SANS

Today's Microsoft patch Tuesday addresses 132 vulnerabilities. Nine of the vulnerabilities are rated as Critical, and 6 of these are listed as exploited prior in the wild.

In particular, CVE-2023-36884 includes a remote code execution vulnerability via Microsoft Word documents and was linked to the Storm-0978 threat actor.  Microsoft Threat Intelligence has a blog entry which discusses this situation. Take special note of the mitigations which are recommended, as updates will likely be released out-of-cycle for this one.

Other explited vulnerabilities include:

CVE-2023-35311 is a Microsoft Outlook Security Feature bypass which was being exploited in the wild which worked in the preview pane and bypasses security warning.

CVE-2023-32046 is an actively exploited privilege elevation vulnerability in Windows MSHTML which could be exploited by opening a sepcially crafted file in email or a malicious website.

CVE-2023-32049 is a security feature bypass vulnerability with Windows SmartScreen which was being exloited to prevent the Open File - Security Warning prompt when downloading/opening files from the Internet.

CVE-2023-36874 is an actively exploited privilege escalaton flaw which could allow threat actors to gain local administrator privileges.  Attackers would need to have local access to the targeted machine and the user be able to create folder and performance traces to fully exploit this vulnerability.

Microsoft also issued a high-impact advisory (ADV230001) where attackers where abusing the drivers being certified by Microsoft's Windows Hardware Developer Program (MWHDP) as a post-exploitation activity.  The implicated developer accounts were suspected, and Microsoft has taken steps to untrust drivers which were improperly certified.

 

Description CVE Disclosed Exploited Exploitability (old versions) current version Severity CVSS Base (AVG) CVSS Temporal (AVG) .NET and Visual Studio Elevation of Privilege Vulnerability %%cve:2023-33127%% No No - - Important 8.1 7.3 ASP.NET and Visual Studio Security Feature Bypass Vulnerability %%cve:2023-33170%% No No - - Important 8.1 7.3 Active Directory Federation Service Security Feature Bypass Vulnerability %%cve:2023-35348%% No No - - Important 7.5 6.5 Active Template Library Elevation of Privilege Vulnerability %%cve:2023-32055%% No No - - Important 6.7 5.8 Azure Active Directory Security Feature Bypass Vulnerability %%cve:2023-36871%% No No - - Important 6.5 6.0 Azure Service Fabric on Windows Information Disclosure Vulnerability %%cve:2023-36868%% No No - - Important 6.5 5.7 Connected User Experiences and Telemetry Elevation of Privilege Vulnerability %%cve:2023-35320%% No No - - Important 7.8 6.8 %%cve:2023-35353%% No No - - Important 7.8 6.8 Guidance on Microsoft Signed Drivers Being Used Maliciously ADV230001 No Yes - - None     HTTP.sys Denial of Service Vulnerability %%cve:2023-32084%% No No - - Important 7.5 6.5 %%cve:2023-35298%% No No - - Important 7.5 6.5 MediaWiki PandocUpload Extension Remote Code Execution Vulnerability %%cve:2023-35333%% No No - - Important 8.8 7.7 Microsoft ActiveX Remote Code Execution Vulnerability %%cve:2023-33152%% No No - - Important 7.0 6.1 Microsoft Defender Elevation of Privilege Vulnerability %%cve:2023-33156%% No No - - Important 6.3 5.5 Microsoft DirectMusic Information Disclosure Vulnerability %%cve:2023-35341%% No No - - Important 6.2 5.4 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability %%cve:2023-33171%% No No - - Important 8.2 7.1 %%cve:2023-35335%% No No - - Important 8.2 7.1 Microsoft Excel Information Disclosure Vulnerability %%cve:2023-33162%% No No - - Important 5.5 4.8 Microsoft Excel Remote Code Execution Vulnerability %%cve:2023-33158%% No No - - Important 7.8 6.8 %%cve:2023-33161%% No No - - Important 7.8 6.8 Microsoft Failover Cluster Information Disclosure Vulnerability %%cve:2023-32083%% No No - - Important 6.5 5.7 Microsoft Failover Cluster Remote Code Execution Vulnerability %%cve:2023-32033%% No No - - Important 6.6 5.8 Microsoft Guidance for Addressing Security Feature Bypass in Trend Micro EFI Modules ADV230002 No No Less Likely Less Likely Important     Microsoft Install Service Elevation of Privilege Vulnerability %%cve:2023-35347%% No No - - Important 7.1 6.2 Microsoft Message Queuing Denial of Service Vulnerability %%cve:2023-32044%% No No - - Important 7.5 6.5 %%cve:2023-32045%% No No - - Important 7.5 6.5 Microsoft Message Queuing Remote Code Execution Vulnerability %%cve:2023-32057%% No No - - Critical 9.8 8.5 %%cve:2023-35309%% No No - - Important 7.5 6.5 Microsoft ODBC Driver Remote Code Execution Vulnerability %%cve:2023-32038%% No No - - Important 8.8 7.7 Microsoft Office Elevation of Privilege Vulnerability %%cve:2023-33148%% No No - - Important 7.8 6.8 Microsoft Office Graphics Remote Code Execution Vulnerability %%cve:2023-33149%% No No - - Important 7.8 6.8 Microsoft Office Security Feature Bypass Vulnerability %%cve:2023-33150%% No No - - Important 9.6 8.3 Microsoft Outlook Remote Code Execution Vulnerability %%cve:2023-33153%% No No - - Important 6.8 5.9 Microsoft Outlook Security Feature Bypass Vulnerability %%cve:2023-35311%% No Yes - - Important 8.8 8.2 Microsoft Outlook Spoofing Vulnerability %%cve:2023-33151%% No No - - Important 6.5 5.7 Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability %%cve:2023-32039%% No No - - Important 5.5 4.8 %%cve:2023-32040%% No No - - Important 5.5 4.8 %%cve:2023-35324%% No No - - Important 5.5 4.8 %%cve:2023-32085%% No No - - Important 5.5 4.8 %%cve:2023-35296%% No No - - Important 6.5 5.7 %%cve:2023-35306%% No No - - Important 5.5 4.8 Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability %%cve:2023-35302%% No No - - Important 8.8 7.7 Microsoft Power Apps Spoofing Vulnerability %%cve:2023-32052%% No No - - Important 5.4 4.7 Microsoft SharePoint Remote Code Execution Vulnerability %%cve:2023-33157%% No No - - Critical 8.8 7.7 Microsoft SharePoint Server Remote Code Execution Vulnerability %%cve:2023-33134%% No No - - Important 8.8 7.7 %%cve:2023-33160%% No No - - Critical 8.8 7.7 Microsoft SharePoint Server Security Feature Bypass Vulnerability %%cve:2023-33165%% No No - - Important 4.3 3.8 Microsoft SharePoint Server Spoofing Vulnerability %%cve:2023-33159%% No No - - Important 8.8 7.7 Microsoft VOLSNAP.SYS Elevation of Privilege Vulnerability %%cve:2023-35312%% No No - - Important 7.8 6.8 Mono Authenticode Validation Spoofing Vulnerability %%cve:2023-35373%% No No - - Important 5.3 4.8 OLE Automation Information Disclosure Vulnerability %%cve:2023-32042%% No No - - Important 6.5 5.7 Office and Windows HTML Remote Code Execution Vulnerability %%cve:2023-36884%% Yes Yes - - Important 8.3 8.1 Paint 3D Remote Code Execution Vulnerability %%cve:2023-32047%% No No - - Important 7.8 6.8 %%cve:2023-35374%% No No - - Important 7.8 6.8 Raw Image Extension Remote Code Execution Vulnerability %%cve:2023-32051%% No No - - Important 7.8 6.8 Remote Procedure Call Runtime Denial of Service Vulnerability %%cve:2023-33166%% No No - - Important 6.5 5.7 %%cve:2023-33167%% No No - - Important 6.5 5.7 %%cve:2023-33168%% No No - - Important 6.5 5.7 %%cve:2023-33169%% No No - - Important 6.5 5.7 %%cve:2023-33172%% No No - - Important 6.5 5.7 %%cve:2023-33173%% No No - - Important 6.5 5.7 %%cve:2023-32034%% No No - - Important 6.5 5.7 %%cve:2023-32035%% No No - - Important 6.5 5.7 %%cve:2023-35314%% No No - - Important 6.5 5.7 %%cve:2023-35318%% No No - - Important 6.5 5.7 %%cve:2023-35319%% No No - - Important 6.5 5.7 %%cve:2023-33164%% No No - - Important 6.5 5.7 Remote Procedure Call Runtime Information Disclosure Vulnerability %%cve:2023-35316%% No No - - Important 6.5 5.7 Remote Procedure Call Runtime Remote Code Execution Vulnerability %%cve:2023-35300%% No No - - Important 8.8 7.7 USB Audio Class System Driver Remote Code Execution Vulnerability %%cve:2023-35303%% No No - - Important 8.8 7.7 VP9 Video Extensions Information Disclosure Vulnerability %%cve:2023-36872%% No No Less Likely Less Likely Important 5.5 4.8 Visual Studio Code GitHub Pull Requests and Issues Extension Remote Code Execution Vulnerability %%cve:2023-36867%% No No - - Important 7.8 7.0 Volume Shadow Copy Elevation of Privilege Vulnerability %%cve:2023-32054%% No No - - Important 7.3 6.4 Win32k Elevation of Privilege Vulnerability %%cve:2023-35337%% No No - - Important 7.8 6.8 Windows Active Directory Certificate Services (AD CS) Remote Code Execution Vulnerability %%cve:2023-35350%% No No - - Important 7.2 6.3 %%cve:2023-35351%% No No - - Important 6.6 5.8 Windows Admin Center Spoofing Vulnerability %%cve:2023-29347%% No No Less Likely Less Likely Important 8.7 7.6 Windows Authentication Denial of Service Vulnerability %%cve:2023-35329%% No No - - Important 6.5 5.7 Windows CDP User Components Information Disclosure Vulnerability %%cve:2023-35326%% No No - - Important 5.5 4.8 Windows CNG Key Isolation Service Elevation of Privilege Vulnerability %%cve:2023-35340%% No No - - Important 7.8 6.8 Windows Clip Service Elevation of Privilege Vulnerability %%cve:2023-35362%% No No - - Important 7.8 6.8 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability %%cve:2023-33155%% No No - - Important 7.8 6.8 Windows Common Log File System Driver Elevation of Privilege Vulnerability %%cve:2023-35299%% No No - - Important 7.8 6.8 Windows CryptoAPI Denial of Service Vulnerability %%cve:2023-35339%% No No - - Important 7.5 6.5 Windows Cryptographic Information Disclosure Vulnerability %%cve:2023-33174%% No No - - Important 5.5 4.8 Windows DNS Server Remote Code Execution Vulnerability %%cve:2023-35344%% No No - - Important 6.6 5.8 %%cve:2023-35345%% No No - - Important 6.6 5.8 %%cve:2023-35346%% No No - - Important 6.6 5.8 %%cve:2023-35310%% No No Less Likely Less Likely Important 6.6 5.8 Windows Deployment Services Denial of Service Vulnerability %%cve:2023-35321%% No No - - Important 6.5 5.7 Windows Deployment Services Remote Code Execution Vulnerability %%cve:2023-35322%% No No - - Important 8.8 7.7 Windows Error Reporting Service Elevation of Privilege Vulnerability %%cve:2023-36874%% No Yes - - Important 7.8 6.8 Windows Extended Negotiation Denial of Service Vulnerability %%cve:2023-35330%% No No - - Important 7.5 6.5 Windows Geolocation Service Remote Code Execution Vulnerability %%cve:2023-35343%% No No - - Important 7.8 6.8 Windows Image Acquisition Elevation of Privilege Vulnerability %%cve:2023-35342%% No No - - Important 7.8 6.8 Windows Installer Elevation of Privilege Vulnerability %%cve:2023-32050%% No No - - Important 7.0 6.1 %%cve:2023-32053%% No No - - Important 7.8 6.8 Windows Kernel Elevation of Privilege Vulnerability %%cve:2023-35356%% No No - - Important 7.8 6.8 %%cve:2023-35357%% No No - - Important 7.8 6.8 %%cve:2023-35358%% No No - - Important 7.8 6.8 %%cve:2023-35360%% No No - - Important 7.0 6.1 %%cve:2023-35361%% No No - - Important 7.0 6.1 %%cve:2023-35363%% No No - - Important 7.8 6.8 %%cve:2023-35364%% No No - - Important 8.8 7.7 %%cve:2023-35304%% No No - - Important 7.8 6.8 %%cve:2023-35305%% No No - - Important 7.8 6.8 Windows Layer-2 Bridge Network Driver Information Disclosure Vulnerability %%cve:2023-32037%% No No - - Important 6.5 5.7 Windows Layer-2 Bridge Network Driver Remote Code Execution Vulnerability %%cve:2023-35315%% No No - - Critical 8.8 7.7 Windows Local Security Authority (LSA) Denial of Service Vulnerability %%cve:2023-35331%% No No - - Important 6.5 5.7 Windows MSHTML Platform Elevation of Privilege Vulnerability %%cve:2023-32046%% No Yes - - Important 7.8 6.8 Windows MSHTML Platform Security Feature Bypass Vulnerability %%cve:2023-35336%% No No - - Important 6.5 5.7 %%cve:2023-35308%% No No - - Important 6.5 5.7 Windows Netlogon Information Disclosure Vulnerability %%cve:2023-21526%% No No - - Important 7.4 6.4 Windows Network Load Balancing Remote Code Execution Vulnerability %%cve:2023-33163%% No No - - Important 7.5 6.5 Windows OLE Remote Code Execution Vulnerability %%cve:2023-35323%% No No - - Important 7.8 6.8 Windows Online Certificate Status Protocol (OCSP) SnapIn Remote Code Execution Vulnerability %%cve:2023-35313%% No No - - Important 7.8 6.8 Windows Partition Management Driver Elevation of Privilege Vulnerability %%cve:2023-33154%% No No - - Important 7.8 6.8 Windows Peer Name Resolution Protocol Denial of Service Vulnerability %%cve:2023-35338%% No No - - Important 7.5 6.5 Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability %%cve:2023-35297%% No No - - Critical 7.5 6.5 Windows Print Spooler Information Disclosure Vulnerability %%cve:2023-35325%% No No - - Important 7.5 6.5 Windows Remote Desktop Protocol Security Feature Bypass %%cve:2023-35332%% No No - - Important 6.8 5.9 Windows Remote Desktop Security Feature Bypass Vulnerability %%cve:2023-32043%% No No - - Important 6.8 5.9 %%cve:2023-35352%% No No - - Critical 7.5 6.5 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability %%cve:2023-35365%% No No - - Critical 9.8 8.5 %%cve:2023-35366%% No No - - Critical 9.8 8.5 %%cve:2023-35367%% No No - - Critical 9.8 8.5 Windows Server Update Service (WSUS) Elevation of Privilege Vulnerability %%cve:2023-35317%% No No - - Important 7.8 6.8 %%cve:2023-32056%% No No - - Important 7.8 6.8 Windows SmartScreen Security Feature Bypass Vulnerability %%cve:2023-32049%% No Yes - - Important 8.8 8.2 Windows Transaction Manager Elevation of Privilege Vulnerability %%cve:2023-35328%% No No - - Important 7.8 6.8 Windows Update Orchestrator Service Information Disclosure Vulnerability %%cve:2023-32041%% No No - - Important 5.5 4.8 Windows Win32k Elevation of Privilege Vulnerability %%cve:2023-21756%% No No Less Likely Less Likely Important 7.8 6.8 (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

 

Safari 16.5.1 iOS 16.5.1 and iPadOS 16.5.1 iOS 15.7.7 and iPadOS 15.7.7 macOS Ventura 13.4.1 macOS Monterey 12.6.7 macOS Big Sur 11.7.8 watchOS 9.5.2 watchOS 8.8.1 CVE-2023-32439 [critical] ChatGPT-CVSS: 7.8 *** EXPLOITED *** WebKit
A type confusion issue was addressed with improved checks.
Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. x x x x         CVE-2023-32434 [important] ChatGPT-CVSS: 9.0 *** EXPLOITED *** Kernel
An integer overflow was addressed with improved input validation.
An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.   x x x x x x x CVE-2023-32435 [critical] ChatGPT-CVSS: 8.0 *** EXPLOITED *** WebKit
A memory corruption issue was addressed with improved state management.
Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.     x          

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

A long time ago, I created a Docker container with all Didier's tools and called it DSSuite[1]. Didier is updating his toolbox regularly with new releases or brand-new ones. It was time to update the container. I also fixed broken dependencies (some Python libraries were missing).

How to use it?

$ docker pull rootshell/dssuite:latest $ docker run -it --rm -v $(pwd):/malware rootshell/dssuite oledump.py sample.vir A: word/vbaProject.bin  A1:       420 'PROJECT'  A2:        68 'PROJECTwm'  A3: M   32862 'VBA/AutoOpen'  A4: m     938 'VBA/ThisDocument'  A5:      2626 'VBA/_VBA_PROJECT'  A6:       570 'VBA/dir'

Enjoy!

[1] https://isc.sans.edu/diary/DSSuite+A+Docker+Container+with+Didiers+Tools/24926

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

An Intrustion Detection System (IDS) can be helpful to identify suspicious activity. The information recieved from these tools needs to be tuned to the environment so the tool can highlight what is unusual. When looking at honeypot data, it is anticipated to see internet scanners and malicious traffic. What's the point of looking at IDS data for a honeypot? Well, it can be useful to test and IDS or compare different IDS tools. In my lab environment, network data is captured and analyzed with Suricata[1] (via Corelight[2]) and is also behind a Palo Alto[3] firewall.

Figure 1: Example Dashboard of Suricata IDS data

Figure 2: Example Dashboard of Palo Alto threat data

Suricata Data

Let's take a look at the last three (3) months of Suricata alert data. The data is split up into categories and signatures.

alert.signature alert.category Count Percentage ET DROP Dshield Block Listed Source group 1 Misc Attack 144228 30.16% ET DROP Dshield Block Listed Source group 1 Unknown Classtype 54374 16.28% ET SCAN Potential SSH Scan Attempted Information Leak 22889 8.19% ET SCAN MS Terminal Server Traffic on Non-standard Port Attempted Information Leak 14903 5.81% ET INFO SSH-2.0-Go version string Observed in Network Traffic - Inbound Misc activity 6572 2.72% GPL TELNET Bad Login Potentially Bad Traffic 6066 2.58% ET SCAN Potential SSH Scan Unknown Classtype 4287 1.87% ET INFO SSH-2.0-Go version string Observed in Network Traffic - Inbound Unknown Classtype 3929 1.75% ET CINS Active Threat Intelligence Poor Reputation IP group 84 Misc Attack 3363 1.52% ET SCAN Suspicious inbound to MSSQL port 1433 Potentially Bad Traffic 3315 1.52% GPL TELNET Bad Login Unknown Classtype 3016 1.41% ET 3CORESec Poor Reputation IP group 18 Misc Attack 2767 1.31% ET CINS Active Threat Intelligence Poor Reputation IP group 81 Misc Attack 2701 1.30% ET CINS Active Threat Intelligence Poor Reputation IP group 83 Misc Attack 2514 1.22% ET SCAN Sipvicious Scan Attempted Information Leak 2448 1.20% ET SCAN Sipvicious User-Agent Detected (friendly-scanner) Attempted Information Leak 2420 1.21% ET CINS Active Threat Intelligence Poor Reputation IP group 78 Misc Attack 2305 1.16% ET 3CORESec Poor Reputation IP group 17 Misc Attack 2263 1.15% ET CINS Active Threat Intelligence Poor Reputation IP group 77 Misc Attack 2113 1.09% ET 3CORESec Poor Reputation IP group 19 Misc Attack 1997 1.04%

Figure 3: Suricata Top 20 Signatures

We see a variety of alerts related to Emerging Threats (ET) [4] and many of these are related to DShield honeypot data [5]. This is not a big surprise in this case since this data is directly generated from DShield honeypot traffic. Collective Intelligence Network Security (CINS) entries are also similar using a variety of network sensors and other network data to generate their reputation lists. Some consumers of this data may simply user these signatures to block suspicious sources when using Suricata or other products as an Intrusion Prevention System (IPS).

Looking at this list, we can see a few items of note:

• Potential SSH Scan
• MS Terminal Server Traffic on Non-Standard Port
• TELNET Bad Login
• Suspicious Inbound to MSSQL port 1433
• Sipvicious Scan
• Sipvicious User-Agent Detected (friendly-scanner)

SSH and telnet attacks are very common and anticipated. How about the least common signatures seen?

