legal contact
 

Week 32

09.08.2020 13:16

I'm Open Sourcing the Have I Been Pwned Code Base

The well known service of "have i been pwned" is making hist sourcecode open source.

Troy Hunt published a statement where he said that the sourcecode (excluding the databases) will become open source.

Thanks Troy for that step...!!!


09.08.2020 13:21

Exploiting iMessage: The Remote, Interaction-less Attack Surface of

Natalie Silvanovich AKA natashenka from Project-Zero published an extremly interesting slide deck of the exploitation of the iPhone.

While vuln's and exploits of iPhones are quite rare anyway, this is surly worth having a look.

Check out: Googles Project Zero

Week 31

31.07.2020 15:20

Unknown hackers fight back Emotet

First reported by ZDNet:

A vigilante is sabotaging the Emotet botnet by replacing malware payloads with GIFs

An unknown vigilante hacker has been sabotaging the operations of the recently-revived Emotet botnet by replacing Emotet payloads with animated GIFs, effectively preventing victims from getting infected.

The sabotage, which started three days ago, on July 21, has grown from a simple joke to a serious issue impacting a large portion of the Emotet operation.

According to Cryptolaemus, a group of white-hat security researchers tracking the Emotet botnet, the vigilante is now poisoning around a quarter of all Emotet's payload downloads.


31.07.2020 14:52

JSOF: Ripple20 aka Treck

JSOF published a scary fact of many embedded TCP/IP-stacks offer a vulnerability of missing sanitisation that allows a buffer overflow and a RCE.

From JSOF:

Ripple20 reached critical IoT devices from a wide range of fields, involving a diverse group of vendors. Affected vendors range from one-person boutique shops to Fortune 500 multinational corporations, including HP, Schneider Electric, Intel,  Rockwell Automation, Caterpillar, Baxter, as well as many other major international vendors suspected of being of vulnerable in medical, transportation, industrial control, enterprise, energy (oil/gas), telecom, retail and commerce, and other industries.

A detailed technical report of two of the vulnerabilities and their exploitation can be found in the CVE-2020-11896/CVE-2020-11898 whitepaper

JSOF will be providing scripts for the identification of products running Treck upon request.
For more information or requests please contact: Ripple20@jsof-tech.com

Fix: install vendor patches

Mitigation: implement the IDS/IPS (suricata) rule from CERT.CC and check at the CERT.CC page if your system is known to be afected. (CISCO ASR5xxx)

Vulnerabilities include:

CVE-2020-11896 CVE-2020-11897 CVE-2020-11898 CVE-2020-11899 CVE-2020-11900 CVE-2020-11901 CVE-2020-11902 CVE-2020-11903 CVE-2020-11904 CVE-2020-11905 CVE-2020-11906 CVE-2020-11907 CVE-2020-11908 CVE-2020-11909 CVE-2020-11910 CVE-2020-11911 CVE-2020-11912 CVE-2020-11913 CVE-2020-11914


31.07.2020 10:21

GRUB2 - BootHole (CVE-2020-10713)

Eclypsium discovered a buffer overflow within the boot loader grub2 that can be used as a persistence machanism. By the way of the need to modify the grub.cfg file, the attacked needs to have elevated rights. 

In the course of Eclypsium’s analysis, we have identified a buffer overflow vulnerability in the way that GRUB2 parses content from the GRUB2 config file (grub.cfg).


KillChain: "persistence"

Such an attack would require an attacker to have elevated privileges. However, it would provide the attacker with a powerful additional escalation of privilege and persistence on the device, even with Secure Boot enabled and properly performing signature verification on all loaded executables.

Risk: medium

Mitigation/Fix: revoke the UEFI certs and install vendors patches.

Caution, as RedHat had feedback that a lot of machines had issues booting after applying theit patch.



27.07.2020 14:19

Cloudflare outage on July 17, 2020


John Graham-Cummig

Today a configuration error in our backbone network caused an outage for Internet properties and Cloudflare services that lasted 27 minutes. We saw traffic drop by about 50% across our network. Because of the architecture of our backbone this outage didn’t affect the entire Cloudflare network and was localized to certain geographies.

