What Is Doxing?

Doxing is referred to as the dark side of OSINT or Open Source intelligence. OSINT is an overt method of data collection and involves the practice of gathering information from publically available resources such as public media, internet, public government data, professional or academic publications, corporate databases, financial assessments and grey data (unpublished papers, business documents & patent reports).
The term Doxing is an abbreviation for ‘dropping documents’ which means compilation and release of a dossier of personal information on someone. The information included in the dossier is gathered via public resources and thus, the act falls under the category of OSINT.

Sources Of Information
The perpetrator gathers information from public and open sources. Some common sources of information are:

  • Social media
  • Blogs
  • Personal websites
  • Online forums & web discussions
  • Online gaming profiles

Targeted Information
Typically a dossier contains following information about an individual.

  • Contact information
  • Social Security Number
  • Personal photographs
  • Social media profiles
  • Credit card details
  • Credit report
  • Banking information

Why Is Doxing Called Dark Side Of OSINT?
Although the information is gathered using overt methods; the online publication of personal information usually results in illegal implications. The tactic is rarely in public interest and is often targeted at breaching the victim’s personal information and publishing it to attract unwanted harassment. It can pose following threats:

  • Threat To Personal Safety: Public release of contact information, personal photos, address, etc. can be used by cyberbullies for harassing the victim. Also, it may lead to some hacking acts such as fake memberships or serious crimes such as stalking, swatting, etc.
  • Threats To Cybersecurity: The information collected by Doxing may be used by hackers or cyber criminals to pressurize either an individual or an organization for financial gains.

Ways To Protect Yourself
Here are some simple tricks to protect yourself from Doxing attacks:

  • It is important to understand the basics of social engineering. Social engineers scan the online profiles and data for useful information that can be used to victimize the target. Thus, it is important to scrutinize the information you share on your social media profiles and avoid oversharing your personal information.
  • Check the privacy settings of your social media profile and edit them to ensure that your personal information is shared with your friends only. Also, be critical of people you add to your list of social media friends.
  • Hide your IP address by using a trusted proxy or VPN service for anonymity while using internet.
  • When purchasing a domain, invest in WHOIS protection to prevent unwanted access to the information you share on your website.
  • Avoid using a single email address for all online accounts. It is advisable to use different emails, passwords & usernames for different profiles, gaming and bills. Also, deploy multi-factor authentication for your accounts.

For more information on Doxing and its outcomes, call Centex Technologies at (254) 213-4740.

, , , , ,

What Is SamSam Ransomware?

SamSam is a targeted ransomware attack which incorporates custom infection using a wide range of exploits or brute force tactics. The ransomware is also known as Samas or SamsamCrypt. The first version of the ransomware was released in late 2015. The SamSam ransomware attacks do not make use of phishing or malware downloads to infect a network; instead they utilize following modes of infection:

  • Vulnerabilities in Remote Desktop Protocols (RDP)
  • Vulnerabilities in Java based web servers
  • Vulnerabilities in File Transfer Protocol (FTP)
  • Brute force against weak passwords
  • Stolen login credentials

Once, the ransomware has initial foothold on the victim’s network, it compromises the network to gain control. Also, SamSam is a manual attack. Thus, in case an application detects the ransomware, the attackers modify a registry entry to disable the endpoint tool’s detection. This enables them to compromise the application and control the network. SamSam uses a number of applications to accomplish the attack such as Mimikatz, reGeorg, PsExec, PsInfo, RDPWrap, NLBrute, Impacket, CSVDE, PowerSploit and JexBoss.

During the reconnaissance phase, the attackers try to write a plain text file named test.txt to target. If successful, they add the target to a list titled alive.txt on Domain Controller (DC). After ensuring that DC has writing privileges for machines, the ransomware is deployed and pushed to all the machines controlled by DC simultaneously.

The ransomware follows an efficient approach for encrypting the files on infected machines.

  • The encryption is initiated on holidays, weekends or late nights to buy time for maximizing the impact before getting noticed.
  • Files with selective extensions or important files required for running the machines are encrypted first.
  • The remaining applications or files are encrypted later; starting from smaller files and gradually moving towards larger files.
  • A unique AES key is generated for every encrypted file.
  • As soon as encryption is complete, ransomware deletes its installer and removes any traces of the attack.
  • It becomes difficult for victims to download files from off shore backup because the applications required to run the machine are also inaccessible. Thus, they are required to go thorough time consuming process of reloading the disk and installing applications before downloading back up files.

A ransom note is left on target organization’s machines demanding a set amount of bitcoin currency to decrypt a single machine and a lump sum amount for decrypting all the machines at once. Every victim is provided a unique web address on dark web which leads to chat feature for communicating with the attackers. The chat is deleted after a victim pays the ransom.

Security Practices To Prevent SamSam Attack:

  • Regularly install available patches for RDP service. Also, disable the service when not needed by the users.
  • Ensure that no RDP ports are left open during interactions between cloud-based virtual machines and public IPs. If it is required to leave RDP Port of a system open, keep the system behind firewall and instruct users to communicate with this machine via VPN.
  • Enable, two-factor authentication, strong passwords and account lockout policies.

