This post was originally published on this site

Recently I was discussing Alert/Case management tools for SOCs. I started thinking about what were the key points I used when deciding. Depending on how big your SOC is, you will have different priorities for each point if you have customer SLA's and a turnover. But these are the things I look for, in no particular order.

• Open Source
• Alert and Case Management
• Artifact Enhancement
• Playbook/Work Flows
• Metrics

 

TheHive (1)

This has been my favorite tool for managing cases for a while. In the last year, it has gone to a pay model, if you use TheHive version 5. Support for 4 has stopped, but you can still use it. I did a quick look, and I didn't see anyone with a Forked version 4 supporting it. Metrics in version 3 could have been better, and in 5, they have improved. It also supports marking cases with ATT&C techniques. Elastalert has direct support for Hive, which is an excellent and easy way to get alerts from SecurityOnion into your case system. They use Cortex for enhancing artifact information, which has a great plugin architecture. Most people are familiar with TheHive, so I'll skip any screenshots. It's a great project, and if you have the money to allocate, I suggest supporting this project for your SOC.

 

DFIR-IRIS (2)

It is a robust system that can run as a docker and the database is Postgres. In the latest revisions, released this month, they have added support for alert tracking. Alerts can be fed into their system using their API (No Elastalert support yet..) You can convert alerts into cases easily. You can create case templates that contain playbooks for what to do. If you put your information in the right places, the generated report feature does a very nice readable report. They currently do not have predefined ATT&CK techniques, but you can tag most items you add in cases. This project is very active and doing a great job with adding features. They already have a full demo online to try (3), so go take a look! 

 

Alert queue

The alert queue was added in the latest release. There is an API to get alerts into the system. 

 

 

Case Management

 

At the top of the case, view is where you access the different parts of the case. Assets are where you list which assets are involved in the incident. Typically with TheHive, I would create a new task per device and put in the notes for each compromised asset. This is a nice feature to quickly see what is involved.

 

 

Notes Section

I've only messed around with the demo, but I'm unsure how to use the note section now. You can group things together nicely, but in real cases, I would have to see if the input fields from the tasks were not enough to meet the needs first.

 

 

Case Template/Playbooks

Creating templates is easy to do. These end up in the task area of the case, where they can be used to walk the responder through tasks for the case type.

 

 

You can add files to the case along with IOCs.

 

 

They do have some modules and enrichment, but only a little for now. A 3rd party module by SOCfortress will integrate with Cortex, giving you a ton of flexibility. (4)

 

 

There is at least one more alert manager I plan on covering in the future, but let me know what you are using and why you like it in the comments.

 

(1) https://thehive-project.org/

(2) https://dfir-iris.org/

(3)https://v200.beta.dfir-iris.org/welcome

(4)https://github.com/socfortress/iris-cortexanalyzer-module

 

 

—

Tom Webb

@tom_webb@infosec.exchange

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

This post was originally published on this site

Please let me know if you have any idea what they are trying to do here 🙂

I noticed today that our honeypots detected a few scans for Apache "Nifi." Nifi is a Java-based system that allows for the routing of data. It will enable you to select data from a source (let's say from a CSV file) and output it to a database. Numerous sources and destinations are supported. Dataflows are created via a web-based GUI. One critical use case of Apache Nifi is to prepare and import data into machine learning systems.

Today, I noticed a spike in requests for the URL "/nifi", the default URL used for the NiFi GUI.

Almost all the reports come from the same user-agent and IP address:

User-Agent: Go-http-client/1.1
Source IP: %%ip:109.207.200.43%%

The source IP, located in the Ukraine, has a history of scanning for various vulnerabilities, but nothing I would assign to a particular bot. Just "random" URLs like:

• /boaform/admin/formLogin
• blank.org:443

There are a couple other IPs and User-Agents used to scan for Nifi:

%%ip:65.154.226.171%% – Claiming to use headless chrome on Linux and Chrome on Windows. Reasonably recent versions so they may be real user agents.
%%ip:205.169.39.250%% – Claiming to use Chrome, but ancient versions so I assume these user agents are fake

Both of these IPs are part of Qwest/CenturyLink/Lumen. 65.154.226.171 at least used to be part of Paloalto.

But the real question: What are they looking for? Trying to steal data from badly secured NiFi installs? Poisoning ML data? cryptomining… ? There isn't a vulnerability that I would consider, other than bad configurations with no/weak/default passwords.

Let me know if you use NiFi, and if you have an idea what they may be looking for.

 

 

—
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

This post was originally published on this site

ABUS is usually better known for its "old-fashioned" mechanical locks. But as part of its b "Industry Solution" portfolio of products, ABUS is offering some more high-tech solutions, like, for example, network-connected cameras [1]. Sadly, these cameras suffer from some of the same vulnerabilities as many similar cameras.

In February, Peter Ohm disclosed a vulnerability affecting ABUS cameras on the full disclosure mailing list [2]. The disclosure includes three different vulnerabilities,

1 – Local File Inclusion

This vulnerability can be used to read arbitrary files:

cgi-bin/admin/fileread?READ.filePath=[filename]

 

2 – Remote command injection vulnerability

/cgi-bin/mft/wireless_mft?ap=irrelevant;[command]

This vulnerability allows for arbitrary command injection. Instead of a semicolon, an attacker could also use a pipe or a carriage return.

3 – Fixed "maintenance" account

The affected cameras use the following credentials for a built-in "maintenance" account.

manufacture erutcafunam

 

Among these vulnerabilities, the remote command execution vulnerability is the most interesting one. Yesterday, our sensor picked up exploit attempts consistent with this vulnerability:

/cgi-bin/mft/wireless_mft?ap=irrelevant;{payload}

I did not obfuscate the command. The attacker did not correctly expand the command parameter. Maybe they are using a Python "f-string" but forgot the leading "f"?

All the attacks originate from an unconfigured server (%%ip:45.95.147.229%%) in the Netherlands. This server has a history of attempts to exploit various common vulnerabilities.

But there is more…

Our web application honeypots have been around for a while, so we have some history to look back at. Similar exploit attempts are going back to 2015:

+------------+--------------------------------------------------------------------+
| date       | url                                                                |
+------------+--------------------------------------------------------------------+
| 2015-07-12 | /cgi-bin/mft/wireless_mft                                          |
| 2015-07-13 | /cgi-bin/mft/wireless_mft                                          |
| 2015-07-13 | /cgi-bin/mft/wireless_mft?ap=testname;cat%20/var/www/secret.passwd |
| 2021-12-13 | /cgi-bin/mft/wireless_mft?ap=travesti;id                           |
| 2021-12-13 | /cgi-bin/mft/wireless_mft?ap=travesti;ipconfig                     |
| 2021-12-17 | /cgi-bin/mft/wireless_mft?ap=travesti;id                           |
| 2021-12-17 | /cgi-bin/mft/wireless_mft?ap=travesti;ipconfig                     |
| 2022-01-22 | /cgi-bin/mft/wireless_mft?ap=travesti;id                           |
| 2022-01-22 | /cgi-bin/mft/wireless_mft?ap=travesti;ipconfig                     |
| 2023-05-20 | /cgi-bin/mft/wireless_mft                                          |
| 2023-05-21 | /cgi-bin/mft/wireless_mft?ap=irrelevant;{payload}                  |
+------------+--------------------------------------------------------------------+

Back in 2015, CORE security released a very similar vulnerability in "Air Live" cameras [3][4]. Searching further shows that this vulnerability was also found in 2013 Zavio IP Cameras [5]. 

So this appears to be one of these all too common "IoT" security issues: The same firmware/hardware is being resold under different brands, and once a vendor fixes the flaw does in no way guarantee that other vendors selling the same equipment will even bother to look if they are vulnerable as well. ABUS likely is just the sales organization feeling zero responsibility to check if what they are selling is remotely fit to be connected to a network.

As a user of such a camera, you must ensure that you keep your firmware up to date and avoid exposing these cameras to the internet. And as ABUS puts it: "KEEP AN EYE ON EVERYTHING.", most notably your vendors.

[1] https://mobil.abus.com/usa/Commercial-Security/Industry-solutions/Campus-Security
[2] https://seclists.org/fulldisclosure/2023/Feb/16
[3] https://seclists.org/fulldisclosure/2015/Jul/29
[4] http://camera.airlive.com/
[5] https://www.exploit-db.com/exploits/25815

—

Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

This post was originally published on this site

 

A reader contacted us (thank you, Scott) to share an interesting phishing email. We are always looking for fresh meat, don't hesitate to share your samples with us! I had a look at the EML file provided by Scott, and it looked indeed weird. 

When you open the mail in Outlook, it looks like this:

You could think that first reflex, this is a phishing campaign targeting Chinese people. If we look a bit deeper, we see that the document is lacking any "format" (paragraphs, carriage returns, …), and there are here and there "emoticons". This looks definitively like an encoding problem.

If you check the raw EML file, there is this piece of code at the beginning of the mail body:

<=00m=00e=00t=00a=00 =00h=00t=00t=00p=00-=00e=00q=00u=00i=00v=00=3D=00"=00C=
=00o=00n=00t=00e=00n=00t=00-=00T=00y=00p=00e=00"=00 =00c=00o=00n=00t=00e=00=
n=00t=00=3D=00"=00t=00e=00x=00t=00/=00h=00t=00m=00l=00;=00 =00c=00h=00a=00r=
=00s=00e=00t=00=3D=00u=00t=00f=00-=001=006=00"=00>=00<html><head><meta http=
-equiv=3D"Content-Type" content=3D"text/html; charset=3Dunicode">
=20
<meta http-equiv=3D"X-UA-Compatible" content=3D"IE=3Dedge"> <title></title>=
</head>=20
<body>

Export the body and open it in a text editor, you will get:

As you can see, the attacker messed up the encoding, and Outlook cannot display the mail body correctly. Here is what should be displayed:

Note that the attackers not only messed up with the encoding, they also messed up the variable replacement with correct values ("[EMail]", "[Date_short]", …).

The link points to a Java RAT stored on the Discord CDN[1]. The RAT connects to its C2 server via magicfinger[.]ddns[.]net

[1] https://bazaar.abuse.ch/sample/d7b24068f673031c8c27271bf36790f9468b8c27ec08c51a348fc08c34ff6881/

Xavier Mertens (@xme)
Xameco
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

This post was originally published on this site

Today, Apple released macOS, iOS, iPadOS, tvOS, watchOS, and Safari updates.

Three of the vulnerabilities are already exploited in the wild. Combining the three vulnerabilities, an attacker can gain complete system access as the user visits a malicious website. CVE-2023-32373 allows for arbitrary code execution as WebKit processes malicious content. CVE-2023-32409, in turn, enables breaking out of the web content sandbox, completing the full system compromise. The vulnerabilities are not indicated as "patched" for older versions of macOS, but they are covered in the Safari update, which applies the patch to older versions of macOS.

As usual, Apple's vulnerability descriptions are terse. As promised in a prior diary, I let ChatGPT "guess" the CVSS score for these updates. Let me know if you agree or not. The rating (moderate/important/critical) are mine. ChatGPT refused to provide a CVSS score for some vulnerabilities based on insufficient information. Let me know if you feel ChatGPT did ok or not (or if it is worthwhile keeping these ChatGPT CVSS scores or not)

