How encryption can help protect your sensitive data – 10 minute mail

Here’s how encryption can help keep your data safe from prying eyes – even if your device is stolen or your cloud account is hacked

You probably store all kinds of sensitive information on your personal computer – or your smartphone, for that matter. For good measure, you may even store your data in the cloud. And like the responsible netizen that you are, you’ve probably secured access to your devices with a passphrase, a biometric lock or even a combination of both. That’s all well and good, but what if you lose your device or it is stolen? That’s where encryption comes in, adding an extra safeguard.

To be sure, encryption isn’t just limited to storing your data; you can also encrypt your communications and your web traffic, as well as your passwords. All of these can be considered best practices to secure your private data, and we’ll walk you through some of the choices you have.

Disk encryption

Most computers still have removable hard disks that aren’t soldered onto the motherboard; alternatively, as extra storage, people use external disks. That’s why having full-disk encryption is a great extra security layer; if you misplace your disk or it is stolen, then no one can access any of the information on it. The disk is fully encrypted, including all your data, your software and the operating system you’re running. Unless you can enter the key at boot-up, your whole computer essentially becomes quite an expensive paperweight. There are several commercial options with advanced features, open source projects and built-in options in most major operating systems.

When it comes to smartphones and tablets, the equivalent functionality to look for is device encryption, which is built into, and commonly enabled by default, on contemporary devices. There are many easily found online guides that explain checking for and, if necessary, enabling device encryption for Android or iOS devices.

Cloud encryption

Most of us use cloud storage for its ease of access – you can do it from anywhere at any time so long as you have an internet connection. Unfortunately, that accessibility introduces its own set of challenges. Over the years, cloud storage services have experienced security breaches, either due to human error or targeted attack by ne’er-do-wells. Therefore, encrypting your files before uploading them to the cloud should be a no-brainer.

Even if there is a breach or the cloud provider’s system is compromised, the data bad actors may obtain will be useless to them without the decryption key. You can choose from a variety of products based on your needs and the offered encryption features. Look at those that offer AES encryption at the very least. There are a number of free and commercial options, all with various limitations and a range of price options among the paid-for products and services.

Encrypt your web traffic

One of the easiest ways you start with is by setting up a Virtual Private Network (VPN), which works as an encrypted tunnel for internet traffic. Let’s say you’re working from a coffee shop and you are going to share some sensitive data with a client, a VPN will allow you to share that data over an encrypted network without anyone intercepting it. Another example is that you can securely access data stored on your home network even if you are physically on the other side of the globe. There are multiple types of VPNs to choose from and, if you’re not sure which one will suit your needs the best, you can check out our article on types of VPNs.

RELATED READING: Encryption 101: What is it? When should I use it?

Another way to protect your privacy involves using an anonymity network, such as Tor. The Tor network directs your traffic through a volunteer overlay network of relays and wraps it in multiple layers of encryption. The idea is, of course, to protect your identity and your browsing habits from anyone snooping around.

Another thing you should also always watch out for is that the website you’re accessing uses the HTTPS protocol. The S stands for secure and means that all the communication taking place between the visitor (you) and the webserver is encrypted. Most of the world’s top websites now use HTTPS by default.

Encrypt your messages

When it comes to messaging apps, you have a variety to choose from and while the most popular do offer end-to-end encryption, not all of them have it turned on by default. For example, to turn on end-to-end encryption in Facebook Messenger you have to start a secret conversation by clicking on the profile picture of the user and choosing “Go to secret conversation”; only after that do your messages with that specific recipient become encrypted. WhatsApp, for one, has the option turned on by default; so does Telegram, but it also provides an extra layer of security with its Secret Chat feature, which allows you to set self-destruct on the messages and files you send.

Signal remains one of the most highly rated options by cryptographers, due to its open-source code allowing extensive examination and easy auditing by area specialists. You can also encrypt your email communications as well, with the sender needing your public key to encrypt a message, so that only you can decrypt and read it using your private key, and you needing their public key so they can decrypt encrypted messages you send to them. Again, there are several options, with the most common being PGP or GPG, and S/MIME. There are several plug-ins for, or built-in options in, popular email apps. For example, Microsoft provides a handy guide on how to enable S/MIME in its Outlook email client.

Also worth considering is using a secure email platform, such as ProtonMail and others, that provides end-to-end email encryption. Some are “closed shop” in that you can only send encrypted emails to others using the service and “ordinary” emails to those with other providers, while some provide mechanisms to exchange encrypted messages regardless of the mail service of your interlocutors.

Encrypt your passwords

Password managers are a popular choice for people who don’t want to (or can’t) memorize all their passwords while refraining from recycling them. A password manager functions as a vault that stores all of your passwords: it is secured like a bank vault is, but in this case, it uses fiendish mathematics instead of steel-reinforced concrete.

Most of the cloud-based services keep a copy of your vault on their servers protected with heavy-duty encryption, and, for an extra layer of security, allow their users to use multi-factor authentication (MFA). It is a much more secure way to store your passwords than on sticky notes or docs in your computer or even using a one-password-fits-all solution.

