Attackers are currently exploiting an old Microsoft Outlook vulnerability found in 2017 (CVE-2017-11774).
The vulnerability was discovered by Sensepost, who reported it to Microsoft in 2017. Microsoft released a public patch for the flaw around October 2017.
According to the Department of Homeland Security Cybersecurity and Infrastructure Security Agency:
This can be a way for the attacker to install malware on the victims’ network.
How does the malware work?
Through the flaw, the attacker can install and run malware from within the Outlook sandbox, and from there run any other malicious code residing elsewhere on the operating system.
According to Sensepost’s analysis, the only remedy for this vulnerability is patching the system. Security practices that strengthen the defence, such as adding multi-factor authentication as an extra line of defence, are also advisable.
In 2018, APT33 (Iranian hackers) was reported to be exploiting the vulnerability despite the patch released in October 2017: on unpatched systems, the attackers took advantage of the bug to run commands on the victims’ systems.
To exploit the flaw, the attackers use brute-force attacks that take advantage of weak passwords, targeting multiple accounts at the same time.
Earlier, in June, DHS warned that Iranian hackers were targeting US networks with wiper malware, as tensions between the two countries rose.
USCYBERCOM has discovered active malicious use of CVE-2017-11774 and recommends immediate #patching. Malware is currently delivered from: 'hxxps://customermgmt.net/page/macrocosm' #cybersecurity #infosec
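The brute-force pattern described above (a weak password tried against many accounts at once, rather than many passwords against one account) is easy to miss with per-account lockout alone, because each account sees only one or two failures. The following detector is an added example written for this page, not code from the article or from any of the vendors it cites; it runs over a constructed authentication log with "timestamp source user result" lines and flags a source whose attempts within a time window spread across many distinct accounts with few attempts each. The log lines, IP addresses and thresholds are all constructed for illustration.

```python
"""Password-spraying detector over authentication log lines (added example)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the page): "timestamp source_ip user result".
# 203.0.113.5 tries one password against six different accounts within a minute
# (the spraying shape); 198.51.100.7 is one user fumbling their own password,
# which is what per-account lockout already handles.
SAMPLE_AUTH_LOG = """\
2019-07-02T08:00:01 203.0.113.5 alice FAIL
2019-07-02T08:00:07 203.0.113.5 bob FAIL
2019-07-02T08:00:13 203.0.113.5 carol FAIL
2019-07-02T08:00:19 203.0.113.5 dave FAIL
2019-07-02T08:00:25 203.0.113.5 erin FAIL
2019-07-02T08:00:31 203.0.113.5 frank SUCCESS
2019-07-02T08:01:02 198.51.100.7 grace FAIL
2019-07-02T08:01:09 198.51.100.7 grace FAIL
2019-07-02T08:01:15 198.51.100.7 grace FAIL
2019-07-02T08:01:40 198.51.100.7 grace SUCCESS
"""


def parse_line(line):
    """Parse one constructed log line into (timestamp, source, user, result)."""
    ts, src, user, result = line.split()
    return datetime.fromisoformat(ts), src, user, result


def detect_spraying(lines, window=timedelta(minutes=15), min_accounts=5, max_per_account=2):
    """Return {source: info} for sources whose attempts inside `window` touch at
    least `min_accounts` distinct accounts with at most `max_per_account`
    attempts each. Successes are counted too, so a spray that lands is reported
    together with the accounts it opened."""
    by_source = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, src, user, result = parse_line(line)
            by_source[src].append((ts, user, result))

    alerts = {}
    for src, events in by_source.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            per_account = Counter(user for _, user, _ in span)
            if (len(per_account) >= min_accounts
                    and max(per_account.values()) <= max_per_account):
                info = {
                    "accounts": len(per_account),
                    "attempts": len(span),
                    "compromised": sorted({u for _, u, r in span if r == "SUCCESS"}),
                }
                prev = alerts.get(src)
                # Keep the widest window seen for this source.
                if prev is None or info["accounts"] > prev["accounts"]:
                    alerts[src] = info
    return alerts


if __name__ == "__main__":
    for src, info in detect_spraying(SAMPLE_AUTH_LOG.splitlines()).items():
        print(f"{src}: {info['accounts']} accounts, {info['attempts']} attempts, "
              f"compromised={info['compromised']}")
```

The thresholds are the tunable part: `min_accounts` sets how wide a spray must be before it is reported, and `max_per_account` keeps ordinary single-user brute force (many failures against one account) out of this alert, since lockout policy already covers that case.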
Methodology of Mobile Application Penetration Testing
The Discovery phase, also called the Information Gathering phase, is the most important stage in any penetration test. In this phase the tester gathers information that is not visible at first glance.
It largely determines whether the mobile penetration test succeeds or fails.
The processes in this phase include the following:
OSINT (Open Source Intelligence): this process helps the Security Consultant gather information about the application from the internet, using sources such as Shodan.io.
Client-Side vs Server-Side: the Security Consultant has to understand the nature of the application, whether native, hybrid or web.
The next phase is distinctive in that the Security Consultant analyses the mobile application both before and after installation.
The tools used during this phase are JD-GUI for Android and otool for iOS.
In the final phase, the Security Consultant tries to exploit the bugs or weaknesses found in order to gain access to the mobile device, and then demonstrates what malicious activity is possible on it.
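Part of the before-installation analysis is reading the application’s manifest for settings that widen its attack surface. The script below is an added example for this page, not a tool from the article or from the JD-GUI or otool projects; it audits an Android manifest that has already been decoded to plain XML and reports a debuggable build, backup allowed, cleartext traffic, and components reachable from other apps without a permission guard. The manifest, package name and component names are constructed; the rule that a component with an intent-filter is exported when no explicit `android:exported` is set reflects the platform’s historical default, and the launcher activity is skipped because it is meant to be reachable.

```python
"""Static audit of a decoded AndroidManifest.xml (added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name):
    """Namespace-qualify an android:* attribute name for ElementTree."""
    return f"{{{ANDROID_NS}}}{name}"


# Constructed manifest (not from the page): one weak build setting per line of interest.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"/>
    <receiver android:name=".BootReceiver" android:permission="com.example.app.PERM" android:exported="true"/>
    <provider android:name=".DataProvider" android:authorities="com.example.app.data" android:exported="false"/>
  </application>
</manifest>
"""


def is_exported(component):
    """Explicit android:exported wins; otherwise an intent-filter implies exported."""
    explicit = component.get(android_attr("exported"))
    if explicit is not None:
        return explicit.lower() == "true"
    return component.find("intent-filter") is not None


def is_launcher(activity):
    """The MAIN activity is expected to be exported; don't report it."""
    for intent_filter in activity.findall("intent-filter"):
        for action in intent_filter.findall("action"):
            if action.get(android_attr("name")) == "android.intent.action.MAIN":
                return True
    return False


def audit_manifest(xml_text):
    """Return a list of findings, application-level first, then per component."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = []
    if app.get(android_attr("debuggable"), "false").lower() == "true":
        findings.append("application:debuggable")
    # allowBackup defaults to true on older API levels, so absence is also a finding.
    if app.get(android_attr("allowBackup"), "true").lower() == "true":
        findings.append("application:allowBackup")
    if app.get(android_attr("usesCleartextTraffic"), "false").lower() == "true":
        findings.append("application:usesCleartextTraffic")
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in app.findall(tag):
            if tag == "activity" and is_launcher(comp):
                continue
            if is_exported(comp) and comp.get(android_attr("permission")) is None:
                name = comp.get(android_attr("name"))
                findings.append(f"{tag}:{name}:exported-without-permission")
    return findings


if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print(finding)
```

Each finding is a lead for the after-installation phase: an exported service without a permission can be driven from any other app on the device, and a debuggable build can be attached to with standard platform tooling.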
Kaspersky researchers have found a money-stealing mobile malware, Riltok, which can deliver new malware variants to the smartphone.
The malware has extended its targeting from Russia to Europe. Riltok was first discovered around mid-2018.
Riltok is a dangerous threat to smartphone users because the Trojan gains control over all of the victim’s financial accounts and steals data such as login credentials and online banking sessions.
How does the Riltok Trojan work?
The attacker sends a phishing SMS message (containing a link to a fake website imitating a well-known one) to the victim’s smartphone.
When the victim clicks the link, it redirects to a website that asks them to install a fake service, disguised as a new service.
Once the fake service is installed on the smartphone, the Riltok malware signals the attacker. It registers itself as a legitimate service and as the default application for handling SMS.
The Trojan’s functions include:
Riltok steals credentials from online banking sessions by presenting a fake online banking application into which victims enter their payment card information.
Riltok hides the activity of other applications and all notifications from the legitimate online banking application.
Kaspersky Lab security specialists advise the following:
Check whether a link in an SMS is a valid link or a dummy one.
Strictly avoid installing any suspicious program from unknown sources.
Always monitor the permissions granted to the applications installed on the smartphone.
Have antivirus installed on the smartphone to protect it. *(Don’t use free antivirus on your smartphone.)
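The first piece of advice, checking whether a link in an SMS is genuine, can be partly automated. The script below is an added example written for this page, not code from Kaspersky or from the article; it pulls every URL out of a message and flags the tells a smishing link usually has: a bare IP address as the host, a punycode (`xn--`) label, a brand name appearing on a domain the brand does not own, and plain HTTP. The message, the brand allowlist and the addresses are constructed, and the registrable-domain helper is an offline approximation (last two labels) rather than a public-suffix lookup.

```python
"""Triage links in an SMS message before tapping them (added example)."""
import re
from urllib.parse import urlparse

# Constructed allowlist (assumption): brand keyword -> domains the brand really uses.
KNOWN_BRANDS = {"example": {"example.com"}}

# Constructed smishing message (not from the page): two bad links, one real one.
SAMPLE_SMS = ("Example Bank: your card has been blocked. Restore access at "
              "http://example.com.login-verify.xyz/verify or at "
              "http://198.51.100.23/example/login. Help: https://www.example.com/help.")

URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.I)


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.
    Assumption: no public-suffix list offline, so 'co.uk'-style suffixes are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_url(url, brands=KNOWN_BRANDS):
    """Return the red flags for one URL; an empty list means nothing looked suspicious."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    parts = urlparse(url)
    host = parts.hostname or ""
    flags = []
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        flags.append("ip-address-host")        # real services rarely link to bare IPs
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode-host")          # possible homograph domain
    domain = registrable_domain(host)
    for brand, legit in brands.items():
        mentioned = brand in host or brand in parts.path.lower()
        if mentioned and domain not in legit:
            flags.append(f"brand-lookalike:{brand}")  # brand name on someone else's domain
    if parts.scheme == "http":
        flags.append("no-tls")
    return flags


def scan_sms(text, brands=KNOWN_BRANDS):
    """Map every URL found in the message to its list of red flags."""
    results = {}
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;:!?)")   # drop sentence punctuation glued to the link
        results[url] = check_url(url, brands)
    return results


if __name__ == "__main__":
    for url, flags in scan_sms(SAMPLE_SMS).items():
        print(f"{url} -> {flags or 'ok'}")
```

The brand-lookalike rule is the one that catches the typical Riltok-style lure: the genuine brand name is placed in a subdomain or path so the link reads as familiar, while the part that actually decides where the browser goes belongs to the attacker.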
Recently, Instagram has been testing new features that will make it harder for attackers to compromise victims’ accounts. High-profile Instagram accounts, belonging to influential people or companies, are the hackers’ target of choice, because the attacker can threaten the user into paying a ransom.
The attacker takes every possible step to ensure the victims cannot get their Instagram profiles back through the traditional method.
Instagram said in a statement:
“We know that losing access to your account can be a distressing experience. We have measures in place to stop accounts from being hacked in the first place, as well as measures to help people recover their accounts, but we heard from the community that these measures aren’t enough, and people are struggling to regain access to their accounts.”
As we know, there are many ways an attacker can compromise Instagram accounts, for example:
The same login and password being reused for an email account that has suffered a data breach.
Last Monday, Instagram announced two new features that help victims retrieve their hacked accounts:
An authentication code is sent to the email address or phone number tied to the account.
Instagram asks the user to enter information such as the email address and phone number tied to the Instagram account.
The user can retrieve their compromised Instagram account even if the attacker has changed the email address and phone number. The other new feature removes the attacker’s access from their device, so they are unable to log back in.
After the victims regain access to their compromised Instagram account, they can choose whether to keep the original email address and phone number or change them.
Separately, Instagram also announced a feature, already rolled out to all Android users and coming to all iOS devices in the near future, to stop name-squatters. This makes it harder for an attacker to take over an account: once the user changes their username, the old username is locked for a period of time before someone else can claim it.
Last Thursday, Amit Serper, Cybereason’s head of security research, warned about attackers exploiting the Exim flaw to gain root access to targeted Linux servers over SSH.
“The campaign uses a private authentication key that is installed on the target machine for root authentication,”
He continued:
“Once remote command execution is established, it deploys a port scanner to search for additional vulnerable servers to infect. It subsequently removes any existing coin miners on the target along with any defenses against coinminers before installing its own.”
How does the flaw work?
Although the flaw was fixed and patches were released in February, many vulnerable servers in the real world still have not been patched.
Below are the statistics from the Shodan.io website relating to the Exim flaw.
Please patch your server if you have not already…
According to Microsoft’s 16 June 2019 update, system administrators have to update the operating systems running in their Azure Virtual Machines (VMs).
Microsoft said:
“As this vulnerability is being actively exploited by worm activity, MSRC urges customers to observe Azure security best practices and patterns and to patch or restrict network access to VMs running the affected versions of Exim,”
BlueKeep, also known as CVE-2019-0708, is a critical remote code execution vulnerability found in older and legacy versions of Windows, such as Windows 7 and earlier. It could give an attacker complete control of the system, allowing them to install any malicious program and modify any data in the operating system.
The vulnerability does not require the attacker to be authenticated in order to exploit the operating system. Because of this, Microsoft has warned all its users to update their Windows operating systems, which is the recommended protection against the vulnerability.
Jake Olcott, vice president at BitSight, said:
It’s surprising that organizations haven’t been more efficient and diligent in patching this vulnerability, particularly given the ominous nature of the warning from both Microsoft and the NSA
Luis Grangeia, BitSight senior security researcher, said:
One million potential beachheads into internal networks when attempting to quantify the total systems at risk, even if there is no other system running Remote Desktop Protocol behind the firewall
Embedded video: CVE-2019-0708 PoC Exploit on Windows Server 2008 R2 x64 - YouTube
Last Wednesday, a high-severity Cisco flaw was found and announced publicly alongside its patch. However, no workaround for this vulnerability has been released.
According to Cisco, this vulnerability does not affect the following software:
Cisco IOS Software
Cisco IOS XR Software
Cisco NX-OS Software
In its advisory, Cisco says:
The vulnerability is due to insufficient CSRF protections for the web UI on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link
The advisory also states:
The vulnerability in the web-based UI (web UI) of Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system
To check whether the HTTP server feature is enabled on the Cisco device, the user can run the following command:
show running-config | include ip http server|secure-server
The command “show version” displays the software release running on the Cisco device.
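When the `include` filter above is run across many devices, the output still has to be read carefully: a `no ip http secure-server` line matches the same regular expression as an enabled one. The script below is an added example written for this page, not a Cisco tool; it emulates the `include` filter over a constructed running-config excerpt, resolves the `no` prefix into an enabled/disabled state, treats a missing line as "not stated, platform default applies", and pulls the release string out of a constructed `show version` line. The hostname, configuration lines and version string are all constructed.

```python
"""Read HTTP-server state out of a Cisco running-config (added example)."""
import re

# Constructed excerpt of 'show running-config' output (not from the page).
SAMPLE_RUNNING_CONFIG = """\
!
hostname edge-router
!
ip http server
no ip http secure-server
ip http authentication local
!
"""

# Constructed first line of 'show version' output (not from the page).
SAMPLE_SHOW_VERSION = "Cisco IOS XE Software, Version 16.09.03\n"


def include(config_text, pattern):
    """Emulate 'show running-config | include <regex>': keep matching lines only."""
    rx = re.compile(pattern)
    return [line for line in config_text.splitlines() if rx.search(line)]


def http_server_state(config_text):
    """Return {feature: True/False/None}. None means the line is absent, so the
    platform default applies, which the 'include' output alone cannot tell you."""
    state = {"ip http server": None, "ip http secure-server": None}
    for line in include(config_text, r"ip http server|secure-server"):
        stripped = line.strip()
        negated = stripped.startswith("no ")   # 'no ...' lines match the regex too
        feature = stripped[3:] if negated else stripped
        if feature in state:
            state[feature] = not negated
    return state


def software_version(show_version_text):
    """Extract the release string from 'show version' output, or None if absent."""
    m = re.search(r"Version\s+([\w.()]+)", show_version_text)
    return m.group(1) if m else None


if __name__ == "__main__":
    print(http_server_state(SAMPLE_RUNNING_CONFIG))
    print(software_version(SAMPLE_SHOW_VERSION))
```

Pairing the two results per device (which HTTP services are on, and which release is running) is what lets an inventory be compared against the advisory’s list of fixed releases.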
Recently, an old Cross-Site Request Forgery vulnerability in WampServer was found to be still unfixed. The previous CVE for this vulnerability is CVE-2018-8817 (https://www.exploit-db.com/exploits/44385).
An attacker can still abuse this old flaw to have virtual hosts added to or deleted from the Apache configuration file.
The scores for this vulnerability are as follows:
CVSS v3: Impact Score 3.6, Exploitability Score 2.8, Base Score 6.5
CVSS v2: Impact Score 4.9, Exploitability Score 8.6, Base Score 5.8
It is advisable to update to WampServer 3.1.9.