ISC Stormcast For Monday, October 19th 2020 https://isc.sans.edu/podcastdetail.html?id=7214, (Mon, Oct 19th)
Have you ever sent out the wrong file? I know it has happened to me, attaching the wrong file to an email.
And it happens to malicious actors too.
A reader sent us a malicious email with an attachment: PURCHASE ORDER.mmp
You must be thinking the same as me: what is an .mmp file? Microsoft Project? No, that seems to be .mpp.
Looking at it with a binary editor, it does seem to be some kind op project file:
I searched further for strings that might give me a clue, and found this:
Gammadyne Mailer is email marketing software.
This malicious actor sent out the project file for their mailing campaign!
Discovered by Tripwire VERT, CVE-2020-5135 is a buffer overflow vulnerability in the popular SonicWall Network Security Appliance (NSA) which can permit an unauthenticated bad guy to execute arbitrary code on the device.
The following versions of SonicWall are vulnerable:
SonicOS 184.108.40.206-79n and earlier
SonicOS 220.127.116.11-4n and earlier
SonicOS 18.104.22.168-93o and earlier
SonicOSv 22.214.171.124-44v-21-794 and earlier
After some research, I am unclear how many devices may be vulnerable to this attack. Tenable/Tripwire implies it could be up to approximately 800,000 devices (as detected by Shodan).
I expect that not all of these devices have the VPN enabled, and some have been updated already, so the number is probably quite a bit lower, but still significant.
I have not been able to find a way to remotely detect which devices are vulnerable. Nmap can be used to detect SonicWall instances, but does not provide enough information to determine the OS version or probe for the vulnerability.PORT STATE SERVICE REASON VERSION 80/tcp open http-proxy syn-ack ttl 53 SonicWALL SSL-VPN http proxy |_http-server-header: SonicWALL SSL-VPN Web Server 443/tcp open ssl/http-proxy syn-ack ttl 53 SonicWALL SSL-VPN http proxy |_http-server-header: SonicWALL SSL-VPN Web Server 50001/tcp filtered unknown no-response
If any of you know of a reliable scanning technique to detect this vulnerability please let me know at our contact page and I will update the diary.
SonicWall released updates last week which fix this vulnerability and several others. Although no known exploit has been detected in the wild. I expect, give recent historical attacks on VPNs, I would expect this one will get a lot of interest from bad guys. I strongly recommend updating as soon as reasonable.
More information can be found at the following links:
-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
CVE-2020-3991 VMWare Security Advisory for VMWare Horizon Client - https://www.vmware.com/security/advisories/VMSA-2020-0022.html, (Fri, Oct 16th)
-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
It's that time of the month again... Time for another traffic analysis quiz! This one is from a Windows 10 client logged into an Active Directory (AD) environment. Details follow:
- LAN segment: 10.10.16.0/24 (10.10.16.1 through 10.10.16.255)
- Domain Controller: Ugly-Wolf-DC at 10.10.16.6
- Gateway: 10.10.16.1
- Broadcast address: 10.10.16.255
The pcap and alerts are available on my Github repository at:
- https://github.com/brad-duncan/pcaps-for-ISC-diaries/blob/main/2020-10-15-ISC-traffic-analysis-quiz.pcap.zip (3,711,761 bytes)
- https://github.com/brad-duncan/pcaps-for-ISC-diaries/blob/main/2020-10-15-ISC-traffic-analysis-quiz-alerts.zip (4,273,268 bytes)
The zip archives are password-protected with the term: infected
The alerts archive contains an image of alerts and a text file with the same information.
The alerts should give away the type of infection(s) happening on the Windows computer at ugly-wolf.net. Since this is an AD environment, you should also be able to find the user account name that was logged into the Windows host before it became infected. In a real-world situation, this could help you track down an infected user and perform incident response actions.
You can also use this quiz to practice drafting an incident report.
If the answers are not obvious, feel free to leave a comment in the comments section, and I'll answer when I get the time.
brad [at] malware-traffic-analysis.net
ISC Stormcast For Friday, October 16th 2020 https://isc.sans.edu/podcastdetail.html?id=7212, (Fri, Oct 16th)
CVE-2020-16898: Windows ICMPv6 Router Advertisement RRDNS Option Remote Code Execution Vulnerability, (Thu, Oct 15th)
For more details, see also the youtube video I just published:
One vulnerability that got defenders' (including mine) attention this week was CVE-2020-16898. The vulnerability sometimes called "Bad Neighbor", can be used to execute arbitrary code on a Windows system. To exploit the vulnerability, an attacker has to send a crafted ICMPv6 router advertisement.What Are Router Advertisements?
I (and probably others) have called them sometimes "DHCP Lite". IPv6 relies less on DHCP to manage IP addresses. After all, we got plenty of them, and the need to "recycle" IP addresses pretty much went away. A router will send router advertisements periodically, or in response to a router solicitation sent by a host that just joined the network. All hosts that "speak" IPv6 will listen for router advertisements to learn about the network configuration. Even if you use DHCPv6, you still need router advertisements to learn about the default gateway.
One more recently added option includes a list of recursive DNS servers. This "completes" the DHCP-Lite analogy by now offering a gateway, IP address(es) and DNS servers. The same data usually found in DHCP servers.How are recursive DNS servers (RDNSS) encoded in router advertisements?
