Hidden in Google’s DNS Over HTTPS

 Today’s technological landscape has led to an explosion of cyber security products and services to automatically detect and deal with threats and malware. How-ever, as more and more emphasis is put on automated systems, attackers have to modify their strategies to combat this. Threat detection and analysis company, Huntress Labs, discovered a piece of malware that hides in plain sight and would likely not be detected by most automatic defenses, requiring a human analysis element.

The malware involves maintaining persistence on a system rather than the initial infection. Once inside the system, the malware creates services that seem to be legitimate, BfeOnService.exe and engine.exe, as well as a log file a.chk. The description also seems to be legitimate: however, these services are actually copies of two other services, mshta.exe and powershell.exe. These programs have not been modified except for the name, so an antivirus program wouldn’t flag them as malware. The name change keeps the processes from being flagged by security programs looking for running instances of mshta and powershell which could indicate a threat presence. They parse the log file, which at first glance seems harmless, to extract a payload used by powershell to connect to https://dns.google.com/resolve?name=dmarc.jqueryupdatejs.com&type=txt and retrieve another payload using Google’s DNS service.

The DNS response is actually a DNS TXT record response that contains further information embedded within it. The data field contains what appears to be a ture, which is used to authenticate e-mails from specific domains. However, it is a cleverly hidden base-64 encoded string that, after multiple layers of decoding, Reveals multiple decimal numbers that don’t appear to be anything but are actually IP addresses. For instance, one of the numbers analyzed was 1484238687, but this translates to 88.119.175.95 when entered in a browser address bar. These are the IP addresses for Command & Control servers hosting further payloads. This allows the attacker to rotate servers used for malware delivery, as well as changing the payloads themselves, without having to directly access the victim. Also, while many organizations filter DNS activity on their network, it is much less likely that they would lock down HTTPS access to google.com.

John Hammond, Senior Security Researcher at Huntress Labs, comments, “We found this malware from our own manual analysis. Obviously, there is an incredible benefit from having an automated, always on antivirus and endpoint protection suite… but this lacks the context that humans have. Manual investigation is a must”. The best defense lies somewhere in the balance between automated and human-controlled security practices.

Source:

Peraton CyberIntelligence Program (CIP)

Curse of The Golden Bug

 The saying goes, “Once is chance, twice is a coincidence, and three times is a pattern.” But do we really need three times when the repetition is so clearly similar? Researchers at Trustwave have found spyware within the Golden Tax Invoicing system provided by Baiwang and have named the spyware Golden Helper. A Golden Tax Invoicing system is required to log invoices and expenses for accurate centralized Value Added Tax reporting. Baiwang is joined by Aisin as the only two providers of the Golden Tax Invoicing system. The Aisino version was found last month to have the Golden Spy which had several similar infection avenues but different capabilities.

The Golden Spy malware had several obfuscation and detection avoidance capabilities:

• a two hour delay in malware installation,

• two auto-start services for self-monitoring and restarting,

• persistence beyond the tax software itself,

• communication with domains that were not tax related, and

• running with system level privileges for remote code execution.

A malware uninstaller was pushed in an update by Aisino by the time Golden Helper became public. Golden Helper, is planted in the Baiwang edition of the Golden Tax Invoicing system. The malware, itself, is curiously signed by an Aisino subsidiary, NouNou Technology. Golden Helper takes extensive efforts to stay hidden. It obfuscates the files produced with randomly generated filenames and obfuscates metadata by randomly generating “creation” and “last write” timestamps. It masks executable payload as .gif, .jpg, and .zip files while in transit and uses the Victim’s IP to algorithmically randomize download locations and communicate those locations to command and control servers. It has no need for User permission to install and escalate to SYSTEM level privilege and can perform remote code execution as well. Golden Tax software may also be delivered to companies pre-installed in computers provided by their bank. This makes sense to offer up a tool to make business easier so that the customer doesn’t have to go through the trouble of installing the software. But unfortunately, it also comes bundled with Golden Helper. Trustwave researchers are still looking for samples of the final payload installed by GoldenHelper, named taxver.exe.

Sources:

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-4-goldenhelper-malware-embedded-in-official-goldentax-software/

 https//:bleepingcomputer.com/news/security/new-goldenhelper-malware-foundin-official-chinese-tax-software/

https://arstechnica.com/information-technology/2020/07/malwarestashed-in-china-mandated-software-is-more-extensive-than-thought/

SigRed: “New” Windows DNS Vulnerability Scores 10/10 on CVSS Scale

What was computer-related life like in 2003? For starters: the iTunes store just opened, miniSD cards and DDR2 SDRAM were just hitting the market, and AMD released their first 64-bit processor. A vulnerability affecting Windows DNS, dubbed SigRed, has remained undetected for 17 years until found by Check-Point researchers earlier this year.

