Sextortion Bitcoin on the Move, (Fri, Jan 18th)

This post was originally published on this site

We’ve gotten a few reports of the latest round of sextortion emails demanding bitcoin in exchange for deleting incriminating videos. These emails and wallets have piled up for some time. Usually the criminal doesn’t move the bitcoin immediately, so checking the bitcoin wallet isn’t helpful. But a week or so after such emails are sent, it becomes possible to see what miscreants are doing with their ill-gotten gains. So for this, I took an e-mail I received on Jan 8th, “Your account is being used by another person” that listed bitcoin wallet 1GjZSJnpU4AfTS8vmre6rx7eQgeMUq8VYr as the place to send money to protect “my little secret”.

The first thing to realize about bitcoin is that you have good enough anonymity… as long as you stay in the blockchain. Bitcoin is very decentralized. What isn’t at all decentralized is the places where you can turn your fake anarchist digital money into real money. So they key in these kind of investigations is to find what they do with their cryptocurrency to get investigative leads. Sometimes those leads involve finding wallets that are discussed publicly or on forums (i.e. how I track neonazi cryptocurrency online), sometimes it could be just finding where to send the subpoena.

With the wallet above, it has earned about $12,000 for spamming planet earth with these extortion threats. The wallet itself is part of a cluster of 5 addresses, all linked to similar scams (17YKd1iJBxu616JEVo15PsXvk1mnQyEFVt, 18Pt4B7Rz7Wf491FGQHPsfDeKRqnkyrMo6, 1G1qFoadiDxa7zTvppSMJhJi63tNUL3cy7, 1PH5CYMeD4ZLTZ2ZYnGLFmQRjnptyLNqcf) which you can research at Bitcoin abuse which is making tracking this much easier.

There are lots of tentacles of where these coins end up. Some end up cashed out at LocalBitcoins.com but the intrigued transaction happened yesterday with an approximately $12,000 transaction into a Binance wallet (transaction here).

The inputs to these criminals are commodity bitcoin exchanges as well, and it might be helpful if those reputable exchanges simply prohibit any transaction with these wallets. That said, knowing where the money is coming out provides leads to investigations looking to bring these actors to justice.  I’ve been estimating these scams are making about $100,000 a week or so, but much more work needs to be done to aggregate all the abusive wallets and then attribute them to specific actors or groups.

If you see these scams, please report them to BitcoinAbuse.com to allow researchers and investigators to have that data for more correlation.


John Bambenek
bambenek at gmail /dot/ com
ThreatSTOP

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Parsing Text with PowerShell (1/3)

This post was originally published on this site

This is the first post in a three part series.

  • Part 1:
    • Useful methods on the String class
    • Introduction to Regular Expressions
    • The Select-String cmdlet
  • Part 2:
    • The -split operator
    • The -match operator
    • The switch statement
    • The Regex class
  • Part 3:
    • A real world, complete and slightly bigger, example of a switch-based parser

A task that appears regularly in my workflow is text parsing. It may be about getting a token from a single line of text or about turning the text output of native tools into structured objects so I can leverage the power of PowerShell.

I always strive to create structure as early as I can in the pipeline, so that later on I can reason about the content as properties on objects instead of as text at some offset in a string. This also helps with sorting, since the properties can have their correct type, so that numbers, dates etc. are sorted as such and not as text.

There are a number of options available to a PowerShell user, and I’m giving an overview here of the most common ones.

This is not a text about how to create a high performance parser for a language with a structured EBNF grammar. There are better tools available for that, for example ANTLR.

.Net methods on the string class

Any treatment of string parsing in PowerShell would be incomplete if it didn’t mention the methods on the string class.
There are a few methods that I’m using more often than others when parsing strings:

Name Description
Substring(int startIndex) Retrieves a substring from this instance. The substring starts at a specified character position and continues to the end of the string.
Substring(int startIndex, int length) Retrieves a substring from this instance. The substring starts at a specified character position and has a specified length.
IndexOf(string value) Reports the zero-based index of the first occurrence of the specified string in this instance.
IndexOf(string value, int startIndex) Reports the zero-based index of the first occurrence of the specified string in this instance. The search starts at a specified character position.
LastIndexOf(string value) Reports the zero-based index of the first occurrence of the specified string in this instance. Often used together with Substring.
LastIndexOf(string value, int startIndex) Reports the zero-based index position of the last occurrence of a specified string within this instance. The search starts at a specified character position and proceeds backward toward the beginning of the string.