Final thoughts

Although at first glance you may think that the number of things you can do to secure your digital existence is a bit overwhelming, but you should never underestimate the value of good cybersecurity measures securing your digital existence. As the old saying goes, an ounce of prevention is worth a pound of cure, and in the digital world that goes double. A responsible approach to securing your data today can save you from a huge migraine in the future.



Amer Owaida


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Apple Calls FBI Comments on Lack of Help Unlocking Florida Shooter’s iPhone an ‘Excuse to Weaken Encryption’

The United States FBI and Attorney General William Barr in January asked Apple to unlock the iPhones used in a mass shooting at a naval air station in Pensacola, Florida, a capability that Apple has said time and time again that it does not have.


Today, the FBI confirmed that it was able to access shooter Mohammed Alshamrani’s device, with FBI director Christoper Wray claiming that the FBI received “effectively no help” from Apple. Attorney general William Barr said it was a “great disappointment” that Apple refused to help investigators. From Barr:

“Apple has made a business and marketing decision to design its phones in a way that only the user can unlock the contents no matter what the circumstances. In cases like this, where the user is a terrorist, or in other cases where the user is a violent criminal, a human trafficker, a child predator, Apple’s decision has dangerous consequences for the public safety and the national security and is in my judgment unacceptable.”

Apple issued a statement in response, which was shared by Bloomberg‘s Mark Gurman. In the statement, Apple details the steps that it took to assist the FBI, providing iCloud backups, account information, and transactional information for multiple accounts just hours after the attack.

The terrorist attack on members of the US armed services at the Naval Air Station in Pensacola, Florida was a devastating and heinous act. Apple responded to the FBI’s first requests for information just hours after the attack on December 6, 2019 and continued to support law enforcement during their investigation. We provided every piece of information available to us, including ‌iCloud‌ backups, account information and transactional data for multiple accounts, and we let continuous and ongoing technical and investigative support to FBI offices in Jacksonville, Pensacola, and New York over the months since.

Apple went on to say that the comments made by Wray and Barr about the company’s lack of help are little more than an “excuse to weaken encryption.”

On this and many thousands of other cases, we continue to work around-the-clock with the FBI and other investigators who keep Americans safe and bring criminals to justice. As a proud American company, we consider supporting law enforcement’s important work our responsibility. The false claims made about our company are an excuse to weaken encryption and other security measures that protect millions of users and our national security.

It is because we take our responsibility to national security so seriously that we do not believe in the creation of a backdoor — one which will make every device vulnerable to bad actors who threaten our national security and the data security of our customers. There is no such thing as a backdoor just for the good guys, and the American people do not have to choose between weakening encryption and effective investigations.

Customers count on Apple to keep their information secure and one of the ways in which we do so is by using strong encryption across our devices and servers. We sell the same iPhone everywhere, we don’t store customers’ passcodes and we don’t have the capacity to unlock passcode-protected devices. In data centers, we deploy strong hardware and software security protections to keep information safe and to ensure there are no backdoors into our systems. All of these practices apply equally to our operations in every country in the world.

As it has done in multiple prior disputes with U.S. law enforcement officials, Apple reiterated that there is no such thing as a backdoor designed only for the good guys. Weakening encryption in Apple devices would leave them vulnerable to attack from malicious entities, which could compromise not only customer data, but also national security.

Apple says that customers can count on the company to keep their information secure with strong encryption, letting law enforcement officials know once again that it does not plan to budge from its position.

Note: Due to the political or social nature of the discussion regarding this topic, the discussion thread is located in our Political News forum. All forum members and site visitors are welcome to read and follow the thread, but posting is limited to forum members with at least 100 posts.


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Lucy: A File Encryption Android Malware that for Ransomware Operations – Disposable mail news


A malware that attacks Android smartphones has increased its Maas (malware-as-a-service) operations with file encryption capabilities to carry out ransomware attacks.

The malware, according to cybersecurity experts, is called “Lucy.” The Lucy gang is a group of Russian hackers who became famous two years ago by launching the Black Rose Lucy service, a malware that allowed Botnet attacks on android smartphones.

According to Checkpoint Research, “Because the Android accessibility service can mimic a user’s on-screen click, this is the crucial element for Black Rose to carry out malicious activities. Once the accessibility service is enabled, Black Rose can quickly shuffle through screens to grant itself device admin privileges.” 

The Lucy service allows its users to attach files on vulnerable devices, which ask for $500 as a ransom in the browser window. The message says that it comes from the FBI, and the user must pay the ransom because he is found guilty of storing adult content on his android smartphone.

The FBI note here aims to frighten the victims into paying the ransom to hackers. The hackers demanding payment from their victims based on legal consequences is blackmail, as it is entirely unethical. The victims are blackmailed for storing pornographic content and visiting adult websites.

To make the ransom more serious and believing, the hackers say that they have the victim’s photograph and location, which they have posted on the FBI’s criminal investigation website. The ransom should be paid within three days of the notification, if not, the penalty triples, says the message warning.