 Suricata alert.signature Suricata alert.category Count Percentage ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x02 Unknown Classtype 1 0.00% ET DROP Spamhaus DROP Listed Traffic Inbound group 10 Unknown Classtype 1 0.00% ET DROP Spamhaus DROP Listed Traffic Inbound group 12 Unknown Classtype 1 0.00% ET DROP Spamhaus DROP Listed Traffic Inbound group 13 Unknown Classtype 1 0.00% ET DROP Spamhaus DROP Listed Traffic Inbound group 14 Misc Attack 1 0.00% ET DROP Spamhaus DROP Listed Traffic Inbound group 17 Unknown Classtype 1 0.00% ET DROP Spamhaus DROP Listed Traffic Inbound group 7 Unknown Classtype 1 0.00% ET DROP Spamhaus DROP Listed Traffic Inbound group 8 Misc Attack 1 0.00% ET EXPLOIT AVTECH Authenticated Command Injection in CloudSetup.cgi Attempted Information Leak 1 0.00% ET EXPLOIT AVTECH Unauthenticated Command Injection in DVR Devices Attempted Information Leak 1 0.00% ET EXPLOIT Apache HTTP Server 2.4.49 - Path Traversal Attempt (CVE-2021-41773) M1 Attempted Administrator Privilege Gain 1 0.00% ET EXPLOIT F5 TMUI RCE vulnerability CVE-2020-5902 Attempt M1 Attempted Administrator Privilege Gain 1 0.00% ET EXPLOIT Fortra MFT Deserialization Remote Code Execution Attempt (CVE-2023-0669) M3 A Network Trojan was detected 1 0.00% ET EXPLOIT HiSilicon DVR - Application Credential Disclosure (CVE-2018-9995) Attempted Administrator Privilege Gain 1 0.00% ET EXPLOIT Linksys E-Series Device RCE Attempt Attempted Administrator Privilege Gain 1 0.00% ET CINS Active Threat Intelligence Poor Reputation IP group 52 Misc Attack 530 0.11% ET EXPLOIT Possible Vacron NVR Remote Command Execution Unknown Classtype 1 0.00% ET CINS Active Threat Intelligence Poor Reputation IP group 93 Misc Attack 529 0.11% ET MALWARE BPFDoor V2 UDP Magic Packet Inbound A Network Trojan was detected 1 0.00% ET DROP Spamhaus DROP Listed Traffic Inbound group 3 Misc Attack 529 0.11%

Figure 4: Top 20 least common Suricata signatures

These are a bit more interesting that may call for further investigation since they're less seen, even for a device we anticipate to be attacked regularly.

Palo Alto Data

Now digging into the last three (3) months of Palo Alto Threat log data.

Palo Alto Threat Signature Count Percentage SSH2 Login Attempt 788446 83.97% Suspicious HTTP Evasion Found 29816 3.18% Non-RFC Compliant TELNET Traffic on Port 23 28997 3.09% SSH2 Failed Login Attempt 18040 1.92% SSH User Authentication Brute Force Attempt 15273 1.63% Compromised username found in inbound Telnet login 8881 0.95% Ncrack RDP scan 6062 0.65% SIPVicious Scanner Detection 5410 0.58% Possible HTTP Malicious Payload Detection 4300 0.46% Suspicious File Downloading Detection 3395 0.36% Suspicious TLS Evasion Found 3380 0.36% LinkSys E-series Routers Remote Code Execution Vulnerability 3057 0.33% Microsoft Communicator INVITE Flood Denial of Service Vulnerability 2207 0.24% ZGrab Application Layer Scanner Detection 1993 0.21% Non-RFC Compliant DNS Traffic on Port 53/5353 1631 0.17% ELF File 1263 0.13% DNS ANY Request 1159 0.12% DER Encoded X509 Certificate 1023 0.11% Hypertext Preprocessor PHP File 907 0.10% trojan/Linux.mirai.dxxe 814 0.09%

Figure 5: Top 20 most common Palo Alto threats

These threats are more specific and not necessarily related to a particular threat list/feed. Let's take a look at the least common threats.

Palo Alto Signature Count Percentage DoS/Linux.xorddos.c 1 0.00% GTPv1-C Create PDP Context Request Message 1 0.00% Tunneling:zhangsh08.com 1 0.00% BZIP2 2 0.00% Bash Remote Code Execution Vulnerability 2 0.00% JavaServer Pages JSP File 2 0.00% Kolibri WebServer HTTP GET Request Buffer Overflow Vulnerability 2 0.00% Shellshock Bash Remote Code Execution Vulnerability 2 0.00% Suspicious or malformed HTTP Referer field 2 0.00% TP-Link Archer Router Command Injection Vulnerability 2 0.00% Virus/Linux.WGeneric.dymlyv 2 0.00% Virus/Linux.WGeneric.dyoqem 2 0.00% Virus/Linux.WGeneric.dypncj 2 0.00% Windows Executable 2 0.00% new:ap-5590.com 2 0.00% new:nar7878.com 2 0.00% new:qphgcrh.cn 2 0.00% Encrypted ZIP 3 0.00% Non-RFC Compliant HTTP Traffic on Port 80 3 0.00% ASUS/Netcore Router Default Credential Remote Code Execution Vulnerability 4 0.00%

Figure 6: Top 20 least common Palo Alto Threats

Comparing Attack Data and Signatures

There was only one "ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x02" signature alert, which should give some good data points to pivot with.

Figure 7: Suricata alert data for Possible NTP DDoS attack

Looking into the Palo Alto data, the traffic logs are seen that may correlate, but no specific threat data showed up in the collected logs.

Figure 8: Traffic logs from Palo Alto nearest to Suricata alert

Luckily, I also collect full PCAPs of my honeypot using tcpdump. While there have been issues noted with some of these captures in the past[7], it can be useful in just these kinds of sutations since no additional information is logged directly by the honeypot itself.

Figure 9: PCAP data that generated Suricata alert

Since we have the full packet capture, we can also compare this with the Suricata rule [8].

alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x02"; content:"|00 02 2A|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; classtype:attempted-dos; sid:2017918; rev:2;)

The rule appears to be from late 2017, but for whatever reason this information wasn't logged by the Palo Alto. There could be several reasons for this, like any tool:

• Palo Alto did not have this traffic content identified as an alert on the day/time of the event
• This may have not been deemed suspicious traffic by Palo Alto
• Information was not logged properly
• Resource contraints caused problems processing or storing the data
• The Suricata rule may not be accurate

An IDS can help identify traffic of interest, but must be tailored to the environment. In addition, different tools have different results. Testing your tools by replicating traffic of interest can help identify whether they work as desired. This is also an interesting comparison between different tools, of which Suricata has more community supplied content. Community supplied rules may not always be accurate, although that does not mean this was the case in the last NTP example.

[1] https://suricata.io/
[2] https://corelight.com/
[3] https://www.paloaltonetworks.com/
[4] https://rules.emergingthreats.net/open/suricata-5.0/
[5] https://www.dshield.org/block.txt
[6] https://cinsarmy.com/active-threat-intelligence/
[7] https://isc.sans.edu/diary/Network+Data+Collector+Placement+Makes+a+Difference/29664
[8] https://github.com/seanlinmt/suricata/blob/master/files/rules/emerging-dos.rules

--
Jesse La Grew
Handler

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

In diary entry "Deobfuscating a VBS Script With Custom Encoding", I decoded a reader submitted VBS script with custom encoding of the payload.

Here is the command to extract the encoded payload:

In my previous diary entry, I figured out how to decode this payload by reversing the VBS decoding routine.

In this diary entry, I will show you how to figure out which encoding method that was used through statistical analysis. This can be useful if you don't have access to the decoding routine.

First, I pipe the encoded string into my byte-stats.py tool. This tool calculates many statistical values for the data it receives as input (it handles the input as a stream of bytes):

I can see that there are only 26 unique values. All printable, and the most prevalent are uppercase letters. With option -r, I can generate a range of values:

So the encoded payload consists of all the uppercase letters, and nothing else.

26 values is not enough to encode a payload like a VBS script (unless the script is very short).

As 26 is not enough, the encoding must use more than one letter to encode a character.

I will start with a simple hypothesis: 2 letters are used to encode a single character. 2 letters gives use 26 * 26 = 676 possibilities, that's more than enough to encode each possible byte value (256 distinct values). I will call such a pair of 2 letters a token.

My tool python-per-line.py can be used to split the payload into tokens of 2 letters. This is done with Python function Chunkify, one of the functions defined by python-per-line.py.

