
Users get Directly Infected by AstraLocker 2.0 via Word Files

Threat researchers report that the developers of a ransomware strain named AstraLocker have just published its second major version, and that its operators run quick attacks that drop the payload directly from email attachments. This is unusual because email attacks normally go through intermediary stages, and those stages exist precisely to evade detection and reduce the likelihood of triggering alarms on email security tools.

ReversingLabs, a firm that has been monitoring AstraLocker operations, says the attackers do not appear to be concerned with reconnaissance, the identification of valuable files, or lateral movement across the network. This is a ransomware operation of the "smash and grab" kind.

The aim of smash and grab is to maximize profit as quickly as possible. The malware developers operate under the presumption that victims or security software will rapidly discover the malware, so it is preferable to move straight to the finish line.

Smash-and-grab strategy 

The lure used by the developers of AstraLocker 2.0 is a Microsoft Word document in which an OLE object holding the ransomware payload is concealed. The embedded program's filename is WordDocumentDOC.exe.

To run the payload, the user must select "Run" in the warning window that appears after the document is opened, which lowers the threat actors' chances of success.

Researchers point out that this approach is less sophisticated than the recent Follina vulnerability, which requires no user involvement, or even than the abuse of macros, which requires some user interaction.
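From a defender's side, the delivery trait described above gives a simple triage check: a .docx is a zip archive, and objects inserted into a document land as OLE containers under word/embeddings/, so flagging an embedded Windows executable needs no macro analysis at all. The script below is an added example, not ReversingLabs' or the original post's code. The document it scans is constructed in memory, and the rough signature check (an "MZ" DOS header whose e_lfanew field points at a "PE\0\0" signature, or the DOS stub text) is an assumption of what a triage script would look for.

```python
"""Scan a .docx for embedded OLE objects that carry a PE executable.

Added example (not from ReversingLabs or the original post). A .docx is a
zip archive; objects inserted via "Insert > Object" land under
word/embeddings/ as .bin files (OLE compound documents). Packager objects
wrap the dropped file inside that container, so a plain signature scan of
the blob is enough to flag an embedded Windows executable. The sample
document is constructed in memory for the demonstration.
"""
import io
import re
import struct
import zipfile

# Magic values every Windows executable carries.
MZ = b"MZ"
PE_SIG = b"PE\x00\x00"
DOS_STUB = b"This program cannot be run in DOS mode"
# Header of an OLE compound document (what Word writes under word/embeddings/).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def looks_like_pe(blob: bytes) -> bool:
    """True if a PE image (DOS header -> e_lfanew -> 'PE\\0\\0') starts at some
    'MZ' offset inside blob, or if the DOS stub text is present."""
    if DOS_STUB in blob:
        return True
    for m in re.finditer(MZ, blob):
        off = m.start()
        if off + 0x40 > len(blob):
            continue
        e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
        pe_off = off + e_lfanew
        if blob[pe_off:pe_off + 4] == PE_SIG:
            return True
    return False


def scan_docx(data: bytes) -> list:
    """Return (archive member, is_ole_container, contains_pe) for each embedding."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.startswith("word/embeddings/"):
                continue
            blob = zf.read(name)
            findings.append((name, blob.startswith(OLE_MAGIC), looks_like_pe(blob)))
    return findings


def build_sample_docx(embedded: bytes) -> bytes:
    """Constructed: a minimal .docx-like archive with one embedded object."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/embeddings/oleObject1.bin", embedded)
    return buf.getvalue()


def fake_pe_blob() -> bytes:
    """Constructed: an OLE header followed by a skeleton PE image (a DOS
    header whose e_lfanew points at the 'PE\\0\\0' signature)."""
    dos = bytearray(0x40)
    dos[0:2] = MZ
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after DOS header
    return OLE_MAGIC + b"\x00" * 24 + bytes(dos) + PE_SIG + b"\x00" * 20


if __name__ == "__main__":
    for name, is_ole, has_pe in scan_docx(build_sample_docx(fake_pe_blob())):
        verdict = "EMBEDDED EXECUTABLE" if has_pe else "ok"
        print(f"{name}: ole_container={is_ole} -> {verdict}")
```

A real mail gateway would go further (unpack the Ole10Native stream to recover the original filename, hash the payload, and so on), but the check above already catches the trait the researchers describe: an executable sitting inside the document rather than being fetched in a later stage.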
 
Encryption set up

Despite its haste to encrypt, AstraLocker still performs certain basic ransomware actions: it attempts to disable security software, kills running programs that could obstruct encryption, and avoids virtual machines, since their presence might indicate that it is being examined by lab researchers.

After an anti-analysis check to make sure it is not running in a virtual machine and that no debuggers are attached to other running processes, the malware prepares the system for encryption, which uses Curve25519.

The preparation includes killing applications that might interfere with encryption, erasing volume shadow copies that would let the victim restore files, and disabling a number of backup and antivirus services. The Recycle Bin is simply emptied rather than having its contents encrypted.

AstraLocker origins 

According to ReversingLabs' code analysis, AstraLocker is based on the stolen source code of Babuk, a dangerous but flawed ransomware strain that left the market in September 2021. Furthermore, one of the Monero wallet addresses given in the ransom note is linked to the developers of the Chaos ransomware.

Judging by the tactics behind the latest campaign, this is probably not the work of a sophisticated actor, but of someone determined to launch as many damaging attacks as possible.

To Reliably Govern Multi-Cloud Workloads, IT Leaders Demand Better Security Insights

 

Gigamon has revealed the results of a Pulse.qa poll of IT and InfoSec experts, conducted to identify the hurdles in advancing current multi-cloud plans.

According to a recent Pew Research poll, 64 percent of Americans prefer to work in either an entirely remote or a hybrid environment, pushing organizations to deal with the growing complexity of moving and scaling workloads in the cloud. Accordingly, respondents to the Pulse.qa poll rank visibility into cloud data in motion as the most important security element globally.

"Deep observability across hybrid and multi-cloud setups is required for every firm to stay competitive in a world of enhanced security risk and IT complexity. While each company's journey to service and infrastructure modernization is unique, bridging this visibility gap is critical to safeguarding and optimizing the network in order to provide a superior user experience," Gigamon's VP of brand and technical marketing, Bassam Khan, explained.

Challenges of multi-cloud strategies

  • The successful administration of multi-cloud infrastructures is being hampered by increasing complexity and cost: 99 percent of respondents said their team had missed or violated an application service-level agreement (SLA) owing to challenges caused by an overly complicated cloud infrastructure.
  • Attempts by tech executives to move and scale workloads in the cloud are being hampered by rising costs and complexity: according to 67 percent of respondents, high cloud expenses hinder their firms' ability to move applications and workloads as quickly as they need to; 96 percent said connectivity bottlenecks or complex cloud troubleshooting slow down migration efforts.
  • The expense and complexity of cloud infrastructure drain resources from other projects and applications, frustrating already overworked IT staff: IT staff frustration (51%) was a close second to a lack of budget for critical applications (61%).

82 percent of IT and InfoSec leaders favor best-of-breed third-party security tools over the cloud platform providers' own technologies to overcome these cloud migration bottlenecks and issues. Furthermore, respondents prefer a single point of visibility across the whole environment to a compartmentalized approach to cloud problems.

Multi-cloud adoption follows a comparable pattern: it gives organizations more ways to take advantage of the cloud's benefits, and in response to that demand it has become one of the most popular approaches.

Google’s security tools can shield from cyber-attacks

Google has long been asking users to enable its security tools for shielding all its services - from Gmail to Google Photos - from hacking attempts.

The search giant has been pretty vocal about the importance of these features, but now, instead of urging users, it has released hard stats revealing how useful these capabilities can really be.

Let's take a look.

Advantage

Adding a phone number can fend off bot-based attacks.

Researchers from New York University and the University of California, San Diego partnered with Google to assess the impact of its security tools in preventing hijack attempts.

The results, presented recently at The Web Conference, revealed that simply adding a recovery phone number to a Google account helped block 100% of bot-based attacks, 99% of automated phishing attacks, and 66% of targeted attacks.

Protection

Two-factor authentication offers highest security.

Google has been saying this for years and the stats prove it: two-step verification is the most secure offering right now.

The studies reveal that using phone number-based 2SV (SMS verification) blocked 100% of automated bots, 96% of bulk phishing attacks, and 76% of targeted attacks.

Meanwhile, on-device prompts prevented 100% of automated bots, 99% of bulk phishing attacks and 90% of targeted attacks.

Security key offers strongest shield.

Notably, among all two-step verification methods, using a physical security key proved to be the strongest account shield. It blocked all kinds of attacks with a 100% success rate.

Risk

Google also showed what happens when you don't use 2SV.

The same study also measured the effectiveness of default sign-in verification techniques, like last location signed-in or your secondary email.

These knowledge-based methods are used when the company detects a suspicious sign-in attempt, say from a new device or location, and you don't have 2SV on.

The results showed these methods can block bot-based attacks but can fail miserably against phishing or targeted hijacking.

HconSTF v0.5 codename 'Prime' Released


HconSTF is an open source penetration testing framework based on different browser technologies, which assists security professionals in penetration testing and vulnerability scanning assessments.

Hcon is delighted to announce that, after around 14 months, HconSTF v0.5 codename 'Prime' has been released.

Noticeable things for this version:
It is now further enhanced for
  • Web penetration testing
  • Web exploit development
  • Web malware analysis
  • OSINT, cyber spying and doxing
  • and much more, with lots of hidden features

HconSTF v0.5 in brief:
  • Based on Firefox 17.0.1
  • Designed around a process-based methodology
  • Smaller in size (40 MB packed, 80 MB extracted) and consumes less memory
  • More than 165 search plugins
  • New IDB 0.1 release integrated
  • Logging for each and every request
  • More new scanners for DOM XSS and reflected XSS
  • New reporting features such as note taking and URL logging for easy report writing
  • Smart search box: just select text and it is copied; change the search engine to search
  • Integrated Tor, AdvOR, I2P and more proxies
  • New Greasemonkey scripts (18 scripts)
More details can be found here.

Download


Download BackBox Linux 3.01 -PenTesting Distro


The BackBox Team announced the updated release of BackBox Linux, version 3.01. This release includes features such as Linux kernel 3.2 and Xfce 4.8.

BackBox is an Ubuntu-based Linux distribution oriented towards penetration testing and security assessment, providing a toolkit for the analysis of networks and information systems. The BackBox desktop environment includes a minimal yet complete set of tools required for ethical hacking and security testing.



What's new
  • New and updated hacking tools (e.g. backfuzz, beef, bluediving, cvechecker, htexploit, metasploit, set, sqlmap, websploit, weevely, wpscan, zaproxy, etc.)
  • System improvements
  • Upstream components
  • Bug corrections
  • Performance boost
  • Improved auditing menu
  • Improved Wi-Fi drivers (compat-wireless, aircrack patched)

The ISO images (32bit & 64bit) can be downloaded from the following location:
http://www.backbox.org/downloads

Hook Analyser 2.2 Released, malware analyser tool


Hook Analyser is a freeware project, started in 2011, to analyse an application at run time. The project can be useful for analysing malware (static and run-time analysis) and for performing application crash analysis.

Features:
1. Spawn and hook to an application
This feature allows an analyst to spawn an application and hook into it.

2. Hook to a specific running process
This option allows an analyst to hook to a running (active) process.

3. Perform quick static malware analysis
This module is one of the most interesting and useful modules of Hook Analyser; it scans PE (Windows) executables to identify potential malware traces.

4. Application crash analysis
This module enables exploit researchers and application developers to analyse memory contents when an application crashes.

Change log -

  • The UI and modules of the project have been re-written. The interactive mode is more verbose.
  • The (static) malware analysis module has been enhanced.
  • Bug fixes and other improvements.
Download it from here:
beenuarora.com/HookAnalyser2.2.zip

'Knight X Plus' - Cyber intelligence product from ClubHack2012



ClubHack introduces 'Knight X Plus', a cyber intelligence product which gives you the power of Queen & Knight in your cyber intelligence.

It is a big-data-based OSINT platform that harnesses the power of the cloud, big data and a highly scalable architecture to perform proactive monitoring, analysis and automated response to live cyber threats and opportunities.

Product Features:
  • Blazing Fast
  • Automated Information Retrieval
  • Knowledge Discovery
  • Cyber Media Monitoring
  • Geospatial Analysis
  • Analysis based on stats, time-series data, link analysis logic and more
  • Graphic Rich Visualizations for better understanding of the data
  • User Friendly UI
  • Drill Downs on almost anything

Platform Features:

  • Automated Alerts on Information / Knowledge Discovery
  • Pluggable approach to pour in any type of data
  • Unique Job Queue Management Design, built to scale in distributed processing
  • Post-processing jobs can range from heavy data crunching to a "distributed ping"; the limit is your imagination
  • Highly scalable, expand distributed engine in 10 minutes flat
  • Intelligent data storage for lightning fast retrieval
Further details can be found here:
http://knightxplus.com

Tools released at Defcon can crack widely used PPTP encryption in under a day

Security researchers released two tools at the Defcon security conference which can be used to crack the encryption of any PPTP (Point-to-Point Tunneling Protocol) session, as well as any WPA2-Enterprise (Wi-Fi Protected Access) session, that uses MS-CHAPv2 for authentication.


MS-CHAPv2 is an authentication protocol created by Microsoft and introduced in Windows NT 4.0 SP4. Despite its age, it is still used as the primary authentication mechanism by most PPTP virtual private network (VPN) clients.

ChapCrack can take captured network traffic that contains a MS-CHAPv2 network handshake (PPTP VPN or WPA2 Enterprise handshake) and reduce the handshake's security to a single DES (Data Encryption Standard) key.


This DES key can then be submitted to CloudCracker.com -- a commercial online password cracking service that runs on a special FPGA cracking box developed by David Hulton of Pico Computing -- where it will be decrypted in under a day.


The CloudCracker output can then be used with ChapCrack to decrypt an entire session captured with Wireshark or other similar network sniffing tools.


PPTP is commonly used by small and medium-size businesses -- large corporations use other VPN technologies like those provided by Cisco -- and it's also widely used by personal VPN service providers, Marlinspike said.


The researcher gave the example of IPredator, a VPN service from the creators of The Pirate Bay, which is marketed as a solution to evade ISP tracking, but only supports PPTP.


Marlinspike's advice to businesses and VPN providers was to stop using PPTP and switch to other technologies like IPsec or OpenVPN. Companies with wireless network deployments that use WPA2 Enterprise security with MS-CHAPv2 authentication should also switch to an alternative.

Wireshark released version 1.8.1 and 1.6.9 to close critical vulnerability


The Wireshark team has released versions 1.8.1 and 1.6.9 to close important vulnerabilities in its open source network protocol analyser.

The vulnerabilities are a problem in the Point-to-Point Protocol (PPP) dissector that leads to a crash, and a bug in the Network File System (NFS) dissector that could result in excessive consumption of CPU resources. To take advantage of the holes, an attacker must inject a malformed packet onto the wire or convince a victim to read a malformed packet trace file.

Versions 1.4.0 to 1.4.13, 1.6.0 to 1.6.8 and 1.8.0 are affected; users are advised to upgrade to 1.6.9 or 1.8.1 to fix the problem.

Wireshark 1.6.9 and 1.8.1 are available to download

MJP Security Plugin for WordPress Released

MJP Security Tools is a plugin designed to fix a lot of WordPress security issues, as well as providing extra support.

Features:

* Scan the database for possible XSS issues.
* Limit login attempts to one per ten seconds per user.
* Check all file permissions.
* Check for presence of index.html files in all directories.
* Check if WordPress is up-to-date.
* Remove the version number from HTML source.
* Log all POST requests.
* Log all failed login attempts.
* Change the admin username.
* Randomize the database table prefix.
* Require stronger passwords.
* Detect SSH.

You can get it from here:
http://wordpress.org/extend/plugins/mjp-security-plugin/

fwknop: Single Packet Authorization and Port Knocking, Linux Firewall


CipherDyne has released fwknop-2.0, fully written in C, which runs on embedded systems, OpenBSD, and more.

fwknop stands for "FireWall KNock OPerator" and implements an authorization scheme called Single Packet Authorization (SPA). This method of authorization is built around a default-drop packet filter (fwknop supports both iptables on Linux systems and ipfw on FreeBSD and Mac OS X systems) and libpcap. SPA is essentially next-generation port knocking.

Download it from here:
http://www.cipherdyne.org/fwknop/

Twitter released Android SMS Encryption Tool "TextSecure"

Twitter has released TextSecure, a tool that encrypts messages on Android phones before they are sent.

"We're excited to announce the open source release of TextSecure, our secure text messaging client for Android, which Twitter acquired when we joined their team last month.

We've always been interested in the ability for individuals and organizations to communicate freely and securely," said Whisper Systems' development team.

TextSecure is a replacement for the standard text messaging application, allowing you to send and receive text messages as normal. Additionally, TextSecure provides:
  1. Local Encryption -- All text messages, regardless of destination, that are sent or received with TextSecure are stored in an encrypted database on your phone.
  2. Wire Encryption -- When communicating with a recipient who is also using TextSecure, text messages are encrypted during transmission.
It is open source software, so everyone can contribute to the development. Those interested in the source can find it on GitHub. There is also a mailing list for those who have questions, suggestions, or wish to get involved.


PuTTY version 0.62 is released

All the pre-built binaries, and the source code, are now available from the PuTTY website at

http://www.chiark.greenend.org.uk/~sgtatham/putty/

PuTTY 0.62 is a bug-fix release: it contains fixes for eight bugs present in 0.61, and otherwise the two versions do not differ. Most of the changes in the current development snapshots are not included in this code.

One of the bugs is a SECURITY FIX, so if it affects you, you should update now:

- PuTTY 0.62 fixes a security issue present in 0.59, 0.60 and 0.61. If you log in using SSH-2 keyboard-interactive authentication (which is the usual method used by modern servers to request a password), the password you type was accidentally kept in PuTTY's memory for the rest of its run, where it could be retrieved by other processes reading PuTTY's memory, or written out to swap files or crash dumps.

source

OpenDNS released preview of DNSCrypt Tool which secures DNS Traffic


OpenDNS has released a preview of the DNSCrypt tool, a piece of lightweight software that everyone should use to boost online privacy and security. It works by encrypting all DNS traffic between the user and OpenDNS, preventing any spying, spoofing or man-in-the-middle attacks.

For now, DNSCrypt supports only the Mac platform.

DNSCrypt works like SSL in that it wraps all DNS traffic with encryption the same way SSL wraps all HTTP traffic; the comparison is to the approach, not to the crypto library being used. We're using elliptic-curve cryptography, in particular the Curve25519 elliptic curve. The design goals are similar to those described in the DNSCurve forwarder design.


What about DNSSEC? Does this eliminate the need for DNSSEC?

No. DNSCrypt and DNSSEC are complementary. DNSSEC does a number of things. First, it provides authentication. (Is the DNS record I'm getting a response for coming from the owner of the domain name I'm asking about or has it been tampered with?) Second, DNSSEC provides a chain of trust to help establish confidence that the answers you're getting are verifiable. But unfortunately, DNSSEC doesn't actually provide encryption for DNS records, even those signed by DNSSEC. Even if everyone in the world used DNSSEC, the need to encrypt all DNS traffic would not go away. Moreover, DNSSEC today represents a near-zero percentage of overall domain names and an increasingly smaller percentage of DNS records each day as the Internet grows.

That said, DNSSEC and DNSCrypt can work perfectly together. They aren't conflicting in any way. Think of DNSCrypt as a wrapper around all DNS traffic and DNSSEC as a way of signing and providing validation for a subset of those records. There are benefits to DNSSEC that DNSCrypt isn't trying to address. In fact, we hope DNSSEC adoption grows so that people can have more confidence in the entire DNS infrastructure, not just the link between our customers and OpenDNS.


Download DNSCrypt

Naxsi 0.41 released -Open Source Web Application Firewall module for Nginx

What is Naxsi?

Naxsi is an open source, high performance, low rules maintenance Web Application Firewall module for Nginx, the infamous web server and reverse proxy.

Its goal is to help people secure their web applications against attacks like SQL injection, cross-site scripting, cross-site request forgery, and local and remote file inclusion.

The difference from most WAFs (Web Application Firewalls) out there is that it does not rely upon signatures to detect and block attacks. It uses a simpler model: instead of trying to detect "known" attacks, it detects unexpected characters in the HTTP request and its arguments.

Each kind of unusual character increases the score of the request. If the request reaches a score considered "too high", the request is denied and the user is redirected to a "forbidden" page. Yes, it works somewhat like a spam filter.
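The scoring model above is easy to see in a few dozen lines. The following is an added example, not Naxsi's code and not its naxsi_core.rules: each rule names a character class and a number of points, every argument that matches adds the points, and the request is denied once the total reaches the threshold. It also shows the cost of the model, a legitimate apostrophe in a name tripping the filter, and the whitelist mechanism that handles it. Rule ids, scores, threshold and the whitelist format are constructed for the demonstration.

```python
"""Toy score-based request filter in the spirit of Naxsi's model.

Added example, not Naxsi's code or its rule set. Every unusual character
class found in a request argument adds to the request's score, and a
request whose score reaches the threshold is denied. Rule ids, scores,
the threshold and the whitelist format are constructed for this demo.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Character-class rules: (rule id, pattern, points added per matching argument).
# Note that no signature of any specific known attack appears here.
RULES = [
    (1001, re.compile(r"'"), 8),          # single quote
    (1002, re.compile(r'"'), 8),          # double quote
    (1003, re.compile(r"<|>"), 8),        # angle brackets
    (1004, re.compile(r"--|#|/\*"), 4),   # SQL comment markers
    (1005, re.compile(r"\(|\)"), 4),      # parentheses
    (1006, re.compile(r"\.\./"), 8),      # parent-directory traversal
    (1007, re.compile(r";|\|"), 4),       # command separators
    (1008, re.compile(r"\s"), 2),         # whitespace inside an argument value
]
DENY_THRESHOLD = 8  # constructed: a single quote alone already reaches it

# Whitelist entries exempt one rule for one named argument (constructed format).
WHITELIST = frozenset({(1001, "name")})  # apostrophes are normal in a person's name


def score_request(url: str, whitelist=frozenset()):
    """Score every query argument of url against RULES; return (score, hits)."""
    query = urlsplit(url).query
    score = 0
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):  # percent-decoded
        for rule_id, pattern, points in RULES:
            if (rule_id, name) in whitelist:
                continue
            if pattern.search(value):
                score += points
                hits.append((rule_id, name))
    return score, hits


def decide(url: str, whitelist=frozenset()):
    """Return ('allow' | 'deny', score, hits) for a request URL."""
    score, hits = score_request(url, whitelist)
    verdict = "deny" if score >= DENY_THRESHOLD else "allow"
    return verdict, score, hits


if __name__ == "__main__":
    # Constructed sample requests: a normal search, a quote-and-comment
    # injection attempt, and a legitimate name that needs a whitelist entry.
    samples = [
        "/search?q=shoes",
        "/login?user=admin%27%20OR%201%3D1%20--&pass=x",
        "/profile?name=O%27Brien",
    ]
    for url in samples:
        print(url, "->", decide(url), "| with whitelist:", decide(url, WHITELIST)[0])
```

Because scoring is additive, several individually mild characters in one argument still push a request over the line, which is what makes the approach robust to payload obfuscation; the price is that false positives must be handled with per-argument whitelists rather than by tuning signatures.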

Changelog:

- Feature: added support for FILE_EXT. We can now control file upload names/extensions as well.
- Added a rule for FILE_EXT to naxsi_core.rules
- Added unit testing for the FILE_EXT feature
- Fixed erroneous log messages
- Fixed an error on whitelists of type $URL:xxx|URL


Download it from here:
http://code.google.com/p/naxsi/downloads/list

VanishCrypt -Virtual Encryption Tool Developed by SecurityLabs


SecurityLabs has released VanishCrypt as freeware, a virtual encryption tool used to lock your confidential data in a virtual disk (like TrueCrypt). The developer says the data is completely inaccessible without the correct password. The application stores files using the strong CryptoAPI.

It supports the following operating systems:
Win9x, WinNT, Win2000, WinXP, WinVista and Win7, and Linux under Wine.

Additional features:
  • It has an "Advanced Mode" with which you can create a real virtual drive, accessible in Explorer, that contains the files stored in the vdisk image.
  • It uses the Win32 API for I/O operations, giving a great speed improvement.

Download from here.


HFOX Security Testing Framework(HSTF) 0.1 Beta released by Hcon


HFOX Security Testing Framework (HSTF) 0.1 Beta has been released by Hcon. It is a Chromium-based penetration testing tool.

Specification:
  1. Based on Chromium source (Iron build) version 14
  2. More secure and free of Google tracking, and more stable than other Chromium-based builds
  3. Over 100 tools integrated with a very easy-to-use interface
  4. Tested and heavily modified tool suggestions contributed by professional pentesters, web developers and security professionals
  5. Free and open source
  6. Totally portable (no need to install); you can carry it around on your USB stick, memory card, etc.
  7. Runs on all Windows versions including Windows XP, Vista and 7

Project Homepage:
http://www.hcon.in

Your Browser Matters ~Website to Rate the Browser Security , Microsoft


Microsoft has launched a website named Your Browser Matters for checking the security of your browser. When a visitor browses to the site, it judges the browser's security and returns a score out of four points. The score is based on protection against security risks such as phishing, malware and other threats.

It looks like Microsoft launched this web application to raise public awareness of browser and Internet risks.

Score Results in Different Browsers:
When I visited the site with my Firefox 6, it displayed 2 out of 4. For Google Chrome it showed 2.5 out of 4. I came to know that IE9 has a score of 4 out of 4 (I have never used it). For IE7, it is 1 out of 4. It refused to rate the Safari browser.

How does the grading system work?

Your Browser Matters rates browsers on the following factors:

#. Protection against malware/virus downloads (1 point):
The browser must protect against malware/virus downloads by blocking malware-distributing websites. Microsoft developed IE9 (Internet Explorer 9) with this protection. IE9 scored 1 point here, but Firefox and Chrome scored 0.

#. Blocking phishing sites (1 point):
It should detect phishing sites and protect against them. IE9 scored 1, Firefox 1, Chrome 1.

#. Protection against browser attacks (1 point):
Securing extensions and an effective sandbox; also includes points for auto-updating and for restrictions on extensions and plugins. IE9 = 1 point, Firefox = 0.5, Chrome = 1.

#. Protection against website attacks (1 point):
There are a lot of options here, including blocking insecure content on web pages (which is kind of more annoying than what it's worth, in my view), sanitizing HTML, and protecting against "clickjacking". IE9 = 1 point, Firefox = 0.5, Chrome = 0.5.

So the total score for Firefox=2 ,Chrome=2.5 ,IE9=4.

Tweaking.com - Windows Repair (All in One) v1.4.0 Released

Windows Repair is an all-in-one repair tool to help fix a large majority of known Windows problems, including registry errors and file permissions as well as issues with Internet Explorer, Windows Update, Windows Firewall and more. Malware and installed programs can modify your default settings. With Tweaking.com - Windows Repair you can restore Windows' original settings.

Tweaking.com - Windows Repair (All in One) v1.4.0




v1.4.0
  • Removed the custom buttons from the program. They were causing the program to crash on some systems. The program is meant to repair, not look pretty, so ugly standard safe buttons it is :-)
  • Added new repair "Repair Windows Sidebar/Gadgets"
  • Changed the size of the repair window, making it smaller and easier to fit on screen at lower resolutions.
  • More code tweaks.

Malware Analyzer v3.3 Released ~Security Tools

 
Malware Analyser is a freeware tool to perform static and dynamic analysis of malware.

Features:
  • String-based analysis for registry, API calls, IRC commands, DLLs called and VM-aware behaviour.
  • Displays detailed PE headers with all section details, import and export symbols, etc.
  • On Linux distros, can perform an ASCII dump of the PE along with other options (check the --help argument).
  • On Windows, it can generate the various parts of a PE: DOS header, DOS stub, PE file header, image optional header, section table, data directories and sections; ASCII dump on Windows machines.
  • Code analysis (disassembly)
  • Online malware checking (www.virustotal.com)
  • Packer detection from the database.
  • Tracer functionality: can be used to identify anti-debugging call tricks, file system manipulation calls, rootkit hooks, keyboard hooks, DEP setting changes, and network identification traces.
  • Signature creation: allows creating a signature for a malware sample.
  • Batch mode scan to scan all DLLs and EXEs in directories and sub-directories
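The PE structures the feature list names (DOS header, PE file header, optional header, section table) are simple enough that the walk from one to the next fits in a short script. The following is an added example, not Malware Analyser's code: it parses those headers from raw bytes and flags the sections that are both writable and executable, a property static analysers commonly report. The sample image is constructed in memory and has valid headers only, not runnable code; the field layouts used are those of the PE/COFF format.

```python
"""Minimal PE header walker: DOS header -> PE signature -> COFF header -> section table.

Added example, not Malware Analyser's code. It parses the structures the
tool's feature list names from raw bytes and returns them as dicts. The
sample image is constructed in memory (valid headers only, no code).
"""
import json
import struct

IMAGE_FILE_MACHINE = {0x14C: "i386", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}
OPTIONAL_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}
CHAR_EXEC = 0x20000000   # IMAGE_SCN_MEM_EXECUTE
CHAR_WRITE = 0x80000000  # IMAGE_SCN_MEM_WRITE


def parse_pe(data: bytes) -> dict:
    """Walk the PE headers and return the fields a static analyser would show."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]        # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                       # IMAGE_FILE_HEADER (20 bytes)
    machine, nsects, timestamp, _symtab, _nsyms, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20                                           # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    sect_table = opt + opt_size                               # IMAGE_SECTION_HEADER[nsects], 40 bytes each
    sections = []
    for i in range(nsects):
        off = sect_table + i * 40
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        sect_chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({
            "name": name.rstrip(b"\x00").decode("ascii", "replace"),
            "virtual_size": vsize,
            "virtual_address": vaddr,
            "raw_size": rawsize,
            "raw_pointer": rawptr,
            "characteristics": sect_chars,
            # W+X sections are a classic red flag for packed or self-modifying code
            "writable_and_executable": bool(sect_chars & CHAR_EXEC) and bool(sect_chars & CHAR_WRITE),
        })
    return {
        "e_lfanew": e_lfanew,
        "machine": IMAGE_FILE_MACHINE.get(machine, hex(machine)),
        "number_of_sections": nsects,
        "time_date_stamp": timestamp,
        "optional_header_magic": OPTIONAL_MAGIC.get(magic, hex(magic)),
        "sections": sections,
    }


def build_sample_pe() -> bytes:
    """Constructed sample: DOS header, PE signature, COFF header, a PE32 optional
    header of the minimum size, and two sections (.text R+X, .data R+W+X)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 96  # fixed part of the PE32 optional header, no data directories
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x5F000000, 0, 0, opt_size, 0x0102)
    optional = bytearray(opt_size)
    struct.pack_into("<H", optional, 0, 0x10B)  # PE32 magic

    def section(name, vaddr, size, chars):
        return struct.pack("<8sIIIIIIHHI", name, size, vaddr, size, 0x400, 0, 0, 0, 0, chars)

    sections = (section(b".text", 0x1000, 0x200, 0x60000020)    # CODE | EXECUTE | READ
                + section(b".data", 0x2000, 0x100, 0xE0000040))  # IDATA | EXECUTE | READ | WRITE
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(optional) + sections


if __name__ == "__main__":
    print(json.dumps(parse_pe(build_sample_pe()), indent=2))
```

Reading the section table this way is also the first step of the "check for packer" feature: a packed binary typically shows a tiny raw size next to a large virtual size, non-standard section names, and writable-executable sections, all of which are visible in the dicts the function returns.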

Malware Analyzer v3.3 released.

Changelog:

--Added Traces signatures
--Improved parsing
--Bug fixes