
Windows Security change affecting PowerShell

This post was originally published on this site


January 9, 2019

The recent (1/8/2019) Windows security patch, CVE-2019-0543, has introduced a breaking change for a PowerShell remoting scenario. It is a narrowly scoped scenario that should have low impact for most users.

The breaking change only affects local loopback remoting, which is a PowerShell remote connection made back to the same machine, while using non-Administrator credentials.

PowerShell remoting endpoints do not allow access to non-Administrator accounts by default. However, it is possible to modify endpoint configurations, or create new custom endpoint configurations, that do allow non-Administrator account access. So you would not be affected by this change, unless you explicitly set up loopback endpoints on your machine to allow non-Administrator account access.

Example of broken loopback scenario

# Create endpoint that allows Users group access
PS > Register-PSSessionConfiguration -Name MyNonAdmin -SecurityDescriptorSddl 'O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;BU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)' -Force

# Create non-Admin credential
PS > $nonAdminCred = Get-Credential ~NonAdminUser

# Create a loopback remote session to custom endpoint using non-Admin credential
PS > $session = New-PSSession -ComputerName localhost -ConfigurationName MyNonAdmin -Credential $nonAdminCred

New-PSSession : [localhost] Connecting to remote server localhost failed with the following error message : The WSMan
service could not launch a host process to process the given request.  Make sure the WSMan provider host server and
proxy are properly registered. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ New-PSSession -ComputerName localhost -ConfigurationName MyNonAdmin - ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotingTransportException
    + FullyQualifiedErrorId : -2146959355,PSSessionOpenFailed

The above example fails only when using non-Administrator credentials, and the connection is made back to the same machine (localhost). Administrator credentials still work. And the above scenario will work when remoting off-box to another machine.

Example of working loopback scenario

# Create Admin credential
PS > $adminCred = Get-Credential ~AdminUser

# Create a loopback remote session to custom endpoint using Admin credential
PS > $session = New-PSSession -ComputerName localhost -ConfigurationName MyNonAdmin -Credential $adminCred
PS > $session

 Id Name            ComputerName    ComputerType    State         ConfigurationName     Availability
 -- ----            ------------    ------------    -----         -----------------     ------------
  1 WinRM1          localhost       RemoteMachine   Opened        MyNonAdmin               Available

The above example uses Administrator credentials to the same MyNonAdmin custom endpoint, and the connection is made back to the same machine (localhost). The session is created successfully using Administrator credentials.

The breaking change is not in PowerShell but in a system security fix that restricts process creation between Windows sessions. This fix is preventing WinRM (which PowerShell uses as a remoting transport and host) from successfully creating the remote session host, for this particular scenario. There are no plans to update WinRM.

This affects Windows PowerShell and PowerShell Core 6 (PSCore6) WinRM based remoting.

This does not affect SSH remoting with PSCore6.

This does not affect JEA (Just Enough Administration) sessions.

A workaround for a loopback connection is to always use Administrator credentials.

Another option is to use PSCore6 with SSH remoting.
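Before deciding between those two workarounds it helps to know whether a machine has any endpoints in the affected category at all. The script below is an added example, not code from the PowerShell team's post: it walks the registered session configurations with Get-PSSessionConfiguration, parses each endpoint's SDDL with the .NET CommonSecurityDescriptor class, and reports every allow entry whose principal is not BUILTIN\Administrators or LocalSystem (that admin list, and the output shape, are this example's own choices). For the MyNonAdmin endpoint registered above it lists BUILTIN\Users; built-in endpoints may show their own groups too, which is what a reviewer wants to see. It needs an elevated prompt because Get-PSSessionConfiguration does.

```powershell
# Added example (not from the original post): list WinRM session configurations
# that grant access to a non-Administrator principal, i.e. the endpoints whose
# loopback use with non-Admin credentials is affected by CVE-2019-0543.
# Assumes an elevated prompt (Get-PSSessionConfiguration requires one).

# Principals treated as administrative here (an assumption for this example):
# BUILTIN\Administrators and LocalSystem. Any other allow ACE is reported.
$adminSids = @('S-1-5-32-544', 'S-1-5-18')

function Get-NonAdminEndpointAccess {
    foreach ($cfg in Get-PSSessionConfiguration) {
        # Endpoints with no SDDL use the default (Administrators only)
        if ([string]::IsNullOrEmpty($cfg.SecurityDescriptorSddl)) { continue }

        # Parse the SDDL string into a security descriptor object
        $sd = New-Object -TypeName System.Security.AccessControl.CommonSecurityDescriptor `
                         -ArgumentList $false, $false, $cfg.SecurityDescriptorSddl

        foreach ($ace in $sd.DiscretionaryAcl) {
            # Deny entries restrict rather than grant, so only AccessAllowed matters
            if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
            $sid = $ace.SecurityIdentifier.Value
            if ($adminSids -contains $sid) { continue }

            try {
                $account = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $account = $sid   # unresolvable SID (deleted account, foreign domain, etc.)
            }

            [pscustomobject]@{
                Endpoint   = $cfg.Name
                Principal  = $account
                Sid        = $sid
                AccessMask = ('0x{0:X}' -f $ace.AccessMask)
            }
        }
    }
}

# For the MyNonAdmin endpoint from the post this reports BUILTIN\Users (the BU ACE)
Get-NonAdminEndpointAccess | Format-Table -AutoSize
```

Any endpoint that appears in the output is one where a non-Administrator loopback session would now fail; the rows also double as a quick audit of who can reach the box over WinRM, which is worth knowing regardless of this patch.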

Paul Higinbotham
Senior Software Engineer
PowerShell Team

Heartbreaking Emails: “Love You” Malspam, (Thu, Jan 10th)


Introduction

Malicious spam (malspam) using zipped JavaScript (.js) files as email attachments–this is a well-established tactic used by cyber criminals to distribute malware.  I’ve written diaries discussing such malspam in July 2015, September 2015, and February 2016.  I’ve run across plenty of examples since then, but I’ve focused more on Microsoft Office documents instead of .js files.  I last documented .js-based malspam in May 2018.

Despite my personal focus on malicious Word documents and Excel spreadsheets, waves of malspam using zipped .js files were still happening.  So I decided to watch for these .js files as 2019 rolled around.

It didn’t take long.  Earlier this week, I ran across zipped .js attachments from a wave of malspam.  The attachment names all started with Love_You_, and subject lines indicated these were love letters.  A quick Twitter search showed this tactic was used to distribute GandCrab ransomware as recently as November 2018.  Further research revealed this malspam is associated with the Phorpiex botnet.

Today’s diary examines a wave of “Love You” malspam from Tuesday 2019-01-08.  The infection traffic included GandCrab ransomware, a Monero (XMRig) cryptocurrency miner, and Phorpiex spambot traffic.


Shown above:  Flowchart for “Love You” malspam infection traffic.

The emails

Emails follow the same patterns as seen in Proofpoint’s May 2018 report on Phorpiex botnet malspam.  See the images below for details.


Shown above:  Spreadsheet tracker with 10 examples of Phorpiex botnet “Love You” malspam.


Shown above:  Example of the malspam and attached zip archive with .js file.


Shown above:  Script near the bottom of the extracted .js file.

Infection traffic

Infection traffic showed several HTTP requests for additional malware, resulting in multiple copies of the same malware on the infected host.  The host generated Monero (XMRig) cryptocurrency mining traffic, and it also caused the expected post-infection traffic patterns for GandCrab ransomware.  My infected lab host also turned into a spambot for the Phorpiex botnet.

Attachments in malspam from my infected lab host were approximately 1.3 kB, which is considerably smaller than the 43 to 46 kB attachments I found through VirusTotal.  However, these smaller .js files generated the same infection traffic as the larger ones.  The larger .js files had more obfuscation for the same functions.
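The attachment shape described in this diary (a small zip archive whose only member is a .js file, with a name of the form Love_You_<digits>-2019-txt.zip) is easy to triage mechanically at a mail gateway. The Python below is an added example, not the diary's own code: it builds a sample archive in memory with a harmless placeholder script, checks the filename against the campaign's naming pattern, and inspects the archive for Windows Script Host file types. The extension list and the filename pattern are this example's assumptions, drawn from the names listed in the IOC section (both the Love_You_<n>-2019-txt and Love_You_2019_<n>-txt orderings seen there).

```python
"""Added example (not from the ISC diary): triage a zip attachment of the kind
described above, i.e. a small archive whose only member is a .js file.
The sample archive is constructed in memory with a harmless placeholder, so
this runs offline; its name follows the Love_You_ pattern from the IOC list."""
import io
import posixpath
import re
import zipfile

# Extensions Windows Script Host / mshta will run on double-click
# (assumption for this example; extend to taste).
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}

# Campaign naming convention: "Love_You_", one or more digit groups separated
# by "-" or "_", then "txt.zip" (covers both orderings in the IOC list).
LOVE_YOU_NAME = re.compile(r"^Love_You_(?:\d+[-_])+txt\.zip$", re.IGNORECASE)


def triage_zip_attachment(filename: str, data: bytes) -> dict:
    """Return findings for one zip attachment.

    'suspicious' is set when the filename matches the campaign pattern or when
    every member of the archive is a script type, the classic malspam shape."""
    findings = {
        "filename": filename,
        "size": len(data),
        "campaign_name_match": bool(LOVE_YOU_NAME.match(filename)),
        "is_zip": False,
        "script_members": [],
        "suspicious": False,
    }
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = [m for m in zf.infolist() if not m.is_dir()]
    except zipfile.BadZipFile:
        # Not an archive at all; the name check still stands, leave the rest
        findings["suspicious"] = findings["campaign_name_match"]
        return findings
    findings["is_zip"] = True
    for m in members:
        ext = posixpath.splitext(m.filename)[1].lower()
        if ext in SCRIPT_EXTENSIONS:
            findings["script_members"].append((m.filename, m.file_size))
    all_scripts = bool(members) and len(findings["script_members"]) == len(members)
    findings["suspicious"] = all_scripts or findings["campaign_name_match"]
    return findings


def build_sample_attachment(member="Love_You_12345678-2019-txt.js",
                            content="// constructed placeholder, not malware\n") -> bytes:
    """Constructed sample archive with one member (defaults mirror the campaign)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, content)
    return buf.getvalue()


if __name__ == "__main__":
    blob = build_sample_attachment()
    print(triage_zip_attachment("Love_You_12345678-2019-txt.zip", blob))
    print(triage_zip_attachment("notes.zip", build_sample_attachment("readme.txt", "hi")))
```

The "every member is a script" condition is the more durable of the two checks: the campaign name will change, but a zip that carries nothing except a .js or .wsf file has very few legitimate reasons to arrive by mail.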


Shown above:  Some of the web-based infection traffic filtered in Wireshark.


Shown above:  Monero (XMRig) cryptocurrency miner traffic from the infection.


Shown above:  Phorpiex spambot traffic from my infected lab host.


Shown above:  One of the malspam messages sent out from my infected lab host.


Shown above:  Examining one of the zipped .js attachments sent from my infected lab host.

Forensics on an infected host

GandCrab ransomware was the most visible aspect of my infected lab host.  Of note, the file downloader established itself on a USB thumb drive plugged into the infected host.


Shown above:  Desktop from an infected Windows host.


Shown above:  Decryptor page for the GandCrab ransomware infection.


Shown above:  File downloader established itself on a USB drive plugged into the infected host.

Indicators of compromise (IOCs)

Date/Time of the malspam:

  • Tuesday 2019-01-08 as early as 00:15 UTC through at least 18:24 UTC

10 examples of spoofed sending addresses from the malspam:

  • From:  Teddy Bailey <Teddy31@8038.com>
  • From:  Imogene Carter <Imogene99@0354.com>
  • From:  Imelda Jones <Imelda31@1529.com>
  • From:  Ted Hall <Ted93@4302.com>
  • From:  Deanne Harris <Deanne11@5387.com>
  • From:  Bob Ross <Bob01@0437.com>
  • From:  Teddy Gonzalez <Teddy21@8381.com>
  • From:  Bradford Reed <Bradford99@2804.com>
  • From:  Taylor Phillips <Taylor74@4656.com>
  • From:  Deena Hernandez <Deena49@1659.com>

8 examples of subject lines from 10 examples of the malspam:

  • Subject:  Always thinking about you
  • Subject:  Felt in love with you!
  • Subject:  I love you
  • Subject:  Just for you!
  • Subject:  My letter just for you
  • Subject:  My love letter for you
  • Subject:  Wrote this letter for you
  • Subject:  😀

8 file attachments (zip archives) from 10 examples of malspam:

  • Love_You_24373792-2019-txt.zip – 43,646 bytes
  • Love_You_25821416-2019-txt.zip – 45,504 bytes
  • Love_You_26943288-2019-txt.zip – 43,481 bytes
  • Love_You_35140600-2019-txt.zip – 45,289 bytes
  • Love_You_36450240-2019-txt.zip – 45,305 bytes
  • Love_You_4169768-2019-txt.zip – 43,447 bytes
  • Love_You_5742488-2019-txt.zip – 43,494 bytes
  • Love_You_8801848-2019-txt.zip – 47,121 bytes

SHA256 hashes for the above zip archives:

  • 72429571f4ca62fceb5a4fc0a17a8f8ab88c1ed01b9d657f7e9778c7939cea06
  • 27ac0e9011294c2152d224052280f7fa434df572809a6f96f9a306f3d5c965e3
  • 99a1e83e77850b59995cdf29b61e9f29f9c38882363027668030df0a62059645
  • 06e61032bccfe0ccd51ddbab480e1eb6392bccb318639ecac0092e96b9d794ad
  • 7818e108a16f096eb71feb564ce92095c4ac1e613933630169cc16606bb5f68d
  • 0a27af16b991cbe0f5445022cb1d752a9144abeede6b8de0055247e6fd6c1698
  • 32ee086fbc82ddd0675c0293656f813493ce6d96d02e0bcbeccee4d1a6adfb20
  • 12e3038b2ed0663cba3c6a05ac0a27b61dce694dffc27aafb4cb3f2f229ff6b8

JavaScript (JS) files extracted from the above zip archives:

  • Love_You_24373792-2019-txt.js – 43490 bytes
  • Love_You_25821416-2019-txt.js – 45348 bytes
  • Love_You_26943288-2019-txt.js – 43325 bytes
  • Love_You_35140600-2019-txt.js – 45133 bytes
  • Love_You_36450240-2019-txt.js – 45149 bytes
  • Love_You_4169768-2019-txt.js – 43293 bytes
  • Love_You_5742488-2019-txt.js – 43340 bytes
  • Love_You_8801848-2019-txt.js – 46967 bytes

SHA256 hashes for the above JS files:

  • 6ad3e68e2e8c5088bc8544bc230a2e333645d3c246ace772bf61f80cd0e93002
  • 99fe714a365f8e4a74687592700b27f2016a59c7527b5d4ef7cfd97e63468349
  • d189f44528dfa3f8dba2632ae26f564a37931cb89668d31402fc7fb05ae63c1a
  • c3683096f91b00dfe248e388b4302d5471fb090ab8092c96c991a467c26f26b0
  • f3c369edc2ea96465c49a14f64bdce83c0a401e0ae12e809bced8f99b977c5dc
  • f4d3ba58e91dc95877ba13804df6fe307ef6efcef74d3a00792387625a624cf4
  • 9ff78056e225c08ef1f1ff71f305201387f3ec766c8727361851287a74de1f45
  • ba23af4480611fb19fad2cd83a41bd347d183e0ef8e1c5477916bebe32955d87

Information from file attachment seen in post-infection spambot traffic:

  • SHA256 hash: cf9a20874089ec7aa1a84a27f74928c71266a684e7fee4c1ac8d37aaf57d6bf2
  • File name: Love_You_2019_38154368-txt.zip
  • File size: 1,382 bytes
  • File description: Zip archive extracted from post-infection spambot traffic
  • SHA256 hash: 0de30f9dbe37aea5932e5df85b4f1aa5cefe28f3bffb58d4d8ae40ccd040a4a7
  • File name: Love_You_2019_38154368-txt.js
  • File size: 1,226 bytes
  • File description: Extracted JS file from zip archive seen in spambot traffic

Malware retrieved from an infected Windows host:

HTTP traffic for the initial malware EXE:

  • 92.63.197[.]48 port 80 – slpsrgpsrhojifdij[.]ru – GET /krablin.exe?ceaYZof

HTTP traffic generated by the initial malware EXE and follow-up EXE/malware downloader:

  • 92.63.197[.]48 port 80 – slpsrgpsrhojifdij[.]ru – GET /1.exe
  • 92.63.197[.]48 port 80 – slpsrgpsrhojifdij[.]ru – GET /2.exe
  • 92.63.197[.]48 port 80 – slpsrgpsrhojifdij[.]ru – GET /3.exe
  • 92.63.197[.]48 port 80 – slpsrgpsrhojifdij[.]ru – GET /4.exe
  • 92.63.197[.]48 port 80 – slpsrgpsrhojifdij[.]ru – GET /5.exe
  • 92.63.197[.]48 port 80 – 92.63.197[.]48 – GET /m/1.exe
  • 92.63.197[.]48 port 80 – 92.63.197[.]48 – GET /m/2.exe
  • 92.63.197[.]48 port 80 – 92.63.197[.]48 – GET /m/3.exe
  • 92.63.197[.]48 port 80 – 92.63.197[.]48 – GET /m/4.exe
  • 92.63.197[.]48 port 80 – 92.63.197[.]48 – GET /m/5.exe
  • 92.63.197[.]48 port 80 – 92.63.197[.]48 – GET /m/2.exe
  • 92.63.197[.]48 port 80 – 92.63.197[.]48 – GET /1.exe
  • 92.63.197[.]48 port 80 – 92.63.197[.]48 – GET /2.exe
  • 92.63.197[.]48 port 80 – 92.63.197[.]48 – GET /3.exe
  • 92.63.197[.]48 port 80 – 92.63.197[.]48 – GET /4.exe
  • 92.63.197[.]48 port 80 – 92.63.197[.]48 – GET /5.exe
  • 198.105.244[.]228 port 80 – osheoufhusheoghuesd[.]ru – GET /1.exe
  • 198.105.244[.]228 port 80 – osheoufhusheoghuesd[.]ru – GET /2.exe
  • 198.105.244[.]228 port 80 – osheoufhusheoghuesd[.]ru – GET /3.exe
  • 198.105.244[.]228 port 80 – osheoufhusheoghuesd[.]ru – GET /4.exe
  • 198.105.244[.]228 port 80 – osheoufhusheoghuesd[.]ru – GET /5.exe
  • 198.105.244[.]228 port 80 – suieiusiueiuiuushgf[.]ru – GET /1.exe
  • 198.105.244[.]228 port 80 – suieiusiueiuiuushgf[.]ru – GET /2.exe
  • 198.105.244[.]228 port 80 – suieiusiueiuiuushgf[.]ru – GET /3.exe
  • 198.105.244[.]228 port 80 – suieiusiueiuiuushgf[.]ru – GET /4.exe
  • 198.105.244[.]228 port 80 – suieiusiueiuiuushgf[.]ru – GET /5.exe

Traffic caused by the GandCrab ransomware EXE:

  • 78.46.77[.]98 port 80 – www.2mmotorsport[.]biz – GET /
  • 78.46.77[.]98 port 443 – www.2mmotorsport[.]biz – HTTPS traffic
  • 217.26.53[.]161 port 80 – www.haargenau[.]biz – GET /
  • 217.26.53[.]161 port 80 – www.haargenau[.]biz – POST /includes/pictures/fusemoru.png
  • 74.220.215[.]73 port 80 – www.bizziniinfissi[.]com – GET /
  • 74.220.215[.]73 port 80 – www.bizziniinfissi[.]com – POST /uploads/images/dethso.gif
  • 136.243.13[.]215 port 80 – www.holzbock[.]biz – POST /uploads/images/rumose.png
  • 138.201.162[.]99 port 80 – www.fliptray[.]biz – GET /
  • 138.201.162[.]99 port 443 – www.fliptray[.]biz – HTTPS traffic
  • gandcrabmfe6mnef[.]onion – Tor domain noted in decryption instructions

Traffic caused by the Monero (XMRig) cryptocurrency miner EXE:

  • 92.63.197[.]48 port 9090 – XMRig coinminer traffic

Traffic caused by the Phorpiex spambot EXE:

  • 92.63.197[.]48 port 80 – 92.63.197[.]48 – GET /m/attachment.js
  • port 80 – icanhazip[.]com – GET /   (IP address check, not inherently malicious)
  • 92.63.197[.]48 port 80 – 92.63.197[.]48 – GET /m/mnum.txt
  • 92.63.197[.]48 port 80 – 92.63.197[.]48 – GET /m/1994.txt
  • UDP port 53 – DNS queries for various mail servers
  • various IP addresses over TCP port 25 – SMTP traffic caused by the spambot
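The indicator lines above are written defanged ([.] in place of .), which is right for publication but not for matching. The Python below is an added example rather than part of the diary: it parses a subset of those lines exactly as printed, refangs them into IP, host and host+path sets, and runs the result over a few constructed proxy log lines to show which requests it would flag and why (a full host+path match is reported separately from a host-only match, since the latter is weaker). The log format is this example's assumption; the indicator lines are quoted from the list above.

```python
"""Added example (not from the ISC diary): build a lookup set from the
defanged HTTP indicators listed above and match it against proxy log lines.
The log lines are constructed for this example."""
import re
from urllib.parse import urlparse

# A subset of the diary's indicator lines, exactly in the form given above.
IOC_LINES = """
92.63.197[.]48 port 80 – slpsrgpsrhojifdij[.]ru – GET /krablin.exe?ceaYZof
92.63.197[.]48 port 80 – slpsrgpsrhojifdij[.]ru – GET /1.exe
92.63.197[.]48 port 80 – 92.63.197[.]48 – GET /m/1.exe
198.105.244[.]228 port 80 – osheoufhusheoghuesd[.]ru – GET /1.exe
217.26.53[.]161 port 80 – www.haargenau[.]biz – POST /includes/pictures/fusemoru.png
92.63.197[.]48 port 9090 – XMRig coinminer traffic
"""

# "<ip> port <n> – <host> – <METHOD> <path>" (the separator is an en dash)
IOC_RE = re.compile(
    r"^(?P<ip>\S+)\s+port\s+(?P<port>\d+)\s+–\s+(?P<host>\S+)\s+–\s+"
    r"(?P<method>GET|POST)\s+(?P<path>\S+)$"
)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def refang(s: str) -> str:
    """Restore the dots that were bracketed for safe publication."""
    return s.replace("[.]", ".")


def parse_iocs(text: str) -> dict:
    """Return {'ips', 'hosts', 'urls'} sets from defanged IOC lines.
    Lines that are not HTTP requests (e.g. the XMRig port 9090 entry) still
    contribute their IP address."""
    iocs = {"ips": set(), "hosts": set(), "urls": set()}
    for raw in text.strip().splitlines():
        line = refang(raw.strip())
        m = IOC_RE.match(line)
        if not m:
            first = line.split()[0]
            if IPV4_RE.fullmatch(first):
                iocs["ips"].add(first)
            continue
        iocs["ips"].add(m["ip"])
        iocs["hosts"].add(m["host"])
        iocs["urls"].add(f"{m['host']}{m['path']}")
    return iocs


# Constructed proxy log lines (not from the diary); format:
# <time> <client> <method> <url> <status>
SAMPLE_LOG = """
2019-01-08T00:20:11Z 10.0.0.12 GET http://slpsrgpsrhojifdij.ru/krablin.exe?ceaYZof 200
2019-01-08T00:20:15Z 10.0.0.12 GET http://92.63.197.48/m/1.exe 200
2019-01-08T00:21:02Z 10.0.0.12 GET http://icanhazip.com/ 200
2019-01-08T00:21:30Z 10.0.0.12 GET http://slpsrgpsrhojifdij.ru/favicon.ico 404
2019-01-08T00:22:40Z 10.0.0.12 POST http://www.haargenau.biz/includes/pictures/fusemoru.png 200
2019-01-08T00:23:05Z 10.0.0.33 GET http://example.com/index.html 200
"""


def match_proxy_log(iocs: dict, log_text: str) -> list:
    """Return (client, url, reason) for each log line touching an indicator.
    reason is 'url' for a host+path match and 'host' for a host/IP-only match."""
    hits = []
    for line in log_text.strip().splitlines():
        _ts, client, _method, url, _status = line.split()
        parsed = urlparse(url)
        host = parsed.hostname or ""
        path = parsed.path + (f"?{parsed.query}" if parsed.query else "")
        if f"{host}{path}" in iocs["urls"]:
            hits.append((client, url, "url"))
        elif host in iocs["hosts"] or host in iocs["ips"]:
            hits.append((client, url, "host"))
    return hits


if __name__ == "__main__":
    for hit in match_proxy_log(parse_iocs(IOC_LINES), SAMPLE_LOG):
        print(hit)
```

Note that the icanhazip.com request is deliberately not in the indicator set, matching the diary's own caveat that the IP address check is not inherently malicious; on its own it is a poor pivot, but a host that fetches it seconds after a hit on one of the download hosts is worth a look.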

Final words

A pcap of the infection traffic and malware associated with today’s diary can be found here.


Brad Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

DSC Resource Kit Release January 2019


We just released the DSC Resource Kit!

This release includes updates to 14 DSC resource modules. In the past 6 weeks, 41 pull requests have been merged and 54 issues have been closed, all thanks to our amazing community!

The modules updated in this release are:

  • ActiveDirectoryCSDsc
  • AuditPolicyDsc
  • CertificateDsc
  • ComputerManagementDsc
  • NetworkingDsc
  • SecurityPolicyDsc
  • SqlServerDsc
  • StorageDsc
  • xActiveDirectory
  • xBitlocker
  • xExchange
  • xFailOverCluster
  • xHyper-V
  • xWebAdministration

Several of these modules were released to remove the hidden files/folders from this issue. This issue should now be fixed for all modules except DFSDsc which is waiting for some fixes to its tests.

For a detailed list of the resource modules and fixes in this release, see the Included in this Release section below.

Our latest community call for the DSC Resource Kit was today, January 9. A recording is available on YouTube here. Join us for the next call at 12PM (Pacific time) on February 13 to ask questions and give feedback about your experience with the DSC Resource Kit.

The next DSC Resource Kit release will be on Wednesday, February 20.

We strongly encourage you to update to the newest version of all modules using the PowerShell Gallery, and don’t forget to give us your feedback in the comments below, on GitHub, or on Twitter (@PowerShell_Team)!

Please see our documentation here for information on the support of these resource modules.

Included in this Release

You can see a detailed summary of all changes included in this release in the table below. For past release notes, go to the README.md or CHANGELOG.md file on the GitHub repository page for a specific module (see the How to Find DSC Resource Modules on GitHub section below for details on finding the GitHub page for a specific module).

Module Name Version Release Notes
ActiveDirectoryCSDsc 3.1.0.0
  • Updated LICENSE file to match the Microsoft Open Source Team standard.
  • Added .VSCode settings for applying DSC PSSA rules – fixes Issue 60.
  • Added fix for two tier PKI deployment fails on initial deployment, not error – fixes Issue 57.
AuditPolicyDsc 1.4.0.0
  • Explicitly removed extra hidden files from release package
CertificateDsc 4.3.0.0
  • Updated certificate import to only use Import-CertificateEx – fixes Issue 161
  • Update LICENSE file to match the Microsoft Open Source Team standard – fixes Issue 164.
  • Opted into Common Tests – fixes Issue 168:
    • Required Script Analyzer Rules
    • Flagged Script Analyzer Rules
    • New Error-Level Script Analyzer Rules
    • Custom Script Analyzer Rules
    • Validate Example Files To Be Published
    • Validate Markdown Links
    • Relative Path Length
  • CertificateExport:
    • Fixed bug causing PFX export with matchsource enabled to fail – fixes Issue 117
ComputerManagementDsc 6.1.0.0
  • Updated LICENSE file to match the Microsoft Open Source Team standard. Fixes Issue 197.
  • Explicitly removed extra hidden files from release package
NetworkingDsc 6.3.0.0
  • MSFT_IPAddress:
    • Updated to allow retaining existing addresses in order to support cluster configurations as well
SecurityPolicyDsc 2.7.0.0
  • Bug fix – Issue 83 – Network_access_Remotely_accessible_registry_paths_and_subpaths correctly applies multiple paths
  • Update LICENSE file to match the Microsoft Open Source Team standard
SqlServerDsc 12.2.0.0
  • Changes to SqlServerDsc
    • During testing in AppVeyor the Build Worker is restarted in the install step to make sure there are no residual changes left from a previous SQL Server install on the Build Worker done by the AppVeyor Team (issue 1260).
    • Code cleanup: Change parameter names of Connect-SQL to align with resources.
    • Updated README.md in the Examples folder.
      • Added a link to the new xADObjectPermissionEntry examples in ActiveDirectory, fixed a broken link and a typo. Adam Rush (@adamrushuk)
    • Change to SqlServerLogin so it doesn’t check properties for absent logins.
StorageDsc 4.4.0.0
  • Refactored module folder structure to move resource to root folder of repository and remove test harness – fixes Issue 169.
  • Updated Examples to support deployment to PowerShell Gallery scripts.
  • Removed limitation on using Pester 4.0.8 during AppVeyor CI.
  • Moved the Code of Conduct text out of the README.md and into a CODE_OF_CONDUCT.md file.
  • Explicitly removed extra hidden files from release package
xActiveDirectory 2.23.0.0
  • Explicitly removed extra hidden files from release package
xBitlocker 1.4.0.0
  • Change double quoted string literals to single quotes
  • Add spaces between array members
  • Add spaces between variable types and variable names
  • Add spaces between comment hashtag and comments
  • Explicitly removed extra hidden files from release package
xExchange 1.26.0.0
  • Add support for Exchange Server 2019
  • Added additional parameters to the MSFT_xExchUMService resource
  • Rename improperly named functions, and add comment based help in MSFT_xExchClientAccessServer, MSFT_xExchDatabaseAvailabilityGroupNetwork, MSFT_xExchEcpVirtualDirectory, MSFT_xExchExchangeCertificate, MSFT_xExchImapSettings.
  • Added additional parameters to the MSFT_xExchUMCallRouterSettings resource
  • Rename improper function names in MSFT_xExchDatabaseAvailabilityGroup, MSFT_xExchJetstress, MSFT_xExchJetstressCleanup, MSFT_xExchMailboxDatabase, MSFT_xExchMailboxDatabaseCopy, MSFT_xExchMailboxServer, MSFT_xExchMaintenanceMode, MSFT_xExchMapiVirtualDirectory, MSFT_xExchOabVirtualDirectory, MSFT_xExchOutlookAnywhere, MSFT_xExchOwaVirtualDirectory, MSFT_xExchPopSettings, MSFT_xExchPowershellVirtualDirectory, MSFT_xExchReceiveConnector, MSFT_xExchWaitForMailboxDatabase, and MSFT_xExchWebServicesVirtualDirectory.
  • Add remaining unit and integration tests for MSFT_xExchExchangeServer.
xFailOverCluster 1.12.0.0
  • Explicitly removed extra hidden files from release package
xHyper-V 3.15.0.0
  • Explicitly removed extra hidden files from release package
xWebAdministration 2.4.0.0
  • Explicitly removed extra hidden files from release package

How to Find Released DSC Resource Modules

To see a list of all released DSC Resource Kit modules, go to the PowerShell Gallery and display all modules tagged as DSCResourceKit. You can also enter a module’s name in the search box in the upper right corner of the PowerShell Gallery to find a specific module.

Of course, you can also always use PowerShellGet (available starting in WMF 5.0) to find modules with DSC Resources:

# To list all modules that are tagged as DSCResourceKit
Find-Module -Tag DSCResourceKit
# To list all DSC resources from all sources
Find-DscResource

Please note only those modules released by the PowerShell Team are currently considered part of the ‘DSC Resource Kit’ regardless of the presence of the ‘DSC Resource Kit’ tag in the PowerShell Gallery.

To find a specific module, go directly to its URL on the PowerShell Gallery:
http://www.powershellgallery.com/packages/< module name >
For example:
http://www.powershellgallery.com/packages/xWebAdministration

How to Install DSC Resource Modules From the PowerShell Gallery

We recommend that you use PowerShellGet to install DSC resource modules:

Install-Module -Name < module name >

For example:

Install-Module -Name xWebAdministration

To update all previously installed modules at once, open an elevated PowerShell prompt and use this command:

Update-Module

After installing modules, you can discover all DSC resources available to your local system with this command:

Get-DscResource
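A blanket Update-Module touches every installed module; when the aim is to pick up a Resource Kit release such as this one it is often preferable to see which Resource Kit modules are behind first and update only those. The script below is an added example, not from the DSC team's post: it uses the same Find-Module tag query shown earlier to fetch the Gallery's current versions, compares them with Get-InstalledModule, and updates just the modules that are behind. As the note above says, the tag alone does not make a module part of the Resource Kit, so the Author column is included for the reader to check before trusting a match.

```powershell
# Added example (not from the original post): report installed modules tagged
# DSCResourceKit that are behind the version published on the PowerShell Gallery,
# then update only those. Assumes PowerShellGet (Find-Module, Get-InstalledModule,
# Update-Module) and access to the Gallery.

function Get-OutdatedDscModule {
    param(
        [string] $Repository = 'PSGallery'
    )

    # Current Gallery versions for everything carrying the DSCResourceKit tag
    $published = @{}
    foreach ($m in Find-Module -Tag DSCResourceKit -Repository $Repository) {
        $published[$m.Name] = $m
    }

    foreach ($installed in Get-InstalledModule) {
        $latest = $published[$installed.Name]
        if ($null -eq $latest) { continue }   # not tagged as a Resource Kit module

        # Strip any prerelease suffix ("1.2.3-preview") before comparing versions
        $have = [version] (("$($installed.Version)" -split '-')[0])
        $want = [version] (("$($latest.Version)" -split '-')[0])
        if ($have -lt $want) {
            [pscustomobject]@{
                Name      = $installed.Name
                Installed = $installed.Version
                Latest    = $latest.Version
                Author    = $latest.Author   # check this; the tag alone is not authoritative
            }
        }
    }
}

$outdated = @(Get-OutdatedDscModule)
$outdated | Format-Table -AutoSize

# Update just the modules that are behind rather than everything on the system
foreach ($m in $outdated) { Update-Module -Name $m.Name }
```

Run it from an elevated prompt if the modules were installed for all users, as the post's Update-Module instruction already requires.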

How to Find DSC Resource Modules on GitHub

All resource modules in the DSC Resource Kit are available open-source on GitHub.
You can see the most recent state of a resource module by visiting its GitHub page at:
https://github.com/PowerShell/< module name >
For example, for the CertificateDsc module, go to:
https://github.com/PowerShell/CertificateDsc.

All DSC modules are also listed as submodules of the DscResources repository in the DscResources folder and the xDscResources folder.

How to Contribute

You are more than welcome to contribute to the development of the DSC Resource Kit! There are several different ways you can help. You can create new DSC resources or modules, add test automation, improve documentation, fix existing issues, or open new ones.
See our contributing guide for more info on how to become a DSC Resource Kit contributor.

If you would like to help, please take a look at the list of open issues for the DscResources repository.
You can also check issues for specific resource modules by going to:
https://github.com/PowerShell/< module name >/issues
For example:
https://github.com/PowerShell/xPSDesiredStateConfiguration/issues

Your help in developing the DSC Resource Kit is invaluable to us!

Questions, comments?

If you’re looking into using PowerShell DSC, have questions or issues with a current resource, or would like a new resource, let us know in the comments below, on Twitter (@PowerShell_Team), or by creating an issue on GitHub.

Katie Kragenbrink
Software Engineer
PowerShell DSC Team
@katiedsc (Twitter)
@kwirkykat (GitHub)

Juniper Networks Releases Multiple Security Updates


Original release date: January 09, 2019

Juniper Networks has released multiple security updates to address vulnerabilities in various Juniper products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), encourages users and administrators to review Juniper’s Security Advisories webpage and apply the necessary updates.


This product is provided subject to this Notification and this Privacy & Use policy.

Cisco Releases Security Updates


Original release date: January 09, 2019

Cisco has released security updates to address vulnerabilities in Cisco AsyncOS Software for Cisco Email Security Appliance. A remote attacker could exploit these vulnerabilities to cause a denial-of-service condition.
 

The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), encourages users and administrators to review the following Cisco Security Advisories and apply the necessary updates:

gganimate: Animate YouR Security Analysis, (Wed, Jan 9th)


I regularly challenge myself and others to visualize the results of their analysis, when and where the data permits it. The likes of ggplot2 enable this beautifully for R users. Then, in September 2018, gganimate hit my radar via R-bloggers and I had an epiphany.

“gganimate extends the grammar of graphics as implemented by ggplot2 to include the description of animation. It does this by providing a range of new grammar classes that can be added to the plot object in order to customize how it should change with time.”

While Thomas’s gganimate examples are intriguing, and triggered my notions for deeper visualization opportunities, they were contextually unrelated to my goals. As such, I endeavored to provide example data sets and applicability for information security and assurance analysis. As purveyors of security analysis services, my team is perpetually faced with solving problems at massive scale, yet finding intelligent, accurate answers in the sea of data. While a static visualization specific to a related analysis can be truly effective, an animated visualization, particularly a time-based graphic, can bring the art to a whole new level. A couple of points and caveats:

  • This review drove me a bit crazy over the nuance between security analysis versus security analytics. In the end, I settled on the fact that this work enables analysis, based on the Merriam-Webster definitions:
    • Analysis is “a detailed examination of anything complex in order to understand its nature or to determine its essential features: a thorough study.”
    • Analytics is defined as “the method of logical analysis.” The Electronic Engineering Times elaborates further: “Merriam-Webster’s definition of analytics as a “method of logical analysis” includes the term analysis, but introduces a significant differentiator with the term “logical.” Analytic methods use data to answer questions that occurred in the past, but also provide insights or deductive reasoning to act in the future.” In my mind, static and animated visualizations of data past are more an “examination of anything complex in order to understand its nature or to determine its essential features”. Yet, one can argue that these same visualizations can, at least, help inform action in the future. It came out to be approximately a 70⁄30 split for me, in favor of analysis. Let the debate begin, but this gives you good insight regarding the discussions I have with myself. 😉
  • While the data sets provided here are artificial, they are based on absolute realities, and represent legitimate scenarios and likely outcomes. That said, they are artificial (#FakeData) so please do not use this data to influence any decisions other than to use these methods with your real data. The goal here is simply to provide you with hopefully new and innovative ways to represent your analysis.

gganimate installation is really simple. You can grab the stable version from CRAN via

install.packages('gganimate')

or the development version via

install.packages('devtools')   # devtools provides install_github()
devtools::install_github('thomasp85/gganimate')

Note that, while working on Windows 10, I used a gganimate fork via

devtools::install_github("dmi3kno/gganimate")

to overcome a Windows 10-specific bug. Installation from CRAN or the thomasp85 GitHub should be otherwise successful. I strongly suggest reading through as much of the gganimate reference guide as you can; as a Grammar of Animated Graphics, it has some granular syntax to consume and understand.

I selected three of Thomas’s examples and customized them for use in a security analysis context. Thomas is gganimate’s author and maintainer; for a very current review of the project’s history, current state, and road map, see gganimate has transitioned to a state of release. The project is now officially a v1.0 release. The project GitHub includes three examples:

  1. Temperature Time Series
  2. Gapminder
  3. Election Results

I utilized the principles and code from each of these and applied them to three unique security-oriented scenarios, namely security incident counts over time, a cloud provider Cybersecurity Framework attestation comparison, and ten years of Security Development Lifecycle utilization.

Security Incidents Time Series

I’ll start with a simple example and concept. I’m not a big fan of security incident counts by themselves as a metric or a KPI, but they do inform trend indicators. For large service providers and operations, data of this nature can inform leadership of patterns to manage as well. This visualization compares incident counts by day of the month, over five months August through December, in parallel, as seen in Figure 1.

library(ggplot2)
library(gganimate)

incidents <- read.csv("incidents.csv")
incidents$Month <- format(ISOdate(2004,1:12,1),"%B")[incidents$Month]

p <- ggplot(incidents, aes(Day, Inc_Cnt, group = Month)) + 
  geom_line(aes(colour=Month)) + 
  geom_segment(aes(xend = 31, yend = Inc_Cnt), linetype = 2, colour = 'blue') + 
  geom_point(size = 2) + 
  geom_text(aes(x = 31.1, label = Month), hjust = 0, colour = 'brown') + 
  # gganimate 1.0: transition_reveal() takes only the variable to reveal along;
  # the separate per-Month series come from the group aesthetic above
  transition_reveal(Day) + 
  coord_cartesian(clip = 'off') + 
  labs(title = 'Incident Counts by Day - AUG through DEC', y = 'Incident Count') + 
  theme_minimal() + 
  theme(plot.margin = margin(5.5, 40, 5.5, 5.5)) +
  theme(legend.position='none')
# Render the animation, then write it to disk
anim_save("incidentTS.gif", animation = animate(p))

Figure 1: Security incidents time series (animation: Incident Counts By Day)

One could reach conclusions such as:

  • Incident counts are above the median in all but August at the beginning of the month
  • In all but October there were noteworthy dips in security incidents on or about the 17th of the month

Were this real data specific to the environment you’re supporting you might adjust scheduling and staffing to account for a heavier work load at the beginning of the month, while potentially pushing scheduled time off to the middle of the month.

Cloud Provider Cybersecurity Framework (CSF) Attestation Comparison

For our second scenario, imagine you’re in the market for a cloud service provider, and you’re charged with conducting the utmost due diligence. It just so happens that The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) is “designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider. The CSA CCM provides a controls framework that gives detailed understanding of security concepts and principles that are aligned to tools including the Cybersecurity Framework.” The CSF is oriented towards the function areas Identify, Protect, Detect, Respond, and Recover. With a combination of cloud service provider data, as well as your own research, you gathered data to measure provider performance in each of the function areas over the period of a year. Your data is refined to a percentage of completeness towards each of the function areas for the twelve months of the year for your final two provider candidates. The code to create this visualization follows.

library(dplyr)
library(ggplot2)
library(gganimate)

# CloudProvidersCSF.csv columns used below: cldprvdr, month, control, result (fraction complete, 0-1)
cldprvdr_data <- read.csv("CloudProvidersCSF.csv") %>%
  mutate(control = factor(control, levels = c("Identify", "Protect", "Detect", "Respond", "Recover")))

# One colour per CSF function area
control_color <- c(
  "Identify" = "#1a9fde",
  "Protect" = "#e10b1f", 
  "Detect" = "#565656", 
  "Respond" = "#727272", 
  "Recover" = "#499533" 
)

cp_animated <- ggplot(cldprvdr_data, aes(x = control, y = result, fill = control)) +
  geom_hline(yintercept = 0.05, colour = "#D3D3D3", linetype = "dashed") +
  geom_col(position = "dodge") +                     # same as geom_bar(stat = "identity")
  # Uncomment to label each bar with its percentage
  #geom_text(aes(label = scales::percent(result), 
  #              y = result + 0.01),
  #          position = position_dodge(width = 0.9), 
  #          vjust = -0.5, size = 6, color = "black") +
  labs(title = "2018 CSF attestation per month: {closest_state}",
       subtitle = "Cyber Security Framework (CSF) results per Cloud Provider",
       caption = "CSF function areas: Identify, Protect, Detect, Respond, Recover",
       x = "", y = "") +
  theme_light(base_size = 16) +
  guides(fill = "none") +                            # guides(fill = FALSE) is deprecated in ggplot2 >= 3.3.4
  facet_grid(cldprvdr ~ .) +                         # one row of bars per provider
  scale_y_continuous(labels = scales::percent, limits = c(0, 1)) +
  scale_fill_manual(values = control_color) +
  # One state per month; hold each state three times as long as the transition between states
  transition_states(month, transition_length = 1, state_length = 3, wrap = FALSE) +
  ease_aes('quadratic-in-out')

# Render the animation first, then write the last rendered animation to disk
animate(cp_animated)
anim_save("CloudProvidersCSF.gif", animation = last_animation())

Visualized with gganimate for purposes of comparison, the data appears as in Figure 2.

Figure 2: Cloud providers CSF comparison

There’s a pretty clear conclusion to be reached from this visualization. Cloud Provider 2 certainly appears to be the more mature of the two, by at least 20% in every function area. A visualization of this nature could be very useful for vendor comparisons of many kinds, helping you make better informed decisions, particularly when large financial investments are involved.

Ten Years of Security Development Lifecycle Utilization

I’m personally fond of this last example, as I am both a proud advocate for the practice of a Security Development Lifecycle (SDL) and a believer that this level of performance measurement granularity can and should be achieved. I have to imagine that mature development environments with strong code management capabilities are able to achieve some semblance of this scenario. The premise of the data set is a ten year measurement period during which the development organizations, in aggregate, have tracked:

  • lines of code to measure code base growth and potential bloat
  • the number of bugs submitted or detected
  • the number of code regressions

Each of these is a valid and important measurement and KPI for development organizations, no matter what product is being developed. This data set represents measurements across multiple applications, built for all major platforms (Windows, Linux, Android, iOS, Mac), over the ten year period since the organization began using SDL. First, the code.

library(ggplot2)
library(gganimate)
library(tibble)

# SDL.csv columns used below: year, OS, apps, code (lines of code), bugs, regressions
data <- read.csv("SDL.csv")
sdl_data <- as_tibble(data)          # as_data_frame() is deprecated in tibble

options(scipen = 10000)              # keep axis labels out of scientific notation
if (!is.null(dev.list())) dev.off(which = dev.prev())  # close a stale graphics device, if one is open

sdl_animated <- ggplot(sdl_data, aes(bugs, regressions, size = code, colour = apps)) +
  geom_point(alpha = 0.7) +
  scale_colour_manual(values = rainbow(n = 142)) +  # one colour per app; must cover the number of distinct apps
  scale_size(range = c(2, 12)) +                    # point size tracks code base size
  scale_x_log10() +
  facet_wrap(~OS) +                                 # one pane per platform
  theme(legend.position = 'none') +
  labs(title = 'Year: {frame_time}', x = 'Bugs', y = 'Regressions', 
       subtitle = "Ten Years of SDL") +
  transition_time(year)                             # one frame per year, interpolated in between

# Render the animation, then write the last rendered animation to disk
animate(sdl_animated)
anim_save("SDL.gif", animation = last_animation())

The resulting visualization warrants a bit of explanation. The size of each node (application) in the five platform panes is indicative of the size of the application’s code base. The x axis represents the number of bugs filed and the y axis the number of regressions introduced, as seen in Figure 3.

Figure 3: Ten Years of SDL

A few observations:

  • The largest apps are found in the Windows groupings; you can watch their code size grow by small margins as the years progress, and while the bugs reported increase as expected with code growth, the regressions decline gradually
  • Linux apps tended to perform best over time: relatively stable with minor code growth, almost no increase in bugs over time, and some noteworthy declines in regressions
  • Only a very few apps, in the Windows and Linux collections, performed really well over time, with minimal bugs and regressions and a steady decrease in both, even with observable code growth
  • Most of the Android apps remain high in bugs and regressions until halfway through the decade, then decrease in regressions, but the largest app shows no improvement at all; it even worsens
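The observations above compare raw bug and regression counts, so a growing code base is expected to carry more bugs. Normalising by code size makes "improved" and "worsened" concrete: bugs per thousand lines of code, and the share of bugs that are regressions, tracked from the first to the last year. The following is an added example in Python, not the post's R code; the rows are constructed and are not the post's SDL.csv, with one app per platform whose trend mirrors the observations (the Android app gets worse).

```python
"""Normalised SDL KPIs from the three tracked measurements (lines of code,
bugs, regressions). Added example; the rows are constructed, not SDL.csv."""
from collections import defaultdict

# Constructed rows: (year, os, app, lines_of_code, bugs, regressions)
SAMPLE = [
    (2009, "Windows", "win-large", 1_000_000, 400, 80),
    (2013, "Windows", "win-large", 1_120_000, 430, 65),
    (2018, "Windows", "win-large", 1_250_000, 450, 50),
    (2009, "Android", "android-big", 300_000, 150, 30),
    (2013, "Android", "android-big", 310_000, 170, 40),
    (2018, "Android", "android-big", 320_000, 192, 48),
    (2009, "Linux", "linux-small", 50_000, 20, 5),
    (2013, "Linux", "linux-small", 55_000, 19, 4),
    (2018, "Linux", "linux-small", 60_000, 18, 3),
]


def bug_density(lines_of_code, bugs):
    """Bugs per thousand lines of code (KLOC)."""
    return bugs / (lines_of_code / 1000)


def regression_rate(bugs, regressions):
    """Share of filed bugs that were regressions (0 when no bugs were filed)."""
    return regressions / bugs if bugs else 0.0


def yearly_kpis(rows):
    """{app: {year: (bug_density, regression_rate)}}"""
    out = defaultdict(dict)
    for year, _os, app, loc, bugs, regs in rows:
        out[app][year] = (bug_density(loc, bugs), regression_rate(bugs, regs))
    return dict(out)


def trend(rows):
    """Change from the first to the last tracked year, per app:
    (delta bug density, delta regression rate). Negative means better."""
    result = {}
    for app, years in yearly_kpis(rows).items():
        first, last = years[min(years)], years[max(years)]
        result[app] = (last[0] - first[0], last[1] - first[1])
    return result


def worsening(rows):
    """Apps whose regression rate rose over the tracked period, sorted."""
    return sorted(app for app, (_dd, dr) in trend(rows).items() if dr > 0)


def by_platform(rows):
    """Platform-level regression rate per year (sum of regressions over sum
    of bugs), the figure each facet of the animation summarises visually."""
    bugs = defaultdict(int)
    regs = defaultdict(int)
    for year, os_, _app, _loc, b, r in rows:
        bugs[(os_, year)] += b
        regs[(os_, year)] += r
    return {k: regression_rate(bugs[k], regs[k]) for k in bugs}


if __name__ == "__main__":
    for app, (dd, dr) in trend(SAMPLE).items():
        print(f"{app:12s} density {dd:+.3f} bugs/KLOC, regression rate {dr:+.3f}")
    print("worsening:", worsening(SAMPLE))
```

The Windows app's raw bug count rises from 400 to 450 while its density falls from 0.40 to 0.36 bugs per KLOC, which is the distinction the first observation is making; the Android app is the only one whose regression rate climbs, so it is the only entry `worsening()` returns.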

While again this is artificial, manipulated data, I tried to cook it in such a manner as to produce likely outcomes that would be well observed with animated visualizations over time.
I do hope this has stimulated your thinking on these types of scenarios and, ideally, on the many additional opportunities to bring animation to your security data.

Each of these scripts and data sets are available for you on my GitHub, as is a Jupyter Notebook.
https://github.com/holisticinfosec/gganimate-Animate-YouR-Security-Analysis

I’d love to see what you come up with, please share them with me via social media, @holisticinfosec or email, russ at holisticinfosec dot io.

Cheers…until next time.

Russ McRee | @holisticinfosec 

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Microsoft Releases January 2019 Security Updates


Original release date: January 08, 2019

Microsoft has released updates to address multiple vulnerabilities in Microsoft software. A remote attacker could exploit one of these vulnerabilities to take control of an affected system.

The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), encourages users and administrators to review Microsoft’s January 2019 Security Update Summary and Deployment Information and apply the necessary updates.


This product is provided subject to this Notification and this Privacy & Use policy.

Microsoft January 2019 Patch Tuesday, (Tue, Jan 8th)


This month we got patches for 49 vulnerabilities in total. None of them has been exploited in the wild, and only one vulnerability was made public before today.

Particularly interesting is the vulnerability in the DHCP client. This could likely be exploited via a malicious DHCP server, for example in a public WiFi network. Microsoft assigned this vulnerability a CVSS base score of 9.8. 

We got a good number of vulnerabilities in the Jet Database Engine. Jet Database vulnerabilities are often exploitable via Office documents, but none of them is labeled critical. Only 8 vulnerabilities are labeled “Critical” this month; the majority of them affect web browsers, but there are also two critical code execution vulnerabilities in Hyper-V.

See Renato’s dashboard for a more detailed breakout: https://patchtuesdaydashboard.com

Description / CVE
(Columns: Disclosed, Exploited, Exploitability index for old versions / current version, Severity, CVSS Base (AVG), CVSS Temporal (AVG). "-" means no value was given.)

CVE / Advisory   Disclosed  Exploited  Exploitability (old)  Exploitability (current)  Severity   CVSS Base (AVG)  CVSS Temporal (AVG)

.NET Framework Information Disclosure Vulnerability
CVE-2019-0545    No         No         Less Likely           Less Likely               Important  -                -

ASP.NET Core Denial of Service Vulnerability
CVE-2019-0548    No         No         Less Likely           Less Likely               Important  -                -
CVE-2019-0564    No         No         -                     -                         Important  -                -

Chakra Scripting Engine Memory Corruption Vulnerability
CVE-2019-0539    No         No         -                     -                         Critical   4.2              3.8
CVE-2019-0567    No         No         -                     -                         Critical   4.2              3.8
CVE-2019-0568    No         No         -                     -                         Critical   4.2              3.8

January 2019 Adobe Flash Update
ADV190001        No         No         -                     -                         -          -                -

Jet Database Engine Remote Code Execution Vulnerability
CVE-2019-0538    No         No         Unlikely              Unlikely                  Important  7.8              7.0
CVE-2019-0575    No         No         Unlikely              Unlikely                  Important  7.8              7.0
CVE-2019-0576    No         No         Unlikely              Unlikely                  Important  7.8              7.0
CVE-2019-0577    No         No         Unlikely              Unlikely                  Important  7.8              7.0
CVE-2019-0578    No         No         Unlikely              Unlikely                  Important  7.8              7.0
CVE-2019-0579    Yes        No         Unlikely              Unlikely                  Important  7.8              7.0
CVE-2019-0580    No         No         Unlikely              Unlikely                  Important  7.8              7.0
CVE-2019-0581    No         No         Unlikely              Unlikely                  Important  7.8              7.0
CVE-2019-0582    No         No         Unlikely              Unlikely                  Important  7.8              7.0
CVE-2019-0583    No         No         Unlikely              Unlikely                  Important  7.8              7.0
CVE-2019-0584    No         No         Unlikely              Unlikely                  Important  7.8              7.0

Latest Servicing Stack Updates
ADV990001        No         No         -                     -                         Critical   -                -

MSHTML Engine Remote Code Execution Vulnerability
CVE-2019-0541    No         No         More Likely           More Likely               Important  6.4              5.8

Microsoft Edge Elevation of Privilege Vulnerability
CVE-2019-0566    No         No         -                     -                         Important  4.3              3.9

Microsoft Edge Memory Corruption Vulnerability
CVE-2019-0565    No         No         -                     -                         Critical   4.2              3.8

Microsoft Exchange Information Disclosure Vulnerability
CVE-2019-0588    No         No         Less Likely           Less Likely               Important  -                -

Microsoft Exchange Memory Corruption Vulnerability
CVE-2019-0586    No         No         More Likely           More Likely               Important  -                -

Microsoft Office Information Disclosure Vulnerability
CVE-2019-0560    No         No         Less Likely           Less Likely               Important  -                -

Microsoft Office SharePoint XSS Vulnerability
CVE-2019-0556    No         No         -                     -                         Important  -                -
CVE-2019-0557    No         No         -                     -                         Important  -                -
CVE-2019-0558    No         No         Less Likely           Less Likely               Important  -                -

Microsoft Outlook Information Disclosure Vulnerability
CVE-2019-0559    No         No         Less Likely           Less Likely               Important  -                -

Microsoft SharePoint Elevation of Privilege Vulnerability
CVE-2019-0562    No         No         Less Likely           Less Likely               Important  -                -

Microsoft Visual Studio Information Disclosure Vulnerability
CVE-2019-0537    No         No         Less Likely           Less Likely               Important  -                -

Microsoft Windows Elevation of Privilege Vulnerability
CVE-2019-0543    No         No         More Likely           More Likely               Important  7.8              7.8

Microsoft Word Information Disclosure Vulnerability
CVE-2019-0561    No         No         Less Likely           Less Likely               Important  -                -

Microsoft Word Remote Code Execution Vulnerability
CVE-2019-0585    No         No         Less Likely           Less Likely               Important  -                -

Microsoft XmlDocument Elevation of Privilege Vulnerability
CVE-2019-0555    No         No         More Likely           More Likely               Important  7.0              6.3

Skype for Android Elevation of Privilege Vulnerability
CVE-2019-0622    No         No         Less Likely           Less Likely               Moderate   -                -

Visual Studio Remote Code Execution Vulnerability
CVE-2019-0546    No         No         Less Likely           Less Likely               Moderate   -                -

Windows COM Elevation of Privilege Vulnerability
CVE-2019-0552    No         No         More Likely           More Likely               Important  7.0              6.3

Windows DHCP Client Remote Code Execution Vulnerability
CVE-2019-0547    No         No         -                     -                         Critical   9.8              8.8

Windows Data Sharing Service Elevation of Privilege Vulnerability
CVE-2019-0571    No         No         Less Likely           Less Likely               Important  7.8              7.8
CVE-2019-0572    No         No         More Likely           More Likely               Important  7.8              7.8
CVE-2019-0573    No         No         More Likely           More Likely               Important  7.8              7.8
CVE-2019-0574    No         No         More Likely           More Likely               Important  7.8              7.8

Windows Hyper-V Remote Code Execution Vulnerability
CVE-2019-0550    No         No         Less Likely           Less Likely               Critical   7.6              6.8
CVE-2019-0551    No         No         Less Likely           Less Likely               Critical   7.6              6.8

Windows Kernel Information Disclosure Vulnerability
CVE-2019-0536    No         No         Less Likely           Less Likely               Important  4.7              4.2
CVE-2019-0549    No         No         Less Likely           Less Likely               Important  4.7              4.2
CVE-2019-0554    No         No         Less Likely           Less Likely               Important  4.7              4.2
CVE-2019-0569    No         No         More Likely           More Likely               Important  5.5              5.5

Windows Runtime Elevation of Privilege Vulnerability
CVE-2019-0570    No         No         Less Likely           Less Likely               Important  7.8              7.8

Windows Subsystem for Linux Information Disclosure Vulnerability
CVE-2019-0553    No         No         Less Likely           Less Likely               Important  4.7              4.2
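The table gives you what Microsoft's summary gives you per CVE: disclosure and exploitation state, exploitability index, severity and CVSS. What a deployment queue needs is an ordering. The following is an added example in Python, not ISC's code and not how the dashboard linked above is built: it parses rows in the table's layout and ranks them, exploited in the wild first, then publicly disclosed, then Critical, then "More Likely" exploitability, with ties broken by CVSS base score. The embedded rows are a subset transcribed from the table above; the tier weights are an assumption for illustration, not Microsoft's guidance.

```python
"""Triage a Patch Tuesday summary: parse rows in the table's layout and order
them for deployment. Added example; the ranking tiers are an assumption."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Subset of rows transcribed from the table above. A description line
# precedes each group of CVE/advisory rows, exactly as in the table.
TABLE = """\
Chakra Scripting Engine Memory Corruption Vulnerability
CVE-2019-0539 No No Critical 4.2 3.8
Jet Database Engine Remote Code Execution Vulnerability
CVE-2019-0578 No No Unlikely Unlikely Important 7.8 7.0
CVE-2019-0579 Yes No Unlikely Unlikely Important 7.8 7.0
Latest Servicing Stack Updates
ADV990001 No No Critical
MSHTML Engine Remote Code Execution Vulnerability
CVE-2019-0541 No No More Likely More Likely Important 6.4 5.8
Microsoft Exchange Memory Corruption Vulnerability
CVE-2019-0586 No No More Likely More Likely Important
Microsoft Windows Elevation of Privilege Vulnerability
CVE-2019-0543 No No More Likely More Likely Important 7.8 7.8
Windows DHCP Client Remote Code Execution Vulnerability
CVE-2019-0547 No No Critical 9.8 8.8
Windows Hyper-V Remote Code Execution Vulnerability
CVE-2019-0550 No No Less Likely Less Likely Critical 7.6 6.8
Windows Kernel Information Disclosure Vulnerability
CVE-2019-0536 No No Less Likely Less Likely Important 4.7 4.2
"""

# id, disclosed, exploited, optional exploitability pair, optional severity,
# optional CVSS base/temporal pair; anything that does not match is a title.
ROW = re.compile(
    r"^(?P<id>CVE-\d{4}-\d+|ADV\d+)\s+(?P<disclosed>Yes|No)\s+(?P<exploited>Yes|No)"
    r"(?:\s+(?P<xold>Unlikely|Less Likely|More Likely)"
    r"\s+(?P<xcur>Unlikely|Less Likely|More Likely))?"
    r"(?:\s+(?P<severity>Critical|Important|Moderate|Low))?"
    r"(?:\s+(?P<base>\d+\.\d)\s+(?P<temporal>\d+\.\d))?\s*$"
)


@dataclass
class Entry:
    id: str
    title: str
    disclosed: bool
    exploited: bool
    exploitability: Optional[str]   # current-version exploitability index
    severity: Optional[str]
    base: Optional[float]
    temporal: Optional[float]


def parse(table: str) -> List[Entry]:
    """Turn the table text into Entry records, carrying each description
    line forward onto the rows that follow it."""
    entries, title = [], ""
    for line in table.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW.match(line)
        if not m:
            title = line
            continue
        entries.append(Entry(
            m["id"], title, m["disclosed"] == "Yes", m["exploited"] == "Yes",
            m["xcur"], m["severity"],
            float(m["base"]) if m["base"] else None,
            float(m["temporal"]) if m["temporal"] else None))
    return entries


def priority(e: Entry) -> tuple:
    """Sort key; lower sorts first. Tiers: exploited, disclosed, Critical,
    'More Likely' exploitability, everything else; then CVSS base descending."""
    tier = 4
    if e.exploited:
        tier = 0
    elif e.disclosed:
        tier = 1
    elif e.severity == "Critical":
        tier = 2
    elif e.exploitability == "More Likely":
        tier = 3
    return (tier, -(e.base or 0.0), e.id)


def triage(table: str) -> List[Entry]:
    """Parsed entries in deployment order."""
    return sorted(parse(table), key=priority)


if __name__ == "__main__":
    for e in triage(TABLE):
        print(f"{e.id:14s} {e.severity or '-':9s} {e.base or '-':>4} {e.title}")
```

On this subset the publicly disclosed Jet bug (CVE-2019-0579) sorts first, ahead of the 9.8 DHCP client bug, because public details shorten the attacker's lead time more than a score does; adjust `priority()` if your environment weighs that differently. Note that the servicing stack update (ADV990001) has no CVSS score and falls to the bottom of the Critical tier, yet it is a prerequisite for installing the other updates and belongs at the front of the queue regardless of rank.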


Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute


Adobe Releases Security Updates


Original release date: January 08, 2019

Adobe has released security updates to address vulnerabilities in Adobe Connect and Adobe Digital Editions. An attacker could exploit one of these vulnerabilities to take control of an affected system.

The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), encourages users and administrators to review Adobe Security Advisories APSB19-05 and APSB19-04, and apply the necessary updates.



The PowerShell-Docs repo is moving


On January 16, 2019 at 5:00PM PDT, the PowerShell-Docs repositories are moving from the PowerShell
organization to the MicrosoftDocs organization in GitHub.

The tools we use to build the documentation are designed to work in the MicrosoftDocs org. Moving
the repository lets us build the foundation for future improvements in our documentation experience.

Impact of the move

During the move there may be some downtime. The affected repositories will be inaccessible during
the move process. Also, the documentation processes will be paused. After the move, we need to test
access permissions and automation scripts.

After these tasks are complete, access and operations will return to normal. GitHub automatically
redirects requests to the old repo URL to the new location.

For more information about transferring repositories in GitHub,
see About repository transfers.

  • If the transferred repository has any forks, then those forks will remain associated with the
    repository after the transfer is complete.
  • All Git information about commits, including contributions, are preserved.
  • All of the issues and pull requests remain intact when transferring a repository.
  • All links to the previous repository location are automatically redirected to the new location.

When you use git clone, git fetch, or git push on a transferred repository, these commands will
redirect to the new repository location or URL.

However, to avoid confusion, we strongly recommend updating any existing local clones to point to
the new repository URL. You can do this by using git remote on the command line:

git remote set-url origin new_url

For more information, see Changing a remote’s URL.

Which repositories are being moved?

The following repositories are being transferred:

  • PowerShell/PowerShell-Docs
  • PowerShell/powerShell-Docs.cs-cz
  • PowerShell/powerShell-Docs.de-de
  • PowerShell/powerShell-Docs.es-es
  • PowerShell/powerShell-Docs.fr-fr
  • PowerShell/powerShell-Docs.hu-hu
  • PowerShell/powerShell-Docs.it-it
  • PowerShell/powerShell-Docs.ja-jp
  • PowerShell/powerShell-Docs.ko-kr
  • PowerShell/powerShell-Docs.nl-nl
  • PowerShell/powerShell-Docs.pl-pl
  • PowerShell/powerShell-Docs.pt-br
  • PowerShell/powerShell-Docs.pt-pt
  • PowerShell/powerShell-Docs.ru-ru
  • PowerShell/powerShell-Docs.sv-se
  • PowerShell/powerShell-Docs.tr-tr
  • PowerShell/powerShell-Docs.zh-cn
  • PowerShell/powerShell-Docs.zh-tw

Call to action

If you have a fork that you cloned, change your remote configuration to point to the new upstream URL.

Help us make the documentation better.

  • Submit issues when you find a problem in the docs.
  • Suggest fixes to documentation by submitting changes through the PR process.


Sean Wheeler
Senior Content Developer for PowerShell
https://github.com/sdwheeler