I use it like this (headtail.py is used to limit the output to a single screenshot):

So python-per-line.py applies the given Python expression to each line of input it receives. Variable line contains a line of the text input file, Python expression Chunkify(line, 2) splits the line into a list of strings that are 2 characters long. When a Python expression returns a list in stead of a string, python-per-line.py will print each item of the list on a separate line.

After tokenizing the payload into 2 characters-long tokens, I want to calculate the frequency of each token. This can be done with my tool count.py. count.py takes text files as input, and calculates the frequency of each line (how many times each line appears). Option -t (totals) produces some extra statistics:

Since each token appears on a single line, the output of count.py gives us statistics for the tokens.

unique,256: this means that there are 256 unique tokens. That's already very useful information to help with the decoding, because 256 is exactly the number of unique values a single byte can have. Thus it is indeed possible in this case, that 2 letters are used to encode a single byte.

singles,189: this means that out of the 256 unique tokens, there are 189 unique tokens that appear just once.

multiples,67: this means that out of the 256 unique tokens, there are 67 unique tokens that appear more than once.

total,1009: there are 1009 tokens in total.

And I can also see that token EK appears only once and that token IZ is the most frequent, it appears 66 times.

To translate tokens into byte values, we need a translation table. For example, token AA could represent byte value 0x00, token AB could represent byte value 0x01, and so on ...

But that's not the case here, since token AA does not appear in the payload.

The translation table can be stored inside the decoding routine or it can be stored inside the payload itself. Since the payload is encoding a VBS script, it is very unlikely that all possible byte values are present in the unencoded script (for example, most control characters will not be used). Thus if the encoded payload would not contain a translation table, we would no see all 256 possible tokens. Since we do see all 256 possible tokens in this payload, I'm going to work with the hypothesis that the payload contains a translation table.

First test I will make, is check if the translation table is stored first in the encoded payload. So I select the first 256 tokens ([:256]) and calculate statistics:

That's more good news: the first 256 tokens only appear once. So this could be a translation table. Let's check the remaining tokens (e.g., the tokens that follow the first 256 tokens):

And here we only have 67 unique tokens: so it's likely that the first 256 tokens define the translation table, and the remainder is the encoded payload.

The tokens that appear the most freqently are: IZ, GC, OC.

Let's see how we can translate these.

So this is our translation table:

Token EK is the first in the translation table, and RK is the last one. Again, I'll work with a simple hypothesis: that the list of tokens in the translation table is just sequential: that EK represents byte value 0x00, TT value 0x01, and finaly, that RK represents byte value 0xFF (255).

I will use Python's enumerate function to prefix each token with its index:

And one more step, I will also add the ANSI representation (chr(index)):

So with my hypothesis, for example, token WK represents byte value 0x09 and that's the TAB character.

Let's grep for the most prevalent tokens (IZ, GC, OC)

So the most prevalent tokens represent letter e, the space character, and letter r. Which is more or less in line with the prevalence of characters in English texts (and by extension, scripts).

What rests me to do, is write a decoding routine, and that is what I did in my previous diary entry.

To summarize: this encoding method was rather simple, as it confirmed simple hypotheses. A token is a pair of 2 uppercase letters, each token represents a byte value, the first 256 tokens of the encoded payload define the translation table, the translation table is sequential, the remainder of the encoded payload is the encoded script.

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

After 6 years, I have returned to the world of operating technologies. One of my main concerns at that time regarding the use of new technologies was to seek access control via the network to the different devices that make it up, because unlike the world of information technologies where access is sought to be widespread and there are multiple ways to perform access control at the application and network level, the world of industrial control has limitations depending on the version of the supervision and control protocols that are supported.

This cybersecurity requirement is mandatory for sectors such as electricity under the active standards NERC CIP-003-8 and NERC CIP-005-7. The suggested architecture to implement is based on the Purdue Enterprise Reference Architecture taken for the SANS ICS410 course, which we can see in figure 1. Its components are:

Figure 1: SANS ICS410 reference model based on Purdue Enterprise Reference Architecture.

Let's discuss the details for each level:

PURDUE LEVEL DESCRIPTION EXAMPLES

Level 5: Enterprise Networks

Services at the corporate level that assist specific business divisions and individual users. Typically, these systems are housed within the company's data centers.

Servers providing:

• Active Directory (AD)
• Internal email
• Corporate Billing System
• Real-time Backup solutions

Level 4: Business Networks

Information technology networks specifically tailored for business users at localized sites. These networks provide connection to the enterprise's wide area network (WAN) and may also allow local internet access. However, direct internet access should not be granted beyond this level.

• IT workstations
• File and print servers (We should only have print servers, but unfortunately there are still lots of file servers out there)
• Phone systems
• Backup Active Directory

IT/OT BOUNDARY (DMZ)

Level 3: 

Site-Wide Supervisory

Monitoring, supervisory, and operational support for all or part of the regions covered by the company

• Engineering workstations
• Human to machine interfaces (HMIs)
• Data lake systems for analytics
• Historians

Level 2: Local Supervisory

Observation and managerial oversight for an individual process, cell, line, or a Distributed Control System (DCS) solution. Processes should be segregated based on function, type, or risk, ensuring they remain distinct from each other.

• HMIs
• Historians
• Local Control room

Level 1: Local Controllers

Apparatus and systems designed to offer automated regulation of a process, cell, line, or a Distributed Control System (DCS) solution. Contemporary Industrial Control System (ICS) solutions frequently integrate Levels 1 and 0.

• Programmable Logic Controllers (PLCs)
• Control processors
• Remote terminal units (RTUs)
• Specific process microcontrollers

Level 0: Field Devices

Sensors and actuators utilized in the cell, line, process, or DCS solution. These are frequently amalgamated with Level 1.

• Sensors and actuators
• Smart sensors/actuators speaking fieldbus protocols
• Intelligent Electronic Devices (IEDs)
• Industrial Internet-of-Things (IIoT) devices
• Communications gateways

Figure 2: Purdue Enterprise Reference Architecture description

Why am I talking about this? I did some research on shodan and found the following:

• I found a universe of 499 open-access HMI. This means attackers can get full view of an ICS process from the internet with no restriction. The following chart shows the country distribution:

Figure 3: Top countries with HMI published to the internet.

• For all those HMI published to the Internet, almost half uses VNC without authentication:

Figure 4: Top HMI publisher applications to the internet

• I found a universe of 25234 Modbus RTU devices published on the internet. The following chart shows the country distribution:

Figure 5: Top countries with modbus RTU devices published to the Internet

Now we can conclude the following:

• The relevant gap continues in the security measures found for IT vs. those found in OT. It is important that companies that have critical infrastructure management within their business establish a transversal cybersecurity strategy that manages all types of technology, including OT.
• The cloud is here to stay. It is definitely feasible to implement SCADA systems using cloud environments. However, the electronic protection of supervisory and control environments as established by standards such as the revised NERC ones is not negotiable.

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter: @manuelsantander
Mastodon:manuelsantander@infosec.exchange
Linkedin:manuelsantander
email:msantand@isc.sans.org

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Agentless Linux security with unmatched speed and reliability

Sandfly Security, headquartered in New Zealand (where they know sandflies all to well), refers to itself as such because they’re like sandflies: they relentlessly bug and discourage intruders, deploying like a swarm onto endpoints, then disappear only to return again and again. Theses swarms of checks make life miserable for hackers on Linux hosts while minimizing system impact. I’ve been following Sandfly’s Craig Rowland on Twitter for awhile with the intent of giving Sandlfy a look for toolsmith, and in the time I’ve kept watch, the offering has grown into a comprehensive and robust platform for Linux security.

