Saturday, April 20, 2019


Some information regarding #APT34:

On the 20th of March 2019, some webshell accounts were offered for sale on RAID FORUMS. Some of the offered accounts belonged to the entities listed below.

Published accounts include:

  • Abu Dhabi Airports
  • Etihad Airways
  • Emirates Policy Center
  • Nigerian Building & Research Institute 
  • National Security Agency of Bahrain
  • Emirates National Media Company
  • Emirates National Oil Company
  • Qatar padiwan
  • Emirates Federal Competitiveness and Statistics Authority
  • Emirates Prime Minister Office
  • Lamprell Energy Ltd.
  • Abu Dhabi Statistics Center 
  • Oman Administrative Court
  • Kuwaiti Diwan
  • SSTC 
  • Jordan NITC - National Information Technology Center
  • Emirates Ministry of Presidential Affairs



On the 25th of March, a channel named Lab Dookhtegan was created on Telegram; one day later, the following paragraph was posted on it:

“We are exposing here the cyber tools (APT34 / OILRIG) that the ruthless Iranian Ministry of Intelligence has been using against Iran’s neighboring countries, including names of the cruel managers, and information about the activities and the goals of these cyber-attacks. We hope that other Iranian citizens will act for exposing this regime’s real ugly face!”



Following that post, there were several posts claiming to expose the identities of some of the Iranian hackers responsible for #APT34, including their CVs, and the tools and techniques used:


  • Poison Frog (similar to Glimpse) – panel, server side and PowerShell agent (communicates over DNS and HTTP) – all written and used by the group.
  • A webshell written by the group that uses RSA-encrypted communication.
  • DNSpionage tool: code used for MITM to extract authentication details (written in Python) and code for managing the DNS hijacking.
  • Highshell, Hypershell, Minion Project, FoxPanel – webshell code and the managing panels created and used by the group.


Starting from the same date, the 26th of March, there were posts leaking the webshell accounts of the aforementioned entities; these posts continued consecutively until the 6th of April.

On the 20th of April, it was confirmed that a copy of the leaked accounts is available to download as a 7z compressed file hosted on AWS.

It is highly advisable that all affected entities start investigating this issue and, if a breach is confirmed, begin their incident response processes immediately.

Friday, December 29, 2017

Watching over your privacy inside the Cyber world. Episode 1, Dating Apps

Disclaimer: This post is for educational purposes only and I do not endorse any illegal or unethical activities using the information in this post. Should you get involved in any illegal or even unethical activity then you, alone, are responsible for any legal consequences of your deeds.

I’ve been postponing this post over and over for a few months now; I didn’t want it to be a stalking cookbook but a not-so-late alarm to anyone who values privacy and uses any of the several dating apps out there.
Enough loud thoughts, and let’s dive into the subject. As you know, there are a lot of dating apps, and a feature of many of them is the “location”.

I’ll demonstrate the issue using the famous Tinder application. When you browse any of the available persons, most of the time you can find a number representing the distance between yourself and that person. Let’s say the distance is 5 miles; you can read “5 miles away” a couple of lines under the photos section. I guess many have wondered if they can determine that person’s location from just this info; however, the distance alone only places the person somewhere on a circle whose centre is your own position and whose radius is the said distance.



But we can check that person’s profile from at least three different locations, on condition that these three locations are not on the same line but form a triangle, so we can get a rough estimate of that person’s location, which you can check using Google Maps. To get back to the profile on Tinder later: when you view the profile for the first time, click "RECOMMEND (Person Name) To A FRIEND", then copy the shown text and paste it somewhere you can easily access, so you can open it again in case you are not matched.




Now I bet some of you are wondering if there is an option in Google Maps to draw a circle with a certain radius; unfortunately Google does not provide such a feature.
However, and luckily for us demonstrating this issue, Oliver Beattie has done spectacular work creating this add-on layer: http://obeattie.github.io/gmaps-radius/?
After you have determined the distance from the Tinder profile three times, as mentioned in the previous step, you can open obeattie’s link and draw three circles with the radii you read,
which we can use to roughly determine the location on the map, and then continue checking the person’s profile from various other points to determine the near-exact location, hopefully.


You can always gather more information about that person using normal reconnaissance techniques, including the written information inside the profile, and maybe some social engineering.


So that was just a thought about exploiting privacy via Tinder or other dating applications.

Your comments are welcome.

Thursday, September 5, 2013

Could it be a 0day against RDP?

A week ago, a client suffered from weird Windows Server 2003 / ISA 2004 behaviour: the server began to restart every few minutes after a Blue Screen Of Death (BSOD), leaving Stop Error 0x000050 or 0x00007e. Our technical guy suspected the RAM module and swapped it with another one in another slot; still the same problem.

I started to debug the memory dumps with WinDbg, which suggested that the error is caused by RDPWD.SYS.

Hence I asked them to disable RDP totally on this server until there is a remedy for it. A few days later, the same problem occurred with some other ISA/TMG Windows 2003 & 2008 servers at a couple of other clients; we told them the same workaround, to disable RDP on the Internet-facing servers and use something else for remote administration if it's a must. They did as they were told and bingo, their problems were gone.

I didn't recommend monitoring the incoming connections to the servers and blocking the attacking ones, as the attack could be initiated from a lot of zombies, and it would be impossible to block all of their IP address blocks.

Could it be a 0day attack against the RDP service? Could it be an old, not-so-famous exploit that causes a DoS on fully patched versions? I can't tell for sure, as currently I'm not running a honeypot and I haven't had enough time to start analyzing this specific attack; I'll try to analyze it as soon as I can spare some time for this interesting task.

Sunday, July 17, 2011

Why a firewall, IPS & Antivirus won't make you secure

Did you just install Gartner's Magic Quadrant No. 1 firewall? Did you combine it with a powerful IPS with up-to-date signatures? Did you add an antivirus on top of your arsenal? Do you keep updating/patching your operating systems & applications? Do you have the latest DLP protecting your data? Are you splitting your internal network into VLANs for security reasons? Well, that's an "OK" effort, but unfortunately it's not enough...
Now one might say: "Of course we need to monitor all these systems"; still, not enough. Another might say "We are blocking all USB ports", but again, that's not enough either. One might say "We will run penetration tests every now and then to validate how secure our measures are"; yet again, that's not enough. You might say: "Training is an ongoing process with our Information Security & IT Security departments"; still, that's not enough...

Let's think of Information Security as a business model, a complete one. Information security is better thought of as a concept, not as a technology; technology helps us to protect our data, but doesn't do that by itself, it needs human intervention to achieve that. The human factor is the most important link in the security chain: it might become the weakest, as many of us have already seen in many cases, and it might become the toughest. Let's imagine a place where the most advanced technologies are being used to secure and protect the data while the employees are sharing their passwords among each other to make their job easier; this place is risking a lot. In this case we may need to combine biometric authentication with the common username/password system, forming a multi-factor authentication system, to overcome this problem. But what if the employees, AKA system users, are not convinced by the forced security measures? What if a bank employee discusses a bank client's financial status with some external party like a friend or someone they met in a bar?

The point is, besides following a standard like BS7799 or ISO 27001 and having our policies, solutions & technologies in place, we have to spread security awareness across our organization. Over many years of "trying" to enforce information security policies, I've found that systems' users tend to apply and follow policies when they are convinced by them more than when policies are just enforced on them; being convinced can be achieved through security awareness, and awareness can be spread via training, e-mails, web portals or even competitions.

Just have a look at the whole business plan altogether: just like you shouldn't focus on production and leave out distribution, or focus on marketing while leaving human resources out of scope, you shouldn't focus on information security standards, policies, solutions & technologies while leaving the human factor out of scope.

Monday, May 16, 2011

Your guide to safe Internet searching & browsing

Yeap, you got that right, "safe Internet searching". A couple of weeks ago I was at my office searching for something using Google, then I got home and typed the same terms in the search box to continue my search. When Google showed the results, I found that the first result was in purple, meaning I had clicked it before; I looked at the upper right corner to find my name written there, which means that I was logged in to Google. So when you are logged on to Google it keeps track of all the terms you search for. That might be OK for some people, but certainly not for me; I find this as bad for your privacy as smoking is for your health.

Imagine a huge archive that contains everything you have ever searched for; it would reveal many sides of your character to whoever has access to it, especially people capable of profiling, and maybe this kind of data is available to certain governmental institutions. You may or may not care about this, but many people really do care about their privacy, especially when you are in a country that might try you in a military court or accuse you of libel & slander of a public official, or of insulting a ruling entity, when describing something that really happened to you...
Using your Internet behaviour, certain entities might start launching phishing or pharming attacks against you to further access your computer and your data.

So what can we do about it? Try to stay anonymous as much as you can:
  1. Dedicate a browser for any Internet search activities.
  2. Do not log on to sites such as Google, MSN & Yahoo when you want to search the Internet.
  3. Delete all cookies before you open any site in this dedicated browser and delete all cookies & history after you finish.
  4. Some people even use a virtual machine to access the Internet, to decrease the attack surface of their machines/data. If you are very paranoid like these guys, you can take a snapshot of the virtual machine in a stable state after installation and before browsing any site, and restore it to that specific snapshot every time after you access the Internet, while putting all the data you are going to need again on a detachable USB drive connected to this virtual machine only when you need to write to it, then copying all the data somewhere else after making sure that all of it is virus free.
  5. Use anonymous proxies (e.g. Tor, which we discussed in an earlier post).

Sunday, April 24, 2011

Your guide to safe social networking - part 2

Today we continue discussing how to safely browse social networking sites under the assumption that we are seeking some anonymity. Anonymity might be required for many reasons, for example:
  • One is writing his/her opinions frankly in countries that do not tolerate "other" opinions.
  • One has her/his social network account just for fun and doesn't want it to be traceable to a real-life person.
Here are some pieces of advice on meeting the anonymity requirements:
  1. Take special care when enabling/using the location feature of your social network account; it can be used to trace your location, to get to you or to determine the place you are not at. Yes, you read that correctly, the place "you are not at": please check the "Please Rob Me" site, which tries to raise awareness about over-sharing.
  2. Think thoroughly before adding people you don't know as friends on Facebook, MySpace or other social network sites.
  3. Think twice before identifying your family members and tagging them in your photos.
  4. In case you think that your "frank" opinions might provoke some officials in your country, you had better create your social network account with an alias, not your real name, never put personal info in there, and use Tor (this excerpt from its site explains what it is: "Tor is free software and an open network that helps you defend against a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security known as traffic analysis") as you can find hereafter:

Hope that would be helpful to you, social networkers everywhere, and until next post, should you need to ask about any related issue please do not hesitate to post your questions here :)

Saturday, April 23, 2011

Your guide to safe social networking

As we are getting more and more involved in social networking via sites like Twitter, Facebook, LinkedIn, etc., we need some guidelines to protect our privacy throughout this cyber space:

  1. Use a complex password & change it every 30 days or when weird things start to happen to your account:
    Use a password of at least 8 characters that contains alphanumerics (a mix of capital & small letters) & special characters (e.g. ~!@#$%^&*()). And to answer your question: NO, you can't use your pet's name, family name or your favourite movie or actor as a password unless you make it, somehow, comply with the previous rule; for example, to use the name "George Clooney" you can write it like this: "gC!0oN3y", or a similar combination of capital letters, small letters, numbers & special characters.
  2. Use the HTTPS/SSL feature of the web sites you are using:
    As most of us might not know, when we log on to one of our social networks, our credentials (i.e. username & password), or at least our password, are sent encrypted to that site so that no one can learn them. But after the authentication process the site defaults you back to the unencrypted connection, which means that all the traffic between your web browser and the web site is sent in clear text. This makes your browsing prone to sniffing (where someone might be able to grab a copy of everything that is being sent to or from your web browser) and also makes you vulnerable to an attack called Sidejacking, where an attacker can use some of our sniffed cookies to browse the site using our account (yes, that explains why weird things do happen, e.g. our account seems to be adding/deleting friends/followers or posting things that we never wrote, etc.). And just for the record, Sidejacking also works with e-mail hosting sites. Using the HTTPS feature of web sites, if it does not block these attacks, will at least lower an attacker's ability to carry them out, unless s/he is a very resourceful one.
    To enable the HTTPS feature on Facebook follow this guide:

    To enable the HTTPS feature on Twitter follow this guide:

  3. Unless you want Twitter followers to know your Facebook id, don't use your Facebook profile picture as your avatar on Twitter, as your profile id is written in its file name and can easily be traced to your Facebook profile.
  4. Do not post personal stuff on your social network account, as it may be used to stalk you.
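One check a site owner (or anyone reading response headers in their browser's developer tools) can run against the Sidejacking risk described in point 2, added here as an example rather than the post's own material: it flags a session cookie set without the Secure attribute, which is exactly the condition that lets the cookie be sniffed once the site falls back to plain HTTP after login. The session cookie names and the sample responses are constructed assumptions.

```python
# Added example (not the post's code): audit Set-Cookie headers for the
# attributes that limit sidejacking (replay of a sniffed session cookie).
# Sample responses are constructed; the session cookie names are assumptions.

SESSION_COOKIE_NAMES = {"sessionid", "sid", "auth_token"}  # assumed names

def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def audit_set_cookie(header_value):
    """Return findings for one Set-Cookie header; empty list if it is fine."""
    name, _, attrs = parse_set_cookie(header_value)
    if name.lower() not in SESSION_COOKIE_NAMES:
        return []  # only session tokens matter for sidejacking
    findings = []
    # Without Secure the browser also sends the cookie on plain-HTTP requests,
    # which is exactly what a sniffer on an open network needs to replay it.
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure (sent over cleartext HTTP)")
    if "httponly" not in attrs:  # HttpOnly keeps page script from reading it
        findings.append(f"{name}: missing HttpOnly (readable by script)")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append(f"{name}: SameSite not Lax or Strict (cross-site use)")
    return findings

def audit_response(header_lines):
    """Collect findings from every Set-Cookie line of a response header list."""
    findings = []
    for line in header_lines:
        key, _, val = line.partition(":")
        if key.strip().lower() == "set-cookie":
            findings.extend(audit_set_cookie(val))
    return findings

# Constructed samples: one site sets its session cookie without Secure, so it
# leaks on the next http:// request after login; the other is hardened.
WEAK_RESPONSE = ["HTTP/1.1 200 OK",
                 "Set-Cookie: sessionid=abc123; Path=/; Domain=example.test",
                 "Set-Cookie: theme=dark; Path=/"]
HARDENED_RESPONSE = ["HTTP/1.1 200 OK",
                     "Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"]
```

Run `audit_response(WEAK_RESPONSE)` to see the three findings for the weak site; the hardened response produces none.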


Well folks, I guess that will be enough for today; if you have any inquiry I'll be more than happy to help, just post it here :)