Tuesday 22 June 2021

OSINT - Green Pass & dati personali

 


Il Presidente del Consiglio, Mario Draghi, il 17 giugno 2021, ha firmato il Decreto che definisce le modalitĂ  di rilascio delle Certificazioni verdi digitali COVID-19 che faciliteranno la partecipazione ad eventi pubblici, l’accesso alle strutture sanitarie assistenziali (RSA) e gli spostamenti sul territorio nazionale. 
Con la firma del Dpcm si realizzano le condizioni per l’operativitĂ  del Regolamento Ue sul “Green Pass”, che a partire dal prossimo 1° luglio garantirĂ  la piena interoperabilitĂ  delle certificazioni digitali di tutti i Paesi dell’Unione. In tal modo, sarĂ  assicurata la piena libertĂ  di movimento sul territorio dell’Unione a tutti coloro che avranno un certificato nazionale valido.

Qualche giorno dopo la firma, i cittadini italiani hanno iniziato a ricevere un SMS da parte del Ministero della Saluti con il quale venivano informati della disponibilitĂ  della Certificazione Verde Covid-19 (noto anche come Green Pass).

Come riportato all'interno dell'SMS, è possibile scaricare il Pass collegandosi al sito del Governo Italiano relativo al Digital Green Certificate (dgc.gov.it) e utilizzando l'AUTHCODE riportato nell'SMS oppure lo si può trovare all'interno dell'App IO o Immuni.

Sull'onda di questa entusiasmante notizia, nonchè spinti dall'ormai pervasiva voglia di condivisione che ci contraddistingue, tantissimi cittadini italiani hanno iniziato a condividere sui social la notizia relativa alla ricezione del Green Pass. Qualcuno è andato ben oltre, pensando fosse utile, oltre ad informare conoscenti e non di aver ricevuto il Green Pass, condividere lo il QR Code ricevuto.


Questa bellissima opera d'arte realizzata riempiendo il riquadro con quadratini di colore nero e spazi bianchi "collocati a caso" (non è proprio così ma ho pensato fosse simpatico raccontarlo in questo modo), oltre ad avere il suo perchè a livello di estetico, contiene importanti informazioni sulla nostra persona.

Qualcuno potrebbe obiettare che solamente le autorità hanno gli strumenti per leggere il contenuto di questo magnifico disegno digitale. Purtroppo, per vostra sfortuna non è così!

Il progetto è stato sviluppato a livello europeo e l’Italia, come altre nazioni europee, lo ha adattato alle proprie esigenze.


Pertanto l'App VerificaC19 e si esclusivamente italiana ma deriva dall’app europea EU Digital COVID Certificate Verifier App. Quanto detto vale anche per la parte server che deve "leggere ed interpretare" il significato dei quadratini neri e degli spazi bianchi.

Il codice sorgente dell'algortimo che consente di leggere le informazioni contenuti all'interno di questo QR Code è opensource e pubblicamente disponibile sul repositori GitHub del Governo Italiano (https://github.com/ministero-salute).


L'App VerificaC19 Ă¨ disponibile gratuitamente sullo store di Google ed Apple, ma il singolo cittadino non ha alcun vantaggio ad utilizzarla. 


Come sopra dimostrato, facendo ricerche sui social network mirate ad individuare immagini contenenti QR Code riferiti ai Green Pass, sono state recuperate divere foto.

Ho utilizzato una delle immagini pubblicate per valutare i dati personali che è possibile estrarre dal QR Code.  




Le informazioni fornite dall'App VerificaC19 dopo aver scansionato il QR Core, sono abbastanza poche. Come possiamo vedere, vengono riportati solamente dati essenziali, validitĂ  o meno del certificato, Nome e Cognome del soggetto e Data di Nascita.


Come detto in precedenza, ogni nazione europea basandosi sul progetto comunitario ha sviluppato la propria App, definendo le informazioni contenute nel QR Code da visualizzare quando questo viene scansionato.