This is a minor subset of the available functions. It may be well worth your time to read up on the string class since it is so fundamental in PowerShell.
Docs are found here.

As an example, this can be useful when we have very large input data of comma-separated input with 15 columns and we are only interested in the third column from the end. If we were to use the -split ',' operator, we would create 15 new strings and an array for each line. On the other hand, using LastIndexOf on the input string a few times and then SubString to get the value of interest is faster and results in just one new string.

function parseThirdFromEnd([string]$line){
    $i = $line.LastIndexOf(",")             # get the last separator
    $i = $line.LastIndexOf(",", $i - 1)     # get the second to last separator, also the end of the column we are interested in
    $j = $line.LastIndexOf(",", $i - 1)     # get the separator before the column we want
    $j++                                    # more forward past the separator
    $line.SubString($j,$i-$j)               # get the text of the column we are looking for
}

In this sample, I ignore that the IndexOf and LastIndexOf returns -1 if they cannot find the text to search for. From experience, I also know that it is easy to mess up the index arithmetics.
So while using these methods can improve performance, it is also more error prone and a lot more to type. I would only resort to this when I know the input data is very large and performance is an issue. So this is not a recommendation, or a starting point, but something to resort to.

On rare occasions, I write the whole parser in C#. An example of this is in a module wrapping the Perforce version control system, where the command line tool can output python dictionaries. It is a binary format, and the use case was complicated enough that I was more comfortable with a compiler checked implementation language.

Regular Expressions

Almost all of the parsing options in PowerShell make use of regular expressions, so I will start with a short intro of some regular expression concepts that are used later in these posts.

Regular expressions are very useful to know when writing simple parsers since they allow us to express patterns of interest and to capture text that matches those patterns.

It is a very rich language, but you can get quite a long way by learning a few key parts. I’ve found regular-expressions.info to be a good online resource for more information. It is not written directly for the .net regex implementation, but most of the information is valid across the different implementations.

Regex Description
* Zero or more of the preceding character. a* matches the empty string, a, aa, etc, but not b.
+ One or more of the preceding character. a+ matches a, aa, etc, but not the empty string or b.
. Matches any character
[ax1] Any of a,x,1
a-d matches any of a,b,c,d
w The w meta character is used to find a word character. A word character is a character from a-z, A-Z, 0-9, including the _ (underscore) character. It also matches variants of the characters such as ??? and ???.
W The inversion of w. Matches any non-word character
s The s meta character is used to find white space
S The inversion of s. Matches any non-whitespace character
d Matches digits
D The inversion of d. Matches non-digits
b Matches a word boundary, that is, the position between a word and a space.
B The inversion of b. . erB matches the er in verb but not the er in never.
^ The beginning of a line
$ The end of a line
(<expr>) Capture groups

Combining these, we can create a pattern like below to match a text like:

Text Pattern
" 42,Answer" ^s+d+,.+

The above pattern can be written like this using the x (ignore pattern whitespace) modifier.

Starting the regex with (?x) ignores whitespace in the pattern (it has to be specified explicitly, with s) and also enables the comment character #.

(?x)  # this regex ignores whitespace in the pattern. Makes it possible do document a regex with comments.
^     # the start of the line
s+   # one or more whitespace character
d+   # one or more digits
,     # a comma
.+    # one or more characters of any kind

By using capture groups, we make it possible to refer back to specific parts of a matched expression.

Text Pattern
" 42,Answer" ^s+(d+),(.+)
(?x)  # this regex ignores whitespace in the pattern. Makes it possible to document a regex with comments.
^     # the start of the line
s+   # one or more whitespace character
(d+) # capture one or more digits in the first group (index 1)
,     # a comma
(.+)  # capture one or more characters of any kind in the second group (index 2)

Naming regular expression groups

There is a construct called named capturing groups, (?<group_name>pattern), that will create a capture group with a designated name.

