Network Archives | Vednam
https://vednam.com/category/network/
Latest News on Cyber Security, Hacking and Tech
Wed, 24 Jun 2020 20:10:28 +0000

Dark Web Hosting provider database leaked by Hacker
https://vednam.com/dark-web-hosting-provider-database-leaked-by-hacker/
Sun, 31 May 2020 20:01:51 +0000

Today a hacker leaked the database of Daniel Hosting (DH), the free web hosting provider for dark web services. According to DH owner Daniel Winzen, the hacker breached the database on 10 March 2020, leaked the data, and also wiped all the servers.

On March 26, two weeks after the breach, DH shut down the service for good, urging users to move their sites to new dark web hosting providers. Around 7,600 websites, approximately a third of all dark web portals, went down.


DATA LEAKED

A hacker calling himself KingNull uploaded a copy of DH’s stolen database to a file-hosting portal.

According to a cursory analysis of the data dump, the leaked data includes 3,671 e-mail addresses, 8,580 private keys, and 7,205 account passwords for .onion (dark web) domains.

The main point is that the leaked database holds sensitive information on the owner and on several users who have darknet domains.

The leaked data can be used to tie the owner of a leaked email address to a certain dark web portal.


The leaked information may help to track specific users, and may help governments take legal action if any of these darknet users are taking part in illegal activities.

There is an important point for owners of dark web portals: if a site owner moves their portal to another hosting provider and does not change the password, the site may be affected again. A hacker who previously cracked the DH hashed passwords could use them again to take over the new accounts.

Overall, threat intelligence firms and law enforcement teams are looking for clues, but the hacker has left none. IP addresses were the last option, but they were not found in the dumped data.

DH HACKED A SECOND TIME

March 2020 was the second time DH was hacked and suffered a data breach. The first incident happened in November 2018, when the site's backend database server was breached and all sites were deleted. Around 6,500 sites were wiped at that time, and no data was ever leaked.

DH is not the only such story: in 2017 a hacker collective took down Freedom Hosting when they discovered the hosting provider was sheltering child abuse portals.

DH still plans to relaunch the service, but this time with further improvements, which are the main priority.

 

Cisco server hacked by exploiting SaltStack Vulnerabilities.
https://vednam.com/cisco-server-hacked-by-exploiting-saltstack-vulnerabilities/
Sun, 31 May 2020 11:44:24 +0000

Let’s see what we found recently: attackers compromised Cisco servers and devices a number of times through the Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE) platform. This service lets users create and build network topologies without installing physical devices, so that the network can be tested virtually.

The attackers exploited critical vulnerabilities in SaltStack, an open-source framework.

It is mainly used for setting up data center systems and their automated services.

Cisco also stated that Cisco Modeling Labs Corporate Edition (CML) is vulnerable to these attacks, because it ships the same version of SaltStack and runs the vulnerable Salt master installation.

The information we gathered is: “CML is basically used by users to simulate Cisco devices and third-party devices. VIRL-PE helps users to create infrastructure and test virtual networks in a development and test environment easily.”

Vulnerable Cisco Products

Two products are mainly affected by the vulnerabilities:

  • Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE)
  • Cisco Modeling Labs Corporate Edition (CML)

The Main Servers Compromised

According to the company's report, the attackers managed to compromise and take control of six infrastructure servers:

  • us-1.virl.info
  • us-2.virl.info
  • us-3.virl.info
  • us-4.virl.info
  • vsm-us-1.virl.info
  • vsm-us-2.virl.info

We got an image from the news that shows a device where the salt-master service is enabled.

Where Cisco's security fell short:

The vulnerabilities are an authentication bypass identified as CVE-2020-11651 and a directory traversal identified as CVE-2020-11652.

Together, these two flaws allow attackers to gain access to the entire file system of servers that are configured in SaltStack.

CVE-2020-11651: authentication bypass vulnerability
CVE-2020-11652: directory traversal vulnerability

On May 7, 2020, Cisco updated the compromised servers and checked all the vulnerabilities that the patch fixes: the authentication bypass vulnerability (CVE-2020-11651) and the directory traversal vulnerability (CVE-2020-11652), which mainly affect SaltStack servers.

