MongoDB Databases – Targeted by Cyber-criminals for Ransom

In December 2016, attackers were exploiting misconfigured open-source MongoDB databases and holding them for ransom. The ransomware attacks against MongoDB were first publicly reported by GDI Foundation security researcher Victor Gevers on Dec. 27, 2016, and have been growing steadily ever since, with at least five different groups of attackers taking control of over 10,000 database instances.

Mongo databases that were not password protected paid a heavy price for this weakness. Strictly speaking, it was not a vulnerability: a vulnerability is the quality or state of being exposed to the possibility of being attacked or harmed. This was negligence, and when you ignore serious aspects like security, you pay an unbearable price.

Send 0.1 Bitcoin to walletaddress 131qpnP9v2qGKbrAQirCZzunyw5x3dADsB and contact m3lk@sigaint.org to get your databases back.

Remedy :

MongoDB administrators must set strong passwords on their databases, and if the application code runs on the same server, they should close port 27017 to the outside. An open port for remote access is not needed when the code can reach the database locally.
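As an added example (not part of the original post), the following Python script audits a mongod.conf for the two remedies just described: a listener bound to the local interface so that port 27017 is not reachable remotely, and mandatory authentication. It uses a small indentation-based parser for the YAML subset that mongod.conf actually uses (nested mappings of scalars), so it runs without PyYAML; the option names net.bindIp, net.bindIpAll, net.port and security.authorization are the real mongod.conf keys, and the two configuration texts are constructed samples.

```python
"""Audit a mongod.conf for a local-only listener and mandatory authentication.
Added example; the configuration texts below are constructed samples."""

def parse_yaml_subset(text):
    """Parse the YAML subset mongod.conf uses: nested mappings of scalars,
    indented with spaces. '#' comments and blank lines are skipped;
    sequences, quoting and multi-line values are not supported."""
    root = {}
    stack = [(-1, root)]                      # (indent, mapping being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:         # close mappings nested deeper
            stack.pop()
        parent = stack[-1][1]
        if value.strip() == "":               # 'key:' opens a nested mapping
            child = {}
            parent[key.strip()] = child
            stack.append((indent, child))
        else:
            parent[key.strip()] = value.strip()
    return root

def lookup(config, dotted):
    """Fetch a 'net.bindIp'-style dotted key; None when any part is missing."""
    node = config
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

WILDCARD_BINDS = {"0.0.0.0", "::"}   # addresses that mean "every interface"

def audit_mongod_config(text):
    """Return a list of findings; an empty list means both remedies are in place."""
    cfg = parse_yaml_subset(text)
    findings = []
    port = lookup(cfg, "net.port") or "27017"   # mongod's default port
    bind_ip = lookup(cfg, "net.bindIp")
    bind_all = str(lookup(cfg, "net.bindIpAll") or "").lower() == "true"
    if bind_all:
        findings.append(f"net.bindIpAll is true: port {port} listens on every interface")
    elif bind_ip is None:
        findings.append(f"net.bindIp is not set: set it to 127.0.0.1 explicitly so that "
                        f"port {port} is not exposed to remote hosts")
    elif any(ip.strip() in WILDCARD_BINDS for ip in bind_ip.split(",")):
        findings.append(f"net.bindIp {bind_ip!r} exposes port {port} on every interface; "
                        "bind to 127.0.0.1 unless remote clients are required")
    if str(lookup(cfg, "security.authorization") or "").lower() != "enabled":
        findings.append("security.authorization is not 'enabled': anyone who can reach the "
                        "port has full access; enable it and create users with strong passwords")
    return findings

# Constructed sample: the kind of configuration the ransom attacks abused.
EXPOSED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0   # listens on all interfaces
# no security section: no authentication required
"""

# Constructed sample: both remedies applied.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for label, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label} ==")
        for finding in audit_mongod_config(conf) or ["no findings"]:
            print(" -", finding)
```

Run it against your own file with `audit_mongod_config(open("/etc/mongod.conf").read())`; the findings are the remedy list for that instance.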

How WannaCry did the damage

WannaCry is the ransomware computer worm that targets computers running Microsoft Windows. Initially, the worm uses the EternalBlue exploit to enter a computer, taking advantage of a vulnerability in Microsoft’s implementation of the Server Message Block (SMB) protocol. It installs DoublePulsar, a backdoor implant tool, which then transfers and runs the WannaCry ransomware package. It is also being called WanaCrypt0r 2.0.

Main Functionality

The WinMain of this executable first tries to connect to the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. It doesn’t actually download anything there, just tries to connect. If the connection succeeds, the binary exits.

It was probably some kind of kill switch or anti-sandbox technique. Whichever it is, it has backfired on the authors of the worm, as the domain has been sinkholed and the host in question now resolves to an IP address that hosts a website. Therefore, nothing will happen on any new system that runs the executable. This only applies to the binary with the hash listed above; there may well be new versions released in the future. The second argument to InternetOpenA is 1 (INTERNET_OPEN_TYPE_DIRECT), so the worm will still work on any system that requires a proxy to access the Internet, which is the case on the majority of corporate networks.
After this check passes, the first thing the worm does is check the number of arguments it was launched with. If it was run with fewer than two arguments, it installs a service called mssecsvc2.0 with the display name Microsoft Security Center (2.0) Service (the binary the service runs is the worm itself, with two arguments), starts that service, drops the ransomware binary located in the resources of the worm, and runs it.

If it was run with two arguments or more—in other words, if it was run as a service—execution eventually falls through to the worm function.
The initialization function, which is called first, calls WSAStartup() to initialize networking, then CryptAcquireContext() to initialize the crypto API so it can use a cryptographically secure pseudo-random number generator. It then calls a function that initializes two buffers used for storing the worm payload DLLs, one x86 and one x64. It copies the payload DLLs from the .data section of the worm and then copies the entire worm binary after them.
The code of each payload DLL is very small: it gets the resource content (i.e. the worm binary), drops it to disk as C:\WINDOWS\mssecsvc.exe (this path is hardcoded) and executes it.

SMB Vulnerability

After initializing the functionality used by the worm, two threads are created. The first thread scans hosts on the LAN. The second thread gets created 128 times and scans hosts on the wider Internet.

The first thread (in charge of scanning LAN) uses GetAdaptersInfo() to get a list of IP ranges on the local network, then creates an array of every IP in those ranges to scan.

The LAN scanning is multithreaded itself, and there is code to prevent scanning more than 10 IP addresses on the LAN at a time.

The scanning thread tries to connect to port 445, and if the connection succeeds it creates a new thread to try to exploit the system using MS17-010/EternalBlue. If the exploitation attempts take over 10 minutes, the exploitation thread is stopped.

The threads that scan the Internet generate a random IP address, using either the OS’s cryptographically secure pseudo-random number generator initialized earlier, or a weaker pseudo-random number generator if the CSPRNG failed to initialize. If connection to port 445 on that random IP address succeeds, the entire /24 range is scanned, and if port 445 is open, exploit attempts are made. This time, exploitation timeout for each IP happens not after 10 minutes but after one hour.
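The behaviour described in the last few sections gives a defender several concrete indicators: the mssecsvc2.0 service install with its display name, the dropped C:\WINDOWS\mssecsvc.exe, the lookup of the kill-switch domain, and one host touching port 445 across many different /24 networks. The following Python script, an added example that is not part of the original analysis, runs those checks over sample log lines. The pipe-delimited line formats and all log content are constructed for the example and are not a real Windows event or firewall export format.

```python
"""Host- and network-side detections for the worm behaviour described above.
Added example; every log line below is constructed."""

from collections import defaultdict

# Indicators taken from the analysis above.
KILL_SWITCH_DOMAIN = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
SERVICE_NAME = "mssecsvc2.0"
SERVICE_DISPLAY_NAME = "Microsoft Security Center (2.0) Service"
DROPPED_PATH = r"c:\windows\mssecsvc.exe"

def service_install_alerts(lines):
    """Lines: timestamp|host|event_id|service_name|display_name|binary_path.
    Returns (host, service_name, matched indicators) for each suspicious install."""
    alerts = []
    for line in lines:
        fields = line.split("|")
        if len(fields) != 6 or fields[2] != "7045":
            continue                       # only service-install events
        _, host, _, name, display, path = fields
        matched = []
        if name.lower() == SERVICE_NAME:
            matched.append("service name")
        if display == SERVICE_DISPLAY_NAME:
            matched.append("display name")
        if path.strip().lower() == DROPPED_PATH:
            matched.append("binary path")
        if matched:
            alerts.append((host, name, matched))
    return alerts

def kill_switch_lookup_alerts(lines):
    """Lines: timestamp|host|queried_name. Returns hosts that looked up the
    kill-switch domain; the lookup happens before anything else the worm does,
    so it is an early signal whether or not the check then makes the worm exit."""
    hosts = []
    for line in lines:
        fields = line.split("|")
        if len(fields) == 3 and fields[2].strip().lower() == KILL_SWITCH_DOMAIN:
            hosts.append(fields[1])
    return hosts

def smb_scan_alerts(lines, min_distinct_24s=20):
    """Lines: timestamp|src_host|src_ip|dst_ip|dst_port. A source reaching
    port 445 on many distinct /24 networks matches the Internet-scanning
    threads; LAN scanning stays inside a few /24s and is not flagged here."""
    nets_per_src = defaultdict(set)
    for line in lines:
        fields = line.split("|")
        if len(fields) != 5 or fields[4].strip() != "445":
            continue
        src_ip, dst_ip = fields[2], fields[3]
        nets_per_src[src_ip].add(".".join(dst_ip.split(".")[:3]))
    return {src: len(nets) for src, nets in nets_per_src.items()
            if len(nets) >= min_distinct_24s}

# Constructed samples (not real logs).
SERVICE_EVENTS = [
    "2017-05-12T08:11:02|WS01|7045|Spooler|Print Spooler|C:\\Windows\\System32\\spoolsv.exe",
    "2017-05-12T08:12:40|WS02|7045|mssecsvc2.0|Microsoft Security Center (2.0) Service|C:\\WINDOWS\\mssecsvc.exe",
    "2017-05-12T08:12:41|WS02|7036|mssecsvc2.0|Microsoft Security Center (2.0) Service|C:\\WINDOWS\\mssecsvc.exe",
]
DNS_QUERIES = [
    "2017-05-12T08:12:39|WS02|www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "2017-05-12T08:12:45|WS03|www.example.com",
]
# WS02 hits port 445 on 25 different /24s; WS03 stays inside one /24 (LAN-style).
CONNECTIONS = (
    [f"2017-05-12T08:13:{i:02d}|WS02|10.0.0.5|198.51.{i}.1|445" for i in range(25)]
    + [f"2017-05-12T08:14:{i:02d}|WS03|10.0.0.9|10.0.1.{i}|445" for i in range(30)]
)

if __name__ == "__main__":
    print("service installs:", service_install_alerts(SERVICE_EVENTS))
    print("kill-switch lookups:", kill_switch_lookup_alerts(DNS_QUERIES))
    print("port 445 scanners:", smb_scan_alerts(CONNECTIONS))
```

The /24 threshold is the tunable part: the analysis says the worm scans an entire /24 once one random address answers on port 445, so distinct /24 count per source separates the Internet-scanning threads from ordinary file-server traffic better than a raw connection count would.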

Auto Deployment with Gitlab CI/CD and Pipelines in Docker Containers

GitLab CI (Continuous Integration) builds and tests the software whenever a developer pushes code to the repository. GitLab CD (Continuous Deployment / Delivery) pushes those code changes to staging or production, which makes it possible to deploy to staging and production every day.

We are going to achieve the following tasks using GitLab's CI/CD.

To achieve these tasks, follow the steps below.

Step 1. Create a gitlab Runner

Go to your project repository in GitLab and open Settings > CI/CD > Runners. Here you can register a runner for your pipeline. To install GitLab Runner on your Linux system, follow the guide.

Step 2. Configure gitlab-ci.yml file

Create a .gitlab-ci.yml file in the root directory of your project and push it to the repository. Here is an example .gitlab-ci.yml file (the build job is named build-dev so that the deploy job's dependencies entry can refer to it):

variables:
  TEST_BUCKET: mar-now-test

stages:
  - lint
  - unit
  - build
  - deploy

lint:
  stage: lint
  image: node:8.9
  tags:
    - docker
  script:
    - npm install
    - npm run lint
  cache:
    paths:
      - node_modules/

unit:
  stage: unit
  image: node:8.9
  tags:
    - docker
  script:
    - npm install
    # Chrome is needed for the headless browser tests run under xvfb
    - wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | apt-key add -
    # the redirect into the apt sources list was missing from the original listing
    - echo "deb http://dl.google.com/linux/chrome/deb/ stable main" >> /etc/apt/sources.list.d/google.list
    - apt-get update -y
    - apt-get install -y google-chrome-stable xvfb
    - xvfb-run -a npm run test:ci
  cache:
    paths:
      - node_modules/

build-dev:
  stage: build
  image: node:8.9
  tags:
    - docker
  script:
    - npm install
    - npm run build:dev
  cache:
    paths:
      - node_modules/
  artifacts:
    paths:
      - dist/*
    expire_in: 1 week
  only:
    - master

deploy-dev:
  stage: deploy
  image: python:latest
  tags:
    - docker
  dependencies:
    - build-dev
  script:
    - pip install awscli
    - aws s3 cp ./dist s3://$TEST_BUCKET --recursive --acl public-read
  only:
    - master
  environment: development
The stages property simply allows you to define the order in which the jobs should be executed. In this instance, the jobs are “build” and “deploy”. You could name these anything you’d like. Generally, you’d have a “test” job as well to handle your functional and unit tests and maybe a specific job for building a staging container.

Step 3. Deployment

status of Pipeline

If you have successfully set up the Runner, you should see the status of the last commit change from pending to running, passed or failed.

If you click on the status of a job, you can see its log. This is very important, because it is how you find out what went wrong when a job fails.

Once the status is passed, the build with the pushed code is deployed in a Docker container. Every time code is pushed, a separate container with the updated code is created. The whole process is automated, and that is the beauty of it.

Sh00t – Security Testing Tool for Manual Penetration Testers

Sh00t is a testing environment for manual security testers. It acts as a task manager so that testers can focus on performing security testing. Its biggest advantage is that it helps create bug reports from customizable bug templates.

One of its features is a dynamic task manager that replaces simple editors or task-management tools that are not meant for security work. It has an automated, customizable checklist of security test cases to replace Evernote, OneNote or other tools that are not meant for security. It manages custom bug templates for different purposes and generates bug reports automatically, and it supports multiple assessments and projects to logically separate different needs.
Installation guide on Linux servers:

Using Virtual env wrapper

  1. Make sure you have Python 3. You can check by running the command:

    which python3

    If you get the path of Python, you have Python 3 on your system. If not, install it from the official Python website.

  2. Install virtualenvwrapper:

    pip install virtualenvwrapper
  3. Find the shell file:

    whereis virtualenvwrapper.sh
  4. Suppose the file is located at /usr/local/bin/virtualenvwrapper.sh, load it using:

    source /usr/local/bin/virtualenvwrapper.sh
  5. Create a virtual environment using Python 3:

    mkvirtualenv sh00t -p /usr/bin/python3
  6. Clone the project from GitHub:

    git clone https://github.com/pavanw3b/sh00t.git
  7. Go inside the project directory and install the dependencies:

    cd sh00t
    pip install -r requirements.txt
  8. Migrate the database:

    python manage.py migrate
  9. Create a superuser to log in:

    python manage.py createsuperuser
  10. Import 174 Security Test Cases from OWASP Testing Guide (OTG) and Web Application Hackers Handbook (WAHH):

    python reset.py
  11. Start the sh00t server:

    python manage.py runserver 0.0.0.0:8000
  12. Access the application in your browser:

    http://127.0.0.1:8000/

    Log in using the credentials created in the previous steps.

Now you are ready for action. Add your project and find the imported checklist under Case Master and Module Master. Verify whether or not your project follows the checks.

VLC Vulnerability – Tampered Subtitles can give complete control of the system remotely

Subtitle Hack Leaves 200 Million Vulnerable to Remote Code Execution

Check Point researchers revealed a new attack vector which threatens millions of users worldwide – attack by subtitles. By crafting malicious subtitle files, which are then downloaded by a victim’s media player, attackers can take complete control over any type of device via vulnerabilities found in many popular streaming platforms, including VLC, Kodi (XBMC), Popcorn-Time and Strem.io.

It’s common to see subtitle files (usually .srt or .sub) included in torrents and other less-than-legal movie downloads, so people tend to simply ignore them. You can load such a file into most video players to display subtitles in the chosen language, synced to the video. Check Point says that there are roughly 200 million installations of video players vulnerable to this exploit, including VLC, Kodi, Popcorn-Time and Strem.io.

Details can be found here:

Solution: Download Subtitle Hack Fix

Check Point researchers contacted the developers of the affected media players in April 2017. Thankfully, the security patches have been released.

In the case of VLC, the attacker can leverage a memory corruption bug. The media player had four vulnerabilities (CVE-2017-8310, CVE-2017-8311, CVE-2017-8312 and CVE-2017-8313) which have been fixed by VideoLan.

A fix for VLC is available as the latest version 2.2.5.1 which is present on the VideoLan website. The same is the case for Stremio.

SambaCry Vulnerability – Remote Code Execution Vulnerability in Linux

SambaCry – Remote Code Execution Vulnerability

A seven-year-old remote code execution vulnerability affecting Samba versions 3.5.0 and higher is making news this week. The vulnerability is billed as the WannaCry equivalent for *nix operating systems, and some are even calling it SambaCry, since it affects the SMB protocol implementation and is potentially wormable, which would let it spread from system to system.

A malicious Samba client that has write access to a Samba share could use this flaw to execute arbitrary code, typically as root.

Points:

Exploit Samba Vulnerability:

https://github.com/opsxcq/exploit-CVE-2017-7494

Solution:

Updating Samba will fix this vulnerability.

One step towards changing the world

Research Team is working to make this place better and safer

Once upon a time, an old man walked down a Spanish beach at dawn. He saw ahead of him what he thought to be a dancer. The young man was running across the sand, rhythmically bending down to pick up a stranded starfish and throw it far into the sea.

The old man gazed in wonder as the young soul again and again threw the small starfish from the sand into the water. The old man approached him and asked why he spent so much energy doing what seemed a waste of time. The young man explained that the stranded starfish would die if left until the morning sun. “But there are thousands of miles of beach, and miles and miles of starfish. How can your effort make any difference?” The young man looked down at the small starfish in his hand, and as he threw it to safety in the sea, said, “It makes a difference to this one!”

Our research team is doing the same work in the ocean of websites. Their efforts are definitely making a difference to one.

Web security is as essential as web development these days, but many web-based applications do not take it seriously. That you have not been mugged so far does not mean robbers do not exist. Our security research and analysis team picks random servers from the internet and finds their vulnerabilities. They act like ethical hackers and inform the owners about the vulnerabilities.

One of the vulnerabilities we found was in the site asapp.com. Asapp is built by a team of leading scientists, software engineers, and designers. We reported it to them and got a reply from their young and dynamic founder and advisor Marcus Westin. At first he did not believe us, but when we showed him proof, he was surprised. He wanted to know how it was possible for us to hack into their system. Our security researchers not only showed him the steps; they also suggested how his team could fix the vulnerability.

Another incident was with the site mypokert.com, a site for playing poker online. When we sent an email about their vulnerable site, they did not believe us, but two months later we got an email from the site owner, Kirill, saying that their site had been hacked, and in exactly the way we had described in the mail. By then it was too late. Their data could not be recovered: the attacker had dropped all the databases.

When they asked for our help, we provided solutions to make their site more secure and robust on the security front.

Security Header – Ignored X-Frame Options

What is Clickjacking

Clickjacking is a malicious technique that tricks a web user into clicking on something different from what they perceive, potentially revealing confidential information or allowing attackers to take control of their computer while interacting with seemingly harmless web pages.

For example, an attacker may create a web page with a button labeled “Click here for a free iPod.” On top of this page, the attacker places an invisible iframe containing the user’s email account, aligning the “delete all messages” button directly over the “free iPod” button. When the user clicks the “free iPod” button, they actually trigger the “delete all messages” action. This hijacking of user clicks is why the technique is called Clickjacking.

The risk arises when a server does not return an X-Frame-Options header. This HTTP header indicates whether a browser is allowed to render a page in a <frame>, <iframe>, or <object>. By using it, sites can prevent clickjacking by ensuring their content is not embedded in other sites.

X-Frame-Options Header

Set the X-Frame-Options header for all responses containing HTML content. The possible values are:

  • DENY – Prevents any domain from framing the content. Recommended unless framing is specifically needed.
  • SAMEORIGIN – Allows only the current site to frame the content.
  • ALLOW-FROM uri – Permits the specified URI to frame the page (e.g., ALLOW-FROM http://www.example.com). Note: this may fail if the browser does not support it.

Examples of Configuration

Apache:

Header always set X-Frame-Options SAMEORIGIN
Header set X-Frame-Options DENY
Header set X-Frame-Options "ALLOW-FROM https://example.com/"

Nginx:

add_header X-Frame-Options SAMEORIGIN;

IIS: Add the following to your site’s Web.config file:

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="X-Frame-Options" value="SAMEORIGIN" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

Using the X-Frame-Options header properly helps protect your website from clickjacking attacks.

Who’s using React js?

ReactJS: Transforming Modern Web and Mobile Applications

The digital world is evolving rapidly, and keeping up with trends can be challenging. However, industry leaders are continuously adapting to new technologies and frameworks. Major apps like Facebook, Instagram, Netflix, and others are constantly enhancing their user experience and embracing innovative solutions.

Recently, ReactJS has gained significant attention due to its impressive features and versatility. For those unfamiliar, ReactJS offers numerous advantages that have made it extremely popular among developers. Its lightweight representation of the document (Virtual DOM) allows for highly efficient and dynamic web applications, similar to frameworks like NodeJS and other JavaScript tools.

The proof of ReactJS’s popularity can be seen in the major apps that rely on it. Here are some of the most impressive applications built with ReactJS:

Facebook

  • Utilizes dynamic charts that render to <canvas> instead of HTML.

Instagram

  • Uses React for geo-location features, Google Maps APIs, and improving search accuracy.
  • Built as a single-page web app entirely with React.

Netflix

  • Implements React in their platform Gibbon, designed for low-performance TV devices.
  • Benefits include improved startup speed, runtime performance, and modularity.

New York Times

  • React powers interactive galleries, allowing users to filter photos spanning 19 years.
  • Efficient re-rendering enhances user experience.

Khan Academy

  • Many parts of the platform are currently built using ReactJS.

WhatsApp

  • Uses ReactJS for building user interfaces, along with Underscore.js and Velocity.js.
  • The all-new WhatsApp Web app leverages React for seamless functionality.

If your web or mobile application aims to leverage modern technologies and deliver a superior user experience, investing in ReactJS or React Native is highly worthwhile.

Security Header : Why X-XSS Protection is important

What is X-XSS Protection?

The HTTP X-XSS-Protection response header is a security feature supported by Internet Explorer, Chrome, and Safari that helps prevent pages from loading when a reflected cross-site scripting (XSS) attack is detected.

This header activates the built-in XSS filter in most modern browsers. It is typically enabled by default, but this header ensures the filter is active for a specific website even if a user has disabled it. The header is supported in IE 8+ and in Chrome (since Chrome 4, although support for the header may vary in older versions).

Header Values and Behavior:

  • X-XSS-Protection: 0 – Disables the XSS filter.
  • X-XSS-Protection: 1 – Enables the filter; scripts coming from the request are filtered, but the page still renders.
  • X-XSS-Protection: 1; mode=block – Enables the filter and, when an attack is detected, blocks the page from being rendered entirely.

Examples of Implementation:

Django:

SECURE_BROWSER_XSS_FILTER = True

Nginx:

add_header X-XSS-Protection "1; mode=block";

Apache:

Header always set X-XSS-Protection "1; mode=block"

Important Considerations:

While the XSS filter can provide a layer of defense, it is not foolproof. There are known bypasses, and the filter may have limitations in certain contexts. Relying solely on the X-XSS-Protection header is not sufficient for comprehensive XSS prevention; proper input validation and output encoding are essential.
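As an added example (not code from the original post), the following Python script audits a raw HTTP response head, as printed by `curl -I`, for both this section's X-XSS-Protection header and the X-Frame-Options header from the clickjacking section above. It grades each header as pass, warn or fail with a reason, treats a missing or duplicated X-Frame-Options as a failure, and reports ALLOW-FROM as a warning because, as noted above, browsers without support for it ignore the header. The two response samples are constructed, not captured from any real site.

```python
"""Audit X-Frame-Options and X-XSS-Protection in an HTTP response head.
Added example; the sample responses below are constructed."""

from collections import defaultdict

def parse_response_headers(raw):
    """Turn a raw response head (as printed by `curl -I`) into a mapping of
    lower-cased header name -> list of values. Repeated headers are kept
    so that conflicting duplicates can be flagged instead of silently merged."""
    headers = defaultdict(list)
    for line in raw.splitlines():
        if line.startswith("HTTP/"):
            continue                  # status line
        if not line.strip():
            break                     # blank line ends the head
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()].append(value.strip())
    return headers

def _single_value(headers, name):
    """Return (value, error): the header's one value, or an error when it is
    absent or appears more than once with differing values."""
    values = headers.get(name.lower(), [])
    if not values:
        return None, "missing"
    if len({v.strip().lower() for v in values}) > 1:
        return None, f"has conflicting values {values!r}"
    return values[0].strip(), None

def check_x_frame_options(headers):
    """Grade X-Frame-Options as pass / warn / fail with a reason."""
    value, err = _single_value(headers, "X-Frame-Options")
    if err:
        return "fail", f"X-Frame-Options {err}: any site may frame this page (clickjacking risk)"
    tokens = value.split()
    directive = tokens[0].upper() if tokens else ""
    if directive in ("DENY", "SAMEORIGIN") and len(tokens) == 1:
        return "pass", f"{directive}: framing restricted as intended"
    if directive == "ALLOW-FROM" and len(tokens) == 2:
        return "warn", (f"ALLOW-FROM {tokens[1]}: browsers without ALLOW-FROM support "
                        "ignore the header, leaving the page frameable there")
    return "fail", f"unrecognised value {value!r}: browsers ignore invalid X-Frame-Options"

def check_x_xss_protection(headers):
    """Grade X-XSS-Protection as pass / warn / fail with a reason."""
    value, err = _single_value(headers, "X-XSS-Protection")
    if err:
        return "warn", f"X-XSS-Protection {err}: the browser's default filter setting applies"
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for p in parts[1:]:                       # e.g. "mode=block"
        key, _, val = p.partition("=")
        params[key.strip().lower()] = val.strip().lower()
    if parts[0] == "0":
        return "fail", "0: the XSS filter is explicitly disabled"
    if parts[0] == "1":
        if params.get("mode") == "block":
            return "pass", "1; mode=block: page is not rendered when reflected XSS is detected"
        return "warn", "1 without mode=block: the filter sanitises but still renders the page"
    return "fail", f"unrecognised value {value!r}"

def audit_security_headers(raw):
    """Run both checks on a raw response head; returns {header: (status, reason)}."""
    headers = parse_response_headers(raw)
    return {
        "X-Frame-Options": check_x_frame_options(headers),
        "X-XSS-Protection": check_x_xss_protection(headers),
    }

# Constructed sample responses (not real captures).
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "\r\n"
)
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-XSS-Protection: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("hardened", HARDENED_RESPONSE), ("weak", WEAK_RESPONSE)):
        print(f"== {label} ==")
        for header, (status, reason) in audit_security_headers(raw).items():
            print(f"{status:4s} {header}: {reason}")
```

Pipe the output of `curl -sI https://your-site.example/` into `audit_security_headers` to check a live deployment after applying one of the configuration snippets above; a "warn" on X-XSS-Protection is consistent with the point made in this section that the header is only a secondary layer, never the primary defence.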

References and Further Reading: