Baanboard.com
Security

Use of the Open Graph Protocol to Disguise Malicious Facebook Links, (Fri, Aug 4th)

SANS Internet Storm Center - August 4, 2017 - 10:16pm
Whenever a link is posted to Facebook or other social media sites, the site will likely scan the destination page for Open Graph tags [1]. These tags may provide a link to an image to be displayed, or alternate URLs to be displayed and other meta tags.
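The disguise works because the preview is built from whatever og:* tags the attacker's page carries, not from where the page actually lives. As an added example (not code from the ISC diary), the following Python pulls the Open Graph tags out of a page and flags URL-valued ones whose host differs from the host that served the page; the HTML sample, the hostnames attacker.example and bank.example, and the function names are constructed for illustration.

```python
"""Pull Open Graph tags out of an HTML page and flag preview fields that
point at a host other than the one serving the page. Added example, not
from the ISC diary; sample HTML and hostnames below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class OpenGraphParser(HTMLParser):
    """Collect <meta property="og:..." content="..."> tags."""

    def __init__(self):
        super().__init__()
        self.tags = {}

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = dict(attrs)
        prop = (a.get("property") or a.get("name") or "").lower()
        if prop.startswith("og:") and a.get("content") is not None:
            # First value wins, which is how link previews normally behave.
            self.tags.setdefault(prop, a["content"])


def extract_og(html):
    parser = OpenGraphParser()
    parser.feed(html)
    return parser.tags


def _host(url):
    return (urlparse(url).hostname or "").lower()


def og_mismatches(page_url, html):
    """Return (property, value, note) for every URL-valued OG tag whose host
    differs from the host that actually served the page."""
    page_host = _host(page_url)
    tags = extract_og(html)
    findings = []
    for prop in ("og:url", "og:image", "og:video", "og:audio"):
        value = tags.get(prop)
        if not value:
            continue
        host = _host(value)          # relative values have no host and are skipped
        if host and host != page_host:
            findings.append((prop, value, f"{prop} names {host} but the page came from {page_host}"))
    return findings


# Constructed sample: an attacker-controlled page whose preview impersonates a bank.
SAMPLE_HTML = """<html><head>
<meta property="og:title" content="Bank Login" />
<meta property="og:url" content="https://bank.example/login" />
<meta property="og:image" content="https://bank.example/logo.png" />
<meta property="og:description" content="Please reconfirm your account" />
</head><body>phishing form here</body></html>"""

if __name__ == "__main__":
    for finding in og_mismatches("https://attacker.example/go", SAMPLE_HTML):
        print(*finding)
```

Feed it the HTML you fetched yourself (urllib is enough) together with the final URL after redirects. An og:image on a foreign host is weak evidence on its own, since legitimate sites serve images from CDNs; an og:url naming a different host than the one you downloaded from is the signal worth acting on.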
Categories: Security

Using a Raspberry Pi honeypot to contribute data to DShield/ISC, (Thu, Aug 3rd)

SANS Internet Storm Center - August 3, 2017 - 3:06pm
We have been working for a while now on a honeypot based on a Raspberry Pi. Thanks to our volunteers, we now have a version of the honeypot that provides us not just with the firewall data that we usually collect, but also with data about telnet/ssh and web attacks. Traditionally, we have focused on firewall logs, and we will, of course, continue to collect them. But it has become more difficult to collect logs from many consumer-level firewalls. The Raspberry Pi based system will allow us to maintain one code base that will make it easier to collect rich logs beyond firewall logs.
Categories: Security

Attacking NoSQL applications (part 2), (Wed, Aug 2nd)

SANS Internet Storm Center - August 2, 2017 - 1:27pm
Last week I was lucky enough to attend SANSFIRE, which is one of the biggest SANS events (I attended the SEC660 course by Tim Medin and, just as my personal opinion: this is probably the best course I have ever attended).
Categories: Security

Rooting Out Hosts that Support Older Samba Versions, (Tue, Aug 1st)

SANS Internet Storm Center - August 2, 2017 - 12:38am
I've had a number of people ask how they can find services on their network that still support SMBv1. In an AD Domain you can generally have good control of patching and the required registry keys to disable SMBv1. However, for non-domain members that's tougher.
Categories: Security

Text Banking Scams, (Sun, Jul 30th)

SANS Internet Storm Center - July 30, 2017 - 10:38pm
Over the past few days I have been getting a few phone text scams that kind of look realistic except for certain flaws that are fairly easy to pick out; however, this is where it is important to read the whole URL. First, if you don't have a banking account with the bank that appears to be texting you, you would just ignore and delete it. Most bank won where it should be an o in bmo has been replaced by a zero 0, the same with reconfirm and login, and the country code is incorrect, it should be a dot com. Analysis of the site by urlscan shows the site is located in Amsterdam, not in Canada, but the picture of the scam site [2] looks very realistic compared to the real site [3].
Categories: Security

SMBLoris - the new SMB flaw, (Sun, Jul 30th)

SANS Internet Storm Center - July 30, 2017 - 3:31pm

While studying the infamous EternalBlue exploit about 2 months ago, researchers Sean Dillon (zerosum0x0) and Zach Harding (Aleph-Naught-) found a new flaw in the Server Message Block (SMB) protocol that could allow an adversary to interrupt the service by depleting the memory and CPU resources of the targeted machine in a Denial of Service (DoS) attack.


Tweet used to announce the flaw [2]

According to an article posted by ThreatPost [1], the flaw, called SMBLoris, was privately reported to Microsoft in early June, but the company considered it to be of moderate impact and not something it would treat as a security issue. In addition, it would probably not even be fixed.

As announced, some bug details were presented yesterday during a presentation at DEF CON 25 in Las Vegas [3]. The attack is similar to another called SlowLoris [4] (hence the similarity of the name) in that it allows an attacker with a single machine and low bandwidth to interrupt a service through a DoS attack. The difference is that SlowLoris affected Web servers.

Technically speaking, the problem occurs with the accumulation of the buffers announced by the 4-byte NetBIOS Session Service (NBSS) header used during SMB session establishment: they are allocated in physical RAM (non-paged memory) and cannot be swapped out. Triggering this,

SMBLoris attack demonstration

There is no update from Microsoft to fix the problem, so it has been considered a zero-day. For now, as a mitigation measure, the recommendation is to use a packet filter, like a firewall, to limit the number of connections from the same source to the Windows servers on port 445 (SMB).

References

[1] https://threatpost.com/windows-smb-zero-day-to-be-disclosed-during-def-con/126927/
[2] https://twitter.com/zerosum0x0/status/870862422327689216
[3] https://www.defcon.org/html/defcon-25/dc-25-speakers.html#Dillon
[4] https://web.archive.org/web/20090822001255/http://ha.ckers.org/slowloris/

--
Renato Marinho
Morphus Labs| LinkedIn|Twitter

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security

Maldoc Submitted and Analyzed, (Sat, Jul 29th)

SANS Internet Storm Center - July 29, 2017 - 4:48pm

Reader Jason submitted a malicious document he received via email. Although it contains VBA code with string obfuscation that is not too complex, it has a very low VirusTotal detection score.


The for loop and the Chr$, Asc and Mid functions are clear indications that function sierra is a decoding function.


And here we see a call to function sierra with 2 long strings, which is executed when the document is closed. One string looks like encoded text, and the second string is a chain of digits. The decoding is actually simple. From each character in the first string, we subtract the digit at the same position in the second string: f - 3 = c, n - 1 = m, g - 3 = d, ... That spells out as cmd...
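The decoding rule above is small enough to reimplement and reuse on the next sample of the same family. The following Python is an added example, not Didier's tooling: sierra_decode applies the per-character subtraction, sierra_encode is its inverse (useful for building test data), and decode_sierra_calls pulls the two string arguments out of a VBA listing with a regular expression. The one-digit-per-character pairing and the sample VBA fragment are assumptions constructed for illustration.

```python
"""Decoder for the maldoc's sierra() routine: each character of the first
argument has the digit at the same position in the second argument
subtracted from its character code. Added example; the regex, the
one-digit-per-character assumption and the sample VBA are constructed."""
import re

# Matches calls such as sierra("encoded text", "3133...") in VBA source.
SIERRA_CALL = re.compile(r'sierra\(\s*"([^"]*)"\s*,\s*"([0-9]+)"\s*\)', re.IGNORECASE)


def sierra_decode(encoded, digits):
    """chr(ord(c) - d) for each character c paired with its digit d."""
    if len(digits) < len(encoded):
        raise ValueError("digit key is shorter than the encoded text")
    return "".join(chr(ord(c) - int(d)) for c, d in zip(encoded, digits))


def sierra_encode(plain, digits):
    """Inverse of sierra_decode, handy for building test data."""
    if len(digits) < len(plain):
        raise ValueError("digit key is shorter than the plaintext")
    return "".join(chr(ord(c) + int(d)) for c, d in zip(plain, digits))


def decode_sierra_calls(vba_source):
    """Decode every sierra(...) call found in a VBA listing."""
    return [sierra_decode(enc, key) for enc, key in SIERRA_CALL.findall(vba_source)]


# Constructed VBA fragment in the style of the sample, not the real macro.
SAMPLE_VBA = '''Private Sub Document_Close()
    Shell sierra("fng!2e", "313132")
End Sub'''

if __name__ == "__main__":
    for command in decode_sierra_calls(SAMPLE_VBA):
        print(command)
```

Real macros often split long literals across lines with & _ continuations; join those first (or extract the strings with oledump's -v output as shown above) before handing the listing to decode_sierra_calls.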


The payload uses command waitfor /t 3 hUZM (waitfor with /t blocks for up to 3 seconds waiting for a signal, here named hUZM, so it serves as a simple delay)

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

Categories: Security

Static Analysis of Emotet Maldoc, (Fri, Jul 28th)

SANS Internet Storm Center - July 28, 2017 - 11:33pm

Brad wrote a great analysis of an Emotet maldoc sent to us by a reader.

In this diary, I would like to show how this maldoc can be statically analyzed with a couple of tools.

oledump.py confirms it is an Office document with VBA macros, as we expected (the M indicators tell us which streams contain macros):

Selecting stream 9 (oledump.py -s 9 -v) shows the code that will execute automatically (the Document_Open sub):

As expected, it is obfuscated, but we can still recognize some strings that look like BASE64. If we were to manually concatenate them in the right order and decode them, we would recover the payload. Fortunately, for this sample, there is an easier way: an open-source VBA emulator, vipermonkey.

The VBA emulator encounters some errors during the emulation but, fortunately for us, still outputs the concatenated base64 payload:

We can pipe this into base64dump to decode the base64 code (since vipermonkey outputs the base64 string as an error on stderr, I combine stderr and stdout with 2>&1).

The decoded base64 payload starts with powershell, so we are on the right track. Let's dump the full decoded payload:
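The base64dump step above generalises to any noisy tool output: find base64-looking runs, decode each one, and keep the ones that decode to a PowerShell command line. As an added example (not Didier's base64dump, nor vipermonkey output from the real sample), the Python below does that over a constructed stand-in for the combined stdout/stderr and then unwraps the nested -EncodedCommand payload, which PowerShell expects as UTF-16LE. Function names and the sample text are mine.

```python
"""Recover a base64-encoded PowerShell payload from emulator output (stdout
and stderr mixed) and unwrap a nested -EncodedCommand. Added example that
stands in for the base64dump step; the sample output below is constructed."""
import base64
import binascii
import re

B64_RUN = re.compile(rb"[A-Za-z0-9+/]{20,}={0,2}")
ENCODED_CMD = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def base64_candidates(blob):
    """Yield (offset, decoded_bytes) for every base64-looking run in blob."""
    for m in B64_RUN.finditer(blob):
        run = m.group(0)
        run += b"=" * (-len(run) % 4)          # repair missing padding
        try:
            yield m.start(), base64.b64decode(run, validate=True)
        except (binascii.Error, ValueError):
            continue


def _as_text(raw):
    # PowerShell payloads are sometimes UTF-16LE; NUL bytes early on give it away.
    if b"\x00" in raw[:20]:
        return raw.decode("utf-16-le", "ignore")
    return raw.decode("latin-1")


def find_powershell(blob):
    """Return (offset, text) for decoded runs that start with 'powershell'."""
    hits = []
    for offset, raw in base64_candidates(blob):
        text = _as_text(raw)
        if text.lstrip().lower().startswith("powershell"):
            hits.append((offset, text))
    return hits


def unwrap_encoded_command(cmdline):
    """Decode the UTF-16LE script behind -e/-enc/-EncodedCommand, if present."""
    m = ENCODED_CMD.search(cmdline)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-16-le")


# Constructed stand-in for vipermonkey's combined stdout/stderr.
INNER_SCRIPT = "Write-Output 'constructed sample'"
_inner_b64 = base64.b64encode(INNER_SCRIPT.encode("utf-16-le")).decode()
_outer_cmd = f"powershell -NoP -NonI -W Hidden -Exec Bypass -Enc {_inner_b64}"
SAMPLE_OUTPUT = (b"INFO Emulating Document_Open\n"
                 b"ERROR Cannot resolve call: Shell\n"
                 + base64.b64encode(_outer_cmd.encode()) + b"\n"
                 b"INFO Finished emulation\n")

if __name__ == "__main__":
    for offset, cmd in find_powershell(SAMPLE_OUTPUT):
        print(f"@{offset}: {cmd}")
        print("  script:", unwrap_encoded_command(cmd))
```

In practice: vipermonkey maldoc.doc 2>&1 | python recover.py with SAMPLE_OUTPUT replaced by sys.stdin.buffer.read(). The 20-character minimum keeps ordinary words out of the candidate list; lower it if a sample splits its payload into very short chunks.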

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

Categories: Security

ISC Stormcast For Friday, July 28th 2017 https://isc.sans.edu/podcastdetail.html?id=5602, (Fri, Jul 28th)

SANS Internet Storm Center - July 28, 2017 - 4:20am
Categories: Security

TinyPot, My Small Honeypot, (Thu, Jul 27th)

SANS Internet Storm Center - July 27, 2017 - 2:02pm

Running honeypots is always interesting to get an overview of what's happening on the Internet in terms of scanners or new threats. Honeypots are useful not only in the wild but also on your internal networks. There are plenty of solutions to deploy honeypots with more or less nice features (depending on the chosen solution). There are plenty of honeypots[1] which can simulate specific services or even mimic a complete file system, computer or specific hardware.

That's cool but often such honeypots require a lot of dependencies (Python/Perl modules) or must be compiled. Sometimes, you just need to collect basic data to understand who's knocking on your door. I was looking for a quick
# iptables -t nat -A PREROUTING -p tcp --dport 1:65534 -j REDIRECT --to-ports 10000

Note: I limited the range to port 65534 to allow binding my SSH daemon to port 65535 (if you need to access the honeypot remotely).

The next step is to accept and establish a connection on any port (at least the TCP handshake). netcat[2] is the perfect tool for this and is usually installed by default with many Linux distributions. Let's
# netcat -l -k -p 10000 | tee -a /tmp/netcat.log

Finally, a full packet capture is always nice to have, let's
# tcpdump -i eth0 -w /tmp/tcpdump.pcap -C 1000 -W 10 -lenx -X -s 0 not port 65535

Finally, we can put all the commands in a single script tinypot.sh. I'm using the screen
#!/bin/bash
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 1:65534 -j REDIRECT --to-ports 10000
# Run the netcat | tee pipeline inside the screen session: with the pipe placed after
# screen's own arguments, tee reads from screen (which prints nothing when detached),
# not from netcat, and the log stays empty.
/usr/bin/screen -S netcat -d -m /bin/bash -c '/bin/netcat -l -k -p 10000 | tee -a /tmp/netcat.log'
# Exclude the SSH port (65535, see the note above); 65534 is redirected to the honeypot anyway.
/usr/bin/screen -S tcpdump -d -m /sbin/tcpdump -i eth0 -w /tmp/tcpdump.pcap -C 1000 -W 10 -lenx -X -s 0 not port 65535
echo "TinyPot running, use screen -r [netcat|tcpdump] to access tools"
We can see classic stuff like bots scanning for open proxies, SMB shares or searching for admin interfaces. What's next? Wireshark can be used to export statistics (menu Statistics > Conversations).

Nothing fancy here and I'm sure that it can be improved but TinyPot just does the work!
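One thing the netcat listener cannot tell you is which port the client was actually aiming at, since the REDIRECT rule rewrites every destination to 10000. As an added example (not Xavier's script), the Python below sits on the same port behind the same iptables rule, asks the kernel for the original destination with the Linux SO_ORIGINAL_DST socket option, records the first bytes each client sends, and makes a rough guess at what the probe was (TLS, SSH, SMB, plain HTTP or an open-proxy check). The classifier heuristics, the JSON-lines log format and the sample probe bytes are my own choices.

```python
"""A TinyPot-style catch-all listener in Python: sit on one port behind the
iptables REDIRECT rule, record the first bytes each client sends, and recover
the port the client originally aimed at (which plain netcat cannot see).
Added example, not the diary's script; the probe classifier and the
JSON-lines log format are my own choices."""
import asyncio
import json
import socket
import struct
import time

LISTEN_PORT = 10000
LOG_PATH = "/tmp/tinypot.jsonl"
SO_ORIGINAL_DST = 80   # Linux-only getsockopt option that netfilter fills in for REDIRECTed flows


def original_dst(sock):
    """(ip, port) the connection was sent to before iptables redirected it, or None."""
    try:
        raw = sock.getsockopt(socket.IPPROTO_IP, SO_ORIGINAL_DST, 16)
    except OSError:
        return None
    port, ip = struct.unpack("!2xH4s8x", raw)   # sockaddr_in: family, port, addr, padding
    return socket.inet_ntoa(ip), port


def classify_probe(data):
    """Rough guess at what a client was looking for, from its first bytes."""
    if not data:
        return "empty"                      # pure scanner: connect, send nothing
    if data[:2] == b"\x16\x03":
        return "tls-client-hello"
    if data.startswith(b"SSH-"):
        return "ssh"
    if data[:1] == b"\x00" and data[4:8] in (b"\xffSMB", b"\xfeSMB"):
        return "smb"
    head = data[:8].upper()
    if head.startswith((b"GET ", b"POST ", b"HEAD ", b"OPTIONS ", b"CONNECT ")):
        # CONNECT or an absolute-URI request line means an open-proxy check.
        if head.startswith(b"CONNECT ") or b" http://" in data[:200].lower():
            return "http-proxy"
        return "http"
    return "other"


async def handle(reader, writer):
    sock = writer.get_extra_info("socket")
    peer = writer.get_extra_info("peername")
    try:
        data = await asyncio.wait_for(reader.read(1024), timeout=5)
    except asyncio.TimeoutError:
        data = b""
    record = {
        "ts": time.time(),
        "src": peer[0], "src_port": peer[1],
        "orig_dst": original_dst(sock),
        "kind": classify_probe(data),
        "first_bytes": data[:64].hex(),
    }
    with open(LOG_PATH, "a") as f:
        f.write(json.dumps(record) + "\n")
    writer.close()


async def main():
    # Pair with: iptables -t nat -A PREROUTING -p tcp --dport 1:65534 -j REDIRECT --to-ports 10000
    server = await asyncio.start_server(handle, "0.0.0.0", LISTEN_PORT)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(main())
```

Run it as root (or with CAP_NET_BIND_SERVICE is not needed for 10000, but reading SO_ORIGINAL_DST requires the connection to have passed through the nat table) and keep the tcpdump from the script above for full payloads; the JSON lines give you per-port and per-source counts with a one-liner instead of a Wireshark session.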

[1] https://github.com/paralax/awesome-honeypots
[2] https://nmap.org/ncat/

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

Categories: Security

ISC Stormcast For Thursday, July 27th 2017 https://isc.sans.edu/podcastdetail.html?id=5600, (Thu, Jul 27th)

SANS Internet Storm Center - July 27, 2017 - 3:15am
Categories: Security

Malspam pushing Emotet malware, (Wed, Jul 26th)

SANS Internet Storm Center - July 26, 2017 - 7:20pm

2017-07-26 update: After publishing this diary, we were contacted by several people who provided samples of the emails. Screenshots of these emails have been added after my signature block. Thanks to everyone who responded!

Introduction

On Tuesday 2017-07-25, we were contacted by a reader through our contact page. He sent us a Microsoft Word document, and he included the following message:

Received a typical phishing email pointing to the site: anduron.com/XXGX911533.

This link downloads a doc with an open document macro. Interestingly, the macro was not encrypted. Understanding the payload however is outside my skill set...

I examined the Word document and found it's a downloader for Emotet malware. We never obtained a copy of the associated email. Emotet is generally known as a banking Trojan, although it's also been described as a downloader with worm-like propagation.
Shown above: Chain of events for malspam pushing Emotet.

The Word document

The Word document is a typical macro-based downloader. You enable Word macros after opening the document, and the macro code attempts to download and run malware.
Shown above: The macro name is Document_Open.
Shown above: The highly-obfuscated macro code is shown in Microsoft's Visual Basic editor.

Enabling macros caused the code to download a Windows executable (an Emotet binary) to the user's AppData\Local\Temp directory with a file name of 5 random digits and an .exe file extension. This file executed and promptly deleted itself from the AppData\Local\Temp directory. Before that, the malware copied itself to the user
Shown above: Emotet binary made persistent on an infected Windows host.

Infection traffic

At this point, I didn't know what the malware was, so I reviewed the network traffic. The URL to download the malicious document was still active, so I retrieved the Word document from anduron.com and infected a Windows host. I wasn't familiar with the traffic, but I had monitored the infection with a Security Onion host running Suricata and the EmergingThreats Pro ruleset.
Shown above: Escalate the Emotet events, and you'll see all the destination IPs.

Indicators of Compromise (IOCs)

Payload Security's reverse.it sandbox analysis (same as hybrid-analysis.com) of the Word document shows 5 other URLs from the macro that download the same Emotet malware binary. Payload Security
Shown above: Some additional URLs leading to the Word document.

The following are IOCs associated with malspam pushing Emotet malware on 2017-07-25:

Word document from links in the emails:

  • SHA256 hash: 6cad070bd1a37291b207895bbb51b975fa07b4ad2f05fb9a1ee15fb7441d600e
  • File size: 120,320 bytes
  • Links: VirusTotal , reverse.it , malwr.com

Emotet binary downloaded by the Word macro:

  • SHA256 hash: 48f3c89ea2f1e3190ae00f7ac7243ddb752364c076b40afc049424c6a0f75443
  • File size: 176,128 bytes
  • Links: VirusTotal , reverse.it , malwr.com

Links from the malspam to download the word document:

  • anduron.com - GET /XXGX911533/
  • approxim.com - GET /RHKA318298/
  • beckiyore.com - GET /ECPT315356/
  • bluedevils.be - GET /joomla/language/MZQO136516/
  • boscoandzoe.com - GET /ICHY890603/
  • bravasav.net - GET /ENOD612941/
  • cohenbenefits.com - GET /office/custom/SIPQ546465/
  • cpkapability.com - GET /UKSV614228/
  • danielmerchen.com - GET /TZEX247131/
  • denbar.com.au - GET /UOOP149434/
  • driften.org - GET /MCGF919307/
  • euphorianet.com - GET /YQCB092598/
  • event-weekend.ch - GET /ICOT371647/
  • falconbilgisayar.com - GET /RIOC718921/
  • flexlogic.nl - GET /QBUP530634
  • ftpgmbh.ch - GET /VYXG951483
  • getoutofthecube.com - GET /JZST874751/
  • goldencoyote.com - GET /ALLS580885/
  • hcsnet.com.br - GET /FDED220303/
  • hobbycoinexchange.com - GET /ssfm/ESIF185658/
  • homexxl.de - GET /images/articles/EYQD907375/
  • huiwei19.com - GET /YJPW400437/
  • intedyn.com - GET /PZFY613518/
  • interwatts.com - GET /jcgestio/report/XIND162748/
  • kovalantie.fi - GET /XOON622261/
  • lincolngroup.biz - GET /BCCC068652/
  • livablecity.org - GET /DFKR972152/
  • mariamartinezportfolio.com - GET /XLJF149270/
  • merz.com.ar - GET /POXE116744/
  • molodin.org - GET /YFUF766014
  • phvfd221.org - GET /CVQP360485/
  • procebe.com - GET /MPKL050560/
  • prodevinc.com - GET /RPJI648495/
  • rehaunion.de - GET /GDOG943694/
  • rekonaudio.com - GET /TGVY210050/

Macros from the Word document downloading the Emotet binary:

  • ais-fo.fr - GET /kukajweln/
  • blushphotoandfilm.com - GET /ckgawd/
  • bugbbq.com - GET /awhwgra/
  • dzynr.com - GET /ev/
  • netoip.com - GET /rwibpm/

HTTP post-infection traffic:

  • 74.208.17.10 port 8080 - 74.208.17.10:8080 - POST /
  • 158.69.199.223 port 8080 - 158.69.199.223:8080 - POST /
  • 178.62.175.211 port 443 - 178.62.175.211:443 - POST /

Post-infection attempted TCP connections, but no response (or RST) from the server:

  • 93.180.157.92 port 443
  • 164.132.50.32 port 8080
  • 173.212.192.45 port 8080
  • 178.79.132.214 port 443
  • 192.81.212.79 port 443
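
The IOC list above is only useful once it is in a form your proxy or web logs can be checked against. As an added example (not Brad's tooling), the Python below parses lines in the formats used above (host - GET /path/ and ip port N - ip:N - POST /), then runs the resulting matcher over a constructed proxy log. The IOC lines are copied from the list; the log lines and the assumed log layout (timestamp, client, method, URL) are constructed. Because most of the document-hosting sites are compromised legitimate domains, a hit on host alone is reported as weak and only host plus path as a real match.

```python
"""Turn the IOC list above into a matcher and run it over proxy-log lines.
Added example; the IOC lines are copied from the diary, the log lines are
constructed, and the log format (ts src method url) is an assumption."""
import re
from collections import namedtuple
from urllib.parse import urlparse

Ioc = namedtuple("Ioc", "host port method path")
HOST_PART = re.compile(r"^([\w.\-]+)(?:\s+port\s+(\d+))?$")


def _norm_path(path):
    return (path.rstrip("/") or "/").lower()


def parse_iocs(text):
    """Parse lines like 'host - GET /path/' or 'ip port N - ip:N - POST /'.
    Lines without a request part (bare 'ip port N') are skipped."""
    iocs = []
    for line in text.splitlines():
        line = line.strip().lstrip("•").strip()
        if " - " not in line:
            continue
        parts = [p.strip() for p in line.split(" - ")]
        m = HOST_PART.match(parts[0])
        method, _, path = parts[-1].partition(" ")
        if not m or not path:
            continue
        iocs.append(Ioc(m.group(1).lower(), int(m.group(2) or 80), method.upper(), _norm_path(path)))
    return iocs


def match_request(iocs, method, url):
    """'exact' when host, port, method and path all match; 'host-only' when
    just the host/port does (weak: these are mostly compromised legitimate
    sites); None otherwise."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    port = u.port or (443 if u.scheme == "https" else 80)
    path = _norm_path(u.path)
    weak = None
    for ioc in iocs:
        if ioc.host != host or ioc.port != port:
            continue
        if ioc.method == method.upper() and ioc.path == path:
            return "exact", ioc
        weak = ("host-only", ioc)
    return weak


def scan_log(iocs, lines):
    """Return (line_no, strength, ioc_host) for every log line that matches."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split(maxsplit=3)
        if len(fields) < 4:
            continue
        _, _, method, url = fields
        m = match_request(iocs, method, url)
        if m:
            hits.append((n, m[0], m[1].host))
    return hits


# Copied from the IOC list above (a subset).
IOC_TEXT = """
  • anduron.com - GET /XXGX911533/
  • flexlogic.nl - GET /QBUP530634
  • bugbbq.com - GET /awhwgra/
  • 74.208.17.10 port 8080 - 74.208.17.10:8080 - POST /
  • 178.62.175.211 port 443 - 178.62.175.211:443 - POST /
  • 93.180.157.92 port 443
"""

# Constructed proxy log: timestamp, client, method, URL.
SAMPLE_LOG = """2017-07-25T14:02:11 10.0.0.5 GET http://anduron.com/XXGX911533/
2017-07-25T14:02:30 10.0.0.5 GET http://anduron.com/about.html
2017-07-25T14:05:02 10.0.0.5 POST http://74.208.17.10:8080/
2017-07-25T14:06:44 10.0.0.7 GET http://flexlogic.nl/QBUP530634
2017-07-25T14:07:10 10.0.0.7 GET https://www.example.org/"""

if __name__ == "__main__":
    for hit in scan_log(parse_iocs(IOC_TEXT), SAMPLE_LOG.splitlines()):
        print(*hit)
```

The post-infection POSTs to bare IP addresses on 8080 and 443 are the better alerting signal: a workstation POSTing to an IP with no Host name on a non-standard port is rare in most environments, whereas a GET to a compromised blog is not.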

Final words

As mentioned earlier, we didn't obtain a copy of the email with a link to the Word document. Last month, a similar report on Emotet was published on malwarebreakdown.com, but it was also without an example of the associated emails. If anyone has an example of these emails, feel free to share a copy through our contact page.

If your organization follows best security practices, your risk of infection is minimal. However, we continue to see reports on this type of malspam on a near-daily basis. That implies the criminals behind it are at least somewhat successful.

Pcap and malware samples for today's diary can be found here.

---
Brad Duncan
brad [at] malware-traffic-analysis.net

2017-07-26 update: Another reader contacted us with additional info on yesterday's Emotet malspam. From the reader:

We saw this campaign as well yesterday. The senders were all random, but they seem to rely on the from field to lend increased credibility. There were two emotet campaigns with the one before this using other employee names that work in the same department as the recipient. This campaign used a very convincing bill from ATT, with the exception of the odd characters for ATT in the body everything else seemed pretty convincing.

Subjects:

ATT Bill Message
ATT Monthly Statement
ATT Customer
ATT Statement
ATT Automatic Billing Message
AT
Shown above: Screenshot from one of the emails pushing Emotet malware.

2017-07-26 additional update: Thanks to everyone who emailed us with examples of malspam they found pushing Emotet.

Categories: Security

ISC Stormcast For Wednesday, July 26th 2017 https://isc.sans.edu/podcastdetail.html?id=5598, (Wed, Jul 26th)

SANS Internet Storm Center - July 26, 2017 - 2:05am
Categories: Security

Trends Over Time, (Mon, Jul 24th)

SANS Internet Storm Center - July 25, 2017 - 10:56am
Categories: Security

©2001-2017 - Baanboard.com - Baanforums.com