Please note that Sandfly Security is a commercial platform that includes a free offering. My coverage of Sandfly is unsolicitated, and not compensated in anyway, but Craig did provide me with a professional license for a more comprehensive testing opportunity. The free license enables you to protect up to 50 hosts with 5 user accounts. The team created Sandfly with understanding of the limitations of conventional endpoint products. “A novel agentless method ensures security while monitoring and responding to threats across Linux systems without the risks associated with endpoint agents.” (Sandfly, 2023) The time was right for a Sandfly review in keeping with the v4.5.0 release. Sandfly 4.5.0 includes a massive capability upgrade with a new expression language syntax. This upgrade greatly expands how agentless threat hunting and incident response modules can be used to protect Linux, and includes:

• New expression language syntax allows rapid and wider creation of custom threat hunting sandflies for customers
• All built-in modules have been reviewed and depth of coverage for Linux threats broadened
• Expanded CPU support to cover IBM POWER8, 9 and 10 processors (Sandfly, 2023)

Please note that Sandfly Security is ridiculously well documented, every step I describe here is already provided in great detail via Documentation. As always, my goal is to pique your interest: protect your Linux hosts, people!

I took the easiest path for my Sandfly Server deployments and made use of the Digital Ocean preconfigured droplet image sandflysecurity450onubuntu2204. Instructions to do so are simple and straightforward, I was up and running quite quickly. While a production instance would likely include Dockerized servers and nodes, this setup includes server and node in one installation. The Sandfly UI has a common and comfortable feel to it and is intuitive and simple.

Figure 1: Sandfly UI

Craig provided me with a target range for testing, to connect to it I was required to go through a jump host so my order of configuration was Add Credentials, Add Jump Host, then Add Host. Once complete, all hosts were added to the queue, complete with authentication, and ready for a new manual scan.

Figure 2: Sandfly Manual Scan

After you select target hosts, you have many choices for available Sandflies. These include Sandflies that are templated, or specific to incidents, directories, files, processes, logs, policy, and recon: 1168 Sandflies in total per the CSV I exported from the UI to assess my options. For this set of targets 587 Sandflies were made ready for me, I selected them all, and let fly. ;-) This sent my scan to the Task Queue and quickly produced findings in the Results menu inclusive of Results by Host, Results by Sandfly, or an all encompassing Results view.

Figure 3: Sandfly Results by Host

Of immediate interest to me was zero errors and minimal CPU load. The agentless approach really does offer significant advantage. Recognizing that we threw all available Sandflies at these hosts, the result was as many as 510 alerts for a single host. Given, these hosts are the Sandfly equivalent of Metasploitable for testing purposes, but I chose to spend time with a host with fewer alerts to zoom in with effect: fr08-d-user (10.124.32.5). I was intrigued with the SSH Hunter feature and immediately ran down that rabbit hole with this host. Using Host Investigation under the SSH Hunter menu, I found fr08-d-user immediately and noted that it was red flagged for duplicate key entries.

Figure 4: Sandfly Host Investigation

With the duplicate key entries finding I jumped back to Result by Host for fr08-d-user and zoomed in on the policy_user_ssh_authorized_keys_duplicates_found Sandfly. The Results Detail view for this alert (Result 2992) was one of the more rich, hunter-centric results and made my inner security analyst extremely happy. Please note that, via Raw Data, JSON data for each alert can be accessed. Automation, message topics, correlation, oh my!

Figure 5: Sandfly Result Detail

I love the Sandfly Hunter Data Points as well. This is easily another rabbit hole to run down, which I did so exploring a different alert, specifically process_deleted. Result 3085 stated that “the process name ‘killdemoprocess’ with PID ‘13311’ binary has been deleted from the disk but it is still running at ‘/tmp/killdemoprocess’. This could be a malicious program still resident in memory and trying to hide from the file system.” Note also the T1070.004 tag, aka the MITRE ATT&CK technique reference for Indicator Removal: File Deletion. You’ll find such tagging and labeling throughout the platform, enabling additional immediate insights and a direct connection to well defined industry standards. Scrolling through the related Sandfly Hunter Data Points, I settled on process.hash.sha1 and hit Search.

Figure 6: Sandfly Hunder Data Points

What!? This same process is running on other victim systems? Whodda thunk. ;-) This is a pivoting hunter’s paradise.

If I were still in the business of security operations and caring for Linux systems, Sandfly Security would absolutely be front and center in my defender’s arsenal. This offering, quite candidly, exceeded my expectations. I expected great, it’s even better. Well done to Craig and team! Grab yourself a free license, put it to use for a small deployment, and spend way more time testing the boundaries of this platform than I did. And seriously, read the documentation; to call this a “tip of the iceberg” review is an understatement. There’s profound capability awaiting you with this platform.

Cheers…until next time.

Russ McRee | @holisticinfosec | infosec.exchange/@holisticinfosec | LinkedIn.com/in/russmcree

References

Sandfly Security. (2023, March 17). Our Story. Sandfly Security - Agentless Linux Security and EDR. https://sandflysecurity.com/about-us/our-story/

Sandfly Security (2023, June 12). Sandfly 4.5.0 - powerful new expression syntax. Sandfly Security - Agentless Linux Security and EDR. https://sandflysecurity.com/blog/sandfly-4-5-0-powerful-new-expression-syntax/

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

The SANS Internet Storm Center (ISC) developed the DShield pfSense client in 2017 [1] to support the ingestion of pfSense firewall logs into the DShield project. The pfSense project has also evolved over the years, with some changes in the offerings [2]. With the advent of pfSense Community Edition (CE) 2.7.0 [3, 4] and pfSense Plus 23.01, updates to the DShield client were required to fix unintended issues.

I am pleased to share that the DShield pfSense client has been updated and tested to be working* with pfSense CE 2.7.0 Release Candidate (RC) (just in time before pfSense CE 2.7.0-RELEASE is released on the targeted date of June 29, 2023), pfSense Plus 23.01-RELEASE as well as pfSense CE 2.6.0-RELEASE. To take a look at the DShield pfSense client, please visit the GitHub repository here [5]. If you are a pfSense user and would like to participate in the DShield project, please refer to my previous diary [6] for the steps required to set it up.

[* This release would not have been made possible without the understanding and support of my employers (JT Consultancy & Management Pte. Ltd. and ASSET Research Group) that kindly allowed me to work on this quickly to resolve issues faced by the DShield pfSense users. I would also like to thank my colleagues, Hamilton Chan and Yong Xian Ng, for their kind assistance and support rendered in this release.]

References:
1. https://github.com/jullrich/dshieldpfsense/commit/13a891e5ba4ee86c3a35fea4dcda24cf8107e39b
2. https://www.netgate.com/blog/announcing-pfsense-plus
3. https://www.netgate.com/blog/pfsense-rc-2.7.0-and-23.05.1
4. https://www.netgate.com/blog/pfsense-2.7.0-and-23.05
5. https://github.com/jullrich/dshieldpfsense
6. https://isc.sans.edu/diary/27240

-----------
Yee Ching Tok, Ph.D., ISC Handler
Personal Site
Mastodon
Twitter

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Introduction

On Monday 2023-06-26, I received an email in one of my honeypot accounts, and the email led to a loader-based infection for Remcos RAT.  The loader seems to be a GuLoader- or ModiLoader (DBatLoader)-style malware, but it's not like the GuLoader or ModiLoader samples I've run across so far.  Today's diary reviews the infection chain that ultimately led to Remcos RAT traffic on Monday 2023-06-26.