The regex above can be rewritten like this, which allows us to refer to the capture groups by name instead of by index.

^s+(?<num>d+),(?<text>.+)

Different languages have implementation specific solutions to accessing the values of the captured groups. We will see later on in this series how it is done in PowerShell.

The Select-String cmdlet

The Select-String command is a work horse, and is very powerful when you understand the output it produces.
I use it mainly when searching for text in files, but occasionally also when looking for something in command output and similar.

The key to being efficient with Select-String is to know how to get to the matched patterns in the output. In its internals, it uses the same regex class as the -match and -split operator, but instead of populating a global variable with the resulting groups, as -match does, it writes an object to the pipeline, with a Matches property that contains the results of the match.

Set-Content twitterData.txt -value @"
Lee, Steve-@Steve_MSFT,2992
Lee Holmes-13000 @Lee_Holmes
Staffan Gustafsson-463 @StaffanGson
Tribbiani, Joey-@Matt_LeBlanc,463400
"@

# extracting captured groups
Get-ChildItem twitterData.txt |
    Select-String -Pattern "^(w+) ([^-]+)-(d+) (@w+)" |
    Foreach-Object {
        $first, $last, $followers, $handle = $_.Matches[0].Groups[1..4].Value   # this is a common way of getting the groups of a call to select-string
        [PSCustomObject] @{
            FirstName = $first
            LastName = $last
            Handle = $handle
            TwitterFollowers = [int] $followers
        }
    }
FirstName LastName   Handle       TwitterFollowers
--------- --------   ------       ----------------
Lee       Holmes     @Lee_Holmes             13000
Staffan   Gustafsson @StaffanGson              463

Support for Multiple Patterns

As we can see above, only half of the data matched the pattern to Select-String.

A technique that I find useful is to take advantage of the fact that Select-String supports the use of multiple patterns.

The lines of input data in twitterData.txt contain the same type of information, but they’re formatted in slightly different ways.
Using multiple patterns in combination with named capture groups makes it a breeze to extract the groups even when the positions of the groups differ.

$firstLastPattern = "^(?<first>w+) (?<last>[^-]+)-(?<followers>d+) (?<handle>@.+)"
$lastFirstPattern = "^(?<last>[^s,]+),s+(?<first>[^-]+)-(?<handle>@[^,]+),(?<followers>d+)"
Get-ChildItem twitterData.txt |
     Select-String -Pattern $firstLastPattern, $lastFirstPattern |
    Foreach-Object {
        # here we access the groups by name instead of by index
        $first, $last, $followers, $handle = $_.Matches[0].Groups['first', 'last', 'followers', 'handle'].Value
        [PSCustomObject] @{
            FirstName = $first
            LastName = $last
            Handle = $handle
            TwitterFollowers = [int] $followers
        }
    }
FirstName LastName   Handle        TwitterFollowers
--------- --------   ------        ----------------
Steve     Lee        @Steve_MSFT               2992
Lee       Holmes     @Lee_Holmes              13000
Staffan   Gustafsson @StaffanGson               463
Joey      Tribbiani  @Matt_LeBlanc           463400

Breaking down the $firstLastPattern gives us

(?x)                # this regex ignores whitespace in the pattern. Makes it possible do document a regex with comments.
^                   # the start of the line
(?<first>w+)       # capture one or more of any word characters into a group named 'first'
s                  # a space
(?<last>[^-]+)      # capture one of more of any characters but `-` into a group named 'last'
-                   # a '-'
(?<followers>d+)   # capture 1 or more digits into a group named 'followers'
s                  # a space
(?<handle>@.+)      # capture a '@' followed by one or more characters into a group named 'handle'

The second regex is similar, but with the groups in different order. But since we retrieve the groups by name, we don’t have to care about the positions of the capture groups, and multiple assignment works fine.

Context around Matches

Select-String also has a Context parameter which accepts an array of one or two numbers specifying the number of lines before and after a match that should be captured. All text parsing techniques in this post can be used to parse information from the context lines.
The result object has a Context property, that returns an object with PreContext and PostContext properties, both of the type string[].

