I’ve posted a new writeup on the Seasonal/Arena box Busqueda. It will remain password protected until it is retired!
Categories
Categories
New HackTheBox Writeup
I just posted a new writeup about the initial invitation process for HTB.
HackTheBox has a very unique and interesting way to sign up – you must first complete a challenge. Without being too exclusionary, HTB managed to engage me and keep me working on it for around 10 minutes. Take a look at it if you haven’t signed up for HTB yet!
Categories
What are iframes?
An iframe, also known as an inline frame, is something used in html to embed another document (page) within the current html document on a website. A web developer can choose the size of their iframe depending on the application. You can have an iframe as large as a page, or as small as a 1×1 pixel box making it undetectable by the human eye. Within an iframe, a person with malicious intent could embed a harmful website or utilize xss (cross-site-scripting) to execute scripts in the background while you browse the site. For example, someone could host a website and have a landing page that looks completely normal. In the background of their site however, there’s an iframe somewhere with malicious code embedded. The site could then bring up an actual legitimate login screen for a service like Google or Facebook but then their code records every keystroke you type in. For example, a person could be on a website reading an article, then be asked to sign in to “share” what they’re reading with others. Although the login process the site presents to you is actually legitimate, an iframe with malicious code on the website somewhere could record everything they typed in.
A security flaw with Microsoft’s Internet Explorer 5 back in 2002, and again in 2015 with Internet Explorer 11, allowed malicious people to utilize xss and iframes to their advantage and steal information quite easily. Usually in order for someone to use an iframe and code to their advantage they would have to get people onto their website first to be able to execute bad code and listen. However, this bug with IE5 and IE11 allowed the hackers to listen in on their site AND the other site which they placed within their iframe. This attack was widespread and very serious and was quickly addressed by Microsoft.
As far as preventing yourself from iframe exploits go, there is not much you can do. Inline frames are NOT always used for malicious purposes and are actually quite common on most sites. The best thing you can do is be extra cautious about signing into anything on a website not directly associated with the website, and keep up to date with your browser updates.
A variation of a trojan by the name of AZORult was recently discovered by Minerva Labs to be using a self-signed certificate (that did not belong to Google) to appear as a legitimate update service signed by Google. When installing a program or running an executable on your computer, usually there will be a box or a little green shield (Windows) somewhere saying that the program is legitimate and has a signed certificate by the company to prove so. In this case AZORult used a real signed certificate to make the malware appear as a legitimate program on people’s machines, however the signer was NOT Google. This trojan’s purpose is to phish and steal as much information from a computer as it can. Some of the things AZORult will look for include: saved passwords (in browsers or otherwise), browser cookies, Skype chat history and files in Skype chat history, files on the desktop of the pc, files with specific extensions on the pc, a list of installed programs, a list of running currently processes, the username, computer name, and operating system type. In order for a person to encounter AZORult, they must first get infected by the first stage of the malware — a delivery service. AZORult is delivered onto one’s computer through another malware such as Seamless, which utilizes iframe exploits to deliver its payload. Once Seamless is on the computer, another payload is dropped called Ramnit. Ramnit once again collects some information from the computer and then finally drops AZORult. AZORult itself isn’t extremely dangerous and can be easily removed using tools provided by Symantec. The purpose of AZORult is to collect information from someone’s computer, and open a gateway for other payloads to be executed. What makes AZORult potentially dangerous is that it can act as a delivery service for other payloads.
The way that Minerva detected the fake certificate being used by the malware was through a report sent in by one of their customers. The customer went to run GoogleUpdate.exe on their computer, and Minerva’s Anti-Evasion Platform prevented the executable from running. Although the program did have a signed certificate, this does not mean that the program is safe.
This is the signature on the fake GoogleUpdate.exe
(Image provided by Minerva)
What makes this variant of AZORult stand out from others commonly found on people’s computers is that not only does it trick people into thinking it’s a legitimate Google program that is signed for, but it also will go and replace the regular GoogleUpdate.exe (located in: C:\Program Files\Google\Update\GoogleUpdate.exe.) with the malicious version. This allows the malware to gain administrative permissions easily and remain on the system with a much lesser chance of being detected. To protect yourself from trojans like so, always be wary of what you are downloading and where you are downloading from and be extra cautious of links. If you receive a suspicious link do some research about the link before clicking on it. Something as simple as clicking on a link could allow an iframe exploit to do something to your computer.
For those interested more in iframe exploits, a new blog will be posted tomorrow explaining exactly what they are, how they work, and how potentially damaging they can be. To read more about the technical workings of AZORult click here.