Shown above:  Flow chart for the loader-style infection for Remcos RAT on Monday 2023-06-26.

Images From the Infection

Shown above:  Both the email and the attached PDF document have the same link for a malicious zip archive.

Shown above:  The link led to an Adobe page hosting the malicious zip archive.  It's been taken off-line and is no longer active.

Shown above:  The downloaded, password-protected zip archive contains a decoy audio file and a malicious Windows shortcut.

Shown above:  Malicious .vbs file ran in the background, while a decoy PDF file appeared on my lab host's desktop.

Shown above:  Traffic from the infection filtered in Wireshark.

Shown above:  The Remcos RAT C2 server viewed in a web browser.

Shown above:  Windows registry updates that made the loader persistent on the infected host.

Shown above:  A closer look at one of the Windows registry updates.

Indicators of Compromise (IOCs)

Select email headers:

Received: from [23.106.121[.]131]    by mail.tasekmaju[.]com[.]my; Mon, 26 Jun 2023 12:20:26 +0800
Received: from 103.1.151[.]84 (EHLO mail.tasekmaju[.]com[.]my)
From: IM Zernoff SRL<ar@gbwhotel[.]com[.]my>
Subject: RE: RFQ No. 41 26_06_2023
Date: 26 Jun 2023 12:20:25 UTC
Message-ID: <20230626050534.1C6FDEBC3DC87BEE@gbwhotel[.]com[.]my>

Malware/artifacts from an infection:

SHA256 hash: 29c766c8910fa35b76bdea7738e32f51fc063bc01e8f557c1f309a4b07c47733

File size: 48,392 bytes
File name: RFQ No 41 26_06_2023.pdf
File description: email attachment, a PDF file with link to Adobe-hosted page for malicious zip archive
Note: Link in this PDF file is the same link seen in the email message text

SHA256 hash: 1d030984aa406ff1a05c1d42e67455b79665d50ea98f49713b1fd21887b7b2eb

File size: 6,922,238 bytes
File name: RFQ No 41 26_06_2023.zip
File location: hxxps://acrobat.adobe[.]com/id/urn:aaid:sc:VA6C2:57c88930-644f-4131-94c6-bee1152af5ab
File description: password-protected zip archive on Adobe-hosted page
Password: ZERNOFF
Note 1: This content has been taken off-line, and the link no longer works
Note 2: Since this is a password-protected zip, it's not malicious without the password to access its contents

SHA256 hash: 748c0ef7a63980d4e8064b14fb95ba51947bfc7d9ccf39c6ef614026a89c39e5

File size: 2,150 bytes
File name: RFQ No 41 26_06_2023.pdf.lnk
File description: malicious Windows shortcut extracted from the above zip archive

SHA256 hash: ab6c5af91d0e384cc011f3e3be12b13290bfc802ce5dd8a3788100f583d4b800

File size: 5,598 bytes
File location: hxxps://shorturl[.]at/guDHW
Redirect from above URL: hxxps://img.softmedal[.]com/uploads/2023-06-23/298186187297.jpg
Saved file location: C:\Windows\Tasks\Reilon.vbs
File description: VBS file with PowerShell script used for this infection

SHA256 hash: afbfc145affa16280139a70e92364d8cc9d71b951d3258df9a9855c0c1f1f567

File size: 546,346 bytes
File location: hxxps://shorturl[.]at/iwAK9
Redirect from above URL: hxxps://img.softmedal[.]com/uploads/2023-06-23/773918053744.jpg
Saved file location: C:\Users\Public\RFQ-INFO.pdf
File description: Decoy PDF file retrieved and opened during this infection
Note: Not a malicious file

SHA256 hash: f3b62d90f02bbecd522049f9186c67d939b77e98449d63e73de4893060f1dd48

File size: 283,748 bytes
File location: hxxp://194.55.224[.]183/kng/Persuasive.inf
Saved file location: C:\Users\[username]\AppData\Roaming\opbrugende.Dal
File description: Base64 text retrieved by Reilon.vbs and registry update at HKCU\bdello\Unacquis
Note: Not inherently malicious on its own

SHA256 hash: 9abe143f74890f4336573364fce24257167977b576db98b7579e19283a126bec

File size: 212,810 bytes
File type: data
File description: Data binary decoded from the above base64 text
Note: Not inherently malicious on its own

SHA256 hash: d7b17df67410b8d408bb768c11757162a49cfb8602e50ac98283bfd49c54a9c5

File size: 493,120 bytes
File location: hxxp://194.55.224[.]183/kng/DtEIjJvibmBIjb254.bin
File type: data
File description: Data binary retrieved during this infection process
Note: Not inherently malicious on its own

Traffic from an infection:

URL that returned the zip archive:

hxxps://acrobat.adobe[.]com/id/urn:aaid:sc:VA6C2:57c88930-644f-4131-94c6-bee1152af5ab

URL that returned the decoy PDF file:

hxxps://shorturl[.]at/iwAK9
hxxps://img.softmedal[.]com/uploads/2023-06-23/773918053744.jpg

URL that returned the Reilon.vbs file:

hxxps://shorturl[.]at/guDHW
hxxps://img.softmedal[.]com/uploads/2023-06-23/298186187297.jpg

GuLoader- or ModiLoader-style traffic:

194.55.224[.]183 port 80 - 194.55.224[.]183 - HEAD /kng/Persuasive.inf
194.55.224[.]183 port 80 - 194.55.224[.]183 - GET /kng/Persuasive.inf
194.55.224[.]183 port 80 - 194.55.224[.]183 - GET /kng/DtEIjJvibmBIjb254.bin

Remcos RAT traffic:

194.187.251[.]91 port 12603 - top1.banifabused1[.]xyz - TLSv1.3 HTTPS traffic
port 80 - geoplugin.net - GET /json.gp <-- location check by the infected host, not inherently malicious

Final words

This seems like it might be a new type of loader, but Recorded Future's Triage analysis of the Windows shortcut tagged it as GuLoader.  I'm not entirely convinced.  But it's definitely a loader that's at least similar in principle to GuLoader or ModiLoader/DBatLoader.  If anyone has further information on this malware, please email me or leave a comment.

A carved and sanitized pcap of the infection traffic, along the the associated email, malware, and artifacts have been posted here.

---
Brad Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

In my last Diary, we looked at internet-connected web servers, which still support SSL version 2.0. Since this cryptographic protocol was deprecated all the way back in 2011, one might not think that there would be many such devices left on the internet, nevertheless, we have shown that there still appear to be over 460,000 of them[1].

Last week, I was talking to Justin Searle, one of our fellow SANS instructors, about the SSLv2 situation, and Justin raised a good point about how it might be interesting to learn what the devices are and where they are located… So, I have decided to find out – I did a quick analysis with the help of Shodan, and the results turned out to be quite interesting indeed!

While web servers which support SSLv2 are located in many countries all over the world, as the following image shows, we can clearly see that there are “hot spots” where their concentration is highest.

In fact, if we filter out just the top 10 countries with the highest numbers of web servers supporting SSLv2, we can see that there are 3 at the top, which account for most of what’s out there…

It is worth noting that we get similar results (at least in the top spot) with regards to geographic distribution of systems which support only SSLv2 and SSLv3.

