www.infysec.com
Demystifying Innovations
Security Testing (12)
Ransomware is a malware that encrypts contents on infected systems and demands payment in bitcoins.
How is it Spreading?
- WannaCry / WannaCrypt encrypts the files on infected Windows systems.
- There are two key components – a worm and a ransomware package
- It spreads laterally between computers on the same LAN by using a vulnerability in implementations of Server Message Block (SMB) in Windows systems.
- It also spreads through malicious email attachments.
- This exploit is named as ETERNALBLUE.
- Initial ransom was of $300 USD but the group is increasing the ransom demands upto $600 in Bitcoin.
There's some potentially bad news for a lot of Oracle customers surfacing today, as it seems the company has fallen victim to a data breach. According to KrebsOnSecurity, the breach affected Oracle's MICROS division, which provides point-of-sale systems and support for many businesses around the world. In fact, the number of locations using MICROS around the world comes in at more than 330,000, spread across 180 different countries.
That makes MICROS one of the most used point-of-sale systems in the world. According to the KrebsOnSecurity report, the breach was considered to be small-scale at first, with anonymous sources claiming that what likely occurred was a single system became infected by malware before spreading that infection to other systems on Oracle's network.
Though Oracle is said to still be investigating the scale of the attack, here's the kicker about this report: a pair of unnamed sources told KrebsOnSecurity that the MICROS customer support portal was seen communicating with a server belonging to the Russain Carbanak Gang, which allegedly has a long and storied history with stealing money through attacks like these.
When discussing the systems that eventually became infected, Krebs' sources mentioned the ticketing system Oracle uses to help MICROS customers troubleshoot problems. These sources also claim that the hackers placed malicious code on the support portal itself, potentially making off with client usernames and passwords.
None of that has been confirmed yet, but Krebs said that Oracle didn't comment on the rumors directly, and we found the same when we got in touch with the company.
While various identity thefts became common incidents, misusage of Pan numbers has emerged as a principal branch of identity theft. The resources of these thefts are the new to people. As per the central Railway regulation, we need to provide our identity proof that will be displayed on the compartment wall along with the name and age. Even though we are aware of the identity theft, this new way of stealing our identity has not struck in our mind.
How Pan Numbers Can Be Misutilised: The game begins here, while you are relaxed and enjoying your journey. After some days, it will come to your notice that your name is in the list of highest revenue paying less tax. Billions of transactions happened in your account, but you have paid less tax. Will you not be shocked by knowing this? Yes, this can happen to you tomorrow.
The real fact is that, criminals take the displayed information from the train, and with the help of latest technologies, they fix their photo with your information on the pan card and submit it as their identity proof. Usually, while doing transaction more than 2 million in jewellery shop, one needs to submit the his Pan Card as an identity proof, where criminals can use yours. Similarly, in banks, more than forty thousand rupees transactions in one day need identity proof that is Pan card. In such cases, your identity can be used. Consequently, you will be the culprit in front of Government as a non taxpayer, and it will cause of penalized.
So, instead of Pancard, show any identity proof like voter ID, driving license etc. to avoid your information to be misused by criminals.
Being cautious and smart in every walk in your life can save you from unnecessary headaches and penalties. Thefts, hacking, cyber crimes always grab our attention. But tomorrow you should not grab others’ attention being a victim. The smart way of being safe is to find out flaws that will give chance criminals to get in.
DMA Locker is a dangerous ransomware, newly discovered, to lock your computer, denying access to your own files. It may cause great tension. This gradually infiltrates and encrypts stored data, and the message is displayed as “All of your files are encrypted by DMA Locker”. Also, DMA locker asks the victim to pay a ransom in exchange for a private key to decrypt the locked file.
As DMA Locker coding is so shoddy, sometimes the malware crashes before victim receives a ransom demand. As a result, users may find its computer inactive without knowing the reason behind it.
How it is Dangerous: Containing all the information regarding encryption and payment, this ransomware displays message stating victim must pay a 15 Bitcoin (BTC) ransom that is equivalent to US$6491.25. Or else, the encrypted data will be lost. Also, victims are provided the instructions to pay step by step. Actually, ransoms demanded by other ransomware type viruses fluctuates between 0.5 to 1.5, making DMA Lockers’ ransom higher.
Process of DMA Locker Removal: The bad news is that there are no tools able to decrypt the files or data. The best way to recover the files is to restore your system from backups. If you are backing up your information on the external server, before ransomware attacks your computer, it is very easy to recover the files or data logging in to the respective interface. Before doing this, ensure to remove the ransomware.