After that, Cisco released two essential updates, for the VIRL-PE service and for the related product Cisco Modeling Labs Corporate Edition. Security experts said that the flaws are present in any version of the services before the updates.

SaltStack is mainly meant to monitor servers and keep them updated automatically by means of a remote execution engine. It also allows commands to be run on multiple systems through a master node that applies changes to the target servers.

Cisco is not the only company attacked by cybercriminals using these vulnerabilities; earlier, attackers also hit other popular companies using the same security flaws.

 

Email Servers Hacked by Russian Military : NSA
https://vednam.com/email-servers-hacked-by-russian-military-nsa/
Fri, 29 May 2020 17:41:59 +0000

The US National Security Agency (NSA) released a new warning that Russian state cyber attackers have been exploiting a vulnerability in the Exim email server for the last nine months.

Exim is mail transfer agent (MTA) software that was developed by the University of Cambridge and is mainly used on Unix operating systems. It also comes with many popular Linux distributions like Red Hat and Debian, and is thought to run on millions of email servers globally.

The NSA warned that organizations that have failed to patch CVE-2019-10149, which was fixed in June 2019, may be at risk from the famous Sandworm group.

The attackers exploit victims that run Exim on their public-facing MTAs by sending a command in the ‘MAIL FROM’ field of an SMTP (Simple Mail Transfer Protocol) message.

An unauthenticated remote attacker can send a specially crafted email to execute commands with root privileges, which allows the attacker to install malicious programs, change data, and create new accounts.

When the Sandworm group exploits CVE-2019-10149, the targeted machine then downloads and executes a shell script from a domain under the group's control.

Once the script has run, it can make changes such as:

  • Update SSH configuration
  • Add privileged users
  • Disable network security settings

All of this is done to enable additional remote access; the script can also execute an additional shell script to enable follow-on exploitation.


The NSA called on organizations to upgrade Exim and install version 4.93 or newer. The NSA also asked them to use network-based security devices to detect and block attempts to exploit CVE-2019-10149.

Sandworm is known as the most sophisticated state hacking outfit. It is also believed to be linked to the BlackEnergy malware that was used in attacks on Ukrainian power stations in 2015 and 2016, which caused major outages during winter. In 2019 its campaigns were aimed especially at NATO members and European governments.

 

Britain’s 5G Network are under review due to Huawei’s involvement.
https://vednam.com/britains-5g-network-are-under-review-due-to-huaweis-involvement/
Thu, 28 May 2020 18:24:24 +0000

The National Cyber Security Centre said about Britain’s 5G network: “The team were looking at the case seriously.”

Security personnel have launched a review of Huawei’s involvement in Britain’s 5G network.

This comes after the recent announcement that America would place additional laws on the telecommunications departments. The UK Government also confirmed that the National Cyber Security Centre (NCSC) was working to find any impact on the UK’s network.

It also comes after a newspaper revealed that Boris Johnson is going to reduce Huawei’s involvement in Britain’s 5G network during the coronavirus outbreak.

The UK prime minister also announced that he would draw back the plans that would reduce the use of Chinese products in the UK’s infrastructure development.

The Government gave a hint to the companies whose product is used in UK’s infrastructure development to be used when it is necessary and basically UK’s don’t being treated as hostile by Russia and China’s product.

The Prime Minister said, “This is right to be concerned about buying the local technology and that will be better for our country, the main motive is to protect our technology base.”

According to the report, the main reason for putting Huawei under review is the UK’s decision to get the company out of the system.

In talking about Britain’s 5G network: “Huawei has been taken out of our system, we can no longer trust the company or vendor in a country that has an appalling record of theft. We don’t put our vital communications strategies in their hands.”

The UK Government doesn’t want to take risks and tie its communication network to an untrusted vendor.

A former cabinet minister warned previously that “If there is any reason to suspect that the intelligence-sharing relationship with the Five Eyes partners will be damaged, then that should automatically determine the government decision on the future of our 5G network.”

A spokesperson for the Government said:

“The security and resilience of our networks are of paramount importance.”

“The US also announced additional sanctions against Huawei.”