Security researchers at Checkpoint were looking for a vulnerability that would allow an attacker to compromise a Windows Domain environment in a different way than the usual Server Message Block or Remote Desktop Protocol exploits when they came upon this vulnerability. They certainly found a winner, with SigRed receiving a CVSS score of 10, the highest possible severity on the scale and fairly rare. Not only does this vulnerability allow an attacker to achieve re-mote code execution on the server, but it is also wormable. This means that with just one exploit of the system, malware can spread quickly throughout the entire network without any human interaction. For instance, WannaCry and NotPetya were both wormable pieces of malware.

The vulnerability itself lies in the DNS module dns.exe and relies on an integer-overflow bug that leads to a heap-based buffer overflow. How the DNS server parses incoming DNS queries and how it parses responses for forwarded que-ries both provide avenues of attack to take advantage of. One of the response types for a Secure Internet Access (SIG) query was used by CheckPoint research-ers to exceed the maximum request size of 65,535 bytes, leading to the name SigRed. Another path for exploiting this vulnerability can be done remotely us-ing HTTP requests that are carrying DNS queries. While Google Chrome and Mozilla Firefox aren’t vulnerable to this attack, Microsoft Internet Explorer and Edge browsers can be used. The malicious request can be sent to TCP port 53 (UDP port 53 is the common DNS port) on a vulnerable server and the data will be interpreted as if it were a DNS query since Windows DNS support DNS over TCP.

SigRed can allow an unauthenticated attacker to run commands on the vulnera-ble Windows Server system as a local system admin, and with the wormable attribute it can compromise an entire organization within minutes of the initial exploit. This, coupled with the high chances of exploitation especially with the flaw being public knowledge now, led to the recommendation that all Windows Server 2003-2019 systems be updated with the new patch Microsoft released this week. If the patch can’t be implemented quickly, there is a workaround involving changing a registry key to limit the size of DNS TCP packets that are received.

Sources

https://threatpost.com/critical-dns-bug-windows-servers-infrastructure-takeover/157427/

https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/

https://thehackernews.com/2020/07/windows-dns-server-hacking.html

: Microsoft Security: Use baseline default tools to accelerate your security career

URL: https://www.microsoft.com/security/blog/?p=91853

Overview: As you build your cybersecurity career, take advantage of important
new and proactive security configuration and management capabilities that will
help your organization ‘move left’ on understanding and reducing risk.

The post Microsoft
Security: Use baseline default tools to accelerate your security career

appeared first on Microsoft
Security

Microsoft announces new Project OneFuzz framework, an open source developer tool to find and fix bugs at scale

URL: https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/

Overview: We’re excited to release a new tool called OneFuzz, an extensible
fuzz testing framework for Azure.

The post Microsoft
announces new Project OneFuzz framework, an open source developer tool to find
and fix bugs at scale
appeared first on Microsoft
Security
.

News from Microsoft Announced Today at Ignite

 

Microsoft delivers unified SIEM and XDR to modernize security operations

https://www.microsoft.com/security/blog/2020/09/22/microsoft-unified-siem-xdr-modernize-security-operations/
Overview: The new Microsoft Defender is the most comprehensive XDR in the
market today and prevents, detects, and responds to threats across identities,
endpoints, applications, email, IoT, infrastructure, and cloud platforms.

The post Microsoft
delivers unified SIEM and XDR to modernize security operations
appeared
first on Microsoft
Security
.

—————————-

Enable secure remote work, address regulations and uncover new risks with
Microsoft Compliance

URL: https://www.microsoft.com/security/blog/2020/09/22/enable-secure-remote-work-address-regulations-microsoft-compliance/
Overview: A recent Microsoft poll of Chief Information Security Officers
(CISOs) revealed that providing secure remote access to resources, apps, and data
is their top concern.

The post Enable
secure remote work, address regulations and uncover new risks with Microsoft
Compliance
appeared first on Microsoft
Security
.

—————————-

Identity at Microsoft Ignite: Rising to the challenges of secure remote
access and employee productivity

URL: https://www.microsoft.com/security/blog/2020/09/22/microsoft-identity-ignite-rising-challenges-secure-remote-access-employee-productivity/
Overview: Keeping your users secure, wherever they are, has been our collective
priority. Identity remains the heartbeat of all the services your users rely
on.

The post Identity
at Microsoft Ignite: Rising to the challenges of secure remote access and
employee productivity
appeared first on Microsoft
Security
.

2020 NY Metro Joint Cyber Security Conference(NYMJCSC.ORG)

As co-chair of the The 2020 NY Metro Joint Cyber Security Conference i invite you to our conferance. The on-line conferance  will take
place virtually on October 22nd.
NYMJCSC is now in its seventh year; featuring a keynote and
sessions aimed at various aspects of information security and technology.



NYMJCSC will also a post-conference online workshop
on October 23rd featuring in-depth half-day
hands-on classroom-style educational courses to expand your knowledge and
foster security discussions.

NYMJCSC: Who We Are

The New York Metro Joint Cyber
Security Conference is a collaborative event cooperatively developed, organized
and sponsored by the leading information security industry organizations and
chapters.

Organizational Partners:

  • InfraGard Members Alliance – New York Metro Chapter
  • Information Systems Audit and Control Association
    (ISACA) – New Jersey Chapter
  • Information Systems Audit and Control Association
    (ISACA) – Greater Hartford CT Chapter
  • High Technology Crime Investigation Association (HTCIA)
    – New York City Metro Chapter
  • Internet Society (ISOC) – New York Chapter
  • Information Systems Security Association (ISSA) – New
    York Chapter

Community Partners:

  • (ISC)2 – New Jersey Chapter
  • Information Systems Audit and Control Association
    (ISACA) – New York Metro Chapter
  • Cloud Security Alliance (CSA) – New York Metro Chapter
  • Association of Certified Fraud Examiners (ACFE) – New
    Jersey Chapter
  • Association of Continuity Professionals (ACP) – New
    York City Metro Chapter

Driven by the collaboration between members of this
coalition, the strength of organizational membership, the provision of
desirable CPE credits and the concurrence of National Cyber Security Awareness
Month, the NYMJCSC promises — once again — to be well-attended by members of
the information technology, information security, audit, academic, and business
communities.

 

Schedule for Oct 22, 2020

8:45
am

Welcome
& Introductions

9:00
am

Keynote

William Hugh Murray

9:45
am

Protecting the
Big Apple: Managing Cyber Risk at the City Level

Munish Walther-Puri

10:30
am

10:45
am

Beyond
Cybersecurity: Why, How, and What Do You Need to Know about Cyber
Resilience?

Michael Melore, CISSP

11:30
am

12:15
pm

12:30
pm

Understanding
AI’s Risks and Rewards

Mark Francis

1:15
pm

The Art of
Social Engineering

John Pizurro

2:00
pm

2:15
pm

Boosting Cyber
Resilience – Black Swans, Gray Rhinos and Coordinated Crisis Response

Beth Dunphy

3:00
pm

The OODA Loop
for CISOs

Roselle Safran

3:45
pm

4:00
pm

Top Ten
Challenges of Securing Smart Infrastructure

Niloufer Tamboly

4:45
pm

Closing
Remarks & Raffle

_Schedule of Workshop and Topics Oct 23. 2020

 

AZ-900: Microsoft Azure Fundamentals
Instructor: Jay Ferron

In this full day
course students will learn the following information. This training is for
those who have heard about the cloud and now want to learn the Fundamentals.
Students will also learn how they can get a free account in Azure with a
$200.00 credit. This full day session will include lots of demos. Topics
include:

  • Describe Cloud Concepts
    • Describe the benefits and considerations of using
      cloud services
    • Describe the differences between
      Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) and
      Software-as-a-Service (SaaS)
    • Describe the differences between Public, Private and
      Hybrid cloud models
  • Describe Core Azure Services
    • Describe the core Azure architectural components
    • Describe some of the core products available in Azure
    • Describe some of the solutions available on Azure
    • Describe Azure management tools
  • Describe Security, Privacy, Compliance, and Trust
    • Describe securing network connectivity in Azure
    • Describe core Azure Identity services
    • Describe security tools and features of Azure
    • Describe Azure governance methodologies
    • Describe monitoring and reporting options in Azure
    • Describe privacy, compliance and data protection
      standards in Azure
  • Describe Azure Pricing, Service Level Agreements, and
    Lifecycles
    • Describe Azure subscriptions
    • Describe planning and management of costs
    • Describe Azure Service Level Agreements (SLAs)
    • Describe service lifecycle in Azur

