Hackers exploiting Router vulnerabilities to hack Bank accounts through DNS Hijacking

In past months, we have reported about critical vulnerabilities in many wireless Routers including Netgear, Linksys, TP-LINK, Cisco, ASUS, TENDA and more vendors, installed by millions of home users worldwide.

Polish Computer Emergency Response Team (CERT Polska) recently noticed a large scale cyber attack ongoing campaign aimed at Polish e-banking users.
Cyber criminals are using known router vulnerability which allow attackers to change the router's DNS configuration remotely so they can lure users to fake bank websites or can perform Man-in-the-Middle attack.

'After DNS servers settings are changed on a router, all queries from inside the network are forwarded to rogue servers. Obviously the platform of a client device is not an issue, as there is no need for the attackers to install any malicious software at all.' CERT Polska researchers said.
That DNS Hijacking trick is not new, neither most of the router vulnerabilities are, but still millions of routers are not patched or upgraded to the latest firmware version.
The Domain Name System, or DNS, the Internet’s method of converting Web page names into IP address numbers can be hijacked just by changing the server address to a malicious DNS server from router's settings; and that which malicious DNS server should be in control of the hacker to facilitate interception, inspection and modification of the traffic between users and the online banking websites they wanted to target.
"It looks like criminals are primarily targeting e-banking users as they modify DNS responses for several banking domains, while resolving other domain names normally." they said.
Most of the Banking and E-commerce sites are using HTTPS with SSL encryption, making it impossible to impersonate them without a valid digital certificate issued by a Certificate Authority (CA), but to bypass such limitation cyber criminals are also using the SSL strip technique to spoof digital certificates. 

“While criminals intercept the unencrypted request, they simply modify links to clear HTTP, adding “ssl-“ String to a hostname, apparently in an attempt to fool casual users (Note that the nonexistent ssl-. hostnames would only be resolved by malicious DNS servers) While the connection is proxied through malicious servers, SSL is terminated before it reaches the user. Decrypted content is then modified and sent unencrypted to the customer.”
"In cases we have seen, they produced a self-signed certificate for thawte.com domain, which causes a browser to complain about both domain name mismatch and lack of a trusted CA in the certificate chain. This should be a clear indicator of the fraud for most users."

Demonstration of Exploitation:
Penetration tester and Computer Science Student, ABDELLI Nassereddine from Algerian, who reported previously about critical unauthorized access and password disclosure vulnerability in the TP-LINK Routers provided by Algerie Telecom, has also published the practical demonstration on 'How to Hack Victim's computer and accounts by hijacking Router's DNS server'.

 

 

To perform this, he used DNS Proxy tool 'Dnschef' and exploitation tools including Metasploit, webmitm and Burp Suite. Steps to follow:

• Install these tools and run following command:

./dnschef.py –interface 192.168.1.106 –fakeip 192.168.1.106 

(where interface is the original IP address and fakeip is the resolution of the DNS query)

• Run 'webmitm tool' that will handle the HTTP requests and responses and also forward the traffic to Burp Suite Proxy to inject an iframe of the Metasploit's Browser AUTOPWN Server.
• Launch the Bowser AUTOPWN module on Metasploit and get access.

Our readers can get detailed explanations of exploitation technique on the Nassereddine's blog.
How to Protect?
Now that you know how hackers can target routers to mess up the internet connection or even steal banking, Facebook, Google passwords, the next best thing to do is to secure your own routers:

• Change the default username and password.
• Update the Router's firmware to latest patched version.
• Users can spot fake sites by pay attention to the browser’s address bar and HTTPS indicators.
• Disable Remote Administration feature, especially from WAN. The router should be configurable only from the local network or LAN. 

  

Source: THN

Unseen 4096-Bit Encrypted Email, Chat and File Sharing Service to counter NSA Spying

With the beginning of a new week, we always came across a new revelation of surveillance programs run by the U.S. Government. A Recent NYT Report disclosed that how whistleblower Edward Snowden downloaded 1.7 million classified files which are revealing a number of secret spying projects that are being executed by NSA. The only lesson we have learned, is about taking our PRIVACY very seriously. 