The outage occurred because, while working on an unrelated issue with a segment of the backbone from Newark to Chicago, our network engineering team updated the configuration on a router in Atlanta to alleviate congestion. This configuration contained an error that caused all traffic across our backbone to be sent to Atlanta. This quickly overwhelmed the Atlanta router and caused Cloudflare network locations connected to the backbone to fail.

The affected locations were San Jose, Dallas, Seattle, Los Angeles, Chicago, Washington, DC, Richmond, Newark, Atlanta, London, Amsterdam, Frankfurt, Paris, Stockholm, Moscow, St. Petersburg, São Paulo, Curitiba, and Porto Alegre. Other locations continued to operate normally.

For the avoidance of doubt: this was not caused by an attack or breach of any kind.

We are sorry for this outage and have already made a global change to the backbone configuration that will prevent it from being able to occur again.



27.07.2020 14:07

Sourceode of german Corona-App published for personal review

For those who do not trust the app are now able to review the apps sourcode.

Check this GitHub for the source.

27.07.2020 12:46

German police using corona data for investigations

Did you know that the german police is using the contact lists that everybody has to fill out, when i.e. eating in a restaurant, for their investigations?

As per the State Criminal Police Office (LKA), this is possible by using "investigations of any kind" ("Ermittlungen jedweglicher Art"), even if the used data was not intentionally ment to be used for such use.

Scary to me ...



27.07.2020 12:40

German BKA can read WhatsApp conversations

The German Fedaral Criminal Police Office (BKA) is able to read WhatApp conversations. Although with a quite high effort, but presumably by using the Web-function.

Check the official news article (in german) at the "tagsschau.de"

27.07.2020 12:00

‘Meow’ attack has deleted almost 4,000 unsecured databases

Things change. While silently taking the data from unsecured databases found, they are now also deleted. At least the owners are now fronted with the effect of leaving (personal) data unsecured.

Check "BLEEPINGCOMPUTER" for the original article.


Week 25

16.06.2020 19:58

Finally: The German Version of the "Corona App" is out

After the first Corona lock-down is almost over, the germans also have their app.
I will not suggest you to use or not to use this tool, but from my opinion, the app has nothing to do with conspiracy or state control. But this is just my personal view.

 

15.06.2020 20:42

Play with real IPv6 /48 at Hurricane Electric

Get yourself a /48 IPv6 tunnel (65535 times a /64) at Hurricane Electric and prove your IPv6 capabilities with a free exam.

15.06.2020 09:28

SMBGhost Exploit PoC

"chompie1337" is giving us a PoC for the SMBGhost vulnerability to test System in your Environment.

Even if not used to actively test your Systems (bluescreen posibility), it's an excellent Chance to learn more About the "ghost of SMB3".

 

SMBGhost_RCE_PoC

RCE PoC for CVE-2020-0796 "SMBGhost"

For demonstration purposes only! Only use this a reference. Seriously. This has not been tested outside of my lab environment. It was written quickly and needs some work to be more reliable. Sometimes you BSOD. Using this for any purpose other than self education is an extremely bad idea. Your computer will burst in flames. Puppies will die.

Now that that's out of the way....

Week 21

24.05.2020 15:17

Windows Security Alert: Core System File Zero-Days Confirmed Unpatched


Davey Winder Senior Contributor is reporting about 4 new 0-Days at Forbes

A core Windows system file called splwow64.exe, which is a printer driver host for 32-bit apps. The Spooler Windows OS (Windows 64-bit) executable enables 32-bit applications to be compatible with a 64-bit Windows system. CVE-2020-0915CVE-2020-0916 and CVE-2020-0986 all impact that splwow64 Windows system file. All three are classified as high on the CVE severity scoring system with a 7.0 rating.
[…]
The last of the zero-day vulnerabilities publicly disclosed by ZDI does not have a CVE number, only a ZDI one of ZDI-20-666. This is another privilege escalation vulnerability, but this time within the handling of WLAN connection profiles. An attacker would have to create a malicious profile that would then enable them to disclose credentials for that computer account, which can then be leveraged in an exploit. Although also rated high by ZDI, this vulnerability was not determined to be severe enough for fixing "in the current version" by Microsoft, which closed the case without providing a patch.

