Category Archives: Security

Why yq? Adventures in XML, (Thu, May 16th)

This post was originally published on this site

I was recently asked to <ahem> "recover" a RADIUS key from a Microsoft NPS server.  No problem I think, just export the config and it's all there in clear text right?

… yes, sort of …

The XML file that gets output is of course perfect XML, but that doesn't mean it's easy to read for a human, it's as scrambled as my weekend eggs.  I got my answer, but then of course started to look for a way to get the answer in an easier way, something I could document and hand off to my client.  In other words, I started on the quest for a "jq" like tool for XML.  Often security work involves taking input in one text format and converting it to something that's human readable, or more easily parsed by the next tool in the pipeline.  (see below)

XMLLint is a pretty standard one that's in Linux, you can get it by installing libxml2.  Kali has it installed by default – usage is very straightforward:

xmllint < file.xml

or

cat file.xml | xmllint

There are a bunch of output options, but because it's not-so windows friendly I didn't dig to far – run man xmllint or browse here: https://gnome.pages.gitlab.gnome.org/libxml2/xmllint.html  if you need more than the basics on this.

However, finding something like this for Windows turned into an adventure, there's a port of xmllint for Windows but it's in that 10-year age range that makes me a bit leary to install it.  With a bit of googling I found yq.

This is a standalone install on most Linux distro's (sudo apt-get install yq or whatever), and has a few standard install methods for windows:

  • you can just download the binary and put it in your path
  • choco install yq
  • winget install –id MikeFarah.yq

yq is written to mimic jq like you'd expect from the name, but will take json, yaml, xml, csv and tsv files.  It's not as feature-heavy as jq, but it's got enough, and let's face it, most of us use these for pretty print output, so that we can grep against that anyway.
I especially liked it for today's problem because I can adjust the indent, since the NPS XML export has a fairly deep heirarchy I went with an indent of 1:

type nps-export.xml | yq --input-format xml --output-format xml --indent 1 > pretty.xml

A quick peek at the file found me my answwer in the pretty (and grep-able) format that I wanted.  A typical RADIUS Client section looks lke:

 <Clients name="Clients">
  <Children>
   <DEVICE name="DEVICENAME">
    <Properties>
     <Client_ _Template_Guid="_Template_Guid" xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string">{00000000-0000-0000-0000-000000000000}</Client_>
     <IP_Address xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string">IP.Address.Goes.Here</IP_Address>
     <NAS_Manufacturer xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="int">0</NAS_Manufacturer>
     <Opaque_Data xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string"></Opaque_Data>
     <Radius_Client_Enabled xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="boolean">1</Radius_Client_Enabled>
     <Require_Signature xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="boolean">0</Require_Signature>
     <Shared_Secret xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string">SuperSecretSharedKeyGoesHere</Shared_Secret>
     <Template_Guid xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string">{1A1917B8-D2C0-43B3-8144-FAE167CE9316}</Template_Guid>
    </Properties>

Or I could dump all the shared secrets with the associated IP Addresses with:

type pretty.xml | findstr "IP_Address Shared_Secret"

or

cat pretty.xml | grep 'IP_address|Shared_Secret'

After all that, I think I've found my go-to for text file conversions – in particular xml or yaml, especially in Windows ..

Full details on these two tools discussed:
https://github.com/mikefarah/yq
https://linux.die.net/man/1/xmllint

If you've got a different text formatter (or un-formatter), or if you've used xmllint or yq in an interesting way, please let us know about it in our comment form!

===============
Rob VandenBrink
rob@coherentsecurity.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Apple Patches Everything: macOS, iOS, iPadOS, watchOS, tvOS updated., (Tue, May 14th)

This post was originally published on this site

Apple today released updates for its various operating systems. The updates cover iOS, iPadOS, macOS, watchOS and tvOS. A standalone update for Safari was released for older versions of macOS. One already exploited vulnerability, CVE-2024-23296 is patched for older versions of macOS and iOS. In March, Apple patched this vulnerability for more recent versions of iOS and macOS.

DNS Suffixes on Windows, (Sun, May 12th)

This post was originally published on this site

I was asked if I could provide mote details on the following sentence from my diary entry "nslookup's Debug Options":

     (notice that in my nslookup query, I terminated the FQDN with a dot: "example.com.", I do that to prevent Windows from adding suffixes)

A DNS suffix is a configuration of the Windows DNS client (locally, via DHCP, …) to have it append suffixes when doing domain lookups.

For example, if a DNS suffix local is configured, then Windows' DNS client will not only do a DNS lookup for example.com, but also for example.com.local.

As an example, let me configure mylocalnetwork as a suffix on a Windows machine:

With DNS suffix mylocalnetwork configured, nslookup will use this suffix. For example, when I perform a lookup for "example.com", nslookup will also do a lookup for "example.com.mylocalnetwork".

I can show this with nslookup's debug option d2:

You can see in these screenshots DNS type A and AAAA resolutions for example.com.mylocalnetwork and example.com.

One of the ideas behind DNS suffixes, is to reduce typing. If you have a NAS, for example, named mynas, you can just access it with https://mynas/login. No need to type the fully qualified domain name (FQDN) https://mynas.mylocalnetwork/login.

Notice that the suffix also applies for AAAA queries, while in the screenshots above I only configured it for IPv4. That's because the DNS suffix setting applies both to IPv4 and IPv6:

Before I show the results with "example.com." (notice the dot character at the end), let me show how I can summarize the lookups by grepping for "example" (findstr):

If I terminate my DNS query with a dot character (.), suffixes will not be appended:

Notice that there are no resolutions for mylocalnetwork in this last example. That's because the trailing dot instructs Windows' DNS client to start resolving from the DNS root zone.