To Communicate using electronic media, we need to explore something which can make the conversation more secure and private. The only point where my search ends is to 'Encrypt the message' to be sent with a robust encryption technique which might provide at least a handy balance of security and convenience.

Recently, it was reported that most widely adopted encryption technique RSA had a backdoor for the NSA. So ‘Privacy’ becomes a question to all of us and what technology we should trust upon.

We have various sets of options to choose encryption e.g. Advanced Encryption Standard (AES) or the Elliptic Curve Cryptography (ECC), but the question still persists after an un-proved leak that NSA has developed a quantum computer which can collide with any secure key being used by an algorithm in a cost effective manner. So at this point, these types of encryption might get fails.

A Secure messaging service for Email, Chat, VoIP, and File Sharing is being claimed by UNSEEN.is, provides 4096-bit encryption. For key exchange it uses NTRU (latency based cryptography technique), and hence made a shield against quantum computing attacks.

The service provider claims that they are not storing encryption keys on their servers and so the keys are not known to them, even if the government agency asks for any data of a particular due to any reason, so it would not be of any use to them.

The service is available for free and also on a monthly premium basis, in both the plans, the security of data is same, but only storage capacity varies.

Unseen have all their assets in ICELAND and the country is known for its very strong Human Right policies, protection of whistleblowers and Privacy Laws.

Recently, unseen witnessed a service disrupting activity in which they were targeted by Law Enforcement Agency. “The NSA and GCHQ have programs to do precisely this sort of thing and Here’s the PROOF!”

 

 

The accuracy of the data has been yet a question but if it's true; one can easily confirm that NSA and GCHQ won’t get any detail from UNSEEN by enforcing any law.

User can also use PGP (Pretty Good Privacy) to encrypt emails. You are much better protected than if you communicate in the clear. Now that we have enough details about how the NSA eavesdrops on the internet, and can finally start to figure out how to protect ourselves.

 

 

Source: THN

Largest Ever 400Gbps DDoS attack hits Europe uses NTP Amplification

The Distributed Denial of Service (DDoS) attack is the one of favourite weapon for the hackers to temporarily suspend services of a host connected to the Internet and till now nearly every big site had been a victim of this attack.

Since 2013, Hackers have adopted new tactics to boost Distributed Denial of Service attack sizes, which is known as ‘Amplification Attack’, that provide the benefits of obscuring the source of the attack, while enabling the bandwidth to be used to multiply the size of the attack.

Just yesterday, hackers have succeeded in reaching new heights of the massive DDoS attack targeting content-delivery and anti-DDoS protection firm CloudFlare, reaching more than 400Gbps at its peak of traffic, striking at the company’s data servers in Europe.

“Very big NTP reflection attack hitting us right now. Appears to be bigger than the #Spamhaus attack from last year. Mitigating,” CloudFlare CEO Matthew Price said in a tweet. “Someone’s got a big, new cannon. Start of ugly things to come,”

This massive DDoS attack was greater than ever in history of the Internet, and larger than previous DDoS record-holder Spamhaus DDoS attack i.e. 300Gbps, that almost broke the Internet.

Attackers leveraged weaknesses in the Network Time Protocol (NTP), which is used to synchronize computer clocks, but hackers are abusing the NTP servers by sending small spoofed 8-byte UDP packets to the vulnerable server that requests a large amount of data (megabytes worth of traffic) to be sent to the DDoS's target IP Address.

The frequency of NTP reflection attacks has grown in recent months. While researchers have long-predicted that NTP might someday become a great vector for DDoS attacks and ideal DDoS tool, and the trend has recently become popular, causing an issue for some gaming websites and service provider.

Recently, The US-CERT issued an alert warning, listed certain UDP protocols identified as potential attack vectors for Amplification Attack, including DNS, NTP, SNMPv2, NetBIOS, SSDP ,CharGEN, QOTD, BitTorrent, Kad, Quake Network and Protocol Steam Protocol.

