Baanboard.com

Security

Basic Office maldoc analysis, (Mon, Jul 10th)

SANS Internet Storm Center - July 10, 2017 - 11:21pm

Malicious Office documents come in all types of flavors, sometimes very simple: they contain just an embedded file (for example an EXE), without any script or exploit to automatically launch the embedded file. The user is persuaded through social engineering to extract and execute the embedded file.

Analyzing such files in a sandbox will often not reveal the malicious payload, as the sandbox engine needs to recognize and open the embedded file.

Static analysis is simple however. Let

If you want to practice this type of analysis, it's easy to create your own samples: in Word, use the command Insert / Object / Object / Create from file ...

Inserting an object like this can result in other types of documents, which I will cover in an upcoming diary.
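The case above (a file inserted as an object, no macro, no exploit) can be confirmed statically by looking at the OLE stream Word writes for an inserted file: it is named \x01Ole10Native in a .doc, and in a .docx it sits inside word/embeddings/oleObjectN.bin, which is itself an OLE container. The Python below is an added example, not code from the diary: given the bytes of that stream (for instance dumped with oledump.py), it recovers the embedded file's original name and path and identifies the payload by its magic bytes. The stream is constructed inline and the file names in it are invented.

```python
"""Static check for a file embedded in an Office document: parse the Ole10Native stream."""
import struct

# Magic bytes worth flagging when they turn up inside an "embedded object".
MAGIC = [
    (b"MZ", "PE executable (EXE/DLL/SCR)"),
    (b"\x7fELF", "ELF executable"),
    (b"PK\x03\x04", "ZIP container (also OOXML/JAR)"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE compound file (DOC/XLS/MSI)"),
    (b"%PDF", "PDF"),
]


def identify(data: bytes) -> str:
    """Name the payload type from its leading bytes, or 'unknown'."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"


def _cstring(buf: bytes, pos: int):
    """Read a NUL-terminated string starting at pos; return (string, position after the NUL)."""
    end = buf.index(b"\x00", pos)
    return buf[pos:end], end + 1


def parse_ole10native(stream: bytes) -> dict:
    """Split an Ole10Native stream into its header fields and the embedded file's bytes.

    Layout: u32 size of the rest of the stream, u16 flags, NUL-terminated label,
    NUL-terminated source path, two u32 fields, NUL-terminated temp path,
    u32 payload size, payload.
    """
    if len(stream) < 6:
        raise ValueError("stream too short for an Ole10Native header")
    size, flags = struct.unpack_from("<IH", stream, 0)
    pos = 6
    label, pos = _cstring(stream, pos)
    src_path, pos = _cstring(stream, pos)
    pos += 8                      # two u32 fields; not needed to reach the payload
    temp_path, pos = _cstring(stream, pos)
    (payload_size,) = struct.unpack_from("<I", stream, pos)
    pos += 4
    payload = stream[pos:pos + payload_size]
    if len(payload) != payload_size:
        raise ValueError(f"payload truncated: header says {payload_size} bytes, got {len(payload)}")
    return {
        "size": size,
        "flags": flags,
        "label": label.decode("latin-1"),
        "src_path": src_path.decode("latin-1"),
        "temp_path": temp_path.decode("latin-1"),
        "payload": payload,
        "file_type": identify(payload),
    }


def build_ole10native(label: bytes, path: bytes, payload: bytes) -> bytes:
    """Construct a stream in the layout above (only used to build the sample below)."""
    body = struct.pack("<H", 2) + label + b"\x00" + path + b"\x00"
    body += struct.pack("<II", 0, len(path) + 1) + path + b"\x00"
    body += struct.pack("<I", len(payload)) + payload
    return struct.pack("<I", len(body)) + body


# Constructed sample: an executable inserted as an object, as in the diary's scenario.
SAMPLE_STREAM = build_ole10native(
    b"invoice.exe", b"C:\\Users\\victim\\Desktop\\invoice.exe",
    b"MZ\x90\x00" + bytes(60) + b"This program cannot be run in DOS mode.\r\n$")

if __name__ == "__main__":
    info = parse_ole10native(SAMPLE_STREAM)
    print(f"{info['label']!r} from {info['src_path']!r}: {info['file_type']}, {len(info['payload'])} bytes")
```

The label and source path are the first things to read: they are what the victim saw, and the path often leaks the attacker's build machine user name. The magic-byte check is what a sandbox that never opens the object misses.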

Didier Stevens
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security

ISC Stormcast For Tuesday, July 11th 2017 https://isc.sans.edu/podcastdetail.html?id=5576, (Mon, Jul 10th)

SANS Internet Storm Center - July 10, 2017 - 10:00pm

ISC Stormcast For Monday, July 10th 2017 https://isc.sans.edu/podcastdetail.html?id=5574, (Sun, Jul 9th)

SANS Internet Storm Center - July 9, 2017 - 9:40pm

Adversary hunting with SOF-ELK, (Sun, Jul 9th)

SANS Internet Storm Center - July 9, 2017 - 6:51am

As we recently celebrated Independence Day in the U.S., I'm reminded that we honor what was, of course, an armed conflict. Today's realities, when we think about conflict, are quite different than the days of lining troops up across the field from each other, loading muskets, and flinging balls of lead into the fray.
We live in a world of asymmetrical battles, often conflicts that aren't always obvious in purpose and intent, and likely fought on multiple fronts. For one of the best reads on the topic, take the well spent time to read TJ O'Connor's The Jester Dynamic: A Lesson in Asymmetric Unmanaged Cyber Warfare. If you're reading this post, it's possible that your front is that of 1s and 0s, either as a blue team defender, or as a red team attacker. I live in this world every day of my life as a blue teamer at Microsoft, and as a joint forces cyber network operator. We are faced, each day, with overwhelming, excessive amounts of data, of varying quality, where the answers to questions are likely hidden, but available to those who can dig deeply enough.
New platforms continue to emerge to help us in this cause. At Microsoft we have a variety of platforms that make the process easier for us, but no less arduous, to dig through the data, and the commercial sector continues to expand its offerings. For those with limited budgets and resources, but a strong drive for discovery, there have been outstanding offerings as well. Security Onion has been at the forefront for years, and is under constant development and improvement in the care of Doug Burks.
Another emerging platform, to be discussed here, is SOF-ELK, part of the SANS Forensics community, created by SANS FOR572 (Advanced Network Forensics and Analysis) author and instructor Phil Hagen. Count SOF-ELK in the NFAT family for sure, a strong player in the Network Forensic Analysis Tool category.
SOF-ELK has a great README, don't be that person, read it. It's everything you need to get started, in one place. What!? :-)
Better yet, you can download a fully realized VM with almost no configuration requirements, so you can hit the ground running. I ran my SOF-ELK instance with VMware Workstation 12 Pro and had no issues other than needing to temporarily disable Device Guard and Credential Guard on Windows 10.
SOF-ELK offers some good test data to get you started with right out of the gate, in /home/elk_user/exercise_source_logs, including Syslog from a firewall, router, converted Windows events, a Squid proxy, and a server named muse. You can drop these on your SOF-ELK server in the /logstash/syslog/ ingestion point for syslog-formatted data. Additionally, utilize /logstash/nfarch/ for archived NetFlow output, /logstash/httpd/ for Apache logs, /logstash/passivedns/ for logs from the passivedns utility, /logstash/plaso/ for log2timeline, and /logstash/bro/ for, yeah, you guessed it.
I mixed things up a bit and added my own Apache logs for the month of May to /logstash/httpd/. The muse log set in the exercise offering also included a DNS log (named_log); for grins I threw that in /logstash/syslog/ as well just to see how it would play.
Run down a few data rabbit holes with me, I swear I can linger for hours on end once I latch on to something to chase. We'll begin with a couple of highlights from my Apache logs. The SOF-ELK VM comes with three pre-configured dashboards including Syslog, NetFlow, and HTTPD. You can learn more in the start page for the SOF-ELK UI, my instance is http://192.168.50.110:5601/app/kibana. There are three panels, or blocks, for each dashboard's details, at the bottom of the UI. I drilled through to the HTTPD Log Dashboard for this experiment, and immediately reset the time period for analysis (click the time marker in the upper right hand part of the UI). It defaults to the last 15 minutes, if you're reviewing older data it won't show until you adjust to match your time stamps. My data is from the month of May so I selected an absolute window from the beginning of May to its end. You can also select quick or relative time options, it
Figure 1: HTTPD Log Dashboard

Nice! An event count summary, source ASNs by count (you can immediately see where I scanned myself from work), a fantastic Access Source map, a records graph by HTTP verbs, and one by response codes.
The beauty of these SOF-ELK dashboards is that they're immediately interactive and allow you to drill right in to interesting data points. The holisticinfosec.org website is intentionally flat and includes no active PHP or dynamic content. As a result, my favorite response code as a web application security tester, the 500 error, is notably missing. But, in both the timeline graphs we note a big traffic spike on 8 MAY 2017, which correlates nicely with my above-mentioned scan from work, as noted in the ASN hit count, and seen here in Figure 2.
Figure 2: Traffic spike from scan

This visualizes well but isn't really all that interesting or uncommon, particularly given that I know I personally ran the scan, and scans from the Intarwebs are a dime a dozen. What did jump out for me though, as seen back in Figure 1, was the presence of four PUT requests. That's usually a bad thing where some @$$h@t is trying to drop something on my server. Let's drill in a bit, shall we? After clicking the graph line with the four PUT requests, I quickly learned that two requests came from 204.12.194.234 (AS32097: WholeSale Internet in Kansas City, MO) and two came from 119.23.233.9 (AS37963: Hangzhou Alibaba Advertising in Hangzhou, China). This is well represented in the HTTPD Access Source panel map (Figure 3).
Figure 3: Access Source

The PUT requests from each included a txt file attempt, specifically dbhvf99151.txt and htjfx99555.txt; both were rejected, redirected (302), and sent to my landing page (200).
Research on the IPs found that 119.23.233.9 was on the real time suspected malware list as detected by InterServer's intrusion systems as seen 22 MAY, and 204.12.194.234 was found twice in the AbuseIPDB, flagged on 18 MAY 2017 for Cknife Webshell Detected. Now we're talking. It's common to attempt a remote file include attack or a PUT, with what is a web shell. I opened up SOF-ELK on that IP address and found eight total hits in my logs, all looking for common PHP opportunities with the likes of GET and POST for /plus/mytag_js.php,
Figure 4: Discovery

That's a groovy little hunting trip through HTTPD logs, but how about a bit of Syslog? I spotted a likely oddity that could be correlated across a number of the exercise logs; we'll see if the correlation is real. You'll notice tabs at the top of your SOF-ELK UI, we'll use Discover for this experiment. I started from the Syslog Dashboard with my time range set broadly on the last two months. 7606 records presented themselves, sliced neatly by hosts and programs, as seen in Figure 5.
Figure 5: Syslog Dashboard

Squid proxy logs showed the predominance of host entries (6778 or 57.95% of 11,696 to be specific), so I started there. Don't laugh, but I'll often do keyword queries just to see what comes up, sometimes you land a pointer to a good rabbit hole. Within the body of 6778 proxy events, I searched "malware". Two hits came back for GET requests via a JS redirector to bleepingcomputer.com for your basic how-to based on random websites opening in Chrome
Figure 6: Malware keyword

More importantly, we have an IP address to pivot on: 10.3.59.53. A search of that IP across the same 6778 Squid logs yielded 3896 entries specific to this IP, and lots to be curious about:

  • datingukrainewomen.com
  • anastasiadate.com
  • YouTube videos for hair loss
  • crowdscience.com for random pop-ups driving me nuts

Do I need to build this user profile out for you, or are you with me? Proxy logs tell us so much, and are deeply worthy of your blue team efforts to collect and review.
I jumped over to the named_log from the muse host to see what else might reveal itself. Here's where I jumped to Discover, the Splunk-like query functionality inherent to SOF-ELK (and ELK implementations). I did a reductive query to see what other oddities might surface: 10.3.59.53 AND dns_query: (*.co.uk OR *.de OR *.eu OR *.info OR *.cc OR *.online OR *.website). I used these TLDs based on the premise that bots using Domain Generation Algorithms (DGA) will often use these TLDs. See The DGA of PadCrypt to learn more, as well as ISC Diary handler John Bambanek's OSINT logic. The query results were quite satisfying, 29 hits, including a number of clearly randomly generated domains. Those that were most interesting all included the .cc TLD, so I zoomed in further. Down to five hits (Figure 7).
Figure 7: .cc TLD hits

Oh man, not good. I had a hunch now, and went back to the proxy logs with 10.3.59.53 AND squid_request:*.exe. And there you have it, ladies and gentlemen, hunch rewarded (Figure 8).
Figure 8: taxdocs.exe

If taxdocs.exe isn't malware, I'm a monkey's uncle. Unfortunately, I could find no online references to these .cc domains or the .exe sample or URL, but you get the point. Given that it's exercise data, Phil may have generated it to entice us to dig deeper.
When we think about the IOC patterns for Petya, a hunt like this is pretty revealing. Petya's initial infection appears to involve a software supply-chain threat involving the Ukrainian company M.E.Doc, which develops tax accounting software, MEDoc. This is not Petya (as far as I know) specifically, but we see pattern similarities for sure; one can learn a great deal about the sheep and the wolves. Be the sheepdog!
Few tools are better in the free and open source arsenal to help you train and enhance your inner digital sheepdog than SOF-ELK. "I'm a sheepdog. I live to protect the flock and confront the wolf." ~LTC Dave Grossman, from On Combat.
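The two hunts above, expressed as detection logic you can run over raw log lines without Kibana: the PUT pivot on Apache access logs, then the per-client pivot on Squid logs for executables and for hosts under the watched TLDs. This is an added example, not code from the diary or from SOF-ELK. The log lines are constructed for it; the source addresses, file names and the /plus/mytag_js.php probe follow the narrative, while the Squid hostnames are made up (the diary's TLD query ran against DNS logs; here it runs against the proxied URL's hostname).

```python
"""Re-run the diary's two hunts as code over constructed Apache and Squid log lines."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed Apache combined-format lines (not the author's real traffic).
APACHE_LINES = [
    '204.12.194.234 - - [18/May/2017:03:12:44 -0700] "PUT /dbhvf99151.txt HTTP/1.1" 302 - "-" "Mozilla/5.0"',
    '204.12.194.234 - - [18/May/2017:03:12:45 -0700] "GET / HTTP/1.1" 200 6142 "-" "Mozilla/5.0"',
    '119.23.233.9 - - [22/May/2017:11:02:10 -0700] "PUT /htjfx99555.txt HTTP/1.1" 302 - "-" "python-requests/2.9"',
    '119.23.233.9 - - [22/May/2017:11:02:11 -0700] "POST /plus/mytag_js.php HTTP/1.1" 404 209 "-" "python-requests/2.9"',
    '198.51.100.7 - - [08/May/2017:09:15:01 -0700] "GET /toolsmith.html HTTP/1.1" 200 8891 "-" "Mozilla/5.0"',
]

# Constructed Squid native access.log lines; 10.3.59.53 is the client the diary pivots on.
SQUID_LINES = [
    "1494244800.123    245 10.3.59.53 TCP_MISS/200 51200 GET http://qxzv3kd7hb.cc/taxdocs.exe - HIER_DIRECT/203.0.113.5 application/octet-stream",
    "1494244812.456     18 10.3.59.53 TCP_MISS/200 3210 GET http://anastasiadate.com/ - HIER_DIRECT/203.0.113.9 text/html",
    "1494244830.001     40 10.3.59.53 TCP_MISS/302 512 GET http://kjh2f9sd.info/r.php - HIER_DIRECT/203.0.113.10 text/html",
    "1494244899.777     77 10.3.59.22 TCP_HIT/200 2048 GET http://www.bleepingcomputer.com/malware-removal/ - HIER_NONE/- text/html",
]

APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+(?P<result>\S+)\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)")

# The TLDs the diary watched for DGA-style names.
WATCH_TLDS = (".co.uk", ".de", ".eu", ".info", ".cc", ".online", ".website")


def find_put_requests(lines):
    """First pivot: every PUT, with source IP, target path and response code."""
    hits = []
    for line in lines:
        m = APACHE_RE.match(line)
        if m and m["method"] == "PUT":
            hits.append((m["ip"], m["path"], int(m["status"])))
    return hits


def requests_from(lines, ip):
    """Second pivot: everything one source IP did (the diary's 'eight total hits' step)."""
    return [(m["method"], m["path"], int(m["status"]))
            for m in map(APACHE_RE.match, lines) if m and m["ip"] == ip]


def hunt_client(lines, client_ip):
    """Squid pivot on one client: executables fetched, and hosts under the watched TLDs with hit counts."""
    exe_urls, tld_hosts = [], Counter()
    for line in lines:
        m = SQUID_RE.match(line)
        if not m or m["client"] != client_ip:
            continue
        parts = urlsplit(m["url"])
        host = (parts.hostname or "").lower()
        if parts.path.lower().endswith(".exe"):
            exe_urls.append(m["url"])
        if host.endswith(WATCH_TLDS):
            tld_hosts[host] += 1
    return {"exe": exe_urls, "tld_hosts": dict(tld_hosts)}


if __name__ == "__main__":
    for ip, path, status in find_put_requests(APACHE_LINES):
        print(f"PUT {path} from {ip} -> {status}; other requests: {requests_from(APACHE_LINES, ip)}")
    print(hunt_client(SQUID_LINES, "10.3.59.53"))
```

The TLD list is a starting filter, not a verdict: legitimate hosts under .de or .co.uk will match too, which is why the diary follows it with a look at the names themselves and then the .exe pivot.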

Believe it or not, there's a ton more you can do with SOF-ELK, consider this a primer and a motivator.
I LOVE SOF-ELK. Phil, well done, thank you. Readers rejoice, this is really one of my favorites for toolsmith, hands down, out of the now 126 unique tools discussed over more than ten years. Download the VM, and get to work herding. :-)
Cheers...until next time.

Russ McRee|@holisticinfosec


A VBScript with Obfuscated Base64 Data, (Sat, Jul 8th)

SANS Internet Storm Center - July 8, 2017 - 6:56am

A few months ago, I posted a diary to explain how to search for (malicious) PE files in Base64 data[1]. Base64 is indeed a common way to distribute binary content in an ASCII form. There are plenty of scripts based on this technique. On my Macbook, I'm using

But yesterday, I found, on pastebin.com[2], a malicious WScript file with a Base64 string that did not decode. The script ended with an error "Invalid character in input stream":

H=TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIb gBTM~*hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ~*KJAAAAAAAAABQRQAATAEDAGGnBFkAAAAAAAAAA OAAAgELAQsAALIAAAAIAAAAAAAAjtEAAAAgAAAA4AAAAABAAAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAAAgAQAAAgAAAAAAAAIAQI UAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAADTRAABXAAAAAOAAAPgEAAAAAAAAAAAAAAAAAAAAAAAAAAABAAwAAAD8zwA AHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAA AC5~*ZXh~*AAAAlLEAAAAgAAAAsgAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAAPgEAAAA4AAAAAYAAAC~*AAAAAAAAAAAAAA AAAABAAABAL...(redacted)

If you check the VBScript code, you'll indeed see an instruction:

$_b=$_b.replace('~*','0')

When you just replace the string with "0", the data decodes:

$ sed 's/~\*/0/g' base64.txt | base64 -d

The relevant lines of the script:

O.regwrite D,H,"REG_SZ"
O.Run C & chrw(34) & "$_b = (get-itemproperty -path HKCU:\SOFTWARE\Microsoft\ -name KeyName $_b=$_b.replace('~*','0')" & Chrw(34),0,false

Nothing fancy here, but attackers are always using small tricks to prevent (or rather, to slow down) automated analysis by security tools. Always search for functions/tools that perform search/replace operations in the analyzed code. It can save you time. Happy hunting!
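Doing the last paragraph's advice mechanically, as an added example that is not code from the diary: pull every .replace('x','y') call out of the script text, apply them to the blob one at a time until strict Base64 decoding succeeds, and then run the MZ/DOS-stub check from the earlier diary on the result. The script fragment and the obfuscated blob are constructed here (a PE-like payload whose Base64 has every "0" swapped for "~*", the same trick as the pastebin sample); the PowerShell tail after the replace() call is invented filler.

```python
"""Undo a search/replace-obfuscated Base64 blob using the replace() calls found in the script itself."""
import base64
import binascii
import re

# Constructed sample (not the pastebin script): a PE-like payload whose Base64 has every "0" swapped for "~*".
PAYLOAD = b"MZ\x90\x00" + bytes(60) + b"This program cannot be run in DOS mode.\r\n$"
PAYLOAD += bytes(-len(PAYLOAD) % 3) + b"\xd3\x4d\x34"   # pad to a 3-byte boundary, then bytes that encode to "0000"
OBFUSCATED = base64.b64encode(PAYLOAD).decode("ascii").replace("0", "~*")

# A VBScript/PowerShell fragment in the style of the diary's sample, carrying the blob and the undo step.
SCRIPT = (
    'H = "' + OBFUSCATED + '"\n'
    'O.regwrite D,H,"REG_SZ"\n'
    'O.Run C & chrw(34) & "$_b = (get-itemproperty -path HKCU:\\SOFTWARE\\Microsoft\\ -name KeyName).KeyName;'
    ' $_b=$_b.replace(\'~*\',\'0\'); [IO.File]::WriteAllBytes($p,[Convert]::FromBase64String($_b))" & Chrw(34),0,false\n'
)

# .replace('x','y') or .replace("x","y"); the backreferences force matching quote styles.
REPLACE_CALL = re.compile(r"""\.replace\(\s*(['"])(.*?)\1\s*,\s*(['"])(.*?)\3\s*\)""", re.IGNORECASE)


def replacement_pairs(script: str):
    """Every (search, replace) pair from .replace() calls, in script order."""
    return [(m.group(2), m.group(4)) for m in REPLACE_CALL.finditer(script)]


def decodes_directly(blob: str) -> bool:
    """True if the blob is already valid Base64 (strict alphabet and padding)."""
    try:
        base64.b64decode(blob, validate=True)
        return True
    except binascii.Error:
        return False


def decode_with_script_hints(blob: str, script: str) -> bytes:
    """Apply the script's own replacements one at a time until strict Base64 decoding succeeds."""
    candidate = blob
    for search, repl in replacement_pairs(script):
        if decodes_directly(candidate):
            break
        candidate = candidate.replace(search, repl)
    return base64.b64decode(candidate, validate=True)   # still raises if the trick was something else


def looks_like_pe(data: bytes) -> bool:
    """The check the earlier diary used: MZ header plus the DOS stub message near the start."""
    return data[:2] == b"MZ" and b"This program cannot be run in DOS mode" in data[:0x100]


if __name__ == "__main__":
    print("decodes as-is:", decodes_directly(OBFUSCATED))
    data = decode_with_script_hints(OBFUSCATED, SCRIPT)
    print("replacements:", replacement_pairs(SCRIPT), "-> PE:", looks_like_pe(data), len(data), "bytes")
```

Strict decoding (validate=True) is deliberate: the lenient default silently drops characters outside the Base64 alphabet and would hand back a corrupt binary instead of telling you the blob still needs work.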

[1] https://isc.sans.edu/forums/diary/Searching+for+Base64encoded+PE+Files/22199
[2] https://pastebin.com/EhG9ZQtH
[3] https://www.virustotal.com/en/file/0e6694d37b2a424402a41bbd520bec4bc416813fa744013ba1b3eab27378a291/analysis/

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key


DDoS Extortion E-mail: Yet Another Bluff?, (Fri, Jul 7th)

SANS Internet Storm Center - July 7, 2017 - 8:05pm

DDoS extortion campaigns continue to be reported. Two weeks ago, Johannes Ullrich published a diary [1] about a fake DDoS threat pretending to be sent from Anonymous, threatening the targeted company with a massive attack if they weren't paid in Bitcoins. Yesterday we were informed of a similar extortion campaign although, this time, followed by a real DDoS test as promised by the sender.

The threat message seems to be a copycat of an old campaign reported last year in a blog post by CloudFlare [2]. It was signed by the same Armada Collective group, as seen below (text was partially anonymized):

FORWARD THIS MAIL TO WHOEVER IS IMPORTANT IN YOUR COMPANY AND CAN MAKE DECISION!
We are Armada Collective.

In past, we launched one of the largest attacks in Switzerlands history. Use Google.
All network of [victim's name] will be DDoS-ed starting [date]. If you don't pay 10 Bitcoins @ [bitcoin address]

When we say all, we mean all - users will not be able to use any of your services.

Right now we will start 15 minutes attack on one of your IPs([victims IP address]). It will not be hard, we will not crash it at the moment to try to minimize eventual damage, which we want to avoid at this moment. Its just to prove that this is not a hoax. Check your logs!
If you dont pay by [date], attack will start, price to stop will increase to 20 BTC and will go up 10 BTC for every day of attack.
If you report this to media and try to get some free publicity by using our name, instead of paying, attack will start permanently and will last for a long time.

This is not a joke.
Our attacks are extremely powerful - our Mirai botnet can reach over 1 Tbps per second. So, no protection will help.
Prevent it all with just 10 BTC @ [bitcoin address]
Do not reply, we will probably not read. Pay and we will know its you. AND YOU WILL NEVER AGAIN HEAR FROM US!
Bitcoin is anonymous, nobody will ever know you cooperated.

Although the targeted company has actually received the DDoS test attack, there are some considerations on the way it was carried out which raise questions about the veracity of the campaign. By analyzing the DDoS test traffic, it was clear that it was sent through a reflective attack using open NTP services over the Internet and not from a botnet like Mirai, as stated in the message. All the packets came from UDP port 123 (NTP service).

Regardless of the campaign's reliability, it's worth one's while to take some time and review your company's anti-DDoS strategies. In most scenarios, a pre-established agreement with your ISP to filter out volumetric attacks can avoid unpleasant surprises and high costs during emergencies. If you already have the agreement, it would be interesting to put it to the test and check whether the response time is suitable for your business requirements.

Until now, we are unaware of any case of a DDoS being launched after those threatening e-mail messages, and there are no reasons to pay, even though there is no guarantee that the extortion will stop.

If you received similar e-mails, please forward them to us.

References:
[1] https://isc.sans.edu/forums/diary/Fake+DDoS+Extortions+Continue+Please+Forward+Us+Any+Threats+You+Have+Received/22550/
[2] https://blog.cloudflare.com/empty-ddos-threats-meet-the-armada-collective/

--
Renato Marinho
Morphus Labs | LinkedIn | Twitter


ISC Stormcast For Friday, July 7th 2017 https://isc.sans.edu/podcastdetail.html?id=5572, (Thu, Jul 6th)

SANS Internet Storm Center - July 6, 2017 - 9:05pm

Investigation of BitTorrent Sync (v.2.0) as a P2P Cloud Service (Part 2 - Log Files artefacts), (Wed, Jul 5th)

SANS Internet Storm Center - July 6, 2017 - 8:44am

[This is a second guest diary by Dr. ...] This post discusses evidence that can be extracted from the related log files of BitTorrent Sync version 2.0 on Windows 8.1, Mac OS X Mavericks 10.9.5, and Ubuntu 14.04.1 LTS.

BitTorrent Sync stores logs in the application folder; the log file is displayed as sync.log.

Relevance

Examples of log entries obtained in our research

Enables a practitioner to identify the BitTorrent Sync version installed on the device under investigation.

  • platform: Windows workstation 6.3.0 x86
  • version: 2.0.93

Assists the practitioner in determining the non-encoded peer ID of the device under investigation.

  • [2015-04-03 16:18:32] My PeerID: 103B760A3674FE44C4A512B4EF802D452F633F99

A master folder will only be created during identity creation. This potentially allows the practitioner to determine when BitTorrent Sync was first used on a device.

  • [2015-04-03 16:19:50] MD[init]: Master Folder: create

May assist the practitioner in determining the IP addresses used by the device under investigation.

  • [2015-04-03 16:18:30] Using IP address 192.168.220.176
  • [2015-04-03 16:31:03] Changing IP address from 192.168.220.176 to 192.168.220.143

Informs the practitioner of the IP addresses used by the peer devices.

  • [2015-04-04 09:05:32] Incoming connection from 192.168.220.176:49734
  • [2015-04-03 16:51:58] SD[BBAD]: Peer 1: local IP 192.168.220.176:20566
  • [2015-04-03 16:51:47] SD[BBAD]: Got ping (broadcast: 1) from peer 192.168.220.176:20566 (10DEC8109E524439D9454ABE2BB1475BF7D5A2B5)
  • Peer 1: 60.50.83.170:49449 10DEC8109E524439D9454ABE2BB1475BF7D5A2B5
  • [2015-04-05 08:23:56] SF[1F7E] [A2B5]: Found peer 10DEC8109E524439D9454ABE2BB1475BF7D5A2B5 192.168.220.176:49759 direct:1 transport:1 version: 2.0.93

Allows a practitioner to identify the device names of the peer devices.

  • [2015-04-05 09:05:32] SF[B5E2] [A2B5]: Got id message from peer WIN-KMM6MUN4701 (10DEC8109E524439D9454ABE2BB1475BF7D5A2B5) 2.0.93
  • [2015-04-17 12:51:19] MD[A965]: new device found WIN-KMM6MUN4701 (CDPMQEE6KJCDTWKFJK7CXMKHLP35LIVV)

Since most peer IDs are stored in base32 format in the metadata and configuration files, these log entries would provide a potential method for identification of the actual (non-encoded) peer IDs from the device names.

  • [2015-04-05 09:05:32] SF[B5E2] [A2B5]: Got id message from peer WIN-KMM6MUN4701 (10DEC8109E524439D9454ABE2BB1475BF7D5A2B5) 2.0.93
  • [2015-04-15 12:30:31] SD[4F11]: Got ping (broadcast: 1) from peer 192.168.220.146:50523 (107C1CFB546B565559FE2929E7B7C8804E7302F0)
  • [2015-04-17 12:51:19] MD[A965]: new device found WIN-KMM6MUN4701 (CDPMQEE6KJCDTWKFJK7CXMKHLP35LIVV)
  • [2015-04-17 12:51:19] API: callback id=19, value={ value: {peerid:CDPMQEE6KJCDTWKFJK7CXMKHLP35LIVV}}, can_deferred=0, _delegate=0x1c57d48

May assist the practitioner in determining the share IDs for the shared folders added.

  • [2015-04-05 11:37:54] SSLEH[0x15fa28b0]: hello packet { share:6C25389E651AC160F91ECAF3D9A249C58F6BED15 } has been sent
  • [2015-04-05 11:37:54] SSLEH[0x08e849e8]: received hello packet, { share:6C25389E651AC160F91ECAF3D9A249C58F6BED15 }
  • [2015-04-05 11:47:58] Requesting peers from tracker 52.1.1.135:3000 for share 6C25389E651AC160F91ECAF3D9A249C58F6BED15

Enables identification of the shared folder names/IDs created on the device under investigation.

  • [2015-04-04 20:36:45] FC[B5E2]: started periodic scan for \\?\C:\Sync
  • [2015-04-05 11:37:57] MD[A965]: [apply] Processing folder Sync (-2775350472753142605)

Assists the practitioner in determining the synced filenames or folder names as well as the addition/creation times.

  • [2015-04-05 08:24:17] JOURNAL[22F5]: new torrent created for file Enron3111.txt mt:1418488391 9603FC44BB0F59A822FA3331A1802F880ABA583B
  • [2015-04-05 08:24:17] JOURNAL[22F5]: setting time for file \\?\C:\Sync\Enron3111.txt to 1428193457
  • [2015-04-05 08:24:17] JOURNAL[22F5]: insert file \\?\C:\Sync\Enron3111.txt = 131072:22982

Informs the practitioner of the folder names for the deleted folders as well as the deletion times.

  • [2015-06-28 23:41:17] Folder being removed from this device and the files at \\?\C:\Sync are being removed.

Allows the practitioner to determine the local identity's disconnection time.

  • [2015-04-05 09:12:01] Master Folder Controller: disconnect master folder

Table 2: Records of BitTorrent Sync

Relevance

Examples of log entries obtained in our research

Provides the practitioner details about the device under investigation such as the peer ID, device name, last online time, last sync completed time, and folder IDs for the shared folders created/added.

  • [2015-04-05 09:11:53] API: -- getmfdevices({ status: 200, value: [{ aod: false, devicename: WIN-KMM6MUN4701, folders: [ { added: true, id: -7338009380596345790, mode: 1 }, { added: true, id: 3964779361527927184, mode: 1 }, { added: true, id: 4780923171276619705, mode: 1 }, { added: true, id: 5471258729987051831, mode: 1 } ], id: CDPMQEE6KJCDTWKFJK7CXMKHLP35LIVV, lastseen: 1428196287, lastsynccompleted: 1428196287, name: WIN-KMM6MUN4701, online: true, self: false, syncerr: 0, syncerrmsg: , userid: } ] })

Assists the practitioner in determining the pending user requests sent to the device under investigation, including the folder IDs (if any), the times when the requests were sent, access permissions, as well as the requesters' IP addresses and certificate fingerprints.

  • [2015-04-03 16:51:48] API: -- getpendingrequests({ status: 200, value: [ { access_level: 3, id: 5471258729987051831, ip: 192.168.220.176, license: false, readwrite: true, time: 1428051108, user_identity: { devicename: device, fingerprint: 2UMI566O3XAE7BB2V3N3YWWECJ3TCGJHMRGZTVLN2SZY276QI4AQ, username: Guest } } ] })

May assist a practitioner in determining the folder names, folder IDs, storage paths, folder sizes, timestamp information, as well as peer device names, peer IDs, and fingerprints associated with the shared folders added by or downloaded to the device under investigation.

  • [2015-04-05 09:05:37] API: -- getsyncfolders({ folders: [ { access: 4, archive: C:\\Sync\\.sync\\Archive, archive_files: 3, archive_size: 153187, date_added: 1428049323, down_eta: 0, down_speed: 0, down_status: 100, error: 0, files: 3, folderid: 5471258729987051831, has_key: true, indexing: false, ismanaged: true, iswritable: true, last_modified: 1428053450, name: Sync, path: C:\\Sync, paused: false, peers: [ { direct: true, downdiff: 0, id: 10DEC8109E524439D9454ABE2BB1475BF7D5A2B5, isonline: true, lastreceivedtime: 0, lastsenttime: 1428051120, lastsynctime: 1428051129, name: WIN-KMM6MUN4701, updiff: 0, userid: UQO52P4G5O2QU6OOGX3AS7R6RUAU22JBBWJ4H2CYNXHRO3KIRVBQ }], size: 321638, status: 314.0 kB in 3 files, stopped: false, synclevel: 2, up_eta: 0, up_speed: 0, up_status: 100, users: [{ access: 3, id: 2UMI566O3XAE7BB2V3N3YWWECJ3TCGJHMRGZTVLN2SZY276QI4AQ, name: Guest } ] },

Informs the practitioner of the storage path for the device under investigation.

  • [2015-04-03 16:43:13] API: -- getfoldersstoragepath({ status: 200, value: C:\\Users\\anonymous\\BitTorrent Sync })
  • [2015-04-05 09:05:33] API: -- setfoldersstoragepath({ path: C:\\Users\\anonymous\\BitTorrent Sync, status: 200 })

Allows the practitioner to identify the folder name, path, and timestamp references for the shared folders added by the device under investigation.

  • [2015-04-04 20:27:22] API: -- addsyncfolder(path=C%3A%5CSyncselectivesync=falset=1428150442927)

Contains a copy of the history.dat file (see section 4.1) at the time of the request.

  • [2015-04-05 08:33:06] API: -- history({ status: 200, value: [{ id: 39, msg: WIN-KMM6MUN4701 updated file Enron3111.zip, time: 1428193777 }, { id: 38, msg: WIN-KMM6MUN4701 updated file Enron3111.txt, time: 1428193777 }, { id: 37, msg: Remote peer removed file Enron3111.rtf, time: 1428193777 }, { id: 13, msg: Added file Enron3111.docx, time: 1428153859 }

The next post discusses BitTorrent Sync v.2 evidence retrievable from physical memory.
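The tables above give the same device two names: the 40-hex peer ID (10DEC8...A2B5) in peer messages and the 32-character base32 ID (CDPMQEE6...LIVV) in the "new device found" and API records. Those are the same 20 bytes, base32-encoded in the second case, so the mapping the text describes can be computed rather than inferred from device names. The Python below is an added example, not code from the diary or from BitTorrent Sync: it pulls timestamps, IDs, endpoints and device names out of sync.log lines (the lines are quoted from the tables above) and indexes every sighting by the hex peer ID so both forms land in one bucket. The 52-character user IDs and fingerprints decode the same way, to 32 bytes.

```python
"""Extract identifiers from BitTorrent Sync 2.0 sync.log lines and link base32 device IDs to hex peer IDs."""
import base64
import re
from collections import defaultdict

# Log lines quoted from the tables above (the research data, not a live device).
LOG_LINES = [
    "[2015-04-03 16:18:32] My PeerID: 103B760A3674FE44C4A512B4EF802D452F633F99",
    "[2015-04-03 16:18:30] Using IP address 192.168.220.176",
    "[2015-04-03 16:51:47] SD[BBAD]: Got ping (broadcast: 1) from peer 192.168.220.176:20566 (10DEC8109E524439D9454ABE2BB1475BF7D5A2B5)",
    "[2015-04-05 09:05:32] SF[B5E2] [A2B5]: Got id message from peer WIN-KMM6MUN4701 (10DEC8109E524439D9454ABE2BB1475BF7D5A2B5) 2.0.93",
    "[2015-04-15 12:30:31] SD[4F11]: Got ping (broadcast: 1) from peer 192.168.220.146:50523 (107C1CFB546B565559FE2929E7B7C8804E7302F0)",
    "[2015-04-17 12:51:19] MD[A965]: new device found WIN-KMM6MUN4701 (CDPMQEE6KJCDTWKFJK7CXMKHLP35LIVV)",
    "[2015-04-05 11:47:58] Requesting peers from tracker 52.1.1.135:3000 for share 6C25389E651AC160F91ECAF3D9A249C58F6BED15",
]

TS_RE = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]")
HEX_ID_RE = re.compile(r"\b[0-9A-F]{40}\b")      # raw 20-byte peer and share IDs
B32_ID_RE = re.compile(r"\b[A-Z2-7]{32}\b")       # the same 20 bytes in base32 (32 chars, no padding)
IPPORT_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?\b")
DEVICE_RE = re.compile(r"(?:from peer|new device found) ([^\s(]+) \([0-9A-Z]+\)")


def b32_to_hex(encoded: str) -> str:
    """Decode a base32 ID (device ID, user ID or fingerprint) to the uppercase hex the log uses elsewhere."""
    padded = encoded + "=" * (-len(encoded) % 8)
    return base64.b32decode(padded).hex().upper()


def parse_line(line: str) -> dict:
    """Pull timestamp, IDs, endpoints and (if present) a device name out of one log line."""
    ts = TS_RE.match(line)
    dev = DEVICE_RE.search(line)
    return {
        "time": ts.group(1) if ts else None,
        "hex_ids": HEX_ID_RE.findall(line),
        "b32_ids": B32_ID_RE.findall(line),
        "endpoints": [(ip, int(port) if port else None) for ip, port in IPPORT_RE.findall(line)],
        # "from peer 192.168.220.176:20566" names an endpoint, not a device
        "device": dev.group(1) if dev and not IPPORT_RE.fullmatch(dev.group(1)) else None,
    }


def correlate(lines):
    """Index every sighting by hex ID so the base32 and hex forms of one device share a bucket."""
    index = defaultdict(lambda: {"names": set(), "endpoints": set(), "b32": None, "seen": []})
    for line in lines:
        rec = parse_line(line)
        for b32 in rec["b32_ids"]:
            index[b32_to_hex(b32)]["b32"] = b32
        for hex_id in rec["hex_ids"] + [b32_to_hex(b) for b in rec["b32_ids"]]:
            entry = index[hex_id]
            entry["seen"].append(rec["time"])
            if rec["device"]:
                entry["names"].add(rec["device"])
            entry["endpoints"].update(ip for ip, _ in rec["endpoints"])
    return index


if __name__ == "__main__":
    for hex_id, entry in correlate(LOG_LINES).items():
        print(hex_id, entry["b32"], sorted(entry["names"]), sorted(entry["endpoints"]), entry["seen"])
```

Share IDs are also 40 hex characters and will show up as buckets of their own; the tracker line above produces one. Keep them apart from peer IDs by the verb in the line ("for share" versus "from peer") if that distinction matters to the case.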


ISC Stormcast For Thursday, July 6th 2017 https://isc.sans.edu/podcastdetail.html?id=5570, (Wed, Jul 5th)

SANS Internet Storm Center - July 5, 2017 - 8:40pm

Selecting domains with random names, (Wed, Jul 5th)

SANS Internet Storm Center - July 5, 2017 - 7:30pm

I often have to go through lists of domains or URLs, and filter out domains that look like random strings of characters (and could thus have been generated by malware using an algorithm).

That's one of the reasons I developed my re-search.py tool. re-search is a tool to search through (text) files with regular expressions. Regular expressions cannot be used to identify strings that look random; that's why re-search has methods to enhance regular expressions with this capability.

We will use this list of URLs in our example:
http://didierstevens.com
http://zcczjhbczhbzhj.com
http://www.google.com
http://ryzaocnsyvozkd.com
http://www.microsoft.com
http://ahsnvyetdhfkg.com

Here is an example to extract alphabetical .com domains from file list.txt with a regular expression:
re-search.py [a-z]+\.com list.txt

Output:
didierstevens.com
zcczjhbczhbzhj.com
google.com
ryzaocnsyvozkd.com
microsoft.com
ahsnvyetdhfkg.com

Detecting random looking domains is done with a method I call gibberish detection, and it is implemented by prefixing the regular expression with a comment. Regular expressions can contain comments, like programming languages. This is a comment for regular expressions: (?#comment).

If you use re-search with regular expression comments, nothing special happens:
re-search.py (?#comment)[a-z]+\.com list.txt

However, if your regular expression comment prefixes the regular expression, and the comment starts with the keyword extra=, then you can use gibberish detection (and other methods; use re-search.py -m for the complete manual).
To use gibberish detection, you use directive S (S stands for sensical). If you want to filter for all strings that match the regular expression and are gibberish, you use the following regular expression comment: (?#extra=S:g). :g means that you want to filter for gibberish.

Here is an example to extract alphabetical .com domains that are gibberish from file list.txt:
re-search.py (?#extra=S:g)[a-z]+\.com list.txt

Output:
zcczjhbczhbzhj.com
ryzaocnsyvozkd.com
ahsnvyetdhfkg.com

If you want to filter all strings that match the regular expression and are not gibberish, you use the following regular expression comment: (?#extra=S:s). :s means that you want to filter for sensical strings.

Classifying a string as gibberish or not, is done with a set of classes that I developed based on work done by rrenaud at https://github.com/rrenaud/Gibberish-Detector. The training text is a public domain book in the Sherlock Holmes series. This means that English text is used for gibberish classification. You can provide your own trained pickle file with option -s.
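What such a classifier does inside, as an added example that is not re-search's code: a bigram Markov model in the spirit of rrenaud's Gibberish-Detector. It is trained on a short constructed English passage instead of a Sherlock Holmes book, places its threshold between constructed known-good and known-random reference strings (the role of Gibberish-Detector's good and bad example files), and then applies the regex-then-classify filter to the diary's URL list, scoring only the alphabetic label in front of .com.

```python
"""A bigram Markov 'gibberish' classifier applied to regex-matched domain names."""
import math
import re
from collections import defaultdict

ALPHABET = "abcdefghijklmnopqrstuvwxyz "

# Constructed English training text: a small stand-in for the book re-search is trained on.
TRAINING_TEXT = """the analyst opened the log files and looked for anything out of the ordinary. most of the entries were
ordinary web requests, but a few of them did not look right at all. a good tool will let you go through the data
quickly, and a good process will keep you from missing the small things. every time the program found a request
that did not fit the pattern, it wrote a line to the report so the team could look again later. the global picture
only came into view after several hours of work, when the same remote address turned up across different systems
and in different fields of the evidence. at a glance the names seemed random, and that was the point: software that
generates domain names on the fly does not care whether a human can read them. the size of the problem is not the
number of events but the number of decisions a person must make. friends in the field said the same thing, and even
the best automation will not recognize every trick. what it can do is reduce the pile to something a human can read,
understand, and act on before the end of the day. those minutes spent creating a short list of suspects are the most
useful minutes of the whole day. the network team worked between two offices and shared the security notes with
everyone. that is the whole idea behind this kind of analysis: let the machine do the counting, and let the people do
the thinking."""

# Constructed reference strings used only to place the decision threshold.
GOOD_EXAMPLES = ["forensics", "network", "security", "domain", "report"]
BAD_EXAMPLES = ["qzxvkjwp", "hgfdkzbvn", "tzqxmwkvp", "xkvqzjwhp"]

# The diary's list of URLs.
URLS = [
    "http://didierstevens.com", "http://zcczjhbczhbzhj.com", "http://www.google.com",
    "http://ryzaocnsyvozkd.com", "http://www.microsoft.com", "http://ahsnvyetdhfkg.com",
]


def normalize(text: str) -> str:
    """Lowercase and squeeze everything outside a-z into single spaces."""
    return re.sub(r"[^a-z]+", " ", text.lower())


def train(text: str):
    """Return log P(next char | char) with add-one smoothing over the 27-symbol alphabet."""
    counts = {a: defaultdict(int) for a in ALPHABET}
    clean = normalize(text)
    for a, b in zip(clean, clean[1:]):
        counts[a][b] += 1
    model = {}
    for a in ALPHABET:
        total = sum(counts[a].values()) + len(ALPHABET)
        model[a] = {b: math.log((counts[a][b] + 1) / total) for b in ALPHABET}
    return model


def score(model, s: str) -> float:
    """Average bigram log-probability; higher means more English-like."""
    clean = normalize(s).strip()
    pairs = list(zip(clean, clean[1:]))
    if not pairs:
        return float("-inf")
    return sum(model[a][b] for a, b in pairs) / len(pairs)


def threshold(model) -> float:
    """Midpoint between the mean score of known-good and known-gibberish reference strings."""
    good = sum(score(model, w) for w in GOOD_EXAMPLES) / len(GOOD_EXAMPLES)
    bad = sum(score(model, w) for w in BAD_EXAMPLES) / len(BAD_EXAMPLES)
    return (good + bad) / 2


def gibberish_domains(urls, model, cutoff):
    """The (?#extra=S:g)[a-z]+\\.com idea: regex-match first, then keep only gibberish labels."""
    out = []
    for url in urls:
        m = re.search(r"([a-z]+)\.com", url)
        if m and score(model, m.group(1)) < cutoff:
            out.append(m.group(0))
    return out


if __name__ == "__main__":
    model = train(TRAINING_TEXT)
    cutoff = threshold(model)
    for url in URLS:
        label = re.search(r"([a-z]+)\.com", url).group(1)
        print(f"{label:16s} {score(model, label):6.2f}")
    print("cutoff", round(cutoff, 2), "->", gibberish_domains(URLS, model, cutoff))
```

Two properties carry over to the real tool. The model only knows the language it was trained on, so a German or pinyin domain list needs a different corpus (re-search's -s option takes your own trained pickle for exactly that reason). And short labels give the model few bigrams to average over, so expect more noise on five-letter names than on fourteen-letter ones.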

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com


ISC Stormcast For Wednesday, July 5th 2017 https://isc.sans.edu/podcastdetail.html?id=5568, (Tue, Jul 4th)

SANS Internet Storm Center - July 5, 2017 - 12:05am

PE Section Name Descriptions, (Sun, Jul 2nd)

SANS Internet Storm Center - July 2, 2017 - 10:19pm

PE files (.exe, .dll, ...) have sections: a section with code, one with data, ... Each section has a name, and different compilers use different section names. Section names can help us identify the compiler and the type of PE file we are analyzing.

@Hexacorn compiled a list of section names with corresponding descriptions; you can find the latest version here. I find this list so useful that I included it (with permission) in my pecheck.py tool. pecheck is a Python tool to analyze PE files, based on Ero Carrera
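The section-table walk that a check like this rests on, as an added example that is neither pecheck.py nor Hexacorn's list: a minimal PE header parser written with struct, a short name-to-meaning table written for this example (a handful of well-known names; pecheck.py carries the full list), and a helper that flags packer or protector names and any section that is both writable and executable. The PE bytes are constructed in memory and carry no code.

```python
"""Walk a PE section table with struct and annotate section names with what they usually indicate."""
import struct

# A handful of well-known section names; an excerpt written for this example, not Hexacorn's list.
SECTION_HINTS = {
    ".text": "code (most linkers)",
    ".data": "initialized data",
    ".rdata": "read-only data (MSVC)",
    ".idata": "import tables",
    ".edata": "export tables",
    ".rsrc": "resources",
    ".reloc": "base relocations",
    ".tls": "thread-local storage",
    ".bss": "uninitialized data",
    "UPX0": "UPX packer",
    "UPX1": "UPX packer",
    ".ndata": "Nullsoft installer (NSIS)",
    ".aspack": "ASPack packer",
    ".adata": "ASPack packer",
    ".vmp0": "VMProtect protector",
    ".vmp1": "VMProtect protector",
    ".themida": "Themida protector",
}

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_sections(pe: bytes):
    """One dict per section header: e_lfanew -> 'PE\\0\\0' -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size            # section headers follow the optional header
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr, _rel, _lin, _nrel, _nlin, chars = struct.unpack_from(
            "<8sIIIIIIHHI", pe, table + 40 * i)
        name = name.rstrip(b"\x00").decode("latin-1")
        sections.append({
            "name": name,
            "hint": SECTION_HINTS.get(name, "not a well-known name: look closer"),
            "virtual_address": vaddr, "virtual_size": vsize,
            "raw_pointer": rawptr, "raw_size": rawsize,
            "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE),
            "writable": bool(chars & IMAGE_SCN_MEM_WRITE),
        })
    return sections


def packed_or_protected(sections):
    """Names that identify a packer/protector, plus any section that is both writable and executable."""
    return [s["name"] for s in sections
            if "packer" in s["hint"] or "protector" in s["hint"] or (s["executable"] and s["writable"])]


def build_sample_pe(sections):
    """Construct a minimal PE32 header with the given (name, characteristics) sections: no code, an
    all-zero optional header, just enough to walk the section table."""
    opt = bytes(224)                                      # PE32 optional header size
    e_lfanew = 0x80
    dos = (b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("latin-1"), 0x1000, 0x1000 * (i + 1),
                    0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, chars)
        for i, (name, chars) in enumerate(sections))
    return dos + b"PE\x00\x00" + coff + opt + table


if __name__ == "__main__":
    sample = build_sample_pe([("UPX0", IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE),
                              ("UPX1", IMAGE_SCN_MEM_EXECUTE), (".rsrc", 0)])
    for s in parse_sections(sample):
        print(f"{s['name']:8s} X={s['executable']!s:5s} W={s['writable']!s:5s} {s['hint']}")
    print("flagged:", packed_or_protected(parse_sections(sample)))
```

Section names are a hint, not proof: a packer can be told to rename them, and a hand-edited header can carry ".text" over anything. The writable-and-executable flag is the complementary check that does not depend on the name at all.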

Didier Stevens
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com


Using nmap to scan for MS17-010 (CVE-2017-0143 EternalBlue), (Sat, Jul 1st)

SANS Internet Storm Center - July 2, 2017 - 5:09pm

With both WannaCry and NotPetya using MS17-010 for propagation, it is important to be able to detect servers which are vulnerable. Even if you have comprehensive vulnerability management and patching programs, there are almost certainly servers that have been missed, whether because they are vendor supported or part of your company's cottage IT. It is important to be able to find those servers and either remediate them or put additional controls in place to protect them.

My fallback for any kind of discovery scanning is always nmap. It is easy enough to identify devices that have SMB open using nmap.

nmap -Pn -p445 ip-netblock

Starting Nmap 7.40 ( https://nmap.org ) at 2017-06-30 23:40 EDT
Nmap scan report for ...
Host is up (0.11s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds

While detecting SMB is the first step, there are legitimate reasons why a server may have SMB open. For the specific case of finding servers that are vulnerable to MS17-010 we need to dig a bit deeper.

Fortunately, Paulino Calderon has created an nmap NSE script which will reliably detect MS17-010. The script is not part of the standard nmap NSE scripts, so you will need to grab the smb-vuln-ms17-010 script from GitHub and place it into the NSE scripts directory before you can use it (on Linux that directory is /usr/share/nmap/scripts/).

This is the nmap command line that seems to work best with this NSE script (with thanks to Neo23x0):

nmap -Pn -p445 --open --max-hostgroup 3 --script smb-vuln-ms17-010 ip_netblock

When the scan finds a server with SMB open that is not vulnerable to MS17-010, the output looks identical to the previous scan; a vulnerable server, however, will generate additional output.

Starting Nmap 7.40 ( https://nmap.org ) at 2017-07-01 11:13 EDT
Nmap scan report for ...
Host is up (0.23s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds

Host script results:
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

UPDATE: It was pointed out that a version of this script was packaged with the 7.50 version of nmap that was released in mid-June. For those of you who are not yet on the 7.50 version (like me) you can get the packaged version of the script from the nmap svn repository. The packaged version is slightly different than the one on github.
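Across a large netblock, the useful output of this sweep is the list of hosts whose script result says "State: VULNERABLE". The script below, an added example that is not part of the diary, reduces nmap's normal (-oN) output to that list; SAMPLE_OUTPUT is constructed to follow the report layout shown above, with placeholder names and addresses.

```python
# Added example (not from the diary): reduce nmap -oN output from an
# smb-vuln-ms17-010 sweep to the hosts that still need remediation.
import re

REPORT_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\S+)\))?$")
PORT_RE = re.compile(r"^445/tcp\s+(\S+)\s+microsoft-ds")


def parse_ms17_010(text):
    """Return {host: {"smb": port_state, "vulnerable": bool}} from -oN text."""
    hosts, current, in_script = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        m = REPORT_RE.match(line)
        if m:
            # nmap prints "name (address)" when DNS resolves; prefer the address.
            current = m.group(2) or m.group(1)
            hosts[current] = {"smb": "closed", "vulnerable": False}
            in_script = False
            continue
        if current is None:
            continue
        m = PORT_RE.match(line)
        if m:
            hosts[current]["smb"] = m.group(1)
            continue
        if line.startswith("|"):  # NSE output lines carry a "| " / "|_ " prefix
            body = line.lstrip("|_ ").strip()
            if body.startswith("smb-vuln-ms17-010:"):
                in_script = True
            elif in_script and body == "State: VULNERABLE":
                hosts[current]["vulnerable"] = True
        else:
            in_script = False  # any other line ends the script block
    return hosts


def vulnerable_hosts(text):
    """Sorted hosts the script reported as VULNERABLE: the remediation list."""
    return sorted(h for h, v in parse_ms17_010(text).items() if v["vulnerable"])


# Constructed sample in the layout shown in the diary (addresses are placeholders).
SAMPLE_OUTPUT = """\
Starting Nmap 7.40 ( https://nmap.org ) at 2017-07-01 11:13 EDT
Nmap scan report for host-a.example (192.0.2.10)
Host is up (0.23s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|_    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

Nmap scan report for 192.0.2.11
Host is up (0.11s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Nmap done: 2 IP addresses (2 hosts up) scanned in 3.10 seconds
"""

if __name__ == "__main__":
    for host in vulnerable_hosts(SAMPLE_OUTPUT):
        print(host)
```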

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

Categories: Security

TA17-181A: Petya Ransomware

US-CERT - Alerts - July 1, 2017 - 6:41am
Original release date: July 01, 2017 | Last revised: July 07, 2017
Systems Affected

Microsoft Windows operating systems

Overview

On June 27, 2017, NCCIC was notified of Petya ransomware events occurring in multiple countries and affecting multiple sectors. Petya ransomware encrypts the master boot records of infected Windows computers, making affected machines unusable.

The NCCIC Code Analysis Team produced a Malware Initial Findings Report (MIFR) to provide in-depth technical analysis of the malware. In coordination with public and private sector partners, NCCIC is also providing additional IOCs in comma-separated-value form for information sharing purposes.

Available Files:

The scope of this Alert’s analysis is limited to the newest “Petya” variant that surfaced June 27, 2017, and this malware is referred to as “Petya” throughout this Alert.

Description

Based on initial reporting, this Petya campaign involves multiple methods of initial infection and propagation, including exploiting vulnerabilities in Server Message Block (SMB). Microsoft released a security update for the MS17-010 vulnerability on March 14, 2017. Background information on ransomware infections is provided in US-CERT Alert TA16-091A.

Technical Details

US-CERT received a sample of this Petya ransomware variant and performed a detailed malware analysis. The team found that this Petya variant encrypts the victim’s files with a dynamically generated, 128-bit key and creates a unique ID of the victim. However, there is no evidence of a relationship between the encryption key and the victim’s ID, which means it may not be possible for the attacker to decrypt the victim’s files even if the ransom is paid.

This Petya variant spreads using the SMB exploit as described in MS17-010 and by stealing the user’s Windows credentials. This variant of Petya is notable for installing a modified version of the Mimikatz tool, which can be used to obtain the user’s credentials. The stolen credentials can be used to access other systems on the network. This Petya variant will also attempt to identify other hosts on the network by checking the compromised system’s IP physical address mapping table. Next, it scans for other systems that are vulnerable to the SMB exploit and installs the malicious payload.

The compromised system’s files are encrypted with a 128-bit Advanced Encryption Standard (AES) algorithm during runtime. This Petya variant writes a text file on the “C:\” drive with the Bitcoin wallet information and RSA keys for the ransom payment. It modifies the master boot record (MBR) to enable encryption of the master file table (MFT) and the original MBR, then reboots the system. Based on the encryption methods used, it appears unlikely that the files can be restored even if the attacker received the victim’s unique ID.

Impact

According to multiple reports, this Petya ransomware campaign has infected organizations in several sectors including finance, transportation, energy, commercial facilities, and healthcare. While these victims are business entities, other Windows systems without patches installed for the vulnerabilities in MS17‑010, CVE-2017-0144, and CVE-2017-0145 are at risk of infection.

Negative consequences of ransomware infection include the following:

  • temporary or permanent loss of sensitive or proprietary information,
  • disruption to regular operations,
  • financial losses incurred to restore systems and files, and
  • potential harm to an organization’s reputation.

Solution

NCCIC recommends against paying ransoms; doing so enriches malicious actors while offering no guarantee that the encrypted files will be released. In this incident, the email address for payment validation was shut down by the email provider, so payment is especially unlikely to lead to data recovery.[1] According to one NCCIC stakeholder, the below sites are C2 payment sites for this activity. These sites are not included in the CSV package as IOCs.


Network Signatures

NCCIC recommends that organizations coordinate with their security vendors to ensure appropriate coverage for this threat. Because there is overlap between the WannaCry and Petya activities, many of the available rulesets can protect against both malware strains when appropriately implemented. The following rulesets provided in publicly available sources may help detect this activity:

  • sid:2001569, “ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection”[2]
  • sid:2012063, “ET NETBIOS Microsoft SRV2.SYS SMB Negotiate ProcessID? Function Table Dereference (CVE-2009-3103)”[3]
  • sid:2024297, “ET CURRENT_EVENTS ETERNALBLUE Exploit M2 MS17-010”[4]

Recommended Steps for Prevention

  • Apply the Microsoft patch for the MS17-010 SMB vulnerability dated March 14, 2017.[5]
  • Enable strong spam filters to prevent phishing emails from reaching the end users and authenticate in-bound email using technologies like Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent email spoofing. 
  • Scan all incoming and outgoing emails to detect threats and filter executable files from reaching the end users.
  • Ensure anti-virus and anti-malware solutions are set to automatically conduct regular scans.
  • Manage the use of privileged accounts. Implement the principle of least privilege. No users should be assigned administrative access unless absolutely needed. Those with a need for administrator accounts should only use them when necessary. 
  • Configure access controls including file, directory, and network share permissions with least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares. 
  • Disable macro scripts from Microsoft Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Office suite applications.
  • Develop, institute, and practice employee education programs for identifying scams, malicious links, and attempted social engineering.
  • Run regular penetration tests against the network, no less than once a year. Ideally, run these as often as possible and practical.
  • Test your backups to ensure they work correctly upon use.
  • Utilize host-based firewalls and block workstation-to-workstation communications.

Recommendations for Network Protection

  • Disable SMBv1 and
  • Block all versions of SMB at the network boundary by blocking TCP port 445 with related protocols on UDP ports 137-138 and TCP port 139, for all boundary devices.

Note: disabling or blocking SMB may create problems by obstructing access to shared files, data, or devices. The benefits of mitigation should be weighed against potential disruptions to users.

Review US-CERT’s Alert on The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations [6] and consider implementing the following best practices:

  1. Segregate networks and functions.
  2. Limit unnecessary lateral communications.
  3. Harden network devices.
  4. Secure access to infrastructure devices.
  5. Perform out-of-band network management.
  6. Validate integrity of hardware and software.

Recommended Steps for Remediation

  • Contact law enforcement. We strongly encourage you to contact a local FBI field office upon discovery to report an intrusion and request assistance. Maintain and provide relevant logs.
  • Implement your security incident response and business continuity plan. Ideally, organizations should ensure they have appropriate backups so their response is simply to restore the data from a known clean backup. 

General Advice for Defending Against Ransomware

Precautionary measures to mitigate ransomware threats include:

  • Ensure anti-virus software is up-to-date.
  • Implement a data backup and recovery plan to maintain copies of sensitive or proprietary data in a separate and secure location. Backup copies of sensitive data should not be readily accessible from local networks.
  • Scrutinize links contained in emails, and do not open attachments included in unsolicited emails.
  • Only download software—especially free software—from sites you know and trust.
  • Enable automated patches for your operating system and Web browser.

Report Notice

DHS encourages recipients who identify the use of tools or techniques discussed in this document to report information to DHS or law enforcement immediately. To request incident response resources or technical assistance, contact DHS’s National Cybersecurity and Communications Integration Center (NCCIC) at NCCICcustomerservice@hq.dhs.gov or 888-282-0870. Cyber crime incidents can also be reported to the Internet Crime Complaint Center (IC3) at https://www.ic3.gov/default.aspx.

References

Revision History

  • July 1, 2017: Initial version
  • July 3, 2017: Updated to include MIFR-10130295_stix.xml file. Substituted TA-17-181B_IOCs.csv for TA-17-181A_IOCs.csv.
  • July 7, 2017: Included further guidance from Microsoft in the Reference Section

This product is provided subject to this Notification and this Privacy & Use policy.


Categories: Security

TA17-181A: Petya Ransomware

US-CERT - Alerts - July 1, 2017 - 6:41am
Original release date: July 01, 2017 | Last revised: July 28, 2017
Systems Affected

Microsoft Windows operating systems

Overview

This Alert has been updated to reflect the National Cybersecurity and Communications Integration Center's (NCCIC) analysis of the "NotPetya" malware variant.

The scope of this Alert’s analysis is limited to the newest Petya malware variant that surfaced on June 27, 2017. This malware is referred to as “NotPetya” throughout this Alert.

On June 27, 2017, NCCIC [13] was notified of Petya malware events occurring in multiple countries and affecting multiple sectors. This variant of the Petya malware—referred to as NotPetya—encrypts files with extensions from a hard-coded list. Additionally, if the malware gains administrator rights, it encrypts the master boot record (MBR), making the infected Windows computers unusable. NotPetya differs from previous Petya malware primarily in its propagation methods. 

The NCCIC Code Analysis Team produced a Malware Initial Findings Report (MIFR) to provide in-depth technical analysis of the malware. In coordination with public and private sector partners, NCCIC is also providing additional indicators of compromise (IOCs) in comma-separated-value (CSV) form for information sharing purposes.

Available Files:

Description

NotPetya leverages multiple propagation methods to spread within an infected network. According to malware analysis, NotPetya attempts the lateral movement techniques below:

  • PsExec - a legitimate Windows administration tool
  • WMI - Windows Management Instrumentation, a legitimate Windows component
  • EternalBlue - the same Windows SMBv1 exploit used by WannaCry
  • EternalRomance - another Windows SMBv1 exploit

Microsoft released a security update for the MS17-010 SMB vulnerability on March 14, 2017, which addressed the EternalBlue and EternalRomance lateral movement techniques.

Technical Details

NCCIC received a sample of the NotPetya malware variant and performed a detailed analysis. Based on the analysis, NotPetya encrypts the victim’s files with a dynamically generated, 128-bit key and creates a unique ID of the victim. However, there is no evidence of a relationship between the encryption key and the victim’s ID, which means it may not be possible for the attacker to decrypt the victim’s files even if the ransom is paid. It behaves more like destructive malware rather than ransomware.

NCCIC observed multiple methods used by NotPetya to propagate across a network. The first and, in most cases, most effective method uses a modified version of the Mimikatz tool to steal the user’s Windows credentials. The cyber threat actor can then use the stolen credentials, along with the native Windows Management Instrumentation Command Line (WMIC) tool or the Microsoft SysInternals utility psexec.exe, to access other systems on the network. Another method for propagation uses the EternalBlue exploit tool to target unpatched systems running a vulnerable version of SMBv1. In this case, the malware attempts to identify other hosts on the network by checking the compromised system’s IP physical address mapping table. Next, it scans for other systems that are vulnerable to the SMB exploit and installs the malicious payload. Refer to the malware report, MIFR-10130295, for more details on these methods.

The analyzed sample of NotPetya encrypts the compromised system’s files with a 128-bit Advanced Encryption Standard (AES) algorithm during runtime. The malware then writes a text file on the “C:\” drive that includes a static Bitcoin wallet location as well as a unique personal installation key intended for the victim to use when making the ransom payment and the user’s Bitcoin wallet ID. NotPetya modifies the master boot record (MBR) to enable encryption of the master file table (MFT) and the original MBR, and then reboots the system. Based on the encryption methods used, it appears unlikely that the files could be restored, even if the attacker received the victim’s unique key and Bitcoin wallet ID.

The delivery mechanism of NotPetya during the June 27, 2017, event was determined to be the Ukrainian tax accounting software, M.E.Doc. The cyber threat actors used a backdoor to compromise M.E. Doc’s development environment as far back as April 14, 2017. This backdoor allowed the threat actor to run arbitrary commands, exfiltrate files, and download and execute arbitrary exploits on the affected system. Organizations should treat systems with M.E.Doc installed as suspicious, and should examine these systems for additional malicious activity. [12]

Impact

According to multiple reports, this NotPetya malware campaign has infected organizations in several sectors, including finance, transportation, energy, commercial facilities, and healthcare. While these victims are business entities, other Windows systems are also at risk, such as:

  • those that do not have patches installed for the vulnerabilities in MS17‑010, CVE-2017-0144, and CVE-2017-0145, and
  • those that operate on the shared network of affected organizations.

Negative consequences of malware infection include:

  • temporary or permanent loss of sensitive or proprietary information,
  • disruption to regular operations,
  • financial losses incurred to restore systems and files, and
  • potential harm to an organization’s reputation.

Solution

NCCIC recommends against paying ransoms; doing so enriches malicious actors while offering no guarantee that the encrypted files will be released. In this NotPetya incident, the email address for payment validation was shut down by the email provider, so payment is especially unlikely to lead to data recovery.[1] According to one NCCIC stakeholder, the sites listed below are used for payment in this activity. These sites are not included in the CSV package as IOCs.


Network Signatures

NCCIC recommends that organizations coordinate with their security vendors to ensure appropriate coverage for this threat. Given the overlap of functionality and the similarity of behaviors between WannaCry and NotPetya, many of the available rulesets can protect against both malware types when appropriately implemented. The following rulesets provided in publicly available sources may help detect activity associated with these malware types:

  • sid:2001569, “ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection”[2]
  • sid:2012063, “ET NETBIOS Microsoft SRV2.SYS SMB Negotiate ProcessID? Function Table Dereference (CVE-2009-3103)”[3]
  • sid:2024297, “ET CURRENT_EVENTS ETERNALBLUE Exploit M2 MS17-010”[4]
  • sid:42944, “OS-WINDOWS Microsoft Windows SMB remote code execution attempt”[11]
  • sid:42340, “OS-WINDOWS Microsoft Windows SMB anonymous session IPC share access attempt”[11]
  • sid:41984, “OS-WINDOWS Microsoft Windows SMBv1 identical MID and FID type confusion attempt”[11]

Recommended Steps for Prevention

Review US-CERT’s Alert on The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations [6], and consider implementing the following best practices:

  • Ensure you have fully patched your systems, and confirm that you have applied Microsoft’s patch for the MS17-010 SMB vulnerability dated March 14, 2017.[5]
  • Conduct regular backups of data and test your backups regularly as part of a comprehensive disaster recovery plan.
  • Ensure anti-virus and anti-malware solutions are set to automatically conduct regular scans.
  • Manage the use of privileged accounts. Implement the principle of least privilege. Do not assign administrative access to users unless absolutely needed. Those with a need for administrator accounts should only use them when necessary. 
  • Configure access controls, including file, directory, and network share permissions with the principle of least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares. 
  • Secure use of WMI by authorizing WMI users and setting permissions.
  • Utilize host-based firewalls and block workstation-to-workstation communications to limit unnecessary lateral communications.
  • Disable or limit remote WMI and file sharing.
  • Block remote execution through PSEXEC.
  • Segregate networks and functions.
  • Harden network devices and secure access to infrastructure devices.
  • Perform out-of-band network management.
  • Validate integrity of hardware and software.
  • Disable SMBv1 and block all versions of SMB at the network boundary by blocking TCP port 445 with related protocols on UDP ports 137-138 and TCP port 139; this applies to all boundary devices.

Note: Disabling or blocking SMB may create problems by obstructing access to shared files, data, or devices. Weigh the benefits of mitigation against potential disruptions to users.

Recommended Steps for Remediation

  • NCCIC strongly encourages organizations to contact a local Federal Bureau of Investigation (FBI) field office upon discovery to report an intrusion and request assistance. Maintain and provide relevant logs.
  • Implement a security incident response and business continuity plan. Ideally, organizations should ensure they have appropriate backups so their response is simply to restore the data from a known clean backup. 

Report Notice

DHS encourages recipients who identify the use of tools or techniques discussed in this document to report information to DHS or law enforcement immediately. To request incident response resources or technical assistance, contact NCCIC at NCCICcustomerservice@hq.dhs.gov or 888-282-0870. You can also report cyber crime incidents to the Internet Crime Complaint Center (IC3) at https://www.ic3.gov/default.aspx.

References

Revision History

  • July 1, 2017: Initial version
  • July 3, 2017: Updated to include MIFR-10130295_stix.xml file. Substituted TA-17-181B_IOCs.csv for TA-17-181A_IOCs.csv.
  • July 7, 2017: Included further guidance from Microsoft in the Reference Section
  • July 28, 2017: Revised multiple sections based on additional analysis provided



Categories: Security

ISC Stormcast For Friday, June 30th 2017 https://isc.sans.edu/podcastdetail.html?id=5566, (Fri, Jun 30th)

SANS Internet Storm Center - June 30, 2017 - 2:25am
Categories: Security



©2001-2017 - Baanboard.com - Baanforums.com