Safari 16.5	watchOS 9.5	tvOS 16.5	iOS 16.5 and iPadOS 16.5	iOS 15.7.6 and iPadOS 15.7.6	macOS Big Sur 11.7.7	macOS Ventura 13.4	macOS Monterey 12.6.6
CVE-2023-32402 [moderate] ChatGPT-CVSS: 4.3 WebKit An out-of-bounds read was addressed with improved input validation. Processing web content may disclose sensitive information
x	x	x	x			x
CVE-2023-32423 [moderate] ChatGPT-CVSS: 5.3 WebKit A buffer overflow issue was addressed with improved memory handling. Processing web content may disclose sensitive information
x	x	x	x			x
CVE-2023-32409 [moderate] ChatGPT-CVSS: 8.8 *** EXPLOITED *** WebKit The issue was addressed with improved bounds checks. A remote attacker may be able to break out of Web Content sandbox. Apple is aware of a report that this issue may have been actively exploited.
x	x	x	x			x
CVE-2023-28204 [moderate] ChatGPT-CVSS: 7.5 *** EXPLOITED *** WebKit An out-of-bounds read was addressed with improved input validation. Processing web content may disclose sensitive information. Apple is aware of a report that this issue may have been actively exploited.
x	x	x	x	x		x
CVE-2023-32373 [critical] ChatGPT-CVSS: 8.8 *** EXPLOITED *** WebKit A use-after-free issue was addressed with improved memory management. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
x	x	x	x	x		x
CVE-2023-32388 [important] ChatGPT-CVSS: N/A Accessibility A privacy issue was addressed with improved private data redaction for log entries. An app may be able to bypass Privacy preferences
	x		x	x	x	x	x
CVE-2023-32400 [moderate] ChatGPT-CVSS: N/A Accessibility This issue was addressed with improved checks. Entitlements and privacy permissions granted to this app may be used by a malicious app
	x		x			x
CVE-2023-32399 [important] ChatGPT-CVSS: 4.3 Core Location The issue was addressed with improved handling of caches. An app may be able to read sensitive location information
	x	x	x			x
CVE-2023-28191 [important] ChatGPT-CVSS: N/A AppleEvents This issue was addressed with improved redaction of sensitive information. An app may be able to bypass Privacy preferences
	x	x	x		x	x	x
CVE-2023-32417 [moderate] ChatGPT-CVSS: 4.0 Face Gallery This issue was addressed by restricting options offered on a locked device. An attacker with physical access to a locked Apple Watch may be able to view user photos or contacts via accessibility features
	x
CVE-2023-32392 [important] ChatGPT-CVSS: 4.3 GeoServices A privacy issue was addressed with improved private data redaction for log entries. An app may be able to read sensitive location information
	x	x	x		x	x	x
CVE-2023-32372 [important] ChatGPT-CVSS: 5.3 ImageIO An out-of-bounds read was addressed with improved input validation. Processing an image may result in disclosure of process memory
	x	x	x			x
CVE-2023-32384 [critical] ChatGPT-CVSS: 7.8 ImageIO A buffer overflow was addressed with improved bounds checking. Processing an image may lead to arbitrary code execution
	x	x	x	x	x	x	x
CVE-2023-32354 [important] ChatGPT-CVSS: 7.5 IOSurfaceAccelerator An out-of-bounds read was addressed with improved input validation. An app may be able to disclose kernel memory
	x	x	x
CVE-2023-32420 [moderate] ChatGPT-CVSS: 7.5 IOSurfaceAccelerator An out-of-bounds read was addressed with improved input validation. An app may be able to cause unexpected system termination or read kernel memory
	x	x	x			x
CVE-2023-27930 [important] ChatGPT-CVSS: 8.8 Kernel A type confusion issue was addressed with improved checks. An app may be able to execute arbitrary code with kernel privileges
	x	x	x			x
CVE-2023-32398 [important] ChatGPT-CVSS: 8.8 Kernel A use-after-free issue was addressed with improved memory management. An app may be able to execute arbitrary code with kernel privileges
	x	x	x	x	x	x	x
CVE-2023-32413 [important] ChatGPT-CVSS: 8.8 Kernel A race condition was addressed with improved state handling. An app may be able to gain root privileges
	x	x	x	x	x	x	x
