This is a neat tool to test for open relays. While most true open relays have disappeared these days, internal relaying is just as dangerous. Why? Imagine Mr Tom Smith is the boss of Mr Jack Miller. Through an internal relay, anyone on the network can send Tom Smith an insulting email that appears to come from Jack Miller, which could cost Jack his contract. Likewise a fake Smith-to-Miller mail could cause serious disturbance. We come across these internal relay problems in many of our audits. Disable unauthenticated internal mail relaying!
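What the audit check actually does, as an added example (this is not the tool referred to above and not Cyber51's code): the probe speaks plain SMTP to the server without authenticating and tries two envelopes, an external-to-external one (classic open relay) and an internal-to-internal one with a spoofed colleague as sender. A 2xx answer to both MAIL FROM and RCPT TO means the server would take the message. The domain names, the server banner and the constructed fake MTA used to run it offline are assumptions.

```python
import socket
import threading

INTERNAL_DOMAIN = "example.com"   # assumption: the audited organisation's mail domain
EXTERNAL_DOMAIN = "example.net"   # assumption: unrelated domain for the open-relay probe


def read_reply(rf):
    """Read one SMTP reply ('250-...' lines continue it) and return the 3-digit code."""
    while True:
        line = rf.readline()
        if not line:
            raise ConnectionError("server closed the connection")
        text = line.decode("latin-1").rstrip("\r\n")
        code = int(text[:3])
        if len(text) < 4 or text[3] != "-":
            return code


def send_cmd(rf, wf, line):
    wf.write((line + "\r\n").encode("latin-1"))
    wf.flush()
    return read_reply(rf)


def relay_probe(sock, helo_name="audit.example.org"):
    """Try two unauthenticated envelopes; True means the server would relay that mail."""
    rf, wf = sock.makefile("rb"), sock.makefile("wb")
    probes = {
        "open_relay": (f"attacker@{EXTERNAL_DOMAIN}", f"someone@{EXTERNAL_DOMAIN}"),
        "internal_spoof": (f"tom.smith@{INTERNAL_DOMAIN}", f"jack.miller@{INTERNAL_DOMAIN}"),
    }
    results = {}
    read_reply(rf)                                   # 220 banner
    send_cmd(rf, wf, f"EHLO {helo_name}")
    for name, (sender, rcpt) in probes.items():
        send_cmd(rf, wf, "RSET")
        accepted = send_cmd(rf, wf, f"MAIL FROM:<{sender}>") < 300
        accepted = accepted and send_cmd(rf, wf, f"RCPT TO:<{rcpt}>") < 300
        results[name] = accepted
    send_cmd(rf, wf, "QUIT")
    return results


def fake_mta(sock, allow_unauth_internal):
    """Constructed stand-in for a real MTA so the probe runs offline.

    It never relays to foreign domains; it relays internal-to-internal mail
    without authentication only when allow_unauth_internal is True.
    """
    rf, wf = sock.makefile("rb"), sock.makefile("wb")

    def say(text):
        wf.write((text + "\r\n").encode("latin-1"))
        wf.flush()

    say("220 mail.example.com ESMTP constructed test server")
    while True:
        line = rf.readline().decode("latin-1").strip()
        if not line:
            break
        verb = line.split(":")[0].split(" ")[0].upper()
        if verb == "EHLO":
            say("250-mail.example.com")
            say("250 AUTH PLAIN LOGIN")
        elif verb in ("MAIL", "RSET"):
            say("250 2.1.0 OK")
        elif verb == "RCPT":
            rcpt_domain = line.rsplit("@", 1)[1].rstrip(">")
            if rcpt_domain != INTERNAL_DOMAIN:
                say("554 5.7.1 Relay access denied")
            elif allow_unauth_internal:
                say("250 2.1.5 OK")
            else:
                say("530 5.7.0 Authentication required")
        elif verb == "QUIT":
            say("221 2.0.0 Bye")
            break
        else:
            say("500 5.5.1 Command unrecognized")
    sock.close()


def probe_fake(allow_unauth_internal):
    """Run relay_probe against the constructed MTA over a socketpair."""
    client, server = socket.socketpair()
    t = threading.Thread(target=fake_mta, args=(server, allow_unauth_internal), daemon=True)
    t.start()
    try:
        return relay_probe(client)
    finally:
        client.close()
        t.join(timeout=5)


if __name__ == "__main__":
    print("misconfigured MTA:", probe_fake(True))    # internal_spoof accepted
    print("hardened MTA:     ", probe_fake(False))
```

Against a real server, replace the socketpair with socket.create_connection((host, 25)) and pass that socket to relay_probe. The "internal_spoof" result is the one most audits miss: an MTA that correctly refuses to relay to the outside world can still accept a forged internal sender from any unauthenticated client on the LAN.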
The following Google dork reveals open FTP directories that Google has spidered and indexed. Shocking! As always, use responsibly, but do test your own web site by adding the site: operator:
site:yourdomain.com inurl:ftp -inurl:(http|https)
An unknown hacker or group of hackers has just claimed to have hacked “Equation Group”, a cyber-attack group allegedly associated with the United States intelligence organisation NSA, and dumped a bunch of its tools (malware, private exploits and other hacking tools) online.
In what security experts say is either a one-of-a-kind breach or an elaborate hoax, an anonymous group has published what it claims are sophisticated software tools belonging to an elite team of hackers tied to the US National Security Agency.
In a recently published blog post, the group calling itself Shadow Brokers claims the leaked set of exploits was obtained after members hacked Equation Group (the post has since been removed from Tumblr, but a cached version here was still available as this post was going live). Last year, Kaspersky Lab researchers described Equation Group as one of the world’s most advanced hacking groups, with ties to both the Stuxnet and Flame espionage malware platforms. The compressed data accompanying the Shadow Brokers post is slightly bigger than 256 megabytes and purports to contain a series of hacking tools dating back to 2010. While it wasn’t immediately possible for outsiders to prove that the posted data, mostly batch scripts and poorly coded Python scripts, belonged to Equation Group, there was little doubt the data originated with some advanced hacking group.
The files mostly contained installation scripts, configurations for command-and-control (C&C) servers, and exploits allegedly designed to target routers and firewalls from American manufacturers including Cisco, Juniper and Fortinet.
According to the leaked files, Chinese company ‘Topsec’ was also an Equation Group target.
The leak mentioned names of some of the hacking tools that correlate with names used in the documents leaked by whistleblower Edward Snowden, like “BANANAGLEE” and “EPICBANANA.”
It is not yet confirmed whether the leaked files are legitimate, but some security experts agree that they likely are. “I haven’t tested the exploits, but they definitely look like legitimate exploits,” Matt Suiche, founder of UAE-based cyber security firm Comae Technologies, told the Daily Dot.
Others say the leak could be a very well-researched hoax, and that the Bitcoin auction could be nothing but a distraction in an attempt to gain media attention.
At the same time, the Risk Based Security post cautioned that so-called false-flag operations, in which attackers manufacture evidence that falsely implicates others, are a regular occurrence in hacking campaigns, particularly those sponsored by nations. If the claims in the Shadow Brokers’ post are true, this may be one of the only publicly known times the NSA has been compromised. But even if the claims turn out to be exaggerated, the Shadow Brokers’ post is significant, if only for the amount of work and planning that went into fabricating evidence to provoke one of the world’s most advanced hacking operations.
Tsinghua University postgraduate student Jianjun Chen has reported a critical cache poisoning vulnerability in the Squid proxy server, a transparent cache widely deployed by internet service providers.
The vulnerability allows attackers to poison the cache using a maliciously crafted HTTP request. A patch has been produced for the daily builds but has not yet been shipped in a regular release, according to researchers.
Chen says the attack can be executed against versions 3.5.12 and below using malicious Flash advertisements.
“The attack enables cache poisoning of ANY unencrypted HTTP website,” he says.
Cache Poisoning issue in HTTP Request handling
Incorrect input validation of HTTP Request messages lets clients use an absolute-URI on port 80 to bypass the protection previously added to Squid for CVE-2009-0801 and other related attack vectors. This can lead to cache poisoning of the Squid and browser caches, bypass of same-origin and sandbox protections in browsers.
“The scenario requires an attacker who can send HTTP requests that pass through a shared transparent cache controlled by the attacker” before hitting a victim site. It’s not hard to stage the attack as “… attackers can readily obtain the necessary vantage point using techniques such as web ads.”
“For successful exploitation, an attacker must be able to send requests to some website (like attack.com) through the proxy server. Under this scenario, the attacker first establishes a TCP connection with the attack.com web server. Because Squid works in transparent proxy mode, these requests are intercepted and forwarded. At the next stage, the attacker sends the following HTTP request:
GET http://victim.com/ HTTP/1.1
Host: attack.com
The cache module uses the host address from the request string (victim.com) to create the key; however, the verification module uses the Host header (attack.com) to check the correspondence between the host and the IP address. This is what makes the attack possible.”
The vulnerability was already fixed but there is still no CVE for the issue or patched version of Squid available. The bug fix is included only in the daily builds for 4 and 3.5 versions.
C51 Security researchers recommend enabling the host_verify_strict option, which is disabled by default, and considering the Suricata intrusion detection system rules that detect exploitation attempts.
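To make the key/verification mismatch concrete, here is an added model of the proxy's decision for one intercepted request; it is illustrative code written for this post, not Squid's source. The cache key is built from the host in the absolute-URI, while host verification (the CVE-2009-0801 protection) only checks that the Host header resolves to the address the client was really connecting to. The strict flag stands in for host_verify_strict and additionally refuses a request whose URI host disagrees with its Host header. The DNS table and the two requests are constructed; the addresses come from documentation ranges.

```python
from urllib.parse import urlsplit

# Constructed DNS view (TEST-NET documentation addresses).
DNS = {"attack.com": "198.51.100.7", "victim.com": "203.0.113.9"}


def parse_request(raw):
    """Split an HTTP/1.1 request head into (method, request-target, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ")
    headers = {}
    for h in header_lines:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def split_target(target):
    """Return (host, path); host is None for an origin-form target such as '/'."""
    if target.startswith("/"):
        return None, target
    parts = urlsplit(target)
    return parts.hostname, parts.path or "/"


def intercept(raw, dst_ip, strict):
    """Decide what the proxy does with one intercepted request.

    dst_ip is the IP the client's TCP connection was actually going to.
    Returns ('CACHE', key) when the fetched response would be stored under key,
    or ('REJECT', reason).
    """
    _method, target, headers = parse_request(raw)
    host_header = headers.get("host", "")
    uri_host, path = split_target(target)

    # Host verification: the Host header must resolve to the intercepted destination.
    if DNS.get(host_header) != dst_ip:
        return ("REJECT", "Host header does not match intercepted destination")

    # host_verify_strict equivalent: never trust an absolute-URI host that
    # disagrees with the verified Host header.
    if strict and uri_host is not None and uri_host != host_header:
        return ("REJECT", "absolute-URI host differs from Host header")

    # Vulnerable behaviour: the key comes from the absolute-URI host, so the
    # response fetched from dst_ip (attack.com) lands under victim.com's key.
    key_host = uri_host or host_header
    return ("CACHE", f"http://{key_host}{path}")


# Constructed requests: a normal one, and the mismatch from the write-up above.
LEGIT = "GET / HTTP/1.1\r\nHost: victim.com\r\n\r\n"
POISON = "GET http://victim.com/ HTTP/1.1\r\nHost: attack.com\r\n\r\n"

if __name__ == "__main__":
    print(intercept(LEGIT, DNS["victim.com"], strict=False))
    print(intercept(POISON, DNS["attack.com"], strict=False))   # poisoned key
    print(intercept(POISON, DNS["attack.com"], strict=True))    # rejected
```

The second call is the whole bug in one line of output: verification passes because attack.com really does resolve to where the client connected, yet the cache key says victim.com. The third call shows why the strict option closes it.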
Researchers have discovered several vulnerabilities in the popular image processing suite ImageMagick, including a serious remote code execution flaw that has been exploited in the wild.
ImageMagick is a free and open-source software package that allows users to display, convert and edit image files. The ImageMagick library is used by many image-processing plugins, which means that the software is present in a large number of web applications.
The vulnerability resides in ImageMagick, a widely used image-processing library that’s supported by PHP, Ruby, NodeJS, Python, and about a dozen other languages. Many social media and blogging sites, as well as a large number of content management systems, directly or indirectly rely on ImageMagick-based processing so they can resize images uploaded by end users.
While analyzing a flaw found by a researcher who uses the online moniker “Stewie,” Nikolay Ermishkin from the Mail.Ru security team discovered a remote code execution vulnerability (CVE-2016-3714) related to insufficient filtering of shell characters.
The vulnerability, dubbed “ImageTragick,” can be exploited by uploading a specially crafted file to a website that processes images using ImageMagick.
An attacker can create an exploit file and give it an image extension, such as .png, in order to bypass the targeted site’s file type checks. ImageMagick determines the file type not from the extension but from so-called “magic bytes,” the first few bytes of a file that are specific to each file type. Once it detects that the file is not actually a PNG, ImageMagick processes it with the coder for the format it did detect, and the malicious code embedded in the file is executed during the conversion, giving the attacker access to the targeted server.
An exploit for this vulnerability is publicly available and experts say it has already been leveraged in the wild.
ImageMagick developers attempted to patch the vulnerability with the release of versions 6.9.3-9 and 7.0.1-0 on April 30, but researchers say the fix is incomplete. Another patch will be included in ImageMagick 7.0.1-1 and 6.9.3-10, which are expected to become available by this weekend.
In the meantime, users have been advised to disable vulnerable coders by modifying their policy files. Another mitigation involves verifying that magic bytes correspond to image file types before sending the file to ImageMagick for processing.
Use a policy file to disable the vulnerable ImageMagick coders. The global policy for ImageMagick is usually found in ‘/etc/ImageMagick’.
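Both mitigations above, as an added example written for this post (not ImageMagick's or Mail.Ru's code): the upload handler refuses any file whose magic bytes do not match the type its extension claims, so a text-based ImageMagick format renamed to .png is dropped before ImageMagick ever chooses a coder for it; the second function parses a policy.xml and reports which of the risky coders it leaves enabled. The coder list is the one published with the ImageTragick advisory, not something stated in this post; the sample files and both policy snippets are constructed.

```python
import xml.etree.ElementTree as ET

# Magic bytes for the raster types this upload handler accepts.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
EXTENSIONS = {"png": "png", "jpg": "jpeg", "jpeg": "jpeg", "gif": "gif"}


def sniff_image_type(data):
    """Return the type implied by the leading bytes, or None if not a known raster format."""
    for kind, prefixes in MAGIC.items():
        if any(data.startswith(p) for p in prefixes):
            return kind
    return None


def accept_upload(filename, data):
    """Admit the file only when its extension and its magic bytes agree."""
    ext = filename.rsplit(".", 1)[-1].lower()
    claimed = EXTENSIONS.get(ext)
    actual = sniff_image_type(data)
    return actual if claimed is not None and claimed == actual else None


# Coders the public ImageTragick advisory recommends disabling (assumption:
# list taken from that advisory, not from this post).
RISKY_CODERS = {"EPHEMERAL", "URL", "HTTPS", "MVG", "MSL", "TEXT", "SHOW", "WIN", "PLT"}


def risky_coders_still_enabled(policy_xml):
    """Parse a policy.xml and return the risky coders it does not set to rights="none"."""
    disabled = set()
    for pol in ET.fromstring(policy_xml).iter("policy"):
        if pol.get("domain") == "coder" and pol.get("rights") == "none":
            disabled.add(pol.get("pattern", "").upper())
    return RISKY_CODERS - disabled


# Constructed samples: a PNG header, and a harmless MVG drawing renamed to .png.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
MVG_SAMPLE = b"push graphic-context\nviewbox 0 0 640 480\npop graphic-context\n"

HARDENED_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="SHOW" />
  <policy domain="coder" rights="none" pattern="WIN" />
  <policy domain="coder" rights="none" pattern="PLT" />
</policymap>"""

PARTIAL_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
</policymap>"""

if __name__ == "__main__":
    print(accept_upload("cat.png", PNG_SAMPLE))          # png
    print(accept_upload("exploit.png", MVG_SAMPLE))      # None
    print(risky_coders_still_enabled(PARTIAL_POLICY))    # the six still enabled
```

Point risky_coders_still_enabled at the real file under /etc/ImageMagick (read it and pass the text) to confirm the policy actually took effect on a given host rather than trusting that it was deployed.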
Other vulnerabilities found in ImageMagick can be exploited to move, read or delete files (CVE-2016-3716, CVE-2016-3717 and CVE-2016-3715), and for server-side request forgery, or SSRF, attacks (CVE-2016-3718).
It seems nearly every day we’re reading about Internet attacks aimed at knocking sites offline and breaking into networks, but it’s often difficult to visualize this type of activity. In this post, we’ll take a look at multiple ways of tracking online attacks and attackers around the globe and in real-time.
A couple of notes about these graphics. Much of the data that powers these live maps is drawn from a mix of actual targets and “honeypots,” decoy systems that security firms deploy to gather data about the sources, methods and frequency of online attacks. Also, the organizations referenced in some of these maps as “attackers” typically are compromised systems within those organizations that are being used to relay attacks launched from someplace else.
The main method is getting reports back from intrusion detection systems (IDS). Each attack that hits an IDS is reported back, so you have the source of the attack, which may not be the instigator, just the IP address registered as attacking you; and of course the target is known, because the IDS is the target. The IDS can be software or hardware based.
FireEye Cyber Threat Map. While the FireEye Cyber Threat Map doesn’t technically operate in real time, it does generate a very interesting picture of how surreptitiously installed malware communicates with the server systems that are remotely controlling it.
My favorite – and perhaps the easiest way to lose track of half your workday (and bandwidth) comes from the folks at Norse Corp. Their map – IPViking – includes a wealth of data about each attack, such as the attacking organization name and Internet address, the target’s city and service being attacked, as well as the most popular target countries and origin countries.
Another live service with oodles of information about each attack comes from Arbor Networks’ Digital Attack map. Arbor says the map is powered by data fed from 270+ ISP customers worldwide who have agreed to share anonymous network traffic and attack statistics.
Kaspersky’s Cyberthreat Real-time Map is a lot of fun to play with, and probably looks the most like an interactive video game. Beneath the 3-D eye candy and kaleidoscopic map is anonymized data from Kaspersky’s various scanning services. As such, this fairly interactive map lets you customize its layout by filtering certain types of malicious threats, such as email malware, Web site attacks, vulnerability scans, etc.
The Cyberfeed, from Anubis Networks, takes the visitor on an automated tour of the world, using something akin to Google Earth and map data based on infections from the top known malware families. It’s a neat idea, but more of a malware infection map than an attack map, and not terribly interactive either. In this respect, it’s a lot like the threat map from Finnish security firm F-Secure, the Global Botnet Threat Activity Map from Trend Micro, and Team Cymru’s Internet Malicious Activity Map.
The Honeynet Project’s Honey Map is not super sexy but it does include a fair amount of useful information about real-time threats on honeypot systems, including links to malware analysis from Virustotal for each threat or attack.
Additionally, the guys at OpenDNS Labs have a decent attack tracker that includes some nifty data and graphics.
Speaking of attacks, some of you may have noticed that this site was unreachable for several hours over the last few days. That’s because it has been under fairly constant assault by the same criminals who attacked Sony and Microsoft’s gaming networks on Christmas Day. We are moving a few things around to prevent further such disruptions, so you may notice that some of the site’s features are a tad flaky or slow for a few days.
We made this post because we at Cyber51 decided to build one of our own. When we started, we focused more on user experience and information accessibility. We were able to create a close-to-real-time cyber attack monitoring system that is engaging, interactive and insightful. Soon it may surprise you all with some nice functions.
IN FEBRUARY 2014, the US ambassador to Ukraine suffered an embarrassing leak. A secret conversation between him and US Assistant Secretary of State Victoria Nuland got posted to YouTube, in which Nuland spoke disparagingly about the European Union.
The conversation occurred over unencrypted phones, and US officials told reporters they suspected the call was intercepted in Ukraine, but didn’t say how. Some people believe it occurred using vulnerabilities in a signaling network known as SS7, which is part of the backbone infrastructure that telecoms around the world use to communicate between themselves about how to route calls and text messages.
A little-noticed report released by the Ukrainian government a few months after the leak gives credence to this theory. Although the report didn’t mention the ambassador, it revealed that for three days in April that year, location data for about a dozen unidentified mobile phone customers in Ukraine got mysteriously sent to a Russian telecom using SS7 vulnerabilities. Text messages and phone calls of some of those customers also got diverted to Russia, where someone could have eavesdropped on the conversations and recorded them.
The telecom industry has known for years that SS7 is vulnerable to spying, but did little about it because many assumed the risks were theoretical. This changed in the wake of the Ukrainian incidents, says Cathal McDaid, head of the threat intelligence unit for AdaptiveMobile, a mobile telecom security firm. His company and others devised ways to detect SS7 attacks, and since then they have discovered suspicious activity in the networks of multiple telecom customers, suggesting that SS7 attacks are very much real, and ongoing. AdaptiveMobile released a report in February highlighting some of those attacks.
SS7 is just now getting more public attention because of a 60 Minutes piece last week, which showed two German researchers using SS7 to spy on US Congressman Ted Lieu, with his permission. Lieu has called for a congressional hearing to look into SS7 vulnerabilities, and the Federal Communications Commission has plans to examine it, too.
So what is SS7 and why is it so vulnerable?
SS7, also known as Signaling System No. 7, refers to a signaling network, and the series of technical protocols or rules that govern how data gets exchanged over it. It was designed in the 1970s to track and connect landline calls across different carrier networks, but is now commonly used to calculate cellular billing and send text messages, in addition to routing mobile and landline calls between carriers and regional switching centers. SS7 is part of the telecommunications backbone but is not the network your voice calls go through; it’s a separate administrative network with a different function. Think of it like a passenger train system: SS7 is the maintenance tunnels workers use rather than the main tunnels through which passenger trains travel.
SS7 is often used now to set up roaming so that when you travel, say, from New York to Mumbai, you can make and receive calls and texts outside your carrier’s range. An outside carrier will send a request to your carrier via SS7 to obtain your phone’s unique ID to track your device, and also request that your communications be redirected to its network so that it can deliver calls and text messages to you. It’s a way of making sure calls and messages are delivered between networks.
The problem is that SS7 is based on trust. Any request a telecom receives is considered legitimate. Therefore anyone with access to a server or gateway on the SS7 network can send a location or redirect request to your telecom for purposes of roaming, and the telecom will likely comply, even if the roaming request comes from St. Petersburg or Mumbai and you and your phone are in New York.
This makes it possible for a remote attacker to spy on lawmakers, corporate executives, military personnel, activists and others. It should be noted that in grabbing your texts and calls in this way, an attacker will also be able to grab your two-factor authentication log-in codes that Gmail and other services send via text so you can access your accounts. An attacker who already knows the username and password for an account can intercept these codes before you receive them in order to log in to your accounts.
Who has access to SS7?
Hundreds of telecoms around the world use it. Government intelligence agencies can also gain access to the network, either with the permission of telecoms or not. Commercial companies also sell SS7 phone tracking services to governments and other customers. Criminal groups able to purchase access from corrupt telecom workers can also use SS7, as can hackers who hijack unsecured SS7 equipment.
It wasn’t until December 2014 that telecoms began to implement ways to thwart SS7 attacks. That’s when Karsten Nohl of the Berlin-based Security Research Labs and an independent researcher named Tobias Engel gave presentations about SS7 at the Chaos Communication Congress in Germany, months after the Ukrainian incidents were discovered. Engel had demonstrated an SS7 method for tracking phones in 2008, but that method wasn’t as refined as the ones he and Nohl described in 2014. The latter prompted regulators in Northern Europe to demand that carriers there implement measures to mitigate SS7 attacks by the end of 2015.
How Exactly Can SS7 Be Hacked to Track You?
To track you, an attacker could send what’s called an Anytime Interrogation request to your carrier to get the unique ID of your phone and identify which mobile switching center (MSC) your phone uses; usually one MSC covers an entire city. Carriers use this information to route your calls and messages through the cell tower closest to you. By sending repeated Anytime Interrogation requests, an attacker can obtain this and finer-grained cell-level location information and track your phone, and you, down to the street block where you are standing, using Google Maps.
Carriers could thwart this by blocking Anytime Interrogation requests coming from outside their boundaries, Nohl says. But there are other ways to get location information using different queries via SS7, and these are not as easily blocked, he says.
In mobile networks, subscribers are identified by the international mobile subscriber identity (IMSI), which is considered confidential information.
This attack is based on requesting the Mobile Switching Center (MSC) / Visitor Location Register (VLR) address and the IMSI. The request is part of the SMS delivery procedure (the MAP SendRoutingInfoForSM request), which allows the originating network to obtain the subscriber’s location for further routing of the message. The only initial data needed is the target subscriber’s phone number.
In case of successful exploitation, an attacker obtains the following data:
+ Subscriber’s IMSI
+ Servicing MSC/VLR address
+ Home Location Register (HLR) address where the subscriber’s account data is located
The MSC/VLR address will determine the subscriber’s location down to the regional level. Moreover, the intruder can use the obtained data in more complex attacks.
Discovering a subscriber’s location
The request abused here normally serves real-time tariffing of the subscriber’s incoming calls. Its initial data are the IMSI and the current MSC/VLR address obtained in the previous step.
The intruder obtains the CGI, which consists of:
+ Mobile Country Code (MCC)
+ Mobile Network Code (MNC)
+ Location Area Code (LAC)
+ Cell Identity (CID)
There are a number of services available on the Web that allow determining a base station’s location using these identifiers. In cities and urban areas, the accuracy of a subscriber’s location can be determined within a few hundred meters.
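The four identifiers above arrive inside a single 7-octet Cell Global Identity value in the MAP response. The following added example (written for this post, not taken from any of the reports quoted) unpacks that value into MCC, MNC, LAC and CID, and rebuilds it, so that a captured CGI can be fed to one of those lookup services. The layout assumed is the one in 3GPP TS 24.008 / 29.002: MCC and MNC as TBCD digits with the low nibble first and 0xF as filler for a two-digit MNC, then the LAC and the Cell Identity as big-endian 16-bit values. The test vectors are constructed.

```python
def decode_cgi(octets):
    """Split a 7-octet MAP Cell Global Identity into its fields.

    Octets 1-3: MCC/MNC in TBCD (low nibble first; 0xF fills the third MNC
    digit when the MNC has only two). Octets 4-5: LAC. Octets 6-7: Cell ID.
    Assumption: the value is passed in exactly as carried in the MAP message.
    """
    if len(octets) != 7:
        raise ValueError("CGI must be exactly 7 octets")
    o = octets
    mcc = f"{o[0] & 0xF}{o[0] >> 4}{o[1] & 0xF}"
    mnc_digit3 = o[1] >> 4
    mnc = f"{o[2] & 0xF}{o[2] >> 4}" + ("" if mnc_digit3 == 0xF else str(mnc_digit3))
    return {
        "mcc": mcc,
        "mnc": mnc,
        "lac": int.from_bytes(o[3:5], "big"),
        "cid": int.from_bytes(o[5:7], "big"),
    }


def encode_cgi(mcc, mnc, lac, cid):
    """Inverse of decode_cgi; useful for building test vectors and filter rules."""
    if len(mcc) != 3 or len(mnc) not in (2, 3) or not (mcc + mnc).isdigit():
        raise ValueError("MCC needs 3 digits, MNC 2 or 3")
    mnc_digit3 = 0xF if len(mnc) == 2 else int(mnc[2])
    octets = bytes([
        (int(mcc[1]) << 4) | int(mcc[0]),
        (mnc_digit3 << 4) | int(mcc[2]),
        (int(mnc[1]) << 4) | int(mnc[0]),
    ])
    return octets + lac.to_bytes(2, "big") + cid.to_bytes(2, "big")


# Constructed vectors: MCC 262 / MNC 01 (two-digit MNC), and MCC 310 / MNC 410.
CGI_DE = bytes.fromhex("62f210" "1f3a" "04d2")
CGI_US = encode_cgi("310", "410", 10, 1)

if __name__ == "__main__":
    print(decode_cgi(CGI_DE))   # {'mcc': '262', 'mnc': '01', 'lac': 7994, 'cid': 1234}
    print(decode_cgi(CGI_US))   # {'mcc': '310', 'mnc': '410', 'lac': 10, 'cid': 1}
```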
Intercepting incoming SMS messages
After registering the subscriber with the fake MSC/VLR, SMS messages intended for the subscriber are instead sent to the attacker’s host.
The attacker is able to:
+ send a confirmation that the message was received (it will look to the sender as if the message was delivered)
+ re-register the subscriber to the previous switch so that he/she also gets the message.
+ send a confirmation to the sender, re-register the subscriber to the previous switch and send him/her an altered message
The attack can be used to:
+ steal one-time mobile banking passwords delivered as SMS messages
+ Intercept or recover passwords used for various internet services (email, social networks, etc.)
Intercepting outgoing calls
An attacker substitutes a billing platform address with their equipment address, in the subscriber’s profile. When the subscriber makes a call, the billing request along with the number of the destination subscriber are sent to the attacker’s equipment. The attacker can then redirect the call and create a three-way (destination subscriber, calling subscriber and an attacker) conference call.
What Can Be Done?
That kind of attack (registering the subscriber with a fake MSC/VLR abroad) should be easy to thwart with an algorithm that knows it’s illogical for a subscriber to move back and forth between the US and Germany every five minutes. “But, again, nobody has implemented these smart checks,” Nohl says.
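The two “smart checks” Nohl describes, as an added example written for this post (not code from AdaptiveMobile, Security Research Labs or any carrier): a velocity check over successive UpdateLocation registrations that flags a subscriber apparently moving faster than an aircraft, and a screen that drops Anytime Interrogation requests whose calling Global Title is outside the home network. The Global Titles, the GT-to-site table and the sample traffic are constructed; a real deployment would keep that table per roaming partner.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

# Constructed: calling Global Title of a visited MSC/VLR -> (country, lat, lon).
GT_SITES = {
    "12125550100": ("US", 40.71, -74.01),   # New York
    "4969550100": ("DE", 50.11, 8.68),      # Frankfurt
}
# Assumption: the home network's Global Titles are E.164 numbers under country code 1.
HOME_GT_PREFIXES = ("1",)


@dataclass
class UpdateLocation:
    ts: int          # seconds since epoch when the UpdateLocation arrived at the HLR
    vlr_gt: str      # calling Global Title of the VLR registering the subscriber


def haversine_km(lat1, lon1, lat2, lon2):
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def implausible_updates(events, max_kmh=1000.0):
    """Return each UpdateLocation implying travel faster than max_kmh since the previous one."""
    flagged = []
    for prev, cur in zip(events, events[1:]):
        _, lat1, lon1 = GT_SITES[prev.vlr_gt]
        _, lat2, lon2 = GT_SITES[cur.vlr_gt]
        km = haversine_km(lat1, lon1, lat2, lon2)
        hours = (cur.ts - prev.ts) / 3600
        if km > 0 and (hours <= 0 or km / hours > max_kmh):
            flagged.append(cur)
    return flagged


def screen_anytime_interrogation(calling_gt):
    """Allow ATI only from the home network's own Global Titles."""
    return calling_gt.startswith(HOME_GT_PREFIXES)


# Constructed traffic: the New York / Frankfurt bounce five minutes apart that
# Nohl describes, followed by a legitimate roam at flight speed.
BOUNCE = [UpdateLocation(0, "12125550100"),
          UpdateLocation(300, "4969550100"),
          UpdateLocation(600, "12125550100")]
REAL_ROAM = [UpdateLocation(0, "12125550100"),
             UpdateLocation(8 * 3600, "4969550100")]

if __name__ == "__main__":
    print([u.vlr_gt for u in implausible_updates(BOUNCE)])     # both hops flagged
    print(implausible_updates(REAL_ROAM))                      # []
    print(screen_anytime_interrogation("4969550100"))          # False
```

The 1000 km/h threshold leaves room for an airline passenger registering on landing after an eight-hour flight (about 6,200 km New York to Frankfurt) while still catching a registration that jumps continents in minutes. As the next paragraphs note, the origin screen is only a first step: location can also be obtained with other MAP queries that are harder to block outright.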
There’s not much you can personally do. You could try to protect your communications by using an encrypted service like Signal, WhatsApp or Skype, but McDaid says an attacker could send a request to your carrier to disable data use for your phone, preventing you from using these services.
“So all you’re left with then is text messages and phone calls if you’re in an area with no Wi-Fi,” he says, leaving you vulnerable to an SS7 interception attack.
Security researchers have discovered a nasty security vulnerability that is said to affect almost every version of Windows and Samba and will be patched on April 12, 2016, the Samba development team announced Tuesday.
So, Save the Date if you are a Windows or Samba file server administrator.
Developers from Microsoft and Samba are working on a security patch to fix a severe vulnerability that affects almost every version of Windows and Samba.
Samba, present in nearly all Linux distributions, is free software that implements the SMB/CIFS networking protocol to provide file and print services. It is also installed as a component of *BSD and OS X systems, can integrate with Windows Active Directory, and can act as a domain controller or a domain member. Samba is popular because it allows stable integration between Linux systems and Active Directory.
In 2015 another critical Samba flaw was patched, a remote code execution vulnerability (CVE-2015-0240) that received a CVSS score of 10.
The flaw, dubbed Badlock, was discovered by Stefan Metzmacher of the firm SerNet, who is also a member of the Samba Core Team. Badlock is a critical vulnerability that Microsoft and Samba developers plan to fix on the next Patch Tuesday, April 12, 2016.
The researchers are sure that the Badlock flaw will be exploited once they publicly disclose its details.
“Badlock was discovered by Stefan Metzmacher. He’s a member of the international Samba Core Team and works at SerNet on Samba. He reported the bug to Microsoft and has been working closely with them to fix the problem.” is reported on the website.
The experts at SerNet have developed a website that will include all the information related to the Samba issue.
Details about the Badlock vulnerability will be disclosed on April 12, when the developers of Microsoft and Samba release security patches to fix the flaw.
With a proper name, website and even logo, Badlock seems to be another marketed vulnerability that will likely be exploited by hackers once its details become public.
Here’s what Badlock.org website reads:
On April 12th, 2016 a crucial security bug in Windows and Samba will be disclosed. We call it: Badlock. Engineers at Microsoft and the Samba Team are working together to get this problem fixed. Patches will be released on April 12th.
Admins and all of you responsible for Windows or Samba server infrastructure: Mark the date. (Again: It’s April 12th, 2016.) Please get yourself ready to patch all systems on this day. We are pretty sure that there will be exploits soon after we publish all relevant information.
Although this sort of pre-notification is appreciated, especially for system administrators to help them apply the patch as soon as possible, the security blunder could also benefit the bad guys.
Security experts also believe that the available information might be enough for malicious hackers to independently find Badlock and exploit the vulnerability before a patch is released.
A new attack technique, dubbed “Accessibility Clickjacking”, has been discovered by Skycure, a US-based mobile threat security company, and revealed to the world at the 25th annual RSA Conference, the world’s biggest cyber-security event, which ended on Friday the 4th of March.
The Accessibility Clickjacking technique is a critical and dangerous discovery
In its study, the company estimated that the technique could affect more than half a billion Android devices globally. The company also pointed out in its report that malware using it can evade scanner detection, which is usually based on signatures and on static and dynamic analysis.
“Accessibility Clickjacking can allow malicious applications to access all text-based sensitive information on an infected Android device, as well as take automated actions via other apps or the operating system, without the victim’s consent.”
If you want to see accessibility clickjacking in action, just watch the video from Skycure below, which utilizes a free ‘Rick and Morty’-themed game to get users to unknowingly enable certain accessibility features:
Although a number of functions and capabilities have been put into web browsers and web servers to limit the clickjacking risk, the mobile platform is still vulnerable, and this research shows that Android remains susceptible to similar kinds of threats.
Smartphone users of the Android operating system were advised to be careful when playing games or running applications, as hackers were able to create simple so-called “benign” games that could automatically trigger the “Accessibility ClickJacking” in the background unbeknownst to the owner of the device.
The attack could allow malicious apps to get hold of all text-based sensitive information on the affected Android device and to take automated actions via other apps or even the operating system. That information includes emails, text messages, data from messaging apps, and data from important business applications such as CRM and marketing automation software. This makes Android users vulnerable to the games and applications they download.
Once inside the victim’s device, the attackers could, for example, change passwords. However, the security firm did note that the attack works only on older versions of the Android operating system, which account for about 65 percent of devices, and that there is no cause for worry for users of the latest platforms, Lollipop and Marshmallow. Anything from Android 2.2 Froyo to Android 4.4 KitKat is likely to be affected, Skycure noted.