Introduction

Attackers are currently exploiting an old Microsoft Outlook vulnerability that was discovered in 2017 (CVE-2017-11774).

The vulnerability was discovered by SensePost, who reported it to Microsoft in 2017. Microsoft then released a public patch for the flaw around October 2017.

According to the Department of Homeland Security Cybersecurity and Infrastructure Security Agency:

This can be a way for the attacker to install malware on the victims’ network

How the malware works

The flaw lets the attacker install and run malware inside the Outlook sandbox and, from there, execute other malicious code on the underlying operating system.

According to SensePost’s analysis, the only real remedy for this vulnerability is patching the system. Additional security practices that strengthen the defence, such as adding multi-factor authentication as a further line of defence, are advisable.

In 2018, APT33 (an Iranian hacking group) was reported to be exploiting the vulnerability despite the October 2017 patch: on unpatched systems the attackers took advantage of the bug to run commands on the victims’ machines.

To exploit the flaw, the attackers use brute-force attacks that take advantage of weak passwords, targeting multiple accounts at the same time.

Earlier, in June, DHS had warned that Iranian hackers were targeting US networks with wiper malware, as tensions between the two countries rose.

USCYBERCOM has discovered active malicious use of CVE-2017-11774 and recommends immediate #patching. Malware is currently delivered from: 'hxxps://customermgmt.net/page/macrocosm' #cybersecurity #infosec

— USCYBERCOM Malware Alert (@CNMF_VirusAlert) July 2, 2019

Source: DHS Warns Hackers Exploiting Microsoft Outlook Vulnerability

The post CVE-2017-11774 appeared first on Threat Ninja.

Methodology of Mobile Application Penetration Testing

Discovery

The Discovery phase, also known as the Information Gathering phase, is the most important stage of any penetration test. In this phase the tester gathers information that is hidden from the casual observer.

The quality of this phase largely determines whether the mobile penetration test is successful or unsuccessful.

The processes included in this phase are as follows:

  • OSINT (Open Source Intelligence): this process helps the security consultant gather information about the application from internet sources such as Shodan.io
  • Client-side vs server-side: the security consultant has to understand the nature of the application, i.e. whether it is native, hybrid or web-based.

Analysis

This phase can be considered unique in that the security consultant analyses the mobile application both before and after installation.

The tools used during this phase include JD-GUI for Android and otool for iOS.

Exploitation/Testing

In this phase, the security consultant tries to exploit the bug or weakness in order to gain access to the mobile device. Having gained access, the consultant can then perform malicious activities on the mobile device.

Video: OWASP Mobile Top 10 (YouTube)
Source: OWASP Mobile Top 10

The post Mobile Masterclass Part 2 appeared first on Threat Ninja.


Kaspersky researchers have discovered a money-stealing mobile malware, Riltok, which is now launching new variants against smartphone devices.

The malware has extended its targets from Russia to Europe. Riltok was first discovered around mid-2018.

Riltok is a dangerous threat to smartphone users because the trojan gains control over all of the victim’s financial accounts and steals data such as login credentials and online banking sessions.

How does the Riltok trojan work?

  1. The attacker sends an SMS message containing a phishing link (a fake website imitating a well-known one) to the victim’s smartphone.
  2. If the victim clicks the link, it redirects to a website that asks them to install a fake service disguised as a new, legitimate service.
  3. Once the fake service is installed on the smartphone, the Riltok malware signals the attacker. It registers the fake service as a legitimate one and makes it the main application controlling the SMS mechanism.

The trojan’s functions include:

  • Riltok steals credentials from online banking sessions by presenting a fake online banking application so that the victim keys in their payment card information
  • Riltok hides its session activity from other applications and hides all notifications from the legitimate online banking application.

Recommendation

Kaspersky Lab security specialists advise the following:

  • Check whether a link received by SMS is a valid link or a fake one
  • Be strict about installing any suspicious program from unknown sources.
  • Always monitor the permissions granted to applications installed on the smartphone
  • Install antivirus on the smartphone to protect it. *(Don’t use free antivirus on your smartphone)

Source: Riltok banking trojan begins targeting Europe

The post Riltok Trojan appeared first on Threat Ninja.