This can be used to get the second line before a match:

# using the context property
Get-ChildItem twitterData.txt |
    Select-String -Pattern "Staffan" -Context 2,1 |
    Foreach-Object { $_.Context.PreContext[1], $_.Context.PostContext[0] }
Lee Holmes-13000 @Lee_Holmes
Tribbiani, Joey-@Matt_LeBlanc,463400

To understand the indexing of the Pre- and PostContext arrays, consider the following:

Lee, Steve-@Steve_MSFT,2992                  <- PreContext[0]
Lee Holmes-13000 @Lee_Holmes                 <- PreContext[1]
Staffan Gustafsson-463 @StaffanGson          <- Pattern matched this line
Tribbiani, Joey-@Matt_LeBlanc,463400         <- PostContext[0]

The pipeline support of Select-String makes it different from the other parsing tools available in PowerShell, and makes it the undisputed king of one-liners.

I would like stress how much more useful Select-String becomes once you understand how to get to the parts of the matches.

Summary

We have looked at useful methods of the string class, especially how to use Substring to get to text at a specific offset. We also looked at regular expression, a language used to describe patterns in text, and on the Select-String cmdlet, which makes heavy use of regular expression.

Next time, we will look at the operators -split and -match, the switch statement (which is surprisingly useful for text parsing), and the regex class.

Staffan Gustafsson, @StaffanGson, github

Thanks to Jason Shirk, Mathias Jessen and Steve Lee for reviews and feedback.

Drupal Releases Security Updates

This post was originally published on this site

Original release date: January 16, 2019

Drupal has released security updates addressing vulnerabilities in Drupal 7.x, 8.5.x, and 8.6.x. A remote attacker could exploit these vulnerabilities to take control of an affected system.

The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), encourages users and administrators to review Drupal’s security advisories SA-CORE-2019-001 and SA-CORE-2019-002 and apply the necessary updates.


This product is provided subject to this Notification and this Privacy & Use policy.

Emotet infections and follow-up malware, (Wed, Jan 16th)

This post was originally published on this site

Introduction

Three major campaigns using malicious spam (malspam) to distribute malware stopped sending malspam before Christmas–sometime during the week ending on Sunday 2018-12-23.  These three campaigns are Emotet (also known as Feodo), Hancitor (also known as Chanitor or Tordal), and Trickbot.  But this week, all three campaigns have been sending out malspam again.

Among these campaigns, Emotet is by far the most active.  Dozens of indicators are discovered every day as vectors for Emotet infections.  Emotet also acts a distributor for other families of malware.  So far in 2019, I’ve seen Emotet retrieve Gootkit and the IcedID banking Trojan.  As 2019 progresses, I expect to find examples of Emotet distributing other families of malware like Qakbot and Trickbot, something we saw in 2018.

Today’s diary examines recent Emotet malspam and two examples of infection traffic from Tuesday 2019-01-15.


Shown above:  Chain of events for Emotet malware distribution seen so far this year.

The malspam

As usual, emails pushing Emotet use Microsoft Word documents with malicious macros.  On vulnerable Windows hosts, opening these documents in Microsoft Word and enabling macros will attempt an Emotet infection.  So far this week, Emotet malspam had a link to download the Word document, or it’s had a Word document directly attached to the email.  See the images below for examples.


Shown above:  Screenshot 1 of 3 – Emotet malspam with link for Word doc from Tuesday 2019-01-15.


Shown above:  Screenshot 2 of 3 – Emotet malspam with link for Word doc from Tuesday 2019-01-15.


Shown above:  Screenshot 3 of 3 – Emotet malspam with attached Word doc from Monday 2019-01-14.


Shown above:  Example of Word document with macro to infect a vulnerable Windows host with Emotet.

The traffic

Network traffic is typical for what we’ve seen with recent Emotet infections from December 2018.  Emotet frequently uses HTTP traffic over non-standard TCP ports (not TCP port 80).  This may cause issues when reviewing the infection traffic in Wireshark.  Traffic on ports like TCP port 53 (associated with DNS activity like zone transfers) and TCP port 22 (normally associated with SSH) may not be decoded as HTTP in Wireshark.  That was the case with two examples of infection traffic I generated on Monday.

