Thursday, January 31, 2019
Wednesday, January 30, 2019
Cybersecurity Awareness Briefings
|
Cybersecurity Awareness Briefings Start Next Wednesday Webinar: Chinese Cyber Activity Targeting Managed Service Providers On December 20, 2018, the Cybersecurity and Infrastructure Security Agency (CISA) announced that malicious actors working on behalf of the Chinese government have been carrying out a campaign of cyber attacks targeting managed service providers (MSPs). Victims of these attacks have suffered from the loss of sensitive or proprietary information, as well as service disruptions, financial loss, and reputational harm. Organizations of all sizes, from all sectors, are still at risk for similar attacks in the future. Previously posted information on this threat can be found here: http://www.us-cert.gov/China. Join CISA for a virtual Awareness Briefing to review the background of this threat, as well as recommended steps MSPs and their customers can take to protect themselves from future attacks. Register now for one of two upcoming Awareness Briefings. Content is the same for each session.
This is the latest installment in CISA’s ongoing Awareness Briefing series. Recordings of previous Awareness Briefings are available at https://www.us-cert.gov/ccubedvp/events. |
Chinese APT10 intrusion activities target Government, Cloud-Computing Managed Service Providers and Customer networks worldwide
The following information is being provided by the FBI, with no guarantees or warranties, for potential use at the sole discretion of recipients in order to protect against cyber threats. This data is provided in order to help cyber security professionals and system administrators to guard against the persistent malicious actions of cyber criminals.
This FLASH has been released TLP:WHITE. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.
Chinese APT10 intrusion activities target Government, Cloud-Computing Managed Service Providers and Customer networks worldwide. The following information was obtained through FBI investigations and is provided in accordance with the FBI's mission and policies to prevent and protect against federal crimes and threats to the national security.
The FBI is providing the following information with HIGH confidence:
SUMMARY:
The FBI obtained information regarding a group of Chinese APT cyber actors stealing high value information from commercial and governmental victims in the U.S. and abroad. This Chinese APT group is known within private sector reporting as APT10, Cloud Hopper, menuPass, Stone Panda, Red Apollo, CVNX and POTASSIUM. This group heavily targets managed service providers (MSP) who provide cloud computing services; commercial and governmental clients of MSPs; as well as defense contractors and governmental entities. APT10 uses various techniques for initial compromise including spearphishing and malware. After initial compromise, this group seeks MSP administrative credentials to pivot between MSP cloud networks and customer systems to steal data and maintain persistence. This group has also used spearphishing to deliver malicious payloads and compromise victims.
WE NEED YOUR HELP! If you find any of these indicators on your networks, or have related information, please contact FBI CYWATCH immediately. Email: cywatch@fbi.gov Phone: 1-855-292-3937
This FLASH has been released TLP:WHITE. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.
Chinese APT10 intrusion activities target Government, Cloud-Computing Managed Service Providers and Customer networks worldwide. The following information was obtained through FBI investigations and is provided in accordance with the FBI's mission and policies to prevent and protect against federal crimes and threats to the national security.
The FBI is providing the following information with HIGH confidence:
SUMMARY:
The FBI obtained information regarding a group of Chinese APT cyber actors stealing high value information from commercial and governmental victims in the U.S. and abroad. This Chinese APT group is known within private sector reporting as APT10, Cloud Hopper, menuPass, Stone Panda, Red Apollo, CVNX and POTASSIUM. This group heavily targets managed service providers (MSP) who provide cloud computing services; commercial and governmental clients of MSPs; as well as defense contractors and governmental entities. APT10 uses various techniques for initial compromise including spearphishing and malware. After initial compromise, this group seeks MSP administrative credentials to pivot between MSP cloud networks and customer systems to steal data and maintain persistence. This group has also used spearphishing to deliver malicious payloads and compromise victims.
WE NEED YOUR HELP! If you find any of these indicators on your networks, or have related information, please contact FBI CYWATCH immediately. Email: cywatch@fbi.gov Phone: 1-855-292-3937
Tuesday, January 29, 2019
Deploying the Azure Information Protection scanner to automatically classify and protect files
If you heard me talk I say many time we need to start classify our data so the we can protect the critical files and add additional security to those files that are at the highest risk.
We need to protect data based on the risk. You may have heard me talk About RMS (Right Management Service) or AIP (Azure information Protection). Here is an article on an tool that will help you find and automatically classify file for you.
This article is for the current general availability version of the Azure Information Protection scanner.
If you are looking for deployment instructions for the current preview of the scanner, which includes configuration from the Azure portal, see Deploying the preview version of the Azure Information Protection scanner to automatically classify and protect files.
Use this information to learn about the Azure Information Protection scanner, and then how to successfully install, configure, and run it.
This scanner runs as a service on Windows Server and lets you discover, classify, and protect files on the following data stores:
To scan and label files on cloud repositories, use Cloud App Security.
When you have configured your Azure Information Protection policy for labels that apply automatic classification, files that this scanner discovers can then be labeled. Labels apply classification, and optionally, apply protection or remove protection:
The scanner can inspect any files that Windows can index, by
using IFilters that are installed on the computer. Then, to determine
if the files need labeling, the scanner uses the Office 365 built-in
data loss prevention (DLP) sensitivity information types and pattern
detection, or Office 365 regex patterns. Because the scanner uses the
Azure Information Protection client, it can classify and protect the
same file types.
You can run the scanner in discovery mode only, where you use the reports to check what would happen if the files were labeled. Or, you can run the scanner to automatically apply the labels. You can also run the scanner to discover files that contain sensitive information types, without configuring labels for conditions that apply automatic classification.
Note that the scanner does not discover and label in real time. It systematically crawls through files on data stores that you specify, and you can configure this cycle to run once, or repeatedly.
You can specify which file types to scan, or exclude from scanning. To restrict which files the scanner inspects, define a file types list by using Set-AIPScannerScannedFileTypes.
