Hacker News: Turns Out Microsoft Has Already Patched Exploits Leaked By Shadow Brokers


The latest dump of hacking tools, allegedly belonging to the NSA, is believed to be the most damaging release by the Shadow Brokers to date.

But after analysing the disclosed exploits, Microsoft's security team says most of the Windows vulnerabilities exploited by these hacking tools, including EternalBlue, EternalChampion, EternalSynergy, EternalRomance and others, were already patched in last month's Patch Tuesday update.

“Most of the exploits that were disclosed fall into vulnerabilities that are already patched in our supported products. Customers still running prior versions of these products are encouraged to upgrade to a supported offering,” the Microsoft Security Team said in a blog post published today.

On Good Friday, the Shadow Brokers released a massive trove of Windows hacking tools, allegedly stolen from the NSA, that work against almost all versions of Windows, from Windows 2000 and XP to Windows 7 and 8, and their server-side variants such as Server 2000, 2003, 2008, 2008 R2 and 2012, but not Windows 10 or Windows Server 2016.

The exploits could give nearly anyone with technical knowledge the ability to break into millions of Windows computers and servers all over the Internet, but only those that are not up to date.

“Of the three remaining exploits, ‘EnglishmanDentist’, ‘EsteemAudit’, and ‘ExplodingCan’, none reproduces on supported platforms, which means that customers running Windows 7 and more recent versions of Windows or Exchange 2010 and newer versions of Exchange are not at risk,” Microsoft says.

The data dump also includes some top-secret presentations and Excel spreadsheets, indicating that the leaked exploits may have been used to hack into the SWIFT banking systems of several banks across the world.

The hacking tool called EternalRomance has an easy-to-use interface and exploits Windows systems over TCP ports 445 and 139.


The most noteworthy exploit in Friday’s dump is EternalBlue — an SMBv1 (Server Message Block 1.0) exploit that can cause older versions of Windows to execute code remotely.

Matthew Hickey, a security expert and co-founder of Hacker House, also published a video demonstration in which he used this exploit, together with another alleged zero-day called FuzzBunch, against a virtual machine running Windows Server 2008 R2 SP1 and pulled off the hack in less than 2 minutes.

But if the company already patched this flaw last month, then how could this exploit work against an updated machine? It seems the researcher tested the exploit against a Windows PC that did not have the latest updates installed.

“The patches were released in last month’s update, I tested on a fully patched Windows 2008 R2 SP1 (x64), so many hosts will be vulnerable – if you apply MS17-010 it should protect hosts against the attacks,” Matthew clarifies during a conversation with The Hacker News.

No Acknowledgement for SMB RCE Issue by Microsoft

There is also news floating around the Internet that the “NSA has had, at a minimum, 96 days of warning,” knowing that the Shadow Brokers could drop the files at any time, but the agency did not report the flaws to Microsoft.

The Intercept also reported that Microsoft told it that the company had not been contacted by any “individual or organization,” in relation to the hacking tools and exploits released by the Shadow Brokers.

The vulnerabilities have already been patched by Microsoft, which normally acknowledges the security researchers who report issues in its products, but, interestingly, there are no acknowledgements for MS17-010, which patched most of the critical flaws from the Shadow Brokers dump.

This suggests that someone from the agency, or someone linked with a defense contractor, may have warned the company about the SMB RCE issue.

So, only those who are still using Windows XP, which Microsoft stopped supporting some time ago, are at risk of getting their machines hacked.

And there is no need to panic if you use an updated Windows 7, 8 or 10 (or even Windows Vista, whose support ended just last week; the issue was patched last month).

The simple advice is to always keep your Windows machines and servers up to date in order to prevent yourself from being hacked.

Swati - Hacking News
Technical Writer, Security Blogger and IT Analyst. She is a Technology Enthusiast with a keen eye on the Cyberspace and other tech related developments.

Hacker News: This Phishing Attack is Almost Impossible to Detect On Chrome, Firefox and Opera

A Chinese infosec researcher has reported an “almost impossible to detect” phishing attack that can be used to trick even the most careful users on the Internet.

He warned that hackers can use a known vulnerability in the Chrome, Firefox and Opera web browsers to display their fake domain names as the websites of legitimate services such as Apple, Google or Amazon, in order to steal login or financial credentials and other sensitive information from users.

What is the best defence against a phishing attack? Generally, checking the address bar after the page has loaded and verifying that it is being served over a valid HTTPS connection. Right?

Okay, then before going into the in-depth details, first have a look at this demo web page (note: you may experience downtime due to high traffic on the demo server), set up by Chinese security researcher Xudong Zheng, who discovered the attack.

“It becomes impossible to identify the site as fraudulent without carefully inspecting the site’s URL or SSL certificate,” Xudong Zheng said in a blog post.

If your web browser displays “apple.com” in the address bar, secured with SSL, but the content on the page is coming from another server (as shown in the picture above), then your browser is vulnerable to the homograph attack.

There is another proof-of-concept website, created by security experts from Wordfence, that demonstrates this browser vulnerability. It spoofs the “epic.com” domain.

The homograph attack has been known since 2001, but browser vendors have struggled to fix the problem. It is a kind of spoofing attack in which a website address looks legitimate but is not, because one or more characters have been deceptively replaced with look-alike Unicode characters.

Many Unicode characters, which represent alphabets such as Greek, Cyrillic and Armenian in internationalised domain names, look the same as Latin letters to the casual eye but are treated differently by computers and resolve to a completely different web address.

For example, the Cyrillic “а” (U+0430) and the Latin “a” (U+0041) are treated as different characters by browsers but are both displayed as “a” in the address bar.

Punycode Phishing Attacks


By default, many web browsers use ‘Punycode’ encoding to represent Unicode characters in the URL in order to defend against homograph phishing attacks. Punycode is a special encoding used by the web browser to convert Unicode characters into the limited ASCII character set (A-Z, 0-9) supported by the Internationalized Domain Names (IDN) system.

For example, the Chinese domain “短.co” is represented in Punycode as “xn--s7y.co”.

According to Zheng, the loophole relies on the fact that if someone chooses all the characters for a domain name from a single foreign character set, so that it exactly resembles the targeted domain, then browsers will render it in that script instead of in Punycode format.

This loophole allowed the researcher to register the domain name xn--80ak6aa92e.com and bypass the protection: it appears as “apple.com” in all vulnerable web browsers, including Chrome, Firefox and Opera, while Internet Explorer, Microsoft Edge, Apple Safari, Brave and Vivaldi are not vulnerable.

Here, the xn-- prefix is known as the ‘ASCII compatible encoding’ prefix, which tells the web browser that the domain uses Punycode to represent Unicode characters. Because Zheng used the Cyrillic “а” (U+0430) rather than the ASCII “a” (U+0041), the defence implemented by the web browser fails.
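To show the detection side of what Zheng describes, here is an added Python example (not code from the original post or from Zheng): it decodes a Punycode A-label such as xn--80ak6aa92e back to its Unicode form, reports the scripts used, and flags the label when a confusables mapping turns it into a protected brand name. The mixed-script check that browsers rely on returns false for this all-Cyrillic label, which is exactly the gap the article describes; the confusables mapping (a constructed subset of Unicode's confusables table) and the protected-brand list are assumptions made for the example.

```python
import unicodedata

# Constructed subset of the Unicode confusables table (an assumption for this
# example, not the full table): Cyrillic letters that render like Latin ones.
CYRILLIC_TO_LATIN = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j",
    "\u04bb": "h", "\u04cf": "l", "\u0501": "d", "\u051b": "q", "\u051d": "w",
}


def decode_label(label: str) -> str:
    """Turn an A-label such as 'xn--80ak6aa92e' back into its Unicode U-label."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def scripts_of(label: str) -> set:
    """Scripts used by the letters of a label, taken from the Unicode character
    names (e.g. 'CYRILLIC SMALL LETTER A' -> 'CYRILLIC')."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in label if c.isalpha()}


def skeleton(label: str) -> str:
    """Replace confusable Cyrillic letters with the Latin letters they mimic."""
    return "".join(CYRILLIC_TO_LATIN.get(c, c) for c in label)


def check_hostname(host: str, protected: set) -> dict:
    """Decode every label of a hostname and flag it when its visual skeleton
    matches a protected brand while the real characters differ.

    'mixed_script' is the heuristic browsers apply (reject labels that mix
    scripts); an all-Cyrillic label passes it, so the skeleton comparison is
    needed as well.
    """
    labels = [decode_label(part) for part in host.lower().split(".")]
    unicode_host = ".".join(labels)
    skel = ".".join(skeleton(part) for part in labels)
    scripts = set()
    for part in labels:
        scripts |= scripts_of(part)
    return {
        "unicode": unicode_host,
        "skeleton": skel,
        "scripts": scripts,
        "mixed_script": any(len(scripts_of(part)) > 1 for part in labels),
        "homograph_of": skel if skel != unicode_host and skel in protected else None,
    }


if __name__ == "__main__":
    # Domains from the article; the brand list is constructed for the example.
    for host in ("xn--80ak6aa92e.com", "xn--s7y.co", "apple.com"):
        print(host, "->", check_hostname(host, {"apple.com", "epic.com"}))
```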

Zheng reported this issue to the affected browser vendors, including Google and Mozilla, in January.

Fake page (top) and original apple.com (bottom), showing exactly the same URL

While Mozilla is still discussing a fix, Google has already patched the vulnerability in its experimental Chrome Canary 59 and will ship a permanent fix with the release of Chrome Stable 58, set to launch later this month.

Meanwhile, the millions of Internet users at risk from this sophisticated, hard-to-detect phishing attack are advised to disable the Punycode URL conversion in their web browsers in order to temporarily mitigate the attack and identify such phishing domains.

How to Protect Against Homograph Phishing Attacks

Firefox users can follow the steps below to apply the temporary mitigation manually:

  1. Type about:config in the address bar and press Enter.
  2. Type Punycode in the search bar.
  3. The browser settings will show a parameter titled network.IDN_show_punycode; double-click it, or right-click and select Toggle, to change the value from false to true.

Unfortunately, there is no similar setting available in Chrome or Opera to disable Punycode URL conversion manually, so Chrome users have to wait the next few weeks for the patched Stable 58 release.

There are, however, some third-party Chrome extensions/add-ons available on the App Store that users can install to get an alert every time they come across a website with Unicode characters in the domain.

Meanwhile, one of the best ways to protect yourself from homograph attacks is to use a good password manager that comes with browser extensions, which automatically enter your login credentials only on the actual domains to which they are linked.

So, whenever you come across a domain that looks like the legitimate “apple.com” or “amazon.com” but actually is not, your password manager will detect it and will not automatically authenticate you to that phishing site.

Moreover, Internet users are always advised to type website URLs manually into the address bar for important sites such as Gmail, Facebook, Twitter, Yahoo or banking websites, instead of clicking a link on some website or in an email, to protect against such attacks.

Mohit Kumar - Hacking News
Entrepreneur, Hacker, Speaker, Founder and CEO — The Hacker News and The Hackers Conference.

Hacker News: Russian Hacker Selling Cheap Ransomware-as-a-Service On Dark Web


Ransomware has been around for a few years, but it has become an albatross around everyone’s neck, targeting businesses, hospitals, financial institutions and individuals worldwide and extorting millions of dollars.

Forget about developing sophisticated banking trojans and malware to steal money from people and organisations: today, one of the easiest ways for cyber criminals to get paid is ransomware.

This threat became even worse with the arrival of ransomware-as-a-service (RaaS), a variant of ransomware designed to be so user-friendly that anyone with little or no technical knowledge can easily deploy it to make money.

Now, security researchers have uncovered an easy-to-use ransomware service that promises profit with just one successful infection.

Dubbed Karmen, the RaaS variant is based on the abandoned open-source ransomware building toolkit Hidden Tear and is being sold on Dark Web forums by a Russian-speaking hacker named DevBitox for $175.

Like any typical ransomware infection, Karmen encrypts files on the infected PC using strong AES-256 encryption, making them inaccessible to the victim until he or she pays a large sum of money to obtain the decryption key from the attacker.

This new variant of ransomware-as-a-service (RaaS) provides buyers access to a web-based control panel hosted on the Dark Web with a user-friendly graphical dashboard that allows buyers to configure a personalised version of the Karmen ransomware.

The dashboard lets buyers keep a running tally of the number of infections and their profit in real time, allowing anyone with very minimal technical knowledge to deploy Karmen, threat intelligence firm Recorded Future said in a blog post published today.

Hacker: Don’t Mess with my Malware; otherwise, Your Files are Gone!

Once infected, the Karmen ransomware encrypts the victim’s files and shows a popup window with a threatening message warning users not to interfere with the malware; otherwise, they might lose all their files.

What is more interesting, Karmen automatically deletes its decryptor if a sandbox environment or analysis software is detected on the victim’s computer, in order to keep security researchers from investigating the threat.

Initial Karmen infections were reported in December 2016 by victims in Germany and the United States, while the sale in underground forums began in March 2017.

So far, 20 users have purchased copies of Karmen malware from DevBitox, according to Recorded Future, while three of those buyers have left positive reviews on their profile.

You can also watch a YouTube video demonstration which shows the RaaS in action.

How to Protect Yourself from Ransomware Threat?

Here are some important steps to consider for safeguarding against ransomware infection:

  • Always keep regular backups of your important data.
  • Make sure you run an active anti-virus security suite of tools on your system.
  • Do not open email attachments from unknown sources.
  • Most importantly, always browse the Internet safely.

Swati - Hacking News

Hacker News: To Protect Your Devices, A Hacker Wants to Hack You Before Someone Else Does


It should be noted that hacking into a system that does not belong to you, for unauthorised access, is illegal, no matter what the actual intention behind it is.

I am pointing this out because, reportedly, someone who has been labeled a ‘vigilante hacker’ by the media is hacking into vulnerable ‘Internet of Things’ devices in order, supposedly, to secure them.

This is not the first time a hacker has played vigilante: in previous incidents, hackers used malware to compromise thousands of devices but, instead of abusing them, forced their owners to secure them.

Dubbed Hajime, the latest IoT botnet malware used by the hacker has already infected at least 10,000 home routers, Internet-connected cameras and other smart devices.

But reportedly it is an attempt to wrestle control of those devices away from Mirai and other malicious threats. Mirai is an IoT botnet that threatened the Internet last year with record-setting distributed denial-of-service attacks, including the one against the popular DNS provider Dyn last October. The botnet is designed to scan for IoT devices that still use default passwords.

How the Hajime IoT Botnet Works

The Hajime botnet works much like Mirai — it spreads via unsecured IoT devices that have open Telnet ports and use default passwords — and it also uses the same list of username and password combinations that the Mirai botnet is programmed to use, with the addition of two more.

However, what is interesting about the Hajime botnet is that, unlike Mirai, it secures the target devices by blocking access to four ports (23, 7547, 5555 and 5358) known to be vectors used to attack many IoT devices, keeping Mirai and other threats at bay.

Unlike Mirai, Hajime uses a decentralised peer-to-peer network (instead of a command-and-control server) to issue commands and updates to infected devices, which makes it more difficult for ISPs and Internet backbone providers to take down the botnet.

The Hajime botnet also takes steps to hide its running processes and its files on the file system, making the detection of infected systems more difficult.

Besides this, the Hajime botnet also lacks DDoS capabilities or any other attack code, apart from the propagation code that lets one infected device search for other vulnerable devices and infect them. One of the most interesting things about Hajime is that the botnet displays a cryptographically signed message on terminals every 10 minutes or so. The message reads:

Just a white hat, securing some systems.

Important messages will be signed like this!

Hajime Author.

Contact CLOSED Stay sharp!

There’s Nothing to Get Excited About

No doubt there is a temptation to applaud Hajime, but only until users reboot their hacked devices.

Since Hajime has no persistence mechanism and is loaded only into the device’s RAM, once the IoT device is rebooted it goes back to its unsecured state, complete with default passwords and the Telnet port open to the world.

“One day a device may belong to the Mirai botnet, after the next reboot it could belong to Hajime, then the next any of the many other IoT malware/worms that are out there scanning for devices with hard coded passwords. This cycle will continue with each reboot until the device is updated with a newer, more secure firmware,” the Symantec researchers explained.

There’s another problem…

Hacking someone to prevent hacking is not an acceptable practice, which is why we are also concerned about a related amendment passed by the United States — Rule 41 — which grants the FBI much greater powers to legally break into computers belonging to any country, take data, and engage in remote surveillance.

So, the most concerning issue of all — is there any guarantee that the author of Hajime will not add attack capabilities to the worm and use the hijacked devices for malicious purposes?

Swati - Hacking News