FireEye today released Commando VM, which according to the company, is a “first of its kind Windows-based security distribution for penetration testing and red teaming.”

When it comes to the best-operating systems for hackers, Kali Linux is always the first choice for penetration testers and ethical hackers.

However, Kali is a Linux-based distribution, and using Linux without learning some basics is not everyone’s cup of tea as like Windows or macOS operating systems.

Moreover, if you are wondering why there is no popular Windows-based operating system for hackers? First, because Windows is not open-source and second, manually installing penetration testing tools on Windows is pretty problematic for most users.

To help researchers and cyber security enthusiasts, cybersecurity firm FireEye today released an automated installer called Commando VM.

But don’t get confused with its name. Commando VM is not a pre-configured snapshot of a virtual machine image with many tools installed on a Windows system. It’s not even a complete distribution.

Instead, Commando VM is an automated installation script that turns your Windows operating system, running on a virtual machine (VM) or even on the base system, into a hacking machine.

“It is possible to archive the same result if you run the install script on the base machine. However, we strongly discourage this behavior. Commando VM downloads additional offensive and red team tools on Windows. Many of these tools are flagged by windows defenders as malicious. Therefore, we disable many Windows security features. Running Commando VM on the host will leave it vulnerable, and therefore strongly discouraged,” FireEye researcher confirmed The Hacker News via an email conversation.

But, I have to mention that Commando VM is not the first of its kind.

Available since 2015, PentestBox is a similar open-source tool, running which automatically installs all the security tools as a software package directly on your Windows computer.

Developed by Indian security researcher Aditya Agrawal, PentestBox has been designed to eliminate the requirement of virtual machines or dual boot environments on Windows.

Commando VM release 1.0 includes two different set-ups, one works on Windows 7 Service Pack 1 and another for users running Windows 10 operating system.

Commando VM offers a smooth working environment by automatically installing more than 140 tools, including Nmap, Wireshark, Remote Server Administration Tools, Mimikatz, Burp-Suite, x64db, Metasploit, PowerSploit, Hashcat, and Owasp ZAP, on your Windows machine.

images from Hacker News

EXCLUSIVE — While revealing details of a massive supply chain cyber attack against ASUS customers, Russian security firm Kaspersky last week didn’t release the full list all MAC addresses that hackers hardcoded into their malware to surgically target a specific pool of users.

Instead, Kaspersky released a dedicated offline tool and launched an online web page where ASUS PC users can search for their MAC addresses to check whether they were in the hit list.

However, many believe it is not a convenient way for large enterprises with hundreds of thousands of systems to know if they were targeted or not.

List of MAC Addresses Targeted in ASUS Supply Chain Attack

To solve this and help other cybersecurity experts continue their hunt for related hacking campaigns, Australian security firm Skylight’s CTO Shahar Zini contacted The Hacker News and provided the full list of nearly 583 MAC addresses targeted in the ASUS breach.

“If information regarding targets exists, it should be made publicly available to the security community so we can better protect ourselves,” Skylight said in a post shared with The Hacker News.

“So, we thought it would be a good idea to extract the list and make it public so that every security practitioner would be able to bulk compare them to known machines in their domain.”

Skylight researchers retrieved the list of targeted MAC addresses with the help of the offline tool Kaspersky released, which contains the full list of 619 MAC addresses within the executable, but protected using a salted hash algorithm.

They used a powerful Amazon server and a modified version of HashCat password cracking tool to brute force 583 MAC addresses in less than an hour.

“Enter Amazon’s AWS p3.16xlarge instance. These beasts carry eight (you read correctly) of NVIDIA’s V100 Tesla 16GB GPUs. The entire set of 1300 prefixes was brute-forced in less than an hour.”

ASUS Hack: Operation ShadowHammer

It was revealed last week that a group of state-sponsored hackers managed to hijack ASUS Live automatic software update server last year and pushed malicious updates to over one million Windows computers worldwide in order to infect them with backdoors.

As we reported last week, Kaspersky discovered the attack, which it dubbed Operation ShadowHammer, after its 57,000 users were infected with the backdoored version of ASUS LIVE Update software.

images from Hacker News

If your online e-commerce business is running over the Magento platform, you must pay attention to this information.

Magento yesterday released new versions of its content management software to address a total of 37 newly-discovered security vulnerabilities.

Owned by Adobe since mid-2018, Magento is one of the most popular content management system (CMS) platform that powers 28% of websites across the Internet with more than 250,000 merchants using the open source e-commerce platform.

Though most of the reported issues could only be exploited by authenticated users, one of the most severe flaws in Magento is an SQL Injection vulnerability which can be exploited by unauthenticated, remote attackers.

The flaw, which does not have a CVE ID but internally labeled “PRODSECBUG-2198,” could allow remote hackers to steal sensitive information from the databases of vulnerable e-commerce websites, including admin sessions or password hashes that could grant hackers access to the admin’s dashboard.

Affected Magento versions include:

• Magento Open Source prior to 1.9.4.1
• Magento Commerce prior to 1.14.4.1
• Magento Commerce 2.1 prior to 2.1.17
• Magento Commerce 2.2 prior to 2.2.8
• Magento Commerce 2.3 prior to 2.3.1

Since Magento sites not only store users’ information but also contain order history and financial information of their customers, the flaw could lead to catastrophic online attacks.

images from Hacker News

Facebook has introduced a new feature in its platform that has been designed to make it easier for bug bounty hunters to find security flaws in Facebook, Messenger, and Instagram Android applications.

Since almost all Facebook-owned apps by default use security mechanisms such as Certificate Pinning to ensure integrity and confidentiality of the traffic, it makes it harder for white hat hackers and security researchers to intercept and analyse network traffic to find server-side security vulnerabilities.

For those unaware, Certificate Pinning is a security mechanism designed to prevent users of an application from being a victim of network-based attacks by automatically rejecting the whole connection from sites that offer bogus SSL certificates.

Dubbed “Whitehat Settings,” the new option now lets researchers easily bypass Certificate Pinning on the Facebook-owned mobile apps by:

• Disabling Facebook’s TLS 1.3 support
• Enabling proxy for Platform API requests
• Using user-installed certificates

“Choose not to use TLS 1.3 to allow you to work with proxies such as Burp or Charles which currently only support up to TLS 1.2,” Facebook says.

images from Hacker News

Beware! If you are using UC Browser on your smartphones, you should consider uninstalling it immediately.

Why? Because the China-made UC Browser contains a “questionable” ability that could be exploited by remote attackers to automatically download and execute code on your Android devices.

Developed by Alibaba-owned UCWeb, UC Browser is one of the most popular mobile browsers, specifically in China and India, with a massive user base of more than 500 million users worldwide.

According to a new report published today by Dr. Web firm, since at least 2016, UC Browser for Android has a “hidden” feature that allows the company to anytime download new libraries and modules from its servers and install them on users’ mobile devices.

Pushing Malicious UC Browser Plug-ins Using MiTM Attack

What’s worrisome? It turns out that the reported feature downloads new plugins from the company server over insecure HTTP protocol instead of encrypted HTTPS protocol, thus allowing remote attackers to perform man-in-the-middle (MiTM) attacks and push malicious modules to targeted devices.

images from Hacker News