To learn more go Here
We need to protect data based on the risk. You may have heard me talk About RMS (Right Management Service) or AIP (Azure information Protection). Here is an article on an tool that will help you find and automatically classify file for you.
This article is for the current general availability version of the Azure Information Protection scanner.
If you are looking for deployment instructions for the current preview of the scanner, which includes configuration from the Azure portal, see Deploying the preview version of the Azure Information Protection scanner to automatically classify and protect files.
Use this information to learn about the Azure Information Protection scanner, and then how to successfully install, configure, and run it.
This scanner runs as a service on Windows Server and lets you discover, classify, and protect files on the following data stores:
- Local folders on the Windows Server computer that runs the scanner.
- UNC paths for network shares that use the Server Message Block (SMB) protocol.
- Sites and libraries for SharePoint Server 2016 and SharePoint
Server 2013. SharePoint 2010 is also supported for customers who have extended support for this version of SharePoint.
To scan and label files on cloud repositories, use Cloud App Security.
Overview of the Azure Information Protection scanner
When you have configured your Azure Information Protection policy for labels that apply automatic classification, files that this scanner discovers can then be labeled. Labels apply classification, and optionally, apply protection or remove protection:
You can run the scanner in discovery mode only, where you use the reports to check what would happen if the files were labeled. Or, you can run the scanner to automatically apply the labels. You can also run the scanner to discover files that contain sensitive information types, without configuring labels for conditions that apply automatic classification.
Note that the scanner does not discover and label in real time. It systematically crawls through files on data stores that you specify, and you can configure this cycle to run once, or repeatedly.
You can specify which file types to scan, or exclude from scanning. To restrict which files the scanner inspects, define a file types list by using Set-AIPScannerScannedFileTypes.
To learn more go Here
CERT/CC Reports Microsoft Exchange 2013 and Newer are Vulnerable to NTLM Relay Attacks
Original
release date: January 28, 2019
The CERT Coordination Center (CERT/CC) has released information to address NTLM relay attacks affecting Microsoft Exchange 2013 and newer versions. A remote attacker could exploit this vulnerability to take control of an affected system.
Overview
Microsoft Exchange 2013 and newer fail to set signing and
sealing flags on NTLM authentication traffic, which can allow a remote
attacker to gain the privileges of the Exchange server.
Description
Description
| Microsoft Exchange supports a API called Exchange Web Services (EWS). One of the EWS API functions is called PushSubscription,
which can be used to cause the Exchange server to connect to an
arbitrary website. Connections made using the PushSubscription feature
will attempt to negotiate with the arbitrary web server using NTLM
authentication. Starting with Microsoft Exchange 2013, the NTLM
authentication over HTTP fails to set the NTLM Sign and Seal flags. The lack of signing makes this authentication attempt vulnerable to NTLM relay attacks. Microsoft Exchange is by default configured with extensive privileges with respect to the Domain object in Active Directory. Because the Exchange Windows Permissions group has WriteDacl access to the Domain object, this means that the Exchange server privileges obtained using this vulnerability can be used to gain Domain Admin privileges for the domain that contains the vulnerable Exchange server. |
Impact
| An attacker that has credentials for an Exchange mailbox and also has the ability to communicate with both a Microsoft Exchange server and a Windows domain controller may be able to gain domain administrator privileges. It is also reported that an attacker without knowledge of an Exchange user's password may be able to perform the same attack by using an SMB to HTTP relay attack as long as they are in the same network segment as the Exchange server. |
Solution
| The CERT/CC is currently unaware of a practical solution to this problem. Please consider the following workarounds: |
| Disable EWS push/pull subscriptions If you have an exchange server that does not leverage EWS push/pull subscriptions, you can block the PushSubscription API call that triggers this attack. In an Exchange Management Shell window, execute the following commands:
Restart-WebAppPool -Name MSExchangeServicesAppPool Remove privileges that Exchange has on the domain object Please note that the following workaround was not developed by CERT and is not supported by Microsoft. Please test any workarounds in your environment to ensure that they work properly. https://github.com/gdedrouas/Exchange-AD-Privesc/blob/master/DomainObject/Fix-DomainObjectDACL.ps1 is a PowerShell script that can be executed on either the Exchange Server or Domain Controller system. By default this script will check for vulnerable access control entries in the current active directory. When executed with Domain Admin privileges and the -Fix flag, this script will remove the ability for Exchange to write to the domain object. Note that if you encounter an error about Get-ADDomainController not being recognized, you will need to install and import the ActiveDirectory PowerShell module, and then finally run Fix-DomainObjectDACL.ps1 :
Add-WindowsFeature RSAT-AD-PowerShell Import-Module ActiveDirectory .\Fix-DomainObjectDACL.ps1 If the script reports that faulty ACE were found, run:
PowerShell may be configured to block the execution of user-provided .ps1 files. If this is the case, first find your current PowerShell execution policy:
|
Saturday, January 26, 2019
Important Alert DNS Flag Day February 1, 2019 – Ensure Your Institution is Prepared
On Friday, February 1, major DNS (Domain Name System) software and public DNS providers will remove support for workarounds accommodating authoritative DNS servers that don’t follow published operational standards1. Most EDU sites will not be affected; however, institutions using authoritative servers that don’t meet standards may find their IT-based resources unreachable by large portions of the Internet.
Background:
How to Determine if You’re Affected • Make a list of all the domains your institution owns. • Test the domains using tools at DNS Flag Day site2 or ISC EDNS Compliance Tester3. Note that all domains hosted at a given server will either pass or fail.
How to Fix an Apparent Non-Compliant Server
- For domain names served by a third-party, contact the responsible party immediately.
- Make sure the failure isn’t a false report due to your authoritative server rate limiting the test tool.
- Make sure firewalls are not blocking EDNS traffic. Allow UDP packets greater than 512 bytes and see the firewall discussion on the DNS Flag Day site2.
- Update your authoritative DNS server software.