For more information on how to secure your network, call Centex Technologies at (254) 213 – 4740.

, , , , ,

Surprising Places Where Hackers Hide

Though most of the businesses follow the basic IT security protocols like using strong passwords, installing updated security solutions and blocking unauthorized access; there is a constant increase in number of hacking instances. Nowadays, hackers utilize diverse mediums to serve as an entry points to infect a system or network and initiate widespread attacks. It is important to be aware of these entry points in order to develop effective cybersecurity strategies.

  1. Off-brand Apps: Some apps may not be available on certain operating systems. Hackers design off-brand apps with similar features and offer them for download on these operating systems. Once a user installs this app, the system is compromised and hackers gain access to his personal data like login details,  photos, videos, etc. An example of such attack is the phishing attack that targeted Snapchat users. Hackers sent a link to users via a compromised account. This link pointed to a mobile site that was designed to look like Snapchat login page. As the users entered their login information, the details were copied and saved by the hackers. The stolen login information including passwords of affected users was then publicly posted on a phishing site.
  2. Home Appliances: Hackers now use home appliances like smart refrigerators to launch an attack. The smart home devices are generally factory configured including a preset password. It is common for users to forget to reset or personalize their password which makes them an easy target for hackers.
  3. Your Car: Most cars are installed with wireless or Bluetooth connectivity. The system enables users to enjoy benefits like keyless entries, remote start, navigation, etc. These features collect data like locations saved in navigation system, location where car is parked and other such vulnerable data. Car manufacturers tie up with third party data storage companies to store this personal information of users. This provides an opportunity for hackers to breach the system and steal the data.
  4. Cash Register: Hackers steal payment card details of customers by using POS Malware. When a card is swiped to make the payment, the payment card data is encrypted. The data is then decrypted in RAM of processing device to complete the payment. POS Malware attacks inefficiently secured systems to steal the payment card details from their RAM. The unencrypted data is then sent to the hacker. Stolen card details are then sold by the hackers.
  5. Fax Machine: The communication protocols of fax machines offer security vulnerabilities that can be used as loopholes by the hackers to launch widespread cyberattacks in organizations. Hackers create a colored jpeg image file coded with any type of malware. The coded image is sent to a target fax device where the image is decoded and saved into fax-printer’s memory. The malware can now spread over any network to which the fax printer is connected.

For more information about cybersecurity risks, call Centex Technologies at (254) 213 – 4740.

, , , ,

Understanding Software Supply Chain Attacks

PDF Version: Understanding-Software-Supply-Chain-Attacks

, , ,

SpeakUp: A New Malware Threat

SpeakUp is a backdoor Trojan which originally affects Linux distributions and MacOS systems. However, the scope of SpeakUp attack includes any server running ThinkPHP, Hadoop Yarn, Oracle WebLogic and Apache ActiveMQ. It has been named after its command-and-control domain ‘SpeakUpOmaha[dot]com’. SpeakUp exploits remote code execution vulnerabilities to propagate internally within the infected subnet and across new IP ranges. It downloads miners in the infected systems for unauthorized cryptomining.

Mode Of Infection: For introducing the infection vector, SpeakUp takes advantage of the CVE-2018-20062 vulnerability of ThinkPHP. It is a remote command execution vulnerability.

  • The hackers use GET request to send malicious code to the target server. It acts as a PHP shell that executes commands sent by the module parameter in a query.
  • Another HTTP request is sent to the target server to serve as Perl backdoor. It is a standard injection which pulls the Intelligent Input Bus (ibus) payload and stores it on a different location.
  • An additional HTTP request is then sent for launching the backdoor. This request executes the Perl script and deletes the files for eradicating evidence.

Registering A New Victim: On victimizing a server, SpeakUp communicates with its command-and-control domain via POST and GET requests. It uses POST request over HTTP to send the victim ID, current version of installed script and other information to the C&C domain. The domain sends “needrgr” response to the request indicating that it is a new victim & requires registration. The Trojan then forwards complete information of the victim system by running a series of Linux commands.

Functions And Tasks: After registering the victim, the Trojan communicates with its C&C domain at regular intervals known as ‘Knock Interval’ which is 3 seconds. C&C domain commonly uses following commands:

  • “newtask”: It commands the Trojan to execute a code, download & execute a file, uninstall the program and send updated information.
  • “notask”: The command indicates that the Trojan should sleep for ‘Knock Interval’ of 3 seconds and then request for a new task.
  • “newerconfig”: This command indicates the Trojan to update the miner configuration file.

The Trojan defines 3 User-Agents. A User-Agent is a Python library that provides a way to detect devices such as mobile, tablet or a PC. The User-Agents defined by SpeakUp include two MacOS X User-Agents and a hashed string.
Propagation: For further propagation, SpeakUp is loaded with an additional Python script which allows the Trojan to identify, scan and infect other Linux servers within internal & external subnets.

For more information on malware threats and to know how to secure your IT system, call Centex Technologies at (254) 213-4740.

, ,