Router advertisement options follow the standard "Type/Length/Value" format. They start with a byte indicating the type (25 = RDNSS), followed by a byte indicating the length, two reserved bytes, and a 4-byte "lifetime". Plus of course the DNS server IP addresses
As typical for IPv6, the length is indicated in 8-byte increments. So a length of "1" indicates that our option is 8 bytes long. The initial fields (Type, Length, Reserved, Lifetime) are exactly 8 bytes long. Each IP address is 16 bytes long.
For one IP address, our length would be "3". Each additional IP address adds another "2" (2 x 8 Bytes). As a result, the length has to be always odd.
The vulnerability is triggered if the length is even, and larger then 3. For example, consider this packet with a length of "4":
The last eight bytes of the second IP address are no longer included in the length. And this is exactly where Windows gets confused. Wireshark actually gets a bit confused as well:
Wireshark still displays both IP address but also recognizes that there is data beyond the option length.How bad is it?
It is bad, in that this allows arbitrary code execution. But an attacker has to be able to send the packet from the victim's network. Even an exposed host can not be attacked from "across the internet", only from within a subnet. An attacker will also have to overcome anti-exploit features in Windows 10 (address layout randomization and such), requiring a second, information leakage, vulnerability and exploit.What can I do?
Patching is probably the simplest, most straight forward solution which is least likey to cause problems. Other options:
- Microsoft offers the ability to turn off the RDNSS feature as an option. This could of course come back to haunt you later as you start using the option.
- Various IDSs have released signatures to detect the attack
- Some switches offer a "Router Advertisement Guard" feature that can limit router advertisements. Maybe it will help.
- Did I mention that you should just get it over with and patch?
While hunting, I found an interesting Python script. It matched one of my YARA rules due to the interesting list of imports but the content itself was nicely obfuscated. The script SHA256 hash is c5c8b428060bcacf2f654d1b4d9d062dfeb98294cad4e12204ee4aa6e2c93a0b and the current VT score is only 2/59!
The script is simple, after a bunch of imports and an if/then condition to detect if it is executed on Windows or Linux, we have this piece of code (slightly beautified):import zlib,marshal exec marshal.loads(zlib.decompress( 'x\xda\xd4\xbd\x0bx\x1c\xc9y\x18X\xd5=O`\x80\x01\xf1\x06\x9fC\xee <stuff deleted> \xab\xac\xff\xd4Oy\x99\x86\x17\xff\xfa\xa1\x14\xe3M\x92\x92z\xf9\xc9\xe5\xff\x03\x1d\x99\x95\xf3'))
When I'm teaching FOR610, I like to say that, when you see eval() in a script, often this means it's "evil". In Python, eval() is able to evaluate and execute either a string, an open file object, or a bytecode object. You know that Python is an interpreted language but, like many other languages, it actually compiles source code to a set of instructions for a virtual machine (the Python "interpreter"). This intermediate format is called "bytecode". You probably already saw files ending with '.pyc'.
The payload is zipped and, once decompressed, it is passed to the marshal module which performs internal Python object (de)serialization. The output is a bytecode that is evaluated and executed by exec(). The challenge is now to investigate what's inside this bytecode. To achieve this, we can use a third-party module called uncompyle6. This module is able to decompile bytecode into Python source code. Let's change the original code into this:import zlib import marshal import uncompyle6 uncompyle6.main.decompile(2.7,marshal.loads(zlib.decompress('...')),sys.stdout)
Here is the generated output. We start to see interesting stuff:# uncompyle6 version 3.7.4 # Python bytecode 2.7 # Decompiled from: Python 2.7.17 (default, Jul 20 2020, 15:37:01) # [GCC 7.5.0] import imp, sys, marshal stdlib = marshal.loads('... <more obfuscated data>...') config = marshal.loads('... <more obfuscated data> ...') pupy = imp.new_module('pupy') pupy.__file__ = 'pupy://pupy/__init__.pyo' pupy.__package__ = 'pupy' pupy.__path__ = ['pupy://pupy/'] sys.modules['pupy'] = pupy exec marshal.loads(stdlib['pupy/__init__.pyo'][8:]) in pupy.__dict__ pupy.main(stdlib=stdlib, config=config)
We see a lot of references to "pupy" which is a Python RAT ("Remote Access Tool").