In order to remove the DMA Locker, if you are using Windows XP and Windows 7, restart your computer. During the start process, press F8 key multiple times until you see the Windows Advanced Option menu and select Safe Mode with Networking from the list.
If you are Window 8 users, go to windows 8 start screen, in the search result select setting, type Advanced. Click on Advanced start up options, in the opened 'General PC Settings' window, and then select advanced start up. Click on 'restart now button' to restart your computer into the 'Advanced Startup options menu'. Go ahead and click the 'troubleshoot' button, and click on 'advanced options' button. In the advanced option screen, click 'Startup Settings'. Then click on the ‘Restart button’. Your computer will restart into the startup setting screen. Press F5 to boot in safe mode with networking.
Despite of having high security, you may fall prey to criminals in any form. Do you believe, your customer data have not been stolen? Are your websites completely secured? To know, scan your websites and get the reports in details.
As all we know from the various news channels and websites that Israeli Power Grid Authority had undergone massive cyber attack. But the truth has been revealed that the Power Grid was not affected, the only Israeli Electricity Authority was affected.
Yuval Steinitz, Israel's energy minister, asserted stating, Israel's Electricity Authority, which is the regulator of the Israel power company, was hit by a severe cyber attack. The Power Grid itself was not affected at any cost.
Also, he stated, “The virus was already identified and the right software was already prepared to neutralize it,” he said. “We had to paralyze many of the computers of the Israeli Electricity Authority. We are handling the situation and I hope that soon, this very serious event will be over … but as of now, computer systems are still not working as they should.”
Power Grid Not Affected: The huge misunderstanding between Electricity Authority and Power Grid has been relayed to the world through media. The real fact is that The Israel Electric Authority is no way related to the networks of the Israeli electric companies, distribution sites or transmission. The Israeli Electric Authority is a regulatory body of consisting of few members, and the cyber attack happened on their network.
Tim Erlin, director of security and risk at Tripwire, expressed in reply to the email of SCMagazineUK that the attack doesn't happen on Israel Power Grid, but on the regulatory body, The Electricity Authority. This difference is significant as transmission, generation and distribution facilities have a direct impact on electricity supply than the authority that regulates them.
Before going through this information, one must understand the difference between The Electricity Authority and The Power Grid. The misunderstanding between these two terms, created a lot of confusion.
Gil Shwed, CEO of Check Point Software Technologies, expressed another attack, stating Iran launched a cyber attack that targeted Israeli army generals, scientist and human rights activists in the Arabian Gulf. According to Gil Shwed, the attack commenced a few months ago targeting 1,600 people worldwide. People were sent emails that led to infect their computers with malware upon opening that particular email.
It is out of our predictions how attacks will affect us and in which form. However, precaution is always better than cure. If you are under regular precaution, you will not have to take steps to cure. Scan your websites and know the vulnerabilities to have precautions not to be the victim of cyber attacks.
A severe vulnerability, found in eBay online sale platform, could let attackers launch the Phishing Attack against visitors. Spreading across 30 countries and serving around 150 million active users, eBay has earned the crown of kings in the e-commerce platform. As a successful company, it is no surprise that it has been the target of many attackers. It is discovered that an eBay visitor can be tricked easily by bypassing eBay’s code validation and execute malicious Java script code on target eBay users.
How a visitor can be Tricked: It is very simple to trick visitors through this vulnerability. An Attacker can send a legitimate page that contains malicious code to the target users, and users can be tricked into opening the malicious page. That page triggers the code execution that leads to various attacks starting from Phishing to binary download.
This vulnerability is exposed by a security researcher of Check Point who states “This vulnerability allows attackers to bypass eBay’s code validation and control the vulnerable code remotely to execute malicious Java script code on targeted eBay users. If this flaw is left unpatched, eBay’s customers will continue to be exposed to potential phishing attacks and data theft.”
JSF**k Technique: This is an esoteric and educational programming style that’s based on the atomic parts of JavaScript which uses only six different characters to execute the code. An attacker can use this technique in the description to pull the code. While eBay denies users from including scripts and iFrames in the descriptions by filtering out HTML tags, the validation mechanism fails to validate in the presence of JSF**k code. This technique can bypass the various intrusion prevention systems and web application firewalls with the help of different characters to execute code.
This flaw provides cyber criminals an easiest way to exploit the users sending a link to an attractive product to execute the attack. The attack aims to spread the malware and steal the private information of users. In addition, an attacker could create an alternate login option pop up via Gmail or Facebook and take over the user’s account.
