Search This Blog

Showing posts with label Sensitive data. Show all posts

Security Flaws Impacting Oracle’s iPlanet Web Server Discovered By Researchers



Cyber Security Experts discover two security defects affecting Oracle's iPlanet Web Server that could cause sensitive data exposure and limited injection attacks. 

Tracked as CVE-2020-9315 and CVE-2020-9314, discovered by experts at Nightwatch Cybersecurity on January 19, 2020, the two flaws are said to reside in the web administration console of the enterprise server management server. 

The first issue, known as CVE-2020-9315, could permit unauthenticated remote attackers to secure the read-only access to any page inside the administration console, without validation, by essentially replacing an admin GUI URL for the target page. 

The vulnerability could bring about the leak of sensitive information, including configuration information and encryption keys. 

While the second tracked as CVE-2020-9314, could be exploited to infuse external images which can be utilized for phishing and social engineering attacks. It lives in the "productNameSrc" parameter of the console. 

An inadequate fix for CVE-2012-0516 XSS validation defect considered this parameter to be abused related to "productNameHeight" and "productNameWidth" parameters for the injection of images into a domain. 

The two vulnerabilities affect Oracle iPlanet Web Server 7.0.x, that is no longer supported. 

At the time it isn't clear if the earlier versions of the application are likewise influenced. As indicated by the experts, the most recent variants of Oracle Glassfish and Eclipse Glassfish share common code with iPlanet, yet they don't appear to be vulnerable. 

“Since Oracle no longer supports Oracle iPlanet Web Server 7.0.x, the policy is that there is no coordinated disclosure involving Oracle,” concludes the report published by Nightwatch Cybersecurity. ”Reporters who discover security vulnerabilities in products that Oracle no longer supports are free to disclose vulnerability details without Oracle participation.” 

Following is the timeline for the issues: 
2020-01-19: Initial discovery 
2020-01-24: Initial disclosure sent to the vendor; rejected since the product is not supported 
2020-01-24: Clarification questions sent to the vendor 
2020-01-27: Report again rejected by vendor; referred to MITRE for CVE assignment 
2020-01-29: CVEs requested from MITRE 
2020-02-07: Initial report sent to CERT/CC 
2020-02-17: CVE request rejected by MITRE, resubmitted with more data 
2020-02-18: Response received from CERT/CC 
2020-02-20: CVE assignments received from MITRE 
2020-02-20: CVEs and disclosure plans communicated to the vendor 
2020-05-10: Public disclosure

Researchers Monitor Rise Of An Infostealer Dubbed As ‘Poulight’ That Most Likely Has A Russian Origin


In times where info-stealer is progressively becoming one of the most common threats, the Infostealer market has thus risen as one of the most lucrative for cyber crooks, for the data gathered from infected frameworks could be 'resold' in the cybercrime underground or utilized for credential stuffing attacks.

This class of malware is said to incorporate many well-known malware like Azorult, Tesla, and Hawkeye.

Recently over the two months, Researchers from Cybaze-Yoroi ZLab observed the evolution and the diffusion of an info stealer dubbed as Poulight that most probably has a Russian origin. First spotted by MalwareBytes specialists in middle March and indicators of compromise have been as of now shared among the security community.

The vindictive code has propelled further stealing capabilities and continues to evolve. 

Hash                                8ef7b98e2fc129f59dd8f23d324df1f92277fcc16da362918655a1115c74ab95
Threat                              Poulight Stealer
Brief Description             Poulight Stealer
Ssdeep                       1536:GJv5McKmdnrc4TXNGx1vZD8qlCGrUZ5Bx5M9D7wOHUN4ZKNJH:                                               GJeunoMXNQC+E5B/MuO0Ogt

Above is the sample information / Technical Analysis

Like a large portion of the malware of this particular family, it is created from a builder accessible to cyber-criminal groups that offer a 'subscription plan' for its "product". The outcome is a .NET executable:

Static information about the binary file

A quirk of this sample is that it doesn't have a minimal indication of obscurity; the analysis is very simple to depict the malware abilities/capabilities. When the malware is propelled, it plays out a classical evasion technique (as shown in Fig.3):

Figure 3: Evasion Technique

This implemented evasion technique is one of the most exemplary ones, where, through the utilization of Windows Management Instrumentation (WMI) by executing the inquiry "Select * from Win32_ComputerSystem". Specifically, along these lines, a few checks of the most relevant tracks of virtualization are given, as:
• “vmware”
• “VIRTUAL”
 • “VirtualBox”
• “sbiedll.dll” (Sandboxie)
• “snxhk.dll” (Avast sandbox)
• “SxIn.dll” (Avast sandbox)
• “Sf2.dll” (Avast Sandbox”)

These checks are additionally recorded from the Al-Khaser or Pafish tools which are planned to be a test suite to distinguish malware analysis environments and intended to test the strength of the sandboxes. At that point, the malware can continue with the infection beginning giving rise to another threat called "Starter".