A domain name consists of domain labels separated by dots:

If you are adding a trailing dot, you are actually adding an empty domain label:

The empty label represents the DNS root zone, and no suffixes are appended to the DNS root zone, as it is the top-level (root) DNS zone.

A small tip if you want to restrict nslookup's resolutions to A records, for example. There is an option for that.

If you use nslookup's help option /?, you will see that you can provide options, but the actual options are not listed:

To see the available options, start nslookup, and then type "?" at its prompt, like this:

Now you can see that option "type" allows you to specify which type of records to query. Here is an example for A records:

 

Didier Stevens
Senior handler
blog.DidierStevens.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

#StopRansomware: Black Basta

This post was originally published on this site

SUMMARY

Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC) (hereafter referred to as the authoring organizations) are releasing this joint CSA to provide information on Black Basta, a ransomware variant whose actors have encrypted and stolen data from at least 12 out of 16 critical infrastructure sectors, including the Healthcare and Public Health (HPH) Sector.

This joint CSA provides TTPs and IOCs obtained from FBI investigations and third-party reporting. Black Basta is considered a ransomware-as-a-service (RaaS) variant and was first identified in April 2022. Black Basta affiliates have impacted a wide range of businesses and critical infrastructure in North America, Europe, and Australia. As of May 2024, Black Basta affiliates have impacted over 500 organizations globally.

Black Basta affiliates use common initial access techniques—such as phishing and exploiting known vulnerabilities—and then employ a double-extortion model, both encrypting systems and exfiltrating data. Ransom notes do not generally include an initial ransom demand or payment instructions. Instead, the notes provide victims with a unique code and instructs them to contact the ransomware group via a .onion URL (reachable through the Tor browser). Typically, the ransom notes give victims between 10 and 12 days to pay the ransom before the ransomware group publishes their data on the Black Basta TOR site, Basta News.

Healthcare organizations are attractive targets for cybercrime actors due to their size, technological dependence, access to personal health information, and unique impacts from patient care disruptions. The authoring organizations urge HPH Sector and all critical infrastructure organizations to apply the recommendations in the Mitigations section of this CSA to reduce the likelihood of compromise from Black Basta and other ransomware attacks. Victims of ransomware should report the incident to their local FBI field office or CISA (see the Reporting section for contact information).

Download the PDF version of this report:

TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 15. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK® tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Initial Access

Black Basta affiliates primarily use spearphishing [T1566] to obtain initial access. According to cybersecurity researchers, affiliates have also used Qakbot during initial access.[1]

Starting in February 2024, Black Basta affiliates began exploiting ConnectWise vulnerability CVE-2024-1709 [CWE-288] [T1190]. In some instances, affiliates have been observed abusing valid credentials [T1078].

Discovery and Execution

Black Basta affiliates use tools such as SoftPerfect network scanner (netscan.exe) to conduct network scanning. Cybersecurity researchers have observed affiliates conducting reconnaissance using utilities with innocuous file names such as Intel or Dell, left in the root drive C: [T1036].[1]

Lateral Movement

Black Basta affiliates use tools such as BITSAdmin and PsExec, along with Remote Desktop Protocol (RDP), for lateral movement. Some affiliates also use tools like Splashtop, Screen Connect, and Cobalt Strike beacons to assist with remote access and lateral movement.

Privilege Escalation and Lateral Movement

Black Basta affiliates use credential scraping tools like Mimikatz for privilege escalation. According to cybersecurity researchers, Black Basta affiliates have also exploited ZeroLogon (CVE-2020-1472, [CWE-330]), NoPac (CVE-2021-42278 [CWE-20] and CVE-2021-42287 [CWE-269]), and PrintNightmare (CVE-2021-34527, [CWE-269]) vulnerabilities for local and Windows Active Domain privilege escalation [T1068].[1],[2]

Exfiltration and Encryption

Black Basta affiliates use RClone to facilitate data exfiltration prior to encryption. Prior to exfiltration, cybersecurity researchers have observed Black Basta affiliates using PowerShell [T1059.001] to disable antivirus products, and in some instances, deploying a tool called Backstab, designed to disable endpoint detection and response (EDR) tooling [T1562.001].[3] Once antivirus programs are terminated, a ChaCha20 algorithm with an RSA-4096 public key fully encrypts files [T1486]. A .basta or otherwise random file extension is added to file names and a ransom note titled readme.txt is left on the compromised system.[4] To further inhibit system recovery, affiliates use the vssadmin.exe program to delete volume shadow copies [T1490].[5]

Leveraged Tools

See Table 1 for publicly available tools and applications used by Black Basta affiliates. This includes legitimate tools repurposed for their operations.

Disclaimer: Use of these tools and applications should not be attributed as malicious without analytical evidence to support threat actor use and/or control.

