Submission + - A "Looking Glass" For DNS (sans.edu)

UnderAttack writes: Ever wondered which websites may be blocked or redirected by certain countries? The SANS Internet Storm Center has a nifty little tool that was made live today that will resolve a hostname using recursive nameservers in different countries. The tool works for A as well as for AAAA records. You can also find "misbehaving" name servers that resolve a hostname badly, for example as a result of an attack against the DNS infrastructure of the particular domain.

Submission + - Huawei Executive Arrest Inspires Advance Fee Scams (sans.edu)

UnderAttack writes: Scammers are attempting to trick Chinese victims into sending thousands of dollars in order to secure the release of Chinese Huawei executive Meng who was arrested in Canada last week. The messages claim to originate from Ms. Meng and suggest that she found a corrupt guard who will let her go for a few thousand dollars. Of course, there will be riches for anybody who is willing to help (and more).

Submission + - Extortion Scams Are Made More Plausible by Including Leaked Password (sans.edu)

UnderAttack writes: Extortion e-mails have been going around for a while. They usually claim that the sender has gotten a hold of some compromising video, and ask for some ransom in Bitcoin. But now, the attacker makes the threat more plausible by including a password of the victim that was leaked. The password is authentic and likely comes from one of the many recent password leaks.

Submission + - Mirai's latest target: Phones with exposed Android Debug Port (sans.edu)

UnderAttack writes: The SANS Internet Storm Center noted a marked increase in scans for port 5555 today. Port 5555 is used by the Android Debug Bridge, a feature that should be disabled but for some reason was left enabled on some phones. Since this was discovered a while ago, the feature has been targeted by various malware like crypto miners. But it looks like now it is also being hit by the latest Mirai variant looking for new victims.

Submission + - SPAM: Active Exploitation of Recent Drupal Vulnerability Under Way

UnderAttack writes: About two weeks ago, Drupal fixed a critical remote code execution vulnerability. At the time, Drupal added a generic "sanitize" function for all input, not giving away the actual vulnerability. But this has changed since on Thursday a simple exploit was published to GitHub. Shortly after, the Internet Storm Center reported that various exploits had been spotted against its honeynet. If you haven't patched your system yet, then it may already be too late by the time you read this.

Submission + - A Year After Mirai: DVR Torture Chamber Test Shows 2 minutes between exploits (sans.edu)

UnderAttack writes: Over two days, the Internet Storm Center connected a default-configured DVR to the Internet, and rebooted it every 5 minutes in order to allow as many bots as possible to infect it. They detected about one successful attack (using the correct password xc3511) every 2 minutes. Most of the attackers were well-known vulnerable devices. A year later, what used to be known as the "mirai" botnet has branched out into many different variants. But it looks like much-hyped "destructive" variants like Brickerbot had little or no impact.

Submission + - Advertisement Networks Specializing in Deceptive Advertisements (sans.edu)

UnderAttack writes: If you are still not using a decent ad-blocker, then you may have seen deceptive advertisements, which claim to offer "necessary" video players or claim that your system is infected and offer anti-virus solutions or tech support to help with that. It appears that some advertisement networks specialize in placing these ads on websites. The Internet Storm Center looked into one of these networks, RevenueHits, and found that it placed exclusively deceptive advertisements on a test page. The payout wasn't bad on the other hand, which may explain why sites are willing to place these ads.

Submission + - Microsoft Delays February Patch Tuesday Indefinitely (sans.edu)

UnderAttack writes: Microsoft today announced that it had to delay its February Patch Tuesday due to issues with a particular patch. This was also supposed to be the first Patch Tuesday using a new format, which led some to believe that even Microsoft had issues understanding how exactly the new format is going to work, with no more simple bulletin summary and patches being released as large monolithic updates.

Submission + - New 0-Day Exploit Affecting All Windows Versions Including Windows 10 (sans.edu)

UnderAttack writes: The Internet Storm Center is reporting that a new 0-day exploit was released to GitHub that causes current versions of Windows, including Windows 10, to crash. The exploit does require SMBv3, which is not supported on older versions of Windows. So your Windows XP system is likely still safe. The sad part is that this is a very simple missing length check, something that should have been avoided if any kind of QC had been done on the code.

Submission + - "Domaincop" malicious abuse notifications (sans.edu)

UnderAttack writes: An outfit by the name of "domaincops.net" apparently harassed domain owners with malware-loaded spam. The spam claimed to include an abuse notification, and the domain name "domaincops.net" made them more plausible. Properly DKIM-signed, these notes may have even slipped through many spam filters, and the site was (while it was still up) protected by Cloudflare.

Submission + - Thieves Find New Ways to Bypass iOS Activation Lock (sans.edu)

UnderAttack writes: Apple's efforts to make its products jailbreak-proof are often justified with attempting to secure the product from theft. For example, the iOS activation lock appears to have caused a significant drop in the number of stolen iOS devices. But thieves are adapting, and finding ways to bypass activation lock with some nifty social engineering and phishing tricks. This article summarizes some of the tricks that thieves are currently employing.

Submission + - The Dark Side Of Certificate Transparency (sans.edu)

UnderAttack writes: Certificate Transparency is a system promoted by companies like Google that requires certificate authorities to publish a log of all certificates issued. With certificate transparency, you can search these logs for any of the domains you own, to find unauthorized certificates. However, certificates are not only used for public sites. And with all certificates being published, some include host names that are not meant to be publicly known. An update of the standard is in the works to allow entities to obfuscate the host name, but until then, certificate transparency logs are a good reconnaissance source.

Submission + - Hiding Commands in AAAA DNS Records for Covert Command and Control Channels (sans.edu)

UnderAttack writes: DNS makes for a great command and control channel. Pretty much all systems are able to reach the global DNS infrastructure via recursive name servers. The other advantage of DNS is that any operating system includes tools to perform DNS lookups on the command line. To exfiltrate data, a simple "A" record lookup for a hostname can be used like 4111111111111111.evilexample.com to exfiltrate a credit card number. But to send commands back to the system, many covert channels use "TXT" records, which are much less common and easily detected or blocked.

The script presented here uses a simple bash script to instead encode commands in AAAA records, and use them to send commands back to the compromised systems. AAAA records hold 16 bytes per record, and due to them being displayed in hex, are easily decoded with tools like xxd.
