Archive for September, 2019

Maldoc, PowerShell & BITS, (Mon, Sep 30th)

The sample we analyze today is a malicious Office document, using PowerShell to download its payload via BITS.

Taking a look with msoffcrypto-crack and oledump gives the following:

Stream 6 contains VBA code with strings that look like BASE64 encoded data:

There are a lot of uppercase letter As in this BASE64 string, which points to many 0x00 bytes: the data might be UNICODE (UTF-16) text, and that often turns out to be a PowerShell script.

However, base64dump does not select these strings as BASE64. That’s because syntactically, they are not valid BASE64. The number of characters in a BASE64 string must be a multiple of 4. This is not the case here.

To hamper analysis and detection, the malware authors split the BASE64 string into chunks that are not valid BASE64 strings on their own. First, we need to reassemble these strings to complete our analysis.

To achieve this, we extract all double-quoted strings (without the double-quotes) using re-search.py:

Then with grep, we select all strings that are long enough (at least 70 bytes long, i.e. regular expression .{70,}):

And then we can use base64dump again, this time with option -w, to ignore all whitespace. This results in the concatenation of these BASE64 fragments prior to decoding:

And it is indeed a PowerShell script, using module BitsTransfer to download (and run) an executable:
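The reassembly the diary walks through, as an added Python example (not one of Didier's tools): a constructed VBA fragment whose BASE64 is cut into pieces of invalid length, the quoted-string extraction and 70-character filter, and the whitespace-ignoring concatenation and UTF-16 decode that base64dump -w performs. The payload string is a harmless constructed stand-in, not the diary's sample.

```python
import base64
import binascii
import re

# Constructed stand-in for the maldoc's payload (not the diary's sample):
# a harmless PowerShell one-liner that only exists to be encoded.
PS_SCRIPT = "Import-Module BitsTransfer; Write-Output constructed-sample"

def build_vba_sample(script):
    """Constructed VBA fragment: UTF-16LE script -> BASE64 -> two pieces
    whose lengths are not multiples of 4, so neither piece is valid
    BASE64 on its own (which is why base64dump skips them)."""
    b64 = base64.b64encode(script.encode("utf-16-le")).decode()
    cut = len(b64) // 2
    if cut % 4 == 0:          # make both halves syntactically invalid
        cut -= 1
    lines = ["Dim s As String"]
    lines += ['s = s & "%s"' % chunk for chunk in (b64[:cut], b64[cut:])]
    return "\n".join(lines)

def is_valid_base64(s):
    """Strict BASE64 check: length multiple of 4 and decodable."""
    if len(s) % 4:
        return False
    try:
        base64.b64decode(s, validate=True)
        return True
    except binascii.Error:
        return False

def extract_long_strings(vba_text, min_len=70):
    """re-search.py + grep '.{70,}': every double-quoted string that is at
    least min_len characters long."""
    return [s for s in re.findall(r'"([^"]*)"', vba_text) if len(s) >= min_len]

def reassemble_and_decode(vba_text, min_len=70):
    """base64dump -w: join the fragments, ignoring whitespace, decode once,
    then treat 'every other byte is 0x00' (the run of uppercase As) as
    UTF-16LE and return the script text."""
    joined = re.sub(r"\s+", "", "\n".join(extract_long_strings(vba_text, min_len)))
    data = base64.b64decode(joined, validate=True)
    if len(data) % 2 == 0 and all(b == 0 for b in data[1::2]):
        return data.decode("utf-16-le")
    return data.decode("latin-1")

if __name__ == "__main__":
    vba = build_vba_sample(PS_SCRIPT)
    print([is_valid_base64(s) for s in extract_long_strings(vba)])  # [False, False]
    print(reassemble_and_decode(vba))
```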

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS.

Encrypted Maldoc, Wrong Password, (Sun, Sep 29th)

Reader Chad submitted a malicious Office document, delivered as an email attachment. The maldoc was encrypted, and the password was mentioned in the email: PETROFAC.

But that wasn’t the correct password. Luckily, Chad found and shared the correct password with us: petrofac.

The good news is that the recipient won’t be able to open the document, and might even call the helpdesk. The user’s machine won’t get infected, and the SOC might get alerted indirectly by the user.

However, as an analyst, you want to be able to analyze the document to recover IOCs and check the logs for signs of compromise (other maldocs, with a valid password and using the same IOCs, might have passed the company’s defenses).

You can quickly crack the password with John the Ripper or Hashcat, but there are corporations where such tools are prohibited even for the blue teams.

Some time ago, I created a Python tool to help with encrypted Office maldocs: msoffcrypto-crack.py. This maldoc inspired me to make a small change to my tool: add an optional rule to perform case toggling when working through a password list.

For this sample, using option -r and providing a password list including PETROFAC, my tool will test PETROFAC and petrofac. There’s also an option to provide the email body to extract potential passwords.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com


New Scans for Polycom Autoconfiguration Files, (Fri, Sep 27th)

One of my honeypots detected a nice scan yesterday. A bot was looking for Polycom master provisioning files. Such files are called by default ‘000000000000.cfg’ and contain the information needed to provision VoIP phones. Normally, this file is renamed with the MAC address of the phone (e.g. a1b2c3d4e5f6.cfg), but the name can be left intact and, if the phone can’t find its own MAC address-based configuration, it will pull the default file.

Here is the list of scanned files:

The source IP address was 185.53.88.96, which has a bad score in our DShield database.

Such configuration files contain very sensitive information about internal networks and should never be publicly available. If you detected the same kind of scan recently, please share!
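An added detection example, not part of the diary: the same scan pattern picked out of web-server access logs. The log lines, client addresses and request paths are constructed for this example; the default file name and the MAC-named form come from the post above.

```python
import re
from collections import defaultdict

# Constructed common-log-format lines (addresses and paths are made up for
# this example): one client sweeping default provisioning file names, one
# legitimate MAC-named config pull, one unrelated request.
LOG_LINES = """\
198.51.100.7 - - [27/Sep/2019:08:12:01 +0000] "GET /tftpboot/polycom/0000000000000.cfg HTTP/1.1" 404 209
198.51.100.7 - - [27/Sep/2019:08:12:01 +0000] "GET /provisioning/0000000000000.cfg HTTP/1.1" 404 209
198.51.100.7 - - [27/Sep/2019:08:12:02 +0000] "GET /0000000000000.cfg HTTP/1.1" 404 209
203.0.113.5 - - [27/Sep/2019:08:13:44 +0000] "GET /index.html HTTP/1.1" 200 1432
203.0.113.9 - - [27/Sep/2019:08:15:10 +0000] "GET /prov/a1b2c3d4e5f6.cfg HTTP/1.1" 200 3120
""".splitlines()

CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+)')
# Polycom's master file is 000000000000.cfg; the scan asked for a 13-zero
# variant, so accept both. Per-phone files are named after the 12-hex-digit MAC.
DEFAULT_CFG = re.compile(r"^0{12,13}\.cfg$", re.IGNORECASE)
MAC_CFG = re.compile(r"^[0-9a-f]{12}\.cfg$", re.IGNORECASE)

def classify(path):
    """'probe' for the default master file, 'mac_pull' for a MAC-named
    config, None for anything else."""
    name = path.split("?", 1)[0].rsplit("/", 1)[-1]
    if DEFAULT_CFG.match(name):
        return "probe"
    if MAC_CFG.match(name):
        return "mac_pull"
    return None

def scan_log(lines):
    """Per client IP: number of probes, distinct probed paths, MAC pulls."""
    summary = defaultdict(lambda: {"probes": 0, "paths": set(), "mac_pulls": 0})
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue
        ip, path = m.groups()
        kind = classify(path)
        if kind == "probe":
            summary[ip]["probes"] += 1
            summary[ip]["paths"].add(path)
        elif kind == "mac_pull":
            summary[ip]["mac_pulls"] += 1
    return dict(summary)

def flag_scanners(summary, min_probes=2):
    """Clients asking for the default file under several paths: a sweep, not a phone booting."""
    return sorted(ip for ip, s in summary.items() if s["probes"] >= min_probes)
```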

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key


Vulnerability on specific Cisco Industrial / Grid router models, (Thu, Sep 26th)

Our reader Marc reports a vulnerability posted by Cisco yesterday: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-ios-gos-auth

This issue affects hosts that support and are running Guests as a Hypervisor. In particular, the note calls out model 800 Industrial ISR Routers and model 1000 Grid routers. The vulnerability describes a failure in RBAC (Role Based Access Control), where a guest user can get access to a guest VM when only admin users have that access configured, so a privilege escalation from host to guest.

While this affects only a very small subset of Cisco customers, the customers that are affected are likely to be in the public utility sector, and be subject to NERC / FERC regulatory controls.

So for the folks that are affected by this, please treat this as a high priority: time to schedule a maintenance window to patch!

===============
Rob VandenBrink
rob coherentsecurity.com


Mining MAC Address and OUI Information, (Thu, Sep 26th)

So often when we’re working an incident on the network side, we quickly end up at Layer 2, working with MAC addresses.
MAC addresses are 48-bit (6 bytes, or 12 hex characters) values, commonly written with colons, dashes or dots as delimiters (all are equally valid):

aa:bb:cc:dd:ee:ff
aa-bb-cc-dd-ee-ff
aabbcc-ddeeff
aabb.ccdd.eeff

MAC addresses are commonly split, with the leading bits being the OUI (Organizationally Unique Identifier). These OUIs (also called MAC address prefixes) are purchased from the IEEE (at https://standards.ieee.org/products-services/regauth/oui/index.html). The most commonly seen OUIs are 24 bits wide, so the first 3 bytes of the MAC. So in our example above, the corresponding 24-bit OUI would be aabbcc, and the host “bits” would be ddeeff. However, that “OUI boundary” can move to a 28- or 36-bit boundary, for instance if the vendor wants a smaller allocation of addresses. In that case, OUIs of aabbccd00000/28 or aabbccdde000/36 would both also be valid identifiers. Note that if the boundary isn’t at the 24-bit mid-point, the trailing zeros and the bit-wise mask are normally written out.

All interesting, you say, but what does this have to do with security? All too often when looking at MAC address tables, we see something “odd”, and it struck me that it’d be handy to have a quick lookup tool. Wireshark maintains a very complete online tool (https://www.wireshark.org/tools/oui-lookup.html), and it is usually my go-to. However, it means that I need internet access, it’s not easy to script using a webpage, and on most of my hardware I need to scroll up and down to use that page. Luckily they maintain their OUI table in text format at https://standards.ieee.org/products-services/regauth/oui/index.html

So with a text file in hand, I wrote a quick-and-dirty shell script to download the file if it isn’t there, and grep it for OUIs, partial OUIs or vendor names:

For instance, what OUIs does VMware use for its VMs?

[email protected]:~# ./oui.sh vmware
000569  Vmware  VMware, Inc.
000C29  Vmware  VMware, Inc.
001C14  Vmware  VMware, Inc.
005056  Vmware  VMware, Inc.

Alternatively, if we were looking up an OUI that we got from a switch “show mac address-table” command:

[email protected]:~# ./oui.sh 0050:56
005056  Vmware  VMware, Inc.

Or, if you want a list of all vendors that have smaller allocations, let’s list the folks with /28’s:

[email protected]:~# ./oui.sh /28 | more
0055DA000000/28 ShinkoTe        Shinko Technos co.,ltd.
0055DA100000/28 Koolpos KoolPOS Inc.
0055DA200000/28 BeijingC        Beijing Connected Information Technology Co.,Ltd.
0055DA300000/28 NovexxSo        Novexx Solutions GmbH
0055DA400000/28 Datapath        Datapath Limited
0055DA500000/28 Nanoleaf
…..

This script, plus a Windows equivalent cmd file is in my github at: https://github.com/robvandenbrink/ouilookup

Notes:

The Windows version uses c:\utils for the downloaded text file. I usually keep the script in the same place, but it can really reside anyplace in the path.
The Linux version downloads the text file to $HOME/Downloads; the script can reside anywhere.

Edit the script you are using if these directories are not desirable in your situation.

Syntax:

     OUI NN:NN:NN      Request information on a specific OUI
                       Input is NOT case sensitive
                       Acceptable delimiters include “:”, “.” or “-“
                       Address delimiters can be in any position (at the byte or word boundaries for instance)
                       Address delimiters are optional, and can be partially specified
                       So any of 005000, 00:50:00, 0050.00, 00-50-00 and just 50 are acceptable inputs
    OUI Manufacturer   List all OUI’s associated with a manufacturer
                       Partial company names are acceptable
                       Input is NOT case sensitive
    OUI update         Update the OUI listing
                       This update comes from Wireshark’s consolidated vendor list (as noted above)
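An added Python equivalent of the lookups described above (example code, not the oui.sh script from the repository): it parses a constructed excerpt laid out like Wireshark's manuf file, accepts the delimiter-agnostic inputs listed in the syntax, and additionally resolves a full MAC to its longest-matching 24-, 28- or 36-bit block, the boundary point made earlier in the post.

```python
import re

# Constructed excerpt in the layout of Wireshark's manuf file (tab-separated
# prefix, short name, long name; a /NN suffix marks a 28- or 36-bit block).
MANUF_SAMPLE = """\
00:05:69\tVmware\tVMware, Inc.
00:0C:29\tVmware\tVMware, Inc.
00:1C:14\tVmware\tVMware, Inc.
00:50:56\tVmware\tVMware, Inc.
00:55:DA:00:00:00/28\tShinkoTe\tShinko Technos co.,ltd.
00:55:DA:10:00:00/28\tKoolpos\tKoolPOS Inc.
"""

def normalize(hexstr):
    """Drop ':' '-' '.' wherever they sit and upper-case: input is case-insensitive."""
    return re.sub(r"[:.\-]", "", hexstr).upper()

def parse_manuf(text):
    """(prefix_hex, mask_bits, short, long) per entry; a bare 6-digit prefix is a /24."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        prefix, short, long_name = (line.split("\t") + ["", ""])[:3]
        prefix, _, bits = prefix.partition("/")
        mask = int(bits) if bits else 24
        entries.append((normalize(prefix), mask, short, long_name))
    return entries

def lookup(entries, query):
    """oui.sh-style: '/28' lists a block size, hex digits match a (partial) prefix,
    anything else is a case-insensitive vendor search."""
    if query.startswith("/"):
        return [e for e in entries if e[1] == int(query[1:])]
    q = normalize(query)
    if re.fullmatch(r"[0-9A-F]+", q):        # a vendor named 'beef' would land here
        return [e for e in entries if q in e[0]]
    return [e for e in entries if query.lower() in (e[2] + " " + e[3]).lower()]

def identify(entries, mac):
    """Longest-prefix match for a full MAC, honouring 24/28/36-bit boundaries,
    e.g. 00:55:DA:1x:xx:xx belongs to the /28 holder, not to a /24 one."""
    value = int(normalize(mac).ljust(12, "0"), 16)
    best = None
    for entry in entries:
        shift = 48 - entry[1]
        if value >> shift == int(entry[0].ljust(12, "0"), 16) >> shift:
            if best is None or entry[1] > best[1]:
                best = entry
    return best
```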

If you’ve worked an incident where MAC / OUI information was crucial in getting to a solution, please, share using our comment form! (please stay within your NDA of course).

Stay tuned, in my next story we’ll use this approach to find “odd” stations in your network.

===============
Rob VandenBrink
rob coherentsecurity.com