The “resolver”, or client side of DNS, initiates a sequence of queries ultimately leading to an "authoritative DNS server" that can answer a requested mapping (e.g. happy.edu = 10.0.0.1). The client resolver on your device is supported in the sequence-of-queries by a "recursive resolver", usually provided by the institution or Internet Service Provider. Most recursive resolvers now support EDNS (Extension Mechanisms for DNS). Absence of EDNS support in authoritative DNS servers requires workarounds by the recursive resolver. DNS Flag Day removes support for these workarounds.
Even if an institution doesn't upgrade its own recursive resolvers to a version that removes support for the workarounds, because others in the world will be upgrading their recursive resolvers, access to the institution’s IT-based resources will be affected by the institution’s non-compliant authoritative DNS server.
This post was provided by The Research and Education Networking Information Sharing and Analysis Center (REN-ISAC).
To see how this might affect our members, REN-ISAC quickly inspected 53 institutions residing within one U.S. state, we found that 30 showed no problem, 15 showed minor problems, and six showed serious problems. Two tested schools returned with a result of “Fatal Error Detected”.
The following sites provide more information on how your organization can prepare:
- ISC Blog: DNS Flag Day; https://www.isc.org/blogs/dns-flag-day/
- APNIC Blog: DNS Flag Day; https://blog.apnic.net/2018/10/11/dns-flag-day/
- ISC EDU Report; https://ednscomp.isc.org/compliance/edu-report.html (note: data will be incomplete)
1 RFC 6891; https://tools.ietf.org/html/rfc6891
2 DNS Flag Day; https://dnsflagday.net/
3 ISC EDNS Compliance Tester; https://ednscomp.isc.org/ednscomp
Additional information can be found here https://dnsflagday.net/
Wednesday, January 23, 2019
Manufacturing RF Vulnerabilities
Radio-frequency (RF) remote controllers are everywhere: they open your car and your garage, they connect peripherals to your computer. You will also find them widely used in manufacturing and construction. Being able to remotely control large and/or multiple pieces of equipment from one device offers convenience and increased productivity, but remote solutions are often implemented with security as an afterthought, if thought of at all.
We’ve seen how trivial it is to hack a key fob or a wireless keyboard, and it's not much more difficult to hack a controller for large machinery. This week, Trend Micro released a report on how pervasive and vulnerable RF controllers are in the industrial world and they found that garage door openers are more secure than industrial RF controllers. Potential attack vectors might be as simple as a replay attack, where the attacker sniffs the RF packets and sends them back to the machine to gain control—something any script kiddie could do. From there the attacker could modify packets to inject commands.
Another relatively simple attack is called e-stop abuse, where the emergency stop command is replayed to the machine until it causes a denial-of-service (DoS). This could bring an entire factory to a grinding halt or disrupt safety mechanisms, putting workers in danger.
On the other end of the spectrum is a more difficult and more remote attack vector. An advanced hacker could remotely rewrite the firmware on a remote control with their own malicious code in order to gain and maintain access. This impacts all of the vendors tested by Trend Micro that support reprogramming on their devices. Researchers also noted that none of those devices had authentication implemented.
The vulnerabilities discovered have been reported to the manufacturers in the hopes that those companies will take a closer look at the security of their devices. It remains to be seen whether any changes will be made. Physical security is usually very good at manufacturing and construction sites, possibly thwarting a local attack, but it's never one hundred percent. A determined hacker will find a way and industry provides a large attack surface with many possibilities.
Sources:
• https://www.theregister.co.uk/2019/01/15/ even_cranes_are_hackable_trend_micro/
• https://documents.trendmicro.com/assets/white_papers/wp-a-securityanalysis-of-radio-remote-controllers.pdf
We’ve seen how trivial it is to hack a key fob or a wireless keyboard, and it's not much more difficult to hack a controller for large machinery. This week, Trend Micro released a report on how pervasive and vulnerable RF controllers are in the industrial world and they found that garage door openers are more secure than industrial RF controllers. Potential attack vectors might be as simple as a replay attack, where the attacker sniffs the RF packets and sends them back to the machine to gain control—something any script kiddie could do. From there the attacker could modify packets to inject commands.
Another relatively simple attack is called e-stop abuse, where the emergency stop command is replayed to the machine until it causes a denial-of-service (DoS). This could bring an entire factory to a grinding halt or disrupt safety mechanisms, putting workers in danger.
On the other end of the spectrum is a more difficult and more remote attack vector. An advanced hacker could remotely rewrite the firmware on a remote control with their own malicious code in order to gain and maintain access. This impacts all of the vendors tested by Trend Micro that support reprogramming on their devices. Researchers also noted that none of those devices had authentication implemented.
The vulnerabilities discovered have been reported to the manufacturers in the hopes that those companies will take a closer look at the security of their devices. It remains to be seen whether any changes will be made. Physical security is usually very good at manufacturing and construction sites, possibly thwarting a local attack, but it's never one hundred percent. A determined hacker will find a way and industry provides a large attack surface with many possibilities.
Sources:
• https://www.theregister.co.uk/2019/01/15/ even_cranes_are_hackable_trend_micro/
• https://documents.trendmicro.com/assets/white_papers/wp-a-securityanalysis-of-radio-remote-controllers.pdf
Flaws in Systemd Privilege Escalation in almost all of the systemd based Linux distros
Researchers at Qualys have revealed three security vulnerabilities in a component of systemd. This is believed to be affecting almost all of the systemd based Linux distros. The silver lining is that most of the distros have been made aware of the issue and have been working on fixes for these exploits.
The patches are respectively CVE-2018-16864, CVE-2018-16865, and CVE-201819866. They should be appearing in repos soon. This has been attributed to coordinated disclosure by Qualys. Debian will remain vulnerable for the time being, however, according to The Register, Qualys’s Jimmy Graham has said “that they are aware of the issue and we should be seeing a fix soon.”
