Connect with us

Cybersecurity

Facebook Bounty Hunter Wins $10,000 By Finding Backdoor

Published

on

Facebook bounty hunter Orange Tsai received $10,000 after finding someone installed a backdoor, according to betanews. Tsai was able to penetrate a Linux-based staff server to discover a piece of malware was stealing passwords and usernames.

// -- Discuss and ask questions in our community on Workplace. Don't have an account? Send Jonas Borchgrevink an email -- //

Facebook noted that the backdoor did not compromise any user information.

Tsai, who works for Devcore in Thailand, used a reverse lookup to find files.fb.com running the Accellion Secure File Transfer service that is prone to some vulnerabilities.

Bounty Hunter Installed Malware

Facebook claims a security researcher installed the malware who was trying to gain the bounty.

// -- Become a yearly Platinum Member and save 69 USD and get access to our secret group on Workplace. Click here to change your current membership -- //

Tsai executed remote code on the server to gain control of it using an SQL injection vulnerability. This was the point where Tsai found the password-stealing PHP scripts.

Reginaldo Silva, a Facebook security engineer, said the company appreciates Tsai’s work. The company used a third party software they do not fully control. Facebook ran the software isolated from systems hosting the data that people share with Facebook as a way to have better security, Silva said.

Facebook determined the activity came from another researcher who participates in the company’s bounty program. Neither bounty hunter was able to undermine other parts of the company’s infrastructure, Silva said. He called it a “double win” when two researchers assess the system, and one reports what they found and receives a bounty, but neither researcher was able to expand the access.

Tsai Orange Relates Exploit

Facebook began the “Bug Bounty Program” in 2012, Tsai noted in a Devcore blog.

Tsai noted that server side vulnerabilities are “cooler to take over” than client-side vulnerabilities. Both vulnerability types are critical in a penetration test, Tsai noted.

In searching for vulnerabilities, Tsai first determines how big the company’s “territory” is on the Internet, then attempts to find an entrance. Initial steps are:
• What can be found by Google Hacking?
• How many B Class and C Class IP addresses are being used?
• Whois And Reverse Whois?
• What domain names are used and what are their internal domain names?
• What are equipment vendors preferred techniques?
• Are there Github or Pastebin data breaches?

Tsai noted there are common security issues in large corporations.
1. “Network Boundary” is hard to take care of. When a company’s scale has expanded, tens of thousands of computers, servers and routers make it impossible for the MIS to have a perfect protection mechanism. Luck is often on the attacker’s side since an attacker only has to find a small weak spot. A susceptible server on the “border” will grant access to the internal network.
2. Lack of knowledge of “Networking Equipment” protection. The majority of this equipment does not provide delicate SHELL controls, and only the user interface can configure them. The protection oftentimes is built on the Network Layer, but users might not notice if 0-Day or 1-Day attacks compromise these devices.
3. “Breached Database,” known as “Social Engineering Database” has emerged in China. The leaked data sometimes lowers the difficulty of penetration. The attacker only has to connect to the breached database, find a user credential with VPN access, and they can penetrate the internal network.

When the scope of the breach can be large enough that the Key Man’s password can be discovered in the breached data, the victim company’s security diminishes.

The Search Begins

Tsai found domain names of Facebook and also tried Reverse Whois which yielded an interesting domain name: tfbnw.net. This apparently stood for “The Facebook Network.”

Tsai then found the following server through public data; vpn.tfbnw.net.

In accessing vpn.tfbnw.net, the Juniper SSL VPN login interface offered no vulnerability to be directly exploited.

Tsai enumerated vpn.tfbnw.net’s C Class IPs to find some interesting servers such as:
• Mail Server Outlook Web App
• F5 BIGIP SSL VPN
• CISCO ASA SSL VPN
• Oracle E-Business
• MobileIron MDM

The information on those servers led Tsai to believe the C Class IPs were important.

A special server among the C Class IPs was:

Facebook image 1

Login Interface of files.fb.com

Based on the Footer and logo, the login interface was Accellion’s Secure File Transfer (FTA). FTA allows secure file transfer, syncing and online file sharing, in addition to integration with Single Sign-on mechanisms that include Kerberos, LDAP and AD. The Enterprise version supports SSL VPN service.

