Forwarded from BlackBox (Security) Archiv
The Eye on the Nile
Phishing attack on government opponents in Egypt - with apps from the Play Store
Specialists reveal a sophisticated phishing attack in Egypt. Android apps that made it into the Play Store without catching the eye were involved.
Back in March 2019, Amnesty International published a report that uncovered a targeted attack against journalists and human rights activists in Egypt. The victims even received an e-mail from Google warning them that government-backed attackers attempted to steal their passwords. https://www.amnesty.org/en/latest/research/2019/03/phishing-attacks-using-third-party-applications-against-egyptian-civil-society-organizations/
According to the report, the attackers did not rely on traditional phishing methods or credential-stealing payloads, but rather utilized a stealthier and more efficient way of accessing the victimsโ inboxes: a technique known as โOAuth Phishingโ. By abusing third-party applications for popular mailing services such as Gmail or Outlook, the attackers manipulated victims into granting them full access to their e-mails.
Recently, we were able to find previously unknown or undisclosed malicious artifacts belonging to this operation. A new website we attributed to this malicious activity revealed that the attackers are going after their prey in more than one way, and might even be hiding in plain sight: developing mobile applications to monitor their targets, and hosting them on Googleโs official Play Store.
After we notified Google about the involved applications, they quickly took them off of the Play Store and banned the associated developer.
๐๐ผ Read more:
https://research.checkpoint.com/the-eye-on-the-nile/
#Egypt #pishing #attacks #research #android #apps #playstore
๐ก@cRyPtHoN_INFOSEC_DE
๐ก@cRyPtHoN_INFOSEC_EN
๐ก@cRyPtHoN_INFOSEC_ES
Phishing attack on government opponents in Egypt - with apps from the Play Store
Specialists reveal a sophisticated phishing attack in Egypt. Android apps that made it into the Play Store without catching the eye were involved.
Back in March 2019, Amnesty International published a report that uncovered a targeted attack against journalists and human rights activists in Egypt. The victims even received an e-mail from Google warning them that government-backed attackers attempted to steal their passwords. https://www.amnesty.org/en/latest/research/2019/03/phishing-attacks-using-third-party-applications-against-egyptian-civil-society-organizations/
According to the report, the attackers did not rely on traditional phishing methods or credential-stealing payloads, but rather utilized a stealthier and more efficient way of accessing the victimsโ inboxes: a technique known as โOAuth Phishingโ. By abusing third-party applications for popular mailing services such as Gmail or Outlook, the attackers manipulated victims into granting them full access to their e-mails.
Recently, we were able to find previously unknown or undisclosed malicious artifacts belonging to this operation. A new website we attributed to this malicious activity revealed that the attackers are going after their prey in more than one way, and might even be hiding in plain sight: developing mobile applications to monitor their targets, and hosting them on Googleโs official Play Store.
After we notified Google about the involved applications, they quickly took them off of the Play Store and banned the associated developer.
๐๐ผ Read more:
https://research.checkpoint.com/the-eye-on-the-nile/
#Egypt #pishing #attacks #research #android #apps #playstore
๐ก@cRyPtHoN_INFOSEC_DE
๐ก@cRyPtHoN_INFOSEC_EN
๐ก@cRyPtHoN_INFOSEC_ES
Forwarded from BlackBox (Security) Archiv
You are not anonymous on Tor - Last February, my Tor onion service came under a huge Tor-based distributed denial-of-service (DDoS) attack
I spent days analyzing the attack, developing mitigation options, and defending my server. (The Tor service that I run for the Internet Archive was down for a few hours, but I managed to keep it up and running through most of the attack.)
While trying to find creative ways to keep the service up, I consulted a group of friends who are very active in the network incident response field. Some of these are the people who warn the world about new network attacks. Others are very experienced at tracking down denial-of-service attacks and their associated command-and-control (C&C) servers. I asked them if they could help me find the source of the attack. "Sure," they replied. They just needed my IP address.