It may sound strange, but the hackers don’t demand cryptocurrency payments. Instead, they ask for credit card credentials, which is odd because, in most of the cases, the ransom is asked in terms of cryptocurrency as it is easy to cash in.

According to Check Point Research’s 2010 data, “The Black Rose dropper family samples we acquired disguise either as an Android system upgrade or image files. Samples primarily leverage Android’s accessibility service to install their payload without any user interaction and forge an interesting self-protection mechanism.


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Zoom Accused of Misleading Users With ‘End-to-End Encryption’ Claims

Zoom is facing fresh scrutiny today following a report that the videoconferencing app’s encryption claims are misleading.


Zoom states on its website and in its security white paper that the app supports end-to-end encryption, a term that refers to a way of protecting user content so that the company has no access to it whatsoever.

However, an investigation by The Intercept reveals that Zoom secures video calls using TLS encryption, the same technology that web servers use to secure HTTPS websites:

This is known as transport encryption, which is different from end-to-end encryption because the Zoom service itself can access the unencrypted video and audio content of Zoom meetings. So when you have a Zoom meeting, the video and audio content will stay private from anyone spying on your Wi-Fi, but it won’t stay private from the company.

As the report makes clear, for a Zoom meeting to be end-to-end encrypted, the call would need to be encrypted in such a way that ensures only the participants in the meeting have the ability to decrypt it through the use of local encryption keys. But that level of security is not what the service offers.

When asked by The Intercept to comment on the finding, a spokesperson for Zoom denied that the company was misleading users:

“When we use the phrase ‘End to End’ in our other literature, it is in reference to the connection being encrypted from Zoom end point to Zoom end point… The content is not decrypted as it transfers across the Zoom cloud.”

Technically, Zoom’s in-meeting text chat appears to be the only feature of Zoom that is actually end-to-end encrypted. But in theory, the service could spy on private video meetings and be compelled to hand over recordings of meetings to governments or law enforcement in response to legal requests.

Zoom told The Intercept that it only collects user data that it needs to improve its service – this includes IP addresses, OS details, and device details – but it doesn’t allow employees to access the content of meetings.

Last week, Zoom’s data sharing practices were criticized after it emerged that the service was sending data to Facebook without disclosing the fact to customers. The company subsequently updated the app to remove its Facebook log-in feature and prevent the data access.

Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

WildPressure targets industrial-related entities in the Middle East – 10 minute mail

In August 2019, Kaspersky discovered a malicious campaign distributing a fully fledged C++ Trojan that we call Milum. All the victims we registered were organizations from the Middle East. At least some of them are related to industrial sector. Our Kaspersky Threat Attribution Engine (KTAE) doesn’t show any code similarities with known campaigns. Nor have we seen any target intersections. In fact, we found just three almost unique samples, all in one country. So we consider the attacks to be targeted and have currently named this operation WildPressure.

The compilation timestamps for all these files is the same – March 2019. This is coherent with the fact that we registered no infections before May 31, 2019, so the compilation dates don’t seem to be spoofed. For their campaign infrastructure the operators used rented OVH and Netzbetrieb virtual private servers (VPS) and a domain registered with the Domains by Proxy anonymization service.

The malware uses the JSON format for configuration data and as a C2 communication protocol over HTTP as well. Inside the encrypted communications within the HTTP POST requests we found several interesting fields. One of them shows the malware version – 1.0.1. A version number like this indicates an early stage of development. Other fields suggest the existence of, at the very least, plans for non-C++ versions.

The only encryption implemented is the RC4 algorithm with different 64-byte keys for different victims. Also, the developers were kind enough to leave RTTI data inside the files. Kaspersky products detect this malware as Backdoor.Win32.Agent. For more information, please contact: [email protected]

Why we call it Milum and why it’s of interest

All the aforementioned C++ Trojans are compiled as standalone PE files, originally named Milum46_Win32.exe. The word ‘milum’ is used in the C++ class names inside the malware, so we named the Trojan after it.

Another distinctive characteristic is that the malware exports lots of zlib compression functions, such as zlibVersion(), inflate() or deflate(). This compression is needed for C2 communication, but in reality there is no need to export them in the case of a standalone application.

The JSON configuration fields are not limited to just the version and programming language; the campaign operators also use target IDs that are found in the samples. Among them, we found HatLandM30 and HatLandid3 – neither of which we are familiar with. The following table provides Milum samples that have similar PE header compilation timestamps but different target IDs:

Milum46_Win32.exe sample MD5 hash Timestamp (GMT) clientid
0C5B15D89FDA9BAF446B286C6F97F535 2019.03.09 06:17:19 839ttttttt
17B1A05FC367E52AADA7BDE07714666B 2019.03.09 06:17:19 HatLandid3
A76991F15D6B4F43FBA419ECA1A8E741 2019.03.09 06:17:19 HatLandM30

Rather than describing all the configuration fields one by one, we have gathered them together in the following table, with all the main characteristics for this malware family:

