Facebook Bounty Hunter Wins $10,000 By Finding Backdoor

Facebook bounty hunter Orange Tsai received $10,000 after finding that someone had installed a backdoor, according to betanews. Tsai was able to penetrate a Linux-based staff server and discovered a piece of malware that was stealing usernames and passwords.

Facebook noted that the backdoor did not compromise any user information.

Tsai, who works for Devcore in Thailand, used a reverse lookup to find files.fb.com, which was running the Accellion Secure File Transfer service, a product prone to some vulnerabilities.

Bounty Hunter Installed Malware

Facebook claims the malware was installed by another security researcher who was trying to earn the bounty.

Tsai executed remote code on the server to gain control of it using an SQL injection vulnerability. This was the point where Tsai found the password-stealing PHP scripts.

Reginaldo Silva, a Facebook security engineer, said the company appreciates Tsai’s work. The company used a third party software they do not fully control. Facebook ran the software isolated from systems hosting the data that people share with Facebook as a way to have better security, Silva said.

Facebook determined the activity came from another researcher who participates in the company’s bounty program. Neither bounty hunter was able to undermine other parts of the company’s infrastructure, Silva said. He called it a “double win” when two researchers assess the system, and one reports what they found and receives a bounty, but neither researcher was able to expand the access.

Tsai Orange Relates Exploit

Facebook began the “Bug Bounty Program” in 2012, Tsai noted in a Devcore blog.

Tsai noted that server-side vulnerabilities are “cooler to take over” than client-side ones. Both vulnerability types are critical in a penetration test, Tsai noted.

In searching for vulnerabilities, Tsai first determines how big the company’s “territory” is on the Internet, then attempts to find an entrance. Initial steps are:
• What can be found by Google Hacking?
• How many B Class and C Class IP addresses are being used?
• Whois And Reverse Whois?
• What domain names are used and what are their internal domain names?
• What equipment vendors and technologies are preferred?
• Are there Github or Pastebin data breaches?

Tsai noted there are common security issues in large corporations.
1. The “network boundary” is hard to take care of. Once a company has grown to tens of thousands of computers, servers and routers, it is impossible for the MIS to have a perfect protection mechanism. Luck is often on the attacker’s side, since an attacker only has to find one small weak spot: a susceptible server on the “border” will grant access to the internal network.
2. Lack of knowledge of “networking equipment” protection. Most of this equipment does not provide fine-grained shell control; it can only be configured through its user interface. Protection is often built at the network layer, so users might not notice when 0-day or 1-day attacks compromise these devices.
3. “Breached databases,” known as “social engineering databases,” have emerged in China. The leaked data sometimes lowers the difficulty of penetration: the attacker only has to search the breached database, find a user credential with VPN access, and they can penetrate the internal network.

When a breach is large enough that a key person’s password turns up in the leaked data, the victim company’s security diminishes.

The Search Begins

Tsai found Facebook’s domain names and also tried Reverse Whois, which yielded an interesting domain name: tfbnw.net. This apparently stood for “The Facebook Network.”

Tsai then found the following server through public data: vpn.tfbnw.net.

In accessing vpn.tfbnw.net, the Juniper SSL VPN login interface offered no vulnerability to be directly exploited.

Tsai enumerated the C Class IPs around vpn.tfbnw.net and found some interesting servers, such as:
• Mail Server Outlook Web App
• F5 BIGIP SSL VPN
• CISCO ASA SSL VPN
• Oracle E-Business
• MobileIron MDM

The information on those servers led Tsai to believe the C Class IPs were important.

A special server among the C Class IPs was:

Login Interface of files.fb.com

Based on the footer and logo, the login interface was Accellion’s Secure File Transfer (FTA). FTA provides secure file transfer, syncing and online file sharing, plus integration with single sign-on mechanisms including Kerberos, LDAP and AD. The Enterprise version supports SSL VPN service.

Tsai next searched the Internet for public exploits. The latest had been published by HD Moore in a Rapid7 advisory: Accellion File Transfer Appliance Vulnerabilities (CVE-2015-2856, CVE-2015-2857).

The version number leaked by “/tws/getStatus” determines whether this vulnerability is exploitable. By the time Tsai discovered files.fb.com, the vulnerable v0.18 had already been updated to v0.20. Tsai believed there should still be security issues in FTA and began to look for 0-days in FTA products.

Black-box testing did not yield vulnerabilities, so Tsai tried white-box testing. After gathering source code from prior FTA versions, research proceeded.

FTA Product

Tsai noted the following about FTA product:
1. The web-based user interfaces were mainly composed of Perl and PHP.
2. The PHP source code was encrypted with IonCube.
3. There were lots of Perl daemons running in the background.

Tsai first attempted to decrypt the IonCube-encrypted code. The IonCube version that FTA used was not up to date, and ready-made tools could not decrypt it.

Tsai reasoned that Rapid7 would already have found the easier vulnerabilities in a simple review, so finding further easily exploitable ones required deeper investigation.

Tsai discovered seven vulnerabilities that included the following:
• Cross-Site Scripting x 3
• Pre-Auth SQL Injection leads to Remote Code Execution
• Known-Secret-Key leads to Remote Code Execution
• Local Privilege Escalation x 2

Tsai reported the vulnerabilities to the Accellion Support Team. Once the vendor had patched them, Tsai sent the details to CERT/CC, which assigned four CVEs to the vulnerabilities.
• CVE-2016-2350
• CVE-2016-2351
• CVE-2016-2352
• CVE-2016-2353

Tsai noted that additional details will be published in accordance with the full-disclosure policy.

Using Pre-Auth SQL Injection to Write Webshell

After gaining control of the server, Tsai checked whether the server environment was friendly. To remain on the server without being detected, it was necessary to be aware of its restrictions, logs, environment, etc.

Tsai found restrictions on the server.
1. The firewall blocked outbound connections, including TCP, UDP and ports 53, 80 and 443
2. Remote Syslog server
3. Audit logs enabled

While outbound connections were blocked, an ICMP tunnel did work. Since this was merely a bug bounty program, Tsai was content to control the server with a webshell.

While gathering vulnerability details to report to Facebook, Tsai found some strange things in the web log, including PHP error messages that appeared to be caused by someone modifying code on the live server.

PHP error log

Tsai followed the PHP paths in the error messages and discovered suspicious webshell files left by prior “visitors”:

Webshell on facebook server

The hacker had placed a proxy on the credential page to log Facebook employee credentials. The captured passwords were stored under the web directory so that the hacker could retrieve them with WGET from time to time.
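The triage step described above, following the script paths in PHP error messages to files that should not be on the server, as an added defender-side example that is neither the article’s nor Accellion’s code. The log lines, the web root /var/www/html and the file manifest are constructed sample data; in practice the manifest would come from the vendor package list or a golden image.

```python
import re

# PHP's default error_log line layout:
#   [date] PHP <Level>: <message> in <script path> on line <n>
PHP_ERROR_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+PHP\s+(?P<level>[A-Za-z ]+?):\s+(?P<msg>.*?)"
    r"\s+in\s+(?P<file>\S+)\s+on\s+line\s+(?P<line>\d+)\s*$"
)

# Constructed web root and manifest of files the application is supposed
# to contain (hypothetical layout, not Accellion's real one).
WEB_ROOT = "/var/www/html"
KNOWN_FILES = {
    "/var/www/html/index.php",
    "/var/www/html/login.php",
    "/var/www/html/lib/auth.php",
    "/var/www/html/courier/upload.php",
}

# Constructed sample log: two lines point at a hidden script that was never
# shipped with the application, one at a script outside the web root.
SAMPLE_LOG = """\
[01-Feb-2016 08:12:03 UTC] PHP Notice:  Undefined index: user in /var/www/html/login.php on line 42
[01-Feb-2016 08:12:05 UTC] PHP Parse error:  syntax error, unexpected '}' in /var/www/html/courier/.sess.php on line 17
[01-Feb-2016 08:12:09 UTC] PHP Warning:  file_put_contents(/var/www/html/courier/.log): Permission denied in /var/www/html/courier/.sess.php on line 23
[01-Feb-2016 08:13:10 UTC] PHP Notice:  Undefined variable: q in /var/www/html/lib/auth.php on line 88
[01-Feb-2016 08:15:22 UTC] PHP Fatal error:  Call to undefined function mail_log() in /tmp/.x.php on line 3
some unrelated line that is not a PHP error
"""


def parse_php_error(line):
    """Return the fields of one PHP error-log line, or None if it is not one."""
    m = PHP_ERROR_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_path(path, known_files=KNOWN_FILES, web_root=WEB_ROOT):
    """Label a script path: 'known', 'unlisted-in-webroot' or 'outside-webroot'."""
    if path in known_files:
        return "known"
    if path.startswith(web_root.rstrip("/") + "/"):
        return "unlisted-in-webroot"
    return "outside-webroot"


def triage_error_log(log_text, known_files=KNOWN_FILES, web_root=WEB_ROOT):
    """Group PHP errors by script and keep only the scripts that need a look.

    Returns {path: {"verdict", "hits", "levels", "first_seen", "hidden",
    "edited_live"}}. 'edited_live' is set when a parse error was logged for
    the file: a syntax error on a production server is the tell-tale of code
    being changed in place, which is what the article describes.
    """
    findings = {}
    for raw in log_text.splitlines():
        rec = parse_php_error(raw)
        if rec is None:
            continue
        verdict = classify_path(rec["file"], known_files, web_root)
        if verdict == "known":
            continue
        entry = findings.setdefault(rec["file"], {
            "verdict": verdict,
            "hits": 0,
            "levels": set(),
            "first_seen": rec["ts"],
            # dot-files under a web root are a classic place to hide a script
            "hidden": rec["file"].rsplit("/", 1)[-1].startswith("."),
            "edited_live": False,
        })
        entry["hits"] += 1
        entry["levels"].add(rec["level"])
        if rec["level"] == "Parse error":
            entry["edited_live"] = True
    for entry in findings.values():
        entry["levels"] = sorted(entry["levels"])
    return findings


if __name__ == "__main__":
    for path, info in triage_error_log(SAMPLE_LOG).items():
        print(f"{path}: {info['verdict']}, {info['hits']} hit(s), "
              f"levels={info['levels']}, hidden={info['hidden']}, "
              f"edited_live={info['edited_live']}, first seen {info['first_seen']}")
```

Every flagged path should then be compared against the package manifest and file timestamps on disk; a script with a parse error that is not in the manifest is the first file to pull for review.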

Apart from the logged credentials, there were also the contents of messages requesting files from FTA. The logged credentials were rotated regularly.

There were about 300 logged credentials from Feb. 1 to 7. There were primarily two modes in FTA for user login.

Tsai reported the evidence to the Facebook Security Team.

Screenshots, timelines and logs were provided in addition to vulnerability details.

Based on the server logs, the hacker operated on the system during two periods, one in early July and the other in mid-September. The first was just server “dorking,” while the second was more severe; keyloggers were also deployed.

The July incident occurred just before the CVE-2015-2857 exploit. Whether the intrusion used a 1-day exploit or an unknown 0-day is not known.

BlockState Interview Part One: Institutional Investment Framework Story

The mainstream media narrative has shown an uncompromisingly negative bias towards institutional crypto investment of late and it only seemed fair that we got in touch with some people who have professional expertise in the field.

BlockState is a platform that aims to deliver a modular blockchain-based legal and technological infrastructure for financial institutions which combats the low interest and return rates offered by traditional asset classes.

We spoke to the three co-founders: Paul Claudius, Michael Weber and Samuel Brack regarding the nature of the project. In addition to how they met and how it all started, their current status, and their plans for the future.

BlockState in Brief

On their website, the BlockChain team states that their intention is to provide “a technological and legal bridge between blockchain technology and financial markets.”

It is an infrastructural platform upon which organisations within these sectors build or inform their own solutions – and is unashamedly focused towards providing products for the institutional investment crowd.

On the One Hand…

When asked about the ethics, technological approach and modus operandi of BlockState, Managing Director Paul Claudius was eager to provide a comprehensive, dichotomised summary.

“On the one hand we are creating the basis for institutional investors to access the digital assets markets.

“Investment banks can’t simply open a wallet on their phone and start buying crypto-assets. They need a range of services and processes in place to make sure that they abide by regulation and their internal requirements.”

The BlockState consensus is that there are insufficient frameworks in place to mitigate the obstacles faced by companies unfamiliar with the many intricacies of the crypto-space at present.

This is not to mention the prohibitive nature of the past progression of technological and regulatory standards, which are largely non-standardized.

… And On the Other

The ‘other hand’ to which Paul refers is the lack of blockchain or cryptocurrency integration at the product or service level within the institutional market.

For this reason, BlockState positions the second half of its service as an offering to:

“help institutions leverage blockchain to improve their existing processes… helping them tokenize financial products and using smart contracts to govern their execution… [to] save massive amount of resources while making their systems more transparent and efficient.”

In theory all transactions will be immutably recorded on the blockchain, which will ensure that all parties involved can access this data and that all transactions will be processed quickly.

Performance can distinguish a winning cryptocurrency from a useless dud.

The Three Musketeers

In addition to Paul Claudius, we got the opportunity to speak to fellow founding members Michael Weber and Samuel Brack.

Paul specialises in Strategy and Business Development, whilst Michael takes the lead on Product Development and Project Management duties.

Samuel Brack is the cryptocurrency brains of the operation and holds a more hands-on position, acting as Chief Technology Officer (CTO) for BlockState.

Before BlockState

Paul recalls that the executive leadership team had “all already knew each other” before the BlockState project even began.

Whilst he and Michael Weber had made acquaintance studying together at the ESCP Europe business school, Michael had met Samuel Brack as co-founding partners on a prior blockchain-based project entitled ‘Goodcoins’.

Whilst they have since sold their stake in Goodcoins, Samuel at least considers his time on the project to have equipped him with knowledge that he has brought forward to BlockState.

Beginners Luck?

On a more personal level: Paul Claudius described his first interaction with the world of cryptocurrency as being the moment in 2012 in which a friend had recommended Bitcoin to him as a potential investment.

He has not disclosed exactly how much Bitcoin he purchased in 2012, but if the story is true, considering the token’s value of $13 at the time, Paul would have made a whopping 51614.53% profit on his investment, no matter the amount invested.

Products, Pains and Peers

Michael Weber (product lead and project management professional) broke down the trio of primary services / product lines that BlockChain focuses on as being “asset management, debt capital, and derivatives” – with a perceived overlap between the three.

This is as well as the ability for tailoring packages for clients from these tested specialisms.

If these product names appear distinctive yet simple, you would be correct. Of course, this is one of the main objectives of marketing – however, it does not help a company to distinguish itself from its peers.

“While most focus on very specific needs, our infrastructure integrates solutions at every level of the financial product lifecycle, from issuance to reporting always with a view to improving current products on the market.”

This isn’t an easy task, however, with obstacles to full automation rearing their heads alongside undesirably long payment clearance times:

“Some of the major pain points specific to the asset management and derivatives markets and resource consuming operations are settlement and clearing, which can take up to 30 days… with manual processes like getting signatures and manual transactions.”

With a Little Help From My Friends

The three musketeers of BlockState with whom we have already spoken are supposed to possess their own unique-yet-compatible inventories of skills and experience. If the team has any luck it will prove a winning combination.

Three men cannot rule an empire alone, however, and as the popular idiom goes, successful leaders fill the gaps in their expertise by surrounding themselves with knowledgeable advisors. Following this, BlockState boasts a roster of advisors who may just fit the bill for now.

They include (according to Paul):

  • “Patrick Storchenegger, co-founder of the Ethereum Foundation in Zug, is our advisor on legal questions. He brings years of experience from blockchain, capital market law and international tax and business consultancy…
  • “Andrea Voinea, who helped to structure the first Gold Exchange Traded Fund, is a seasoned professional from the asset management market…
  • “Ludwig Schrittenloher, who spent nearly six years at Credit Suisse, offers a breadth of knowledge in DCM and structuring…
  • “[and] Martin Schröder, currently a Director in an investment firm, is an expert in derivatives and also very knowledgeable in capital markets and structuring.”

Estimated Time of ETN

Looking not to the past or present, but forward to what the future may hold for BlockState (or at least, what they plan to happen), we asked Paul Claudius some closing questions in an attempt to reach some conclusions on what may come next…

“At the end of September, we will launch the CTF15 Exchange Traded Note, and it will also be listed on a major European Stock Exchange – to be announced soon…”

An Exchange Traded Note (or ETN) is “a type of unsecured, unsubordinated debt security”.

Final Words

Perhaps even more exciting is the fact that the team is currently preparing the launch of an ‘Equity Token Sale’, in which part of the company’s equity is issued in a public sale.

According to Paul, it will be “one of the first companies ever to tokenize their equity in a fully regulated and compliant manner, driving the adoption of security tokenization in the financial space.”

Paul, Simon and Michael ended our discussion by asking us to remind readers of a forthcoming event that all three will be attending: the Delta Summit in Malta, which takes place from October 3rd to the 5th.

Stay tuned for the second part of this interview, coming soon, in which the team will deliver their commentary on recent news, the present situation and future predictions for the market and industry.

Bitcoin Network Faced One-Two Punch of Inflation and DoS Threats

Bitcoin Core has emerged seemingly unscathed from a major vulnerability that threatened to shut down parts of the network in a denial-of-service (DoS) attack. But apparently, the bug was even worse than originally thought. According to a Bitcoin Core Full Disclosure Report, the issue also included an “inflation vulnerability,” which, if exploited, could have pushed the supply of bitcoin beyond the famous 21 million coin ceiling. By pouring more coins into the supply, the hackers would have diminished the value of the circulating bitcoins.

The decision to expose only the lesser extreme part of the bug to the public was deliberate. According to the report:

“In order to encourage rapid upgrades, the decision was made to immediately patch and disclose the less serious Denial of Service vulnerability, concurrently with reaching out to miners, businesses, and other affected systems while delaying publication of the full issue to give times for systems to upgrade. On September 20th a post in a public forum reported the full impact and although it was quickly retracted the claim was further circulated.”

Double-Edged Sword

The strategy was a success, and the bug is no longer a threat, as evidenced by more than 50% of the bitcoin mining hashrate having been upgraded to patched nodes, with no known attempts to “exploit this vulnerability.”

Here’s what we know, according to the report –

“A developer by the title earlz independently discovered and reported the vulnerability to the Bitcoin Core security contact email.”

Meanwhile, on social media, a contributor identified as a Bitcoin Cash developer who goes by the handle “Awemany” was cheered on Reddit for discovering and reporting the bug and cementing their place in “bitcoin’s history book.” Awemany in a blog post pointed to bitcoin developer Matt Corallo, whose 2016 pull request in an attempt to accelerate validation times led to what Awemany characterized as “one of the most catastrophic bugs in Bitcoin ever.”

The bottom line is that the bug was discovered and the threat has been lifted. It’s both a reminder of the risks associated with the consensus mechanism and a demonstration of good faith among the decision makers.

While it’s mostly the future of ETH that has been contemplated of late, given the plummeting of the No. 2 cryptocurrency’s value this year along with the confidence of investors, bitcoin has its own issues. In an exclusive interview with CCN, Sheffield Clark, who is at the helm of bitcoin ATM maker Coinsource, pointed to potentially “stagnant” mainstream adoption of bitcoin amid a lack of regulatory framework to help resolve issues like extreme volatility.

North Korea is now Targeting Crypto Users with Macs

The Lazarus group has earned quite a reputation for themselves in cyber-security circles.

This group of North Korean hackers has been responsible for some of the most well-known intrusions of the past few years. For example, they were behind the Sony Pictures hack in 2014, the Bangladesh central bank heist in 2016 and the WannaCry ransomware outbreak in 2017.

It is safe to say that these are quite effective operators.

However, with the popularity of cryptocurrencies, the Lazarus group has changed its attack vectors and is targeting everyday users with malware.

The latest report now has the hackers using macOS malware to hoover up information from cryptocurrency users who work on MacBooks.

“AppleJeus”

This was the first time that the Lazarus group had developed malware to target Mac users. Indeed, Mac operating systems are far less often targeted by malware than Windows-based systems.

It was a surprise for researchers at Kaspersky Lab to learn about the latest Lazarus attempt to target users with their macOS malware. They have labelled it “AppleJeus”.

This was first spotted on machines being used by a cryptocurrency company in Asia. Indeed, this is no coincidence, as the Lazarus group has often targeted cryptocurrency-related businesses and exchanges in South Korea.

How Does it Work?

AppleJeus hides itself inside the code of a seemingly legitimate piece of cryptocurrency trading software called Celas Trade Pro. The user will download the app from the website of the developer. When it is first downloaded, there are no signs that anything could be off. The app appears to operate normally.

Screenshot of Celas Trade, the offending program. Source: kaspersky labs

Once the app is installed on the device, it will request to update the software. This sort of request is present in authentic software and as such will not trigger any alerts. However, there is malicious code that is inside of this update.

The moment the update is installed, it will scan the computer and gather as much information as possible. This will then be sent back to the hackers’ server so that they can decide whether the person is worth attacking.

If they think that there is valuable information (or cryptocurrency) on the machine, they will instruct the software to install a trojan called “Fallchill”. For those who do not know, trojans are malware that install a “backdoor” into the machine.

Fallchill is a particularly robust trojan and can gather a great deal of information from the machine. This includes data such as financial information, login credentials and of course, information about cryptocurrency trading accounts.

Once the hackers have this personal information, they can either access your online accounts or they can conduct other spear phishing attacks against you. It is indeed a troubling development and according to Vitaly Kamluk of Kaspersky:

“For macOS users this case is a wakeup call, especially if they use their Macs to perform operations with cryptocurrencies”

So now that you know North Korea is actively trying to get their hands on your cryptocurrency, how do you protect yourself?

Keeping Safe from AppleJeus

The most effective way to protect yourself from this malware is to make sure that you only download software that is well known and reputable. This of course goes without saying, but far too often relatively inexperienced cryptocurrency traders skip doing their research.

The researchers have recommended that people and businesses do not download the Celas Trade software. Even though it appears to have a good reputation and verified digital certificates, this cannot be fully trusted.

You should also consider investing in some effective anti-malware software that you should use to scan all files that you have downloaded. This should be done even if you trust the source because hackers have been known to infiltrate trusted websites.

Cryptocurrency Security 101

Even if you are unlucky enough to have your machine infected with crypto grabbing malware, basic crypto security best practices will still protect you.

If you do a great deal of online trading with your cryptocurrency, it is essential that you secure your accounts with two-factor authentication. This way, you at least reduce the number of attack vectors.

You should always secure your large cryptocurrency holdings in a hardware wallet. This is because such wallets operate externally to the machine, so the trojan cannot read your private key information.

Caution and a healthy dose of scepticism will protect you from an unhealthy dose of AppleJeus.
