by Manny Cuevas on Blog

NSA SHALL RELEASE A FORMIDABLE REVERSE ENGINEERING TOOL FOR FREE

NSA, in preparation of the forthcoming RSAConference this March 2019, will soon release online a free  called GHIDRA. GHIDRA has been previously mentioned in the CIA Vault 7 documents released by WikiLeaks last 2017.  They referred to a “pretty cool” tool called Ghidra, which was developed by NSA. NSA claimed that GHIDRA is currently compatible for Windows, macOS and Linux.  NSA plans to make a full demonstration of the tool at the next RSAC, and shall be released at their repository page at the following link address: https://code.nsa.gov/ The forthcoming tool shall have an interactive GUI capability for easy use.  It shall also contain features similar in high-end commercial tools with further functionality. Some developers expect much more from the GHIDRA tool compared to existing free reverse engineering tools.  The global cyber-community expects highly of the said tool from the renowned NSA of the US.

 
by Manny Cuevas on Blog

GRANDCRAB 5.04 STEALS IMPORTANT FILES BEFORE ENCRYPTION

The latest version of GrandCrab ransomware uses the Vidar information stealer to steal credentials of the victim computer prior to encryption. Vidar is a new payload equipped in GrandCrab which lets the authors to steal passwords and forms on web browsers.  Additionally, it can be configured to search for particular strings such as payment card numbers and other credentials.  The stolen data are compiled into a ZIP archive and sent to the attackers’ C&C server. Furthermore, Vidar is equipped with a GUI for easy monitoring of victims and stolen data. After credentials were stolen, GrandCrab now proceeds with the following process: It should be noted that files encrypted by GrandCrab 5.0.4 are appended with a randomly-generated extension. This way, by using Vidar, GrandCrab authors can earn by selling the stolen credentials in dark web forums, even if a victim refused to pay the demanded ransom. As of now, there is no third-party decryption tool yet for victims of GrandCrab 5.0.4 and 5.0.3.  However, all earlier versions can be decrypted by the tool developed by Romanian antivirus, Bitdefender.  The said decryption tool can be downloaded for free under the following link address: http://download.bitdefender.com/am/malware_removal/BDGandCrabDecryptTool.exe

 
by Manny Cuevas on Blog

WINDOWS DEFENDER CAN NOW BE RUN IN SANDBOX MODE

Microsoft has finally announced that their built-it antivirus for Windows, Windows Defender, can now be run isolated it its own sandbox process. This process highly improves the security of Windows, since their built-in antivirus and anti-malware can now be run in its own isolated environment.  Running in a sandbox means that a particular application uses a custom-made environment, exclusive only for the application, instead of using the system of Windows.  This means that attackers need to penetrate first the sandbox before they can compromise the application.  Moreover, the compromised application cannot affect system entities outside the sandbox.   Since the antivirus is one of the primary protection of Windows, and it has the highest levels of privileges to function effectively, it means that it should be protected the most.  In the past, several vulnerabilities were reported against Windows Defender, and that it can compromise the entire Windows system.  Windows took the challenge and announced earlier that they would make efforts to increase the security of their system through the antivirus.   Trying to run Windows Defender in Sandbox mode is not an easy task for Microsoft Security researchers.  Additionally, since it creates an exclusive environment for Windows Defender, it is also resource intensive.   The feature has been launched on Windows 10 with version 1703 or later.  However, since the said functionality is still in testing mode, users will have to manually enable the same by doing the following steps: Open “Command Prompt” Run as administrator Type: setx /M MP_FORCE_USE_SANDBOX 1 and then press ENTER Restart your computer Users will have to check if the process takes a toll on the system upon enabling the same.  

 
by Manny Cuevas on Blog

VULNERABILITY FOUND IN SIGNAL MESSAGING APP

A vulnerability was discovered in the Signal messaging app in Windows and Linux platforms capable of remote code execution. Only in April 2018, a screen lock bypass in Signal app for iOS was discovered which could let anyone bypass the app screen lock within seconds and in a few taps Signal is an encrypted messaging application for Android and iOS, as well as a desktop version for multiple platforms.  It uses the Internet to send one-to-one and group messages, which can include files, voice notes, images and videos, and make one-to-one voice and video calls. The said vulnerability is a remote code execution vulnerability which is capable of executing JavaScript codes sent through a message. However, details of the vulnerability are yet to be disclosed publicly.  Security researchers worry that the vulnerability might be based from the Electron framework, a framework which Signal and many other apps such as Skype and Wordpress utilize.  Hence, a flaw in the Electron framework might also compromise other apps apart from Signal. Fortunately, the vulnerability has already been fixed in the latest Signal updates. Despite the vulnerability being fixed immediately by Signal, the details of the vulnerability should be closely monitored to check whether there are other platforms affected by the same. Signal has been found to contain numerous bugs since the start of 2018, and it is advisable for users to refrain from communicating sensitive information through the said messaging app to prevent unwanted security issues.  

