David H. Lipman
Experts, Content Count 16,326, Days Won 1

Posts posted by David H. Lipman

  1. *** UPDATE ***  By Brian Krebs, KrebsOnSecurity

    Chinese Antivirus Firm Was Part of APT41 ‘Supply Chain’ Attack


    Quote

    One of the men indicted as part of APT41 — now 35-year-old Tan DaiLin — was the subject of a 2012 KrebsOnSecurity story that sought to shed light on a Chinese antivirus product marketed as Anvisoft. At the time, the product had been “whitelisted” or marked as safe by competing, more established antivirus vendors, although the company seemed unresponsive to user complaints and to questions about its leadership and origins.

    Tan DaiLin, a.k.a. “Wicked Rose,” in his younger years. Image: iDefense

    Anvisoft claimed to be based in California and Canada, but a search on the company’s brand name turned up trademark registration records that put Anvisoft in the high-tech zone of Chengdu in the Sichuan Province of China.

    A review of Anvisoft’s website registration records showed the company’s domain originally was created by Tan DaiLin, an infamous Chinese hacker who went by the aliases “Wicked Rose” and “Withered Rose.” At the time of the story, DaiLin was 28 years old.

    That story cited a 2007 report (PDF) from iDefense, which detailed DaiLin’s role as the leader of a state-sponsored, four-man hacking team called NCPH (short for Network Crack Program Hacker). According to iDefense, in 2006 the group was responsible for crafting a rootkit that took advantage of a zero-day vulnerability in Microsoft Word, and was used in attacks on “a large DoD entity” within the USA.

    “Wicked Rose and the NCPH hacking group are implicated in multiple Office based attacks over a two year period,” the iDefense report stated.

    When I first scanned Anvisoft at Virustotal.com back in 2012, none of the antivirus products detected it as suspicious or malicious. But in the days that followed, several antivirus products began flagging it for bundling at least two trojan horse programs designed to steal passwords from various online gaming platforms.

    Security analysts and U.S. prosecutors say APT41 operated out of a Chinese enterprise called Chengdu 404 that purported to be a network technology company but which served as a legal front for the hacking group’s illegal activities, and that Chengdu 404 used its global network of compromised systems as a kind of dragnet for information that might be useful to the Chinese Communist Party.

     

  2. http://www.marina.gi
    
    http://www.gib-conservatives.com
    
    http://www.gibnews.net
    
    http://www.gibname.net
    Quote

    I find my webserver is being blocked by Malwarebytes saying it's sending malware.

    This is a different one to the email one you use [ referencing services provided to me ]

    I don't think it is but anyone using malwarebytes is being blocked.  I've complained to them but they are asking for data from my PC which is not really the problem.

    And let me know if there is anything bad being sent, as it's a new server and the IP could have been bad in the past.  I had a DHCP IP at home once that was bad news.

    Thanks in advance

    <site owner>

     

  3. Report: Popular Marketing Tool Exposes Dating Site Users in Massive Data Leak

    Quote

    vpnMentor’s research team recently received a report from an anonymous ethical hacker about a massive data leak exposing users of over 70 adult dating and e-commerce websites from around the world.

    The various websites were all using the same marketing software built by email marketing company Mailfire — who was responsible for the leak.

    The software in question had been compromised through an unsecured Elasticsearch server, exposing people all over the world to dangers like identity theft, blackmail, and fraud.

    Upon further investigation, it turned out that some of the sites exposed in the data leak were scams, set up to trick men looking for dates with women in various parts of the world.

    Data Leak Summary

    Company: Mailfire
    Headquarters: Cyprus
    Industry: Online Marketing
    Size of data in gigabytes: 882.1 GB
    Suspected no. of records: 320 million
    Websites affected: 70+
    No. of people exposed: 100,000s
    Date range/timeline: August 2020
    Geographical scope: Worldwide
    Types of data exposed: Notification contents; PII data; Private messages; Authentication tokens and links; Email content
    Potential impact: Fraud; Identity theft; Phishing scams; Blackmail and extortion; Website account takeover
    Data storage format: Elasticsearch

    Timeline of Discovery, Investigation, and Owner Response

    • Data leak discovered: 31st August 2020
    • Vendors contacted: 3rd September 2020
    • Response received from Mailfire: 3rd September 2020
    • Server secured: 3rd September 2020
    • Client companies informed: 4th September 2020

    Sometimes, the extent of a data breach and the data’s owner are obvious, and the issue is quickly resolved. But rare are these times. Most often, we need days of investigation before we understand what’s at stake or who’s leaking the data.

    Understanding a breach and its potential impact takes careful attention and time. We work hard to publish accurate and trustworthy reports, ensuring everybody who reads them understands their seriousness.

    Some affected parties deny the facts, disregarding our research, or playing down its impact. So, we need to be thorough and make sure everything we find is correct and accurate.

    In this case, the data leak originated from an unsecured Elasticsearch server, which we suspected was owned by Mailfire. The server appeared to be connected to a notification tool used by the company’s clients to market to their website users and notify them of private chat messages.

    After investigating the server and compiling sufficient evidence to confirm Mailfire owned the exposed server, we reached out to the company and presented our findings. They acted immediately and secured the server within a few hours. Mailfire assumed full responsibility and insisted that the companies exposed were in no way responsible at all — and our research has also confirmed this to be true.

    It is also worth noting that Mailfire is not responsible for the activity of the customers using their service.

     

  4. US Staffing Firm Artech Keeps Silent About Data Breach, Leaves Customers at Risk of Fraud for Eight Months

     

    Quote

    Artech Information Systems, a minority- and women-owned diversity supplier and one of the largest IT staffing companies in the U.S., has disclosed a data breach exposing personal, financial, and health information of some of its clients. Notably, the attack occurred in January, eight months ago.

    Artech disclosed the breach in a letter to affected parties, noting that its IT people noticed suspicious activity related to an employee’s user account in early January. Three days later, the firm’s systems had gotten infected with the REvil ransomware strain, but not before the hackers copied personal, health, and financial information of multiple individuals stored on the compromised systems.

    “The investigation determined that at the time of the incident the involved files may have contained information including name, Social Security number, medical information, health insurance information, financial information, payment card information, driver’s license/state identification number, government-issued identification number, passport number, visa number, electronic/digital signature, username and password information,” Artech says in a letter to affected customers.

    BleepingComputer reportedly became aware of the breach on January 11, when the REvil gang advertised 337MB of the stolen data on a website used to shame victims and coerce them into paying a ransom. Artech allegedly ignored the publication’s emails and only recently acknowledged the hack, leaving affected customers vulnerable to fraud and phishing attacks.

     

  5. It is now a well known fact that State Security Services and Military contract their respective country's hacker community members to assist in data and credential harvesting as well as monetary and intellectual property theft.  These joint venture Advanced Persistent Threats (APT) are assigned an APT number and may also be assigned a moniker such as Fancy Bear (APT28) and Cozy Bear (APT29).

    Cozy Bear compromised the two US Political Party committees prior to the 2016 election.  For one they released data publicly through Wikileaks to subvert that Party.  The other Political Party's harvested data was kept private but was passed along and is now used for political leverage and held over that Political Party's head like the Sword of Damocles.

  6. Seven International Cyber Defendants, Including “Apt41” Actors, Charged In Connection With Computer Intrusion Campaigns Against More Than 100 Victims Globally

    Quote

     

    Two Defendants Arrested in Malaysia; Remaining Five Defendants, One of Whom Allegedly Boasted of Connections to the Chinese Ministry of State Security, are Fugitives in China
     

    In August 2019 and August 2020, a federal grand jury in Washington, D.C., returned two separate indictments charging five computer hackers, all of whom were residents and nationals of the People’s Republic of China (PRC), with computer intrusions affecting over 100 victim companies in the United States and abroad, including software development companies, computer hardware manufacturers, telecommunications providers, social media companies, video game companies, non-profit organizations, universities, think tanks, and foreign governments, as well as pro-democracy politicians and activists in Hong Kong.

     The intrusions, which security researchers have tracked using the threat labels “APT41,” “Barium,” “Winnti,” “Wicked Panda,” and “Wicked Spider,” facilitated the theft of source code, software code signing certificates, customer account data, and valuable business information.  These intrusions also facilitated the defendants’ other criminal schemes, including ransomware and “crypto-jacking” schemes, the latter of which refers to the group’s unauthorized use of victim computers to “mine” cryptocurrency. 

    Also in August 2020, the same federal grand jury returned a third indictment charging two Malaysian businessmen who conspired with two of the Chinese hackers to profit from computer intrusions targeting the video game industry in the United States and abroad.  Shortly thereafter, the U.S. District Court for the District of Columbia issued arrest warrants for the two businessmen.  On Sept. 14, 2020, pursuant to a provisional arrest request from the United States with a view to their extradition, Malaysian authorities arrested them in Sitiawan.  The department appreciates the significant cooperation and assistance provided by the Government of Malaysia, including the Attorney General’s Chambers of Malaysia and the Royal Malaysia Police.

    In addition to arrest warrants for all of the charged defendants, in September 2020, the U.S. District Court for the District of Columbia issued seizure warrants that resulted in the recent seizure of hundreds of accounts, servers, domain names, and command-and-control (“C2”) “dead drop” web pages used by the defendants to conduct their computer intrusion offenses.  The FBI executed the warrants in coordination with other actions by several private-sector companies, which included disabling numerous accounts for violations of the companies’ terms of service.  In addition, in partnership with the department, Microsoft developed and implemented technical measures to block this threat actor from accessing victims’ computer systems.  The actions by Microsoft were a significant part of the overall effort to deny the defendants continued access to hacking infrastructure, tools, accounts, and command and control domain names.  In coordination with today’s announcement, the FBI has also released a Liaison Alert System (FLASH) report that contains critical, relevant technical information collected by the FBI for use by specific private-sector partners.

    “The department of Justice has used every tool available to disrupt the illegal computer intrusions and cyberattacks by these Chinese citizens,” said Deputy Attorney General Jeffrey A. Rosen.  “Regrettably, the Chinese communist party has chosen a different path of making China safe for cybercriminals so long as they attack computers outside China and steal intellectual property helpful to China.”

     “Today’s charges, the related arrests, seizures of malware and other infrastructure used to conduct intrusions, and coordinated private sector protective actions reveal yet again the department’s determination to use all of the tools at its disposal and to collaborate with the private sector and nations who support the rule of law in cyberspace,” said Assistant Attorney General John C. Demers.  “This is the only way to neutralize malicious nation state cyber activity.”

    “Today’s announcement demonstrates the ramifications faced by the hackers in China but it is also a reminder to those who continue to deploy malicious cyber tactics that we will utilize every tool we have to administer justice,” said FBI Deputy Director David Bowdich. “The arrests in Malaysia are a direct result of partnership, cooperation and collaboration. As the cyber threat continues to evolve larger than any one agency can address, the FBI remains committed to being an indispensable partner to our federal, international and private sector partners to stop rampant cyber crime and hold those carrying out these kind of actions accountable.”

     

    https://www.fireeye.com/current-threats/apt-groups.html

    Quote

    APT41

    Suspected attribution: China

    Target sectors: APT41 has directly targeted organizations in at least 14 countries dating back to as early as 2012. The group’s espionage campaigns have targeted healthcare, telecoms, and the high-tech sector, and have historically included stealing intellectual property. Their cyber crime intrusions are most apparent among video game industry targeting, including the manipulation of virtual currencies, and attempted deployment of ransomware. APT41 operations against higher education, travel services, and news/media firms provide some indication that the group also tracks individuals and conducts surveillance.

    Overview: APT41 is a prolific cyber threat group that carries out Chinese state-sponsored espionage activity in addition to financially motivated activity potentially outside of state control.

    Associated malware: APT41 has been observed using at least 46 different code families and tools.

    Attack vectors: APT41 often relies on spear-phishing emails with attachments such as compiled HTML (.chm) files to initially compromise their victims. Once in a victim organization, APT41 can leverage more sophisticated TTPs and deploy additional malware. For example, in a campaign running almost a year, APT41 compromised hundreds of systems and used close to 150 unique pieces of malware including backdoors, credential stealers, keyloggers, and rootkits. APT41 has also deployed rootkits and Master Boot Record (MBR) bootkits on a limited basis to hide their malware and maintain persistence on select victim systems.

     

  7. Domo arigato @LiquidTension

    No change.

    I keep the utility in question updated and in-hand and installed the "System Monitor service" per your request and monitored MBAM accessing the account.  Nothing was logged. 

    I then specifically loaded Fiddler and set up MBAM to use a Fiddler Proxy.  Results ==> Data.ZIP

     

    Note that no other program complains about a Proxy.  A Proxy is only in use when I specifically set one up, like Fiddler.  No other components of MBAM have issues and the program gets updates.  It is only an issue with keystone.mwbsys.com and it only occurs when checking license compliance.  It did not happen with 4.1.x nor when I updated to v4.2.  It only occurred after a v4.2.x update.

    When I started this thread, I was at:  4.2.0.82, 1.029403 and 1.0.1036  and I am now at 4.2.0.82, 1.029939 and 1.0.1045

    With the same inability to access the license server problem.

    If it was a Proxy issue I would have a problem getting updates too as all MBAM components would use a Proxy and not just the License Server check-in process.

    As you previously noted, this is the issue...

    On 9/4/2020 at 11:59 AM, LiquidTension said:

    Thank you. This is the issue:

    
    "Exception details: text=SSL Exception: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed"

     

    Referencing "Certificate verify failed", it begs the questions...

    • Does MBAM use OpenSSL or the Microsoft CryptoAPI?
    • Does MBAM use or depend upon external DLLs/modules, or are they embedded/compiled in?
    • Where is the certificate?
      • Is it a disk file (.cer/.der, .crt, .pem, .key, .p7b/.p7c, .pfx, etc.)?
      • Is it in the certificate store?
    • Can we verify the certificate chain with OCSP?

    EDIT:

    As I wrote this, v4.2.1 was released.  However, it will not perform an online in situ upgrade and actually downgrades the program.

    From 4.2.0.82, 1.029939 and 1.0.1045  to  4.2.0.82, 1.029391 and 1.0.1036

    I await the release of the Offline installer for v4.2.1
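    The two things the questions above lead to, written out as an added example (not Malwarebytes code, and no claim about how MBAM itself is built): decode the OpenSSL error code, whose numeric layout alone identifies the library and its generation, then repeat the chain check from a stand-alone OpenSSL-backed client (Python's ssl module) against the license server and report which trust store that client consulted and what leaf certificate the server presented. The host name is the one in the thread; port 443 (HTTPS) is an assumption.

```python
"""Added example for this thread; not Malwarebytes code, and it makes no claim
about how MBAM itself is built.  Decodes an OpenSSL error string such as
"error:1416F086:SSL routines:tls_process_server_certificate:certificate verify
failed" and repeats the certificate-chain check from Python's ssl module.
Assumption: the licence server speaks HTTPS on port 443.
"""
import hashlib
import re
import socket
import ssl
from typing import Any, Dict, Optional

_ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)")


def decode_openssl_error(text: str) -> Dict[str, Any]:
    """Split an OpenSSL error string into library, function and reason codes.

    OpenSSL 1.1.x packs lib(8 bits) | func(12 bits) | reason(12 bits) and
    prints a function name in the third field; OpenSSL 3.x packs
    lib(8 bits) << 23 | reason(23 bits) and leaves that field empty.  In both,
    ERR_LIB_SSL is 20 and SSL_R_CERTIFICATE_VERIFY_FAILED is 134.
    """
    m = _ERR_RE.search(text)
    if m is None:
        raise ValueError("not an OpenSSL error string: %r" % text)
    code = int(m.group(1), 16)
    lib_name, func_name, reason_name = m.group(2), m.group(3), m.group(4).strip()
    if func_name:                                   # 1.1.x layout
        lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
        generation = "1.1.x"
    else:                                           # 3.x layout
        lib, func, reason = code >> 23, 0, code & 0x7FFFFF
        generation = "3.x"
    return {
        "code": code, "lib": lib, "func": func, "reason": reason,
        "lib_name": lib_name, "func_name": func_name, "reason_name": reason_name,
        "openssl_generation": generation,
        # reason 134 in the SSL library: X.509 chain validation failed in the handshake
        "is_chain_failure": lib == 20 and reason == 134,
    }


def probe_tls_chain(host: str = "keystone.mwbsys.com", port: int = 443,
                    cafile: Optional[str] = None, timeout: float = 10.0) -> Dict[str, Any]:
    """Handshake with verification on; on failure, record the verify error and
    handshake again with verification off solely to fingerprint the leaf.
    Pass `cafile` to try an alternative bundle (e.g. roots exported from the
    Windows store) and see whether the trust store is the difference."""
    paths = ssl.get_default_verify_paths()
    out: Dict[str, Any] = {
        "host": host, "openssl": ssl.OPENSSL_VERSION,
        "trust_store": {"cafile": cafile or paths.cafile, "capath": paths.capath},
        "verified": False, "error": None, "leaf": None,
    }
    ctx = ssl.create_default_context(cafile=cafile)   # on Windows this also loads the ROOT/CA stores
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                out["verified"] = True
                out["leaf"] = {"subject": cert.get("subject"), "issuer": cert.get("issuer"),
                               "not_after": cert.get("notAfter")}
                return out
    except ssl.SSLCertVerificationError as exc:
        out["error"] = {"verify_code": getattr(exc, "verify_code", None),
                        "verify_message": getattr(exc, "verify_message", str(exc))}
    # Second pass without verification: which leaf did the server actually send?
    nv = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    nv.check_hostname = False
    nv.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with nv.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True) or b""
    out["leaf"] = {"sha256": hashlib.sha256(der).hexdigest(), "der_bytes": len(der)}
    return out


if __name__ == "__main__":
    print(decode_openssl_error(
        "SSL Exception: error:1416F086:SSL routines:"
        "tls_process_server_certificate:certificate verify failed"))
    print(probe_tls_chain())
```

    The decoder turns 0x1416F086 into lib 20 (SSL), func 367 (tls_process_server_certificate) and reason 134 (certificate verify failed): the `error:XXXXXXXX:SSL routines:function:reason` text is OpenSSL's own ERR_error_string format, and a non-empty, lower-case function field is the 1.1-era layout, so the failing verifier is OpenSSL's X.509 code consulting whatever trust store that build was pointed at, not CryptoAPI. If the probe verifies cleanly from the same machine with the default Python context, the difference is in what the application's OpenSSL is given as roots; if it fails the same way, `verify_message` names the missing or untrusted link. For the OCSP question, `openssl s_client -connect keystone.mwbsys.com:443 -status -showcerts` prints the presented chain and any stapled OCSP response.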

     

  8. FipsAlgorithmPolicy = 0
    Rebooted, no change.

    FipsAlgorithmPolicy = 1
    Rebooted, no change

    reverted back to, FipsAlgorithmPolicy = 0
    Rebooted, no change

    IIS Crypto 3.2 - Backed up registry - RegistryBackup.zip

    Advanced, "Best Practices"
    Rebooted, no change

    Restored registry
    Rebooted, no change

    Sayonara Bonjour
    Rebooted, no change

    "There are no updates available for your computer" ( Win7 Ultimate/32 )

  9. The Internet’s Biggest Webmaster Forum Had a Data Breach

    Quote

    Another day and another big data leak. On July 1st the WebsitePlanet research team in cooperation with Security Researcher Jeremiah Fowler discovered a non-password protected database that contained records of the internet’s largest webmaster portal. Upon further research it appeared that Digital Point had leaked the data of 863,412 users.

    Digital Point claims to be the world’s biggest webmaster forum and marketplace for web related services. The forum lets people buy and sell websites, SEO, and a wide range of services. The site caters to those individuals who maintain or create websites either for themselves or customers.

    Data Breach Summary

    Domain: DigitalPoint.com
    Location: San Diego, California
    Industry: Internet Forum / Webmaster
    Total number of records: 62,858,144 records
    No. of people exposed: 863,412 Digital Point Users
    Geographical scope: Worldwide
    Types of data exposed: User emails, names, internal user ID numbers, internal records and user posts.
    Potential impact: Domain hijacking, targeted phishing attempts, email-based malware attacks, social engineering. Database at risk for ransomware. Middleware information that could allow for a secondary path for malware. Storage info that cyber criminals could exploit to access deeper into the network.
    Data storage format: This is an Elastic database set to open and be visible in any browser (publicly accessible), and data could have been edited, downloaded, or even deleted without administrative credentials.

    *As Security Researchers we never extract data or circumvent password or other security measures. We only take a limited number of screenshots to validate our discoveries.

     

     

  10. Phishing is all about capturing user credentials by masquerading as some entity.  This can be a Bank, an online store, Insurance account, medical account, email account, etc. For example, the below is a Phish for USAA...

    [Image attachment: screenshot of a USAA phishing email]


    The email could have been a Malwarebytes account Phish but we would have to see the Full Header and Body of the email (RAW format in text not a graphic screenshot)  to make that determination.  The objective would be to block the Phish URL by Malwarebytes' products.

    Malwarebytes provides a sub-forum for providing URLs of suspect and/or malicious sites: Newest IP or URL Threats. One can submit after reading: READ ME: Purpose of this forum.

    The best way to determine if that email was a Malwarebytes Phish, and to get the URL blocked if it was, is to place the RAW email Header and Body text in a TXT file and attach that to a post in Newest IP or URL Threats.  Attachments can only be accessed by Experts and Malwarebytes Staff, which will keep Personal Information contained in the attachment private.
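    The triage that happens on such a RAW header and body before the URL is submitted, as an added example (not a Malwarebytes tool): pull the hop IPs out of the Received headers, compare From with Reply-To, gather every URL from the text and HTML parts, and flag anchors whose visible text names a different host than the real href, which is the usual trick in a credential phish. RAW_PHISH is a constructed message; every host, address and IP in it is a reserved or documentation value, not anything observed.

```python
"""Added example for the post above; it is not a Malwarebytes tool.  Triage of
the RAW header and body of a suspected credential phish.  RAW_PHISH is a
constructed message: all hosts, addresses and IPs are reserved/documentation
values (example.invalid, vendor.example, 203.0.113.0/24).
"""
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from typing import Any, Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample: the lure text says vendor.example, the real link goes to example.invalid.
RAW_PHISH = b"""Return-Path: <alerts@example.invalid>
Received: from mail.example.invalid (mail.example.invalid [203.0.113.10])
\tby mx.recipient.example (Postfix) with ESMTP id 4BQ1x
\tfor <victim@recipient.example>; Fri, 04 Sep 2020 12:00:00 +0000
From: "Vendor Billing" <alerts@example.invalid>
Reply-To: renew@example.invalid
To: victim@recipient.example
Subject: Your subscription has expired
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Renew now: https://login.example.invalid/renew?acct=12345
--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Renew at <a href="https://login.example.invalid/renew?acct=12345">https://account.vendor.example</a></p></body></html>
--b1--
"""

_URL_RE = re.compile(r"https?://[^\s<>\"']+")
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # MTAs bracket the peer IP in Received


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML part."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data: str) -> None:
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag: str) -> None:
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _addr(msg, name: str) -> Optional[str]:
    """First addr-spec of an address header, or None if absent."""
    hdr = msg[name]
    return hdr.addresses[0].addr_spec if hdr and hdr.addresses else None


def triage_raw_email(raw: bytes) -> Dict[str, Any]:
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hops = [" ".join(str(h).split()) for h in msg.get_all("Received", [])]
    urls: List[str] = []
    mismatched: List[Tuple[str, str]] = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype == "text/plain":
            urls.extend(_URL_RE.findall(part.get_content()))
        elif ctype == "text/html":
            lc = _LinkCollector()
            lc.feed(part.get_content())
            lc.close()
            for href, text in lc.links:
                urls.append(href)
                shown = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
                if shown and shown != urlparse(href).hostname:
                    mismatched.append((href, text))   # displayed URL != real destination
    unique = sorted(set(urls))
    return {
        "subject": str(msg["Subject"]),
        "from_address": _addr(msg, "From"),
        "reply_to_address": _addr(msg, "Reply-To"),
        "reply_to_differs": _addr(msg, "Reply-To") not in (None, _addr(msg, "From")),
        "received_hops": hops,
        "sender_ips": [ip for hop in hops for ip in _IP_RE.findall(hop)],
        "urls": unique,
        "mismatched_links": mismatched,
        "hosts_to_submit": sorted({h for h in (urlparse(u).hostname for u in unique) if h}),
    }


if __name__ == "__main__":
    for key, value in triage_raw_email(RAW_PHISH).items():
        print(f"{key}: {value}")
```

    Only the real hrefs and the plain-text URLs go into `urls`; the displayed text of a link is kept separately in `mismatched_links`, since the visible host is what the victim reads and the href is what needs blocking. Feeding it a screenshot is impossible, which is the point of asking for the RAW text.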

     

     
