Information Security Newspaper | Hacking News (https://www.securitynewspaper.com/)

How to do reconnaissance attack over your target the correct way
https://www.securitynewspaper.com/2018/05/12/reconnaissance-attack-target-correct-way/
Sat, 12 May 2018 04:11:04 +0000

The post How to do reconnaissance attack over your target the correct way appeared first on Information Security Newspaper | Hacking News.

Information security experts explain that a domain name is a human-readable label attached to one or more IP addresses on the Internet. Since many companies have moved their infrastructure to the cloud, looking for a company's servers among all the IP addresses in a cloud provider's ranges is like looking for a needle in a haystack. Domain names are therefore the most reliable link from an organization to its IP addresses.


The goal is to find all the domain names belonging to a single entity. This can only be achieved step by step, by combining vertical and horizontal domain correlation. In what follows, "target" denotes the entity of interest in the correlation process.

Vertical domain correlation: starting from a domain name, search for names that share the same base domain. This process is better known as subdomain enumeration.

Horizontal domain correlation: starting from a domain name, search for domain names that have a different second-level domain but belong to the same entity.


As an example, eff.org has been selected as the target.

In the first step, the experts say, you perform vertical correlation on eff.org.

This is done with tools such as Sublist3r, amass or aquatone. Keep in mind that many of the open source subdomain enumeration tools give poor results on their own; the information security professionals recommend "meta" subdomain enumeration, which merges the results of several enumeration services and data sources.

Sample output of Sublist3r (shown as a screenshot in the original post).

In the next step, you perform horizontal correlation on eff.org. This step is more complicated: you cannot rely on a syntactic match as in the previous step. For example, abcabcabc.com and cbacbacba.com may well be owned by the same entity, but nothing in the names says so. For this you can use WHOIS data, via reverse WHOIS services that let you search the WHOIS database for records sharing a common value (registrant e-mail, organization, name server).


The WHOIS record lists an e-mail address as the registration contact, the security expert says. A reverse WHOIS search on that address reveals other domains registered with the same e-mail.


For reverse WHOIS, the expert recommends the viewdns.info service.

In step three, pick the interesting domains found in step two and run vertical correlation (subdomain enumeration) on each of them.

At this point you should have a large list of domain names linked to your target, says the information security professional.

With any luck, the target will have registered a dedicated IP range. The easiest way to verify this is to run an IP-to-ASN lookup on a handful of the IP addresses that the collected domain names resolve to: if they fall in an autonomous system registered to the target, the target owns dedicated address space.


It turns out that eff.org does not have dedicated IP space. As a counterexample, let's look at Google.


Google operates AS15169, one of the autonomous systems it owns.

A dedicated IP range makes things easier: the company's prefixes are announced by its AS, and from the CIDR notation you can enumerate every IP address in those ranges.

If the target does not have dedicated space, you have to rely on the domain names compiled earlier and resolve them to IP addresses. Even when the target does have a dedicated range, it is recommended to resolve the names anyway: part of the infrastructure may already be running in the cloud, outside the dedicated range.

The researcher also points out that this approach can produce false positives. The target may use shared hosting, e.g. for a landing page; the IP address of that host ends up in your list even though the address is clearly not dedicated to the target.

For DNS resolution, the expert recommends massdns. It resolves the domain names in the compiled list to the IP addresses in their A records.


This yields a list of IP addresses corresponding to the target's FQDNs. Merge that result set with the addresses enumerated from the target's CIDR blocks, and you have a list of IP addresses linked to your target.
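The four steps above (vertical correlation, reverse-WHOIS horizontal correlation, vertical correlation on the sibling domains, then resolution and an IP-to-ASN check) as one added Python example. It is not code from the original post or from 0xpatrik; every domain, e-mail address, ASN and organization name in it is constructed, the IP ranges are RFC 5737 documentation space, and the dictionaries stand in for the output of Sublist3r, a reverse WHOIS service, massdns and an IP-to-ASN table so that it runs offline. Addresses that resolve outside the target's own ASN are reported separately, which is the shared-hosting false positive the article warns about.

```python
import ipaddress

# Constructed stand-ins for tool output. None of the names, e-mail
# addresses, ASNs or organisations are real; the IP ranges are RFC 5737
# documentation space.
SUBLIST3R_OUTPUT = {                   # base domain -> raw enumeration output
    "example.org": [
        "www.example.org",
        "Mail.example.org.",           # case and trailing dots vary by tool
        "dev.example.org",
        "www.example.org",             # duplicates are common
        "example.org.lookalike.net",   # contains, but is not under, the base
    ],
    "example-foundation.net": ["www.example-foundation.net"],
    "exmpl.io": ["exmpl.io"],
}
REVERSE_WHOIS = {                      # registrant e-mail -> domains
    "hostmaster@example.org": ["example.org", "example-foundation.net", "exmpl.io"],
    "admin@unrelated.com": ["unrelated.com"],
}
MASSDNS_A_RECORDS = {                  # FQDN -> A records
    "www.example.org": ["203.0.113.10"],
    "mail.example.org": ["203.0.113.25"],
    "dev.example.org": ["198.51.100.7"],
    "www.example-foundation.net": ["203.0.113.11"],
    "exmpl.io": ["198.51.100.7"],      # same shared host as dev.example.org
}
IP_TO_ASN = {                          # CIDR -> (ASN, organisation)
    "203.0.113.0/24": (64496, "EXAMPLE-ORG"),
    "198.51.100.0/24": (64511, "SHARED-HOSTER"),
}


def vertical_correlation(base, candidates):
    """Steps 1 and 3: keep only names that are syntactically under the base domain."""
    base = base.lower()
    keep = set()
    for name in candidates:
        name = name.lower().rstrip(".")
        if name == base or name.endswith("." + base):
            keep.add(name)
    return sorted(keep)


def horizontal_correlation(base, whois_index):
    """Step 2: sibling domains that share a registrant e-mail with the base."""
    siblings = set()
    for domains in whois_index.values():
        if base in domains:
            siblings.update(d for d in domains if d != base)
    return sorted(siblings)


def resolve_all(names, records):
    """Step 4: FQDN -> A records; names that do not resolve are skipped."""
    ips = set()
    for name in names:
        ips.update(records.get(name, []))
    return sorted(ips, key=ipaddress.ip_address)


def lookup_asn(ip, table):
    """IP -> (ASN, organisation) by longest-prefix match; (None, None) if unknown."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, owner in table.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, owner)
    return best[1] if best else (None, None)


def target_cidrs(table, target_org):
    """Dedicated ranges: every CIDR the ASN table attributes to the target."""
    return sorted(c for c, (_, org) in table.items() if org == target_org)


def discover(base, target_org):
    """Run steps 1-4 and return the scope plus the IPs that need a manual look."""
    names = vertical_correlation(base, SUBLIST3R_OUTPUT.get(base, []))
    for sibling in horizontal_correlation(base, REVERSE_WHOIS):
        names += vertical_correlation(sibling, SUBLIST3R_OUTPUT.get(sibling, []))
    resolved = resolve_all(names, MASSDNS_A_RECORDS)
    # IPs outside the target's own ASN are possible false positives
    # (shared hosting, cloud tenants) and are reported separately.
    needs_review = []
    for ip in resolved:
        asn, org = lookup_asn(ip, IP_TO_ASN)
        if org != target_org:
            needs_review.append((ip, asn, org))
    scope = set(resolved)
    for cidr in target_cidrs(IP_TO_ASN, target_org):
        scope.update(str(h) for h in ipaddress.ip_network(cidr).hosts())
    return {
        "names": names,
        "resolved": resolved,
        "dedicated_cidrs": target_cidrs(IP_TO_ASN, target_org),
        "scope": sorted(scope, key=ipaddress.ip_address),
        "needs_review": needs_review,
    }


if __name__ == "__main__":
    r = discover("example.org", "EXAMPLE-ORG")
    print(len(r["scope"]), "addresses in scope;", r["needs_review"], "need review")
```

In a real run the four dictionaries would be replaced by the files the tools write; the correlation and classification logic stays the same, and the `needs_review` list is the set of addresses to confirm by hand before scanning.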

Now the most interesting part: services. The reason for collecting domain names and then IP addresses is to discover which services the target exposes to the Internet. For that, the hosts have to be scanned, the information security professional comments, and there are two options:

Active scanning: the traditional nmap approach, or Masscan for a large list of hosts. Active scanning takes more time and can trigger the target's IDS, but it gives the most accurate picture of the open services.

Passive analysis: based on data already collected by someone else, for example Shodan or Censys. The drawback is that the data may be several days old, so some of the listed services may already be closed. On the other hand, this "stealth" mode is generally preferred when simulating an APT.

Shodan offers search filters (dorks) for this purpose. You can search a specific IP range like this:

net:64.233.160.0/19

You can also filter by the organization name from the WHOIS database:

org:"Google"

Censys offers the same functionality:

ip:64.233.160.0/19

and filters for the ASN and the organization:

autonomous_system.asn:15169

autonomous_system.organization:"Google Inc."

eff 9

For stealth mode you can also use Rapid7's Project Sonar, whose scan datasets can be downloaded in full and queried offline.

At this point you should have very good visibility into your target.


The final set consists of IP:port pairs that belong to the target.

Information security experts add that post-processing can surface the most interesting services: for example, running a mass website screenshot tool such as Snapper gives you an overview of all the running web sites in one place.
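An added Python example, not from the original post, for the passive branch of the last step: it builds the Shodan and Censys filters listed above from the ranges collected earlier, and then reduces a passive-source export to the target's IP:port set while separating out records that are old enough that the service may already be closed. The export format (one record per observed ip/port with a "last seen" timestamp), the fixed clock and all addresses are constructed assumptions; a real export from Shodan, Censys or Project Sonar would be mapped onto the same three fields.

```python
import ipaddress
from datetime import datetime, timedelta, timezone


def shodan_queries(cidrs, org=None):
    """Shodan dorks: one net: filter per CIDR plus an optional org: filter."""
    queries = [f"net:{c}" for c in cidrs]
    if org:
        queries.append(f'org:"{org}"')
    return queries


def censys_queries(cidrs, asn=None, org=None):
    """Censys equivalents: ip:, autonomous_system.asn: and .organization:."""
    queries = [f"ip:{c}" for c in cidrs]
    if asn is not None:
        queries.append(f"autonomous_system.asn:{asn}")
    if org:
        queries.append(f'autonomous_system.organization:"{org}"')
    return queries


# Fixed clock so the example is reproducible; a real run would use
# datetime.now(timezone.utc).
NOW = datetime(2018, 5, 12, tzinfo=timezone.utc)

# Constructed export: one record per observed (ip, port), with the time the
# passive source last saw it. Addresses are RFC 5737 documentation space.
PASSIVE_EXPORT = [
    {"ip": "203.0.113.10", "port": 443,  "seen": NOW - timedelta(days=1)},
    {"ip": "203.0.113.10", "port": 22,   "seen": NOW - timedelta(days=40)},  # stale
    {"ip": "203.0.113.25", "port": 25,   "seen": NOW - timedelta(days=3)},
    {"ip": "198.51.100.7", "port": 80,   "seen": NOW - timedelta(hours=5)},
    {"ip": "192.0.2.99",   "port": 8080, "seen": NOW},                       # not in scope
]


def in_scope(ip, cidrs, extra_ips):
    """True if ip is inside a dedicated CIDR or among the resolved addresses."""
    addr = ipaddress.ip_address(ip)
    return ip in extra_ips or any(addr in ipaddress.ip_network(c) for c in cidrs)


def _sort_key(ip_port):
    ip, port = ip_port.rsplit(":", 1)
    return ipaddress.ip_address(ip), int(port)


def services_from_export(records, cidrs, extra_ips, max_age_days=30, now=NOW):
    """Reduce a passive export to the target's 'ip:port' set.

    Returns (fresh, stale): stale entries were last seen more than
    max_age_days ago and should be re-checked actively before being
    reported as open, since the service may already be gone."""
    fresh, stale = set(), set()
    for rec in records:
        if not in_scope(rec["ip"], cidrs, extra_ips):
            continue
        key = f'{rec["ip"]}:{rec["port"]}'
        if now - rec["seen"] > timedelta(days=max_age_days):
            stale.add(key)
        else:
            fresh.add(key)
    return sorted(fresh, key=_sort_key), sorted(stale, key=_sort_key)


if __name__ == "__main__":
    print(shodan_queries(["64.233.160.0/19"], org="Google"))
    print(censys_queries(["64.233.160.0/19"], asn=15169, org="Google Inc."))
    print(services_from_export(PASSIVE_EXPORT, ["203.0.113.0/24"], {"198.51.100.7"}))
```

The `stale` list is where the passive approach's weakness shows up in practice: those are the entries worth a targeted nmap or Masscan pass if the engagement allows any active traffic at all.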

Source: https://0xpatrik.com/asset-discovery/


How to make a Subdomain Takeover Attack
https://www.securitynewspaper.com/2018/05/04/make-subdomain-takeover-attack/
Fri, 04 May 2018 01:57:58 +0000


A team of information security experts explains that subdomain takeover vulnerabilities happen whenever a subdomain points to a service (for example GitHub Pages, Heroku, etc.) that has since been removed or decommissioned. This may allow an attacker to set up a page on the service that was being used and point it at that subdomain. For example, if subdomain.example.com was pointing to a GitHub Pages site and the owner deleted the site without removing the DNS record, an attacker could create a GitHub Pages site of their own, add a CNAME file containing subdomain.example.com and thereby claim subdomain.example.com.


Suppose www.testing.com points to a GitHub Pages site. If the owner deletes https://github.com/test0x01/testing but does not delete the DNS entry that points at it, anyone who claims that name on GitHub can publish content at www.testing.com.

Some attackers use subdomain scraping and brute-forcing tools such as Sublist3r to find a target's subdomains, information security professionals say. The DNS records are then checked and/or a screenshot script is used to spot vulnerable subdomains. A subdomain whose CNAME points to GitHub Pages and that returns a 404 is an indicator that the name can be claimed on GitHub.
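The DNS-plus-HTTP check described above as an added Python example; it is not from the original post or from Sublist3r. The hostnames, CNAME answers and HTTP responses are constructed and embedded so that it runs offline (a real scanner would resolve the CNAME and fetch the page). The only fingerprint relied on is the GitHub Pages "There isn't a GitHub Pages site here" banner; the fingerprint table itself is an assumption to extend per service. The point the article makes is enforced in the verdicts: a bare 404 is only "suspect", while "vulnerable" requires both a CNAME to a known service and that service's unclaimed-site fingerprint.

```python
# Constructed DNS answers: host -> CNAME target (None = no CNAME).
DNS = {
    "www.testing.example": "test0x01.github.io",
    "blog.testing.example": "live-user.github.io",
    "api.testing.example": None,
    "old.testing.example": "old-user.github.io",
}

# Constructed HTTP responses: host -> (status, body).
HTTP = {
    "www.testing.example": (404, "<h1>404</h1><p>There isn't a GitHub Pages site here.</p>"),
    "blog.testing.example": (200, "<html>Welcome to our blog</html>"),
    "old.testing.example": (404, "<html>Not Found</html>"),   # 404 but no fingerprint
}

# Assumed fingerprint table: CNAME suffix -> (service, text an unclaimed
# target returns). Extend per provider after checking its current behaviour.
FINGERPRINTS = {
    "github.io": ("github-pages", "There isn't a GitHub Pages site here"),
}


def match_service(cname):
    """Return (service, fingerprint) if the CNAME points at a known service."""
    if not cname:
        return None
    c = cname.lower().rstrip(".")
    for suffix, entry in FINGERPRINTS.items():
        if c == suffix or c.endswith("." + suffix):
            return entry
    return None


def check_takeover(host, dns=DNS, http=HTTP):
    """Verdicts: 'vulnerable' (CNAME to a known service and its unclaimed
    fingerprint is served), 'suspect' (404 without the fingerprint, verify
    by hand), or 'no'. A 404 on its own is never treated as proof."""
    cname = dns.get(host)
    entry = match_service(cname)
    if entry is None:
        return ("no", "no CNAME to a known third-party service")
    service, needle = entry
    status, body = http.get(host, (None, ""))
    if needle.lower() in body.lower():
        return ("vulnerable", f"{cname} is unclaimed on {service}")
    if status == 404:
        return ("suspect", f"{cname} returned 404 without the {service} fingerprint")
    return ("no", f"{cname} is serving content")


def scan(hosts, dns=DNS, http=HTTP):
    """Run the check over a subdomain list (e.g. Sublist3r output)."""
    return {h: check_takeover(h, dns, http) for h in hosts}


if __name__ == "__main__":
    for host, (verdict, reason) in scan(DNS).items():
        print(f"{verdict:10} {host}: {reason}")
```

For every "vulnerable" result the fix is the one the article gives at the end: delete the dangling CNAME record, rather than racing to re-claim the name on the provider.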


Now about Sublist3r. Sublist3r is a Python tool designed to enumerate the subdomains of websites using OSINT. Information security researchers note that it helps penetration testers and bug hunters collect the subdomains of the domain they are targeting. Sublist3r enumerates subdomains using many search engines, such as Google, Yahoo, Bing, Baidu and Ask, and also uses Netcraft, VirusTotal, ThreatCrowd, DNSdumpster and ReverseDNS.

Experts comment that subbrute was integrated into Sublist3r to increase the chance of finding more subdomains by brute force with an improved word list.

Installation: git clone https://github.com/aboul3la/Sublist3r.git


On the security impact: a subdomain takeover lets an attacker publish content on the subdomain, information security experts say. When the hijacked subdomain is a subdomain of the service's own base domain, the attacker can also read and set cookies for the base domain, because subdomain.example.com can set cookies scoped to example.com.

There is a real case of a subdomain takeover performed by Frans Rosén on inside.gratipay.com. Researchers note that Frans published his proof-of-concept page on a hidden path (login123) instead of putting content on the landing page; this is the right way to demonstrate the issue without damaging the company's image.

The fix is to remove the DNS entry of the subdomain that points to the deleted service, so that nobody can take it over.



Phishing campaigns target airline consumers seeking business credentials
https://www.securitynewspaper.com/2017/04/03/phishing-campaigns-target-airline-consumers-seeking-business-credentials/
Mon, 03 Apr 2017 03:02:38 +0000


A series of phishing campaigns is targeting airline consumers with messages crafted to trick victims into handing over personal or business credentials.


The phishing messages pretend to be sent by a travel agency or by someone inside the target firm; they carry a weaponized document or embed a malicious link.

“Over the past several weeks, we have seen a combination of attack techniques. One, where an attacker impersonates a travel agency or someone inside a company. Recipients are told an email contains an airline ticket or e-ticket,” explained Asaf Cidon, vice president, content security services at Barracuda Networks. 

According to Barracuda Networks, the aviation-themed phishing attacks contain links to spoofed airline sites, and the threat actors personalize the phishing page to trick victims into providing business information.

The attackers show deep knowledge of their targets; they are going after the logistics, manufacturing and shipping industries.

“It’s clear there is some degree of advanced reconnaissance that takes place before targeting individuals within these companies,” Cidon added.

Recently the U.S. Computer Emergency Readiness Team issued an alert of phishing campaigns targeting airline consumers.

“US-CERT has received reports of email-based phishing campaigns targeting airline consumers. Systems infected through phishing campaigns act as an entry point for attackers to gain access to sensitive business or personal information.” reads the US-CERT warning.

“US-CERT encourages users and administrators to review an airline Security Advisory and US-CERT’s Security Tip ST04-014 for more information on phishing attacks.”

The US-CERT specifically references the security advisory published by Delta Air Lines that warned its consumers of fraudulent activities.

“Delta has received reports of attempts by parties not affiliated with us to fraudulently gather customer information in a number of ways including: fraudulent emails, social media sites, postcards, Gift Card promotional websites claiming to be from Delta Air Lines and letters or prize notifications promising free travel,” states the Delta Air Lines warning.

Source:https://securityaffairs.co/


Google Announces First-Ever SHA1 Collision Attack
https://www.securitynewspaper.com/2017/02/24/google-announces-first-ever-sha1-collision-attack/
Fri, 24 Feb 2017 04:01:09 +0000


The SHA1 (Secure Hash Algorithm 1) cryptographic hash function is now officially dead and useless, after Google announced today the first ever successful collision attack.

SHA1 is a cryptographic hash function used to generate digests of digital data. In theory each data blob should have a unique digest, which is why SHA1 digests are used to sign files and to attest to their authenticity and identity.

The SHA1 hashing function was designed by the United States National Security Agency (NSA) and its algorithm was first published in 1995.

The algorithm started showing its age in 2005 when cryptanalysts found theoretical flaws that could be used to break SHA1 via collision attacks, a term used to describe when a determined attacker generates a file that has the same SHA1 hash of another, legitimate file.

Collision attacks are very dangerous in real life, as they allow an attacker to replace files without raising any suspicions.


Cryptanalysts had long recommended that companies move from SHA1 to the newer SHA2 or SHA3 hash functions, but SHA1’s demise began in earnest in the autumn of 2015, when researchers from several universities published a paper named The SHAppening.

In that research the scientists showed that advances in computing power had shortened SHA1’s remaining lifespan, estimating that a collision could be found for between $75,000 and $120,000 of Amazon EC2 time, a cost well within reach of nation states even then.

Shortly after their research went public, browser vendors such as Mozilla, Microsoft and Google started an accelerated process to replace SHA1 as the hash function in TLS/SSL certificates, a plan they are still carrying out as we speak.

Google and Dutch scientists teamed up

Unknown to many was that Google had approached two of the researchers involved in The SHAppening and offered their help in continuing their work.

With Google’s immense computing power at their disposal, and with the help of five of Google’s top cryptographers, this seven-man team published today new research detailing a full SHA1 collision attack.

As proof of their work, they also released two different PDF files that feature the same SHA1 hash, which stands to serve as evidence for the first ever successful SHA1 collision.

To better understand their announcement and the consequences of an SHA1 collision attack in the real world, imagine you signed a contract, stored it online as a PDF, and used its SHA1 hash to authenticate that nobody tampered with the file.

Knowing now that SHA1 hashes could be faked, how would you tell if someone hasn’t replaced the original PDF contract with another one that has the same SHA1 hash, but completely different clauses?

Proof-of-concept code to be released in 90 days

The only good news out of today’s announcement is that Google engineers described the SHA1 collision attack as “one of the largest computations ever completed,” meaning it won’t be financially possible to execute such attacks anytime soon.

Nevertheless, Google plans to release the proof-of-concept code that they used for the collision attack in 90 days, meaning companies that still rely on SHA1 have three months to replace it with something else.

With computing power getting cheaper every month and with the PoC code public, generating SHA1 collisions on demand is only months or years away.
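The contract scenario above comes down to one question: does a matching digest still prove the file is unchanged? After this result the answer for SHA1 is no. The following added Python example (not from the article or from Google's research) is a small file-manifest verifier that puts that policy into code: SHA-2 digests are checked, a SHA1 or MD5 entry is reported as "WEAK-ALGO" even when it matches. The manifest line format and the in-memory sample files are assumptions.

```python
import hashlib
import hmac

# SHA-2 family only; SHA-1 and MD5 entries are treated as giving no assurance.
ACCEPTED = {"sha256", "sha384", "sha512"}

# Constructed in-memory "files" so the example runs offline.
FILES = {
    "contract.pdf": b"%PDF-1.4 ... total price: 10,000 EUR ...",
    "readme.txt": b"hello\n",
}


def digest(algo, data):
    h = hashlib.new(algo)
    h.update(data)
    return h.hexdigest()


def make_manifest(files, algo="sha256"):
    """One line per file: '<algo>:<hexdigest>  <path>' (assumed format)."""
    return "\n".join(f"{algo}:{digest(algo, data)}  {path}"
                     for path, data in sorted(files.items()))


def verify_manifest(manifest, files):
    """Return {path: 'ok' | 'MISMATCH' | 'MISSING' | 'WEAK-ALGO'}.

    A matching SHA1 digest is reported as WEAK-ALGO rather than 'ok':
    a second file with the same SHA1 can now be constructed, so the match
    says nothing about whether the file was replaced."""
    result = {}
    for line in manifest.splitlines():
        if not line.strip():
            continue
        tag, path = line.split("  ", 1)
        algo, expected = tag.split(":", 1)
        algo = algo.lower()
        if algo not in ACCEPTED:
            result[path] = "WEAK-ALGO"
            continue
        data = files.get(path)
        if data is None:
            result[path] = "MISSING"
        elif hmac.compare_digest(digest(algo, data), expected.lower()):
            result[path] = "ok"
        else:
            result[path] = "MISMATCH"
    return result


if __name__ == "__main__":
    print(verify_manifest(make_manifest(FILES), FILES))
    print(verify_manifest(make_manifest(FILES, "sha1"), FILES))
```

Rejecting the weak algorithm outright, instead of merely warning, is what forces the re-hashing of every stored manifest; a verifier that still accepts SHA1 "for compatibility" is exactly the system the collision targets.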

Google has released the two PDF files with the same SHA1 hash (the links are in the original post), together with the following infographic with more information on the attack, and a dedicated website.

[Infographic: SHA1 collision attack]

Source:https://www.bleepingcomputer.com/


Russian Police Arrested Hackers Suspected of Central Bank Attack
https://www.securitynewspaper.com/2016/12/08/russian-police-arrested-hackers-suspected-central-bank-attack/
Thu, 08 Dec 2016 12:50:57 +0000


Multiple suspects arrested, bank official reveals. Hackers managed to breach the Russian central bank and steal millions of dollars, but a bank official revealed today that several suspects were arrested shortly after the attack, without providing any information on their identity.

Reuters writes that Artyom Sychyov, deputy head of the Bank of Russia’s security department, confirmed that the Federal Security Service (FSB) and the Interior Ministry, conducted several raids after the cyberattack and “multiple suspects” were arrested.

No other details were provided, but previous reports on the cyberheist revealed that in June this year, approximately 50 people were arrested for being involved in the attack.


In a report published last week, Russia’s central bank acknowledged a hack that happened at an undisclosed date this year that allowed attackers to steal $31 million from its accounts.

Investigation continues

Although Russia has already managed to arrest so many suspects, it’s not yet clear if all (or any) of them are responsible for the attack, so the authorities continue the investigation.

Also recently, the country said that it blocked a large-scale attack aimed at its financial system, explaining that hackers linked to a foreign intelligence service were planning to take down several banks using servers owned by a Ukrainian web hosting company.

Details were once again very scarce, but Russia explained that it detected several computers in the Netherlands that were supposed to be used in the attack. The hosting firm, however, denied the claims and said that Russia didn’t even contact them to discuss the findings.

“We reviewed all our systems and network and we have not found any abnormal pattern changes that could lead to FSB’s allegations. We must assume FSB has been able to handle the situation without the need of BlazingFast’s cooperation. Nevertheless, we hereby publicly demonstrate our willingness to cooperate with any legal entity,” the Ukrainian hosting firm said.

On the other hand, state-controlled Russian bank VTB says it experienced an attack anyway, but its servers managed to block it. No details regarding the source of the attacks or the date when they were launched were provided.

Source:https://news.softpedia.com/


Ransomware is lucrative: Attacker’s profits near $100 million
https://www.securitynewspaper.com/2016/09/20/ransomware-lucrative-attackers-profits-near-100-million/
Tue, 20 Sep 2016 11:02:33 +0000


Hackers are increasingly targeting healthcare institutions with malware because of their poor cyber-security posture, reliance on legacy IT systems, third-party services and the need to access information as soon as possible in order to deliver great patient care. These are the conclusions released in a new report entitled McAfee Labs Threats Report: September 2016.

It says that hospitals paid almost $100,000 (£75,500) to a single bitcoin account. In the first half of 2016 one “actor” (possibly a single hacker, but more likely a group) apparently received $121 million in ransom payments (189,813 bitcoin) from victims across various industries; according to the report, this actor’s profit for the first six months of the year was $94 million.


“With cyber security threats including ransomware rising at such a rapid rate, organizations are having to come to terms with the fact that it’s fast becoming a question of ‘when’, not ‘if’, they suffer a breach”, said Raj Samani, CTO EMEA Intel Security. “As such, to stay ahead of cyber criminals, companies must think beyond simply implementing protection strategies, to putting systems in place to rapidly detect threats and correct their systems in the event of an attack”.

“Industries such as financial services and retail have been aware of this threat for some time and have largely taken measures to implement such strategies”, adds Samani. “It’s crucial that the likes of healthcare and manufacturing pick up the pace with cyber security. Vulnerabilities in these sectors provide hackers with access to extremely personal, valuable and often irreplaceable data and IP”.

Source:https://betanews.com


Researchers Hack Their Way into Punkey PoS Malware Backend
https://www.securitynewspaper.com/2016/06/24/researchers-hack-way-punkey-pos-malware-backend/
Fri, 24 Jun 2016 10:24:13 +0000


Criminals infected over 200 US businesses with PunkeyPOS. Security researchers from PandaLabs have hacked their way into the administration panel of the PunkeyPOS point-of-sale malware and have discovered an ongoing campaign targeting stores in the US.

PunkeyPOS, or Punkey, is point-of-sale malware that first appeared in April 2015 as an evolution of the older NewPoSThings PoS malware.

This threat has been relatively quiet, and nothing was heard about it until a recent campaign detected by an unnamed security firm that told reporter Brian Krebs about a possible infection with Punkey on the computers of CiCi’s Pizza, a restaurant chain in the US.

Punkey mostly targets US businesses

PandaLabs didn’t confirm Krebs’ findings that CiCi’s Pizza might be infected but revealed an ongoing Punkey campaign that, according to C&C telemetry data, has been targeting US businesses.

The researchers, who analyzed some of the malware’s samples, managed to reverse-engineer its code and discovered the C&C server’s IP address. Accessing this server, they found a Web-based password-protected administration panel.

“The cyber-criminals behind this attack haven’t been very careful,” the PandaLabs team explained. “Since the server was not configured correctly, PandaLabs was able to access it without credentials.”

Researchers were able to view all the computers infected with Punkey and map out their distribution around the globe using the statistical data collected by Punkey at infection time.

Researchers discovered over 200 infections, most of them in the US. The version number of this Punkey variant is “2016-04-01,” meaning this is a recent campaign.

Punkey works via a keylogger and a memory scraper component

Punkey is designed to target only Windows machines running PoS software. The malware comes with two components: one is a keylogger, and the other is a RAM scraper.

The keylogger records user keystrokes but generally ignores all the data and only collects number sequences that look like credit card details.

The memory scraper is from where Punkey’s authors obtain most of the juicy data. This component constantly reads data that’s currently passing through the PC’s memory and collects anything that looks like Track 1 or Track 2 credit card information, usually while being processed by the PoS software.
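What "anything that looks like Track 1 or Track 2" means in practice, as an added Python example; it is not PandaLabs' analysis or Punkey's code, and is written from the defender's side: the same pattern match and Luhn filter a RAM scraper uses, applied to a process memory dump to confirm that card data really is sitting in cleartext. The memory buffer is constructed and embedded; the PAN in it is the widely published 4111 1111 1111 1111 test number, and the cardholder name, expiry and service code are made up. Found PANs are masked before being returned, so the tool does not itself become a leak.

```python
import re

# Track 1: %B<PAN>^<NAME>^<YYMM><service code>...?   Track 2: ;<PAN>=<YYMM><service code>...?
TRACK1 = re.compile(rb"%B(\d{13,19})\^([A-Z /.'-]{2,26})\^(\d{2})(\d{2})(\d{3})[^?]{0,50}\?")
TRACK2 = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})[^?]{0,20}\?")


def luhn_ok(pan: bytes) -> bool:
    """Luhn check, the same filter scrapers use to drop non-card digit runs."""
    total, double = 0, False
    for ch in reversed(pan.decode()):
        d = int(ch)
        if double:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
        double = not double
    return total % 10 == 0


def mask(pan: bytes) -> str:
    """Keep BIN and last four only; never log a full PAN from a dump."""
    s = pan.decode()
    return s[:6] + "*" * (len(s) - 10) + s[-4:]


def find_track_data(buf: bytes):
    """Return Luhn-valid Track 1/2 hits found in a raw memory buffer."""
    hits = []
    for m in TRACK1.finditer(buf):
        if luhn_ok(m.group(1)):
            hits.append({"track": 1, "offset": m.start(), "pan": mask(m.group(1)),
                         "name": m.group(2).decode().strip(),
                         "exp": f"{m.group(3).decode()}/{m.group(4).decode()}"})
    for m in TRACK2.finditer(buf):
        if luhn_ok(m.group(1)):
            hits.append({"track": 2, "offset": m.start(), "pan": mask(m.group(1)),
                         "name": None,
                         "exp": f"{m.group(2).decode()}/{m.group(3).decode()}"})
    return sorted(hits, key=lambda h: h["offset"])


# Constructed process memory: a PoS banner, one Track 1 and one Track 2
# record for the public test PAN 4111111111111111, and a digit run that
# looks like Track 2 but fails the Luhn check.
MEMORY_DUMP = (
    b"\x00\x00POS v2.1\x00"
    b"%B4111111111111111^DOE/JOHN^25121010000000000?\x00\x00"
    b";4111111111111111=25121010000000000000?\x00"
    b";1234567890123456=2512101?"
    b"\xff\xfe random bytes"
)


if __name__ == "__main__":
    for hit in find_track_data(MEMORY_DUMP):
        print(hit)
```

A hit in the memory of the payment application itself is expected while a transaction is in flight; a hit in any other process, or in a file on disk, is the indicator worth an incident ticket.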

This information is encrypted with AES, sent to the Punkey C&C server and made available to the crooks in the web-based admin panel seen below.

[Screenshot: Punkey control panel]

Source:https://news.softpedia.com/


Researchers hack WhatsApp accounts through SS7 protocol
https://www.securitynewspaper.com/2016/05/11/researchers-hack-whatsapp-accounts-ss7-protocol/
Wed, 11 May 2016 05:01:39 +0000


White Hackers from Positive Technologies demonstrate how to exploit SS7 protocol to impersonate WhatsApp and Telegram users and act on their behalf.

Both WhatsApp and Telegram messaging services have implemented the end-to-end encryption for chats in order to protect the privacy of their users and improve their security.

Is it enough to keep prying eyes far from them?

No, according to a recent research conducted by Positive Technologies, hackers can impersonate victims and reply to both WhatsApp and Telegram chat messages.

Hackers can exploit Signaling System 7 (SS7), a set of protocols developed in 1975 that interconnects mobile phone networks. The information exchanged between networks is what routes calls and text messages across them.

The SS7 performs out-of-band signaling in support of the call establishment, billing, routing, and information exchange functions of the public switched telephone network (PSTN).

Experts from Positive Technologies found that attackers with only basic skills can abuse SS7 to steal a victim’s identity on the messaging services.

The major instant messaging services, including WhatsApp and Telegram, rely on SMS authentication as their primary verification mechanism, and SMS delivery is routed through SS7 signalling. By abusing SS7 to intercept the verification SMS, an attacker can take over the victim’s account and impersonate the victim.

As the experts explain, the most worrying aspect is that the attacker needs neither advanced skills nor sophisticated equipment.


The hackers from the Positive Technologies used a common Linux distro and a publicly available SDK for their tests.

“An intruder doesn’t need sophisticated equipment. Positive Technologies used a popular Linux based computer and a publicly available SDK for generating SS7 packets. After performing an initial attack using SS7 commands, the intruder is able to execute additional attacks using the same methods,” states the paper from Positive Technologies. “For instance, if an intruder manages to determine a subscriber’s location, only one further step is required to intercept SMS messages, commit fraud, etc. Attacks are based on legitimate SS7 messages. Therefore, you cannot simply filter messages as it may have a negative impact on the overall quality of service.”

Attacks relying on SS7 vulnerabilities can have serious consequences: threat actors can exploit flaws in the signalling protocol to determine a subscriber’s location, tap calls, intercept SMS, disrupt communication services, and take over instant messaging accounts.

“If telecom and network operators protect their core telecom networks, it will improve the security of customers, but that’s not going to happen over night. Service providers such as WhatsApp need to consider introducing additional mechanisms to verify the identity of users to stay secure,” said Alex Mathews, technical manager EMEA of Positive Technologies.
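An added Python example, not from Positive Technologies’ paper or from any messenger’s code, of the "additional mechanism" the closing quote calls for. It models phone-number login with the SMS code that travels over SS7, shows that an attacker who can read that code wins when it is the only factor, and adds the mitigation both WhatsApp and Telegram have shipped in some form: a user-chosen PIN that never crosses the phone network. Phone numbers, codes and PINs are constructed, the PIN is stored as a salted PBKDF2 hash and the lockout threshold and iteration count are my assumptions.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000   # assumption; tune to your threat model


class Registrar:
    """Phone-number login: SMS code, optionally plus a user-chosen PIN."""

    def __init__(self):
        self.pins = {}       # phone -> (salt, pbkdf2 hash of the PIN)
        self.pending = {}    # phone -> [sms code, attempts left]

    @staticmethod
    def _hash(pin, salt):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)

    def enrol_pin(self, phone, pin):
        """The second factor: known to the user, never sent over SS7."""
        salt = os.urandom(16)
        self.pins[phone] = (salt, self._hash(pin, salt))

    def start_login(self, phone):
        """Generate the code the network will deliver by SMS (over SS7)."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[phone] = [code, 3]
        return code   # returned only so the example can simulate delivery/interception

    def finish_login(self, phone, sms_code, pin=None):
        entry = self.pending.get(phone)
        if entry is None or entry[1] <= 0:
            return "locked"
        entry[1] -= 1
        if not hmac.compare_digest(entry[0], sms_code):
            return "bad-code"
        if phone not in self.pins:
            del self.pending[phone]
            return "ok-sms-only"   # no PIN enrolled: an intercepted code is enough
        salt, stored = self.pins[phone]
        if pin is None or not hmac.compare_digest(stored, self._hash(pin, salt)):
            return "bad-pin"
        del self.pending[phone]
        return "ok"


def simulate_ss7_intercept(reg, phone):
    """Attacker who can read the victim's SMS via SS7 but does not know the PIN."""
    intercepted = reg.start_login(phone)
    return reg.finish_login(phone, intercepted)


if __name__ == "__main__":
    reg = Registrar()
    print("without PIN:", simulate_ss7_intercept(reg, "+15550100"))
    reg.enrol_pin("+15550100", "7391")
    print("with PIN:   ", simulate_ss7_intercept(reg, "+15550100"))
```

The attempt counter matters as much as the PIN: without it, an attacker holding the intercepted code could simply brute-force a four-digit PIN, and the second factor would add nothing.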

Source:https://securityaffairs.co/

