Feed aggregator

Infocon: green

SANS Internet Storm Center, InfoCON: green - Wed, 2017/09/06 - 12:46
ISC Stormcast For Wednesday, September 6th 2017 https://isc.sans.edu/podcastdetail.html?id=5656
Categories: Security Posts

about

Room362.com - Wed, 2017/09/06 - 10:47
Mubix “Rob” Fuller Rob has over 11 years of experience covering all facets of information security. He has been behind the lines helping to design, build, and defend the US Marine Corps, US Senate, and Pentagon networks - as well as performing penetration tests and Red Team assessments against those same networks. More recently, Rob has performed numerous successful Red Team assessments against commercial Fortune 50 companies representing some of the best defensive teams in the industry.
Categories: Security Posts

How to bypass Device Guard on Windows 10 with CVE-2017-8625

Un informático en el lado del mal - Wed, 2017/09/06 - 09:48
During August there has continued to be a lot of activity in the world of security and Microsoft, and we should not miss any details of these findings if we want to keep our Microsoft Windows operating system hardened. On this occasion, researcher Oddvar Moe has published how he managed to bypass Device Guard on Windows.

Figure 1: How to bypass Device Guard on Windows 10 with CVE-2017-8625
This was a significant finding that earned a CVE, about which you can get more details at MITRE. Let's see how this bug works.

What is Device Guard?

As stated on Microsoft's TechNet site, Device Guard is a combination of hardware and software security features which help lock down a device so that it can only run trusted applications. That is, if an application is not trusted, it will not run. Device Guard restricts Windows 10 Enterprise to running code that is signed and that can be verified against the code integrity policy.

What are its components?

You can see all the details of its components on the Device Guard page on TechNet, but they can be summarized as follows.
• UMCI: user-mode code integrity.
• New kernel code integrity rules.
• Secure Boot with database restrictions.
• Virtualization-based security to protect system memory and drivers.
• Optionally, Microsoft lists the TPM 1.2 or 2.0 trusted platform module.

The discovery

Researcher Oddvar Moe took a look at the hh.exe binary, the program that launches Help in Windows. The binary's behaviour caught his attention, since different things happened depending on the parameter passed to it. The first test that stands out is running hh.exe c:\ or hh.exe http://www.google.com. In the first case, as will be shown later, hh.exe lets you browse the file system, and in the second case you get a browser embedded in hh.exe, very similar to the way one can browse the Internet without a browser from inside Microsoft Word in order to get around security protections.

Figure 2: Browsing with hh.exe
Another interesting thing is the integrity level. When an iexplore process runs, it runs at low integrity even though its parent runs at medium. However, the browser that runs inside hh.exe runs at medium integrity. This can easily be seen with the procmon tool.

Figure 3: Process Monitor of hh.exe on Windows 10
The next image shows an example of what was mentioned above: when we run hh.exe c:\, the hh.exe binary opens and you can see embedded content that is a file explorer. This is food for thought, since it could be useful for achieving the Device Guard bypass, as Oddvar Moe thought.

Figure 4: Browsing the hard disk with hh.exe
Oddvar Moe created a PowerShell script that builds a CHM (help) file which opens Help and runs the calculator through ActiveX. The script can be downloaded from his GitHub and is fairly easy to understand. It is also based on a script that is part of Nishang, a rather interesting PowerShell pentesting framework.

Figure 5: PowerShell script for CVE-2017-8625
Running the script, as can be seen in the image, is completely straightforward. The result is a CHM file stored in the \hhpoc folder.

Figure 6: Running the script that generates the CHM file to be exploited
One of the interesting parts of the script is the one shown below. It shows how the code is executed: first an alert is displayed telling us what comes next. The calculator is then run, bypassing the protection measures associated with Device Guard, so the help files and their associated binary are being abused to achieve the bypass.

Figure 7: Running the calculator
When the CHM file is opened, we find that the hh.exe binary is run and shows a help page where Oddvar has written some text. The alert is also executed, as can be seen in the image, and tells us what will happen next.

Figure 8: Alert on opening the CHM file created to exploit the bug
The moment the user clicks "Yes", the calculator runs, which means the code runs. This serves to demonstrate that code execution can be achieved while bypassing Device Guard protection.


Figure 9: Code execution bypassing Device Guard on Windows 10
Can we run other, more interesting kinds of code?

Logically, yes. As an example, I point to this GitHub project called StarFighters, with which interesting code can be executed through JavaScript.

Figure 10: The calculator running
The image shows the calculator being executed. To illustrate how simple the method is and how easily it can work today, we leave you a video.

Figure 11: PoC bypassing Device Guard on Windows 10 with CVE-2017-8625
It should also be noted that, as of today, Windows 10 v1703 has this vulnerability patched, so if you update you should not have this problem, which was fixed very recently. All the details about the vulnerability provided by Microsoft are at this link.

Author: Pablo González Pérez (@pablogonzalezpe), author of the books "Metasploit para Pentesters", "Ethical Hacking", "Got Root" and "Pentesting con Powershell", Microsoft MVP in Security and Security Researcher at ElevenPaths
Categories: Security Posts

ISC Stormcast For Wednesday, September 6th 2017 https://isc.sans.edu/podcastdetail.html?id=5656, (Wed, Sep 6th)

SANS Internet Storm Center, InfoCON: green - Wed, 2017/09/06 - 02:35
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security Posts

Struts vulnerability patch released by apache, patch now, (Tue, Sep 5th)

SANS Internet Storm Center, InfoCON: green - Wed, 2017/09/06 - 02:30
UPDATE: a link to a working exploit has been seen. As of yet no IDS or WAF signatures/rules have been posted. (2017/09/05 20:30h EDT)
Anyone using Struts 2 should immediately upgrade to Struts 2.5.13 due to a remote code execution vulnerability. It has been assigned CVE-2017-9805 and a detailed technical writeup is available here: https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement. A workaround would be to disable access to the REST API used by Struts, as it does not correctly deserialize objects when invoked. Every once in a while along comes a vulnerability that should cause you to consider actually updating the platform your application runs on! Now that the patch is available it will not be long before a working exploit is out in the wild.
Cheers,
Adrien de Beaupré, SANS Instructor and Co-author of #SEC642
Intru-shun.ca Inc.
Categories: Security Posts

Compiling a Windows Service With Mono on Kali

Didier Stevens - Wed, 2017/09/06 - 02:00
The Windows service I used in my previous blog post can also be compiled on Kali (or other Linux distros or OSX) using Mono. First I install Mono on Kali:
sudo apt-get install mono-devel
Then I can use Mono's C# compiler mcs. Unlike .NET's C# compiler csc.exe, mcs requires a reference to compile a Windows service:
mcs -reference:System.ServiceProcess.dll service.cs
Categories: Security Posts

Podcast: Implications of the EU GDPR

Zero in a bit - Tue, 2017/09/05 - 16:37
The EU Global Data Protection Regulations (GDPR) go into effect in May 2018, and will introduce stark new data security requirements for any organization in the EU, or doing business in the EU. The requirements in this regulation surrounding data retention and personal information are unprecedented, and so are the fines for non-compliance. How will this play out in a world where information is a currency? Which organizations are ready, and which should be, but aren't? And could this be a sign of things to come in terms of cybersecurity regulations in the US? Listen to the latest episode of Veracode's AppSec in Review podcast to hear Evan Schuman and Veracode's Brian Fitzgerald discuss the implications of these ground-breaking regulations.
Categories: Security Posts

The Mirai Botnet: A Look Back and Ahead At What's Next, (Tue, Sep 5th)

SANS Internet Storm Center, InfoCON: green - Tue, 2017/09/05 - 16:30
It is a bit hard to nail down when the Mirai botnet really started. I usually use scans for port 2323 and the use of the password "xc3511" as an indicator. But of course, that isn't perfect. The very first scan using the password "xc3511" was detected by our sensor on February 26th, 2016, well ahead of Mirai. This scan hit a number of our sensors via ssh. At the time we did not collect telnet brute force attempts. Oddly enough, it was a singular scan from one IP address (185.106.94.136). Starting August 9th, 2016, we do see daily scans for the password xc3511 at a low level until they increase significantly around September 21st, which is probably the best date to identify as the outbreak of what we now call Mirai. I will use "Mirai" to identify the family of aggressive telnet scanning bots. It includes a wide range of varieties that all pretty much do the same thing: scan for systems with telnet exposed (not just on port 23) and then try to log in using a default password.

Figure 1: Port 2323 scanning for 2016.

One of the first questions that keeps coming up is how many hosts were or still are infected with Mirai. A back-of-the-envelope calculation can be done by looking at the current rate of these scans. An average IP address will be hit once every 10 minutes. In my tests, I found that an infected system can scan about 200 IPs per second. To scan the entire internet, it will take an infected system about 200 days (accounting for the fact that Mirai does not scan about 20% of the IP address space). So to be hit about once every 10 minutes, we need only about 30,000 infected systems. This is likely a low estimate. I have seen a lot of Mirai connection attempts fail because the scanning system isn't responding in time, likely because it is not able to keep up with the scans. For port 23 scans, we do see around 100-150,000 sources each day. This is not just Mirai, but other bots as well. Port 2323 only sees around 5-10,000 sources per day. These are likely remnants of the original Mirai versions. Later versions did not use port 2323 as much as earlier versions. So a reasonable estimate of infected systems is likely in the "more than 100,000" range.

Figure 2: Decay of port 2323 scans and best fit.

Now the next question is: "How long will all this last?" I took a look at the port 2323 traffic to see how it decayed over the last year. As I have seen in prior bot outbreaks all the way back to Nimda/CodeRed, the decay is best matched using two components: a "fast" part of systems that are patched relatively fast, and a "slow" part of systems that take much longer to fix. For SQL Slammer, for example, the "fast" part was patched in a few hours, while the "slow" part was patched "never". For Mirai, the "fast" decay has a half-life of 12 days, which is still pretty slow. The "slow" part has a half-life of 150 days, and 1/3 of infected systems are part of the "slow" curve. The result: Mirai is going to stick with us for a few more years. There are many efforts underway to reach out to infected systems and to protect them. But for Mirai, these efforts appear to have reached a point of diminishing returns. Unlike SQL Slammer, Mirai does not affect the host network enough to force a fix, and the fix isn't all that easy (often there is no simple "patch", and the password cannot be changed by the user). A system is only "removed" from the infected pool if it is patched, retired or placed behind a firewall. A system that is rebooted will likely get infected immediately, so we do not have to account for them. There is possibly also a component of new systems connected to the internet. I did not account for them, but they would become part of either the short or long "half-life" component and just increase the amplitude of either. I will try and run a simulation for that as well later.

So what is next? Mirai and related bots/worms will stay around for the foreseeable future. There is no reason to believe that all backdoor passwords (aka "support passwords") have been found. Just last week news broke about such passwords in some Arris DSL modems. Exploiting these passwords is too easy and there isn't much that can be done by the user to protect the device. These are often not passwords that the user can change. In some cases, a firewall may work, unless the firewall itself is vulnerable. A lot of attention was paid to security camera DVRs and IP cameras, but Mirai infects pretty much any Linux-based device with a guessable telnet password. SSH will not help either. SSH is as vulnerable to default passwords as telnet. Mirai itself doesn't scan for ssh, but other bots do and have done so for a long time. In the end, this is something that has to be fixed by the manufacturer of these devices, not by the end user. The end user may be able to help by not buying vulnerable devices, but then again, there isn't an easy way for the end user to tell. Maybe some kind of "security seal" that indicates that the device did go through a basic pentest and will receive security updates for a specific number of years would help. But Mirai-vulnerable devices are likely still sold today, and due to the large variety of brand names reselling essentially the same device, it is hard to tell whether a device is vulnerable or not.
---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute
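The bot-count estimate and the two-component decay model from the post above, worked through in Python as an added example (not ISC's code). It takes the post's figures as given: 200 IPs/s per bot, 20% of IPv4 space never scanned, one hit per sensor IP every 10 minutes, half-lives of 12 and 150 days with one third of the population on the slow curve; the daily source counts used for the half-life fit are constructed sample data, not ISC telemetry.

```python
"""Mirai population sizing and decay (added example; constructed inputs)."""
from math import log

IPV4_SPACE = 2 ** 32
SKIPPED_FRACTION = 0.20    # post: Mirai skips roughly 20% of the address space
SCAN_RATE_PER_BOT = 200    # post: ~200 IPs/s per infected host
MINUTES_PER_DAY = 24 * 60


def days_to_sweep_internet(rate=SCAN_RATE_PER_BOT, skipped=SKIPPED_FRACTION):
    """Days one bot needs to cover the part of IPv4 space it actually scans."""
    targets = IPV4_SPACE * (1 - skipped)
    return targets / rate / 86_400


def bots_for_hit_interval(interval_min, rate=SCAN_RATE_PER_BOT,
                          skipped=SKIPPED_FRACTION):
    """Bots needed so that any single IP is hit once every interval_min minutes.

    Each bot touches a given IP once per full sweep, so the hit rate on that IP
    is bots / sweep_time; solving for bots gives sweep_time / interval.
    """
    sweep_min = days_to_sweep_internet(rate, skipped) * MINUTES_PER_DAY
    return sweep_min / interval_min


def remaining_fraction(t_days, fast_half=12.0, slow_half=150.0, slow_share=1 / 3):
    """Two-component decay: share of the original population still infected.

    The post's model: one part is cleaned up quickly (half-life fast_half), the
    rest slowly (half-life slow_half); slow_share is the slow part's weight.
    """
    fast = (1 - slow_share) * 2 ** (-t_days / fast_half)
    slow = slow_share * 2 ** (-t_days / slow_half)
    return fast + slow


def days_until_fraction(target, **model):
    """Bisect remaining_fraction (monotone decreasing) for the day it hits target."""
    lo, hi = 0.0, 1e5
    while hi - lo > 1e-6:
        mid = (lo + hi) / 2
        if remaining_fraction(mid, **model) > target:
            lo = mid
        else:
            hi = mid
    return hi


# Constructed sample: distinct port-2323 sources seen per day, as (day, count).
SAMPLE_SOURCES = [(0, 8000), (30, 6500), (60, 5400), (90, 4600)]


def fit_half_life(points):
    """Least-squares fit of ln(count) against day; returns the implied half-life.

    A single exponential is fitted here; the post's two-component curve needs
    the same fit on the early and late parts of the series separately.
    """
    n = len(points)
    xs = [d for d, _ in points]
    ys = [log(c) for _, c in points]
    mx, my = sum(xs) / n, sum(ys) / n
    slope = (sum((x - mx) * (y - my) for x, y in zip(xs, ys))
             / sum((x - mx) ** 2 for x in xs))
    return -log(2) / slope


if __name__ == "__main__":
    print(f"one bot sweeps the scanned space in {days_to_sweep_internet():.0f} days")
    print(f"bots for one hit per 10 min: {bots_for_hit_interval(10):.0f}")
    for d in (12, 30, 150, 365, 730):
        print(f"day {d:4d}: {remaining_fraction(d):.1%} still infected")
    print(f"below 10% of peak after {days_until_fraction(0.10):.0f} days")
    print(f"fitted half-life of sample series: {fit_half_life(SAMPLE_SOURCES):.0f} days")
```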
Categories: Security Posts

Wikto Scanner Download – Web Server Security Tool

Darknet - The Darkside - Tue, 2017/09/05 - 15:05
Wikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3500 potentially dangerous files/CGIs, versions on over 900 servers, and version-specific problems on over 250 servers. It is basically Nikto for Windows with some extra features, written in C#, and requires the .NET framework. What is Wikto? Wikto is not a web application scanner. It is totally unaware of the application (if any) that is running on the web site. Read the rest of Wikto Scanner Download – Web Server Security Tool now! Only available at Darknet.
Categories: Security Posts

LaCon2k17 Call for Pulpos

48Bits Blog - Sat, 2017/08/12 - 10:32
We are proud to present the call for papers for LaCon 2017! Get your papers in now. We are accepting short talks of 30min and long talks of ~1h.
[when] conf will be held from the 22nd to the 24th of Sept 2017
[where] undisclosed location
[who] a bunch of crazy bastards
[topics] topics include:
  • h/p/v/c/e …
  • satellites, antennas and radioactive crap
  • cryptocurrencies
  • knitting
  • radare3, radare2 talks won’t be accepted this year, for radare2 related topics consider attending r2con
  • cats
  • 8===========D
[submit] submit your talk proposals to lacon2k17.org@lists.48bits.com
[gpgkey] gpg --keyserver pgp.mit.edu --recv-key 2BE9CA85
Categories: Security Posts

Join Fortinet at HPE Discover 2017!

Fortinet FortiGuard Blog - Mon, 2017/06/05 - 17:22
Fortinet is a Gold sponsor at Discover 2017, and will showcase several important security innovations to help you stay ahead of cyber threats. Join Fortinet at booth 231 while you’re at Discover 2017 to see a demo of the Fortinet Security Fabric in action! We’ll also have technical experts on hand to discuss any security needs you ma A key focus area for many attendees will be cybersecurity, given the challenges they face from today’s sophisticated and rapidly evolving threats. The isolated, proprietary security devices most organizations...
Categories: Security Posts

Governmental Entities Bringing Financial Cybersecurity to Center Stage

Fortinet FortiGuard Blog - Mon, 2017/06/05 - 17:20
By now, it’s no secret that cybercriminals have targeted, and continue to target, the financial services industry with advanced attacks that are designed to steal or otherwise jeopardize valuable data. As a result, many organizations have taken at least some initial steps to better secure their networks and the information that lives within them. In fact, according to Duff & Phelps’ “Global Regulatory Outlook,” 86 percent of professionals in the financial services industry say their companies have plans to put more...
Categories: Security Posts

An Inside Look at CVE-2017-0199 – HTA and Scriptlet File Handler Vulnerability

Fortinet FortiGuard Blog - Mon, 2017/06/05 - 03:52
FortiGuard Labs recently came across a new strain of samples exploiting the CVE-2017-0199 vulnerability. This vulnerability was fixed by Microsoft and the patch was released in April 2017. Due to its simplicity, it can be easily exploited by attackers. It has also been found in the wild by other vendors. We have also blogged about some samples recently found in a spear phishing attack. While there are plenty of articles discussing this vulnerability, most of them are intended for technical readers and primarily focus on how to create proof-of-concept...
Categories: Security Posts

Support my videos on Patreon!

Niels Provos - Sun, 2017/05/28 - 01:18

Add your support on Patreon to help me create more videos. Your support will help with materials, rent as well as other equipment, e.g. cameras, lights, software, etc. It is not required but appreciated. Due to time constraints I can make no promises on how often I will be able to publish new videos but my plan is to continue producing videos as long as people find them interesting.
Categories: Security Posts

A Scheme to Encrypt the Entire Web Is Actually Working

Wired: Threat Level - Thu, 2016/04/14 - 13:00
The non-profit certificate authority Let's Encrypt is enabling a sea change toward HTTPS encryption online. The post A Scheme to Encrypt the Entire Web Is Actually Working appeared first on WIRED.
Categories: Security Posts

Matthew Keys Sentenced to Two Years for Aiding Anonymous

Wired: Threat Level - Wed, 2016/04/13 - 23:30
The former Tribune Company employee was convicted of giving Anonymous information that helped hackers access an LA Times server and alter a headline. The post Matthew Keys Sentenced to Two Years for Aiding Anonymous appeared first on WIRED.
Categories: Security Posts

Hacker Lexicon: What Are White Hat, Gray Hat, and Black Hat Hackers?

Wired: Threat Level - Wed, 2016/04/13 - 23:03
Here's how to distinguish the colors of the hacker rainbow. The post Hacker Lexicon: What Are White Hat, Gray Hat, and Black Hat Hackers? appeared first on WIRED.
Categories: Security Posts

PowerLocker

PandaLabs - Wed, 2014/03/05 - 10:53
PowerLocker, also called PrisonLocker, is a new family of ransomware which, in addition to encrypting files on the victim's computer (as with other such malware), threatens to block users' computers until they pay a ransom (like the 'Police virus'). Although the idea of combining the two techniques may have caused more than a few sleepless nights, in this case the malware is just a prototype. During its development, the malware creator has been posting on blogs and forums describing the progress and explaining the different techniques included in the code.

The malware creator's message on pastebin

In this post, for example, the creator describes how PowerLocker is a ransomware written in C/C++ which encrypts files on infected computers and locks the screen, asking for a ransom. The malware encrypts the files, which is typical of this type of malware, using Blowfish as the encryption algorithm with a unique key for each encrypted file. It stores each unique key generated with an RSA-2048 public/private key algorithm, so only the holder of the private key can decrypt all the files. Also, according to the creator, PowerLocker uses anti-debugging, anti-sandbox and anti-VM features as well as disabling tools like the task manager, registry editor or the command line window. However, all the publicity surrounding PowerLocker that the creator has been generating across forums and blogs before releasing it has led to his arrest in Florida, USA. Consequently, today there is no definitive version of this malware and there is no evidence that it is in the wild. Nevertheless, we still feel it's worth analyzing the current version of PowerLocker, as someone else could be in possession of the source code or even a later version.

PowerLocker analysis

The first thing PowerLocker does is to check whether two files with RSA keys have already been created, and if not, it generates the public and private key in two files on the disk (pubkey.bin and privkey.bin). Unlike other ransomware specimens, which use the Windows CryptoAPI service, PowerLocker uses the openssl library for generating keys and encrypting files. Once it has the keys, PowerLocker runs a recursive search of directories looking for files to encrypt, excluding, not very effectively, files with any of the file names used by the malware: privkey.bin, pubkey.bin, countdown.txt, cryptedcount.txt. It also avoids $recycle.bin, .rans, .exe, .dll, .ini, .vxd or .drv files to prevent causing irreparable damage to the computer. The creator has however forgotten to exclude certain extensions corresponding to files which are delicate enough to affect the functionality of the system, such as .sys files. This means that any computer infected with PowerLocker would be unable to reboot. Moreover, in this version it is possible to use a parameter to control whether the ransomware encrypts or decrypts files using the pubkey.bin and privkey.bin keys generated when it was first run. This version does not include the screen lock feature described by the creator, although it displays a console with debug messages, names of the files to encrypt/decrypt, etc. and asks you to press a key before each encryption or decryption.

Conclusions

At present, there is only a half-finished version of PowerLocker which could practically be labelled harmless, and which lacks many of the most important features that the creator has described on the forums and blogs, such as anti-debugging, screen locking, etc. Despite it not being fully functional, we would recommend having a system for backing up critical files, not just to offer assurance in the event of hardware problems, but also to mitigate the damage of these types of malware infections. Also bear in mind that if you don't have a backup system and your system is infected, we certainly do not recommend paying the ransom, as this only serves to encourage the perpetrators of such crimes.

PowerLocker analysis performed by Javier Vicente
Categories: Security Posts