ID action mitigation risk - "priv. escalation"
CVE-2020-0915
ZDI-20-662 
 The specific flaw exists within the user-mode printer driver host process splwow64.exe. The issue results from the lack of proper validation of a user-supplied value prior to dereferencing it as a pointer. An attacker can leverage this vulnerability to disclose information from low integrity in the context of the current user at medium integrity.  Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service. Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it.  This vulnerability allows local attackers to disclose information on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

CVE-2020-0986
 ZDI-20-663
 The specific flaw exists within the user-mode printer driver host process splwow64.exe. The issue results from the lack of proper validation of a user-supplied value prior to dereferencing it as a pointer. An attacker can leverage this vulnerability to disclose information from low integrity in the context of the current user at medium integrity.  Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service. Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it.  This vulnerability allows local attackers to disclose information on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
CVE-2020-0915
ZDI-20-664
The specific flaw exists within the user-mode printer driver host process splwow64.exe. The issue results from the lack of proper validation of a user-supplied value prior to dereferencing it as a pointer. An attacker can leverage this vulnerability to disclose information from low integrity in the context of the current user at medium integrity. Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service. Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it. This vulnerability allows local attackers to disclose information on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

CVE-2020-0916
ZDI-20-665

The specific flaw exists within the user-mode printer driver host process splwow64.exe. The issue results from the lack of proper validation of a user-supplied value prior to dereferencing it as a pointer. An attacker can leverage this vulnerability to disclose information from low integrity in the context of the current user at medium integrity. Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service. Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it. This vulnerability allows local attackers to disclose information on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
ZDI-20-666 The specific flaw exists within the handling of WLAN connection profiles. By creating a malicious profile, an attacker can disclose credentials for the machine account. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of an administrator. Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service. Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it.


This vulnerability allows local attackers to escalate privileges on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.


23.05.2020 12:19

Apple releases iOS 13.5 to the public with Exposure Notification API, Face ID enhancements, more

Week 20

22.05.2020 17:05

Probe opened after mosques blare ‘Bella Ciao’ from minarets in Turkey’s west

The Italian resistance song "Belly Ciao" (in a Turkish version) was broadcasted from several mosques in the Izmir area on May 21st 2020, the Hurriyet reported.

İzmir Provincial Religious Directorate initially denied reports of such a broadcast by issuing a statement on its social media account, however, it later removed this post.

“According to our initial analysis, unidentified people sabotaged our central adhan [call to prayer] system in an illegal way,” the directorate said in a second statement.

22.05.2020 16:58

Sourcecode: Corona-Warn-App Server

SAP is sharing it's alpha-state code of the Corona-Warn-App that might be made available for Germany. Have a look at the code and find out what and how it does with your personal data.

The goal of this project is to develop the official Corona-Warn-App for Germany based on the exposure notification API from Apple and Google. The apps (for both iOS and Android) use Bluetooth technology to exchange anonymous encrypted data with other mobile phones (on which the app is also installed) in the vicinity of an app user's phone. The data is stored locally on each user's device, preventing authorities or other parties from accessing or controlling the data. This repository contains the implementation of the server for encryption keys for the Corona-Warn-App. This implementation is still a work in progress, and the code it contains is currently alpha-quality code.

22.05.2020 16:46

BIAS: Bluetooth Impersonation AttackS

Daniele Antoniole, Nils Ole Tippenhauer and Kasper Rasmussenhave discovered a flaw within the BT stack that allows an attacker to fake an already authenticated (paired) connection to be established with a new device by sniffing the traffic between two devices in the pairing process.

So be careful when pairing devices while sitting at public places. The sniffed data could be used to pair an unknown device without your knowledge as well.

 

 

 

19.05.2020 18:06

easyJet Loses 9 Million Customers’ Data To Hackers

Our investigation found that the email address and travel details of approximately 9 million customers were accessed. These affected customers will be contacted in the next few days. If you are not contacted then your information has not been accessed.  Other than as referenced in the following paragraph, passport details and credit card details of these customers were not accessed. 

[…]

There is no evidence that any personal information of any nature has been misused, however, on the recommendation of the ICO, we are communicating with the approximately 9 million customers whose travel details were accessed to advise them of protective steps to minimise any risk of potential phishing.  We are advising customers to continue to be alert as they would normally be, especially should they receive any unsolicited communications. We also advise customers to be cautious of any communications purporting to come from easyJet or easyJet Holidays.