I read off the address: "152 dot" and they repeated back "152 dot". "19 dot" "19 dot" and then they told me the rest of the network address. (I was stunned.) Tor is supposed to be anonymous. You're not supposed to know the IP address of a hidden service. But they knew. They had been watching the Tor-based DDoS. They had a list of the hidden service addresses that were being targeted by the attack. They just didn't know that this specific address was mine.
As it turns out, this is an open secret among the internet service community: You are not anonymous on Tor !!
๐ก Threat Modeling
There are plenty of documents that cover how Tor triple-encrypts packets, selects a route using a guard, relay, and exit, and randomizes paths to mix up the network traffic. However, few documents cover the threat model. Who can see your traffic?
๐ ๐๐ผ https://www.hackerfactor.com/blog/index.php?/archives/896-Tor-0day-Finding-IP-Addresses.html
#tor #onion #service #zeroday #DDoS #attacks #anonymous #poc #thinkabout
๐ก@cRyPtHoN_INFOSEC_DE
๐ก@cRyPtHoN_INFOSEC_EN
๐ก@BlackBox_Archiv
๐ก@NoGoolag
I spent days analyzing the attack, developing mitigation options, and defending my server. (The Tor service that I run for the Internet Archive was down for a few hours, but I managed to keep it up and running through most of the attack.)
While trying to find creative ways to keep the service up, I consulted a group of friends who are very active in the network incident response field. Some of these are the people who warn the world about new network attacks. Others are very experienced at tracking down denial-of-service attacks and their associated command-and-control (C&C) servers. I asked them if they could help me find the source of the attack. "Sure," they replied. They just needed my IP address.
I read off the address: "152 dot" and they repeated back "152 dot". "19 dot" "19 dot" and then they told me the rest of the network address. (I was stunned.) Tor is supposed to be anonymous. You're not supposed to know the IP address of a hidden service. But they knew. They had been watching the Tor-based DDoS. They had a list of the hidden service addresses that were being targeted by the attack. They just didn't know that this specific address was mine.
As it turns out, this is an open secret among the internet service community: You are not anonymous on Tor !!
๐ก Threat Modeling
There are plenty of documents that cover how Tor triple-encrypts packets, selects a route using a guard, relay, and exit, and randomizes paths to mix up the network traffic. However, few documents cover the threat model. Who can see your traffic?
๐ ๐๐ผ https://www.hackerfactor.com/blog/index.php?/archives/896-Tor-0day-Finding-IP-Addresses.html
#tor #onion #service #zeroday #DDoS #attacks #anonymous #poc #thinkabout
๐ก@cRyPtHoN_INFOSEC_DE
๐ก@cRyPtHoN_INFOSEC_EN
๐ก@BlackBox_Archiv
๐ก@NoGoolag
Forwarded from BlackBox (Security) Archiv
You are not anonymous on Tor
๐ ๐๐ผ https://t.me/BlackBox_Archiv/1252
#tor #onion #service #zeroday #DDoS #attacks #anonymous #poc #thinkabout
๐ก@cRyPtHoN_INFOSEC_DE
๐ก@cRyPtHoN_INFOSEC_EN
๐ก@BlackBox_Archiv
๐ก@NoGoolag
๐ ๐๐ผ https://t.me/BlackBox_Archiv/1252
#tor #onion #service #zeroday #DDoS #attacks #anonymous #poc #thinkabout
๐ก@cRyPtHoN_INFOSEC_DE
๐ก@cRyPtHoN_INFOSEC_EN
๐ก@BlackBox_Archiv
๐ก@NoGoolag
Forwarded from BlackBox (Security) Archiv
Powerhouse VPN products can be abused for large-scale DDoS attacks
Around 1,500 Powerhouse VPN servers are exposed online and ready to be abused by DDoS groups.
Botnet operators are abusing VPN servers from VPN provider Powerhouse Management as a way to bounce and amplify junk traffic part of DDoS attacks.
This new DDoS vector has been discovered and documented by a security researcher who goes online as Phenomite, who shared his findings with ZDNet last week.
The researcher said the root cause of this new DDoS vector is a yet-to-be-identified service that runs on UDP port 20811 on Powerhouse VPN servers.
Phenomite says that attackers can ping this port with a one-byte request, and the service will often respond with packets that are up to 40 times the size of the original packet.
