SANS Internet Storm Center - Cooperative Cyber Security Monitor
July 2, 2020

ISC Stormcast For Thursday, July 2nd 2020 https://isc.sans.edu/podcastdetail.html?id=7064, (Thu, Jul 2nd)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
July 2, 2020

Setting up the Dshield honeypot and tcp-honeypot.py, (Wed, Jul 1st)

After Johannes did his Tech Tuesday presentation last week on setting up Dshield honeypots, I thought I'd walk you through how I set up my honeypots. I like to combine the Dshield honeypot with Didier Stevens' tcp-honeypot so I can capture more suspicious traffic. Today, I'll walk you through my setup using a VM hosted by Digital Ocean, though the steps would work for pretty much any cloud provider.

I'm using Digital Ocean because you can set up a simple VM that is more than adequate as a honeypot for $5/mo. So, let's get to it.

First off, I'm going to create a new droplet (you may have to create a new project first). It is pretty straightforward.

As you can see, that gets you a VM with 1 processor and 1GB of RAM, but that will be plenty. Next, you get to choose which datacenter you want this VM running in. For this exercise, I'm choosing London, but my next one might be Bangalore or Singapore or Toronto (you know how those Canadians are).

There are a few more decisions you need to make. I highly recommend that you upload an ssh public key rather than setting a root password. Once you've done all that, hit the button to create your VM and wait until it comes back with the public IP of said new VM.

Now, from wherever you intend to administer the VM, run slogin root@<ip of your VM>. One of the first things I would do (assuming you used a public key) is to edit /etc/ssh/sshd_config and change PermitRootLogin to without-password, which enforces key-only root logins (don't get me started on what a poor choice of name that is; OpenSSH 7.0 and later also accept the clearer synonym prohibit-password, and without-password is kept as a deprecated alias). From this point on, I'll mostly follow the instructions found on github for installing the Dshield honeypot on Ubuntu. Note that I can skip the step about installing openssh-server, since it is already there by default. Before installing the honeypot, let's get the system current on patches:

# apt update && apt full-upgrade -y && init 6

So, we're now up to date on patches. Personally, there are a few other things I add at this point to help me administer the honeypot, like installing aide and apticron. I also tweak the settings for unattended-upgrades and modify /etc/postfix/main.cf to set the inet_interfaces line to loopback-only, but we have a reasonably minimal system at this point. Next we'll get the install script from github (git is also already installed) and actually install the Dshield honeypot.

Then you can run dshield/bin/install.sh to do the actual install. There are a couple of things to watch out for during the install. First, make sure you include the IP of the system from which you plan to administer the honeypot in the 'local' IPs; trust me, I've locked myself out more than once by forgetting that, so learn from my mistakes. Second, I'm going to set this honeypot to manual update, for reasons I'll explain below. Otherwise, I pretty much just take the defaults and paste in my e-mail and API key from my account page at isc.sans.edu. At this point, you should have a working Dshield honeypot, but as I mentioned above, I want to add another honeypot tool.

I've become a big fan of Didier Stevens' tcp-honeypot-3.py (he's going to rename it when he officially releases it sometime soon-ish, because it can also do UDP), but I'm using the 0.1.0 version from Feb 2020. He appears not to have checked it into his github beta repo yet, so if you want to play with the version I'm using, you could contact me or just wait for Didier's official release whenever that happens. I've actually made two minor modifications to the 0.1.0 version: the first is that I make it log to /var/log/tcp-honeypot-3/, and the second is that I fixed the logging so that it shows src-dst rather than dst-src. The latter fix Didier has already incorporated, and I expect he'll have a way of doing the former by the time he releases.

I've also created a systemd unit file (no, I don't want to get into the religious wars about how good or awful systemd is; it is what all the Linux distros are going with, so that is what I'm using to make sure the tcp-honeypot starts up with the system). Again, I've shared it with Didier, but if you want to play with it now, I've temporarily put it up on my own github (though I will probably remove it if Didier includes it with his release); you can find it here.

So, now I have both the Dshield honeypot and tcp-honeypot on the system, but the tcp-honeypot isn't actually capturing anything. The problem is that the Dshield honeypot controls the iptables rules, so we'll need to modify those rules to allow traffic through to the tcp-honeypot. The reason I set the Dshield honeypot to manual updates is that any update to the Dshield honeypot would wipe out these changes to the iptables rules. Johannes is working on an update to allow "local" iptables rules to persist, so at some point I'll be able to turn auto update back on. He's also working on handling IPv6 (which the current version of the honeypot disables completely on your VM). No pressure, Johannes, now that others know you are working on it there's no pressure to get it done soon. :-)

With the systemd unit file properly placed into /etc/systemd/system/, I can run 

# systemctl enable tcp-honeypot && systemctl start tcp-honeypot 

Now, let's see what is listening on my honeypot. I'll quickly run lsof -Pni and get the following:

So, the python3 lines are the tcp-honeypot, and the ones running as the cowrie user are the standard Dshield honeypot processes. I need to update the iptables rules to allow traffic through to the tcp-honeypot. I could do this in a couple of ways, but ultimately we need to remember that the rules the Dshield honeypot installed are located in /etc/network/iptables. So, we could modify that file and then run iptables-restore < /etc/network/iptables. I actually chose to first run iptables-save > /etc/network/iptables, just to make sure there was no difference between that file and what was live on the system. Then I added the two rules in the green box below to allow traffic through to the ports tcp-honeypot is listening on, and then ran the iptables-restore < /etc/network/iptables mentioned above. This way, I was reasonably certain I wouldn't lock myself out in the process.
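The two things that matter in that step are that the new ACCEPT rules land in the *filter table ahead of the DROP policy, and that the rule allowing the admin host survives, or you lock yourself out. The script below is an added example (not from the diary and not part of the DShield installer): it edits an iptables-save style file as text, inserts the honeypot ACCEPT rules idempotently, and refuses to run iptables-restore if no rule accepts the admin IP. The file layout in SAMPLE_RULES, the admin IP 203.0.113.10, the management port 12222 and the honeypot ports are all assumptions made up for the example.

```python
# Added example (not from the diary): edit the DShield-managed iptables file as
# text so tcp-honeypot ports are reachable, and refuse to load a rule set that
# would lock the admin host out. The rules-file layout below is an assumption
# (iptables-save format, *filter INPUT policy DROP, an admin rule of the form
# "-A INPUT -s <ip>/32 ... -j ACCEPT"); it is not the DShield installer's file.
import re
import subprocess
from typing import Iterable, List


def honeypot_rule(proto: str, port: int) -> str:
    """ACCEPT rule for one tcp-honeypot listener; same shape for tcp and udp."""
    return f"-A INPUT -p {proto} -m {proto} --dport {port} -j ACCEPT"


def add_honeypot_rules(rules: str, proto: str, ports: Iterable[int]) -> str:
    """Return RULES with an ACCEPT for each port inserted just before the
    *filter table's COMMIT line. Idempotent: rules already present are skipped."""
    lines: List[str] = rules.splitlines()
    wanted = [honeypot_rule(proto, p) for p in ports
              if honeypot_rule(proto, p) not in lines]
    if not wanted:
        return rules
    out: List[str] = []
    table = None
    for line in lines:
        if line.startswith("*"):
            table = line                      # "*nat", "*filter", ...
        if line == "COMMIT" and table == "*filter":
            out.extend(wanted)                # ahead of the DROP policy
        out.append(line)
    return "\n".join(out) + "\n"


def admin_ip_allowed(rules: str, ip: str) -> bool:
    """True if some INPUT rule accepts traffic sourced from IP (with or without /32)."""
    pat = re.compile(rf"^-A INPUT .*-s {re.escape(ip)}(/32)? .*-j ACCEPT$", re.M)
    return pat.search(rules) is not None


def filter_rules_for_port(rules: str, port: int) -> List[str]:
    """Lines of the *filter table that carry --dport PORT (nat redirects excluded)."""
    in_filter, hits = False, []
    for line in rules.splitlines():
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif in_filter and f"--dport {port} " in line:
            hits.append(line)
    return hits


def apply_rules(path: str, admin_ip: str) -> None:
    """Load PATH with iptables-restore, but only if the admin host stays allowed.
    Needs root and a real iptables, so it is not exercised in the demo below."""
    with open(path) as fh:
        rules = fh.read()
    if not admin_ip_allowed(rules, admin_ip):
        raise RuntimeError(f"refusing to load {path}: no ACCEPT rule for {admin_ip}")
    subprocess.run(["iptables-restore"], input=rules.encode(), check=True)


# Constructed stand-in for /etc/network/iptables, not the real DShield rule set.
SAMPLE_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 2222
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 12222 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    new = add_honeypot_rules(SAMPLE_RULES, "tcp", [23, 8080])
    new = add_honeypot_rules(new, "udp", [5060])
    print(new)
    print("admin still allowed:", admin_ip_allowed(new, "203.0.113.10"))
```

Running it twice with the same ports leaves the file unchanged, which is what you want when you re-run the step after adding one more listener; the admin check is the guard the diary's "lock myself out" warning is about.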

And there you have it. My honeypot is now more flexible, with both the standard Dshield honeypot and Didier's tcp-honeypot. Now if I see strange spikes in traffic to unknown ports, I can have tcp-honeypot listen on that port, update the appropriate rule above (for TCP or UDP), do the iptables-restore, and I'll have a log where I can look at that traffic and hopefully figure out what the attackers are looking for.

I hope you found this useful, if you have questions or suggestions, feel free to comment here or e-mail me.

---------------
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu

July 1, 2020

Elastalert with Sigma, (Wed, Jul 1st)

A couple of weeks ago, Remco wrote a post about Sigma(1). I’ve also been spending a good bit of time setting up Elastalert rules with Sigma and wanted to expand on his great post. We are going to set up an elastalert rule for sigma_zeek_smb_converted_win_atsvc_task(2).

 

Convert Rule

sigmac -t elastalert -c ./elastic_schema_config_file.yml /tmp/sigma/rules/sigma_zeek_smb_converted_win_atsvc_task >>/etc/elastalert/rules/sigma_zeek_smb_converted_win_atsvc_task.yml


 

Let's see what this rule is doing.

This rule looks at bro_smb_files events where the share path is IPC$ and the file (named pipe) name is atsvc, the AT scheduler service pipe used for remote task creation.

 

alert:
- debug
description: Detects remote task creation via at.exe or API interacting with ATSVC namedpipe
filter:
- query:
    query_string:
      query: (event_type:"bro_smb_files" AND path.keyword:\\*\\IPC$ AND name:"atsvc")
index: '*:logstash-bro-*'
name: f6de6525-4509-495a-8a82-1f8b0ed73a00_0
priority: 3
realert:
  minutes: 0
type: any
query_key: ["source_ip", "destination_ip"]


 

Test it

On Security Onion there is a built-in command called so-elastalert-test.

#sudo so-elastalert-test -r /etc/elastalert/rules/sigma_zeek_smb_converted_win_atsvc_task.yml

 

1. Is the query running too slow?

2. Is it looking at the right data?

3. Are the results as expected?

 

elastalert_status - {'rule_name': '66a0bdc6-ee04-441a-9125-99d2eb547942_0', 'endtime': datetime.datetime(2020, 5, 29, 14, 51, 13, 474764, tzinfo=tzutc()), 'starttime': datetime.datetime(2020, 5, 28, 14, 51, 13, 474764, tzinfo=tzutc()), 'matches': 0, 'hits': 183990, '@timestamp': datetime.datetime(2020, 5, 29, 14, 53, 2, 609529, tzinfo=tzutc()), 'time_taken': 109.09370565414429}

 

If you are not getting any hits for the rule, expand the search window to see whether you have any true/false positives. On Security Onion, call the rule test manually and use the --days option.

 

#docker exec -it so-elastalert bash -c 'elastalert-test-rule /etc/elastalert/rules/sigma_zeek_smb_converted_win_atsvc_task.yml --days 25'

 

You may have false positives from your administrators' desktops talking to other systems, and you will need to adjust the alert so it does not match on these IPs. Once you are happy with the results, we need to add it to our alert/IR platform. In this case, we are going to send it to TheHive.
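To make the filter and the query_key grouping concrete, here is the rule's logic evaluated in plain Python over a handful of constructed Zeek smb_files records, together with the administrator-desktop exclusion described above. This is an added example, not code from the diary, the Sigma project or Elastalert; the field names follow the converted rule, while the events, IP addresses and the ADMIN_HOSTS set are invented for the demonstration.

```python
# Added example (not from the diary or the Sigma project): the converted rule's
# filter evaluated in Python over constructed Zeek smb_files records, grouped by
# the rule's query_key and with an exclusion list for known administrator desktops.
# Field names follow the converted rule; the events, IPs and ADMIN_HOSTS are made up.
import fnmatch
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

ADMIN_HOSTS = {"10.0.0.5"}   # assumed: desktops that legitimately schedule tasks remotely


def matches_atsvc_rule(ev: dict) -> bool:
    r"""event_type:"bro_smb_files" AND path.keyword:\\*\\IPC$ AND name:"atsvc".
    The path wildcard matches a share path of the UNC form \\host\IPC$; the
    name field is an analyzed (case-insensitive) match in Elasticsearch."""
    return (
        ev.get("event_type") == "bro_smb_files"
        and fnmatch.fnmatchcase(ev.get("path", ""), r"\\*\IPC$")
        and ev.get("name", "").lower() == "atsvc"
    )


def run_rule(events: Iterable[dict]) -> Dict[Tuple[str, str], List[dict]]:
    """Matching events grouped by query_key (source_ip, destination_ip), so one
    alert covers the open/read/close events of a single at.exe session."""
    groups: Dict[Tuple[str, str], List[dict]] = defaultdict(list)
    for ev in events:
        if matches_atsvc_rule(ev):
            groups[(ev["source_ip"], ev["destination_ip"])].append(ev)
    return dict(groups)


def alerts(events: Iterable[dict],
           exclude_sources=frozenset(ADMIN_HOSTS)) -> List[Tuple[str, str]]:
    """Alert keys after dropping known administrator sources (false-positive tuning)."""
    return sorted(k for k in run_rule(events) if k[0] not in exclude_sources)


# Constructed events in the shape the converted rule expects (not real traffic).
SAMPLE_EVENTS = [
    # remote at.exe from an unknown host: open and close of the atsvc pipe
    {"event_type": "bro_smb_files", "source_ip": "10.0.0.77", "destination_ip": "10.0.0.20",
     "path": r"\\10.0.0.20\IPC$", "name": "atsvc", "action": "SMB::FILE_OPEN"},
    {"event_type": "bro_smb_files", "source_ip": "10.0.0.77", "destination_ip": "10.0.0.20",
     "path": r"\\10.0.0.20\IPC$", "name": "atsvc", "action": "SMB::FILE_CLOSE"},
    # admin desktop doing the same: matched by the rule, suppressed by the exclusion
    {"event_type": "bro_smb_files", "source_ip": "10.0.0.5", "destination_ip": "10.0.0.21",
     "path": r"\\10.0.0.21\IPC$", "name": "atsvc", "action": "SMB::FILE_OPEN"},
    # other pipes, other shares, other event types: not matched
    {"event_type": "bro_smb_files", "source_ip": "10.0.0.77", "destination_ip": "10.0.0.20",
     "path": r"\\10.0.0.20\IPC$", "name": "srvsvc"},
    {"event_type": "bro_smb_files", "source_ip": "10.0.0.77", "destination_ip": "10.0.0.20",
     "path": r"\\10.0.0.20\C$", "name": "atsvc"},
    {"event_type": "bro_conn", "source_ip": "10.0.0.77", "destination_ip": "10.0.0.20",
     "path": r"\\10.0.0.20\IPC$", "name": "atsvc"},
]

if __name__ == "__main__":
    for src, dst in alerts(SAMPLE_EVENTS):
        print(f"Sigma Remote Task Creation via ATSVC Named Pipe {src} -- {dst}")
```

Note that the exclusion is applied on the grouped keys rather than on the raw events, which mirrors where Elastalert's query_key puts the decision; in the real rule the same effect is obtained by adding a NOT clause for the admin IPs to the query_string.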

 

At the bottom of sigma_zeek_smb_converted_win_atsvc_task.yml, add the TheHive config. The MITRE ATT&CK tags are not transferred to the elastalert rule by sigmac, so we add them manually.

 

===
hive_connection:
  hive_host: https://ip
  hive_port: 9443
  hive_apikey: key

hive_alert_config:
  title: 'Sigma Remote Task Creation via ATSVC Named Pipe {match[source_ip]} -- {match[destination_ip]}'
  type: 'alarm'
  source: 'Sigma'
  description: 'Alert : {match[source_ip]}'
  severity: 2
  tags: ['elastalert', 'attack.lateral_movement', 'attack.persistence', 'attack.t1053', 'car.2013-05-004', 'car.2015-04-001', 'sigma']
  tlp: 1
  status: 'New'
  follow: True
  sourceRef: '{match[source_ip]}{match[destination_ip]}'

hive_observable_data_mapping:
  - ip: '{match[source_ip]}'
  - ip: '{match[destination_ip]}'
===

 

Now restart elastalert service and you should start getting alerts on any of these matches.

#so-elastalert-restart


 

(1)https://isc.sans.edu/diary/rss/26258

(2)https://github.com/Neo23x0/sigma/blob/master/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml

 

July 1, 2020

ISC Stormcast For Wednesday, July 1st 2020 https://isc.sans.edu/podcastdetail.html?id=7062, (Wed, Jul 1st)

June 30, 2020

ISC Snapshot: SpectX IP Hitcount Query, (Tue, Jun 30th)

SpectX was the subject of an ISC post on SpectX4DFIR back in late April. Raido from SpectX provides us with a query to count hits from IPs during different time intervals.

This can be one way of detecting possible bots and automated queries. Running the query below will tell you:

  1. On how many different days do we have hits from a particular IP (column ‘days’)?
  2. On how many different days did we see this IP every hour, 24 hours in a row (column ‘full_days’)?
  3. During how many different hours did we get hits from this IP (column ‘hours’)?

I ran the query below, slightly modified from Raido’s original, against the April 2020 log file for holisticinfosec.io. You can run this on any log file that contains timestamps and IP-addresses, just change the path, pattern and field names accordingly.

LIST('file:/C:/logs/holisticinfosec.io-ssl_log-Apr-2020') | parse(pattern:$[/user/patterns/apache/apacheLog.sxp]) | select(hour:timestamp[1 hour], clientIp) | group(hour, clientIp) | select(day:hour[24 hour], clientIp, hours:count(*)) | group(day, clientIp) | select(clientIp, days:count(*), full_days:count(hours = 24), hours:sum(hours)) | group(clientIp) | sort(full_days desc)
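The three output columns are easy to misread (hours is a sum over days of distinct hours, full_days counts days with all 24 hours present), so here is the same computation done in plain Python over Apache combined-log lines. This is an added example, not part of the diary and not SpectX code; hour and day buckets are UTC-aligned to mimic the query's timestamp[1 hour] and hour[24 hour] truncation, and the log lines, IPs and user agent are constructed test data rather than the holisticinfosec.io log.

```python
# Added example (not from the diary or SpectX): the three columns of Raido's query
# (days, full_days, hours) recomputed in plain Python from Apache combined-log
# lines, so the semantics can be checked by hand. Hour and day buckets are
# UTC-aligned, like the query's timestamp[1 hour] / hour[24 hour] truncation.
# The log lines, IPs and user agent are constructed test data.
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Tuple

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def parse_line(line: str) -> Tuple[str, datetime]:
    """Client IP and UTC timestamp from one combined-format line."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"not a combined-format line: {line!r}")
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts.astimezone(timezone.utc)


def hitcount(lines: Iterable[str]) -> Dict[str, Dict[str, int]]:
    """Per client IP: days = distinct days with hits, hours = distinct hours with
    hits summed over those days, full_days = days on which all 24 hours had hits."""
    seen = defaultdict(lambda: defaultdict(set))      # ip -> day -> {hour, ...}
    for line in lines:
        ip, ts = parse_line(line)
        seen[ip][ts.date()].add(ts.hour)
    return {
        ip: {
            "days": len(days),
            "hours": sum(len(h) for h in days.values()),
            "full_days": sum(1 for h in days.values() if len(h) == 24),
        }
        for ip, days in seen.items()
    }


def ranked(lines: Iterable[str]) -> List[Tuple[str, Dict[str, int]]]:
    """Rows ordered like sort(full_days desc), ties broken by hours then IP."""
    return sorted(hitcount(lines).items(),
                  key=lambda kv: (-kv[1]["full_days"], -kv[1]["hours"], kv[0]))


def make_lines(ip: str, stamps: Iterable[datetime], path: str = "/index.xml") -> List[str]:
    """Constructed combined-log lines (test data, not real traffic)."""
    return [f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] "GET {path} HTTP/1.1" '
            f'200 512 "-" "feedbot/1.0"' for ts in stamps]


def sample_log() -> List[str]:
    base = datetime(2020, 4, 1, tzinfo=timezone.utc)
    bot = [base + timedelta(hours=h, minutes=7) for h in range(48)]      # two complete days
    partial = [base + timedelta(days=2, hours=h) for h in range(23)]     # day three: 23 of 24 hours
    human = [base + timedelta(days=1, hours=9), base + timedelta(days=1, hours=9, minutes=30),
             base + timedelta(days=3, hours=20)]
    return make_lines("198.51.100.23", bot + partial) + make_lines("203.0.113.7", human, "/")


if __name__ == "__main__":
    for ip, cols in ranked(sample_log()):
        print(ip, cols)
```

The constructed feed bot shows up with full_days = 2 even though it also hit the site for 23 hours on the third day, which is exactly the distinction the full_days column is meant to surface: a client that never misses an hour is almost certainly automated.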

The results as seen in Figure 1 provided immediate insights.

Figure 1: SpectX IP hitcount query result

As promised, these IPs, as noted in the results in Figure 1, are all making constant calls to my site, all day, every day. Each is calling my index.xml file; some appear to be RSS readers or scrapers, which is fairly routine. It seems like a lot of needless connect and compute cycles for a low-traffic, static site such as mine.
Some of these IPs are definitely of ill repute, however. 173.212.239.212, originating out of Nuremberg, Bavaria, scored a near-perfect 99 of 100 for fraudulent behavior and malicious activity based on recent actions according to IPQS. Figure 2 bears this out.

Figure 2: IPQS declares badness

This is a useful little query to quickly detect possible bots and automated queries. Hopefully you've already downloaded SpectX and given it a try after the last post. Load it back up and feed it a log. If you want a copy of the log used for this post, let me know via socials or email.

Cheers…until next time.

Russ McRee | @holisticinfosec

June 30, 2020

ISC Stormcast For Tuesday, June 30th 2020 https://isc.sans.edu/podcastdetail.html?id=7060, (Tue, Jun 30th)

June 29, 2020

Sysmon and Alternate Data Streams, (Mon, Jun 29th)

Sysmon version 11.10, released a couple of days ago, adds support for capturing content of Alternate Data Streams.

When the content of an ADS is text and less than 1 KB, the content is logged in the event log (in the Contents field of the FileCreateStreamHash event, Event ID 15).

Here is an example with a download of a file using Microsoft Edge: an ADS named Zone.Identifier will be created for the downloaded file.

With modern browsers, the Zone.Identifier ADS also contains the referrer (ReferrerUrl) and URL for the download (HostUrl), which can be useful for forensics.
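Once the stream text is in the event log, the useful bits for forensics are the ZoneId and the two URLs. The following parser is an added example (not from the diary) that turns the Zone.Identifier text into a small summary: which security zone the file came from, the referrer host and the download host. SAMPLE_STREAM is constructed to look like what a browser writes; the zone numbers are Windows' standard URL security zones.

```python
# Added example (not from the diary): a parser for the Zone.Identifier stream text
# that Sysmon 11.10+ records in the Contents field of FileCreateStreamHash (Event
# ID 15) when the stream is short text. SAMPLE_STREAM is constructed; the ZoneId
# numbers are Windows' standard URL security zones.
from typing import Dict, Optional
from urllib.parse import urlsplit

ZONES = {0: "LocalMachine", 1: "LocalIntranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}


def parse_zone_identifier(contents: str) -> Dict[str, str]:
    """Key/value pairs of the INI-style [ZoneTransfer] section; other sections ignored."""
    fields: Dict[str, str] = {}
    section = None
    for raw in contents.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "ZoneTransfer" and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def download_origin(contents: str) -> Optional[dict]:
    """Forensic summary: zone name, referrer host and download host, or None if the
    stream carries no usable ZoneId (e.g. it is not a Zone.Identifier stream)."""
    f = parse_zone_identifier(contents)
    try:
        zone_id = int(f["ZoneId"])
    except (KeyError, ValueError):
        return None
    return {
        "zone": ZONES.get(zone_id, f"Unknown({zone_id})"),
        "from_internet": zone_id == 3,
        "referrer_host": urlsplit(f["ReferrerUrl"]).hostname if "ReferrerUrl" in f else None,
        "download_host": urlsplit(f["HostUrl"]).hostname if "HostUrl" in f else None,
    }


# Constructed stream contents, as a browser would write them for a download.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/downloads/\r\n"
    "HostUrl=https://cdn.example.invalid/files/setup.exe\r\n"
)

if __name__ == "__main__":
    print(download_origin(SAMPLE_STREAM))
```

Older browsers and tools that copy files from network shares write only a ZoneId line, so the parser treats ReferrerUrl and HostUrl as optional and still reports the zone.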

I used the following config file for my tests:

<Sysmon schemaversion="4.32">
  <HashAlgorithms>md5,sha256</HashAlgorithms>
  <DnsLookup>False</DnsLookup>
  <ArchiveDirectory>sysmonarchive</ArchiveDirectory>

  <EventFiltering>
    <FileCreateStreamHash onmatch="exclude"/>

    <CreateRemoteThread onmatch="include"/>
    <DnsQuery onmatch="include"/>
    <DriverLoad onmatch="include"/>
    <FileCreate onmatch="include"/>
    <FileCreateTime onmatch="include"/>
    <FileDelete onmatch="include"/>
    <ImageLoad onmatch="include"/>
    <NetworkConnect onmatch="include"/>
    <PipeEvent onmatch="include"/>
    <ProcessAccess onmatch="include"/>
    <ProcessCreate onmatch="include"/>
    <ProcessTerminate onmatch="include"/>
    <RawAccessRead onmatch="include"/>
    <RegistryEvent onmatch="include"/>
    <WmiEvent onmatch="include"/>
  </EventFiltering>
</Sysmon>

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

June 29, 2020

ISC Stormcast For Monday, June 29th 2020 https://isc.sans.edu/podcastdetail.html?id=7058, (Mon, Jun 29th)

June 28, 2020

tcp-honeypot.py Logstash Parser & Dashboard Update, (Sun, Jun 28th)

This is an update to the logstash parser and dashboard published in January [1] for Didier's tcp-honeypot.py honeypot script. The parser has been updated to follow the Elastic Common Schema (ECS) [2] format and parses more information from the honeypot logs, and it comes with revised and additional dashboards.

tcp-honeypot Log Analysis from Discover

tcp-honeypot Dashboard Summary

The tcp-honeypot parser can be downloaded here and the dashboard JSON here [3].

[1] https://isc.sans.edu/forums/diary/ELK+Dashboard+and+Logstash+parser+for+tcphoneypot+Logs/25702
[2] https://www.elastic.co/guide/en/ecs/current/ecs-reference.html
[3] https://handlers.sans.edu/gbruneau/elastic.htm

-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

June 28, 2020

Video: YARA's BASE64 Strings, (Sat, Jun 27th)

In diary entry YARA's BASE64 Strings, I explain the new BASE64 feature in YARA (we're at version 4.0.2 now).

Here is a video showing this new feature:

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

June 26, 2020

Share the Mic in Cyber, (Fri, Jun 26th)

Today, we deviate a bit from our usual content. Instead of featuring content from one of our handlers, we are instead including pointers to some notable blogs and other content from black and brown cybersecurity practitioners.

Please send us pointers to other blogs to add. The order of the listings below does not reflect a ranking. And follow the #sharethemicincyber hashtag on Twitter/LinkedIn.

Lavine A Oluoch https://medium.com/@lavineaoluoch

Tyrone E. Wilson (Cover6 Solutions) https://www.cover6solutions.com/cybersecurity-blog/

Dominique West (Security in Color) https://www.securityincolor.com/

Marcus J. Carey https://twitter.com/marcusjcarey

Chris Ross (SpecterOps) https://www.xorrior.com/

Jules Okafor (Revolution Cyber) https://twitter.com/julesmgmt

Deirra J. Footman https://www.ccieby30.com/links

Keirsten Brager https://www.keirstenbrager.tech/

Lodrina Cherne https://twitter.com/hexplates

Quiessence Philips https://www.itsquiessence.com/blog

Amelia Estwick https://twitter.com/drcyberace

Doug Bryant Jr (Intrusion Diversity Systems) https://intrusionds.com/blog/

O'Shea Bowens (Null Hat Security) https://nullhatsecurity.org/blog/

Yolonda Smith https://yolonda.io/blog

Elan Wright https://dfirdiva.com/

 

June 26, 2020

ISC Stormcast For Friday, June 26th 2020 https://isc.sans.edu/podcastdetail.html?id=7056, (Fri, Jun 26th)

June 25, 2020

Tech Tuesday Recap / Recordings: Part 2 (Installing the Honeypot) released, (Thu, Jun 25th)

As mentioned during our "Tech Tuesday" session, the session itself was not recorded. Instead, I will be releasing three "stand alone" videos covering the major parts of the workshop.

The videos will be broken up into three parts:

- Introduction. What is DShield and the Internet Storm Center (to be released later today).

- Installing the honeypot. See below for this video.

- Using the DShield / Internet Storm Center Data (to be released tomorrow)

All videos will be available on our YouTube channel

The instructions from the hands-on exercises are available at https://isc.sans.edu/techtuesday .

 

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute

June 25, 2020

ISC Stormcast For Thursday, June 25th 2020 https://isc.sans.edu/podcastdetail.html?id=7054, (Thu, Jun 25th)

June 24, 2020

Using Shell Links as zero-touch downloaders and to initiate network connections, (Wed, Jun 24th)

Probably anyone who has used any modern version of Windows is aware of their file-based shortcuts, also known as LNKs or Shell Link files. Although they were intended as a simple feature to make Windows a bit more user-friendly, over the years, a significant number[1] of vulnerabilities were identified in handling of LNKs. Many of these vulnerabilities lead to remote code execution and one (CVE-2010-2568) was even used in creation of the Stuxnet worm.

It has been known for some time[2] that even on fully patched systems, Windows still handles Shell Link files with externally loaded icons in an interesting (and quite unsafe) way. Specifically, the OS won't just load external icon files from local drives; it will also try to do so from remote paths specified in UNC format. What is less known is that the OS will try to do the same even for paths specified as URLs. This means that every time Windows tries to load the icon (it does so whenever the LNK file is displayed by File Explorer), a remote connection is initiated to a remote machine, and if the icon specified by the UNC or URL path exists, it is downloaded and displayed.

This, by itself, might actually sound like an interesting feature rather than anything else, however since there appear to be nearly no limits on what paths may be specified for the remote icon file, one may cause Windows to do some surprising things by simply browsing to a specially crafted LNK file. Things such as download an arbitrary file to the local drive (there don’t appear to be any checks in place with regards to size or type of the file which Windows is willing to download) or initiate a SMB connection to an arbitrary remote machine. As you can probably imagine, a hypothetical malicious actor might take advantage of this behavior quite easily.

Probably the most straightforward way to misuse it would be to craft a special LNK file, ZIP it and send it out in a phishing e-mail, or upload the LNK to a network file share used by multiple users (if one had access to it). Under such conditions, just browsing to the LNK file might cause the OS of the victim to do something unintended, such as exhaust bandwidth or space on a local drive by downloading a very large file, download a malicious executable, or try to authenticate against a remote server. I’ve mentioned this issue in passing during my SANS@MIC talk last week[3], but thought I’d try to provide a deeper explanation of what causes it and how it may be leveraged in this diary.

The potential for misuse of LNK icon loading lies in a lack of checks when it comes to the contents of ICON_LOCATION StringData section of the Shell Link structure[4].

Due to this lack of checks, it is possible to create a LNK file which specifies a URL or UNC path as the ICON_LOCATION instead of a local path. It seems that the same may be done with the IconEnvironmentDataBlock structure, but for simplicity's sake, we will demonstrate the principle using the ICON_LOCATION section.

If an arbitrary URL/UNC is specified as the ICON_LOCATION, then, when a folder in which the LNK is located is opened in File Explorer, the OS will attempt to download the file specified by the URL using a HTTP GET request or to download the file by accessing the UNC path over SMB. This will happen without the need for a user to click on anything.

In order to demonstrate this behavior, I've created a couple of LNK files which show this issue in practice and illustrate why it might be dangerous. For the sake of simplicity, most of the files only contain the SHELL_LINK_HEADER and STRING_DATA sections, with ICON_LOCATION being the only STRING_DATA section present.

Before we get to those, let's start slowly and show that a shortcut which doesn't point to any target file will actually "work" in Windows (i.e. its icon will be loaded). The following picture shows the internal structure of a LNK file, normal.lnk, which doesn't link to any other file and has its icon set to C:\Windows\SysWOW64\OneDrive.ico.

In this case, the following icon will indeed be loaded from the local path and displayed if the folder in which the LNK is placed is browsed to using File Explorer (this is conditional upon the two bytes preceding the path being set to its length, as required by the ICON_LOCATION format).

As we’ve mentioned, the ICON_LOCATION string may contain a URL/UNC instead of local path, and it is therefore possible to use it to point to a remote server. The following picture demonstrates the internal structure of “external-icon.lnk” file, which has the ICON_LOCATION set to the URL https://untrustednetwork.net/images/un1.ico.

In this case, the following icon will be loaded from the remote server and displayed if the folder in which the LNK is placed is opened in File Explorer.

Since the only limitation when it comes to the ICON_LOCATION string seems to be that it has to end in “.ico” in order for Windows to try to access it, it is possible to craft a LNK, which will cause the OS to make an (almost) arbitrary HTTP GET request. One might use this fact in several ways.
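To make the structure described above concrete, and to give defenders something to run over a suspicious attachment, here is an added example (not from the diary and not the diary's LNK files): a builder for the minimal LNK just described (a 76-byte SHELL_LINK_HEADER, a single Unicode ICON_LOCATION string and the terminal block, optionally an IconEnvironmentDataBlock) and a scanner that walks the same layout per MS-SHLLINK and flags any icon location that is a UNC path or a URL. The hosts and URLs used in the demo are placeholders (example.invalid, documentation addresses), not the diary's servers.

```python
# Added example (not from the diary): a minimal Shell Link builder that writes only
# SHELL_LINK_HEADER + an ICON_LOCATION StringData entry, and a scanner that flags
# LNKs whose icon location is a UNC path or URL (the zero-touch trigger described
# above). Layout follows MS-SHLLINK; the IconEnvironmentDataBlock (0xA0000007) is
# also checked when present. All hosts/URLs below are placeholders.
import re
import struct
from typing import List, Optional

LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_IDLIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x04, 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
ICON_ENVIRONMENT_BLOCK = 0xA0000007
STRING_FLAGS = [HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION]


def build_icon_lnk(icon_location: str, env_icon: Optional[str] = None) -> bytes:
    """76-byte header (no target, no LinkInfo), one Unicode ICON_LOCATION string,
    an optional IconEnvironmentDataBlock, then the 4-byte TerminalBlock."""
    flags = HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 76, LINK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)   # attrs, 3 times, size, icon idx, SW_SHOWNORMAL
    string_data = struct.pack("<H", len(icon_location)) + icon_location.encode("utf-16-le")
    extra = b""
    if env_icon is not None:   # BlockSize 0x314, signature, TargetAnsi[260], TargetUnicode[520]
        extra = struct.pack("<II", 788, ICON_ENVIRONMENT_BLOCK)
        extra += env_icon.encode("latin-1", "replace").ljust(260, b"\0")[:260]
        extra += env_icon.encode("utf-16-le").ljust(520, b"\0")[:520]
    return header + string_data + extra + struct.pack("<I", 0)


def _read_string(buf: bytes, off: int, unicode: bool):
    """StringData entry: CountCharacters (2 bytes) then the characters, no terminator."""
    n = struct.unpack_from("<H", buf, off)[0]
    off += 2
    if unicode:
        return buf[off:off + 2 * n].decode("utf-16-le"), off + 2 * n
    return buf[off:off + n].decode("latin-1"), off + n


def icon_locations(lnk: bytes) -> List[str]:
    """Every icon path a reader would try: ICON_LOCATION plus any IconEnvironmentDataBlock."""
    size, clsid, flags = struct.unpack_from("<I16sI", lnk, 0)
    if size != 76 or clsid != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    off = 76
    if flags & HAS_LINK_TARGET_IDLIST:
        off += 2 + struct.unpack_from("<H", lnk, off)[0]          # IDListSize + IDList
    if flags & HAS_LINK_INFO:
        off += struct.unpack_from("<I", lnk, off)[0]              # LinkInfoSize spans the block
    found, unicode = [], bool(flags & IS_UNICODE)
    for flag in STRING_FLAGS:                                      # fixed StringData order
        if flags & flag:
            s, off = _read_string(lnk, off, unicode)
            if flag == HAS_ICON_LOCATION:
                found.append(s)
    while off + 4 <= len(lnk):                                     # EXTRA_DATA blocks
        block_size = struct.unpack_from("<I", lnk, off)[0]
        if block_size < 4:
            break                                                  # TerminalBlock
        sig = struct.unpack_from("<I", lnk, off + 4)[0]
        if sig == ICON_ENVIRONMENT_BLOCK and block_size >= 788:
            target = lnk[off + 8 + 260: off + 8 + 260 + 520].decode("utf-16-le", "ignore")
            found.append(target.split("\x00", 1)[0])
        off += block_size
    return found


def is_remote_icon(path: str) -> bool:
    """UNC (\\\\host\\share\\x.ico) or URL (scheme://...) locations trigger a network fetch."""
    return path.startswith("\\\\") or re.match(r"^[A-Za-z][A-Za-z0-9+.-]*://", path) is not None


def scan_lnk(lnk: bytes) -> Optional[str]:
    """First remote icon location found, or None if the LNK only uses local icons."""
    for p in icon_locations(lnk):
        if is_remote_icon(p):
            return p
    return None


if __name__ == "__main__":
    sample = build_icon_lnk("https://example.invalid/track.php?id=1&ending=hit.ico")
    print(len(sample), "bytes; remote icon:", scan_lnk(sample))
```

The scanner deliberately does not try to parse LinkTargetIDList or LinkInfo beyond skipping them by their declared sizes, which is enough to reach the StringData and ExtraData sections where the icon paths live; a mail gateway check that refuses archives whose LNKs return a non-None scan result would cover the tracking, hash-capture and downloader variants described in this diary.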

One which comes to mind is user tracking through monitoring HTTP requests. To achieve this, the malicious actor would only have to ensure that a LNK file which loads an icon from a server under his control was placed in a folder that is opened in File Explorer on a regular basis (such as the Desktop folder). The following picture shows the internal structure of a file which demonstrates this principle by having the ICON_LOCATION set to the URL https[:]//untrustednetwork[.]net/loggerscript.php?usertrackingid=1&ending=hit.ico.

If a folder containing such a file was opened (or if the LNK was placed on the Desktop), it would indeed result in Windows sending the relevant HTTP GET request. As the following log from a webserver shows, tracking the public IP address of a specific user would be quite simple in such a scenario.

While on the subject of generating arbitrary requests to remote servers, a much more useful way to take advantage of this Windows behavior in the context of an attack or a pentest/red team engagement would of course be to use a UNC path instead of a URL and capture NTLM hashes, or use the requests for an SMB relay attack.

The last side effect of the way loading of icons for LNKs is handled worth mentioning is the potential to force Windows to download an arbitrary (i.e. potentially malicious) file to the machine, on which a folder containing a specially crafted LNK is opened.

The following picture shows the internal structure of a file “eicar-downloader.lnk”, which demonstrates this principle by having the ICON_LOCATION set to the URL https[:]//untrustednetwork[.]net/misc/eicar.exe?.ico. As you may have guessed, the file it points to is the EICAR test file[5] with an EXE extension.

The resulting HTTP GET request will lead to the download of the EICAR test file to somewhere under %USERPROFILE%\AppData\Local\Microsoft\Windows\INetCache (on a Windows 10 machine) with the name eicar[1].exe.

This should of course result in a warning from any anti-malware solution installed on the machine. A malicious actor could, however, use the same technique to make Windows download a real malicious file which AV would not detect (or any other data).

By itself, this technique can’t lead to the execution of the downloaded file, but since the target path to which the file will be downloaded is known beforehand, it is fairly simple to create a LNK, which will cause Windows to download an executable from a remote server and which will also execute it when launched. This means that one may create a very simple downloader without the need to actually download anything, which has some (though admittedly limited) potential for both malicious actors and red teamers.

To show how easy it may be to craft such a LNK file, I've created one which causes Process Explorer to be downloaded from a Microsoft server and which, when "launched", causes the following command (and therefore the downloaded binary) to execute.

C:\Windows\System32\cmd.exe /c "cd %USERPROFILE%\AppData\Local\Microsoft\Windows\INetCache & dir /s /B procexp*.exe | cmd.exe /k"

If you'd like to try this out yourself, you may download the file and some of the other LNKs mentioned above from https://untrustednetwork.net/files/ISC/2020/iconic_lnks.zip. Since one of them is the "EICAR downloader", the archive is encrypted with the usual password (i.e. "infected").

The last thing I believe is worth mentioning is that Microsoft is aware of the issue and from what I understand, there have even been some mitigations for it implemented into Windows 8 and Windows 10. These were however afterwards negated by later updates.

Since it seems that we'll be left without a patch for this issue for the foreseeable future (and since malicious LNK files are quite common in malspam attachments), one of the reasonable defenses against attackers misusing the techniques mentioned above, as well as others which depend on LNKs, would be a good level of security awareness among end users. Including the concept of malicious shortcut files in security awareness training might therefore not be a bad idea.
On the technical side, one additional thing which might be used to mitigate risks related to malicious shortcuts would be to block or quarantine any e-mails with attached archives which contain (only) LNK files.

[1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=LNK
[2] https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/you-down-with-lnk/
[3] https://www.youtube.com/watch?v=Fb2Z3bw-oJ8
[4] https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-shllink/16cb4ca1-9339-4d0c-a68d-bf1d6cc0f943
[5] http://2016.eicar.org/86-0-Intended-use.html

-----------
Jan Kopriva
@jk0pr
Alef Nula

June 24, 2020

VMware security advisory VMSA-2020-0015, (Wed, Jun 24th)

VMware issued a new security advisory yesterday - VMSA-2020-0015[1]. It covers patches (in some cases still pending) for 10 different CVEs with a use-after-free vulnerability in ESXi, Workstation and Fusion being the most important one (CVSSv3 base score of 9.3).

[1] https://www.vmware.com/security/advisories/VMSA-2020-0015.html

June 24, 2020

ISC Stormcast For Wednesday, June 24th 2020 https://isc.sans.edu/podcastdetail.html?id=7052, (Wed, Jun 24th)

June 23, 2020

Cyberbunker 2.0: Analysis of the Remnants of a Bullet Proof Hosting Provider, (Mon, Jun 22nd)

This post was written by SANS.edu graduate student Karim Lalji in cooperation with Johannes Ullrich.

“Cyberbunker” refers to a criminal group that operated a “bulletproof” hosting facility out of an actual military bunker. “Bulletproof” hosting usually refers to hosting locations in countries with little or corrupt law enforcement, making shutting down criminal activity difficult. Cyberbunker, which is also known as “ZYZtm” and “Calibour”, was a bit different in that it actually operated out of a bulletproof bunker. In September of last year, German police raided this actual Cyberbunker and arrested several suspects. At the time, Brian Krebs had a great writeup of the history of Cyberbunker [1].


Figure 1: “Seized” banner placed on the Cyberbunker website

According to the press release by State Central Cybercrime Office of the Attorney General over 2 petabytes of data were seized including servers, mobile phones, hard drives, laptops, external storage and documents. One of the sites, C3B3ROB, seized by the state criminal police listed over 6000 darknet sites linked to fraudulent bitcoin lotteries, darknet marketplaces for narcotics (with millions of Euros in net transactions for Marijuana, Hashish, MDMA, Ecstasy), weapons, counterfeit money, stolen credit cards, murder orders, and child sexual abuse images [2].

Several individuals involved with Cyberbunker are currently undergoing a criminal trial in Germany. To pay for legal expenses, the principals behind Cyberbunker sold the Cyberbunker IP address space to the Dutch company Legaco. Legaco agreed to route the Cyberbunker IP address space to one of our honeypots for two weeks, to allow us to collect some data about any remaining criminal activity trying to reach resources hosted by Cyberbunker.

The IP address space included 185.103.72.0/22, 185.35.136.0/22, and 91.209.12.0/24, which comes down to about 2300 IP addresses. We collected full packets going to the IP address space and set up listeners (mostly web servers) on various ports.

Traffic Summary


Figure 2: Traffic volume to Cyberbunker IP addresses.

Across all IP addresses, we received about 2 MBit/sec of traffic. The traffic did not target all IP addresses at the same rate. Instead, IP addresses used for popular web sites received more traffic.


Figure 3: Countries of origin Cyberbunker traffic.

The "heat map" above shows the geographic distribution of incoming bytes where the source IPs reside in the CyberBunker networks. Moderate amounts of traffic are generated from Iran, various European countries as well as Mexico. Interestingly, the highest amount of traffic was generated from Brazil.

IRC Bot Traffic

Port 80 traffic was directed to a web server. We noted immediately that some of the traffic was not HTTP traffic, but instead IRC traffic. Bots sometimes use port 80, hoping it will evade firewall rules and inspection.

The following image shows several IP addresses accessing a subset of destinations within the CyberBunker scope as logged by Apache. The payload shows an IRC "USER" command along with what appears to be a series of computer names.


Figure 4: IRC Traffic Sample

Close to 2000 unique computer names and over 7000 unique source IPs that follow a similar request pattern are present in the traffic sample collected. When a single "computer name" was isolated with timestamps, the intervals between requests were exactly 1min and 30sec - indicating automation and potential C2.
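The kind of detection logic behind the observation above, as an added example that is not part of the original diary: it picks IRC commands out of Apache access log lines (an IRC "USER" command arriving on port 80 is logged as the request line of a malformed HTTP request), groups them by source IP and reported computer name, and flags hosts whose requests recur at a fixed interval such as the 90 seconds seen here. The log lines are constructed for the example; the field layout assumed is Apache's combined log format.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache combined log format (not from the diary):
# IRC "USER"/"NICK" commands sent to port 80 mixed with an ordinary HTTP request.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Jun/2020:10:00:00 +0000] "USER WIN-7K3PQ 8 * :WIN-7K3PQ" 400 226 "-" "-"
198.51.100.7 - - [22/Jun/2020:10:00:10 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.5 - - [22/Jun/2020:10:01:30 +0000] "USER WIN-7K3PQ 8 * :WIN-7K3PQ" 400 226 "-" "-"
203.0.113.9 - - [22/Jun/2020:10:02:00 +0000] "NICK [USA|XP]1234" 400 226 "-" "-"
203.0.113.5 - - [22/Jun/2020:10:03:00 +0000] "USER WIN-7K3PQ 8 * :WIN-7K3PQ" 400 226 "-" "-"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
IRC_CMDS = ("USER", "NICK", "JOIN", "PRIVMSG", "PING", "PONG")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_irc_events(log_text):
    """Return (timestamp, src_ip, irc_cmd, name) for request lines that are IRC commands."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = m.group("req").split()
        if not parts or parts[0] not in IRC_CMDS:
            continue  # ordinary HTTP method (GET/POST/...) or empty request line
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        name = parts[1] if len(parts) > 1 else ""
        events.append((ts, m.group("ip"), parts[0], name))
    return events

def beacon_intervals(events):
    """Per (src_ip, computer name) pair, seconds between consecutive USER commands."""
    per_host = defaultdict(list)
    for ts, ip, cmd, name in events:
        if cmd == "USER":
            per_host[(ip, name)].append(ts)
    result = {}
    for key, stamps in per_host.items():
        stamps.sort()
        result[key] = [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]
    return result

def regular_beacons(intervals, period=90, tolerance=5):
    """Pairs whose every interval is within `tolerance` seconds of `period` (90 s = 1 min 30 s)."""
    return [k for k, gaps in intervals.items()
            if gaps and all(abs(g - period) <= tolerance for g in gaps)]
```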

Phishing

We also identified various phishing sites that are still receiving traffic. These phishing sites attempt to impersonate RBC (Royal Bank of Canada), Apple, Paypal, and others.

The domain apple-serviceauthentication.com.juetagsdeas.org continued to receive hits during the analysis period. Running a DIG command against this domain resulted in an NXDOMAIN response; however, URLScan.io indicated that the IP address hosting this site belongs to the malicious network in question under the name “ZYZtm.” At the time of the analysis, 54 other domains that appear to fall into the phishing category were associated with the single IP address 185.35.138.158. One of the hosts on this IP address is psrepair.3utilities.com which, according to the URLScan.io screenshot feature, shows a credential harvesting page for Chase Bank.


Figure 5: Phishing Page (via urlscan.io)

Ad Network

The webserver we configured to receive the traffic destined to the Cyberbunker IPs received traffic looking for banner ads placed with the “getmyads.com” ad network. Like many legitimate businesses, criminals advertise their services on other websites via banner ads and referral links. The site being advertised is often communicated as part of the URL to retrieve the appropriate banner, or to credit the correct advertiser. Strings included in the ad requests suggest that the network was used to advertise adult services, and in some cases, these sites may have been associated with the sexual abuse of children. Distributing material depicting the sexual abuse of children was one of the charges levied against the proprietors of Cyberbunker.

At the time we collected our data, most of the requests for these URLs originated from the “Majestic” search engine.

According to archive.org, getmyads.com was most active from 2016 to 2018, with some updates made late in 2019. It appeared to provide a multi-level marketing style ad network at times, which provided generous referral fees. The last update made in 2019 shows a “Seized Back By the Government of Cyberbunker” banner, likely in response to the German government placing “seized” notices on various Cyberbunker related sites following the raid.


Figure 6: getmyads.com image retrieved from archive.org

Other Traffic

The analysis also uncovered other notable behavior such as encrypted binary HTTP communication tied to known malware signatures and presumed to be C2 communication, backscatter from what appears to be previous DDoS attacks and DNS resolution of sites that host illicit pornography (involving animals). Additional details can be found in the SANS Reading Room paper. [3]

[1] https://krebsonsecurity.com/2019/09/german-cops-raid-cyberbunker-2-0-arrest-7-in-child-porn-dark-web-market-sting/
[2] https://gstko.justiz.rlp.de/de/startseite/detail/news/News/detail/landeszentralstelle-cybercrime-der-generalstaatsanwaltschaft-koblenz-erhebt-anklage-gegen-acht-tatve/
[3] https://www.sans.org/reading-room/whitepapers/threathunting/real-time-honeypot-forensic-investigation-german-organized-crime-network-39640

Karim Lalji | LinkedIn 
Johannes Ullrich | LinkedIn | Twitter

23 June 2020

ISC Stormcast For Tuesday, June 23rd 2020 https://isc.sans.edu/podcastdetail.html?id=7050, (Tue, Jun 23rd)

22 June 2020

Comparing Office Documents with WinMerge, (Mon, Jun 22nd)

Sometimes I have to compare the internals of Office documents (OOXML files, i.e. ZIP containers with XML files, …). Since they are ZIP containers, I have to compare the files within. I used to do this with the zipdump.py tool, but recently, I started to use WinMerge because of its graphical user interface.

WinMerge is a free Windows tool to compare files.

It is capable of comparing files stored inside archives: this is exactly what Office documents like .docx, .xlsm, … are.

First I have to change a setting so that WinMerge will recognize archive files like ZIP files based on their content too, and not only their extension.

Then I open the 2 Word documents. The first .docx file is a Word document with the text "This is test 1", the second Word document is an edited copy with the text "This is test 2".

I make sure that all comparisons are visible, and expand all subfolders:

It is not a surprise that document.xml is one of the files that is different: it contains the words I typed into the document and then altered:

WinMerge can also be used to compare XML files:

And then it is easier to see the changes I made:
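A scriptable equivalent of the comparison shown above, as an added example that is neither WinMerge nor Didier's zipdump.py: it hashes every member of two OOXML containers to report which parts differ, then produces a unified diff of one XML part with one tag per line so a single-word edit stands out. The two "documents" are constructed in memory as minimal stand-ins for the real .docx files.

```python
import difflib
import hashlib
import io
import zipfile

def build_docx_like(text):
    """Constructed minimal ZIP with the OOXML parts relevant here (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        z.writestr("word/document.xml",
                   "<w:document><w:body><w:p><w:r><w:t>%s</w:t></w:r></w:p></w:body></w:document>" % text)
        z.writestr("word/styles.xml", "<w:styles/>")
    return buf.getvalue()

def compare_containers(a_bytes, b_bytes):
    """Classify each member path as identical, different, only_left or only_right."""
    def digests(data):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            # hash the decompressed content so compression settings cannot mask equality
            return {n: hashlib.sha256(z.read(n)).hexdigest() for n in z.namelist()}
    da, db = digests(a_bytes), digests(b_bytes)
    result = {}
    for name in sorted(set(da) | set(db)):
        if name not in db:
            result[name] = "only_left"
        elif name not in da:
            result[name] = "only_right"
        elif da[name] == db[name]:
            result[name] = "identical"
        else:
            result[name] = "different"
    return result

def diff_member(a_bytes, b_bytes, name):
    """Unified diff of one XML part, split at tag boundaries for readability."""
    def pretty(data):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return z.read(name).decode("utf-8").replace("><", ">\n<").splitlines()
    return list(difflib.unified_diff(pretty(a_bytes), pretty(b_bytes),
                                     fromfile="a/" + name, tofile="b/" + name, lineterm=""))

if __name__ == "__main__":
    a, b = build_docx_like("This is test 1"), build_docx_like("This is test 2")
    for member, state in compare_containers(a, b).items():
        print(f"{state:10} {member}")
    print("\n".join(diff_member(a, b, "word/document.xml")))
```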

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com
