#usb rat for hacker
USB RAT (Remote Administrator Tool)
This is a very advanced USB RAT; it can hack any highly secured server or PC within seconds.
It's 100% FUD (fully undetectable by all antiviruses).
It's silent and stealthy.
It will run anonymously.
It's untraceable.
Fully and strongly encrypted with 5 security layers.
Email keyloggers.
What you can do with USB RAT:
Just put the USB RAT into the USB port of any highly protected, multilayered server or PC, like a normal pendrive.
After connecting, it will take just 5 to 8 seconds to start remote connections.
100% FUD, stealthy and multi-encrypted, so impossible to detect and track.
Fully control any servers and computers.
Sends all captured text and virtual keyboard clicks every 10 minutes.
You can use victim servers or computers as administrator.
Full control.
Waterproof.
Package content:
USB RAT pendrive.
GUI-based dashboard for the administrator.
Server-based control system, 24/7 live.
5x dedicated servers for online control of your USB RAT for 3 years.
Ultra HD video training.
24/7 email support.
TeamViewer support.
1 year Hack-exploits membership with T-shirt.
Everything you need to know about keyloggers: a complete guide

A keylogger, sometimes called a keystroke logger or keyboard capture, is a type of surveillance technology used to monitor and record each keystroke on a specific computer. Keylogger software is also available for smartphones, such as the Apple iPhone and Android devices, where it typically runs hidden from the user. If you are interested in keyloggers, this guide walks you through the information you need. So let’s start our journey through keyloggers.
What exactly is a keylogger?
A keylogger is software or hardware that records every keystroke, and often other activity, on the device it is installed on. When used maliciously, it collects the captured data and sends it to an attacker through a command-and-control (C&C) server. A keylogger monitors and records this activity without the knowledge of the device user.
Why do you need a keylogger?
Keyloggers quietly monitor computer activity while the device is used as normal. They are used for legitimate purposes, such as feedback for software development, but can be misused by criminals to steal your data. The reasons for installing or using a keylogger vary from person to person. Let’s explore some of the most common reasons for using keyloggers.
Parental control
Parents may want to protect their children from cybercrime. Keyloggers allow parents to monitor their children's social media interactions, geolocation, call details, web history, etc. All this makes keyloggers useful for parents.
Employee monitoring
Employers or business owners may also want to verify whether their employees are properly utilizing their working hours. They may also want to know whether their workforce is honest enough for their organization. For this reason, employers commonly use such apps as well.
Stealing info
Cyber criminals also use keyloggers to steal passwords, bank details, financial information, etc.
Types of keyloggers
A hardware-based keylogger is a small device that serves as a connector between the keyboard and the computer. The device is designed to resemble an ordinary keyboard PS/2 connector, part of the computer cabling or a USB adaptor, making it relatively easy for someone who wants to monitor a user's behavior to hide the device.
A keylogging software program does not require physical access to the user's computer for installation. It can be purposefully downloaded by someone who wants to monitor activity on a particular computer, or it can be malware downloaded unwittingly and executed as part of a rootkit or remote administration Trojan (RAT). The rootkit can launch and operate stealthily to evade manual detection or antivirus scans.
How to install a keylogger on your smartphone?
To install a keylogger on any Android device, you need one-time physical access to that device. Most keylogger or spy apps are not available on Google Play. As a result, you must first enable app installation from third-party sources. You then install the app and grant it permission to monitor the phone. Once you do all this, you can use the keylogger account for the necessary configuration, such as choosing which apps to monitor. This configuration enables the app to run in the background and record all activity. You can later log into the desktop version of the keylogger app and view the details of that activity. The same steps are also what a device owner can audit for: third-party installation enabled, and an unfamiliar app that has been granted monitoring permissions and is running in the background.
To sum up
This article helped you understand keyloggers and find the right one for your Android monitoring needs. Ethical and sensible use of a keylogger can help you safeguard your assets, whether that means your kids or your organization.
You may also want to explore the best keylogger apps for Android and iPhone.
The Thieving Magpie Chapter 2: Auction day
Note: So thank you all for being super patient for this chapter update. I was actually 90% done when I wanted to send it to my beta readers; since @highkingofhuckleberries was not too well during that process (you are still loved, my darling), I want to thank @akazireael for stepping up to look over my chapter and suggest an extension as promised. Anyway, please enjoy this little chapter, and yes, there will be some Meve/Gascon action!
“You’re on…” one of his men hissed in Gascon’s ear. Gascon brushed the dust off his new suit. Slowly he walked up to the entrance of the room; indeed it was held with such grace. He had made all preparations to bypass whatever obstacles came his way.
Shit
Gascon glanced at the lanky man and quickly slipped on his Ray-Bans. “You came for the auction…” He quietly passed the ticket to him. “Yep…” He held his breath firmly. “Nothing to hide, just checking if it will fit my collection,” as he slipped a coin into his suit pocket. Reynard nodded slightly, “Mhmm…” as he was escorted to the crowd of gallery visitors admiring Reginald’s collection. He somehow averted his face from the dazzling works, dropping his shoulders slightly. Well, he may live his life on his own art terms, but this collection, damn, it rivalled all his steals: bottles of wine and whisky shimmering amidst tungsten light, screens of courtesans and samurai patrolling the lonely streets, shimmering statues of gods and mortals in deep ecstasy. He even took the time to admire the rows of dummies dressed in the best suits (though he thought they were a little dated for his times). He observed silently how the patrons at the auction murmured about the condition of the works. Quietly he glanced over at that figure, no longer in her mourning gear; her heels clicked quietly as she gazed at the artworks, with that lanky man by her side.
“I hope I do not get to keep it all, Reynard….”
The man (who Gascon knew by now was Reynard) held his head up quietly. “Do not worry, madam, it will be displayed elsewhere; at most, the money we earn from the auction will help to clear Reginald’s debt.” Reynard paused quietly, watching the crowd admiring the menagerie of items that Reginald had collected over the years. He even hid a small smile. “At most, it will do us good, and I hope we do not have any intrusions along the way.”
“That I agree with; the stranger with the sunglasses, I will never forget that face…” Meve muttered under her breath as she watched Caldwell clearing his throat and looking over the group of guards patrolling the drawing room. Caldwell held his breath slightly, calmly watching the gazes of the family members and friends who had gathered in this expansive space. Perhaps the only things that “We hope that Reginald rests well, given the expanding collection of art and memorabilia that is, perhaps all human comprehension, one of the greatest.”
The crowd watched with bated breath as men in gloves carried objects that dazzled the spirits of all. Wine bottles boasting a certain vintage, drawings of angels and traders tenderly laid between tissue papers, paintings that streaked back and forth in splashes, watches that glimmered amidst tungsten light, jewels that dazzled the bewildered crowd. “These things, he wrote in his will, are to be auctioned anywhere…” Meve was right about her husband’s impulsive buys.
“Some will be kept by the family... one of them, as dictated by the will, a Japanese sculpture dating back to the Meiji era… I suppose he wishes to keep it as a way to remember him even after his mortal body has faded.” And soon the carriers clutched the object, which itself was a beauty. “Once a symbol of protection for the samurai of that era, it was indeed the most prized possession he ever collected, to the point that access to the sculpture is left only to a certain few, including myself.”
Meve gasped slightly at that sculpture; Reynard knew that his former boss had treasured it well. It was indeed a fearsome object, coated with lacquer, a mythical creature part fish and part dragon. For that moment Meve swore that its eyes darted to her grieving state.
It must be astonishing craftsmanship.
He clenched his hand slightly as one of the carriers nearly dropped that prized object. “He wrote in his will that under no circumstances should anyone touch that sculpture. Those who are permitted will be spoken to in private after the auction…” Caldwell quietly shuffled the papers back and forth, breaking through the murmurs in the room. His eyes widened with shock, but he hid it with marvellous grace. “And that sculpture is left to his wife, Meve.” She clenched her knuckles slightly. Reynard’s mouth nearly gaped and the crowd grew wild with chatter.
“I think Reginald must have thought fondly of you…” Reynard simpered quietly. “I only heard it in private conversations, but you holding this... you know how many will fight for this…”
Meve frowned darkly as she watched the carriers lift the object again and move into the darkness. “Afraid so…”
Gascon took that opportunity to slip out by the back door. He sighed quietly to himself, slipping his fingers into the breast pocket of his blazer. A cloud of sleeping gas came over the room. He quickly took out his kerchief and covered his mouth and nose from the gas.
His heart seemed to race as he left the cloud of smoke for an obscure corner of the house; apparently, if his memory served right, it used to be where Reginald would hold prizes that he wished to keep secret, which had conveniently been turned into a security room. He quickly took out a woman’s hairpin and unlocked the door. The guard inside, clutching a game console, stared at him in horror. Quickly Gascon gave him a knock on the head and whispered under his breath, “Good night, sweet prince…” Before long, the guard lay unconscious. He rolled his eyes as he lifted up the heavy body and placed it in the nearby locker.
His breath ragged from He quickly pressed his cufflink and soon a raspy voice came out “You’re in boss?”
“Yeah…” Gascon stuck out his tongue quietly as he pressed the keyboard frantically, typing the password on the big screen. “Got to deal with a hapless guard. You should have seen his face when I punched the living shit out of him….” He quickly glanced through the feeds from the security cameras, showing the auction at play and, of course, from another angle, Gascon’s slip into the room. “Hmmm, I wonder which one...” He kept flicking through the rooms until he found his prize. Indeed it was a scary-looking object, but it would be his magnum opus. Gascon could imagine the flurry of comments when he reached for it. “Shit, this thing is beautiful…”
“How are you going to reach this thing…” one of his men rasped frantically. “It is a hell of a fort…” Gascon tuned out his blabbering as he took out his Swiss knife, switching it to its thumb-drive compartment. He quietly slipped it into the USB slot, and slowly the loading screen blinked back and forth. “Just wait and see…” And soon it reached 100%; the rooms fell into pitch blackness and the screens flickered back and forth.
Meve’s eyes widened with horror. “The hell is that..” She could glimpse faint sparks back and forth in the darkened room.
Reynard flexed his eyebrow and muttered “shit” under his breath as he heard the commotion swirling at the auction. Alarms from the house blared louder than before. Caldwell’s breaths became uneven with the chaos swirling back and forth. “We seem to have encountered some technical difficulties; please bear with us. I think Reynard will investigate that…” Caldwell approached him quietly and whispered to Reynard pensively; Meve stood in protest over the commotion. Amidst the darkness, Meve observed the security cameras flickering back and forth. She looked at Caldwell’s expression; it seemed strange that he appeared unflustered by the heist. He even took the chance to grab a bottle of water and sip it calmly.
“What the hell is going on? Some rat must have infiltrated the auction…”
“I apologize, Meve, I planned it to be tight-lipped; somebody must have leaked information about the auction… There must be lapses on my part.” Caldwell heaved exasperatedly as he took his kerchief and mopped his sweat. He somehow fixed his gaze to discuss matters with a fellow security guard. “I will do whatever I can to get him caught…”
Meve barked at Caldwell, “You better come up with a better reason for this…”
“Yes, madam, I will try to clear it up as quickly as possible…” Somehow Meve felt a sinking feeling in her stomach that Caldwell did not convey her wishes. He seemed to hold a calm smile, mumbling mm-hmms to his fellow men. “I suggest you ask Reynard to look into the people’s backgrounds. There would surely be a rotten egg among us…”
Gascon glanced over the hallways, now dressed as the security guard from the camera room. He quickly put on his sunglasses and covered his mouth with the handkerchief, passing security officers who fell like dominoes at every step in the fog of sleeping gas. He sighed to himself when he got to the next room, where he took out the tag and the red light blinked. Gascon puffed his cheeks slightly; maybe he should have brought the hacker to hack all the locks. He quickly flicked open another compartment of his Swiss knife and pulled a screwdriver out. His eyes darted to the wires, which vibrated slightly, and with bated breath he took another compartment and snipped the brown wire with ease.
Slowly he opened the door and quickly locked it with a few tight screws and some wiring fix-ups. The sound of brogues echoed in his ears, all searching for the rat. He slipped in his earbuds and examined the distant object. Security cameras loomed over the coveted object; it must be a great deal to him, Gascon thought pensively. The one that rumours spoke of, and indeed it was a fearsome thing. He held his breath slightly as he quietly shook the bottle and sprayed the room. Lasers slowly loomed out like a maze and Gascon smiled. Gascon looked over the room, clouded with many obstacles both great and small.
That should be a piece of cake
He flicked his music player to one of the tunes, Mozart’s Symphony No. 40 in G minor. Soon he swayed himself between the beams of light, his eyes darting to that prize. At that moment, his cockiness started to rub off on him as he slipped past the lasers with ease. However, he glanced over at another camera clicking at his every movement. He quickly pressed a button to shut it down, but it did not work. He looked over at a statue of Athena staring at the ceiling; a little clink, covered haphazardly by some glue, stood out to him. He quietly crept up to the statue, admiring its craftsmanship (he guessed it must be a French Rococo sculpture, by the softness of her expression). At that moment he could feel a sizzle on his skin as he reached the next part. Must be hidden lasers. Maybe his men had not accounted for all the nooks and crannies; maybe an extra obstacle for him to overcome. Quickly he took out a small cologne bottle and slowly sprayed over the room. He quickly held up a handkerchief against the fumes of the spray, and lines came out of the fog. And with a swift move he broke off the arms of the statue, with a mumbled apology for its beauty.
Quickly he surveyed the room for any hidden areas, quietly smashing every statue and vase (he guessed they must be fake items, as they did not hold many rarities in his eyes).
He giggled slightly that, despite all of Reginald’s procedures to barricade that sacred room, there was no way that human error could slip away. That would have been the easiest break-in among all the others. And soon he grew in awe of that fearsome creature trapped in a glass cage. Reflections of him bounced back and forth in the creature’s coat.
“Reynard…”
Reynard shouted furiously, “Madam, you should leave it to Caldwell to investigate that matter; my men are looking for the suspect…” Meve held her breath slightly. “I have a feeling that whoever caused this is one of the auction guests…”
“We did background checks for all…”
“All? That is not enough… we need security footage, anything, I do not care…” Meve growled in protest. “Whoever caused this commotion at this auction will be punished greatly…”
“My, aren't you beautiful…” Gascon hummed slightly. “You might have scared rivals in the past, but not under my watch…” Slowly he took a laser and traced a circle in its glass cage. “You will be a pretty addition to my collection..” Quickly he knocked out the circle of glass and reached for the object. “Well, come to papa.” His heart skipped slightly as he gripped the statue tightly. It was formidable in real life, as opposed to when the creature prowled in its horrid cage. He was glad that he could free the creature from its gilded house. At that moment, a faint clink rang in his ears. A red light flashed back and forth. Gascon’s eyes twitched back and forth as he searched all over the area for a quick exit. At that moment he tilted up his sunglasses as he saw the guards rushing up and down with guns pointing in every direction. His heart raced slightly, and suddenly he glanced at a coat of arms. His eyes darted to the open cage; if he ran over the lasers, they would trip again. Gascon mumbled slightly, “Seems you have to stick with me, little fellow…” He quietly picked up his earphones and pressed a button. “Gentlemen, you may have to wait for a while… Got myself into something sticky.” He peered at the guard tapping his pass card and opening the door. A cough rattled in the distance. Probably the spray had choked his lungs. Gascon quietly stashed the statue away in his satchel and took out a taser. And he quietly played a little piece as a lure for the guard.
The guard heard an operatic piece playing softly in the distance. He slowly looked over the row of armour, knocking on each one by one. Until the last one, an impressive one, Spanish armour, which he gave the final knock. It seemed silent, but he saw a pair of sunglasses shimmering in the distance. He knocked again and waited a few seconds. Without realizing it, a clang came over him and he felt a buzz in the distance. Quickly he wrestled the armoured figure, and before long that figure seemed to lose it, as he was clutching something.
Something precious.
The guard thought quietly. Then why is he…
Before he could gather his thoughts, his eyes grew wide with shock as he glanced into the void. It was the statue, and the person holding it seemed familiar. It was the guest at Meve’s wake who had caused a ruckus. Quickly the slim man bolted out from the armour, spraying pepper spray into his eyes and knocking him down with an old sabre. Gascon gave a cheeky grin. “Touché, sir. Touché….” Quickly he disappeared without a trace.
Moments later, he woke up to see sprinklers dancing in the distance. His muscles somehow wobbling, he took a walkie-talkie and pressed the button. “Reynard, copy, the statue is stolen… someone burglarized us…. call Alpha, Beta, Omega squads, find the man, he is wearing sunglasses…. 5 foot plus.. over…”
Reynard’s ears perked at the sound of alarms blaring in the distance. Soon a buzz came in his ears. “Over… Meve and I will come over…” Meve’s eyes widened slightly as it continued; on his patrols between her husband’s room and the auction he had recognized the man with the same sunglasses as the one that Caldwell had expelled. “That bastard! I want him down…”
“Sir…”
Reynard noticed his haggard breathing as he placed his hand on his chest. “The… the thief… it seems planned…”
Meve commanded slightly, “Speak… Reynard, pass the guard a cup of water now!” Reynard scampered with him to a small table and quickly grabbed him a paper cup filled with water. Slowly the guard came back to his senses. “I NEED TO KNOW WHERE THE HELL HE IS, WHY DID YOU LET HIM GO, IT IS IMPORTANT, DAMNIT, DAMNIT…”
Reynard clutched Meve tightly by her wrists, restraining her from wriggling away with ire. Surely there was a lapse of human error on his side.
“…We could check the footage, if it is not hacked…”
Reynard somehow swung by the nearby computer and quickly typed a password. He scrubbed through the security footage. He swore that some parts were cut off, perhaps intentionally by the thief. He calmly observed a slim man sneaking out of the room after Caldwell announced who would be the main beneficiary of the statue. Meve frowned slightly at the anecdote; he seemed strangely calm to leave the auction, not in a hurried manner but something more. And he looked familiar. “Seems we have found ourselves the thief..” Reynard simpered slightly. “Did Caldwell put out a warrant on him a while back….”
And somehow he switched over to another computer and saw him destroying every priceless object surrounding the room, spraying the area in search of secret lasers. He paused and pressed the zoom button to see his face. And it all clicked.
Suddenly a voice perked up in the distance. “And yes he did, Meve….” And the face matched the footage that they could reel in.
His hands up in playful surrender, in handcuffs, Gascon combed his hair with his fingers in bemusement as he glanced at the guards following him to the end. “I suppose you are looking for this…” as he dangled it playfully, causing her to tick. “Caldwell's boys were clever to catch me, in the worst of places…”
Quickly Meve took out a pistol and pointed it at his face.
“Do not test me….”
Gascon chuckled slightly as he playfully plonked the statue back on the table. “Yes, fine, fine, I got my prize; after all, it is a worthless piece of shit…” He swallowed calmly and proceeded to snatch a pen and slip it into his pocket. “That itself is beautiful… I cannot wait to see Caldwell’s reaction…” he teased her as he laid the statue back in his satchel. “I robbed the rarest of all; oh, by the way, do you know that your friend Caldwell has owned himself…” Somehow his eyes looked over at that door. He knew something seemed amiss.
“Enough…”
Gascon watched Meve heave a deep sigh. He noticed her knuckles had grown red from clenching. “The statue….” Meve growled. “Put it back now….”
Somehow a familiar voice came over. “….It is not yours, madam….” Caldwell walked up quietly, hands clutching the papers, and his sons standing by. Her eyes darted to Villiem. He seemed poised and calm. Anesis took the pleasure of tapping at his late father’s desk. “No, that cannot be…” Meve gaped in horror as she was walked over to Caldwell, and her sons all calm. Gascon looked over at them. “Seems we got new friends to witness my act. Name is Gascon, if you do not mind, madam.” At that moment the thief took the opportunity to disappear into thin air. Meve cursed under her breath that he had got away. She would clear her name no matter what. Caldwell smirked coldly. “You better build yourself a good case, madam…” and soon some of the guards held her wrists. “There seem to be some amendments to your husband’s will and, according to Villiem….” as he laid down the paperwork. “You hold it, infinitely, as the main carrier of this item, but there are issues. And what's more, you let a thief slip into your hands. Until we can settle its provenance and reliability... all of your husband’s property and assets will be under Villiem and me….”
Meve’s face went pale with horror. “No, that is not valid, you said in the auction it is all under me…” Her heart raced with fear; there was no proof or backing for that claim. “I even witnessed it when he wrote it... It is not true... it’s not true... it’s not true… and that bloody Gascon. I do not even employ his services…” Slowly all of the guards left her, except for Reynard, who went pale with horror. “That I could vouch for, Meve... Caldwell… you are making a mistake…. she would not do such a thing.”
“I beg your pardon, Reynard, you went off and screwed with Meve. She clouded your mind with her husband’s fortune…” Caldwell throttled coldly. “Unless you can vouch that you worked for your owner…”
“Yes… and I can say that she did not bring a fool like Gascon to break into the house…”
However, the protests seemed to fall on deaf ears as he heard the pitter-patter of steps climbing up and down. “With all lamentations…” Caldwell could hear the clicking of the flashes and cameras glaring at him. “Perhaps you must state your cause to the public, since they will be disappointed that his filial wife has traded fortunes for something.. horrendous…” He quietly nodded at her and left the room quietly. Villiem nodded slightly. “Father will be disappointed with you… my mother….”
“This is bullshit…” Meve’s body trembled with anger and despair, but all she could do was bite her lip as a flood of reporters swarmed her with questions, Reynard scrambling for his glasses to shield her from the glaring public. Shame burned in her body; however, anger gave way as she answered the questions with poise. Someday she would get him.
“I might be damned…”
“What, boss…” One of his men, Grant, muttered slightly as he examined the statue. “That mysterious client seems awful generous to you…” as he glanced at his smirking. “What did you do to bribe him…”
Gascon pondered slightly on the numbers given to him. “I could only recall the last time we met, he said that he wanted a certain painting back… stole it from a gallery opening that night. You should have seen their faces when I stole that thing. In fact, priceless…” Gascon smirked as he read the numbers; that was even more than what he had earned when he liquidated the first edition book on a certain topic. “In fact, he is willing to reduce charges for me for that heist, if I can help to bring about a certain family’s fall…”
“Did he or she reveal anything other than that purpose…”
“Dunno, seems he wanted to meet me up to thank me for stealing the statue…” Gascon plonked the statue on the table. “Pity, as I have a great fondness for that thing... alas, I must meet conditions…”
“Do not let your guard down.. remember, with that..”
Gascon rolled his eyes slightly. “Yes, I know, I know, I know….” as he quickly started texting him. “Well, he did not pull out on me; you, the boys and I are in immunity with the client… Imagine every force in the world unable to track our steps... what could go wrong…” He yawned slightly as he sauntered to the bathroom. “Make sure you check the condition of the statue; I think he wanted it to be in the condition it was in when I stole it…” The man nodded slightly as he looked over at the rooftops, where a small black cat sauntered up and down the snaking mazes. “After all, we wanted his protection, right…” It stared at the statue just momentarily and went back to its venue, searching for a lover. Of course, he quietly brought it to his workshop. Maybe there was a secret that the statue had held for many generations.
It is going to be a long night.
Tag List (DM if you wanted to be tagged)
@witcherislovewitcherislife
@tcustodis
@etaedraws
@akazireael
@highkingofhuckleberries
@dukeofqueers
@dukeofdogs
@this-is-a-job-for-vesemir
@riviae
#writing #writers on tumblr #spilled ink #S: The Thieving Magpie #Thronebreaker #The witcher #Queen Meve #Reynard Odo #Gascon Brossard #fanfic #fanfiction #creative writing #modern AU #please feel free to reblog
TheFatRat is an exploiting tool which compiles malware with a well-known payload; the compiled malware can then be executed on Linux, Windows, Mac and Android. TheFatRat provides an easy way to create backdoors and payloads which can bypass most anti-virus.
Features:
▫️ Fully automates MSFvenom & Metasploit.
▫️ Local or remote listener generation.
▫️ Easily make a backdoor by operating-system category.
▫️ Generate payloads in various formats.
▫️ Anti-virus bypassing backdoors.
▫️ File pumper that you can use to increase the size of your files.
▫️ The ability to detect the external IP & interface address.
▫️ Automatically creates AutoRun files for USB / CDROM exploitation.
https://github.com/Screetsec/TheFatRat
#redteam #hackers #exploit #inject #rat
Why the World May Never Truly Be Rid of Dongles
A version of this post originally appeared on Tedium, a twice-weekly newsletter that hunts for the end of the long tail.
As you may guess from the stuff I write about, I have a lot of computers, of various shapes, sizes, and functions.
Some of them I only mess with occasionally; some are frequent companions; some (like my Pinebook Pro) are destined to be frequent targets of tinkering for me. But the one thing they have in common is that they all encourage a rat’s nest of cabling to connect the various gadgets I own. The monitor I got late last year I purchased specifically because I needed a USB hub to go with my high-resolution screen.
But despite all these efforts to simplify my cabling life, dongles rule everything around me. And around you, too. It comes with the territory.
Ultimately, the problem the dongle solves may never truly go away.
“We don’t know much, for sure, about the word that has been a source of so much frustration and controversy and, regardless, ubiquity. But that hasn’t stopped people from guessing.”
— Megan Garber, in a 2013 essay in The Atlantic discussing the origin of the word “dongle,” which she noted was fairly unclear. A 1984 article from The Guardian, in reference to Clive Sinclair’s ill-fated Sinclair QL computer, refers to dongles as “an ancient piece of computer jargon,” despite the fact that it’s one of the earliest references I can find in a mainstream newspaper. The word suddenly showed up in newspapers around 1984, as did one of the earliest patent filings regarding dongles, in the United Kingdom. In technology publications, the first references I see date to October 1981, in issues of New Scientist and Byte, both in reference to antipiracy technology.

An example of a parallel-port dongle. Image: Raimond Spekking/Wikimedia Commons
The dongle’s original legacy as an antipiracy tool
Last year, when the latest iteration of the Mac Pro came out, one thing that may have confused observers looking at this machine, which they will likely never use, is the unusual placement of a USB-A port on the machine’s motherboard.
To those who only lightly follow technology, the existence of this port likely made no sense. But it reflects a decades-long legacy of tying security to actual hardware that, for some programs at least, persists to this day.
A 1984 New Scientist piece explained the dynamic that led to the growing popularity of dongles throughout the period, but noted that despite their goal of security, they ultimately were seen as easy to break by technical users:
The dongle is a small plastic box which plugs into one of the ports at the back of a computer. A program protected by a dongle contains a routine that asks a computer to check whether the dongle is present and sometimes to read a code from it. If it has not been plugged in the program will not run. Most dongles do not prevent programs from being copied, but they stop the copies from being used, since each copy needs a matching dongle to work.
Unfortunately, there is nothing to prevent the owner of a dongle-protected program from displaying the program code on his computer screen and removing the dongle check from it. One expert says this task takes about two hours.
The dongle system has been refined by some companies. Instead of supplying a program in plain computer code, some or all of the instructions are scrambled. The key to this simple encryption is held by the dongle which passes it to the computer’s operating system (the program which coordinates the computer’s operations). Once unscrambled, the program is loaded into the computer’s memory and runs in the normal way; but it is not difficult to remove the built-in checks.
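The two schemes the New Scientist piece describes, a bare presence check and a scrambled program whose key lives in the dongle, are easy to see side by side in code. The block below is an added illustration written for this page, not code from the article or from any dongle vendor: the `Dongle` class, the secrets, and the tiny "protected program" are all constructed stand-ins. It shows why the presence check is a one-jump patch, why the scrambled variant at least forces an attacker to possess a genuine dongle once, and why even that variant ends the moment the unscrambled program is dumped from memory. (It adds one thing the 1984 designs lacked: a MAC over the plaintext so a wrong key fails closed instead of executing garbage.)

```python
"""Toy model of the two dongle schemes described in the 1984 New Scientist
passage. Constructed for illustration; no real dongle protocol is modelled."""
import hashlib
import hmac
from typing import Optional, Tuple


class Dongle:
    """Simulated hardware key: holds a secret and derives a key from it.
    (Constructed stand-in for a parallel-port or USB dongle.)"""

    def __init__(self, secret: bytes):
        self._secret = secret

    def read_key(self) -> bytes:
        # The 1984 refinement: the dongle hands the program an unscrambling key.
        return hashlib.sha256(b"dongle-key|" + self._secret).digest()


# Scheme 1: presence check. A single conditional guards the program; in a
# binary that is one jump, which is what "removing the dongle check" patches.
def run_presence_checked(dongle: Optional[Dongle], payload):
    if dongle is None:
        raise RuntimeError("dongle not present")
    return payload()


def run_check_removed(payload):
    """The two-hour job the article mentions, reduced to its essence:
    the guard is gone and the payload runs with no dongle at all."""
    return payload()


# Scheme 2: the program body ships scrambled and only the dongle's key
# unscrambles it. A MAC over the plaintext makes a wrong key fail closed.
def _keystream(key: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def scramble(source: str, key: bytes) -> bytes:
    data = source.encode()
    tag = hmac.new(key, data, hashlib.sha256).digest()
    body = bytes(p ^ k for p, k in zip(data, _keystream(key, len(data))))
    return tag + body


def unscramble(blob: bytes, key: bytes) -> Optional[str]:
    tag, body = blob[:32], blob[32:]
    data = bytes(c ^ k for c, k in zip(body, _keystream(key, len(body))))
    if not hmac.compare_digest(tag, hmac.new(key, data, hashlib.sha256).digest()):
        return None  # wrong dongle: refuse to run
    return data.decode()


def run_scrambled(blob: bytes, dongle: Dongle) -> Tuple[Optional[int], Optional[str]]:
    """Returns (result, plaintext). Returning the plaintext is the caveat the
    article makes: once unscrambled in memory the program can be dumped, and
    the dumped copy needs no dongle."""
    source = unscramble(blob, dongle.read_key())
    if source is None:
        return None, None
    namespace = {}
    exec(source, namespace)  # the "program" is a tiny Python function here
    return namespace["compute"](6, 7), source


# Constructed sample data: a genuine dongle, a counterfeit one, and a
# scrambled program that only the genuine key unlocks.
PROTECTED_SOURCE = "def compute(a, b):\n    return a * b\n"
GENUINE = Dongle(b"factory-secret-0001")
COUNTERFEIT = Dongle(b"guess")
BLOB = scramble(PROTECTED_SOURCE, GENUINE.read_key())


def dumped_copy_runs(blob: bytes, dongle: Dongle) -> int:
    """Dump the unscrambled program once, then run it with the dongle removed."""
    _, dumped = run_scrambled(blob, dongle)
    namespace = {}
    exec(dumped, namespace)  # no dongle consulted from here on
    return namespace["compute"](6, 7)


if __name__ == "__main__":
    print(run_presence_checked(GENUINE, lambda: 42))
    print(run_check_removed(lambda: 42))
    print(run_scrambled(BLOB, COUNTERFEIT))
    print(run_scrambled(BLOB, GENUINE)[0])
    print(dumped_copy_runs(BLOB, GENUINE))
```

The design point a practitioner should take from this: the scrambled variant stops casual copying (a copied blob is useless without a matching dongle), but it does nothing against the owner of a legitimate dongle who runs the program once and saves what is now in memory. That is the weakness the later "dongles with their own processing" tried to address by keeping the secret inside the device and answering challenges rather than handing over a key, and even those remain patchable at the point where the program checks the answer.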
For games, these approaches were eventually replaced by copy-protection schemes inside manuals or by different distribution approaches, like shareware. But dongles for more high-end or specialized software products, along with employee security, never really went away. In fact, they got more sophisticated, adding their own processing capabilities that interacted with the software being used.
Of course, people aren’t aware of where the term actually came from in the first place, as The Atlantic’s Garber implied. This has led to fun stories, the most colorful of which was invented by the tech company Rainbow Technologies, which, in a 1992 advertisement that ran in Byte, invented a character named Don Gall after whom it claimed the device was named.
“He wasn’t famous. He didn’t drive a fancy car, but dressed in his favorite Comdex T-shirt and faded blue jeans, he set out to change the course of the software story,” the fable started.
While obviously totally made up, it nonetheless became something of an urban legend.
These devices generally hooked up to serial or parallel ports throughout the 1990s, with pass-through adapters that allowed users to continue to plug in devices such as printers. In terms of video games, cheat tools like the Game Genie could be thought of as dongles.
But in the late 1990s, these devices were able to shrink thanks to USB. These dongles, while less prominent than they once were, have largely stayed in common use in a handful of industries, specifically those that sell computer-aided design or manufacturing software, and those that offer software for digital audio workstations. ACID and Autodesk, two manufacturers that specialize in those fields, are probably two of the best-known companies that rely on hardware security dongles in the modern day. These are the kinds of devices for which the Mac Pro has an internal USB-A port.
More common, however, are devices intended specifically for two-factor authentication, such as the YubiKey, which serve a similar security function, but for the user or the organization for which they serve, rather than to prevent piracy. These tools work in similar ways to the dongles of yore, perhaps with additional security mechanisms.
Speaking of USB, the switch of formats, which was ultimately a good thing for technology, helped create a pretty big market for dongles big and small, many of which connect to all variety of objects, from printers to TV sets. (Apple, the company that moved to USB early, is responsible for many of our dongles.)
The USB thumb drive is a great example of a dongle, and perhaps the most prominent example of flash disks around.
Similarly, video standards have a way of adding dongles to our lives. Ever converted HDMI to DVI to VGA to composite to RF? (No, just me?) Then you’ve lived the dongle life.
It’s a fact of life, and one that has only become more of a fact of life thanks to USB-C, which creates natural incompatibilities that dongles must bridge.
Five of the weirdest dongle connectors I’m aware of
USB-C to MagSafe. As is well-documented, I have issues with the design of the Mac’s default power brick, which I think has serious deficiencies because, prior to its conversion to USB-C, its primary cable is both thin and non-removable. For years, Apple made this port proprietary and failed to allow for alternative devices to be made, but after moving to USB-C, Apple took its eye off the MagSafe ball. I bought this adapter off of eBay, delivered straight from China, and use it with the adapter that comes with my HP Spectre x360, which supports USB-C by default.
Jawbone UP24 to USB. Despite the fact that most people associate exercise bands with the brand Fitbit, it was Jawbone that really set the stage for the category’s success with its UP series of fitness trackers, which actually pulled off the neat trick of looking cool without being showy (a credit to its designer, Yves Béhar). It helped to build a market segment … which Jawbone’s competitors quickly took for themselves. For this discussion, though, the interesting thing about this device is how it charged: You take off the cap and a 2.5mm headphone-style plug appears. You plug that into a USB-A dongle with said jack, which isn’t useful for anything else.
DVI to ADC. While VGA is a far more memorable adapter for those looking to get a signal onto a video display, DVI has been a more consistent part of the video experience in recent years, appearing on video cards even today, while DisplayPort and HDMI are locked in a battle for supremacy. But ADC? This was a relatively brief attempt by Apple to try to minimize the number of cables needed to connect its monitors. It was arguably ahead of its time—it took USB-C 15 years to make this capability common across the computer industry—but the problem was that the port was proprietary, and if you wanted to use a computer other than Apple’s G4 towers (say, a PowerBook), you needed to break apart those signals—which required a really big dongle. Apple’s official dongle, released in 2002, is both extremely expensive and as large as a standard laptop power brick, and while there is a smaller third-party alternative, it’s harder to find. At least one hardware hacker has gone to the trouble of creating a reasonably sized version.
Crazyradio PA USB Dongle. This dongle, an open-source device, is essentially a USB radio that works on the same open 2.4-gigahertz band as early versions of Wi-Fi. Why would you want this? Well, it’s effectively a wireless mouse dongle for everything else, except with a much larger antenna. Highly hackable, open-sourced, originally developed for a tiny drone, and with a massive range, it can be used for any manner of weird stuff, and is a popular choice for hardware hackers, though some have gone to the point of hacking those wireless mouse adapters for whatever they want.
The Sugru-covered wireless mouse connector. For those with wireless mice, Apple’s move to USB-C on laptops has made life a lot more frustrating because it requires the use of a dongle with your dongle. Rather than be stuck with that state of affairs, the YouTube channel DIY Perks pulled apart one of those mouse connectors, soldered it onto a USB-C breakout board, and covered the whole thing with Sugru, the moldable glue popularly used for DIY projects. A little hacky, but it totally worked.
There was once a massive dongle for sale that could Hackintosh your system
The very nature of dongles means that they come and go, and no dongle, perhaps, has come and gone as quietly as the EFiX USB dongle.
Unlike the security keys used to protect software from installation, EFiX literally does the opposite—it allows users to install software that its maker would prefer users didn’t.
A gadget modern enough that it was featured on websites such as Engadget, the EFiX (also known as EFI-X, with both names referencing the UEFI firmware that is common today but that Intel Macs were relatively early to) harkens back to a time when installing MacOS on a non-Apple PC wasn’t particularly easy. This object, produced by a firm named Art Studios Entertainment Media, was what the company called a “Boot Processing Unit,” which essentially took all the complicated parts of building a hackintosh (all the messy code and what have you) and hid those from the user.
“EFI-X is not for everyone. It is not for who wants to save money, at all. It is for enthusiasts that put expandability and extreme performances before anything else in their computing needs. We heard those voices, and we answered,” the company that built this device stated on its website.
The device, which plugs directly into a USB header on a motherboard rather than a single USB port, essentially handles all the messy parts of installing Mac OS X on a standard desktop PC. (The key word there is desktop; laptops tend not to have user-accessible USB headers.)
A 2008 Gizmodo review of the device noted that while you did have to open up your machine to plug it in, it was incredibly simple to use:
If you’ve got the hardware, the whole process is simple, so that even if you’ve never cracked your desktop before, you could still get this done with a quick search online for the requisite know-how. I plugged the EFiX dongle into a USB header on my motherboard (not, as you might have assumed, into a USB port on the outside). That’s really it for getting your hands dirty, though. I restarted my computer, selected EFiX as the boot device (it was listed under hard drives, actually) and was greeted with a drive selector. After selecting the Leopard disc, it started installing without a hitch.
But those who did get more technical were fairly skeptical about what they found. One Hackintosh blog doing an autopsy of the device in an effort to come up with a software-only solution said that despite the flashy looks and the use of an ARM processor on the module, it was not particularly novel.
“The whole thing, inclusive PCB, case, cable and packaging should cost less than 10 dollars, I guess,” the author wrote.
If this all sounds fairly gray area, it’s worth noting that this device came to life around the time that the Florida company Psystar was getting some negative legal attention from Apple after announcing plans to sell a Mac clone system—a battle Psystar ultimately, famously, lost.
The USA seller of the EFiX dongle, EFiX USA, at one point announced plans to release a clone system of its own … but then quickly changed course, realizing it would probably put them in a world of legal hell.
EFiX and its manufacturers faded away eventually, and the Hackintosh community came up with other solutions for easily turning a computer into a Hackintosh—no proprietary dongle necessary.
The thing with ports is that there is never a shortage of choice in terms of what you can do with them. But when you try shopping for cables with a specific use case in mind, things get confusing, fast.
Last fall, I made a trip to Micro Center, in part because I heard it was the best computer store chain in the country and I was utterly curious about this Mecca to silicon and circuitry. Overall, the experience was fairly positive, but I felt strangely claustrophobic in one section of the store—the section around KVM switches, which are devices (glorified dongles, really) that allow users to swap between different computers.

So many cables. So much switch. Image: Priwo/Wikimedia Commons
These products, generally, require a lot of cables. An absolute ton, a level that will make you never want to see another cable again. And there are a lot of them, of different shapes, sizes, and use cases. Despite the fact that VGA is a dinosaur of a technology, the vast majority of KVM switches that handle video seem to rely on VGA in the year of Our Lord 2020.
The perfect KVM switch is often hard to find if you have a specific need—and they can get ungodly expensive if you’re not careful.
I can’t remember what I was looking for, but I remember vividly that I not only didn’t find it, but I suddenly had a strong desire to leave this store I went out of my way to visit. Again, I’m the guy that loves computers enough that I wrote an entire article about dongles, and I couldn’t take it. I psyched myself out.
The good news is that USB-C has the potential to simplify the use of KVM switches entirely, at least eventually, as they will only require one cable from each device that you’re switching from. The bad news is that USB-C has confused the spec significantly, in some frustrating ways.
By way of example: Recently, I set up a wall stand next to my desk (a floating shelf for DVD players, essentially) that I set up to allow me an easy place to put my laptops and use them without taking space on my desk. Conceivably, I could plug in my USB-C-based laptops using a single cable and get going. The problem is that USB-C adapters have short cables that are embedded into the device.
So, what do you do to resolve this? First, you find a USB-C hub that doesn’t have a cable built-in. Great; here’s the only one I could find that cost less than $50 that had good power-delivery capabilities. But now this cable has to pull double-duty. It needs to be long enough that it isn’t directly next to your computer, able to transmit high-speed data, but able to charge a laptop. This is harder than it sounds. My HP Spectre x360 relies on a 90-watt charger; most cables with the ability to transmit power and high-speed data top out at 60 watts. Want one that supports 100 watts, powerful enough to handle the latest MacBook Pro? In most cases, the speeds will max out at USB 2.0 levels, meaning you may be better off with Thunderbolt 3, which costs even more than USB-C does. I want USB-C for compatibility for multiple devices.
So it took quite a bit of digging to find the right hub and the right cable to make this setup possible. But now I can plug in a single cable to my laptop and start working. (OK, technically two, because the hub transmits HDMI at a slower speed than the port on the laptop itself. Can’t win everything.)
So why am I telling you about the complications of all this? Simply, I think it’s important to point out that we’re replacing dongles with ports that can theoretically take basically everything, but that have specifications so inconsistent and hard to follow that, once USB-C becomes the one port to rule them all, we may be replacing the physical hell of dongles with a sort of technical hell of inconsistent standards, where the value of a specific cable is defined by what it can do rather than what it looks like.

You can buy a working system for a lower price than you can this cable.
We’re already seeing this. Recently, Apple drew a lot of attention for selling a Thunderbolt 3 cable for $129. It was very much a weird-flex-but-OK situation, but part of the reason that it sells for so much is that it’s relatively long (2 meters, or 6.6 feet, or $1.63 per inch) yet supports the full Thunderbolt 3 and USB 3.1 specs. Most cables of that type only support certain elements of these specifications; Apple’s expensive cable supports the whole thing, making it an extremely valuable cable for someone who prizes maximum compatibility, maximum speed, and maximum flexibility in a single span of braided black cable. This kind of consumer, apparently, exists.
All of this raises the question: Are dongles as bad as they look? Probably not. But they sure look weird.
Why the World May Never Truly Be Rid of Dongles syndicated from https://triviaqaweb.wordpress.com/feed/
Original Post from Security Affairs Author: Pierluigi Paganini
Security firm revealed that China-linked APT group Turbine Panda conducted cyber-espionage operations aimed at various aerospace firms for years.
Security researchers at Crowdstrike uncovered long-running cyber-espionage operations aimed at various aerospace firms. According to the experts, the cyber espionage operations began in January 2010, after the state-owned enterprise Commercial Aircraft Corporation of China (COMAC) selected U.S.-based CFM International to provide a custom engine (LEAP-1C) for its C919 aircraft. The researchers attributed the attacks to a China-linked threat actor tracked as TURBINE PANDA, which targeted multiple companies that manufactured the C919’s components between 2010 and 2015. The operations are traceable back to the MSS Jiangsu Bureau (JSSD), the same unit blamed for the 2015 U.S. Office of Personnel Management (OPM) breach.
“However, the C919 can hardly be seen as a complete domestic triumph, because it is reliant on a plethora of foreign-manufactured components. Likely in an effort to bridge those gaps, the Chinese state-aligned adversary TURBINE PANDA conducted cyber intrusions from roughly 2010 to 2015 against several of the companies that make the C919’s various components.” reads a blog post published by Crowdstrike.
Researchers noticed that in August 2016, both COMAC and AVIC became the main shareholders of the Aero Engine Corporation of China (AECC/中国航空发动机集团), which produced the CJ-1000AX engine. Experts note that the CJ-1000AX is quite similar to the LEAP-1C, as its dimensions and turbofan blade design show.
Researchers suspect that the aircraft maker benefited from information obtained through cyberespionage campaigns carried out over the years.
“The actual process by which the CCP and its SOEs provide China’s intelligence services with key technology gaps for collection is relatively opaque, but what is known from CrowdStrike Intelligence reporting and corroborating U.S. government reporting is that Beijing uses a multifaceted system of forced technology transfer, joint ventures, physical theft of intellectual property from insiders, and cyber-enabled espionage to acquire the information it needs.” continues Crowdstrike.
The hackers targeted multiple companies that were involved in the supply of components for the project, including Honeywell and Safran.
The Turbine Panda cyberespionage group used multiple malware families to compromise the target organizations’ systems; the researchers reported the involvement of the PlugX RAT, the Winnti backdoor, and the Sakula malware.
Researchers also identified a HUMINT element in the JSSD’s espionage operations against the aerospace-industry targets involved in the project.
“In February 2014, one of our own blogs described the relationship between cyber activity in 2012 against Capstone Turbine and an SWC targeting Safran/Snecma carried out by TURBINE PANDA, potentially exposing the HUMINT-enabled cyber operations described in some of the indictments.” reads the report published by the experts. “As described in the ZHANG indictment, on 26 February 2014, one day after the release of our “French Connection” blog publicly exposed some of TURBINE PANDA’s operations, intel officer XU texted his JSSD counterpart, cyber director CHAI, asking if the domain ns24.dnsdojo.com was related to their cyber operations. That domain was one of the few controlled by cyber operator lead LIU, and several hours after CHAI responded to XU’s text that he would verify, the domain name was deleted”
According to the report, in November 2013 JSSD intelligence officer Xu Yanjun recruited a Safran Suzhou insider named Tian Xi.
In January 2014, Tian Xi delivered the Sakula malware to the target company on a USB drive.
Although Xu Yanjun, the Sakula developer Yu Pingan, and two individuals working as insiders have been arrested, the cyber espionage campaigns have not ceased.
“Even with the arrest of a senior MSS intelligence officer and a valuable malware developer, the potential benefits of cyber-enabled espionage to China’s key strategic goals has seemingly outweighed the consequences to date,” Crowdstrike concludes. “Similar to the procedure for developing the C919, the JV is currently taking bids for an aircraft engine that will be used until a Chinese-Russian substitute can take its place; this appears likely to be the CJ2000, an upgraded version of the CJ-1000AX used in the C919.”
Pierluigi Paganini
(SecurityAffairs – China Turbine Panda, cyberespionage)
The post China-linked cyberspies Turbine PANDA targeted aerospace firms for years appeared first on Security Affairs.
FREE COMPUTER PROTECTION DOWNLOAD
G Data Internet Security. That is exactly what Hotspot Shield offers. Protect yourself with our pioneering mobile apps so that you can pay securely, send email privately and always have the storage space you need. Very often it is pure greed that drives some people to ruin. The best tips and tools for anonymous surfing. Create a backup:
Name: free computer protection. Format: ZIP archive. Operating systems: Windows, Mac, Android, iOS. License: for personal use only. Size: 25.67 MBytes
This makes it considerably harder for an antivirus program to detect the RAT. And use an ad blocker. Unfortunately that is not enough to be safe from hacker attacks. Free download for PC. More exciting digital topics can be found here. Multi-award-winning protection for Windows.
Nero reviewed: Windows 10 Firewall Free 8.
Download Avast Free Antivirus. What did you not like? The default settings are well optimized. They inject their code into a legitimate Windows process.
New in the current version are, among other things, improved security standards and smarter functions.
Test winner for protection, performance & usability
Microsoft Attack Surface Analyzer uses test runs to determine changes to the operating system that can be caused, for example, by new installations. Option 2: you encrypt your computer completely.
If necessary, work through these items one after another.
To back up your own data, buying an external USB hard drive is recommended; you simply plug it into the computer and back up all personal data there weekly or monthly.
Viruses tap such directories in order to send themselves automatically to all of these email addresses.
Download computer protection for Windows: the best software and the best apps
For marked links we receive a commission.
Deft contains several tools that can bypass security measures and eavesdrop on network traffic. If possible, enable the automatic update function.
Securing Windows further: free security tools to add on – CHIP
In case of problems the user seeking advice is not left out in the rain; the Avast help service responds very quickly. Your device does not support JavaScript. You should agree here. Easy to install and use, no other virus protection can keep up.
Recognizing dangers, however, is only half the battle.
For this reason you should always keep them up to date. You can get a secure Windows with free tools.
Download: KeePass
Kaspersky Internet Security. This way the scanner also finds viruses that can hide themselves on a running Windows. Download Avast Free Antivirus. It does not always have to be expensive security suites, even if these do protect comprehensively.
This way you are protected from the dangers on the internet and save money at the same time. Software. Virus protection. Our team.
Then you not only get current features and bug fixes, but some programs e.g. This way even those files disappear reliably that were removed with other deletion tools.
PC protection at no cost: these are the best free programs – Computer –
Our ranking clarifies which virus protection program you should install. Your phone is bank, office and casino at the same time. Protection. Performance. Usability. An excellent protection rate is not enough for us. In addition, paid antivirus programs score with a number of useful extra functions.
The post KOSTENLOS COMPUTERSCHUTZ HERUNTERLADEN appeared first on Mezitli.
source http://mezitli.info/kostenlos-computerschutz-15/
via Adafruit Industries – Makers, hackers, artists, designers and engineers! https://ift.tt/2YTD6Od
here's some good ol' Matt and Pidge headcanons for ya
- the Holt siblings sitting in random places in the middle of the night
- Pidge getting a midnight snack: hey Matt, is there anything good up there
  Matt, sitting on top of the fridge with his laptop where all the chips are: there's some Doritos up here
  Pidge: cool ranch or the nacho cheese?
  Matt: cool ranch.
  Pidge: hand it over
  Matt, giving her a glare from where he's sitting in pitch black darkness: don't spill them under my bed again, it took me forever to get it clean last time
  Pidge: sure. fine, just give them already!
- Pidge has drawers of files for blackmail to use against people, one digital and one in her room
- one time Pidge found Matt dressed up in Sailor Moon cosplay when he thought no one was home, while Pidge was taking pictures
- Matt never leaves his friends alone in his house while Pidge is there
- sometimes Pidge shows the picture to Matt's friends just for giggles
- once Matt stole Pidge's USB for her essay and deleted everything on it so he could download some memes on it
- Pidge was so mad she hacked his computer to have a goat screaming at full volume whenever he opens it
- Matt can't fix it cause he can't program for shit, unlike Pidge
- he had to do all her homework for a month
- one time Pidge was bored and was looking to see whether information on the existence of aliens was real and somehow hacked into the files of Area 51
- the government tracked her down
- (Pidge is 12 when this happens)
- they went to her house and were completely shocked that a 12-year-old hacked their systems because she was simply bored
- she got grounded for a month
- (no one knows, but she has all the files of Area 51 downloaded onto a USB)
- Pidge is the hacker of the family, if you haven't already noticed
- she one time hacked the speakers in her school to play All Star on loop for the whole day and eventually school got cancelled; she and Matt both had a test they didn't study for that day and they needed to get out
- her parents knew that they were the ones behind it
- they got ice cream after the Holt parents picked them up because "it was fucking incredible"
- Matt and Pidge don't know "what is this thing you call sleep?"
- they have a record of who has stayed up the most days without sleeping
- Pidge wins by staying up for a week and a half
- prank wars
- not even the Holt parents are safe
- not even their dog
- Matt lost all his hair one time
- Pidge's body soap dyed her skin paper white for 2 weeks
- Bae Bae got a rat tail once
- Samuel Holt lost his car once
- Colleen Holt got a bucket of paint poured all over her and her fancy clothes
this is it dudes, hope you enjoyed
How German investigators crack seized smartphones
If the business of commercial smartphone hacking is an impenetrable forest, then the company Cellebrite is the top dog. The bestseller of the Israeli spytech firm is a tablet-like device called UFED (Universal Forensic Extraction Device). For several thousand euros, buyers can not only crack phone passcodes but also siphon off sensitive data such as SMS, emails, photos or phone numbers from thousands of locked devices. The only requirement: the investigator must have the target device in front of them. That makes the "digital forensics" company a favorite among law enforcement agencies, which only have to connect a smartphone to the UFED to read it out. Cellebrite is controversial, however, because it also sells its technology to repressive regimes: besides Bahrain, the hacking company's customers probably include Russia, Turkey and the United Arab Emirates, countries notorious for their poor human rights records, whose governments may well use Cellebrite's tools to spy on dissidents and imprison them unlawfully. But now a hack has produced a gigantic leak at one of the largest spy-tech firms and thrown light on the secretive industry in which Cellebrite claims market leadership.
Motherboard's research shows not only that law enforcement agencies in the US and other countries spend millions on the popular cracking hardware, but also that at least half a dozen German investigative agencies rely on Cellebrite's technology. Using the technology is legal in Germany, yet little has been known about it so far.
Cellebrite customers are in fact supposed to present a court order for cracking a device when they buy a Cellebrite product. But a look at the market for the extraction devices shows that they are also traded on the black market, so the technology can easily be misused.
A UFED Touch reads out a Samsung smartphone. Image: Cellebrite
In a 900 GB database that a hacker passed to Motherboard lie login data, passwords and the correspondence of German investigators with the smartphone hackers at Cellebrite, conducted via the customer portal My.Cellebrite. Most of the hits from the German-speaking area are requests from investigators to Cellebrite customer support and for technical advice on smartphone hacks. The case gives insight into a little-noticed but nonetheless important part of police work: cooperation with external makers of hacking tools in investigators' everyday work.
When officials communicate with emojis
"Hello, can navigation devices (TOM TOM) be evaluated? If so, which cable?", an investigator from the Deggendorf police wanted to know in March 2011. A forensic examiner at the Bavarian LKA (State Criminal Police Office) also needed support in November 2012: "During the physical dump of an iPhone 4 I received an 'Unexpected error'. The phone's display is black and, when connected to the USB interface, the device registers as 'Cellebrite Device'..." Thanks to the hacked messages we know that the Federal Police owns one particular Cellebrite device for extracting data that was made specifically for devices with Chinese chipsets.
In this message the agency shows no especially confident English, but it does show a virtuoso command of emojis: "Dear ladies and gentlemen, I have tested the Chinex box, but it does not work for me :S The Chinex manual says I should perform the data extraction on the UME via a physical dump and then Chinese phones, but there is no entry for that :((( "
A message from the Federal Police from the Cellebrite data leak. Redactions: Motherboard
But it also gets more trivial: in October of the same year the Brandenburg LKA struggled just to activate the UFED system (the device for extracting data from smartphones) on a new PC at all. At the IT evidence-preservation unit of the Saxony-Anhalt South police, an employee has "the following problem: Sony Ericsson C902 readout in the SMS messages memory area. I recently read out three devices of this series logically. On two devices the SMS messages memory area is not read out..."
How differently the German agencies react
Cellebrite has a branch in Munich and has translated its website into German. On Cellebrite's website, however, there is not a word about cooperation with German agencies, even though the company otherwise proudly lists its customers in other countries and describes in detail which agencies rely on which Cellebrite hacking tools. Cellebrite declined to comment on its cooperation with German agencies when asked and, after the hack, merely published a statement on the stolen data on its company website. Although the use of such data-extraction tools is legal with the appropriate court order, the German police agencies in question behave very differently when asked about it.
Depending on the agency, investigators are sometimes open, sometimes rather tight-lipped, or refuse entirely to provide information on their use of Cellebrite products. In our inquiries we also asked the Bavarian LKA, the Federal Police, the Brandenburg LKA, the Saxony-Anhalt LKA, the North Rhine-Westphalia LKA and the Deggendorf police to tell us how long the cooperation has existed and in which cases the smartphone crackers are used.
The most detailed answer comes from Munich
The Bavarian LKA confirmed to Motherboard last week that it has been a customer of Cellebrite GmbH for four years. Three of the six agencies asked, however, did not want to provide any information about private investigative tools. The Federal Police answered us: "Forensic special tools from the company Cellebrite (...) are used in the Federal Police. Further information on police methods and tools is not disclosed for fundamental reasons and for reasons of investigative tactics."
In a video the spytech firm advertises the various kinds of data that can be read out of a smartphone. Image: Cellebrite
We also asked the agencies whether they depend on the hacking products of Cellebrite and other vendors in their investigations or whether they can also fall back on in-house developments. The North Rhine-Westphalia LKA told us by email: "At the LKA NRW, as in the IT investigative support units of the district police authorities in NRW, a wide variety of tools are used to secure IT data. The company Celebrite (sic!) is one of the market leaders in securing data from mobile phones. Its software and hardware products, like those of other companies, are used alongside in-house developments for data preservation and processing at the police. Statistics on which products are used how often do not exist."
The Bavarian LKA likewise keeps no statistics on the cases in which the tools are used, but it does use "numerous programs from different software manufacturers". Whether the Bavarian State Criminal Police Office depends on buying such data-extraction tools or has software of its own for data extraction, the investigators would not say; such information could impair the "efficiency and functionality of police work". We can therefore note that in several cases the Cellebrite products make up only part of the purchased repertoire of digital forensic examiners. It is still unclear who the other vendors are whose tools German police rely on when cracking a smartphone, and how much money flows to them.
Update from February 1, 2017: An earlier version said the data from the hack had given information about US agencies' spending on Cellebrite. In fact the information on spending comes from a Freedom of Information Act request that Motherboard had reported on earlier.
https://motherboard.vice.com/de/article/wie-deutsche-ermittler-beschlagnahmte-smartphones-knacken
0 notes
Text
Original Post from Security Affairs Author: Pierluigi Paganini
Security firm revealed that China-linked APT group Turbine Panda conducted cyber-espionage operations aimed at various aerospace firms for years.
Security researchers at Crowdstrike uncovered long-running cyber-espionage operations aimed at various aerospace firms. According to the experts, the cyber-espionage operations began in January 2010, after the state-owned enterprise Commercial Aircraft Corporation of China (COMAC) selected U.S.-based CFM International to provide a custom engine (LEAP-1C) for its C919 aircraft. The researchers attributed the attacks to a China-linked threat actor tracked as TURBINE PANDA, who targeted multiple companies that manufactured the C919’s components between 2010 and 2015. The operations are traceable back to the MSS Jiangsu Bureau, the same unit blamed for the 2015 U.S. Office of Personnel Management (OPM) breach.
“However, the C919 can hardly be seen as a complete domestic triumph, because it is reliant on a plethora of foreign-manufactured components. Likely in an effort to bridge those gaps, the Chinese state-aligned adversary TURBINE PANDA conducted cyber intrusions from roughly 2010 to 2015 against several of the companies that make the C919’s various components.” reads a blog post published by Crowdstrike.
Researchers noticed that in August 2016, both COMAC and AVIC became the main shareholders of the Aero Engine Corporation of China (AECC/中国航空发动机集团), which produced the CJ-1000AX engine. Experts claim that the CJ-1000AX is quite similar to the LEAP-1C, as its dimensions and turbofan blade design show.
Researchers suspect that the aircraft maker benefited from information obtained through cyber-espionage campaigns carried out over the years.
“The actual process by which the CCP and its SOEs provide China’s intelligence services with key technology gaps for collection is relatively opaque, but what is known from CrowdStrike Intelligence reporting and corroborating U.S. government reporting is that Beijing uses a multifaceted system of forced technology transfer, joint ventures, physical theft of intellectual property from insiders, and cyber-enabled espionage to acquire the information it needs.” continues Crowdstrike.
The hackers targeted multiple companies that were involved in the supply of components for the project, including Honeywell and Safran.
The Turbine Panda cyber-espionage group used multiple malware families to compromise the systems of the target organizations; the researchers reported the involvement of the PlugX RAT, the Winnti backdoor, and the Sakula malware.
Researchers identified a HUMINT element to the JSSD’s espionage operations against the targets in the aerospace industry that were involved in the project.
“In February 2014, one of our own blogs described the relationship between cyber activity in 2012 against Capstone Turbine and an SWC targeting Safran/Snecma carried out by TURBINE PANDA, potentially exposing the HUMINT-enabled cyber operations described in some of the indictments.” reads the report published by the experts. “As described in the ZHANG indictment, on 26 February 2014, one day after the release of our “French Connection” blog publicly exposed some of TURBINE PANDA’s operations, intel officer XU texted his JSSD counterpart, cyber director CHAI, asking if the domain ns24.dnsdojo.com was related to their cyber operations. That domain was one of the few controlled by cyber operator lead LIU, and several hours after CHAI responded to XU’s text that he would verify, the domain name was deleted”
According to the report, in November 2013, the JSSD Intelligence Officer Xu Yanjun recruited a Safran Suzhou insider named Tian Xi.
In January 2014, Tian Xi delivered the Sakula malware to the target company on a USB drive.
Although Xu Yanjun, the Sakula developer Yu Pingan, and two individuals working as insiders have been arrested, the cyber-espionage campaigns have not ceased.
“Even with the arrest of a senior MSS intelligence officer and a valuable malware developer, the potential benefits of cyber-enabled espionage to China’s key strategic goals has seemingly outweighed the consequences to date,” Crowdstrike concludes. “Similar to the procedure for developing the C919, the JV is currently taking bids for an aircraft engine that will be used until a Chinese-Russian substitute can take its place; this appears likely to be the CJ2000, an upgraded version of the CJ-1000AX used in the C919.”
Pierluigi Paganini
(SecurityAffairs – China Turbine Panda, cyberespionage)
The post China-linked cyberspies Turbine PANDA targeted aerospace firms for years appeared first on Security Affairs.
0 notes
Text
Original Post from Security Affairs Author: Pierluigi Paganini
A new round of the weekly SecurityAffairs newsletter arrived!
The best news of the week with Security Affairs.
Once again thank you!
Expert released PoC for Outlook for Android flaw addressed by Microsoft
Hundreds of million computers potentially exposed to hack due to a flaw in PC-Doctor component
NASA hacked! An unauthorized Raspberry Pi connected to its network was the entry point
Trump secretly ordered cyber attacks against Iran missile systems
CVE-2019-10149: Return of the WiZard Vulnerability: Crooks Start Hitting
Free proxy service runs on top of Linux Ngioweb Botnet
OpenSSH introduces a security feature to prevent Side-Channel Attacks
US DHS CISA warns of Iran-linked hackers using data wipers in cyberattacks
WeTransfer incident: file transfer emails were sent to unintended email addresses
Anonymous Belgium hacker identified after dropping USB drive while throwing Molotov cocktail
Iran denies attack against its infrastructure has ever succeeded
Microsoft warns of attacks delivering FlawedAmmyy RAT directly in memory
OSX/Linker, a new piece of Mac malware that exploits Gatekeeper bypass
SocialEngineered forum hacked and data leaked online
European law enforcement agencies arrested 6 individuals involved in $27M cryptocurrency theft
Lake City agreed to pay $500,000 in ransom, is the second case in Florida in a week
Malspam campaign spreads LokiBot & NanoCore via ISO image files
Operation Soft Cell – Multiple telco firms hacked by nation-state actor
Silex malware bricks thousands of IoT devices in a few hours
Cisco addressed critical flaws in Cisco Data Center Network Manager
Crooks stole millions from Bitrue Cryptocurrency Exchange
Flaws in EA Games Login exposed accounts of 300 Million Gamers to hack
Flaws in the BlueStacks Android emulator allows remote code execution and more
Similarities and differences between MuddyWater and APT34
US-based Cloud Solution Provider PCM Inc. hacked
Cloud Hopper operation hit 8 of the worlds biggest IT service providers
Italian data protection watchdog fines Facebook over Cambridge Analytica scandal
Regin spyware involved in attack against the Russian tech giant Yandex
Attunity data leak: Netflix, Ford, TD Bank data exposed by Open AWS Buckets
Talos discovered Spelevo EK, an exploit kit spreading via B2B Website
(SecurityAffairs – newsletter)
The post Security Affairs newsletter Round 220 – News of the week appeared first on Security Affairs.
0 notes
Text
Original Post from FireEye Author: Randi Eitzman
Introduction
Cyber criminals tend to favor cryptocurrencies because they provide a certain level of anonymity and can be easily monetized. This interest has increased in recent years, stemming far beyond the desire to simply use cryptocurrencies as a method of payment for illicit tools and services. Many actors have also attempted to capitalize on the growing popularity of cryptocurrencies, and subsequent rising price, by conducting various operations aimed at them. These operations include malicious cryptocurrency mining (also referred to as cryptojacking), the collection of cryptocurrency wallet credentials, extortion activity, and the targeting of cryptocurrency exchanges.
This blog post discusses the various trends that we have been observing related to cryptojacking activity, including cryptojacking modules being added to popular malware families, an increase in drive-by cryptomining attacks, the use of mobile apps containing cryptojacking code, cryptojacking as a threat to critical infrastructure, and observed distribution mechanisms.
What Is Mining?
As transactions occur on a blockchain, those transactions must be validated and propagated across the network. As computers connected to the blockchain network (aka nodes) validate and propagate the transactions across the network, the miners include those transactions into “blocks” so that they can be added onto the chain. Each block is cryptographically hashed, and must include the hash of the previous block, thus forming the “chain” in blockchain. In order for miners to compute the complex hashing of each valid block, they must use a machine’s computational resources. The more blocks that are mined, the more resource-intensive solving the hash becomes. To overcome this, and accelerate the mining process, many miners will join collections of computers called “pools” that work together to calculate the block hashes. The more computational resources a pool harnesses, the greater the pool’s chance of mining a new block. When a new block is mined, the pool’s participants are rewarded with coins. Figure 1 illustrates the roles miners play in the blockchain network.
Figure 1: The role of miners
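The block, previous-hash link and brute-force nonce search described above, as an added toy proof-of-work chain (example code written for this page, not from the FireEye post). The difficulty, transactions and hashrates are constructed values; it uses SHA-256 for simplicity rather than Monero's CryptoNight, and the point it makes is why mining costs CPU and why nodes can cheaply verify what miners expensively produce.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List

# Constructed difficulty: the block hash must begin with this many zero bits.
# Real networks adjust this continuously; 14 keeps the demo to a fraction of a second.
DIFFICULTY_BITS = 14
GENESIS_PREV = "0" * 64  # the first block has no predecessor


@dataclass
class Block:
    index: int
    prev_hash: str            # hash of the previous block: this link is the "chain"
    transactions: List[str]   # validated transactions the miner chose to include
    nonce: int = 0            # the only field the miner is free to vary

    def header(self) -> bytes:
        # Canonical serialisation so an identical block always hashes identically.
        fields = {"i": self.index, "p": self.prev_hash, "tx": self.transactions, "n": self.nonce}
        return json.dumps(fields, sort_keys=True).encode()

    def digest(self) -> str:
        return hashlib.sha256(self.header()).hexdigest()


def meets_target(digest_hex: str, bits: int = DIFFICULTY_BITS) -> bool:
    """True when the top `bits` bits of the 256-bit hash are all zero."""
    return (int(digest_hex, 16) >> (256 - bits)) == 0


def mine(block: Block, bits: int = DIFFICULTY_BITS) -> int:
    """Brute-force the nonce until the hash meets the target; returns hash attempts.

    Each attempt is one SHA-256 over the header. On average 2**bits attempts are
    needed, which is the work a cryptojacker offloads onto victims' CPUs.
    """
    attempts = 1
    while not meets_target(block.digest(), bits):
        block.nonce += 1
        attempts += 1
    return attempts


def build_chain(tx_batches: List[List[str]], bits: int = DIFFICULTY_BITS) -> List[Block]:
    chain: List[Block] = []
    prev = GENESIS_PREV
    for i, txs in enumerate(tx_batches):
        blk = Block(index=i, prev_hash=prev, transactions=list(txs))
        mine(blk, bits)
        chain.append(blk)
        prev = blk.digest()
    return chain


def validate_chain(chain: List[Block], bits: int = DIFFICULTY_BITS) -> bool:
    """What every node re-checks cheaply: each block meets the target and commits
    to its predecessor's hash. Editing an old transaction changes that block's
    hash, breaks the link, and would force the editor to re-mine everything after it."""
    for i, blk in enumerate(chain):
        if not meets_target(blk.digest(), bits):
            return False
        expected_prev = GENESIS_PREV if i == 0 else chain[i - 1].digest()
        if blk.prev_hash != expected_prev:
            return False
    return True


def pool_win_probability(pool_hashrate: float, network_hashrate: float) -> float:
    """A pool's chance of finding the next block is its share of total hashrate,
    which is why harnessing more (stolen) CPUs directly raises expected reward."""
    return pool_hashrate / network_hashrate


if __name__ == "__main__":
    chain = build_chain([["alice->bob:5"], ["bob->carol:2"]])
    print("valid:", validate_chain(chain))
    chain[0].transactions[0] = "alice->mallory:5"   # tamper with history
    print("valid after tamper:", validate_chain(chain))
```

Verification is one hash per block while mining is thousands of hashes per block; that asymmetry is the whole economic basis of cryptojacking.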
Underground Interest
FireEye iSIGHT Intelligence has identified eCrime actor interest in cryptocurrency mining-related topics dating back to at least 2009 within underground communities. Keywords that yielded significant volumes include miner, cryptonight, stratum, xmrig, and cpuminer. While searches for certain keywords fail to provide context, the frequency of these cryptocurrency mining-related keywords shows a sharp increase in conversations beginning in 2017 (Figure 2). It is probable that at least a subset of actors prefer cryptojacking over other types of financially motivated operations due to the perception that it does not attract as much attention from law enforcement.
Figure 2: Underground keyword mentions
Monero Is King
The majority of recent cryptojacking operations have overwhelmingly focused on mining Monero, an open-source cryptocurrency based on the CryptoNote protocol, as a fork of Bytecoin. Unlike many cryptocurrencies, Monero uses a unique technology called “ring signatures,” which shuffles users’ public keys to eliminate the possibility of identifying a particular user, ensuring it is untraceable. Monero also employs a protocol that generates multiple, unique single-use addresses that can only be associated with the payment recipient and are unfeasible to be revealed through blockchain analysis, ensuring that Monero transactions are unable to be linked while also being cryptographically secure.
The Monero blockchain also uses what’s called a “memory-hard” hashing algorithm called CryptoNight and, unlike Bitcoin’s SHA-256 algorithm, it deters application-specific integrated circuit (ASIC) chip mining. This feature is critical to the Monero developers and allows for CPU mining to remain feasible and profitable. Due to these inherent privacy-focused features and CPU-mining profitability, Monero has become an attractive option for cyber criminals.
Underground Advertisements for Miners
Because most miner utilities are small, open-sourced tools, many criminals rely on crypters. Crypters are tools that employ encryption, obfuscation, and code manipulation techniques to keep their tools and malware fully undetectable (FUD). Table 1 highlights some of the most commonly repurposed Monero miner utilities.
XMR Mining Utilities
XMR-STACK
MINERGATE
XMRMINER
CCMINER
XMRIG
CLAYMORE
SGMINER
CAST XMR
LUKMINER
CPUMINER-MULTI
Table 1: Commonly used Monero miner utilities
The following are sample advertisements for miner utilities commonly observed in underground forums and markets. Advertisements typically range from stand-alone miner utilities to those bundled with other functions, such as credential harvesters, remote administration tool (RAT) behavior, USB spreaders, and distributed denial-of-service (DDoS) capabilities.
Sample Advertisement #1 (Smart Miner + Builder)
In early April 2018, actor “Mon£y” was observed by FireEye iSIGHT Intelligence selling a Monero miner for $80 USD – payable via Bitcoin, Bitcoin Cash, Ether, Litecoin, or Monero – that included unlimited builds, free automatic updates, and 24/7 support. The tool, dubbed Monero Madness (Figure 3), featured a setting called Madness Mode that configures the miner to only run when the infected machine is idle for at least 60 seconds. This allows the miner to work at its full potential without running the risk of being identified by the user. According to the actor, Monero Madness also provides the following features:
Unlimited builds
Builder GUI (Figure 4)
Written in AutoIT (no dependencies)
FUD
Safer error handling
Uses most recent XMRig code
Customizable pool/port
Packed with UPX
Works on all Windows OS (32- and 64-bit)
Madness Mode option
Figure 3: Monero Madness
Figure 4: Monero Madness builder
Sample Advertisement #2 (Miner + Telegram Bot Builder)
In March 2018, FireEye iSIGHT Intelligence observed actor “kent9876” advertising a Monero cryptocurrency miner called Goldig Miner (Figure 5). The actor requested payment of $23 USD for either CPU or GPU build or $50 USD for both. Payments could be made with Bitcoin, Ether, Litecoin, Dash, or PayPal. The miner ostensibly offers the following features:
Written in C/C++
Build size is small (about 100–150 kB)
Hides miner process from popular task managers
Can run without Administrator privileges (user-mode)
Auto-update ability
All data encoded with 256-bit key
Access to Telegram bot-builder
Lifetime support (24/7) via Telegram
Figure 5: Goldig Miner advertisement
Sample Advertisement #3 (Miner + Credential Stealer)
In March 2018, FireEye iSIGHT Intelligence observed actor “TH3FR3D” offering a tool dubbed Felix (Figure 6) that combines a cryptocurrency miner and credential stealer. The actor requested payment of $50 USD payable via Bitcoin or Ether. According to the advertisement, the Felix tool boasted the following features:
Written in C# (Version 1.0.1.0)
Browser stealer for all major browsers (cookies, saved passwords, auto-fill)
Monero miner (uses minergate.com pool by default, but can be configured)
Filezilla stealer
Desktop file grabber (.txt and more)
Can download and execute files
Update ability
USB spreader functionality
PHP web panel
Figure 6: Felix HTTP
Sample Advertisement #4 (Miner + RAT)
In January 2018, FireEye iSIGHT Intelligence observed actor “ups” selling a miner for any Cryptonight-based cryptocurrency (e.g., Monero and Dashcoin) for either Linux or Windows operating systems. In addition to being a miner, the tool allegedly provides local privilege escalation through the CVE-2016-0099 exploit, can download and execute remote files, and receive commands. Buyers could purchase the Windows or Linux tool for €200 EUR, or €325 EUR for both the Linux and Windows builds, payable via Monero, bitcoin, ether, or dash. According to the actor, the tool offered the following:
Windows Build Specifics
Written in C++ (no dependencies)
Miner component based on XMRig
Easy cryptor and VPS hosting options
Web panel (Figure 7)
Uses TLS for secured communication
Download and execute
Auto-update ability
Cleanup routine
Receive remote commands
Perform privilege escalation
Features “game mode” (mining stops if user plays game)
Proxy feature (based on XMRig)
Support (for €20/month)
Kills other miners from list
Hidden from TaskManager
Configurable pool, coin, and wallet (via panel)
Can mine the following Cryptonight-based coins:
Monero
Bytecoin
Electroneum
DigitalNote
Karbowanec
Sumokoin
Fantomcoin
Dinastycoin
Dashcoin
LeviarCoin
BipCoin
QuazarCoin
Bitcedi
Linux Build Specifics
Issues running on Linux servers (higher performance on desktop OS)
Compatible with AMD64 processors on Ubuntu, Debian, Mint (support for CentOS later)
Figure 7: Miner bot web panel
Sample Advertisement #5 (Miner + USB Spreader + DDoS Tool)
In August 2017, actor “MeatyBanana” was observed by FireEye iSIGHT Intelligence selling a Monero miner utility that included the ability to download and execute files and perform DDoS attacks. The actor offered the software for $30 USD, payable via Bitcoin. Ostensibly, the tool works with CPUs only and offers the following features:
Configurable miner pool and port (default to minergate)
Compatible with both 64- and 86-bit Windows OS
Hides from the following popular task managers:
Windows Task Manager
Process Killer
KillProcess
System Explorer
Process Explorer
AnVir
Process Hacker
Masked as a system driver
Does not require administrator privileges
No dependencies
Registry persistence mechanism
Ability to perform “tasks” (download and execute files, navigate to a site, and perform DDoS)
USB spreader
Support after purchase
The Cost of Cryptojacking
The presence of mining software on a network can generate costs on three fronts as the miner surreptitiously allocates resources:
Degradation in system performance
Increased cost in electricity
Potential exposure of security holes
Cryptojacking targets computer processing power, which can lead to high CPU load and degraded performance. In extreme cases, CPU overload may even cause the operating system to crash. Infected machines may also attempt to infect neighboring machines and therefore generate large amounts of traffic that can overload victims’ computer networks.
In the case of operational technology (OT) networks, the consequences could be severe. Supervisory control and data acquisition/industrial control systems (SCADA/ICS) environments predominantly rely on decades-old hardware and low-bandwidth networks, so even a slight increase in CPU load or network traffic could leave industrial infrastructures unresponsive, impeding operators from interacting with the controlled process in real time.
The electricity cost, measured in kilowatt hours (kWh), depends on several factors: how often the malicious miner software is configured to run, how many threads it is configured to use while running, and the number of machines mining on the victim’s network. The cost per kWh is also highly variable and depends on geolocation. For example, security researchers who ran Coinhive on a machine for 24 hours found that the electrical consumption was 1.212 kWh. They estimated that this equated to electrical costs per month of $10.50 USD in the United States, $5.45 USD in Singapore, and $12.30 USD in Germany.
Cryptojacking can also highlight often overlooked security holes in a company’s network. Organizations infected with cryptomining malware are also likely vulnerable to more severe exploits and attacks, ranging from ransomware to ICS-specific malware such as TRITON.
Cryptocurrency Miner Distribution Techniques
In order to maximize profits, cyber criminals widely disseminate their miners using various techniques such as incorporating cryptojacking modules into existing botnets, drive-by cryptomining attacks, the use of mobile apps containing cryptojacking code, and distributing cryptojacking utilities via spam and self-propagating utilities. Threat actors can use cryptojacking to affect numerous devices and secretly siphon their computing power. Some of the most commonly observed devices targeted by these cryptojacking schemes are:
User endpoint machines
Enterprise servers
Websites
Mobile devices
Industrial control systems
Cryptojacking in the Cloud
Private sector companies and governments alike are increasingly moving their data and applications to the cloud, and cyber threat groups have been moving with them. Recently, there have been various reports of actors conducting cryptocurrency mining operations specifically targeting cloud infrastructure. Cloud infrastructure is increasingly a target for cryptojacking operations because it offers actors an attack surface with large amounts of processing power in an environment where CPU usage and electricity costs are already expected to be high, thus allowing their operations to potentially go unnoticed. We assess with high confidence that threat actors will continue to target enterprise cloud networks in efforts to harness their collective computational resources for the foreseeable future.
The following are some real-world examples of cryptojacking in the cloud:
In February 2018, FireEye researchers published a blog detailing various techniques actors used in order to deliver malicious miner payloads (specifically to vulnerable Oracle servers) by abusing CVE-2017-10271. Refer to our blog post for more detailed information regarding the post-exploitation and pre-mining dissemination techniques used in those campaigns.
In March 2018, Bleeping Computer reported on the trend of cryptocurrency mining campaigns moving to the cloud via vulnerable Docker and Kubernetes applications, which are two software tools used by developers to help scale a company’s cloud infrastructure. In most cases, successful attacks occur due to misconfigured applications and/or weak security controls and passwords.
In February 2018, Bleeping Computer also reported on hackers who breached Tesla’s cloud servers to mine Monero. Attackers identified a Kubernetes console that was not password protected, allowing them to discover login credentials for the broader Tesla Amazon Web services (AWS) S3 cloud environment. Once the attackers gained access to the AWS environment via the harvested credentials, they effectively launched their cryptojacking operations.
Reports of cryptojacking activity due to misconfigured AWS S3 cloud storage buckets have also been observed, as was the case in the LA Times online compromise in February 2018. The presence of vulnerable AWS S3 buckets allows anyone on the internet to access and change hosted content, including the ability to inject mining scripts or other malicious software.
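The open-bucket case above comes down to a policy statement that lets an anonymous principal write objects. The following added example (written for this page, not FireEye's or AWS's code) evaluates an S3 bucket policy document offline and reports the statements that grant anonymous writes, beside a hardened policy that keeps public read but restricts writes to one role. Both policies, the bucket name and the role ARN are constructed placeholders.

```python
import json
from typing import Any, Dict, List, Union

# Actions that let an anonymous caller upload or alter content (e.g. inject a mining script).
WRITE_ACTIONS = {"s3:putobject", "s3:putobjectacl", "s3:deleteobject", "s3:*", "*"}


def _as_list(value: Any) -> List[Any]:
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal: Any) -> bool:
    # Both  "Principal": "*"  and  "Principal": {"AWS": "*"}  mean unauthenticated access.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _grants_write(actions: Any) -> bool:
    return any(str(a).lower() in WRITE_ACTIONS for a in _as_list(actions))


def public_write_statements(policy: Union[str, Dict[str, Any]]) -> List[str]:
    """Return the Sid (or position) of every Allow statement that lets anyone write
    and carries no Condition. Conditioned grants are skipped here and should be
    reviewed by hand, since a Condition may or may not narrow the principal."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings: List[str] = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anyone(stmt.get("Principal")):
            continue
        if not _grants_write(stmt.get("Action")):
            continue
        if stmt.get("Condition"):
            continue
        findings.append(stmt.get("Sid", f"statement[{i}]"))
    return findings


def is_publicly_writable(policy: Union[str, Dict[str, Any]]) -> bool:
    return bool(public_write_statements(policy))


# Constructed sample 1: the weak setting. Anyone on the internet can PUT objects.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AnyoneCanWrite",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-placeholder-bucket/*",
    }],
})

# Constructed sample 2: the corrected form. Public read stays; writes need a named role.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-placeholder-bucket/*"},
        {"Sid": "DeployRoleWrites", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/deploy-placeholder"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-placeholder-bucket/*"},
    ],
})

if __name__ == "__main__":
    print(public_write_statements(OPEN_POLICY))      # ['AnyoneCanWrite']
    print(public_write_statements(HARDENED_POLICY))  # []
```

In a live audit the policy document would come from `get_bucket_policy` in boto3, and the same check has to be repeated for bucket ACLs and the account's Block Public Access settings, because an ACL grant to `AllUsers` opens a bucket just as effectively as a policy statement. The checker deliberately ignores `NotPrincipal`/`NotAction` statements and conditioned grants rather than guessing at them.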
Incorporation of Cryptojacking into Existing Botnets
FireEye iSIGHT Intelligence has observed multiple prominent botnets such as Dridex and Trickbot incorporate cryptocurrency mining into their existing operations. Many of these families are modular in nature and have the ability to download and execute remote files, thus allowing the operators to easily turn their infections into cryptojacking bots. While these operations have traditionally been aimed at credential theft (particularly of banking credentials), adding mining modules or downloading secondary mining payloads provides the operators another avenue to generate additional revenue with little effort. This is especially true in cases where the victims were deemed unprofitable or have already been exploited in the original scheme.
The following are some real-world examples of cryptojacking being incorporated into existing botnets:
In early February 2018, FireEye iSIGHT Intelligence observed Dridex botnet ID 2040 download a Monero cryptocurrency miner based on the open-source XMRig miner.
On Feb. 12, 2018, FireEye iSIGHT Intelligence observed the banking malware IcedID injecting Monero-mining JavaScript into webpages for specific, targeted URLs. The IcedID injects launched an anonymous miner using the mining code from Coinhive’s AuthedMine.
In late 2017, Bleeping Computer reported that security researchers with Radware observed the hacking group CodeFork leveraging the popular downloader Andromeda (aka Gamarue) to distribute a miner module to their existing botnets.
In late 2017, FireEye researchers observed Trickbot operators deploy a new module named “testWormDLL” that is a statically compiled copy of the popular XMRig Monero miner.
On Aug. 29, 2017, Security Week reported on a variant of the popular Neutrino banking Trojan, including a Monero miner module. According to their reporting, the new variant no longer aims at stealing bank card data, but instead is limited to downloading and executing modules from a remote server.
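Because the secondary payloads in these cases are mostly stock XMRig builds (often renamed, as with Trickbot's "testWormDLL"), their command lines are a reliable place to look. The following added detection example (written for this page, not FireEye's code) parses `ps -eo pid,user,args`-style output and flags processes by miner binary name, stratum pool URL, typical pool ports, XMRig-style flags, and the shape of a Monero wallet address, so a binary masquerading as a kernel thread is still caught by its arguments. The process listing, hosts, paths and wallet are constructed.

```python
import re
from typing import Dict, List

# Indicators drawn from XMRig-style command lines; all patterns below are heuristics.
STRATUM_URL = re.compile(r"stratum\+(?:tcp|ssl)://[\w.\-]+:\d+", re.I)
POOL_PORT = re.compile(r"(?:^|\s)-o\s+[\w.\-]+:(3333|4444|5555|7777|8080|14444|45700)\b")
MINER_FLAGS = re.compile(
    r"(?:^|\s)(--donate-level|--algo[= ]cryptonight\S*|--coin[= ]monero|--keepalive)", re.I)
# A Monero primary address is 95 base58 characters starting with 4 (subaddresses start with 8).
XMR_ADDRESS = re.compile(r"\b[48][1-9A-HJ-NP-Za-km-z]{94}\b")
KNOWN_MINER_BIN = re.compile(
    r"(?:^|/)(xmrig|xmr-stak(?:-cpu)?|cpuminer(?:-multi)?|minerd|ccminer|sgminer)\b", re.I)

# One `ps -eo pid,user,args` row: pid, user, then the full command line.
PS_LINE = re.compile(r"^\s*(?P<pid>\d+)\s+(?P<user>\S+)\s+(?P<args>.+)$")


def score_command_line(args: str) -> List[str]:
    """Return the list of miner indicators present in one command line."""
    reasons: List[str] = []
    if KNOWN_MINER_BIN.search(args.split()[0]):   # first token is the binary path
        reasons.append("known miner binary name")
    if STRATUM_URL.search(args):
        reasons.append("stratum pool URL")
    if POOL_PORT.search(args):
        reasons.append("-o host:port on a common pool port")
    if MINER_FLAGS.search(args):
        reasons.append("xmrig-style flags")
    if XMR_ADDRESS.search(args):
        reasons.append("Monero wallet address")
    return reasons


def find_miners(ps_output: str) -> List[Dict[str, object]]:
    """Parse a process listing and return the rows that look like CryptoNote miners."""
    hits: List[Dict[str, object]] = []
    for line in ps_output.splitlines():
        m = PS_LINE.match(line)
        if not m:               # header line or malformed row
            continue
        reasons = score_command_line(m["args"])
        if reasons:
            hits.append({"pid": int(m["pid"]), "user": m["user"], "reasons": reasons})
    return hits


# Constructed placeholder with the shape of a Monero address; not a real wallet.
FAKE_WALLET = "4" + "A" * 94

# Constructed process listing: one obvious miner, one renamed miner, two benign rows.
SAMPLE_PS = f"""\
  PID USER     COMMAND
 1023 svc      /opt/app/xmrig -o pool.example-xmr.test:4444 -u {FAKE_WALLET} --donate-level 1
 2048 root     /usr/sbin/sshd -D
 3100 www-data /tmp/.x/kthreadd -o stratum+tcp://198.51.100.7:3333 --algo=cryptonight --background
 4201 alice    python3 /home/alice/app.py --port 8080
"""

if __name__ == "__main__":
    for hit in find_miners(SAMPLE_PS):
        print(hit)
```

The same indicators map directly onto EDR or Sysmon process-creation telemetry (command line field) and onto egress logs (connections to the listed ports and to `stratum+tcp` hosts); pairing a high, sustained CPU alert with any one of them is usually enough to confirm a cryptojacking module.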
Drive-By Cryptojacking
In-Browser
FireEye iSIGHT Intelligence has examined various customer reports of browser-based cryptocurrency mining. Browser-based mining scripts have been observed on compromised websites, third-party advertising platforms, and have been legitimately placed on websites by publishers. While coin mining scripts can be embedded directly into a webpage’s source code, they are frequently loaded from third-party websites. Identifying and detecting websites that have embedded coin mining code can be difficult since not all coin mining scripts are authorized by website publishers, such as in the case of a compromised website. Further, in cases where coin mining scripts were authorized by a website owner, they are not always clearly communicated to site visitors. At the time of reporting, the most popular script being deployed in the wild is Coinhive. Coinhive is an open-source JavaScript library that, when loaded on a vulnerable website, can mine Monero using the site visitor’s CPU resources, unbeknownst to the user, as they browse the site.
The following are some real-world examples of Coinhive being deployed in the wild:
In September 2017, Bleeping Computer reported that the authors of SafeBrowse, a Chrome extension with more than 140,000 users, had embedded the Coinhive script in the extension’s code that allowed for the mining of Monero using users’ computers and without getting their consent.
During mid-September 2017, users on Reddit began complaining about increased CPU usage when they navigated to a popular torrent site, The Pirate Bay (TPB). The spike in CPU usage was a result of Coinhive’s script being embedded within the site’s footer. According to TPB operators, it was implemented as a test to generate passive revenue for the site (Figure 8).
In December 2017, researchers with Sucuri reported on the presence of the Coinhive script being hosted on GitHub.io, which allows users to publish web pages directly from GitHub repositories.
Other reporting disclosed the Coinhive script being embedded on the Showtime domain as well as on the LA Times website, both surreptitiously mining Monero.
A majority of in-browser cryptojacking activity is transitory in nature and will last only as long as the user’s web browser is open. However, researchers with Malwarebytes Labs uncovered a technique that allows mining to continue even after the browser window is closed. The technique leverages a pop-under window surreptitiously hidden under the taskbar. As the researchers pointed out, closing the browser window may not be enough to interrupt the activity, and more deliberate actions such as ending the process from the Task Manager may be required.
Figure 8: Statement from TPB operators on Coinhive script
Malvertising and Exploit Kits
Malvertisements – malicious ads on legitimate websites – commonly redirect visitors of a site to an exploit kit landing page. These landing pages are designed to scan a system for vulnerabilities, exploit those vulnerabilities, and download and execute malicious code onto the system. Notably, the malicious advertisements can be placed on legitimate sites and visitors can become infected with little to no user interaction. This distribution tactic is commonly used by threat actors to widely distribute malware and has been employed in various cryptocurrency mining operations.
The following are some real-world examples of this activity:
In early 2018, researchers with Trend Micro reported that a modified miner script was being disseminated across YouTube via Google’s DoubleClick ad delivery platform. The script was configured to generate a random number variable between 1 and 100, and when the variable was above 10 it would launch the Coinhive script coinhive.min.js, which harnessed 80 percent of the CPU power to mine Monero. When the variable was below 10 it launched a modified Coinhive script that was also configured to harness 80 percent CPU power to mine Monero. This custom miner connected to the mining pool wss[:]//ws[.]l33tsite[.]info:8443, which was likely done to avoid Coinhive’s fees.
In April 2018, researchers with Trend Micro also discovered a JavaScript code based on Coinhive injected into an AOL ad platform. The miner used the following private mining pools: wss[:]//wsX[.]www.datasecu[.]download/proxy and wss[:]//www[.]jqcdn[.]download:8893/proxy. Examination of other sites compromised by this campaign showed that in at least some cases the operators were hosting malicious content on unsecured AWS S3 buckets.
Since July 16, 2017, FireEye has observed the Neptune Exploit Kit redirect to ads for hiking clubs and MP3 converter domains. Payloads associated with the latter include Monero CPU miners that are surreptitiously installed on victims’ computers.
In January 2018, Check Point researchers discovered a malvertising campaign leading to the Rig Exploit Kit, which served the XMRig Monero miner utility to unsuspecting victims.
Mobile Cryptojacking
In addition to targeting enterprise servers and user machines, threat actors have also targeted mobile devices for cryptojacking operations. While this technique is less common, likely due to the limited processing power afforded by mobile devices, cryptojacking on mobile devices remains a threat as sustained power consumption can damage the device and dramatically shorten the battery life. Threat actors have been observed targeting mobile devices by hosting malicious cryptojacking apps on popular app stores and through drive-by malvertising campaigns that identify users of mobile browsers.
The following are some real-world examples of mobile devices being used for cryptojacking:
During 2014, FireEye iSIGHT Intelligence reported on multiple Android malware apps capable of mining cryptocurrency:
In March 2014, Android malware named “CoinKrypt” was discovered, which mined Litecoin, Dogecoin, and CasinoCoin currencies.
In March 2014, another form of Android malware – “Android.Trojan.MuchSad.A” or “ANDROIDOS_KAGECOIN.HBT” – was observed mining Bitcoin, Litecoin, and Dogecoin currencies. The malware was disguised as copies of popular applications, including “Football Manager Handheld” and “TuneIn Radio.” Variants of this malware have reportedly been downloaded by millions of Google Play users.
In April 2014, Android malware named “BadLepricon,” which mined Bitcoin, was identified. The malware was reportedly being bundled into wallpaper applications hosted on the Google Play store, at least several of which received 100 to 500 installations before being removed.
In October 2014, a type of mobile malware called “Android Slave” was observed in China; the malware was reportedly capable of mining multiple virtual currencies.
In December 2017, researchers with Kaspersky Labs reported on a new multi-faceted Android malware capable of a variety of actions including mining cryptocurrencies and launching DDoS attacks. The resource load created by the malware has reportedly been high enough that it can cause the battery to bulge and physically destroy the device. The malware, dubbed Loapi, is unique in the breadth of its potential actions. It has a modular framework that includes modules for malicious advertising, texting, web crawling, Monero mining, and other activities. Loapi is thought to be the work of the same developers behind the 2015 Android malware Podec, and is usually disguised as an anti-virus app.
In January 2018, SophosLabs released a report detailing their discovery of 19 mobile apps hosted on Google Play that contained embedded Coinhive-based cryptojacking code, some of which were downloaded anywhere from 100,000 to 500,000 times.
Between November 2017 and January 2018, researchers with Malwarebytes Labs reported on a drive-by cryptojacking campaign that affected millions of Android mobile browsers to mine Monero.
Cryptojacking Spam Campaigns
FireEye iSIGHT Intelligence has observed several cryptocurrency miners distributed via spam campaigns, a commonly used tactic to indiscriminately distribute malware. We expect malicious actors will continue to use this method to disseminate cryptojacking code for as long as cryptocurrency mining remains profitable.
In late November 2017, FireEye researchers identified a spam campaign delivering a malicious PDF attachment designed to appear as a legitimate invoice from the largest port and container service in New Zealand: Lyttelton Port of Christchurch (Figure 9). Once opened, the PDF would launch a PowerShell script that downloaded a Monero miner from a remote host. The malicious miner connected to the pools supportxmr.com and nanopool.org.
Figure 9: Sample lure attachment (PDF) that downloads malicious cryptocurrency miner
Additionally, a massive cryptojacking spam campaign was discovered by FireEye researchers during January 2018 that was designed to look like legitimate financial services-related emails. The spam email directed victims to an infection link that ultimately dropped a malicious ZIP file onto the victim’s machine. Contained within the ZIP file was a cryptocurrency miner utility (MD5: 80b8a2d705d5b21718a6e6efe531d493) configured to mine Monero and connect to the minergate.com pool. While each of the spam email lures and associated ZIP filenames were different, the same cryptocurrency miner sample was dropped across all observed instances (Table 2).
ZIP Filenames
california_540_tax_form_2013_instructions.exe
state_bank_of_india_money_transfer_agency.exe
format_transfer_sms_banking_bni_ke_bca.exe
confirmation_receipt_letter_sample.exe
sbi_online_apply_2015_po.exe
estimated_tax_payment_coupon_irs.exe
how_to_add_a_non_us_bank_account_to_paypal.exe
western_union_money_transfer_from_uk_to_bangladesh.exe
can_i_transfer_money_from_bank_of_ireland_to_aib_online.exe
how_to_open_a_business_bank_account_with_bad_credit_history.exe
apply_for_sbi_credit_card_online.exe
list_of_lucky_winners_in_dda_housing_scheme_2014.exe
Table 2: Sampling of observed ZIP filenames delivering cryptocurrency miner
Cryptojacking Worms
Following the WannaCry attacks, actors began to increasingly incorporate self-propagating functionality within their malware. Some of the observed self-spreading techniques have included copying to removable drives, brute forcing SSH logins, and leveraging the leaked NSA exploit EternalBlue. Cryptocurrency mining operations significantly benefit from this functionality since wider distribution of the malware multiplies the amount of CPU resources available to them for mining. Consequently, we expect that additional actors will continue to develop this capability.
The following are some real-world examples of cryptojacking worms:
In May 2017, Proofpoint reported a large campaign distributing mining malware “Adylkuzz.” This cryptocurrency miner was observed leveraging the EternalBlue exploit to rapidly spread itself over corporate LANs and wireless networks. This activity included the use of the DoublePulsar backdoor to download Adylkuzz. Adylkuzz infections create botnets of Windows computers that focus on mining Monero.
Security researchers with Sensors identified a Monero miner worm, dubbed “Rarogminer,” in April 2018 that would copy itself to removable drives each time a user inserted a flash drive or external HDD.
In January 2018, researchers at F5 discovered a new Monero cryptomining botnet that targets Linux machines. PyCryptoMiner is based on Python script and spreads via the SSH protocol. The bot can also use Pastebin for its command and control (C2) infrastructure. The malware spreads by trying to guess the SSH login credentials of target Linux systems. Once that is achieved, the bot deploys a simple base64-encoded Python script that connects to the C2 server to download and execute more malicious Python code.
Detection Avoidance Methods
Another trend worth noting is the use of proxies to avoid detection. The implementation of mining proxies presents an attractive option for cyber criminals because it allows them to avoid developer and commission fees of 30 percent or more. Avoiding the use of common cryptojacking services such as Coinhive, Cryptloot, and Deepminer, and instead hosting cryptojacking scripts on actor-controlled infrastructure, can circumvent many of the common strategies taken to block this activity via domain or file name blacklisting.
In March 2018, Bleeping Computer reported on the use of cryptojacking proxy servers and determined that as the use of cryptojacking proxy services increases, the effectiveness of ad blockers and browser extensions that rely on blacklists decreases significantly.
Several mining proxy tools can be found on GitHub, such as the XMRig Proxy tool, which greatly reduces the number of active pool connections, and the CoinHive Stratum Mining Proxy, which uses Coinhive’s JavaScript mining library to provide an alternative to using official Coinhive scripts and infrastructure.
In addition to using proxies, actors may also establish their own self-hosted miner apps, either on private servers or on cloud-based servers that support Node.js. Although private servers may provide some benefit over using a commercial mining service, they are still subject to easy blacklisting and require more operational effort to maintain. According to Sucuri researchers, cloud-based servers provide many benefits to actors looking to host their own mining applications, including:
Available free or at low-cost
No maintenance, just upload the crypto-miner app
Harder to block as blacklisting the host address could potentially impact access to legitimate services
Resilient to permanent takedown as new hosting accounts can more easily be created using disposable accounts
The combination of proxies and crypto-miners hosted on actor-controlled cloud infrastructure presents a significant hurdle to security professionals, as both make cryptojacking operations more difficult to detect and take down.
Mining Victim Demographics
Based on data from FireEye detection technologies, the detection of cryptocurrency miner malware has increased significantly since the beginning of 2018 (Figure 10), with the most popular mining pools being minergate and nanopool (Figure 11), and the most heavily affected country being the U.S. (Figure 12). Consistent with other reporting, the education sector remains most affected, likely due to more relaxed security controls across university networks and students taking advantage of free electricity to mine cryptocurrencies (Figure 13).
Figure 10: Cryptocurrency miner detection activity per month
Figure 11: Commonly observed pools and associated ports
Figure 12: Top 10 affected countries
Figure 13: Top five affected industries
Figure 14: Top affected industries by country
Mitigation Techniques
Unencrypted Stratum Sessions
According to security researchers at Cato Networks, in order for a miner to participate in pool mining, the infected machine has to run native or JavaScript-based code that speaks the Stratum protocol over TCP or HTTP/S. The Stratum protocol uses a publish/subscribe architecture: clients send subscription requests to join a pool, and servers publish messages to their subscribed clients. These messages are simple, readable JSON-RPC messages. Subscription requests include the following entities: id, method, and params (Figure 15). A deep packet inspection (DPI) engine can be configured to look for these parameters in order to block Stratum over unencrypted TCP.
Figure 15: Stratum subscription request parameters
Encrypted Stratum Sessions
In the case of JavaScript-based miners running Stratum over HTTPS, detection is more difficult for DPI engines that do not decrypt TLS traffic. To mitigate encrypted mining traffic on a network, organizations may blacklist the IP addresses and domains of popular mining pools. The downside is the effort of identifying and updating the blacklist, as locating a reliable and continually updated list of popular mining pools can prove difficult and time consuming.
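As an added example (not code from the FireEye report), the following Python sketches the two checks described in the two sections above: a DPI-style parser that flags cleartext Stratum requests by their id/method/params JSON-RPC shape, and a fallback match of the destination host against the pool domains the report names for sessions whose payload is encrypted. The Stratum method list and the sample flows are the example's own assumptions.

```python
import json
from typing import List, Optional

# Stratum request methods: the classic "mining.*" family used by Bitcoin-style
# pools and the CryptoNote flavour ("login"/"submit"/...) used by XMRig-type
# Monero miners. Assumption: this list is the example's, not the report's.
STRATUM_METHODS = {
    "mining.subscribe", "mining.authorize", "mining.submit",
    "mining.extranonce.subscribe",
    "login", "submit", "getjob", "keepalived",
}

# Pool domains named in the report; a secondary signal for the encrypted case,
# where the payload itself cannot be inspected.
KNOWN_POOL_DOMAINS = {"supportxmr.com", "nanopool.org", "minergate.com"}


def parse_stratum_request(line: bytes) -> Optional[dict]:
    """Return the decoded JSON-RPC object if `line` looks like a Stratum client
    request (id/method/params present and a known method), otherwise None.
    Binary, non-JSON or non-object data is simply 'not Stratum'."""
    try:
        obj = json.loads(line.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    if not isinstance(obj, dict):
        return None
    if not all(key in obj for key in ("id", "method", "params")):
        return None
    method = obj["method"]
    if not isinstance(method, str) or method not in STRATUM_METHODS:
        return None
    return obj


def scan_payload(payload: bytes) -> List[dict]:
    """Split a TCP payload into newline-delimited messages and collect the
    Stratum requests. Frames end with '\\n', so an unterminated tail is a
    fragment cut by a segment boundary and is skipped, not mis-parsed."""
    lines = payload.split(b"\n")
    if not payload.endswith(b"\n"):
        lines = lines[:-1]
    found = []
    for raw in lines:
        if not raw.strip():
            continue
        req = parse_stratum_request(raw)
        if req is not None:
            found.append(req)
    return found


def pool_domain_match(dst_host: str) -> bool:
    """True if dst_host is, or is a subdomain of, a known pool domain."""
    host = dst_host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in KNOWN_POOL_DOMAINS)


def classify_flow(dst_host: str, payload: bytes) -> dict:
    """Verdict for one flow: 'stratum' when cleartext Stratum requests are seen,
    'pool-domain' when only the destination matches (e.g. TLS), else 'clean'."""
    requests = scan_payload(payload)
    pool_hit = pool_domain_match(dst_host)
    verdict = "stratum" if requests else ("pool-domain" if pool_hit else "clean")
    return {"dst": dst_host, "verdict": verdict,
            "methods": [r["method"] for r in requests], "pool_match": pool_hit}


# Constructed sample flows (not captured traffic). Wallet is a placeholder.
XMRIG_LOGIN = (b'{"id":1,"jsonrpc":"2.0","method":"login","params":'
               b'{"login":"WALLET_PLACEHOLDER","pass":"x","agent":"XMRig/2.6"}}\n')
BTC_STRATUM = (b'{"id":1,"method":"mining.subscribe","params":[]}\n'
               b'{"id":2,"method":"mining.authorize","params":["worker1","x"]}\n')
HTTP_GET = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
# Second frame cut by a segment boundary: only the first must be reported.
PARTIAL = b'{"id":1,"method":"login","params":{}}\n{"id":2,"method":"sub'
# Non-Stratum JSON-RPC with the same three keys: must not fire.
OTHER_RPC = b'{"id":1,"method":"getBlock","params":[]}\n'
TLS_HELLO = b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"  # opaque bytes

if __name__ == "__main__":
    for host, data in [("pool.supportxmr.com", XMRIG_LOGIN),
                       ("pool.example.net", BTC_STRATUM),
                       ("www.example.com", HTTP_GET),
                       ("pool.example.net", PARTIAL),
                       ("rpc.example.org", OTHER_RPC),
                       ("xmr-eu1.nanopool.org", TLS_HELLO)]:
        print(classify_flow(host, data))
```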
Browser-Based Sessions
Identifying and detecting websites that have embedded coin mining code can be difficult since not all coin mining scripts are authorized by website publishers (as in the case of a compromised website). Further, in cases where coin mining scripts were authorized by a website owner, they are not always clearly communicated to site visitors.
As defenses evolve to prevent unauthorized coin mining activities, so will the techniques used by actors; however, blocking some of the most common indicators that we have observed to date may be effective in combatting a significant amount of the CPU-draining mining activities that customers have reported. Generic detection strategies for browser-based cryptocurrency mining include:
Blocking domains known to have hosted coin mining scripts
Blocking websites of known mining project websites, such as Coinhive
Blocking scripts altogether
Using an ad-blocker or coin mining-specific browser add-ons
Detecting commonly used naming conventions
Alerting and blocking traffic destined for known popular mining pools
Some of these detection strategies may also be of use in blocking some mining functionality included in existing financial malware as well as mining-specific malware families.
It is important to note that JavaScript used in browser-based cryptojacking activity cannot access files on disk. However, if a host has inadvertently navigated to a website hosting mining scripts, we recommend purging cache and other browser data.
Outlook
In underground communities and marketplaces there has been significant interest in cryptojacking operations, and numerous campaigns have been observed and reported by security researchers. These developments demonstrate the continued upward trend of threat actors conducting cryptocurrency mining operations, which we expect to remain a focus throughout 2018. Notably, malicious cryptocurrency mining may be seen as preferable due to the perception that it does not attract as much attention from law enforcement as other forms of fraud or theft. Further, victims may not realize their computer is infected beyond a slowdown in system performance.
Due to its inherent privacy-focused features and CPU-mining profitability, Monero has become one of the most attractive cryptocurrency options for cyber criminals. We believe that it will continue to be threat actors’ primary cryptocurrency of choice, so long as the Monero blockchain maintains privacy-focused standards and is ASIC-resistant. If in the future the Monero protocol ever downgrades its security and privacy-focused features, then we assess with high confidence that threat actors will move to use another privacy-focused coin as an alternative.
Because of the anonymity associated with the Monero cryptocurrency and electronic wallets, as well as the availability of numerous cryptocurrency exchanges and tumblers, attribution of malicious cryptocurrency mining is very challenging for authorities, and malicious actors behind such operations typically remain unidentified. Threat actors will undoubtedly continue to demonstrate high interest in malicious cryptomining so long as it remains profitable and relatively low risk.
Go to Source. Author: Randi Eitzman. How the Rise of Cryptocurrencies Is Shaping the Cyber Crime Landscape: The Growth of Miners. Original Post from FireEye.
Original Post from Security Affairs Author: Pierluigi Paganini
Experts at Kaspersky Lab linked the recent supply-chain attack that targeted ASUS users to the “ShadowPad” threat actor and the CCleaner incident.
Security researchers at Kaspersky Lab linked the recent supply-chain attack that hit ASUS users (tracked as Operation ShadowHammer) to the “ShadowPad” threat actor. Experts also linked the incident to the supply chain attack that targeted CCleaner in September 2018. The Operation ShadowHammer campaign was uncovered by experts from Kaspersky Lab; it took place between June and November 2018, but experts discovered it only in January 2019. The attackers used a Trojanized version of the ASUS Live Update utility to install a backdoor on specific devices, selected based on their MAC addresses. ASUS has since released software updates to address the issue.
According to Kaspersky, threat actors tampered with a legitimate binary that was initially compiled in 2015 and that was digitally signed to avoid detection.
The malicious code injected into the binaries allows the attackers to fetch and install a backdoor, which is then used to control the compromised systems.
“It is important to note that any, even tiny, tampering with executables in such a case normally breaks the digital signature. However, in this case, the digital signature was intact: valid and verifiable. We quickly realized that we were dealing with a case of a compromised digital signature.” reads the analysis published by Kaspersky.
“We believe this to be the result of a sophisticated supply chain attack, which matches or even surpasses the ShadowPad and the CCleaner incidents in complexity and techniques. The reason that it stayed undetected for so long is partly the fact that the trojanized software was signed with legitimate certificates (e.g. “ASUSTeK Computer Inc.”).”
The supply chain attack was very sophisticated and very targeted: the backdoor was designed to be installed on only 600 select devices, identified through their MAC address.
Some of the MAC addresses targeted by the hackers were rather popular, such as 00-50-56-C0-00-08, which belongs to the VMware virtual adapter VMnet8 and is shared by all users of a certain version of the VMware software for Windows.
Another MAC address used in the attack was 0C-5B-8F-27-9A-64, which is the MAC address of a virtual Ethernet adapter designed by Huawei for its E3372h USB 3G modem.
During their investigation, experts found other digitally signed binaries from three other vendors in Asia. The binaries are signed with different certificates and a unique chain of trust, but experts pointed out that the way the binaries were trojanized was the same in the three cases.
“The malicious code was not inserted as a resource, neither did it overwrite the unused zero-filled space inside the programs. Instead, it seems to have been neatly compiled into the program, and in most cases, it starts at the beginning of the code section as if it had been added even before the legitimate code.” continues the analysis. “Even the data with the encrypted payload is stored inside this code section. This indicates that the attackers either had access to the source code of the victim’s projects or injected malware on the premises of the breached companies at the time of project compilation.”
Experts found many similarities between non-ASUS-related cases and the ASUS supply chain attack, such as the algorithm used to calculate API function hashes, and the use of IPHLPAPI.dll from within a shellcode embedded into a PE file.
The investigators also found a connection between the ASUS attack and the ShadowPad backdoor, which was first detected in 2017 and attributed to the Axiom group (also known as APT17 or DeputyDog).
The most popular campaign attributed to the APT17 group is the attack on Google’s infrastructure, also known as Operation Aurora. For almost a decade APT17 targeted government organizations in several Southeast Asian countries and the US, NGOs, defense contractors, law firms, IT firms, and mining companies.
According to malware experts at Intezer, the code used in the CCleaner attack has many similarities with the code used by the Axiom group.
Experts at Kaspersky noticed that the malicious code used in Operation ShadowHammer reused algorithms from multiple malware samples, including several from PlugX RAT, a backdoor used by many Chinese-speaking hacker groups.
“ShadowPad, a powerful threat actor, previously concentrated on hitting one company at a time. Current research revealed at least four companies compromised in a similar manner, with three more suspected to have been breached by the same attacker.” Kaspersky concludes.
“How many more companies are compromised out there is not known. What is known is that ShadowPad succeeded in backdooring developer tools and, one way or another, injected malicious code into digitally signed binaries, subverting trust in this powerful defense mechanism.”
Pierluigi Paganini
(SecurityAffairs – Asus Supply Chain attack, ShadowPad )
The post Kaspersky speculates the involvement of ShadowPad attackers in Operation ShadowHammer appeared first on Security Affairs.
Go to Source. Author: Pierluigi Paganini. Kaspersky speculates the involvement of ShadowPad attackers in Operation ShadowHammer. Original Post from Security Affairs.