Programming language C++ with STL functions used mostly to parse JSON data and exception handling.
Configuration data Base64-encoded JSON data in PE resources. Includes timeouts, C2 URLs and keys for communication, including RC4 64-byte key.
Network protocol Trojan transmits compressed JSON data in HTTP POST requests with gzip, base64-encoded and RC4 encrypted.
Beacon data Encrypted JSON contains the malware version “1.0.1”, Epoch timestamp and client id. It also has specific fields such as “vt” and “ext” that correspond to programming language “c++” and file extension “exe”. If our hypothesis is correct, this suggests that non-C++ Trojan versions may be planned, if not already implemented.
Persistence HKCU autorun system registry keys Run and RunOnce.
Encryption The communication encryption used is RC4 with the 64-byte key stored in the configuration data.
Compression For compression the Trojan uses an embedded gzip code. For some reason gzip functions are exported from PE, although the samples are standalone executables, not DLLs.

Let’s dig a little deeper inside

The most popular sample in our telemetry was:

SHA256 a1ad9301542cc23a04a57e6567da30a6e14eb24bf06ce9dd945bbadf17e4cf56
MD5    0c5b15d89fda9baf446b286c6f97f535
Compiled     2019.03.09 06:17:19 (GMT)
Size   520704
Internal name       Milum46_Win32.exe

This application exists as an invisible toolbar window. The main malicious functions are implemented in a separate thread. Milum decodes its configuration data and, besides timeouts, it gets the parameters “clientid” and “encrypt_key” to use in RC4 encryption.

Example of the decoded and beautified configuration data. The “clientid” field differs in every sample observed

The following table describes the different configuration parameters:

Config parameter Parameter features
shortwait Pause in milliseconds between C2 communication working cycles
clientid Unique ASCII target name
encrypt_key RC4 encryption key for JSON-based C2 communications
relays – url Full URL to send HTTP POST beacon and GET commands
relays – key Unique ASCII key for each C2 to communicate with it

The operators can run the Trojan using the key (“b” or “B”) as the first argument and the file name as the second. In this case, Milum will delete the file sent as a parameter. Then the Trojan will create the C:ProgramDataMicappWindows directory and parse its configuration data to form the beacon to send to its C2.

To send the beacon, Milum uses the HTTP POST request with three parameters as enumerated in the table below.

Beacon parameter Parameter values
md Clientid from config, with prefix 01011 and random five-character ASCII suffix
nk Key from config to communicate with C2, differs for each server
val Compressed, encrypted and encoded command JSON data

The first two parameters are taken from the configuration data. The third one is encrypted and after decryption, decompression, decoding and beautifying, it looks like this:

Decoded and beautified JSON beacon to C2. In this case, the connection to the first server was unsuccessful

There are several fields worth mentioning here. We referred above to different programming languages besides C++: “vt” seems to reference a programming language and “ext” a file extension. The only reason that we could think of for keeping these is if the attackers have several Trojans, written in different languages, to work with the same control server.

Regarding the “command” field, the control servers were inaccessible at the time of the analysis, so we don’t have commands from them. However, we analyzed the command handlers in Milum’s code as described below:

Code Meaning Features
1 Execution Silently execute received interpreter command and return result through pipe
2 Server to client Decode received content in “data” JSON field and drop to file mentioned in “path” field
3 Client to server Encode file mentioned in received command “path” field to send it
4 File info Get file attributes: hidden, read only, archive, system or executable
5 Cleanup Generate and run batch script to delete itself
6 Command result Get command execution status
7 System information Validate target with Windows version, architecture (32- or 64-bit), host and user name, installed security products (with WQL request “Select From AntiVirusProduct WHERE displayName <>’Windows Defender’”)
8 Directory list Get info about files in directory: hidden, read only, archive, system or executable
9 Update Get the new version and remove the old one

Who was attacked?

According to our telemetry, the Milum Trojan was exclusively used to attack targets in the Middle East from at least the end of May 2019.

Number of detections for one of the samples from September 2019

We were able to sinkhole one of the WildPressure C2 domains (upiserversys1212[.]com) in September 2019. The vast majority of visitor IPs were also from the Middle East, and we believe the rest were network scanners, TOR exit nodes or VPN connections.

C2 domain sinkholing also shows active infections mostly from the Middle East

And who’s behind it?

To date we haven’t observed any strong code- or victim-based similarities with any known actor or set of activity. Their C++ code is quite common, regarding configuration data and communication protocol malware uses base64-encoded JSON-formatted configuration data stored in the binary’s resource section and parses it with Standard Template Library (STL) functions. However, these commonalities are not conclusive enough for attribution and our hypothesis is that they are merely coincidence. We would continue to monitoring this activity

To sum up

To date, we don’t have any data regarding Milum’s spreading mechanism. A campaign that is, apparently, exclusively targeting entities in the Middle East (at least some of them are industrial-related) is something that automatically attracts the attention of any analyst. Any similarities should be considered weak in terms of attribution, and are may simply be techniques copied from previous well-known cases. Indeed, this “learning from more experienced attackers” cycle has been adopted by some new interesting actors in recent years.