The next thing Tsai did was to search the Internet for public exploits. HD Moore made the latest one public on Rapid7 Advisory: Accellion File Transfer Appliance Vulnerabilities (CVE-2015-2856, CVE – 2015-2857).

The version leaked from “/tws/getStatus” can determine whether this vulnerability is exploitable. When Tsai discovered files.fb.com, the defective v0.18 already had updated to v0.20. Tsai believed there should still be security issues in FTA and began to seek 0-Day on FTA products.

Black-box testing did not yield vulnerabilities, so Tsai tried white-box testing. After gathering source codes from prior FTA versions, research proceeded.

Also read: The Facebook Hacker 2016 Cup is underway

FTA Product

Tsai noted the following about FTA product:
1. Web-based user interfaces mainly were composed of Perl & PHP.
2. IonCube encrypted the PHP source codes.
3. There were lots of Perl Daemons in the background.

Tsai first attempted to decrypt IonCube encryption. The IonCube version that FTA used was not up to date, and ready-made tools could not decrypt it.

Tsai thought Rapid7 should have gotten the easier vulnerabilities following a simple review. Finding the vulnerabilities easy to exploit required further investigation.

Tsai discovered seven vulnerabilities that included the following:
• Cross-Site Scripting x 3
• Pre-Auth SQL Injection leads to Remote Code Execution
• Known-Secret-Key leads to Remote Code Execution
• Local Privilege Escalation x 2

Tsai reported vulnerabilities to the Accellion Support Team. Once the vendor was patched, Tsai sent these to CERT/CC which assigned four CVEs for the vulnerabilities.
• CVE-2016-2350
• CVE-2016-2351
• CVE-2016-2352
• CVE-2016-2353

Tsai noted there will be additional details published after full disclosure policy.

Using Pre-Auth SQL Injection to Write Webshell

Using Pre-Auth SQL Injection to Write Webshell

After assuming control of the server, Tsai checked whether the server environment was friendly. To remain on the server, it was necessary to be aware of the restrictions, logs, environments, etc. and not be detected.

Tsai found restrictions on the server.
1. Firewall outbound connection unavailable, including TCP, UDP, port 53, 80 and 443
2. Remote Syslog server
3. Audit logs enabled

While the outbound connection was not available, the ICMP Tunnel was working. Tsai could control the server with a webshell as this was merely a Bug Bounty Program.

In gathering vulnerability details to report to Facebook, Tsai found some strange things on the web log. These included strange PHP error messages that appeared to be caused by modifying codes online.

PHP error log

PHP error log

Tsai followed the PHP paths in error messages and discovered suspicious WEBSHELL files form prior “visitors:

Webshell on facebook server

Webshell on facebook server

The hacker created a proxy on the credential page to log Facebook employee credentials. The passwords were stored under the web directory to allow the hacker to use WGET occasionally.

Apart from the logged credentials, there were contents of letters seeking files from FTA. The logged credentials rotated regularly.

There were about 300 logged credentials from Feb. 1 to 7. There were primarily two modes in FTA for user login.
Tsai reported proofs to the Facebook Security Team.

Screenshots, timelines and logs were provided in addition to vulnerability details.

There were two periods the hacker operated the system based on the server logs, one in early July and the other in mid-September. The first one was a server “dorking” while the second was more severe. Keyloggers were also deployed.

The July incident occurred just before the CVE-2015-2857 exploit. Whether or not it was an invasion of 1-day exploitation or unknown-0 ones is not known.

Featured image from Shutterstock.

Important: Never invest money you can't afford to lose. Always do your own research and due diligence before placing a trade. Read our Terms & Conditions here.



Feedback or Requests?

Cybersecurity

The Pirate Bay is Hijacking PCs to Stealth-Mine Cryptocurrency

Published

on

For the second time in as many months, The Pirate Bay has been caught mining cryptocurrency on your computer without consent. The torrent platform was actually test-driving cryptocurrency mining in your browser – no doubt a lucrative revenue stream.

// -- Discuss and ask questions in our community on Workplace. Don't have an account? Send Jonas Borchgrevink an email -- //

The Pirates Are At It Again

The Pirate Bay has been caught using software called Coinhive, a JavaScript library that essentially serves as a cryptocurrency miner. It basically connects to visitors’ computers to mine Monero, one of the world’s most profitable cryptocurrencies.

