Authentic8 Blog Author: Amir Khashayar Mohammadi

Amir Khashayar Mohammadi is a Computer Science and Engineering major who focuses on malware analysis, cryptanalysis, web exploitation, and other cyber attack vectors.

ActiveX Data Leaks: Making Bad (Non-) Browsers Worse

Outdated browsers and browser plugins. People use them, forget about them, they become outdated, and their machine gets compromised. It’s a story almost as old as the web browser. The problem is, people never learn and never update - or, in this case, get rid of the problematic plugin.

List of Plugins

Source: sploit.io

ActiveX, a framework native to Internet Explorer, was introduced in 1996. Still supported in Windows 10, it allows an attacker to steal data and fully take over the victim’s machine when that person visits a page that contains a particular set of scripts.

How relevant is this exploit in 2019? In an unscientific survey among software engineers about ActiveX and if it still played a role, we got answers like this, from Zachary S. in San Francisco: "I think it’s dead. I hope it’s dead. It should be killed if it’s not dead."

Unfortunately, it’s not. According to NetMarketShare ("Market share statistics for Internet

How Watering Hole Attacks Target the Financial Sector and Government Agencies

Websites of governments, regulatory bodies and financial authorities are preferred targets for "watering hole" attacks on finance, investment and compliance professionals. These online resources make it easy for attackers to target their victims. How do such attacks work?

*

Watering hole attack infographic

Source: GoldPhish

So-called watering hole (a.k.a. "water holing") attacks are probably the most economical of online exploits. Instead of identifying and tracking down individual targets one-by-one, the threat actors first research and identify a vulnerable website frequently sought out by key professionals in the targeted industry or organization.

In the second step, they install an exploit kit that may allow the attackers to target that site’s users even more selectively, for instance based on their IP number. Like lions hidden in the savannah grass, they then lay and lurk.

Once their prey shows up at the "water hole", the victim’s locally installed browser takes care of the rest. Because the browser is designed to indiscriminately fetch and execute code from

VPN & Privacy: What Nobody Told You

Large-scale privacy violations on the web have become commonplace. Social media platforms and app or service providers have been shelling out, some intentionally, others unintentionally, user data to third parties hand over fist.

While such incidents may have a numbing effect on some users, others take them as a reminder to seek better protection against surveillance and tracking threats on the internet. After all, service providers selling our data to third parties is not a new development. This post provides more in-depth background on how ISPs use VPN to spy on you.

Third parties taking advantage of VPN’s many flaws for nefarious purposes is so real that earlier this month, two U.S. senators (Ron Wyden and Marco Rubio) raised alarm in a bipartisan letter [PDF] to the director of the Department of Homeland Security’s new Cybersecurity and Infrastructure Security Agency (CISA), Christopher Krebs.

In the light of all this, what doesn’t cease to amaze me is how many

Quick Dissections: Collections 2 - 5

You’ve seen the headlines about a loot archive of stolen credentials called "Collection #1" that was leaked online in January. This collection contains 772,904,991 entries, one of the most significant credential leaks yet. The credentials are all stored within an email:cleartext_password format, making credential stuffing attacks relatively easy without having to worry about deciphering hashes.

As worrisome for potential targets as this can be, this post doesn’t deal with this particular pile of data (read Troy Hunt’s analysis of "Collection #1" leak here). Instead, I’ll take a closer look at why there’s a “#1” next to the collection name. While #1 is a massive heap of data, it’s only the tip of the proverbial iceberg. There are five collection archives in total, containing a total of 1TB worth of raw credential data waiting to be downloaded by attackers. So what’s in Collections 2 - 5?

What About Collections 2 - 5?