Data Protection Archives | Vednam
https://vednam.com/tag/data-protection/
Latest News on Cyber Security, Hacking and Tech
Mon, 01 Jun 2020 14:34:06 +0000

70 Million Records Leaked from Aussie Football Site
https://vednam.com/70-million-records-leaked-from-aussie-football-site/
Mon, 01 Jun 2020 14:33:22 +0000

According to the source, an Australian football fan site has come under threat after around 70 million records were found to have been leaked. The leaked data reportedly included personal details and racist private messages, exposed via an unprotected Elasticsearch instance.

While investigating the data leak, we found that it amounted to around 132 GB of data linked to BigFooty.com, a website and mobile application dedicated to Aussie Rules Football with around 100,000 members.

Digging deeper, a security officer found that the leaked data does not contain only personal information. Some of the users are anonymous, and some of the private messages seen by the security officer contain email addresses, passwords, and usernames for the site and for live streams.

If an attacker has obtained your data from the database, they may have material useful for credential-stuffing attacks against other sites.

The user messages contain personal threats and racist content, which an attacker could use to blackmail the users involved.

The security officer said: “The private messages are fully exposed and it was leaked and you can’t trace back to the specific users. The leaked data contains high-profile users like an Australian police officer and government employees.”

The private information belonging to individuals may include chats and email addresses, which is enough for an attacker to blackmail high-profile or even ordinary users and damage their reputation.

On the technical side, it was also mentioned that the exposed site data includes IP addresses, server and OS information, GPS data, and access logs, which may allow attackers to compromise part of the IT infrastructure.

The leak was closed by the Australian Cyber Security Centre after a short period of time, and BigFooty did not respond after that.

The security officer has seen more incidents and leaks, at two popular money-saving websites and, perhaps most often, at adult live-streaming sites.

Middle East Government Hit by Chafer APT with Latest Cyber-Espionage Attack
https://vednam.com/middle-east-government-hits-by-chapher-apt-with-latest-cyber-espionage-attack/
Wed, 27 May 2020 09:05:02 +0000

Before you read the whole article, here is what you should know:

What is Chafer APT?

A few days ago, cyber experts found traces of new cybercrime campaigns by the group known as the Chafer advanced persistent threat (APT) group. This group has been active since 2014 and has carried out many cyber attacks in the Middle East. Its most recent recorded campaigns, in 2018 and 2019, targeted many organizations in Saudi Arabia and Kuwait.

The Whole Uncovered Story of the Attack:

According to cyber experts, this group has been active since 2014 but has recently targeted Middle East countries such as Saudi Arabia and Kuwait. The latest attacks, in 2018 and 2019, targeted several unnamed organizations based in Kuwait and Saudi Arabia. The campaigns used custom-built tools known as bevy as well as “living off the land” tactics.

“Living off the land” tools are features of the target environment that the attacker abuses to achieve persistence.

According to Bitdefender’s analysis, “Researchers have found threats conducted by this actor in the Middle East region back in 2018”. The campaigns were based on several tools, including “living off the land” tools, which make attribution difficult, as well as different hacking tools and a custom-built backdoor. The victims belong to the air transport and government sectors in the Middle East, and the whole attack is based on proper analysis.

The researchers worked out how many companies were affected in each country. They also say the data goes beyond what we expect and what we get from the analysis report.

[Image. Source: Bitdefender]

Let’s look at the campaign strategies:

According to the researchers, the methods behind the cyberattacks against companies in Kuwait and Saudi Arabia share some common traits. According to the source, the attacks on the victims in Kuwait were more sophisticated, as the attackers were able to move across the network. The researchers believe the attackers infected the victims using tainted documents containing shellcode, potentially sent via spear-phishing emails.

The attackers managed to create a user account on the victim’s machine and used it to perform several malicious actions inside the network. Some unusual behavior was performed under that account; basically, the attackers planned to make us believe that this account was doing it. Their plan was to keep us engaged at that point.

Once the attackers had access to the company’s server, they installed a backdoor (imjpuexa.exe) that ran as a service on that machine. They also carried out activities such as network scanning and credential gathering, which helped them move inside the network. They used a tool named CrackMapExec.exe, a multifunctional tool that performs network scanning, credential dumping, account discovery, and code injection.

They also used a custom tool, a version of the PLINK tool (named wehsvc.exe). PLINK is a command-line connection tool mostly used for automated operations. The custom tool preserves the original functionality and adds some key features, such as the ability to uninstall any service and to run as a Windows service.

The researchers said that the attack on victims in Saudi Arabia was not as elaborate, either because the attackers did not manage to exploit the victim or because they did not get information of interest.

According to the research team, “we believe initial compromise was achieved through social engineering and a RAT was loaded and executed twice in different name forms (Drivers.exe and driver_x64.exe).” The researchers said the user was tricked into running these applications.

[Image. Source: Bitdefender]

How is the RAT involved in the attacks?

The RAT is written in Python and converted into a standalone executable. It is similar to other RAT tools that security researchers have documented previously, but this time it was customized for this particular attack. It is not common for attackers to create and modify tools according to the victim; doing so requires a full analysis of that particular victim. They may change the way the RAT communicates with the C2 server, and they can add other features that were not necessary.

Different RAT components were used in different parts of the process. The first component (snmp.exe) works as a backdoor, and the second (imjpuexa.exe) is the one seen in the attacks on targets in Kuwait.

According to the source, the attackers used “living off the land” tools in both campaigns.

8 Billion Thai Internet Records Leaked!
https://vednam.com/8-billion-thai-internet-records-leaked/
Tue, 26 May 2020 06:04:55 +0000

According to the source, it started on 7 May, and it took a long time, until May 22, to secure the database. Cyber experts discovered an exposed Elasticsearch database while browsing BinaryEdge and Shodan. The leaked database appeared to be controlled by a Thailand-based mobile network operator known as Advanced Info Service (AIS).

