
Archive for March, 2019

Ad Blocking With Pi Hole, (Tue, Feb 26th)

Network-wide ad blocking via your own Linux hardware

Pi-hole® is a DNS sinkhole that protects your devices from unwanted content, without installing any client-side software.

From the Pi-hole Overview:

Easy-to-install: versatile installer, takes less than ten minutes

Resolute: content is blocked in non-browser locations, such as ad-laden mobile apps and smart TVs

Responsive: speeds up browsing by caching DNS queries

Lightweight: runs smoothly with minimal hardware and software requirements

Robust: command line interface quality assured for interoperability

Insightful: responsive Web Interface dashboard to view and control Pi-hole

Versatile: optionally functions as DHCP server, ensuring all your devices are protected automatically

Scalable: capable of handling hundreds of millions of queries when installed on server-grade hardware

Modern: blocks ads over both IPv4 and IPv6

Free: open source software

* Cited from docs.pi-hole.net.

Of Note

The Pi-hole setup offers 8 options for an upstream DNS Provider during the initial setup.

Utilize the Pi-hole command line interface with ease.

Pi-hole includes a caching and forwarding DNS server, now known as FTLDNS.

After applying the blocking lists, it forwards requests made by the clients to configured upstream DNS server(s).

Updating is as simple as running the following command: pihole -up

Pi-hole Installation

I installed Pi-hole on a Raspberry Pi 2 Model B running Raspbian Stretch (November 2018, 4.14 kernel).

Figure 1: Pi-hole on Raspberry Pi 2 Model B

There is a one-step automated installation method for those who want to get started quickly and conveniently; run the following command:

curl -sSL https://install.pi-hole.net | bash

There are alternative installation methods if you’re not comfortable piping to bash.

Piloting Pi-hole

Once you’ve completed installation, browse to the IP address you established during setup. After running Pi-hole for even a few hours, it will begin to serve you as designed, and well at that.

Figure 2: Pi-hole at work

Take note of the 17.9% of traffic and the 532 specific queries shown in Figure 2. Pi-hole’s Gravity script is key here: “Gravity is one of the most important scripts of Pi-hole. Its main purpose is to retrieve blocklists, and then consolidate them into one unique list for the built-in DNS server to use, but it also serves to complete the process of manual whitelisting, blacklisting and wildcard update. It is run automatically each week, but it can be invoked manually at any time.”
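To make the Gravity description concrete, here is an added Python example (not Pi-hole’s own code) that does in miniature what Gravity and the sinkhole resolver do: it merges several blocklists into one de-duplicated set, honours a whitelist and wildcard entries, and answers a lookup either with the sinkhole address or with "forward upstream". The list contents, domain names and the 0.0.0.0 sinkhole answer are constructed sample values; Pi-hole fetches real lists over HTTP and speaks real DNS.

```python
# Added example, not Pi-hole's own code: a miniature of the Gravity step
# (merge blocklists into one unique set) plus a sinkhole lookup.
# All list contents below are constructed sample data.
from typing import Dict, Iterable, Optional, Set

# Two constructed blocklists: one in hosts-file format, one domain-per-line.
SAMPLE_LISTS: Dict[str, str] = {
    "list-a (hosts format)": """
# comment line, ignored
0.0.0.0 ads.example.net
127.0.0.1 tracker.example.org   # trailing comment
0.0.0.0 ads.example.net
""",
    "list-b (plain domains)": """
telemetry.example.com
ADS.Example.NET
""",
}

# Unroutable answer handed back for blocked names (Pi-hole's NULL blocking mode;
# older releases answered with the Pi-hole's own address instead).
SINKHOLE_ADDRESS = "0.0.0.0"


def parse_blocklist(text: str) -> Set[str]:
    """Extract domains from a hosts-format or domain-per-line blocklist."""
    domains: Set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        # hosts format: "<address> <domain>"; plain format: "<domain>"
        domain = fields[1] if len(fields) >= 2 else fields[0]
        domains.add(domain.lower().rstrip("."))
    return domains


def consolidate(lists: Dict[str, str]) -> Set[str]:
    """Merge every list into one unique set: the 'gravity' step."""
    merged: Set[str] = set()
    for text in lists.values():
        merged |= parse_blocklist(text)
    return merged


def resolve(query: str, blocked: Set[str],
            whitelist: Iterable[str] = (), wildcards: Iterable[str] = ()) -> Optional[str]:
    """Return the sinkhole address for a blocked name, or None to forward upstream.

    The whitelist wins over everything; a wildcard entry blocks the domain and
    all of its subdomains; the gravity set matches exact names only.
    """
    name = query.lower().rstrip(".")
    if name in {w.lower() for w in whitelist}:
        return None
    for wc in wildcards:
        wc = wc.lower()
        if name == wc or name.endswith("." + wc):
            return SINKHOLE_ADDRESS
    if name in blocked:
        return SINKHOLE_ADDRESS
    return None  # not on any list: forward to the configured upstream resolver


if __name__ == "__main__":
    gravity = consolidate(SAMPLE_LISTS)
    print(f"{len(gravity)} unique blocked domains: {sorted(gravity)}")
    for q in ["ads.example.net", "www.example.com", "cdn.tracker.example.org"]:
        answer = resolve(q, gravity, wildcards=["tracker.example.org"])
        print(f"{q:28} -> {answer or 'forward upstream'}")
```

Note that the exact-match behaviour of the consolidated list is why Pi-hole offers wildcard (and regex) blacklisting separately: a list entry for `tracker.example.org` does not catch `cdn.tracker.example.org` on its own.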

As seen in Figure 3, Pi-hole takes exception to a number of offending domains.

Figure 3: Pi-hole blocks

192.168.248.12 is my iPhone on my local network. You can see that between Apple, Microsoft, and other domains, there’s more than a bit of content in their ad streams that is flagged as less than desirable via Pi-hole’s Block Lists.

Enjoy the use and benefits of Pi-hole. I’d really like to hear about your success stories and how you’re running Pi-hole (what hardware platforms?).

Let me know via Twitter or email. Cheers…until next time.

Russ McRee | @holisticinfosec

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS.

Maldoc Analysis by a Reader, (Wed, Feb 27th)

Reader Vinnie submitted a malicious document, including his analysis of this document. Great job!

Here is his analysis (we’re publishing some parts as pictures, to avoid triggering anti-virus when you view this diary entry):


Host performing SQL injection scanning also hosting Emotet Maldoc.

Junos Attack log X.X.X.X/80> HTTP-SQL-INJ

Host 35.190.186[.]53 GEO DATA (53.186.190[.]35.bc.googleusercontent.com, Google Provider, Virginia US)

VirusTotal: hxxp://35.190.186[.]53/De/SKTAPCYQTR6199495/Scan/Rechnungsanschrift

https://www.virustotal.com/#/file/15ea29d0e483c01df72c126e1a0b599f94bdc29dfb38a77306633c45d1851325/detection

File name:      190220-Pay_receipt-747585655.doc
File size:      308.63 KB
SHA-256:        15ea29d0e483c01df72c126e1a0b599f94bdc29dfb38a77306633c45d1851325

Similar files hosted on sites:
hxxp://13.233.173[.]191/wp-content/BXROAQEY9168432/gescanntes-Dokument/DETAILS/
hxxp://54.164.84[.]17/De/ZEDLYG0772400/GER/FORM
hxxp://104.198.73[.]104/De_de/BYLZNG4781296/Rechnungs-docs/Fakturierung/
hxxp://128.199.68[.]28/DE/GHQQAE4843885/GER/RECHNUNG/
hxxp://54.175.140[.]118/Februar2019/NFZJSULXU2729511/DE_de/Zahlungserinnerung
hxxp://botmechanic[.]io/DE_de/BJAWTAW9909728/de/Rechnungszahlung

String 'shell' & Base64 encoded command in VBA compressed macro found in stream 8. Shown with YARA rule below.

python ~/Documents/oledump.py -y#s#'shell' ~/Downloads/190220-Pay_receipt-747585655.doc.vir

1:       114 '\x01CompObj'
2:      4096 '\x05DocumentSummaryInformation'
3:      4096 '\x05SummaryInformation'
4:      7514 '1Table'
5:    129889 'Data'
6:       420 'Macros/PROJECT'
7:        47 'Macros/PROJECTwm'
8: M  113116 'Macros/VBA/D_03_5'
               YARA rule: string
9: m    1105 'Macros/VBA/X85417_'
10:     32735 'Macros/VBA/_VBA_PROJECT'
11:      1221 'Macros/VBA/__SRP_0'
12:       106 'Macros/VBA/__SRP_1'
13:       220 'Macros/VBA/__SRP_2'
14:        66 'Macros/VBA/__SRP_3'
15:       548 'Macros/VBA/dir'
16:      4096 'WordDocument'
All VBA source code:

Variables defined in Function from stream 8:

-URLs-
hxxp://51.15.113[.]220/2sT3beRO4
hxxp://167.99.85[.]165/XyBY4Kl
hxxp://18.205.117[.]241/wp-content/uploads/P7KgkINX
hxxp://23.23.29[.]10/DAINhWrv
hxxp://18.213.62[.]169/wp-content/uploads/oEk4aUu

Interesting Strings:
Project.D_03_5.autoopen
PROJECT.D_03_5.AUTOOPEN
C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL
C:\Program Files\Microsoft Office\Root\Office16\MSWORD.OLB
C:\Windows\system32\stdole2.tlb

Post Infection Traffic from EXE found at hxxp://51.15.113[.]220/2sT3beRO4:
URL hxxp://23.233.240[.]77:8443/
URL hxxp://201.122.94[.]84:8080/
URL hxxp://187.163.204[.]187:995/


Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com
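Vinnie’s write-up lists its indicators in the usual defanged form (hxxp, [.]), which is right for publication but not directly usable in a DNS sinkhole or firewall deny list. The following added Python example (not part of the reader’s analysis or of oledump) parses text in that style, refangs it, and sorts the results into URLs, hostnames and IP addresses with duplicates removed. The embedded input is a constructed excerpt using RFC 5737 documentation addresses and a reserved .example name, not the real indicators from the post, and the regular expressions, `refang` and `extract_indicators` are this example’s own.

```python
# Added example, not part of the diary or of oledump: parse defanged
# indicators (hxxp://, [.]) out of analysis text and refang them into a
# structured, de-duplicated list a defender can feed to a blocklist.
import ipaddress
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed excerpt in the same defanged style as the analysis above;
# the addresses are RFC 5737 documentation ranges, NOT the real indicators.
SAMPLE_ANALYSIS = """
VirusTotal: hxxp://192.0.2[.]10/De/ABCD1234/Scan/Rechnungsanschrift
Similar files hosted on sites:
hxxp://198.51.100[.]7/wp-content/XYZ/gescanntes-Dokument/DETAILS/
hxxp://malware-host[.]example/DE_de/ABC/de/Rechnungszahlung
Post Infection Traffic:
URL hxxp://203.0.113[.]5:8443/
URL hxxps://203.0.113[.]5:8080/
Host 192.0.2[.]10 GEO DATA
"""

# A defanged URL runs from hxxp(s):// to the next whitespace or quote.
DEFANGED_URL = re.compile(r"hxxps?://[^\s'\"<>]+", re.IGNORECASE)
# A dotted quad whose dots may be written as "." or "[.]".
DEFANGED_IP = re.compile(r"\b\d{1,3}(?:(?:\.|\[\.\])\d{1,3}){3}\b")


def refang(token: str) -> str:
    """Undo the common defanging conventions: hxxp -> http, [.] -> ., [:] -> :."""
    token = re.sub(r"^hxxp", "http", token, flags=re.IGNORECASE)
    return token.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def extract_indicators(text: str) -> Dict[str, List[str]]:
    """Return refanged URLs, hostnames and IPs found in text, in first-seen order."""
    urls: List[str] = []
    hosts: List[str] = []
    ips: List[str] = []

    for match in DEFANGED_URL.finditer(text):
        url = refang(match.group(0))
        if url not in urls:
            urls.append(url)
        host = urlsplit(url).hostname or ""  # strips the port for us
        try:
            ipaddress.ip_address(host)
            bucket = ips
        except ValueError:
            bucket = hosts
        if host and host not in bucket:
            bucket.append(host)

    # Bare indicators such as "Host 192.0.2[.]10" that are not part of a URL.
    for match in DEFANGED_IP.finditer(text):
        candidate = refang(match.group(0))
        try:
            ipaddress.ip_address(candidate)  # rejects octets above 255
        except ValueError:
            continue
        if candidate not in ips:
            ips.append(candidate)

    return {"urls": urls, "hosts": hosts, "ips": ips}


if __name__ == "__main__":
    for kind, values in extract_indicators(SAMPLE_ANALYSIS).items():
        print(f"{kind} ({len(values)}):")
        for v in values:
            print("  ", v)
```

Keeping the refanged values in a program rather than in a published document preserves the point of defanging: the text stays safe to paste into a diary, while the machine-readable list only exists where it is consumed.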


Phishing impersonations, (Thu, Feb 28th)

Phishing is a constant cat and mouse game. Most organizations are now using SPF, DMARC and other technologies to prevent spoofed emails from reaching their users’ inboxes. Attackers have responded by shifting to real accounts from mail providers.

The type of attack we are seeing recently tries to bypass these more traditional protections by using impersonation attacks, where the display name in the email client matches the person of interest and the address is plausible.

Let’s say your CEO’s name is Tony Stark and his legitimate address is [email protected]. The attacker would set the display name to Tony Stark and the address to [email protected]. My.com has been used a lot in the past six months for these types of attacks; you can easily block any emails from the domain my.com in your mail filters.

Attackers are also using Gmail, Yahoo and other major domains with the same technique (e.g. [email protected] or [email protected]). Unfortunately, in most cases you will not be able to block these domains. Many email products fight this with a feature most call impersonation detection: set up a profile in the product for the display names of your VIPs and it tries to detect fake accounts. My issue with these is that you are leaving it up to a “black box” to determine whether your VIP’s email is going to get through.

If your email solution lets you use YARA rules or nested if statements, this seems to be the best solution overall. Once you have determined which VIPs to cover, you need their real personal addresses. After that, you write a nested if statement that blocks anything else.

If Display Name is “Tony Stark”
    And If address is [email protected]
    Or [email protected]    (Pass)
Else    (Junk)

If you run into many false positives because a VIP has a common name, you can add to the whitelist and continue to build it out. This can be tedious, so keeping the list small is key. I would suggest at least your C-Levels, General Counsel and Finance/Payroll.
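The nested-if rule above, written out as an added Python example (not a rule from any particular mail product): a VIP profile maps a normalised display name to that person’s known addresses, a message whose display name matches a VIP but whose address is not on the list is junked, and anything from the blockable domain (my.com, as in the diary) is junked regardless. The VIP addresses and sample From: headers are constructed, since the diary redacts the real ones; `normalize_name` and `classify` are this example’s own helpers. It goes slightly beyond the pseudocode by collapsing case, whitespace and Unicode compatibility forms (a leading space or a fullwidth letter in the display name) before comparing, which is where simple string-equality rules tend to produce both false positives and misses.

```python
# Added example, not from any mail-filter product: display-name
# impersonation rule with a small VIP whitelist, as the diary describes.
import unicodedata
from email.utils import parseaddr
from typing import Dict, Set

# Constructed VIP profile: normalised display name -> legitimate addresses.
# The diary redacts the real addresses; these are sample values only.
VIP_ADDRESSES: Dict[str, Set[str]] = {
    "tony stark": {"tony.stark@example.com", "tony.stark@example.net"},
}

# Sender domains the diary says can be blocked outright.
BLOCKED_SENDER_DOMAINS: Set[str] = {"my.com"}


def normalize_name(name: str) -> str:
    """Collapse case, surrounding/duplicate whitespace and Unicode compatibility
    forms (NFKC folds e.g. fullwidth letters; it does NOT catch Cyrillic homoglyphs)."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return " ".join(folded.split())


def classify(from_header: str,
             vips: Dict[str, Set[str]] = VIP_ADDRESSES,
             blocked_domains: Set[str] = BLOCKED_SENDER_DOMAINS) -> str:
    """Return 'junk' or 'pass' for one From: header value.

    Rule, as in the diary: if the display name is a VIP's, pass only that VIP's
    known addresses and junk everything else; independently junk any sender
    from a blocked domain. Non-VIP names are left to the rest of the filter.
    """
    display, addr = parseaddr(from_header)
    addr = addr.casefold()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    if domain in blocked_domains:
        return "junk"
    name = normalize_name(display)
    if name in vips:
        return "pass" if addr in vips[name] else "junk"
    return "pass"


if __name__ == "__main__":
    # Constructed sample headers, including a leading space and a fullwidth "T".
    samples = [
        '"Tony Stark" <tony.stark@example.com>',
        ' Tony   Stark <ceo.tony.stark@mail.example>',
        'Tony Stark <tony.stark@my.com>',
        '\uff34ony Stark <payroll-update@freemail.example>',
        'Pepper Potts <pepper@partner.example>',
    ]
    for header in samples:
        print(f"{classify(header):4}  {header}")
```

The whitelist is deliberately per-VIP rather than global: adding a second legitimate address for one executive must not make that address acceptable for every other VIP name, which is the kind of over-broad exception that creeps in when the list is grown to silence false positives.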


What techniques have been successful for you?  

Tom Webb @twsecblog


Critical Cisco Wireless Patch for RV Series, CVE-2019-1663, (Fri, Mar 1st)

Cisco has released a critical patch for the RV110W, RV130W, and RV215W wireless routers. The vulnerability is due to improper validation of user-supplied data in the web-based management interface. This was initially discussed at the GeekPwn Shanghai conference on October 24-25, 2018.


Check out the link below for more information.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190227-rmi-cmd-ex


Tom Webb @twsecblog
