Story Title: Mirai Botnet activity detected in Germany
Exploits SOAP requests sent via the TR-069 protocol, which ISPs use to manage DSL modems remotely.
The exploit sends an update that reconfigures the modem's NTP servers. Apparently the backtick character (`), which the shell treats as a command-substitution operator and executes, is not escaped in that field, resulting in RCE and thousands of compromised routers.
This is a command injection vulnerability. There's also a Metasploit module for it already.
If you have port 7547 open on your ISP modem/router, you may be at risk.
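As an added illustration of the defensive fix (this is not code from the show or from any affected vendor), the following Python checks the NTP server values inside a TR-069 SetParameterValues request against a strict allow-list before they could ever reach a shell. The parameter names are from the TR-098 InternetGatewayDevice data model; the SOAP envelope is a simplified constructed sample, not a captured request.

```python
import re
import xml.etree.ElementTree as ET

# Strict allow-list for an NTP server value: an IPv4 literal or a DNS hostname.
# Shell metacharacters (backticks, ';', '$(') never match, so the value is
# refused before it can reach any command line.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
    r"(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$", re.I)
_IPV4 = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")

def is_safe_ntp_server(value: str) -> bool:
    """True only if value is a plain hostname or IPv4 address."""
    return bool(_IPV4.match(value) or _HOSTNAME.match(value))

# Parameter names come from the TR-098 InternetGatewayDevice data model.
NTP_PARAMS = {f"InternetGatewayDevice.Time.NTPServer{i}" for i in range(1, 6)}

def check_set_parameter_values(soap_xml: str) -> dict:
    """Return {parameter name: "ok" | "REJECT"} for every NTP server value
    in a TR-069 SetParameterValues request body."""
    root = ET.fromstring(soap_xml)
    verdicts = {}
    for pvs in root.iter("ParameterValueStruct"):
        name = (pvs.findtext("Name") or "").strip()
        value = pvs.findtext("Value") or ""
        if name in NTP_PARAMS:
            verdicts[name] = "ok" if is_safe_ntp_server(value) else "REJECT"
    return verdicts

# Constructed sample request (simplified envelope, not a captured packet):
# the second value carries the backtick pattern the show notes describe.
SAMPLE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:cwmp="urn:dslforum-org:cwmp-1-0">
  <soap:Body><cwmp:SetParameterValues><ParameterList>
    <ParameterValueStruct>
      <Name>InternetGatewayDevice.Time.NTPServer1</Name>
      <Value>pool.ntp.org</Value>
    </ParameterValueStruct>
    <ParameterValueStruct>
      <Name>InternetGatewayDevice.Time.NTPServer2</Name>
      <Value>`echo injected`</Value>
    </ParameterValueStruct>
  </ParameterList></cwmp:SetParameterValues></soap:Body>
</soap:Envelope>"""

if __name__ == "__main__":
    for name, verdict in check_set_parameter_values(SAMPLE).items():
        print(f"{verdict:7} {name}")
```

The same allow-list check applies to any other TR-069 parameter a firmware hands to a shell; the point is that the value is validated, never quoted after the fact.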
Story Title: Tor got pwned again
Synopsis/Talking points: A vulnerability in Mozilla Firefox was discovered in the wild being used to compromise Tor users.
According to a user on Y Combinator's Hacker News, the exploit is being delivered to visitors of the Tor CP site "giftbox".
The exploit reportedly “got loaded on the confirmation page after logging in”
Some are stating the exploit payload is roughly similar to the FBI's payload from when it was attacking Tor users in 2013:
“The malicious payload it delivers, according to an independent researcher who goes by the Twitter handle @TheWack0lian, is almost identical to one that was used in 2013 to deanonymize people visiting a Tor-shielded child pornography site. The FBI ultimately acknowledged responsibility for the exploit, which was embedded in webpages served by a service known as Freedom Hosting.”
I have a humongous hate-boner for TOR, but respect the fact that there are a lot of political dissidents in regimes around the world that RELY on it to be secure.
In that same breath, fuck child predators who use TOR. I hope the FBI nails them.
To that effect, use NoScript and/or uMatrix to block JS by default and only enable it when necessary.
Story Title: #Creditcardchallenge
#Creditcardchallenge was a hashtag observed on Twitter. People are posting credit card numbers, expiration dates and CVV2 codes on social media. Some are just trolling, and some are legitimately that stupid.
This is nothing terribly new; people have been observed posting pictures of credit cards, passports, licenses, etc. on social media. A lot of OSINT and social engineering practitioners have found this information and have even told the posters "You should probably remove this", with varying degrees of success.
Story Title: SFMTA Light Rail Ransomware attack
San Francisco Municipal Transportation Agency (SFMTA)
Passengers get to ride free due to the attack
Ransomware infected the MBR
Attack likely exploited low hanging fruit
Might have exploited a WebLogic vulnerability
Specifically seems to target Primavera Project Portfolio Management software
Has used this to target other victims
For a few extra BTC, the hacker will help you close the flaw s/he exploited
The hacker seems to use open source tools and do his own target sourcing
Attribution puts the hacker in Iran, but using a Russian mobile number.
Hacking karma seems to have circled back around
The hacker's inbox was accessed by guessing his security recovery questions
SFMTA seems to be restoring from backups rather than paying the ransom
Hacker is now threatening to release 30GB of data if they aren’t paid
Don't have low-hanging fruit
Segment your network
It's almost like I wrote a lot of shit about doing these things months ago.
Ransomware defense related:
ProTip of the Week:
Details: Accurately Model and Emulate Your Adversaries
Research who the adversary or adversaries are for the targeted organization
Research the adversary’s capabilities to more accurately emulate them
Research the adversary’s infrastructure to try to match it as closely as possible