The bugs were found in system-journald, a component of system that handles the collection and storage of logs. The first two, CVE-2018-16864 and CVE-201816865, are memory corruption flaws. CVE-2018-16864 can be leveraged by malware to crash and potentially hijack the system-journald service, there-by elevating access from a user to root for the attacker. CVE-2018-16865 and CVE2018-16866 can be used together to crash or hijack a root privileged journal service by a local attacker.
These exploits are believed to affect almost all of the systemd based Linux distros in use today. However, SUSE Linux Enterprise, openSUSE Leap 15.0, and Fedora 28 & 29 do not seem to be affected. This is thought to be due to their user-land code being compiled with GCC’s –fstack-clash-protection.
CVE-2018-16864 entered into the code base in April of 2013, then became exploitable with system v203 in Feb 2016. CVE-2018-16865 seems to have appeared in the code base in 2011 in system v38 and became exploitable in April 2013 (systremd v 201). CVE-2018-16866 was introduced in June of 2015. However, it was inadvertently fixed in August of 2018.
Sources
The patches are respectively CVE-2018-16864, CVE-2018-16865, and CVE-201819866. They should be appearing in repos soon. This has been attributed to coordinated disclosure by Qualys. Debian will remain vulnerable for the time being, however, according to The Register, Qualys’s Jimmy Graham has said “that they are aware of the issue and we should be seeing a fix soon.”
The bugs were found in system-journald, a component of system that handles the collection and storage of logs. The first two, CVE-2018-16864 and CVE-201816865, are memory corruption flaws. CVE-2018-16864 can be leveraged by malware to crash and potentially hijack the system-journald service, there-by elevating access from a user to root for the attacker. CVE-2018-16865 and CVE2018-16866 can be used together to crash or hijack a root privileged journal service by a local attacker.
These exploits are believed to affect almost all of the systemd based Linux distros in use today. However, SUSE Linux Enterprise, openSUSE Leap 15.0, and Fedora 28 & 29 do not seem to be affected. This is thought to be due to their user-land code being compiled with GCC’s –fstack-clash-protection.
CVE-2018-16864 entered into the code base in April of 2013, then became exploitable with system v203 in Feb 2016. CVE-2018-16865 seems to have appeared in the code base in 2011 in system v38 and became exploitable in April 2013 (systremd v 201). CVE-2018-16866 was introduced in June of 2015. However, it was inadvertently fixed in August of 2018.
Sources
Card Access Control System Accessed
What you know, what you are, and what you have. These are three of the key components of security. Key cards are a common form of security that can deny access to a space or object to anyone without an object with the proper credentials. Researchers at Tenable have discovered a series of flaws discovered in September of last year. The flaws pertain to PremiSys Identicard Access control System.
The researchers at Tenable found a hardcoded set of credentials in version 3.1.190 of PremiSys IDenticard. This set of credentials would allow an adversary all the capabilities of an administrator including modifying access to existing users, deleting users, and adding users. Though it’s doubtful that an adversary could act without trace, they can certainly act without hindrance.
The researchers also found that the sensitive information in the system was stored with an insecure hashing algorithm. It currently uses the MD5 which has not been recommended since 1996 and is subject to commonly known collision vulnerabilities.
Backups within the system are stored in password protected zip files. Unfortunately, the password has been hardcoded into each instance of the product with no option for the user to change the password without the intervention of the vendor. Along with backups being barely protected by a hardcoded password, the database also comes with a preselected username and password with no opportunity for the user to change those credentials. They must once again go to the vendor for a custom solution.
These issues seem fairly pressing and can be crippling in a product that promises security. The common practice of providing a grace period for a company to patch the issues seems generous in the face of such glaring flaws. So far a patch has not been released and the product is still vulnerable.
Workarounds include network segmentation and restricting access to systems from outside of the network. It might not be possible to maintain vigilance over the entirely of a database without verification hashes.
John Fox, Senior Product Manager at Identicard, has provided a statement to Bleeping Computer claiming to be vigilant of the situation. They “anticipate releasing improvements in the near term” which should be expected of any company experiencing any such complications in their product.
Sources:
• https://www.tenable.com/security/ research/tra-2019-01
• https://medium.com/tenabletechblog/trumping-physical-securitywith-software-insecurity3945a63e1f1a
• https:// www.bleepingcomputer.com/news/ security/flaws-in-a-card-accesscontrol-system-may-allow-hackersto-bypass-security/Flaws
The researchers at Tenable found a hardcoded set of credentials in version 3.1.190 of PremiSys IDenticard. This set of credentials would allow an adversary all the capabilities of an administrator including modifying access to existing users, deleting users, and adding users. Though it’s doubtful that an adversary could act without trace, they can certainly act without hindrance.
The researchers also found that the sensitive information in the system was stored with an insecure hashing algorithm. It currently uses the MD5 which has not been recommended since 1996 and is subject to commonly known collision vulnerabilities.
Backups within the system are stored in password protected zip files. Unfortunately, the password has been hardcoded into each instance of the product with no option for the user to change the password without the intervention of the vendor. Along with backups being barely protected by a hardcoded password, the database also comes with a preselected username and password with no opportunity for the user to change those credentials. They must once again go to the vendor for a custom solution.
These issues seem fairly pressing and can be crippling in a product that promises security. The common practice of providing a grace period for a company to patch the issues seems generous in the face of such glaring flaws. So far a patch has not been released and the product is still vulnerable.
Workarounds include network segmentation and restricting access to systems from outside of the network. It might not be possible to maintain vigilance over the entirely of a database without verification hashes.
John Fox, Senior Product Manager at Identicard, has provided a statement to Bleeping Computer claiming to be vigilant of the situation. They “anticipate releasing improvements in the near term” which should be expected of any company experiencing any such complications in their product.
Sources:
• https://www.tenable.com/security/ research/tra-2019-01
• https://medium.com/tenabletechblog/trumping-physical-securitywith-software-insecurity3945a63e1f1a
• https:// www.bleepingcomputer.com/news/ security/flaws-in-a-card-accesscontrol-system-may-allow-hackersto-bypass-security/Flaws
CISA Emergency Directive on DNS Infrastructure Tampering UPDATE
 National Cyber Awareness System:
01/22/2019 06:48 PM EST
Original
release date: January 22, 2019
The U.S. Department of Homeland Security (DHS) Cybersecurity and
Infrastructure Security Agency(CISA) issued an emergency directive to address ongoing incidents associated with global Domain Name System (DNS) infrastructure tampering. CISA is aware of multiple executive branch agency domains that were impacted by the tampering campaign and has notified the agencies that maintain them. The directive requires Federal agencies to take specific steps and comply with reporting procedures to mitigate risks from undiscovered tampering, prevent illegitimate DNS activity, and detect unauthorized certificates. Federal agencies should review Emergency Directive 19-01 for required actions and reporting procedures.
|
|||||||||||||||||||
Saturday, January 12, 2019
WordPress Pressed into Service
Researchers at Defiant Threat Intelligence Team have identified a brute force attack campaign on WordPress sites. There have been four command and control (C2) servers identified, over 14,000 proxy servers from best-proxies.ru, and over 20,000 infected WordPress sites. The attacks make XML-RPC authentication attempts against accounts. XML-RPC authentication is used for network services that require security but do not require callers to identify themselves. It is often used in the APIs for mobile app developers to allow their apps to post to WordPress. As such, the apps usually store credentials locally which makes failed credentials fairly uncommon. The high rate of failure caught the researcher’s attention and revealed the campaign.
The plan of this attack contains three steps: create a list of credentials using dynamic wordlist generation, lean on multicall vulnerability to attack on scale, and try to cover its tracks with proxy servers between C2 servers and infected sites. The credentials begin with common passwords along with passwords generated from the list of usernames. Examples given in their report include the domain name, the username, and the username with common values appended to the end. Their example is an attack on example.com with the user name alice, the attack would use example, alice, alice1, alice2, alice2015, alice2016, alice2017, alice2018, and so forth. The attack also relied on the multicall functionality of XML-RPC authentication, the ability to send multiple username and password pairs at once and receive a list of successes and failures. This would allow the attack to make significant initial gains on progress but is limited to attacks on WordPress versions 4.3 and older.
Version 4.4 had since patched this issue and will return failures on any further attempts if the initial attempt is a failure. It is currently on version 4.9.8, but many users are still vulnerable to the multicall attack vector because they have not updated.
Finally, the attacker tries to cover their tracks by using proxy servers to anonymize the control between the attacker and the infected sites. The researchers at Defiant found a word list regeneration script that included a path argument that contained an IP address. The IP address brought the researchers to a login page on a server, which they easily uncovered as one of the C2 servers. They found four different servers which were poorly guarded. The researchers are currently working alongside law enforcement to remedy the attacks and reach out to the victims to alleviate the attacks.
The best defense against such brute force attacks would be to use long randomly generated passwords and updating your services to the latest versions.
Sources:
• https://www.wordfence.com/blog/2018/12/wordpress-botnet-attackingwordpress/
• https://threatpost.com/infected-wordpress-sites-are-attacking-otherwordpress-sites/139666/12
The plan of this attack contains three steps: create a list of credentials using dynamic wordlist generation, lean on multicall vulnerability to attack on scale, and try to cover its tracks with proxy servers between C2 servers and infected sites. The credentials begin with common passwords along with passwords generated from the list of usernames. Examples given in their report include the domain name, the username, and the username with common values appended to the end. Their example is an attack on example.com with the user name alice, the attack would use example, alice, alice1, alice2, alice2015, alice2016, alice2017, alice2018, and so forth. The attack also relied on the multicall functionality of XML-RPC authentication, the ability to send multiple username and password pairs at once and receive a list of successes and failures. This would allow the attack to make significant initial gains on progress but is limited to attacks on WordPress versions 4.3 and older.
Version 4.4 had since patched this issue and will return failures on any further attempts if the initial attempt is a failure. It is currently on version 4.9.8, but many users are still vulnerable to the multicall attack vector because they have not updated.
Finally, the attacker tries to cover their tracks by using proxy servers to anonymize the control between the attacker and the infected sites. The researchers at Defiant found a word list regeneration script that included a path argument that contained an IP address. The IP address brought the researchers to a login page on a server, which they easily uncovered as one of the C2 servers. They found four different servers which were poorly guarded. The researchers are currently working alongside law enforcement to remedy the attacks and reach out to the victims to alleviate the attacks.
The best defense against such brute force attacks would be to use long randomly generated passwords and updating your services to the latest versions.
Sources:
• https://www.wordfence.com/blog/2018/12/wordpress-botnet-attackingwordpress/
• https://threatpost.com/infected-wordpress-sites-are-attacking-otherwordpress-sites/139666/12
Free Ebook Azure in a month of Lunches
To help developers build and run their applications, services and
integrate upcoming technologies, Microsoft has released an eBook – Learn Azure in a Month of Lunches.
The eBook offers great insights into entry into cloud administration.
Besides, it also gives a high-level explanation of each concept and
common implementations. It breaks down the most important Azure concepts into bite-sized lessons. Using this you will be able to learn how to:
Get Started with Azure
There’s a powerful suite of Azure services dedicated to containers that aligns more with the PaaS approach. If you are not aware, containers offer a concept of isolation similar to VMs. However, Containers are typically much more lightweight than VMs and can start up quicker than VMs, often in a matter of seconds rather than minutes. Moreover, the size of a container image is typically only tens or hundreds of MBs, compared to many tens of GBs for VMs.
You can download this Azure eBook here.
Get Started with Azure
- Use core Azure infrastructure for writing and deploying web servers.
- Make your applications and data secure
- Utilize platform services—including how to choose which service for which task.
- Get ready to adapt to new technologies, including containers and Kubernetes, AI/Machine Learning, and IoT.
There’s a powerful suite of Azure services dedicated to containers that aligns more with the PaaS approach. If you are not aware, containers offer a concept of isolation similar to VMs. However, Containers are typically much more lightweight than VMs and can start up quicker than VMs, often in a matter of seconds rather than minutes. Moreover, the size of a container image is typically only tens or hundreds of MBs, compared to many tens of GBs for VMs.
Phishing for 2FA
Cybersecurity professionals have known for a long time that passwords alone are not secure enough. Two-factor Authentication (2FA) has become an increasingly common way to add another layer of security. But like anything else in the security world, it is not infallible. This week Amnesty International reported that hacker groups are targeting the email accounts of journalists and human rights activists from the Middle East and North Africa.
One campaign targeted well -known secure email services like ProtonMail, while another campaign focused on Google and Yahoo! accounts where the hackers were able to harvest credentials even from 2FA-enabled accounts.
Chances are, you have at least one account with 2FA. If you've ever had to enter a code sent to your smartphone, you've used it before. It may seem like a hacker wouldn't be able to get that code, but if they couldn't stay one step ahead, they wouldn't be in business. This report found that the attacks used tried-and true phishing techniques, but with some extra infrastructure in place to automate the process.
It starts with a security alert email that links to a counterfeit login page. Once the victim enters their credentials, the attackers' server automatically sends those credentials to the legitimate login page. This triggers a request for a 2FA code from the legitimate site that is sent to the victim. The victim enters the code on the fake site, which also passes it to the legitimate site, giving the hackers access to the account. From here the attackers would enable access for third-party apps to keep control of the account.
Despite the extra steps happening in the background, the time it takes to do it is negligible and the victim would not notice the process taking any longer. However, the hackers behind these campaigns did make some mistakes. The servers hosting their fake Google and Yahoo! pages were not locked down. Researchers were able to use exposed directories to view various files and determine what the hackers were up to.
This is not to say that we shouldn't keep using 2FA - it absolutely is better than a password alone. But it's worth keeping in mind that phishing is still prevalent because it works and its success isn't limited to stealing passwords. For folks that feel they are at risk or that just want some extra protection, researchers recommend using hardware tokens.
Sources:
• https://motherboard.vice.com/ en_us/article/bje3kw/how-hackersbypass-gmail-two-factorauthentication-2fa-yahoo
• https://www.amnesty.org/en/latest/ research/2018/12/when-bestpractice-is-not-good-enough/
• https://thestack.com/ security/2018/12/20/hackers-bypass -two-factor-authentication-at-scale/
One campaign targeted well -known secure email services like ProtonMail, while another campaign focused on Google and Yahoo! accounts where the hackers were able to harvest credentials even from 2FA-enabled accounts.
Chances are, you have at least one account with 2FA. If you've ever had to enter a code sent to your smartphone, you've used it before. It may seem like a hacker wouldn't be able to get that code, but if they couldn't stay one step ahead, they wouldn't be in business. This report found that the attacks used tried-and true phishing techniques, but with some extra infrastructure in place to automate the process.
It starts with a security alert email that links to a counterfeit login page. Once the victim enters their credentials, the attackers' server automatically sends those credentials to the legitimate login page. This triggers a request for a 2FA code from the legitimate site that is sent to the victim. The victim enters the code on the fake site, which also passes it to the legitimate site, giving the hackers access to the account. From here the attackers would enable access for third-party apps to keep control of the account.
Despite the extra steps happening in the background, the time it takes to do it is negligible and the victim would not notice the process taking any longer. However, the hackers behind these campaigns did make some mistakes. The servers hosting their fake Google and Yahoo! pages were not locked down. Researchers were able to use exposed directories to view various files and determine what the hackers were up to.
This is not to say that we shouldn't keep using 2FA - it absolutely is better than a password alone. But it's worth keeping in mind that phishing is still prevalent because it works and its success isn't limited to stealing passwords. For folks that feel they are at risk or that just want some extra protection, researchers recommend using hardware tokens.
Sources:
• https://motherboard.vice.com/ en_us/article/bje3kw/how-hackersbypass-gmail-two-factorauthentication-2fa-yahoo
• https://www.amnesty.org/en/latest/ research/2018/12/when-bestpractice-is-not-good-enough/
• https://thestack.com/ security/2018/12/20/hackers-bypass -two-factor-authentication-at-scale/
Lojax UEFI Rootkit
Unified Extensible Firmware Interface (UEFI) rootkits gained quite a bit of attention in the security community over the years with a considerable amount of research going into the topic. However, there’s been limited practical use of this malware type in the wild until the discovery of LoJax. Researchers at ESET associate this new malware with the Sednit group, also known as Fancy Bear, and thoroughly discussed it at the 35C3 conference in Germany late last month.
What makes this kind of malware so dangerous is that it lies within the firmware of a physical machine, thus it is extremely hard to detect and very difficult to cleanse. It can survive reboots, operating system reinstallation, and even hard disk replacement. The chain of infection can usually be broken down into four stages: (1) User-Mode client infection, (2) Kernel-Mode escalation, (3) System Management Mode injection, and ($) SPI Flashing. As is the case for other types of malware, an initial client-side exploit dropper (mechanism for an attacker to get user access to a victim system) is needed. Once attackers have user access to a vulnerable host, they then escalate privileges to system access and attempt to bypass various kernel level security controls such as code signing policies to install kernel-mode payloads. Then the malware elevates privileges to execute System Management Mode payloads so it has access to SPI Flash. Lastly they bypass flash writing protection altering Flash firmware to implant their own flash malware.
