Search This Blog

Showing posts with label Microsoft Hacks. Show all posts

Hackers abusing Microsoft Azure to deploy malware

Now Microsoft Azure becomes a sweet spot for hackers to host powerful malware and also as a command and control server for sending and receiving commands to compromised systems.

Microsoft Azure is a cloud computing platform created by Microsoft for building, testing, deploying, and managing applications and services through Microsoft-managed data centers.

Initially, this malicious operation was uncovered and reported by @JayTHL & @malwrhunterteam via Twitter in which they provide the evidence that there is a malicious software being hosted in Microsoft Azure.

Researcher’s already reported this malicious operation to Microsoft. however, the original malware (plus additional samples uploaded since) still resided on the Azure site as of May 29, 2019 – 17 days later, Appriver Reported.

This is an evidence of Azure that failed to detect the malware residing on the Microsoft server, but Windows defender is detecting the malicious files if users attempt to download from the malware-hosting server.

Windows defender detects this malware as Trojan:Win32/Occamy.C and the first new sample ( searchfile.exe ) was initially uploaded to VirusTotal on April 26, 2019, and another sample (printer/prenter.exe) was first submitted on April 30, but also remains undetected on Azure servers.

According to appriver, however, it does not appear the service is currently scanning Azure sites or, one could surmise that these files would’ve been detected by now.

Based on the analysis report using the printer.exe file, attackers uncompiled this malware with the c# .net portable executable file.

Attackers cleverly using an uncompiled file as an attempt to evade the gateway and endpoint security detection by thoroughly examining the downloaded binaries.”

Once running, this malicious agent generates XML SOAP requests every 2 minutes to check-in and receive commands from the malicious actors Azure command and control site at: systemservicex[.]azurewebsites[.]net/data[.]asmx”

This is not a first-time malware operator abusing Azure, but already we reported that attackers abuse Microsoft Azure Blog Hosting and it also attempted to steal the login credentials.

Peter Kleissner scheduled to release Windows 8 Bootkit on Malcon Conference

An Ethical Hacker Peter Kleissner said that he has developed a Malware named as "Bootkit" for forthcoming Windows 8 Operating System. He is going to release this at upcoming Malcon Security Conference in Mumbai .

This Bootkit able to load from a hard drive's master boot record and reside in memory all the way through the startup of the operating system, providing root access to the system. This exploits defeats the security features of Windows 8's new Boot Loader.

Peter Kleissner said Stoned Lite, as the latest version of his bootkit is called, doesn't bypass defenses that will be available to people using Windows 8 on newer machines.He said it doesn't bypass a protection known as UEFI(Unified Extensible Firmware Interface), which scans boot drives for malware prior to starting up.

Kleissner previously developed the Stoned bootkit, a proof-of-concept exploit that could attack Windows XP, Vista, and 7, as well as Windows Server 2003

Microsoft office 2007 Excel.xlb Vulnerable to Buffer Overflow Attack


This Metasploit module exploits a vulnerability found in Excel of Microsoft Office 2007. By supplying a malformed .xlb file, an attacker can control the content (source) of a memcpy routine, and the number of bytes to copy, therefore causing a stack-based buffer overflow. This results in arbitrary code execution under the context of the user.

Discovered by :
Aniway
Abyssec
sinn3r
juan vazquez

Reference taken from :
CVE 2011-0105
OSVDB 71765
MSB MS11-021

Platform : windows
Targets :
Win XP sp3 ( Vista and 7 will try to repair the file )
Microsoft Office excel 2007 on Windows XP
Microsoft Office excel 2007 SP2 on Windows XP




source:
snypter

Microsoft released temporary fix for Kernel 0-day Security Flaw


Few days back, Symantec and the Laboratory of Cryptography and System Security (CrySyS) discovered the zero day security flaw in windows kernel while analyzing the Duqu malware.  Microsoft released a temporary fix this problem.  Microsoft determine the problem is in the Win32k TrueType font(TTF) parsing engine.

An attacker can exploit this vulnerability and install programs; view, change, or delete data; or create new accounts with full user rights.

Microsoft is working on to fix this vulnerability with partners in Microsoft Active Protections Program (MAPP). In mean time, Microsoft released "Fix this problem" tool as a temporary solution.

This tool will disable the system access to the T2embed.dll file. The problem with that is it will prevent any applications that rely on embedded TTFs from rendering properly. This is a common practice in Microsoft Office documents, browsers and document viewers.

Zero-day Vulnerability in Windows Kernel exploited by Duqu worm


Zero-Day Vulnerability found in Windows Kernel by Researchers at the Cryptography and System Security (CrySyS) Lab, as the result of Analyzing the Duqu malware.  CrySys immediately reported to the Microsoft about the vulnerability.

CrySys discovered the Duqu Binaries and confirmed that it is nearly identical to Stuxnet.Thus far, no-one had been able to find the installer for the threat and therefore no-one had any idea how Duqu was initially infecting systems.

As the result of Research, CrySys found the installer as Microsoft word document file(.doc) that use a previously unknown kernel vulnerability.  When the .doc file is opened, the Duqu infects the system.

W32.Duqu is a worm that opens a back door and downloads more files on to the compromised computer. It also has rootkit functionality and may steal information from the compromised computer.

Duqu Infection:

"The Word document was crafted in such a way as to definitively target the intended receiving organization. Furthermore, the shell-code ensured that Duqu would only be installed during an eight-day window in August. Please note that this installer is the only installer to have been recovered at the time of writing—the attackers may have used other methods of infection in different organizations.", Symantec Report.

