May 18, 2017

Things to know about WannaCry

The goal of this notification is to try to give meaningful and concise answers for the popular #WannaCry attack

1-) What is WannaCry (WCRY)? How does it possibly harm my infrastructure?

In April 2017, a hacker group called “TheShadowBrokers” leaked National Security Agency’s (NSA) hacking toolkit FUZZBUNCH, which included many working exploit techniques one of which is called EternalBlue. 

When EnternalBlue is used with DOUBLEPULSAR payload, which is also included in the toolkit, against a target system, it resulted complete ownage by running commands on the target system with Administrator rights through the SMB service. The Microsoft Windows operating system weakness that EternalBlue abuses was patched with MS17-010 (CVE-2017-0144), however, it was also started to be used by a ransomware called WannaCry.

In short, when WannaCry ransom-ware spreads on an internal network, it scans the whole network to find machines that hasn’t been MS17-010 patched. When it finds one, it infects that machine, encrypts the files, asks for money to decrypt and moves on infecting other machines; rinse and repeat.

May 3, 2017

Phishing Domain Detection with Machine Learning

What is Phishing?

Phishing is a form of fraud in which the attacker tries to learn sensitive information such as login credentials or account information by sending as a reputable entity or person in email or other communication channels.
Typically a victim receives a message that appears to have been sent by a known contact or organization. The message contains malicious software targeting the user's computer or has links to direct victims to malicious websites in order to trick them into divulging personal and financial information, such as passwords, account IDs or credit card details.
Phishing is popular between attackers, since it is easier to trick someone into clicking a malicious link which seems legitimate than trying to break through a computer’s defense systems. The malicious links within the body of the message are designed to make it appear that they go to the spoofed organization using that organization’s logos and other legitimate contents.

Apr 24, 2017

How Companies Are Hacked via Malicious Javascript Code?

JavaScript is dangerous. Maybe you’ve heard this sentence several times before. Actually, being dangerous or not dangerous is true under different circumstances. JavaScript can be dangerous if the proper precautions aren’t taken. It can be used to view or steal personal data even you don’t realize what’s going on. And since JavaScript is so ubiquitous across the web, we’re all vulnerable.
JavaScript is good for the most part, but it just happens to be so flexible and so powerful that keeping it under control can be difficult. It all end up with how JavaScript actually works.

Apr 17, 2017

Deep Web and Black Market


The deep web, invisible web, or hidden web are parts of the World Wide Web whose contents are not indexed by standard search engines for any reason. The opposite term to the deep web is the surface web.
What is inside the deep web? Let's take a look at the figure below.

Apr 11, 2017

What is the biggest threat of stolen accounts?

There are more than 4 billion hacked emails/passwords available on the internet and underground forums. So, how attackers use hacked emails & passwords for malicious purposes?
NormShield searches the internet from many sources for whether there is leaked e-mail of your employees or not.
In the simplest form, email list of employees can be used for phishing attack or to brute-force to login forms. The phishing email will typically direct the user to visit a website where they are asked to update personal information, such as a password, credit card number, social security number, or bank account credentials, that the legitimate organization already has. This type of attack can reveal information about employees which have little awareness. The disclosed information may be personal information or may be information which has high importance for the company. These types of attacks are widely used today.

Apr 3, 2017

Domain Shadowing

What is Domain Shadowing?
C:\Users\FST-NS\AppData\Local\Microsoft\Windows\INetCacheContent.Word\domain-management-services.jpgThe concept of domain shadowing has first appeared in 2011, and domain shadowing attack is defined as the creating new subdomains to intervene in traffic flow by attackers.
Domain shadowing is the process of creating subdomains by domain owners using credentials. Subdomains are created for legitimate domains. For cyber criminals, domain shadowing is creating  thousands of subdomains by generally capturing user information with phishing.
The number of uniquely produced domains may be almost unlimited, because many users have multiple domains. Thus, it’s shown as a way to prevent classical detection methods like IP or websites blocking.
C:\Users\FST-NS\AppData\Local\Microsoft\Windows\INetCacheContent.Word\godaddy-accounts-compromised.jpgAnother IP blocking and blacklist detection escape method is fast-flux. This technique quickly converts a domain or DNS entry to a wide IP address list. When domain shadowing is utilized, subdomains associated with a single domain are rotated.
Based on recent data, one-third of the perceived 10,000 fake subdomains were linked to GoDaddy. This indicates that GoDaddy users are at risk.

Mar 27, 2017

How Companies are Hacked via Basic CMS Vulnerabilities

What is CMS?

CMS (Content Management Systems) is a computer application that supports the creation and modification of digital content [1]. Basically, we use it for website management and preparation. Over time, many organizations have developed their own custom CMS software. With the increase of these software, in 1995, CNET developed the idea that the market of this system could be established by agreement with Vignette in order to develop its own CMS system. In the process, the concept of Content Management System has become a sector and has continued to thrive[1][2].

Content Management System (CMS) is a valid umbrella definition for all of the systems that covers all systems where dynamic content management is a requirement. Moreover, there are many open source or commercial tools implemented that can be classified as CMSs. Some of the popular CMS applications can be listed as; WordPress, Joomla, Drupal, Magento, PHP Nuke, Post Nuke, Mambo Server, DCP portal, Xoops etc [3]. These applications have different characteristics within themselves. For example, WordPress uses the PHP programming language while DotNetNuke uses .NET technology.