The most interesting data that deserves some deeper check is the 'config' object. Let's have a look at it by executing the code related to it and we find this:
Unfortunately, the host is an RFC198 IP address. Maybe we could find interesting information in the certificate? Let's have a look:# openssl x509 -in cert.tmp -text Certificate: Data: Version: Unknown (3) Serial Number: 3 (0x3) Signature Algorithm: sha256WithRSAEncryption Issuer: O = IbHnTWnhcE Validity Not Before: Oct 12 14:13:58 2020 GMT Not After : Oct 12 14:13:58 2023 GMT Subject: O = lKIWjXhiof, OU = CLIENT Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (2048 bit) Modulus: 00:ac:a3:41:31:96:ca:4c:15:64:3d:f8:51:f7:89: 55:01:56:2e:bf:c9:33:07:71:d8:91:91:74:3d:98: c8:ec:26:9d:af:ef:6b:43:54:37:6d:0c:44:43:b6: 78:37:3b:4b:ca:c6:cc:cc:40:51:19:30:cc:75:01: ab:45:b1:47:fc:0e:33:81:a4:b3:9c:81:f6:f9:fb: 48:9e:36:14:12:85:ce:b6:96:45:f2:3e:46:da:a4: 76:e9:5a:93:05:86:e1:61:a8:03:15:03:3d:b3:f1: 39:5f:b1:66:f7:84:2f:00:20:60:05:0c:92:65:36: 01:40:a0:a9:28:44:a2:af:87:71:ee:19:1f:45:98: 2b:8c:15:7d:60:b3:c5:18:5a:9d:d4:85:f5:93:fd: 09:c9:83:2d:9c:29:cf:e6:40:63:33:cf:d0:ea:10: e0:75:5e:d3:12:ce:c2:99:a8:69:2f:ea:e5:63:78: a3:22:8f:66:d4:1e:67:96:16:f5:ba:0e:fe:c3:df: d8:74:77:dc:94:68:d0:d9:d9:a2:d3:f9:dd:a7:ae: 9a:32:54:07:86:3c:c3:9c:d9:70:76:c2:7b:ef:ec: f1:e1:a5:9d:37:6b:d8:e1:a7:dd:78:7b:35:56:80: 11:be:73:79:50:22:fb:47:54:da:23:5e:90:52:58: 4a:4b Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE X509v3 Subject Key Identifier: CA:62:86:22:80:70:B9:70:A5:B1:E3:65:C2:8C:39:12 X509v3 Key Usage: Key Encipherment Netscape Cert Type: SSL Server Signature Algorithm: sha256WithRSAEncryption 2c:0d:74:1a:e2:71:39:f0:2d:c9:db:15:d9:84:a7:29:7e:d3: 57:4e:6a:17:50:8f:47:0d:5d:0f:4b:bc:92:15:ae:bd:3b:c7: ef:35:57:be:75:dd:36:7a:ab:15:1f:82:28:51:eb:d2:9f:ea: 26:1b:a7:4b:ed:a2:2c:6e:d3:01:fd:71:3f:6d:2f:20:e1:5e: 8a:60:65:78:86:9d:af:f3:21:3b:65:51:70:2f:90:8c:da:0d: 31:09:de:de:05:00:b5:fe:06:84:14:f1:29:31:e1:8d:8e:2e: 98:bf:7d:8f:e4:bb:8f:d0:45:ac:4e:10:b1:cc:9a:49:63:6e: 1a:e2:c5:31:e7:24:78:31:5a:f7:e7:5c:fa:f6:89:cb:f1:08: 7b:0b:f6:bd:60:2b:cc:de:f9:97:f2:8c:35:5e:6e:27:58:80: bc:ed:86:b5:e2:0a:f3:53:5b:53:e2:89:45:bb:58:77:86:42: 3a:7b:3b:ce:ef:66:95:0e:09:9d:a1:54:66:6d:23:9b:2f:1a: 30:6a:82:a4:42:c8:b3:36:bd:a5:f2:bc:be:91:49:19:48:6b: 26:5e:6b:69:9b:24:56:f9:66:1c:ef:a4:da:e8:88:10:1a:ef: 6a:f5:ac:e8:11:65:1a:80:f2:4e:1c:be:8d:49:1f:7c:41:21: c1:a8:a4:de
Same conclusion, no interesting information here. This is probably an internal test or a red-team exercise but the obfuscation technique used in this sample is interesting...
Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
ISC Stormcast For Thursday, October 15th 2020 https://isc.sans.edu/podcastdetail.html?id=7210, (Thu, Oct 15th)
ISC Stormcast For Wednesday, October 14th 2020 https://isc.sans.edu/podcastdetail.html?id=7208, (Wed, Oct 14th)
The TA551 (Shathak) campaign continues to push IcedID (Bokbot) malware since I last wrote a diary about it in August 2020. The template for its Word documents has been updated, but otherwise, not much has changed. This campaign has also targeted non-English speaking targets with other types of malware, but I've only seen English speaking victims with IcedID since mid-July 2020.
Today's diary reviews an infection from the TA551 campaign on Tuesday 2020-10-13.
TA551 still uses password-protected zip archives attached to emails. These zip archives contain a Word document with macros designed to infect vulnerable Windows hosts with IcedID. Malspam from TA551 uses legitimate email chains stolen from mail clients on previously-infected Windows hosts, These emails attempt to spoof the sender by using a name from the email chain as an alias for the sending address. Examples from this malspam campaign submitted to VirusTotal usually have some, if not all, of the email chain removed or redacted.
Passwords for the attached zip archives are different for each email. Victims use the password from the message text to extract a Word document from the zip attachment.
An infection starts when a victim enables macros on a vulnerable Windows host while ignoring any security warnings.
Enabling macros causes a vulnerable Windows host to retrieve a Windows DLL file from a URL ending with .cab. This DLL is saved to the host and run using regsvr32.exe. The DLL is an installer for IcedID.
Forensics on an infected Windows host
After the DLL is run using regsvr32.exe, the victim's Windows host retrieves a PNG image over HTTPS traffic. This initial PNG is saved to the victim's AppData\Local\Temp directory with a .tmp file extension. The PNG image has encoded data that the DLL installer uses to create an EXE for IcedID. This EXE is also saved to the AppData\Local\Temp directory.
During the infection process, the initial EXE for IcedID generates more HTTPS traffic, and we find another PNG image saved somewhere under the victim's AppData\Local or AppData\Roaming directories. This second PNG also contains encoded data.