Table 1: Tools Used by Black Basta Affiliates
Tool Name Description
BITSAdmin A command-line utility that manages downloads/uploads between a client and server by using the Background Intelligent Transfer Service (BITS) to perform asynchronous file transfers.
Cobalt Strike A penetration testing tool used by security professions to test the security of networks and systems. Black Basta affiliates have used it to assist with lateral movement and file execution.
Mimikatz A tool that allows users to view and save authentication credentials such as Kerberos tickets. Black Basta affiliates have used it to aid in privilege escalation.
PSExec A tool designed to run programs and execute commands on remote systems.
PowerShell A cross-platform task automation solution made up of a command-line shell, a scripting language, and a configuration management framework, which runs on Windows, Linux, and macOS.
RClone A command line program used to sync files with cloud storage services such as Mega.
SoftPerfect A network scanner (netscan.exe) used to ping computers, scan ports, discover shared folders, and retrieve information about network devices via Windows Management Instrumentation (WMI), Simple Network Management Protocol (SNMP), HTTP, Secure Shell (SSH) and PowerShell. It also scans for remote services, registry, files, and performance counters. 
ScreenConnect Remote support, access, and meeting software that allows users to control devices remotely over the internet.
Splashtop Remote desktop software that allows remote access to devices for support, access, and collaboration.
WinSCP Windows Secure Copy is a free and open source SSH File Transfer Protocol, File Transfer Protocol, WebDAV, Amazon S3, and secure copy protocol client. Black Basta affiliates have used it to transfer data from a compromised network to actor-controlled accounts.

MITRE ATT&CK TACTICS AND TECHNIQUES

See Tables 2–6 for all referenced threat actor tactics and techniques in this advisory.

Table 2: Black Basta ATT&CK Techniques for Initial Access
Technique Title ID Use
Phishing T1566 Black Basta affiliates have used spearphishing emails to obtain initial access.
Exploit Public-Facing Application T1190 Black Basta affiliates have exploited ConnectWise vulnerability CVE-2024-1709 to obtain initial access.
Table 3: Black Basta ATT&CK Techniques for Privilege Escalation
Technique Title ID Use
Exploitation for Privilege Escalation T1068 Black Basta affiliates have used credential scraping tools like Mimikatz, Zerologon, NoPac and PrintNightmare for privilege escalation.
Table 4: Black Basta ATT&CK Techniques for Defense Evasion
Technique Title ID Use
Masquerading T1036 Black Basta affiliates have conducted reconnaissance using utilities with innocuous file names, such as Intel or Dell, to evade detection.
Impair Defenses: Disable or Modify Tools T1562.001

Black Basta affiliates have deployed a tool called Backstab to disable endpoint detection and response (EDR) tooling.

Black Basta affiliates have used PowerShell to disable antivirus products.

Table 5: Black Basta ATT&CK Techniques for Execution
Technique Title ID Use
Command and Scripting Interpreter: PowerShell T1059.001 Black Basta affiliates have used PowerShell to disable antivirus products.
Table 6: Black Basta ATT&CK Techniques for Impact
Technique Title ID Use
Inhibit System Recovery T1490 Black Basta affiliates have used the vssadmin.exe program to delete shadow copies. 
Data Encrypted for Impact T1486 Black Basta affiliates have used a public key to fully encrypt files. 

 

INDICATORS OF COMPROMISE

See Table 7 for IOCs obtained from FBI investigations.

Table 7: Malicious Files Associated with Black Basta Ransomware
Hash Description
0112e3b20872760dda5f658f6b546c85f126e803e27f0577b294f335ffa5a298 rclone.exe
d3683beca3a40574e5fd68d30451137e4a8bbaca8c428ebb781d565d6a70385e Winscp.exe
88c8b472108e0d79d16a1634499c1b45048a10a38ee799054414613cc9dccccc DLL
58ddbea084ce18cfb3439219ebcf2fc5c1605d2f6271610b1c7af77b8d0484bd DLL
39939eacfbc20a2607064994497e3e886c90cd97b25926478434f46c95bd8ead DLL
5b2178c7a0fd69ab00cef041f446e04098bbb397946eda3f6755f9d94d53c221 DLL
51eb749d6cbd08baf9d43c2f83abd9d4d86eb5206f62ba43b768251a98ce9d3e DLL
d15bfbc181aac8ce9faa05c2063ef4695c09b718596f43edc81ca02ef03110d1 DLL
5942143614d8ed34567ea472c2b819777edd25c00b3e1b13b1ae98d7f9e28d43 DLL
05ebae760340fe44362ab7c8f70b2d89d6c9ba9b9ee8a9f747b2f19d326c3431 DLL
a7b36482ba5bca7a143a795074c432ed627d6afa5bc64de97fa660faa852f1a6 DLL
86a4dd6be867846b251460d2a0874e6413589878d27f2c4482b54cec134cc737 DLL
07117c02a09410f47a326b52c7f17407e63ba5e6ff97277446efc75b862d2799 DLL
96339a7e87ffce6ced247feb9b4cb7c05b83ca315976a9522155bad726b8e5be ELF
1c1b2d7f790750d60a14bd661dae5c5565f00c6ca7d03d062adcecda807e1779 ELF
360c9c8f0a62010d455f35588ef27817ad35c715a5f291e43449ce6cb1986b98 ELF
0554eb2ffa3582b000d558b6950ec60e876f1259c41acff2eac47ab78a53e94a EXE
9a55f55886285eef7ffabdd55c0232d1458175b1d868c03d3e304ce7d98980bc EXE
62e63388953bb30669b403867a3ac2c8130332cf78133f7fd4a7f23cdc939087 EXE
7ad4324ea241782ea859af12094f89f9a182236542627e95b6416c8fb9757c59 EXE
350ba7fca67721c74385faff083914ecdd66ef107a765dfb7ac08b38d5c9c0bd EXE
90ba27750a04d1308115fa6a90f36503398a8f528c974c5adc07ae8a6cd630e7 EXE
fafaff3d665b26b5c057e64b4238980589deb0dff0501497ac50be1bc91b3e08 EXE
acb60f0dd19a9a26aaaefd3326db8c28f546b6b0182ed2dcc23170bcb0af6d8f EXE
d73f6e240766ddd6c3c16eff8db50794ab8ab95c6a616d4ab2bc96780f13464d EXE
f039eaaced72618eaba699d2985f9e10d252ac5fe85d609c217b45bc8c3614f4 EXE
723d1cf3d74fb3ce95a77ed9dff257a78c8af8e67a82963230dd073781074224 EXE
ae7c868713e1d02b4db60128c651eb1e3f6a33c02544cc4cb57c3aa6c6581b6e EXE
fff35c2da67eef6f1a10c585b427ac32e7f06f4e4460542207abcd62264e435f EXE
df5b004be71717362e6b1ad22072f9ee4113b95b5d78c496a90857977a9fb415 EXE
462bbb8fd7be98129aa73efa91e2d88fa9cafc7b47431b8227d1957f5d0c8ba7 EXE
3c50f6369f0938f42d47db29a1f398e754acb2a8d96fd4b366246ac2ccbe250a EXE
5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa EXE
37a5cd265f7f555f2fe320a68d70553b7aa9601981212921d1ac2c114e662004 EXE
3090a37e591554d7406107df87b3dc21bda059df0bc66244e8abef6a5678af35 EXE
17879ed48c2a2e324d4f5175112f51b75f4a8ab100b8833c82e6ddb7cd817f20 EXE
42f05f5d4a2617b7ae0bc601dd6c053bf974f9a337a8fcc51f9338b108811b78 EXE
882019d1024778e13841db975d5e60aaae1482fcf86ba669e819a68ce980d7d3 EXE
e28188e516db1bda9015c30de59a2e91996b67c2e2b44989a6b0f562577fd757 EXE
0a8297b274aeab986d6336b395b39b3af1bb00464cf5735d1ecdb506fef9098e EXE
69192821f8ce4561cf9c9cb494a133584179116cb2e7409bea3e18901a1ca944 EXE
3337a7a9ccdd06acdd6e3cf4af40d871172d0a0e96fc48787b574ac93689622a EXE
17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90 EXE
b32daf27aa392d26bdf5faafbaae6b21cd6c918d461ff59f548a73d447a96dd9 EXE

