Application security and vulnerability management platform DefectDojo has raised $7 million in Series A funding.
The post DefectDojo Raises $7 Million for Application Security Platform appeared first on SecurityWeek.
SecurityWeek – Read More
Often, malware uses platforms like — Telegram and Discord for data exfiltration. Due to its simplicity and the lack of need for building a server architecture, this exfiltration method has gained significant popularity. However, this very simplicity is also its weakness.
In this article we’ll show you how to obtain information related to threat actors’ activities using Telegram API, which can help reveal their identity, attribute malware samples to known families or discover new ones.
First, we need to find a relevant malware sample using Threat Intelligence Lookup with the following query:
TI Lookup reveals a hundred sandbox sessions featuring samples that match our query.
We can select one of them and rerun it with the MITM Proxy feature enabled.
In Telegram, to send a message, two main methods are typically used:
/sendMessage
/sendDocument
For sending text
For sending text and files
Any HTTP method (GET, POST, etc.) can be used. The GET method allows parameters to be passed in the query string (url-encoded)
Only the POST method is available. The POST method requires parameters to be passed in the request body
After turning on the MITM Proxy and starting the sandbox session, we navigate to the HTTP Requests tab, where we can see a request to api.telegram.org.
Looking at the POST request to /sendDocument, we see that it uses the form-data method for transmission.
In this case, the bot token can be obtained from the URL of the request, and the chat_id from the body (in the screenshot, it is the first parameter in the body).
We can also examine the response from the server. It arrives in JSON format and contains a lot of useful information: the chat_id, bot username, bot name/title, chat name, and chat type.
In this sandbox session, we can see an example of a request to /sendMessage using the GET method, where the data is passed in the query string (url-encoded):
Using CyberChef, we can decode the query string. Here is what the sent data looks like:
In this case, the bot token and chat_id are present in the query string.
Now, let’s use the attacker’s chat_id and bot token. The chat_id can refer to either a group chat or direct messages. First, we check if the bot has a webhook:
https://api.telegram.org/bot<token>/getWebhookInfo
The presence of a webhook means a high chance of early detection of abuse.
If a webhook is present, we save its data and delete it using /deleteWebhook.
NOTE! The webhook may have a secret token which could reveal the substitution.
If there is no webhook, the likelihood of detection is very low.
Next, you need to:
Create a Telegram group
Make yourself anonymous
And only then add the bot to the group
Here is how you can create a group using different clients:
Telegram Desktop
Menu (☰) > New Group > Next > Create
Telegram Web (K version)
New (🖉) > New group > Next (⮕) > Next (⮕)
Telegram App
Menu (☰) > New Group > Next (⮕) > Create (✓)
Then the group chat will open, if not – open it manually
Next, we need to set the Administrators list and change your user settings:
Telegram Desktop
Settings (⋮) > Manage Group > Administrators > Right click on your profile > Edit admin rights
Telegram Web (K version)
Click on group header > Side-menu appears > Edit (🖉) > Administrators > Click on your user profile
Telegram App
Click on group header > Edit (🖉) > Administrators > Click on your user profile
In the opened window, toggle Remain anonymous and click Save.
If everything is successful, the input field will display the placeholder “Send anonymously.” For Telegram Web, you may need to refresh the page.
Now, let’s add the bot to the group:
Telegram Desktop
Click on group header > Add member (+) > Enter bot name and click > Add
Telegram Web (K version)
Click on group header > Side-menu appears > Add member (+) > Enter bot name and click > Next (⮕) > Pop-up appears > Add
Telegram App
Click on group header > Click on “+ Add members” > Enter bot name and click > Submit (✓) > Pop-up appears > Add
The bot username can be obtained by calling /getMe.
After adding the bot, the following message will be displayed:
Next, it is necessary to call the /getUpdates method with the argument offset=-1.
This will reset the bot’s update history to the most recent update.
From the data received from the server (see the image above), we take the update_id and chat_id and save them. The chat_id is the ID of the group to which we added the bot.
Next, we call /getUpdates again with the argument offset=update_id + 1.
This will completely clear the bot’s update history. After this, if a webhook existed, we restore it using /setWebhook.