Finally, we see another EXE for IcedID saved to a new directory and made persistent through a scheduled task. This persistent EXE is the same size as the first EXE, but it has a different file hash.
Indicators of Compromise (IOCs)
22 examples of SHA256 hashes for TA551 Word docs with macros for IcedID (read: SHA256 hash file name):
- d90cac341ea9f377a9a20b2cc2f098956a2b09c1a423a82de9af0fa91f6d777c bid_010.20.doc
- f6fcd5702a73bba11f71216e18e452c0a926c61b51a4321314e4cdbebf651bf4 certificate-010.13.20.doc
- a0224c5fd2cfd0030f9223cc84aef311f7cc320789ca59d4f846dbc383310dce charge.010.13.20.doc
- 121451c0538037e6e775f63aa57cd5c071c8e2bf1bda902ab5acbefd99337ebb command.010.20.doc
- d220e39e4cfac20fcffdecafc1ccfd321fecd971e51f0df9a4df267c3a662cbe command_010.20.doc
- 4cdbcfdd9deec0cd61152f2e9e1ba690640dc0bf3c201a42894abcf37c961546 commerce -010.20.doc
- 9fa50c60e8dda3f9207e6f5d156df5f9bedd9e1b8a2837861b39245052f27482 decree,010.13.2020.doc
- 4d0defd5dc6f7691c9b3f06ec2b79694c58f9835e5dec65ad7185957fae44081 details.010.13.2020.doc
- b81b017a518c71ecc83835f31c3bc9dd9f0fac2bc0fa4f07bd0abff75f507d91 direct-010.20.doc
- d7eb2833615397fd9c7538c1f31c408e3548d50baaca109f5136b14a424aa1ba enjoin,010.13.20.doc
- cf6b55d6cdeee06d03c197eebcdb5e7c9fe8277e5e626426610305192dcf0b00 enjoin_010.13.2020.doc
- 4dadeaa387616bfc80eb61f521d7a4cb03f6055a64811eaab9c2429723d62823 file 010.13.2020.doc
- 67e502cc48b587f78ee637cd7f522f2ea6026bbe87921ecd43e0fae11c64f775 instruct-010.20.doc
- 35fe201a9da94441c3375106dd75c09de9c281b5a1de705448f76ed5a83978ad instrument indenture-010.13.2020.doc
- 0d6f7dbd45829aa73f0258440816fdb259599a64df328664ca4714cde5dd4968 intelligence 010.13.2020.doc
- 6dc7a98930d5541fc9a01f8f71a2c487c51bb8391627a1e16a81d1162c179e80 legal agreement-010.13.2020.doc
- 2cdbd4ac39b64abd42931d7c23dd5800ca0be0bcd0e871cf0c5e065786437619 official paper-010.20.doc
- 2d934205d70f10534bb62e059bab4eb2e8732514f7e6874cb9588b2627210594 prescribe .010.20.doc
- 96f991df625e19fb3957dafe0475035dd5e6d04c7ff7dad819cc33a69bcde1c9 question-010.13.2020.doc
- 5e3c9cd19c33b048736ccaecf0ebbbab51960cdc5c618970daa6234236c0db01 question.010.20.doc
- 64567431faf0e14dacab56c8b3d7867e7d6037f1345dc72d67cd1aff208b6ca7 report 010.13.2020.doc
- 34b84e76d97cf18bb2d69916ee61dbd60481c45c9ac5c7e358e7f428b880859f rule_010.13.2020.doc
At least 12 domains hosting installer DLL files retreived by Word macros:
- aqdcyy[.]com - 185.66.14[.]66
- akfumi[.]com - 193.187.175[.]114
- ar99xc[.]com - 194.31.237[.]158
- bn50bmx[.]com - 45.153.75[.]33
- h4dv4c1w[.]com - 94.250.255[.]189
- krwrf1[.]com - 78.155.205[.]102
- mbc8xtc[.]com - 193.201.126[.]251
- osohc6[.]com - 45.150.64[.]70
- pdtcgw[.]com - 45.89.67[.]166
- qczpij[.]com - 194.120.24[.]6
- t72876p[.]com - 178.250.156[.]128
- vwofdq[.]com - 80.85.157[.]227
HTTP GET requests for the installer DLL:
- GET /ryfu/bary.php?l=konu1.cab
- GET /ryfu/bary.php?l=konu2.cab
- GET /ryfu/bary.php?l=konu3.cab
- GET /ryfu/bary.php?l=konu4.cab
- GET /ryfu/bary.php?l=konu5.cab
- GET /ryfu/bary.php?l=konu6.cab
- GET /ryfu/bary.php?l=konu7.cab
- GET /ryfu/bary.php?l=konu8.cab
- GET /ryfu/bary.php?l=konu9.cab
- GET /ryfu/bary.php?l=konu10.cab
- GET /ryfu/bary.php?l=konu11.cab
- GET /ryfu/bary.php?l=konu12.cab
- GET /ryfu/bary.php?l=konu13.cab
- GET /ryfu/bary.php?l=konu14.cab
- GET /ryfu/bary.php?l=konu15.cab
- GET /ryfu/bary.php?l=konu16.cab
- GET /ryfu/bary.php?l=konu17.cab
- GET /ryfu/bary.php?l=konu18.cab
25 examples of TA551 installer DLL files for IcedID:
Names/locations of the installer DLL files:
Run method for installer DLL files:
- regsvr32.exe [filename]
HTTPS traffic to legitimate domains caused by the installer DLL files:
- port 443 - www.intel.com
- port 443 - support.oracle.com
- port 443 - www.oracle.com
- port 443 - support.apple.com
- port 443 - support.microsoft.com
- port 443 - help.twitter.com
At least 2 different URLs for HTTPS traffic generated by the installer DLL files:
- 134.209.25[.]122 port 443 - jazzcity[.]top - GET /background.png
- 161.35.111[.]71 port 443 - ldrpeset[.]casa - GET /background.png
2 examples of SHA256 hashes of IcedID EXEs created by installer DLLs:
- afd16577794eab427980d06631ccb30b157600b938376cc13cd79afd92b77d0e (initial)
- 48c44bfd12f93fdd1c971da0c38fc7ca50d41ca383406290f587c73c27d26f76 (persistent)
HTTPS traffic to malicious domains caused by the above IcedID EXE files:
- 143.110.176[.]28 - port 443 - minishtab[.]cyou
- 143.110.176[.]28 - port 443 - novemberdejudge[.]cyou