We should also be cautious regarding the true targeting of this new set of activities, as it is probably too soon to jump to conclusions. The targeted nature seems to be clear, but the targeting itself might be limited by our own visibility. The malware is not exclusively designed against any kind of victim in particular and might be reused in other operations.

Indicators of compromise

Files MD5
0C5B15D89FDA9BAF446B286C6F97F535
17B1A05FC367E52AADA7BDE07714666B
A76991F15D6B4F43FBA419ECA1A8E741
Original file names are Milum46_Win32.exe; on the target side they exist as system32.exe

URLs
upiserversys1212[.]com/rl.php
37.59.87[.]172/page/view.php
80.255.3[.]86/page/view.php


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

WildPressure targets industrial-related entities in the Middle East – 10 minute mail

In August 2019, Kaspersky discovered a malicious campaign distributing a fully fledged C++ Trojan that we call Milum. All the victims we registered were organizations from the Middle East. At least some of them are related to industrial sector. Our Kaspersky Threat Attribution Engine (KTAE) doesn’t show any code similarities with known campaigns. Nor have we seen any target intersections. In fact, we found just three almost unique samples, all in one country. So we consider the attacks to be targeted and have currently named this operation WildPressure.

The compilation timestamps for all these files is the same – March 2019. This is coherent with the fact that we registered no infections before May 31, 2019, so the compilation dates don’t seem to be spoofed. For their campaign infrastructure the operators used rented OVH and Netzbetrieb virtual private servers (VPS) and a domain registered with the Domains by Proxy anonymization service.

The malware uses the JSON format for configuration data and as a C2 communication protocol over HTTP as well. Inside the encrypted communications within the HTTP POST requests we found several interesting fields. One of them shows the malware version – 1.0.1. A version number like this indicates an early stage of development. Other fields suggest the existence of, at the very least, plans for non-C++ versions.

The only encryption implemented is the RC4 algorithm with different 64-byte keys for different victims. Also, the developers were kind enough to leave RTTI data inside the files. Kaspersky products detect this malware as Backdoor.Win32.Agent. For more information, please contact: [email protected]

Why we call it Milum and why it’s of interest

All the aforementioned C++ Trojans are compiled as standalone PE files, originally named Milum46_Win32.exe. The word ‘milum’ is used in the C++ class names inside the malware, so we named the Trojan after it.

Another distinctive characteristic is that the malware exports lots of zlib compression functions, such as zlibVersion(), inflate() or deflate(). This compression is needed for C2 communication, but in reality there is no need to export them in the case of a standalone application.

The JSON configuration fields are not limited to just the version and programming language; the campaign operators also use target IDs that are found in the samples. Among them, we found HatLandM30 and HatLandid3 – neither of which we are familiar with. The following table provides Milum samples that have similar PE header compilation timestamps but different target IDs:

Milum46_Win32.exe sample MD5 hash Timestamp (GMT) clientid
0C5B15D89FDA9BAF446B286C6F97F535 2019.03.09 06:17:19 839ttttttt
17B1A05FC367E52AADA7BDE07714666B 2019.03.09 06:17:19 HatLandid3
A76991F15D6B4F43FBA419ECA1A8E741 2019.03.09 06:17:19 HatLandM30

Rather than describing all the configuration fields one by one, we have gathered them together in the following table, with all the main characteristics for this malware family:

Programming language C++ with STL functions used mostly to parse JSON data and exception handling.
Configuration data Base64-encoded JSON data in PE resources. Includes timeouts, C2 URLs and keys for communication, including RC4 64-byte key.
Network protocol Trojan transmits compressed JSON data in HTTP POST requests with gzip, base64-encoded and RC4 encrypted.
Beacon data Encrypted JSON contains the malware version “1.0.1”, Epoch timestamp and client id. It also has specific fields such as “vt” and “ext” that correspond to programming language “c++” and file extension “exe”. If our hypothesis is correct, this suggests that non-C++ Trojan versions may be planned, if not already implemented.
Persistence HKCU autorun system registry keys Run and RunOnce.
Encryption The communication encryption used is RC4 with the 64-byte key stored in the configuration data.
Compression For compression the Trojan uses an embedded gzip code. For some reason gzip functions are exported from PE, although the samples are standalone executables, not DLLs.

Let’s dig a little deeper inside

The most popular sample in our telemetry was:

SHA256 a1ad9301542cc23a04a57e6567da30a6e14eb24bf06ce9dd945bbadf17e4cf56
MD5    0c5b15d89fda9baf446b286c6f97f535
Compiled     2019.03.09 06:17:19 (GMT)
Size   520704
Internal name       Milum46_Win32.exe

This application exists as an invisible toolbar window. The main malicious functions are implemented in a separate thread. Milum decodes its configuration data and, besides timeouts, it gets the parameters “clientid” and “encrypt_key” to use in RC4 encryption.

Example of the decoded and beautified configuration data. The “clientid” field differs in every sample observed

The following table describes the different configuration parameters:

Config parameter Parameter features
shortwait Pause in milliseconds between C2 communication working cycles
clientid Unique ASCII target name
encrypt_key RC4 encryption key for JSON-based C2 communications
relays – url Full URL to send HTTP POST beacon and GET commands
relays – key Unique ASCII key for each C2 to communicate with it

The operators can run the Trojan using the key (“b” or “B”) as the first argument and the file name as the second. In this case, Milum will delete the file sent as a parameter. Then the Trojan will create the C:ProgramDataMicappWindows directory and parse its configuration data to form the beacon to send to its C2.

To send the beacon, Milum uses the HTTP POST request with three parameters as enumerated in the table below.

Beacon parameter Parameter values
md Clientid from config, with prefix 01011 and random five-character ASCII suffix
nk Key from config to communicate with C2, differs for each server
val Compressed, encrypted and encoded command JSON data

The first two parameters are taken from the configuration data. The third one is encrypted and after decryption, decompression, decoding and beautifying, it looks like this:

Decoded and beautified JSON beacon to C2. In this case, the connection to the first server was unsuccessful

There are several fields worth mentioning here. We referred above to different programming languages besides C++: “vt” seems to reference a programming language and “ext” a file extension. The only reason that we could think of for keeping these is if the attackers have several Trojans, written in different languages, to work with the same control server.

Regarding the “command” field, the control servers were inaccessible at the time of the analysis, so we don’t have commands from them. However, we analyzed the command handlers in Milum’s code as described below:

Code Meaning Features
1 Execution Silently execute received interpreter command and return result through pipe
2 Server to client Decode received content in “data” JSON field and drop to file mentioned in “path” field
3 Client to server Encode file mentioned in received command “path” field to send it
4 File info Get file attributes: hidden, read only, archive, system or executable
5 Cleanup Generate and run batch script to delete itself
6 Command result Get command execution status
7 System information Validate target with Windows version, architecture (32- or 64-bit), host and user name, installed security products (with WQL request “Select From AntiVirusProduct WHERE displayName <>’Windows Defender’”)
8 Directory list Get info about files in directory: hidden, read only, archive, system or executable
9 Update Get the new version and remove the old one

Who was attacked?

According to our telemetry, the Milum Trojan was exclusively used to attack targets in the Middle East from at least the end of May 2019.

Number of detections for one of the samples from September 2019

We were able to sinkhole one of the WildPressure C2 domains (upiserversys1212[.]com) in September 2019. The vast majority of visitor IPs were also from the Middle East, and we believe the rest were network scanners, TOR exit nodes or VPN connections.

C2 domain sinkholing also shows active infections mostly from the Middle East

And who’s behind it?

To date we haven’t observed any strong code- or victim-based similarities with any known actor or set of activity. Their C++ code is quite common, regarding configuration data and communication protocol malware uses base64-encoded JSON-formatted configuration data stored in the binary’s resource section and parses it with Standard Template Library (STL) functions. However, these commonalities are not conclusive enough for attribution and our hypothesis is that they are merely coincidence. We would continue to monitoring this activity

To sum up

To date, we don’t have any data regarding Milum’s spreading mechanism. A campaign that is, apparently, exclusively targeting entities in the Middle East (at least some of them are industrial-related) is something that automatically attracts the attention of any analyst. Any similarities should be considered weak in terms of attribution, and are may simply be techniques copied from previous well-known cases. Indeed, this “learning from more experienced attackers” cycle has been adopted by some new interesting actors in recent years.

We should also be cautious regarding the true targeting of this new set of activities, as it is probably too soon to jump to conclusions. The targeted nature seems to be clear, but the targeting itself might be limited by our own visibility. The malware is not exclusively designed against any kind of victim in particular and might be reused in other operations.

Indicators of compromise

Files MD5
0C5B15D89FDA9BAF446B286C6F97F535
17B1A05FC367E52AADA7BDE07714666B
A76991F15D6B4F43FBA419ECA1A8E741
Original file names are Milum46_Win32.exe; on the target side they exist as system32.exe

URLs
upiserversys1212[.]com/rl.php
37.59.87[.]172/page/view.php
80.255.3[.]86/page/view.php


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Encryption Flaws Allow Hackers to Steal Vehicles without Leaving a Trace – Disposable mail news

New vulnerabilities were revealed earlier this week in the encryption frameworks utilized by immobilizers, the radio-enabled gadgets within cars that usually communicate at short range with a ‘key fob’ to easily unlock the car’s ignition and permit it to start as discovered by researchers from KU Leuven in Belgium and the University of Birmingham in the UK. 

Issues were particularly identified in Toyota, Hyundai, and Kia who utilize and further implement a Texas Instruments encryption system called DST80.

Aside from these, a couple of other influenced vehicles incorporate Camry, Corolla, and RAV4; Kia Optima, Soul, and Rio; the full rundown of vehicles that the researchers have found to have the cryptographic defects in their immobilizers is below:

In spite of the fact that the list likewise incorporates the Tesla S, the researchers announced the DST80 vulnerability to Tesla a year ago, and the company pushed out a firmware update that blocked the assault.

Toyota has affirmed that the cryptographic vulnerabilities the researchers discovered are genuine. 