CVE-2023-32352 [important] ChatGPT-CVSS: 7.0 LaunchServices A logic issue was addressed with improved checks. An app may bypass Gatekeeper checks
	x		x		x	x	x
CVE-2023-32407 [important] ChatGPT-CVSS: N/A Metal A logic issue was addressed with improved state management. An app may be able to bypass Privacy preferences
	x	x	x	x	x	x	x
CVE-2023-32368 [important] ChatGPT-CVSS: 6.5 Model I/O An out-of-bounds read was addressed with improved input validation. Processing a 3D model may result in disclosure of process memory
	x	x	x			x	x
CVE-2023-32403 [important] ChatGPT-CVSS: 4.3 NetworkExtension This  issue was addressed with improved redaction of sensitive information. An app may be able to read sensitive location information
	x	x	x	x	x	x	x
CVE-2023-32390 [moderate] ChatGPT-CVSS: 4.3 Photos The issue was addressed with improved checks. Photos belonging to the Hidden Photos Album could be viewed without authentication through Visual Lookup
	x		x			x
CVE-2023-32357 [moderate] ChatGPT-CVSS: 7.0 Sandbox An authorization issue was addressed with improved state management. An app may be able to retain access to system configuration files even after its permission is revoked
	x	x	x		x	x	x
CVE-2023-32391 [moderate] ChatGPT-CVSS: N/A Shortcuts The issue was addressed with improved checks. A shortcut may be able to use sensitive data with certain actions without prompting the user
	x		x	x		x
CVE-2023-32404 [important] ChatGPT-CVSS: 6.2 Shortcuts This issue was addressed with improved entitlements. An app may be able to bypass Privacy preferences
	x		x			x
CVE-2023-32394 [moderate] ChatGPT-CVSS: 5.3 Siri The issue was addressed with improved checks. A person with physical access to a device may be able to view contact information from the lock screen
	x	x	x			x
CVE-2023-32376 [important] ChatGPT-CVSS: 7.0 StorageKit This issue was addressed with improved entitlements. An app may be able to modify protected parts of the file system
	x	x	x			x
CVE-2023-28202 [moderate] ChatGPT-CVSS: N/A System Settings This issue was addressed with improved state management. An app firewall setting may not take effect after exiting the Settings app
	x	x	x			x
CVE-2023-32412 [moderate] ChatGPT-CVSS: 7.8 Telephony A use-after-free issue was addressed with improved memory management. A remote attacker may be able to cause unexpected app termination or arbitrary code execution
	x	x	x	x	x	x	x
CVE-2023-32408 [important] ChatGPT-CVSS: 7.5 TV App The issue was addressed with improved handling of caches. An app may be able to read sensitive location information
	x	x	x	x		x	x
CVE-2023-32389 [important] ChatGPT-CVSS: 7.5 Wi-Fi This  issue was addressed with improved redaction of sensitive information. An app may be able to disclose kernel memory
	x	x	x			x
CVE-2023-32411 [important] ChatGPT-CVSS: 6.5 AppleMobileFileIntegrity This issue was addressed with improved entitlements. An app may be able to bypass Privacy preferences
		x	x		x	x	x
CVE-2023-32422 [moderate] ChatGPT-CVSS: 6.5 SQLite This issue was addressed by adding additional SQLite logging restrictions. An app may be able to access data from other apps by enabling additional SQLite logging
		x	x			x
CVE-2023-32415 [important] ChatGPT-CVSS: 5.3 Weather This  issue was addressed with improved redaction of sensitive information. An app may be able to read sensitive location information
		x	x			x
CVE-2023-32371 [important] ChatGPT-CVSS: 6.5 Associated Domains The issue was addressed with improved checks. An app may be able to break out of its sandbox
			x			x
CVE-2023-32419 [moderate] ChatGPT-CVSS: 8.8 Cellular The issue was addressed with improved bounds checks. A remote attacker may be able to cause arbitrary code execution
			x
CVE-2023-32385 [moderate] ChatGPT-CVSS: 4.3 PDFKit A denial-of-service issue was addressed with improved memory handling. Opening a PDF file may lead to unexpected app termination
			x			x