Tra quelle presenti negli store, alcune di queste permettono di estrarre informazioni molto piĂą dettagliate sul contenuto del QR Code di quanto faccia l'App italiana VerificaC19.


Per concludere, visto quanto fin qui riportato e dimostrato, diventa superfluo ribadire che pubblicando il QR Code del vostro GeenPass mette a rischio i vostri dati personali. Chiunque capace di operare nel campo OSINT - Open Source Intelligence e SOCMINT - Social Media Intelligence potrĂ  raccogliere e usare le vostre informazioni personali a suo piacimento. 


Fate attenzione a cosa pubblicate! I vostri dati personali sono importanti!!



Tuesday 11 September 2018

Microsoft Power Query…The Hacker’s Power


Microsoft has been introducing useful innovations in Office suite, making it easier to use, providing a better "user-experience" and trying to make this product increasingly open to various data sources.
Let's talk about Microsoft Power Query feature. This add-in for Microsoft Excel helps to improve business intelligence experience in self-service mode, simplifying collaboration, discovery and access to data from a wide range of sources, OData, Web, Hadoop and more[1].
Importing data from a web page in a tabular way has never been so simple (see Microsoft example[2]). Furthermore, it is possible to save and / or export the query within a specific file having the extension “.iqy”.

In order to offer the chance to better understand what we are talking about, the image on the left shows the icon of the file containing the query of the data will be imported and in the right image the contents of the file.


Cyber ​​Criminals have been able to exploit this feature for them self and using these files as attachment to Phishing emails.
What has been said is the most up-to-date I can be and to support this I am quoting the Palo Alto analysis[3], about the new threat actor group "darkhydrus" that targeted middle east government.
In July 2018 Cyber ​​Threat Intelligence Team of Palo Alto, known as the  “Unit 42”, nalyzed a cyber attack where its peculiarity is hidden behind the use of a particular type of file attached to spear-phishing emails. Inside a password-protected RAR archives there was a Microsoft Power Query file (.iqy).

To demonstrate how is easy for an attacker to exploit this Microsoft's feature, a simulation will be made, rebuilding an attack that using Microsoft Power Query files.

The image below is a reconstruction of how a phishing mail would present itself to the recipients.

Double click on the file it will run Microsoft Excel.


An alert will inform the user of a potential security issue.


This kind of alert may seem unusual, also for a newbie user.
Attackers always know how to improve their capabilities, so they have come up with a new way to create documents that do not suspect users and that an analysis of security systems are legal, even if they conceal malicious artifacts to download and run fraudulent content.

Microsoft offers the opportunity to save files in Excel format that contain within them the web query, and therefore the content of the ".iqy" file. 


Attackers understood that this way will make the documents attached to the mail much more credible than before.

ATTACK SIMULATION
In order to demonstrate the potentiality of this attack, a small script was created to execute the calculator, saved in a ".dat" file. Finally, this file was uploaded to a remote server and the path was imported into an Excel file via Microsoft Power Query.

Below is an excerpt of the query contained in the "iqy" file in case it is exported from the Excel file.

As you can see from the image below, the email is quite credible. The attached Excel file, in turn, has no fraudulent content because the URL contained within it is a component of the Microsoft Power Query feature.

A reconstruction of how the phishing mail is presented to the recipients.

When opening the "test.xlsx" file, a security warning will be displayed to inform the user that the file has disabled content.
This could trigger an alarm bell for the user. Cyber criminals know that users may notice that this is an evil email, for this reason in targeted phishing campaigns, emails "mimics" to come from a colleague's mail box or external entities with whom the target has a frequent business relationship.
In this case the victim will be more inclined to underestimate the alert displayed and to enable the content.


The image above shows how the file looks after its execution. It is useful to point out to the reader that the excel sheet to the view does not present anything that could make one think of fraudulent contents hidden inside it.
The text  “#RIF!”, located inside cell A1,  in some way could lure the user to think that the empty sheet and the text string  “#RIF!” Is a problem caused by the deactivated contents.
In the following image we can see that, by enabling the contents, a second alert signals to the user that another application will be executed.