Getting back to all devices which support SSL version 2.0, we saw that most of them are located in Kazakhstan, Tunisia and in the U.S.

It can be clearly seen that in Tunisia and in the United States, public IP addresses where SSLv2 support was detected are located in IP ranges/autonomous systems assigned to different ISPs, and that devices to which these IP addresses are mapped are running different types of software (if we can identify the SW at all).

The situation was somewhat different in Kazakhstan… But before we get to that, let’s take a look at which web servers are, according to Shodan, most common when it comes to SSLv2 support.

As we can see from the chart, by far the most common has been for some time the GoAhead Embedded Web Server. As its name suggests, it is a lightweight web server intended for integration into IoT and embedded devices[2].

While this software is still being developed, it is worth mentioning that several high-impact vulnerabilities (for example, CVE-2017-17562 and CVE-2019-5096, to name just two[3,4]) have been identified in some of its older versions (e.g., those, which one might expect to be configured to support SSLv2).

At this point, we can get back to the large number of SSLv2 devices in Kazakhstan.

Almost all of them are located in IP ranges assigned to the JSC Kazakhtelecom, the largest ISP in Kazahkstan…

…and, as you have probably guessed by now, most of them seem to be running the GoAhead Embedded Web Server.

In fact, most of these devices appear to be of the same exact type - they use an identical SSL server certificate (serial number “fe676b96c70714f9”, issuing organization “CIG”) and if one were to connect to any of them over HTTP(S), one would be greeted by the same login screen for a “GPON Home Gateway”[5].

Given this data, it seems probable that most of the devices which support SSLv2 in Kazakhstan are last-mile network devices made by a Chinese company Cambridge Industries Group (CIG)[6] and used by JSC Kazakhtelecom to provide connectivity to their customers.

Due to the support of SSL version 2.0, it is also probable that these devices are quite old, which, in connection with the fact that they are running the GoAhead Embedded Web Server, would seem to indicate that they might be affected by known high-impact vulnerabilities, even if we can’t reliably identify the specific version of the software installed on the devices.

If these assumptions were true, and it seems probable they might be, it would make large portions of the internet in Kazakhstan potentially vulnerable to malicious actions of even less advanced threat actors... On the other hand, it should be mentioned that while it is almost certain that the identified devices are running outdated and vulnerable versions of the webserver, it is possible that the vulnerable components themselves might not be accessible to a remote attacker, and it might therefore not be possible to use exploits for known vulnerabilities in order to compromise the devices.

It should also be noted that, although, at the time of writing, Shodan detects over 166 thousand (please disregard the discrepancy between this number and the values shown in the images above – Shodan seems to count systems differently in different tools and views) devices of the type discussed above within Kazakhstan, it is possible that there might really be significantly less of them, since it is possible that the ISP, in whose networks these devices are placed, might have repeatedly mapped multiple public IP addresses to a single device.

In any case, once I’ve gathered all the data discussed above, it seemed appropriate to get in touch with JSC  Kazakhtelecom and the Kazakhstan national CERT, KZ-CERT[7], inform them about the situation and give them time to take any steps they might believe necessary before I publish any information about it.

While Kazakhtelecom didn’t respond to even repeated requests for communication, KZ-CERT did. They evaluated the information I’ve provided and let me know that they don’t object to me releasing it publicly, though they did ask if I could provide them with some more detailed data about specific IP addresses, which the situation concerned. I have done so and here we are - the originally simple analysis of location and type of devices which still support SSL version 2.0 has taken us down a really interesting rabbit hole.

Hopefully, as a result of it, the devices discussed above will disappear from the internet in the upcoming months... or years.

[1] https://isc.sans.edu/diary/29908
[2] https://www.embedthis.com/goahead/
[3] https://www.securityweek.com/devices-running-goahead-web-server-prone-remote-attacks/
[4] https://nsfocusglobal.com/advisory-two-high-risk-vulnerabilities-goahead-web-server/
[5] https://en.wikipedia.org/wiki/GPON
[6] https://www.cigtech.com/
[7] https://www.cert.gov.kz/

-----------
Jan Kopriva
@jk0pr
Nettles Consulting

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

When dealing with malware analysis, you like to get "fresh meat".  Just for hunting purposes or when investigating incidents in your organization, it’s essential to have a triage process to reduce the noise and focus on really interesting files. For example, if you detect a new sample of Agent Tesla, you don’t need to take time to investigate it deeply. Just extract IOCs to share with your colleagues. From a business point of view, you don’t have time to analyze all samples!

How to perform your malware triage? It will help if you have tools for this (executed from a sandbox). There are a lot of tools to achieve this. Still, another critical element is "automation": Your collected samples must feed a pipe of tools that will try to guess the malware family, extract config, … and why not archive and index everything? For this purpose, I'm using a local instance of mwdb[1] (MalwareDB). Coupled with karton [2]. For example, I'm extracting samples from catch-all mailboxes and sending them to the triage process via the REST API's:

Mail > MIME-Extract > mwdb > karton > Analysis modules (sandbox, YARA, ...)

But sometimes, you need to perform a quick analysis of a suspicious file manually, and you need "manual" tools. Recently, Jim (also FOR610 Instructor) found an interesting tool to achieve this task: Qu1ckSc0pe[3]. Why is this tool interesting? It can analyze multiple types of files: Windows, Linux, OSX binaries, Document files, APK files, and Archive files.

Written in Python, such tools usually require a lot of third-party modules and, therefore, are good candidates to be executed from a Docker container (to avoid pollution of your core OS with a lot of files and libraries). A simple Docker file is provided with the tool, but it was impossible to have a stable installation. So, I create my Dockerfile:

FROM ubuntu:22.04 MAINTAINER Xavier Mertens <xmertens@isc.sans.edu> # Update & install required packages RUN DEBIAN_FRONTEND=noninteractive apt update && apt -y upgrade && apt -y install sudo git python3-pip wget unzip # Install main app WORKDIR /app COPY . . # Stupid fix to allow non-interactive install RUN sed -i "s/apt install/DEBIAN_FRONTEND=noninteractive apt -y install/g" setup.sh RUN chmod a+x qu1cksc0pe.py setup.sh # Another simple fix to avoid breaking the setup script RUN ln -s /root /home/root RUN ./setup.sh # Missing dependencies RUN pip3 install pycryptodome # Install Radare2 WORKDIR /opt RUN git clone https://github.com/radareorg/radare2 RUN radare2/sys/install.sh WORKDIR /app ENTRYPOINT ["/app/qu1cksc0pe.py"]

How to build the tool?

remnux@remnux:/opt$ git clone https://github.com/CYB3RMX/Qu1cksc0pe.git

Replace the existing Dockerfile with mine and build the image:

remnux@remnux:/opt/Qu1ckSc0pe$ docker built -t isc/quickscope .

Now, to use the tool, map a volume containing your samples:

Here is an example against a Word document with a VBA macro:

The Dockerfile must still be fine-tuned (for example, to create a volume to keep the YARA rules updated), but it already does the job.

Qu1ckScope has many features that I did not cover here.  If interested, look at the repository that provides multiple examples of usage.

[1] https://github.com/CERT-Polska/mwdb-core
[2] https://github.com/CERT-Polska/mwdb-core
[3] https://github.com/CYB3RMX/Qu1cksc0pe

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.