HP has an awful history of ‘accidentally’ leaving keyloggers onto its customers’ laptops. At least two times this year, HP laptops were caught with pre-installed keylogger or spyware applications.
tweet made by a security researcher claiming to have found a built-in keylogger in several HP laptops, and now he went public with his findings.

A security researcher who goes by the name of ZwClose discovered a keylogger in several Hewlett-Packard (HP) laptops that could allow hackers to record your every keystroke and steal sensitive data, including passwords, account information, and credit card details.

The Keylogger was found embedded in the SynTP.sys file, a part of Synaptics touchpad driver that ships with HP notebook computers, leaving more than 460 HP Notebook models vulnerable to hackers.

Although the keylogger component is disabled by default, hackers can make use of available open source tools for bypassing User Account Control (UAC) to enable built-in keylogger “by setting a registry value.”

Here’s the location of the registry key:

  • HKLM\Software\Synaptics\%ProductName%
  • HKLM\Software\Synaptics\%ProductName%\Default

The researcher reported the keylogger component to HP last month, and the company acknowledges the presence of keylogger, saying it was actually “a debug trace” which was left accidentally, but has now been removed.

A potential security vulnerability has been identified with certain versions of Synaptics touchpad drivers that impact all Synaptics OEM partners,” HP says in its advisory, calling the keylogger as a potential, local loss of confidentiality.

A party would need administrative privileges in order to take advantage of the vulnerability. Neither Synaptics nor HP has access to customer data as a result of this issue.

The company has released a Driver update for all the affected HP Notebook Models. If you own an HP laptop, you can look for updates for your model. The list of affected HP notebooks can be found at the HP Support website.

This is not the first time a keylogger has been detected in HP laptops. In May 2017, a built-in keylogger was found in an HP audio driver that was silently recording all of its users’ keystrokes and storing them in a human-readable file.

Advertisements

Caintech.co.ukThe NAS4Free operating system can be installed on virtually any hardware platform to share computer data storage over a computer network. ‘NAS’ as in “Network-Attached Storage” and ‘4Free’ as in ‘Free and open source’, NAS4Free is the simplest and fastest way to create a centralized and easily-accessible server for all kind of data!

NAS4Free supports sharing across Windows, Apple, and UNIX-like systems. It includes ZFS, Software RAID (0,1,5), disk encryption, S.M.A.R.T / email reports etc. with following protocols/services: CIFS/SMB (samba), Samba AD, FTP, NFS v4, TFTP, AFP, RSYNC, Unison, iSCSI, UPnP, Bittorent, Syncthing, VirtualBox and noVNC, Bridge, CARP (Common Address Redundancy Protocol) and HAST (Highly Available Storage).

This all can easy be managed by a configurable web interface.

Features
Backup
NAS
File Server

Websitehttps://www.nas4free.org

 

Caintech.co.uk

vsaudit

This is an opensource tool to perform attacks to general voip services It allows to scans the whole network or single host to do the gathering phase, then it is able to search for most known vulnerabilities on the founds alive hosts and try to exploit them.

Install dependencies

To start using vsaudit you must install the ‘bundler’ package that will be used to install the requireds gem dependencies through the Gemfile.

Download directly from website:

http://bundler.io/

Or install with ‘gem’ (ruby package manager) with:

deftcode ~ $ gem install bundler

After that the installation has been completed, run (in the directory where is located vsaudit):

deftcode vsaudit $ bundle

Now you can start vsaudit with:

deftcode vsaudit $ ruby vsaudit.rb

NOTE: If you get an error with gem, you need to install the libssl-dev package (kali-linux: apt install libssl-dev).

Environment commands

  • Display the available options that can be set
  • List the environment variables
  • Get the value of environment variable
  • Set or change the environment variables

Audit commands

  • Check mistakes in the local configuration files
  • Scan a local o remote network
  • Enumerate the extensions
  • Bruteforce extensions
  • Get the live network traffic
  • Intercept the network traffic by custom bpf

Informations commands

  • Get informations about modules or address
  • Show the report list
  • Show the extensions list

Global commands

  • Display the help message
  • Quit from the framework

Screenshot

Reference

Source: https://github.com/eurialo/vsaudit

So why do we restrict Powershell to users in an organisation, well the answer is Mimikittenz.

Mimikittenz is a post-exploitation powershell tool that utilizes the Windows function ReadProcessMemory() in order to extract plain-text passwords from various target processes.
mimikittenz can also easily extract other kinds of juicy info from target processes using regex patterns including but not limited to:

  • TRACK2 (CreditCard) data from merchant/POS processes
  • PII data
  • Encryption Keys & All the other goodstuff

NOTE: This tool is targeting running process memory address space, once a process is killed it’s memory ‘should’ be cleaned up and inaccessible however there are some edge cases in which this does not happen.

The aim of mimikittenz is to provide user-level (non-admin privileged) sensitive data extraction in order to maximise post exploitation efforts and increase value of information gathered per target.
Currently mimikittenz is able to extract the following credentials from memory:

NOTE: This tool is targeting running process memory address space, once a process is killed it’s memory ‘should’ be cleaned up and inaccessible however there are some edge cases in which this does not happen.

The aim of mimikittenz is to provide user-level (non-admin privileged) sensitive data extraction in order to maximise post exploitation efforts and increase value of information gathered per target.