By clicking on the "Yes" button, the attack take place and the calculator will be started on the victim system.


In order to demonstrate the pervasiveness that this attack may have, the script created previously has been published on pastebin, then the same procedure was followed, including the URL of the "paste", using Microsoft Power Query into an Excel file.

Above is an excerpt of the query contained in the "iqy" file in case it is exported from the Excel file.

The result was not good! The script has been read and calc.exe application has been executed.




Further tests were done by publishing the same script inside HTML web page and into a blog, the result was the same.
The content of the scripts was read and executed by Microsoft Power Query.
It should be noted that while sites like pastebin may be blocked by corporate URL filtering systems, other sites, having a high reputation, are not and therefore the risk of an infection starts to rise.

The most effective system to prevent cyber attacks remain awareness and information sharing. The user is the weak link in the chain, the one who, if he has had a training based on a structured awareness program, could block an intrusion by identifying those that are the newest and most refined social engineering techniques.

We need to train employees and managers in order to make them conscious and aware about all emails coming from outside.



[1] https://support.office.com/it-it/article/introduzione-a-microsoft-power-query-per-excel-6e92e2f4-2079-4e1f-bad5-89f6269cd605
[2] https://support.office.com/it-it/article/connettersi-a-una-pagina-web-power-query-b2725d67-c9e8-43e6-a590-c0a175bd64d8
[3] https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/

Monday 14 May 2018

The Magic Mirror Project



This story started one year ago, when I went to MakerFair in Rome, an event created bt Make magazine to celebrate arts, crafts, engineering, science projects and the Do-It-Yourself (DIY) mindset.

There, my eyes has been catched by the Magic Mirror, a mix between a mirror and a computer. I asked a lot of information regarding the object and I remember I thought: "I want to build one of this by myself"

During my way home was impossible for me to forgot that object. Arrived at home I switched on my computer and I started to googling how to build it. I was very busy at those time, so I read a lot and stored everything in my mind in order to use this information in the future.

At the end of the last year I went back to my open projects and I decided to complete it.

First of all I jot down in a paper every component i needed.

  • 1 Raspberry Pi 3
  • 1 Monitor HDMI, LCD or Led between 15 and 19 inc.
  • 1 Magic Mirror Software (to develop)
  • 1 Plexiglas tails
  • Mirror's film
  • ...and something useful to use like a minor

I made some research and at the end I decided to use Android as OS because I am very able to develop apps for this environment, so everything would have been faster.

So, I found a good custom Android ROM and I installed it in the Raspberry Pi 3.


I decided which features I'd like to have in my Magic Mirror and I started developing and Android's App for my Magic Mirror.

I decided, as base, to have the time, date, icon weather and relative temperature degrees. Then I decided to add a services to have the daily news.

In the meantime looked for a HDMI monitor that could fit well with my goal.
I found and bougth it and when I finished Magic Mirror app has been the time to test it.


The result looks like pretty good.
The next step was to dismantle the monitor's plastic cover in order to kepp only the panel.
I did it and then I measured its size in order to buy the plexiglass sheet.



I found a plexiglas sheet bigger than I need, so I have to cut the it.
But this task has not been the most difficult part...the hardest has been to apply the mirror's film in the best way as possible.

Of course, I have not been able to do the best job ever and as you can see there are some little bubbles.
The next step has been to fix the plexiglas with the monitor and this has been very easy thanks to the film cut longer than the need.

At the end this is the result! Me and my girlfriend mirrored into the Migic Mirro! :)



The last step was to have a suitable and beautiful frame for the Magic...and voilĂ  the frame!!


There you can see the back of the Magic Mirror, with the monitor, its switch, the Raspberry and part of the cables.








At the end, this is my Magic Mirror!


Next steps? Integrate it with a microphone, a speaker and Google Assistant!


Friday 12 January 2018

, , , , , , , ,

DDE Attack


In the recent weeks we are more and more often reading news that talks about attacks that exploit DDE technology, Botnets that exploit the DDE attack, Ransomware that are distributed via DDE attack and so on.
Well, this is the right time to clarify this technology and this new attack way.