Be that as it may, their technique likely isn’t as simple to pull off as the “relay” attacks that thieves have utilized over and overused to steal luxury cars and SUVs. Those, by and large, require just a couple of radio devices to expand the range of a key fob to open and start a victim’s vehicle. One can pull them off from a reasonable distance, even though the walls of a structure. 

The researchers built up their key cloning technique by purchasing an assortment of immobilizers’ electronic control units from eBay and reverse engineering the firmware to break down how they communicated with key fobs. They regularly saw it far as too simple to even consider cracking the secret value that Texas Instruments DST80 encryption utilized for authentication. 

Anyway, the issue lies not in DST80 itself however in how the carmakers implemented it: The Toyota fobs’ cryptographic key depended on their serial number, for instance, and furthermore openly transmitted that serial number when checked with an RFID reader. What’s more, Kia and Hyundai’s key fobs utilized 24 bits of randomness instead of the 80 bits that the DST80 offers, making their secret values simple to figure.

At the point when the affected carmakers and Texas Instruments were reached out for comments, Kia and Texas Instruments didn’t respond. 

Be that as it may, Hyundai noted in a statement that none of its affected models are sold in the US. Toyota reacted in an explanation that “the described vulnerability applies to older models, as current models have a different configuration.” 

In any case, the researchers have chosen to distribute their findings to uncover the genuine condition of immobilizer security and permit car owners to choose for themselves if it’s sufficient. Protective car owners with hackable immobilizers may choose, like whether or not to utilize a steering wheel lock or not.


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

KrØØk: Serious vulnerability affected encryption of billion+ Wi‑Fi devices – 10 minute mail

ESET researchers uncover a previously unknown security flaw allowing an adversary to decrypt some wireless network packets transmitted by vulnerable devices

ESET Research has published its latest white paper, KrØØk – CVE-2019-15126: Serious vulnerability deep inside your Wi-Fi encryption. This blogpost summarizes that white paper, authored by researchers Miloš Čermák, Robert Lipovský and Štefan Svorenčík. For more information, readers can also refer to our dedicated webpage.

ESET researchers discovered a previously unknown vulnerability in Wi-Fi chips and named it KrØØk. This serious flaw, assigned CVE-2019-15126, causes vulnerable devices to use an all-zero encryption key to encrypt part of the user’s communication. In a successful attack, this allows an adversary to decrypt some wireless network packets transmitted by a vulnerable device.

KrØØk affects devices with Wi-Fi chips by Broadcom and Cypress that haven’t yet been patched. These are the most common Wi-Fi chips used in contemporary Wi-Fi capable devices such as smartphones, tablets, laptops, and IoT gadgets.

Not only client devices but also Wi-Fi access points and routers with Broadcom chips were affected by the vulnerability, thus making many environments with unaffected or already patched client devices vulnerable anyway.

Our tests confirmed that prior to patching, some client devices by Amazon (Echo, Kindle), Apple (iPhone, iPad, MacBook), Google (Nexus), Samsung (Galaxy), Raspberry (Pi 3), Xiaomi (RedMi), as well as some access points by Asus and Huawei, were vulnerable to KrØØk. This totaled to over a billion Wi-Fi-capable devices and access points, at a conservative estimate. Further, many other vendors whose products we did not test also use the affected chipsets in their devices.

The vulnerability affects both WPA2-Personal and WPA2-Enterprise protocols, with AES-CCMP encryption.

Kr00k is related to KRACK (Key Reinstallation Attacks), discovered in 2017 by Mathy Vanhoef, but also fundamentally different. In the beginning of our research, we found KrØØk to be one of the possible causes behind the “reinstallation” of an all-zero encryption key, observed in tests for KRACK attacks. This followed our previous findings that Amazon Echo was vulnerable to KRACK.

We responsibly disclosed the vulnerability to chip manufacturers Broadcom and Cypress, who subsequently released updates during an extended disclosure period. We also worked with the Industry Consortium for Advancement of Security on the Internet (ICASI) to ensure that all potentially affected parties – including affected device manufacturers using the vulnerable chips, as well as any other possibly affected chip manufacturers – were aware of Kr00k.

According to our information, patches for devices by major manufacturers have been released by now. To protect yourself, as a user, make sure you have applied the latest available updates to your Wi-Fi-capable devices, including phones, tablets, laptops, IoT devices, and Wi-Fi access points and routers. As a device manufacturer, please inquire about patches for the KrØØk vulnerability directly with your chip manufacturer.

These findings were presented publicly for the first time at the RSA Conference 2020.

Special thanks to our colleagues Juraj Bartko and Martin Kaluznik, who greatly contributed to this research. We’d also like to commend Amazon, Broadcom, and Cypress for their good cooperation on dealing with the reported issues and ICASI for their assistance in informing as many of the impacted vendors as possible.



Miloš Čermák and Robert Lipovsky


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

What DNS encryption means for enterprise threat hunters – 10 minute mail

The dawn of the DNS over HTTPS era is putting business security and SOC teams to the challenge

In one way, the proliferation of domain name service (DNS) attacks throughout the world has helped to raise awareness about a deep problem in the “plumbing” of the internet. The infrastructure behind the DNS suffers from a lack of built-in security that is putting internet users at risk.