Post-infection activity from the first run included Gootkit, which had similar in traffic patterns that I’ve previously documented.  Post-infection activity from the second run included IcedID (also known as Bokbot), something I’ve also documented.

Indicators of Compromise (IoCs)

The following are indicators from two infections on Tuesday 2019-01-15.  Any malicious URLs, IP addresses, and domain names have been “de-fanged” to avoid issues when viewing today’s diary.

Malware from the first run:

SHA256 hash: 2b8c45af81889ce22ffaf3a78d79a307ce3ab4ebeabbd00bc5982d60a89a2c87

  • File size: 158,208 bytes
  • File location: hxxp://mdmshipping[.]org/wp-content/uploads/Clients_transactions/012019/
  • File name: 190115_invoice.doc
  • File description: Downloaded Word doc with macro for Emotet

SHA256 hash: 4cb1c0ce3de256e671b096729ae35b65b5f4ac67fe0ca9bbdc27e84aaf25a4d3

  • File size: 151,552 bytes
  • File location: hxxp://www.al-bay[.]com/JbDEG76/
  • File location: C:Users[username]AppDataLocaltablesvcstablesvcs.exe
  • File description: Emotet executable retrieved by Word macro

SHA256 hash: e1f60b891005dfd0f6738444406c8e57d644cc3ce0154f8d17454c886637dfbd

  • File size: 151,552 bytes
  • File location: C:Users[username]AppDataLocaltablesvcstablesvcs.exe
  • File description: Emotet executable updated after initial infection

SHA256 hash: 9fd057d99bad388e08f3d71c1d78e90b308e0eb656ecaec88cd70d31f723118e

  • File size: 315,392 bytes
  • File location: C:ProgramData7gYMH.exe
  • File description: Gootkit executable retrieved by my Emotet-infected host

Malware from the second run:

SHA256 hash: abd3942b115eef97d1dca7bbc05022689ee78090b02fb930d202148b9218323c

  • File size: 153,088 bytes
  • File location: hxxp://ciblage-spain[.]es/Transactions/01_19/
  • File name: 012019_INV_0049.doc
  • File description: Downloaded Word doc with macro for Emotet

SHA256 hash: a2d4ccd13954f43ab541b10f879f0d8b5fcf4fa24fffa1b08444bd2313242a78

  • File size: 155,648 bytes
  • File location: hxxp://starbilisim[.]net/umEgLOOKUD/
  • File location: C:Users[username]AppDataLocalpesicypesicy.exe
  • File description: Emotet executable retrieved by Word macro

SHA256 hash: e1f60b891005dfd0f6738444406c8e57d644cc3ce0154f8d17454c886637dfbd

  • File size: 151,552 bytes
  • File location: C:Users[username]AppDataLocalpesicypesicy.exe
  • File description: Emotet executable updated after initial infection

SHA256 hash: 4f519a9e1df4558336263f398c44796cb412e7ef56d3290f0f12b422eb325730

  • File size: 275,456 bytes
  • File location: C:ProgramData35YXoiR.exe
  • File description: IcedID executable retrieved by my Emotet-infected host

SHA256 hash: 92352a5a9e473c8939e3a609253f65d3afaa392f872134ba73c3972d2c5e4830

  • File size: 275,456 bytes
  • File location: C:ProgramData{A2EE4104-C104-4A1F-9FCE-D86635165D72}floflbjnc.exe
  • File description: IcedID executable made persistent on my Emotet-infected host

Emotet Infection traffic from the first run:

