Blue Mockingbird, a cryptocurrency-mining campaign, exploits web applications – Disposable mail news


Analysts at Red Canary, a cybersecurity firm, have discovered a Monero cryptocurrency-mining campaign that exploits a deserialization vulnerability, CVE-2019-18935, in public-facing web applications built on the ASP.NET web framework.

They named it “Blue Mockingbird”; it uses the deserialization vulnerability in Progress Telerik UI for ASP.NET AJAX, a front-end component library, to achieve remote code execution.
AJAX (Asynchronous JavaScript and XML) is a technique that lets scripts in a web page exchange data with the server and update the page in the browser without reloading it.

According to the National Vulnerability Database, CVE-2019-18935 lies in the RadAsyncUpload component; exploiting it requires knowledge of the encryption key, obtained by means of another attack or method.

The analysts traced the campaign back to December, with activity continuing through April. The attackers target unpatched versions of Telerik UI for ASP.NET in which the vulnerability has not been fixed, use it to deploy the XMRig Monero-mining payload, and then spread it through the network.

XMRig is open source and can be compiled into custom tooling, according to the analysts’ investigation. Red Canary has identified three distinct execution methods: execution with rundll32.exe explicitly calling the DLL export fackaaxv; execution using regsvr32.exe with the /s command-line option; and execution with the payload configured as a Windows Service DLL.

“Each payload comes compiled with a standard list of commonly used Monero-mining domains alongside a Monero wallet address,” state researchers at Red Canary in a writeup. “So far, we’ve identified two wallet addresses used by Blue Mockingbird that are in active circulation. Due to the private nature of Monero, we cannot see the balance of these wallets to estimate their success.”

To establish persistence, the Blue Mockingbird actors must first gain access and escalate their privileges, which they do using several techniques; for example, a JuicyPotato exploit to escalate from an IIS Application Pool Identity virtual account to the NT AUTHORITY\SYSTEM account. In another case, the Mimikatz tool (the official signed version) was used to obtain login credentials.

After obtaining these credentials and privileges, Blue Mockingbird used multiple persistence techniques, such as COR_PROFILER COM hijacking, to execute its DLL.

“To use COR_PROFILER, they used wmic.exe and Windows Registry modifications to set environment variables and specify a DLL payload,” the writeup explained.
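As an added example (not Red Canary’s code or tooling), the detection logic below runs over constructed process command lines and flags the three XMRig execution methods and the COR_PROFILER persistence described above; every DLL path, service name and CLSID in the sample is a placeholder, and COR_ENABLE_PROFILING is the companion .NET profiler variable that the writeup quoted here does not name.

```python
"""Detection logic for the Blue Mockingbird execution and persistence patterns
described above. Added example (not Red Canary's code): the log lines are
constructed to look like EDR/Sysmon process command lines, and every path,
service name and CLSID in them is a placeholder."""
import re
from typing import Callable, List, Tuple

# Constructed sample of process command lines (not real telemetry).
SAMPLE_LOG = [
    # Benign administrative activity that should not fire.
    r'regsvr32.exe C:\Windows\System32\scrrun.dll',
    r'rundll32.exe shell32.dll,Control_RunDLL',
    r'reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters /v ServiceDll /d %SystemRoot%\System32\w32time.dll /f',
    # Patterns from the writeup; DLL paths, service name and CLSID are placeholders.
    r'rundll32.exe C:\Windows\Temp\placeholder.dll,fackaaxv',
    r'regsvr32.exe /s C:\ProgramData\placeholder.dll',
    r'wmic.exe ENVIRONMENT create name="COR_PROFILER",username="<system>",VariableValue="{PLACEHOLDER-CLSID}"',
    r'reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v COR_ENABLE_PROFILING /d 1 /f',
    r'reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\placeholdersvc\Parameters /v ServiceDll /d C:\Windows\Temp\placeholder.dll /f',
]

# Locations where a legitimate Service DLL is normally expected to live.
SYSTEM32 = ("%systemroot%\\system32\\", "c:\\windows\\system32\\")


def service_dll_outside_system32(line: str) -> bool:
    """True when a ServiceDll value is being written that does not point into
    System32. Service DLLs are loaded by svchost.exe, so an unusual path is the
    signal for the 'payload as a Windows Service DLL' method."""
    m = re.search(r'/v\s+ServiceDll\b.*?/d\s+"?([^"\s]+)', line, re.I)
    if not m:
        return False
    return not m.group(1).lower().startswith(SYSTEM32)


def _regex(pattern: str) -> Callable[[str], bool]:
    compiled = re.compile(pattern, re.I)
    return lambda line: compiled.search(line) is not None


RULES: List[Tuple[str, Callable[[str], bool]]] = [
    ("rundll32 calling the fackaaxv export",
     _regex(r"\brundll32(?:\.exe)?\b.*\.dll\s*,\s*fackaaxv\b")),
    # Low fidelity on its own (installers also use /s); correlate with DLL path and parent.
    ("regsvr32 silent (/s) registration",
     _regex(r"\bregsvr32(?:\.exe)?\b.*\s/s\b")),
    ("COR_PROFILER environment variable set via wmic or the registry",
     _regex(r"\b(?:wmic|reg)(?:\.exe)?\b.*\bCOR_(?:ENABLE_PROFILING|PROFILER)\b")),
    ("ServiceDll value pointing outside System32", service_dll_outside_system32),
]


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line index, rule name) for every line that matches a rule."""
    findings = []
    for idx, line in enumerate(lines):
        for name, matches in RULES:
            if matches(line):
                findings.append((idx, name))
    return findings


if __name__ == "__main__":
    for idx, name in scan(SAMPLE_LOG):
        print(f"line {idx}: {name}\n    {SAMPLE_LOG[idx]}")
```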

To prevent threats like these that exploit known vulnerabilities, keeping web servers, web applications, and their dependencies patched is the best defence.


Temp Mails (https://tempemail.co/) is a new free temporary email address service. It provides you with random 10-minute email addresses. It is also known by names like temporary mail, disposable mail, throwaway email, one-time mail, and anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Hackers spy on corporate networks via email and FTP – Disposable mail news


Chinese security firm Qihoo 360 reported that since December 2019 a group of attackers has been hacking into DrayTek enterprise routers to record and spy on FTP (File Transfer Protocol) and email traffic inside corporate networks.

Netlab, the network security division of Qihoo, published a report saying it detected two different groups, each exploiting a zero-day vulnerability in DrayTek Vigor devices:

  • Attack Group A – targeting load-balancing routers, and
  • Attack Group B – targeting VPN gateways.

Qihoo did warn DrayTek about the zero-day vulnerability, but the message was sent to the wrong recipient and never reached DrayTek.

The company learned about the zero-days only after the Group B attacks in January and released patches on February 10. Although the attacked models are discontinued routers, DrayTek still released the patches as soon as it could.

Qihoo reported the attacked models as the DrayTek Vigor 2960, 3900, and 300B, and said that only about 10,000 active devices are running the vulnerable firmware version.

The Attack Groups

Of the two groups, Attack Group A is the more advanced.

It exploited a vulnerability in the RSA-encrypted login mechanism of DrayTek routers to inject malicious code through the username login field, giving the attackers control of the router.

The hackers could have used this access to launch DDoS attacks or worse, but instead they used the router as a spy device to record FTP and email traffic.

The recorded traffic was then uploaded to a remote server every Monday, Wednesday, and Friday at 00:00. ZDNet reports that the data was recorded to obtain the login credentials of FTP and corporate email accounts.

Qihoo named the second group “Attack Group B”.
It used a different zero-day vulnerability, first disclosed in a 26 January post on the Skull Army blog; the attackers picked it up from the blog and began exploiting it within two days.

ZDNet reports: “Per Qihoo, the hackers used this second zero-day to execute code on vulnerable DrayTek devices by exploiting a bug in the “rtick” process to create backdoor accounts on the hacked routers. What they did with those accounts remains unknown”.



Google rewards $100,000 bug bounty prize! – Disposable mail news


Google has awarded a $100,000 prize to Dutch researcher Wouter ter Maat under its Google Cloud Platform (GCP) programme for vulnerabilities found in Google Cloud Shell.

Ter Maat received the $100,000 award, Google’s very first annual Cloud Platform bug-bounty prize, for finding a clever container escape during his search for bugs.

Google also announced that it will be increasing the payouts for the annual Google Cloud Platform prizes in its Vulnerability Reward Programme (VRP).
It will award prizes to the top six vulnerability reports in GCP products submitted in 2020, with cash prizes of up to $313,337: first place wins $313,337 and sixth place receives $1,000.
To be eligible, bug hunters must submit a public write-up of no more than 31,337 words.

The Bug

Google Cloud Shell is an interactive shell environment for Google Cloud Platform. It is a Linux environment with a browser-based front end that lets administrators manage resources in Google Cloud Platform.

Ter Maat noticed several issues in Cloud Shell, including the way it interacts with resources and problems with authentication.

“When the Cloud Shell instance is done starting, a terminal window is presented to the user,” ter Maat wrote in his write-up published in December. “Noteworthy is the fact that the gcloud client is already authenticated. If an attacker is able to compromise your Cloud Shell, it can access all your GCP resources.”

After launching Cloud Shell, the researcher could connect to resources, and since very few processes were running he was able to enter a container, escape it, and gain access to the full host by examining the file system.
“I noticed that there were two Docker UNIX sockets available,” explained ter Maat. “One in ‘/run/docker.sock’, which is the default path for our Docker client running inside the Cloud Shell (Docker inside Docker); the second one in ‘/google/host/var/run/docker.sock.’”

“This second socket was revealed to be a host-based Docker socket, as indicated by its pathname. Anyone who can communicate with a host-based Docker socket can easily escape the container and gain root access on the host at the same time,” the researcher noted, adding that he could do that by just writing a quick script.

“After running it you will find that all containers inside the pod will automatically reboot. Now all containers run in privileged mode,” said ter Maat.

Researchers say that if malicious actors gain control of privileged containers, the possibilities for abuse are seemingly endless: they can inspect software and exploit its vulnerabilities, rewrite code, run coin miners and effectively hide them, and much more.



Government-backed hacking groups are attacking Microsoft Exchange Servers – Disposable mail news


Various government-backed hacking groups and APTs are targeting and exploiting a vulnerability in Microsoft Exchange email servers. The vulnerability was patched last month, in February 2020.

Volexity, a UK cybersecurity firm, was the first to discover these exploitation attempts on Friday, but it neither shared the names of the hacking groups nor commented further on the matter. It is rumoured that the groups are “the big players”, but nothing has been confirmed yet. The vulnerability is identified as CVE-2020-0688.

Microsoft released fixes for this on Feb 11 and asked system administrators to install them as soon as possible to ward off attacks.
After the release of the patch, things remained calm, only to escalate two weeks later when the Zero Day Initiative, which had reported the bug to Microsoft, published a detailed report on the vulnerability and how it worked.
Security researchers used this report to craft proof-of-concept exploits to test their own servers and create detection rules.

As soon as all this information became public and easily available, hackers started paying attention and took advantage of the vulnerability.

“On February 26, a day after the Zero-Day Initiative report went live, hacker groups began scanning the internet for Exchange servers, compiling lists of vulnerable servers they could target at a later date. First scans of this type were detected by threat intel firm Bad Packets,” reports ZDNet.

Volexity said these scans then turned into actual attacks.

APTs (“advanced persistent threats”), meaning state-sponsored hacking groups, were the first to exploit this bug.
Security researchers say the vulnerability could also become quite popular among ransomware attackers.

CVE-2020-0688 is not easy to exploit. Only skilled attackers can abuse it, since they need the credentials of an email account on the Exchange server; but that will not stop ransomware gangs and APTs, which are well versed in phishing campaigns and obtain credentials that way.

Companies and organizations that have suffered previous phishing and malware attacks are advised to apply the fix to their Exchange email servers as soon as possible.



Windows 10 Users Beware! TrickBot’s Prevalence and Delivery Escalate on Devices – Disposable mail news

Reports mention that attackers were recently found abusing the latest version of the “Remote Desktop ActiveX” control, which was developed for Windows 10.

Sources say that, as in many other campaigns, the abuse can cause the automatic execution of the “OSTAP” JavaScript downloader on the target’s system.

According to researchers’ analyses, the ActiveX control is used to automatically execute a malicious macro as soon as the target enables content in a document. Most of the documents contain images that encourage people to enable the content.

Per reports, the catch is that a hidden ActiveX control sits below the image, and the OSTAP downloader is disguised as white text, invisible to the eye but readable by the machine.

TrickBot attackers exploit people’s tendency not to install the latest software updates that would protect their systems.

TrickBot is among the most advanced malware families. Its numbers are increasing, and so is the threat to Windows 10 systems. Of late, researchers have uncovered more documents that execute the OSTAP JavaScript downloader.

It was also found that the TrickBot group was not the only one abusing the ActiveX control; other groups were misusing it as well.

According to sources, the victim documents followed the naming scheme “i.doc”. Almost every document contained an image meant to convince the reader to enable content. What the reader would not know is that a hidden ActiveX control sits below the image, with the OSTAP JavaScript downloader disguised as white text that only the machine reads.

Per sources, analysis of the ActiveX code revealed the use of the “MsRdpClient10NotSafeForScripting” class. The script is crafted so that the server field is left empty, which causes an error that the attackers then use to their advantage.

According to researchers, the event that triggers the macro is “_OnDisconnected”, which executes the main function. It does not fire instantly, because it takes time for the DNS lookup of the empty server name to fail and return an error.

OSTAP’s execution depends on the error number matching exactly “disconnectReasonDNSLookupFailed”; the wscript command that launches OSTAP is derived from that error-number computation.

wscript then executes the file’s own content. This is an old trick: Microsoft’s batch (BAT) interpreter ignores the ‘comments’, along with the content wrapped in them and the surrounding syntax, while execution is happening.

Once the JavaScript is edited to the attackers’ needs, the obfuscation scheme is applied again. Updating systems does not always help, but it is a prerequisite anyway.

A defence mechanism is paramount against OSTAP and the like. As technology advances with every passing minute, so do the number of attack techniques and attackers; hence keep systems updated and a tight security structure in place.




Reserve Bank of India Experiences a Technical Glitch; NEFT and RTGS Go Down for Half a Day! – Disposable mail news

Electronic money transfer has changed the way people transact, offering a far more convenient method that suits modern needs.

The most widely used mediums for transferring money between bank accounts in India are NEFT and RTGS. While NEFT has neither minimum nor maximum limits, RTGS is designed for larger sums, with 2 lakh being the minimum amount and 10 lakh the maximum per day.

Per reports, National Electronic Funds Transfer (NEFT) and Real-Time Gross Settlement (RTGS) were disrupted for more than half a day. The disruption began around Monday midnight.

Sources say this happened because of a technical glitch in the systems of the Reserve Bank of India. NEFT and RTGS have since been restored after 12 hours of inactivity.

Several reports say the issue allegedly arose at the Indian Financial Technology and Allied Services (IFTAS), an RBI-affiliated body, while the “disaster recovery site” was being moved from one location to another.

Sources say that NEFT transactions have now been restored. The previous day’s “end-of-day” RTGS transactions are being worked on to completion, but the “start-of-day” for RTGS has not begun yet. Still, the restoration of RTGS is expected soon.

The NEFT system was set up and is supported by the Institute for Development and Research in Banking Technology. People can now use it to transfer funds online 24×7, meaning holidays and weekends no longer get in the way and money can be transferred on any day at any time.

NEFT and RTGS are the most commonly used routes for online transfer of funds.

The former allows unlimited one-to-one transfers between individuals and corporates with an account at any bank branch in the country. The latter has the limits mentioned above and settles fund transfers continuously and in real time.



Hackers Attack IOTA’s Trinity Wallet, Company Shuts Down the Network – Disposable mail news


Hackers attacked IOTA’s cryptocurrency wallet and stole all the funds, exploiting a vulnerability in IOTA’s network.
The attack took place on 12 February 2020, and the company reported the incident via its official Twitter account. The tweet said that IOTA was investigating an attack on its Trinity wallet, and IOTA advised its users not to use or open the Trinity Wallet on their desktops until the case was resolved. According to the news, IOTA is working with cybersecurity experts and law enforcement agencies to get to the root of the problem that caused the cryptocurrency theft.

The company announced on its official website that, because of the theft of funds, it has temporarily shut down its ‘Coordinator’ node to protect users. The Coordinator acts as a final checkpoint that vouches for the safety of transactions on IOTA’s network.
According to the company, shutting down the Coordinator node is meant to prevent any further fraudulent transactions on IOTA’s network. IOTA says the hackers targeted high-value accounts first and then moved on to smaller ones, until the transactions were stopped by the Coordinator.

“The attack pattern analysis showed that the halt of the coordinator interrupted the attacker’s attempts to liquidate funds on exchanges,” said IOTA’s official website. “The stolen funds have been purposely and repeatedly merged and split to obfuscate the investigation, and with the current token exchange rate as well as exchanges’ KYC limits in mind. We received additional feedback from more exchanges (not all yet), confirming that none of the identified transactions has been received or liquidated.”

As of now, IOTA’s network is still not active, and the company is still investigating the issue.
Cybersecurity experts and members of the IOTA community say the hackers found a vulnerability in the Trinity wallet and were thus able to launch the attack. IOTA has not announced the amount stolen, but experts believe it to be around $1 million in IOTA coins or more.



120 Million Medical Records Leaked! Global Medical Report Sheds More Light. – Disposable mail news

Along with cybersecurity on your phone and other devices, you must make sure the hospital you go to has enough cyber-protection as well!

The audacity of cyber-criminals is escalating by the hour. As if stealing organizations’ data and freely selling famous tech giants’ data online wasn’t enough, hackers have now put the personal medical details of more than 120 million Indian patients on the internet, per sources.

With the leak, these personal medical records have also become available online for cyber-criminals to exploit.

A recent “Global Report” on the “Medical Data Leak” noted that the bulk of the enormous number of leaked records consisted of the affected patients’ X-rays, MRIs and CT scan images.

According to sources, the first such report was published by a German cybersecurity firm in October 2019. Based on the actions taken by various governments in response to the first report, the follow-up report sorted countries into the categories “good”, “bad” and “ugly”.

It may or may not come as a shock to many, but India was the “proud winner” of second place in the “Ugly” category, right after the United States of America.

As stated by the follow-up report, the state of Maharashtra ranks at the top by number of “data troves” (308,451 troves) available online, providing access to more than 69 million images.

Per sources, Karnataka is in second position with 182,865 data troves, providing access to more than 13 million images!

Researchers found that the number of data troves available online has risen exponentially, especially in India.

What exactly caused the leak is not widely known, but the first report clearly indicated that it stemmed from the servers of the “Picture Archiving and Communication Systems (PACS)”, where the leaked information is mostly stored.

The problem is likely that these servers are not as secure as they should be and are connected to the public internet, which makes them easily reachable.

This leak is really disconcerting because there is no telling who those patients are; they could be ANYONE, from ordinary people to big shots!
Beyond that, these medical records could enable threats like extortion and identity theft, and the list goes on.



Mobile Banking Malware On The Rise, 50% Hike In Attacks! WhatsApp a Dependable Medium? – Disposable mail news

According to studies, malware attacks rose by 50% in the past year and have known no bounds. The most common of all are malware that steal users’ financial data and bank funds.

Banking malware is on the rise in India. According to several sources, over 35% of organizations and institutions in India were affected by such attacks in 2019 alone.

Among the most common types of malware in India, alongside those that steal photographs and contact details from the phone, adware is a big name: it generates ads on your phone to make money for another party.

Another variant, less common in India, is malware that carries out surveillance on the target’s phone, tracks its GPS location and steals personal data. What’s more, it can even control the microphone and other phone functions.

What makes banking malware scary is its ability to steal data while the target is making payments on their phone. Unaware of any malicious activity, the user will have handed all their bank credentials to a cyber-criminal.

WhatsApp is becoming an accessory in banking malware operations. Despite the strong encryption of the chat app, hackers keep finding creative ways to exploit even the smallest of vulnerabilities.

In a recent zero-day vulnerability case, malware carried in a video-file message was transmitted as is onto the receiver’s device.

To make sure you don’t get malware installed on your device via WhatsApp, regularly clean out data and do not open any doubtful files or links.

Phishing attacks are another common tactic hackers use against users and their devices. Suspicious emails, if opened, can let hackers drop malware via the mailbox, and the attack then typically takes the target to a website that asks them to fill in their personal information.

Downloading apps from third-party stores or directly from the internet is a strict no! Do not open suspicious files, and treat every link and file with equal distrust. If you are not sure who the sender is, do not touch the file at all, whether it arrives by text message or by email.

Connecting to unauthorized or unknown Wi-Fi networks can also pose security issues. Using the lure of a free network, “man-in-the-middle” attacks can easily be launched.

Mobile phone security is as important as the security of your house or any other electronic device. There has to be a set of security measures in place that works if anything goes south.



Can you find a bug in Xbox Live? Microsoft will pay you, if you do! – Disposable mail news

Think you’re an expert at Xbox? Think you can find a bug in Xbox Live? Well, Microsoft might pay you some bucks.

Microsoft has launched an official bug bounty programme for the Xbox Live network in order to improve its services. Bug hunters will be paid up to $20,000, depending on the severity of the security issue, with payouts starting at $500.

In its bug bounty programme Microsoft is looking for serious security vulnerabilities, such as unauthorized code access, not connection problems. The programme covers a wide range of vulnerabilities but with strict restrictions: for example, it will not cover issues such as DDoS and URL redirects, and it disqualifies anyone who tries to phish or social-engineer Xbox users or engineers, or who moves laterally inside the Xbox network while searching for bugs.

Usually, security researchers gain the most from bug bounty programmes, but Microsoft has announced that anyone can submit bugs regardless of their background.

Chloé Brown, a programme manager at the Microsoft Security Response Center (MSRC), said in the blog post announcing the programme that submissions will need to include a proof of concept (POC).

“The Xbox bounty program invites gamers, security researchers, and technologists around the world to help identify security vulnerabilities in the Xbox network and services, and share them with the Microsoft Xbox team through Coordinated Vulnerability Disclosure (CVD). Eligible submissions with a clear and concise proof of concept (POC) are eligible for awards up to US$20,000.”

This is not Microsoft’s first bounty programme; it has earlier launched similar programmes for the Microsoft Edge browser, its “Windows Insider” preview builds, Office 365 and many others, with rewards up to $15,000. Its biggest remains the one for serious vulnerabilities in the company’s Azure cloud computing service, where security researchers can earn up to $300,000 for a very specific bug.