Since these packets are UDP-based, they can also be modified to contain an incorrect return IP address. This means that an attacker can send a single-byte UDP packet to a Powerhouse VPN server, which then amplifies it and sends it to the IP address of a victim of a DDoS attack โin what security researchers call a reflected/amplified DDoS attack.
https://www.zdnet.com/article/powerhouse-vpn-products-can-be-abused-for-large-scale-ddos-attacks/
#powerhouse #vpn #abuse #ddos #attacks
๐ก@cRyPtHoN_INFOSEC_FR
๐ก@cRyPtHoN_INFOSEC_EN
๐ก@cRyPtHoN_INFOSEC_DE
๐ก@BlackBox_Archiv
๐ก@NoGoolag
Around 1,500 Powerhouse VPN servers are exposed online and ready to be abused by DDoS groups.
Botnet operators are abusing VPN servers from VPN provider Powerhouse Management as a way to bounce and amplify junk traffic part of DDoS attacks.
This new DDoS vector has been discovered and documented by a security researcher who goes online as Phenomite, who shared his findings with ZDNet last week.
The researcher said the root cause of this new DDoS vector is a yet-to-be-identified service that runs on UDP port 20811 on Powerhouse VPN servers.
Phenomite says that attackers can ping this port with a one-byte request, and the service will often respond with packets that are up to 40 times the size of the original packet.
Since these packets are UDP-based, they can also be modified to contain an incorrect return IP address. This means that an attacker can send a single-byte UDP packet to a Powerhouse VPN server, which then amplifies it and sends it to the IP address of a victim of a DDoS attack โin what security researchers call a reflected/amplified DDoS attack.
https://www.zdnet.com/article/powerhouse-vpn-products-can-be-abused-for-large-scale-ddos-attacks/
#powerhouse #vpn #abuse #ddos #attacks
๐ก@cRyPtHoN_INFOSEC_FR
๐ก@cRyPtHoN_INFOSEC_EN
๐ก@cRyPtHoN_INFOSEC_DE
๐ก@BlackBox_Archiv
๐ก@NoGoolag
ZDNet
Powerhouse VPN products can be abused for large-scale DDoS attacks
Around 1,500 Powerhouse VPN servers are exposed online and ready to be abused by DDoS groups.
Forwarded from BlackBox (Security) Archiv
Let's Encrypt's performance is currently degraded due to a DDoS attack
Our services' performance is currently degraded due to a Distributed Denial of Service (DDoS) attack, which we are working to mitigate.
https://letsencrypt.status.io/pages/incident/55957a99e800baa4470002da/6044830be2838505358d3108
#letsencrypt #ddos #attacks
๐ก@cRyPtHoN_INFOSEC_FR
๐ก@cRyPtHoN_INFOSEC_EN
๐ก@cRyPtHoN_INFOSEC_DE
๐ก@BlackBox_Archiv
๐ก@NoGoolag
Our services' performance is currently degraded due to a Distributed Denial of Service (DDoS) attack, which we are working to mitigate.
https://letsencrypt.status.io/pages/incident/55957a99e800baa4470002da/6044830be2838505358d3108
#letsencrypt #ddos #attacks
๐ก@cRyPtHoN_INFOSEC_FR
๐ก@cRyPtHoN_INFOSEC_EN
๐ก@cRyPtHoN_INFOSEC_DE
๐ก@BlackBox_Archiv
๐ก@NoGoolag
Forwarded from BlackBox (Security) Archiv
ndss2021_1C-3_23159_paper.pdf
430.5 KB
All the Numbers are US: Large-scale Abuse of Contact Discovery in Mobile Messengers
Contact discovery allows users of mobile messengers to conveniently connect with people in their address book.
In this work, we demonstrate that severe privacy issues exist in currently deployed contact discovery methods.
