Petya Ransomware: Outbreak, detection and prevention

Systems affected

Microsoft Windows OS platform.


European government, financial, utilities, transportation and energy sectors have been hit by a large-scale ransomware campaign. The malware is a new strain built from the previously discovered “Petya” ransomware, bolstered by the EternalBlue exploit. It has had the greatest impact in Russia and Ukraine; however, the attack has spread widely across Europe and Asia, in countries such as the UK, Germany, France, Italy, the Netherlands, Spain, Denmark, Poland and India, as well as the US. Petya ransomware is malicious software built to shut down computer systems, encrypt system files and demand a $300 ransom paid in Bitcoin to a Bitcoin wallet; victims are then told to send a unique identifier to the email address [] to confirm the payment and receive the decryption key.

Technical Details

As this new strain borrows code from the “Petya” ransomware, it leverages the well-known “EternalBlue” exploit against Windows SMBv1, the file-sharing protocol; this is the same exploit the “WannaCry” ransomware used to spread its infection in May 2017. Petya encrypts the MFT (Master File Table) of NTFS partitions and overwrites the MBR (Master Boot Record) with a custom bootloader that displays a ransom note and prevents victims from booting their computer.


E-mail address:

IP addresses:


Hashes (SHA256):

Malicious files:
myguy.xls EE29B9C01318A1E23836B949942DB14D4811246FDAE2F41DF9F0DCD922C63BC6
BCA9D6.exe 17DACEDB6F0379A65160D73C0AE3AA1F03465AE75CB6AE754C7DCB3017AF1FBD

Alternate Solution

Researchers the world over raced to find a kill switch or loophole similar to the one in WannaCry. A researcher from Cybereason discovered a vaccine for the itch: simply create a file called perfc in the C:\Windows folder and make it read-only. For further reading, refer to this article:


CrashOverride Malware detection

Systems Affected

Industrial Controls Systems

The Summary

Public reports from ESET and Dragos describe a new, highly capable Industrial Control Systems (ICS) attack platform that was reportedly used in 2016 against critical infrastructure in Ukraine and that has since been rediscovered in the wild. As reported by ESET and Dragos, the CrashOverride malware is an extensible platform that could be used to target critical infrastructure sectors.

Here are a few pointers to provide organizations with detection and mitigation recommendations to help prevent future compromises within their critical infrastructure networks.

For a downloadable copy of IOCs, see:

Technical Analysis

CrashOverride malware represents a scalable, capable platform. The modules and capabilities publicly reported appear to focus on organizations using the ICS protocols IEC101, IEC104 and IEC61850, which are more commonly used in electric power control systems. The platform fundamentally abuses a targeted ICS system’s legitimate control functionality to achieve its intended effect. CrashOverride or similar malware could have implications beyond electric power, so all critical infrastructure organizations should evaluate their systems for susceptibility to the TTPs outlined. The malware has several reported capabilities:

  1. Issues valid commands directly to remote terminal units (RTUs) over ICS protocols. As reported by Dragos, one such command sequence toggles circuit breakers in a rapid open-close-open-close pattern. This could create conditions where individual utilities may island from infected parties, potentially resulting in a degradation of grid reliability.
  2. Denies service to local serial COM ports on Windows devices, thereby preventing legitimate serial communications with field equipment from the affected device.
  3. Scans and maps the ICS environment using a variety of protocols, including Open Platform Communications (OPC). This significantly improves the payload’s probability of success.
  4. Could exploit a Siemens relay denial-of-service (DoS) vulnerability, leading to a shutdown of the relay. In this instance, the relay would need to be manually reset to restore functionality.
  5. Includes a wiper module that renders Windows systems inert, requiring a rebuild or restoration from backup.


As CrashOverride is a second-stage malware capability and can operate independently of initial C2, traditional methods of detection may not be sufficient to detect infections before the malware executes. As a result, organizations are encouraged to implement behavioral analysis techniques to identify the infection.


import "pe"
import "hash"

rule dragos_crashoverride_exporting_dlls
{
    meta:
        description = "CRASHOVERRIDE v1 Suspicious Export"
        author = "Dragos Inc"
    condition:
        pe.exports("Crash") & pe.characteristics
}

rule dragos_crashoverride_suspcious
{
    meta:
        description = "CRASHOVERRIDE v1 Wiper"
        author = "Dragos Inc"
    strings:
        $s0 = "SYS_BASCON.COM" fullword nocase wide
        $s1 = ".pcmp" fullword nocase wide
        $s2 = ".pcmi" fullword nocase wide
        $s3 = ".pcmt" fullword nocase wide
        $s4 = ".cin" fullword nocase wide
    condition:
        pe.exports("Crash") and any of ($s*)
}

rule dragos_crashoverride_name_search
{
    meta:
        description = "CRASHOVERRIDE v1 Suspicious Strings and Export"
        author = "Dragos Inc"
    strings:
        $s0 = "101.dll" fullword nocase wide
        $s1 = "Crash101.dll" fullword nocase wide
        $s2 = "104.dll" fullword nocase wide
        $s3 = "Crash104.dll" fullword nocase wide
        $s4 = "61850.dll" fullword nocase wide
        $s5 = "Crash61850.dll" fullword nocase wide
        $s6 = "OPCClientDemo.dll" fullword nocase wide
        $s7 = "OPC" fullword nocase wide
        $s8 = "CrashOPCClientDemo.dll" fullword nocase wide
        $s9 = "D2MultiCommService.exe" fullword nocase wide
        $s10 = "CrashD2MultiCommService.exe" fullword nocase wide
        $s11 = "61850.exe" fullword nocase wide
        $s12 = "OPC.exe" fullword nocase wide
        $s13 = "haslo.exe" fullword nocase wide
        $s14 = "haslo.dat" fullword nocase wide
    condition:
        any of ($s*) and pe.exports("Crash")
}

rule dragos_crashoverride_hashes
{
    meta:
        description = "CRASHOVERRIDE Malware Hashes"
        author = "Dragos Inc"
    condition:
        filesize < 1MB and
        (
            hash.sha1(0, filesize) == "f6c21f8189ced6ae150f9ef2e82a3a57843b587d" or
            hash.sha1(0, filesize) == "cccce62996d578b984984426a024d9b250237533" or
            hash.sha1(0, filesize) == "8e39eca1e48240c01ee570631ae8f0c9a9637187" or
            hash.sha1(0, filesize) == "2cb8230281b86fa944d3043ae906016c8b5984d9" or
            hash.sha1(0, filesize) == "79ca89711cdaedb16b0ccccfdcfbd6aa7e57120a" or
            hash.sha1(0, filesize) == "94488f214b165512d2fc0438a581f5c9e3bd4d4c" or
            hash.sha1(0, filesize) == "5a5fafbc3fec8d36fd57b075ebf34119ba3bff04" or
            hash.sha1(0, filesize) == "b92149f046f00bb69de329b8457d32c24726ee00" or
            hash.sha1(0, filesize) == "b335163e6eb854df5e08e85026b2c3518891eda8"
        )
}

rule dragos_crashoverride_moduleStrings
{
    meta:
        description = "IEC-104 Interaction Module Program Strings"
        author = "Dragos Inc"
    strings:
        $s1 = "IEC-104 client: ip=%s; port=%s; ASDU=%u" nocase wide ascii
        $s2 = " MSTR ->> SLV" nocase wide ascii
        $s3 = " MSTR <<- SLV" nocase wide ascii
        $s4 = "Unknown APDU format !!!" nocase wide ascii
        $s5 = "iec104.log" nocase wide ascii
    condition:
        any of ($s*)
}

rule dragos_crashoverride_configReader
{
    meta:
        description = "CRASHOVERRIDE v1 Config File Parsing"
        author = "Dragos Inc"
    strings:
        $s0 = { 68 e8 ?? ?? ?? 6a 00 e8 a3 ?? ?? ?? 8b f8 83 c4 ?8 }
        $s1 = { 8a 10 3a 11 75 ?? 84 d2 74 12 }
        $s2 = { 33 c0 eb ?? 1b c0 83 c8 ?? }
        $s3 = { 85 c0 75 ?? 8d 95 ?? ?? ?? ?? 8b cf ?? ?? }
    condition:
        all of them
}

rule dragos_crashoverride_weirdMutex
{
    meta:
        description = "Blank mutex creation associated with CRASHOVERRIDE"
        author = "Dragos Inc"
    strings:
        $s1 = { 81 ec 08 02 00 00 57 33 ff 57 57 57 ff 15 ?? ?? 40 00 a3 ?? ?? ?? 00 85 c0 }
        $s2 = { 8d 85 ?? ?? ?? ff 50 57 57 6a 2e 57 ff 15 ?? ?? ?? 00 68 ?? ?? 40 00 }
    condition:
        all of them
}

rule dragos_crashoverride_serviceStomper
{
    meta:
        description = "Identify service hollowing and persistence setting"
        author = "Dragos Inc"
    strings:
        $s0 = { 33 c9 51 51 51 51 51 51 ?? ?? ?? }
        $s1 = { 6a ff 6a ff 6a ff 50 ff 15 24 ?? 40 00 ff ?? ?? ff 15 20 ?? 40 00 }
    condition:
        all of them
}

rule dragos_crashoverride_wiperModuleRegistry
{
    meta:
        description = "Registry Wiper functionality associated with CRASHOVERRIDE"
        author = "Dragos Inc"
    strings:
        $s0 = { 8d 85 a0 ?? ?? ?? 46 50 8d 85 a0 ?? ?? ?? 68 68 0d ?? ?? 50 }
        $s1 = { 6a 02 68 78 0b ?? ?? 6a 02 50 68 b4 0d ?? ?? ff b5 98 ?? ?? ?? ff 15 04 ?? ?? ?? }
        $s2 = { 68 00 02 00 00 8d 85 a0 ?? ?? ?? 50 56 ff b5 9c ?? ?? ?? ff 15 00 ?? ?? ?? 85 c0 }
    condition:
        all of them
}

rule dragos_crashoverride_wiperFileManipulation
{
    meta:
        description = "File manipulation actions associated with CRASHOVERRIDE wiper"
        author = "Dragos Inc"
    strings:
        $s0 = { 6a 00 68 80 00 00 00 6a 03 6a 00 6a 02 8b f9 68 00 00 00 40 57 ff 15 1c ?? ?? ?? 8b d8 }
        $s2 = { 6a 00 50 57 56 53 ff 15 4c ?? ?? ?? 56 }
    condition:
        all of them
}
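The behavioral analysis recommended above can start from the most visible observable in capability 1: a breaker point commanded open/close/open/close faster than any operator would work it. The following is an added example (not Dragos or ESET code, and not part of the original post) that runs such a check over a constructed, hypothetical gateway command audit log; the log format and field names are assumptions, so the parser must be adapted to a real gateway's export.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in a hypothetical format: one control command per line as
# an ICS protocol gateway might log it. Fields: ISO timestamp, issuing host,
# RTU identifier, information object address (IOA) and the command sent.
SAMPLE_LOG = """\
2016-12-17T22:53:01 src=eng-ws-04 rtu=RTU-07 ioa=1001 cmd=OPEN
2016-12-17T22:53:02 src=eng-ws-04 rtu=RTU-07 ioa=1001 cmd=CLOSE
2016-12-17T22:53:03 src=eng-ws-04 rtu=RTU-07 ioa=1001 cmd=OPEN
2016-12-17T22:53:04 src=eng-ws-04 rtu=RTU-07 ioa=1001 cmd=CLOSE
2016-12-17T22:53:05 src=eng-ws-04 rtu=RTU-07 ioa=1001 cmd=OPEN
2016-12-17T22:10:00 src=hmi-01 rtu=RTU-02 ioa=2002 cmd=OPEN
2016-12-17T22:45:00 src=hmi-01 rtu=RTU-02 ioa=2002 cmd=CLOSE
"""


def parse_line(line):
    """Split one audit line into a dict; the timestamp becomes a datetime."""
    ts_text, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.fromisoformat(ts_text)
    return event


def find_rapid_toggles(log_text, window_seconds=30, min_transitions=3):
    """Flag every (RTU, IOA) point whose commanded state changed at least
    min_transitions times within any window_seconds span.

    OPEN -> CLOSE -> OPEN counts as two transitions, so the default catches
    the open-close-open-close sequence on its third flip. Returns one alert
    per point, raised as soon as the threshold is crossed.
    """
    events = sorted(
        (parse_line(line) for line in log_text.splitlines() if line.strip()),
        key=lambda e: e["ts"],
    )
    per_point = defaultdict(list)
    for event in events:
        per_point[(event["rtu"], event["ioa"])].append(event)

    alerts = []
    for (rtu, ioa), point_events in per_point.items():
        window = deque()   # events inside the current sliding window
        transitions = 0    # state changes between consecutive window events
        for event in point_events:
            if window and window[-1]["cmd"] != event["cmd"]:
                transitions += 1
            window.append(event)
            # Drop events that fell out of the window, together with the
            # transition between each dropped event and its successor.
            while (event["ts"] - window[0]["ts"]).total_seconds() > window_seconds:
                expired = window.popleft()
                if expired["cmd"] != window[0]["cmd"]:
                    transitions -= 1
            if transitions >= min_transitions:
                alerts.append({
                    "rtu": rtu,
                    "ioa": ioa,
                    "transitions": transitions,
                    "sources": sorted({e["src"] for e in window}),
                    "first": window[0]["ts"].isoformat(),
                    "last": event["ts"].isoformat(),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in find_rapid_toggles(SAMPLE_LOG):
        print(alert)
```

Thresholds are site-specific: tune window_seconds and min_transitions against a baseline of normal switching operations before alerting on them.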


A successful network intrusion can have severe impacts, particularly if the compromise becomes public and sensitive information is exposed. Possible impacts include:

  • temporary or permanent loss of sensitive or proprietary information,
  • disruption to regular operations,
  • financial losses incurred to restore systems and files, and
  • potential harm to an organization’s reputation.


Properly implemented defensive techniques and common cyber hygiene practices increase the complexity of the barriers that adversaries must overcome to gain unauthorized access to critical information networks and systems. In addition, malicious network activity should trigger detection and prevention mechanisms that enable organizations to contain and respond to intrusions more rapidly. No set of defensive techniques or programs will completely avert all attacks; however, layered cybersecurity defenses will reduce an organization’s attack surface and increase the likelihood of detection. This layered mitigation approach is known as defense-in-depth.


WannaCry Ransomware: All you need to know (updated)

What is WannaCry?

On 12 May 2017, over 200,000 attacks in at least 99 countries around the world were reported in a large-scale ransomware campaign known as “WannaCry”.
The highest number of infections was recorded in Russia; however, the attack significantly impacted organizations in other countries, particularly the UK, where the National Health Service (NHS) declared the event a “major incident” because patient records, schedules, internal phone lines and emails were rendered inaccessible. In parallel, a European public transport system, a Saudi-based telecom operator and a major European automobile manufacturer all took the hit. WannaCry uses the leaked NSA EternalBlue exploit to infect other connected Windows systems on the same network.
This ransomware demands approximately 0.2 to 0.5 Bitcoin per infected device to recover the files. Like its predecessors, it features a countdown and threatens to double the ransom after three days and delete the files after seven days. A real-time map of the infection can be found here:

Technical Analysis

WannaCry ransomware has been spreading as a worm over LAN and WAN networks by exploiting an SMBv1 remote code execution (RCE) vulnerability in Microsoft Windows (MS17-010). Microsoft patched the vulnerability on 14 March. The DOUBLEPULSAR backdoor allows attackers to inject and execute malicious code on a target system; it is installed by leveraging ETERNALBLUE, an SMBv1 (Server Message Block 1.0) exploit that can trigger RCE in older versions of Windows (Windows XP to Server 2008 R2).

Below is the complete infection process as described in the analysis published by the experts at the Cisco Talos team:

“An initial file mssecsvc.exe drops and executes the file tasksche.exe. The kill switch domain is then checked. Next, the service mssecsvc2.0 is created. This service executes the file mssecsvc.exe with a different entry point than the initial execution. This second execution checks the IP address of the infected machine and attempts to connect to port 445 TCP of each IP address in the same subnet. When the malware successfully connects to a machine, a connection is initiated and data is transferred. We believe this network traffic is an exploit payload. It has been widely reported this is exploiting recently disclosed vulnerabilities addressed by Microsoft in bulletin MS17-010. We currently don’t have a complete understanding of the SMB traffic, and exactly what conditions need to be present for it to spread using this method.” states the analysis.

“The file tasksche.exe checks for disk drives, including network shares and removable storage devices mapped to a letter, such as ‘C:/’, ‘D:/’ etc. The malware then checks for files with a file extension as listed in the appendix and encrypts these using 2048-bit RSA encryption. While the files are being encrypted, the malware creates a new file directory ‘Tor/’ into which it drops tor.exe and nine dll files used by tor.exe. Additionally, it drops two further files: taskdl.exe & taskse.exe. The former deletes temporary files while the latter launches @wanadecryptor@.exe to display the ransom note on the desktop to the end user. The @wanadecryptor@.exe is not in and of itself the ransomware, only the ransom note. The encryption is performed in the background by tasksche.exe.”

In layman’s terms (credit)

  • WannaCry does not use any sophisticated delivery method. It starts with a password-protected zip file that has a document inside.
  • Once the document is opened, it downloads a second stage, an unsigned executable. This executable contains the delivery method for infection, worm replication and exploitation.
  • The malicious software beacons out to the domain hxxp:// to check whether the website is up; if it is, the malware will not execute. That domain has since been sinkholed and is up, so you can either use DNS to redirect it to a legitimate site to ensure it stays up, or leave it as is since it is sinkholed and currently running. Because the kill switch is now active, the malicious software should exit upon performing the check.
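The propagation step described by Talos above (one host connecting to TCP port 445 of every address in its subnet) is easy to spot in firewall or flow logs once you count distinct destinations per source over a short window. The following added example (not Talos code and not part of the original post) runs that check over constructed connection log lines in an assumed format; the format, addresses and thresholds are all assumptions.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in a hypothetical firewall log format:
# "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <proto>"
# 10.20.30.15 sweeps its /24 on TCP 445 within seconds (worm-like);
# 10.20.30.9 is an ordinary client touching two file servers.
SAMPLE_LOG = "\n".join(
    [f"2017-05-12T10:00:{i:02d} 10.20.30.15 -> 10.20.30.{100 + i}:445 tcp"
     for i in range(12)]
    + [
        "2017-05-12T10:00:05 10.20.30.15 -> 10.20.30.2:53 udp",
        "2017-05-12T10:00:06 10.20.30.9 -> 10.20.30.40:445 tcp",
        "2017-05-12T10:00:07 10.20.30.9 -> 192.168.5.7:445 tcp",
        "2017-05-12T10:20:00 10.20.30.9 -> 10.20.30.41:445 tcp",
    ]
)


def parse_line(line):
    """Parse one connection log line of the assumed format."""
    ts_text, src, _arrow, dst, proto = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts_text), "src": src,
            "dst": dst_ip, "port": int(dst_port), "proto": proto.lower()}


def find_smb_fanout(log_text, window_seconds=60, min_targets=10, prefix_len=24):
    """Return one alert per source that opened TCP/445 connections to at least
    min_targets distinct hosts within window_seconds.

    same_subnet counts how many of those targets share the source's
    /prefix_len, which is the pattern the Talos analysis describes: the worm
    walks the infected machine's own subnet.
    """
    events = sorted(
        (parse_line(line) for line in log_text.splitlines() if line.strip()),
        key=lambda e: e["ts"],
    )
    recent = defaultdict(deque)   # src -> deque of (ts, dst) inside the window
    alerts, flagged = [], set()
    for event in events:
        if event["port"] != 445 or event["proto"] != "tcp":
            continue
        q = recent[event["src"]]
        q.append((event["ts"], event["dst"]))
        while (event["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        targets = {dst for _, dst in q}
        if len(targets) >= min_targets and event["src"] not in flagged:
            net = ipaddress.ip_network(f"{event['src']}/{prefix_len}", strict=False)
            alerts.append({
                "src": event["src"],
                "targets": len(targets),
                "same_subnet": sum(ipaddress.ip_address(d) in net for d in targets),
                "first": q[0][0].isoformat(),
                "last": event["ts"].isoformat(),
            })
            flagged.add(event["src"])
    return alerts


if __name__ == "__main__":
    for alert in find_smb_fanout(SAMPLE_LOG):
        print(alert)
```

Legitimate scanners, backup servers and domain controllers will also fan out on 445, so keep an allow-list of such sources rather than lowering the threshold.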

File Extensions used:

.doc, .docx, .xls, .xlsx, .ppt, .pptx, .pst, .ost, .msg, .eml, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks, .wk1, .pdf, .dwg, .onetoc2, .snt, .jpeg, .jpg, .docb, .docm, .dot, .dotm, .dotx, .xlsm, .xlsb, .xlw, .xlt, .xlm, .xlc, .xltx, .xltm, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .edb, .hwp, .602, .sxi, .sti, .sldx, .sldm, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso, .vcd, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .nef, .psd, .ai, .svg, .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class, .jar, .java, .rb, .asp, .php, .jsp, .brd, .sch, .dch, .dip, .pl, .vb, .vbs, .ps1, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf, .ibd, .myi, .myd, .frm, .odb, .dbf, .db, .mdb, .accdb, .sql, .sqlitedb, .sqlite3, .asc, .lay6, .lay, .mml, .sxm, .otg, .odg, .uop, .std, .sxd, .otp, .odp, .wb2, .slk, .dif, .stc, .sxc, .ots, .ods, .3dm, .max, .3ds, .uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx, .der

Protection: How to?

  • Ensure that all systems including clients and servers running Microsoft Windows have applied the official patch (MS17-010), which closes the affected SMB server vulnerability.
  • Disable SMB v1.0 for good.
  • Follow a multi-layered approach to security. At a minimum, run both firewall and anti-malware applications to provide multiple points of detection and protection to both inbound and outbound threats.
  • Review network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity and consider blocking the IOCs listed on this blog along with blocking the CnCs.
  • Consider restricting connections on the following ports 445/139/3389 as applicable.

Known and confirmed CnCs (C2 onion/Tor domains)

  • gx7ekbenv2riucmf.onion
  • 57g7spgrzlojinas.onion
  • xxlvbrloxvriy2c5.onion
  • 76jdd2ir2embyv47.onion
  • cwwnhwhlz52ma.onion
  • sqjolphimrr7jqw6.onion

Other known C2 domains:


Other known CnCs:


Email senders source IP:


Malicious Email sender address:


Registry key:

  • HKEY_LOCAL_MACHINE\Software\WanaCrypt0r


  • C:\Windows\mssecsvc.exe
  • C:\Windows\tasksche.exe


  • cscript.exe //nologo m.vbs

Files created:

  • %TEMP%\m.vbs
  • %TEMP%\b.wrny
  • %TEMP%\c.wrny
  • taskse.exe
  • taskdl.exe
  • @Please_Read_Me@.txt
  • @WanaDecryptor@.exe

YARA signatures

rule Wanna_Cry_Ransomware_Generic {
    meta:
        description = "Detects WannaCry Ransomware on disk and in virtual page"
        author = "US-CERT Code Analysis Team"
        reference = "not set"
        date = "2017/05/12"
        hash0 = "4DA1F312A214C07143ABEEAFB695D904"
    strings:
        $s0 = {410044004D0049004E0024}
        $s1 = "WannaDecryptor"
        $s2 = "WANNACRY"
        $s3 = "Microsoft Enhanced RSA and AES Cryptographic"
        $s4 = "PKS"
        $s5 = "StartTask"
        $s6 = "wcry@123"
        $s7 = {2F6600002F72}
        $s8 = "unzip 0.15 Copyrigh"
    condition:
        $s0 and $s1 and $s2 and $s3 or $s4 or $s5 or $s6 or $s7 or $s8
}

/* The following YARA ruleset is under the GNU-GPLv2 license and open to any
   user or organization, as long as you use it under this license. */

rule MS17_010_WanaCry_worm {
    meta:
        description = "Worm exploiting MS17-010 and dropping WannaCry Ransomware"
        author = "Felipe Molina (@felmoltor)"
        reference = ""  // reference URL not reproduced on this page
        date = "2017/05/12"
    strings:
        $ms17010_str1 = "PC NETWORK PROGRAM 1.0"
        $ms17010_str3 = "Windows for Workgroups 3.1a"
        $wannacry_payload_substr1 = "h6agLCqPqVyXi2VSQ8O6Yb9ijBX54j"
        $wannacry_payload_substr2 = "h54WfF9cGigWFEx92bzmOd0UOaZlM"
        $wannacry_payload_substr3 = "tpGFEoLOU6+5I78Toh/nHs/RAP"
    condition:
        all of them
}


Malware Samples (credit)

Latest Update: WannaCry 2.0 with no killswitch discovered

The hackers have released an updated variant with no killswitch functionality.

The killswitch has been readied. The domains are:


Buckle up, because it’s not over yet!
The worrying factor is that we could end up seeing other malware piggybacking on this campaign. The malware can also spread through other regular exploit vectors, such as spear phishing, drive-by download attacks and malicious torrent downloads.

Two words for you: “Patch” your systems and “disable” SMB v1.

Top 30 Cyber Attacks of 2016

Every year we witness a huge surge in cyber attacks worldwide, from APTs to headless worms, targeted attacks, ransomware, machine-to-machine attacks and DDoS. The attacks are becoming more and more diverse, with malware piggybacking on other malware and a collaborative approach to exploiting vulnerabilities. Gartner predicts there will be 6.8 billion connected devices in use in 2016, a 30 percent increase over 2015. By 2020, that number will jump to more than 20 billion connected devices. Cyber criminals had a heyday in 2016 and will continue to do so in 2017. With an increased concentration on drive-by attacks, the emergence of the “Internet of Things” is elevating the challenges posed not just to organizations; it brings the battle to our homes.

These are the top 30 cyber attacks faced globally in the bygone year. They have been listed here based on criteria that include target, magnitude and complexity.


Date | Target | Description | Attack Type | Domain/Industry
--- | --- | --- | --- | ---
16/02/2016 | Spotify | Hundreds of Spotify Premium account details are compromised and leaked online by an unknown hacker. A number of separate data dumps containing email addresses, passwords, account types and renewal dates appear online. | Bruteforce | Music Streaming
21/10/2016 | DynDNS | A distributed denial of service attack against Dyn, the dynamic DNS service, affects the availability of dozens of major websites and Internet services, including Twitter and Reddit. | DDoS | Internet Services
16/01/2016 | KickassTorrents | KickassTorrents is taken down by a DDoS attack. | DDoS | Torrent Tracker
17/01/2016 | Crelan | Belgian bank Crelan is the latest victim of fraudsters, with damage of over EUR 70 million (around $75.8 million). | Account Hijacking | Finance
30/01/2016 | Pastebin | Pastebin is taken down by a huge DDoS attack. | DDoS | Online Services
29/01/2016 | HSBC | HSBC is hit by an apparent DDoS attack on its online banking system. | DDoS | Finance
04/04/2016 | US Government and Commercial Networks | The FBI unusually warns that “a group of malicious cyber actors”, whom security experts believe to be the government-sponsored hacking group known as APT6, has compromised and stolen sensitive information from various government and commercial networks since at least 2011. | Targeted Attack | Government
04/04/2016 | Trump Hotel Collection | The Trump Hotel Collection suffers another breach of its credit card system. | POS Malware | Industry: Hotel and Hospitality
05/04/2016 | 50 Million Turkish Citizens | Turkish authorities investigate the alleged leak of nearly 50 million citizens’ sensitive personal data (almost two-thirds of the country’s 75 million-strong population). According to reports, a database that was uploaded online appeared to have been stolen in 2009 from a state agency which issues national ID cards. | Unknown | Government
12/04/2016 | Naughty America and affiliate websites | An unknown hacker offers a database containing emails and passwords of 3.8 million Naughty America porn accounts for a mere $300. | Unknown | Adult Sites
10/03/2016 | Bangladesh Central Bank | Reuters reports that unknown hackers were able to breach the Bangladesh Bank’s systems and steal its credentials for payment transfers, using them to transfer money to entities in the Philippines and Sri Lanka. The hackers got away with about $80 million, but a spelling mistake helped prevent a further theft of nearly $1 billion. | Account Hijacking | Finance
10/03/2016 | 21st Century Oncology | US cancer clinic 21st Century Oncology admits that a breach of its systems may have exposed private information on 2.2 million patients and employees. The breach happened in November 2015, but the FBI asked 21st Century to hold off from disclosing the incident until a thorough investigation had been completed. | Unknown | Healthcare
14/03/2016 | Several high-profile websites including The New York Times, the BBC, MSN and AOL | Several security vendors, including Trend Micro and Malwarebytes, reveal the details of a large-scale malvertising campaign targeting high-profile sites. | Malvertising | Media
05/05/2016 | Several databases | Another massive breach is discovered: a trove of 272.3 million accounts belonging to several services, including Google and Microsoft, is put on sale on the dark web. | Unknown | Unknown
15/03/2016 | Bailey’s | Outdoor equipment retailer Bailey’s Inc. notifies its customers that an attacker may have stolen payment card information of 250,000 customers from the company website and that the breach lasted longer than first thought (between Dec. 1, 2011 and Jan. 26, 2016). | Unknown | Industry: Retail
07/05/2016 | Several Banks Worldwide | OpIcarus continues and Anonymous take down other banks across the world, including the Central Bank of the Dominican Republic, the Guernsey Financial Services Commission, the Central Bank of Maldives, the Dutch Central Bank, the National Bank of Panama, the Central Bank of Kenya, the Central Bank of Mexico and the Central Bank of Bosnia and Herzegovina. | DDoS | Finance
27/05/2016 | MySpace | A hacker hiding behind the email address publishes a database containing 360 million records belonging to MySpace. The database is the alleged result of a breach that occurred in 2013. | Unknown | Social Network
30/05/2016 | Tumblr | 65 million Tumblr passwords are on sale on the underground. The company admitted to having suffered a breach on May 12. | Unknown | Social Network
04/10/2016 | NRSC | Suspected Russian hackers are believed to have been skimming credit card information of Republican donors for the past six months. The NRSC is among more than 5,900 e-commerce sites that fell victim to the same attack. | Malware | Org: Political Party
14/10/2016 | Evony Gaming | LeakedSource reveals that Evony Gaming suffered a massive breach involving the usernames, email addresses, unsalted MD5 and SHA-1 passwords and IP addresses of 33 million gamers. | Unknown | Industry: Video Games
20/10/2016 | Several Top Indian Banks | Details of more than 3.2 million cash cards of customers of top Indian banks (Visa, Mastercard, RuPay) have reportedly been stolen in what could be one of the biggest financial data breaches in the country. While it is unclear who is behind the alleged operation, reports suggest that unauthorised transactions can be traced to various locations in China. | Malware | Finance
18/10/2016 | AdultFriendFinder | Adult dating and entertainment company FriendFinder Networks has reportedly been hacked in a massive data breach exposing more than 412 million accounts and user credentials collected over two decades. The breach is believed to have occurred in October, with email addresses and passwords from six adult-oriented FriendFinder Networks websites dumped online. | Local File Inclusion | Adult Site
15/11/2016 | Kerala government’s civil supplies department website | Confidential personal records of over 34 million residents in the Indian state of Kerala are compromised, after an Indian man living in Tokyo posts them on Facebook because the Indian government failed to address security flaws in the website. | Unknown | Government
23/11/2016 | US Navy | Hackers manage to get their hands on personal and sensitive information of over 130,000 US Navy officials after a laptop of an HPE Navy contractor is hacked. The breach was acknowledged on October 27. | Unknown | Military
26/11/2016 | Deutsche Telekom | 900,000 Deutsche Telekom customers are knocked off the internet when their routers are hit by a malware attack launched through the Mirai botnet exploiting a SOAP remote execution vulnerability. | Malware | ISP
30/11/2016 | Android 4 and Android 5 Users | Researchers at Check Point Software Technologies uncover a new malware variant called Gooligan that to date has hacked one million Google accounts worldwide by rooting the user’s Android device, at an alarming rate of some 13,000 devices per day. | Malware | Individuals
29/11/2016 | European Commission | The European Commission (EC) is the target of a distributed denial of service (DDoS) attack that leads to a breakdown in internet services for hours. | DDoS | Org: Politics (EU Institution)
10/07/2016 | Dating/matchmaking website | The site is hacked and 2 million accounts are dumped online, including clear-text passwords. | Unknown | Dating
20/05/2016 | Bank in Ecuador | Third victim of the SWIFT hack: a bank in Ecuador was also the victim of a similar attack in 2015, which saw cybercriminals stealing around $9 million. | Targeted attack | Finance
13/06/2016 | iMesh | 51 million user accounts for iMesh, a now-defunct file sharing service, are put on sale on the dark web. | Unknown | File Sharing


Application security: Testing scenarios

Security testing is a crucial part of commissioning an application in your enterprise environment. The IT security team needs a robust arsenal of test cases for application security testing before the actual go-live.
This is the acid test for the application development team. Ideally you will put the application through two kinds of tests, depending on whether it is an internal application or a web-facing application; web-facing applications need to go through the pentest as well.
Security testing for applications can be done at various stages of the enterprise SDLC, namely during the analysis and design phase, the development phase and the post-testing maintenance phase. In this blog, however, I will cover the test scenarios specifically undertaken during the “Testing phase”.

Below are the testing scenarios for both internal and web facing public applications:

Security Testing Test Scenarios
1. Check for SQL injection attacks
2. Secure pages should use HTTPS protocol
3. Page crash should not reveal application or server info. Error page should be displayed for this
4. Escape special characters in input
5. Error messages should not reveal any sensitive information
6. All credentials should be transferred over an encrypted channel
7. Test password security and password policy enforcement
8. Check application logout functionality
9. Check for Brute Force Attacks
10. Cookie information should be stored in encrypted format only
11. Check session cookie duration and session termination after timeout or logout
12. Session tokens should be transmitted over a secured channel
13. Password should not be stored in cookies
14. Test for Denial of Service attacks
15. Test for memory leakage
16. Test unauthorized application access by manipulating variable values in browser address bar
17. Test file extension handling so that exe files are not uploaded and executed on the server
18. Sensitive fields like passwords and credit card information should not have auto complete enabled
19. File upload functionality should use file type restrictions and also anti-virus for scanning uploaded files
20. Check if directory listing is prohibited
21. Password and other sensitive fields should be masked while typing
22. Check if forgot password functionality is secured with features like temporary password expiry after specified hours and security question is asked before changing or requesting new password
23. Verify CAPTCHA functionality
24. Check if important events are logged in log files
25. Check if access privileges are implemented correctly
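Several of the scenarios above (HTTPS for secure pages, crash and error pages not revealing server details, cookies and session tokens sent only over a secured channel and not carrying passwords, no autocomplete on password fields, directory listing prohibited) can be judged from a single captured HTTP response, so they are worth automating. The following added example (not from the original post or any particular tool) audits two constructed, hypothetical responses: one that fails those checks and one that passes them.

```python
import re

# Constructed sample responses for a hypothetical application. The first is
# what a failing run looks like; the second passes the same checks.
WEAK_RESPONSE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Server: Apache/2.4.18 (Ubuntu)\r\n"
    "X-Powered-By: PHP/5.6.40\r\n"
    "Set-Cookie: PHPSESSID=3f9a1c; Path=/\r\n"
    "Set-Cookie: remember_password=hunter2; Path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>Fatal error</h1>"
    "<pre>Stack trace: #0 /var/www/app/login.php(42): Db-&gt;query()</pre>"
    "<form><input type=\"password\" name=\"pw\"></form></body></html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Server: Apache\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Set-Cookie: SESSIONID=3f9a1c; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>Something went wrong</h1><p>Please try again later.</p>"
    "<form><input type=\"password\" name=\"pw\" autocomplete=\"off\"></form>"
    "</body></html>"
)

# Fragments that indicate an error page is exposing internals.
LEAK_PATTERN = re.compile(
    r"(?i)(stack trace|traceback|exception|at line \d+|syntax error|/var/www)"
)


def parse_response(raw):
    """Split a raw HTTP/1.1 response into status code, header list and body."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = []  # (lower-cased name, value) pairs; Set-Cookie may repeat
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body


def audit_response(url, raw):
    """Return (check, detail) findings for the checklist items that one
    response can answer. An empty list means every check passed."""
    status, headers, body = parse_response(raw)

    def values(name):
        return [v for k, v in headers if k == name]

    findings = []
    if not url.lower().startswith("https://"):
        findings.append(("https", "page served over plain HTTP"))
    elif not values("strict-transport-security"):
        findings.append(("https", "no Strict-Transport-Security header"))
    for cookie in values("set-cookie"):
        pair, *attrs = [part.strip() for part in cookie.split(";")]
        name = pair.split("=", 1)[0]
        flags = {a.lower() for a in attrs}
        if "secure" not in flags:
            findings.append(("cookie-secure", f"{name} lacks Secure"))
        if "httponly" not in flags:
            findings.append(("cookie-httponly", f"{name} lacks HttpOnly"))
        if re.search(r"(?i)pass(word|wd)?|pwd", pair):
            findings.append(("password-in-cookie", f"{name} looks like a stored password"))
    for name in ("server", "x-powered-by"):
        for value in values(name):
            if re.search(r"\d+\.\d+", value):  # a version number in a banner
                findings.append(("server-info", f"{name} reveals version: {value}"))
    if status >= 500 and LEAK_PATTERN.search(body):
        findings.append(("error-leak", "error page exposes internal details"))
    if re.search(r"(?i)<title>\s*Index of /", body):
        findings.append(("dir-listing", "directory listing is enabled"))
    for tag in re.finditer(r"(?i)<input[^>]*type=[\"']?password[^>]*>", body):
        if not re.search(r"(?i)autocomplete=[\"']?off", tag.group(0)):
            findings.append(("autocomplete", "password field allows autocomplete"))
    return findings


if __name__ == "__main__":
    for finding in audit_response("http://app.example.internal/login", WEAK_RESPONSE):
        print(*finding, sep=": ")
```

The checks are deliberately conservative string matches; treat a clean result as "nothing obvious", not as a pass for the whole checklist.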

Penetration Testing Test Scenarios
1) Check if web application is able to identify spam attacks on contact forms used in the website.
2) Proxy server – Check if network traffic is monitored by proxy appliances. A proxy server makes it difficult for attackers to learn internal details of the network, thus protecting the system from external attacks.
3) Spam email filters – Verify that incoming and outgoing email traffic is filtered and unsolicited emails are blocked. Many email clients come with built-in spam filters which need to be configured to your needs. These configuration rules can be applied to email headers, subject or body.
4) Firewall – Make sure the entire network and all computers are protected with a firewall. A firewall can be software or hardware that blocks unauthorized access to a system. A firewall can prevent data being sent outside the network without your permission.
5) Try to exploit all servers, desktop systems, printers and network devices.
6) Verify that all usernames and passwords are encrypted and transferred over secured connection like https (SSL).
7) Verify information stored in website cookies. It should not be in readable format.
8) Verify previously found vulnerabilities to check if the fix is working.
9) Verify that there are no unexpected open ports in the network.
11) Verify all telephone devices.
12) Verify WIFI network security.
13) Verify all HTTP methods. PUT and Delete methods should not be enabled on web server .
14) Passwords should be at least 8 characters long, containing at least one number and one special character.
15) Usernames should not be like “admin” or “administrator”.
16) The application login page should be locked after a few unsuccessful login attempts.
17) Error messages should be generic and should not mention specific error details like “Invalid username” or “Invalid password”.
19) Verify that special characters, HTML tags and scripts are handled properly as input values.
20) Internal system details should not be revealed in any of the error or alert messages.
21) Custom error messages should be displayed to end user in case of web page crash.
22) Verify use of registry entries. Sensitive information should not be kept in registry.
23) All files must be scanned before uploading to server.
24) Sensitive data should not be passed in URLs when communicating between different internal modules of the web application.
25) There should not be any hard coded username or password in the system.
26) Verify all input fields with long input string with and without spaces.
27) Verify if reset password functionality is secure.
28) Verify application for SQL Injection.
29) Verify application for Cross Site Scripting.
31) Important input validations should be done at server side instead of JavaScript checks at client side.
32) Critical resources in the system should be available to authorized persons and services only.
33) All access logs should be maintained with proper access permissions.
34) Verify user session ends upon log off.
35) Verify that directory browsing is disabled on server.
36) Verify that all applications and database versions are up to date.
37) Verify URL manipulation to check if web application is not showing any unwanted information.
38) Verify memory leak and buffer overflow.
39) Verify if incoming network traffic is scanned to find Trojan attacks.
40) Verify if system is safe from Brute Force Attacks – a trial and error method to find sensitive information like passwords.
41) Verify if system or network is secured from DoS (denial-of-service) attacks. Hacker can target network or single computer with continuous requests due to which resources on target system gets overloaded resulting in denial of service for legit requests.
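Items 13, 16 and 17 above are the ones testers most often find half-done: PUT/DELETE left enabled, no lockout, and a login page that says "Invalid username" for one case and "Invalid password" for the other. The following is an added example, not code from the original checklist, showing a minimal login gate that gets all three right, next to the leaky version and the enumeration an attacker runs against it. The user table, salt, lockout threshold and lock duration are constructed for the demonstration.

```python
"""Login gate illustrating checklist items 13, 16 and 17.

Added example, not code from the original checklist. The user table, salt and
lockout numbers are constructed for the demonstration.
"""
import hashlib
import hmac
import time
from dataclasses import dataclass, field

# Item 13: the only verbs the web tier should accept; PUT/DELETE get a 405.
ALLOWED_METHODS = {"GET", "POST", "HEAD", "OPTIONS"}

# Item 17: one message for every failure, so the response never says which half was wrong.
GENERIC_FAILURE = "Invalid username or password"


def method_allowed(method):
    """True only for verbs in the allow list (case-insensitive)."""
    return method.upper() in ALLOWED_METHODS


def _hash(salt, password):
    """Salted SHA-256 keeps the sample self-contained; a real deployment
    would use a slow KDF such as scrypt or Argon2."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


# Constructed sample credential store: username -> (salt, salted hash).
SAMPLE_SALT = b"constructed-salt-value"
USERS = {"alice": (SAMPLE_SALT, _hash(SAMPLE_SALT, "correct horse battery"))}
# Dummy record hashed when the username is unknown, so timing does not differ.
_DUMMY = (SAMPLE_SALT, b"\x00" * 32)


def leaky_attempt(username, password):
    """The anti-pattern item 17 warns about: different messages for bad user vs bad password."""
    record = USERS.get(username)
    if record is None:
        return False, "Invalid username"
    if not hmac.compare_digest(_hash(record[0], password), record[1]):
        return False, "Invalid password"
    return True, "OK"


@dataclass
class LoginGate:
    """Item 16 (lockout after repeated failures) plus item 17 (generic errors)."""
    max_attempts: int = 5
    lock_seconds: int = 900
    _failures: dict = field(default_factory=dict)      # username -> consecutive failures
    _locked_until: dict = field(default_factory=dict)  # username -> unix time lock expires

    def attempt(self, username, password, now=None):
        now = time.time() if now is None else now
        # A locked account gets the same generic message: the lockout state
        # must not become a second username oracle.
        if self._locked_until.get(username, 0) > now:
            return False, GENERIC_FAILURE
        record = USERS.get(username)
        salt, stored = record if record is not None else _DUMMY
        ok = hmac.compare_digest(_hash(salt, password), stored) and record is not None
        if ok:
            self._failures.pop(username, None)
            return True, "OK"
        count = self._failures.get(username, 0) + 1
        self._failures[username] = count
        if count >= self.max_attempts:
            self._locked_until[username] = now + self.lock_seconds
            self._failures.pop(username, None)
        return False, GENERIC_FAILURE


def enumerate_users(candidates, attempt_fn):
    """Attacker's view of item 17: any name whose failure message differs from
    a name that certainly does not exist is a confirmed valid account."""
    baseline = attempt_fn("zz-no-such-user", "x")[1]
    return [name for name in candidates if attempt_fn(name, "x")[1] != baseline]


if __name__ == "__main__":
    print(enumerate_users(["alice", "bob"], leaky_attempt))        # ['alice']
    print(enumerate_users(["alice", "bob"], LoginGate().attempt))  # []
```

Run the module directly to see the contrast: the leaky handler confirms "alice" exists from the error text alone, while the gate gives the attacker nothing to distinguish on. Note that the gate also hashes a dummy record for unknown users so that response time does not leak what the message no longer does.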

How to Lock Firefox browser proxy settings and prevent domain users from bypassing the Network proxy

This blog post specifically covers locking the proxy settings in the Firefox web browser. The method prevents users from bypassing your network proxy/content filter. It has long been a cumbersome task for system admins and security engineers to stop domain users tampering with the proxy settings in Firefox: because Mozilla Firefox is not Microsoft software, it is not managed by AD Group Policy, the GPO proxy settings are never applied to Firefox, and users have a field day with an easy option to bypass the network proxy.

Vendors such as Websense have articles on making this work that require you to download and push a custom, third-party AD plugin, which may not go down well with experienced system admins or the security team.

The method depicted here requires no additional third-party tool or plugin.

To begin with, locate the Mozilla Firefox folder under "C:\Program Files (x86)\Mozilla Firefox". It is a multi-pronged process and you will need to prepare three plain-text configuration files: a .cfg, a .js and an .ini file.

Creating mozilla.cfg configuration file

Firstly, create a Notepad file with the following content (use straight ASCII quotes, not the curly quotes a web page or Word may paste)-

// Set Firefox Default homepage

// Disable default browser check
pref("", false);
pref("browser.startup.homepage_override.mstone", "ignore");

// Disable application updates
pref("app.update.enabled", false);

// Disable the 'know your rights' button from displaying on first run
pref("browser.rights.3.shown", true);

// Disable the request to send performance data from displaying
pref("toolkit.telemetry.prompted", 2);
pref("toolkit.telemetry.rejected", true);

// Set the default proxy settings (HTTP); lockPref, not pref, so the user cannot change them
lockPref("network.proxy.http", "");
lockPref("network.proxy.type", 1);
lockPref("network.proxy.no_proxies_on", "localhost,");
lockPref("network.proxy.share_proxy_settings", true);

Please note that this script has six sub-parts, namely-

  1. Set the default homepage
  2. Disable the default browser check
  3. Disable application updates
  4. Disable the 'know your rights' button from displaying on first run
  5. Disable the request to send performance data from displaying
  6. Set the default proxy settings (HTTP)

The syntax is crucial here: any mismatch (a missing semicolon, a curly quote instead of a straight one) will stop the whole configuration from loading. Firefox also ignores the first line of this file, so it must start with a comment line as above. Fill in your own proxy host in network.proxy.http (and its port in network.proxy.http_port, which the proxy needs as well), and keep in mind that only the lockPref() lines are locked; a pref() line merely sets a default the user can still change. Once the script is pasted into the Notepad file, save it as "mozilla.cfg" and place it in the parent directory "C:\Program Files (x86)\Mozilla Firefox".


Creating “override.ini” file

The second step is to create the override.ini file, which disregards the default Mozilla first-run flow. Create (or edit, if it already exists) override.ini in the sub-directory "C:\Program Files (x86)\Mozilla Firefox\browser" within the parent directory.

Again use Notepad to create or change override.ini; the content of the file should be as such-


Save the file in the same sub-directory "C:\Program Files (x86)\Mozilla Firefox\browser" with the .ini extension.



Creating “local-settings.js” file

The "local-settings.js" file is created in the same way with Notepad and stored in "C:\Program Files (x86)\Mozilla Firefox\defaults\pref". It is a small JavaScript preference file that Firefox reads at startup; it tells Firefox which AutoConfig file to load (mozilla.cfg) and that the file is stored in plain text rather than obscured (general.config.obscure_value set to 0), which is what ties the three files together. The contents of the local-settings.js file are as shown below-

pref("general.config.filename", "mozilla.cfg");
pref("general.config.obscure_value", 0);
pref("browser.rights.3.shown", true);

Once done, save it in “C:\Program Files (x86)\Mozilla Firefox\defaults\pref”.


Now you are ready to test it: close all instances of Firefox on the PC, log off, log back in as the user and test browsing in Firefox.

You can check the proxy settings by going to Firefox Menu > Options > Advanced > Network > Settings: the proxy settings will be greyed out and locked to your corporate proxy settings.



Now, to push it to all users/computers in your organization, create a package in SCCM with the three files and deploy it to the entire domain.

Note: I tested this method on a Windows 7 Professional SP1 machine with Mozilla Firefox version 40.0.3.
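Because a single bad character makes Firefox silently ignore the whole mozilla.cfg, and because a proxy pref written with pref() instead of lockPref() is exactly the bypass this procedure is meant to close, it is worth linting the file before it goes into the SCCM package. The script below is an added example, not part of the original post: it parses the pref calls, flags proxy prefs that are not locked, checks that the first line is a comment (Firefox skips it), and rejects curly quotes and an empty proxy host. The two sample configs are constructed from the prefs shown in the post; the proxy host and port in SAMPLE_GOOD are placeholder values.

```python
"""Lint a Firefox AutoConfig file (mozilla.cfg) before pushing it out.

Added example, not part of the original post. The sample configs below are
constructed from the prefs shown in the post; the proxy host and port in
SAMPLE_GOOD are placeholders, not real values.
"""
import re

PREF_CALL = re.compile(
    r'^\s*(pref|lockPref|defaultPref|clearPref)\s*\(\s*"([^"]+)"\s*,\s*(.*?)\s*\)\s*;\s*$'
)

# A pref() line only sets a default the user can change back in Options;
# everything that enforces the proxy must be a lockPref().
MUST_LOCK = {
    "network.proxy.type",
    "network.proxy.http",
    "network.proxy.http_port",
    "network.proxy.no_proxies_on",
    "network.proxy.share_proxy_settings",
}
REQUIRED = ("network.proxy.type", "network.proxy.http", "network.proxy.http_port")


def parse_cfg(text):
    """Return [(lineno, function, pref_name, raw_value)] for every pref call;
    comments and blank lines are skipped, anything else raises ValueError."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("//"):
            continue
        m = PREF_CALL.match(line)
        if m is None:
            raise ValueError(f"line {n}: not a valid pref call: {stripped}")
        entries.append((n, m.group(1), m.group(2), m.group(3)))
    return entries


def lint_cfg(text):
    """Return a list of findings; an empty list means the file is deployable."""
    findings = []
    lines = text.splitlines()
    # Firefox skips the first line of the AutoConfig file, so a pref placed
    # there silently never applies.
    if not lines or not lines[0].lstrip().startswith("//"):
        findings.append("line 1 must be a comment: Firefox ignores the first line of mozilla.cfg")
    if "\u201c" in text or "\u201d" in text:
        findings.append("curly quotes found (copy-paste artefact); use straight ASCII quotes")
    try:
        entries = parse_cfg(text)
    except ValueError as err:
        return findings + [str(err)]
    seen = set()
    for n, func, name, value in entries:
        seen.add(name)
        if name in MUST_LOCK and func != "lockPref":
            findings.append(f"line {n}: {name} uses {func}(); use lockPref() or users can change it")
        if name == "network.proxy.type" and value != "1":
            findings.append(f"line {n}: network.proxy.type is {value}; expected 1 (manual proxy)")
        if name == "network.proxy.http" and value in ('""', "''"):
            findings.append(f"line {n}: network.proxy.http is empty; fill in the proxy host")
    for name in REQUIRED:
        if name not in seen:
            findings.append(f"{name} is not set")
    return findings


# Constructed samples; host and port are assumed placeholder values.
SAMPLE_GOOD = """\
// mozilla.cfg: first line is a comment because Firefox skips it
lockPref("network.proxy.type", 1);
lockPref("network.proxy.http", "proxy.corp.example");
lockPref("network.proxy.http_port", 8080);
lockPref("network.proxy.no_proxies_on", "localhost,127.0.0.1");
lockPref("network.proxy.share_proxy_settings", true);
pref("app.update.enabled", false);
"""

SAMPLE_BAD = """\
lockPref("network.proxy.type", 1);
pref("network.proxy.http", "");
"""

if __name__ == "__main__":
    for label, cfg in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(label, lint_cfg(cfg) or "OK")
```

Running it prints OK for the first sample and four findings for the second: the first line is not a comment (so that lockPref never applies), the proxy host is set with pref() and is empty, and the port is missing. Run it over the real mozilla.cfg in the package before every deployment.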

Kali Linux “chroot” install on Android OS

Ola people! Thanks for the great response on my previous post for Kali install in an emulator environment.

I pen this blog to cover the alternate method of install, which in fact is the chroot install. So what is a chroot install? In layman's terms, it is running Kali Linux inside a chroot on a rooted Android device, sharing the Android kernel rather than emulating a whole PC. Getting Kali to run on the ARM platform has been tricky for quite some time until now. In this method, we will be using Linux Deploy to install/boot Linux on your Android device and a VNC client to access the GUI on the device.


1. Rooted Android device

2. SuperSU app on your Android device (can be found on the Play Store)

3. Linux Deploy

4. VNC client

What device have I used?

I'm using a rooted Samsung Note 3 running Android 4.4.2.

Easiest method to root your Android device:

Disclaimer: I’m not responsible for the damage to your device incurred during the rooting procedure.

KINGO Root is the real king when it comes to ease of rooting your Android device. Just go to, download and install the app, connect your Android device to the PC/laptop and follow the on-screen instructions.

Lets begin:

Once rooted, install the SuperSU app on your Android device; it is what grants superuser/root access to selected apps on your phone.

Install Linux Deploy and a VNC client on the phone.

Grant SU access to Linux Deploy through the SuperSU app.

Configuring Linux deploy:

The screenshots below show the configuration I have used on my phone.

Once done, start the installation in Linux Deploy. Please make sure you have a good internet connection for the Kali package download.

Congratulations! Kali Linux is now installed.
Now go to the VNC client and create a profile to access your Kali install; below is how you do it-

The username is "root", as set during the Linux Deploy configuration, and the default password is "toor". Change that default before the phone joins any Wi-Fi network: a chrooted VNC server with a known password is an open door to root on the device.


Start Kali and mount the drives.

Now connect using VNC and voila, Kali appears!


Alright, that is the job half done. What you have is the base install of Kali; you can upgrade to a full install or a selective install depending on your requirements.

Go to the terminal and run "sudo -s" and then "apt-get update".

To install the entire Kali tool set, run "apt-get install kali-linux -yq" or "apt-get install kali-linux-full -yq".

You might run into issues where space is a constraint, or the apt-get upgrade fails or takes exceptionally long because of internet speed, which can leave you with an interrupted package install. To fix it, run the following command-

"sudo dpkg --configure -a"; if that does not fix it automatically, run "sudo apt-get install -f" and then try "sudo dpkg --configure -a" again.

If all else is fine, the installation will complete in due time.
It takes quite some time for the install to complete, but you will see the Kali tools appearing.


Well my friends, you now have the ability to use Kali tools to test and exploit wireless networks, but what about wired networks? Would it not be amazing if you could use your phone to conduct full-fledged pentests and exploits? Hell yeah!!
Keep watching this space as my next post will cover exactly that!
Until then cheerios!


Industrial control systems security

Why SCADA security?

Numerous instances of security breaches and data exfiltration in SCADA/ICS environments the world over have caused more than a flutter; these attacks have come in quick succession, as if a string of beads had broken. There are numerous pathways into the supposedly isolated haven of a control systems environment.

Figure: pathways into control systems networks

Let us take a look at the highlights of this critical vertical and the ones that made headlines.

  • It was a Trojan program inserted into SCADA system software that reportedly caused a massive natural gas explosion along the Trans-Siberian pipeline in 1982. A newspaper reported that the resulting fireball yielded "the most monumental non-nuclear explosion and fire ever seen from space."
  • A former hacker interviewed by PBS Frontline advised that "penetrating a SCADA system that is running a Microsoft operating system takes less than two minutes."
  • Stuxnet, one of the most successful pieces of malware specifically targeting industrial control systems, compromised the centrifuges of the Iranian nuclear programme.
  • Stuxnet-related malware followed in succession in the form of Flame, Duqu, etc. The extent of the damage caused by these worms is still unknown, as the security vendors have yet to completely analyze them.
  • Chinese hackers working regular business-hours shifts stole sensitive intellectual property from energy companies for as long as four years using relatively unsophisticated intrusion methods, in an operation dubbed "Night Dragon," according to reports from security vendor McAfee.
  • Italian researcher Luigi Auriemma published 34 ICS vulnerabilities. The documentation includes a "Fix" section that simply reads "No Fix" for certain products, and exploit code is in the wild that will compromise systems running these vulnerable products.
  • Stuxnet resurfaced in the Russian nuclear programme, as reported in Nov 2013.
  • Hacktivist groups such as SEA, Anonymous and LulzSec are targeting the oil and gas industry, and country-wide alerts have been raised by oil and gas majors and governments to secure and constantly scrutinize their SCADA networks.
  • The NSA toolkit published by Der Spiegel consists of so-called "implant" items, such as Nightstand, an 802.11 wireless exploitation and injection tool, and Jetplow, a "firmware persistence implant" for taking over Cisco PIX and ASA firewalls.
  • Several key vulnerabilities have previously been discovered in Honeywell SCADA/ICS systems; for example, a vulnerability with a CVSS score of 7.5 was disclosed on May 21, 2012, and Honeywell took a year to release a patch for it.
  • A new vulnerability, CVE-2013-0108, was discovered in Honeywell industrial control systems (ICS) on March 12, 2013, continuing the growing trend of SCADA and building-control issues. Exploitation of this vulnerability could allow partial loss of availability, integrity and confidentiality, and it could be exploited remotely to affect systems deployed in the government facilities and commercial facilities sectors, as reported by security vendor Rapid7/Metasploit.

“The Risks involved in integrating SCADA with Business Network are numerous and it needs to be driven by a strong business need and justification.”

The challenges in securing ICS/DCS networks are numerous and daunting. The primary concern is the lack of personnel who understand control systems engineering and IT security at the same time; this mix is quite unique and rare.

Figure: control systems cyber security

The other concerns that remain are-

  • SCADA and ICS systems were not designed with security in mind.
  • It is not just about securing the PHD (process history database) servers but the entire ICS network.
  • A limited number of professionals with the right competency are available. IT needs to understand the control systems environment, and plant operations need to understand the IT perspective.
  • Collaboration and support from the professional community are still in their nascent stages.
  • Existing IT security infrastructure cannot simply be reused to secure ICS. There are multiple access points in ICS by design: radio, wireless, Fieldbus, etc.
  • It is difficult to implement or change anything on the ICS network without affecting real-time systems. Timelines, time-stamped data and availability are crucial.
  • Terminal devices have limited computing and memory resources.


How to run Kali linux on Android phone using PC emulator and kali mini ISO image

Being a Kali Linux user, this very topic caught my eye when I read a tweet by Nicolas Ibrahim saying that he was able to install Kali Linux on his Android phone using the Limbo PC emulator, unrooted. I looked on the web for a write-up on it and, having found nothing elaborate and useful, I accomplished it myself. Here is the detailed walk-through for your perusal. Have fun folks!

Before we begin, let me give you a heads up, this is a time consuming process.

The very first step in this project is to have an Android phone running OS 4.1+. Although I have read that Android 2.1+ is sufficient, I have used a Samsung Note 3 with the latest KitKat OS. It does not need to be rooted. Yes, you read that right: no root required.

Moving on, remember that the majority of Android phones on the market today are 32-bit devices and cannot run a 64-bit guest OS under the emulator, so the OS image needs to be 32-bit. Period.

We begin by downloading the appropriate ISO image from the official Kali Linux website, which you can find here- Please make sure you download the 32-bit version, listed as "Kali Linux 1.0.6 32 Bit Mini ISO", as shown below-

Next, we need a PC emulator for Android, and we choose the Limbo PC emulator. It is worth noting that it has been removed from the Google Play store, so you will have to look for alternative sources such as SourceForge (check the publisher and the file hash, since you are sideloading an APK from outside the store). Once it is downloaded and installed on your mobile device, you are ready for the real deal.

Run the Limbo PC emulator on your mobile device and configure it with the parameters shown in the figures below-

Make sure that the Kali Linux mini ISO image is saved/copied onto the mobile device, and point the CDROM option at the ISO image.


You will also need to allocate space for the hard disk; this is a single figure which will be split into swap and primary storage later. Set the network configuration to "User" to use the default adapter/settings of the mobile device. Leave the boot device at the default so that, after installation, it automatically boots from the hard disk.

No changes to the Advanced configuration.

"Start" the emulator and you will see the installation window.

The easiest way to proceed would be the auto install, but I suggest the manual install.

Sometimes there can be an issue with finding the right mirror for the download, but trial and error always wins. (For the latest mirror links, refer to the official Kali website.)

In most cases, though, the auto install will find the nearest available mirror and download the packages.

Packages being downloaded

Setting up the root account


Installation continues..

Starting up the partitioner..

Guided partitioning..

Auto allocation of disk space: it allots swap and ext partitions automatically, but you can change that manually as well.


Writing the partitions

A quick glance at the installer menu...



Almost there..

Congrats, you now have Kali Linux on your Android phone.

A couple of things to note:

1. You might face issues installing additional software packages, but don't be perturbed; remember that you can skip them and install them individually post-installation.

2. Once the installation is complete, if the machine does not boot automatically, go to your machine in the Limbo PC emulator and set the boot device to Hard disk.

3. If you face boot loader issues, you can skip that step and fix it manually at a later stage.

4. For additional troubleshooting, try tweaking the CPU settings, allocated RAM, etc.