The news was later confirmed by Bleeping Computer, which reported that,”The Pirate Bay, the internet’s largest torrent portal, is back at running a cryptocurrency miner after it previously ran a short test in mid-September.”

Estimates indicate that the scheme has earned the pirates a total of $43,000 over a three-week period.

// -- Become a yearly Platinum Member and save 69 USD and get access to our secret group on Workplace. Click here to change your current membership -- //

Users had no way to opt their computers out of being test-driven by the torrent network. Back in September, The Pirate Bay got away by telling people it was just a test. The site’s owners cannot use the same excuse this time around.

CoinHive advises websites to let their visitors  know their browser is being used to mine cryptocurrency.

“We’re a bit saddened to see that some of our customers integrate CoinHive into their pages without disclosing to their users what’s going on, let alone asking for their permission,” the company said.

The good news is most ad-blockers and antivirus programs will block CoinHive, given its recent abuses. That means not all visitors of The Pirate Pay were being used as a conduit for mining Monero.

Monero Joins Global Crypto Rally

The value of Monero (XMR) shot up nearly 8% on Friday, and was last seen trading at $94.17. With more than 15.2 million XMR tokens in circulation, the total market cap for Monero is $1.4 billion, according to CoinMarketCap. That’s enough for ninth on the global cryptocurrency list.

Twelve cryptos have now crossed the $1 billion valuation mark. A handful of others have made their way north of $500 million.

Important: Never invest money you can't afford to lose. Always do your own research and due diligence before placing a trade. Read our Terms & Conditions here.



Feedback or Requests?

Continue Reading

Breaches

Ethereum Notches Two-Month High as Bitcoin Offspring Triggers Volatility

Published

on

Digital currency Ethereum climbed to a two-month high on Monday, taking some of the heat off Bitcoin and Bitcoin Cash, which have slumped since the weekend.

// -- Discuss and ask questions in our community on Workplace. Don't have an account? Send Jonas Borchgrevink an email -- //

Ethereum Forges Higher Path

Concerns over Bitcoin created a favourable tailwind for Ethereum (ETH/USD), which is the world’s No. 2 digital currency by total assets. Ether’s price topped $340.00 on Monday and later settled at $323.54. That was the highest since June 20.

At its peak, ether was up 10% on the day and 70% for the month of August.

The ETH/USD was last down 2.2% at $315.02, according to Bitfinex. Prices are due for a brisk recovery, based on the daily momentum indicators.

// -- Become a yearly Platinum Member and save 69 USD and get access to our secret group on Workplace. Click here to change your current membership -- //

Fractured Bitcoin Community

Bitcoin and its offshoot, Bitcoin Cash, retreated on Monday following a volatile weekend. The BTC/USD slumped at the start of the week and was down more than 3% on Tuesday, with prices falling below $3,900.00. Just last week, Bitcoin was trading at new records near $4,500.00.

Bitcoin Cash, which emerged after the Aug. 1 hard fork, climbed to new records on Saturday, but has been in free-fall ever since. The BTH was down another 20% on Tuesday to $594.49, according to CoinMarketCap. Its total market value has dropped by several billion over the past two days.

Analysts say that a “fractured” Bitcoin community has made Ethereum a more attractive bet this week. The ether token has shown remarkable poise over the past seven days, despite trading well shy of a new record.

Other drivers behind Ethereum’s advance are steady demand from South Korean investors and growing confidence in a smooth upgrade for the the ETH network. The upgrade, which has been dubbed “Metropolis,” is expected in the next several weeks. Its key benefits include tighter transaction privacy and greater efficiency.

Ethereum Prices Unaffected by ICO Heist

Fin-tech developer Enigma was on the receiving end of a cyber-heist on Monday after hackers took over the company’s website, mailing list and instant messaging platforms. The hack occurred three weeks before Enigma’s planned Initial Coin Offering (ICO) for September 11.

In addition to defacing the company’s website, the hackers pushed a special “pre-sale” ahead of the ICO. While many users realized it was a scam, 1,492 ether tokens – valued at $495,000 – were directed into the hackers’ cryptocurrency wallet by unsuspecting backers.

