SANS Internet Storm Center, InfoCON: green

Syndicate content SANS Internet Storm Center, InfoCON: green
Updated: 39 min 17 sec ago

ISC Stormcast For Wednesday, May 4th 2016 http://isc.sans.edu/podcastdetail.html?id=4981, (Wed, May 4th)

11 hours 11 min ago
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security Posts

Neutrino exploit kit sends Cerber ransomware, (Wed, May 4th)

12 hours 52 min ago
Introduction Seems like were always finding new ransomware. In early March 2016, BleepingComputer announced a new ransomware named Cerber had appeared near the end of February [1]. A few days later, Malwarebytes provided further analysis and more details on subsequent Cerber samples [2]. Ive seen Cerber distributed through exploit kits (EKs) and malicious spam (malspam). Im only aware of .rtf attachments that download and install Cerber when opened in Microsoft Word [3]." />
Shown above: Image of Cerber malspam from tier1net.com By April 2016, Proofpoint reported Cerber was being distributed by Magnitude exploit kit (EK) using a Flash exploit based on CVE-2016-1019 (then a zero-day exploit) [4]. I ran across two Cerber malware samples sent by Neutrino EK near the end of April 2016, but I didnt realize it at the time [5]. Since then, other sources like broadanalysis.com have also reported Neutrino EK sending Cerber [6]. This diary examines a Cerber ransomware infection from Neutrino EK on Tuesday 2016-05-03." />
Shown above: Cerber fromNeutrino EK. Details The few compromised websites Ive seen associated with this particular Neutrino EK campaign have similar patterns of injected script as seen below." />
Shown above: Injected script in page from a compromised website leading to Neutrino EK. Its a fairly straight-forward sequence of events. The compromised website leads to Neutrino EK. Then Neutrino EK sends Cerber ransomware. The only issue I had was generating an infection on a virtual machine (VM). On a VM, Cerber generated nearly the same network traffic, but it did not encrypt any files or generate any notices before deleting itself. On a normal host, Cerber acts as you might expect, encrypting files and showing notifications. Cerber also checks its IP and location at ipinfo.io on a normal host." />
Shown above:" />
Shown above: Traffic from a Cerber infection on a VM filtered in Wireshark. In the above two images, Neutrino EK is on 185.58.227.227 over TCP port 80 using the following domains:
  • blmeujdhcb.eilong.top
  • mifblup.eilong.top
  • psjebmwpes.eaautomatic.top
  • wocvx.eaautomatic.top
With or without the IP check at ipinfo.io, Cerber sent UDP traffic with 9 bytes of data to 16,384 IP address from 85.93.0.0 to 85.93.63.255 (85.93.0.0/18 in CIDR notation). The infected host used the same source/destination ports, but content within those 9 bytes changed each time. Previous Cerber samples use different IP ranges and UDP ports. Not sure what this UDP traffic means, though. I havent found any more information about it, and I havent have time to dig into it further. Images from the infected host" />
Shown above:">As others have already reported, Cerber speaks to you. It does this through a .vbs file named # DECRYPT MY FILES #.vbs. This .vbs file contains Visual Basic script that causes your Windows computer to speak, saying Attention! Attention! Attention! ten times followed by Your documents, photos, databases and other important files have been encrypted!" />
Shown above:" />
Shown above:" />
Shown above:" />
Shown above:" />
Shown above:">Final words I havent seen as much Cerber as Ive seen other ransomware like CryptXXX from Angler EK or Locky from malspam. However, Cerber has been a fairly consistent threat since it first appeared. I expect well see more Cerber in the coming weeks. Pcaps and malware for this ISC diary can be found here. ---
Brad Duncan
brad [at] malware-traffic-analysis.net References: [1] http://www.bleepingcomputer.com/news/security/the-cerber-ransomware-not-only-encrypts-your-data-but-also-speaks-to-you/
[2] https://blog.malwarebytes.org/threat-analysis/2016/03/cerber-ransomware-new-but-mature/
[3] https://www.tier1net.com/cerber-ransomware-campaign/
[4] https://www.proofpoint.com/us/threat-insight/post/killing-zero-day-in-the-egg
[5] http://www.malware-traffic-analysis.net/2016/04/29/index.html
[6] http://www.broadanalysis.com/2016/05/02/neutrino-ek-from-185-58-227-227-sends-cerber-ransomware/ (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security Posts

OpenSSL Updates, (Tue, May 3rd)

Tue, 2016/05/03 - 23:03
TheOpenSSLupdates pre-announced last week have dropped. The latest versions are1.0.1t and 1.0.2h. These updates dont come with same level of urgency as some we have seen in the recent past, but these should are rated High.It is always a good idea to update your servers to the most up to date version of">CVE-2016-2108,High severity:Ita ASN.1 encoding issue (CVE-2016-2108) that could cause an out of bounds write leading to memory corruption. ">CVE-2016-2107,High severity: A padding attack could be used to permit an attacker who is in a position to Man-in-the-Middle the session to decrypt traffic. CVE-2016-2105,Low severity:This is a heap overflow resulting in heap corruption. The vulnerable function is internal to OpenSSL and is not believed to be exploitable. CVE-2016-2106,Low severity:This appears to be the same function as CVE-2016-2105 and because it is only used internally to OpenSSL it is not believed to be exploitable. CVE-2016-2109, Low severity:Is a resource exhaustion and/or memory exhaustion issue in the ASN.1 read. This is internal to OpenSSL and not believed to be exploitable. CVE-2016-2176, Low severity: An ASN.1 overread could result in access to arbitrary stack information being returned. The release is not clear on exploitability. There is no indication that there are exploits in the wild at this time. UPDATE: There is now a PoC for CVE-2016-2107 -- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected) (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security Posts