See Tables 8–11 for IOCs obtained from trusted third-party reporting.

Disclaimer: The authoring organizations recommend network defenders investigate or vet IP addresses prior to taking action, such as blocking, as many cyber actors are known to change IP addresses, sometimes daily, and some IP addresses may host valid domains.

Table 8: Network Indicators
IP Address Description
66.249.66[.]18 0gpw.588027fa.dns.realbumblebee[.]net, dns.trailshop[.]net, dns.artspathgroupe[.]net
66.249.66[.]18 my.2a91c002002.588027fa.dns.realbumblebee[.]net
66.249.66[.]18 fy9.39d9030e5d3a8e2352daae2f4cd3c417b36f64c6644a783b9629147a1.afd8b8a4615358e0313bad8c544a1af0d8efcec0e8056c2c8eee96c7.b06d1825c0247387e38851b06be0272b0bd619b7c9636bc17b09aa70.a46890f27.588027fa.dns.realbumblebee[.]net
95.181.173[.]227 adslsdfdsfmo[.]world
  fy9.36c44903529fa273afff3c9b7ef323432e223d22ae1d625c4a3957d57.015c16eff32356bf566c4fd3590c6ff9b2f6e8c587444ecbfc4bcae7.f71995aff9e6f22f8daffe9d2ad9050abc928b8f93bb0d42682fd3c3.445de2118.588027fa.dns.realbumblebee[.]net
207.126.152[.]242 xkpal.d6597fa.dns.blocktoday.net
nuher.3577125d2a75f6a277fc5714ff536c5c6af5283d928a66daad6825b9a.7aaf8bba88534e88ec89251c57b01b322c7f52c7f1a5338930ae2a50.cbb47411f60fe58f76cf79d300c03bdecfb9e83379f59d80b8494951.e10c20f77.7fcc0eb6.dns.blocktoday[.]net
72.14.196[.]50 .rasapool[.]net, dns.trailshop[.]net
72.14.196[.]192 .rasapool[.]net
72.14.196[.]2 .rasapool[.]net
72.14.196[.]226 .rasapool[.]net
46.161.27[.]151  
207.126.152[.]242 nuher.1d67bbcf4.456d87aa6.2d84dfba.dns.specialdrills[.]com
185.219.221[.]136  
64.176.219[.]106  
5.78.115[.]67 your-server[.]de
207.126.152[.]242 xkpal.1a4a64b6.dns.blocktoday[.]net
46.8.16[.]77  
185.7.214[.]79 VPN Server
185.220.100[.]240 Tor exit
107.189.30[.]69 Tor exit
5.183.130[.]92  
185.220.101[.]149 Tor exit
188.130.218[.]39  
188.130.137[.]181  
46.8.10[.]134  
155.138.246[.]122  
80.239.207[.]200 winklen[.]ch
183.181.86[.]147 Xserver[.]jp
34.149.120[.]3  
104.21.40[.]72  
34.250.161[.]149  
88.198.198[.]90 your-server[.]de; literoved[.]ru
151.101.130[.]159  
35.244.153[.]44  
35.212.86[.]55  
34.251.163[.]236  
34.160.81[.]203  
34.149.36[.]179  
104.21.26[.]145  
83.243.40[.]10  
35.227.194[.]51  
35.190.31[.]54  
34.120.190[.]48  
116.203.186[.]178  
34.160.17[.]71  
Table 9: File Indicators
Filename Hash
C:UsersPublicAudioJun.exe b6a4f4097367d9c124f51154d8750ea036a812d5badde0baf9c5f183bb53dd24
C:UsersPublicAudioesx.zip  
C:UsersPublicAudio7zG.exe f21240e0bf9f0a391d514e34d4fa24ecb997d939379d2260ebce7c693e55f061
C:UsersPublicAudio7z.dll  
C:UsersPublicdb_Usr.sql 8501e14ee6ee142122746333b936c9ab0fc541328f37b5612b6804e6cdc2c2c6
C:UsersPublicAudiodb_Usr.sql  
C:UsersPublicAudiohv2.ps1  
C:UsersPublic7zG.exe  
C:UsersPublic7z.dll  
C:UsersPublicBitLogic.dll  
C:UsersPublicNetApp.exe 4c897334e6391e7a2fa3cbcbf773d5a4
C:UsersPublicDataSoft.exe 2642ec377c0cee3235571832cb472870
C:UsersPublicBitData.exe b3fe23dd4701ed00d79c03043b0b952e
C:UsersPublicDigitalText.dll  
C:UsersPublicGeniusMesh.exe  
DeviceMup{redacted}C$UsersPublicMusicPROCEXP.sys  
DeviceMup{redacted}C$UsersPublicMusicDumpNParse86.exe  
DeviceMup{redacted}C$UsersPublicMusicPOSTDump.exe  
DeviceMup{redacted}C$UsersPublicMusicDumpNParse.exe  
C:UsersPublicsocksps.ps1  
C:UsersPublicThief.exe 034b5fe047920b2ae9493451623633b14a85176f5eea0c7aadc110ea1730ee79