Let's start from the basics, what is DDE?
DDE, which stands for Dynamic Data Exchange, it is an interprocess communication system (IPC) introduced for the first time in 1987 with Windows 2.0.
This technology and its functionality have been largely supplanted by OLE - Object Linking and Embedding. However, DDE is still used due to its simplicity.

Like macros, DDE is a legitimate feature of Microsoft Office and allows to share a set of data between applications. For example, you could create a Word document linked to an Excel document so that the data in the first one will be updated automatically whenever are you changing Excel spreadsheet data.

In which way this attack is bring out?
Performing a DDE attack is very simple. Just add the string {DDEAUTO} to call the DDE feature, , in the text of a Microsoft Word document, followed by the command you want to run, all within the braces.

Can it be used only in Office documents?
No, not only Microsoft Office documents.
This attack can also pull off via Outlook, by sending an email, an email or an appointment, known as "calendar" in company jargon.


Now we are going to create a formatted content using Microsoft Outlook's "Rich Text Format" (RTF) and insert the malicious code inside it and save it as email. Next step will be to attach this one to the email we'd like to send, write a a title and a text to attracting victim's attention and push it to open it.


What can you do with this attack?

In which DDE attack would be used:

  • to send a computer in Denial Of Service (DOS) by running countless instances of a specific software until the available resources are saturated;
  • running software or scripts that could give full control of the computer to the attacker;
  • download malware to use to exfiltrate data.


How to recognize fraudulent content?
When you are opening the file, a warning message is showed to you. It is warning yo that the file has an external contents and asks for confirmation to continue.


If your chiose has been "YES", a new message will be displayed asking if you want to run a specified application. The in example below the command / application quoted is "cmd.exe".


However, it should be noted that the information concerning the execution of the command can be hidden or omitted by editing the syntax of the malicious code.

How to defend yourself?
When the warning message realated external contents has popped out, clicking "No" block the attack attempted.


You can also defend yourself better by changind setting and display all messages in text format.
However, this workaround involves the deactivation of all formatting, colors and images from all incoming e-mails and consequently some contents could not be rendered.

Why this new attack?
Cyber criminals are starting to use DDE technology because it is different from macro and because they are always looking for new ways to mislead the victim.
For years we are witnessing attacks based on the macro but fortunately you can disable this technology and therefore prevent malicious content from being automatically performed when the file is opened.
This new way, though it has some limits dictated by the interaction with the user, could lead an untrained or careless person to think that it is an error that occurred due some file's errors.
In the last weeks this new attack way has grown exponentially thanks to the fact that you do not have to send attached to the email documents of Microsoft Office or PDF, but just attach another email or a "calendar".


Please note, this article was created in the end of October 2017, but only at this time I have been able to publish it.

Thursday 22 June 2017

, , , , , , , ,

Coin Miner Attacks using Image File


I am here to tell about the "story of an image"...

Well, let's gooooooooo!!

Watching the picture below, what you can tel about it? Is it a simple image?


...and in the following picture?

YES!! They are the same picture, the first one is what you can see when you open it. The second one, is what you can see if you open it using for example a simple text editor.

Today I want to tell you about a malware that I discovered during my activity as researcher, malware hunter and malware Analyst.
It uses an image (JPG file) with embed a shellcode in order to infect the Linux System.



Shellcode Analysis:

Image reported above show part of image coded file and embedded shellcode in clear text.

Second line, command "crontab", is a time-based job scheduler in Unix-like computer operating systems.

"Crontab" option "-r" is present only in some Linux distro like Debian, Centos and Redhat. I can image that this malware is focused to Linux distro quoted above.


Third line of shellcode get seconds and transform them in days from 1970, then store them in a variable named"days". 
Sum the value 983 to "days" variable and assign this value to variable named"days2".
Then "days" variable will have the first 10 elements of MD5's digest of  "days2" .