Once the system infected by Duqu, the attacker can control the system and infects other organization through the Social Engineering.  In one organization, evidence was found that showed the attackers commanding Duqu to spread across SMB shares.

Even though the system didn't have the ability to connect to the Internet , the Malware  configured such that to communicate with C&C Server using other infected system that has Internet connection.

Consequently, Duqu creates a bridge between the network's internal servers and the C&C server. This allowed the attackers to access Duqu infections in secure zones with the help of computers outside the secure zone being used as proxies.

Several Countries become the victim of this Duqu malware.  According to Symantec report, there are 8 countries infected by this malware.

As the result of Analysis, the researcher discovered that malware contacts a server hosted in India.

"Microsoft is collaborating with our partners to provide protections for a vulnerability used in targeted attempts to infect computers with the Duqu malware. We are working diligently to address this issue and will release a security update for customers through our security bulletin process," Jerry Bryant, group manager of response communications in Microsoft's Trustworthy Computing group said in a statement

updated whitepaper (version 1.3) from Symantec .

Microsoft's Official Youtube Channel hacked and All videos deleted



Microsoft Official Youtube Account is hacked by Unknown hacker. He removed all videos from their channel. Hacker uploaded four videos , all time-stamped within two hours.

A fifth video was apparently removed.. The video, “Garry’s Mod – Escape the Box,” featured what appeared to be an animated gunman shooting at the inside of a construction box.The channel’s description reads, “I DID NOTHING WRONG I SIMPLY SIGNED INTO MY ACCOUNT THAT I MADE IN 2006 :/"

Now Mcirosoft recovered the account and uploaded videos back. Still they didn't find how hacker hacked it.

GOOGLE | YOUTUBE | MYSPACE | FACEBOOK | GMAIL | BING | MICROSOFT Hacked


Can't Believe this: A Hacker called dr@g has Hacked Guadeloupe  Google / Microsoft/ Motorola / Orange / Facebook / Youtube / Myspace / Live / Hotmail / Bing / Visa / Opera / Gmail / Joomla / Ubuntu / Internet / Bank America and Defaced them. The Hacker is in the team called Moroccain Security Cr3w.
Looks like DNS Hijacking(but not sure).

Hacked Site List:
http://www.google.gp/
http://www.google.com.gp/
http://www.google.net.gp/
http://microsoft.gp/
http://internet.gp/
http://motorola.gp/
http://orange.gp/
http://www.oracle.gp/
http://opera.gp/
http://ubuntu.gp/
http://yahoo.gp/
http://www.facebook.gp/
http://www.youtube.gp/
http://www.bing.gp/
http://www.joomla.gp/
http://www.myspace.gp/
http://www.ciscosystems.gp/
http://www.googleplus.gp/
http://www.gmail.gp/
http://live.gp/
http://bankamerica.gp/

Mirror:

http://www.zone-h.com/mirror/id/14877986
http://www.zone-h.com/mirror/id/14877923
http://www.zone-h.com/mirror/id/14877133
http://www.zone-h.com/mirror/id/14877973
http://www.zone-h.com/mirror/id/14877865
http://www.zone-h.com/mirror/id/14877897
http://www.zone-h.com/mirror/id/14877917
http://www.zone-h.com/mirror/id/14877916
http://www.zone-h.com/mirror/id/14877915
http://www.zone-h.com/mirror/id/14877912
http://www.zone-h.com/mirror/id/14877082
http://www.zone-h.com/mirror/id/14877090
http://www.zone-h.com/mirror/id/14877091
http://www.zone-h.com/mirror/id/14877094
http://www.zone-h.com/mirror/id/14877096
http://www.zone-h.com/mirror/id/14877119
http://www.zone-h.com/mirror/id/14877171
http://www.zone-h.com/mirror/id/14877235
http://www.zone-h.com/mirror/id/14877294
http://www.zone-h.com/mirror/id/14877820
http://www.zone-h.com/mirror/id/14877983
http://www.zone-h.com/mirror/id/14877864



Juan Sacco (runlvl) exposed XSS vulnerability in Bing.com Maps

Juan Sacco (runlvl),One of the Security Researcher - Insecurity Research Labs exposed the XSS vulnerability in Bing.com Search Engine.

BING.COM is prone to a XSS vulnerability because the application fails
to properly perform adequate boundary checks on user-supplied data.
An attacker can exploit this issue to execute arbitrary code in the
victim's browser.

Details
The reflected XSS vulnerability is a variant of a cross-site scripting
flaw: it occurs when the data provided by the attacker is exectued by
the browser, and then displayed on "normal" pages returned to other
users in the course of regular browsing, without proper HTML escaping. A
classic example of this is with online message boards where users are
allowed to post HTML formatted messages for other users to read

Vulnerabilit Details:
  • Name : XSS Reflected on BING.COM
  • Vulnerability Type : XSS Reflected
  • Severity : Very High
  • Researcher : Juan Sacco (runlvl) 
  • Vulnerable Link: here

The vulnerability is caused by the following code and affected by the
Generate Code map

<div id="LME_mapLinks" style="line-height: 20px">
<a id="LME_largerMap" //--&gt;&quot;&gt;'&gt; on Bing Maps (New
window)">View Larger Map</a>
</div>




Credits
Manual discovered by Insecurity Research Labs
Juan Sacco (runlvl) - http://www.insecurityresearch.com