17.05.2020 19:57

Cuckoo2GO: A VMWare install of Cuckoo using a nested VirtualBox to analyze

Have a look at the article I wrote within the Malware section of how to setup a VirtualBox analysis inside a Cuckoo running in VMWare:

Cuckoo2GO: VMware Cuckoo with a nested VirtualBox analysis

17.05.2020 20:02

Microsoft first shows DNS over HTTPS in Windows 10 Insider Preview Build 19628

We’re adding initial support for DNS over HTTPS, so that you can opt into using encryption when Windows makes DNS queries. Follow the instructions in this blog post to opt in as it will be off by default.

 

17.05.2020 20:06

Massive ssh attacks ongoing, so check your logfiles...

GOLEM, reported that high performance Computers have seen massive ssh attacks. So it might be worth monitoring your own ssh-connections to the outer world for such attacks as well.

In several European countries, high-performance computers have been temporarily switched off after hacker attacks. The Leibniz Supercomputer Center in Garching near Munich, the Hawk computer at the High Performance Computing Center in Stuttgart and the Jureca, Judac and Jewels computers at the computer center in Jülich are said to be affected by the incidents. Heise Security first reported on Thursday. Germany's fastest supercomputer Hawk was only put into operation at the end of February 2020.

Week 18

26.04.2020 17:38

Autopsy: One day online course for free (until 15th May 2020)

Thanks Autopsy for providing you one day Autopsy online course for free.

In deed a perfect way to spend Covid-19 time with something very useful.
Although I used Autopsy a lot in the past, I still got (and get) new things to learn from the course.

Week 17

24.04.2020 21:23

I've passed the GCFA Exam successfully.


… and won the trophy of being part of the "best group"

To support the community for the help I received, I've published my learning notes and writings within my "Self study" section.

 

Week 16

14.04.2020 19:05

Some cool Windows Usecases for Splunk


Windows UseCases

Found an excellent list of cheat sheets at the Malware Archaeology and took the Splunk sheet as source of compiling a list of a good starting point of usecases in Splunk. Although having a lot of them in use, this would dispose some critical information. But my page shows the cool stuf from MA.

Check the original cheat sheets from Malware Archaeology at:

Cheat Sheets to help you in configuring your systems:

MITRE ATT&CK Cheat Sheets

Week 15

05.04.2020 14:18

Looking for another source to verify your malware hashes and contribute to the community?

Checkout the great service of abuse.ch to verify a malware hash and contribute to the community by uploading your own malware samples.

While building your own malware zoo, the "daily malware package" might be of interest for a daily dose of malware.

On top, the use of data in a commercial environment is allowed. (TLP:WHITE)

Please also contribute by uploading your own malware samples as you find them useful.

Week 14

03.04.2020 14:59

Coronaaaaa boaaaard

Well, while working at home I had some time left to get me the honeypot project to the next step.

Use a client-server scenario and visualize and compute the results in splunk.

Read my whole article.

Week 13

23.03.2020 08:37

COVID-19 work from home

Better then doing my tax or clean the flat.

Building a little piHoneypot to serve my Splunk with fancy data…

Week 12

17.03.2020 13:20

Me != Airbus

My time at Airbus has come to an end and I whish to thank all the colleges that have joined me on the past years for their great support with professional and personal topics.

It has been a great time with you guys … ! ! !

17.03.2020 13:23

Test yourself for CVE-2020-0796 aka CoronaBlue aka SMBGhost

Check the exploit-DB for a python POC of the recent Windows SMBv3 RCE CVE-2020-0796. But be careful, if the target is vulnerable, you will crash the target.

CVE-2020-0796 is a bug in Windows 10 1903/1909' s="" new="" smb3="" compression="" capability.="" smb="" protocol="" version="" 3.1.1="" introduces="" the="" ability="" for="" a="" client="" or="" server="" to="" advertise="" compression="" capabilities,="" and="" to="" selectively="" compress="" smb3="" messages="" as="" beneficial.="" to="" accomplish="" this,="" when="" negotiating="" an="" smb="" session,="" the="" client="" and="" server="" must="" both="" include="" a="" `smb2_compression_capabilities`="" as="" documented="" in="" [ms-smb2="">https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/78e0c942-ab41-472b-b117-4a95ebe88271).