C:UsersAll Users{redacted}GWT.ps1

C:Program FilesMonitorITGWT.ps1

8C68B2A794BA3D148CAE91BDF9C8D357289752A94118B5558418A36D95A5A45F

Winx86.exe 

Comment: alias for cmd.exe

 
C:UsersPubliceucr.exe 3c65da7f7bfdaf9acc6445abbedd9c4e927d37bb9e3629f34afc338058680407
C:WindowsDS_c1.dll 808c96cb90b7de7792a827c6946ff48123802959635a23bf9d98478ae6a259f9
C:WindowsDS_c1.dll 3a8fc07cadc08eeb8be342452636a754158403c3d4ebff379a4ae66f8298d9a6
C:WindowsDS_c1.dll 4ac69411ed124da06ad66ee8bfbcea2f593b5b199a2c38496e1ee24f9d04f34a
C:WindowsDS_c1.dll 819cb9bcf62be7666db5666a693524070b0df589c58309b067191b30480b0c3a
C:WindowsDS_c1.dll c26a5cb62a78c467cc6b6867c7093fbb7b1a96d92121d4d6c3f0557ef9c881e0
C:WindowsDS_c1.dll d503090431fdd99c9df3451d9b73c5737c79eda6eb80c148b8dc71e84623401f
*instructions_read_me.txt  
Table 10: Known Black Basta Cobalt Strike Domains
Domain Date/Time (UTC)/Time (UTC)
trailshop[.]net 5/8/2024 6:37
realbumblebee[.]net 5/8/2024 6:37
recentbee[.]net 5/8/2024 6:37
investrealtydom[.]net 5/8/2024 6:37
webnubee[.]com 5/8/2024 6:37
artspathgroup[.]net 5/8/2024 6:37
buyblocknow[.]com 5/8/2024 6:37
currentbee[.]net 5/8/2024 6:37
modernbeem[.]net 5/8/2024 6:37
startupbusiness24[.]net 5/8/2024 6:37
magentoengineers[.]com 5/8/2024 6:37
childrensdolls[.]com 5/8/2024 6:37
myfinancialexperts[.]com 5/8/2024 6:37
limitedtoday[.]com 5/8/2024 6:37
kekeoamigo[.]com 5/8/2024 6:37
nebraska-lawyers[.]com 5/8/2024 6:37
tomlawcenter[.]com 5/8/2024 6:37
thesmartcloudusa[.]com 5/8/2024 6:37
rasapool[.]net 5/8/2024 6:37
artspathgroupe[.]net 5/8/2024 6:37
specialdrills[.]com 5/8/2024 6:37
thetrailbig[.]net 5/8/2024 6:37
consulheartinc[.]com 3/22/2024 15:35
otxcosmeticscare[.]com 3/15/2024 10:14
otxcarecosmetics[.]com 3/15/2024 10:14
artstrailman[.]com 3/15/2024 10:14
ontexcare[.]com 3/15/2024 10:14
trackgroup[.]net 3/15/2024 10:14
businessprofessionalllc[.]com 3/15/2024 10:14
securecloudmanage[.]com 3/7/2024 10:42
oneblackwood[.]com 3/7/2024 10:42
buygreenstudio[.]com 3/7/2024 10:42
startupbuss[.]com 3/7/2024 10:42
onedogsclub[.]com 3/4/2024 18:26
wipresolutions[.]com 3/4/2024 18:26
recentbeelive[.]com 3/4/2024 18:26
trailcocompany[.]com 3/4/2024 18:26
trailcosolutions[.]com 3/4/2024 18:26
artstrailreviews[.]com 3/4/2024 18:26
usaglobalnews[.]com 2/15/2024 5:56
topglobaltv[.]com 2/15/2024 5:56
startupmartec[.]net 2/15/2024 5:56
technologgies[.]com 1/2/2024 18:16
jenshol[.]com 1/2/2024 18:16
simorten[.]com 1/2/2024 18:16
investmentgblog[.]net 1/2/2024 18:16
protectionek[.]com 1/2/2024 18:16
Table 11: Suspected Black Basta Domains
airbusco[.]net
allcompanycenter[.]com
animalsfast[.]net
audsystemecll[.]net
auuditoe[.]com
bluenetworking[.]net
brendonline[.]com
businesforhome[.]com
caspercan[.]com
clearsystemwo[.]net
cloudworldst[.]net
constrtionfirst[.]com
erihudeg[.]com
garbagemoval[.]com
gartenlofti[.]com
getfnewsolutions[.]com
getfnewssolutions[.]com
investmendvisor[.]net
investmentrealtyhp[.]net
ionoslaba[.]com
jessvisser[.]com
karmafisker[.]com
kolinileas[.]com
maluisepaul[.]com
masterunix[.]net
monitor-websystem[.]net
monitorsystem[.]net
mytrailinvest[.]net
prettyanimals[.]net
reelsysmoona[.]net
seohomee[.]com
septcntr[.]com
softradar[.]net
startupbizaud[.]net
startuptechnologyw[.]net
steamteamdev[.]net
stockinvestlab[.]net
taskthebox[.]net
trailgroupl[.]net
treeauwin[.]net
unitedfrom[.]com
unougn[.]com
wardeli[.]com
welausystem[.]net
wellsystemte[.]net
withclier[.]com

