The Wannacry authors also want their Bitcoin Cash

Tuesday, March 27, 2018

The 12th of May 2017 was a day that many of us will not easily forget. Wannacry was one of those incidents that had a major impact on public opinion. Taking advantage of the already famous EternalBlue vulnerability, the malware encrypted the files of thousands of computers and demanded a ransom of $300 in bitcoin in exchange. The question is: what happened to the ransoms paid by the victims?

The balance of the addresses
The three identified Bitcoin addresses collected more than 51 bitcoins. To date, more than half a million dollars' worth have been exchanged. However, the design of the ransom collection system left much to be desired. Presenting the same address to different victims made it difficult for the attackers to determine which victim had paid. And since Bitcoin transactions are permanently recorded on the public blockchain, a victim could impersonate another victim who had already paid simply by claiming that transaction as their own.

#CyberSecurityPulse: PyeongChang Olympics: A New False Flag Attack?

Tuesday, March 20, 2018

A postmortem of the Olympic Destroyer malware used in the PyeongChang Olympics attack reveals a deliberate attempt by the adversaries to plant false flags when it comes to attribution, according to researchers. Days after the crippling attack on the backend networks tied to the Winter Olympic Games, a chorus of security experts attributed the attack to everyone from Russia, Iran and China to groups such as Lazarus, the nation-state backed gang linked to North Korea. However, security experts now believe that a skilled and mysterious threat actor behind the malware intended to sow confusion among those attempting to attribute the attack. "Perhaps no other sophisticated malware has had so many attribution hypotheses put forward as the Olympic Destroyer," said Vitaly Kamluk, a researcher with Kaspersky Lab who co-authored a report on the attacks. "Given how politicized cyberspace has recently become, the wrong attribution could lead to severe consequences and actors may start trying to manipulate the opinion of the security community in order to influence the geopolitical agenda."

In the days following the attack a steady stream of theories emerged that were later debunked or ruled inconclusive. "How the industry responded was a disaster," Kamluk said. "There was too much finger pointing with no certainty." Beyond the Lazarus false flag, researchers said the Russian-speaking cyber espionage group Sofacy (also known as Fancy Bear and APT28) was also imprecisely implicated in the attack. Other bits of malware code were linked to the Chinese-affiliated cyber espionage groups APT3 (Gothic Panda), APT10 (MenuPass Group) and APT12 (IXESHE).

New plugins for FOCA: HaveIBeenPwned and SQLi

Monday, March 19, 2018

Following the publication of Foca OpenSource, a lot of people are now enthusiastic about the idea of adding new plugins or improving existing ones. On this occasion, we present two new plugins to get even more out of FOCA.

In a joint effort between the Laboratory team and the CSA team, mainly at the hands of José Sperk and Carlos Ávila, we have set to work on improving a plugin that has been in high demand: the SQL injection one. To do this, we decided to interact with one of the most widely used hacking tools on the market, the famous SQLMap. From there, we developed a plugin that allows us to detect and exploit SQL injection vulnerabilities in web applications using SQLMap's REST-JSON API, but from a friendlier and more familiar graphical environment such as that of FOCA.

The following video shows how to download and use the SQLI plugin in FOCA, bearing in mind that you must first download and install SQLMap on your computer in order to launch the scans from there.

If you prefer, or if you have SQLMap installed on another computer, you can also select "Remote Server API" and connect from FOCA OpenSource to launch the scans remotely.

As if that were not enough, we have also created another new plugin for Foca, haveibeenpwned, which interacts with the APIs of both services. In this way, the email addresses you find while analysing metadata with FOCA OpenSource can be checked directly from the application against those two databases. Likewise, if you have a file with a list of addresses you want to verify, you can do it directly from this plugin. The following video shows how it works.
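The address-list check described above, as an added Python example that is not the plugin's own code: it parses a list file the way the plugin would, queries each address and handles the three answers a breach API gives (found, not found, rate limited). It assumes the current HaveIBeenPwned v3 endpoint and `hibp-api-key` header, which differ from the API available when this post was written; the sample addresses and the offline stand-in responses are constructed.

```python
import json, re, time, urllib.error, urllib.parse, urllib.request

HIBP_URL = "https://haveibeenpwned.com/api/v3/breachedaccount/"  # assumed current v3 endpoint
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def load_addresses(text):
    # One address per line; blank lines, comments, duplicates and non-emails are dropped.
    seen, out = set(), []
    for line in text.splitlines():
        addr = line.strip().lower()
        if addr and not addr.startswith("#") and EMAIL_RE.match(addr) and addr not in seen:
            seen.add(addr)
            out.append(addr)
    return out

def http_fetch(url, api_key):
    # Real HTTP GET: returns (status, body, retry_after_seconds). v3 requires a key and a user-agent.
    req = urllib.request.Request(url, headers={"hibp-api-key": api_key, "user-agent": "breach-check"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode(), 0
    except urllib.error.HTTPError as err:
        return err.code, "", int(err.headers.get("Retry-After") or 0)

def check_address(addr, api_key, fetch=http_fetch, max_attempts=3):
    # Returns the breach names for addr; [] means HIBP has no record of it.
    for _ in range(max_attempts):
        status, body, retry_after = fetch(HIBP_URL + urllib.parse.quote(addr), api_key)
        if status == 200:
            return [b["Name"] for b in json.loads(body)]
        if status == 404:       # "not in any breach" is signalled with 404, not with []
            return []
        if status == 429:       # rate limited: honour Retry-After and try again
            time.sleep(retry_after)
            continue
        raise RuntimeError(f"unexpected HTTP {status} for {addr}")
    raise RuntimeError(f"{addr}: still rate limited after {max_attempts} attempts")

def check_all(text, api_key, fetch=http_fetch):
    return {a: check_address(a, api_key, fetch) for a in load_addresses(text)}

# Constructed offline stand-in for HIBP (sample data): alice is throttled once, then found; bob is clean.
SAMPLE_LIST = "# from metadata\nalice@example.com\nALICE@example.com\nnot-an-email\nbob@example.com\n"
_REPLIES = {"alice%40example.com": [(429, ""), (200, '[{"Name":"ExampleBreach"}]')],
            "bob%40example.com": [(404, "")]}
def fake_fetch(url, api_key):
    status, body = _REPLIES[url.rsplit("/", 1)[1]].pop(0)
    return status, body, 0
```

Call `check_all(open("addresses.txt").read(), api_key)` with a real key to query the live service; `check_all(SAMPLE_LIST, "dummy", fake_fetch)` runs the same logic offline.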

Finally, we have released the source code of PluginApi.dll, which is in charge of communication between the plugins and FOCA and provides different options for making the most of the results of the analyses we carry out.

Remember that if you want to add new plugins, we have provided several examples containing everything you need to develop a new one. All of this is available in our FOCA market, where you are welcome to contribute your proposals.

Claudio Caracciolo
Team Leader of the CSA and the Bs. As. Research Office at ElevenPaths
Innovation and Laboratory

#CyberSecurityPulse: Biggest-Ever DDoS Attack Hits Github Website

Monday, March 5, 2018

At the end of 2016, a DDoS attack on DynDNS blocked major Internet sites such as Twitter, Spotify and PayPal. The Mirai botnet was used to harness the full bandwidth of thousands of Internet-connected devices. However, on Wednesday 28 February we witnessed the largest DDoS attack ever seen, against the GitHub website, peaking at a record 1.35 Tbps and 126.9 million packets per second.

Interestingly, the attackers did not use any botnet; instead they abused misconfigured Memcached servers to amplify the attack. Memcached is a distributed in-memory cache based on a hash table, and a server that exposes its UDP port to the Internet will answer a small request carrying a spoofed source address with a far larger response sent to the victim. To prevent misuse of Memcached servers, administrators should consider firewalling, blocking or rate-limiting UDP on port 11211 (reflected traffic reaches the victim with source port 11211), or disabling UDP support completely if it is not in use. Akamai estimates that at least 50,000 servers are vulnerable.
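An added example, not from the original post, of how a defender can spot Memcached reflection in flow records from their own network: for each server/client pair it compares the bytes the server sent from UDP/11211 with the bytes it received on UDP/11211 from that client, flags pairs whose amplification ratio is implausible for real cache traffic, and totals the reflected volume per spoofed source (the real DDoS target). The flow records and thresholds are constructed.

```python
from collections import defaultdict

MEMCACHED_PORT = 11211

# Constructed NetFlow-style records: (proto, src_ip, src_port, dst_ip, dst_port, packets, bytes).
# 198.51.100.x are our Memcached servers; 203.0.113.7 is the spoofed source, i.e. the victim.
SAMPLE_FLOWS = [
    ("udp", "203.0.113.7", 40000, "198.51.100.10", 11211, 1, 60),           # tiny spoofed request
    ("udp", "198.51.100.10", 11211, "203.0.113.7", 40000, 700, 1_000_000),  # huge reply to the victim
    ("udp", "203.0.113.7", 40001, "198.51.100.11", 11211, 1, 60),
    ("udp", "198.51.100.11", 11211, "203.0.113.7", 40001, 650, 900_000),
    ("udp", "192.0.2.25", 50000, "198.51.100.10", 11211, 5, 400),           # legitimate get/set
    ("udp", "198.51.100.10", 11211, "192.0.2.25", 50000, 5, 1200),
    ("tcp", "192.0.2.26", 50001, "198.51.100.10", 11211, 20, 4000),         # TCP: not reflectable
]

def reflection_report(flows, min_ratio=50, min_bytes=100_000):
    """Flag (server, client) pairs where UDP/11211 output dwarfs the input that requested it."""
    sent, recv = defaultdict(int), defaultdict(int)
    for proto, sip, sport, dip, dport, _pkts, nbytes in flows:
        if proto != "udp":
            continue
        if dport == MEMCACHED_PORT:       # request arriving at a server, keyed (server, client)
            recv[(dip, sip)] += nbytes
        elif sport == MEMCACHED_PORT:     # response leaving a server, keyed (server, client)
            sent[(sip, dip)] += nbytes
    alerts = []
    for (server, client), out_bytes in sent.items():
        in_bytes = recv.get((server, client), 0)
        ratio = out_bytes / in_bytes if in_bytes else float("inf")
        if out_bytes >= min_bytes and ratio >= min_ratio:
            alerts.append({"server": server, "victim": client,
                           "amplification": round(ratio, 1), "bytes_out": out_bytes})
    return sorted(alerts, key=lambda a: -a["bytes_out"])

def victims(alerts):
    """Total reflected bytes per spoofed source, which is who is actually under attack."""
    totals = defaultdict(int)
    for a in alerts:
        totals[a["victim"]] += a["bytes_out"]
    return dict(totals)

if __name__ == "__main__":
    for a in reflection_report(SAMPLE_FLOWS):
        print(f"{a['server']} reflected {a['bytes_out']} bytes to {a['victim']} (x{a['amplification']})")
    print("victims:", victims(reflection_report(SAMPLE_FLOWS)))
```

On the server itself the equivalent fix is to start memcached with `-U 0`, which disables its UDP listener, or to firewall port 11211 as the post recommends.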

New tool: “Web browsers HSTS entries eraser”, our Metasploit post exploitation module

This module deletes the HSTS/HPKP databases of the main browsers (Chrome, Firefox, Opera and Safari) and of wget, on Windows, Mac and Linux. This allows an attacker to perform man-in-the-middle attacks once a target has been compromised. It is available as a post exploitation module in the Metasploit project.