Instagram is currently testing new features that will make it harder for attackers to compromise a victim’s account. High-profile Instagram accounts are the only target for the hacker, because the influence of the person or company behind them can be used to threaten the user into paying a ransom.

The attacker takes every possible step so that the victim cannot recover their Instagram profile using the traditional method.

Instagram said in a statement:

“We know that losing access to your account can be a distressing experience. We have measures in place to stop accounts from being hacked in the first place, as well as measures to help people recover their accounts, but we heard from the community that these measures aren’t enough, and people are struggling to regain access to their accounts.”

As is well known, there are many ways an attacker can compromise an Instagram account:

  1. Phishing links
  2. Reusing the same login and password as an email account that may have suffered a data breach

As a result, last Monday Instagram announced two new features to help victims recover their hacked accounts:

  1. An authentication code is sent to the email address or phone number tied to the account
  2. Instagram asks the user to key in information such as the email address and phone number that were tied to the Instagram account

The Instagram user can recover their compromised account even if the attacker has changed the email address and phone number. Another new feature removes the attacker’s access from their device and prevents them from logging back in.

After victims regain access to their compromised Instagram account, they can choose whether to keep the original email address and phone number or change them.

Separately, Instagram also announced that it has rolled out a feature to all Android users to stop name-squatters; it will roll out to all iOS devices in the near future. This makes it harder for an attacker to compromise an account, because once a user changes their username, the old username is locked for a period of time before anyone else can claim it.

Source: Instagram is making it easier to get your account back from hackers

The post Instagram Recovery appeared first on Threat Ninja.


Last Thursday, Amit Serper, Cybereason’s head of security research, warned that attackers may be exploiting the Exim flaw to gain root access to target Linux servers via SSH.

Video: Exim Remote Command Execution Vulnerability (CVE-2019-10149) (YouTube)
Source: Exim Remote Command Execution Vulnerability (CVE-2019-10149)

Amit Serper said:

“The campaign uses a private authentication key that is installed on the target machine for root authentication,”

He continued:

“Once remote command execution is established, it deploys a port scanner to search for additional vulnerable servers to infect. It subsequently removes any existing coin miners on the target along with any defenses against coinminers before installing its own.”

How the flaw works

Although the flaw was resolved and patches were released in February, many vulnerable servers in the real world have still not been patched.

Below are the statistics from the Shodan.io website for the Exim flaw

Source: Shodan.io

Reminder:

Please patch your server if you have not already done so…

Recommendation:

System administrators should update the operating system running in their Azure Virtual Machines (VMs) in line with the 16 June 2019 update.

Microsoft said:

“As this vulnerability is being actively exploited by worm activity, MSRC urges customers to observe Azure security best practices and patterns and to patch or restrict network access to VMs running the affected versions of Exim,”

Source: Linux servers under attack via latest Exim flaw

The post Exim flaw is under attack on Linux Server appeared first on Threat Ninja.


BlueKeep, also known as CVE-2019-0708, is a critical remote code execution vulnerability found in older and legacy versions of Windows, such as Windows 7 and earlier. The vulnerability could give an attacker complete control of the system, allowing them to install malicious programs and modify any data inside the operating system.

Moreover, the vulnerability does not require the attacker to be authenticated in order to exploit the operating system. Because of this, Microsoft has warned all its users to update their Windows operating systems as the recommended defence against the vulnerability.

Jake Olcott, vice president at BitSight, said:

It’s surprising that organizations haven’t been more efficient and diligent in patching this vulnerability, particularly given the ominous nature of the warning from both Microsoft and the NSA

Luis Grangeia, BitSight senior security researcher, said:

One million potential beachheads into internal networks when attempting to quantify the total systems at risk, even if there is no other system running Remote Desktop Protocol behind the firewall

Video: CVE-2019-0708 PoC Exploit on Windows Server 2008 R2 x64 (YouTube)
Source: CVE-2019-0708 PoC Exploit on Windows Server 2008 R2 x64 (YouTube)

Source: A devastating exploit using ‘ticking-bomb’ BlueKeep is “only weeks away”

The post BlueKeep Ticking bomb appeared first on Threat Ninja.