If you scroll down only ten pages, you will find hundred of cyber threats happening every day, especially, e-commerce companies face these problems due to various known or unknown vulnerabilities. Do scan your websites to know the vulnerability and patch it as soon as possible to avoid the cyber threats.
Vulnerabilities are the prime gateways of cyber crimes. Even though it is a small bug, it can be a big weapon of criminals. Three vulnerabilities have been found in Nginx web server that could provide opportunities for the attackers to exploit.
Flaws Found in Different Versions: These flaws are identified in Nginx versions between 0.6.18 and 1.9.9 where the resolver directive is used in the configuration file. An invalid pointer dereference, Use-after-free condition and CNAME resolution flaws, found in Ngnix server, are not much severe, but it can lead to cyber threat. In order to avoid the attacks, you can upgrade to the latest Nginx version 1.9.10 and 1.8.1.
Types of Flaws: As mentioned above, Ngnix Resolver holds three flaws: An invalid pointer dereference, Use-after-free condition and CNAME resolution.
- An invalid pointer dereference: This happens, while DNS server responds, enabling attackers to forge UDP packets from the DNS server to affect worker process crash. Apart from this, there are lots of impacts your website will have.
- Use-after-free condition: User-after-free condition may occur during CNAME response process. It allows attackers to trigger name resolution to cause worker process crash.
- CNAME resolution: The last flaw is Cname resolution that is insufficiently limited where an attacker can trigger arbitrary name resolution that leads to an excessive resource consumption in worker processes.
As per Nginx Security advisory, these problems affect only Nginx 0.6.18 and 1.9.9, if resolver directive is used in the configuration file.
Non-Security Flaws: Apart from these, there are few non security bugs have been discovered in Ngnix server. Nginx version 1.9.10, which is advisable to upgrade, has fixed the issue where the proxy_protocol parameter of the listen directive was not working properly. The other problem was that upstream servers cached incorrectly when using the Keepalive directive, which was fixed in version 1.9.10.
After version 1.7.11 introduced, few problems appeared which prevent Ngnix from starting on different old Linux variants. Version 1.8.1 has come up with the resolution of this problem.
Version 1.8.1 also fixed the issue that was appearing in a worker process, if the alias directives and try file were used inside a location. Other bugs were also fixed.
Recently, Nginx released its flagship product Ngnix Plus R8 that carries a lot of features and it has also improved HTML5 video caching features, HTTP2 capabilities and OAuth authentication. So, if you are running your websites on Nginx server, upgrade it as soon as possible. We, at DoWebScan, are also providing modules of vulnerability test and Penetration test with advanced features to keep your websites secured.
Thousands of e-commerce companies, using Magento, are at risk as critical bug found in Magento. If you are using Magento to run your websites, patch it as soon as possible to protect your websites from massive attacks.
Stored XSS Flaw in Magento: It is found that the stored cross–site scripting (XSS) vulnerability exists in all versions of Magento community edition 1.9.2.2 and earlier including enterprise edition 1.14.2.2 and earlier. There is a plethora of consequences of the stored cross–site scripting (XSS) flaws. An attacker can take over your website via administrator account, steal the credit card information and customers’ data and control the Magento based online store through this flaw.
How It is Exploitable: An attacker can embed the malicious Javascript code inside customer registration forms. Then Magento runs and executes the Javascript code in context of the administrator account that makes possible for an attacker to steal administrator session and have the control on entire server running the e-commerce platform.
According to Sucuri Advisory, "This vulnerability affects almost every install of Magento CE <1.9.2.3 and Magento EE <1.14.2.3. The buggy snippet is located inside Magento core libraries, more specifically within the administrator’s backend. Unless you’re behind a WAF or you have a very heavily modified administration panel, you’re at risk." "As this is a Stored XSS vulnerability, this issue could be used by attackers to take over your site, create new administrator accounts, steal client information, anything a legitimate administrator account is allowed to do."
However, this vulnerability is patched and fixed. So, the awareness of latest bug and fixing it soon, is always considered as an active security action. The regular vulnerability test is required to have your websites secured.
Are you aware of the various attempts taken by the hackers on your website? Everyday sophisticated trials are happening to hack your websites. Every moment is precious for you to protect your website. Even though you follow the regular security system, the tricky ways of hacking can crack the wall of your web security. Hacking is growing rapidly for every business both large and small. Now, the question is, why do Hackers hack your website? A plethora of reasons is roaming in the mind of hackers to target the websites.