Into shellcode's snippet reported below it is listing processes and concatenate other commands like xargs and awk.
The last one searches files that have text that match the pattern, when a line or text matches, awk performs a specific action on that line/text. In this case concatenating "print $2", it return the second item (proces' ID) and then kill it.

Using command "pkill -f", shellcode kills processes which matches the pattern for any part of the command line

This shellcode's snippet is used to kill any others miner that had infected the machine, in order to be the only one to use it.

"DoMiner" function using Curl command download into "tmp" folder a file image JPG named "car-498167.jpg" from website  "imagehousing[dot]com" and rename this image with "days" variable's value.

Then skips the first 2931 byte and save it again.
After this task file's permission is changed with execution privileges and in the end it use "nohup" command line-utility which allows to run command/process or shell script that can continue running in the background after you logout from a shell.
Sleep and then remove everyone file with name "days" and "daybefore".


NOTE: No part of source code file named "daybefore.jpg" has been created. Only a variable was created using this name.
Why put this shellcode line? Are there typographical error?

Carry on downloading image file "car-498167.jpg" using browser. It looks like the first one.

A quick analysis shows that it doesn't contains evil shellcode or evil artifacts, but I discovered a very interesting information.


As you can read, it is packed with UPX packer, version 3.91. 

I create a bash script in order execute it in debug mode, download image and skip 2931 byte as wrote into source code.

Below you can see my bash script and its result in terms of files.

Note: "12days" and "13days" are names that personally I decided to appoint to this images.

Above you can see both file, the first one (the image file) and the second one (executable file) that is the first one without 2931 bytes. Below you can take a look to the files size.

I used UPX packer to unpack ELF file. Below is reported a screenshot that contains details (format, compression ration, actual and future file size) about ELF executable file.

Now it's time to unpack ELF executable file

Below are reported details about ELF's file.




Shellcode In-depth Analysis:

Working on it and downloading "car-498167.jpg" image I noted that server returns a different image based on "User Agent".
The attacker can return the right file only if the system is x64 and is one of Linux distro reported above.
If it seems incredible take a look to the screenshot reported below. Request was made with Slackware distro.




Analyzing shellcode my attention was attract from string like the follow:
"4Ab9s1RRpueZN2XxTM3vDWEHcmsMoEMW3YYsbGUwQSrNDfgMKVV8GAofToNfyiBwocDYzwY5pjpsMB7MY8v4tkDU71oWpDC".

It is not a string base64 encrypted, what of it?

I retrieved a pastebin file where was present part of this shellcode, where I found the same strings.

As you can see, in this shellcode's snippet, if doesn't exist a file named "AnXqV" "Minerd CryptoCurrency" it is going to download and save into "tmp" folder with file named "AnXqV".
Then execution permission is assigned to this file.
At the end a command named "cryptonight" is running.

NOTE: CryptoNight is a proof-of-work algorithm. It is designed to miner bitcoin and to be suitable for ordinary PC CPUs.

According with handbooks every miner use a different command's format. In case reported above 
command "-a cryptonight -o stratum+tcp://URL:PORT -u WALLET_ADDRESS -p x" is used to run miner. So, string "4Ab9s1RRpueZN2XxTM3vDWEHcmsMoEMW3YYsbGUwQSrNDfgMKVV8GAofToNfyiBwocDYzwY5pjpsMB7MY8v4tkDU71oWpDC" is a Monero's wallet address.



ELF file In-depth Analysis:

Analyzing ELF file I was able to retrieve more information about malware's type, its author and the URLs reached out.

Who create this software have nickname "fireice-uk", below there is a screenshot of his github's account.


Also was possible to retrieve URL that are contacted by this miner


Checking domain owner, like in a fairy tail, website is liked to the Miner's developer (Fireice-UK)


Malware's developer embedded the miner developed by "fireice-uk". If the two person are different, why malware's developer have to use and include a miner developer my another person?

Below you can find evidence about matching between information extracted from ELF's file and source code created by "fireice-uk".

In my opinion who developed malware and miner could be the same person.