Looking deeper, AIS is Thailand’s largest GSM mobile network, with almost “40.23 million customers” as of 2018. The database is maintained and controlled by its subsidiary Advanced Wireless Network (AWN). It contains a combination of DNS query logs and NetFlow logs for what appear to be AWN customers. Anyone who obtained all this data could easily build up a track of a user’s internet surfing. After this information came out, Thailand’s national CERT team (ThaiCERT) took action and contacted AIS, and the database was secured.

What is AWN?

According to the source, AWN is a provider of wired and wireless network services and telecommunication networks. According to its website, the company started in 2005. AWN is a subsidiary of Advanced Info Service (AIS).

AWN’s network connects directly with AIS, which has only upstream peers. When ThaiCERT contacted AIS about the exposed database, the database went offline.


When did that data leak start?

Based on the source’s account, the data was first hit on May 1 and then after May 7, 2020. There was not a single server left exposed on the internet without any authentication. AIS has been notified about the exposed database.

How Much Data Leaked?

Overall, there were 8.3 billion documents, which is around 4.7 terabytes of data. On May 21st, 2020, 8,336,189,132 documents were stored in the database, containing NetFlow data and DNS query logs. It turned out that the data was logged for only roughly 8 days, but why?

Why they stopped logging after 8 days is still an open question. The team’s perception is that they got more data than they intended to capture. Forensics indicate they logged roughly 2,538 DNS queries per second for that period of time.

What do they get from data?

A lot of information can be extracted by anyone who really goes through the documents and data. They would basically know every query you generated on the internet, and from that they could also learn your personal information.

Based on the DNS queries, it might be possible to identify a person’s whole data, because DNS logs capture information about the machine and its queries. For example:

  • An Android TV is connected to the internet.
  • Apple devices are connected to the internet.
  • Windows devices are in use, along with the software you use with cloud connectivity.
  • Antivirus is in use.
  • Even your social media accounts are used.
  • Your Google Chrome or other browser’s saved information and history can be read.

What is Encryption? How Does it Work?
https://vednam.com/what-is-encryption-how-does-it-work/
Mon, 25 May 2020 11:35:37 +0000

To talk about encryption, we first need to know how search engines work. When you use search engines like Google, Yahoo and Bing, they encrypt your search data and protect you (the user) from attackers. Google has tons of user data, but its main role is to protect your data from being hacked. Many websites use the SSL encryption method to protect data.

What is Encryption?

Encryption is a method of encoding data so that it can’t be read by third parties or cybercriminals. Encryption uses an algorithm to scramble, or encrypt, data and then uses the same methods in reverse order to unscramble, or decrypt, the information. The data you send starts as plain text; in between, search engines transform the plain text into ciphertext, send it to the receiving end, and decrypt it there back to the original.

The most basic forms of encryption work by switching letters. As cryptography becomes more advanced, more steps are added, using complex encryption systems that can change the algorithm features of a computer, and hence it really protects data against theft in cyberattacks.

How does it work?

Encryption uses algorithms that scramble the information. The scrambled data is transmitted to the receiving end, and the receiving end is able to decrypt it with a key. There are many methods, or algorithms, used to encrypt and decrypt data.

[Image: encryption methods]

How is the Encryption Key Generated?

The encryption key is usually generated with a random number generator or with computer algorithms that mimic random number generators. Another way that computers can create keys is by using the user’s mouse movements to create unique seeds. Modern systems that use forward secrecy generate a fresh key for every new session, which adds another layer of security.

Terms used when discussing encryption:

Algorithms: Also known as codes or ciphers, these are the procedures that the encryption process follows. There are many algorithms for managing encryption. Triple DES, RSA, and Blowfish are examples of encryption algorithms. The most effective solution depends on the encryption goals and the level of security.

Cipher: An algorithm used for encryption and decryption. It consists of steps that are followed as a procedure to encrypt information. There are mainly two types of cipher: block ciphers and stream ciphers.

Decryption: The process of switching unreadable or encrypted ciphertext to readable or plain text.

Cryptanalysis: The study of ciphers and cryptosystems to find weaknesses in them that would allow access to the information without knowing the key or algorithm.

Key: A random string of bits created specifically for scrambling and unscrambling data, that is, for encrypting and decrypting it. Each key is unique and is created via algorithms to make sure that it can’t be predicted. Longer keys are harder to predict and crack. The length of the key is 128 bits for symmetric-key algorithms and 2048 bits for public-key algorithms.

  • Public Key: The encryption key is published and available for anyone to use. The only way to read the message is with the decryption key, which is available only to the receiver.
  • Private Key: The private key is also known as the symmetric key; the encryption and decryption keys are the same. Both ends must have the same key before they can achieve secure communication.

Frequency Analysis: A method used to crack a cipher. Those who know the frequency of letters or groups of letters in a ciphertext will be able to decrypt it. The main point is that some letters occur more often than others, so the frequency of letters can reveal parts of an encrypted message. It is effective against old encryption methods but ineffective against modern encryption.

How do search engines encrypt and use data encryption methods?

Search engines use multiple encryption methods to ensure maximum security. When you are on a search engine, you are asking the website to search through SSL (Secure Sockets Layer), which is the best way for a website to deal with sensitive information such as financial and user information.

SSL encryption uses public and private keys together to create secure connections. Google and other search engines track user data and encrypt users’ information.

The best part is that users’ information is better protected because search engines like Google and others use temporary keys that expire for security purposes. That means if someone tries to access your information, your searches self-destruct.