Decades of work on the Domain Name System Security Extensions (DNSSEC) specifications have been ongoing in a concerted effort to find a better way of securing the DNS while keeping it flexible enough for upscaling into enterprise, and even larger, networks. DNSSEC uptake, however, has been sluggish in most countries. Perhaps out of impatience for the incremental successes of DNSSEC, some have begun turning to new methods to secure DNS traffic, such as DNS over TLS (DoT), DNSCrypt, DNSCurve and, most recently, DNS over HTTPS (DoH).

Currently, we are witnessing a battle for control over the DNS with a push for securing the DNS over HTTPS. Since, traditionally, DNS requests and replies are sent in plain text, security operations center (SOC) teams overseeing corporate networks are able to monitor the domains being queried and block users from accessing malicious domains. Plain text DNS requests are certainly less private but intelligence from the DNS level has always been a critical data source for supervising the security of a network.

With the introduction of DoH, DNS requests are encrypted via the HTTPS protocol, thus hiding them from the easy purview of network defenders. Leaving aside other aspects of DoH, such as privacy and centralization of control over the internet, let’s discuss how the security of private and public networks is affected.

Loss of visibility challenges business security

For SOC teams, the negative effect of DoH is that it blindsides them to malware communication that can more easily masquerade as normal HTTPS traffic in the network. As DNS pioneer Dr. Paul Vixie emphasized in an interview with ESET Security Evangelist Tony Anscombe:

As a network operator…I need to see what my users and applications and devices are doing in DNS in order to know which one of them is an intruder, which one of them is malware, which one of them is part of a botnet, which one of them is a poisoned supply chain…I have to be able to see that in order to keep my network secure, and so anybody who comes along with a project like DNS over HTTPS that says ‘Yeah, we want to make it impossible for the network operator to interfere with DNS operations’, they don’t understand my life at all.

Malware often communicates to a command and control (C&C) server via HTTP and HTTPS – identified by the MITRE ATT&CK knowledge base as a standard application layer protocol technique. ESET Research, for example, observed PolyglotDuke – a then newly discovered downloader employed by the Dukes (APT29) in Operation Ghost – fetching C&C URLs from social media services such as Twitter and Reddit, and then contacting those C&C servers to drop the MiniDuke backdoor on victim computers.

As a means of hiding the malicious nature of this communication, the Dukes encoded the C&C URLs by using character sets from different languages, specifically Japanese, Cherokee, and Chinese – hence ESET dubbing this downloader as “PolyglotDuke”.

What if malware could hide its communication behind DoH? In fact, Proofpoint researchers found a new sextortion module update of the PsiXBot malware that uses Google’s DoH service to fetch C&C IP addresses, which allows attackers to hide the DNS query behind HTTPS. The Dukes and other threat actors could potentially expand their toolkits to use DoH, which would obviously help towards hiding C&C communications in the future from the eyes of IT administrators.

DNS encryption, while bringing some good, disables some of your protections. This affects primarily network-based security solutions, underscoring the importance of having a quality, multi-layered endpoint security solution in place.

Gaining visibility into malware communicating via encrypted DNS

SOC teams are well-advised to stay informed about the latest efforts of Mozilla, Google and others to provide DoH. In this way, IT admins can update the software and configurations of network traffic inspection devices to block access to new DoH services as they arise. Google, for example, offers DoH over certain stable addresses that admins can block at the firewall level.

Blocking or disabling known DoH services, however, is only a first step toward detecting malicious uses of encrypted DNS requests in your corporate network. More advanced SOC teams should be using an endpoint detection and response (EDR) tool that enables them to identify and capture malicious-looking DNS query events, among many other types of events, and to investigate connections to malicious C&C servers.

In terms of monitoring DoH traffic from Firefox and Chrome browsers, one way for SOC staff to maintain visibility is by installing custom security certificates on endpoints and routing browser traffic via a proxy. This would enable setting up a network traffic inspection solution that understands DoH, can conduct HTTPS inspection for inline decryption, inspection, logging, etc., and forward any events to an EDR tool for further analysis.

Note that while some browsers do check for pinned certificates, a locally installed security certificate can override the usual checks. Neither Firefox nor Chrome browsers at the time of this writing, however, are checking for pinned certificates.

There are other options for dealing with DoH. Similar to setting up internal DNS servers, enterprises can also set up internal DoH servers that allow for seeing all requests. Alternatively, DoH can simply be turned off, as Mozilla offers for their Firefox browser.

The technical solutions for addressing the security issues of the DoH protocol are varied. Going forward, what is crucial for the success of any SOC team is to learn to appreciate the increased capabilities that this new protocol can lend to malicious actors as well as its cascading effects on network security. In this way, a suitable security policy concerning the use of DoH can be set in place for your business and enforced by your SOC team.

Author: René Holt, PR content writer for ESET



Guest Writer


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.