CVE-2023-32365 [moderate] ChatGPT-CVSS: N/A Photos The issue was addressed with improved checks. Shake-to-undo may allow a deleted photo to be re-surfaced without authentication
			x	x
CVE-2023-32367 [important] ChatGPT-CVSS: 7.5 Security This issue was addressed with improved entitlements. An app may be able to access user-sensitive data
			x			x
CVE-2023-23532 [important] ChatGPT-CVSS: 7.0 Apple Neural Engine This issue was addressed with improved checks. An app may be able to break out of its sandbox
				x
CVE-2023-28181 [important] ChatGPT-CVSS: 9.8 CoreCapture The issue was addressed with improved memory handling. An app may be able to execute arbitrary code with kernel privileges
				x	x
CVE-2023-32410 [important] ChatGPT-CVSS: 7.5 IOSurface An out-of-bounds read was addressed with improved input validation. An app may be able to leak sensitive kernel state
				x	x	x	x
CVE-2023-27940 [moderate] ChatGPT-CVSS: 4.0 Kernel The issue was addressed with additional permissions checks. A sandboxed app may be able to observe system-wide network connections
				x		x	x
CVE-2023-32397 [important] ChatGPT-CVSS: 6.5 Shell A logic issue was addressed with improved state management. An app may be able to modify protected parts of the file system
				x	x	x	x
CVE-2023-32386 [moderate] ChatGPT-CVSS: 5.0 Contacts A privacy issue was addressed with improved handling of temporary files. An app may be able to observe unprotected user data
					x	x	x
CVE-2023-32360 [moderate] ChatGPT-CVSS: 6.5 CUPS An authentication issue was addressed with improved state management. An unauthenticated user may be able to access recently printed documents
					x	x	x
CVE-2023-32387 [moderate] ChatGPT-CVSS: 8.8 dcerpc A use-after-free issue was addressed with improved memory management. A remote attacker may be able to cause unexpected app termination or arbitrary code execution
					x	x	x
CVE-2023-27945 [moderate] ChatGPT-CVSS: 4.3 Dev Tools This issue was addressed with improved entitlements. A sandboxed app may be able to collect system logs
					x		x
CVE-2023-32369 [important] ChatGPT-CVSS: 6.5 libxpc A logic issue was addressed with improved state management. An app may be able to modify protected parts of the file system
					x	x	x
CVE-2023-32405 [important] ChatGPT-CVSS: 7.8 libxpc A logic issue was addressed with improved checks. An app may be able to gain root privileges
					x	x	x
CVE-2023-32380 [critical] ChatGPT-CVSS: 8.8 Model I/O An out-of-bounds write issue was addressed with improved bounds checking. Processing a 3D model may lead to arbitrary code execution
					x	x	x
CVE-2023-32382 [important] ChatGPT-CVSS: 5.3 Model I/O An out-of-bounds read was addressed with improved input validation. Processing a 3D model may result in disclosure of process memory
					x	x	x
CVE-2023-32355 [important] ChatGPT-CVSS: 7.5 PackageKit A logic issue was addressed with improved state management. An app may be able to modify protected parts of the file system
					x	x	x
CVE-2023-32395 [important] ChatGPT-CVSS: 7.0 Perl A logic issue was addressed with improved state management. An app may be able to modify protected parts of the file system
					x	x	x
CVE-2023-32414 [important] ChatGPT-CVSS: 4.0 DesktopServices The issue was addressed with improved checks. An app may be able to break out of its sandbox
						x
CVE-2023-32375 [important] ChatGPT-CVSS: 7.5 Model I/O An out-of-bounds read was addressed with improved input validation. Processing a 3D model may result in disclosure of process memory
						x	x
CVE-2023-32363 [important] ChatGPT-CVSS: 0 Screen Saver A permissions issue was addressed by removing vulnerable code and adding additional checks. An app may be able to bypass Privacy preferences
						x
CVE-2023-23535 [important] ChatGPT-CVSS: 7.5 ImageIO The issue was addressed with improved memory handling. Processing a maliciously crafted image may result in disclosure of process memory
							x

—
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.