Once the bot has been added, you can use several methods such as /forwardMessage, /copyMessage, /deleteMessage, /getChat, and /getChatAdministrators, which are among the most useful.
You can experiment with these methods in interactive mode here: https://telegram-bot-api.vercel.app
We enter the bot token in the token field.
Next, we call /forwardMessage with the arguments:
chat_id: the ID of the group chat
from_chat_id: from the malware request
message_id: the index of the message in the chat
We enter the parameters in the corresponding fields (chat_id, from_chat_id, message_id) and click Execute.
As a result, we receive a response in JSON format containing information about the forwarded message.
You can also do this directly in the browser:
https://api.telegram.org/bot<token>/forwardMessage?chat_id=<your_chat_id>&from_chat_id=<malware_chat_id>&message_id=<message_id_from_malware>
For demonstration purposes, we will use another bot mentioned earlier. The actual request is: https://api.telegram.org/bot7023899363:AAFEzgbfWzhyE32Lf95TKSRYEYXMd4AfMyk/forwardMessage?chat_id=-1002455457772&from_chat_id=6354844663&message_id=49817
The server returns data about the forwarded message, similar to the previous example. Here, we can see the message_id (in our group), the sender (from), the original chat (forward_origin, forward_from), and the date the original message was sent as a UNIX timestamp (forward_date).
The result in the chat:
If you want to copy a chat entirely, you need to understand how message_id works.
This id is actually the index of the message.
For private chats and each group (group/supergroup), the indices run in parallel. Message_id for private chats is shared across all chats with users. With each message received from an individual user or sent to an individual user, the message_id increments by one.
Thus, the first message in a chat with one user might have a message_id of 4096, even though in the context of the chat it should have a message_id of 1. In groups, however, message_id works as expected, starting from 1.
This can be visualized as follows:
Message_id
Group 1
Group 2
User 1
User 2
1
1
1
2
2
2
3
3
3
4
4
4
5
5
5
To determine the type of chat, you can use the /getChat method.
If it is a group (group/supergroup), there shouldn’t be any significant issues
If it is a private chat, there is a possibility that the bot has chats with multiple users, and some messages may not be accessible without the IDs of those users.
There is no simple way to retrieve all messages from a chat; some messages may not be accessible to the bot, but it will definitely have access to the messages it has sent.
In the malware request, we can see the message_id of the message from the malware, allowing us to estimate the number of messages.
Next, we iterate through all messages from 1 to the required number. Telegram allows for a stable rate of 20 requests per minute with short bursts.
To copy multiple messages at once, you can use /forwardMessages, which allows copying up to 100 messages in a single request. Thus, in one minute, you can stably copy 2000 messages or more if you utilize bursts.
Using a Python script, we can copy the entire chat
We recommend saving the server responses, as they contain additional data useful for research: the date of the original message, its ID, and the ID of the original chat.
For more detailed information on the Telegram Bot API, refer to the documentation.
Replicating the same method with Discord is challenging due to the use of webhooks.
A Discord webhook allows sending messages to a chat for which it was designated. Retrieving a message without knowing the message_id is difficult because Discord uses a snowflake ID, which includes the timestamp of the message and service information for identification.
The only known message IDs for you will be those you managed to intercept.
Among the methods that can be executed directly in the browser, there are only two:
Retrieving webhook data:
We once again run it with the MITM Proxy enabled.
Next, we find a request to Discord.
We copy the request URL.
By inserting the URL into the browser’s address bar, we can obtain data about the webhook, including its name (name) and the channel it is associated with (channel_id)
Now, let’s open the server response in the sandbox session. We’ll use the simplified view to find the message ID.
More useful are the methods that require POST and PATCH requests.
By sending a request to the previous URL, we can modify the message using PATCH.
You can also edit the webhook. Similarly, instead of retrieving webhook data using GET, you can use PATCH.
A POST request to the webhook URL will allow you to send a message.
For more detailed information, refer to the webhook documentation.
We have prepared demonstration scripts in Python to make it easier to replicate the techniques shown above. You can find these scripts in our GitHub repo.