The irony in all this is that Engima is a cryptography company that prides itself on top-notch security protocols. The company issued a statement that its servers had not been compromised.

ETH/USD (Bitfinex)

Important: Never invest money you can't afford to lose. Always do your own research and due diligence before placing a trade. Read our Terms & Conditions here.



Feedback or Requests?

Continue Reading

Cybersecurity

Spotting a Well-Made Investment Scam

Published

on

For every reasonably safe investment, there are 1000 scams and 10,000 reasonably toxic investments. Self-served advertising via social media and search engines exacerbates the problem – people sometimes click ads they think were search results, or, as humans are intended to, simply consumes the content on the screen instead of paying attention to where they’re being redirected to.

// -- Discuss and ask questions in our community on Workplace. Don't have an account? Send Jonas Borchgrevink an email -- //

In this article we will review a recent example of a well-executed investment scam.

The intended victim, who did not actually get scammed but alerted this author to the hustle, was led to believe that the above image was redirecting to a CNN news article. This is the actual URL the link went to:

// -- Become a yearly Platinum Member and save 69 USD and get access to our secret group on Workplace. Click here to change your current membership -- //

http://cnn.com-cat.press/anonymous-is-going-after-global-stock-market/?aref=http%3A%2F%2Ftrck.anony.trade%2Fsite%2Fredirectpage%3Fsid%3D99462%26hv%3Dgjalu5988de395a461839785307%26hid%3D264193#!

Now if you visit com-cat.press, all you see is a directory listing. This site’s entire purpose is to make people believe they are visiting legitimate .com websites, when in fact they are visiting others. It doesn’t always have to be a scam, sometimes it is simple an advertisement, but often enough it is a definite funnel to a scam. In this case, here’s where you wind up, at a place that looks an awful lot like CNN Money:

Again, this is not a real article on CNN. This is promotion for 10Markets.eu.

10Markets.eu is extremely professional looking. The platform looks to capture your details even just for demo trading. Most traders expect hurdles, so one can imagine tons of phone numbers and e-mail addresses entered:

The demo trading screen never loaded for this analyst, but the phone number is fake anyway. Took it from a coffee shop in Germany. Funnily, it appears the German exchange code is 030 in the first place, but you can’t edit that part. They also don’t allow you to visit the site at all if you’re in North America.

The tipster was clever enough to find out if 10Markets.eu was a registered broker or not. They’re not. According to ForexBrokerz.com:

10Markets is a forex and CFD broker that is headquartered in Scotland [sic] and supports the popular MetaTrader 4 platform. It is not licensed by any authority and there is not much information about the trading conditions on its website. What is worse, this broker is present in the warning lists of UK’s FCA, Australia’s ASIC and Cyprus’ CySEC, so we don’t recommend doing business with 10Markets.

There are review websites which help. Regarding 10Markets, we came up with this one.

The tipster happens to have been our own Jonas Borchgrevink. He is equipped with years of experience in website publishing, and this is why he quickly noticed that he was not reading a CNN article. The sad fact is that a high percentage of people who read that article believe it to be real, and a percentage of those people end up getting scammed. As such, here is a checklist for new trading outfits that you haven’t used or heard about before:

  • Always try to get phone support right away. Before creating an account. If no one answers or there is anything suspicious, this is a scam.
  • Always search for “[EXCHANGE NAME]” + “scam,” and read carefully any results that come up. Most scams could stop at one person if others listened to that one.
  • In the US, you can use FINRA to check the legitimacy of an exchange or broker. In the UK, you have FCA. Many countries have sites like these, and it’s important to check the one from the country where the broker does business.
  • Use ad blockers at least when legitimately searching for financial solutions.
  • Check the URL! For every legitimate exchange website, there are a few fake ones designed to steal your account information.

In The Event That You Spot A Scam

Tattle! Spread the word far and wide, not just so others don’t get scammed, but also to give authorities the jump on the thieves. Otherwise, they may exit and get away with all the money before anyone stops them.

Important: Never invest money you can't afford to lose. Always do your own research and due diligence before placing a trade. Read our Terms & Conditions here.



Feedback or Requests?

Continue Reading

Trending