Chelyabinsk FSB directorate. In addition, the court found that the plan proposed by the FSB does not meet the current requirements of the Russian Ministry of Communications, since the plan states that at the first stage of SORM implementation the telecom operator provides copies of the certificates of conformity for the SORM equipment, whereas the current version of the requirements contains no such paragraph.

    It was also established that at the time the letter about the need to develop a new plan was sent, a plan signed by all parties already existed and was valid until the 4th quarter of 2019. Evidence of circumstances that would have made the development of a new plan necessary was not presented to the court.

    Based on the foregoing, the Arbitration Court of St. Petersburg and the Leningrad Region rejected the plaintiff's claims, and the Thirteenth Arbitration Court of Appeal then upheld this decision.

    Recall that SORM equipment (systems of operational-search measures) is currently being introduced, and its introduction prepared, on communication operators' networks as part of the “Yarovaya package.”

    posted in Announcements
  • Facebook collects data on user activity outside the social network

    On Tuesday, January 28, Facebook introduced the new “Off-Facebook Activity” feature, which not only lets users clear their activity history outside the social network but also shows that Facebook is tracking them even when the app is closed.

    To select relevant ads on Facebook and on Instagram and Messenger, which belong to it, the company does not need to eavesdrop on or spy on users through the cameras and microphones of their devices; it has other tools for this. Facebook knows when a user visited the site of a politician they support, read the news in a newspaper, bought something in an online store or opened a “smart” lock using an application.

    Now, thanks to the “Off-Facebook Activity” function, the user can find out which sites and applications have sent Facebook information about them in the past 180 days.

    “Off-Facebook activity includes your interactions with the companies and organizations that they tell us about, for example when you visit their sites via Facebook. [...] Companies and organizations that use our business tools can send us information about actions on their websites or applications. This allows us to personalize content, for example, to select the most relevant ads for you. In accordance with our requirements, companies and organizations must notify users in advance that they will use our business tools,” the feature description says.

    The function is hidden in the application's “Settings” and is mostly informational. It really does allow you to delete the activity history outside the social network, but this affects neither the number of ads displayed, nor the further collection of information, nor the selection of advertising.

    posted in Announcements
  • Once we get onto a victim's computer, the first thing to do is assess and understand where we have managed to gain a foothold.


    For those interested, let's get started:

    1. systeminfo gives us information about:
    • the host name;
    • the OS name and version;
    • the installation date and OS boot time (this gives an idea of how often the PC reboots);
    • the OS bitness (many programs work only on a certain bitness);
    • the time zone and system language (to understand what part of the world we are in);
    • then the important point: find out whether the PC is in a domain or not. This is determined by the Domain and Logon Server lines: if the Logon Server matches the host name and the domain is WORKGROUP, the PC is not in a domain; if the Logon Server differs from the host name, the PC is most likely in a domain (to know for sure, run the whoami command and look at the full path of the username);
    • the next point is the installed hotfixes, which let you understand whether the computer is being updated, so that you can try certain vulnerabilities in the system;
    • network adapters: find out the number of interfaces and their IP addresses.
    2. tasklist /V /FI "MODULES ne WOW64.dll" && tasklist /V /FI "MODULES eq WOW64.dll" - I advise using this command with the filters, since it makes it possible to understand the bitness of a running process, which you need to know for process injection.

    3. And of course we are interested in what kind of documents are handled on the computer; for this we use the command dir /q /x %appdata%\Microsoft\Office\Recent, which shows links to the last opened documents.

    4. tracert google.com will tell you which routers packets from the victim's computer pass through and which provider the victim uses.

    5. whoami /priv shows the rights of the user working on the PC (a rather lucky outcome is when we have SeDebugPrivilege), which allows running programs that require administrator rights.

    posted in Blogs
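An added example, not part of the post above: a parser for the output of `systeminfo` and `whoami /priv` that applies the post's domain-membership heuristic (Logon Server equal to the host name plus a WORKGROUP domain means a standalone machine) and pulls out the other fields the post lists. Both command outputs are constructed here from the documented English field names; the host, domain, hotfix and IP values are invented.

```python
"""Parse systeminfo / whoami /priv output and apply the post's checks.
Added example; the two sample outputs are constructed, not captured."""
import re

SYSTEMINFO_SAMPLE = """\
Host Name:                 WS-042
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.18362 N/A Build 18362
Original Install Date:     3/2/2019, 10:11:03 AM
System Boot Time:          12/1/2019, 8:02:45 AM
System Type:               x64-based PC
Time Zone:                 (UTC+03:00) Moscow, St. Petersburg
Domain:                    corp.example
Logon Server:              \\\\DC01
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB4524570
                           [02]: KB4520390
                           [03]: KB4519990
Network Card(s):           2 NIC(s) Installed.
                           [01]: Intel(R) Ethernet Connection
                                 IP address(es)
                                 [01]: 10.10.4.23
                           [02]: Realtek Wireless
                                 IP address(es)
                                 [01]: 192.168.1.50
"""

WHOAMI_PRIV_SAMPLE = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeDebugPrivilege              Debug programs                       Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
"""


def parse_systeminfo(text: str) -> dict:
    """Top-level 'Key: value' fields plus the hotfix and IP address lists."""
    info, hotfixes, ips = {}, [], []
    for line in text.splitlines():
        m = re.match(r"^(\S[^:]*?):\s*(.*)$", line)     # unindented = new field
        if m:
            info[m.group(1)] = m.group(2).strip()
            continue
        kb = re.search(r"\[\d+\]:\s*(KB\d+)", line)       # indented hotfix entries
        if kb:
            hotfixes.append(kb.group(1))
        ip = re.search(r"\[\d+\]:\s*(\d{1,3}(?:\.\d{1,3}){3})$", line.strip())
        if ip:
            ips.append(ip.group(1))
    info["hotfixes"] = hotfixes
    info["ip_addresses"] = ips
    return info


def domain_joined(info: dict) -> bool:
    """The post's heuristic: Logon Server == host name and Domain == WORKGROUP
    means standalone; anything else means (probably) domain-joined."""
    host = info.get("Host Name", "").upper()
    logon = info.get("Logon Server", "").lstrip("\\").upper()
    domain = info.get("Domain", "").upper()
    return not (logon == host and domain == "WORKGROUP")


def is_64bit(info: dict) -> bool:
    return "x64" in info.get("System Type", "")


def parse_privileges(text: str) -> dict:
    """Map Se*Privilege name -> 'Enabled'/'Disabled' from whoami /priv."""
    privs = {}
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0].startswith("Se") and parts[-1] in ("Enabled", "Disabled"):
            privs[parts[0]] = parts[-1]
    return privs


def summarize(systeminfo_text: str, whoami_text: str) -> dict:
    """The foothold summary the post asks for, as one dictionary."""
    info = parse_systeminfo(systeminfo_text)
    privs = parse_privileges(whoami_text)
    return {
        "host": info.get("Host Name"),
        "os": f'{info.get("OS Name")} ({info.get("OS Version")})',
        "x64": is_64bit(info),
        "domain_joined": domain_joined(info),
        "hotfix_count": len(info["hotfixes"]),
        "ips": info["ip_addresses"],
        "sedebug": privs.get("SeDebugPrivilege") == "Enabled",
    }

if __name__ == "__main__":
    for key, value in summarize(SYSTEMINFO_SAMPLE, WHOAMI_PRIV_SAMPLE).items():
        print(f"{key:14} {value}")
```

On a non-English Windows the field labels differ, so the regexes would need the localized keys; the structure (unindented `Key:` lines, indented `[NN]:` entries) is the same.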
  • The latest version is 3.14 from May 2019.

    The latest version is 3.14 from May 2019. This is an excellent framework for exploitation and post-exploitation. Beacon is used as the payload; it can obfuscate itself and sleep to bypass antiviruses. It supports migration into processes. It is suitable as a C2 server and is especially convenient for managing a large scope. Out of the box it has a one-click payload generator as well as various delivery methods, which saves a lot of time.

    Cobalt Strike's creed is stealth. Beacon spends most of its time frozen or asleep, and only a “heartbeat” is sent to the C2, so it is not easy to detect.

    The biggest drawback of Cobalt is that it is not available to ordinary users. Cobalt Strike is a commercial product, and the developers take distribution seriously. There is a 21-day trial period, but in this mode you will encounter significant limitations.

    Cobalt Strike generates its own executables and DLLs using the Artifact Kit. They, in turn, deliver the payload, which helps bypass some antiviruses. The trial version includes only the Artifact Kit template, without the ability to build executable files.

    Also, the trial version of Cobalt does not load or use Malleable C2 profiles. This is the feature that lets users change the network indicators of the Beacon payload. Every trial HTTP GET request includes an X-Malware header with the EICAR string as its content. Similarly, the Java attack modules include an EICAR file inside the .jar packages.

    Finally, the primary Cobalt Strike payload encoder has been removed from the trial version. All these restrictions are made so that the trial version cannot be used for malicious purposes.

    posted in Must-have! ( Hacking Tools
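Two defender-side checks that follow from the post above, written as an added example (not Cobalt Strike code and not from the post's author): the X-Malware/EICAR header that the trial build adds to Beacon HTTP requests, and the regularity of a sleeping Beacon's heartbeat, measured as the coefficient of variation of the gaps between requests from one host. The request headers and the two timestamp series are constructed; the 0.2 threshold is an assumption to be tuned against your own traffic.

```python
"""Trial-build artifact check and beacon-periodicity check for Beacon-style C2.
Added example; headers and timestamps below are constructed."""
import statistics

# The standard EICAR test string (a public antivirus test signature, not malware).
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def trial_artifacts(headers: dict) -> list:
    """Names of trial-build artifacts found in one request's headers."""
    found = []
    lowered = {k.lower(): v for k, v in headers.items()}
    if "x-malware" in lowered:
        found.append("X-Malware header")
        if EICAR in lowered["x-malware"]:
            found.append("EICAR test string")
    return found


def interval_stats(timestamps, min_samples=8):
    """(median gap, coefficient of variation) of inter-request gaps, or None.
    A Beacon sleeping a fixed interval gives a CV near zero; browsing does not."""
    if len(timestamps) < min_samples:
        return None
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return None
    return statistics.median(gaps), statistics.pstdev(gaps) / mean


def looks_like_beacon(timestamps, max_cv=0.2, min_samples=8) -> bool:
    stats = interval_stats(timestamps, min_samples)
    return stats is not None and stats[1] <= max_cv


def _cumulative(gaps, start=0):
    """Turn a list of gaps into absolute timestamps (helper for the samples)."""
    out, t = [start], start
    for g in gaps:
        t += g
        out.append(t)
    return out


# Constructed: one host checking in every ~60 s, one host browsing normally.
BEACON_TIMES = _cumulative([60, 58, 62, 61, 59, 60, 63, 57, 60, 61])
BROWSING_TIMES = _cumulative([3, 45, 2, 300, 12, 7, 900, 30, 1, 60])

# Constructed request headers as a trial Beacon would send them.
TRIAL_REQUEST_HEADERS = {
    "Host": "cdn.example",
    "User-Agent": "Mozilla/5.0",
    "X-Malware": EICAR,
}

if __name__ == "__main__":
    print("trial artifacts:", trial_artifacts(TRIAL_REQUEST_HEADERS))
    for name, series in (("beacon", BEACON_TIMES), ("browsing", BROWSING_TIMES)):
        print(name, interval_stats(series), looks_like_beacon(series))
```

Beacon's jitter setting deliberately spreads the sleep interval, which raises the CV; a licensed, jittered Beacon needs a looser threshold or a histogram-based test, and the header check catches only trial builds.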
  • Open Databases and Hacking with Shodan

    Increasingly, there is news about leaks. Researchers find confidential information in open databases (MongoDB, Elasticsearch, Kibana, CouchDB, Hadoop and others). After that, scandals begin, serious problems for companies and even court proceedings worth hundreds of millions of dollars. Some examples for visual demonstration can be found in the media.

    Finding open databases with Shodan
    To search for databases, the special search engines Shodan and Censys are used. Databases have a specific pattern in the form of a port and a so-called banner. For example, for MongoDB this is the standard port 27017 and the presence of the banner "mongodb server information". Such patterns exist for other databases.

    The most popular option is MongoDB. At the time of writing, 69,100 results have been indexed. Most of them are closed (this is indicated by the Authentication partially enabled parameter).

    To find open databases, create the query:

    all: "mongodb server information" all: "metrics"

    In this case we get 24,943 results. About that many open databases exist that contain some information. Of course, some of them are dummies with nothing interesting in them. But that is a matter for analysis.

    The USA leads in open MongoDB with a score of 7,915.

    There are fewer results for Elasticsearch: 20,283 indexed entries, and the leader is China.

    port: "9200" all: "elastic indices"

    To work fully with the returned databases (filter records by size, date of entry into the index, number of collections, etc.) you need more functional tools. One of them is Lampyre.

    If you don't want to install software, you can use the familiar Shodan Command-Line Interface. For those who want to work from the command line, I have prepared a file with commands that let you find and analyze data in json or xlsx formats.

    To work with more exotic databases, I recommend LeakLooker. The script is written in Python and works with Shodan. In addition to the standard databases, it supports Kibana and CouchDB.

    Finding open databases with Lampyre
    For more flexible settings, you can use the Lampyre tool for Windows. After downloading the application, you must specify an email address and confirm your account. After starting in Online Mode, click New Investigation, select the folder for storing the project and start working.

    In the List of requests, select Shodan search. Enter the API key and our query in the Query field, which will let us find open databases.

    all: "mongodb server information" all: "metrics"

    You can also specify additional parameters in the Shodan - 2 window, for example country and port. Launch with the "Execute" button. Next come the results. For a graphical display, select "Schema" -> "Network".

    Lampyre can filter the found results with the built-in ExploreDB: MongoDB query. Select the necessary IPs, then right-click and choose ExploreDB: MongoDB from the menu.

    Then we get all the results in a convenient format. You can filter by database size and other parameters that are not in Shodan. Confirmation that a database is open is the text parameter with the status open. It is worth sorting the results by the Size and Count documents parameters, since the most interesting databases will contain the maximum number of records in their tables.

    You can also notice from the screenshots that Lampyre supports working with ExploreDB: ElasticSearch. We do everything by analogy using the query:

    port: "9200" all: "elastic indices"

    We receive the ElasticSearch databases in a convenient form. You can view them by clicking the link in the "http query top 500" column.

    As a result, we find an open database of some store where you can find the phone, creation date, description, email and some other interesting information. Remember, those who seek will always find.

    You can use any manager convenient for you to work with the resulting databases. For example, for MongoDB, NoSQL Manager for MongoDB, Robo 3T or Studio 3T for MongoDB is suitable. Consider, for example, one of the options.

    Analyzing Databases Using Robo 3T for MongoDB
    The choice fell on the free version of Robo 3T. The portable version takes about 15 MB and allows you to quickly connect to the desired database. After starting, we see a window where you need to specify the IP address. Right-click and add it using the Add button.

    Specify the desired IP and click Save.

    After a successful connection we can see the database. If the connection has occurred, a new client will appear in the left pane.

    Next we look at the collections used in the database:

    You can use any manager to work with the database. You can also process the data from the command line. Although Studio 3T for MongoDB has more functionality (available for a 30-day trial period), you saw that you can work quite well with free programs. To each his own.

    Conclusion
    There are really many open databases. Loud news about a data leak comes out almost every week. It can be the database of a hotel, a store or a service center. At a quick glance, among the examples in the article there were two good finds: a store and a bulletin board for selling cars. In the first case it was possible to see the order, description and phone/email of the owner; in the second, the phone and make of the car.

    Very often confidential data is stored unencrypted. Many companies store information and do not even think about the possible consequences. I have demonstrated enough ways to find open databases with terabytes of records. What to do with the information found is your choice.

    posted in Hackers Academy
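An added example, not from the post's author, Shodan or Lampyre: the command-line filtering the post leaves to a prepared file of commands. It reads Shodan banner records in the JSON-lines format that `shodan download` writes and `shodan parse` reads, keeps the MongoDB banners that lack the "Authentication partially enabled" marker, orders them by the reported size, does the same for Elasticsearch on port 9200, and tallies by country. The records are constructed; `ip_str`, `port`, `data` and `location.country_code` are standard Shodan banner fields, while the `totalSize` text inside the MongoDB banner is an assumption about how Shodan's MongoDB module renders it.

```python
"""Sift Shodan banner records for open MongoDB / Elasticsearch instances.
Added example; the records below are constructed, not Shodan output."""
import json
import re
from collections import Counter

AUTH_MARKER = "Authentication partially enabled"   # present on closed MongoDB banners

SAMPLE_RECORDS = [  # constructed, addresses from documentation ranges
    {"ip_str": "203.0.113.10", "port": 27017,
     "location": {"country_code": "US"},
     "data": 'MongoDB Server Information\n{"metrics": {...}, "totalSize": 5242880}\n'},
    {"ip_str": "203.0.113.11", "port": 27017,
     "location": {"country_code": "US"},
     "data": "MongoDB Server Information\n" + AUTH_MARKER + "\n"},
    {"ip_str": "198.51.100.5", "port": 27017,
     "location": {"country_code": "CN"},
     "data": 'MongoDB Server Information\n"totalSize" : 1048576\n'},
    {"ip_str": "198.51.100.7", "port": 9200,
     "location": {"country_code": "CN"},
     "data": "HTTP/1.1 200 OK\nelastic indices:\n  green open orders 5 1 120000\n"},
]
SAMPLE_JSONL = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS)


def parse_banners(jsonl: str) -> list:
    """One banner dict per non-empty line."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def mongo_total_size(banner: dict) -> int:
    """Bytes reported in the banner's totalSize field, 0 if absent."""
    m = re.search(r'"totalSize"\s*:\s*(\d+)', banner.get("data", ""))
    return int(m.group(1)) if m else 0


def open_mongodb(banners: list) -> list:
    """MongoDB banners without the authentication marker, largest first."""
    hits = [b for b in banners
            if b.get("port") == 27017
            and "mongodb server information" in b.get("data", "").lower()
            and AUTH_MARKER not in b.get("data", "")]
    return sorted(hits, key=mongo_total_size, reverse=True)


def open_elasticsearch(banners: list) -> list:
    """Elasticsearch banners that expose their index list."""
    return [b for b in banners
            if b.get("port") == 9200 and "elastic indices" in b.get("data", "").lower()]


def by_country(banners: list) -> Counter:
    return Counter(b.get("location", {}).get("country_code", "??") for b in banners)


def report(jsonl: str) -> dict:
    """Summary comparable to the Size / country views in the post."""
    banners = parse_banners(jsonl)
    mongo = open_mongodb(banners)
    es = open_elasticsearch(banners)
    return {
        "open_mongodb": [(b["ip_str"], mongo_total_size(b)) for b in mongo],
        "open_elasticsearch": [b["ip_str"] for b in es],
        "mongodb_by_country": dict(by_country(mongo)),
    }

if __name__ == "__main__":
    print(json.dumps(report(SAMPLE_JSONL), indent=2))
```

To run it on real data, download a query with the Shodan CLI (for example `shodan download open-mongo 'all:"mongodb server information" all:"metrics"'`), decompress the resulting `.json.gz`, and pass the file contents to `report()`; the sorting by size is what surfaces the databases the post calls the most interesting.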