This script allows you to obtain the chat ID of the group to which the bot will be added. The script will warn about the presence of a webhook and offer to delete it. If the bot already has unprocessed updates, the script will offer to delete them.
After that, you only need to add the bot to the group. The script will restore the webhook if it existed and delete the update about being added to the group.
As an example, we’ll use the following bot token:
bot6562806943:AAGufR13-622BXIjHsbpmkQygiIJA1Vo–c
Once we run the script , the chat ID will be displayed.
If a webhook is present:
The next useful script is forward_message.py, which allows forwarding messages from one chat to another.
The bot must have access to messages from the first chat and must be able to send messages to the second chat.
You can specify the range of messages to forward, the method for handling HTTP 429 (too many requests), and the frequency of requests.
All request results will be saved in a separate directory, which can also be reassigned.
The script writes the launch parameters to the console and the ID of the message it attempts to forward.
Server responses will be saved in separate JSON files in a specified directory.
The next script is forward_messages.py. Despite the similar name and settings, it has some differences from forward_message.py:
It forwards up to 100 messages in a single request.
You do not receive data about the messages.
Here is how you can use forward_messages.py
Example:
The script writes the launch parameters to the console, the range of messages it attempts to forward, and the number of messages that were successfully forwarded within that range.
The server returns only an array containing the IDs of the messages forwarded using the /forwardMessages.
For more convenient data extraction, ANY.RUN lets you access malware’s configuration via the MalConf tab (see sandbox session). In this configuration, you can find the token. If there is info about requests in the process memory, their parameters are also displayed.
You can also explore ready-made links for API requests, which you can paste into your browser’s address bar.
The available links for Telegram are:
Get info about the bot
Get incoming updates
Get webhook
Delete webhook
Drop incoming updates
For Discord, malware typically uses webhooks. With a GET request, the only available action is to retrieve information about the webhook itself.
See another session with an extracted malware config.
In most cases, the malware retains data about the request and its result in memory, and you can obtain these details from the configuration.
For Telegram, the most important data are chat_id and token. Thanks to ANY.RUN’s config extraction, you can see the text of the message sent by the malware.
Malware that uses Discord is often written in Python or JavaScript.
In most cases, they do not leave complete data about requests in memory. However, if such data remains, you will be able to see it in the MalConf tab.
We can obtain the message ID, channel ID, sending date, URL for downloading attachments, and other useful information from the server response.
ANY.RUN helps more than 400,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, Yara Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.
With ANY.RUN you can:
Detect malware in seconds
Interact with samples in real time
Save time and money on sandbox setup and maintenance
Record and study all aspects of malware behavior
Collaborate with your team
Scale as you need
POST request to /sendDocument: https://app.any.run/tasks/93e29328-a39a-4769-94d7-44256e1c9cbb
GET request to /sendMessage: https://app.any.run/tasks/861482ae-8f96-41ff-918f-3a642c87db79/
POST request to webhook URL: https://app.any.run/tasks/189ce54d-7b1a-4d6f-a3ab-c6ea88d1aa5b
Two telegram bots and one discord webhook in one sample: https://app.any.run/tasks/861482ae-8f96-41ff-918f-3a642c87db79?malconf=66e7c1acfec4983250763c78
Discord webhook and server response: https://app.any.run/tasks/b86b6efc-093b-4418-ab4d-7385e1761bb8?malconf=true
Statement of Account as of AUGUST 2024SOA.pdf.exe ()
MD5: ddbaaa52ea1192377573a76e4ac8fb7b
SHA256:
svchost.exe / Builder.exe
MD5: 6aba4665085cf92ad3d569a7b37f2b53
SHA256: 7f158a2e68162d7e882dc389c8c4d8e4dcd1161272fd4ba5a2edd63e31385f69
Builder.exe
MD5: 3c168aa3065d0ff315220f060fbae7b3
SHA256: e72325336065b6a088a43221a4e7da4e86e2c627c2b671c1b05a643dc19e9060
svchost.exe
MD5: 50dce71a753bad01a07904f2af283123
SHA256: 8fb751033d1546ce28f5dcef171857ee879bdd31d76be2ae556f246c258473f3
csrss.exe
MD5: 0998890ccf8a3d8702db7a84fe6dd7b3
SHA256: c33e1408ea96b9ea7a72d44d7742effb4a98776711b7c94c4997a155af61b220
Stlr.exe
MD5: 712e31bac690f0f557c37f324cfe541b
SHA256: 5809167017915ccd66d1fff1c39da41ea43f0dcf0a6b8fd3e5938281a5d78ac4
The post How to Intercept Data Exfiltrated by Malware via Telegram and Discord appeared first on ANY.RUN’s Cybersecurity Blog.
