
Has an email address been leaked?

Erik found a cool tool to search public leak databases for any given mail address.

Check out Cr3dOv3r from D4Vinci

  • Search for public leaks for the email and if there are any, it returns all available details about the leak (using the hacked-emails site API and now the haveibeenpwned API too).
  • Now you give it this email's old or leaked password, then it checks these credentials against 13 well-known websites (ex: facebook, twitter, google...) and tells you if login was successful on any website!

 

Now legal in the US: Make 3D-files of guns available to public

WIRED has an article reporting that the US court has permitted the publishing of 3D files of guns via the internet, including an AR-15 printout file ready to go for your 3D printer.

I personally think that this does not need any further comments.

Check out:

By the way, as we had a discussion yesterday about some legal stuff, publishing such files would not be legal in Germany.

Do we monitor BGP HiJacks and false route propagations for our customers?

Read an APNIC article about BGP hijacks; it raises the question of whether we should do some BGP monitoring for our own ASes and those of our customers.

 

The RIPE NCC supports such monitoring with several tools and a free service to gather the BGP routes and do some magic with them at your end of the wire, if you install the BGPlay version of MaxCam from GitHub.
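To make the monitoring question concrete, here is an added example (not code from the article or from RIPE) of the check you would run over a route-collector feed: observed announcements are compared with the origin AS and upstreams we expect for our own prefixes. Prefixes, ASNs and the observed announcements are constructed from documentation ranges and private-use ASNs.

```python
import ipaddress

# Constructed examples: our prefixes from RFC 5737 / RFC 3849 documentation
# ranges and private-use ASNs (RFC 6996); replace with your own data.
EXPECTED_ORIGINS = {
    "192.0.2.0/24": 64496,
    "198.51.100.0/24": 64496,
    "2001:db8::/32": 64497,
}
# Transit ASes that may legitimately appear directly next to our origin AS.
EXPECTED_UPSTREAMS = {64511, 64512}

# Constructed observed announcements in the shape a route-collector feed
# (e.g. RIPE RIS) yields: (prefix, origin ASN, AS path as seen by the collector).
OBSERVED = [
    ("192.0.2.0/24", 64496, [64520, 64511, 64496]),    # legitimate
    ("198.51.100.0/24", 64500, [64520, 64500]),        # origin hijack
    ("192.0.2.128/25", 64501, [64520, 64501]),         # more-specific hijack
    ("2001:db8::/32", 64497, [64520, 64530, 64497]),   # forged origin, unknown upstream
    ("203.0.113.0/24", 64502, [64520, 64502]),         # not ours, ignored
]

def check_announcements(expected_origins, expected_upstreams, observed):
    """Compare observed announcements with what we expect and return alerts.

    Flags: one of our prefixes (exact match) announced by a wrong origin; a
    more-specific of one of our prefixes from another origin (it wins over our
    route regardless of origin); and a correct origin reached through an unknown
    neighbour, the pattern of a forged-origin hijack that keeps our ASN at the
    end of the path.
    """
    ours = {ipaddress.ip_network(p): asn for p, asn in expected_origins.items()}
    alerts = []
    for prefix, origin, path in observed:
        net = ipaddress.ip_network(prefix)
        for our_net, our_asn in ours.items():
            if net.version != our_net.version:
                continue
            if net == our_net:
                if origin != our_asn:
                    alerts.append(("origin-hijack", prefix, origin))
                elif len(path) > 1 and path[-2] not in expected_upstreams:
                    alerts.append(("unexpected-upstream", prefix, path[-2]))
            elif net.subnet_of(our_net) and origin != our_asn:
                alerts.append(("more-specific-hijack", prefix, origin))
    return alerts

if __name__ == "__main__":
    for alert in check_announcements(EXPECTED_ORIGINS, EXPECTED_UPSTREAMS, OBSERVED):
        print(*alert)
```

A more-specific announced by our own origin AS is not flagged, since that is usually deliberate deaggregation; adjust if your policy differs.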

Cool reconnaissance

For an order I got to scan all external IP addresses of a certain company and its subsidiaries, I had some thoughts about doing a grepable database search.

Unfortunately, whois is limited in its capabilities, so the idea is to mirror the whois data into a MySQL database and search for a certain string on your local machine without any limitations.

Check my article about details (work in progress) here.
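As an added illustration of the mirroring idea (not code from the article; SQLite stands in for MySQL so it runs stand-alone), this parses the RPSL text format that the RIR database dumps use into a table with one row per attribute, so a free-text search finds every object that mentions a company name, including in remarks and continuation lines. The dump text is a constructed sample.

```python
import sqlite3

# Constructed sample in RPSL form (blank-line separated objects, continuation
# lines start with whitespace or '+'); real dumps come from the RIR FTP sites.
SAMPLE_DUMP = """\
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET-1
descr:          Example Holding AG
descr:          Datacenter Frankfurt
source:         TEST

inetnum:        198.51.100.0 - 198.51.100.127
netname:        OTHER-NET
descr:          Some Other Company
source:         TEST

inet6num:       2001:db8::/48
netname:        EXAMPLE-V6
remarks:        Subsidiary of
+               Example Holding AG
source:         TEST
"""

def parse_rpsl(text):
    """Yield each object as a list of (attribute, value), joining continuation lines."""
    obj = []
    for line in text.splitlines():
        if line.startswith("#"):
            continue                      # comment line
        if not line.strip():
            if obj:
                yield obj
                obj = []
        elif line[0] in " \t+" and obj:   # continuation of the previous attribute
            attr, val = obj[-1]
            obj[-1] = (attr, val + " " + line.lstrip(" \t+").strip())
        elif ":" in line:
            attr, val = line.split(":", 1)
            obj.append((attr.strip(), val.strip()))
    if obj:
        yield obj

def load_db(text):
    """Mirror the dump into an attribute table; the first attribute is the object key."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE whois(obj_type TEXT, obj_key TEXT, attr TEXT, value TEXT)")
    for obj in parse_rpsl(text):
        obj_type, obj_key = obj[0]
        conn.executemany("INSERT INTO whois VALUES (?,?,?,?)",
                         [(obj_type, obj_key, a, v) for a, v in obj])
    return conn

def search(conn, needle):
    """Return (object type, key) of every object with an attribute containing needle."""
    sql = "SELECT DISTINCT obj_type, obj_key FROM whois WHERE value LIKE ? ORDER BY obj_key"
    return conn.execute(sql, ("%" + needle + "%",)).fetchall()
```

Running `search(load_db(SAMPLE_DUMP), "Example Holding")` returns both the IPv4 range and the IPv6 block whose remark only mentions the name on a continuation line.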

 

:-( Bye Bye UK - UK rebuffed over Galileo sat-nav procurement

The UK space industry, fighting to be part of the European satellite-navigation system, Galileo, has suffered another Brexit setback.

Delegations to the European Space Agency have approved the procurement of the next batch of spacecraft, despite British calls to delay.

The decision means UK companies will find it hard to win any contracts.

As it stands, no deal has been agreed between London and the EU-27 to allow Britain continued participation.

Your own FireEye-like threat map with Splunk

Did you ever want your own manager-thrilling threat map that kicks your managers out of their chairs?

Well here you go, enhance your Splunk with this app and build your own Threat-Map from your own data.

Missile Map

This visualisation will show connected arcs on a map. Each arc is defined by two geographic points, and can have a color assigned. Additionally the arcs can be animated, with the pulsing animation being either at the start or the end of the arc.

Globally, the arc thickness, default color and map tileset can be chosen, as well as the starting map position and zoom.

This visualisation is based upon leaflet.migrationLayer by react-map: https://github.com/react-map/leaflet.migrationLayer

Some use cases could be:

  • Show data replication links between sites and their status
  • Show a representation of incoming attacks or requests

Note: If any lines are animated this will result in heightened browser CPU usage.

Search and data formatting

The visualisation looks for fields of the following names:

  • start_lat: The starting point latitude (required)
  • start_lon: The starting point longitude (required)
  • end_lat: The ending point latitude (required)
  • end_lon: The ending point longitude (required)
  • color: The color of the arc in hex format (optional, default "#FF0000")
  • animate: Whether to animate this arc (optional, default "false")
  • pulse_at_start: When animated, set to true to cause the pulse to be at the start of the arc instead of the end (optional, default "false")
  • weight: The line weight of the arc (optional, default 1).

The fields must be named in this way, but they are not order dependent.

An example dataset is distributed as a lookup to experiment with.

| inputlookup missilemap_testdata

Using the Office 365 Activities API to Investigate Business Email Compromises

Do you wanna feel and act like the big secret services?
Well, Microsoft was nice enough to provide a complete API for doing that. - It just forgot to tell the world about it.

But Anonymous closed this gap ....   ;-)

 

EagleEye: Stalk your Friends. Find their Instagram, FB and Twitter Profiles using Image Recognition and Reverse Image Search.

This only works if their Facebook Profile is public

What does this do?

In simple words you have at least one Image of the Person you are looking for and a clue about its name. You feed this program with it and it tries to find Instagram, Youtube, Facebook, Twitter Profiles of this Person.

How does it work?

You give it a name and at least one photo. It then searches Facebook for this name and does Facial Recognition to determine the right Facebook Profile. After that it does a Google and ImageRaider Reverse Image Search to find other Social Media Profiles.

If an Instagram Profile was found it will be verified by comparing your known photo of the Person to some of the Instagram Pictures.

In the end you get a PDF Report :)

 

Another great source for "stalking" is here: https://inteltechniques.com/menu.html

Fancy additions to the PasteHunter for Splunk

I did some improvements to my former article on how to gather useful information from Pastebin.

You might want to have a look here.

CVE-2018-8225 / Windows Domain Name System 'DNSAPI.dll' Lets Remote Users Execute Arbitrary Code on the Target System

SecurityTracker Alert ID:  1041095
SecurityTracker URL:  http://securitytracker.com/id/1041095
CVE Reference:   CVE-2018-8225   (Links to External Site)
Date:  Jun 12 2018 
Impact:   Execution of arbitrary code via network; User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 7 SP1, 2008 R2 SP1, 2008 SP2, 2012, 2012 R2, 8.1, RT 8.1, 2016, 10, 10 Version 1607, 10 Version 1703, 10 Version 1709, 10 Version 1803
Description:   A vulnerability was reported in Windows Domain Name System. A remote user can execute arbitrary code on the target system.

A remote user can return a specially crafted DNS response to trigger a flaw in 'DNSAPI.dll' and execute arbitrary code on the target Windows Domain Name System service. The code will run with Local System privileges.

Nick Freeman reported this vulnerability.
Impact:   A remote server can execute arbitrary code on the connected DNS client system.
Solution:   The vendor has issued a fix.

The Microsoft advisories are available at:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8225
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4230467
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4284846
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4284867
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4284855
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4284815
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4284835
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4284819
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4284860
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4284874
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4284878
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4284880
https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4284826
Vendor URL:  portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8225 (Links to External Site) 
Cause:   Access control error
Mitigation: Install a DNSSEC server like my Pi-hole described here.

CVE-2018-8235 / Microsoft Edge Multiple Bugs Let Remote Users Execute Arbitrary Code, Obtain Potentially Sensitive Information, and Bypass Security Restrictions on the Target System

Discovered by Jake Archibald; check the link for background.

SecurityTracker Alert ID:  1041097
SecurityTracker URL:  http://securitytracker.com/id/1041097
CVE Reference:   CVE-2018-0871, CVE-2018-8110, CVE-2018-8111, CVE-2018-8227, CVE-2018-8229, CVE-2018-8234, CVE-2018-8235, CVE-2018-8236   (Links to External Site)
Date:  Jun 12 2018 
Impact:   Disclosure of system information; Disclosure of user information; Execution of arbitrary code via network; User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   Multiple vulnerabilities were reported in Microsoft Edge. A remote user can cause arbitrary code to be executed on the target user's system. A remote user can bypass security controls on the target system. A remote user can obtain files on the target system.

A remote user can create specially crafted content that, when loaded by the target user, will trigger an object memory handling error in the Chakra scripting engine and execute arbitrary code on the target user's system [CVE-2018-8227, CVE-2018-8229].

The system does not properly mark files. A remote user can create specially crafted content that, when loaded by the target user, will access file contents on the target user's system [CVE-2018-0871].

A remote user can create specially crafted content that, when loaded by the target user, will trigger an object memory handling error and execute arbitrary code on the target user's system [CVE-2018-8110, CVE-2018-8111, CVE-2018-8236].

A remote user can create specially crafted content that, when loaded by the target user, will trigger an object memory handling error and obtain potentially sensitive information on the target user's system [CVE-2018-8234].

A remote user can create specially crafted content that, when loaded by the target user, will bypass Same-Origin Policy (SOP) restrictions [CVE-2018-8235].

Lokihardt of Google Project Zero, Ziyahan Albeniz of Netsparker, Marcin Towalski (@mtowalski1), Yunhai Zhang of NSFOCUS, Zhenhuan Li(@zenhumany) of Tencent Zhanlu Lab, Jake Archibald - Google - https://jakearchibald.com, Chakra working with Trend Micro's Zero Day Initiative, and Yuki Chen of Qihoo 360 Vulcan Team reported these vulnerabilities.
Impact:   A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.

A remote user can bypass security controls on the target system.

A remote user can obtain file contents on the target system.
Solution:   The vendor has issued a fix.

The Microsoft advisories are available at:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0871
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8110
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8111
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8227
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8229
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8234
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8235
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8236
Vendor URL:  portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8227 (Links to External Site) 
Cause:   Access control error
Underlying OS:  Windows (10)

Exploit Kit Deliver GandCrab Ransomware part III - Payload

Now we will go through to the payload and the SWF file. :)
The Exploitable SWF File:
For me, one of the trickiest files to analyze is the SWF, because debuggers for this file type are not so often seen in public, so usually the way to analyze this, as far as I know, is through black-box testing, a code decompiler and static analysis of the code.
The SWF file downloaded by this EK is a compressed SWF, but nicely the JPEXS decompiler manages to decompile it.
Some noteworthy code in the SWF shows that this was related to CVE-2015-8651.


Continue reading here.

Launching VirusTotal Monitor, a service to mitigate false positives

TUESDAY, 19 JUNE 2018

One of VirusTotal’s core missions is to empower our antivirus partners. By building better tools to detect and study malware, VirusTotal gets to make a dent in the security of billions of users (all those that use the products of our partners). Until now we have focused on helping the antivirus industry flag malicious files, and now we also want to help it fix mistaken detections of legit files, i.e. false positives. At the same time, we want to fix an endemic problem for software developers.
False positives impact antivirus vendors, software developers and end-users. For example, let us imagine a popular streaming service app that allows in-app digital content purchases. We will call it Filmorrific.

Continue here.

HIDDEN COBRA - North Korean Malicious Cyber Activity

US-CERT made a cool collection available to the public.

The information contained on this page is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) to provide technical details on the tools and infrastructure used by cyber actors of the North Korean government. The intent of sharing this information is to enable network defenders to identify and reduce exposure to North Korean government cyber activity. The U.S. Government refers to the malicious cyber activity by the North Korean government as HIDDEN COBRA.

For more information, see:

Post 0x10: A Revised Emotet Downloader

0verfl0w wrote a cool blog post reversing a new Emotet downloader.
Worth reading!

You may remember I wrote a post where I took apart an Emotet Downloader that used Macros and Powershell commands to download Emotet from compromised websites. Well, they've revised how their downloader works, and luckily it has already been uploaded to VirusBay. So let's analyse it!

MD5 Hash: 53ea2608f0e34e3e746801977b778305

As you can see in the image below (the right image is the new sample, the left is the old), there are similarities in the two documents, both of which pretend to have an error rendering a document created with an older version of Microsoft Office, and in order to view it you need to click Enable Content. Seems legit, so let's see what runs when we click Enable Content.

Continue here.

Additionally, there is some nice background information on https://www.malware-traffic-analysis.net/2018/06/20/index.html about emotet.

Also check these files for IOCs (PW: infected):

IREC: Free evidence collector as alternative to RedLine

To have an alternative to RedLine, Binalyze has made its tool free to use. - So have a look.

IREC is an all-in-one Evidence Collector which lets you collect critical evidence from a live system with a single mouse click.

Advantages

  • Complete. Collects RAM Image, $MFT as CSV, Event Logs, Hibernation Info, DNS Cache and much more,
  • Portable. No installation required,
  • Compatible. Supports all 32 and 64 bit Windows versions starting from XP,
  • User Friendly. Creates easy to share HTML and JSON reports,
  • Lightning Fast. It collects them all in a few minutes!

I gave it a try and for a "quick win" it's quite nice. :-)