MITIGATIONS

The authoring organizations recommend all critical infrastructure organizations implement the mitigations below to improve your organization’s cybersecurity posture based on Black Basta’s activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

The authoring organizations also recommend network defenders of HPH Sector and other critical infrastructure organizations to reference CISA’s Mitigation Guide: Healthcare and Public Health (HPH) Sector and HHS’s HPH Cybersecurity Performance Goals, which provide best practices to combat pervasive cyber threats against organizations. Recommendations include the following:

  • Asset Management and Security: Cybersecurity professionals should identify and understand all relationships or interdependencies, functionality of each asset, what it exposes, and what software is running to ensure critical data and systems are protected appropriately. HPH Sector organizations should ensure electronic PHI (ePHI) is protected and compliant with the Health Insurance Portability and Accountability Act (HIPAA). Organizations can complete asset inventories using active scans, passive processes, or a combination of both techniques.
  • Email Security and Phishing Prevention: Organizations should install modern anti-malware software and automatically update signatures where possible. For additional guidance, see CISA’s Enhance Email and Web Security Guide.
    • Check for embedded or spoofed hyperlinks: Validate the URL of the link matches the text of the link itself. This can be achieved by hovering your cursor over the link to view the URL of the website to be accessed.
  • Access Management: Phishing-resistant MFA completes the same process but removes ‘people’ from the equation to help thwart social engineering scams and targeted phishing attacks that may have been successful using traditional MFA. The two main forms of phishing-resistant MFA are FIDO/Web Authentication (WebAuthn) authentication and Public Key Infrastructure (PKI)-based authentication. Prioritize phishing-resistant MFA on accounts with the highest risk, such as privileged administrative accounts on key assets. For additional information on phishing-resistant MFA, see CISA’s Implementing Phishing-Resistant MFA Guide.
  • Vulnerability Management and Assessment: Once vulnerabilities are identified across your environment, evaluate and prioritize to appropriately deal with the posed risks according to your organization’s risk strategy. To assist with prioritization, it is essential to:
    • Map your assets to business-critical functions. For vulnerability remediation, prioritize assets that are most critical for ongoing operations or which, if affected, could impact your organization’s business continuity, sensitive PII (or PHI) security, reputation, or financial position.
    • Use threat intelligence information. For remediation, prioritize vulnerabilities actively exploited by threat actors. To assist, leverage CISA’s KEV Catalog and other threat intelligence feeds.
    • Leverage prioritization methodologies, ratings, and scores. The Common Vulnerability Scoring System (CVSS) assesses the technical severity of vulnerabilities. The Exploit Prediction Scoring System (EPSS) measures the likelihood of exploitation and can help with deciding which vulnerabilities to prioritize. CISA’s Stakeholder-Specific Vulnerability Categorization (SSVC) methodology leverages decision trees to prioritize relevant vulnerabilities into four decisions, Track, Track*, Attend, and Act based on exploitation status, technical impact, mission prevalence, and impacts to safety and public-wellbeing.

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, the authoring organizations recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The authoring organizations recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

  1. Select an ATT&CK technique described in this advisory (see Tables 2-6).
  2. Align your security technologies against the technique.
  3. Test your technologies against the technique.
  4. Analyze your detection and prevention technologies’ performance.
  5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
  6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

The authoring organizations recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

REFERENCES

  1. SentinelOne: Black Basta Ransomware | Attacks Deploy Custom EDR Evasion Tools Tied to FIN7 Threat Actor
  2. Trend Micro: Ransomware Spotlight – Black Basta
  3. Kroll: Black Basta – Technical Analysis
  4. Who Is Black Basta? (blackberry.com)
  5. Palo Alto Networks: Threat Assessment – Black Basta Ransomware

REPORTING

Your organization has no obligation to respond or provide information back to FBI in response to this joint CSA. If, after reviewing the information provided, your organization decides to provide information to FBI, reporting must be consistent with applicable state and federal laws.

FBI is interested in any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with threat actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.