Currently mimikittenz is able to extract the following credentials from memory:

#####Webmail#####

Gmail
Office365
Outlook Web
#####Accounting#####

Xero
MYOB
#####Remote Access#####

Juniper SSL-VPN
Citrix NetScaler
Remote Desktop Web Access 2012
#####Developement#####

Jira
Github
Bugzilla
Zendesk
Cpanel
#####IHateReverseEngineers#####

Malwr
VirusTotal
AnubisLabs
#####Misc#####

Dropbox
Microsoft Onedrive
AWS Web Services
Slack
Twitter
Facebook

Download
git clone https://github.com/putterpanda/mimikittenz.git
https://github.com/putterpanda/mimikittenz.git

Also read: Unofficial Guide to Mimikatz & Command Reference

NACKered

NACKered is a small bash script based off the work of Alva Lease ‘Skip’ Duckwall IV to bypass 802.1x Network Access Control. Tested and working on a raspberrypi running a cut down version of Kali.

Hardware Prerequisites

  • You’ll need a system with two ethernet ports, you’ll need physical access to place your device inline.
  • If you’re running this on a box you’ve dropped into a network and you need to set up a remote connection to it, for example, 3G/4G, you’ll need to do some minor edits, adding your new interface into the bridge etc.

Software Prerequisites

Very limited software prerequisites are needed:

  • Debian Based OS (with usual tools bash/ipconfig/route etc)
  • brctl (bridge control – used to create the bridges)
  • macchanger (alters mac addresses)
  • mii-tool (forces a reauth by cycling connections)
  • tcpdump (packet capture stuff)
  • arptables/ebtables/iptables (does rewriting and NAT’ing)

Execution Flow

The script currently has debugged breakpoints in it (it does “Press Enter” to do next step”), I’ll release a fully automatic one at some point.

  1. We set up the environment, killing services we don’t like, disabling IPv6, removing dns-cache etc
  2. We set some variables, obtaining MAC addresses from interfaces etc
    • The BridgeIP is set to 169.254.66.66, the “secret” SSH callback port is set to 2222, the NAT ranges is set to 61000-62000
  3. We kill all connections from the laptop and set up the bridge
  4. We do the little kernel trick to forward EAPoL packets
  5. We bring up the legit client and the switch side connection on the bridge – should auth now and be happy.
  6. We start packet capturing the traffic running through our device (but we are still dark!)
  7. We use arptables/iptables to drop any traffic from our machine
  8. A rule is made in ebtables to rewrite all MAC addresses leaving the device to look like the Victims.
  9. A default route is made such that all traffic is sent to our fake gateway, which has the mac of the real gateway (which we only know the mac address of). Because layer 2 is fine it will get to where it needs to go to.
  10. Sneeky ssh callback is created victim-ip:2222 will actually SSH into ourmachine:22
  11. Rule is made in iptables to rewrite all TCP/UDP/ICMP traffic with Victim-IP
  12. SSH server is started on attack machine in case it wasn’t
  13. Everything should be working so we take off the traffic drops made in line 7, and in theory, we can get going, doing what we need to do.

Download

git clone https://github.com/p292/NACKered.git

Use

./nackered.sh

Source: https://github.com/p292/NACKered

In capsule:

  • New ransomware named DoubleLocker infects android devices
  • Discovered by security researchers in ESET antivirus
  • The ransomware not only encrypts data but also changes the pin
  • Ransomware is spread through fake adobe flash player app
  • A ransom amount of 0.0130 BTC is demanded to retrieve the data

Security researchers have discovered a new ransomware called DoubleLocker which infects Android devices.

The specialty of DoubleLocker ransomware is that it can change device’s PIN which prevents users from accessing their device and also encrypts the data found in the device.

According to researchers from ESET antivirus, the ransomware is spread via fake adobe flash player app using compromised websites.

After installation, the app request for activation of google play service for obtaining accessibility permissions. The app uses them to activate device administrator rights to make itself as the default home application.

ESET malware researcher Lukas Stefanko said that “Setting itself as a default home app – a launcher – is a trick that improves the malware’s persistence. Whenever the user clicks on the home button, the ransomware gets activated, and the device gets locked again. Thanks to using the accessibility service, the user doesn’t know that they launch malware by hitting Home.”

The new pin set by the attacker is of a ransom value which is neither stored or sent anywhere making it impossible to recover it. When the ransom is paid the attacker resets the pin remotely and unlock the device.

The files are encrypted using AES encryption algorithm through “.cryeye” extension. The attacker has implemented the encryption properly so without the decryption key it is impossible to recover the files said stefanko.

A ransom amount of 0.0130 BTC (approximately USD 74) is demanded to retrieve the data.The only option for the user to retrieve their device other than paying ransom is factory reset, but files will be lost if not backed up properly.

Researchers said there is a possibility to bypass the pin in rooted devices if the device was in debugging mode before getting infected.

“The user can connect to the device by ADB and remove the system file where the PIN is stored by Android. This operation unlocks the screen so that the user can access their device. Then, working in safe mode, the user can deactivate device administrator rights for the malware and uninstall it. In some cases, a device reboot is needed.”

To prevent your device from infection, do follow the instructions below:

  1. Always switch off “Allow installation from unknown sources” in security settings thereby restricting download apps from a third party and anonymous sources.
  2. Always backup your data regularly.
  3. Don’t download attachments from unknown sources.
  4. Always Use google play store to install apps, don’t use any third party app stores.
  5. Download apps from verified developers and check their app rating and download counts before installing an app.
  6. Verify app permission before installing an app.
  7. Install the best and updated antivirus/antimalware software which can detect and block these type of malware.
 A web application firewall (or WAF) filters, monitors, and blocks HTTP traffic to and from a web application. A WAF is differentiated from a regular firewall in that a WAF is able to filter the content of specific web applications while regular firewalls serve as a safety gate between servers. By inspecting HTTP traffic, it can prevent attacks stemming from web application security flaws, such as SQL injection, cross-site scripting (XSS), file inclusion, and security mis-configurations.