Blog

Archive for July, 2019

Remembering Mike Assante, (Thu, Jul 11th)

In 2016 and 2017 I had the honor to present at RSA next to Mike Assante. I knew him as one of the few people in our industry who not only understood the technical details of how attacks work and how attackers can be defeated, but was also able to communicate these difficult technical details to effect change. Let’s remember him for the battles he won.

Statement on the Passing of Mike Assante

It is with deep sadness that the SANS Institute shares this statement on the passing of Mike Assante. Mike reached the end of a long and hard-fought battle with cancer on Friday, July 5. He will be deeply missed by our community and most importantly as a husband and father. 

A pioneer in the field of industrial control system cyber security, Mike made a long list of remarkable contributions to the advancement of critical infrastructure system design, threat intelligence, detection, mitigation, and incident response capabilities within the ICS community. The world is a safer place because of Mike.

Mike was selected as Naval Intelligence Officer of the Year in 1997 and was a prolific leader to the ICS security community for more than 20 years. After exiting the Navy, Mike became one of the youngest Vice Presidents and Chief Security Officers for American Electric Power (AEP). He worked with the Idaho National Labs for many years on various ICS-specific projects that would eventually lead him to become the first Chief Security Officer of the North American Electric Reliability Corporation (NERC). He also served as a board member for the Center for Internet Security (CIS), and was a member of the Commission on Cyber Security for the 44th Presidency. On July 9th, Representative James Langevin from Rhode Island recognized Mike’s great work during a live session on C-SPAN.

Mike also received many industry awards and honors, earning InfoSecurity magazine’s security leadership award for his efforts as a strategic thinker, the S4 SCADA Diva award, the RSA 2005 Outstanding Achievement Award in the practice of security, and the SANS Lifetime Achievement Award for outstanding accomplishments and long-term impact on ICS security.

Many in the cyber security community are paying tribute to his legacy as Director of the SANS ICS and SCADA security curriculum. Tim Conway said, “I am one of the blessed people who have had the opportunity to work with Mike for many years in various roles, and in each one he encouraged me to challenge myself and move in ways I would not have been comfortable with if he was not with me. Each of us in the cyber security community who had the opportunity to work with or near him owes much to Mike and to his family who supported his tireless efforts to lead and shape us.

“At this time we have all turned to our family and friends throughout this community for comfort and sharing of stories about Mike. While there are many wonderful things about SANS, I would say without question the one thing that makes this organization different is the family aspect that is present in everything we do. Within the SANS family Mike was like a proud pappa when it came time to talk about the great things he was able to do with the ICS curriculum and the difference it was making in the world. While Mike has had many achievements throughout his work life, I think what makes him happiest is looking down and watching as the people he worked with, cared about, and invested in personally are coming together to support each other and the Assante family.”

Fellow SANS author and ICS Security Curriculum Director Ted Gutierrez said: “Mike’s legacy of accomplishments in the field of cyber security and critical infrastructure protection speaks for itself – the world is safer because of the research he supported, the guidance he provided world leaders, and the new cyber leaders he helped develop. I was so privileged to work alongside Mike at SANS ICS, and to learn from him and from the world’s best cyber professionals that he attracted. But it was in his illness that I learned the most – he fought for and appreciated every single day, and he expressed his heartfelt gratefulness for the opportunities he was afforded and for the people he loved.”

In a CSO Magazine article, Aaron Turner wrote, “I’ve had the opportunity to interact with tens of thousands of cybersecurity experts in over 70 countries around the world, and there is no one like Mike Assante. He has received much greater accolades than I can give from industry publications, policymakers, and others. I’m so grateful that I could work side-by-side with Mike as long as I did. The gratitude is double for being able to call him a friend for over a decade.

“The highest compliment I can pay Mike is that he was tireless in his dedication to working on a complex problem, never taking credit for other people’s work. He acted with integrity at all times, motivating everyone around him to perform to their best potential and being an excellent industry leader. Most importantly, he did all this while being a great husband and father.”

Mike Assante’s legacy is one of innovation, relentlessness, and integrity. He has had a profound impact on the security of our critical infrastructure, and we are proud to have been part of his life and his mission. We will miss him deeply, but we are much better for having known him.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.

Posted in: SANS


Recent AZORult activity, (Thu, Jul 11th)

I found a tweet from @ps66uk from 2019-07-10 about an open directory used in malspam to push an information stealer called AZORult. The open directory is hosted on sfoodfeedf[.]org at www.sfoodfeedf[.]org/wp-includes/Requests/Cookie/


Shown above:  The open directory at sfoodfeedf[.]org.

@ps66uk had already noted a file named purchase order.iso, an ISO image containing an AZORult executable. I found another one in the same directory named 201907060947039062.iso; further analysis showed it was AZORult as well. ISO images are a popular malspam container because Windows 8 and later mount them with a double-click and, at the time of writing, an executable copied out of the mounted image does not carry the Mark-of-the-Web that a directly downloaded EXE would, so the usual SmartScreen prompt never appears.


Shown above:  Getting the other ISO file.


Shown above:  Extracting the EXE file from the ISO on a Windows 7 host.

In previous AZORult infections in my lab, the malware usually deleted itself after an initial exfiltration of data.  This one repeatedly did callback traffic, and a .vbs file was made persistent on my infected Windows host during the infection.  This is apparently a more recent variant dubbed AZORult++, described by Kaspersky and followed up by BleepingComputer.  It is called AZORult++ because it is now compiled in C++ after formerly being compiled in Delphi.


Shown above:  Traffic from the infection filtered in Wireshark.


Shown above:  TCP conversations from my infected Windows host.


Shown above:  An example of the AZORult callback traffic.


Shown above:  This AZORult EXE was compiled with C++, a characteristic of AZORult++.


Shown above:  VBS file made persistent on my infected Windows host.

Malware indicators

SHA256 hash: ed7c0a248904a026a0e3cabded2aa55607626b8c6cfc8ba76811feed157ecea8

Final words

Earlier this month, on 2019-07-01, I saw an AZORult sample (also compiled in C++) which did the expected two HTTP POST requests to exfiltrate data, then deleted itself from my infected host.  Today’s example shows there can be some variation in AZORult infection activity.


Brad Duncan
brad [at] malware-traffic-analysis.net


Reposted from SANS. View original.

Posted in: SANS


Dumping File Contents in Hex (in PowerShell), (Wed, Jul 10th)

I got to thinking about file dumps in hexadecimal this week.  This is something I do at least a few times a week – usually to look at file headers or non-printable characters for one reason or another.

File headers will usually let you know what type of file you’re looking at (no matter what the file extension is).  More here on that: https://linux.die.net/man/1/file

When looking at or for non-printable characters, this can be for any number of reasons, but almost always it’s to figure out what some crazy application is doing with CRLF (Carriage Return / Line Feed) so that I can fix the output to properly feed the next script or tool, or so that Word will read it correctly (which I guess is the same thing).

Anyway, the go-to tool for this is xxd:

# xxd /usr/bin/vi | more
00000000: 7f45 4c46 0201 0100 0000 0000 0000 0000  .ELF............
00000010: 0300 3e00 0100 0000 b0b4 0600 0000 0000  ..>.............
00000020: 4000 0000 0000 0000 a066 3000 0000 0000  @........f0.....
00000030: 0000 0000 4000 3800 0900 4000 1d00 1c00  ....@.8...@.....
00000040: 0600 0000 0500 0000 4000 0000 0000 0000  ........@.......
00000050: 4000 0000 0000 0000 4000 0000 0000 0000  @.......@.......
00000060: f801 0000 0000 0000 f801 0000 0000 0000  ................

More on xxd here (or type "man xxd"): https://linux.die.net/man/1/xxd

If you’re on a stripped-down Linux, something like busybox, xxd won’t be there (it comes with vim, not vi), but often those distros will still have the “hexdump” command:

# hexdump -C /bin/vi | more
00000000  7f 45 4c 46 01 01 01 00  00 00 00 00 00 00 00 00  |.ELF............|
00000010  03 00 03 00 01 00 00 00  88 63 00 00 34 00 00 00  |.........c..4...|
00000020  6c bf 05 00 00 00 00 00  34 00 20 00 08 00 28 00  |l.......4. ...(.|
00000030  1f 00 1c 00 06 00 00 00  34 00 00 00 34 00 00 00  |........4...4...|
00000040  34 00 00 00 00 01 00 00  00 01 00 00 05 00 00 00  |4...............|
00000050  04 00 00 00 03 00 00 00  34 01 00 00 34 01 00 00  |........4...4...|
00000060  34 01 00 00 13 00 00 00  13 00 00 00 04 00 00 00  |4...............|

But what if you’re on a customer’s Windows host?  And what if they haven’t installed any of the Linux tools?  Well, as you might guess, “PowerShell to the rescue!”  PowerShell’s Format-Hex cmdlet gives you much the same output:

PS C:\> Get-Content windowssystemcmd.exe | format-hex | more

           00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000   4D 5A 3F 00 03 00 00 00 04 00 00 00 3F 3F 00 00  MZ?.........??..
00000010   3F 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ?.......@.......
00000020   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000030   00 00 00 00 00 00 00 00 00 00 00 00 3F 00 00 00  ............?...
00000040   0E 1F 3F 0E 00 3F 09 3F 21 3F 01 4C 3F 21 54 68  ..?..?.?!?.L?!Th
00000050   69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F  is program canno
00000060   74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20  t be run in DOS
00000070   6D 6F 64 65 2E                                   mode.

Better yet, Format-Hex understands several encodings, so if you have a specific character encoding to work with, “-Encoding” is your friend (“unicode” gives you UTF-16LE; which encoding is assumed by default depends on the PowerShell version, so check “get-help format-hex -Parameter Encoding” on the host you are on).  Two caveats before you trust the bytes.  First, -Encoding only applies to string input; it does nothing for a file read with -Path.  Second, the dump above is not the real cmd.exe header: Get-Content read the file as text, so every byte above 0x7F came out as 3F (a “?” substitution character) and the dump stops at the first line break inside the DOS stub.  The genuine header of a Microsoft-linked executable starts 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00.  To see what is actually on disk, use “format-hex -Path <file>” (or “Get-Content -AsByteStream” on PowerShell 6 and later, “Get-Content -Encoding Byte” on Windows PowerShell 5.1) and the 3F bytes disappear.
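
For a host with neither xxd nor a PowerShell you trust, here is the same dump in plain Python as an added example (Python is used for every added example on this page; this is not code from the diary). It produces xxd-style output, names the file type from its leading bytes, counts CRLF versus bare LF and CR, and reproduces in read_as_text_then_bytes() the damage a text-mode read does before the dump: the sample DOS stub header is the standard one Microsoft's linker emits, and after a text round trip its high bytes come out as 3F exactly as in the Format-Hex output above.

```python
"""xxd-style dump plus the two checks the diary uses it for, in plain Python.

Added example, not from the diary (Python so it runs on any host, including a
Windows box without xxd). identify() covers a handful of common headers,
line_endings() answers the CRLF question, and read_as_text_then_bytes() shows
what happens when a binary is pushed through a text reader before the dump.
"""
MAGIC = [
    (b"\x7fELF", "ELF executable"),
    (b"MZ", "DOS/PE executable"),
    (b"%PDF-", "PDF document"),
    (b"PK\x03\x04", "ZIP container (also docx/xlsx/jar/apk)"),
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound file (doc/xls/msi)"),
    (b"\xef\xbb\xbf", "UTF-8 text with BOM"),
    (b"\xff\xfe", "UTF-16LE text with BOM"),
]

# First 16 bytes of the MS-DOS stub that Microsoft's linker places in front of
# every PE file: e_magic "MZ", e_cblp 0x90, e_cp 3, e_cparhdr 4, e_maxalloc 0xFFFF.
DOS_STUB_HEAD = bytes.fromhex("4d5a90000300000004000000ffff0000")


def identify(data: bytes) -> str:
    """Name the file type from its leading bytes, ignoring the extension."""
    for sig, name in MAGIC:
        if data.startswith(sig):
            return name
    return "unknown"


def hexdump(data: bytes, width: int = 16) -> str:
    """Return an xxd -g1 style dump: offset, hex bytes, printable ASCII column."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        ascii_part = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"{off:08x}: {hexpart}  {ascii_part}")
    return "\n".join(lines)


def line_endings(data: bytes) -> dict:
    """Count CRLF pairs, bare LF and bare CR, the usual reason to dump a text file."""
    crlf = data.count(b"\r\n")
    return {"CRLF": crlf, "LF": data.count(b"\n") - crlf, "CR": data.count(b"\r") - crlf}


def read_as_text_then_bytes(data: bytes) -> bytes:
    """Model a text-mode read followed by an ASCII re-encode.

    Each byte is decoded as one character (latin-1 keeps a 1:1 byte-to-code-point
    mapping) and then re-encoded as ASCII, where anything above 0x7F becomes '?'
    (0x3F). That is the pattern in the Get-Content | Format-Hex output above:
    every high byte of the real cmd.exe header shows up as 3F.
    """
    return data.decode("latin-1").encode("ascii", errors="replace")


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read(256) if len(sys.argv) > 1 else DOS_STUB_HEAD
    print(identify(blob))
    print(hexdump(blob))
    print(line_endings(blob))
    print(hexdump(read_as_text_then_bytes(blob)))
```

Running it with no argument dumps the constructed DOS stub twice, once as stored and once after the text round trip, which makes the 90 -> 3F and FF FF -> 3F 3F substitutions easy to see side by side.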

The full “format-hex” docs are here (along with dozens of other places that google will find for you): https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/format-hex?view=powershell-6
(or “get-help format-hex”)

More on the various encoding options here: https://docs.microsoft.com/en-us/dotnet/api/system.text.encoding.codepage?view=netcore-2.2

If you’ve seen a situation where you needed a different method to accomplish this task, please use our comment form to share!!

===============
Rob VandenBrink
Coherent Security


Reposted from SANS. View original.

Posted in: SANS


Samba Project tells us "What's New" – SMBv1 Disabled by Default (finally), (Wed, Jul 10th)

Samba 4.11 (preview release) came out 2 days ago (4.11p0).  Not huge news, you say, except for one detail: the default settings in this version have SMBv1 disabled.  Better yet, the project has started to set the stage for removing it completely.

Yes, two years after WannaCry, Petya, NotPetya, Eternal-everything and all the rest, they have come around and joined the party.  Mind you, this does not change any settings on existing installations; fixing those is still a manual change.  The new default corresponds to “server min protocol = SMB2_02” (and “client min protocol = SMB2_02”) in smb.conf, which is what you set on an older Samba to get the same effect.

Hopefully you have used tools like nmap (“nmap -p445 --open --script smb-protocols <targets>”; a host that still speaks SMBv1 shows the dialect line “NT LM 0.12 (SMBv1) [dangerous, but default]”) to find and fix any hosts that still support SMBv1, which hopefully includes any *nix/Samba hosts in your environment.  I’m also hoping that you have scanned any “storage appliances”, which are mostly Linux + Samba + iSCSI under the covers.  If you haven’t done these scans and remediations, you have likely had some bad days over the last two years.

If you require SMBv1 support in Samba, the team asks that you let them know via a bug report.  That feedback is what they will use to schedule the deprecation and final removal of the protocol.

Anyway, good news from the Samba project, and better days ahead!

Full release notes are here: https://github.com/samba-team/samba/blob/59cca4c5d699be80b4ed22b40d8914787415c507/WHATSNEW.txt

===============
Rob VandenBrink
Coherent Security


Reposted from SANS. View original.

Posted in: SANS


VMWare Security Advisory on DoS Vulnerability in ESXi, (Tue, Jul 9th)

VMware has released patches for ESXi that address a denial-of-service vulnerability in hostd, the host management daemon. ESXi 6.0 is unaffected, 6.5 has a patch, and the 6.7 patch is pending. The issue is tracked as CVE-2019-5528 and is rated Important (CVSSv3 base score 5.3). A workaround has also been published. If you run ESXi, take a look at this today as well.

John Bambenek
bambenek at gmail /dot/ com
ThreatSTOP


Reposted from SANS. View original.

Posted in: SANS


MSFT July 2019 Patch Tuesday, (Tue, Jul 9th)

July 2019 Security Updates

CVE | Disclosed | Exploited | Exploitability (old versions) | Exploitability (current version) | Severity | CVSS Base | CVSS Temporal
(a dash marks a cell the source table leaves blank)

.NET Denial of Service Vulnerability
CVE-2019-1083 | No | No | Less Likely | Less Likely | Important | - | -
.NET Framework Remote Code Execution Vulnerability
CVE-2019-1113 | No | No | More Likely | More Likely | Critical | - | -
ADFS Security Feature Bypass Vulnerability
CVE-2019-0975 | No | No | Less Likely | Less Likely | Important | 4.3 | 3.9
CVE-2019-1126 | No | No | Less Likely | Less Likely | Important | 5.3 | 4.8
ASP.NET Core Spoofing Vulnerability
CVE-2019-1075 | No | No | Less Likely | Less Likely | Moderate | - | -
Azure Automation Elevation of Privilege Vulnerability
CVE-2019-0962 | Yes | No | Less Likely | Less Likely | Important | - | -
Azure DevOps Server and Team Foundation Server Remote Code Execution Vulnerability
CVE-2019-1072 | No | No | Less Likely | Less Likely | Critical | - | -
Chakra Scripting Engine Memory Corruption Vulnerability
CVE-2019-1062 | No | No | - | - | Critical | 4.2 | 3.8
CVE-2019-1092 | No | No | - | - | Critical | 4.2 | 3.8
CVE-2019-1103 | No | No | - | - | Critical | 4.2 | 3.8
CVE-2019-1106 | No | No | - | - | Critical | 4.2 | 3.8
CVE-2019-1107 | No | No | - | - | Critical | 4.2 | 3.8
DirectWrite Information Disclosure Vulnerability
CVE-2019-1093 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0
CVE-2019-1097 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0
DirectWrite Remote Code Execution Vulnerability
CVE-2019-1117 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
CVE-2019-1118 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
CVE-2019-1119 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
CVE-2019-1120 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
CVE-2019-1121 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
CVE-2019-1122 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
CVE-2019-1123 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
CVE-2019-1124 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
CVE-2019-1127 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
CVE-2019-1128 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
DirectX Elevation of Privilege Vulnerability
CVE-2019-0999 | No | No | - | - | Important | 7.8 | 7.0
Docker Elevation of Privilege Vulnerability
CVE-2018-15664 | Yes | No | Less Likely | Less Likely | Important | - | -
GDI+ Remote Code Execution Vulnerability
CVE-2019-1102 | No | No | Less Likely | Less Likely | Critical | 8.4 | 7.6
Internet Explorer Memory Corruption Vulnerability
CVE-2019-1063 | No | No | More Likely | More Likely | Critical | 6.4 | 5.8
Latest Servicing Stack Updates
ADV990001 | No | No | - | - | Critical | - | -
Microsoft Browser Memory Corruption Vulnerability
CVE-2019-1104 | No | No | More Likely | More Likely | Critical | 6.4 | 5.8
Microsoft Excel Information Disclosure Vulnerability
CVE-2019-1112 | No | No | More Likely | More Likely | Important | - | -
Microsoft Excel Remote Code Execution Vulnerability
CVE-2019-1110 | No | No | Less Likely | Less Likely | Important | - | -
CVE-2019-1111 | No | No | Less Likely | Less Likely | Important | - | -
Microsoft Exchange Information Disclosure Vulnerability
CVE-2019-1084 | No | No | Less Likely | Less Likely | Important | - | -
Microsoft Exchange Server Elevation of Privilege Vulnerability
CVE-2019-1136 | No | No | Less Likely | Less Likely | Important | - | -
Microsoft Exchange Server Spoofing Vulnerability
CVE-2019-1137 | No | No | Less Likely | Less Likely | Important | - | -
Microsoft Office SharePoint XSS Vulnerability
CVE-2019-1134 | No | No | Less Likely | Less Likely | Important | - | -
Microsoft Office Spoofing Vulnerability
CVE-2019-1109 | No | No | Less Likely | Less Likely | Important | - | -
Microsoft SQL Server Remote Code Execution Vulnerability
CVE-2019-1068 | Yes | No | Less Likely | Less Likely | Important | - | -
Microsoft Windows Elevation of Privilege Vulnerability
CVE-2019-1074 | No | No | More Likely | More Likely | Important | 5.3 | 5.3
CVE-2019-1082 | No | No | - | - | Important | 7.7 | 7.7
Microsoft splwow64 Elevation of Privilege Vulnerability
CVE-2019-0880 | No | Yes | Detected | More Likely | Important | 7.0 | 6.3
Microsoft unistore.dll Information Disclosure Vulnerability
CVE-2019-1091 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0
Outlook on the web Cross-Site Scripting Vulnerability
ADV190021 | No | No | - | - | Important | - | -
Remote Desktop Protocol Client Information Disclosure Vulnerability
CVE-2019-1108 | No | No | More Likely | More Likely | Important | 6.5 | 5.9
Remote Desktop Services Remote Code Execution Vulnerability
CVE-2019-0887 | Yes | No | More Likely | More Likely | Important | 8.0 | 7.2
Scripting Engine Memory Corruption Vulnerability
CVE-2019-1056 | No | No | - | - | Critical | 6.4 | 5.8
CVE-2019-1059 | No | No | Less Likely | Less Likely | Critical | 6.4 | 5.8
CVE-2019-1001 | No | No | More Likely | More Likely | Critical | 6.4 | 5.8
CVE-2019-1004 | No | No | More Likely | More Likely | Critical | 6.4 | 5.8
SymCrypt Denial of Service Vulnerability
CVE-2019-0865 | Yes | No | Less Likely | Less Likely | Important | 7.5 | 6.7
Team Foundation Server Cross-site Scripting Vulnerability
CVE-2019-1076 | No | No | Less Likely | Less Likely | Important | - | -
Visual Studio Elevation of Privilege Vulnerability
CVE-2019-1077 | No | No | Less Likely | Less Likely | Important | - | -
Visual Studio Information Disclosure Vulnerability
CVE-2019-1079 | No | No | Less Likely | Less Likely | Important | - | -
WCF/WIF SAML Token Authentication Bypass Vulnerability
CVE-2019-1006 | No | No | Less Likely | Less Likely | Important | - | -
Win32k Elevation of Privilege Vulnerability
CVE-2019-1132 | No | Yes | - | - | Important | 7.8 | 7.2
Win32k Information Disclosure Vulnerability
CVE-2019-1096 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0
Windows Audio Service Elevation of Privilege Vulnerability
CVE-2019-1086 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
CVE-2019-1087 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
CVE-2019-1088 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Windows DHCP Server Remote Code Execution Vulnerability
CVE-2019-0785 | No | No | Less Likely | Less Likely | Critical | 9.8 | 8.8
Windows DNS Server Denial of Service Vulnerability
CVE-2019-0811 | No | No | Less Likely | Less Likely | Important | 7.5 | 6.7
Windows Elevation of Privilege Vulnerability
CVE-2019-1129 | Yes | No | More Likely | More Likely | Important | 7.8 | 7.0
CVE-2019-1130 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Windows Error Reporting Elevation of Privilege Vulnerability
CVE-2019-1037 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3
Windows GDI Information Disclosure Vulnerability
CVE-2019-1094 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0
CVE-2019-1095 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0
CVE-2019-1098 | No | No | - | - | Important | 5.5 | 5.0
CVE-2019-1099 | No | No | - | - | Important | 5.5 | 5.0
CVE-2019-1100 | No | No | - | - | Important | 5.5 | 5.0
CVE-2019-1101 | No | No | - | - | Important | 5.5 | 5.0
CVE-2019-1116 | No | No | - | - | Important | 5.5 | 5.0
Windows Hyper-V Denial of Service Vulnerability
CVE-2019-0966 | No | No | Less Likely | Less Likely | Important | 6.8 | 6.1
Windows Kernel Elevation of Privilege Vulnerability
CVE-2019-1067 | No | No | More Likely | More Likely | Important | 7.8 | 7.0
Windows Kernel Information Disclosure Vulnerability
CVE-2019-1071 | No | No | More Likely | More Likely | Important | 5.5 | 5.0
CVE-2019-1073 | No | No | More Likely | More Likely | Important | 5.5 | 5.0
Windows RPCSS Elevation of Privilege Vulnerability
CVE-2019-1089 | No | No | More Likely | More Likely | Important | 7.8 | 7.0
Windows WLAN Service Elevation of Privilege Vulnerability
CVE-2019-1085 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Windows dnsrlvr.dll Elevation of Privilege Vulnerability
CVE-2019-1090 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0

John Bambenek
bambenek at gmail /dot/ com
ThreatSTOP


Reposted from SANS. View original.

Posted in: SANS
