data theft Archives | Vednam
https://vednam.com/tag/data-theft/
Latest News on Cyber Security, Hacking and Tech
Wed, 01 Jul 2020 08:10:02 +0000

CIA failed to protect the Top-secret hacking tools : Report
https://vednam.com/cia-failed-to-protect-the-top-secret-hacking-tools-report/
Wed, 17 Jun 2020 12:00:56 +0000

According to the reports, the CIA was compromised and lost at least 180 gigabytes and as much as 34 terabytes of data, equivalent to 11.6 million to 2.2 million Microsoft Word pages according to the analysis.

The whole story

The theft of top-secret computer hacking tools from the CIA in 2016 was the result of a work culture in which the agency's computer hackers “prioritized building cyber weapons at the expense of securing their own systems”, as an internal report mentioned by Mike Pompeo put it.

The breach was committed by a CIA employee and was discovered only a year after it happened, when WikiLeaks published the information in March 2017. US officials called it the biggest unauthorized disclosure of classified information in the CIA's history. The agency shut down some of its intelligence operations, and the leak alerted foreign adversaries to the agency's techniques.

The October 2017 report by the CIA's WikiLeaks task force, several pages of which are missing or redacted, portrays an agency more concerned with bulking up its cyber arsenal than with keeping those tools secure. Security procedures were “woefully lax” in the special unit that designed and built the tools.

The task force noted that it could not determine the size of the breach because the CIA hacking team did not require monitoring of who used its network, but it concluded that the employee had stolen as much as 34 terabytes of information, around 2.2 billion pages.

The CIA press secretary declined to comment on the report but said: “CIA works to incorporate best-in-class technologies to keep ahead of and defend against ever-evolving threats.”

The hacking tools were developed by the CIA's Center for Cyber Intelligence, where the agency's most sophisticated hackers gain access to hard-to-penetrate networks, for instance by secretly activating the camera and microphone on a foreign target's tablet, or by stealing the design plans of a foreign adversary's advanced weapons systems.

Those employees worked under constant pressure to find vulnerabilities in commercial software and other technologies, as a former senior intelligence official said.

The CIA hackers' ability to “audit” the network, that is, to know who was logged in and to watch what they were doing, was believed to be better and more detailed than it actually was.

According to the report, the entire computer network was maintained by contractors, and there was a misunderstanding between the people who ran the unit and the people who ran and maintained the network.

 

For suggestions please comment in the comment section.

Nworm : New TrickBot malware updates
https://vednam.com/nworm-new-trickbot-malware-updates/
Tue, 02 Jun 2020 12:04:55 +0000

Cyber attackers using the TrickBot malware have updated it with a new propagation module named “nworm”. People in the cyber field know the TrickBot malware and are familiar with its impact. As sources say, this time it is a new propagation module.

After hearing about the new propagation module you might wonder what is new in it. This malware has the same functionality as general malware in that it steals sensitive information, which can provide backdoor access that is later used by several cyber attacker groups to distribute different malware.

It was first discovered in 2016 according to circulating news, but it may have appeared earlier without the machine's security system detecting it well. The program basically runs in the background and starts by accessing data and current activities.

[Image: Nworm : New TrickBot malware updates. Source: Gbhacker]

Once this malware enters your machine, it gradually starts downloading various modules to perform different malicious tasks, first on the machine and then across the entire network.

How do TrickBot modules spread?

The TrickBot modules are specially developed to steal sensitive data and then perform different malicious infections. It is totally different from other malware in how it spreads and in the activities it performs in the background, because it uses a different binary for each particular task it performs.

The first thing TrickBot does is save a malicious Windows executable file on the hard drive, known as the “TrickBot Loader”.

Let's take Windows 7 and 10 as examples, because lots of users are very familiar with them.

On Windows 7, users can see artifacts of the associated modules saved on disk, but on Windows 10 the TrickBot modules can only be found in system memory.

You may have heard of some of the ransomware cases in the last year; as sources say, TrickBot and ransomware operators have joined hands and work together to compromise the network so that the ransomware can complete its work.

The research also mentioned: “The artifacts which we discuss in the Windows 7 point are encrypted binaries, and later during the operation the encrypted TrickBot gets decrypted and operates wholly in memory as TrickBot.”

How are the modules used by TrickBot?

  • tab module
  • mworm module
  • mshare module

The chart below shows how the modules exploit SMB vulnerabilities to reach the domain controller. The whole chart shows the flow and spread of the TrickBot modules.

[Image: Nworm : New TrickBot malware updates. Source: Gbhacker]

Finally, the “mworm” module is no longer used and everyone is using “nworm”. The worm module activates the infection and spreads in the memory of the domain controller, which is more complex and remains undetectable, executing in the background without any issue.

[Image: Nworm : New TrickBot malware updates. Source: Gbhacker]

In 2020, TrickBot was introduced with the new “nworm” propagation module and stopped using the “mworm” module in the same environment.