Once a session is negotiated with this capability, either the client or the server can selectively compress certain SMB messages. To do so, the entire SMB packet is compressed, and a transformed header is prepended, as documented in [MS-SMB2 2.2.42](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/1d435f21-9a21-4f4c-828e-624a176cf2a0). This header is a small (16 bytes) structure with a magic value, the uncompressed data size, the compression algorithm used, and an offset value.

CVE-2020-0796 is caused by a lack of bounds checking in that offset size, which is directly passed to several subroutines. Passing a large value in will cause a buffer overflow, and crash the kernel. With further work, this could be developed into a RCE exploit.

17.03.2020 14:22

APT36 spreads fake coronavirus health advisory

As if the bio-virus of Corona were not enough, the crooks use it now to gain profit.

Checkout this brilliant article by Malwarebytes doing an analysis of an ongoing spear phishing that concludes to the usual behaviour to "do not click on everything that is clickable".

Running the IOCs through TheHive and my MISP, only fond one IOC known to VT (5/71).

Indicators of Compromise

Decoy URLs

email.gov.in.maildrive[.]email/?att=1579160420
email.gov.in.maildrive[.]email/?att=1581914657

Decoy documents

876939aa0aa157aa2581b74ddfc4cf03893cede542ade22a2d9ac70e2fef1656
20da161f0174d2867d2a296d4e2a8ebd2f0c513165de6f2a6f455abcecf78f2a

Crimson RAT

0ee399769a6e6e6d444a819ff0ca564ae584760baba93eff766926b1effe0010
b67d764c981a298fa2bb14ca7faffc68ec30ad34380ad8a92911b2350104e748

C2s

107.175.64[.]209
64.188.25[.]205

MITRE ATT&CK

https://attack.mitre.org/software/S0115/

Week 01

01.01.2020 21:40

Happy New Year 2020

I wish all of you a very happy, healthy and secure new 2020.

I hope you all head at least as much fun coming into the new year as I had. I've been up on 1600 meters high above in the mountains of Bavaria next to the Wendelstein at a fantastic place called Sudelfeld.

Sudelfeld at midnight

05.01.2020 12:29

Citrix CVE-2019-1978: remote code execution vulnerability

We all know the danger of unauthenticated remote code executions. Citrix has published one recently that effects a major list of their applications. Read below what it's all about and how to find open spots within the public Internet.

Description of Problem

A vulnerability  has been identified in Citrix Application Delivery Controller (ADC) formerly known as NetScaler ADC and Citrix Gateway formerly known as NetScaler Gateway that, if exploited, could allow an unauthenticated attacker to perform arbitrary code execution.

The vulnerability affects all supported product versions and all supported platforms:

  • Citrix ADC and Citrix Gateway version 13.0 all supported builds
  • Citrix ADC and NetScaler Gateway version 12.1 all supported builds
  • Citrix ADC and NetScaler Gateway version 12.0 all supported builds
  • Citrix ADC and NetScaler Gateway version 11.1 all supported builds
  • Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds

Analysis (tenable)

While Citrix does not detail the exact nature of the vulnerability in the advisory, the recommended mitigation steps seem to block HTTP based VPN requests with additional components that could potentially contain code. This implies that there is unsanitized code in the VPN handler for these devices. The mitigation, therefore checks for incoming HTTP-based VPN requests, and sends a 403 FORBIDDEN response whenever requests with the exploit format are detected.

Fix/mitigation

CTX267679 - Mitigation steps for CVE-2019-19781

snort rule (Emerging Threats):

alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible Citrix Application Delivery Controller Arbitrary Code Execution Attempt (CVE-2019-19781)"; flow:established,to_server; content:"/vpns/"; http_uri; fast_pattern; content:"/../"; http_uri; metadata: former_category EXPLOIT; reference:url,support.citrix.com/article/CTX267679; reference:cve,2019-19781; classtype:attempted-admin; sid:2029206; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, deployment SSLDecrypt, signature_severity Major, created_at 2019_12_30, updated_at 2019_12_30;)

Target for vulnerability scan (prove of vuln)

i.e. https://www.shodan.io/search?query=%22Citrix+Applications%3A%22+port%3A1604+

05.01.2020 19:32

Started my GCFA preparation