LoJax, named after Absolute Software Corporation’s LoJack, is unique for using Lojack’s persistence technique of coming pre-installed in the firmware of laptops manufactured by various OEMs. Due to security weaknesses and misconfigurations within LoJack, attackers were able to trojanize the anti-theft tool creating LoJax. Once LoJax implants itself within the firmware and the system is booted, it loads the malicious SecDxe DXE driver and calls EFI_EVENT_GROUP_READY_TO_BOOT. This callback loads an embedded NTFS DXE driver, writes ‘rpcnetp.exe’ and ‘autoche.exe’ to the OS, and modifies the registry key ‘HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ Session Manager\BootExecute’. The rpcnetp.exe executable is a small agent that is used to initiate communication back to the attacker Command and Control (C&C) server.
As of the date of the initial LoJax research, the primary targets have been different entities in the Balkans as well as Central and Eastern Europe. The primary defense against this malware is enabling Secure Boot and ensuring UEFI firmware is up to date.
Sources
• https://www.welivesecurity.com/wp-content/uploads/2018/09/ESETLoJax.pdf
• https://threatpost.com/uefi-rootkit-sednit/140420/http://www.ncsl.org/
What makes this kind of malware so dangerous is that it lies within the firmware of a physical machine, thus it is extremely hard to detect and very difficult to cleanse. It can survive reboots, operating system reinstallation, and even hard disk replacement. The chain of infection can usually be broken down into four stages: (1) User-Mode client infection, (2) Kernel-Mode escalation, (3) System Management Mode injection, and ($) SPI Flashing. As is the case for other types of malware, an initial client-side exploit dropper (mechanism for an attacker to get user access to a victim system) is needed. Once attackers have user access to a vulnerable host, they then escalate privileges to system access and attempt to bypass various kernel level security controls such as code signing policies to install kernel-mode payloads. Then the malware elevates privileges to execute System Management Mode payloads so it has access to SPI Flash. Lastly they bypass flash writing protection altering Flash firmware to implant their own flash malware.
LoJax, named after Absolute Software Corporation’s LoJack, is unique for using Lojack’s persistence technique of coming pre-installed in the firmware of laptops manufactured by various OEMs. Due to security weaknesses and misconfigurations within LoJack, attackers were able to trojanize the anti-theft tool creating LoJax. Once LoJax implants itself within the firmware and the system is booted, it loads the malicious SecDxe DXE driver and calls EFI_EVENT_GROUP_READY_TO_BOOT. This callback loads an embedded NTFS DXE driver, writes ‘rpcnetp.exe’ and ‘autoche.exe’ to the OS, and modifies the registry key ‘HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ Session Manager\BootExecute’. The rpcnetp.exe executable is a small agent that is used to initiate communication back to the attacker Command and Control (C&C) server.
As of the date of the initial LoJax research, the primary targets have been different entities in the Balkans as well as Central and Eastern Europe. The primary defense against this malware is enabling Secure Boot and ensuring UEFI firmware is up to date.
Sources
• https://www.welivesecurity.com/wp-content/uploads/2018/09/ESETLoJax.pdf
• https://threatpost.com/uefi-rootkit-sednit/140420/http://www.ncsl.org/
DNS Infrastructure Hijacking Campaign
The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), is aware of a global Domain Name System (DNS) infrastructure hijacking campaign. Using compromised credentials, an attacker can modify the location to which an organization’s domain name resources resolve. This enables the attacker to redirect user traffic to attacker-controlled infrastructure and obtain valid encryption certificates for an organization’s domain names, enabling man-in-the-middle attacks.
NCCIC encourages administrators to review the FireEye and Cisco Talos Intelligence blogs on global DNS infrastructure hijacking for more information. Additionally, NCCIC recommends the following best practices to help safeguard networks against this threat:
NCCIC encourages administrators to review the FireEye and Cisco Talos Intelligence blogs on global DNS infrastructure hijacking for more information. Additionally, NCCIC recommends the following best practices to help safeguard networks against this threat:
- Implement multifactor authentication on domain registrar accounts, or on other systems used to modify DNS records.
- Verify that DNS infrastructure (second-level domains, sub-domains, and related resource records) points to the correct Internet Protocol addresses or hostnames.
- Search for encryption certificates related to domains and revoke any fraudulently requested certificates.
CryptoMix Misdirection
The group behind the CryptoMix malware have changed tactics once again. The bad actors in this case brute force a login through RDP, and then encrypt the data on your computer while attempting to identify and remove any local backups available. With a successful attack, there’s no way to regain your data without the decryption key or through an off-network backup of the system. When attempting to contact the group of enterprising individuals, they will send you an email claiming that the proceeds of your “donation” are going to be put towards charity. They allude that by paying the ransom, the victim will help fund the treatment and care of sick children! In addition to this patently absurd falsity, the bad actors have taken information from local news and crowdfunding websites to be more believable. While this is a bit far fetched, the idea behind it is rather applicable to malware.
The most vulnerable part of every secure system is the human element. Which brings attention to one of the most widely adopted tactics that has been used to acquire information in recent years: social engineering. By interacting with the human component and appealing to either emotions or inattentiveness, bad actors can obtain information or access to locations with next to zero technical prowess. A study at the university of Luxembourg showed that among three groups of individuals given a gift either at the start of interaction, after the question, or as a reward for revealing their password, anywhere from 3050% disclosed their sensitive information. The number goes as high as 47.9% when the reward is predicated on giving an answer. While this is just a single anecdote involving college students, the mentality doesn’t disappear when applied to the working world. Even clicking a real website link is enough when there exists a piece of malware that utilizes a flash exploit to infect the computer upon displaying the malicious advertisement.
One of the best solutions for this social vector is due diligence. Well-designed policies that employees are intimately aware of through thorough training, including awareness of these threats, better threat identification in e-mail firewalls, and clearer communication of proper procedures for employees will help ease the threat of this specific branch of malware. The science does not lie, people want to trust other people, especially those who are friendly, and identifying those who would abuse this trust for personal gain is easier said than done. As professionals, the education and increased awareness of those who aren’t so technically inclined is paramount for the safety of the collective companies that we represent.
