Showing results for tags 'Hacking'.

Found 29 results

  1. Team Wordfence have come up with another vulnerability report affecting WordPress sites. This time, the vulnerability existed in the Ninja Forms plugin, which boasts over 1 million active installations. As revealed in their post, they found a CSRF vulnerability in the plugin that appeared due to flaws in two functions. These functions failed to check nonces, thereby failing to verify whether an incoming request is from a legitimate user or not. One of the affected functions is ninja_forms_ajax_import_form, which imports forms with HTML content. Attribution link: https://latesthackingnews.com/2020/05/06/csrf-to-xss-vulnerability-in-ninja-forms-risked-over-1-million-wordpress-sites/
  2. A new PayPal/Facebook scam has been discovered by CyberNews that is allowing blackhat hackers to steal roughly $1.6m per month from regular Facebook users. Those who fell victim to this new scam were not hacked, forced or threatened but instead all sent out money voluntarily to their Facebook friends' bank accounts after receiving the same amount of funds in their PayPal accounts. However, these funds didn't stay in their PayPal accounts for long, as within a few days all of the money they received was removed from their accounts. To make matters worse, since they sent it via bank transfer, they are unable to get their money back. It turns out that their so-called Facebook “friend” asking for money wasn't actually someone they knew at all but rather a hacker that had managed to gain access to one of their friend's accounts. The hacker behind the scam then messaged many of the stolen account's friends until they found someone willing to participate in their complicated scheme. Read More @ https://www.techradar.com/news/this-paypal-and-facebook-scam-might-cost-you-thousands
  3. Fake Chrome Browser Extensions. According to ZDNet, Harry Denley of MyCrypto observed numerous browser extensions with malicious behavior on the Chrome Store. As per his findings, these fake Chrome extensions stole keys from crypto wallets. Sharing the details in a post, Denley explained that he found 49 different Chrome extensions using malicious impersonation. They targeted the crypto wallets Ledger, Trezor, Electrum, Jaxx, KeepKey, Exodus, MyEtherWallet, and MetaMask; among these, Ledger emerged as the most-targeted crypto wallet. Regarding how the extensions worked, researchers stated, Attribution link: https://latesthackingnews.com/2020/04/17/google-removed-49-fake-chrome-browser-extensions-targeting-crypto-wallets/
  4. Recently, Zoom has remained present in the news owing to numerous security issues with their app. While they managed to address most of them, they couldn’t stop the hackers from exploiting the app’s fame. Cybercriminals have now targeted the video conferencing app Zoom owing to its growing popularity amidst COVID-19 and have bundled a seemingly legit Zoom installer with a cryptominer to exploit users. Cryptominer Bundled With Zoom. Researchers from Trend Micro have found cybercriminals targeting the Zoom app installer with a cryptominer. As revealed in their post, hackers have bundled the legit Zoom installer, available on unofficial websites, with Coinminer. In brief, whenever a user attempts to download the Zoom app from a malicious third-party website, the malware reaches their device together with the installer. The bundled AutoIt-compiled malware Trojan.Win32.MOOZ.THCCABO drops numerous files to the device, most of which carry Coinminer. The dropped files also include a task scheduler and the legit Zoom installer for version. The malware gathers various details from the target device regarding the operating system, GPU, CPU, video controllers, and processors. Furthermore, it also checks the system for the presence of Microsoft SmartScreen, Windows Defender, and some other popular antivirus solutions. It also attempts to evade detection by looking for other monitoring tools. Following this discovery, Trend Micro reached out to Zoom officials to inform them of the matter. As stated in their post, Attribution link: https://latesthackingnews.com/2020/04/08/hackers-are-bundling-cryptominer-with-a-seemingly-legit-zoom-installer-on-unofficial-websites/
  5. Critical Firefox Zero-day Bugs. As evident from Mozilla’s recent advisory, two critical-severity bugs existed in the Firefox browser. What’s troublesome is that both vulnerabilities caught the attention of criminal hackers before Mozilla could address them. According to the advisory, both vulnerabilities were use-after-free flaws affecting different components. The first of these, CVE-2020-6819, would exist when running the nsDocShell destructor, whereas the second, CVE-2020-6820, existed during handling of a ReadableStream. A race condition would cause a use-after-free in both cases. Mozilla admitted the exploitation of both vulnerabilities in the wild. As stated, Read More Here: https://latesthackingnews.com/2020/04/05/mozilla-patch-two-zero-day-bugs-that-were-under-exploit-with-firefox-74-0-1/
  6. As people increasingly work from home and online communication platforms such as Zoom explode in popularity in the wake of the coronavirus outbreak, cybercriminals are taking advantage of the spike in usage by registering new fake "Zoom" domains and malicious "Zoom" executable files in an attempt to trick people into downloading malware on their devices. According to a report published by Check Point and shared with The Hacker News, over 1,700 new "Zoom" domains have been registered since the onset of the pandemic, with 25 percent of the domains registered in the past seven days alone. "We see a sharp rise in the number of 'Zoom' domains being registered, especially in the last week," said Omer Dembinsky, Manager of Cyber Research at Check Point. "The recent, staggering increase means that hackers have taken notice of the work-from-home paradigm shift that COVID-19 has forced, and they see it as an opportunity to deceive, lure, and exploit. Each time you get a Zoom link or document messaged or forwarded to you, I'd take an extra look to make sure it's not a trap." Read More Here: https://thehackernews.com/2020/03/zoom-video-coronavirus.html
  7. A newly discovered watering-hole campaign is targeting Apple iPhone users in Hong Kong by using malicious website links as a lure to install spyware on the devices. According to research published by Trend Micro and Kaspersky, the "Operation Poisoned News" attack leverages a remote iOS exploit chain to deploy a feature-rich implant called 'LightSpy' through links to local news websites, which when clicked, executes the malware payload and allows an interloper to exfiltrate sensitive data from the affected device and even take full control. Watering-hole attacks typically let a bad actor compromise a specific group of end-users by infecting websites that they are known to visit, with an intention to gain access to the victim's device and load it with malware. Read more here: https://thehackernews.com/2020/03/iphone-iOS-spyware.html
  8. Multiple zero-day vulnerabilities in digital video recorders (DVRs) for surveillance systems manufactured by Taiwan-based LILIN have been exploited by botnet operators to infect and co-opt vulnerable devices into a family of denial-of-service bots. The findings come from Chinese security firm Qihoo 360's Netlab team, who say different attack groups have been using LILIN DVR zero-day vulnerabilities to spread the Chalubo, FBot, and Moobot botnets at least since August 30, 2019. Netlab researchers said they reached out to LILIN on January 19, 2020, although it wasn't until a month later that the vendor released a firmware update (2.0b60_20200207) addressing the vulnerabilities. https://thehackernews.com/2020/03/ddos-botnets-lilin-dvr.html
  9. Cybercriminals will stop at nothing to exploit every chance to prey on internet users. Even the disastrous spread of SARS-COV-II (the virus), which causes COVID-19 (the disease), is becoming an opportunity for them to likewise spread malware or launch cyber attacks. Reason Cybersecurity recently released a threat analysis report detailing a new attack that takes advantage of internet users' increased craving for information about the novel coronavirus that is wreaking havoc worldwide. The malware attack specifically aims to target those who are looking for cartographic presentations of the spread of COVID-19 on the Internet, and tricks them into downloading and running a malicious application that, on its front-end, shows a map loaded from a legit online source but in the background compromises the computer. New Threat With An Old Malware Component. The latest threat, designed to steal information from unwitting victims, was first spotted by MalwareHunterTeam last week and has now been analyzed by Shai Alfasi, a cybersecurity researcher at Reason Labs. It involves malware identified as AZORult, information-stealing malicious software discovered in 2016. AZORult malware collects information stored in web browsers, particularly cookies, browsing histories, user IDs, passwords, and even cryptocurrency keys. Read more here: https://thehackernews.com/2020/03/coronavirus-maps-covid-19.html
  10. Serious security vulnerabilities have been discovered in Avast’s Antitrack and AVG Antitrack tools. Exploiting the flaws could expose users to MiTM attacks whilst downgrading browsers’ security. Avast AntiTrack Certificate Vulnerability. Reportedly, researcher David Eade found numerous security vulnerabilities in the Avast Antitrack tool. One of these is a vulnerability in the certificate validation feature that could have allowed man-in-the-middle (MiTM) attacks. Elaborating his findings in a post, the researcher stated that Avast Antitrack does not check the validity of certificates presented by the end web server. This makes it trivial for a man-in-the-middle to serve a fake site using a self-signed certificate. An attacker could not only intercept the victim’s traffic but could also hijack live sessions by cloning cookies, thus bypassing two-factor authentication as well. Exploiting this bug required no user interaction, hence becoming entirely possible for a remote attacker. The researcher also noticed two other issues with the same tool. First, it downgraded the browser’s security protocol to TLS 1.0. Second, the cipher suites chosen by the tool did not support Forward Secrecy. Patches Rolled Out. The researcher found the said issues in the Avast Antitrack tool. However, since it shares code with AVG Antitrack as well, the same vulnerabilities also applied to the latter. Specifically, the bugs affected all Avast Antitrack versions prior to, and AVG Antitrack versions below. Upon discovering the flaws in August 2019, the researcher contacted Avast to report the matter. After continued communication in the following months, the vendors eventually patched the flaws. At first, they released Avast Antitrack, and then AVG Antitrack containing the patches. Avast has confirmed the existence and subsequent patching of the vulnerabilities whilst acknowledging the researcher in a separate advisory. As stated, Attribution link: https://latesthackingnews.com/2020/03/12/avast-antitrack-vulnerability-exposed-users-to-mitm-attacks/
  11. T-Mobile has once again made it to the news owing to a security incident. One more time, T-Mobile has suffered a data breach that exposed the personal and financial information of their customers. T-Mobile is presently notifying customers affected during this incident. T-Mobile Data Breach. Reportedly, T-Mobile has once again suffered a data breach affecting numerous users. While it isn’t clear how many users were affected by the breach, the extent of information exposed during the incident sounds huge. Specifically, the incident happened as a result of a malicious attack against their email vendors. As a result, the attackers could gain access to T-Mobile employee email accounts that included customers’ information. The news surfaced online after the service started notifying their customers about a ‘security event’ they recently ‘shut down’. Nonetheless, they have sent these notifications differently to every customer based on the extent of information exposed. For the customers who only suffered a breach of personal details, the company directed them to the PII notice of the breach. In the case of these customers, the affected information included names, addresses, phone numbers, govt. ID numbers, Social Security numbers, billing and account details, rate plans and features, and financial account data. To some other users, the firm forwarded another security notice addressing the breach of account information. For such customers, the exposed data includes personal details such as names, contact numbers, addresses, account numbers, billing information, rate plans and features, whereas their Social Security numbers and financial information remained unaffected during the incident. What Next? Following the incident, the telecom giant began notifying affected customers, though they assured there has been no misuse so far of the exposed details. For users receiving the PII breach notice, T-Mobile has offered free credit monitoring and identity theft services for two years. However, for the other subset of the affected users, the firm hasn’t offered any such compensation. This isn’t the first time that the company has suffered a security incident. In 2018, they twice made it to the news owing to data breaches. Attribution link: https://latesthackingnews.com/2020/03/06/t-mobile-suffer-another-data-breach-affecting-personal-and-financial-data-of-customers/
  12. Another WordPress plugin has now joined the list of plugins exhibiting threatening security flaws. This time, the vulnerability appeared in the GDPR Cookie Consent plugin and risked the integrity of 700,000 websites. GDPR Cookie Consent Plugin Vulnerability. Reportedly, a researcher from NinTechNet, Jerome Bruandet, has discovered a serious vulnerability in the GDPR Cookie Consent plugin. The bug, considering the 700,000+ active installations of the plugin, could have risked thousands of websites. As explained in a blog post, Bruandet found a critical XSS flaw in the plugin that existed due to a lack of capability checks in an AJAX endpoint. In turn, it exposed the values autosave_contant_data and save_contentdata, enabling an attacker to conduct malicious activities. Specifically, exploiting save_contentdata could have let an adversary pull published data offline, or entirely delete it, whereas exploiting autosave_contant_data could allow injecting malicious JavaScript code into the site. Alongside Bruandet, the team at Wordfence has also reviewed this vulnerability after they noticed updates in the plugin. The flaw particularly caught their attention after the plugin was closed for review, as stated in their post. They have deemed the bug a critical-severity flaw with a CVSS score of 9.0. Patch Rolled Out. The researcher Bruandet found the vulnerability and reported it to the plugin developers on January 28, 2020. The bug affected plugin versions up to 1.8.2. Consequently, the developers patched the vulnerability with the release of GDPR Cookie Consent v.1.8.3. Since the fix is out, users must ensure they update their plugin to the latest version to prevent potential exploits. GDPR Cookie Consent is a dedicated WordPress plugin that facilitates site admins in ensuring site compliance with GDPR. Earlier this year, the Wordfence team also discovered vulnerabilities in other WordPress plugins that also threatened thousands of users. These vulnerable plugins include Code Snippets, WP Time Capsule, and InfiniteWP Client.
  13. Another wave of ransomware attacks is targeting systems with a novel strategy. As discovered by researchers, the new ransomware campaign installs malicious Gigabyte drivers on target devices to evade defense mechanisms. Ransomware Campaign Uses Malicious Gigabyte Drivers. Researchers from Sophos Labs have unveiled an active ransomware campaign exploiting Gigabyte drivers. As shared in their report, the new ransomware attack evades security checks by installing malicious Gigabyte drivers on target systems. The researchers investigated two different ransomware incidents involving Robinhood ransomware. In both cases, the attackers also installed signed drivers on the systems to disable the antivirus solution or any other security program. Digging further revealed that the attackers have exploited a known vulnerability, CVE-2018-19320, in the Gigabyte drivers. While the vendors have withdrawn the vulnerable drivers, the drivers still exist. Moreover, the drivers still bear digital signatures from Verisign, who have not revoked the certificates. Thus, the attackers continue to exploit the drivers for waging ransomware attacks on high-profile targets. As stated by the researchers, in this attack scenario the criminals have used the Gigabyte driver as a wedge so they could load a second, unsigned driver into Windows. This second driver then goes to great lengths to kill processes and files belonging to endpoint security products, bypassing tamper protection, to enable the ransomware to attack without interference. The malware places numerous files in the ‘temp’ folder of the target system, which then further execute malicious activities. The table below gives a quick glimpse of these files. Source: Sophos. More details about the attack scenario are available in the researchers’ post. Possible Mitigations. Earlier, having a robust antimalware solution was considered sufficient for protecting against a malware/ransomware attack. However, now that more and more ransomware is adopting different tactics to evade security checks, an antivirus no longer remains a dependable solution. The same applies to Robinhood ransomware attacks as well. Therefore, Sophos recommends employing multiple measures to ensure security. These include the use of multi-factor authentication, having complex passwords, restricting access of users to critical systems/networks, maintaining up-to-date backups, and limiting RDP. Users must also ensure they activate the Tamper Protection feature of their respective security solution to prevent any malware from disabling the endpoint security. Read more here: https://latesthackingnews.com/2020/02/12/new-ransomware-attacks-install-malicious-gigabyte-drivers-to-disable-antivirus/
  14. Cybersecurity researchers have discovered a new critical vulnerability (CVE-2020-7247) in the OpenSMTPD email server that could allow remote attackers to take complete control over BSD and many Linux-based servers. OpenSMTPD is an open-source implementation of the server-side SMTP protocol that was initially developed as part of the OpenBSD project but now comes pre-installed on many UNIX-based systems. According to Qualys Research Labs, who discovered this vulnerability, the issue resides in OpenSMTPD's sender address validation function, called smtp_mailaddr(), which can be exploited to execute arbitrary shell commands with elevated root privileges on a vulnerable server just by sending specially crafted SMTP messages to it. https://thehackernews.com/2020/01/openbsd-opensmtpd-hacking.html
  15. The Japanese vendor Mitsubishi Electric declared a network hack last week in a press release. As revealed at the time (through the translated version of the press release), their network suffered the attack in June 2019. As a result, their system exposed data to the attackers, including “personal information and corporate confidential information”. They did specify that the incident did not expose any important data relating to business partners. However, they did not reveal much technical detail about the incident. Then, in an updated press release, they confirmed that the incident occurred due to unauthorized access to their network and may have leaked some “trade secrets”. According to the (translated version of the) press release, some 200 MB of files were exposed, including data such as employment applicant information (1987 people), employee information (4566 people), and data related to retired employees of affiliate companies (1569 people). It also included some corporate data such as “technical material, sales materials, etc.”. Furthermore, they also explained the cause behind the attack, which turned out to be a bug in their antivirus. As stated (translated), Attribution link: https://latesthackingnews.com/2020/01/28/hackers-exploited-trend-micro-antivirus-zero-day-in-mitsubishi-electric-hack/
  16. Reportedly, Mozilla has recently banned a large number of Firefox browser extensions for malicious activity. The tech giant has banned 197 different add-ons in the previous weeks, which were found running malicious code. Among these, around 129 extensions belonged to 2Ring, which Mozilla removed for executing remote code. This is in contrast to Mozilla’s policy, which does not allow downloading dynamic code from remote servers. For the same reason, Mozilla also banned six extensions belonging to Tamo Junto Caixa, and three other ‘fake premium products’. Similarly, they also banned thirty other add-ons for exhibiting malicious behavior on third-party websites. Other banned extensions include five add-ons for collecting search terms and intercepting searches, and separate batches of two, nine, and three add-ons for using obfuscated code. Attribution link: https://latesthackingnews.com/2020/01/28/mozilla-bans-197-malicious-firefox-add-ons-amidst-crackdown/
  17. The 33-year-old former Amazon software engineer accused of hacking Capital One made little attempt to hide her attack. In fact, she effectively publicized it. It’s one of many riddles swirling around Paige Thompson, who goes by the online handle “erratic.” Well-known in Seattle’s hacker community, Thompson has lived a life of tumult, with frequent job changes, reported estrangement from family, and self-described emotional problems and drug use. More here: https://globalnews.ca/news/5711965/capital-one-hack-paige-thompson/
  18. Researchers from Kaspersky have discovered some old malware active in the wild again. Identified as Faketoken, the old Android banking trojan is now back with more malicious functionality. The malware first emerged several years ago and was among the most widespread banking trojans in 2014. At that time, Faketoken meddled with the device messaging only once to proceed with fraudulent transactions. However, in 2016, it became more sophisticated in stealing money, as it overlaid apps to steal users’ bank account credentials. At the same time, it also served as ransomware by encrypting the device data. In the following year, it emerged whilst impersonating popular e-wallets and mobile banking apps to bluff users. Hijacking Phone For Sending SMS. Elaborating on their findings in a blog post, the researchers stated that their ‘Botnet Attack Tracking’ system recently found at least 5000 devices infected with Faketoken. They found all these devices involved in sending text messages. The researchers considered this behavior ‘unusual’ for a banking trojan. Scratching the surface revealed that the typical banking trojan has now emerged as an even more malicious virus. Faketoken now hijacks the victim devices to send messages to premium rate numbers, and in case of insufficient balance, the attackers behind the malware can top up the victim's mobile account through their bank account. Such messages will further cost the victim, as the researchers found most messages being sent to foreign numbers. For now, it is unclear how Faketoken is targeting devices. Nonetheless, the usual precautions, which are avoiding downloads from third-party app stores, avoiding URLs received via SMS messages, reviewing app permissions, and empowering devices with robust mobile antivirus tools, can help Android users stay safe. Attribution link: https://latesthackingnews.com/2020/01/20/android-banking-trojan-faketoken-now-also-messages-premium-rate-phone-numbers/
  19. The security expert Barak Tawily demonstrated that opening an HTML file in Firefox could allow attackers to steal files stored on a victim’s computer due to a 17-year-old known bug in the browser. The researcher published the details of the attack through the TheHackerNews website and demonstrated that his technique works against the latest version of Firefox. “Barak Tawily, an application security researcher, shared his findings with The Hacker News, wherein he successfully developed a new proof-of-concept attack against the latest version of Firefox by leveraging a 17-year-old known issue in the browser.” reported TheHackerNews. The expert was analyzing the implementation of the Same Origin Policy in Firefox when he discovered that it is vulnerable to a local files theft attack. “Recently, I was performing research on Same Origin Policy attacks, and I managed to realize that the la version of Firefox (currently 67) is vulnerable to a local files theft attack (on any supported OS), due to improper implementation of Same Origin Policy for file scheme URIs. Let’s go over the PoC details, then I will provide an explanation of why it's not patched yet.” wrote the expert. According to Tawily, Firefox didn’t fix the flawed implementation of the Same Origin Policy (SOP) for the File URI Scheme over the years. The expert also shared details of his PoC and a video PoC of the attack. Tawily explained how an attacker can easily steal secret SSH keys of Linux victims if they save downloaded files in the user directory that includes SSH keys in its subfolder.
     • Attacker sends email to victim with an attachment file to be downloaded / Victim browses to a malicious website and downloads the file.
     • The victim opens the malicious HTML file.
     • The file loads the containing folder in an iframe (so my file path is file:///home/user/-malicious.html, and the iframe source will be file:///home/user/).
     • The victim thinks he clicks on a button on the malicious HTML, but in fact he is clicking on the malicious HTML file inside the iframe’s directory listing (using the ClickJacking technique, in order to apply the “context switching bug” which allows me to access the directory listing of my containing folder).
     • The malicious iframe now has escalated privileges and is able to read any file in the folder containing the malicious file (in most cases the downloads folder; in my case it is file:///home/user/).
     • The malicious file is able to read any file in its containing folder (file:///home/user/), such as the SSH private key, by simply fetching the URL file:///home/user/.ssh/ida_rsa and stealing any file with one more fetch request to the attacker’s malicious website with the files’ content.
     • The attacker gains all files in the folder containing the malicious file by exploiting this vulnerability.
     An attacker could successfully carry out the attack by tricking victims into downloading and opening a malicious HTML file in the Firefox web browser and into clicking on a fake button to trigger the exploit. “Tawily told The Hacker News that all the above-mentioned actions could secretly happen in the background within seconds without the knowledge of victims, as soon as they click the button placed carefully on the malicious HTML page.” continues The Hacker News. The expert reported the flaw to Mozilla, but the company seems to have no intention to fix the issue soon. “Our implementation of the Same Origin Policy allows every file:// URL to get access to files in the same folder and subfolders.” reads the reply from Mozilla.
  20. A few days ago, Riviera Beach City agreed to pay $600,000 in ransom; now, less than a week later, another city in Florida has opted to do the same to recover its data after a ransomware attack. The victim is Lake City, Florida, which, during an emergency meeting of the city council held on Monday, voted to pay a ransom demand of 42 bitcoins, worth nearly $500,000. Lake City is a small city in Florida with a population of 65,000 that was hit by ransomware earlier on June 10. “On Monday June 10th, 2019, the City of Lake City was targeted by a malware attack known as ‘Triple Threat.'” states the press release published by the city. “This ransomware program combines three different methods of attack to target network systems. As a result of this attack, many City systems are currently out of order. City personnel are working diligently to establish alternate methods of providing city services.” The systems were hit by a so-called Triple-threat attack, a ransomware attack that involves three different malware. In the past, Triple Threat attacks involved the QUERVAR ransomware, SIREFEF, and ZACCESS. At the time of writing, all City of Lake City email systems are out of order, as are most land-line phones. Other City networks are currently disabled as a precautionary measure, and the IT staff has isolated the Public Safety networks. Within a few minutes of the initial infection, the ransomware compromised almost all the City computer systems, except the systems operated by the police and fire departments that are hosted on a separate network. Most City departments are operating using Emergency Operations cell phones. The activities of the small city have been blocked for nearly two weeks because of the ransomware attack. Crooks made a ransom request a week after the initial infection; they contacted Lake City’s insurance provider, the League of Cities, which negotiated a payment of 42 bitcoins. The city’s IT staff is now working to restore operations after receiving the key to decrypt its data. In July 2018, another Palm Beach suburb, Palm Springs, decided to pay a ransom, but it was not able to completely recover all its data. In March 2019, computers of Jackson County, Georgia, were infected with ransomware that paralyzed the government activity until officials decided to pay a $400,000 ransom to decrypt the files.
  21. Security experts warn of a new piece of malware, Silex, that is bricking thousands of IoT devices, and the situation could rapidly get worse. Akamai researcher Larry Cashdollar discovered the Silex malware, which is bricking thousands of IoT devices; over 2,000 devices have been bricked in a few hours, and the expert is continuing to see new infections. Cashdollar explained that the Silex malware trashes the storage of the infected devices, drops firewall rules and wipes network configurations before halting the system. The only way to recover infected devices is to manually reinstall the device’s firmware. Silex is not the first IoT malware with this behavior; back in 2017, BrickerBot bricked millions of devices worldwide. According to ZDNet, which interviewed the malware’s creator, the attacks are about to intensify in the coming days. “The malware had bricked around 350 devices when this reporter began investigating its operations, and the number quickly spiked to 2,000 wiped devices by the time we published, an hour later.” reported ZDNet. “Attacks are still ongoing, and according to an interview with the malware’s creator, they are about to intensify in the coming days.” The researcher Ankit Anubhav was also able to trace the attacker and confirmed that the bot was developed to brick the infected IoT devices. Anubhav believes that the Silex malware was developed by a teenager using the online moniker Light Leafon. The same person has also created the ITO IoT botnet. According to Cashdollar, the Silex malware uses a list of known default credentials for IoT devices in an attempt to log in and perform malicious actions. The malware writes random data from /dev/random to any mounted storage it finds. “I see in the binary it’s calling fdisk -l which will list all disk partitions,” Cashdollar told ZDNet.
“It then writes random data from /dev/random to any partitions it discovers.” The malware also deletes network settings and any other data on the device, then flushes all iptables entries before halting or rebooting the device. The IoT malware is targeting any Unix-like system with default login credentials; according to Cashdollar, it leverages a Bash shell version to target any architecture running a Unix-like OS. The malware could brick Linux servers that have Telnet ports open and use known credentials. The IP address (185[.]162[.]235[.]56) behind the attacks observed by the experts is hosted on a VPS server owned by novinvps.com, which is operated out of Iran. According to Ankit Anubhav, who spoke with the author of the malware, the developer has definitively abandoned the HITO botnet for Silex and plans to implement other destructive features (SSH hijacking capability, adding exploits into Silex). At this time Light’s motivation for these attacks is not clear; let’s hope he will use his talent for legal and good projects.
  22. The US Justice Department just officially charged Wikileaks co-founder Julian Assange, shortly after he was removed from the Ecuador embassy in London and arrested by local police. The charge is "conspiracy to commit computer intrusion" for agreeing to break a password to a classified US government computer. The Justice department also said it was in relation to "Assange's alleged role in one of the largest compromises of classified information in the history of the United States." It's the same allegation that was made in the Chelsea Manning trial in 2013, in which the former US Army private was found guilty of theft and espionage in relation to the release of classified government documents. But now that Assange has had his asylum revoked by the Ecuadorian government and has been arrested, he can finally be extradited to the US to face these charges. More specifically, the Justice Department alleges that Assange conspired to assist Manning in cracking a password that allowed access to US Department of Defense computers that contained classified information. The alleged conspiracy was said to be carried out in March of 2010, a time when Manning was already using her access to download documents and transmit them to WikiLeaks. The DoJ alleges that during their communications, Assange actively encouraged Manning to provide more information, even after she said that there was nothing left to send -- the charge of conspiracy to commit computer intrusion relates to Assange's offer to help break a password to get more classified info. If found guilty, Assange would face up to five years in prison, though the Justice Department notes that actual sentences are often less than the maximum penalty. That said, there could be more charges against Assange coming from the US -- these revealed today are just the basis of the US's extradition request. 
Before Assange can stand trial in the US, however, he needs to be extradited from the UK, a process that could take months or even years. Even if a UK judge agrees to the US government's request, Assange is likely to appeal that decision through the various layers of the UK court system. Shortly after the US charges were revealed, Assange appeared in London at Westminster Magistrates' Court. A District Judge quickly found Assange guilty of failing to surrender to police on June 29th, 2012. He was out on bail in August of 2012 when he went into the Ecuadorian embassy in London; he then claimed asylum and lived there until today. His next appearance in UK court is now set for May 2nd (via video link), at which time the US extradition request will be discussed. Source: Engadget
  23. Security experts at Bad Packets uncovered a DNS hijacking campaign that is targeting the users of popular online services, including Gmail, Netflix, and PayPal. Experts at Bad Packets uncovered a DNS hijacking campaign that has been ongoing for the past three months; attackers are targeting the users of popular online services, including Gmail, Netflix, and PayPal. Hackers compromised consumer routers and modified the DNS settings to redirect users to fake websites designed to trick victims into providing their login credentials. Bad Packets experts have identified four rogue DNS servers being used by attackers to hijack user traffic. “Over the last three months, our honeypots have detected DNS hijacking attacks targeting various types of consumer routers.” reads the report published by Bad Packets. “All exploit attempts have originated from hosts on the network of Google Cloud Platform (AS15169). In this campaign, we’ve identified four distinct rogue DNS servers being used to redirect web traffic for malicious purposes.” Experts pointed out that all exploit attempts have originated from hosts on the network of Google Cloud Platform (AS15169). The first wave of DNS hijacking attacks targeted D-Link DSL modems, including the D-Link DSL-2640B, DSL-2740R, DSL-2780B, and DSL-526B. The DNS server used in this attack was hosted by OVH Canada (66[.]70.173.48). The second wave of attacks targeted the same D-Link modems, but attackers used a different rogue DNS server (144[.]217.191.145) hosted by OVH Canada. The fourth wave of DNS hijacking attacks originated from three distinct Google Cloud Platform hosts and involved two rogue DNS servers hosted in Russia by Inoventica Services (195[.]128.126.165 and 195[.]128.124.131). In all the DNS hijacking attacks the operators performed an initial recon scan using Masscan. Attackers check for active hosts on port 81/TCP before launching the DNS hijacking exploits.
The campaigns aim at users of Gmail, PayPal, Netflix and Uber; attackers also hit several Brazilian banks. Experts found over 16,500 vulnerable routers potentially exposed to this DNS hijacking campaign. “Establishing a definitive total of vulnerable devices would require us to employ the same tactics used by the threat actors in this campaign. Obviously this won’t be done, however we can catalog how many are exposing at least one service to the public internet via data provided by BinaryEdge” continues Bad Packets. Experts explained that attackers abused Google’s Cloud platform for these attacks because it is easy for anyone with a Google account to access a “Google Cloud Shell.” This service offers users the equivalent of a Linux VPS with root privileges directly in a web browser. Further technical details, including IoCs, are reported in the analysis published by Bad Packets: https://badpackets.net/ongoing-dns-hijacking-campaign-targeting-consumer-routers/
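As an added example (not code from the post or from Bad Packets), the following Python script shows the check a defender would run after reading the report above: pull the resolver addresses out of a router's configuration dump and compare them against the four rogue DNS servers the post names. The addresses are the ones listed above, written defanged as the post writes them; the router dump, the keyword patterns and the function names are constructed for this example and are not from the report.

```python
import ipaddress
import re

# The four rogue resolvers named in the Bad Packets report quoted above,
# kept defanged ("[.]") the way the post prints them.
ROGUE_RESOLVERS_DEFANGED = [
    "66[.]70.173.48",       # first wave, hosted by OVH Canada
    "144[.]217.191.145",    # second wave, hosted by OVH Canada
    "195[.]128.126.165",    # fourth wave, Inoventica Services (Russia)
    "195[.]128.124.131",    # fourth wave, Inoventica Services (Russia)
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 1[.]2[.]3[.]4 back into 1.2.3.4."""
    return indicator.replace("[.]", ".")


ROGUE_RESOLVERS = {ipaddress.ip_address(refang(v)) for v in ROGUE_RESOLVERS_DEFANGED}

# Matches "nameserver 1.2.3.4" (resolv.conf style) and "wan_dns1=1.2.3.4"
# (nvram/status-page style). The keyword set is an assumption for this
# example; extend it for the dump format of the router being audited.
_DNS_LINE = re.compile(r"(?:nameserver|dns\w*)\s*[=:]?\s*([0-9.]+)", re.IGNORECASE)


def extract_resolvers(config_text: str) -> list:
    """Return the resolver addresses found in a config dump, in file order.

    Malformed literals (e.g. an octet above 255) are skipped rather than
    treated as a resolver, so a bad line cannot hide a real one.
    """
    found = []
    for line in config_text.splitlines():
        match = _DNS_LINE.search(line)
        if not match:
            continue
        try:
            found.append(ipaddress.ip_address(match.group(1)))
        except ValueError:
            continue
    return found


def check_resolvers(config_text: str) -> dict:
    """Map each configured resolver to a verdict.

    'rogue'    -> on the report's list of hijacking resolvers
    'local'    -> RFC 1918 or loopback (the router or ISP-assigned LAN resolver)
    'external' -> a public resolver not on the list; worth a second look but
                  not evidence of this campaign on its own
    """
    verdicts = {}
    for addr in extract_resolvers(config_text):
        if addr in ROGUE_RESOLVERS:
            verdicts[str(addr)] = "rogue"
        elif addr.is_private or addr.is_loopback:
            verdicts[str(addr)] = "local"
        else:
            verdicts[str(addr)] = "external"
    return verdicts


# Constructed sample dump (not captured from a real device): one hijacked
# WAN resolver, one public resolver, the LAN gateway, and a malformed line.
SAMPLE_ROUTER_DUMP = """\
# constructed sample status export
wan_dns1=144.217.191.145
wan_dns2=8.8.8.8
lan_dns=192.168.1.1
nameserver 300.1.1.1
"""


if __name__ == "__main__":
    for resolver, verdict in check_resolvers(SAMPLE_ROUTER_DUMP).items():
        print(f"{resolver:>16}  {verdict}")
```

A hit on the rogue list means the device's DNS settings were changed and should be reset (and the device's management interface taken off the WAN side), not just the resolver corrected; the report's note that the scans target port 81/TCP is the reason to check that exposure at the same time.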
  24. Security researchers discovered weaknesses in WPA3 that could be exploited to recover WiFi passwords by abusing timing or cache-based side-channel leaks. One of the main advantages of WPA3 is that it’s near impossible to crack the password of a network because it implements the Dragonfly handshake. Unfortunately, we found that even with WPA3, an attacker within range of a victim can still recover the password of the Wi-Fi network. Security researchers Mathy Vanhoef and Eyal Ronen discovered weaknesses in the early implementation of WPA3-Personal that could be exploited by an attacker within range of a victim to recover WiFi passwords by abusing timing or cache-based side-channel leaks. An attacker can steal sensitive transmitted information, including credit card numbers, passwords, emails, and chat messages. “Concretely, attackers can then read information that WPA3 was assumed to safely encrypt. This can be abused to steal sensitive transmitted information such as credit card numbers, passwords, chat messages, emails, and so on.” reads a dedicated website published by the experts that describes the DragonBlood research. The experts provided technical details about two design flaws in WPA3 that could be exploited to carry out downgrade attacks and side-channel leaks.
Devices that support WPA3 must guarantee backward compatibility with WPA2, and this is done by supporting a “transitional mode of operation” that can accept connections using both WPA3-SAE (the Simultaneous Authentication of Equals (SAE) handshake, aka Dragonfly) and WPA2. The security duo demonstrated that the transitional mode is vulnerable to downgrade attacks. An attacker could abuse it to set up a rogue AP that only supports WPA2, forcing WPA3-certified devices to connect using WPA2’s insecure 4-way handshake. “We present a dictionary attack against WPA3 when it is operating in transition mode. This is accomplished by trying to downgrade clients to WPA2. Although WPA2’s 4-way handshake detects the downgrade and aborts, the frames sent during the partial 4-way handshake provide enough information for a dictionary attack.” reads the DragonBlood research paper. “We also present a downgrade attack against SAE, and discuss implementation-specific downgrade attacks when a client improperly autoconnects to a previously used WPA3-only network.” The attackers need to know the SSID of the WPA3-SAE network to carry out the attack; the experts pointed out that a man-in-the-middle position is not needed. Anyway, the attacker must be close to a client to broadcast a WPA2-only network with the given SSID and force the target to connect to the rogue AP using WPA2. The experts detailed two side-channel attacks against Dragonfly’s password encoding method (Cache-based (CVE-2019-9494) and Timing-based (CVE-2019-9494) attacks) that could be exploited by attackers to perform a password partitioning attack and obtain the Wi-Fi password. “The cache-based attack exploits Dragonfly’s hash-to-curve algorithm, and our timing-based attack exploits the hash-to-group algorithm. The information that is leaked in these attacks can be used to perform a password partitioning attack, which is similar to a dictionary attack. The resulting attacks are efficient and low cost.” wrote the experts.
“our cache-based attack exploits SAE’s hash-to-curve algorithm. The resulting attacks are efficient and low cost: bruteforcing all 8-character lowercase passwords requires less than 125$ in Amazon EC2 instances” continues the paper. To carry out the password partitioning attack, the experts need to record several handshakes with different MAC addresses. It is possible to record them by targeting multiple devices in the same network (e.g. tricking multiple users into downloading the same malicious application). If the attackers are only able to hit one client, then it is necessary to set up rogue APs with the same SSID but a spoofed MAC address. The experts also demonstrated how to abuse the side-channel defenses of SAE (against already-known leaks) to introduce overhead and cause a denial-of-service (DoS) condition. They were also able to bypass SAE’s anti-clogging mechanism, which is supposed to prevent DoS attacks. “An adversary can overload an AP by initiating a large amount of handshakes with a WPA3-enabled Access Point (AP). Although WPA3 contains a defense to prevent such denial-of-service attacks, it can be trivially bypassed.” continue the experts. “By repeatedly initiating handshakes from spoofed MAC addresses, the AP performs many costly password derivation operations (i.e. it performs many executions of the “Hunting and Pecking” algorithm). Depending on the AP under attack, this may consume all resources of the AP.” The experts plan to release the following four separate proof-of-concept tools to test the vulnerabilities they described.
Dragondrain: a tool that can test to what extent an Access Point is vulnerable to DoS attacks against WPA3’s Dragonfly handshake.
Dragontime: an experimental tool to perform timing attacks against the Dragonfly handshake.
Dragonforce: an experimental tool that takes the information recovered from the timing attacks and performs a password partitioning attack.
Dragonslayer: a tool that implements attacks against EAP-pwd.
The researchers reported their findings to the WiFi Alliance and are working with vendors to address the flaw in existing WPA3-certified devices. Below is the press release published by the WiFi Alliance:
  25. A group of hackers is using a previously undocumented backdoor program designed to interact with attackers over Slack. While abusing legitimate services for malware command-and-control purposes is not a new development, this is the first time researchers have seen Slack, a popular enterprise collaboration tool, being used in this way. The backdoor was detected by security firm Trend Micro in a targeted attack launched from the compromised website of an organization called the Korean American National Coordinating Council, which posts articles related to North and South Korean politics. The technique of infecting websites that are of interest to a particular group of individuals or organizations is known as a "watering hole" attack. It's not clear if victims were directed to the website via an email campaign or if attackers just waited for regular visitors, but the site was modified to host an exploit for a remote code execution vulnerability in the Windows VBScript engine. That vulnerability is tracked as CVE-2018-8174 and can be exploited through Internet Explorer. However, the flaw was patched by Microsoft in May 2018, so having an up-to-date operating system would have prevented the attack. https://www.itworld.com/article/3359182/hackers-use-slack-to-hide-malware-communications.html