- 143.110.176[.]28 - port 443 - xoxofuck[.]cyou
- 143.110.176[.]28 - port 443 - suddekaster[.]best
- 143.110.176[.]28 - port 443 - sryvplanrespublican[.]cyou
brad [at] malware-traffic-analysis.net
This month we got patches for 87 vulnerabilities. Of these, 12 are critical, 6 were previously disclosed and none of them are being exploited according to Microsoft.
Amongst critical vulnerabilities, there is a CVSSv3 9.8 remote code execution in Windows TCP/IP stack (CVE-2020-16898) due to the way it improperly handles ICMPv6 Router Advertisement packets. To exploit this vulnerability, an attacker would have to send specially crafted ICMPv6 Router Advertisement packets to a remote Windows host (client or server). Several Windows 10 versions, Windows Server (core installation), and Windows Server 2019 are affected by this vulnerability. There is a workaround for Windows 1709 and above that consists in disabling ICMPV6 RDNSS. For more details, check the vulnerability advisory at https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898
There is also a remote code execution in Windows Graphics Device Interface (GDI+) (CVE-2020-16911). An attacker could exploit this vulnerability by convincing users to view a specially crafted website or sending them an e-mail attachment with a malicious attachment. The CVSS v3 score for this vulnerability is 8.8.
A third vulnerability worth mentioning is an elevation of privilege affecting Windows Hyper-V (CVE-2020-1080). If successfully exploited, this vulnerability could give an attacker elevated privileges on the target system. The CVSSv3 for this vulnerability is 8.8 as well.
See Renato's dashboard for a more detailed breakout: https://patchtuesdaydashboard.comDescription CVE Disclosed Exploited Exploitability (old versions) current version Severity CVSS Base (AVG) CVSS Temporal (AVG) .NET Framework Information Disclosure Vulnerability %%cve:2020-16937%% Yes No Less Likely Less Likely Important 4.7 4.2 Azure Functions Elevation of Privilege Vulnerability %%cve:2020-16904%% No No Less Likely Less Likely Important 5.3 4.8 Base3D Remote Code Execution Vulnerability %%cve:2020-16918%% No No Less Likely Less Likely Important 7.8 7.0 %%cve:2020-17003%% No No Less Likely Less Likely Critical 7.8 7.0 Dynamics 365 Commerce Elevation of Privilege Vulnerability %%cve:2020-16943%% No No Less Likely Less Likely Important 6.5 5.9 GDI+ Remote Code Execution Vulnerability %%cve:2020-16911%% No No Less Likely Less Likely Critical 8.8 7.9 Group Policy Elevation of Privilege Vulnerability %%cve:2020-16939%% No No Less Likely Less Likely Important 7.8 7.0 Jet Database Engine Remote Code Execution Vulnerability %%cve:2020-16924%% No No Less Likely Less Likely Important 7.8 7.0 Media Foundation Memory Corruption Vulnerability %%cve:2020-16915%% No No Less Likely Less Likely Critical 7.8 7.0 Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability %%cve:2020-16956%% No No Less Likely Less Likely Important 5.4 4.9 %%cve:2020-16978%% No No Less Likely Less Likely Important 5.4 4.9 Microsoft Excel Remote Code Execution Vulnerability %%cve:2020-16929%% No No Less Likely Less Likely Important 7.8 7.0 %%cve:2020-16930%% No No Less Likely Less Likely Important 7.8 7.0 %%cve:2020-16931%% No No Less Likely Less Likely Important 7.8 7.0 %%cve:2020-16932%% No No Less Likely Less Likely Important 7.8 7.0 Microsoft Exchange Information Disclosure Vulnerability %%cve:2020-16969%% No No Less Likely Less Likely Important 7.1 6.4 Microsoft Graphics Components Remote Code Execution Vulnerability %%cve:2020-16923%% No No Less Likely Less Likely Critical 7.8 7.0 %%cve:2020-1167%% No No Less Likely Less Likely Important 7.8 7.0 Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability %%cve:2020-16957%% No No Less Likely Less Likely Important 7.8 7.0 Microsoft Office Click-to-Run Elevation of Privilege Vulnerability %%cve:2020-16928%% No No Less Likely Less Likely Important 7.8 7.0 %%cve:2020-16934%% No No Less Likely Less Likely Important 7.0 6.3 %%cve:2020-16955%% No No Less Likely Less Likely Important 7.8 7.0 Microsoft Office Remote Code Execution Vulnerability %%cve:2020-16954%% No No Less Likely Less Likely Important 7.8 7.0 Microsoft Office SharePoint XSS Vulnerability %%cve:2020-16945%% No No Less Likely Less Likely Important 8.7 7.8 %%cve:2020-16946%% No No Less Likely Less Likely Important 8.7 7.8 Microsoft Outlook Denial of Service Vulnerability %%cve:2020-16949%% No