9/27/2024

CyberChannel: Week of 9/22/24

Telegram's Privacy Policy Shift Raises Concerns

Telegram has updated its privacy policy to share user IP addresses and phone numbers with law enforcement upon receiving a valid court order. This change marks a significant departure from Telegram's previous stance, which only allowed for the disclosure of such information in cases involving terrorism suspects. This comes a month after the arrest and indictment of Pavel Durov, Telegram's co-founder.

The new policy expands the scope of data sharing to include situations where users are suspected of violating Telegram's Terms of Service. This could potentially include activities such as spreading hate speech, promoting illegal content, or engaging in other harmful behaviors. Telegram has emphasized that it will continue to fight for user privacy and only disclose information when legally required.

However, the new policy has raised concerns among privacy advocates. Some argue that it could lead to increased surveillance of users and make it easier for governments to track their activities. Others worry that the change could make Telegram less attractive to users who value privacy.

Kaspersky's Forced Removal and Replacement Raises Questions

In response to a US government ban, Kaspersky has taken the drastic step of deleting its antivirus software from US customers' computers. This unexpected move has left many users confused and concerned about their security.

Instead of simply removing its software, Kaspersky replaced it with UltraAV, a different antivirus product, in many cases without the user taking any action. The move is a direct consequence of the US Commerce Department's ban, which bars Kaspersky from selling its products to US customers and, as of the end of September, from delivering updates to them; it follows the 2017 ban on Kaspersky software in federal government networks, and both rest on concerns about potential ties to the Russian government. While Kaspersky has repeatedly denied any such connection, the ban has effectively ended its US consumer business.

Kia Dealer Portal Flaw Poses Serious Security Risk

A serious vulnerability has been discovered in Kia's dealer portal, which could potentially allow attackers to remotely exploit millions of Kia vehicles. The flaw could provide unauthorized access to critical car functions, posing a significant safety risk. The flaw also exposed sensitive personal information of car owners, including their name, phone number, email address, and physical address, potentially enabling attackers to register themselves as secondary users on the affected vehicles.

The vulnerability could be exploited to remotely unlock doors, start engines, or even control other vehicle systems. This could have serious consequences for both car owners and the general public. Kia has acknowledged the issue and is working on a patch to address the vulnerability.

Cyberattack Forces Kansas Water Plant to Manual Operations

A cyberattack on a Kansas water treatment facility has forced them to switch to manual operations, highlighting the growing concern about cyber threats targeting critical infrastructure.

The attack disrupted the facility's computer systems, making it impossible for operators to monitor and control the water treatment process. As a result, the facility was forced to revert to manual procedures, which are more time-consuming and prone to errors.

This incident underscores the importance of protecting critical infrastructure from cyberattacks. A successful attack on a water treatment facility could have serious consequences for public health and safety.

Islamophobic Cyberattack Disrupts UK Railway Stations

A cyber security incident targeting passengers at several key railway stations in the UK has resulted in an arrest. The incident involved displaying Islamophobic messages on the Wi-Fi login pages of stations like Manchester Piccadilly, Birmingham New Street, and several London terminals.

The culprit, identified as an employee of Global Reach Technology, a company providing Wi-Fi services to Network Rail, was apprehended based on suspicion of offenses under the Computer Misuse Act 1990 and the Malicious Communications Act 1988. Thankfully, no passenger data was compromised during the attack.

Android Malware Necro Infects Millions of Devices

A new Android malware called Necro has infected over 11 million devices through the Google Play Store via malicious advertising SDKs used by seemingly legitimate apps, Android game mods, and altered versions of popular software such as Spotify, WhatsApp, and Minecraft. Necro can steal sensitive information, such as login credentials and credit card details. It can also install other malware on infected devices. The malware was able to bypass Google Play's security measures and infect a large number of devices.

This incident serves as a reminder that users should be cautious about downloading apps from the Google Play Store. It is important to only download apps from trusted developers and to be aware of the potential risks associated with installing apps from unknown sources.

Romcom Malware Resurfaces with New Variant

A resurgence of "RomCom" malware has been observed, in the form of a new variant dubbed SnipBot. Despite the earlier reports calling it a banking trojan, RomCom is a remote access trojan (RAT): it gives the operator a foothold on a compromised Windows machine, lets them run commands and pull additional tooling, and is used to collect and exfiltrate files rather than to hijack online banking sessions.

The SnipBot variant keeps that core capability and adds custom obfuscation and anti-analysis checks that make it harder for security products and sandboxes to inspect. It has been distributed through phishing emails whose links deliver a downloader, in some cases signed with a valid code-signing certificate and disguised as a document, which then fetches the rest of the toolset. The resurgence is a reminder that a well-known family can return with enough changes to slip past signatures written for its previous versions.

P. Diddy Gossip Used to Spread Malicious Software

A sophisticated remote access trojan (RAT) named "PdiddySploit" has been targeting victims using the celebrity gossip surrounding the arrest of P. Diddy. The RAT is designed to give attackers complete control over infected devices. It can be used to steal sensitive information, spy on victims, and launch further attacks. The attackers behind "PdiddySploit" are using a variety of social engineering tactics to lure victims into clicking on malicious links or downloading infected files.

These tactics include sending emails that appear to be from celebrities or news organizations. The emails often contain sensational headlines or offers of exclusive content. Once victims click on the malicious link or download the infected file, their devices are compromised.

9/24/2024

Password Cracking With Hashcat

 _._     _,-'""`-._
(,-.`._,'(       |\`-/|
    `-.-' \ )-`( , x x)
          `-    \`_`"'-

Hashcat is a command line password cracking tool that supports over 300 hash types. It offers several attack modes, selected with -a: straight or dictionary (-a 0), combination (-a 1), brute-force/mask (-a 3), two hybrid modes that append or prepend a mask to wordlist entries (-a 6 and -a 7), and association (-a 9). We will be focusing on the dictionary attack, the simplest and usually fastest mode: every entry in a wordlist is hashed and the result is compared with the target hash. Brute-force, by contrast, enumerates every combination of characters in a keyspace by trial and error, which can take an enormous amount of time and compute for anything beyond short passwords.

We will be using the rockyou.txt password list. This password list was compiled back in 2009 after a major data breach at RockYou, a social media app and advertising network. The list contains over 14 million unique passwords that are commonly used amongst the general public and is a staple wordlist in the hacker community. You can view and download other password lists from here.

Passwords are usually recovered as hashes rather than in plain text. Password hashing runs a plain-text password through a one-way function that produces a fixed-length digest; unlike encryption there is no key and no way to turn the digest back into the password, so a stolen credential database does not hand over passwords directly. Hashing does not stop guessing, though: with a fast, unsalted algorithm such as MD5, SHA-1 or SHA-256, an attacker can hash millions or billions of candidate passwords per second and compare each digest with the stolen one, which is exactly what Hashcat automates. That is why real password storage should use a salted, deliberately slow algorithm such as bcrypt, scrypt or Argon2. As mentioned earlier, Hashcat can crack over 300 different hash types. Below is a collection of downloadable hashed passwords which can be used for practice with Hashcat and the rockyou.txt password list. You can also hash your own passwords using online resources such as the All Hash Generator on Browserling.com, but never paste a password you actually use into a third-party website: hash a throwaway one, or hash locally with md5sum or sha256sum.

Hashed Password Samples:
MD5Password.txt
SHA1Password.txt
SHA256Password.txt
CRC32Password.txt
NTLMPassword.txt

Hashcat is available for Linux, macOS and Windows and is included in the Kali Linux distro. We can crack our first MD5 hashed password in the samples above using the below command in our terminal:

hashcat -m 0 *path to MD5Password.txt* *path to rockyou.txt*

The first option of the command, "-m 0", sets the type of hash you are attempting to crack, 0 being MD5. You can view all the hash types Hashcat supports and their dedicated numbers with the command "hashcat --help". For example, 100 is used for SHA-1, 1400 for SHA-256 and 1000 for NTLM. If you do not know which algorithm produced the hash you are attempting to crack, you can use a hash identifying tool like hash-identifier, which is included in Kali Linux, or Hashcat's own "hashcat --identify *path to hash file*". Treat the answer as a guess rather than a fact: an MD5 and an NTLM hash are both 32 hex characters, so the format alone cannot tell them apart, and if a run finishes with nothing recovered, a wrong -m is the first thing to check.

The second option, "*path to MD5Password.txt*", directs Hashcat to the file containing the hashes, one per line. For example /home/USERNAME/Downloads/MD5Password.txt, where USERNAME is your username. The final option of the command is the path to the wordlist you are running the attack against. Kali Linux includes many default wordlists, including rockyou.txt, in the /usr/share/wordlists path. Please note that rockyou ships compressed as rockyou.txt.gz; if you haven't already, decompress it with "sudo gunzip /usr/share/wordlists/rockyou.txt.gz" before pointing Hashcat at it.
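To make concrete what the -a 0 run below actually does, and to give you a local replacement for the online hash generator mentioned earlier, here is a small Python program. It is an added example, not code from the original post or from the hashcat project: it maps a few -m numbers (0, 100, 1400 and 1000) to their digest functions, runs a straight dictionary attack against a list of target hashes, and then runs the same wordlist against salted md5($salt.$pass) hashes to show why a per-user salt multiplies the attacker's work. The MD5 digest is the one from the hashcat transcript further down; the six-entry wordlist, the salts, and the function names are constructed for illustration. NTLM is MD4 over the UTF-16LE password, and because hashlib's md4 is absent on many OpenSSL 3 builds, the block carries its own RFC 1320 MD4.

```python
"""Dictionary attack mechanics behind `hashcat -a 0`, in pure Python (added example)."""
import hashlib
import struct

MASK32 = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4. Needed because NTLM = MD4(UTF-16LE(password)) and hashlib's
    md4 is missing on OpenSSL 3 builds that lack the legacy provider."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK32
    msg = bytearray(data) + b"\x80"                      # pad: 1 bit, zeros, 64-bit length
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    order3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", bytes(msg[off:off + 64]))
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                               # round 1
            a = rotl((a + f(b, c, d) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                               # round 2
            k = (i // 4) + 4 * (i % 4)
            a = rotl((a + g(b, c, d) + x[k] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                               # round 3
            a = rotl((a + h(b, c, d) + x[order3[i]] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


# hashcat -m numbers for the unsalted sample files in the post, mapped to digest functions.
MODES = {
    0:    ("MD5",      lambda pw: hashlib.md5(pw).hexdigest()),
    100:  ("SHA1",     lambda pw: hashlib.sha1(pw).hexdigest()),
    1400: ("SHA2-256", lambda pw: hashlib.sha256(pw).hexdigest()),
    1000: ("NTLM",     lambda pw: md4(pw.decode("utf-8", "replace").encode("utf-16-le")).hex()),
}


def make_hash(password: str, mode: int) -> str:
    """Local stand-in for the online hash generator: hash one password for a given -m."""
    return MODES[mode][1](password.encode("utf-8"))


def make_salted_hash(password: str, salt: str) -> str:
    """md5($salt.$pass) in hashcat's hash:salt input format (-m 20)."""
    return hashlib.md5(salt.encode("utf-8") + password.encode("utf-8")).hexdigest() + ":" + salt


def dictionary_attack(targets, wordlist, mode):
    """Straight attack (-a 0) on unsalted hashes: each candidate is hashed once and looked
    up against every still-uncracked target, so N hashes cost about one pass over the
    wordlist (hashcat's Not-Salted case). Returns ({hash: plaintext}, digests computed)."""
    digest = MODES[mode][1]
    pending = {t.strip().lower() for t in targets}
    cracked, ops = {}, 0
    for candidate in wordlist:
        if not pending:                  # stop early once everything is recovered
            break
        ops += 1
        h = digest(candidate.encode("utf-8"))
        if h in pending:
            cracked[h] = candidate
            pending.discard(h)
    return cracked, ops


def salted_attack(targets, wordlist):
    """Same wordlist against md5($salt.$pass) entries: a unique salt per user means the
    candidate digests cannot be shared, so the work grows to targets x wordlist."""
    cracked, ops = {}, 0
    for entry in targets:
        h, salt = entry.split(":", 1)
        h = h.lower()
        for candidate in wordlist:
            ops += 1
            if hashlib.md5(salt.encode("utf-8") + candidate.encode("utf-8")).hexdigest() == h:
                cracked[entry] = candidate
                break
    return cracked, ops


if __name__ == "__main__":
    # Constructed stand-in for rockyou.txt (the real file has 14,344,392 lines).
    wordlist = ["123456", "password", "iloveyou", "princess", "blink182", "letmein"]
    # First target is the MD5 from the hashcat run in the post; the others are built here.
    targets = ["6104df369888589d6dbea304b59a32d4",
               make_hash("letmein", 0), make_hash("correct horse battery staple", 0)]
    found, ops = dictionary_attack(targets, wordlist, 0)
    for h, pw in found.items():
        print(f"{h}:{pw}")               # same hash:plain form hashcat prints on success
    print(f"unsalted: {len(found)}/{len(targets)} recovered with {ops} digests")
    salted = [make_salted_hash("blink182", "a1f9"), make_salted_hash("letmein", "7c02")]
    found_s, ops_s = salted_attack(salted, wordlist)
    print(f"salted: {len(found_s)}/{len(salted)} recovered with {ops_s} digests")
```

Run it with python3 and compare the two digest counts: the unsalted run recovers two of three hashes in a single pass and the third, which is not in the wordlist, simply stays unrecovered, while the salted run repeats the pass for every target. Real Hashcat does the same bookkeeping on a GPU with far more hashes and candidates in flight, which is why the throughput figures in its output matter more than the tiny counts here.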

Let's run the command and see what Hashcat comes up with:

hashcat -m 0 /root/Downloads/MD5Password.txt /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 5.0+debian  Linux, None+Asserts, RELOC, SPIR, LLVM 16.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: cpu-haswell-AMD Ryzen 5 4600H with Radeon Graphics, 1425/2914 MB (512 MB allocatable), 2MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 0 MB

Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 1 sec

6104df369888589d6dbea304b59a32d4:blink182                 
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 0 (MD5)
Hash.Target......: 6104df369888589d6dbea304b59a32d4
Time.Started.....: Tue Sep 24 15:54:28 2024 (0 secs)
Time.Estimated...: Tue Sep 24 15:54:28 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:     9780 H/s (0.06ms) @ Accel:256 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 512/14344385 (0.00%)
Rejected.........: 0/512 (0.00%)
Restore.Point....: 0/14344385 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: 123456 -> letmein
Hardware.Mon.#1..: Util: 66%

Started: Tue Sep 24 15:53:52 2024
Stopped: Tue Sep 24 15:54:30 2024

Success! After a few seconds the line of the form hash:plaintext shows that the MD5 digest corresponds to blink182, and the summary confirms it with Status: Cracked and Recovered: 1/1. Note the Progress line as well: Hashcat found the password among the first 512 candidates of the 14 million in rockyou.txt, which is why the run took no measurable time. Hashcat also records the result in its potfile, so if you run the same command again it will report that the hash was already found; use "hashcat -m 0 --show *path to MD5Password.txt*" to print recovered passwords from the potfile. Blink-182 fans beware, your password isn't fooling even the most amateur of hackers out there.

Try using Hashcat with the other sample hashed passwords in this post (remember to change -m to match: 100 for SHA-1, 1400 for SHA-256, 1000 for NTLM), or hash your own throwaway passwords with the All Hash Generator on Browserling.com or locally with md5sum, and see whether they fall to a dictionary attack using rockyou.txt or other common wordlists. To learn more about Hashcat and its other features, visit their Wiki here.