  • 92.222.210[.]16 port 80 – mdmshipping[.]org – GET /wp-content/uploads/Clients_transactions/012019/
  • 149.255.58[.]108 port 80 – www.al-bay[.]com – GET /JbDEG76
  • 149.255.58[.]108 port 80 – www.al-bay[.]com – GET /JbDEG76/
  • 189.146.157[.]111 port 20 – Attempted TCP connections (no response from the server)
  • 216.244.228[.]62 port 53 – 216.244.228[.]62:53 – GET /
  • 187.163.177[.]194 port 22 – Attempted TCP connections (no response from the server)
  • 181.164.8[.]8 port 22 – 181.164.8[.]8:22 – GET /
  • 189.129.134[.]124 port 20 – Attempted TCP connections (no response from the server)
  • 189.225.146[.]180 port 8443 – 189.225.146[.]180:8443 – GET /

Gootkit infection traffic from the first run:

  • 66.23.200[.]58 port 443 – mid.centralcoastbagels[.]com – HTTPS/SSL/TLS traffic
  • DNS query for loredanusos[.]com – response: No such name
  • DNS query for bigiterra[.]com – response: No such name
  • DNS query for getlowfast[.]com – response: No such name

Emotet infection traffic from the second run:

  • 87.98.154[.]146 port 80 – ciblage-spain[.]es – GET /Transactions/01_19
  • 87.98.154[.]146 port 80 – ciblage-spain[.]es – GET /Transactions/01_19/
  • 149.255.58[.]108 port 80 – www.al-bay[.]com – GET /JbDEG76
  • 149.255.58[.]108 port 80 – www.al-bay[.]com – GET /cgi-sys/suspendedpage.cgi
  • 159.253.42[.]200 port 80 – starbilisim[.]net – GET /umEgLOOKUD
  • 159.253.42[.]200 port 80 – starbilisim[.]net – GET /umEgLOOKUD/
  • 187.163.177[.]194 port 22 – Attempted TCP connections (no response from the server)
  • 181.164.8[.]8 port 22 – 181.164.8[.]8:22 – GET /
  • 189.129.134[.]124 port 20 – Attempted TCP connections (no response from the server)
  • 189.225.146[.]180 port 8443 – Attempted TCP connections (no response from the server)
  • 66.50.57[.]73 port 8080 – 66.50.57[.]73:8080 – GET /
  • 186.15.66[.]98 port 443 – 186.15.66[.]98:443 – GET /
  • 181.211.11[.]171 port 443 – 181.211.11[.]171:443 – GET /

IcedID infection traffic from the second run:

  • 185.223.163[.]26 port 443 – kepleted[.]pw – HTTPS/SSL/TLS traffic
  • 194.165.3[.]3 port 80 – bestcontrol[.]at – GET /data2.php?45DD8E695E0FFFAB
  • 185.223.163[.]26 port 443 – stronour[.]host – HTTPS/SSL/TLS traffic
  • 194.165.3[.]3 port 443 – bestcontrol[.]at – HTTPS/SSL/TLS traffic
  • 194.165.3[.]3 port 443 – exeterol[.]host – HTTPS/SSL/TLS traffic
  • 194.165.3[.]3 port 443 – decretery[.]host – HTTPS/SSL/TLS traffic

Final words

Pcaps of the infection traffic and malware associated with today’s diary can be found here.


Brad Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Microsoft Publishes Patches for Skype for Business and Team Foundation Server, (Tue, Jan 15th)

This post was originally published on this site

Today, Microsoft published an advisory on CVE-2019-0624 on a spoofing vulnerability in Skype for Business 2015. It requires a few steps of the attacker and isn’t entirely straightforward to execute. They must be an authenticated user and then send a spoofed request that can then perform a XSS on the victim machine at the privilege level of the user using Skype for Business.

Additionally, two advisories were published for Team Foundation Server (2017 and 2018) involving an XSS attack from crafted user-input (CVE-2019-0646) and an information disclosure bug (CVE-2019-0647).

The risk and urgency of applying these isn’t an emergency, but if you accept input from untrusted third-parties in TFS or Skype for Business, that may enhance your risk. Due to the sensitivity of what most people use TFS for, you may wish to find a window when your developers are off and get that applied sooner.

No public exploitation has been reported, but the TFS vulnerabilities were publicly disclosed.