Figure 4: Loader module of the malware

The "Starter" class contains the routine to load the segments of the malware. Prior to that, there is the initialization of certain directories and files utilized to store the accumulated data from the victim machine. This activity is performed by the primary instruction "global:: Buffer.Start()", the method is very simple and easy: a series of folders were created within Windows Special folders (AppData, Local AppData, Personal, Desktop) along these lines:

Figure 5: Creation of folders in the Windows Special Folders

From that point forward, the malware extracts the configuration document and its parameters from the asset named "String0", a Base64 encoded string and through the following strategy they are then decoded:

Figure 6: Routine to extract the configuration file

The primary data tag "prog.params" is quickly recovered in the instruction "HandlerParams.Start()" which can be seen in Figure 4. Presently, a check of a previous infection is performed before beginning another one. The instruction "AntiReplaySender.CheckReplayStart()" (in figure 4) is assigned.

Figure 7: Check of a previous infection

The malware attempts to discover the id of the mutex. In the event that the file is available, the malware doesn't execute itself some other time, else it composes this empty document to sign the infection is begun. From that point forward, it transforms into the real vindictive main contained inside the "XS" class, as seen in figure 4. The primary bit of the code is the following:


Figure 8: Initialization of the mail module 
The first instruction is "Information.Start()" where all the data about the hardware and software of the host is collected along these lines:
Figure 9: Routine for retrieving the configuration of the victim machine

It is clearly evident that the malware utilizes both English and Russian dialects to log the data assembled. From that point onward, the stealer turns to count and log all the active processes inside the operative system.

Figure 10: Routine to extract the process list

Now as seen in figure 8, a 'check' on the third parameter is performed. On the off chance that it is equivalent to one; the "clippers" module is executed.

Figure 11: Routine to decode and execute an embedded component

As show in the above figure, this code can decode a component contained inside the "clbase" tag with the AES key stored within the "update" tag. Be that as it may, in the particular configuration there is no "clbase" field, so we don't have any other component to install. The last instruction seen in Figure 8 is "CBoard.Start", which works in the following way:

Figure 12: Routine to steal clipboard data

The subsequent stage is to accumulate all the sensitive data on the victim machine:

Figure 14: Detail of the stealing modules

The malware steals an immense amount of data:
  • Desktop Snapshot 
  • Sensitive Documents 
  • Webcam snapshot 
  • Filezilla credentials 
  • Pidgin credentials 
  • Discord Credentials 
  • Telegram 
  • Skype 
  • Steam 
  • Crypto Currencies 
  • Chrome chronology  
The most fascinating part is that the module "DFiles" instructed to steal sensitive documents. It begins with looking through the records with one of the accompanying extensions:

Figure 15: Routine to search the documents with specific extensions
Within the gathered files, the malware searches for the classic keywords showing that the content of the files conserves some valuable accreditations. The keywords are the accompanying:

Figure 16: List of keywords searched within the documents

Then the malware proceeds to gather all the data inside a unique data structure and sends it to the C2 retrieved in another resource named "connect":

Figure 17: Routine to upload to the C2 the stolen information

At long last, it downloads and executes various components from the Internet. The parameters are recovered similarly observed in the past segment: a tag named "file" contains the component to download.
Figure 18: Routine to download other components from the Internet
Thus there is no doubt in the fact that Poulight stealer has a mind-boggling potential to steal delicate data and it ought not to be disregarded that later on, it may supplant other info stealers like Agent Tesla, remcos, etc.

In any case, the limitation of the embed is the absence of code obfuscation and data protection, however, this could be clarified due to the fact that, possibly, the malware is in its early stages of development.

Since now that the attackers likely will enhance these features, therefore, being aware of them is the best step forward for the users now. RN

Instagram Users Fall Victim To yet another Phishing Campaign



Instagram user's become victims of a new phishing campaign that utilizes login attempt warnings combined with what resembles the two-factor authentication (2FA) codes to trick potential victims into surrendering over their sensitive data by means of fake sites.

It is believed that they use the 2FA to make the scam increasingly 'believable' and  alongside this they resort to phishing with the assistance of a wide scope of social engineering techniques, just as messages intended to seem as though they're sent by somebody they know or an authentic association.

Here, particularly the attackers utilize fake Instagram login alerts stating that somebody tried to sign in to the target's account, and thusly requesting that they affirm their identity by means of a sign-in page linked within the message.

In order to abstain from raising any suspicions these messages are intended to look as close as conceivable to what official messages might appear coming from Instagram.

Once on the target is redirected to the phisher's landing page, they see a perfectly cloned Instagram login page verified with a legitimate HTTPS certificate and displaying a green padlock to ease any questions regarding whether it's the genuine one or not.


To avoid from falling for an Instagram phishing trick like this one, the users are prescribed to never enter their sign-in certifications if the page requesting that they sign in does not belong to the instagram.com site.

Anyway in the event that the user has had their Instagram credentials stolen in such an attack or had their account hacked but in some way or another can still access it, at that point they should initially check if their right email address and phone number are still associated with the account.

Following this they it is advised that they change the account's password by adhering to specific guidelines given by Instagram.

Be that as it may, assuming unfortunately, that the user has lost access to their account after it being hacked, they can utilize these guidelines or instructions to report the incident to Instagram's security, which will then accordingly re-establish it subsequent to confirming the user's identity through a picture or the email address or phone number you signed up with and the type of device you used at the time of sign up."