Additional details of interest include: a targeted company point of contact, status and scope of infection, estimated loss, operational impact, transaction IDs, date of infection, date detected, initial attack vector, and host- and network-based indicators.

FBI, CISA, and HHS do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, FBI and CISA urge you to promptly report ransomware incidents to FBI’s Internet Crime Complain Center (IC3), a local FBI Field Office, or CISA via the agency’s Incident Reporting System or its 24/7 Operations Center (report@cisa.gov or by calling 1-844-Say-CISA [1-844-729-2472]).

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. FBI, CISA, HHS, and MS-ISAC do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by FBI, CISA, HHS, and MS-ISAC.

VERSION HISTORY

May 10, 2024: Initial version.

Analyzing Synology Disks on Linux, (Wed, May 8th)

This post was originally published on this site

Synology NAS solutions are popular devices. They are also used in many organizations. Their product range goes from small boxes with two disks (I’m not sure they still sell a single-disk enclosure today) up to monsters, rackable with plenty of disks. They offer multiple disk management options but rely on many open-source software (like most appliances). For example, there are no expensive hardware RAID controllers in the box. They use the good old “MD” (“multiple devices”) technology, managed with the well-known mdadm tool[1]. Synology NAS run a Linux distribution called DSM. This operating system has plenty of third-party tools but lacks pure forensics tools.

In a recent investigation, I had to investigate a NAS that was involved in a ransomware attack. Many files (backups) were deleted. The attacker just deleted some shared folders. The device had two drives configured in RAID0 (not the best solution I know but they lack storage capacity). The idea was to mount the file system (or at least have the block device) on a Linux host and run forensic tools, for example, photorec.

In such a situation, the biggest challenge will be to connect all the drivers to the analysis host! Here, I had only two drives but imagine that you are facing a bigger model with 5+ disks. In my case, I used two USB-C/SATA adapters to connect the drives. Besides the software RAID, Synology volumes also rely on LVM2 (“Logical Volume Manager”)[2]. In most distributions, the packages mdadm and lvm2 are available (for example on SIFT Workstation). Otherwise, just install them:

# apt install mdadm lvm2

Once you connect the disks (tip: add a label on them to replace them in the right order) to the analysis host, verify if they are properly detected:

# lsblk
NAME    MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
sda       8:0    0 465.8G  0 disk
|-sda1    8:1    0 464.8G  0 part  /
|-sda2    8:2    0     1K  0 part
`-sda5    8:5    0   975M  0 part  [SWAP]
sdb       8:16   0   3.6T  0 disk
|-sdb1    8:17   0     8G  0 part
|-sdb2    8:18   0     2G  0 part
`-sdb3    8:19   0   3.6T  0 part
sdc       8:32   0   3.6T  0 disk
|-sdc1    8:33   0   2.4G  0 part
|-sdc2    8:34   0     2G  0 part
`-sdc3    8:35   0   3.6T  0 part
sr0      11:0    1  1024M  0 rom

"sdb3" and "sdc3" are the NAS partitions used to store data (2 x 4TB in RAID0). The good news, the kernel will detect that these disks are part of a software RAID! You just need to rescan them and "re-assemble" the RAID:

# mdadm --assemble --readonly --scan --force --run 

Then, your data should be available via a /dev/md? device:

# cat /proc/mdstat
Personalities : [raid0]
md0 : active (read-only) raid0 sdb3[0] sdc3[1]
      7792588416 blocks super 1.2 64k chunks

unused devices: <none>

The next step is to detect how data are managed by the NAS. Synology provides a technology called SHR[3] that uses LVM:

# lvdisplay
  WARNING: PV /dev/md0 in VG vg1 is using an old PV header, modify the VG to update.
  --- Logical volume ---
  LV Path                /dev/vg1/syno_vg_reserved_area
  LV Name                syno_vg_reserved_area
  VG Name                vg1
  LV UUID                08g9nN-Etde-JFN9-tn3D-JPHS-pyoC-LkVZAI
  LV Write Access        read/write
  LV Creation host, time ,
  LV Status              NOT available
  LV Size                12.00 MiB
  Current LE             3
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto

  --- Logical volume ---
  LV Path                /dev/vg1/volume_1
  LV Name                volume_1
  VG Name                vg1
  LV UUID                fgjC0Y-mvx5-J5Qd-Us2k-Ppaz-KG5X-tgLxaX
  LV Write Access        read/write
  LV Creation host, time ,
  LV Status              NOT available
  LV Size                <7.26 TiB
  Current LE             1902336
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto

You can see that the NAS has only one volume created ("volume_1" is the default name in DSM).

From now on, you can use /dev/vg1/volume_1 in your investigations. Mount it, scan it, image it, etc…

[1] https://en.wikipedia.org/wiki/Mdadm
[2] https://en.wikipedia.org/wiki/Logical_Volume_Manager_(Linux)
[3] https://kb.synology.com/en-br/DSM/tutorial/What_is_Synology_Hybrid_RAID_SHR

Xavier Mertens (@xme)
Xameco
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Detecting XFinity/Comcast DNS Spoofing, (Mon, May 6th)

This post was originally published on this site

ISPs have a history of intercepting DNS. Often, DNS interception is done as part of a "value add" feature to block access to known malicious websites. Sometimes, users are directed to advertisements if they attempt to access a site that doesn't exist. There are two common techniques how DNS spoofing/interception is done:

  1. The ISP provides a recommended DNS server. This DNS server will filter requests to known malicious sites.
  2. The ISP intercepts all DNS requests, not just requests directed at the ISPs DNS server.