No Less Likely Less Likely Moderate 4.7 4.2 Microsoft Outlook Remote Code Execution Vulnerability %%cve:2020-16947%% No No Less Likely Less Likely Critical 8.1 7.3 Microsoft SharePoint Information Disclosure Vulnerability %%cve:2020-16941%% No No Less Likely Less Likely Important 4.1 3.7 %%cve:2020-16942%% No No Less Likely Less Likely Important 4.1 3.7 %%cve:2020-16948%% No No Less Likely Less Likely Important 6.5 5.9 %%cve:2020-16953%% No No Less Likely Less Likely Important 6.5 5.9 %%cve:2020-16950%% No No Less Likely Less Likely Important 5.0 4.5 Microsoft SharePoint Reflective XSS Vulnerability %%cve:2020-16944%% No No Less Likely Less Likely Important 8.7 7.8 Microsoft SharePoint Remote Code Execution Vulnerability %%cve:2020-16951%% No No Less Likely Less Likely Critical 8.6 7.7 %%cve:2020-16952%% No No Less Likely Less Likely Critical 8.6 7.7 Microsoft Word Security Feature Bypass Vulnerability %%cve:2020-16933%% No No Less Likely Less Likely Important 7.0 6.3 NetBT Information Disclosure Vulnerability %%cve:2020-16897%% No No Less Likely Less Likely Important 5.5 5.0 Network Watcher Agent Virtual Machine Extension for Linux Elevation of Privilege Vulnerability %%cve:2020-16995%% No No Less Likely Less Likely Important 7.8 7.0 October 2020 Adobe Flash Security Update ADV200012 No No Less Likely Less Likely Critical PowerShellGet Module WDAC Security Feature Bypass Vulnerability %%cve:2020-16886%% No No Less Likely Less Likely Important 5.3 4.8 Visual Studio Code Python Extension Remote Code Execution Vulnerability %%cve:2020-16977%% No No Less Likely Less Likely Important 7.0 6.3 Win32k Elevation of Privilege Vulnerability %%cve:2020-16907%% No No More Likely More Likely Important 7.8 7.0 %%cve:2020-16913%% No No More Likely More Likely Important 7.8 7.0 Windows - User Profile Service Elevation of Privilege Vulnerability %%cve:2020-16940%% No No Less Likely Less Likely Important 7.8 7.0 Windows Application Compatibility Client Library Elevation of Privilege Vulnerability %%cve:2020-16876%% No No Less Likely Less Likely Important 7.1 6.4 %%cve:2020-16920%% No No Less Likely Less Likely Important 7.8 7.0 Windows Backup Service Elevation of Privilege Vulnerability %%cve:2020-16976%% No No Less Likely Less Likely Important 7.8 7.0 %%cve:2020-16912%% No No Less Likely Less Likely Important 7.8 7.0 %%cve:2020-16936%% No No Less Likely Less Likely Important 7.8 7.0 %%cve:2020-16972%% No No Less Likely Less Likely Important 7.8 7.0 %%cve:2020-16973%% No No Less Likely Less Likely Important 7.8 7.0 %%cve:2020-16974%% No No Less Likely Less Likely Important 7.8 7.0 %%cve:2020-16975%% No No Less Likely Less Likely Important 7.8 7.0 Windows COM Server Elevation of Privilege Vulnerability %%cve:2020-16935%% No No Less Likely Less Likely Important 7.8 7.0 %%cve:2020-16916%% No No Less Likely Less Likely Important 7.8 7.0 Windows Camera Codec Pack Remote Code Execution Vulnerability %%cve:2020-16967%% No No Less Likely Less Likely Critical 7.8 7.0 %%cve:2020-16968%% No No Less Likely Less Likely Critical 7.8 7.0 Windows Elevation of Privilege Vulnerability %%cve:2020-16877%% No No Less Likely Less Likely Important 7.1 6.4 Windows Enterprise App Management Service Information Disclosure Vulnerability %%cve:2020-16919%% No No Less Likely Less Likely Important 5.5 5.0 Windows Error Reporting Elevation of Privilege Vulnerability %%cve:2020-16905%% No No Less Likely Less Likely Important 6.8 6.1 %%cve:2020-16909%% Yes No Less Likely Less Likely Important 7.8 7.0 Windows Error Reporting Manager Elevation of Privilege Vulnerability %%cve:2020-16895%% No No Less Likely Less Likely Important 7.8 7.0 Windows Event System Elevation of Privilege Vulnerability %%cve:2020-16900%% No No Less Likely Less Likely Important 7.0 6.3 Windows GDI+ Information Disclosure Vulnerability %%cve:2020-16914%% No No Less Likely Less Likely Important 5.5 5.0 Windows Hyper-V Denial of Service Vulnerability %%cve:2020-1243%% No No Less Likely Less Likely Important 7.8 7.0 Windows Hyper-V Elevation of Privilege Vulnerability %%cve:2020-1047%% No No Less Likely Less Likely Important 7.8 7.0 %%cve:2020-1080%% No No Less Likely Less Likely Important 8.8 7.9 Windows Hyper-V Remote Code Execution Vulnerability %%cve:2020-16891%% No No Less Likely Less Likely Critical 8.8 7.9 Windows Image Elevation of Privilege Vulnerability %%cve:2020-16892%% No No Less Likely Less Likely Important 7.8 7.0 Windows Installer Elevation of