News

An outbreak of cryptominers is raging across the Web: unknown attackers are infecting Linux and Windows servers with miners (more precisely, the Mule cryptominer) to churn out Monero. The campaign is thought out to the smallest detail and aggressive, like a zerg rush, and it was named Zealot after one of the malicious files it downloads (there are plenty of other telling names in the code and the file names too: how do you like Observer or Overlord?). Little is known about the organizers: firstly, they are clearly StarCraft fans, and secondly, they are just as clearly professionals in their field.
The campaign is complex, multi-stage and multi-component: first, the attackers scan the Internet looking for servers with an unpatched vulnerability in Apache Struts or in the DotNetNuke CMS.
Having penetrated a server through one of these holes, the malware spreads across the local network using the exploits leaked by the Shadow Brokers in the spring: the notorious EternalBlue and its slightly less well-known sibling EternalSynergy are both used. Then, on Windows, a PowerShell script is loaded which downloads the Monero miner. On Linux, Python scripts are used for this.
So far only one wallet has been traced, and at the time it held bitcoins worth about $8.5 thousand. The amount is rather modest, but the hackers' real revenue is probably much higher. Besides, the campaign is not over yet.
It is characteristic that all the vulnerabilities and exploits used were made public and patched long ago. So, just in case, we recall: the age of a rake has no effect on how hard it hits you, and updates are a useful and virtuous thing.
Carefully mines
News in Russian, more in English
Researchers from the University of California decided to do society a good turn with a tool that checks how responsibly websites protect their users. They called it Tripwire.
The tool's mechanism is simple but elegant: you register a new mailbox, then an account on some site, using the same password as for the mailbox. Then Tripwire monitors the mailbox. If someone logs into it, it means the data of the site with the matching account has leaked. Roughly speaking, the breach detector is built on a typical user blunder: password reuse.
With Tripwire you can unmask sites that use weak hashing or even have the bad habit of storing passwords in plain text. To do this, several accounts are created on the resource: half with a weak password, half with a strong one. If only the weak passwords leak, the protection is fairly reliable, and the attackers had to brute-force the hashes. But if both weak and strong ones leak, things at the site are really bad.
The researchers themselves tested a number of sites with the help of Tripwire, and for the purity of the experiment they decided to rule out a compromise of the mail server itself. To this end, they created several hundred control addresses not tied to any site. Since nobody touched those, the tested sites were the ones to blame.
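The inference logic described above, written out as an added example (this is not the Tripwire code from the paper, and all mailboxes, sites and login events in it are constructed): each honeypot mailbox is tied to one site and one password strength, control mailboxes are tied to nothing, and a run is only trusted when no control mailbox was touched.

```python
"""Tripwire-style leak inference (added example, not the researchers' code).

Each test account on a site reuses the password of a dedicated mailbox
that nobody else uses, so a foreign login to that mailbox means the
site's credential store leaked. Half the accounts per site use weak
passwords, half strong ones; which mailboxes get touched hints at how
the site stored the passwords. Control mailboxes are registered on no
site: a login to one of them means the mail provider itself is
compromised and the whole run is invalid.
"""
from collections import defaultdict

# Constructed registry: mailbox -> (site, password strength).
# site is None for control mailboxes tied to no site at all.
REGISTRY = {
    "tw-0001@example.test": ("shop.example", "weak"),
    "tw-0002@example.test": ("shop.example", "strong"),
    "tw-0003@example.test": ("forum.example", "weak"),
    "tw-0004@example.test": ("forum.example", "strong"),
    "tw-0005@example.test": ("news.example", "weak"),
    "tw-0006@example.test": ("news.example", "strong"),
    "tw-ctl-01@example.test": (None, "strong"),
    "tw-ctl-02@example.test": (None, "strong"),
}

# Constructed mailbox login events: (mailbox, source IP, was it our own check?)
LOGINS = [
    ("tw-0001@example.test", "203.0.113.7", False),
    ("tw-0003@example.test", "198.51.100.9", False),
    ("tw-0004@example.test", "198.51.100.9", False),
    ("tw-0005@example.test", "192.0.2.10", True),   # our own monitoring login
]


def analyze(registry, logins):
    """Return (per-site verdicts, run_is_valid)."""
    touched = {mbox for mbox, _ip, ours in logins if not ours}
    # Any foreign login to a control mailbox invalidates the run.
    control_hit = any(registry[m][0] is None for m in touched if m in registry)

    leaked = defaultdict(set)  # site -> strengths of leaked accounts
    for mbox in touched:
        site, strength = registry.get(mbox, (None, None))
        if site is not None:
            leaked[site].add(strength)

    verdicts = {}
    for site in {s for s, _ in registry.values() if s is not None}:
        strengths = leaked.get(site, set())
        if not strengths:
            verdicts[site] = "no leak detected"
        elif "strong" in strengths:
            # A strong password could not have been cracked: stored in
            # plain text or with trivially weak hashing.
            verdicts[site] = "leak; plaintext or weak hashing"
        else:
            verdicts[site] = "leak; hashes apparently cracked (weak passwords only)"
    return verdicts, not control_hit


if __name__ == "__main__":
    verdicts, valid = analyze(REGISTRY, LOGINS)
    print("run valid:", valid)
    for site, verdict in sorted(verdicts.items()):
        print(f"{site}: {verdict}")
```

The verdict for a site is only as good as the control set: if a control mailbox is touched, nothing learned in that run about any site can be trusted, which is exactly why the researchers kept several hundred of them.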
The test run was all too successful: out of 2,300 sites, leaks were detected at 19, and one of them has 45 million accounts (about as many users as Odnoklassniki, and Reddit has only a little more). Naturally, the Californian researchers wrote to all the owners of the leaky sites. Oddly enough, they received no answer.
Alas, the tool's authors cannot disclose exactly which sites turned out to be unreliable: nobody gave consent to participate in the experiment, and its results are fraught with lawsuits, not only for the sites but also for the testers themselves. However, anyone interested can read the paper they wrote (in English, though), or download the tool's code on GitHub.
Rescuing the drowning is not the drowning's own business.
News in Russian, more in English
Only last week we saw The Janit0r off, but a holy place is never empty: another fighter for justice has appeared in the news, though apparently less experienced and not operating on such a scale.
We heard about him in connection with the "cleanup" of the WiFiFamily blog, a WordPress site promoting Netgear products that had been running since 2015. For some reason, access to its HTML resources was open to everyone, although by default these settings in WordPress are disabled. As a result, almost from the moment of its creation, attackers used the site for their own purposes: redirecting to porn sites, phishing sites, fake tech-support sites and other bad places. In addition, spam posts were published on the blog on behalf of the administrator and registered users.
A security expert going by the name Derek stumbled upon this hornet's nest by chance, was outraged that a tech company could leave such a blatant hole unpatched for two years, and wrote about it on his blog. Almost immediately afterwards, an unknown activist with the telling nickname Vigilante contacted him and said that he had found the PHP shell, guessed its simple password (root) and deleted the entire uploads folder, including the malicious files. The threat disappeared for a while, and with it all the evidence against the intruders.
The researcher reminded the unknown enthusiast that, from the point of view of the law, his actions for the benefit of society were a greater sin than those of the unknown hackers: they at least did not break anything and did not delete content, only uploaded new content. In today's reality, the only legitimate way to deal with harmful resources is to write to their owners and hope they fix something. Preferably sooner than in two years.
By the way, Netgear replied that the site does not belong to them: they only sponsored it, and entirely different people handle its development and support. Nevertheless, the resource was shut down instantly, without any complaints being filed against the hacker; one might say everyone got lucky this time.
Antiquities
Kiev-2048
Resident; infects the boot sector of drive C: and every 3rd .exe file that is run. At start-up, the virus creates in the root directory of drive C: the file "'.SYS", 2048 bytes long, into which the virus body is written, formatted as a driver file, and it also infects the boot sector of drive C:. Then this file is declared destroyed: in the root directory of drive C: the corresponding entry is marked as deleted, but the file's cluster chain in the FAT is not released (that is, the file is formally deleted, but its sectors become inaccessible and make up a so-called lost cluster chain). Into the boot sector of drive C: a part of the virus code is written which, on boot, "revives" the file "'.SYS" and adds the line "device='.sys" to the beginning of C:\CONFIG.SYS. When the "'.SYS" driver is installed, it restores CONFIG.SYS to its original form and "destroys" "'.SYS" by the method described above.
The virus stays resident in memory only when booting from an infected boot sector. It contains the strings: "NUL", "KIEV", "c:\'.sys", "CONFIG.SYS", "device='.sys". The virus plays the anthem of the former USSR fairly well. Does not work with disks larger than 32M.
Intercepts int 8, 21h.
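The lost-cluster trick described above is exactly what a CHKDSK-style scan is built to catch: walk every chain from the live directory entries, then report clusters the FAT says are allocated but no live entry reaches. The following is an added example written for this column, not code from the original description, and its FAT table and directory entries are a constructed toy (FAT12 end-of-chain convention, clusters 0 and 1 kept as reserved placeholders).

```python
"""Finding a lost cluster chain in a FAT (added example, constructed data).

Kiev-2048 marks its driver file's directory entry as deleted but leaves
the cluster chain allocated in the FAT, so those clusters are neither
free nor reachable from any live file. The scan below recovers them:
walk every chain from live entries, then list allocated clusters that
nobody references, grouped into chains by their head cluster.
"""
FREE = 0x000
EOC = 0xFFF      # end-of-chain marker (FAT12: 0xFF8..0xFFF all mean end)
DELETED = 0xE5   # first byte of a deleted directory entry's name

# Constructed toy FAT: index = cluster number, value = next cluster.
FAT = [0xFF8, 0xFFF, 3, 4, EOC, 6, 7, 8, EOC, FREE, FREE, 12, EOC]

# Constructed root directory: (name, first cluster).
# The entry whose name starts with 0xE5 mimics the virus's driver file
# after it was "deleted": flagged in the directory, chain 5..8 still allocated.
ROOT_DIR = [
    ("CONFIG.SYS", 2),            # live chain 2 -> 3 -> 4
    ("COMMAND.COM", 11),          # live chain 11 -> 12
    (chr(DELETED) + ".SYS", 5),   # deleted entry, chain 5 -> 6 -> 7 -> 8
]


def chain(fat, start):
    """Follow a cluster chain from start until an end-of-chain marker."""
    seen = []
    c = start
    while 2 <= c < len(fat) and c not in seen:   # stop on bad links or loops
        seen.append(c)
        c = fat[c]
        if c >= 0xFF8:
            break
    return seen


def lost_clusters(fat, root_dir):
    """Allocated clusters that no live (non-deleted) directory entry reaches."""
    reachable = set()
    for name, first in root_dir:
        if ord(name[0]) == DELETED:
            continue   # deleted entry: its clusters no longer count as referenced
        reachable.update(chain(fat, first))
    allocated = {c for c in range(2, len(fat)) if fat[c] != FREE}
    return sorted(allocated - reachable)


def lost_chains(fat, root_dir):
    """Group lost clusters into chains, each starting at a cluster nothing points to."""
    lost = set(lost_clusters(fat, root_dir))
    pointed_to = {fat[c] for c in lost if fat[c] in lost}
    heads = sorted(lost - pointed_to)
    return [chain(fat, h) for h in heads]


if __name__ == "__main__":
    for ch in lost_chains(FAT, ROOT_DIR):
        print("lost chain:", " -> ".join(map(str, ch)))
```

A chain that shows up here while a directory entry with a 0xE5 first byte still points at its head is precisely the "formally deleted, but still allocated" state the description talks about; on a real disk the same walk is done over the on-disk FAT and directory sectors rather than a Python list.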
Disclaimer: This column reflects only the personal opinion of its author. It may coincide with the position of Kaspersky Lab, or it may not. As luck would have it.