Ever sent or received a file through Skype? One Chilean employee (a supposedly trusted IT professional) working for the company Redbanc messed up big time when he decided to go job searching — on company time – and took part in a staged “job interview” via Skype. An employee (who’s name, as far as I am aware, has not been disclosed to the public) was looking around at jobs back in December while he was at work for Redbanc. Redbanc is the company in charge of ATM processing services for the majority of ATM machines in the country of Chile, and has connections with every single Chilean bank as well. This employee found a position on LinkedIn that looked promising to them and they contacted the “company” thinking they were going to take part in a virtual job interview via Skype. The hackers behind the fake LinkedIn replied, and the employee then took place in the staged interview. The interview started out as a fake conversation between the employee and the hacker(s), and then turned to a point in which the hacker(s) asked the employee to fill out a fake application. The way that the hackers delivered said application to the employee was via Skype’s file transfer system. Without hesitation, the employee downloaded the file (ApplicationPDF.exe) onto their Windows 7 work computer through Skype and opened it. A fake pdf was brought up for the employee to fill out, as malicious code executed in the background, giving the hackers access to the entire network and processing system of every single ATM machine in Chile.
The hacker group that claimed responsibility for this attack is known as the Lazarus Group (AKA Hidden Cobra, or Kimsuky). The Lazarus Group is the hacker group that claimed responsibility for the Sony hack back in 2014, and the WannaCry ransomware that infected an estimated 230,000 computers in 2017. The security firm Flashpoint confirmed that the attack carried out by the Lazarus Group utilized a toolkit called “PowerRatankba” which has supposed links to North Korean hackers known as “Bureau 121” (121국). The program is written in Visual Basic, and when opened, resembles a legitimate-looking application for a user to fill out. The malware itself actually has a second payload. After the user downloads the malicious file and runs it, the malware will create a connection to a server to call to the second payload and download a Powershell reconnaissance tool. This allows the hackers to basically control the compromised computer system at their will. The next task for the malware is to call to the server and ensure a connection is made, (in this case via HTTPS) and then delete the Powershell script afterwards. Then PowerRatankba will scrape the PC for as much information as it can obtain, including; which user is currently logged into Windows on the machine and their UAC level, the processlist, proxy settings on the machine, checks for open file shares and Remote Desktop Protocol ports in an attempt to find open ports. If the user logged into the computer does have admin rights, PowerRatankba will attempt to download yet another payload from their server which allows the hackers more leverage over the system.
Below is a picture of the GUI that is shown to the user when the executable is open (provided by Flashpoint):
The infiltration itself actually took place in December, but was not publicized until Chilean Senator Felipe Harboe blasted the company Redbanc on Twitter for not disclosing their breach to the public. Redbanc then acknowledged the infiltration, but did not disclose more information to the public. This attack would not have happened if there had not been an incompetent employee who decided to download a suspicious file via Skype onto their work computer to partake in a “job interview”.
(For more information on the virus itself visit here or here.)
Categories
Contactless Card Fraud via NFC
In this post, I’ll go over what contactless fraud is, why you should care about it, and how you can prevent yourself from becoming a victim. Contactless fraud is a method of stealing someone’s credit card information remotely. The reason why this method is so high-risk is because of how undetectable and easy it can be (if done correctly) by someone who is savvy in the fraud and tech world, and has the time on their hands to create a relatively simple device that will silently sniff a person’s information from a long distance.
Many businesses today have PoS (Point of Sale) systems that support contactless payments. These systems often utilize RFID and NFC technologies. In this post, I will primarily be covering the exploitation of NFC payment methods. NFC stands for Near-Field Communication, and this technology is able to receive and transmit data in a very close proximity (about 3 – 10cm between transmitter and receiver). NFC technology is extremely similar to RFID. However, RFID is only able to receive and read data while NFC can both transmit and receive data. NFC is used in a variety of technologies today but one of the more common applications of NFC is using it to pay for something.
Apple and Android both have their own contactless payment systems; Apple’s being Apple Pay and Android’s Google Pay. There are alternative contactless payment applications on Android (such as Samsung Pay) and on Apple devices. Both Apple and Android systems utilize NFC to transmit payment data to the vendor from the device. Apple Pay does not actually transmit your card information as cleartext over NFC to make the payment, rather a “payment token” is sent over NFC to the payment terminal which then waits for verification of the transaction for the payment to be completed to the vendor. Google Pay’s method of transferring payment information is similar, but not exactly the same as Apple Pay. Google creates a temporary “virtual account number” with the user’s card or payment information encrypted inside, and then a one-use key is given to the vendor to authenticate the transaction. Basically, both companies encrypt your data before transmitting it to the NFC terminal. The real challenge is figuring out a way to receive the cleartext payment info. On top of the encryption, both Apple Pay and Google Pay require the phone to have a passcode or biometrics lock enabled on the device for the contactless payment services to be used. Although it may seem like these systems are secure and tamper-proof, it is always proved that this is never the case.
A presentation by Eddie Lee at DEFCON 20 (2012) demonstrated how two Android devices and some thinking outside-the-box could provide someone with a “bridge” or proxy from the payment terminal to a device, and back to another device. The idea proposed by Lee used WiFi to communicate between the two Androids. This means that one phone could be used to grab card information and then send the information to the second phone, which would act as if it were the actual card and could make a payment via NFC. This idea was then taken to the next level by Salvador Mendoza. Mendoza demonstrates how an individual with malicious intent can replicate the idea and create two devices that will communicate with one another over a much longer distance with the purpose of recording NFC transactions. The devices used by Mendoza allowed the bridge idea, originally demonstrated by Mr. Lee, to be taken to the next level and would allow someone to sniff and log information from individuals up to 50 meters away (or more) from the payment terminal using LoRa technology.
