Alerts

A group of unknown hackers has leaked highly sensitive personal data from more than 100 German politicians, including German Chancellor Angela Merkel and Brandenburg’s prime minister Dietmar Woidke, along with some German artists, journalists, and YouTube celebrities.

The leaked data that was published on a Twitter account (@_0rbit) and dated back to before October 2018 includes phone numbers, email addresses, private chats, bills, credit card information and photos of victims’ IDs.

Although it is still unclear who perpetrated this mass hack and how they carried it out, the leaked data appears to have been collected without authorization by compromising the victims’ smartphones.

The hack targeted all of Germany’s political parties currently represented in the federal parliament, including the CDU, CSU, SPD, FDP, Left party (Die Linke) and Greens, except for the far-right Alternative for Germany (AfD).

While Justice Minister Katarina Barley called this mass hack a “serious attack,” local media report that none of the leaked data could be considered politically explosive.

Germany’s Federal Office for Information Security (BSI), which is investigating the attack, said that government networks were not affected by the incident and that the identity of the hackers and their motive were not yet known.


“The BSI is currently intensively examining the case in close cooperation with other federal authorities. The National Cyber Defense Center has taken over the central coordination,” a BSI spokesperson said on Twitter.

“According to the current state of knowledge there is no concern of the governmental networks. However, we will continue to investigate.”

The victims include Chancellor Angela Merkel, President Frank-Walter Steinmeier, Foreign Minister Heiko Maas, and Robert Habeck, leader of the Green party, who was particularly badly affected by the attack: the hackers leaked his digital communications with his family.

Besides German politicians, the intrusive hack also affected the well-known actor Til Schweiger, two renowned German comedians, Jan Boehmermann and Christian Ehring, and dozens of journalists from ZDF and ARD, the publicly funded German media outlets.


The information contained in this website is for general information purposes only. The information is gathered from The Hacker News and, while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.

1Password’s “pwned password” check compares your password against the list of passwords leaked in previous or unannounced data breaches.

You must have heard about the various mega breaches, such as the ones suffered by MySpace, LinkedIn, Dropbox, Yahoo and Instagram, or the one “Hack Read” reported yesterday in which 3,000 databases with 2 million accounts were found on the Dark Web, and about the repercussions faced by the users. If you had an account at one such service, you can expect hackers to take control of that account, whether you like it or not. And if the same password is used for multiple accounts on different platforms, you can be locked out of all of them.

But there are situations in which the user has no idea that the password has been stolen, and companies often take years to notify users about a data breach, or never inform the affected users at all. What are your chances then of finding out whether your password has been stolen?

The first solution that comes to mind in such a scenario is to check security expert Troy Hunt’s HaveIBeenPwned website, which was launched last year and serves as a database listing all known breaches. However, you now have another option in the form of 1Password. This service makes it a lot easier to check whether your password has been exposed, and registered users are notified to change their password if it is no longer secure. It works by integrating the half a billion dumped credentials featured in Hunt’s Pwned Passwords into 1Password’s database.

The check is run from inside your 1Password vault. Click on any of your credentials and press Shift+Control+Option+C (on Windows, Shift+Ctrl+Alt+C), then click the Check Password button that appears next to your password. As soon as you click Check Password, you will learn whether the password is listed in Hunt’s HaveIBeenPwned database.

The basic idea behind this service, Hunt explained, is to help users independently verify whether their password has been exposed and whether they should keep using it. “Mind you, someone could actually have an exceptionally good password but if the website stored it in plain text then leaked it, that password has still been ‘burned’,” wrote Hunt.

According to 1Password’s blog post, one of its key features is to let users check whether the password they want to use has already been breached; if it is compromised, 1Password will prompt the user to pick another one. Additionally, it has the standard password strength indicator bar that helps web users improve their security practices.

Then there is the Pwnage check, which further reduces the risk of password reuse by verifying whether a specific password has already appeared in previous data breaches. The Pwned Passwords list, which is stored as SHA-1 hashes, is used to power this feature. Pwned Passwords is also available for download in plain text format and is queryable through an API that avoids sharing the complete password with third parties.
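The lookup pattern the paragraph describes, as an added illustration that is not 1Password’s or Hunt’s own code: hash the password with SHA-1 locally, send only a short hash prefix, and compare the remainder on the client. The 5-character prefix scheme and the api.pwnedpasswords.com range URL are the public Pwned Passwords range API (not stated on this page); the range response text and its counts are constructed for the offline run.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# A range lookup maps a 5-hex-char prefix to the service's "SUFFIX:COUNT" lines.
RangeLookup = Callable[[str], str]


def hash_and_split(password: str) -> Tuple[str, str]:
    """SHA-1 the password (as Pwned Passwords does) and split the hex digest into
    the 5-char prefix that leaves the machine and the 35-char suffix that never does."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(text: str) -> Dict[str, int]:
    """Parse a range response: one 'SUFFIX:COUNT' entry per line."""
    counts: Dict[str, int] = {}
    for line in text.splitlines():
        if ":" in line:
            suffix, count = line.strip().split(":", 1)
            counts[suffix.upper()] = int(count)
    return counts


def check_password(password: str, lookup: RangeLookup) -> int:
    """Return how many times the password appeared in breaches (0 = not listed).
    Only the prefix is handed to `lookup`; the suffix comparison is local, so the
    service learns neither the password nor its full hash."""
    prefix, suffix = hash_and_split(password)
    return parse_range(lookup(prefix)).get(suffix, 0)


def live_lookup(prefix: str) -> str:
    # Public Pwned Passwords range endpoint (real service, not from the page).
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed offline stand-in for the API: a fake range response for prefix 5BAA6,
# which is the prefix of SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8.
# The counts and the second suffix are made up.
SAMPLE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3645804\r\n"
        "0123456789ABCDEF0123456789ABCDEF012:2\r\n"
    ),
}


def offline_lookup(prefix: str) -> str:
    """Offline replacement for live_lookup(); unknown prefixes return an empty range."""
    return SAMPLE_RANGES.get(prefix.upper(), "")
```

Swap `offline_lookup` for `live_lookup` to query the real service; the only data on the wire is the 5-character prefix.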

The service is now available to everyone who has a 1Password membership. All you need to do to check your password is to sign in to your account by visiting 1Password.com.


The information is provided by Hack Read.


CVE No: CVE-2018-7600

Modification History: March 21 2018 – April 19 2018

CVSS Score: 9.8

Risk Level: Critical

Product Affected: Drupal 7.x, 8.3.x, 8.4.x, and 8.5.x


Description:

A critical vulnerability has been found in Drupal that could allow remote attackers to carry out advanced attacks including cookie theft, keylogging, phishing and identity theft.

Discovered by the Drupal security team, the open source content management framework is affected by a cross-site scripting (XSS) vulnerability that resides in the third-party CKEditor plugin, which comes pre-integrated in Drupal core to help site administrators and users create interactive content.

CKEditor is a popular JavaScript-based WYSIWYG rich text editor that is used by many websites and comes pre-installed with several popular web projects.

According to a security advisory released by CKEditor, the XSS vulnerability stems from improper validation of the “img” tag in the Enhanced Image plugin for CKEditor 4.5.11 and later versions.

This could allow an attacker to execute arbitrary HTML and JavaScript code in the victim’s browser and gain access to sensitive information.

The Enhanced Image plugin was introduced in CKEditor 4.3 and supports an advanced way of inserting images into content using the editor.

CKEditor has patched the vulnerability with the release of CKEditor version 4.9.2, which has also been patched in the CMS by the Drupal security team with the release of Drupal version 8.5.2 and Drupal 8.4.7.

Since the CKEditor plugin in Drupal 7.x is configured to load from the CDN servers, it is not affected by the flaw.

However, if you have installed the CKEditor plugin manually, you are advised to download and upgrade your plugin to the latest version from its official website.

Drupal recently patched another critical vulnerability, dubbed Drupalgeddon2, a remote code execution bug that allows an unauthenticated, remote attacker to execute malicious code on default or common Drupal installations under the privileges of the user, affecting all versions of Drupal from 6 to 8.

However, because many site owners were slow to patch their systems and websites, the Drupalgeddon2 vulnerability has been exploited in the wild by hackers to deliver cryptocurrency miners, backdoors, and other malware.

Therefore, users are strongly advised to always take security advisories seriously and keep their systems and software up to date in order to avoid becoming victims of a cyber-attack.

Solution:

  • Upgrade CKEditor 4.5.11+ to CKEditor 4.9.2, which contains a security fix for the Enhanced Image plugin.
  • Sites on 8.3.x should immediately update to the 8.3.x release that will be provided in the advisory, and then plan to update to the latest 8.5.x security release in the next month.
  • Sites on 8.4.x should immediately update to the 8.4.x release that will be provided in the advisory, and then plan to update to the latest 8.5.x security release in the next month.
  • Sites on 7.x or 8.5.x can immediately update when the advisory is released using the normal procedure.


The information is gathered from Drupal.

The Cobalt hacking group, which specializes in breaching the networks of financial institutions and banks, is now using a new variant of the ThreadKit exploit builder kit for Microsoft Office documents.

Observed in a campaign on October 30, the new tactics show an evolution of the ThreadKit macro delivery tool. The final payload downloaded this way is CobInt, a signature malware of the Cobalt group.

Small progress still counts as moving forward

The exploit building framework was first noticed in October 2017, although it had been used in campaigns as early as June of that year, leveraging CVE-2017-0199, for which exploit code was publicly available.

Security researcher Kafeine tweeted at the end of May that the author of ThreadKit sold the tool for $400. This offer enabled numerous actors and groups to use the exploit kit builder for their operations.

An analysis from the cybersecurity company Fidelis shows that the new ThreadKit places the ‘M’ of the ‘MZ’ DOS executable header into an object of its own, and renames several of the objects inside the document.

The researchers saw this slight evolution in a document downloaded from a domain name (“sepacloud[.]org”) that pretended to be tied to the Single Euro Payments Area (SEPA) initiative for simplifying euro payments.

CobInt, also known as COOLPANTS, is a backdoor used by Cobalt for reconnaissance purposes that was discovered on a command and control (C2) server operated by the hackers.


Cobalt group has great phishing skills

The hacker outfit uses phishing to reach its targets’ networks.

It also uses domain names that impersonate financial institutions and could easily fool an individual.

The activity of the group slowed down earlier this year when its alleged leader was arrested in Spain. Two months later, though, Cobalt operations were again spotted by security researchers.


The information is gathered from Bleeping Computer.

XtremeRAT is a widely known Remote Access Tool. The tool was originally created by a freelance coder using the alias xtremecoder. It is one of the most commonly available RATs offered in cybercrime communities. XtremeRAT is used as general spyware and to facilitate computer intrusions, and is often delivered via phishing and drive-by downloads. XtremeRAT came into the spotlight in recent years after being used in high-profile espionage operations targeting the Israeli government in 2012. Meanwhile, the same attackers were also targeting US and UK government organizations. Several Latin American nations were also targeted using this tool in 2013.

Response

When XtremeRAT infection is suspected, perform the following steps:

  • Gather the process list at the moment of the infection. This gives the responder a clear view of the process that might have caused the infection; note, however, that XtremeRAT process names can be highly customized.
  • Take a memory image of the compromised host in order to investigate the infection further.

Network indicators for this tool are trivial to detect given the light encoding of its network traffic. The client handshake always starts with a variation of myversion:version number (Private|public). The version number varies; the ones observed in the wild have been 3.6 public and private. In addition, the server response always starts with the byte sequence \x58\x0d\x0a.
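Detection logic for the handshake described above, as an added example that is not part of the Anomali write-up: it matches the client banner pattern and the fixed server-response prefix against a flow’s first payload in each direction. The separator and whitespace tolerance in the banner regex is an assumption to cover the “variations” the text mentions, and the sample flows are constructed, not real captures.

```python
import re
from typing import Dict, Optional, Tuple

# Client banner per the write-up: "myversion:<version> (Private|public)".
# Accepting ':' or '|' and optional whitespace is an assumption for variants.
CLIENT_BANNER = re.compile(
    rb"^myversion[:|]\s*(\d+(?:\.\d+)*)\s*(private|public)", re.IGNORECASE
)
# The server side always begins with 0x58 0x0d 0x0a ("X\r\n") per the write-up.
SERVER_PREFIX = b"\x58\x0d\x0a"


def match_client_banner(payload: bytes) -> Optional[Tuple[str, str]]:
    """Return (version, edition) if the payload opens with an XtremeRAT banner."""
    m = CLIENT_BANNER.match(payload)
    if not m:
        return None
    return m.group(1).decode(), m.group(2).decode().lower()


def is_server_response(payload: bytes) -> bool:
    """True if the server's first bytes carry the fixed XtremeRAT prefix."""
    return payload.startswith(SERVER_PREFIX)


def classify_flow(client_to_server: bytes, server_to_client: bytes) -> Dict[str, object]:
    """Score one TCP flow from the first payload seen in each direction.
    Both indicators together give a confident verdict; one alone is only suspicious,
    since "X\\r\\n" by itself could occur in benign traffic."""
    banner = match_client_banner(client_to_server)
    server_ok = is_server_response(server_to_client)
    if banner and server_ok:
        verdict = "xtremerat-handshake"
    elif banner or server_ok:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {
        "version": banner[0] if banner else None,
        "edition": banner[1] if banner else None,
        "server_prefix": server_ok,
        "verdict": verdict,
    }


# Constructed sample flows (first payload in each direction), not real captures.
SAMPLE_FLOWS = {
    "infected": (b"myversion:3.6 Private\r\n", b"\x58\x0d\x0a\x00\x10"),
    "variant": (b"myversion|3.6 public", b"\x58\x0d\x0a"),
    "http": (b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n", b"HTTP/1.1 200 OK\r\n"),
}

if __name__ == "__main__":
    for name, (c2s, s2c) in SAMPLE_FLOWS.items():
        print(name, classify_flow(c2s, s2c))
```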

Capabilities

XtremeRAT offers a wide selection of features that often leave easily detectable footprints on the system. These include:

  • Interactive remote shell
  • List installed programs
  • Registry editor
  • Process manager, connection monitor, registry editor and file manager
  • Download/execution of files and scripts
  • Remote camera monitoring
  • Proxy
  • USB spreader
  • Self-deletion after infection
  • Remote mic monitoring
  • Keylogger
  • Open chat
  • Install, uninstall, update, restart, disconnect, rename server on demand
  • Password stealer

Host Indicators

Systems infected with XtremeRAT show several host-based indicators. In particular, the tool injects into the following processes:

  • calc.exe
  • notepad.exe
  • explorer.exe
  • svchost.exe
  • firefox.exe
  • iexplorer.exe
  • chrome.exe

The information is gathered from Anomali Labs.