Sources:
• https://www.sciencedaily.com/releases/2016/05/160512085123.htm
• https://www.zdnet.com/article/this-old-ransomware-is-using-anunpleasant-new-trick-to-try-and-make-you-pay-up/
• https://www.zdnet.com/article/this-malvertising-campaign-infected-pcswith-ransomware-without-users-even-clicking-a-link/
The most vulnerable part of every secure system is the human element. Which brings attention to one of the most widely adopted tactics that has been used to acquire information in recent years: social engineering. By interacting with the human component and appealing to either emotions or inattentiveness, bad actors can obtain information or access to locations with next to zero technical prowess. A study at the university of Luxembourg showed that among three groups of individuals given a gift either at the start of interaction, after the question, or as a reward for revealing their password, anywhere from 3050% disclosed their sensitive information. The number goes as high as 47.9% when the reward is predicated on giving an answer. While this is just a single anecdote involving college students, the mentality doesn’t disappear when applied to the working world. Even clicking a real website link is enough when there exists a piece of malware that utilizes a flash exploit to infect the computer upon displaying the malicious advertisement.
One of the best solutions for this social vector is due diligence. Well-designed policies that employees are intimately aware of through thorough training, including awareness of these threats, better threat identification in e-mail firewalls, and clearer communication of proper procedures for employees will help ease the threat of this specific branch of malware. The science does not lie, people want to trust other people, especially those who are friendly, and identifying those who would abuse this trust for personal gain is easier said than done. As professionals, the education and increased awareness of those who aren’t so technically inclined is paramount for the safety of the collective companies that we represent.
Sources:
• https://www.sciencedaily.com/releases/2016/05/160512085123.htm
• https://www.zdnet.com/article/this-old-ransomware-is-using-anunpleasant-new-trick-to-try-and-make-you-pay-up/
• https://www.zdnet.com/article/this-malvertising-campaign-infected-pcswith-ransomware-without-users-even-clicking-a-link/
Hacker Exposes Another Zero-Day Exploit
A hacker called SandboxEscaper disclosed an unpatched zero-day exploit affecting the Windows® operating system. This is the third zero-day exploit SandboxEscaper has disclosed in the last six months. The first exploit was a privilege escalation vulnerability taking advantage of the Advanced Local Procedure Call. SandboxEscaper also released a proof-of-concept (PoC) confirming that the first exploit worked on a fully-patched 64-bit version of Windows 10. The second exploit was another privilege escalation flaw that resided in Microsoft® Data Sharing (dssvc.dll). This exploit allowed lower-privileged users to delete files that normally would only be available to admin level users. They also released a PoC, confirming that the exploit works on a fully patched version of Windows 10, Server 2016, and Server 2019, but doesn’t affect older versions of Windows because dssvc.dll was introduced in Windows 10.
The most recent exploit is “...an arbitrary file read issue” that could allow a malicious program to read the content of any file on a targeted Windows computer that would normally only be accessible with admin privileges. This vulnerability exists within a function in Windows called MsiAdvertiseProduct, which is used to generate advertising scripts, advertise products to the computer, and enable the installer to write the registry and shortcut information used to assign or publish a product to a script. According to SandboxEscaper, this exploit could allow a malicious program to force the installer to make a copy of any file in the system, regardless of privileges, and read its content. They also released a PoC, however, their GitHub account has been taken down since releasing this exploit. Their Twitter account has been suspended, as well as their alternate account. Finally, SandboxEscaper may be under investigation by the FBI. They posted a screenshot of an email from Google stating “Google has received legal process by the Federal Bureau of Investigation (Eastern District of New York) compelling the release of information related to your Google account.”
This blog post has since been removed, as has the blog posts disclosing the various exploits, but the screenshot can still be found on Twitter reposted by other hackers. The motive of this subpoena is unknown at the moment, though, as SandboxEscaper allegedly tweeted something containing a threat against the President of the United States. The tweet was quickly deleted and we are unable to locate any screenshot or mention of the specific contents of the tweet.
Sources:
• https://thehackernews.com/2018/08/windows-zero-day-exploit.html
• https://thehackernews.com/2018/10/windows-zero-day-exploit.html
• https://thehackernews.com/2018/12/windows-zero-dayexploit.html
• http://www.ncsl.org/research/telecommunications-andinformation-technology/cybersecurity-legislation-2018.aspx
The most recent exploit is “...an arbitrary file read issue” that could allow a malicious program to read the content of any file on a targeted Windows computer that would normally only be accessible with admin privileges. This vulnerability exists within a function in Windows called MsiAdvertiseProduct, which is used to generate advertising scripts, advertise products to the computer, and enable the installer to write the registry and shortcut information used to assign or publish a product to a script. According to SandboxEscaper, this exploit could allow a malicious program to force the installer to make a copy of any file in the system, regardless of privileges, and read its content. They also released a PoC, however, their GitHub account has been taken down since releasing this exploit. Their Twitter account has been suspended, as well as their alternate account. Finally, SandboxEscaper may be under investigation by the FBI. They posted a screenshot of an email from Google stating “Google has received legal process by the Federal Bureau of Investigation (Eastern District of New York) compelling the release of information related to your Google account.”
This blog post has since been removed, as has the blog posts disclosing the various exploits, but the screenshot can still be found on Twitter reposted by other hackers. The motive of this subpoena is unknown at the moment, though, as SandboxEscaper allegedly tweeted something containing a threat against the President of the United States. The tweet was quickly deleted and we are unable to locate any screenshot or mention of the specific contents of the tweet.
Sources:
• https://thehackernews.com/2018/08/windows-zero-day-exploit.html
• https://thehackernews.com/2018/10/windows-zero-day-exploit.html
• https://thehackernews.com/2018/12/windows-zero-dayexploit.html
• http://www.ncsl.org/research/telecommunications-andinformation-technology/cybersecurity-legislation-2018.aspx
Subscribe to:
Posts (Atom)