Privilege Vulnerability %%cve:2020-16902%% No No Less Likely Less Likely Important 7.8 7.0 Windows Kernel Elevation of Privilege Vulnerability %%cve:2020-16890%% No No Less Likely Less Likely Important 7.8 7.0 Windows Kernel Information Disclosure Vulnerability %%cve:2020-16938%% Yes No Less Likely Less Likely Important 5.5 5.0 %%cve:2020-16901%% Yes No Less Likely Less Likely Important 5.0 4.5 Windows KernelStream Information Disclosure Vulnerability %%cve:2020-16889%% No No Less Likely Less Likely Important 5.5 5.0 Windows NAT Remote Code Execution Vulnerability %%cve:2020-16894%% No No Less Likely Less Likely Important 7.7 6.9 Windows Network Connections Service Elevation of Privilege Vulnerability %%cve:2020-16887%% No No Less Likely Less Likely Important 7.8 7.0 Windows Remote Desktop Protocol (RDP) Denial of Service Vulnerability %%cve:2020-16927%% No No Less Likely Less Likely Important 7.5 6.7 Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability %%cve:2020-16896%% No No More Likely More Likely Important 7.5 6.7 Windows Remote Desktop Service Denial of Service Vulnerability %%cve:2020-16863%% No No Less Likely Less Likely Important 7.5 6.7 Windows Security Feature Bypass Vulnerability %%cve:2020-16910%% No No Less Likely Less Likely Important 6.2 5.6 Windows Setup Elevation of Privilege Vulnerability %%cve:2020-16908%% Yes No Less Likely Less Likely Important 7.8 7.0 Windows Spoofing Vulnerability %%cve:2020-16922%% No No More Likely More Likely Important 5.3 4.8 Windows Storage Services Elevation of Privilege Vulnerability %%cve:2020-0764%% No No Less Likely Less Likely Important 7.8 7.0 Windows Storage VSP Driver Elevation of Privilege Vulnerability %%cve:2020-16885%% Yes No Less Likely Less Likely Important 7.8 7.2 Windows TCP/IP Denial of Service Vulnerability %%cve:2020-16899%% No No More Likely More Likely Important 7.5 6.7 Windows TCP/IP Remote Code Execution Vulnerability %%cve:2020-16898%% No No More Likely More Likely Critical 9.8 8.8 Windows Text Services Framework Information Disclosure Vulnerability %%cve:2020-16921%% No No Less Likely Less Likely Important 5.5 5.0 Windows iSCSI Target Service Elevation of Privilege Vulnerability %%cve:2020-16980%% No No Less Likely Less Likely Important 7.8 7.0
ISC Stormcast For Tuesday, October 13th 2020 https://isc.sans.edu/podcastdetail.html?id=7206, (Tue, Oct 13th)
A reader had problems extracting the attachment inside an .MSG file, and asked me for help.
Let me start with a simple .MSG file with one attachment (the same I used in diary entry "Analyzing MSG Files With plugin_msg_summary").
__attach_version1.0_#00000000 is a storage (a storage in OLE files is like a folder: it can contain streams (comparable to files) and storages).
__attach_version1.0_ tells us this is the storage for an attachment, and 00000000 tells us it is the first attachment.
Inside that storage, you have different streams: __properties_version1.0 and __substg1.0_*
The 37 in __substg1.0_37* tells us these streams contain data/metadata of the attachment.
For example, 3701 is the "attachment data" (content) of the attachment, and 0102 stands for "binary data":
And as you can see, for example, 3707 is metadata of the attachment: the long filename of the attachment in UNICODE (001F).
The short filename is an 8.3 filename.
To summarize: in .MSG files, the data (content) and metadata of attachments are stored inside streams that are stored inside a storage (one per attachment).
Now, the reader that asked me for help, had this:
Lots of entries with 3701000D. We know already that 3701 is the "attachment data", but what is 000D (0102 is binary data)? 000D is a directory, a storage.
And __substg1.0_3701000D is a storage this time (it is followed by /...), not a stream.
What's happening here, is that the attachment is an .MSG file. So this is an .MSG file, that contains another .MSG file as attachment.
In that case, Outlook will not store the attached .MSG file as a binary blob (37010102) but as an .MSG file with all its storages and streams (3701000D). So the attached .MSG file is not stored as a single data stream, but is decomposed in all its elements (storages and streams) like a "normal" .MSG file is.
The direct result of this, is that you have much more streams and storages inside the "root" .MSG file.
An a practical result, is that you can directly search inside the attached .MSG file, without having to use a second instance of oledump to parse it.