Last Wednesday, a high-severity Cisco flaw was publicly announced alongside its patch. However, no workaround for this vulnerability has been released.

According to Cisco, this vulnerability does not affect the following products:

  1. Cisco IOS Software
  2. Cisco IOS XR Software
  3. Cisco NX-OS Software

In its advisory, Cisco said:

The vulnerability is due to insufficient CSRF protections for the web UI on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link

The advisory also states:

The vulnerability in the web-based UI (web UI) of Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system

Users who want to check whether the HTTP Server feature is enabled on a Cisco IOS device can run the following command:

show running-config | include ip http server|secure-server

The “show version” command displays the software release running on the Cisco device.

Source: Cisco IOS XE Software Receives Fix Against High-Severity Flaw and Cisco Advisory

The post Cisco IOS XE software update appeared first on Threat Ninja.


As reported by Threatpost, around six vulnerabilities have been found in Amcrest security cameras by Mandar Satam, a senior security researcher at Synopsys, as follows:

  1. CVE-2017-8226
  2. CVE-2017-8227
  3. CVE-2017-8228
  4. CVE-2017-8229 (Serious Bug)
  5. CVE-2017-8230
  6. CVE-2017-13719 (Serious Bug)

The vulnerabilities only affect the Amcrest HDSeries model IPM-721S cameras.

Satam told Threatpost:

It’s sad to say, these are not terribly unique vulnerabilities and quite typical of what we see industry-wide

Satam also wrote:

The device allows HTTP requests that allow enabling various functionalities of the camera by using HTTP APIs instead of the web management interface that is provided by the application

Remediation

All affected users need to update their Amcrest device firmware to the latest version.

Source: Critical Flaws in Amcrest HDSeries Camera Allow Complete Takeover

The post Amcrest Security Camera Vulnerability appeared first on Threat Ninja.


Recently, an old cross-site request forgery (CSRF) vulnerability in WampServer was found to have never been fixed. The earlier CVE for this vulnerability is CVE-2018-8817 (https://www.exploit-db.com/exploits/44385).

An attacker can still abuse this old flaw to have vhosts added to or deleted from the Apache configuration file.

The scores for this vulnerability are as follows:

CVSS 3.0

  • Impact Score: 3.6
  • Exploitability Score: 2.8
  • Base Score: 6.5

CVSS 2.0

  • Impact Score: 4.9
  • Exploitability Score: 8.6
  • Base Score: 5.8

Recommendation

It is advisable to update to WampServer 3.1.9.

Source: https://seclists.org/bugtraq/2019/Jun/10

The post CVE-2019-11517 appeared first on Threat Ninja.


Recently, a set of serious vulnerabilities was found in Microsoft NTLM that allow remote code execution by attacking the NTLM authentication protocol.

The vulnerabilities found by Preempt researchers are as follows:

  • Message Integrity Code (MIC): attackers can remove the MIC protection and, as a result, modify any field in the NTLM protocol.
  • SMB session signing: attackers can relay NTLM authentication requests to any server in the domain and network, gaining access to the server as a privileged user.
  • Enhanced Protection for Authentication (EPA): attackers can modify the NTLM message so that they can generate legitimate channel binding information for the server

Remediation

  1. All system administrators need to patch every workstation and server in order to protect against the NTLM vulnerabilities.
  2. All system administrators need to reconfigure SMB signing, LDAP/S signing and EPA so that they are enforced; using the latest version of NTLM is advisable.
  3. System administrators are advised to remove NTLM where it is not in use on the server.

Source: Critical Microsoft NTLM vulnerabilities allow remote code execution on any Windows machine

The post Microsoft NTLM Vulnerability discovered appeared first on Threat Ninja.