Why Hackers Hack Your Website: The known reasons will help you to save your website from the massive cyber attacks. The most common reasons for hacking the websites are:
- Knock Down Your Business: The main goal of your competitors are to affect your website or business severely to shut down. Distributed Denial of Service (DDoS) is the most popular form of server Disruption attack.
- Economic Gains: This digital era has opened the various gates for hackers to steal the money through net banking by placing Banking Trojans. The net banking becomes more significant areas to steal the money.
- Gaining Information (Starting from employees’ data to company data): The most common motives of hackers to leak the information starting from employees’ data to company data that can lead to a great loss for your business.
-
Exposure of Customer’s information: Most of the hackers steal the potential customer’s information and sell it outside. This can break the seal of Trustworthy.
-
Credit Card Information Leakage: Online transaction provides the convenience, but it became the easiest way of privacy breach. Hackers try to steal the credit card information of the customers every day.
-
To Show the Potential: To grab the attention of people and show their own ability/skill, hackers target the popular websites to hack.
Methods of Hacking: “How do they hack“ is also important like “Why do they hack”. Below mentioned descriptions will provide you with fair ideas of various methods of hacking.
- Vulnerability Scanning: It refers to the security technique that identifies the weaknesses of the websites that can be the common gateway of several threats. By applying the sophisticated techniques, hackers can infiltrate the security system to gain the unauthorized access. Once your website has unethical trespassers, various gates will be opened for the hackers to have control on your domain. So, regular Vulnerability Scanning can save your websites from various threats.
- SQL Injection Attack: Hackers can edit, insert and modify the data through this form that can lead to the massive attacks.
- Cross Site Scripting Attack: This attack is also known as XSS attack. It is a type of injection in which malicious scripts are injected into, and XSS vulnerability originates when web applications take data from users and include it dynamically in web pages without validating the data properly.
- Cross-Site Request Forgery Attacks: It happens when a user logs into his account, and a hacker gets an opportunity to send the user forged HTTP request to gain his cookie information.
- DDOS Attack – Distributed Denial Of Service Attack: When a server or machine services are not available to its user, DDOS attacks happen. For instance; when a system is offline, a hacker can proceed to compromise either the entire website or a specific function of a website to their own advantage.
Protect Your Website: Having regular vulnerability Scanning and patching the flaws, offered by DoWebScan, will protect your website from hackers target. Regular scanning will provide you up to date report to keep a protective eye on your website to guard.
What is Kali Linux Rolling: After a long walk, the hacker’s favorite operating system Kali has raised its neck with first rolling releases on 21st January, 2016. Kali Linux is a powerful tool for penetration testing and it has more than 600 ethical hacking tools, in addition of Wireshark, Nmap, Armitage, Aircrack, Burp Suite etc. The last releases, Kali Linux 2.0 brought plethoras of features ranging from GNOME 3 to supporting KDE, GNOME3, Xfce, MATE, e17, lxde and i3wm. But Kali Linux Rolling came with more advanced features and more customizable.
New Changes in Kalli Linux Rolling: It came with the few changes that enable professionals to perform their tasks easily all the time.
- Continuously Updated Penetration Tools: The significant part is to ensure a constant flow of the latest package versions where Kali Linux Rolling ensures the latest stable releases of the tools. This usually takes a time of 24-48 hours from the notification of a new tool update to its packaging, testing, and pushing into our repositories.
- Kali Linux Package Tracker: This is another new feature Kali Linux rolling introduced, and it allows you to follow the evolution of Kali with the help of a powerful web-based interface. You can check the installed and newest versions of tools with the help of this tracker at any moment.
- Installation of VMware Guest Tools: This change emphasizes in the way how VMware guest tools are installed. This release looks after the VMware recommendation that suggests using distribution-specific open-vm-tools instead of the VMware Tools package for the guest machines.
VMware Tools & Open-VM-Tools: The VMware Tools package comes with the VMware products that contain both open source and closed source components while the open VMware Tools Package is just the open source component of the VMware Tools. In general the basic features of both are same, but there are very few extra things VMware Tools includes. If your Linux distro has a VMware Tools package in its repositories, it is based on Open VM Tools, not VMware Tools.
Why It Is Different: Kali Linux is designed to be used in a ”single root user” case, due to the nature of security audit. Most of the penetration testing tools need escalated privileges where as Kali Linux needs only enable root privileges when necessary. Top of that, It contains sysvinit hooks that disable network services by default. Also, it uses an upstream kernel, patched for wireless injection.
DoWebScan adheres all the Kali Linux standards to do penetration testing and uses the advanced tools to provide you accurate report in detail and appropriate solutions. Its aim is to provide strong security to your website with all advanced ways.