For example, I can search for the subject of the .MSG files like this:
Here I'm grepping for 0037 (the code for Subject). I could also have grepped for string "Subject", but then I would have more output: I would also have streams like "Subject (normalized)", and I wanted to avoid this for this example.
We can see 2 subjects:
- "Microsoft Outlook Test Message" is the Subject of the attached .MSG file (stream 13)
- "Testing" is the Subject of the "root" .MSG file (stream 71)
So if you are dealing with attached .MSG files, their content is not stored inside a single stream (37010102), but it is decomposed in storages and streams, that are stored under one storage (3701000D) per attached .MSG file.
And this concept is recursive: you can have .MSG files inside .MSG files inside .MSG files ... "Turtles all the way down" :-)
ISC Stormcast For Monday, October 12th 2020 https://isc.sans.edu/podcastdetail.html?id=7204, (Mon, Oct 12th)
Due to research I did recently, I added a new framework for plugins to oledump, and this allowed me to create a new plugin (plugin_msg_summary) that presents a summary of an email (.msg file).
I show this new plugin in this video:
Office files like .docx, .xlsm, ... are Office Open XML (OOXML) files: a ZIP container containing XML files and possibly other file types.
OOXML files follow the Open Packaging Conventions (OPC) format.
OPC files contain a /[Content_Types].xml file (describing the MIME format of all parts of the OPC container) and a _rels/.rels file (documenting the relationships inside the OPC container).
Like this .xlsm file:
In my experience with OOXML files, /[Content_Types].xml is the first ZIP record, and _rels/.rels is the second ZIP record.
When an OOXML file has been modified with a ZIP utility, it's often the case that that order is no longer respected: files /[Content_Types].xml and _rels/.rels are no longer first and second (this has no impact on the parsing of these altered files by Office applications).
AFAIK, the OPC standard does not require these 2 files to be the first in the ZIP container.
Please post a comment if you know of OPC examples (there are other file formats than OOXML that are based on OPC) created by applications that do not put these 2 files first inside the ZIP container.
If you’ve never delved too deep into the topic of phishing kits, you might – quite reasonably – expect that they would be the sort of tools, which are traded almost exclusively on dark web marketplaces. This is however not the case – many phishing kits (or “scam pages” or “scamas” as they are called by their creators) are quite often offered fairly openly on the indexed part of the web as well, as are the corresponding “letters” (i.e. the e-mail templates), e-mail validity checkers and other related tools. You may take a look at what is out there yourself – simply search for “scam page” along with the name of your favorite large bank or major online service on Google…
Since I haven’t done so in a while, last weekend I decided to take a look at phishing kits that are available on the “surface” web – more specifically, at those, which have been published during this year. I thought it might be interesting to see what their prices were, which brands and services they “covered” the most and whether there would be any significant increase in the number of phishing kits on offer in the second and third quarter of the year (i.e. in relation to the Covid-19 situation).
The idea was to gather information on at least 100 different phishing kits, as although it would not be a large sample size by any means, it should be enough to give us at least some idea of how things stood. I started by looking at YouTube and planned to go through Google, GitHub and a few file upload and e-commerce sites afterwards. Since I have, however, managed find 104 kits for sale/free download from this year on YouTube alone, just using the first search term I tried, I decided to stop there.
Each of the phishing kits was presented in a standalone video showing its capabilities. Most of the videos had terms “undetected” and “clean” in their titles in an attempt to make the phishing kits look more desirable (and definitely not backdoored).
Some of the videos were offering e-mail templates, access to complex phishing platforms, or tutorials in addition to the scam pages themselves, either as part of a bundle with specific phishing kit or at a premium. Similar selection of additional tools and other materials was available on external e-commerce platforms, where some the kits shown off in the videos were sold.
Of the 104 kits, 18 were offered free of charge (and at least one of these was backdoored - this wasn't mentioned in the video description so it was probably intended as a surprise bonus feature). For 76 of them, price was available by e-mail/ICQ/Telegram/Facebook only and the 10 remaining ones ranged in price from $10 to $100.
The 86 “commercial” phishing kits were offered by 21 sellers, with the most prolific one of them being responsible for 22 different scam pages.
At all, the phishing kits “simulated” sites of 53 different services or brands, from Adobe to Zoom. You may take a look at all of the services and brands, which were “used” by at least two different phishing kits, in the following chart. It probably won’t come as a much of a surprise that PayPal and Office 365 were the two “covered” the most often, but some of the others (e.g. Free Fire) might be a bit unexpected.
It should be mentioned that although most global phishing statistics published for 2020 so far [1,2] don’t show any significant rise in the numbers of spam and phishing e-mails in the wild in relation to Covid-19, the frequency of publishing new phishing kits on “surface” web (or at least on YouTube) seems to have increased significantly from the second half of March onward.
Whether this increase is due to the Covid-19 situation or because YouTube managed to clear most of the phishing kit videos from the first quarter of this year is impossible to say with any certainty, though I tend to lean towards the former explanation being the more probable one.
In any case, as this short excursion to YouTube shows, even on the indexed part of the web there are phishing kits galore…and there is little reason to expect that it will be much different in the near future. Therefore, if you work in infosec in any organization, whose customers might be a good target for semi-targeted phishing, try looking for phishing kits spoofing your brand or service on Google from time to time – you might be surprised at what you find…