Robotic Process Automation: The Promise, the Patterns,
and the Pitfalls

Instructors: Mike Ogrinz and John C. Checco

Automation (RPA/RDA)
is proliferating as it is being used to optimize mundane tasks, cut costs and
support Machine Learning and AI applications. Designing for automation is not
as simple as record and play, there are several major areas for consideration
to create robust but auditable RPAs. Topics include:

  • Lesson 1: A Brief History of Robotics
    • 1.1 Find out where it all began
    • 1.2 Consider the modern robotics era
    • 1.3 Discover the new tools bring to the table
  • Lesson 2: The Patterns & Anti-Patterns
    • 2.1 Learn a subset of patterns for deploying RPA to
      create value
    • 2.2 Discover RPA use cases that undermine success
  • Lesson 3: Governance and Controls
    • 3.1 Responsible Automation . Why?
    • 3.2 The Guardrails – Part I
    • 3.3 The Guardrails – Part II
  • Lesson 4: Demos
    • 4.1 Experience demos of leading RPA tools and
      capabilities
  • Lesson 5: The Future of RPA

 

To register go here: 

https://www.eventbrite.com/e/2020-ny-metro-joint-cyber-security-conference-workshop-registration-117659696319

 

 

CISA Releases Emergency Directive on Microsoft Windows Netlogon Remote Protocol

 Original
release date: September 18, 2020

The Cybersecurity and Infrastructure Security Agency (CISA) has released Emergency
Directive (ED) 20-04
addressing a critical vulnerability—
CVE-2020-1472—affecting Microsoft Windows Netlogon Remote Protocol. An
unauthenticated attacker with network access to a domain controller could
exploit this vulnerability to compromise all Active Directory identity
services.

Earlier this month, exploit
code for this vulnerability was publicly released
. Given the nature of the
exploit and documented adversary behavior, CISA assumes active exploitation of
this vulnerability is occurring in the wild.

ED 20-04 applies to Executive Branch departments and agencies; however, CISA
strongly recommends state and local governments, the private sector, and others
patch this critical vulnerability as soon as possible. Review the following
resources for more information:

GCTC CPAC COVID-19 eResourceKit

This eResouceKit is your guide to Working, Learning, and Living from Home, with your security and privacy defended. It will be a long and challenging road for us all, but we can and will get there, together by taking informed actions to gain control and risk prioritization during and after the pandemic – Cities and Communities, Businesses, First Responders, and Self-Employed/Gig Worker.


For more information go here

Home / SMB Router Device Security Issues

     Routers are a key piece of any computer network and handle all traffic destined from one network to another. While business networks typically utilize big single purpose routers from vendors like Cisco or Juniper, home networks typically utilize a smaller ‘router’ combining a router, switch, and wireless access point. They make it extremely simple to establish a home network to anyone with about $100. This low cost and ease of use seems to come with a penalty though: The security of the resulting network.
    Two researchers, Peter Weidenbach and Johannes vom Dorp, from the German Fraunhofer Institute recently released a comprehensive report on the state of home router device security. What they found is that nearly every home router device on the market is insecure in various ways.
    In their research the researchers looked at the security posture of 127 different models of routers designed for home use. These included models from name brands you would find at any store carrying this type of product like Netgear, Linksys, TP-Link, and D-Link. The first step in evaluating the security of these devices was extracting the included firmware in order to get a look at how they were configured and the software versions in place. The result of this was surprising: they found that most devices on the market were still using Linux kernel 2.6, which has been EOL for a few years. This means that system security patches are unlikely to be released in a timely manner, if at all for those devices. In the extracted firmware they also found a number of hardcoded credentials as well as cryptographic keys being used in an insecure manner, defeating the point of having them.
   
    Another aspect in their research was figuring out how often updates are released to the devices. Security vulnerabilities can happen to any device, but the impact can be mitigated with regular and timely patching. They disappointingly found that the average number of days between up-dates was 378, over a full year of no up-dates for many of the devices. It did appear that ASUS, AVM, and Netgear were among the better vendors when it comes to updates for their devices. It is also important to note that just because updates are available doesn’t mean they are al-ways applied. Most devices do not have auto-update mechanisms, instead an ad-min must check for and apply updates manually.
    When it comes to the security of your home network it may be worth doing some research before spending your money on a device. It is important to note too that high price is not always an indicator of quality, as many devices appear to focus more on form over function in this space. The best bet would be to look for past security vulnerabilities for the particular device and note how often the device receives updates from the vendor.