Android app malware Archives | Vednam
https://vednam.com/tag/android-app-malware/
Latest News on Cyber Security, Hacking and Tech
Last updated: Sun, 07 Jun 2020 07:17:46 +0000

Popular Cyber Security APIs for 2020 | What are benefits?
https://vednam.com/popular-cyber-security-apis-for-2020/
Sun, 07 Jun 2020 07:14:45 +0000

The post Popular Cyber Security APIs for 2020 | What are benefits ? appeared first on Vednam.

The latest technology has changed the world and the way every individual thinks, largely for good reasons. The most widely used programming interface is the Application Programming Interface (API), a standard way of extending and integrating software that lets online services share data.

APIs have changed how the digital world works: they power digital coins and payment wallets across e-commerce websites and social networks, and they are the best way to connect almost anything. The APIs below fall into two camps, red team and blue team, that serve the hardening work of the cybersecurity market.

Here are the best API services available on the cybersecurity market in 2020.

Google Safe Browsing API

Safe Browsing is Google’s highly respected cybersecurity program, which protects users from reaching phishing domains, deceptive sites, and web pages infected with malware.

With the Safe Browsing API you can automatically test pages against the Safe Browsing database and find out which type of threat affects a web page. This lets you detect a dangerous website and warn the user before they move to it, and it helps stop infected links from being shared within your own company.
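The following is an added example (not code from Google or from this site) of the check described above: it builds a threatMatches:find request for the public Safe Browsing Lookup API v4, sends it, and maps each queried URL to the threat types returned. The endpoint and request shape are the documented v4 Lookup API; the API key is assumed to be in the SAFE_BROWSING_API_KEY environment variable, and the sample response at the bottom is constructed so the parsing logic can be exercised offline.

```python
"""Look up URLs in Google Safe Browsing (Lookup API v4).

Added example for this post, not code from Google or Vednam. Assumes the
public v4 Lookup API endpoint (threatMatches:find) and an API key in the
SAFE_BROWSING_API_KEY environment variable. SAMPLE_RESPONSE below is
constructed sample data in the documented response shape, not real output.
"""
import json
import os
import urllib.request
from typing import Callable, Dict, List

LOOKUP_ENDPOINT = "https://safebrowsing.googleapis.com/v4/threatMatches:find"

# Threat categories the Lookup API can report for a URL.
THREAT_TYPES = ["MALWARE", "SOCIAL_ENGINEERING", "UNWANTED_SOFTWARE",
                "POTENTIALLY_HARMFUL_APPLICATION"]


def build_lookup_request(urls: List[str], client_id: str = "example-link-checker",
                         client_version: str = "1.0") -> dict:
    """Build the JSON body for threatMatches:find (the v4 Lookup API shape)."""
    return {
        "client": {"clientId": client_id, "clientVersion": client_version},
        "threatInfo": {
            "threatTypes": THREAT_TYPES,
            "platformTypes": ["ANY_PLATFORM"],
            "threatEntryTypes": ["URL"],
            "threatEntries": [{"url": u} for u in urls],
        },
    }


def parse_matches(response: dict, urls: List[str]) -> Dict[str, List[str]]:
    """Map every queried URL to the threat types reported for it.

    The API answers {} (no "matches" key) when nothing is flagged, so an empty
    list means "not currently in the Safe Browsing database", not "safe
    forever": each match carries a cacheDuration and verdicts change over time.
    """
    verdicts: Dict[str, List[str]] = {u: [] for u in urls}
    for match in response.get("matches", []):
        url = match.get("threat", {}).get("url")
        threat_type = match.get("threatType")
        if url in verdicts and threat_type and threat_type not in verdicts[url]:
            verdicts[url].append(threat_type)
    return verdicts


def http_post_json(body: dict) -> dict:
    """Real transport: POST the body to the Lookup API with the configured key."""
    key = os.environ["SAFE_BROWSING_API_KEY"]
    req = urllib.request.Request(
        f"{LOOKUP_ENDPOINT}?key={key}",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode() or "{}")


def check_urls(urls: List[str],
               post: Callable[[dict], dict] = http_post_json) -> Dict[str, List[str]]:
    """Look up URLs; `post` is injectable so the logic can be tested offline."""
    return parse_matches(post(build_lookup_request(urls)), urls)


# Constructed sample response in the Lookup API's documented shape (not real data).
SAMPLE_RESPONSE = {
    "matches": [
        {"threatType": "MALWARE", "platformType": "ANY_PLATFORM",
         "threatEntryType": "URL",
         "threat": {"url": "http://malware.example.test/"},
         "cacheDuration": "300s"},
        {"threatType": "SOCIAL_ENGINEERING", "platformType": "ANY_PLATFORM",
         "threatEntryType": "URL",
         "threat": {"url": "http://malware.example.test/"},
         "cacheDuration": "300s"},
    ]
}

if __name__ == "__main__":
    sample_urls = ["http://malware.example.test/", "https://example.com/"]
    # Offline run against the constructed response; drop `post=` to query the real API.
    for url, threats in check_urls(sample_urls, post=lambda body: SAMPLE_RESPONSE).items():
        print(url, "->", ", ".join(threats) or "no match")
```

In a link-sharing or mail-gateway integration, a non-empty list for a URL is the signal to block or warn; treat an empty list as "no current verdict" and honour the returned cacheDuration rather than caching the answer indefinitely.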

Features you get:

  • Proactive scanning and monitoring
  • The ability to check other sites’ URLs against the Quttera database
  • Hosted and run in the cloud
  • Full in-depth scan results
  • Integration via a REST API returning XML-, JSON- and YAML-based responses
  • Multithreading for faster scan speed

GreyNoise API

The mind behind GreyNoise, Andrew Morris, was interviewed a few days ago and discussed the whole insight. Security researchers as well as private and public entities use GreyNoise to analyze security-related data from the internet. The system Andrew developed himself can collect and analyze data from several scanners, including Shodan.io, along with its own network scanners placed in several data centers around the world.

Cloudflare API

When we talk about Cloudflare, the company has done a tremendous job, and it influences the cybersecurity sector because it has built a whole list of cybersecurity APIs. When you put Cloudflare in front of your server, it is basically a proxy-based service that lets you improve your company’s site performance and protects it from cyber attackers.

It secures your domain, DNS and SSL encryption, offers a VPN and a successful anti-DDoS solution, and concentrates on powerful high-end DNS and web application firewalls (WAF).

Features of Cloudflare APIs:

  • SSL management
  • Adjust the account security level
  • WAF rule configuration
  • Tweak anti-DDoS settings
  • DNS firewall management
  • Manage user accounts, roles, members, and subscribers
  • Set up custom filters

AlienVault API

This company is the most relied-on threat intelligence firm among security researchers. Its API service gives direct access to all critical threat intelligence from its Open Threat Exchange (OTX). You can use all the features you get in the online application.

The AlienVault OTX API is part of the AlienVault project; it lets you find threats in your environment using regularly updated threat indicators.

Features of AlienVault APIs:

  • Over 19 million threat indicators
  • DirectConnect SDKs (Python, Java, Go)
  • Support for DirectConnect agents
  • Support for old-fashioned HTTP API requests, such as using curl
  • Thousands of live API usage examples

Middle East Government hit by Chafer APT with latest Cyber-Espionage Attack
https://vednam.com/middle-east-government-hits-by-chapher-apt-with-latest-cyber-espionage-attack/
Wed, 27 May 2020 09:05:02 +0000

Before you read the whole article, let us tell you:

What is Chafer APT?

A few days ago, cyber experts found traces of new cybercrime campaigns by the group known as the Chafer advanced persistent threat (APT) group. The group has been active since 2014 and has carried out many Middle East cyber attacks. Its most recent recorded attacks, in 2018 and 2019, targeted many Saudi and Kuwaiti organizations.

The whole uncovered story of the attack:

According to cyber experts, the group has been active since 2014 but recently targeted Middle East countries such as Saudi Arabia and Kuwait. The latest attacks, in 2018 and 2019, targeted several unnamed organizations based in Kuwait and Saudi Arabia. The campaigns used a bevy of custom-built tools as well as “living off the land” tactics.

“Living off the land” tools are features of the target environment itself that the cyber attacker abuses to achieve persistence.

According to Bitdefender’s analysis, “Researchers have found threats conducted by this actor in the Middle East region back in 2018.” The campaigns relied on several tools, including “living off the land” tools, which makes attribution difficult, along with different hacking tools and a custom-built backdoor. The attackers’ victims were in the air transport and government sectors in the Middle East; the whole account of the attack is based on proper analysis.

The researchers are still at work finding out how many companies are affected in each country. They also say the data is more than expected, and more than what the analysis report shows.

Image: Middle East Government hit by Chafer APT with latest Cyber-Espionage Attack (Source: Bitdefender)

Let’s look at the campaign strategies:

The cyberattacks against companies in Kuwait and Saudi Arabia follow some of the same tracks, the researchers say. According to the source, the attacks on the victims in Kuwait were more sophisticated, as the cybercriminals were able to move laterally on the network. The researchers believe the attackers infected the victims by sending documents containing shellcode, potentially via spear-phishing emails.

The attackers managed to create a user account on the victim’s machine and performed several malicious actions inside the network using the account they had created. That was unusual behavior for an account of that kind; basically the attackers wanted us to believe the activity was normal, and their plan was to engage us at that point.

Once the attackers had access inside the company’s server, they installed a backdoor (imjpuexa.exe) that behaved like a service on that machine but was actually the attackers’ backdoor. The attackers also carried out several exercises, such as network scanning and credential gathering, that helped them move inside the network. They used a tool named CrackMapExec.exe, which is multifunctional: network scanning, credential dumping, account discovery, and code injection.

They also used a custom tool based on PLINK (known as wehsvc.exe). PLINK is a command-line connection tool mostly used for automated operations. In this campaign the tool preserves PLINK’s original functionality with some added key features, such as the ability to uninstall any service and to run as a Windows service.

The researchers said that the attack on victims in Saudi Arabia was not as elaborate, because the attackers did not manage to exploit the victims or did not get information of interest.

According to the research team, “we believe the initial compromise was achieved through social engineering and a RAT was loaded and executed twice under different names (Drivers.exe and driver_x64.exe).” The researchers said the user was tricked into running these applications.

Image: Middle East Government hit by Chafer APT with latest Cyber-Espionage Attack (Source: Bitdefender)

How is the RAT involved in the attacks?

The RAT is written in Python and converted into a standalone executable. It is similar to other RAT tools that security researchers have documented previously, but this time it was customized for the particular attack. It is not common for a cyber attacker to create and modify a tool according to the victim’s environment; it requires a whole analysis of that particular victim. They may change the way the RAT communicates with the C2 (command-and-control) server, and they can add features that were not otherwise necessary.

Different RAT components were used in different processes. The first component (snmp.exe) works as a backdoor, and the second (imjpuexa.exe) is the one seen in the targeted attacks in Kuwait.

As the source says, the cyber attackers used “living off the land” tools in both campaigns.

Android bug: Strandhogg 2.0 Steals User Sensitive Data
https://vednam.com/android-bug-strandhogg-2-0-steals-user-sensitive-data/
Wed, 27 May 2020 04:18:23 +0000

Researchers have found a major vulnerability in every version of Android that lets a malicious app pretend to be a legitimate app in order to steal the user’s personal information, such as passwords and other data.

The vulnerability, named Strandhogg 2.0 (after the Norse term for a hostile takeover), affects Android versions similar to version 9.0 or later.

According to the Norwegian security firm Promon, it is the “evil twin” of the earlier bug of the same name. The two vulnerabilities were discovered six months apart.

How does Strandhogg 2.0 trick users?

Strandhogg 2.0 works by tricking victims into believing they are using the right app; the user then enters their password into the malicious app, unaware of what the app does next. The app can also hijack other apps’ permissions to steal sensitive user data like photos and contacts and to track the victim’s real-time geolocation.

As the founder and chief technology officer at Promon said, “The bug is more dangerous than its predecessor because it’s undetectable.”

What is the good news?

The Promon chief said, “There is no evidence that a cyber attacker has used the bug in recent active hacking campaigns.”

What is the fear about this bug?

There is no good way to detect the attack. The biggest fear is that the bug could still be abused by cyber attackers in the future: a hacker could easily access all of your phone’s data without you being aware of it.

Promon declined to share more details until Google had fixed this “Critical”-rated vulnerability.

Image: Android bug, Strandhogg 2.0 steals user data (Source: Yahoo Finance)

A spokesperson from Google said, “The company saw no evidence of active exploitation, and we appreciate the work of the researchers. We released the patch for this vulnerability. Google Play Protect, an app-screening service built into Android devices, blocks apps that exploit the Strandhogg 2.0 vulnerability.”


How does Strandhogg 2.0 work?

It works by abusing Android’s multitasking system, which keeps track of recently opened apps so the user can switch back and forth between them. The victim first has to download a malicious app, disguised to look like a normal app, that exploits the Strandhogg 2.0 vulnerability. Once it is installed, as soon as the victim opens a legitimate app, the malicious app quickly hijacks it and injects its own content, showing a fake login window.

When the victim enters their password into the fake overlay, the password is stolen and saved to the hacker’s server. After that the real app appears, as if the login had been genuine.

Worse, Strandhogg 2.0 does not need any Android permission of its own to run, and it can also hijack the permissions of apps that have access to the victim’s data, such as contacts, photos, and messages.

Once such a permission is granted, the malware poses a highly dangerous risk.

Once the permission is granted, the malware can upload entire text-message conversations, which also lets the hacker defeat two-factor authentication protection.


How do you get out of it?

If you do not install the latest Android security update, you leave your personal data open to theft and open a gate for Strandhogg 2.0. The new Google security update fixes this vulnerability.

WolfRAT Malware Affects Android Apps, Targets Messenger Apps
https://vednam.com/wolfrat-malwae-affacts-android-apps-target-mesanger-apps/
Sun, 24 May 2020 12:05:00 +0000

Android users are always targeted by attackers. A new malware, WolfRAT, has surfaced online that targets the messenger apps on your Android phone, including social media apps like Facebook Messenger and WhatsApp.

Messenger Apps of Android are targeted by WolfRAT Malware

The Cisco Talos Intelligence team found this Android malware in the wild. It especially targets the messenger apps on Android phones; the most popular messengers these days are Facebook Messenger, WhatsApp, and Line.

According to the details the researchers shared on their blog, this malware is loosely based on the leaked DenDroid malware. From time to time it seems to have gone through improvement stages to better target users: the code has been improved over time, but the old code blocks and classes are still inside the Android package.

How?

First, the malware targets messaging and chat apps on Android. Data is stolen by taking screenshots of the chats whenever those apps are open; like most new malware of this kind, it exploits the Android Accessibility Suite to access data. The screenshots are then uploaded to the malware’s C2 server.

The malware reaches devices through fake, malicious updates delivered to the targeted devices, using tricks that mimic Google services to get the malware installed on the victim’s machine.

If it fails, what next?

The malware starts its main service if all the requested permissions and device admin privileges are granted. If not, it launches an ACTION_APPLICATION_SETTINGS intent as plan B to get the user to grant the permissions.

Which country is affected right now?

According to the researchers and news reports, it is currently active in Thailand. The researchers think WolfRAT is still active, even though the organization behind it declared it inactive.

At present the malware is actively targeting Android users in Thailand. The threat actors have released their code and packages on open-source platforms. After tracing the roots of this malware, we consider that it is capable of data theft on a large scale and will be a big threat in the future.

ESET Website under DDoS Attack by Malicious Android App
https://vednam.com/eset-website-under-ddos-attack-by-malicious-android-app/
Sun, 24 May 2020 04:57:54 +0000

For the last few months the Android Play Store has been in the news because of various malicious apps. This time no user was harmed, but the website of the security firm ESET became the target of a DDoS attack.

DDoS attack on ESET

According to the sources, ESET researcher Lukas revealed details about an Android app that was used to target the ESET website with DDoS attacks.

The app appeared as “Updates for Android”, which looked like a new update. The main thing is that it was linked with a website, i-updater.com, which was really fascinating. It seemed harmless, and that may have brought it thousands of downloads.

According to ESET’s analysis, the malicious app had a built-in ability to load and execute malicious JavaScript on the target device. This did not actually happen when it first appeared online in late 2019; hence it slipped past the Google Play Store’s security checks.

What did it really do?

As a result, it turned the devices of all its users into a “botnet”. The interesting part is that it displayed ads on the devices, which helped hide the app’s icon, and meanwhile the app started downloading malicious JavaScript from the attacker’s server to run on the users’ devices.

However, the ability to execute JavaScript is what the attackers used to wage the DDoS attack.

“The DDoS attack starts with the compromised machines receiving a command to load the vulnerable script that specifies the targeted domain. When the script is loaded, the machine starts making requests to the targeted domain.”

All of this went on until the requests reached the ESET website, where the ESET team detected the source behind the attack.

Taking down the app

After finding the threat, the ESET team got in touch with Google, who eventually removed the app from the Play Store. The researchers also checked the website i-updater.com, which remained up because it was not itself malicious. When the team checked, the website appeared as a blank page: the site had been fully cleaned, with no traces of the threat or the malicious script.

The conclusion was that the attacker may have gone underground to rebuild the site in a new form.
