Teen Acquires $2.74M in Phishing Scam, EU’s Private Key Leaked, and Iran’s Fuel Distribution Network Crippled
Friday, October 29th, 2021
Welcome to another edition of HN (Hacker News) Notes. Below you will find this week’s list of top articles that we felt needed to be shared.
Cheers!
William from Hacker News
This Week’s Featured Tools
DonPAPI - Dumping DPAPI Creds Remotely
DPAPI Dumping at its finest. [1]
Lots of credentials are secured using DPAPI.
Not familiar with DPAPI? It is an acronym for “Data Protection API.” The excerpt [2] below explains what it does:
“Its primary use in the Windows operating system is to perform symmetric encryption of asymmetric private keys, using a user or system secret as a significant contribution of entropy. DPAPI allows developers to encrypt keys using a symmetric key derived from the user's logon secrets, or in the case of system encryption, using the system's domain authentication secrets. This makes it very easy for a developer to save encrypted data on the computer without needing to worry about how to protect the encryption key.”
This tool decrypts those “secured” credentials using whichever of the following secrets the operator can obtain:
User Password
Domain DPAPI Backup Key
Local Machine DPAPI Key
Loot that this tool currently grabs includes:
Windows Credentials
Windows Vaults
Windows RDP Credentials
AdConnect (requires manual operation)
Wifi Key(s)
Internet Explorer Credentials
Chrome Cookies & Credentials
Firefox Cookies & Credentials
VNC Passwords
mRemoteNG Password (with default config)
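To make the key hierarchy behind those three recovery paths concrete, here is an added Python model of it. This is not DonPAPI’s code: real DPAPI master-key files use PBKDF2, AES-256-CBC and HMAC-SHA512 over a binary layout, and escrow to the domain controller’s RSA backup key, whereas this model uses stdlib stand-ins (an HMAC keystream in place of AES, a symmetric backup key in place of RSA). The passwords, SIDs and secrets are constructed. What it shows is why each secret on its own is enough: a domain user’s master key is stored wrapped under the password-derived key and again under the domain backup key, SYSTEM-scope master keys are wrapped under the local machine secret, and every protected blob records which master key it needs.

```python
import hashlib
import hmac
import os
import uuid

# --- stand-in symmetric primitive (real DPAPI: AES-256-CBC + HMAC-SHA512) ---
def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for ctr in range((len(data) + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, out))

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = _keystream_xor(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, sealed: bytes) -> bytes:
    nonce, ct, tag = sealed[:16], sealed[16:-32], sealed[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key (or blob tampered)")
    return _keystream_xor(key, nonce, ct)

def user_prekey(password: str, sid: str, salt: bytes) -> bytes:
    """Key derived from the user's logon secret. Real DPAPI starts from the
    password/NT hash and runs PBKDF2 with the master-key file's own salt and
    iteration count; the SID is bound in as context. Modeled with PBKDF2 here."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-16-le"),
                               salt + sid.encode(), 8000, 32)

def new_user_masterkey(password: str, sid: str, domain_backup_key: bytes) -> dict:
    """A user master-key file: the random master key is stored twice, once under
    the password-derived key and once escrowed to the domain backup key. Holding
    the backup key therefore opens every domain user's master key."""
    mk, salt = os.urandom(64), os.urandom(16)
    return {"guid": str(uuid.uuid4()), "sid": sid, "salt": salt,
            "by_user": seal(user_prekey(password, sid, salt), mk),
            "by_backup": seal(domain_backup_key, mk)}

def new_machine_masterkey(machine_key: bytes) -> dict:
    """SYSTEM-scope master key, protected only by the local machine secret
    (real DPAPI: the DPAPI_SYSTEM LSA secret)."""
    return {"guid": str(uuid.uuid4()), "by_machine": seal(machine_key, os.urandom(64))}

def recover_masterkey(mkfile: dict, *, password=None, domain_backup_key=None,
                      machine_key=None) -> bytes:
    """The three recovery paths: whichever secret you hold unwraps the master key."""
    if password is not None and "by_user" in mkfile:
        return unseal(user_prekey(password, mkfile["sid"], mkfile["salt"]), mkfile["by_user"])
    if domain_backup_key is not None and "by_backup" in mkfile:
        return unseal(domain_backup_key, mkfile["by_backup"])
    if machine_key is not None and "by_machine" in mkfile:
        return unseal(machine_key, mkfile["by_machine"])
    raise ValueError("no usable secret for this master key")

def blob_key(masterkey: bytes, blob_salt: bytes) -> bytes:
    # Per-blob session key derived from the master key and the blob's salt.
    return hmac.new(hashlib.sha1(masterkey).digest(), blob_salt, hashlib.sha256).digest()

def protect(mkfile: dict, masterkey: bytes, secret: bytes) -> dict:
    """CryptProtectData analogue: the blob names the master key it was sealed with."""
    salt = os.urandom(16)
    return {"masterkey_guid": mkfile["guid"], "salt": salt,
            "data": seal(blob_key(masterkey, salt), secret)}

def unprotect(blob: dict, masterkey: bytes) -> bytes:
    return unseal(blob_key(masterkey, blob["salt"]), blob["data"])

def demo() -> dict:
    """Constructed scenario: one domain user with an RDP credential, one SYSTEM
    blob (a Wi-Fi PSK), and an attacker holding each of the three secrets in turn."""
    backup_key, machine_key = os.urandom(32), os.urandom(32)
    alice_mk = new_user_masterkey("Winter2021!", "S-1-5-21-1-2-3-1001", backup_key)
    sys_mk = new_machine_masterkey(machine_key)
    rdp_cred = protect(alice_mk, recover_masterkey(alice_mk, password="Winter2021!"),
                       b"alice:rdp-password")
    wifi_psk = protect(sys_mk, recover_masterkey(sys_mk, machine_key=machine_key),
                       b"CorpWifi:psk")
    results = {
        "via_password": unprotect(rdp_cred, recover_masterkey(alice_mk, password="Winter2021!")),
        "via_backup_key": unprotect(rdp_cred, recover_masterkey(alice_mk, domain_backup_key=backup_key)),
        "via_machine_key": unprotect(wifi_psk, recover_masterkey(sys_mk, machine_key=machine_key)),
    }
    try:
        recover_masterkey(alice_mk, password="wrong")
        results["wrong_password"] = "decrypted?!"
    except ValueError as err:
        results["wrong_password"] = str(err)
    return results
```

The practical consequence is the one DonPAPI is built around: a compromised user password only opens that user’s blobs, the DPAPI_SYSTEM secret only opens machine-scope blobs, but the domain backup key (extractable by a Domain Admin) opens every domain user’s master key on every machine, which is why its exposure should be treated as a domain-wide credential compromise.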
Lorsrf - SSRF Parameter Bruteforce
Brute-forcing hidden parameters to find SSRF vulnerabilities using the GET and POST methods. [3]
Not sure what SSRF is? Here’s an excerpt from an excellent resource [4] on the topic:
SSRF is an acronym that stands for “Server-Side Request Forgery.”
This vulnerability “allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing. In a typical SSRF attack, the attacker might cause the server to make a connection to internal-only services within the organization's infrastructure. In other cases, they may be able to force the server to connect to arbitrary external systems, potentially leaking sensitive data such as authorization credentials.”
Lorsrf is a module built into the scant3r scanner, which lets the attacker search for “blind” SSRF parameters: ones where the server makes the request but never reflects the result in its response.
What sets it apart is that focus on the blind case. Instead of looking for a change in the HTTP response, it injects a callback URL into each candidate parameter name and watches for the resulting out-of-band DNS or HTTP hit, something few parameter-discovery tools do.
If you’re a bug bounty hunter or penetration tester, this could potentially be a valuable asset to use. It’s worth at least a quick peek, right?
A demo of the program running can be found here.
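As an added illustration of what a blind-SSRF parameter brute-forcer has to do (this is not Lorsrf’s or scant3r’s code; the target application, the collaborator domain oob.example.net and the candidate wordlist are all constructed for the example), the Python below sends one request per candidate name, tags each callback URL with a unique token, and maps whatever hostnames later arrive at the collaborator back to the parameter that caused them. The stand-in target answers 200 with the same body for every request, which is exactly why the only usable signal is out-of-band.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed candidate names; a real wordlist runs to thousands of entries.
CANDIDATES = ["url", "redirect", "callback", "image", "feed", "dest",
              "next", "src", "proxy", "load", "fetch", "uri"]

def build_probes(base_url: str, collab_domain: str, method: str,
                 candidates=CANDIDATES):
    """One request per candidate parameter. Each carries a unique callback URL
    whose leftmost label is a random token, so an out-of-band DNS/HTTP hit
    identifies which parameter the server acted on even though the HTTP
    response never changes (that is what makes the SSRF 'blind')."""
    tokens, probes = {}, []
    for name in candidates:
        token = secrets.token_hex(4)
        tokens[token] = name
        payload = f"http://{token}.{collab_domain}/"
        if method == "GET":
            probes.append(("GET", f"{base_url}?{urlencode({name: payload})}", None))
        else:
            probes.append(("POST", base_url, urlencode({name: payload})))
    return tokens, probes

def correlate(tokens: dict, oob_hits: list, collab_domain: str) -> list:
    """Map hostnames observed at the collaborator back to parameter names,
    ignoring unrelated traffic and tokens we did not issue."""
    found, suffix = set(), "." + collab_domain
    for host in oob_hits:
        if host.endswith(suffix):
            token = host[: -len(suffix)].split(".")[-1]
            if token in tokens:
                found.add(tokens[token])
    return sorted(found)

class FakeTarget:
    """Constructed stand-in for a vulnerable app: it silently fetches whatever
    URL arrives in an undocumented parameter, but only via the listed HTTP
    methods, and always returns the same 200 body."""
    def __init__(self, hidden_param: str, methods=("POST",), oob_hits=None):
        self.hidden, self.methods = hidden_param, set(methods)
        self.oob_hits = oob_hits if oob_hits is not None else []

    def handle(self, method: str, url: str, body):
        if method not in self.methods:
            return "200 OK"
        raw = urlparse(url).query if method == "GET" else (body or "")
        dest = parse_qs(raw).get(self.hidden, [None])[0]
        if dest:
            # Server-side fetch: the only externally visible effect is the DNS
            # lookup / HTTP request that lands at the collaborator.
            self.oob_hits.append(urlparse(dest).hostname or "")
        return "200 OK"

def scan(target: FakeTarget, base_url: str, collab_domain: str) -> dict:
    """Brute-force GET and POST separately and report confirmed SSRF parameters."""
    results = {}
    for method in ("GET", "POST"):
        tokens, probes = build_probes(base_url, collab_domain, method)
        target.oob_hits.clear()
        for m, url, body in probes:
            target.handle(m, url, body)
        results[method] = correlate(tokens, target.oob_hits, collab_domain)
    return results

def demo() -> dict:
    # Hidden parameter "image", honoured only on POST (constructed scenario).
    target = FakeTarget(hidden_param="image", methods=("POST",))
    return scan(target, "http://shop.example/api/preview", "oob.example.net")
```

Against a real target, `FakeTarget.handle` becomes an actual HTTP request and `oob_hits` is what you poll from Burp Collaborator or interactsh. Two details carry over: a DNS-only hit still confirms the parameter is parsed as a URL even when the server’s outbound HTTP is blocked, and GET and POST are tried separately because a hidden parameter is often honoured by only one of them.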
Attacks of the Week
Grief Ransomware Now Targets the NRA
Grief, a ransomware group that reportedly has ties to the Russia-based Evil Corp, claims to have stolen data from the National Rifle Association and has published some of it on its dark web leak site.
Grief’s posting claiming to have hit the ever so infamous National Rifle Association was flagged in a tweet from Brett Callow.
Although the group has displayed several screenshots of Excel spreadsheets containing U.S. tax information and investment amounts, the NRA has yet to make any formal comment on the situation.
What is the NRA? [5]
“While widely recognized today as a major political force and as America's foremost defender of Second Amendment rights, the NRA has, since its inception, been the premier firearms education organization in the world. But our successes would not be possible without the tireless efforts and countless hours of service our nearly five million members have given to champion Second Amendment rights and support NRA programs. As former Clinton spokesman George Stephanopoulos said, ‘Let me make one small vote for the NRA. They're good citizens. They call their congressmen. They write. They vote. They contribute. And they get what they want over time.’”
Stating that “It’s hard to shoot your way out of a cyberattack,” one security expert suggested that the NRA may not have gone far enough in taking defensive security measures to protect its sensitive data.
Teen Rakes in $2.74M Worth of Bitcoin in Phishing Scam
He abused Google Ads to push a fake gift card site that phished payment details.
The teen had harvested 12,000 credit card numbers and 197 PayPal accounts onto his computer and collected more than $440,000 in stolen money.
“He had received through his PayPal accounts between January and March 2020 a total of £323,000,” the case’s prosecutor, Sam Skinner, said, according to Lincolnshire Live. “These sums came into his account and were transferred into cryptocurrency.”
Police seized a large quantity of cryptocurrency, including 48 Bitcoins and a smaller number of other coins. They were worth about £200,000 at the time of the seizure; at today’s prices they are worth roughly £2 million.
As stated in past episodes of these podcasts, it’s only a matter of time before these funds get traced. Bitcoin transactions sit on a public ledger, and chain analysis plus the identity records exchanges keep at cash-out mean the proceeds are rarely as anonymous as the thief assumes. You will always get caught. It’s just a matter of time.
The largest questions are still at play: How can consumers verify that the websites they visit are legitimate? How can consumers validate transactions are legitimate?
Cyberattack Cripples Iranian Fuel Distribution Network
The incident triggered shutdowns at pumps across the country as attackers flashed the phone number of Supreme Leader Ali Khamenei across video screens.
An attack on the fuel distribution chain in Iran reportedly forced the shutdown of a network of filling stations Tuesday, leaving motorists stranded at pumps across the country and unable to fill up their tanks.
The incident disabled government-issued electronic cards providing subsidies that many Iranians use to purchase fuel at discounted prices, according to a report in The Times of Israel, which said that the Iran Supreme National Security Council confirmed the attack.
The filling stations targeted in the attack belong to the National Iranian Oil Products Distribution Company (NIOPDC), which has more than 3,500 stations across Iran and has been supplying oil products for more than 80 years, according to another report in BleepingComputer.
The incident echoed another critical-infrastructure attack that occurred in July against the Iran rail transportation system. Similarly, its attackers reportedly used the number “64411” – the phone number for the office of Supreme Leader Ali Khamenei.
Tuesday’s attack displayed a message reading “cyberattack 64411” on gas pumps when people tried to use their subsidy cards, according to the Times of Israel. In July’s attack, this number was displayed on screens and message boards at rail transportation stations, directing people to call it for more information about the attack.
Breaches and Leaks of the Week
EU’s Green Pass Vaccination ID Private Key Leaked
On Tuesday, several people reported finding a QR code online that decoded to a valid digital Covid certificate issued in the name “Adolf Hitler,” with a date of birth of Jan 1, 1900.
The following day, ANSA reported that vendors on several dark web sites were selling passes that validated against the system. The European Union held several meetings to establish whether the incident was isolated.
The signing key involved was reported revoked as of Wednesday, but there are still multiple reports of working certificates being traded online.
So far, French and Polish authorities have found no sign of cryptographic compromise: there is no evidence that the private keys used to sign the vaccine passes, the same keys behind the fake Mickey Mouse and Adolf Hitler passes, were actually extracted.
In essence, the Commission stated that the certificates were apparently generated “by persons with valid credentials to access the national IT systems, or a person misusing such valid credentials.”
“According to the information available, the cryptographic keys used to sign certificates have not been compromised. This incident is caused by an illegal activity and not by a technical failure. Together with the Member States, we reaffirm our full trust in the EU Digital COVID Certificate system.”
Zales.com Leaked Customer Data, Just Like Sister Firms Jared, Kay Jewelers Did in 2018
In December 2018, bling vendor Signet Jewelers fixed a weakness in their Kay Jewelers and Jared websites that exposed the order information for all of their online customers. This week, Signet subsidiary Zales.com updated its website to remediate a nearly identical customer data exposure.
Last week, KrebsOnSecurity heard from a reader who was browsing Zales.com and suddenly found they were looking at someone else’s order information on the website, including their name, billing address, shipping address, phone number, email address, items and total amount purchased, delivery date, tracking link, and the last four digits of the customer’s credit card number.
When the reader failed to get an immediate response from Signet, KrebsOnSecurity contacted the company. In a written response, Signet said, “A concern was brought to our attention by an IT professional. We addressed it swiftly, and upon review, we found no misuse or negative impact to any systems or customer data.”
Signet commented:
“As a business principle we make consumer information protection the highest priority, and proactively initiate independent and industry-leading security testing. As a result, we exceed industry benchmarks on data protection maturity. We always appreciate it when consumers reach out to us with feedback, and have committed to further our efforts on data protection maturity.”
When Signet fixed similar weaknesses with its Jared and Kay websites back in 2018, the reader who found and reported that data exposure said his mind quickly turned to the various ways crooks might exploit access to customer order information.
[1] https://www.kitploit.com/2021/10/donpapi-dumping-dpapi-credz-remotely.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+PentestTools+%28PenTest+Tools%29
[2] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation/dpapi-extracting-passwords
[3] https://www.kitploit.com/2021/10/lorsrf-ssrf-parameter-bruteforce.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+PentestTools+%28PenTest+Tools%29
[4] https://portswigger.net/web-security/ssrf
[5] https://home.nra.org/about-the-nra/