
Global Community Service Day 2018: Together for good

By: Emily, Communications Program Manager

When I finished college, I went to work for the same nonprofit youth sports organization where I tried volleyball, basketball and other sports growing up. The keyword is ‘try,’ because, let’s face it – I was bad at sports. All coaches for the organization were – and still are – volunteers. I’m sure they thought they were just teaching us kids how to dribble a basketball. But in actuality, I learned important life lessons: how to be a team player, the meaning of dependability, how to maintain grace when faced with challenges, and so much more. Motivated by the impact of giving back, I continued to volunteer as an adult and joined the nonprofit workforce.

When I left the nonprofit sector and joined McAfee late last year, I hoped I wouldn’t lose touch with my service-based roots. Fast-forward to Global Community Service Day, and I’m more in tune with them than ever.

All About #McAfeeGCSD

Global Community Service Day (GCSD) is an important McAfee tradition that encourages employees worldwide to step away from their desks and spread goodness to people and animal shelters, schools, food pantries, children’s charities, veterans’ services, parks, hospitals and more. This year, GCSD took extra steps to support McAfee’s mission to protect what matters by encouraging employees to participate in and teach the newly relaunched Online Safety Program. McAfee’s Online Safety Program is designed to educate and inspire children from all over the world, at every age, to learn about online safety.

When my team began working towards this special day, it was difficult for me to picture how such an event would shape up with so many people doing so many different things in so many locations. But the people of McAfee came together for good! And they came eagerly with open hearts. Across dozens of sites around the globe, with representation from all departments, my McAfee colleagues stepped up to do good by coordinating projects with their favorite charities, signing up to support the projects of others at their sites, donating needed items, and teaching McAfee’s Online Safety Program to thousands of children.

From Texas and California – to Ireland and the U.K. – over to Argentina – and all the way to Australia and India – and many more, sign-ups for service activities around the globe came pouring in. What an inspiration! Take a look at some of the photos from activities around the globe.


How My Day Shaped Up

At the Plano, Texas site (my home office) alone, there were 13 different activities benefiting even more charitable organizations to choose from. For my own GCSD experience, I chose to volunteer with Jake’s Heart, a local organization led by a very special 8-year-old boy. With several of my McAfee peers by my side (next to me in an assembly line, to be exact), I went to work preparing and packaging meat and cheese sandwiches for the local homeless community. By the end, we’d packed up two huge boxes of ready-to-go sandwiches for those in need. But it went by too fast! I had so much fun helping out that I almost rushed out to buy more bread so that we could keep the assembly going. It’s safe to say that I’m already counting down for GCSD 2019!

Wherever I go, wherever I work, keeping a heart of service will always be important to me. It’s a great feeling to be part of an organization of wonderful people who believe that ‘Together is power,’ and I’m happy to be a part of this amazing global McAfee community.

For more stories like this, follow @LifeAtMcAfee on Instagram and on Twitter @McAfee to see what working at McAfee is all about.

Interested in joining our teams? We’re hiring! Apply now!

The post Global Community Service Day 2018: Together for good appeared first on McAfee Blogs.

Posted: 21 May 2018 | 9:28 am

Penetration tester pokes six holes in Dell EMC's RecoverPoint products

Three fixed, including critical remote code execution bug

Infosec outfit Foregenix has uncovered six vulnerabilities in Dell EMC's data protection platform RecoverPoint, three of which have been fixed.…

Posted: 21 May 2018 | 9:07 am

GPON Vulnerabilities Exploited for Mexico-based Mirai-like Scanning Activities

by Trend Micro IoT Reputation Service Team and Trend Micro Smart Home Network Team

In April, we discussed our findings on increased activity originating from China targeting network devices in Brazil that mimicked the Mirai botnet’s scanning technique. We recently found similar Mirai-like scanning activity from Mexico. The difference in these attacks, however, is that some of the detected activity is being done via the exploitation of CVE-2018-10561 and CVE-2018-10562, two vulnerabilities that are specific to Gigabit Passive Optical Network (GPON)-based home routers. These two vulnerabilities can be exploited to allow remote code execution (RCE) on the affected device.

Activity detected in Mexico

From 12:00 p.m. UTC on May 8 to 12:00 a.m. UTC on May 10, we detected an influx of activity coming from 3,845 IP addresses located in Mexico. Unlike the previous activity, the targets for this new scanning procedure are distributed. However, based on the username and password combinations we found in our data, we concluded that the target devices still consist of home routers or IP cameras that use default passwords.

Figure 1. Mirai-like scanning activity from Mexico

Figure 2. The Mirai-like behavior is based on MASUTA, a variant of Mirai

Figure 3. Attack on GPON routers exploiting the CVE-2018-10561 and CVE-2018-10562 vulnerabilities

Routers and Cameras as the main targets

According to the monitored traffic, the attack mainly targets routers and cameras, which are compromised via default usernames and passwords. The large number of users who still use default credentials makes botnet attacks especially effective, since such devices are easy targets for attackers.

The top 30 most-commonly used username and password pairs during this attack operation are listed below:

Figure 4. The 30 most commonly used username-password pairs. The numbers in the left-most column indicate the counts for each
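The ranking in Figure 4 is produced by counting the username/password pairs seen across login attempts. The following is an added example, not code from the Trend Micro post, that does the same over honeypot log lines in Cowrie's JSON shape and additionally flags sources that cycle through several distinct pairs, which is how a Mirai-like telnet scanner behaves. The log lines and the short list of known default pairs are constructed for the example, not the post's data.

```python
"""Aggregate credential-stuffing attempts from honeypot logs.

Added example, not code from the Trend Micro post. Ranks username/password
pairs the way the post's Figure 4 does, computes how many attempts used a
known default pair, and flags sources that cycle through many distinct pairs.
The log lines below are constructed in Cowrie's JSON format; KNOWN_DEFAULTS is
a small sample list, not the post's top-30 table.
"""
import json
from collections import Counter, defaultdict

# Default pairs shipped by common router/camera firmware (sample list, constructed here).
KNOWN_DEFAULTS = {
    ("admin", "admin"), ("root", "root"), ("root", "admin"),
    ("admin", "1234"), ("root", "xc3511"), ("root", "vizxv"),
    ("support", "support"), ("user", "user"),
}

# Constructed log lines in Cowrie's JSON shape (eventid, src_ip, username, password).
SAMPLE_LOG = """\
{"eventid": "cowrie.login.failed", "src_ip": "203.0.113.10", "username": "root", "password": "xc3511", "timestamp": "2018-05-08T12:01:02Z"}
{"eventid": "cowrie.login.failed", "src_ip": "203.0.113.10", "username": "root", "password": "vizxv", "timestamp": "2018-05-08T12:01:03Z"}
{"eventid": "cowrie.login.failed", "src_ip": "203.0.113.10", "username": "admin", "password": "admin", "timestamp": "2018-05-08T12:01:04Z"}
{"eventid": "cowrie.login.success", "src_ip": "203.0.113.10", "username": "root", "password": "admin", "timestamp": "2018-05-08T12:01:05Z"}
{"eventid": "cowrie.login.failed", "src_ip": "198.51.100.7", "username": "admin", "password": "admin", "timestamp": "2018-05-08T12:02:11Z"}
{"eventid": "cowrie.login.failed", "src_ip": "198.51.100.7", "username": "admin", "password": "admin", "timestamp": "2018-05-08T12:02:12Z"}
{"eventid": "cowrie.session.connect", "src_ip": "198.51.100.7", "timestamp": "2018-05-08T12:02:10Z"}
{"eventid": "cowrie.login.failed", "src_ip": "192.0.2.55", "username": "pi", "password": "raspberry", "timestamp": "2018-05-08T12:03:00Z"}
"""

LOGIN_EVENTS = {"cowrie.login.failed", "cowrie.login.success"}


def login_attempts(log_text):
    """Yield (src_ip, username, password) for every login event; skip other events and unparseable lines."""
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("eventid") not in LOGIN_EVENTS:
            continue
        yield event.get("src_ip", "?"), event.get("username", ""), event.get("password", "")


def top_pairs(log_text, n=30):
    """Rank (username, password) pairs by attempt count, like the post's Figure 4."""
    counts = Counter((u, p) for _, u, p in login_attempts(log_text))
    return counts.most_common(n)


def default_credential_share(log_text):
    """Fraction of login attempts that used a pair from KNOWN_DEFAULTS (0.0 when there are none)."""
    attempts = [(u, p) for _, u, p in login_attempts(log_text)]
    if not attempts:
        return 0.0
    return sum(1 for pair in attempts if pair in KNOWN_DEFAULTS) / len(attempts)


def scanner_sources(log_text, min_distinct_pairs=3):
    """Sources that tried at least min_distinct_pairs different pairs: dictionary-cycling
    bots rather than a single mistyped login. Returned sorted for stable output."""
    pairs_by_src = defaultdict(set)
    for src, u, p in login_attempts(log_text):
        pairs_by_src[src].add((u, p))
    return sorted(src for src, pairs in pairs_by_src.items() if len(pairs) >= min_distinct_pairs)


if __name__ == "__main__":
    for (user, pw), count in top_pairs(SAMPLE_LOG, 5):
        print(f"{count:>5}  {user}:{pw}")
    print(f"default-credential share: {default_credential_share(SAMPLE_LOG):.0%}")
    print("scanner sources:", scanner_sources(SAMPLE_LOG))
```

Pointing `top_pairs` at a real Cowrie `cowrie.json` gives the same kind of table as Figure 4; `scanner_sources` separates bots from one-off typos by the number of distinct pairs a source tries, not by the raw attempt count.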

Where are the attackers coming from?

We found that most of the IP addresses used in this operation belong to ASN 8151, which is assigned to one of the largest telecommunications companies in Mexico. WHOIS records for the IP addresses likewise show most of them as owned by that same Mexico-based company.

Probing the attacking IP addresses, we observed open TCP ports 22, 23, 80, 443 and 8080 and UDP port 5060. Only 40% of the attackers have at least one of these ports open, as shown in the figure below:

Figure 5. 40% of the attackers open one of the observed ports

Based on our data, 32% of the open-port attackers support the Session Initiation Protocol (SIP), a common function for home routers and IP cameras. This means that about 500 attacker devices enable the SIP function. Examples of this are open ports 5060 and 5061, which are both associated with the SIP protocol.

Figure 6. 32% of the open-port attackers support SIP

Roughly 300 attacker devices enable HTTP services. The device identification results of these devices can be seen below:

Figure 7. The distribution of HTTP-enabled attacker devices

Identifying the attacker devices is generally difficult because the related information is limited. However, we can surmise that some of the bots consist of compromised routers and cameras.

The attacks use a malware downloading script to download four malware variants (Detected as ELF_MIRAI.AUTJ) for different architectures, namely ARM, ARMv7, MIPS and MIPS little-endian. These four are common architectures used for both embedded and IoT devices.

Figure 8. The malware downloading script

The collected malware samples come in the following file formats:

Executable        Architecture   Instruction Set
ELF 32-bit LSB    MIPS           MIPS-I version 1 (SYSV)
ELF 32-bit MSB    MIPS           MIPS-I version 1 (SYSV)
ELF 32-bit LSB    ARM            version 1
ELF 32-bit LSB    ARM            EABI4 version 1 (SYSV)
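The descriptions in the table (class, byte order, machine, MIPS ISA level, ARM EABI version) all come from the ELF header, so a multi-architecture drop like this one can be sorted before any sample is run. The following is an added example, not code from the Trend Micro post or the malware: it reads those fields from the first 52 bytes the way `file(1)` does. The four headers it classifies are constructed to match the shapes in the table; they are not the real ELF_MIRAI.AUTJ samples.

```python
"""Describe ELF samples from their header, as file(1) does.

Added example, not code from the Trend Micro post. Reproduces the table's
descriptions (32-bit MIPS LSB/MSB, 32-bit ARM with and without EABI4) from the
ELF header alone. The headers in SAMPLES are constructed, not real malware.
"""
import struct

ELF_MAGIC = b"\x7fELF"
EM_MIPS, EM_ARM = 0x08, 0x28
EM_NAMES = {0x03: "Intel 80386", EM_MIPS: "MIPS", EM_ARM: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}
# MIPS ISA level lives in the top nibble of e_flags (EF_MIPS_ARCH).
MIPS_ARCH = {
    0x00000000: "MIPS-I", 0x10000000: "MIPS-II", 0x20000000: "MIPS-III",
    0x30000000: "MIPS-IV", 0x40000000: "MIPS-V", 0x50000000: "MIPS32",
    0x60000000: "MIPS64", 0x70000000: "MIPS32 rel2", 0x80000000: "MIPS64 rel2",
}
EF_ARM_EABIMASK = 0xFF000000  # ARM EABI version is carried in e_flags bits 24..31


def describe_elf(data: bytes) -> str:
    """Return a file(1)-style one-liner, e.g. 'ELF 32-bit LSB MIPS MIPS-I version 1 (SYSV)'.
    Raises ValueError for anything that is not a complete, well-formed ELF header."""
    if len(data) < 52 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF header")
    ei_class, ei_data, osabi = data[4], data[5], data[7]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("bad EI_CLASS/EI_DATA")
    end = "<" if ei_data == 1 else ">"           # EI_DATA selects the byte order of every later field
    # e_type, e_machine, e_version sit at offset 16 in both ELF32 and ELF64.
    _e_type, e_machine, e_version = struct.unpack_from(end + "HHI", data, 16)
    flags_off = 36 if ei_class == 1 else 48      # e_flags moves in ELF64 because e_entry/e_phoff/e_shoff widen
    if len(data) < flags_off + 4:
        raise ValueError("truncated header")
    (e_flags,) = struct.unpack_from(end + "I", data, flags_off)

    parts = ["ELF", "32-bit" if ei_class == 1 else "64-bit", "LSB" if ei_data == 1 else "MSB",
             EM_NAMES.get(e_machine, f"machine 0x{e_machine:x}")]
    if e_machine == EM_MIPS:
        parts.append(MIPS_ARCH.get(e_flags & 0xF0000000, "MIPS unknown ISA"))
    elif e_machine == EM_ARM:
        eabi = (e_flags & EF_ARM_EABIMASK) >> 24
        if eabi:
            parts.append(f"EABI{eabi}")
    abi = "SYSV" if osabi == 0 else f"OSABI {osabi}"
    parts.append(f"version {e_version} ({abi})")
    return " ".join(parts)


def make_elf32_header(lsb: bool, machine: int, flags: int, osabi: int = 0) -> bytes:
    """Build a minimal 52-byte ELF32 header (constructed test input, no program headers)."""
    end = "<" if lsb else ">"
    ident = ELF_MAGIC + bytes([1, 1 if lsb else 2, 1, osabi]) + b"\x00" * 8
    # e_type=ET_EXEC, e_machine, e_version=1, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize=52, e_phentsize=32, e_phnum=0, e_shentsize=40, e_shnum=0, e_shstrndx=0
    return ident + struct.pack(end + "HHIIIIIHHHHHH", 2, machine, 1, 0, 0, 0, flags, 52, 32, 0, 40, 0, 0)


# Constructed headers in the four shapes the table lists.
SAMPLES = {
    "mirai.mips":      make_elf32_header(True,  EM_MIPS, 0x00000000),
    "mirai.mipseb":    make_elf32_header(False, EM_MIPS, 0x00000000),
    "mirai.arm":       make_elf32_header(True,  EM_ARM,  0x00000000),
    "mirai.arm-eabi4": make_elf32_header(True,  EM_ARM,  0x04000000),
}


def classify(samples: dict) -> dict:
    """Map file name -> description; files that are not ELF are reported, not skipped."""
    out = {}
    for name, data in samples.items():
        try:
            out[name] = describe_elf(data)
        except ValueError as exc:
            out[name] = f"not ELF ({exc})"
    return out


if __name__ == "__main__":
    for name, desc in classify(SAMPLES).items():
        print(f"{name:<16} {desc}")
```

On a real drop, read each file's first 64 bytes and pass them to `describe_elf`; the byte order has to be taken from `EI_DATA` before `e_machine` is read, which is why a big-endian MIPS sample parsed as little-endian would show an unknown machine.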

The use of default usernames and passwords has long been a security headache in IoT-based attacks. Many users keep the default credentials because they are unaware that doing so can compromise their security later. As this blog and previous attacks on IoT devices show, default credentials are a primary infection vector for attackers. We recommend that users change their devices’ credentials as soon as possible, preferably to passwords of at least 15 characters mixing uppercase and lowercase letters, numbers and special characters.

Given that the attacks also abuse vulnerabilities, users should also patch their device firmware to the latest versions, as these often come with security updates that address exploitable vulnerabilities. The use of firewalls and intrusion detection and prevention systems can also help prevent attackers from accessing a device or network.

Finally, users can look into employing security solutions that can monitor internet traffic, identify potential attacks, and block any suspicious activities on devices connected to the network. Our IoT Reputation Service (IoTRS), provided by the cloud-based Trend Micro™ Smart Protection Network™ infrastructure and integrated into several Trend Micro IoT security solutions, has updated its real-time block list to offer relevant safeguards against this threat and other malicious web accesses and aberrant behaviors associated with smart devices, including home routers, DVRs, and networked security cameras.

Trend Micro Smart Home Network™ users are protected from this threat via these intrusion prevention rules:

Trend Micro IoT Security for Surveillance Cameras™ (TMIS-CAM) users are protected from this threat via the IoTRS service.

Indicators of Compromise:

 ELF_MIRAI.AUTJ:

The post GPON Vulnerabilities Exploited for Mexico-based Mirai-like Scanning Activities appeared first on the Trend Micro blog.

Posted: 21 May 2018 | 6:30 am

Real-time cellphone location data leaked for all major US carriers

From the carriers to LocationSmart to 3Cinteractive to Securus: there appears to be a chain pockmarked with lack of authentication and data lost to hackers.

Posted: 21 May 2018 | 4:43 am

Roaming Mantis dabbles in mining and phishing multilingually

In April 2018, Kaspersky Lab published a blogpost titled ‘Roaming Mantis uses DNS hijacking to infect Android smartphones’. Roaming Mantis uses Android malware that spreads via DNS hijacking and targets Android devices. Based on our telemetry data, this activity is located mostly in Asia (South Korea, Bangladesh and Japan). Potential victims were redirected by DNS hijacking to a malicious web page that distributed a Trojanized application spoofing Facebook or Chrome, which users then installed manually. The application actually contained an Android Trojan-Banker.

Soon after our publication it was brought to our attention that other researchers were also focused on this malware family. There was also another publication after we released our own blog. We’d like to acknowledge the good work of our colleagues from other security companies McAfee and TrendMicro covering this threat independently. If you are interested in this topic, you may find the following articles useful:

In May, while monitoring Roaming Mantis, aka MoqHao and XLoader, we observed significant changes in their M.O. The group’s activity expanded geographically and they broadened their attack/evasion methods. Their landing pages and malicious apk files now support 27 languages covering Europe and the Middle East. In addition, the criminals added a phishing option for iOS devices, and crypto-mining capabilities for the PC.

27 languages: targeting the world

In our previous blogpost we mentioned that a user attempting to connect to any website while using a hijacked DNS is redirected to malicious landing pages on the rogue server. The landing page displays a popup message that corresponds to the language settings of the device and urges the user to download a malicious apk file named ‘facebook.apk’ or ‘chrome.apk’.
Kaspersky Lab confirmed several languages hardcoded in the HTML source of the landing page to display the popup message.

The attackers substantially extended their target languages from four to 27, including European and Middle Eastern languages. And yet, they keep adding comments in Simplified Chinese.
But, of course, this multilingualism is not limited to the landing page. The most recent malicious apk (MD5: fbe10ce5631305ca8bf8cd17ba1a0a35) has also been expanded to support 27 languages.

The landing page and malicious apk now support the following languages:

We believe the attacker made use of an easy method to potentially infect more users, by translating their initial set of languages with an automatic translator.

Apple phishing site for iOS device

Previously, this criminal group focused on Android devices only. They have apparently changed their monetizing strategy since then. The attackers now target iOS devices as well, using a phishing site to steal user credentials. When a user connects to the landing page via iOS devices, the user is redirected to ‘http://security.apple.com/’:

A legitimate DNS server wouldn’t be able to resolve a domain name like that, because it simply doesn’t exist. However, a user connecting via a compromised router can access the landing page because the rogue DNS service resolves this domain to the IP address 172.247.116[.]155. The final page is a phishing page mimicking the Apple website with the very reassuring domain name ‘security.apple.com’ in the address bar of the browser.

The phishing site steals user ID, password, card number, card expiration date and CVV. The HTML source of the phishing site also supports 25 languages.

The supported languages are almost the same as on the landing pages and malicious apk files – only Bengali and Georgian are missing from the phishing site.

Web crypto mining for PC

Looking at the HTML source code of the landing page, we also discovered a new feature: web mining via a special script executed in the browser. More details about web miners can be found in our blogpost ‘Mining is the new black‘.

Coinhive is the most popular web miner used by cybercriminals around the world. When a user connects to the landing page from a PC, the CPU usage will drastically increase because of the crypto mining activity in the browser.

Real C2 destination is hidden in email subject

Older malicious apk samples include a legitimate website, accounts and a regular expression for retrieving the real C2 address, which the malware connects to by using a web socket. This process for obtaining its C2 changes in more recent samples, further described below:

Sample 1
  MD5:             f3ca571b2d1f0ecff371fb82119d1afe
  Date:            March 29, 2018
  File name:       chrome.apk
  Legitimate web:  http://my.tv.sohu[.]com/user/%s
  Email:           n/a
  Accounts:        329505231, 329505325, 329505338
  RegExp:          "<p>([\u4e00-\u9fa5]+?)</p>\s+</div>"
  Encrypted dex:   \assets\db
  Encoding:        Base64

Sample 2
  MD5:             4d9a7e425f8c8b02d598ef0a0a776a58
  Date:            April 7, 2018
  File name:       facebook.apk
  Legitimate web:  https://www.baidu[.]com/p/%s/detail
  Email:           n/a
  Accounts:        haoxingfu88, haoxingfu12389, wokaixin158998
  RegExp:          "公司</span>([\\u4e00-\\u9fa5]+?)<"
  Encrypted dex:   \assets\data.sql
  Encoding:        Base64 + zlib compression

Sample 3
  MD5:             fbe10ce5631305ca8bf8cd17ba1a0a35
  Date:            May 14, 2018
  File name:       $random_num{8}.apk
  Legitimate web:  n/a
  Email:           @outlook.com
  Accounts:        haoxingfu11, haoxingfu22, haoxingfu33
  RegExp:          "abcd"
  Encrypted dex:   \assets\data.sql
  Encoding:        Base64 + zlib compression

Older samples retrieved the next C2 by accessing the legitimate website, extracting a Chinese string from a specific part of the HTML code, and decoding it. This scheme has changed in the recent sample: instead of HTTP, it now uses an email protocol to retrieve the C2.

The malware connects to an email inbox using hardcoded outlook.com credentials via POP3. It then obtains the email subject (in Chinese) and extracts the real C2 address using the string “abcd” as an anchor.
The old and new decoding functions are exactly the same.
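The table and the two paragraphs above describe three dead-drop schemes for locating the C2 (a regular expression over a legitimate profile page for the March and April samples, an “abcd”-anchored e-mail subject for the May sample) and the encoding layers on the payload in \assets\data.sql. The following is an added example, not Kaspersky’s code or the malware’s, that implements those extraction and unwrapping steps over constructed inputs. The final decoding of the extracted Chinese string into an address, and the cipher on the inner payload, are not described on the page and are deliberately not attempted.

```python
"""Resolve Roaming Mantis's dead-drop C2 pointers and unwrap its asset blob.

Added example, not Kaspersky's code or the malware's. Implements the three
retrieval schemes from the table (regex over a fetched page; 'abcd'-anchored
mail subject) and the Base64 / Base64+zlib encoding layers on the payload.
All inputs below are constructed. The decoding of the extracted Chinese string
to an address and the cipher on the inner payload are not on the page and are
not implemented.
"""
import base64
import re
import zlib

# Patterns as listed in the table. The April pattern is shown there with Java-style
# double escaping; Python's re takes \uXXXX with a single backslash.
DEAD_DROP_PATTERNS = {
    "2018-03-29": re.compile(r"<p>([\u4e00-\u9fa5]+?)</p>\s+</div>"),
    "2018-04-07": re.compile(r"公司</span>([\u4e00-\u9fa5]+?)<"),
}
SUBJECT_ANCHOR = "abcd"  # May sample: the C2 string sits between two anchors in the subject


def extract_from_html(html, pattern):
    """Older scheme: pull the Chinese string out of a fetched profile page; None if absent."""
    m = pattern.search(html)
    return m.group(1) if m else None


def extract_from_subject(subject, anchor=SUBJECT_ANCHOR):
    """May scheme: the text between the first two anchors of a mail subject; None if absent."""
    first = subject.find(anchor)
    if first < 0:
        return None
    start = first + len(anchor)
    second = subject.find(anchor, start)
    if second < 0:
        return None
    return subject[start:second]


def find_c2_pointer(subjects, anchor=SUBJECT_ANCHOR):
    """Walk an inbox listing and return the first usable pointer, as the malware's
    POP3 pass would have to; unrelated or unterminated subjects are skipped."""
    for subject in subjects:
        found = extract_from_subject(subject, anchor)
        if found:
            return found
    return None


def unwrap_asset(blob):
    """Undo the table's encoding layers: Base64, then zlib when the result decompresses.
    Detection is by attempting decompression. The result may still be encrypted."""
    raw = base64.b64decode(blob, validate=True)
    try:
        return zlib.decompress(raw)          # April/May samples: Base64 + zlib
    except zlib.error:
        return raw                           # March sample: Base64 only


def looks_like_dex(data):
    """True when the unwrapped bytes start with the dex magic."""
    return data[:4] == b"dex\n"


# --- constructed inputs -------------------------------------------------------
SAMPLE_PROFILE_HTML = '<div class="intro"><p>天天向上</p>\n</div>'
SAMPLE_BAIDU_HTML = '<span>公司</span>好好学习<br/>'
SAMPLE_SUBJECTS = ["Re: invoice", "abcd天天向上abcd", "abcdunterminated"]
INNER_PAYLOAD = b"dex\n035\x00" + bytes(range(32))         # stands in for the decrypted dex
ASSET_OLD = base64.b64encode(INNER_PAYLOAD)                 # \assets\db: Base64
ASSET_NEW = base64.b64encode(zlib.compress(INNER_PAYLOAD))  # \assets\data.sql: Base64 + zlib

if __name__ == "__main__":
    print(extract_from_html(SAMPLE_PROFILE_HTML, DEAD_DROP_PATTERNS["2018-03-29"]))
    print(find_c2_pointer(SAMPLE_SUBJECTS))
    print(looks_like_dex(unwrap_asset(ASSET_NEW)))
```

For a real sample, feed `unwrap_asset` the bytes of \assets\data.sql taken straight from the apk; if `looks_like_dex` is false after unwrapping, the remaining layer is the encryption the post mentions, whose key and algorithm have to be recovered from the loader in classes.dex.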

We decoded the following next stage C2 servers:

Backdoor command “ping”

Kaspersky Lab observed that the previous malicious apk (MD5:f3ca571b2d1f0ecff371fb82119d1afe) had 18 backdoor commands to confirm victims’ environments and to control devices.
According to our analysis, the recent malicious apk (MD5:fbe10ce5631305ca8bf8cd17ba1a0a35) now implements 19 backdoor commands: “ping” was added.

The backdoor commands in the recent sample are as follows:

This additional command calls the OS ping command with the IP address of the C2 server. By running it, the attackers can validate the availability of the server, measure packet travel time, or detect network filtering in the target network. It can also be used to detect semi-isolated research environments.

Auto-generating apk file and filename

Roaming Mantis uses a very simple detection evasion trick on the malicious server. It entails the landing page generating a filename for the malicious apk file using eight random numbers.

Aside from the filename, we also observed that all the downloaded malicious apk files are unique due to package generation in real time as of May 16, 2018. It seems the actor added automatic generation of apk per download to avoid blacklisting by file hashes. This is a new feature. According to our monitoring, the apk samples downloaded on May 8, 2018 were all the same.
However, the malicious apk still contains a loader inside ‘classes.dex’ and an encrypted payload inside ‘\assets\data.sql’ that are identical to those in the previous variants. For security researchers, the IoC section of this report therefore lists MD5 hashes of the decrypted payloads rather than hashes of the whole apk files, along with a few full apk hashes that were uploaded to VirusTotal.
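Since the per-download repackaging changes the whole-file hash but leaves classes.dex and \assets\data.sql untouched, an indicator built on those members survives where a whole-apk hash does not. The following is an added example, not Kaspersky’s code, that hashes the stable members of an apk (a zip archive) instead of the file. The two apks it compares are constructed in memory with placeholder contents; the member names are taken from the paths the post gives, with the zip’s forward slashes.

```python
"""Hash the stable parts of a per-download repackaged apk.

Added example, not Kaspersky's code. Whole-file hashes differ between downloads
once the server repackages each apk, but the loader (classes.dex) and the
encrypted payload (assets/data.sql) stay identical; hashing those members gives
an indicator that survives the repackaging. The apks below are constructed
in memory and their contents are placeholders, not the real loader or payload.
"""
import hashlib
import io
import zipfile

STABLE_MEMBERS = ("classes.dex", "assets/data.sql")   # the post's \assets\data.sql, zip-style path


def whole_file_md5(apk_bytes):
    return hashlib.md5(apk_bytes).hexdigest()


def component_hashes(apk_bytes, members=STABLE_MEMBERS):
    """MD5 of each named member's contents. Zip metadata (timestamps, entry order, filler
    entries) is ignored. A missing member is recorded as None rather than raising."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = set(zf.namelist())
        for member in members:
            out[member] = hashlib.md5(zf.read(member)).hexdigest() if member in names else None
    return out


def same_family(apk_a, apk_b, members=STABLE_MEMBERS):
    """True when every stable member is present in both apks and hashes identically."""
    ha, hb = component_hashes(apk_a, members), component_hashes(apk_b, members)
    return all(ha[m] is not None and ha[m] == hb[m] for m in members)


def build_fake_apk(loader, payload, filler, include_payload=True):
    """Constructed stand-in for one download: fixed loader/payload, per-download junk entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")   # placeholder, not a real manifest
        zf.writestr("classes.dex", loader)
        if include_payload:
            zf.writestr("assets/data.sql", payload)
        junk_name = f"res/raw/{hashlib.sha1(filler).hexdigest()[:8]}.bin"
        zf.writestr(junk_name, filler)                       # name and content change per download
    return buf.getvalue()


# Constructed placeholders for the loader and the encrypted payload.
LOADER = b"dex\n035\x00" + b"L" * 64
PAYLOAD = b"SQLite format 3\x00" + b"P" * 128
APK_FIRST = build_fake_apk(LOADER, PAYLOAD, b"download-1")
APK_SECOND = build_fake_apk(LOADER, PAYLOAD, b"download-2")
APK_OTHER = build_fake_apk(LOADER, b"some other payload", b"download-3")
APK_NO_PAYLOAD = build_fake_apk(LOADER, PAYLOAD, b"download-4", include_payload=False)

if __name__ == "__main__":
    print("whole-file:", whole_file_md5(APK_FIRST), whole_file_md5(APK_SECOND))
    print("components:", component_hashes(APK_FIRST))
    print("same family:", same_family(APK_FIRST, APK_SECOND), same_family(APK_FIRST, APK_OTHER))
```

The check is deliberately strict about missing members: an apk that lacks assets/data.sql is not matched, because a bare loader with no payload is a different object from the samples the post describes.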

Rapidly improving malicious apk and landing pages

Since our first report, Roaming Mantis has evolved quickly. The update history shows how rapidly the threat has been growing:

The actors behind it have been quite active in improving their tools. As seen in the graph below, which shows the unique detected user counts per day according to KSN data, the count increased on May 5. That date is very close to the update date of the new features on the landing pages.

Geographical expansion

Kaspersky Lab products detect Roaming Mantis’s malicious apk files as ‘Trojan-Banker.AndroidOS.Wroba’. Below is the data from Kaspersky Security Network (KSN) based on the verdict ‘Trojan-Banker.AndroidOS.Wroba.al’ from May 1 to May 10, 2018.

It’s clear from this that South Korea, Bangladesh and Japan are no longer the worst affected countries; instead, Russia, Ukraine and India bore the brunt. According to data gathered between February 9 and April 9, the unique user count was 150. It’s worth mentioning that the most recent data shows more than 120 users of Kaspersky Lab products were affected in just 10 days.
Also, it’s important to note that what we see in the KSN data is probably a tiny fraction of the overall picture. There are two reasons for that:

  1. Some users may be using other AV products or no products at all.
  2. Roaming Mantis, after all, uses DNS hijacking, which prevents even our customers from reporting a detection. However, some devices made it through – probably due to switching to cellular data or connecting to another Wi-Fi network.

Conclusions

The Roaming Mantis campaign evolved significantly in a short period of time. The earliest report of this attack was made public by researchers from McAfee in August 2017. At that time, the Roaming Mantis distribution method was SMS and there was one target: South Korea. When we first reported this attack in April 2018, it had already implemented DNS hijacking and expanded its targets to the wider Asian region.
In our report of April this year, we called it an active and rapidly changing threat. New evidence shows a dramatic expansion in the target geography to include countries from Europe, the Middle East and beyond by supporting 27 languages in total. The attackers have also gone beyond Android devices by adding iOS as a new target, and recently started targeting PC platforms – the landing page PC users are redirected to is now equipped with the Coinhive web miner.
The evasion techniques used by Roaming Mantis have also become more sophisticated. Recent additions described in this post include a new method of retrieving the C2 via the email POP protocol, server-side dynamic generation of apk files and filenames, and an additional command that can help identify research environments.
The rapid growth of the campaign implies that those behind it have a strong financial motivation and are probably well-funded.

For our previous findings, please refer to the Securelist post Roaming Mantis uses DNS hijacking to infect Android smartphones.

Kaspersky products detect this malware as:

Kaspersky Lab products block the Coinhive web miner for PC.

IoCs

Malicious hosts:

Malicious apks:

classes.dex:

Decrypted payload (dex file) from \assets\data.sql:

Posted: 18 May 2018 | 3:00 am

Reflow JavaScript Backdoor

A script was left behind on a compromised machine. This led to the discovery of a Windows backdoor written in JavaScript and the C&C backend scripts. Unfortunately I can’t post too many details because the victim’s organization name is present in the files.

The backdoor script is less than 2KB and the only indication of its presence on a compromised PC is a running process called “wscript.exe”, which is a legitimate Windows program. The main part of the script is an endless do-loop: it passes the query string “reflow” to the C&C and awaits commands; otherwise it sleeps for 4 hours.

The callback to the C&C looks like this:

I wanted to find out more so I searched for code snippets in various search engines and VirusTotal but that led me nowhere. I turned to Recorded Future and found exactly what I was looking for. In case you don’t know Recorded Future helps to enrich your raw data with useful contextualized and correlated threat intelligence. What I like best is its ability to find things that search engines can’t because it’s been removed from paste sites or posted to a private forum, as examples.

The results I got show three hits to matching files that were deleted back in December 2017. The cached data and link back to the original source helped me recover a compressed file with the C&C package.

There are four main scripts (3 PHP and 1 JavaScript files) in the package that are copied to a web server. The web server may be attacker-controlled or compromised by some means. The main script, index.php, contains an SVG animation that looks like this when a visitor happens to visit the page.

This script shows that when “reflow” is passed to the page, the contents of a malicious JavaScript file (renamed as a PNG file) are sent to the victim PC and eval’d by the backdoor script. The malicious script uses WMI to obtain the system information, then sends that info back as part of its authentication method.

Here you can see the malicious script running an endless loop waiting for commands such as upload, download, and execute.

The “mAuth” function generates short random strings, concatenates them along with the system info and passes that to the C&C in a cookie after Base64-encoding it. These random strings are important as they are used as markers to identify instructions contained between them.

Data is transmitted back to the C&C using AJAX. There’s a function called “FillHeader” that populates the HTTP header.

Again, this is what the HTTP request looks like when the victim PC checks in:

Performing a Base64-decode on the cookie value results in the 2nd line. Repeating the Base64-decode on the string after the second caret reveals the system info.
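The check-in cookie described above is a two-layer encoding: random marker strings and the Base64 of the system info, caret-joined, then Base64-encoded as a whole. The following is an added example, not the author’s code or the backdoor’s, that builds such a cookie from constructed system info, decodes it back the way the paragraph describes (outer Base64, split on the carets, inner Base64 on the third field), and uses the recovered markers to cut the instruction out of a response body. The exact layout “marker1^marker2^base64(sysinfo)” is an assumption chosen here to match the description; the field contents are constructed.

```python
"""Decode the Reflow backdoor's check-in cookie and use its markers.

Added example, not the author's code nor the backdoor's. The post describes the
cookie as random marker strings concatenated with the WMI system information and
Base64-encoded, such that Base64-decoding the cookie and then the text after the
second caret yields the system info. The layout "<marker1>^<marker2>^<b64 sysinfo>"
is an assumption made here to match that description; all values are constructed.
"""
import base64
import binascii
import secrets
import string

ALPHABET = string.ascii_letters + string.digits


def random_marker(length=6):
    """Short random string of the kind the post says the mAuth function generates."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def build_checkin_cookie(sysinfo, marker1=None, marker2=None):
    """Client side as described: markers + Base64(sysinfo), caret-joined, Base64 again."""
    marker1 = marker1 or random_marker()
    marker2 = marker2 or random_marker()
    inner = "^".join([marker1, marker2, base64.b64encode(sysinfo.encode("utf-8")).decode("ascii")])
    return base64.b64encode(inner.encode("utf-8")).decode("ascii")


def decode_checkin_cookie(cookie):
    """Analyst side: return (marker1, marker2, sysinfo). Raises ValueError for anything
    not shaped like a Reflow cookie, so a decoder run over real traffic fails loudly
    instead of returning garbage."""
    try:
        inner = base64.b64decode(cookie, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"outer layer is not Base64 text: {exc}") from exc
    fields = inner.split("^", 2)
    if len(fields) != 3:
        raise ValueError("expected two carets separating markers and system info")
    marker1, marker2, encoded = fields
    try:
        sysinfo = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"system info is not Base64 text: {exc}") from exc
    return marker1, marker2, sysinfo


def extract_tasking(response_body, marker1, marker2):
    """The post says the markers delimit instructions in the C&C's reply: return the text
    between the first marker1 and the following marker2, or None when either is missing."""
    start = response_body.find(marker1)
    if start < 0:
        return None
    start += len(marker1)
    end = response_body.find(marker2, start)
    return response_body[start:end] if end >= 0 else None


# Constructed values: what the WMI queries might return, and a reply wrapping one command.
SAMPLE_SYSINFO = "jdoe|WS-0417|Microsoft Windows 10 Pro|10.0.16299"
SAMPLE_COOKIE = build_checkin_cookie(SAMPLE_SYSINFO, "Qx7Lp2", "m9Zk3T")
SAMPLE_RESPONSE = "<svg>...</svg>Qx7Lp2upload|C:\\Users\\Public\\report.docxm9Zk3T<!-- -->"

if __name__ == "__main__":
    m1, m2, info = decode_checkin_cookie(SAMPLE_COOKIE)
    print(m1, m2, info)
    print(extract_tasking(SAMPLE_RESPONSE, m1, m2))
```

Because the markers are generated fresh per check-in, a network signature cannot key on them; the stable features are the two Base64 layers and the caret-separated structure, which is what `decode_checkin_cookie` validates.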

One of the PHP scripts appears to be a template which is modified with HTML code to make the page look legitimate (e.g. it contain parts of an organization’s actual webpage). The script is renamed and referenced by the index.php script. This script has all the functions responsible for uploading and downloading files as well as creating activity logs. Among the log files are victim’s IP addresses, what files have been uploaded and downloaded, session information, etc.

The “Authentication” function reads in the cookie value from victims and parses out the system info, and defines variables used to create the log filenames. The victim’s username and computer name are MD5-hashed and used as part of the log filenames. When a victim PC connects to the C&C, three files are created on the C&C server:

The last PHP script in their package is used to interact with and send commands to the victim PCs. Note the timezone and interesting login method.

The available commands are quite limited but are more than enough to upload additional, more powerful tools to the victim PC and gain further access into the network. And finally, if the attackers sense they are about to be discovered, they can delete all the important log files with another set of commands built into this script.

I don’t have any attribution information on these scripts but it doesn’t seem to be related to your-typical-crime-gang. It appears that this campaign is still ongoing as other files show updated timestamps.

Posted: 30 Mar 2018 | 1:12 pm

Rootkit Umbreon / Umreon - x86, ARM samples

Pokémon-themed Umbreon Linux Rootkit Hits x86, ARM Systems
Research: Trend Micro

There are two packages: one is the full 'found in the wild' package, the other is the set of files whose hashes are listed in the Trend Micro article (all but one of those files are already in the full package).

Download (email me if you need the password)

File information

Part one (full package)

#   File name          MD5                               Size (on disk)           Duplicate?
1   .umbreon-ascii     0B880E0F447CD5B6A8D295EFE40AFA37  6085 bytes (5.94 KiB)
2   autoroot           1C5FAEEC3D8C50FAC589CD0ADD0765C7  281 bytes
3   CHANGELOG          A1502129706BA19667F128B44D19DC3C  11 bytes
4   cli.sh             C846143BDA087783B3DC6C244C2707DC  5682 bytes (5.55 KiB)
5   hideports          D41D8CD98F00B204E9800998ECF8427E  0 bytes                  Yes, of file promptlog
6   install.sh         9DE30162E7A8F0279E19C2C30280FFF8  5634 bytes (5.5 KiB)
7   Makefile           0F5B1E70ADC867DD3A22CA62644007E5  797 bytes
8   portchecker        006D162A0D0AA294C85214963A3D3145  113 bytes
9   promptlog          D41D8CD98F00B204E9800998ECF8427E  0 bytes
10  readlink.c         42FC7D7E2F9147AB3C18B0C4316AD3D8  1357 bytes (1.33 KiB)
11  ReadMe.txt         B7172B364BF5FB8B5C30FF528F6C5125  2244 bytes (2.19 KiB)
12  setup              694FFF4D2623CA7BB8270F5124493F37  332 bytes
13  spytty.sh          0AB776FA8A0FBED2EF26C9933C32E97C  1011 bytes               Yes, of file spytty.sh (#56)
14  umbreon.c          91706EF9717176DBB59A0F77FE95241C  1007 bytes
15  access.c           7C0A86A27B322E63C3C29121788998B8  713 bytes
16  audit.c            A2B2812C80C93C9375BFB0D7BFCEFD5B  1434 bytes (1.4 KiB)
17  chown.c            FF9B679C7AB3F57CFBBB852A13A350B2  2870 bytes (2.8 KiB)
18  config.h           980DEE60956A916AFC9D2997043D4887  967 bytes
19  config.h.dist      980DEE60956A916AFC9D2997043D4887  967 bytes                Yes, of file config.h
20  dirs.c             46B20CC7DA2BDB9ECE65E36A4F987ABC  3639 bytes (3.55 KiB)
21  dlsym.c            796DA079CC7E4BD7F6293136604DC07B  4088 bytes (3.99 KiB)
22  exec.c             1935ED453FB83A0A538224AFAAC71B21  4033 bytes (3.94 KiB)
23  getpath.h          588603EF387EB617668B00EAFDAEA393  183 bytes
24  getprocname.h      F5781A9E267ED849FD4D2F5F3DFB8077  805 bytes
25  includes.h         F4797AE4B2D5B3B252E0456020F58E59  629 bytes
26  kill.c             C4BD132FC2FFBC84EA5103ABE6DC023D  555 bytes
27  links.c            898D73E1AC14DE657316F084AADA58A0  2274 bytes (2.22 KiB)
28  local-door.c       76FC3E9E2758BAF48E1E9B442DB98BF8  501 bytes
29  lpcap.h            EA6822B23FE02041BE506ED1A182E5CB  1690 bytes (1.65 KiB)
30  maps.c             9BCD90BEA8D9F9F6270CF2017F9974E2  1100 bytes (1.07 KiB)
31  misc.h             1F9FCC5D84633931CDD77B32DB1D50D0  2728 bytes (2.66 KiB)
32  netstat.c          00CF3F7E7EA92E7A954282021DD72DC4  1113 bytes (1.09 KiB)
33  open.c             F7EE88A523AD2477FF8EC17C9DCD7C02  8594 bytes (8.39 KiB)
34  pam.c              7A947FDC0264947B2D293E1F4D69684A  2010 bytes (1.96 KiB)
35  pam_private.h      2C60F925842CEB42FFD639E7C763C7B0  12480 bytes (12.19 KiB)
36  pam_vprompt.c      017FB0F736A0BC65431A25E1A9D393FE  3826 bytes (3.74 KiB)
37  passwd.c           A0D183BBE86D05E3782B5B24E2C96413  2364 bytes (2.31 KiB)
38  pcap.c             FF911CA192B111BD0D9368AFACA03C46  1295 bytes (1.26 KiB)
39  procstat.c         7B14E97649CD767C256D4CD6E4F8D452  398 bytes
40  procstatus.c       72ED74C03F4FAB0C1B801687BE200F06  3303 bytes (3.23 KiB)
41  readwrite.c        C068ED372DEAF8E87D0133EAC0A274A8  2710 bytes (2.65 KiB)
42  rename.c           C36BE9C01FEADE2EF4D5EA03BD2B3C05  535 bytes
43  setgid.c           5C023259F2C244193BDA394E2C0B8313  667 bytes
44  sha256.h           003D805D919B4EC621B800C6C239BAE0  545 bytes
45  socket.c           348AEF06AFA259BFC4E943715DB5A00B  579 bytes
46  stat.c             E510EE1F78BD349E02F47A7EB001B0E3  7627 bytes (7.45 KiB)
47  syslog.c           7CD3273E09A6C08451DD598A0F18B570  1497 bytes (1.46 KiB)
48  umbreon.h          F76CAC6D564DEACFC6319FA167375BA5  4316 bytes (4.21 KiB)
49  unhide-funcs.c     1A9F62B04319DA84EF71A1B091434C64  4729 bytes (4.62 KiB)
50  cryptpass.py       2EA92D6EC59D85474ED7A91C8518E7EC  192 bytes
51  environment.sh     70F467FE218E128258D7356B7CE328F1  1086 bytes (1.06 KiB)
52  espeon-connect.sh  A574C885C450FCA048E79AD6937FED2E  247 bytes
53  espeon-shell       9EEF7E7E3C1BEE2F8591A088244BE0CB  2167 bytes (2.12 KiB)
54  espeon.c           499FF5CF81C2624B0C3B0B7E9C6D980D  14899 bytes (14.55 KiB)
55  listen.sh          69DA525AEA227BE9E4B8D59ACFF4D717  209 bytes
56  spytty.sh          0AB776FA8A0FBED2EF26C9933C32E97C  1011 bytes
57  ssh-hidden.sh      AE54F343FE974302F0D31776B72D0987  127 bytes
58  unfuck.c           457B6E90C7FA42A7C46D464FBF1D68E2  384 bytes
59  unhide-self.py     B982597CEB7274617F286CA80864F499  986 bytes
60  listen.sh          F5BD197F34E3D0BD8EA28B182CCE7270  233 bytes

part 2 (those listed in the Trend Micro article)
#   File name (SHA256)                                                 MD5                               Size (on disk)
1   015a84eb1d18beb310e7aeeceab8b84776078935c45924b3a10aa884a93e28ac   A47E38464754289C0F4A55ED7BB55648  9375 bytes (9.16 KiB)
2   0751cf716ea9bc18e78eb2a82cc9ea0cac73d70a7a74c91740c95312c8a9d53a   F9BA2429EAE5471ACDE820102C5B8159  7512 bytes (7.34 KiB)
3   0a4d5ffb1407d409a55f1aed5c5286d4f31fe17bc99eabff64aa1498c5482a5f   0AB776FA8A0FBED2EF26C9933C32E97C  1011 bytes
4   0ce8c09bb6ce433fb8b388c369d7491953cf9bb5426a7bee752150118616d8ff   B982597CEB7274617F286CA80864F499  986 bytes
5   122417853c1eb1868e429cacc499ef75cfc018b87da87b1f61bff53e9b8e8670   9EEF7E7E3C1BEE2F8591A088244BE0CB  2167 bytes (2.12 KiB)
6   409c90ecd56e9abcb9f290063ec7783ecbe125c321af3f8ba5dcbde6e15ac64a   B4746BB5E697F23A5842ABCAED36C914  6149 bytes (6 KiB)
7   4fc4b5dab105e03f03ba3ec301bab9e2d37f17a431dee7f2e5a8dfadcca4c234   D0D97899131C29B3EC9AE89A6D49A23E  65160 bytes (63.63 KiB)
8   8752d16e32a611763eee97da6528734751153ac1699c4693c84b6e9e4fb08784   E7E82D29DFB1FC484ED277C702187818  55564 bytes (54.26 KiB)
9   991179b6ba7d4aeabdf463118e4a2984276401368f4ab842ad8a5b8b73088522   2B1863ACDC0068ED5D50590CF792DF05  7664 bytes (7.48 KiB)
10  a378b85f8f41de164832d27ebf7006370c1fb8eda23bb09a3586ed29b5dbdddf   A977F68C59040E40A822C384D1CEDEB6  176 bytes
11  aa24deb830a2b1aa694e580c5efb24f979d6c5d861b56354a6acb1ad0cf9809b   DF320ED7EE6CCF9F979AEFE451877FFC  26 bytes
12  acfb014304b6f2cff00c668a9a2a3a9cbb6f24db6d074a8914dd69b43afa4525   84D552B5D22E40BDA23E6587B1BC532D  6852 bytes (6.69 KiB)
13  c80d19f6f3372f4cc6e75ae1af54e8727b54b51aaf2794fedd3a1aa463140480   087DD79515D37F7ADA78FF5793A42B7B  11184 bytes (10.92 KiB)
14  e9bce46584acbf59a779d1565687964991d7033d63c06bddabcfc4375c5f1853   BBEB18C0C3E038747C78FCAB3E0444E3  71940 bytes (70.25 KiB)
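The two tables above are a hash manifest: the “Duplicate?” column follows from matching MD5s inside the package (hideports and promptlog share D41D8CD9…, the MD5 of an empty file), and the Trend Micro hashes are checked by comparing them against such a manifest. The following is an added example, not code from this post or from Trend Micro, that rebuilds a manifest of that shape for a directory and verifies a download against a published hash list. The package it creates is a constructed stand-in with placeholder contents, not the rootkit’s source.

```python
"""Rebuild a sample listing (name, MD5, size, duplicate-of) and check it against published hashes.

Added example, not code from the post or from Trend Micro. The package created by
make_sample_package() is a constructed stand-in with placeholder contents that only
mirrors the shape of the listing (two empty files, a config.h that also ships as
config.h.dist); it is not the rootkit source.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"  # MD5 of zero bytes


def build_manifest(root):
    """One row per regular file under root, in sorted path order. duplicate_of names the
    first earlier file with the same MD5, or None when the content is unique so far."""
    root = Path(root)
    rows, first_seen = [], {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        data = path.read_bytes()
        digest = hashlib.md5(data).hexdigest()
        name = path.relative_to(root).as_posix()
        rows.append({"name": name, "md5": digest, "size": len(data),
                     "duplicate_of": first_seen.get(digest)})
        first_seen.setdefault(digest, name)
    return rows


def verify_manifest(rows, expected):
    """expected maps file name -> MD5 (any case). Returns {name: problem} for files that are
    missing or whose digest differs; an empty dict means the download matches the listing."""
    by_name = {r["name"]: r for r in rows}
    problems = {}
    for name, md5 in expected.items():
        row = by_name.get(name)
        if row is None:
            problems[name] = "missing"
        elif row["md5"] != md5.lower():
            problems[name] = f"md5 {row['md5']} != {md5.lower()}"
    return problems


def format_manifest(rows):
    """Render rows in the same column layout as the listing above."""
    lines = ["#   File name          MD5                               Size     Duplicate of"]
    for i, r in enumerate(rows, 1):
        dup = r["duplicate_of"] or "-"
        lines.append(f"{i:<3} {r['name']:<18} {r['md5']}  {r['size']:>6}   {dup}")
    return "\n".join(lines)


def make_sample_package():
    """Constructed package; file contents are placeholders."""
    root = Path(tempfile.mkdtemp(prefix="umbreon-listing-"))
    (root / "promptlog").write_bytes(b"")
    (root / "hideports").write_bytes(b"")
    (root / "config.h").write_bytes(b"#define PLACEHOLDER 1\n")
    (root / "config.h.dist").write_bytes(b"#define PLACEHOLDER 1\n")
    (root / "setup").write_bytes(b"#!/bin/sh\n# placeholder\n")
    return root


def remove_sample_package(root):
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    pkg = make_sample_package()
    try:
        manifest = build_manifest(pkg)
        print(format_manifest(manifest))
        print(verify_manifest(manifest, {"promptlog": "D41D8CD98F00B204E9800998ECF8427E"}))
    finally:
        remove_sample_package(pkg)
```

Run `build_manifest` on the unpacked download and `verify_manifest` with the hashes from the Trend Micro table to confirm the package is the one the article analysed; zero-byte files show up as EMPTY_MD5 and will always pair up as duplicates, which is exactly what the listing records for hideports and promptlog.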

Posted: 20 Mar 2018 | 6:29 am

Equifax breach could be most costly in corporate history

NEW YORK/TORONTO (Reuters) – Equifax Inc (EFX.N) said it expects costs related to its massive 2017 data breach to surge by $275 million this year, suggesting the incident at the credit reporting bureau could turn out to be the most costly hack in corporate history.

The projection, which was disclosed on a Friday morning earnings conference call, is on top of $164 million in pretax costs posted in the second half of 2017. That brings expected breach-related costs through the end of this year to $439 million, some $125 million of which Equifax said will be covered by insurance.

“It looks like this will be the most expensive data breach in history,” said Larry Ponemon, chairman of Ponemon Institute, a research group that tracks costs of cyber attacks.

Total costs of the breach, which compromised sensitive data of some 247 million consumers, could be “well over $600 million,” after including costs to resolve government investigations into the incident and civil lawsuits against the firm, he said.

The post Equifax breach could be most costly in corporate history appeared first on CyberESI.

Posted: 2 Mar 2018 | 11:37 am

Freedome VPN For Mac OS X

Take a look at this:

F-Secure Freedome for OS X (freshly installed on a Labs Mac Team MacBook).

The beta is now open for everyone to try for 60 days at no cost.

Download or share.

On 24/04/15 At 12:37 PM

Posted: 24 Apr 2015 | 1:37 am