Cisco Servers Hacked! SaltStack Vulnerability Exploited!

Hackers breached six Cisco servers through SaltStack Salt vulnerabilities!

Cisco published an advisory saying that on May 7, 2020 it discovered the compromise of six of its salt-master servers, which are part of the Cisco VIRL-PE (Virtual Internet Routing Lab Personal Edition) service infrastructure.

SaltStack Salt is open-source software that is used for managing and monitoring servers in datacenters and cloud environments.

It is installed on a “master” server, which manages “minion” servers through an agent running on each minion; the minions connect back to the master’s publish and request ports (TCP 4505 and 4506).

The two recently revealed vulnerabilities – CVE-2020-11651 (an authentication bypass that lets unauthenticated clients invoke master functions that should require a valid key) and CVE-2020-11652 (a directory traversal flaw) – can be exploited by unauthenticated, remote attackers to achieve remote code execution as root on both masters and minions.

Cisco remediated the affected servers the same day and has released software updates that address these vulnerabilities, so that enterprise admins who installed these products on-premises can patch them as well.

Cisco did not say what the attackers’ ultimate goal was, but in previously disclosed attacks exploiting these same Salt flaws the intent was to install cryptocurrency miners.
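
One triage check an admin can run against an inventory of masters, as an added example that is not part of Cisco’s advisory or the Salt project’s own code: it parses `salt --version` output and reports which masters are still below the first fixed releases (2019.2.4 and 3000.2, as listed in SaltStack’s advisory). The hostnames are constructed, and treating every branch older than 2019.2 as unpatched is an assumption of this example, not something the advisory states.

```python
import re

# First releases carrying the fix for CVE-2020-11651/-11652 on the two
# release lines named in SaltStack's advisory. Treating every older line
# (2018.3 and earlier) as unpatched is an assumption made here for triage.
FIXED_3000 = (3000, 2)
FIXED_2019_2 = (2019, 2, 4)


def parse_salt_version(text):
    """Pull the version tuple out of `salt --version` / `salt-master --version`
    output, e.g. 'salt-master 3000.1' -> (3000, 1)."""
    match = re.search(r"\b(\d+(?:\.\d+)*)\b", text)
    if not match:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def salt_is_vulnerable(version_text):
    """True when the master still needs patching for the two CVEs."""
    version = parse_salt_version(version_text)
    if version[0] >= 3000:              # 3000-series and later releases
        return version < FIXED_3000
    if version[:2] == (2019, 2):        # 2019.2.x branch
        return version < FIXED_2019_2
    return True                         # assumption: older branch, unpatched


def triage(inventory):
    """Map {hostname: version output} to the hosts that still need the fix."""
    return sorted(host for host, out in inventory.items() if salt_is_vulnerable(out))


# Constructed inventory for the example, not real hosts.
SAMPLE_INVENTORY = {
    "salt-master-a": "salt-master 2019.2.3",
    "salt-master-b": "salt-master 3000.1",
    "salt-master-c": "salt-master 3000.2",
    "salt-master-d": "salt-master 2019.2.4",
    "salt-master-e": "salt-master 3001",
}

if __name__ == "__main__":
    print("needs patching:", triage(SAMPLE_INVENTORY))
```

Feed it the output of `salt-master --version` collected from each master; a master that is patched but still reachable from the internet on 4505/4506 should be firewalled regardless of what this check says.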

NSA Publishes a Serious Warning!

The US National Security Agency (NSA) has published a security alert warning of a new wave of cyberattacks against email servers, conducted by one of Russia’s most advanced cyber-espionage units.

The NSA says that members of Unit 74455 of the GRU Main Center for Special Technologies (GTsST), a division of the Russian military intelligence service, have been attacking email servers running the Exim mail transfer agent (MTA).

Also known as “Sandworm,” this group has been hacking Exim servers since at least August 2019 by exploiting a critical vulnerability tracked as CVE-2019-10149.

When Sandworm exploited CVE-2019-10149, the victim machine would subsequently download and execute a shell script from a Sandworm-controlled domain. This shell script would:
⚠️Add privileged users
⚠️Disable network security settings
⚠️Update SSH configurations to enable additional remote access
⚠️Execute an additional script to enable follow-on exploitation

The NSA is now warning private and government organizations to update their Exim servers to version 4.93 or later (CVE-2019-10149 affects Exim 4.87 through 4.91) and to look for signs of compromise.
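
A minimal host sweep for the kinds of changes listed above, as an added example that is not from the NSA advisory: it looks for extra UID-0 accounts in /etc/passwd, reads the effective PermitRootLogin value from sshd_config (sshd honours the first non-comment occurrence), and flags keys in root’s authorized_keys that are not on a known list. The file contents, the account name and the key material are constructed for the example and are not indicators from the advisory.

```python
# Constructed sample files; the account, keys and settings below are made up
# for this example and are not indicators from the NSA advisory.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
Debian-exim:x:101:103::/var/spool/exim4:/usr/sbin/nologin
svc_backup:x:0:0::/root:/bin/bash
"""

SAMPLE_SSHD_CONFIG = """\
# /etc/ssh/sshd_config
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication no
"""

SAMPLE_ROOT_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKnownOpsTeamKey0000000000000000000000 ops@bastion
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUnknownKeyDroppedOnTheHost0000000000 root@unknown
"""

# Key blobs the admin team has on record (constructed).
KNOWN_KEY_BLOBS = {"AAAAC3NzaC1lZDI1NTE5AAAAIKnownOpsTeamKey0000000000000000000000"}

KEY_TYPES = {
    "ssh-rsa", "ssh-ed25519", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def extra_uid0_accounts(passwd_text):
    """Usernames other than root whose UID is 0."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            hits.append(fields[0])
    return hits


def effective_sshd_setting(config_text, keyword):
    """sshd uses the first non-comment occurrence of a keyword; return that
    value, or None when the compiled-in default applies."""
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == keyword.lower():
            return parts[1]
    return None


def unknown_authorized_keys(auth_keys_text, known_blobs):
    """Comments (or blob prefixes) of keys that are not on the known list."""
    unknown = []
    for line in auth_keys_text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        for i, token in enumerate(tokens):          # skip any leading options
            if token in KEY_TYPES and i + 1 < len(tokens):
                blob = tokens[i + 1]
                if blob not in known_blobs:
                    unknown.append(" ".join(tokens[i + 2:]) or blob[:16] + "...")
                break
    return unknown


def sweep(passwd_text, sshd_text, auth_keys_text, known_blobs):
    """Run the three checks and return human-readable findings."""
    findings = [f"uid0-account:{user}" for user in extra_uid0_accounts(passwd_text)]
    if (effective_sshd_setting(sshd_text, "PermitRootLogin") or "").lower() == "yes":
        findings.append("sshd:PermitRootLogin=yes")
    findings += [f"unknown-root-key:{who}"
                 for who in unknown_authorized_keys(auth_keys_text, known_blobs)]
    return findings


if __name__ == "__main__":
    for finding in sweep(SAMPLE_PASSWD, SAMPLE_SSHD_CONFIG,
                         SAMPLE_ROOT_AUTHORIZED_KEYS, KNOWN_KEY_BLOBS):
        print(finding)
```

On a real host, read the three files instead of the constructed strings and compare against a key list you maintain out of band; a clean result from this sweep does not clear a machine, it only covers the artefacts the advisory describes.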

The Sandworm group has been active since the mid-2000s and is believed to be the group behind the BlackEnergy malware used in the December 2015 blackout in Ukraine, the Industroyer malware used in the December 2016 blackout, and the infamous NotPetya wiper, disguised as ransomware, that caused billions of US dollars of damage to companies all over the world.

It is currently considered one of the two most advanced Russian state-sponsored hacking groups, together with Turla.

Hackers tried two methods of exploiting a vulnerability in Sophos firewalls

Hackers tried two methods of exploiting a zero-day vulnerability in Sophos’ XG firewall, but Sophos says the hotfix it pushed out mitigated the risk.

Attackers originally attempted to plant a Trojan in networks by exploiting the zero-day, then switched to ransomware.

XG firewalls that received the hotfix blocked the attacks, including the ransomware, which the company identified as Ragnarok.

This crypto-locking malware was first noticed in January 2020, when security firm FireEye published a report on it, noting that its operators were exploiting flaws in Citrix’s ADC and Gateway appliances at the time.

Sophos detected the first wave of these attacks in April, when the hackers were exploiting a zero-day SQL injection vulnerability in the XG firewall products.

The flaw, CVE-2020-12271, let the attackers reach the firewall’s built-in PostgreSQL database server without authenticating and inject a single line of Linux shell command into a database table; when the firewall later executed that value, the attackers had a foothold from which to download malware onto the appliance.

The attackers attempted to plant a Trojan called Asnarök, which steals the firewall’s usernames and hashed passwords.

When Sophos analysts noticed the attacks unfolding, they rushed a hotfix out to customers.

The hackers then switched tactics.

During the initial attacks in April, the hackers had left behind what Sophos calls a “backup channel”, along with other malicious files, so they could re-enter a network if they were detected and blocked.

When Sophos blocked the first firewall attack with the hotfix, the hackers tried to use the EternalBlue exploit against unpatched older Windows versions, together with the DoublePulsar backdoor, to get back into networks and deploy the Ragnarok ransomware.

The hotfix stopped this second attack as well, because it had disabled the malicious files the first stage left behind.

Source: https://www.instagram.com/p/CAiSyUZAP6J/

Dalfox – Parameter Analysis & XSS detector Tutorial


Dalfox is a parameter-analysis and XSS-scanning tool written in Go.

The name is explained by its author: “Dal” is the Korean word for moon, and “Fox” stands for Finder Of XSS.

Dalfox Features:

  • Parameter analysis (finds reflected parameters, finds free/bad characters, identifies the injection point)
  • Static analysis (checks the base request/response for weak or missing headers such as CSP and X-Frame-Options)
  • Payload query optimization
    • Abstracts the injection point and generates payloads that fit it
    • Drops payloads that rely on characters the target filters (bad chars)
  • XSS scanning (reflected and stored) with DOM-based verification
  • All test payloads (built-in, custom and blind) are tested in parallel, with encoders applied
    • Double URL encoder
    • HTML hex encoder
  • Pipeline-friendly input (single URL, from a file, from stdin)
  • The various options needed during testing 😀
    • Built-in and custom grepping to spot other vulnerabilities
    • A “found action” to run a command when something is found
    • etc.
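
To make the “parameter analysis” step concrete, here is an added example in Python (not Dalfox’s own code) that does the first part of what Dalfox does: for each query parameter it sends a random canary, checks whether it is reflected, guesses the context from the markup preceding it, and then probes one character at a time to see which XSS-relevant characters come back unencoded. The `constructed_target` function is a stand-in for the HTTP request, returning a made-up page that HTML-encodes one parameter and only escapes double quotes in another; the URL is the one used in the examples below, but it is never actually contacted.

```python
import html
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Characters an XSS payload usually needs; each is probed on its own so that
# an encoded neighbour (e.g. "&lt;" containing ";") cannot mask the result.
PROBE_CHARS = '<>"\'`()/;'


def with_param(url, name, value):
    """Return url with the query parameter `name` set to `value`."""
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query[name] = value
    return urlunsplit(parts._replace(query=urlencode(query)))


def constructed_target(url):
    """Stand-in for an HTTP GET: a constructed page that mirrors two
    different server-side behaviours (no network traffic is generated)."""
    query = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    cat = html.escape(query.get("cat", ""), quote=True)       # fully HTML-encoded
    artist = query.get("artist", "").replace('"', '\\"')     # only " is escaped
    return (
        "<html><body>"
        f"<h1>Category {cat}</h1>"
        f'<script>var artist = "{artist}";</script>'
        "</body></html>"
    )


def guess_context(body, canary):
    """Classify where the reflection lands, from the markup preceding it."""
    head = body[: body.index(canary)]
    if head.rfind("<script") > head.rfind("</script"):
        return "script"
    if head.rfind("<") > head.rfind(">"):
        return "tag-attribute"
    return "html-text"


def analyze(url, fetch=constructed_target):
    """For each query parameter: is it reflected, where, and which probe
    characters come back unencoded ("free" characters in Dalfox terms)."""
    report = {}
    for name in dict(parse_qsl(urlsplit(url).query, keep_blank_values=True)):
        canary = "dlx" + secrets.token_hex(4)
        body = fetch(with_param(url, name, canary))
        if canary not in body:
            report[name] = {"reflected": False}
            continue
        free = [
            ch for ch in PROBE_CHARS
            if canary + ch in fetch(with_param(url, name, canary + ch))
        ]
        report[name] = {
            "reflected": True,
            "context": guess_context(body, canary),
            "free_chars": free,
        }
    return report


if __name__ == "__main__":
    target = "http://testphp.vulnweb.com/listproducts.php?cat=123&artist=123&asdf=ff"
    for param, info in analyze(target).items():
        print(param, info)
```

Swap `fetch` for a real GET (for instance one built on `urllib.request.urlopen`) to run it against a target you are authorised to test. The per-character probing costs one request per character, which is slower than sending all of them at once, but it is what makes the “free characters” list trustworthy: a parameter reflected inside a script block with `<` and `/` unencoded is a very different finding from one that is HTML-encoded in body text.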

How to install Dalfox?

There are three ways to install Dalfox; use whichever you prefer.

1. Go-Install

  1. First, clone the repository.
$ git clone https://github.com/hahwul/dalfox
  2. Install from inside the cloned Dalfox directory.
$ cd dalfox && go install
  3. Run Dalfox.
$ ~/go/bin/dalfox

2. Go-Get

  1. Fetch and build Dalfox with go get.
$ go get -u github.com/hahwul/dalfox
  2. Run Dalfox.
$ ~/go/bin/dalfox

Note: `go get` stopped installing binaries in Go 1.18, so on a current toolchain use the form from the project’s current README instead: `go install github.com/hahwul/dalfox/v2@latest`.

3. Release version

  1. Open the latest release page: https://github.com/hahwul/dalfox/releases/latest
  2. Download and extract the archive that fits your OS.
  3. Put the binary somewhere on your PATH, e.g.
$ cp dalfox /usr/bin/

Usage of Dalfox:

    _..._
  .' .::::.   __   _   _    ___ _ __ __
 :  :::::::: |  \ / \ | |  | __/ \\ V /
 :  :::::::: | o ) o || |_ | _( o )) (
 '. '::::::' |__/|_n_||___||_| \_//_n_\
   '-.::''
Parameter Analysis and XSS Scanning tool based on golang
Finder Of XSS and Dal is the Korean pronunciation of moon. @hahwul


Usage:
  dalfox [command]

Available Commands:
  file        Use file mode(targets list or rawdata)
  help        Help about any command
  pipe        Use pipeline mode
  sxss        Use Stored XSS mode
  update      Update DalFox (Binary patch)
  url         Use single target mode
  version     Show version

Flags:
  -b, --blind string            Add your blind xss (e.g -b hahwul.xss.ht)
      --config string           Using config from file
  -C, --cookie string           Add custom cookie
      --custom-payload string   Add custom payloads from file
  -d, --data string             Using POST Method and add Body data
      --delay int               Milliseconds between send to same host (1000==1s)
      --found-action string     If found weak/vuln, action(cmd) to next
      --grep string             Using custom grepping file (e.g --grep ./samples/sample_grep.json)
  -H, --header string           Add custom headers
  -h, --help                    help for dalfox
      --ignore-return string    Ignore scanning from return code (e.g --ignore-return 302,403,404)
      --only-discovery          Only testing parameter analysis
  -o, --output string           Write to output file
      --output-format string    -o/--output 's format (txt/json/xml)
  -p, --param string            Only testing selected parameters
      --proxy string            Send all request to proxy server (e.g --proxy http://127.0.0.1:8080)
      --silence                 Not printing all logs
      --timeout int             Second of timeout (default 10)
      --user-agent string       Add custom UserAgent
  -w, --worker int              Number of worker (default 40)
$ dalfox [mode] [flags]

Single target mode

$ dalfox url http://testphp.vulnweb.com/listproducts.php\?cat\=123\&artist\=123\&asdf\=ff -b https://hahwul.xss.ht

Multiple target mode from file

$ dalfox file urls_file --custom-payload ./mypayloads.txt

Pipeline mode

$ cat urls_file | dalfox pipe -H "AuthToken: bbadsfkasdfadsf87"

Download Dalfox:

https://github.com/hahwul/dalfox

Conclusion:

Dalfox is a tool well worth adding to your kit.

If you found value in this article, leave a comment below to encourage our team.

You can also post any suggestions or questions about this tool.

Our team will try to respond as soon as possible.

DiscordRat – Download Discord Remote Administration Tool


DiscordRat is a tool written entirely in Python 3.

It is a RAT controlled over Discord, with over 20 post-exploitation modules.

If you are not aware of what a RAT is, here is the short version.

A remote administration tool (RAT) is a program that lets someone, a hacker or otherwise, connect to and control a computer remotely over the Internet or across a local network.

Keep in mind that RATs come in both legitimate and malicious forms.

So be careful before downloading one from any website.

DiscordRat Requirements:

  • Microsoft Windows OS.
  • Python3.

DiscordRat Setup Guide:

You will first need to register a bot in the Discord developer portal and then add that bot to the server you want to use.

Once the bot is created, copy its token and paste it at line 18 if you use the WithCV script, or line 17 if you use the WithoutCV script.

Now go to Discord > Settings > Appearance, scroll to the bottom and enable “Developer Mode”. Then go to the server where your bot was added, right-click the channel you want the bot to post in, click “Copy ID”, and paste the channel ID (not the server ID) inside the parentheses at line 97 of the WithoutCV (NoCV) script or line 67 of the WithCV script.

Install requirements:

pip3 install -r requirements.txt

If the steps above succeeded, launching the Python file or the compiled executable will post a message in the channel containing a generated UUID; all that is left is to post “!interact ” followed by that UUID.

Now your bot should be ready to use!

Problems with DiscordRat:

If you have problems installing win32api or other modules, try installing them in a Python virtual environment.

There are two Python files: one includes OpenCV and the webcam-related modules, the other does not. The split exists because OpenCV adds several dozen megabytes to the compiled .exe.

Disclaimer: The following tutorial is only for educational purposes. Any illegal usage of this tool is neither promoted or supported. You are responsible for your own actions.


Israel Websites Hacked And Defaced!

Thousands of Israeli websites have been defaced to show an anti-Israel message, along with malicious code that asked visitors for permission to access their webcams.

More than 2,000 websites are believed to have been defaced.

Most of the websites were hosted on uPress, a local Israeli WordPress hosting service.

In a message posted on Facebook, the company said the hackers exploited a vulnerability in a WordPress plugin to plant the defacement message on Israeli sites hosted on its platform.

The attack was carried out by a new hacker group calling itself “Hackers of Savior”.

According to a Facebook group, the hacker group is believed to have nine members, all from Muslim-majority countries such as Turkey, Palestine, Morocco and Egypt.

The attacks were timed to take place on “Jerusalem Day”, an Israeli national holiday commemorating the reunification of Jerusalem and the establishment of Israeli control over the Old City in 1967.

On all of the websites the hackers loaded a YouTube video along with the message “The countdown of Israel destruction has begun since a long time ago”. Israeli news media are reporting that the attack was carried out by “Iranian hackers”.

Malware Attack on Game Developers!


Hackers have infected multiple game developers with advanced malware!

One of the world’s most prolific hacking groups recently infected several Massively Multiplayer Online game makers, a feat that made it possible for the attackers to push malware-tainted apps to one target’s users and to steal in-game currencies of a second victim’s players.

Researchers from Slovak security company ESET have tied the attacks to Winnti, a group that has been active since at least 2009 and is believed to have carried out hundreds of mostly advanced attacks.

Targets have included Chinese journalists, Uyghur and Tibetan activists, the government of Thailand, and prominent technology organizations.

Winnti has been tied to the 2010 hack that stole sensitive data from Google and 34 other companies.

More recently, the group has been blamed for the compromise of the CCleaner distribution platform that pushed malicious updates to millions of people.

Winnti also carried out a separate supply-chain attack that installed a backdoor on 500,000 ASUS PCs.

The recent attack used a never-before-seen backdoor that ESET has dubbed PipeMon.

To evade security defenses, the PipeMon installers were signed with a legitimate Windows code-signing certificate that was stolen from Nfinity Games during a 2018 hack of that gaming developer.

The backdoor, whose name comes from the multiple named pipes its modules use to talk to each other and from the Visual Studio project name left in the binaries, installed itself as a Windows print processor so that the print spooler would load it at startup, letting it survive reboots.

ESET revealed little about the infected companies except that they included several South Korea- and Taiwan-based developers of MMO games that are available on popular gaming platforms and have thousands of simultaneous players.

Based on the people and organizations Winnti targets, researchers have tied the group to the Chinese government.

EasyJet Became CyberAttack Victim!

EasyJet has revealed that the personal information of 9 million customers was accessed in a “highly sophisticated” cyber-attack on the airline.

The company disclosed on Tuesday that email addresses and travel details were accessed, and said it will contact all of the customers affected.

Of the 9 million people affected, 2,208 had credit card details stolen, EasyJet said in a statement to the stock market.

Those customers whose credit card details were taken have already been contacted, while everyone else affected will be contacted in the “next few days”.

The Information Commissioner’s Office (ICO), the UK data regulator, recommended that EasyJet contact everyone affected because of the increased risk of phishing. EasyJet said “there is no evidence that any personal information of any nature has been misused”.

The easyJet chief executive, Johan Lundgren, said: “We would like to apologize to those customers who have been affected by this incident. “Since we became aware of the incident, it has become clear that owing to Covid-19 there is heightened concern about personal data being used for online scams. As a result, and on the recommendation of the ICO, we are contacting those customers whose travel information was accessed and we are advising them to be extra vigilant, particularly if they receive unsolicited communications.”

Google Chrome Update out now!

Google Chrome 83 web browser out now!

This is one of the most feature-packed Chrome updates since the browser’s initial launch back in 2008.

Today’s v83 release includes a slew of new features.

These include enhanced privacy controls, new settings for managing cookies, a new Safety Check option, support for tab groups, new graphics for web form elements, a new API for detecting barcodes, and a new anti-XSS security feature (Trusted Types), among many others.

The reason why Chrome 83 includes so many features is because Google canceled the Chrome 82 release due to the ongoing coronavirus pandemic.

As a result, some of the Chrome 82 features were pushed into Chrome 83, while others were rescheduled for later this year.

New features include:

  • New Tab Groups feature
  • New cookies settings
  • New cookies control in incognito mode
  • New Safety Check option
  • New Enhanced Safe Browsing mode
  • New web form controls
  • New extensions button
  • New Barcode Detection API
  • New anti-XSS security feature
  • New DNS-over-HTTPS experiment
  • Chrome blocks downloads in Sandboxed iframes and for files hosted on HTTP URLs

European Supercomputers Hacked!

Supercomputers across Europe have been hacked over the past week by an unknown group that has been installing cryptocurrency-mining software on them.

At least a dozen supercomputers in Germany, the UK, Switzerland and Spain were targeted, and many were taken offline as a result.

The first system targeted is believed to be “Archer”, a supercomputer at the University of Edinburgh that was being used for coronavirus research before it was taken offline.

Those behind the attacks gained access to the targeted supercomputers using login credentials stolen from compromised networks at universities in China and Poland.

According to Cado Security, it is common for users at different high-performance computing facilities to hold logins at other institutions, which made it easy for the attackers to move between sites.

In two of the incidents, the group connected to the supercomputers with a compromised SSH account and then exploited a vulnerability in the Linux kernel to gain root access and install Monero (XMR) mining software.

The mining software was set up to run only at night in an attempt to avoid discovery.

A notification from the Swiss Center of Scientific Computations in Zurich was vaguer, referring only to malicious activity that resulted in external access to the centre being closed until the security issues were fixed.

The true motivation behind the attacks remains unknown.

Although profit from the Monero miner would seem the most obvious motive, most of the targeted systems were involved in COVID-19 research and analysis.

Access to that research could be the real motivation, with a nation-state actor behind the attacks.
