Gathering Hosts:

This tool simply iterates over hosts on port 443 and 80 and runs a PoC to test if they are vulnerable to RCE. You can use Shodan to gather potential targets:

shodan download vbullet-443 'html:"vbulletin" port:443'
shodan parse vbullet-443.json.gz --fields ip_str > vbullet-443
shodan download vbullet-80 'html:"vbulletin" port:80'
shodan parse vbullet-80.json.gz --fields ip_str > vbullet-80

By default I provide both host files with 1k hosts each for those of you without a Shodan API key!

Iran’s government-backed hackers are trying to infect US military veterans with malware with the help of a malicious website, researchers from security firm Cisco Talos reported on Tuesday.

The website, located at hiremilitaryheroes[.]com, offers a fake desktop app for download, in the hopes that US military veterans would download and install it, presumably to gain access to job offerings.

But Cisco Talos researchers say the app only installs malware on users’ systems and shows an error message, indicating that the installation failed.


Behind the scenes, the malware continues to operate on victims’ computers, gathering information about the system’s technical specs, and sending the data to an attacker-controlled Gmail inbox.

The data the malware collects includes information on the system, the patch level, the number of processors, the network configuration, the hardware, firmware versions, the domain controller, the name of the admin, the account list, date, time, drivers, etc.

“This is a significant amount of information relating to a machine and makes the attacker well-prepared to carry out additional attacks,” said Warren Mercer, Paul Rascagneres, and Jungsoo An, the three Cisco Talos researchers who analyzed the malware.

But besides a data gathering component, the malware also installs a remote access trojan (RAT), a type of malware that can grant attackers access over an infected system.

According to the Cisco Talos report, the RAT component can run files downloaded from the internet, execute shell commands, and remove itself from a host’s computer, if needed.


In light of these, the hackers’ overall modus operandi appears to be to use the fake military veteran hiring website to infect victims and then select which target they want to go after and download additional payloads.

In an interview on deep background with ZDNet — because he was not authorized to speak on the record for the agency — a DHS cybersecurity analyst said that attackers are clearly going after military networks.

“The hackers are not targeting veterans, but rather soon-to-be veterans,” he said. “They’re targeting active servicemen looking for jobs for when their service ends.

“They [the hackers] are hoping that one of their targets would use a DOD system to download and run the malware,” he added. “Chances are low, but it’s worth a shot.

“Pretty clever approach, if I can say so.”


Cisco Talos said it didn’t have any details about the methods hackers were using to spread links to this website, and trick victims into installing the malware. It may also be that researchers caught this site before it was actively spammed to veterans.

The Talos team also linked this campaign to the work of a recently discovered state-sponsored hacking group named Tortoiseshell, believed to be operating under the protection of the Iranian government.

Little is known about this group, whose operations only recently came to the forefront, following the publication of a Symantec report last week.

According to Symantec, the group has been previously seen engaged in supply-chain attacks on 11 IT providers based in Saudi Arabia. It is believed that the purpose of these attacks was to use these 11 companies’ infrastructures to drop malware on the networks of their respective customers.

More details about this group’s operations will likely surface in the next months. Fellow cyber-security vendor CrowdStrike tracks this group under a different name of Imperial Kitten, per this spreadsheet that aggregates data on all nation-state hacking operations.

In February 2019, US officials formally charged a former US Air Force intelligence agent with treason after she fled to Iran in 2013 and later worked to help Iran’s government hacking crews to target and hack former Air Force colleagues.

Exclusive: Another dating app fails to secure production server and puts users at risk.

Online dating app Heyyo has made the same mistake that thousands of companies have made before it — namely, it left a server exposed on the internet without a password.

This leaky server, an Elasticsearch instance, exposed the personal details, images, location data, phone numbers, and dating preferences for nearly 72,000 users, believed to be the app’s entire userbase.

The leaky server was brought to ZDNet’s attention last week by security researchers from WizCase, who asked us to help investigate this security incident. After we verified the data’s authenticity by contacting some of the users whose phone numbers were included in the database, we reached out to Heyyo to notify the company of the leak.

The Istanbul-based software company behind the app failed to respond to our inquiry for nearly a week, and the leaky server was only taken down today, after ZDNet reached out yesterday to Turkey’s Computer Emergency Response Team (CERT).


During the time it took us to secure the server, Heyyo’s backend leaked some of the most sensitive type of information online. The breadth of the leaked information is staggering, to say the least. Except for private messages, all other Heyyo user data was available on the company’s Elasticsearch server. This included the likes of:

  • Names
  • Phone numbers
  • Email addresses
  • Dates of birth
  • Gender
  • Height
  • Profile pictures and other images
  • Facebook IDs for users who linked their profiles
  • Instagram IDs for users who linked their profiles
  • Longitude and latitude
  • Who liked a user’s profile
  • Liked profiles
  • Disliked profiles
  • Superliked profiles
  • Blocked profiles
  • Dating preferences
  • Registration and last active date
  • Smartphone details


During the time we looked at the database, it also became clear that the server was a live production system and not an older server used for tests or storing backups.

The number of registered users grew from 71,769 to 71,921 in the time we looked at the data. We also registered a test account, and we saw it appear on the server within seconds.

The presence of this information online, accessible in a database without a password, is a danger for all of the app’s users.

To show how intrusive the leak could be, we performed a simple test. We took the details of three random users, and in a few minutes, using Google search queries and simple OSINT (open-source intelligence) scripts downloaded from GitHub, we easily tracked down and linked the three users to their real-life identities, LinkedIn profiles, social media accounts, and even posts they made on niche internet forums.

Since we’re talking about a dating website, this type of information could be used for stalking or extorting users with information about their dating life and habits. This is not a hypothetical scenario. These types of extortion campaigns have happened in the past, especially after the Ashley Madison data breach.

Currently, it is unclear if any malicious third parties have also spotted Heyyo’s leaky server besides the WizCase crew, so we don’t know if anyone else might have downloaded all this information. Only an investigation from Heyyo’s staff could confirm if this data has fallen into the wrong hands, and if users are in any danger.

Heyyo now joins a long list of online dating services that have failed to secure servers. The list includes Ashley Madison, Jack’d, Grindr, Romeo, Recon, 3Fun, HaveAFling, HaveAnAffair, HookUpDating, and Luscious.
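
A configuration check for the failure described in this article, an Elasticsearch REST API reachable from the network with no authentication. This is an added example, not code from ZDNet, WizCase or Heyyo; the sample configs are constructed, only flat `key: value` lines are parsed, and a missing `xpack.security.enabled` is assumed to mean "off" (the default before Elasticsearch 8.0).

```python
import ipaddress

# Constructed sample configs (not taken from the article).
WEAK = """\
cluster.name: prod-users
network.host: 0.0.0.0
http.port: 9200
"""
HARDENED = """\
cluster.name: prod-users
network.host: 10.0.0.5
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""


def parse_flat_yaml(text):
    """Read 'dotted.key: value' lines. Nested YAML is not handled (assumption)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def is_loopback(host):
    if host.lower() in ("localhost", "_local_"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # hostnames, _site_, _global_: assume reachable from elsewhere


def bind_hosts(settings):
    # http.host, when set, overrides network.host for the REST API.
    value = settings.get("http.host") or settings.get("network.host") or "_local_"
    return [h.strip().strip("\"'") for h in value.strip("[]").split(",") if h.strip()]


def audit(text):
    s = parse_flat_yaml(text)
    exposed = [h for h in bind_hosts(s) if not is_loopback(h)]
    # Assumption: a missing key means "off", the default before Elasticsearch 8.0.
    auth = s.get("xpack.security.enabled", "false").lower() == "true"
    tls = s.get("xpack.security.http.ssl.enabled", "false").lower() == "true"
    findings = []
    if exposed and not auth:
        findings.append("CRITICAL: REST API on %s accepts unauthenticated requests" % ", ".join(exposed))
    elif exposed and not tls:
        findings.append("WARN: authentication on, but credentials cross the network without TLS")
    elif not auth:
        findings.append("WARN: authentication off; only the loopback binding protects the data")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or "no findings")
```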

A repository for the CSRF vulnerabilities found in LayerBB 1.1.3 with a proof of concept.


Packet Storm


Proof of Concepts:

Ever wanted to combine the individual CSRF POCs in Burp into a single HTML? Or ever wished that Burp generated CSRF POCs combining two or more requests? Look no further!

Multi-step CSRF POC extension for Burp combines two or more requests into a single HTML POC. This extension also gives you an option to generate the multi-step POC using form-based, XHR or jQuery based HTML.

Getting Started

Installing the extension

  • Download Jython standalone JAR into a directory.
  • Select this directory in Burp suite’s “Java Environment” which can be reached from “Extender” -> “Options”.
  • Download the latest release from releases and load it into Burp by going to “Extender” -> “Extensions” -> click “Add” and select the downloaded extension JAR file.

Using the extension

Generating a new multi-step CSRF POC

  • Once loaded, select a few requests in Burp’s “HTTP history” tab.
  • Right-click and select “Multi-Step CSRF POC” -> “Generate new Multi-Step CSRF POC”.

Adding to existing CSRF POC

  • Make sure an existing Multi-step CSRF POC window is open.
  • Select one or more requests in Burp’s “HTTP history” tab.
  • Right-click and select “Multi-Step CSRF POC” -> “Add to existing POC” and select the POC window to which the new request(s) should be added.

Other Features

The extension supports:

  • reordering the requests in CSRF POC window.
  • modifying the requests in the Multi-step CSRF POC window and regenerating HTML.
  • removing added requests.
  • copying the generated HTML code to clipboard.
  • displaying exceptions in the bottom-most text area, with stack traces for the exceptions shown in the “Errors” tab for the extension.

For full details check:


Basic info

This tool helps automate discovering someone’s phone number by abusing password reset design weaknesses and publicly available data. It supports 3 main functions:

  • “scrape” – scrapes websites for phone number digits by initiating password reset using the target’s email address
  • “generate” – creates a list of valid phone numbers based on the country’s Phone Numbering Plan publicly available information
  • “bruteforce” – iterates over a list of phone numbers and initiates password reset on different websites to obtain associated masked emails and correlate it to the victim’s one


email2phonenumber was developed on Python 2.x

You will need a couple of third-party libraries: BeautifulSoup and requests. These can be easily installed with pip:

pip install beautifulsoup4 requests


Scrape websites for phone number digits

python scrape -e

Generate a dictionary of valid phone numbers based on a phone number mask

python generate -m 555XXX1234 -o /tmp/dic.txt

Find target’s phone number by resetting passwords on websites that do not alert the target using a phone number mask and proxies to avoid captchas and other abuse protections

python bruteforce -m 555XXX1234 -e -p /tmp/proxies.txt -q

OSS Vulnerability Scanner for Windows Platform

DetExploit is software that detects vulnerable applications and important OS updates that are not installed on the system, and notifies the user about them.

As we know, most cyberattacks use vulnerabilities that were released a year before.

I thought this is a huge problem, and this kind of technology should be more powerful than technology that detects unknown malware or exploits.

Also, this project is my theme for the Mitou Jr project in Japan.

I wish and work hard to make this a huge OSS (Open Source Software) project, to help today’s society.


How to run

An executable build is not available now.
It is planned to be available in the stable release.

# Install requirements
C:\path\to\DetExploit>pip install -r requirements.txt
# Move to src directory
C:\path\to\DetExploit>cd src
# Run CUI version using python (PATH needs to be configured if not.)
# Run GUI version using python (PATH needs to be configured if not.)

Supported Database

Cross Site “Scripter” (aka XSSer) is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications.

It provides several options to try to bypass certain filters and various special techniques for code injection.

XSSer has pre-installed [ > 1300 XSS ] attacking vectors and can bypass-exploit code on several browsers/WAFs:

 [Imperva]: Imperva Incapsula WAF
 [WebKnight]: WebKnight WAF
 [F5]: F5 Big IP WAF
 [Barracuda]: Barracuda WAF
 [ModSec]: Mod-Security
 [QuickDF]: QuickDefense
 [Chrome]: Google Chrome
 [IE]: Internet Explorer
 [FF]: Mozilla's Gecko rendering engine, used by Firefox/Iceweasel
 [NS-IE]: Netscape in IE rendering engine mode
 [NS-G]: Netscape in the Gecko rendering engine mode
 [Opera]: Opera 


XSSer runs on many platforms. It requires Python and the following libraries:

  python-pycurl - Python bindings to libcurl
  python-xmlbuilder - create xml/(x)html files - Python 2.x
  python-beautifulsoup - error-tolerant HTML parser for Python
  python-geoip - Python bindings for the GeoIP IP-to-country resolver library

On Debian-based systems (ex: Ubuntu), run:

  sudo apt-get install python-pycurl python-xmlbuilder python-beautifulsoup python-geoip

On other systems such as: Kali, Ubuntu, ArchLinux, ParrotSec, Fedora, etc… also run:

  pip install geoip 

Source libs:

It’s not a Patch Tuesday, but Microsoft is rolling out emergency out-of-band security patches for two new vulnerabilities, one of which is a critical Internet Explorer zero-day that cyber criminals are actively exploiting in the wild.

Discovered by Clément Lecigne of Google’s Threat Analysis Group and tracked as CVE-2019-1367, the IE zero-day is a remote code execution vulnerability in the way Microsoft’s scripting engine handles objects in memory in Internet Explorer.

The vulnerability is a memory-corruption issue that could allow a remote attacker to hijack a Windows PC just by convincing the user to view a specially crafted, booby-trapped web page hosted online, when using Internet Explorer.

“An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system,” Microsoft says in its advisory.

The vulnerability affects Internet Explorer versions 9, 10, 11, and though users should always deploy updates for every installed software when available, it is highly recommended to use an alternative, more secure web browser like Google Chrome or Mozilla Firefox.

Microsoft said this vulnerability is being actively exploited in the wild by attackers but did not reveal any further details about the exploit campaign.

Google recently also detected a widespread iPhone hacking campaign that indiscriminately targeted users for over two years, but Apple accused the tech company of creating a false impression of “mass exploitation.”

Microsoft also released a second out-of-band security update to patch a denial-of-service (DoS) vulnerability in Microsoft Defender, an anti-malware engine that ships with Windows 8 and later versions of Windows operating system.

Discovered by Charalampos Billinis of F-Secure and Wenxu Wu of Tencent Security Lab and tracked as CVE-2019-1255, the vulnerability resides in the way Microsoft Defender handles files and exists in Microsoft Malware Protection Engine versions up to 1.1.16300.1.

According to an advisory published by Microsoft, an attacker could exploit this vulnerability “to prevent legitimate accounts from executing legitimate system binaries,” but in order to exploit this flaw, the attacker would “first require execution on the victim system.”

The security update for Microsoft Defender is automatic, and therefore will be applied automatically through the Microsoft Malware Protection Engine within the next 48 hours. The flaw has been addressed in the Microsoft Malware Protection Engine version 1.1.16400.2.

Since both security updates are part of Microsoft’s emergency updates, and one of them even addresses a flaw being exploited in the wild right now, users are advised to deploy them as soon as possible.
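
To confirm that the automatic Defender engine update actually landed, the two version numbers quoted above can be applied to a host inventory. This is an added example, not code from Microsoft or the article; the inventory rows are constructed, and the engine version is assumed to have been exported per host (for example from the `AMEngineVersion` field of `Get-MpComputerStatus`). Versions that fall between the two stated numbers are reported as unconfirmed, because the article does not say which side they fall on.

```python
import re

AFFECTED_UP_TO = (1, 1, 16300, 1)  # article: affected "up to 1.1.16300.1"
FIXED_IN = (1, 1, 16400, 2)        # article: addressed in 1.1.16400.2

# Constructed sample inventory: hostname,engine_version
SAMPLE_INVENTORY = """\
# hostname,AMEngineVersion
ws-001,1.1.16300.1
ws-002,1.1.16400.2
ws-003,1.1.9700.0
ws-004,1.1.16400.1
ws-005,1.1.16500.1
ws-006,unknown
""".splitlines()


def parse_version(text):
    """Turn '1.1.16300.1' into (1, 1, 16300, 1); return None if malformed."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){3}", text, flags=re.ASCII):
        return None
    return tuple(int(part) for part in text.split("."))


def classify(version_text):
    version = parse_version(version_text)
    if version is None:
        return "unparseable"
    # Compare as integer tuples: as strings, "9700" would sort after "16300".
    if version <= AFFECTED_UP_TO:
        return "vulnerable"
    if version >= FIXED_IN:
        return "patched"
    return "unconfirmed"  # between the two versions the article names


def triage(inventory_lines):
    """Group hosts by status. Each row is 'hostname,engine_version'."""
    report = {}
    for line in inventory_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        report.setdefault(classify(version), []).append(host.strip())
    return {status: sorted(hosts) for status, hosts in report.items()}


if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(status, hosts)
```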

A team of Canadian cybersecurity researchers has uncovered a sophisticated and targeted mobile hacking campaign that is targeting high-profile members of various Tibetan groups with one-click exploits for iOS and Android devices.

Dubbed Poison Carp by University of Toronto’s Citizen Lab, the hacking group behind this campaign sent tailored malicious web links to its targets over WhatsApp, which, when opened, exploited web browser and privilege escalation vulnerabilities to install spyware on iOS and Android devices stealthily.

“Between November 2018 and May 2019, senior members of Tibetan groups received malicious links in individually tailored WhatsApp text exchanges with operators posing as NGO workers, journalists, and other fake personas,” the researchers say.

What’s more? The researchers said they found “technical overlaps” of Poison Carp with two recently discovered campaigns against the Uyghur community in China—the iPhone hacking campaign reported by experts at Google and the Evil Eye campaign published by Volexity last month.

Based on the similarities of the three campaigns, researchers believed that the Chinese government sponsors the Poison Carp group.

The Poison Carp campaign uses a total of 8 distinct Android browser exploits to install a previously undocumented, fully featured Android spyware called MOONSHINE, and one iOS exploit chain to stealthily install iOS spyware on users’ devices, none of which were zero-days.

“Four of the MOONSHINE exploits are clearly copied from working exploit code posted by security researchers on bug trackers or GitHub pages,” the report says.

Researchers observed a total of 17 intrusion attempts against Tibetan targets that were made over that period, 12 of which contained links to the iOS exploit.

Once installed, the malicious implant allows attackers to:

  • gain full control of victims’ devices,
  • exfiltrate data including text messages, contacts, call logs, and location data,
  • access the device’s camera and microphone,
  • exfiltrate private data from Viber, Telegram, Gmail, Twitter, and WhatsApp,
  • download and install additional malicious plugins.

Besides this, researchers also observed a malicious OAuth application that the same group of attackers used to gain access to its victims’ Gmail accounts by redirecting them to a decoy page designed to convince them that the app served a legitimate purpose.

The victims targeted by the Poison Carp hackers between November 2018 and May 2019 include the Private Office of Tibetan Buddhist leader the Dalai Lama, the Central Tibetan Administration, the Tibetan Parliament, Tibetan human rights groups, and individuals holding senior positions in their respective organizations.

Though this is not the first attempt to target the Tibetan government, the researchers say the new Poison Carp campaign is “the first documented case of one-click mobile exploits used to target Tibetan groups.”

“It represents a significant escalation in social engineering tactics and technical sophistication compared to what we typically have observed being used against the Tibetan community,” the report reads.

After the disclosure of the iPhone hacking campaign, Apple released a statement last month confirming that the iOS campaign targeted the Uyghur community and saying that the company patched the vulnerabilities in question in February this year.

Since none of the iOS and Android vulnerabilities exploited in the campaign is a zero-day, users are strongly advised to always keep their mobile devices up to date to avoid becoming a victim of such attacks.