Our study of three popular mobile messengers (WhatsApp, Signal, and Telegram) shows that, contrary to expectations, largescale crawling attacks are (still) possible. Using an accurate database of mobile phone number prefixes and very few resources, we have queried 10 % of US mobile phone numbers for WhatsApp and 100 % for Signal. For Telegram we find that its API exposes a wide range of sensitive information, even about numbers not registered with the service.
https://www.ndss-symposium.org/wp-content/uploads/ndss2021_1C-3_23159_paper.pdf
#contact #messenger #telegram #whatsapp #signal #crawling #attacks #study #pdf
๐ก @nogoolag ๐ก @blackbox_archiv
Contact discovery allows users of mobile messengers to conveniently connect with people in their address book.
In this work, we demonstrate that severe privacy issues exist in currently deployed contact discovery methods.
Our study of three popular mobile messengers (WhatsApp, Signal, and Telegram) shows that, contrary to expectations, largescale crawling attacks are (still) possible. Using an accurate database of mobile phone number prefixes and very few resources, we have queried 10 % of US mobile phone numbers for WhatsApp and 100 % for Signal. For Telegram we find that its API exposes a wide range of sensitive information, even about numbers not registered with the service.
https://www.ndss-symposium.org/wp-content/uploads/ndss2021_1C-3_23159_paper.pdf
#contact #messenger #telegram #whatsapp #signal #crawling #attacks #study #pdf
๐ก @nogoolag ๐ก @blackbox_archiv
Forwarded from BlackBox (Security) Archiv
All the Numbers are US: Large-scale Abuse of Contact Discovery in Mobile Messengers (Interesting quotes and conclusion)
๐ก All the Numbers are US: Large-scale Abuse of Contact Discovery in Mobile Messengers (PDF)
https://t.me/BlackBox_Archiv/2042
Both WhatsApp and Telegram transmit the contacts of users in clear text to their servers (but encrypted during transit), where they are stored to allow the services to push updates (such as newly registered contacts) to the clients. WhatsApp stores phone numbers of its users in clear text on the server, while phone numbers not registered with WhatsApp are MD5-hashed with the country prefix prepended (according to court documents from 2014 [2]).
Signal does not store contacts on the server. Instead, each client periodically sends hashes of the phone numbers stored in the address book to the service, which matches them against the list of registered users and responds with the intersection. The different procedures illustrate a trade-off between usability and privacy: the approach of WhatsApp and Telegram can provide faster updates to the user with less communication overhead, but needs to store sensitive data on the servers.
๐กSignal:
Our script for Signal uses 100 accounts over 25 daysto check all 505 million mobile phone numbers in the US. Our results show that Signal currently has 2.5 million users registered in the US, of which 82.3 % have set an encrypted user name, and 47.8 % use an encrypted profile picture. We also cross-checked with WhatsApp to see if Signal users differ in their use of public profile pictures, and found that 42.3 % of Signal users are also registered on WhatsApp (cf. Tab. IV), and 46.3 % of them have a public profile picture there. While this is slightly lower than the average for WhatsApp users (49.6 %), it is not sufficient to indicate an increased privacy-awareness of Signalโs users, at least for profile pictures.
๐กTelegram:
For Telegram we use 20 accounts running for 20 days on random US mobile phone numbers. Since Telegramโs rate limits are very strict, only 100,000 numbers were checked during that time: 0.9 % of those are registered and 41.9 % have a non-zero importer_count. These numbers have a higher probability than random ones to be present on other messengers, with 20.2 % of the numbers being registered with WhatsApp and 1.1 % registered with Signal, compared to the average success rates of 9.8 % and 0.9 %, respectively. Of the discovered Telegram users, 44 % of the crawled users have at least one public profile picture, with 2 % of users having more than 10 pictures available.
๐ก Comparison WhatsApp | Signal | Telegram:
With its focus on privacy, Signal excels in exposing almost no information about registered users, apart from their phone number. In contrast, WhatsApp exposes profile pictures and the About text for registered numbers, and requires users to opt-out of sharing this data by changing the default settings. Our results show that only half of all US users prevent such sharing by either not uploading an image or changing the settings. Telegram behaves even worse: it allows crawling multiple images and also additional information for each user. The importer_count offered by its API even provides information about users not registered with the service. This can help attackers to acquire likely active numbers, which can be searched on other platforms.