An important point: like “mworm”, the new “nworm” module does not appear unless the TrickBot infection is in an Active Directory (AD) environment with a domain controller (DC).

 

If you have any suggestion let me know in the comment box. Thank you!!

Joomla Data Breach around 2,700 users were affected
https://vednam.com/joomla-data-breach-users-were-affected/
Tue, 02 Jun 2020 08:52:59 +0000

Joomla is a popular, free, open-source content management system used for publishing web content. A few days ago, the Joomla team disclosed a data breach of the CMS.

This happened in the same way as the BHIM payment breach: a member of the team left an unencrypted backup of the JRD website in an unsecured Amazon Web Services S3 bucket.

The company mentioned that the data of around 2,700 or more users has been accessed, also affecting the joomla.org website.

Impact On Joomla

The good news is that the company confirmed that no financial or sensitive data was exposed in the breach. Joomla's internal team is tracing the attacker's footprints for the incident.

The backup contained the following:

  • Full name
  • Business address
  • Company URL
  • Nature of the business
  • IP address
  • Business email address
  • Business phone number
  • Encrypted credentials (hashed)
  • Newsletter subscription preferences

The company's statement said: “Most of the data was public, since users submitted their data with the intention of being part of a public directory. Private data was also included in the breach.”

The audit also specified that these attacks were carried out through a superuser account, which has since been removed and disabled.

The company also mentioned that no third party had authority to access the database; even so, it prompts users to reset their passwords immediately if the same password is used elsewhere, since it could be used for unauthorized logins.

Lastly, the company apologized for the issue and committed to providing the best security infrastructure for the community.

The Joomla team is taking responsibility for the data breach and reassures its users not to worry about the attack, saying it will work out the best data protection system to help protect user data in the future.

70 Million records Leaked from Aussie Football Site
https://vednam.com/70-million-records-leaked-from-aussie-football-site/
Mon, 01 Jun 2020 14:33:22 +0000

According to the source, an Australian football fan site has been under threat and around 70 million records were found to have been leaked. It was also mentioned that the leaked data included personal details and racist private messages, exposed via an unprotected Elasticsearch instance.

On investigating the data leak, it was found to be around 132 GB of data linked to BigFooty.com, a website and mobile application made mainly for Aussie Rules Football, with around 100,000 members.

Going deeper into the investigation, a security officer found that the leaked data contained not only personal information. Some of the users were anonymous, and some people's private messages seen by the security officer contained email addresses, passwords and usernames for the site and for the live streams.

If a cyber attacker obtains your data from the database, they may have useful material for credential stuffing attacks against other sites.

The user messages were found to contain personal threats and racist content, which a cyber attacker could use to blackmail those users.

The security officer said: “The private messages are fully exposed and leaked, and you can't trace them back to the specific users. The leaked data contains high-profile users like an Australian police officer and government employees.”

The private information belonging to individuals may include chats and email addresses, which is enough for a cyber attacker to blackmail and damage the reputation of high-profile or even ordinary users.

In technical terms, it was also mentioned that the exposure included IP addresses, server and OS information, GPS data, and access logs that may allow hackers to compromise part of the IT infrastructure.

The leak was closed by the Australian Cyber Security Centre after a short period of time, and BigFooty did not respond after that.

The security office has seen more accidents and leaks at two popular money-saving websites, and most of the time it happens with adult live-streaming sites.

Kaspersky Lab : NSA contractor Victimizes the PC
https://vednam.com/kaspersky-lab-nsa-contractor-victimizes-the-pc/
Sat, 30 May 2020 10:59:02 +0000

Later, a report came from Kaspersky Lab on the suspected theft by Russian spies of an NSA hacking tool from an NSA contractor's laptop, which was condemned by the US media.

The Moscow-headquartered vendor has been in a difficult position with companies for the past few months. Reports from the Washington Post and the Wall Street Journal basically claimed that the product may have been used by Russian intelligence to harvest data from PCs.

The New York Times had another story in the past month: “the Kaspersky Lab software was compromised by Kremlin hackers and used as a tool.” After that, the federal bureau banned all the products.

Kaspersky Lab denied the media's claims and released a statement: “The media is circulating older incidents that happened in 2015.”

Now questions arise about the NSA team member who took all the classified data, and first of all how they were able to disable the Kaspersky Lab software when it detected new versions of APT malware associated with the US spy agency.

Let’s Go Deep 

The story does not end here. Regarding the detection of the malware: the user downloaded and installed pirated software on his machine, which is illegal according to cyber law, but he did it anyway. Every pirated software package carries a keygen to crack the activation, but the keygen also opens a backdoor for a cyber attacker to enter the machine.

Kaspersky claims: “If malware or a keygen runs on a system with Kaspersky security enabled, it is not possible that the software will not detect it. To run the keygen you first need to disable Kaspersky security. The third-party access makes the user's machine open a backdoor and gives the attacker an open path.”