As all versions of ntpd prior to 4.2.7 are vulnerable by default, the simplest recommended course of action is to upgrade all versions of ntpd that are publicly accessible to at least 4.2.7. Until all the misconfigured NTP servers are cleaned up, attacks of this nature will continue.
Update: The CloudFlare team has released more technical details on the above 400Gbps NTP amplification DDoS Attack. Hackers abused 4295 vulnerable NTP server, running on 1,298 different networks.
The Spoofed UDP packet was amplified 206-times larger than the request by exploiting MONLIST command  vulnerability on open ntpd servers. "An attacker with a 1Gbps connection can theoretically generate more than 200Gbps of DDoS traffic."

 

 

 

 That means, Just by using 2Gbps Internet Connection and exploiting 4,529 NTP servers, Hacker DDoSed websites with 400Gbps bandwidth. "On average, each of these servers sent 87Mbps of traffic to the intended victim on CloudFlare's network." they said.

CloudFlare has also release a list of all Networks with Naughty NTP Servers Used in DDoS Attack, rather than publishing the complete list of IP addresses. ,"At this time, we've decided not to publish the full list of the IP addresses of the NTP servers involved in the attack out of concern that it could give even more attackers access to a powerful weapon."

 

 

Source: THN

Hackers targeting non-browser applications with Fake SSL Certificates

Having SSL Certification doesn't mean that the website you are visiting is not a bogus website. SSL certificates protect web users in two ways, it encrypts sensitive information such as usernames, passwords, or credit card numbers and also verify the identity of websites.

But today hackers and cyber criminals are using every tantrum to steal your credentials by injecting fake SSL certificates to the bogus websites impersonating Social media, e-commerce, and even bank website.

Netcraft Security Researchers have discovered dozens of fake SSL Certificates being used to enact financial institutions, e-commerce site vendors, Internet Service Providers and social networking sites, which allegedly allows an attacker to carry out man-in-the-middle attacks.

When you will visit a bogus website from any popular web browser; having self signed fake SSL Certificate, you will see a foreboding warning in the web browser, but the traffic originates from apps and other non-browser software fail to adequately check the validity of SSL certificates.

The SSL Certificates are not digitally signed by a trusted certificate authority, so if you are accessing a sensitive website from your Smartphone apps or any other non-browser software, then you may be at a great risk.

"Online banking apps for mobile devices are tempting targets for man-in-the-middle attacks, as SSL certificate validation is far from trivial, and mobile applications often fall short of the standard of validation performed by web browsers. 40% of iOS-based banking apps tested by IO Active are vulnerable to such attacks because they fail to validate the authenticity of SSL certificates presented by the server. 41% of selected Android apps were found to be vulnerable in manual tests by the Leibniz University of Hannover and Philipps University of Marburg in Germany. Both apps and browsers may also be vulnerable if a user can be tricked into installing rogue root certificates through social engineering or malware attacks, although this kind of attack is far from trivial on an iPhone." Netcraft researchers said.

Source: THN

Magento vulnerability allows an attacker to create administrative user

It seems you cannot go a day without hearing about someone or some group hacking a website or stealing credit card and other sensitive data from e-commerce sites.

The Market of E-commerce is at its boom, and that provides even more opportunities to hackers. There are many readymade e-commerce platforms available on the Internet, that are easy to install and easy to manage at no extra cost and 'Magento' is one of the most popular out of them.

Recently security researchers at Securatary have reported a critical cross-store vulnerability in the Magento platform that lets attackers to escalation privilege by creating an administrative user on any 'Gostorego' online store.

The authentication bypass vulnerability left 200,000 merchants data vulnerable to hackers before it was patched. To exploit the flaw, an attacker only needed to modify the HOST header to the URI of the target account in the GET request.

They dubbed it as "Stealth mode", allow the attacker to steal store credits and gift coupons, change the price of products and also can manipulate a number of other things in more than 20,000 web stores. "All these requests however “impersonate” the store owner account so action are logged as this user and does not look so suspicious." they said.