John Bambenek
bambenek at gmail /dot/ com
ThreatSTOP

 

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Oracle Releases January 2019 Security Bulletin

This post was originally published on this site

Original release date: January 15, 2019

Oracle has released its Critical Patch Update for January 2019 to address 284 vulnerabilities across multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), encourages users and administrators to review the Oracle January 2019 Critical Patch Update and apply the necessary updates.


This product is provided subject to this Notification and this Privacy & Use policy.

Still Running Windows 7? Time to think about that upgrade project!, (Mon, Jan 14th)

This post was originally published on this site

For folks still running Windows 7, Microsoft has it scheduled for End of Life in exactly 1 year – https://support.microsoft.com/en-ca/help/13853/windows-lifecycle-fact-sheet

Not such a big deal if you have 1 or 2 machines at home to manage, but if you are an enterprise with hundreds or thousands of Windows 7 machines, it’s really time to start that migration project.  If you’re still running Windows XP, you’re in even deeper trouble!  If you’ve got business apps keeping you at W7 (or XP for that matter), it’s past time to consider an update or migration to better applications!

The difference I’m seeing between companies that run Windows 10 / Office 2016, and companies that run Windows 7 and older versions of office is a significant difference in rates of malware infection.  Maybe start your project by updating machines as a standard first response to malware incident response?  Or make the decision that it’s better for the business to pay for updates, as opposed to paying ransomware (and maybe not even getting what you pay for in that case)? 

Haopy updating! 

===============
Rob VandenBrink

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Snorpy a Web Base Tool to Build Snort/Suricata Rules, (Sat, Jan 12th)

This post was originally published on this site

Snorpy is a web base application to easily build Snort/Suricata rules in a graphical way. It is simple to use starting from the Action and Protocol fields and as you pick each field, the rule builder shows the rule in the bottom window. Before setting up your own local copy, you want to test a live version maintained by the author go here.

This is an example of an existing Snort rule entered via the interface. The rule used for my example is from Emergingthreats with sid:2002809.

alert tcp any 21 -> $HOME_NET any (msg:”ET ATTACK_RESPONSE Hostile FTP Server Banner (StnyFtpd)”; flow:established,from_server; content:”220 StnyFtpd 0wns j0″; offset:0; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2002809; classtype:trojan-activity; sid:2002809; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Note: You have to excape any of the special characters in the MSG fields (see example), just make sure you remove them after you copy the rule. There are a few fields that currently don’t exist but they can be added in the code since the code is available.

If you are interested in trying Snorpy, I wrote a guide to install it on CentOS 7.6 located here.
[1] http://snorpy.com/
[2] https://github.com/chrisjd20/Snorpy
[3] https://handlers.sans.org/gbruneau/snorpy_setup.htm
[4] https://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-attack_response.rules

———–
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Quick Maldoc Analysis, (Fri, Jan 11th)

This post was originally published on this site

Reader Kevin asked for help with the analysis of maldoc 7eac18cab2205d94e5e5e0c43daf64cbab2e0b43cf841213c25ca34e8124739f.

Here is the analysis in one-line, as I like to do:

Similar samples have been analyzed step by step in this and this diary entry. And I also have a video.

This is a good opportunity to point to our diary archive that you can find here, Diary entries by handler can be found here.

My list is here.

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

DNS Infrastructure Hijacking Campaign

This post was originally published on this site

Original release date: January 10, 2019

The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), is aware of a global Domain Name System (DNS) infrastructure hijacking campaign. Using compromised credentials, an attacker can modify the location to which an organization’s domain name resources resolves. This enables the attacker to redirect user traffic to attacker-controlled infrastructure and obtain valid encryption certificates for an organization’s domain names, enabling man-in-the-middle attacks.

NCCIC encourages administrators to review FireEye’s blog on global DNS infrastructure hijacking for more information. Additionally, NCCIC recommends the following best practices to help safeguard networks against this threat:

  • Implement multifactor authentication on domain registrar accounts, or on other systems used to modify DNS records.
  • Verify that DNS infrastructure (second-level domains, sub-domains, and related resource records) points to the correct Internet Protocol addresses or hostnames.
  • Search for encryption certificates related to domains and revoke any malicious certificates.

This product is provided subject to this Notification and this Privacy & Use policy.