LoRa is a technology used for transmitting small amounts of data wirelessly over long distances. LoRa was created by Cycleo, a French company who is now owned by Semtech. A single LoRa module is about the size of a dime and can transmit data over 10km (~6.2 miles) while using little power and transmitting the data over a sub-gigahertz frequency. This technology is complex and with a little bit of time and hard work, a malicious person could replicate Mendoza’s creation. With the right code and tools, they could build a relay system to steal innocent people’s payment information and log it to their off-site PC or server anywhere in the world completely autonomously. On top of that, if the malicious person wanted to take the stolen information they had obtained and fabricate their own physical card with the stolen information, they could do so — using a mag stripe encoder and a blank card. Worst case scenario, this would create a swipeable card for the attacker to use as much as they like until the original card holder or bank froze the card and/or closed the account.
The applications of long range NFC sniffing are many, and all it takes is a little creativity to create your own sniffing tool or relay. There have been theories that directional antennas, paired with a device like Mendoza’s, could grab card info from an unsuspecting person a mile away or more, and then transmit the data to another phone to be used to make payments via NFC. A demonstration of Mendoza’s longer range NFC relay can be found here.
(This diagram created by Eddie Lee demonstrates how the NFC payment transmitting system works. The green line shows that if correctly exploited, the data sent is not being encrypted, but rather it communicates directly with the NFC chip which could allow for someone to pick up the data unencrypted.)
The reason why you should care about contactless card fraud is because of the rise in the use of contactless payment methods today. As paper money becomes something of the past, more plastic credit and debit cards are being compromised for lucrative rewards. Ultimately, there is a chance that contactless payment methods may become the new go-to for the world in the future. If this were to be the case, individuals need to understand the security risks they may face, and how they can help prevent themselves from falling victim to fraud.
Today, the only real solution to preventing your card from being stolen when using a contactless payment service such as Apple Pay or Google Pay would be to not use the service at all unless you absolutely must. The chance of someone stealing your information is very low but it could happen.Use a wallet that can block RFID and NFC signals while your card is not in use. Be aware of suspicious devices near a card reader, and limit your use of contactless payment methods.
(For more information please check out: https://salmg.net/ or Eddie Lee’s presentation at DEFCON 20 on YouTube)
At the start of this year, new spyware was discovered within a few apps on the Android Google Play store. This spyware, labelled “MobSTSPY” was intended to scrape information from the user’s device and steal while being the least susceptible. A user would unknowingly download a totally legitimate-looking application from the Google Play store with the spyware in it, and upon launching the application they would be prompted with a Facebook or Google login screen. Without even entering any information, in the background the application has already compromised the device and given the hacker the ability to connect to the device and upload files from the device. “MobSTSPY” is capable of dumping contacts, stealing SMS conversations, reading clipboard items, finding the location of the device, take text documents, pictures, audio files, and upload them to the perpetrator’s system.
Today, it is pretty common to have an app ask you to sign into Facebook or Google when first launching it. The reason for this is because a lot of games will allow you to record your progress in the game, collect badges, earn points, and share your progress with others easily by using the linked social media account to do so. The spyware would bring up a promising, yet false login screen for Facebook or Google and once the user enters their info they’ve been compromised. The malicious applications had the most downloads in India and Russia, but still managed to find their way onto people’s devices from about 196 different countries.
The spyware was hidden in an array of applications on the Google Play store. The most common applications the spyware was hidden in were apps such as: a Flappy Bird look-a-like, a flashlight app, a Windows 7 emulator for Android, and other various applications. The way the spyware would retrieve your information is through a C&C server. “MobSTSPY” specifically uses Firebase Cloud Messaging to transfer compromised data to it’s server, then the hacker could access and do as he or she pleased with the stolen information.
Originally Reported by TrendMicro.
Categories
Introduction to Ashton
I was truly enlightened to the world of net.sec in 2016, at Phoenix’s CactusCon. There, I met some PayPal employees and started on my first CTF/ARG. I spent hours on a school-loaned MacBook Pro getting through each step. Previous to this event, I had worked on HackThis and OverTheWire, but had no idea what kind of practical application it had in the real world. As cyber security has exploded as a field since then, I declared a cyber major at Embry-Riddle and began my network adventures. In my free time, I enjoy solving ARG puzzles and browsing the infosec Twitter world. I work in the IT department on-campus and have been awarded an exciting opportunity working as a security consultant for a Scottsdale-based company. As more information comes out about my personal endeavors as well as new security breaches and news, I will be sure to study, research, and report them here. I’m hoping this online “portfolio” will not only document my learning, but enlighten others about the world of cyber security.