๐ก Conclusion:
Mobile contact discovery is a challenging topic for privacy researchers in many aspects. In this paper, we took an attackerโs perspective and scrutinized currently deployed contact discovery services of three popular mobile messengers: WhatsApp, Signal, and Telegram. We revisited known attacks and using novel techniques we quantified the efforts required for curious serv[...]
#contact #messenger #telegram #whatsapp #signal #crawling #attacks #comment #conclusion
๐ก @nogoolag ๐ก @blackbox_archiv
๐ก All the Numbers are US: Large-scale Abuse of Contact Discovery in Mobile Messengers (PDF)
https://t.me/BlackBox_Archiv/2042
Both WhatsApp and Telegram transmit the contacts of users in clear text to their servers (but encrypted during transit), where they are stored to allow the services to push updates (such as newly registered contacts) to the clients. WhatsApp stores phone numbers of its users in clear text on the server, while phone numbers not registered with WhatsApp are MD5-hashed with the country prefix prepended (according to court documents from 2014 [2]).
Signal does not store contacts on the server. Instead, each client periodically sends hashes of the phone numbers stored in the address book to the service, which matches them against the list of registered users and responds with the intersection. The different procedures illustrate a trade-off between usability and privacy: the approach of WhatsApp and Telegram can provide faster updates to the user with less communication overhead, but needs to store sensitive data on the servers.
๐กSignal:
Our script for Signal uses 100 accounts over 25 daysto check all 505 million mobile phone numbers in the US. Our results show that Signal currently has 2.5 million users registered in the US, of which 82.3 % have set an encrypted user name, and 47.8 % use an encrypted profile picture. We also cross-checked with WhatsApp to see if Signal users differ in their use of public profile pictures, and found that 42.3 % of Signal users are also registered on WhatsApp (cf. Tab. IV), and 46.3 % of them have a public profile picture there. While this is slightly lower than the average for WhatsApp users (49.6 %), it is not sufficient to indicate an increased privacy-awareness of Signalโs users, at least for profile pictures.
๐กTelegram:
For Telegram we use 20 accounts running for 20 days on random US mobile phone numbers. Since Telegramโs rate limits are very strict, only 100,000 numbers were checked during that time: 0.9 % of those are registered and 41.9 % have a non-zero importer_count. These numbers have a higher probability than random ones to be present on other messengers, with 20.2 % of the numbers being registered with WhatsApp and 1.1 % registered with Signal, compared to the average success rates of 9.8 % and 0.9 %, respectively. Of the discovered Telegram users, 44 % of the crawled users have at least one public profile picture, with 2 % of users having more than 10 pictures available.
๐ก Comparison WhatsApp | Signal | Telegram:
With its focus on privacy, Signal excels in exposing almost no information about registered users, apart from their phone number. In contrast, WhatsApp exposes profile pictures and the About text for registered numbers, and requires users to opt-out of sharing this data by changing the default settings. Our results show that only half of all US users prevent such sharing by either not uploading an image or changing the settings. Telegram behaves even worse: it allows crawling multiple images and also additional information for each user. The importer_count offered by its API even provides information about users not registered with the service. This can help attackers to acquire likely active numbers, which can be searched on other platforms.
๐ก Conclusion:
Mobile contact discovery is a challenging topic for privacy researchers in many aspects. In this paper, we took an attackerโs perspective and scrutinized currently deployed contact discovery services of three popular mobile messengers: WhatsApp, Signal, and Telegram. We revisited known attacks and using novel techniques we quantified the efforts required for curious serv[...]
#contact #messenger #telegram #whatsapp #signal #crawling #attacks #comment #conclusion
๐ก @nogoolag ๐ก @blackbox_archiv
Telegram
BlackBox (Security) Archiv
All the Numbers are US: Large-scale Abuse of Contact Discovery in Mobile Messengers
Contact discovery allows users of mobile messengers to conveniently connect with people in their address book.
In this work, we demonstrate that severe privacy issues existโฆ
Contact discovery allows users of mobile messengers to conveniently connect with people in their address book.
In this work, we demonstrate that severe privacy issues existโฆ