
Tag: password-protected

Georgia’s voting system is uniquely vulnerable to election-tampering hackers

Report uncovers a litany of lapses in the voting system used statewide.

VU#251927: CalAmp LMU-3030 devices may not authenticate SMS interface

OBD-II devices are used to provide telematics information for managers of fleets of vehicles. One type of device, manufactured by CalAmp, has an SMS (text message) interface. We have found multiple deployments where no password was configured for this interface by the integrator/reseller.

Companies using the CalAmp hardware should be aware that they need to set a password or disable SMS.
Vendors were notified and the SMS interface was disabled or password-protected by all vendors known to be affected.

Web exposed MongoDB installs wiped by bitcoin ransoming script scum

Patch or perish

Some 2,000 MongoDB installations have been compromised by an attacker demanding administrators pay 0.2 bitcoins (US$206) to have lost data returned. Victor Gevers (@0xDUDE), penetration tester and chairman of the GDI.foundation, noticed the attacks while reporting exposed non-password-protected MongoDB installations to owners. One open server contained a ransom warning message in place of the database content Gevers expected. Rather than encrypt the data, the attacker, "harak1r1," ran a script that replaced the database's content with the ransom message. So far 16 organisations appear to have paid harak1r1.

John Matherly, the brains behind security search engine Shodan, where many exposed MongoDBs can be found, has warned since 2015 of the dangers of exposed installations. Back then he warned of some 30,000 exposed MongoDB instances open to the internet without access controls, a number that has since fallen to about 25,000, with version 2.4.9 being the most popular install. Gevers told BleepingComputer old MongoDB instances were deployed to cloud services, saying a whopping 78 percent of Amazon Web Services hosts were running known-vulnerable versions of the platform. Those old versions exposed databases to the internet, a problem that is fixed in the current releases.

Gevers says he is receiving requests for assistance from ransomed and exposed organisations, and recommends MongoDB administrators check logs and ensure unauthorised accounts have not been added.

Microsoft Finds Cerber Ransomware Activity Increased During Holidays

Microsoft security researchers warn that after a brief quiet period, the Cerber ransomware family has reemerged with a vengeance to target holiday shoppers and enterprise business data files.

The holidays are no time to drop one's guard when it comes to cyber-security. After tracking the popular Cerber ransomware family and noticing a decline in activity earlier this month, the Microsoft Malware Protection Center warns that attackers have ratcheted up their efforts during what is considered a slow period at many businesses, but a prime shopping time for online bargain hunters. Microsoft's security researchers have uncovered a pair of new campaigns, including a flood of new spam that exploits the uptick in ecommerce transactions during the season. The Cerber ransomware is constantly evolving. Not content with encrypting user files and holding them for ransom, last month Cerber's authors expanded into databases and files associated with critical business applications. Version 4.1.5 of the ransomware was coded to seek out Microsoft Access, MySQL and Oracle database files.
In some cases Cerber shuts down running databases so that the malware can encrypt files in use. In the latest wave, attackers are spamming inboxes with malicious attachments that download and install the ransomware.

The malware masquerades as password-protected zip files.

The passcode is typically provided in the body of the email, which purportedly contains online order and delivery details; a passcode supplied this way is itself another red flag for potential malware. Attackers are also using an exploit kit to spread Cerber over malicious and compromised websites.

The sites use vulnerabilities like those found in older versions of Adobe Flash to download and execute the latest version of Cerber on a victim's machine.

This tactic is proving particularly effective in Asia and Europe, telemetry data from Microsoft's Windows Defender anti-malware software shows. Adding a new wrinkle in Cerber's development, version information has been removed from the ransomware's configuration data, making it somewhat tougher to track its evolution, observed Microsoft security specialists Rodel Finones and Francis Tan Seng in their exhaustive analysis of the threat. Cerber is also casting a wider net, targeting an additional 50 file types while excluding .cmd, .exe and .msi, a first for this type of ransomware. Cerber also now prioritizes Office folders containing critical files, suggesting that attackers are targeting enterprise environments.

Corporate networks are overflowing with sensitive information and business-critical software, adding urgency to efforts to protect against ransomware and its damaging effects. Behind the scenes, two sets of additional IP address ranges have been added to the command-and-control server setup used by the malware to communicate with attackers.

Finally, a Tor proxy site has replaced the three proxy sites that formerly provided a payment site.

The privacy-enhancing Tor (The Onion Router) network employs encryption and relays to conceal an Internet user's location. "For cyber-criminals, releasing a new version of malware not only increases [the] likelihood of evading antivirus detection; it's also a way of increasing the complexity of malware," the Microsoft security researchers noted. "Cerber's long list of updated behavior indicates that the cyber-criminals are highly motivated to continue improving the malware and the campaigns that deliver it."

Research on unsecured Wi-Fi networks across the world

The very nature of wireless Wi-Fi networks means that hackers or criminals simply need to be located near an access point in order to eavesdrop and intercept network traffic. Poorly configured access point encryption or services that allow data to be sent without any encryption pose a serious threat to user data. Confidential data can be protected by encrypting traffic at wireless access points.
In fact, this method of protection is now considered essential for all Wi-Fi networks.

But what actually happens in practice? Is traffic always encrypted on public Wi-Fi networks? How does the situation differ from country to country? Kaspersky Security Network statistics can answer all these questions. We compared the situation with Wi-Fi traffic encryption in different countries using data from our threat database. We counted the number of reliable and unreliable networks in each country that has more than 10 thousand access points known to us (this obviously excludes Antarctica and other regions where there is not enough data to draw any conclusions).

Security of Wireless Networks

Using statistics from Kaspersky Security Network (KSN), we analyzed data from across the world for almost 32 million Wi-Fi hotspots accessed by the wireless adapters of KSN users.

Chart: Encryption type used in public Wi-Fi hotspots across the world

Approximately 24.7% of Wi-Fi hotspots in the world do not use any encryption at all.

This basically means that by using an antenna capable of sending and receiving data at 2.4 GHz, any individual located near an access point can easily intercept and store all user traffic and then browse it for data they are interested in.

Fortunately, modern online banking systems and messengers do not transfer unencrypted data.

But this is the only thing that prevents users of Wi-Fi networks with unencrypted traffic from revealing their passwords and other essential data when using an unsecured access point. The WEP (Wired Equivalent Privacy) protocol for encryption of data transferred over Wi-Fi is used by approximately 3.1% of all analyzed access points.

The protocol was the first to be created, quite a long time ago, and is now completely unreliable – it would take hackers just a few minutes to crack it.

From a data security point of view, using WEP is not much different from using open networks.

This protocol is being relegated to oblivion everywhere, but as we see from the chart above, it can still be found in use. Around three-quarters of all access points use encryption based on the Wi-Fi Protected Access (WPA) protocol family.

The protocols from this family are currently the most secure.

The effort required to hack WPA depends on its settings, including the complexity of the password set by the hotspot owner.
It is worth noting that an attempt to decipher traffic from “personal” (WPA-Personal, PSK authentication) wireless networks (with public access points) can be made by intercepting the handshakes between the access point and the device at the beginning of the session. “Corporate” versions are protected from this sort of interception because they use internal company authorization. When it comes to “personal” WPA2 attacks, the situation is similar to that of WPA and mostly depends on the strength of the password set by the hotspot owner. It is only fair to note that during a standard attack on a Wi-Fi access point, a personal computer can generate from 50 to 300 keys per second on average.
If the encryption key is strong, it will take years to hack it.
Still, no one can guarantee that the key used at a cafe will be secure and that the attacker will have nothing but a PC at their disposal. Overall, it can be said that today’s WPA/WPA2 “non-enterprise” versions are reasonably, but not absolutely, secure.
In particular, they allow brute-force and dictionary attacks.

There are ready-to-use publicly available tools (aircrack-ng and similar software) for performing such attacks, as well as a large number of manuals.

Geography of Unsecured Wi-Fi Access Points

Chart: Share of Wi-Fi hotspots that use unreliable WEP or do not encrypt data (by country)

We would like to note that the five countries with the highest proportion of unsecured connections include Korea (47.9% of unsecured Wi-Fi access points), while France (40.14%) and the US (39.31%) rate 9th and 12th respectively in the list. Germany appears to be the most secure among Western European countries, with 84.91% of access points secured by WPA/WPA2 protocol encryption.

Chart: Share of Wi-Fi hotspots that use WPA/WPA2 (by country)

However, even when using an encrypted connection, you should not completely rely upon this security measure.

There are several scenarios that could compromise even well-encrypted network traffic.

These include fake access points with names that duplicate or mimic real ones (for example, TrainStation_Free or TrainStation Free) and compromised routers forwarding traffic without encryption to attackers (malware tools that infect such devices are already “in the wild”).

At any rate, taking care of your own security is a good idea.

Recommendations for Users

There are several simple rules that help protect personal data when using open Wi-Fi networks in cafes, hotels, airports, and other public places. Do not trust networks that are not password-protected. Even if a network requests a password, you should remain vigilant. Fraudsters can find out the network password at a coffee shop, for example, and then create a fake connection with the same password.

This allows them to easily steal personal user data. You should only trust network names and passwords given to you by employees of the establishment. To maximize your protection, turn off your Wi-Fi connection whenever you are not using it.

This will also save your battery life. We recommend disabling automatic connection to existing Wi-Fi networks too. If you are not 100% sure the wireless network you are using is secure, but you still need to connect to the internet, try to limit yourself to basic user actions such as searching for information. You should refrain from entering your login details for social networks or mail services, and definitely not perform any online banking operations or enter your bank card details anywhere. To avoid being a target for cybercriminals, you should enable the “Always use a secure connection” (HTTPS) option in your device settings.
It is recommended to enable this option when visiting any websites you think may lack the necessary protection. If possible, connect via a Virtual Private Network (VPN). With a VPN, encrypted traffic is transmitted over a protected tunnel, meaning criminals won’t be able to read your data, even if they gain access to them. And, of course, you should use dedicated security solutions.

They inform users about any potential dangers when connecting to a suspicious Wi-Fi network and prevent any passwords or other confidential data from being compromised if there is a threat. One example of a dedicated solution is the Secure Connection tool included in the latest versions of Kaspersky Internet Security and Kaspersky Total Security.

This module protects users connected to Wi-Fi networks by providing a secure encrypted connection channel.
Secure Connection can be launched manually or, depending on the settings, activated automatically when connecting to public Wi-Fi networks, when navigating to online banking and payment systems or online stores, and when communicating online (mail services, social networks, etc.).

PoisonTap Hacking Tool Compromises Computers via USB Stick

If you step away from your computer, an attacker could quickly insert a USB stick and take control using a series of vulnerabilities. The device costs only $5.

While most people know not to leave their computer alone in a public space, locking the system with a password gives many users a feeling of security. A new hacking tool released this week has shown how illusory that feeling is, demonstrating the danger of leaving any system unsupervised. The tool, known as PoisonTap, can be loaded onto a $5 Raspberry Pi barebones computer and will take over the internet connection of any system to which it is connected. Once plugged in, the program will steal the victim’s cookies for the top 1 million Web sites, expose internal routers to the Internet, and allow remote access to the system. The hacker behind the program, Samy Kamkar, a security researcher best known for creating the MySpace worm in 2005, announced the tool on Nov. 16. “When plugged into a locked or password-protected computer, it takes over all internet traffic momentarily,” Kamkar said in a video explaining the attack. “The back door and remote access persists even after the device is removed and you walk away.”

The attack is a bold demonstration that leaving a computer unattended is never a good idea. When PoisonTap is plugged into a computer, the device masquerades as an Ethernet device. The computer immediately sends a request to PoisonTap for an IP address, even if it is locked or password-protected. The address that PoisonTap returns makes it seem that “almost all IP addresses on the Internet are part of PoisonTap’s LAN,” Kamkar said. The result is that the targeted computer will send all its Internet traffic through PoisonTap. PoisonTap will intercept any requests to the Web and steal cookies to the top 1 million Web sites.

The cookies could then be used by an attacker to automatically log into sites without needing a username and password, although the effectiveness of such an attack depends on the site’s security requirements. The program can also poison the browser cache and redirect requests for certain Web sites to go to an attacker-owned site, essentially giving control of the browser to the attacker, Kamkar said. “Whenever the Web socket is open, the attacker can remotely send commands to the victim and force their browser to execute JavaScript code,” he said. “This allows that attacker to make requests as the user, with the user cookies and view the responses, with no visibility to the user.” There is very little a consumer can do to secure against the attack, he said. “To protect a client machine, I suggest adding cement to all your USB ports,” he said. The program will not run on computers that have file system encryption, such as FileVault, because the browser does not run in the background. Web sites can protect against parts of the attack by requiring all traffic to use HTTPS. While that seems to be a basic precaution, only 21 percent of the top 100 non-Google sites require HTTPS by default, according to a 2016 analysis by Google. Overall, the attack is able to avoid a laundry list of security protections, including password-protected lock screens, same-origin policies in the browser, two-factor authentication and DNS pinning.

Meet PoisonTap, the $5 tool that ransacks password-protected computers

The perils of leaving computers unattended just got worse, thanks to a newly released exploit tool that takes only 30 seconds to install a privacy-invading backdoor, even when the machine is locked with a strong password. PoisonTap, as the tool has been dubbed, runs freely available software on a $5/£4 Raspberry Pi Zero device. Once the payment card-sized computer is plugged into a computer's USB slot, it intercepts all unencrypted Web traffic, including any authentication cookies used to log in to private accounts. PoisonTap then sends that data to a server under the attacker's control.

The hack also installs a backdoor that makes the owner's Web browser and local network remotely controllable by the attacker.

PoisonTap is the latest creation of Samy Kamkar, the engineer behind a long line of low-cost hacks, including a password-pilfering keylogger disguised as a USB charger, a key-sized dongle that jimmies open electronically locked cars and garages, and a DIY stalker app that mined Google Streetview. While inspiring for their creativity and elegance, Kamkar's inventions also underscore the security and privacy tradeoffs that arise from an increasingly computerized world. PoisonTap continues this cautionary theme by challenging the practice of password-protecting an unattended computer rather than shutting it off or, a safer bet still, toting it to the restroom or lunch room. Kamkar told Ars:

The primary motivation is to demonstrate that even on a password-protected computer running off of a WPA2 Wi-Fi, your system and network can still be attacked quickly and easily. Existing non-HTTPS website credentials can be stolen, and, in fact, cookies from HTTPS sites that did not properly set the 'secure' flag on the cookie can also be siphoned. Unsecured home or office routers are similarly at risk.

Kamkar has published the PoisonTap source code and additional technical details here and has also released the following video demonstration:

PoisonTap - exploiting locked machines w/ Raspberry Pi Zero.

Once the device is inserted in a locked Mac or PC (Kamkar said he hasn't tested PoisonTap on a Linux machine), it surreptitiously poisons the browser cache with malicious code that lives on well after the tool is removed.

That makes the hack ideal for infecting computers while they are only briefly unattended. Here's how it works. Once the PoisonTap software is installed, the Raspberry Pi device becomes a miniature Linux computer that presents itself as an Ethernet network. Like a router, it's responsible for allocating IP addresses for the local network through the dynamic host configuration protocol.
In the process, the device becomes the gateway for sending and receiving traffic flowing over the local network.
In this sense, PoisonTap is similar to a USB exploit tool demonstrated in September that stole login credentials from locked PCs and Macs. Through a clever hack, however, PoisonTap is able to become the gateway for all Internet traffic as well.
It does this by defining the local network to include the entire IPv4 address space. With that, the device has the ability to monitor and control all unencrypted traffic the locked computer sends or receives over its network connection. PoisonTap then searches the locked computer for a Web browser running in the background with an open page. When it finds one, the device injects HTML iframe tags into the page that connect to the top 1 million sites ranked by Alexa.

Because PoisonTap masquerades as the HTTP server for each site, the hack is able to receive, store, and upload any non-encrypted authentication cookies the computer uses to log in to any of those sites. Given its highly privileged man-in-the-middle position, PoisonTap can also install backdoors that make both the Web browser and connected router remotely accessible to the attacker.

To expose the browser, the hack leaves a combination of HTML and JavaScript in the browser cache that produces a persistent WebSocket. PoisonTap uses what's known as a DNS rebinding attack to give remote access to a router. That means attackers can use PoisonTap to remotely access a browser as it connects to a website or to gain administrative control over the connected router.

Attackers still must overcome any password protections safeguarding an exposed router.

But given the large number of unpatched authentication bypass vulnerabilities or default credentials that are never changed, such protections often don't pose much of an obstacle. PoisonTap challenges a tradition that can be found in almost any home or office—the age-old practice of briefly leaving a locked computer unattended.

And for that reason, the ease and thoroughness of the hack may be understandably unsettling for some people.
Still, several safeguards can significantly lower the threat posed by the hack.

The first is to, whenever possible, use sites that are protected by HTTPS encryption and the transmission of secure cookies to prevent log-in credentials from being intercepted.

A measure known as HTTP Strict Transport Security is better still, because it prevents attack techniques that attempt to downgrade HTTPS connections to unsecured HTTP. As a result, neither Google nor Facebook pages can be triggered by computers infected by PoisonTap.
Sadly, multi-factor authentication isn't likely to provide much protection because it generally isn't triggered by credentials provided in authentication cookies. End users, meanwhile, should at a minimum close their browsers before locking their computer or, if they're on a Mac, be sure to enable FileVault2 and put their machine to sleep before walking away, since browsers are unable to make requests in such cases. Regularly flushing browser caches is also a sound, albeit imperfect, measure.

For the truly paranoid, it may make more sense to simply bring laptops along or to turn off machines altogether.
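The two server-side defences the PoisonTap articles above name are the cookie Secure flag and HTTP Strict Transport Security. The following audit, an added example that is not part of either article or of Kamkar's tooling, parses a site's response headers (constructed sample lines, not captured from any real site) and reports which cookies a browser would attach to a forced plain-HTTP request and whether a cached HSTS policy would stop that request from ever leaving the machine.

```python
"""Audit HTTP response headers for PoisonTap-relevant defences (added example)."""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample responses; the cookie names and values are placeholders.
# PoisonTap coerces a background browser into plain-HTTP requests for many
# hostnames, so any cookie the browser would attach to http:// is readable.
HSTS_SITE_HEADERS = [
    "HTTP/1.1 200 OK",
    "Strict-Transport-Security: max-age=31536000; includeSubDomains",
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "Set-Cookie: tracker=xyz; Path=/",
    "Set-Cookie: pref=dark; Path=/; Secure",
]
LEGACY_SITE_HEADERS = [
    "HTTP/1.1 200 OK",
    "Set-Cookie: auth=tok456; Path=/; HttpOnly",
    "Set-Cookie: csrf=nonce; Path=/",
]


@dataclass
class CookieInfo:
    name: str
    secure: bool
    http_only: bool


def parse_set_cookie(value: str) -> CookieInfo:
    """Parse one Set-Cookie header value into its name and the flags we care about."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.lower() for p in parts[1:]}
    return CookieInfo(name=name, secure="secure" in attrs, http_only="httponly" in attrs)


def hsts_enforced(value: str) -> bool:
    """True when the STS header carries a positive max-age (max-age=0 clears the policy)."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age":
            try:
                return int(val.strip().strip('"')) > 0
            except ValueError:
                return False
    return False


def audit_headers(lines: List[str]) -> Dict[str, object]:
    """Report cookies a forced plain-HTTP request would leak, and the HSTS status.

    risk: "high" if a non-Secure cookie exists and no HSTS policy is set,
          "mitigated" if HSTS is set (the browser upgrades http:// to https://
          before sending, but only for hosts it has already seen or preloaded),
          "low" if every cookie carries the Secure flag.
    """
    hsts = False
    cookies: List[CookieInfo] = []
    for line in lines:
        header, sep, value = line.partition(":")
        if not sep:
            continue  # status line or malformed line
        header = header.strip().lower()
        value = value.strip()
        if header == "strict-transport-security":
            hsts = hsts_enforced(value)
        elif header == "set-cookie":
            cookies.append(parse_set_cookie(value))
    exposed = [c.name for c in cookies if not c.secure]
    if not exposed:
        risk = "low"
    elif hsts:
        risk = "mitigated"
    else:
        risk = "high"
    return {"hsts": hsts, "exposed_cookies": exposed, "risk": risk}


if __name__ == "__main__":
    for label, headers in (("hsts site", HSTS_SITE_HEADERS), ("legacy site", LEGACY_SITE_HEADERS)):
        print(label, audit_headers(headers))
```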

Russia-linked phishing campaign behind the DNC breach also hit Podesta, Powell

Photo: The spear-phishing e-mail received by Clinton campaign staffer William Rinehart matches messages received by both former Secretary of State Colin Powell and Clinton campaign chairman John Podesta. (The Smoking Gun)

The breaches of personal e-mail accounts for Clinton presidential campaign chairman John Podesta and former Secretary of State Colin Powell have now been tied more closely to other breaches involving e-mail accounts for Democratic party political organizations. Podesta and Powell were both the victims of the same form of spear-phishing attack that affected individuals whose data was shared through the “hacktivist” sites of Guccifer 2.0 and DCLeaks. As Ars reported in July, the spear-phishing attack used custom-coded Bit.ly shortened URLs containing the e-mail addresses of their victims.

The URLs appeared in e-mails disguised to look like warnings from Google about the victims’ accounts.

These spear-phishing attacks were tracked by the security firm SecureWorks as part of the firm’s tracking of the “Fancy Bear” threat group (also known as APT28), a hacking operation previously tied to a phishing campaign against military and diplomatic targets known as Operation Pawn Storm. As The Smoking Gun reported in August, one of these e-mails was sent to William Rinehart, a staffer with the Clinton presidential campaign. Rinehart’s e-mails were leaked on the DCLeaks site.

DCLeaks also carried the e-mails of Sarah Hamilton, an employee of a public relations firm that has done work for the Clinton campaign and for the DNC. Hamilton's e-mails were offered to The Smoking Gun by someone claiming to be Guccifer 2.0 via a password-protected link on the DC Leaks site. E-mails with the same crafted Bit.ly Web addresses were found in the e-mails of both Podesta and Powell, as Motherboard’s Lorenzo Franceschi-Bicchierai reports. Podesta’s e-mails were shared by WikiLeaks; Powell’s were posted on DCLeaks.

That would suggest a firm connection between the DC Leaks / Guccifer 2.0 campaign (already linked to Russian intelligence) and the source of the WikiLeaks DNC files.

Second hacking group targets SWIFT-connected banks

Odinaff shares links with Carbanak

A second group of hackers – Odinaff – has broken into the SWIFT system, the fulcrum of the global financial payments system. Odinaff were found to be using the same approach as those who stole $81m from the Bangladesh central bank earlier this year. Attacks involving the Odinaff trojan and associated tools appear to have begun in January 2016.

The attacks have hit a wide range of regions with the US the most frequently targeted, followed by Hong Kong, Australia, the UK, and Ukraine. It’s unclear to what extent these attacks have been successful – much less how much money the hackers have extracted. The targets are mostly banks and other financial institutions. Malware is spread through spear-phishing emails, many of which come with malicious macros. Password-protected RAR archives are another potential lure. Some Odinaff infections have been pushed through botnets onto already-infected machines.
Security firm Symantec has found evidence of tools capable of manipulating SWIFT customers’ transfer logs and wiping computers to hide traces of activity, it claims. “The attacks involving Odinaff share some links to the Carbanak group, whose activities became public in late 2014,” according to its security response team. “Carbanak also specializes in high-value attacks against financial institutions and has been implicated in a string of attacks against banks, in addition to point of sale intrusions.” Three command and control IP addresses connected to previously reported Carbanak campaigns also feature in Odinaff.
It may be that the two groups are cooperating with each other. Kevin Bocek, chief cybersecurity strategist at Venafi, said: “These attacks on SWIFT are like old-school bank robberies for a digital age; the hackers are taking money right from the bank’s safe." “This is a shift from previous attacks that have been more focused on stealing from banking customers.

After the success of the first SWIFT hack, it’s unsurprising to see the headlines doing the rounds again and I’d be shocked if this is the last we see of it.” ®

Odinaff Trojan Targeting SWIFT Messaging System Used by Banks

Symantec warns of the growing risk from a malware variant that is targeting the SWIFT messaging system that banks use for financial transfers. Symantec issued a warning on Oct. 11 about an emerging malware dubbed Odinaff that is going after the SWIFT m...

Polyglot – the fake CTB-locker

Cryptor malware programs currently pose a very real cybersecurity threat to users and companies.

Clearly, organizing effective security requires the use of security solutions that incorporate a broad range of technologies capable of preventing a cryptor program from landing on a potential victim’s computer or reacting quickly to stop an ongoing data encryption process and roll back any malicious changes. However, what can be done if an infection does occur and important data has been encrypted? (Infection can occur on nodes that, for whatever reason, were not protected by a security solution, or if the solution was disabled by an administrator.) In this case, the victim’s only hope is that the attackers made some mistakes when implementing the cryptographic algorithm, or used a weak encryption algorithm.

A brief description

The cryptor dubbed Polyglot emerged in late August.

According to the information available to us, it is distributed in spam emails that contain a link to a malicious RAR archive.

The archive contains the cryptor’s executable code. Here are some examples of the links used:

hXXp://bank-info.gq/downloads/reshenie_suda.rar
hXXp://bank-info.gq/downloads/dogovor.rar

When the infected file is launched, nothing appears to happen. However, the cryptor copies itself under random names to a dozen or so places, writes itself to the autostart folder and to TaskScheduler. When the installation is complete, file encryption starts.

The user’s files do not appear to change (their names remain the same), but the user is no longer able to open them. When encryption is complete, the cryptor changes the desktop wallpaper (interestingly, the wallpaper image is unique to each victim) and displays the ransom message.

Screenshot: The cryptor’s main window

Screenshot: New desktop wallpaper with the “open key” block unique to each victim computer

The user is offered the chance to decrypt several files for free.

Screenshot: The free trial decryption window

After this, the user is told to pay for file decryption in bitcoins.

The cryptor contacts its C&C, which is located on the Tor network, for the ransom sum and the bitcoin address where it should be sent.

Screenshot: C&C communication window

From this moment on, the cryptor allows the user to check the ransom payment status on the C&C.

Screenshot: Ransom payment details

If the ransom is not paid on time, the cryptor notifies the user that it’s no longer possible to decrypt their files, and that it is about to ‘self-delete’.

Screenshot: Last window displayed by Polyglot

Imitating CTB-Locker

Initially, this cryptor caught our attention because it mimics all the features of another widespread cryptor – CTB-Locker (Trojan-Ransom.Win32.Onion).

The graphical interface window, language switch, the sequence of actions for requesting the encryption key, the payment page, the desktop wallpapers – all of them are very similar to those used by CTB-Locker.

The visual design has been copied very closely, while the messages in Polyglot’s windows have been copied word for word.

Screenshots (Polyglot on the left, CTB-Locker on the right):
The main graphical interface windows
List of encrypted files
Window for the trial decryption of 5 random files
The private key request window
The desktop wallpapers
The ‘connection failed’ error message
Offline decryption instructions

The similarities do not stop there.

Even the encryption algorithms used by the cybercriminals have clearly been chosen to imitate those used in CTB-Locker.

Algorithms used for file encryption
Polyglot: File content is packed into a ZIP archive and then encrypted with AES-256.
CTB-Locker: File content is compressed with Zlib and then encrypted with AES-256.

Algorithms used while working with the keys
Polyglot: ECDH (elliptic curve Diffie-Hellman), curve25519, SHA256.
CTB-Locker: ECDH (elliptic curve Diffie-Hellman), curve25519, SHA256.

Extensions of encrypted files
Polyglot: File extensions are not changed.
CTB-Locker: File extensions are changed, depending on version: .ctbl, .ctb2, or 7 random lower-case Latin symbols.

Demo decryption
Polyglot: 5 files are decrypted for free as a demo. Their decryption keys and file names are saved in the registry.
CTB-Locker: 5 files are decrypted for free as a demo. Their decryption keys are only stored in RAM while the process is running.

C&C location
Polyglot: C&C is in the Tor network; communication is via a public tor2web service.
CTB-Locker: C&C is in the Tor network; communication is via a Tor client integrated into the Trojan, or (in some versions of CTB-Locker) via a public tor2web service.

Traffic protection / obfuscation
Polyglot: Bitwise NOT operation.
CTB-Locker: AES encryption.

That said, we should note the following: a detailed analysis has revealed that Polyglot was developed independently from CTB-Locker; in other words, no shared code has been detected in the two Trojans (except the publicly available DLL code). Perhaps the creators of Polyglot wanted to disorient the victims and researchers, and created a near carbon copy of CTB-Locker from scratch to make it look like a CTB-Locker attack and that there was no hope of getting files decrypted for free.

C&C communication

The Trojan contacts the C&C server located on Tor via a public tor2web service, using the HTTP protocol. Prior to each of the below data requests, a POST request is sent with just one parameter: “live=1”.

Request 1. At the start of operation, the Trojan reports the successful infection to the C&C.

The following data is sent to the C&C:

    {
        "ip": "xxx.xxx.xxx.xxx",                        // IP address of the infected computer
        "method": "register",                           // action type; "register" = Trojan informs C&C of a new infection
        "uid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",   // infected computer's ID
        "version": "10f",                               // Trojan version contained in its body
        "info": "Microsoft (build xxxx), 64-bit",       // OS version on the infected computer
        "description": " ",                             // always a single whitespace (" ")
        "start_time": "14740xxxxx",                     // Trojan's start time
        "end_time": "0",                                // encryption finish time; 0 = no encryption has run yet
        "user_id": "5"                                  // number hardwired in the sample
    }

This data block is passed through a bitwise NOT operation, encoded into Base64 and sent to the C&C in a POST request.

Contents of the sent request

Parameters of the POST request:
- signature – CRC32 of the sent data
- ver – Trojan version
- gcdata – the data, with contents as described above

Request 1 and the reply received from the C&C

Request 2. When the Trojan has finished encrypting the user's data, it sends another request to the C&C.

The content of the request is identical to that of request 1 except for the field "end_time", which now shows the time encryption was completed.

Request 3. This is sent to the C&C to request the bitcoin address for payment and the ransom sum to be paid.

    {
        "method": "getbtcpay",
        "uid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    }

The C&C replies to this request with the following data:

    {
        "code": "0",
        "text": "OK",
        "address": "xxxxxxxx",    // bitcoin address (may vary)
        "btc": 0.7,               // amount to be paid in BTC (may vary)
        "usd": 319.98             // amount to be paid in USD (may vary)
    }

Request 4. This is sent to request a file decryption key from the C&C.

    {
        "method": "getkeys",
        "key": "",
        "uid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
        "info": ["DYqbX3m9u0Pk9bE9Rg2Co3empC2M/yrnqgNS3r0AT2vwCw8Zas08bd4BNiO3XuAqi6/5WQ0VBiUkRUToo+YFL/QtPkiRIQ/D9RyKhzpBHlNpf2hPb9eloDzpkonQl7L6cQyJ2FipEG2ggZOdTDBcNAEAAAA="]
    }

Request 5. The Trojan reports that data decryption has been completed and states the number of decrypted files to the C&C.

    {
        "method": "setend",
        "uid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
        "decrypted": "1"
    }

Description of the encryption algorithm

During our analysis of the malicious code, it became evident that the Trojan encrypts files in three stages, creating intermediate files:

1. First, the original file is placed in a password-protected ZIP archive. The archive has the same name as the original file plus the extension "a19".
2. Polyglot encrypts the password-protected archive with the AES-256-ECB algorithm. The resulting file again uses the name of the original file, but the extension is now changed to "ap19".
3. The Trojan deletes the original file and the file with the extension "a19". The extension of the resulting file is changed from "ap19" to that of the original file.

Flowchart of the search and file encryption actions performed by Polyglot

A separate AES key is generated for each file, and is nothing more than a 'shared secret' generated according to the Diffie-Hellman protocol on an elliptic curve. However, first things first. Before encrypting any files, the Trojan generates two random sequences, each 32 bytes long.

The SHA256 digests of each sequence become the private keys s_ec_priv_1 and s_ec_priv_2. Then, the Bernstein elliptic curve (Curve25519) is used to obtain the public keys s_ec_pub_1 and s_ec_pub_2 (respectively) from each private key.

The Trojan creates the structure decryption_info and writes the following to it: the random sequence used as the basis for creating the key s_ec_priv_1, the string machine_guid taken from the registry, and a few zero bytes.

    struct decryption_info {
        char s_rand_str_1[32];   // random sequence from which s_ec_priv_1 is derived
        char machine_guid[36];   // MachineGuid string read from the registry
        char zeroes[12];         // zero bytes; the structure totals 80 bytes
    };

Using the private key s_ec_priv_2 and the cybercriminal's public key mal_pub_key produces the shared secret mal_shared_secret = ECDH(s_ec_priv_2, mal_pub_key). The structure decryption_info is encrypted with the AES-256-ECB algorithm using a key that is the SHA256 digest of this secret. For convenience, we shall call the obtained 80 bytes of the encrypted structure encrypted_info.

Only when Polyglot obtains the encrypted_info value does it proceed to generate the session AES key for the file. Using the above method, a new pair of keys is generated, f_priv_key and f_pub_key. Using f_priv_key and s_ec_pub_1 produces the shared secret f_shared_secret = ECDH(f_priv_key, s_ec_pub_1). The SHA256 digest of this secret will be the AES key with which the file is encrypted.

To indicate that the file has already been encrypted and that it's possible to decrypt the file, the cybercriminals write the structure file_info to the start of each encrypted file:

    struct file_info {
        char label[4] = {'H', 'U', 'I', 0x00};   // marker "HUI"
        uint32_t label2 = 1;
        uint64_t archive_size;                  // size of the ZIP archive that follows
        char f_pub_key[32];                     // per-file ECDH public key
        char s_ec_pub_1[32];
        char s_ec_pub_2[32];
        char encrypted_info[80];                // decryption_info, AES-256-ECB encrypted
    };

The elliptic curve, the Diffie-Hellman protocol, AES-256, a password-protected archive – it was almost flawless.

But not quite, because the creator of Polyglot made a few mistakes during implementation.

This gave us the opportunity to help the victims and restore files that had been encrypted by Polyglot.

Mistakes made by the creators

As was mentioned earlier, all the created keys are based on a randomly generated array of characters. Therefore, the strength of the keys is determined by the generator's strength. And we were surprised to see the implementation of this generator:

A graphical representation of the random sequence generation procedure

Let's convert this function into pseudocode so it's easier to follow:

Please note that when another random byte is selected, the entire result of the function rand() is not used, just the remainder of dividing the result by 32. Only the cybercriminal knows why they decided to make the random string this much weaker – an exhaustive search of the entire set of the possible keys produced by such a pseudo-random number generator will only take a few minutes on a standard PC. Taking advantage of this mistake, we were able to calculate the AES key for an encrypted file.

Although there was a password-protected archive below the layer of symmetric encryption, we already knew that the cybercriminal had made another mistake. Let's look at how the archive key is generated:

We can see that the key length is only 4 bytes; moreover, these are specific bytes from the string MachineGuid, the unique ID assigned to the computer by the operating system. Furthermore, a slightly modified MachineGuid string is displayed in the ransom demand text shown to the victim; this means that if we know the positions in which the 4 characters of the ZIP archive password are located, we can easily unpack the archive.

The MachineGuid string displayed in the ransom demand screen

Conclusion

Files that are encrypted by this cryptor can be decrypted using Kaspersky Lab's free anti-cryptor utility RannohDecryptor version 1.9.3.0.

All Kaspersky Lab solutions detect this cryptor malware as:
Trojan-Ransom.Win32.Polyglot
PDM:Trojan.Win32.Generic

MD5 c8799816d792e0c35f2649fa565e4ecb – Trojan-Ransom.Win32.Polyglot.a
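To make the C&C communication section and the file_info structure concrete, here is an added Python example (written for this page; it is neither Kaspersky Lab's code nor the Trojan's own code) that turns a captured gcdata value back into the JSON beacon, checks the CRC32 signature, classifies the beacon by its end_time field, and recognises the 192-byte file_info header at the start of an encrypted file. The sample beacon and header bytes are constructed. Two details the write-up does not state are assumptions, labelled in the code: that the CRC32 is taken over the plain JSON text before the NOT/Base64 transformation, and that the integer fields of file_info are little-endian.

```python
"""Triage helpers for the Polyglot C&C beacon format and the file_info header
described above. Added example for this page, not Kaspersky Lab's code and not
the Trojan's own code. Layouts follow the write-up: a JSON block passed through
bitwise NOT and Base64 (the gcdata parameter), a CRC32 "signature" parameter,
and the 192-byte file_info structure at the start of each encrypted file.
Two details the page does not state are ASSUMED here: the CRC32 is computed
over the plain JSON text, and file_info's integer fields are little-endian."""
from __future__ import annotations

import base64
import json
import struct
import zlib


# ---- C&C beacon: gcdata and signature parameters ---------------------------

def encode_gcdata(payload: dict) -> tuple[str, int]:
    """Reproduce the transformation the page describes (JSON -> bitwise NOT
    -> Base64) so captures can be compared with known-good output.
    Returns (gcdata, signature). CRC32-over-plain-JSON is an assumption."""
    raw = json.dumps(payload, separators=(",", ":")).encode()
    inverted = bytes(b ^ 0xFF for b in raw)            # bitwise NOT of each byte
    return base64.b64encode(inverted).decode(), zlib.crc32(raw) & 0xFFFFFFFF


def decode_gcdata(gcdata: str, signature: int | None = None) -> dict:
    """Invert the transformation on a gcdata value taken from a proxy or IDS
    log. NOT is its own inverse, so the same XOR recovers the JSON. When a
    signature is supplied it is checked before the JSON is parsed."""
    raw = bytes(b ^ 0xFF for b in base64.b64decode(gcdata))
    if signature is not None and (zlib.crc32(raw) & 0xFFFFFFFF) != signature:
        raise ValueError("signature mismatch: damaged capture or not a Polyglot beacon")
    return json.loads(raw.decode())


def beacon_phase(payload: dict) -> str:
    """Classify a beacon. Per the page, a 'register' beacon with end_time "0"
    is sent at start-up (request 1) and the same beacon with the finish time
    is sent after encryption (request 2); the first is the window in which
    isolating the host still limits the damage."""
    if payload.get("method") != "register":
        return "other"
    return "infected-encrypting" if payload.get("end_time") == "0" else "infected-done"


# ---- file_info header written to the start of every encrypted file ----------

# label[4], label2 (uint32), archive_size (uint64), three 32-byte public keys,
# 80-byte encrypted_info. '<' = little-endian, no padding (ASSUMED).
FILE_INFO_FMT = "<4sIQ32s32s32s80s"
FILE_INFO_LEN = struct.calcsize(FILE_INFO_FMT)    # 192
POLYGLOT_LABEL = b"HUI\x00"


def parse_file_info(blob: bytes) -> dict | None:
    """Return the header fields if blob starts with a Polyglot file_info
    structure, otherwise None. Suitable for sweeping a disk image to
    inventory encrypted files before running a decryption utility."""
    if len(blob) < FILE_INFO_LEN:
        return None
    label, label2, archive_size, f_pub, s_pub1, s_pub2, enc_info = struct.unpack(
        FILE_INFO_FMT, blob[:FILE_INFO_LEN])
    if label != POLYGLOT_LABEL or label2 != 1:
        return None
    return {
        "archive_size": archive_size,
        "f_pub_key": f_pub.hex(),
        "s_ec_pub_1": s_pub1.hex(),
        "s_ec_pub_2": s_pub2.hex(),
        "encrypted_info": enc_info.hex(),
    }


# ---- constructed sample data (not real captures) -----------------------------

SAMPLE_BEACON = {                         # mirrors the request 1 field list
    "ip": "203.0.113.7", "method": "register",
    "uid": "00000000-0000-0000-0000-000000000000", "version": "10f",
    "info": "Microsoft (build 9600), 64-bit", "description": " ",
    "start_time": "1474000000", "end_time": "0", "user_id": "5",
}


def build_sample_header(archive_size: int = 1234) -> bytes:
    """Constructed file_info with dummy key material, for testing the parser."""
    return struct.pack(FILE_INFO_FMT, POLYGLOT_LABEL, 1, archive_size,
                       b"\x11" * 32, b"\x22" * 32, b"\x33" * 32, b"\x44" * 80)


if __name__ == "__main__":
    gcdata, sig = encode_gcdata(SAMPLE_BEACON)
    print("gcdata:", gcdata[:48] + "...", "signature:", f"{sig:#010x}")
    print("phase:", beacon_phase(decode_gcdata(gcdata, sig)))
    print("header:", parse_file_info(build_sample_header() + b"<encrypted zip>"))
```

Pointing decode_gcdata at the gcdata parameter from a proxy or IDS log, and parse_file_info at the first 192 bytes of suspect files, gives an incident responder a quick way to confirm a Polyglot infection, tell whether encryption had already finished when the beacon was sent, and inventory affected files without touching any key material.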

New batch of leaked Colin Powell e-mails lambasts Trump and Clinton

Add former Secretary of State Colin Powell to the list of high-ranking Washington insiders whose leaked e-mails are rankling their peers with just weeks to go before the US presidential election. DC Leaks, a site that researchers at security firm ThreatConnect have linked to the Russian government, has published 26 months of Powell's e-mails, spanning from June 2014 to last month, news organizations reported Wednesday.

The trove, which contains highly candid comments lambasting presidential candidates Donald Trump and Hillary Clinton, is part of a new batch that's separate from Powell e-mails leaked a few years ago. Powell aides reportedly confirmed the new compromise, telling The New York Times that the leaked messages "are his e-mails." In the e-mails, Powell describes Trump as a "national disgrace" and portrays the candidate as someone who is unfit to be president. As reported by Politico, Powell wrote in a June 23 e-mail to former Secretary of State Condoleezza Rice that "if Donald were to somehow win, by the end of the first week in office he'd be saying 'What the hell did I get myself into?'" The e-mails also castigate Clinton aides for linking Clinton's use of a private e-mail server during her tenure as secretary of state to Powell's use of a private e-mail address while he held the same post. The Clinton campaign's "email ploy this week didn't work and she once again looks shifty if not a liar," Powell wrote on August 20 to someone he worked with at the White House. "Trump folks having fun with her." There are many more highly critical remarks on a range of people and highly charged issues.
It remains unclear how the 26 months of e-mail, which all appear to have been sent to or received from Powell's Gmail account, were compromised. Many of the similar leaks attributed to Russian hackers, including one from Tuesday involving the World Anti-Doping Agency, have stemmed from spear phishing attacks, which use personalized e-mails to trick a target into inadvertently revealing login credentials to the attacker. Another possibility is that Powell used the same password to protect both his Gmail account and a separate account from a server that was compromised in the past.
Indeed, Powell's e-mail address and password hash are contained in the list of 68 million Dropbox accounts compromised in 2012 that was made public two weeks ago, an independent security researcher said. The leak comes a few months after a person or group with the name Guccifer 2.0 published e-mails taken from one or more hacks of the Democratic National Committee.
Some of the contents that appeared to show Democratic officials denigrating former Democratic candidate Bernie Sanders before he was defeated in the primaries led to the resignation of DNC Chair Debra Wasserman Schultz. Powell's e-mails were published on a password-protected portion of DC Leaks that was available only to select news outlets.
So far, there have been no definitive reports on precisely how the messages were obtained by DC Leaks. Listing image by DoD News