Last week we released an advisory for a vulnerability discovered in the RiskNet Acquirer application. This software is a fraud management solution developed to protect major financial institutions including banks and payment processors.
RiskNet Acquirer is what we often refer to as a "thick client": a desktop application that talks to exposed web services, which in turn interact with a database on the backend. The communication with the web services used transport layer encryption, so capturing it on the wire would show only ciphertext. We used a tool called Echo Mirage to hook the application's network calls and see exactly what was sent and received "under the hood", that is, in plaintext before it entered the encrypted tunnel, and to get a general picture of how the pieces fit together.
During a recent investigation, SpiderLabs was presented with evidence that appeared to be contradictory. Evidence from firewall logs and remediation actions taken by the client did not tally with the evidence collected from the compromised system. This blog post discusses how SpiderLabs investigators analysed the systems to reconcile the two.
I recently performed an internal penetration test where the NTDS.dit file got me thousands of password hashes. After compromising unpatched Microsoft Windows computers on the client’s domain, I gained access to a number of domain accounts. Below I’ll explain how I did it.
The client had two domain controllers, one Windows Server 2003 and one Windows Server 2008. One of the domain accounts obtained via other means (not described in this post) had rights to log on locally on both domain controllers.
It's time again for another TrustKeeper Scan Engine update. This release contains over 30 new tests for vulnerabilities in Cisco ASA/IOS, JIRA, jQuery, Microsoft Windows, Oracle Database/MySQL, and more. This release also contains default credential checks for both WordPress and Cisco ASA SSL VPN (aka: AnyConnect).
Enhancements to the top-level operating system detection logic are also included in this release, which now takes much more service-level information into account. A special thanks goes out to the Critical.IO project for the availability of their Internet scan data sets, which were of great use when making these improvements.
As always, this release contains improvements to existing vulnerability tests and their associated evidence to better aid in verification and remediation efforts.
This week's episode of SpiderLabs Radio hosted by Space Rogue is brought to you by Trustwave SpiderLabs and features stories about Stuxnet on ISS, Facebook scans for Adobe, MacRumours, SEA hits Vice, bitcash.cz, Cracked gets cracked, Loyaltybuild, No Nukes in JP, OWASP AppSec USA, SRs Last SLR and more!
Will you be at the OWASP Foundation’s AppSec USA event next week in New York City? If so, be sure to stop by our booth, number one, for a chance to win a Pebble Smartwatch.
And don’t miss presentations by some of SpiderLabs’ own builders, breakers and/or defenders discussing their own unique insights into application security:
Most of us thought this would be an easy month with only eight bulletins to deal with and only three listed as critical. Unfortunately, there is evidence of one vulnerability mentioned in those bulletins being actively exploited in the wild and a second zero-day, which isn't even covered in this month's bulletins, being used by bad guys.
What has become known as the TIFF zero-day detailed in Security Advisory 2896666 was not patched this month. Microsoft released a Fix it to help mitigate this actively exploited vulnerability. An actual patch for it will be out as soon as it is ready and will probably be an out-of-band patch that will come out well before December's Patch Tuesday.
The second zero-day was found just days ago, and it is also being actively exploited in the wild. However in this case Microsoft was able to include a full patch in this month's batch of bulletins. You can read about it as MS13-090 down below.
This week's episode of SpiderLabs Radio hosted by Space Rogue is brought to you by Trustwave SpiderLabs and features stories about MS 0-day, Millions in bitcoins lost via inputs.io, CorporateCarOnline, Bug Bounties for everyone, Add five to the Cyber Most Wanted, Adobe breach grows again, NSA and cyber split?, healthcare.gov DDoS, Australia and Indonesia FIGHT!, LA Cyber and more!
Matthew Jakubowski (@jaku) contributed to the writing of this blog post.
This post is part two of a three-part series (read the first part here). Parts one and two detail the malware aspects of our hack with contributions from myself, Matt Jakubowski and Daniel Chechik. In part three, our colleague Garret Picchioni will publish more technical details about the onsite and wireless portions of the attack.
To summarize part one: we wrote some platform-independent malware and, after a couple of hiccups, installed it on Adam’s wife’s machine and were waiting for our connection to her machine to come back. Eventually, late that night, we once again received a connection to her machine, which is where our story continues.