To demonstrate the vulnerability security researcher has used Burp Suite, which easily allows an attacker to capture the login request, change the host entry in the header, and all other facilities for adding a new user in targeted store.

The Security Company has reported the vulnerability to eBay, who own the Magento project and hence patched.

Source: THN

Edward Snowden obtained classified NSA documents by stealing Coworker’s Password

We are quite aware of the leaks that the Whistleblower Edward Snowden carried out against the US National Security Agency (NSA) and after reading every related update, watching every document that he provided to various news websites, you all are left with a question in mind that, How he could carry out this whole operation without any helping hand?

Yes, you are right! The former NSA contractor Edward Snowden allegedly managed to access thousands of the classified documents by stealing one of his coworker's passwords, according to an unclassified NSA memorandum obtained by the NBC News.

Three Members, one NSA's civilian employee, an active duty member of the U.S. Military and a contractor were found involved in the actions that may have aided Snowden's operation; from which NSA's civilian employee has been stripped of his security clearance and has resigned.

Other two has been obstructed from accessing National Security Agency (NSA) facilities, the memo states indicating that their status is under review currently.

The coworker said that he allowed Snowden to use his Public Key Infrastructure (PKI) certificate to access the classified information on ‘NSANet’ that was officially denied to access by Snowden.

The memo’s account doesn’t provide much detail, according to NBC, but going through the whole memo, Snowden’s somehow got one of his civilian NSA employees and coworkers to enter his password “onto Snowden’s computer terminal,” the memo states. “Unbeknownst to the civilian, Mr. Snowden was able to capture the password, allowing him even greater access to classified information”

The memo also states that the civilian coworker was not aware of Mr. Snowden’s intentions that he “intended to unlawfully disclose classified information,” and shared his PKI certificate, a system of highly secure credentials that provided greater access to NSA’s internal computer system, and “failed to comply with security obligations,” that made him resign.

This was not the first time we heard about the involvement of the coworker of NSA in the matter of so called nation’s pride. Bake in the month of November, the memo appears to be the first official confirmation of a Reuters report in November; Reuters reported that some of the employees, as many as 20 to 25 workers who shared their passwords had been identified, questioned, and removed from their assignments, but the NSA never publicly commented on that report and Snowden appeared to deny it during a public Google chat just last month.

Now this is what NSA must quite aware of the discipline maintained by the workers who work at NSA to carry out the most sophisticated project to spy on each individual, while their inbuilt threat may blow their head off.

 

Source: THN

Underground Marketplace 'Utopia' Seized by Dutch Police, 5 suspects arrested

After Silk Road, another underground online marketplace 'Utopia' has been seized by Dutch National Police, where users could buy illegal drugs and guns for home delivery.

The police started their investigation under Codename 'Operation Commodore' in 2013,  and finally seized Utopia's Germany-based servers and arrested total 5 suspects for running this marketplace. One arrested in Germany and other four suspects, aged 29 to 46, were detained in The Netherlands. Two of them had also been involved in another similar underground website 'Black Market Reloaded', which was closed in December 2013.

Utopia reportedly launched only last week (http://ggvow6fj3sehlm45.onion/), intended to become a direct competitor of the Silk Road, was a 'dark web' website, which is accessible only by using Tor anonymity software.

The website is now displaying a message: "This hidden service has been seized by the Dutch National police."

Many illegal Drugs, including ecstasy and cocaine as well as guns and stolen credit cards were available through the Utopia marketplace, and also were offering hacking tools and gambling services.
Dutch Police have seized 900 Bitcoin, currently worth between $540,000-$815,000 and 21-year-old Germany man could be extradited The Netherlands soon.

Dutch police declined to reveal details of how Utopia was closed, instead promising to release more information later this week.
On the other hand, the moderators of the site are calling the seizure of Utopia "a serious blow to the darkweb maketplace community" and trying to regroup with other members to launch a new website.

Source: THN