When the same user re-enabled the Kaspersky Lab software, it detected the new malicious code, which was sent to the vendor's servers for analysis. When the analyst found the suspected malicious source code, the archive was deleted from the systems and was not shared with any third party.

The company also claimed that no further detections were received from the user in 2015 and that no other incident occurred after that date, except “Duqu 2.0”.

Kaspersky Lab software never created any detection method for non-malicious documents based on keywords like “top secret” and “classified”.

The main point is still doubtful: Kaspersky claimed that the incident happened in 2014, while most other reports claimed it happened in 2015.

After all this, Kaspersky Lab has put in effort to prove it is clean. The company decided to launch the Global Transparency Initiative, under which it plans to offer its source code for independent third-party review.

Data Breach : 600+ data of NTT Telecom customer are stolen
https://vednam.com/data-breach-data-ntt-telecom-customer-stolen/
Sat, 30 May 2020 04:04:11 +0000

One of the largest telecom and IT services companies has revealed that attackers may have stolen data from its internal systems, affecting around 600 customers.

NTT is mainly based on communication and telecom services. The company also provides cloud, network, and data center services to the biggest companies in the world.

The parent company, NTT Group, is ranked among the top 100 companies in the world.

On Thursday, the company stated that it had detected an unauthorized attack on its Active Directory services.

According to the official statement, when the team researched the attack they found that the hackers used a diversion to carry out the data breach. The hackers first compromised a cloud server (Server B) located in the Singapore data center; from there they found a path to attack an internal server (Server A), the admin user database handler server known as the Active Directory (AD) server.

The attackers did not stop there: they finally compromised the information management server (Server C), which is used for NTT's cloud and hosting customers.

Server C was the attackers' main target; it is where they breached and stole the data of 621 customers.

NTT released a press note on its Global Threat Intelligence Report, which mentioned that the technology sector was the most attacked sector worldwide in 2019. It also said that cyber attackers are using multi-function attack tools that include artificial intelligence/machine learning capabilities, and use automation techniques to increase the chance of successful attacks to 21%.

NTT customer data was stolen in May, and the case clearly shows how a compromised server was used to move inside the company network.

If all the above-claimed statements are right, then all telecom companies have to worry before attackers become active on their networks. Companies need to find the core security backdoors and minimize attacks on user data.

8 billion Thai internet records leaked !
https://vednam.com/8-billion-thai-internet-records-leaked/
Tue, 26 May 2020 06:04:55 +0000

According to the source, it started on 7 May and it took until May 22 to secure the database. Cyber experts discovered an exposed Elasticsearch database while browsing BinaryEdge and Shodan. The leaked database appeared to be under the control of a Thailand-based mobile network operator known as Advanced Info Service (AIS).

Digging deeper, AIS is Thailand's largest GSM mobile network, with almost “40.23 million customers” as of 2018. The database is maintained and controlled by its subsidiary Advanced Wireless Network (AWN). It contained a combination of DNS query logs and NetFlow logs that appear to belong to AWN customers. Anyone holding all this data could easily build a record of a user's internet surfing. Once this information came out, the Thailand national CERT team (ThaiCERT) went into action, contacted AIS and secured the database.

 

What is AWN?

According to the source, AWN is a provider of wired and wireless network services and a telecommunication network provider. According to its website, the company started in 2005. AWN is a subsidiary of Advanced Info Service (AIS).

AWN's network connects directly to AIS, which is its only upstream peer. When ThaiCERT contacted AIS about the exposed database, the database went offline.

 

[Image: 8 billion Thai internet records leaked!]

When did that data leak start?

Based on the source story, the data was first hit on May 1 and then again after May 7, 2020. Not a single server was left exposed on the internet without any authentication. AIS has been notified about the exposed database.

How Much Data Leaked?

Overall there were 8.3 billion documents, around 4.7 terabytes of data. On May 21, 2020, 8,336,189,132 documents were stored in the database, and the data consisted of NetFlow data and DNS query logs. When they found it, it had been logging for only 8 days. But why?

 

Why they stopped logging after 8 days is still an open question. The team's perception is that they got more data than they intended to capture. Forensics says roughly 2,538 DNS queries per second were logged for that period of time.

What do they get from data?

A lot of information can come out if someone really follows the documents and data. They basically know every query you generated on the internet, and from that they are also able to learn your personal information.

Based on the DNS queries it may be possible to identify a person's whole profile, because the DNS logs capture information about the machine and its queries. For example, they can tell:

  • whether you use an Android TV connected to the internet
  • whether you use Apple devices connected to the internet
  • whether you use Windows devices, and which cloud-connected software you use
  • which antivirus you use
  • even which social media accounts you use
  • what your Google Chrome or other browser saved information and history reveal