The first method is what I would consider a "recommended" or "best practice" method. The customer can use the ISP's DNS server, but traffic is left untouched if a customer selects a different recursive resolver. The problem with this approach is that malware sometimes alters the user's DNS settings.

Comcast, as part of its "Business Class" offer, provides a tool called "Security Edge". It is typically included for free as part of the service. Security Edge is supposed to interface with the customer's modem but can only do so for specific configurations. Part of the service is provided by DNS interception. Even if "Security Edge" is disabled in the customer's dashboard, DNS interception may still be active.

One issue with any filtering based on blocklists is false positives. In some cases, what constitutes a "malicious" hostname may not even be well defined. I could not find a definition on Comcast's website. But Bleeping Computer (www.bleepingcomputer.com) recently ended up on Comcast's "naughty list". I know all to well that it is easy for a website that covers security topics to end up on these lists. The Internet Storm Center website has been on lists like this before. Usually, sloppy signature-based checks will flag a site as malicious. An article may discuss a specific attack and quote strings triggering these signatures.

Comcast offers recursive resolvers to it's customers: 75.75.75.75, 75.75.76.76, 2001:558:feed:1 and 2001:558:feed:2. There are advantages to using your ISP's DNS servers. They are often faster as they are physically closer to your network, and you profit from responses cached by other users. My internal resolver is configured as a forwarding resolver, spreading queries among different well performing resolvers like Quad9, Cloudflare and Google.

So what happened to bleepingcomputer.com? When I wasn't able to resolve bleepingcomputer.com, I checked my DNS logs, and this entry stuck out:

broken trust chain resolving 'bleepingcomputer.com/A/IN': 8.8.8.8#53 

My resolver verifies DNSSEC. Suddenly, I could not verify DNSSEC, which is a good indication that either DNSSEC was misconfigured or someone was modifying DNS responses. Note that the response appeared to come from Google's name server (8.8.8.8).

My first step in debugging this problem was dnsviz.net, a website operated by Sandia National Laboratory. The site does a good job of visualizing DNSSEC and identifying configuration issues. Bleepingcomputer.com looked fine. Bleepingcomputer didn't use DNSSEC. So why the error? There was another error in my resolver's logs that shed some light on the issue:

no valid RRSIG resolving 'bleepingcomputer.com/DS/IN': 8.8.8.8#53

DNSSEC has to establish somehow if a particular site supports DNSSEC or not. The parent zone should offer an "NSEC3" record to identify zones that are not signed or not signed. DS records, also offered by the parent zone, verify the keys you may receive for a zone. If DNS is intercepted, the requests for these records may fail, indicating that something odd is happening.

So, someone was "playing" with DNS. And it affected various DNS servers I tried, not just Comcast or Google. Using "dig" to query the name servers directly, and skipping DNSSEC, I received a response:

8.8.8.8.53 > 10.64.10.10.4376: 35148 2/0/1 www.bleepingcomputer.com. A 192.73.243.24, www.bleepingcomputer.com. A 192.73.243.36 (85)

Usually, www.bleepingcomputer.com resolved to:

% dig +short www.bleepingcomputer.com
104.20.185.56
172.67.2.229
104.20.184.56

It took a bit of convincing, but I was able to pull up the web page at the wrong IP address:

screen shot of Comcast block page.

The problem with these warning pages is that you usually never see them. Even if you resolve the IP address, TLS will break the connection, and many sites employ strict transport security. As part of my Comcast business account, I can "brand" the page, but by default, it is hard to tell that this page was delivered by Comcast.

But how do we know if someone is interfering with DNS traffic? A simple check I am employing is to look for the DNS timing and compare the TTL values for different name servers.

(1) Check timing

Send the same query to multiple public recursive DNS servers. For example:

% dig www.bleepingcomputer.com @75.75.75.75

; <<>> DiG 9.10.6 <<>> www.bleepingcomputer.com @75.75.75.75
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8432
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.bleepingcomputer.com.    IN    A

;; ANSWER SECTION:
www.bleepingcomputer.com. 89    IN    A    104.20.185.56
www.bleepingcomputer.com. 89    IN    A    104.20.184.56
www.bleepingcomputer.com. 89    IN    A    172.67.2.229

;; Query time: 59 msec
;; SERVER: 75.75.75.75#53(75.75.75.75)
;; WHEN: Tue May 07 20:00:05 EDT 2024
;; MSG SIZE  rcvd: 101

Dig includes the "Query time" in its output. In this case, it was 59 msec. We expect a speedy time like this for Comcast's DNS server while connected to Comcast's network. But let's compare this to other servers:

8.8.8.8: 59 msec
1.1.1.1: 59 msec
9.9.9.9: 64 msec
11.11.11.11: 68 msec
113.113.113.113: 69 msec

The results are very consistent. In particular, the last one is interesting. This server is located in China. 

(2) check TTLs

A recursive resolver will add a response it receives from an authoritative DNS server to its cache. The TTL for records bulled from the cache will decrease with the time the response sits in the resolver's cache. If all responses come from the same resolver, the TTL should decrement consistently. This test is a bit less telling. Often, several servers are used, and with anycast, it is not always easy to tell which server the response comes from. These servers do not always have a consistent cache.

Final Words

DNS interception, even if well-meaning, does undermine some of the basic "internet trust issues". Even if it is used to block users from malicious sites, it needs to be properly declared to the user, and switches to turn it off will have to function. This could be a particular problem if queries to other DNS filtering services are intercepted. I have yet to test this for Comcast and, for example, OpenDNS.

 

 

 


Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.