 
by Manny Cuevas on Blog

GRANDCRAB RANSOMWARE V2 IS IMPENETRABLE COMPARED TO ITS FIRST VERSION

After being decrypted by security researchers, the GrandCrab ransomware now returns with version 2 which has currently impenetrable C&C servers and has more decent ransomware capabilities. GrandCrab ransomware is a new ransomware-as-a-service which emerged in the Dark web during early 2018.  The GandCrab was advertised in Russian hacking community.  Security researchers noticed that the developers leveraged the RIG and GrandSoft exploit kits to distribute the malware. Some of the advertising points of the GrandCrab ransomware-as-a-service include high percentage of proceeds, technical support, updates, and prohibition to use it against countries in the Commonwealth of Independent States. This February 2018, security firm Bitdefender, the Romanian Police, and Europol allegedly gained access to the GandCrab Ransomware’s Command & Control servers, which allowed them to recover some of the victim’s decryption keys. In GrandCrab V2, the hostnames for the ransomware C&C servers are changed to politiaromana.bit, malwarehunterteam.bit, and gdcb.bit, in mockery of the team that led to the breaching of the threat actors’ initial C&C servers. Apart from the change of hostnames, the GrandCrab ransomware now appends a .CRAB extension to the file name of encrypted files.  A ransom note is also included in a notepad file CRAB-Decrypt.txt along with payment instructions. The following image shows a screenshot of the ransom note: The payment site at TOR for GrandCrab V2 also had a considerable change in layout and payment procedure. The security researches who took down the first version of GrandCrab ransomware must not stop at their initial success.  They should not let the GrandCrab V2 team be successful with the redesign of the ransomware for it will greatly affect their reputation in terms of global cyber security.  The security researchers should again take down the V2 to prove their global competence, and to demonstrate that the malicious attackers cannot prosper against a team of white-hat hackers.    

 
by Manny Cuevas on Blog

CRYPTO-MINERS ARE NOW EQUIPPED WITH PROCESS KILLER

Cryptocurrency miners now possess process-killing   function to kill processes which consumes the CPU processing power. Since majority of cyber-attackers are now focused on cryptocurrency, every device that has computing power is now a target of malware propagation.  Different kinds and methods of cryptocurrency-mining emerged such as smartphone miners, NSA tool-powered miners, and even nuclear facility miners.   All these schemes are effective in their own ways, and are gradually making innovations through time. Recently, it was discovered that newly-engineered crypto-mining malware have the capability to kill processes that consume the computing power of the target system.  Included in the code of the crypto-mining malware is a kill list consisting of processes that might hinder the mining process consumption.  The list includes some Operating system processes, as well as known processes from other cryptocurrency-miners to ace the competition. The following is the list of some of the processes included in the kill list: Silence Carbon xmrig32 nscpucnminer64 mrservicehost servisce svchosts3 svhosts system64 systemiissec taskhost vrmserver vshell winlogan winlogo logon win1nit wininits winlnlts taskngr tasksvr mscl cpuminer sql31 taskhots svchostx xmr86 xmrig xmr win1ogin win1ogins ccsvchst nscpucnminer64 update_windows Although the process-killing capability of the crypto-mining malware will make the miner more effective, the function is quite advantageous to the infected system.  Primarily, the malware is easily detectable since it is noticeable that some windows processes are terminated without the user interaction.  Second, security researches can utilize the same code used in the malware to develop defensive applications which can auto-kill processes coming from crypto-mining malware.

 
by Manny Cuevas on Blog

$70 MILLION WORTH OF BITCOIN STOLEN IN NICEHASH HACKING INCIDENT

NiceHash, the largest Bitcoin mining marketplace, has been hacked, which lost more than $70 million USD worth of Bitcoin. Most of the major hacking and breaches concerning Bitcoin happened early this year including CoinDash, Veritaseum and Etherparty.  Considering the skyrocketing price of Bitcoin, attackers are now focusing their skills and resources towards such cryptocurrency.  Since Read more…

 
by Manny Cuevas on Blog

A TEAMVIEWER VULNERABILITY LETS THE VIEWER BE VIEWED HIMSELF, OR VICE VERSA

A vulnerability in TeamViewer was discovered which could allow the server (viewer) to be viewed by the client or initiate a change of control if exploited by the viewer. TeamViewer is a registered computer software package for remote control, desktop sharing, online meetings, web conferencing and file transfer between computers.  TeamViewer is used to let Read more…

 
by Manny Cuevas on Blog

UBER CONCEALED A MAJOR DATA BREACH

On October 2016, Uber Technologies Inc. concealed a major data breach by paying one hundred thousand USD ($100,000) to hackers. Uber Technologies Inc. is a global transportation technology company headquartered in San Francisco, California, United States, operating in 633 cities worldwide.  It develops, markets and operates the Uber car transportation and food delivery mobile apps.  Read more…

 
by Manny Cuevas on Blog

MAILSPLOIT, AN UNDETECTABLE EMAIL SPOOFING IN MAJOR EMAIL CLIENTS

Mailsploit is an Email exploit where attackers employ email spoofing without being detected in major email clients. Email spoofing is the forgery or imitation of an email header so that the email appears to have originated from someone or somewhere other than the actual source.  Email spoofing is a method used in phishing and spam Read more…