ANY.RUN’s Cybersecurity Blog – Read More
The India-linked threat actor SloppyLemming has been targeting government, law enforcement, and other entities in Pakistan.
The post India-Linked Hackers Targeting Pakistani Government, Law Enforcement appeared first on SecurityWeek.
SecurityWeek – Read More
Phishing attacks are becoming more advanced and harder to detect, but there are still telltale signs that can help you spot them before it’s too late. See these key indicators that security experts use to identify phishing links:1. Check Suspicious URLs
Phishing URLs are often long, confusing, or filled with random characters. Attackers use these to disguise the link’s true destination
The Hacker News – Read More
Security Orchestration, Automation, and Response (SOAR) was introduced with the promise of revolutionizing Security Operations Centers (SOCs) through automation, reducing manual workloads and enhancing efficiency. However, despite three generations of technology and 10 years of advancements, SOAR hasn’t fully delivered on its potential, leaving SOCs still grappling with many of the same
The Hacker News – Read More
CVE-2024-7593 is the third Ivanti product vulnerability patched in recent months that has been exploited in the wild.
The post Third Recent Ivanti Vulnerability Exploited in the Wild appeared first on SecurityWeek.
SecurityWeek – Read More
With browser bookmarks, Gmail’s bottomless inbox, the ever-present Wikipedia, and the effective backup of iOS devices in iCloud, it’s easy to get the impression that data online is stored both safely and forever. Sadly though — it’s not always the case. Therefore, it’s a good idea to make a backup of important personal information and protect it from ransomware and spyware. This post examines the whats, whys, and hows of the backup process.
We could write a fat textbook on how online data can disappear or otherwise become inaccessible, but we’ll limit ourselves here to listing some real-life instances of data going AWOL to better demonstrate their variety:
You bookmark your favorite recipes on a cooking website, but, after a redesign and restructuring of the site, the articles move to new addresses and your links are broken.
You listen to music on a streaming service, but songs disappear from your playlist because of copyright issues.
You chat with friends in a messenger and expect the chat history to be there forever — but the service shuts down and your history is lost.
You compile a bibliography for a thesis or research paper, but some of the referenced articles are published on sites that later close down or get paywalled.
You use a free note-taking service that suddenly becomes payable or shuts down.
You saved a link to a helpful tax and benefits guide on a government website, but some time later it becomes unavailable.
You store your photos and videos in an online photo album, but the provider decides to lower the image resolution, which causes blurring of video backgrounds and text in screenshots.
You published a website, but the hosting provider loses all your data in a cyberattack.
You liked or published a social media post, but a few months later you can’t find it. It might not even be deleted — you just have no means to search for it.
Online content loss can be divided up into two distinct types: (1) where you can no longer find information that used to be publicly available; and (2) where you lose your own data: notes, photos, or documents.
The first type of data loss is global in scale: according to a recent study, 38% of links active in 2013 were broken ten years later. For government websites, this figure is 13%; for Wikipedia links — 11%. A recent report on China’s internet landscape stated that web pages published before 2004 were near impossible to find since site owners actively purge old content. In an ironic twist, the posts of a Chinese blogger on this topic were themselves deleted.
Losing your own non-public data occurs less often, but hits much harder, so backing it up should be a priority.
First of all, make a list of all your important data. Think carefully about what’s really valuable to you in the digital world, and where it’s stored. Family photos? Household accounts? PhD thesis? Design ideas for your future apartment? Personal notes? Tracks of all your runs? Sort everything in descending order of importance, and make backups working your way down. Depending on the type of information, there are several backup options.
