Miners, miners everywhere!

It is evident that cryptocurrencies are fashionable. The price increase of Bitcoin, for example, compared with last year is exponential, as can be seen in the following Coinbase graph:

Everyone, including cybercriminals, wants to take advantage of this hype. We have detected that, just as the price increase of Bitcoin or Monero (widely used in cybercrime) has been exponential, so has the number of attacks that distribute miners, which compromise computers and use our electricity for free.

So far this year we have detected an increasing tendency to distribute miners. One specific technique exploits vulnerabilities in insecure Java object deserialization to download and execute the miner on the compromised server or computer. Although these vulnerabilities are not new, numerous criminal groups are trying to exploit them. [Read more…]

(Cyber) III Cold War: Hack the vote?

As you know, the DHS (Department of Homeland Security) along with the ODNI (Office of the Director of National Intelligence) formally accused Russia of meddling in the past US presidential elections with information warfare techniques and various cyberattacks. Let’s take a (somewhat delayed) look at this.
It is not the first time that the USA has made accusations of this caliber; it did so when it accused China of stealing trade secrets in 2014. An accusation of this kind could involve, officially or unofficially, attacks on Russian IT infrastructures that would pose a headache for Putin and his allies. According to statements in the NYT, taking this type of action would involve too much risk with elections less than a month away; cyberattacks by a power like Russia against the US electronic voting system could wreak havoc. It should also be noted that the electoral system is still not considered a critical infrastructure of the nation, although its criticality may be raised shortly.
[Read more…]

Malcom: Practical exercise on traffic analysis

Malcom (Malware Communication Analyzer) is a tool I have been using for quite some time now and, even though it is quite well documented on several sites, I thought it worthwhile to dedicate an article to it, because in its latest updates it has become more stable and consistent.

Its main objective is to analyze network connections graphically while cross-referencing them with public or private malware feeds in order to identify malicious nodes (C&C servers, for example), see how the malware tries to communicate with them, analyze possible behavior patterns, understand P2P networks, or observe DNS Fast-Flux infrastructures.

[Read more…]

Increase in RFI attacks using Google

(Please note that this post was originally published on 10th January in the Spanish version of SAW; we find it relevant, and couldn’t find the time to translate it until now ;)

Lately, we have been detecting a significant increase in Remote File Inclusion [1] attacks in which the same pattern is repeated in the attack payload: the injected URL is always http://www.google.es/humans.txt. Although the content of this file is not malicious, the number and frequency of the alerts detected show that a reconnaissance campaign is underway.

The attacking IP addresses are located worldwide (up to 10 countries have been detected, including Spain), which may indicate that one or more botnets are behind this attack. On average, over a period of 10 days, each of these IPs has attacked about 12 targets, generating between 2000 and 5000 alerts each.

[Read more…]

Vulscan 1.0

Recently, Marc Ruef (@mruef, Computec.ch) has released a new, enhanced version of Vulscan, an Nmap script with basic vulnerability scanner capabilities that he first presented in 2010. [Read more…]

Mimikatz extension for Metasploit

(Please note that this post was published on 6th May 2013 in the Spanish version of this blog) [Read more…]

Introduction to Darknets

A Darknet is a portion of a network, a routed IP address space in which there are no active servers or services; that is, no packet from outside should be directed to that address space. [Read more…]

Safe Delete Meterpreter Module

A module has recently been added to Metasploit (master branch) that can be useful for deleting files downloaded to a victim computer through a Meterpreter session. [Read more…]