This is the simplest way to back up photos, documents, and other files that are stored online and can be easily opened on a computer. Saving web pages in the same way is harder, but still doable — for example, you can use the “Save as PDF” option. We recommend creating a coherent storage system on your computer so that you can easily find such files later. If their volume is too large, you can use a removable drive or set up network-attached storage (NAS) at home. To protect your data from ransomware and spyware, use robust security software, such as Kaspersky Premium. And to insure against equipment malfunction, you can set up a RAID array of drives on your computer or NAS device (the simplest, most reliable, but pricier option is RAID 1).
Online applications and services that don’t use files as such (messengers, email clients, databases, note apps) often let you export data, or create an archive file or backup. Read the respective help and explore the settings to find out how to export and what formats are available.
Usually, the most common formats are offered: HTML, PDF, TXT, or CSV. In this case, exported data can be easily viewed without specialized software and then migrated to another service. At the end of this post you’ll find links to backup-guides for popular online services.
But sometimes the export file is a black box containing a backup that only allows data restoration within the same service. This is the case, for example, with WhatsApp backups stored on Google Drive or iCloud.
Some online services offer no export or backup options at all — social networks and streaming services are often guilty of this. In this case, it’s worth doing a search for a specialized export tool or online service using queries like SERVICENAME export or SERVICENAME backup. Two important warnings: before downloading anything, (1) install reliable protection on your computer to avoid picking up malware instead of a useful tool; and (2) make sure that the export procedure doesn’t violate local laws or copyrights.
For important web pages, you can create backups in specialized services. For example, Pocket is great for personal use — the premium version saves not just a link to the document, but a full-text copy of it. For public use, copies of web pages can be saved to the internet archive web.archive.org or the like-minded archive.is. We’ll soon be posting about these services separately.
This insures against shutdown or technical issues with one of the services. You can combine this tip with the first one above by downloading files and saving them, say, to a Dropbox local folder on your own drive, which will automatically sync with your cloud storage. This way, the file will have both offline and cloud backups. Storing two copies of a document, for example, in OneDrive and Google Drive may seem paranoid, but it truly is reliable.
This is the pinnacle of internet archiving — eliminating the need to update backups manually. For files, you can create a scheduled task for copying from one folder to another — allowing you to duplicate them on your home server and in cloud storage. Some note-taking services have additional sync modules that let you automatically create, say, a note in Joplin or Obsidian when new tasks appear in Todoist, add movies marked “favorite” on IMDb to separate notes, copy articles saved in Pocket to Evernote, and so on. Many such scenarios can be implemented through ready-made recipes in cross-platform automation tools like IFTTT and Zapier.
In some countries and regions, the right to download one’s data and migrate it to another service (data portability) is enshrined in law: among them are the European Union, India, Brazil, and the US State of California. If your online service offers no export or backup options, you can contact support, cite the relevant law, and get a copy of your data.
Remember to back up your online data on a regular basis — at least once a month.
Because recommendations vary depending on the service and type of data, we have a series of dedicated posts grouped together with the backup tag. The list will be updated and supplemented regularly, but right now you can read about creating backups for the following:
Notion
Telegram
WhatsАpp
Authenticator apps for two-factor authentication
Other services
And don’t forget to keep your backups safe!…
Kaspersky official blog – Read More
A now-patched security vulnerability in OpenAI’s ChatGPT app for macOS could have made it possible for attackers to plant long-term persistent spyware into the artificial intelligence (AI) tool’s memory.
The technique, dubbed SpAIware, could be abused to facilitate “continuous data exfiltration of any information the user typed or responses received by ChatGPT, including any future chat sessions
The Hacker News – Read More
Join the webinar to gain insights and learn actionable steps to enhance your organization’s data security and resilience.
The post Webinar Today: Shield Your Data, Secure Your Future: A Multi-Layered Approach to Operational Resilience appeared first on SecurityWeek.
SecurityWeek – Read More
Sweden is accusing Iran of hacking SMS service and sending out thousands of text messages calling for revenge over Quran burnings.
The post Iran Was Behind Thousands of Text Messages Calling for Revenge Over Quran Burnings, Sweden Says appeared first on SecurityWeek.
SecurityWeek – Read More